China is the key economy of the 21st century. It is the world’s leading manufacturing center and the fastest growing economy in the world. Most enterprises need to run operations in China and to find solutions that give their teams appropriate connectivity and network performance.
China, a booming market for digital and connectivity services
Like any modern economy, it has a huge appetite for digital services in its domestic market (source):
- 855M internet users, adding 25M subscribers in a single year in 2020!
- 1.04Bn social media users.
- 1.6Bn mobile connections
Outsiders focus their attention on serving this market as intensely as possible.
Expanding operations to the Chinese market requires connectivity and digital services: access to business apps, SaaS and cloud services, and connections from local operations to data centers and clouds located outside China (through SDWAN, VPN, etc.).
The specifics of China’s telecom market
Obviously, China is not a country like others, and not only because of the size of its market: the government’s level of control over the economy is much higher. This applies to telecom and internet access services at 2 levels:
- Strict control of what content and services can be accessed on the Internet from China. China has its own set of leading digital services:
  - WeChat is the leading messaging platform, far ahead of WhatsApp, Facebook Messenger, etc.
  - Sina Weibo, Baidu Tieba, Xiaohongshu, Tencent Weibo, Kuaishou, Douban and Douyu all have more users than LinkedIn.
  - Some popular digital services like Facebook and Google are simply blocked.
- A telecom market with a limited number of operators, which are mostly state owned.
Understand the consequences for your plans and architecture
These specifics of the Chinese market represent a very important challenge; you should take them into account when designing your plans for the connectivity required by your operations in China for:
- Applications and cloud services required to work with your customers and distributors located in China
- Cloud services used by your own employees (CASBs, SaaS applications, …)
- Connectivity of your branches and plants in China
So let’s dive into what’s special about connectivity in China.
The Great Firewall of China (GFC) and its impact on connectivity and network performance
All the traffic going outside China goes through a government-controlled infrastructure that acts like a filtering proxy or firewall.
Among other things, this infrastructure executes the following actions on traffic:
- IP range bans
- DNS spoofing, filtering and redirections: in other words, the GFC can inject fake responses to DNS queries made in cleartext to DNS servers located outside China.
- URL filtering
- QoS filtering: rather than blocking certain services, the GFC can apply a certain level of packet loss on services (e.g. VPNs)
- Packet forging and TCP reset attacks: the GFC can reset connections…
- Man in the middle attacks: of course, this does not apply to the latest TLS versions, but the GFC can also place itself in the middle of the connection and sniff the traffic headed to an external destination.
The bottom line for your services: slower internet traffic, poor connectivity and packet loss.
2 layers of providers in China: domestic connectivity and internet gateway providers
Domestic connectivity operators
There is a limited number of providers available on the market. All of them are state owned companies: China Mobile, China Netcom (now merged with Unicom), China Telecom, China Unicom, Net.
China Telecom and China Netcom are the two main operators for DSL/Broadband connections. 3 players share most of the Mobile access market: China Mobile, China Telecom and China Unicom.
China is a large country. Distances are large so the latency inside China can be significant (read this article to understand).
The quality of internet connection, although broadband speed improves regularly (+17% YoY in 2020, for an average speed of 100Mbps+), can vary massively, especially from region to region.
Internet gateway: the Great Firewall of China
There are a limited number of internet gateways in China. These gateways are part of the networks of a second group of operators: ChinaNet and ChinaTelecom.
From a routing standpoint, you will see heavy load balancing; most likely this reveals that processing the traffic requires splitting the load across many nodes.
The graphic below shows the network path from 8 of Kadiska’s performance stations in China to app.kadiska.com (hosted in the EU): the first consequence of the Great Firewall is the instability of network performance, both in latency and in packet loss.
It is remarkable to see that the connectivity of the stations located in Hong Kong (not covered by the Great Firewall) and Alibaba is not impacted by the packet loss rates generated by the Great Firewall.
You can see the two paths first using the services of internal providers (Tianjii and China Telecom) to finally reach a network and a gateway operated by ChinaNet.
Most of the latency occurs inside the ChinaNet network.
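The per-network latency attribution described above can be reproduced from raw traceroute-style probes. The following is an added example, not Kadiska’s code or data: the hop records are constructed, and the labels "EU transit" and "EU hosting" are assumptions.

```python
from statistics import median

# Constructed sample (not measured data): probes from a station in China to an
# EU-hosted app. Each hop: (hop number, network label, RTTs in ms; None = no reply).
HOPS = [
    (1, "Tianjii",       [2.1, 2.4, 2.0, 2.2, 2.3]),
    (2, "Tianjii",       [5.0, 5.3, 5.1, 4.9, 5.2]),
    (3, "China Telecom", [12.0, 11.5, 12.4, 12.1, 11.8]),
    (4, "China Telecom", [None, None, None, None, None]),  # silent router
    (5, "ChinaNet",      [38.0, 41.0, 36.5, 39.0, 37.0]),
    (6, "ChinaNet",      [190.0, None, 240.0, 215.0, None]),
    (7, "EU transit",    [184.0, 199.0, 201.0, None, 195.0]),  # looks faster than hop 6
    (8, "EU hosting",    [212.0, None, 248.0, 221.0, 230.0]),
]

def latency_by_network(hops):
    """Return [(network, added_ms)] in path order, from per-hop median RTTs."""
    out, baseline = [], 0.0
    for _hop, network, rtts in hops:
        if not out or out[-1][0] != network:
            out.append([network, 0.0])
        replies = [r for r in rtts if r is not None]
        if not replies:
            continue  # silent hop: nothing to attribute, the next hop absorbs it
        rtt = median(replies)
        # Routers answer probes at low priority, so a hop can look slower than
        # the one after it. Only count increases over the running baseline.
        if rtt > baseline:
            out[-1][1] += rtt - baseline
            baseline = rtt
    return [(network, round(ms, 1)) for network, ms in out]

def end_to_end_loss(hops):
    """Loss ratio at the destination hop; mid-path loss is often ICMP rate limiting."""
    rtts = hops[-1][2]
    return rtts.count(None) / len(rtts)

if __name__ == "__main__":
    for network, ms in latency_by_network(HOPS):
        print(f"{network:14s} +{ms:6.1f} ms")
    print(f"end-to-end loss: {end_to_end_loss(HOPS):.0%}")
```

Run against each candidate path (direct internet, VPN, cloud backbone, gateway service), the same attribution shows which segment a given option actually improves.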
Bottom line: How to improve connectivity and network performance for your users in China?
Is there a network path to bypass the Great Firewall?
Is there a way to route the traffic to / from China to the rest of the Internet without any impact from the Great Firewall?
VPNs are used quite extensively, but it proves hard to maintain a good quality of service over time through the Great Firewall.
Looking for a network path that does not go through the Firewall looks like a clever option:
- There may be one, as some government-backed cloud service providers operate both in China and in other countries, and the traffic crossing the border over their internal network does not go through the Great Firewall.
- You can see a map of Alibaba’s cloud regions. Obviously the Great Firewall does not affect the traffic from one region to another. This is the basis for alternative architectures to connect your Chinese users to the outside world.
- Some providers, like Teridion, offer Chinese gateway services which allow SDWAN traffic to exit China through these alternative routes.
Pay attention to your local Chinese providers
The quality of the connectivity inside China is still quite important, so it matters to choose the best operator for your users’ region and the destination you need to reach.
Extending your digital platform to China
Another alternative to make your services more accessible in China… is simply to host them directly in China.
In all cases, you should carefully evaluate the performance gain of each of these options. Whatever solution you choose, monitor its performance once in production. Want to know how? Take a look at this article.