China’s “great firewall” is a well known and hugely discussed obstacle when consuming cloud services like Microsoft Azure and 365 Services from the Chinese mainland. In this post, you’ll learn about some solutions that have been developed to help mitigate its impact. Let’s dig right in!
The Problem with Network Performance and China’s Great Firewall
As we all know, latency is horrible when going directly from the Chinese mainland to any global cloud provider, even when you use the CDN or Frontdoor Services out of China.
That’s because all traffic going directly from China Mainland to global is routed through the “Great Firewall of China” located in Beijing and Shanghai.
But there is a little unknown loophole. Traffic which goes through the free trade and special administrative zones of Hong Kong and Macau is not routed through the great firewall and ends directly in these cities. Traffic which is then rerouted, for example, through a Cloud or Network Provider Backbone like the Microsoft Global Backbone, is then no longer passing the Great Firewall of China.
Let me try to illustrate that with a picture.
As you may know, not all internet traffic must be terminated on the Chinese mainland. Enterprise traffic, for example, from global organizations, can be routed through private Networks like MPLS to improve performance. Only traffic for things like YouTube, Facebook, Google, etc. needs to be terminated in China.
There are Chinese network providers like China Telecom who offer these dedicated access services to their global customers that are doing business in China.
The Internet Access Points provided by services like this mostly terminate in Hong Kong and are for the business traffic of those customers. There is only one point which is somewhat of a problem for customers. China Telecom is not taking care of the proper routing in these situations. So customers need to set the routing rules themselves and need to route traffic which is forbidden (again things like YouTube, Facebook…etc) for their Chinese employees to their internet breakout in China and the traffic for business purposes to the edge location in Hong Kong.
Now comes the good news. With Software Defined WAN Solutions or SDWAN and some BGP Routing Magic, you can automate the filtering and routing, which makes this process MUCH easier.
First let’s explain SDWAN:
SD-WAN is an acronym for software-defined networking in a wide area network (WAN). SD-WAN simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.
A key application of SD-WAN is to allow companies to build higher-performance WANs using lower-cost and commercially available Internet access, enabling businesses to partially or wholly replace more expensive private WAN connection technologies such as MPLS.
Most of you will know BGP or Border Gateway Protocol Routing:
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The protocol is classified as a path vector protocol. The Border Gateway Protocol makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator and is involved in making core routing decisions.
BGP may be used for routing within an autonomous system. In this application it is referred to as Interior Border Gateway Protocol, Internal BGP, or iBGP. In contrast, the Internet application of the protocol may be referred to as Exterior Border Gateway Protocol, External BGP, or eBGP.
What can you do?
First, you need to have an SDWAN Device connected to both of the internet connections and you need an SDWAN Aggregator for Device Management and Route automation for all routes outside of China. How does one easily address this need? Microsoft has made a solution!
Microsoft Azure Virtual WAN
Azure Virtual WAN is a networking service that provides optimized and automated branch connectivity to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to. Once the branches are connected, you can leverage the Azure backbone to establish branch-to-VNet and branch-to-branch connectivity. For a list of partners and locations that support Virtual WAN VPN, see the Virtual WAN partners and locations article. Azure Virtual WAN brings together many Azure cloud connectivity services such as site-to-site VPN (generally available), ExpressRoute (Preview), point-to-site user VPN (Preview) into a single operational interface. Connectivity to Azure VNets is established by using virtual network connections.
Microsoft currently has an extension for their Azure Virtual WAN offering in a preview that will provide a dedicated internet breakout for Microsoft 365 Services.
With that, you could place a virtual WAN Hub in Hong Kong and go through the dedicated Internet Breakout from China Telecom to your Services in Azure or Microsoft 365 without passing the Great Firewall. The route announcements will be done by the Azure Virtual WAN Hub to the virtual WAN Appliances in China. Everything which is not available via the Hong Kong route will be routed through the Internet Gateway in China. This provides a performance boost for business applications and makes your life easier as a result.
In addition to that, it’s also worth noting that you can set up filters and rules within the virtual WAN Appliance. You should also consider enabling logging traffic as well. That way, if someone from the Chinese government comes around and ask some questions, you’ll be prepared to show them how this works.
Optimizing the Azure/Office Authentication Environment
Looking a bit deeper on Azure and Office 365, you now can start to improve the performance, but at an application layer.
First, you should reduce the latency to your authentication environment. Most of my customers are using ADFS or Azure AD Authentication Passthrough for Single Sign-On. The responding servers are mostly only in the headquarters or in a single Azure Region. You should setup them on a global scale together with Traffic Manager or Azure Front Door to get them GeoIP and GeoDNS aware. let me show it in the example picture below.
The next step is to then get your Azure AD to work globally and break down the replication borders. Which means, change your Microsoft Contract so that the support can enable you for Azure AD geo-replication. With that, you can locate your users within other Azure AD regions.
Finally comes the last clue. You may know of Office 365 MultiGeo.
With Office 365 Multi-Geo, your organization can expand its Office 365 presence to multiple geographic regions and/or countries within your existing tenant. Reach out to your Microsoft Account Team to sign up your Multi-National Company for Office 365 Multi-Geo. With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you’ve chosen to meet data residency requirements, and at the same time unlock your global roll out of modern productivity experiences to your workforce.
MultiGeo normally is a tool to set the preferred data location for different Office 365 Services like Exchange or SharePoint online to solve compliance issues and questions. Microsoft does not support or praise it for performance improvement because you only move the backend data location.
Note that Office 365 Multi-Geo is not primarily designed for performance optimization, it is designed to meet data residency requirements. For information about performance optimization for Office 365, see Network planning and performance tuning for Office 365 or contact your support group.
But with the changes we spoke about prior in the blog, you can use it to increase performance. You move the Azure AD Account and Office Workspace for the given users to Hong Kong for example. With an authentication environment in that region, all traffic will be handled in Hong Kong and will not be rerouted to other locations. That will also increase the overall user experience and performance for those configured users.
This article presents a great way of dealing with the Great Firewall of China and maintaining performance levels within China. This simply gives us a few more tools at our disposal to make performance better for situations with users and infrastructure running from the Chinese mainland, while adhering to the proper laws and regulations with the Government in China.
What about you? Do you have a story to share about ways your organization has been impacted by the Great Firewall? We’d love to hear about it in the comments section below!
Go to Original Article
Author: Florian Klaffenbach