About Aviatrix in the China Regions

This document provides an overview of the Aviatrix features that are supported and the requirements for implementing Aviatrix in the China regions. It also provides various options and design patterns for interconnecting Aviatrix in the China regions and Global regions.

You cannot update an IAM role-based policy using the Aviatrix Controller interface. If you encounter this issue, update the IAM policy manually using your AWS China account.

Features Supported in AWS China, Azure China, and Alibaba China Regions

Feature AWS China Azure China Alibaba Cloud China and Global

Controller Marketplace Launch

Yes

Yes

No

CoPilot Marketplace Launch

Yes

Yes

No

Controller Security Group Management

Yes

No

No

Multi Accounts

Yes

Yes

Yes

Launch Controller with CloudFormation

Yes

N/A

N/A

VPC Tool

Yes

Yes

Yes

FlightPath

Yes

Yes

Yes

Transit Network Spoke and Transit Gateways

Yes

Yes

Yes

Aviatrix Transit Gateway Peering

Yes

Yes

Yes

Transit to External IPsec Devices

Yes

Yes

Yes

Site2Cloud VPN for All Gateways

Yes

Yes

Yes

BGP over LAN

No

No

No

BGP over GRE

No

No

No

Native Peering

Yes

Yes

No

Network Segmentation

Yes

Yes

Yes

Firewall Network

Yes

No

No

High Performance Encryption Mode

Yes

Yes

No

Aviatrix Edge

No

No

No

FQDN Egress Control

No

No

No

Stateful Firewall

No

No

No

Advanced NAT

No

No

No

ThreatIQ

No

No

No

Micro-Segmentation

No

No

No

Remote Access UserVPN (OpenVPN)

No

No

No

PrivateS3

No

N/A

N/A

Transit to AWS VGW

No

N/A

N/A

AWS Transit Gateway Orchestration

No

N/A

N/A

Controller Migrate

No

No

No

Terraform

Yes

Yes

Yes

Backup and Restore

Yes

Yes

Yes

Logging Service Integration (Rsyslog, Netflow, and CloudWatch)

Yes

Yes

Yes

Requirements to Implement Aviatrix in China Regions

The following are the requirements to implement Aviatrix in AWS China, Azure China, and Alibaba China regions.

  • The Aviatrix Controller must be deployed in the China region, for example, AWS China Ningxia region. Currently, an Aviatrix Controller in the Global region (non-China) does not support Aviatrix Gateways deployment and management in the China region. Similarly, an Aviatrix Controller in the China region does not support Aviatrix Gateways deployment and management in the Global region. See Unsupported Topologies.

  • You must have an Internet Content Provider (ICP) license. An ICP license is required for opening a CSP account in the China region. For more information, see Acquiring a China ICP License.

Unsupported Topologies

The following topologies are not supported.

An Aviatrix Controller launched in the Global region does not support Aviatrix Gateways deployment and management in the China region.

aviatrix_china_unsupported_global_manage_china

An Aviatrix Controller launched in the China region does not support Aviatrix Gateways deployment and management in the Global region.

aviatrix_china_unsupported_china_manage_global

Acquiring a China ICP License

Regulations in China require you to acquire an Internet Content Provider (ICP) license from the government and register the license with your CSP to provide Internet services in China. In China, an ICP license is required to establish SSL connections between different regions, ISPs, CSPs, or to cross national borders. Aviatrix supports transit gateways using AWS China, Azure China, and Alibaba multicloud networks in the China region. Obtaining and implementing an ICP is a process, and you should follow the directions of your compliance experts.

Here are some general guidelines Aviatrix recommends to implement a multi-cloud network in the China region:

  • Create or use a Legal Entity in China to apply for the ICP license.

  • Apply for a Legal Domain Name in the China Registration.

  • Acquire the ICP Certificate from the China Ministry of Industry and Information Technology (MIIT).

  • Register the ICP Certificate with your CSP in the China region.

  • Use dedicated lines from certified telecom carries for connections between China and the rest of the world.

    Slow connection speeds and high-latency associated with the China region can be overcome by using a dedicated line to create Aviatrix transit connections and deploying services close to the China region.

  • Deploy the Aviatrix Controller and CoPilot.

  • Enter the certificate domain that was submitted during the ICP application in Aviatrix Controller (see What is a Certificate Domain?)

  • Deploy Aviatrix Secure Multicloud Network in China.

Consequences of Non-Compliance with the Chinese Government Regulations

The following consequences can result for non-compliance of the Chinese Government Regulations.

  • The company is not permitted to open an account with a CSP in China region.

  • Aviatrix Controller is unable to deploy and manage Aviatrix Gateways.

  • The connection between Aviatrix Gateways is intermittent or becomes disconnected from time to time.

Interconnecting Aviatrix in the China region and the Global region

Site2Cloud can be established between Aviatrix Transit Gateways in the China region and the Global region.

The following options are available for the underlying network of Site2Cloud:

  1. Public Internet

    Note

    Public Internet connections maybe unstable due to additional network traffic processing by the Chinese government.

aviatrix_china_site2cloud_internet
  1. Private connectivity through certified telecom carriers such as China Telecom, China Unicom, and China Mobile

aviatrix_china_site2cloud_telecoms
  1. Alibaba Cloud Network using VPC Peering or Alibaba Cloud Enterprise Network (Alibaba CEN) https://www.alibabacloud.com/product/cen

aviatrix_china_site2cloud_alicloud

To create a global multicloud network with low-latency connectivity between the China region and the global region, we recommend that you use private connectivity provided by certified telecom carriers or through the Alibaba Cloud network.

For a description of the design patterns for these underlying networks, see Design Patterns for China Region.

Launching Aviatrix Controller in AWS China

To launch Aviatrix Controller in AWS China, do the following:

  1. Log in to the AWS China Portal.

  2. Navigate to the AWS Marketplace for the Ningxia and Beijing Region.

  3. Search for the keyword "Aviatrix."

aviatrix_aws_china_marketplace

Use the following URLs to find the Controller and CoPilot on the AWS China Marketplace:

Use the following URL to launch the Aviatrix Controller from the AWS CloudFormation in AWS China:

Launching Aviatrix Controller in Azure China

To launch Aviatrix Controller in Azure China, do the following:

  1. Log in to the Azure China Portal.

  2. Navigate to the Azure Marketplace for the China North region.

  3. Search for the keyword "Aviatrix."

aviatrix_azure_china_marketplace

Use the following URL to find the Controller on the Azure China Marketplace:

Design Patterns for China region

China region only

aviatrix_china_design_china_only

Cross-border connectivity through certified telecom carriers

aviatrix_china_design_cross_border_telecom

Cross-border connectivity through Alibaba Cloud Enterprise Network (Alibaba CEN)

aviatrix_china_design_cross_border_alicloud