About Aviatrix in the China Regions
This document provides an overview of the Aviatrix features that are supported and the requirements for implementing Aviatrix in the China regions. It also provides various options and design patterns for interconnecting Aviatrix in the China regions and Global regions.
Note: You cannot update an IAM role-based policy using the Aviatrix Controller interface. If you encounter this issue, update the IAM policy manually using your AWS China account.
Features Supported in AWS China, Azure China, and Alibaba China Regions
| Feature | AWS China | Azure China | Alibaba Cloud China and Global |
|---|---|---|---|
| Controller Marketplace Launch | Yes | Yes | No |
| CoPilot Marketplace Launch | Yes | Yes | No |
| Controller Security Group Management | Yes | No | No |
| Multi Accounts | Yes | Yes | Yes |
| Launch Controller with CloudFormation | Yes | N/A | N/A |
| VPC Tool | Yes | Yes | Yes |
| FlightPath | Yes | Yes | Yes |
| Transit Network Spoke and Transit Gateways | Yes | Yes | Yes |
| Aviatrix Transit Gateway Peering | Yes | Yes | Yes |
| Transit to External IPsec Devices | Yes | Yes | Yes |
| Site2Cloud VPN for All Gateways | Yes | Yes | Yes |
| BGP over LAN | No | No | No |
| BGP over GRE | No | No | No |
| Native Peering | Yes | Yes | No |
| Network Segmentation | Yes | Yes | Yes |
| Firewall Network | Yes | No | No |
| High Performance Encryption Mode | Yes | Yes | No |
| Aviatrix Edge | No | No | No |
| FQDN Egress Control | No | No | No |
| Stateful Firewall | No | No | No |
| Advanced NAT | No | No | No |
| ThreatIQ | No | No | No |
| Micro-Segmentation | No | No | No |
| Remote Access UserVPN (OpenVPN) | No | No | No |
| PrivateS3 | No | N/A | N/A |
| Transit to AWS VGW | No | N/A | N/A |
| AWS Transit Gateway Orchestration | No | N/A | N/A |
| Controller Migrate | No | No | No |
| Terraform | Yes | Yes | Yes |
| Backup and Restore | Yes | Yes | Yes |
| Logging Service Integration (Rsyslog, Netflow, and CloudWatch) | Yes | Yes | Yes |
Requirements to Implement Aviatrix in China Regions
The following are the requirements to implement Aviatrix in AWS China, Azure China, and Alibaba China regions.
- The Aviatrix Controller must be deployed in the China region, for example, the AWS China Ningxia region. Currently, an Aviatrix Controller in the Global region (non-China) does not support Aviatrix Gateway deployment and management in the China region. Similarly, an Aviatrix Controller in the China region does not support Aviatrix Gateway deployment and management in the Global region. See Unsupported Topologies.
- You must have an Internet Content Provider (ICP) license. An ICP license is required for opening a CSP account in the China region. For more information, see Acquiring a China ICP License.
Unsupported Topologies
The following topologies are not supported:
- An Aviatrix Controller launched in the Global region does not support Aviatrix Gateway deployment and management in the China region.
- An Aviatrix Controller launched in the China region does not support Aviatrix Gateway deployment and management in the Global region.
Acquiring a China ICP License
Regulations in China require you to acquire an Internet Content Provider (ICP) license from the government and register the license with your CSP to provide Internet services in China. In China, an ICP license is required to establish SSL connections between different regions, ISPs, or CSPs, or to cross national borders. Aviatrix supports transit gateways using AWS China, Azure China, and Alibaba multicloud networks in the China region. Obtaining and implementing an ICP license is a process, and you should follow the directions of your compliance experts.
Here are some general guidelines Aviatrix recommends to implement a multi-cloud network in the China region:
- Create or use a Legal Entity in China to apply for the ICP license.
- Apply for a Legal Domain Name in the China Registration.
- Acquire the ICP Certificate from the China Ministry of Industry and Information Technology (MIIT).
- Register the ICP Certificate with your CSP in the China region.
- Use dedicated lines from certified telecom carriers for connections between China and the rest of the world.
  Slow connection speeds and high latency associated with the China region can be overcome by using a dedicated line to create Aviatrix transit connections and deploying services close to the China region.
- Deploy the Aviatrix Controller and CoPilot.
- Enter the certificate domain that was submitted during the ICP application in the Aviatrix Controller (see What is a Certificate Domain?).
- Deploy the Aviatrix Secure Multicloud Network in China.
Consequences of Non-Compliance with the Chinese Government Regulations
The following consequences can result from non-compliance with Chinese government regulations:
- The company is not permitted to open an account with a CSP in the China region.
- The Aviatrix Controller is unable to deploy and manage Aviatrix Gateways.
- The connection between Aviatrix Gateways is intermittent or becomes disconnected from time to time.
Interconnecting Aviatrix in the China region and the Global region
Site2Cloud can be established between Aviatrix Transit Gateways in the China region and the Global region.
The following options are available for the underlying network of Site2Cloud:
- Public Internet
  Note: Public Internet connections may be unstable due to additional network traffic processing by the Chinese government.
- Private connectivity through certified telecom carriers such as China Telecom, China Unicom, and China Mobile
- Alibaba Cloud Network using VPC Peering or Alibaba Cloud Enterprise Network (Alibaba CEN): https://www.alibabacloud.com/product/cen
To create a global multicloud network with low-latency connectivity between the China region and the global region, we recommend that you use private connectivity provided by certified telecom carriers or through the Alibaba Cloud network.
For a description of the design patterns for these underlying networks, see Design Patterns for China Region.
Launching Aviatrix Controller in AWS China
To launch Aviatrix Controller in AWS China, do the following:
- Log in to the AWS China Portal.
- Navigate to the AWS Marketplace for the Ningxia and Beijing Region.
- Search for the keyword "Aviatrix."
Use the following URLs to find the Controller and CoPilot on the AWS China Marketplace:
Use the following URL to launch the Aviatrix Controller from the AWS CloudFormation in AWS China:
Launching Aviatrix Controller in Azure China
To launch Aviatrix Controller in Azure China, do the following:
- Log in to the Azure China Portal.
- Navigate to the Azure Marketplace for the China North region.
- Search for the keyword "Aviatrix."
Use the following URL to find the Controller on the Azure China Marketplace: