Tuesday, November 13, 2018

Getting in and out of China in the SD-WAN era

What is everyone doing to connect to sites in China these days? For all my non-China sites we're moving to SD-WAN over internet links, and planned to just keep MPLS at my sites in Hong Kong and the mainland (through the SD-WAN appliance) to hub and spoke the mainland to Hong Kong, where it could hop on the internet SD-WAN to everywhere else. This worked for about a month until there was some big expo and my VPN over the MPLS back to Hong Kong went belly up. We failed back to Check Point appliances on both sides, which seem to use encryption that the Great Firewall is okay with. (Using SteelConnect, and it just does pretty standard IPsec over port 4500 by default, so it doesn't surprise me that it got blocked.) We could also have just sent the data directly over the MPLS, but we tend to try to build tunnels and encrypt if possible.

I'd probably leave it this way, but the next challenge is that business management has heard of recent dawn raids on companies like ours in China and wants to get all the server hardware out of the offices. They feel as though putting all the Chinese data in a mainland region of AWS / Azure will at least keep us from having to worry about someone showing up and taking all the servers and killing the production lines until more hardware can be acquired, etc. Of course, since those regions don't talk to any non-mainland regions, it seems like I'd be routing my internal access to those things through my network in Hong Kong, through the mainland and over some China Telecom links to the AWS/Azure infrastructure.

Just curious what everyone else is doing to connect to China, both for access to on-premises networks and/or AWS/Azure, and your experiences with MPLS links in the country or even Aryaka.
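The failure described in the post (MPLS circuit still up, but the IPsec tunnel over it dying) is easy to misread as a carrier outage if the only thing monitored is the tunnel. The script below is an added example, not code from the post, from Riverbed, Check Point or any other vendor: it takes constructed probe records (an ICMP reachability probe across the underlay, and an IKE dead-peer-detection result on UDP/4500 for the same interval), distinguishes "underlay down" from "underlay fine but IKE/ESP not getting through", and maps each state to the path a controller would steer traffic onto. The record format, field names, path names and the three-sample threshold are all assumptions made for the example.

```python
"""Classify a WAN-tunnel failure as underlay outage vs. blocked IPsec.

Added example, not part of the original post or of any vendor product.
Input is a constructed probe log; one record per interval with the result of
an ICMP probe across the MPLS underlay and of an IKE DPD exchange on UDP/4500.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ProbeSample:
    t: int              # seconds since start (constructed)
    underlay_ok: bool   # ICMP echo across the MPLS underlay answered
    dpd_ok: bool        # IKE DPD / NAT-T keepalive on UDP/4500 answered

HEALTHY = "healthy"
UNDERLAY_DOWN = "underlay-down"   # the circuit itself passes nothing
IPSEC_BLOCKED = "ipsec-blocked"   # circuit passes ICMP but IKE/ESP is dropped
FAIL_THRESHOLD = 3                # consecutive intervals before declaring a state (assumption)

# Hypothetical path names a controller would steer traffic onto.
PATH_FOR_STATE = {
    HEALTHY: "primary-sdwan-ipsec",
    IPSEC_BLOCKED: "backup-firewall-ipsec",   # the tunnel flavour that still passed
    UNDERLAY_DOWN: "no-path-escalate-to-carrier",
}

def parse_probe_log(lines: List[str]) -> List[ProbeSample]:
    """Parse constructed records like 't=30 underlay=ok dpd=fail'."""
    samples = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        samples.append(ProbeSample(int(fields["t"]),
                                   fields["underlay"] == "ok",
                                   fields["dpd"] == "ok"))
    return samples

def classify(samples: List[ProbeSample], threshold: int = FAIL_THRESHOLD) -> str:
    """Name the failure mode from the trailing `threshold` samples."""
    if len(samples) < threshold:
        return HEALTHY                      # not enough evidence yet
    window = samples[-threshold:]
    if any(s.dpd_ok for s in window):
        return HEALTHY                      # the tunnel answered recently
    if all(not s.underlay_ok for s in window):
        return UNDERLAY_DOWN                # nothing crosses the circuit at all
    return IPSEC_BLOCKED                    # underlay reachable, IKE/ESP is not

def choose_path(state: str) -> str:
    """Map a classified state to the path traffic should use."""
    return PATH_FOR_STATE[state]

def transitions(samples: List[ProbeSample],
                threshold: int = FAIL_THRESHOLD) -> List[Tuple[int, str]]:
    """Replay the log and return (time, state) at every state change."""
    out, prev = [], None
    for i in range(1, len(samples) + 1):
        state = classify(samples[:i], threshold)
        if state != prev:
            out.append((samples[i - 1].t, state))
            prev = state
    return out

# Constructed probe log: tunnel dies at t=30 while the circuit still answers
# ICMP, then the circuit itself goes dark at t=60.
PROBE_LOG = """t=0 underlay=ok dpd=ok
t=10 underlay=ok dpd=ok
t=20 underlay=ok dpd=ok
t=30 underlay=ok dpd=fail
t=40 underlay=ok dpd=fail
t=50 underlay=ok dpd=fail
t=60 underlay=fail dpd=fail
t=70 underlay=fail dpd=fail
t=80 underlay=fail dpd=fail""".splitlines()

if __name__ == "__main__":
    for t, state in transitions(parse_probe_log(PROBE_LOG)):
        print(f"t={t:>3}s  state={state:<15} path={choose_path(state)}")
```

Separating the two probes is the point: the ICMP probe alone would have reported the MPLS link as fine while the tunnel was down, and the DPD probe alone would not have said whether the circuit or the encrypted channel was at fault. Requiring every sample in the window to fail before declaring a state keeps a single lost keepalive from flapping the path.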