| 1 | +--- |
| 2 | +title: 'Interconnect with China using Azure Virtual WAN and secure Hub' |
| 3 | +description: Learn about Virtual WAN automated scalable branch-to-branch connectivity, available regions, and partners. |
| 4 | +services: virtual-wan |
| 5 | +author: cherylmc |
| 6 | + |
| 7 | +ms.service: virtual-wan |
| 8 | +ms.topic: conceptual |
| 9 | +ms.date: 03/25/2020 |
| 10 | +ms.author: cherylmc |
| 11 | + |
| 12 | +--- |
| 13 | + |
| 14 | +# Interconnect with China using Azure Virtual WAN and Secure Hub |
| 15 | + |
| 16 | +When looking at common manufacturing industries, there is often the question about how to improve interconnection with China. Those improvements are mostly relevant for using Cloud Services like Office 365, Azure Global Services, or interconnect branches inside of China with a customer backbone. |
| 17 | + |
| 18 | +In most of the cases, customers are struggling with high latencies, low bandwidth, unstable connection, and high costs connecting to outside of China (for example, Europe or the United States). |
| 19 | + |
| 20 | +A reason for these struggles is the "Great Firewall of China", which protects the Chinese part of the Internet and filters traffic to China. Nearly all traffic running from China Mainland to outside of China, except the special administration zones like Hong Kong and Macau, passes the Great Firewall. The traffic running through Hong Kong and Macau does not hit the Great Firewall in full force, it is handled by a subset of the Great Firewall. |
| 21 | + |
| 22 | + |
| 23 | + |
| 24 | +Using Virtual WAN, a customer can establish a more performant and stable connection to Microsoft Cloud Services and a connection to their enterprise network without breaking the Chinese cybersecurity law. |
| 25 | + |
| 26 | +## <a name="requirements"></a>Requirements and workflow |
| 27 | + |
| 28 | +If you want to stay compliant to the Chinese cybersecurity law, you need to meet a set of certain conditions. |
| 29 | + |
| 30 | +First, you need to work together with a network and ISP who owns an ICP (Internet Content Provider) license for China. In most cases, you'll end up with one of the following providers: |
| 31 | + |
| 32 | +* China Telecom Global Ltd. |
| 33 | +* China Mobile Ltd. |
| 34 | +* China Unicom Ltd. |
| 35 | +* PCCW Global Ltd. |
| 36 | +* Hong Kong Telecom Ltd. |
| 37 | + |
| 38 | +Depending on the provider and your needs, you now need to purchase one of the following network connectivity services to interconnect your branches within China. |
| 39 | + |
| 40 | +* A MPLS/IPVPN Network |
| 41 | +* A Software Defined WAN (SDWAN) |
| 42 | +* Dedicated Internet Access |
| 43 | + |
| 44 | +Next, you need to agree with that provider to give a breakout to the Microsoft Global Network and its Edge Network in Hong Kong, not in Beijing or Shanghai. In this case, Hong Kong is very import because of its physical connection and location to China. |
| 45 | + |
| 46 | +While most customers think using Singapore for interconnect is the best case because it looks nearer to China when looking on the map, this is not true. When you follow network fiber maps, nearly all network connects go through Beijing, Shanghai, and Hong Kong. This makes Hong Kong a better location choice to interconnect to China. |
| 47 | + |
| 48 | +Depending on the provider, you may get different service offerings. The table below shows an example of providers and the service they offer, based on information at the time this article was written. |
| 49 | + |
| 50 | +| Service | Provider examples | |
| 51 | +| --- | --- | |
| 52 | +| MPLS/IPVPN Network |PCCW, China Telecom Global | |
| 53 | +|SDWAN| PCCW, China Telecom Global| |
| 54 | +| Dedicated Internet Access | PCCW, Hong Kong Telecom, China Mobil, PCCW | |
| 55 | + |
| 56 | +With your provider, you can agree on which of the following two solutions to use to reach the Microsoft global backbone: |
| 57 | + |
| 58 | +* Getting a Microsoft Azure ExpressRoute terminated in Hong Kong. That would be the case for the use of MPLS/IPVPN. Currently, only the only ICP license provider with ExpressRoute to Hong Kong is China Telecom Global. However, they can also talk to the other providers if they leverage Cloud Exchange Providers like Megaport or InterCloud. For more information, see [ExpressRoute connectivity providers](../expressroute/expressroute-locations-providers.md#partners). |
| 59 | + |
| 60 | +* Using a Dedicated Internet Access directly at one of the following Internet Exchange Points, or using a private network interconnect. |
| 61 | + |
| 62 | +The following list shows Internet Exchanges possible in Hong Kong: |
| 63 | + |
| 64 | +* AMS-IX Hong Kong |
| 65 | +* BBIX Hong Kong |
| 66 | +* Equinix Hong Kong |
| 67 | +* HKIX |
| 68 | + |
| 69 | +When using this connect, your next BGP hop for Microsoft Services must be Microsoft Autonomous System Number (AS#) 8075. If you use a single location or SDWAN solution, that would be the choice of connection. |
| 70 | + |
| 71 | +Either way, we still recommend that you have a second and regular Internet Breakout into the Chinese Mainland. This is to split the traffic between enterprise traffic to cloud services like Microsoft 365 and Azure, and by-law regulated Internet traffic. |
| 72 | + |
| 73 | +A compliant network architecture within China could look like the following example: |
| 74 | + |
| 75 | + |
| 76 | + |
| 77 | +In this example, having an interconnect with the Microsoft Global Network in Hong Kong, you can now start to leverage the [Azure Virtual WAN Global Transit Architecture](virtual-wan-global-transit-network-architecture.md) and additional services, like Azure secure Virtual WAN hub, in order to consume services and interconnect to your branches and datacenter outside China. |
| 78 | + |
| 79 | +## <a name="hub-to-hub"></a>Hub-to-hub communication |
| 80 | + |
| 81 | +In this section, we use Virtual WAN hub-to-hub communication to interconnect. In this scenario, you create a new Virtual WAN hub resource to connect to a Virtual WAN hub in Hong Kong, other regions you prefer, a region where you already have Azure resources, or where want to connect. |
| 82 | + |
| 83 | +A sample architecture could look like following example: |
| 84 | + |
| 85 | + |
| 86 | + |
| 87 | +In this example, the China branches connect to Azure Cloud China and each other by using VPN or MPLS connections. Branches that need to be connected to Global Services use MPLS or Internet-based services that are connected directly to Hong Kong. If you want to use ExpressRoute in Hong Kong as well as in the other region, you need to configure [ExpressRoute Global Reach](../expressroute/expressroute-global-reach.md) to interconnect both ExpressRoute Circuits. |
| 88 | + |
| 89 | +ExpressRoute Global Reach is not available in some regions. If you need to interconnect with Brazil or India, for example, you need to leverage [Cloud Exchange Providers](../expressroute/expressroute-locations.md#connectivity-through-exchange-providers) to provide the routing services. |
| 90 | + |
| 91 | +The figure below shows both examples for this scenario. |
| 92 | + |
| 93 | + |
| 94 | + |
| 95 | +## <a name="secure"></a>Secure Internet breakout for Office 365 |
| 96 | + |
| 97 | +Another consideration is network security as well as logging for the entry point between China and the Virtual WAN established backbone component, and the customer backbone. In most cases, there is a need to breakout to the Internet in Hong Kong to directly reach the Microsoft Edge Network and, with that, the Azure Front Door Servers used for Microsoft 365 Services. |
| 98 | + |
| 99 | +For both scenarios with Virtual WAN, you would leverage the [Azure Virtual WAN secured hub](../firewall-manager/secured-virtual-hub.md). Using Azure Firewall Manager, you can change a regular Virtual WAN hub to a secured hub, and then deploy and manage an Azure Firewall within that hub. |
| 100 | + |
| 101 | +The following figure shows an example of this scenario: |
| 102 | + |
| 103 | + |
| 104 | + |
| 105 | +## <a name="traffic"></a>Architecture and traffic flows |
| 106 | + |
| 107 | +Depending on your choice regarding the connection to Hong Kong, the overall architecture may change slightly. This section shows three available architectures in different combination with VPN or SDWAN and/or ExpressRoute. |
| 108 | + |
| 109 | +All of these options make use of Azure Virtual WAN secured hub for direct M365 connectivity in Hong Kong. These architectures also support the compliance requirements for [Office 365 Multi-Geo](https://docs.microsoft.com/office365/enterprise/office-365-multi-geo) and keep that traffic near the next Office 365 Front Door location. As a result, it's also an improvement for the usage of Microsoft 365 out of China. |
| 110 | + |
| 111 | +When using Azure Virtual WAN together with Internet connections, every connection can benefit from additional services like [Microsoft Azure Peering Services (MAPS)](https://docs.microsoft.com/azure/peering-service/about). MAPS was built to optimize traffic coming to the Microsoft Global Network from 3rd Party Internet Service Providers. |
| 112 | + |
| 113 | +### <a name="option-1"></a>Option 1: SDWAN or VPN |
| 114 | + |
| 115 | +This section discusses a design that uses SDWAN or VPN to Hong Kong and to other branches. This option shows the use and traffic flow when using pure Internet connection on both sites of the Virtual WAN backbone. In this case, the connection is brought to Hong Kong using dedicated Internet access, or an ICP provider SDWAN solution. Other branches are using pure Internet or SDWAN Solutions as well. |
| 116 | + |
| 117 | + |
| 118 | + |
| 119 | +In this architecture, every site is connected to the Microsoft Global Network by using VPN and Azure Virtual WAN. The traffic between the sites and Hong Kong is transmitted trough the Microsoft Network and only uses regular Internet connection on the last mile. |
| 120 | + |
| 121 | +### <a name="option-2"></a>Option 2: ExpressRoute and SDWAN or VPN |
| 122 | + |
| 123 | +This section discusses a design that uses ExpressRoute in Hong Kong and other Branches with VPN/SDWAN Branches. This option shows the use of and ExpressRoute terminated in Hong Kong and other branches connected via SDWAN or VPN. ExpressRoute in Hong Kong is currently limited to a short list of Providers, which you can find in the list of [Express Route Partners](../expressroute/expressroute-locations-providers.md#global-commercial-azure). |
| 124 | + |
| 125 | + |
| 126 | + |
| 127 | +There are also options to terminate ExpressRoute from China, for example, in South Korea or Japan. But, given compliance, regulation, and latency, Hong Kong is currently the best choice. |
| 128 | + |
| 129 | +### <a name="option-3"></a>Option 3: ExpressRoute only |
| 130 | + |
| 131 | +This section discusses a design that where ExpressRoute is used for Hong Kong and other Branches. This option shows the interconnect using ExpressRoute on both ends. Here you have a different traffic flow than the other. The Microsoft 365 traffic will flow to the Azure virtual WAN secured hub and from there to the Microsoft Edge Network and the Internet. |
| 132 | + |
| 133 | +The traffic that goes to the interconnected branches or from them to the locations in China will follow a different approach within that architecture. Currently virtual WAN does not support ExpressRoute to ExpressRoute transit. The traffic will leverage ExpressRoute Global Reach or the 3rd Party interconnect without passing the virtual WAN Hub. It will directly flow from one Microsoft Enterprise Edge (MSEE) to another. |
| 134 | + |
| 135 | + |
| 136 | + |
| 137 | +Currently ExpressRoute Global Reach is not available in every country, but you can configure a solution using Azure Virtual WAN. |
| 138 | + |
| 139 | +You can, for example, configure an ExpressRoute with Microsoft Peering and connect a VPN tunnel through that peering to Azure Virtual WAN. Now you have enabled, again, the transit between VPN and ExpressRoute without Global Reach and 3rd party provider and service, such as Megaport Cloud. |
| 140 | + |
| 141 | +## Next steps |
| 142 | + |
| 143 | +See the following articles for more information: |
| 144 | + |
| 145 | +* [Global Transit network architecture with Azure Virtual WAN](virtual-wan-global-transit-network-architecture.md) |
| 146 | + |
| 147 | +* [Create a Virtual WAN hub](virtual-wan-site-to-site-portal.md) |
| 148 | + |
| 149 | +* [Configure a Virtual WAN secured hub](../firewall-manager/secure-cloud-network.md) |
| 150 | + |
| 151 | +* [Azure Peering Service Preview Overview](https://docs.microsoft.com/azure/peering-service/about) |
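Review bot: the front-matter `description` (line 3 of the file) does not describe this article: "Learn about Virtual WAN automated scalable branch-to-branch connectivity, available regions, and partners" reads as copied from the Virtual WAN overview page, and it is what search results and the docs index will display; suggest replacing it with a one-line summary of this page, for example "Learn how to use Azure Virtual WAN and a secured hub to interconnect branches in China with Microsoft cloud services and your enterprise network via Hong Kong." A few wording defects in the body should be fixed before merge: "Currently, only the only ICP license provider" (duplicated "only"), "Hong Kong is very import" ("important"), "transmitted trough the Microsoft Network" ("through"), "pure Internet connection on both sites of the Virtual WAN backbone" ("sides"), "This option shows the use of and ExpressRoute" ("of an ExpressRoute"), and "a design that where ExpressRoute is used" (drop "that"). In the provider table, the Dedicated Internet Access row lists PCCW twice and spells "China Mobil"; the bulleted provider list above it uses "China Mobile Ltd.", so the row should be `| Dedicated Internet Access | PCCW, Hong Kong Telecom, China Mobile |`. Finally, several paragraphs announce a figure ("The figure below shows both examples", "The following figure shows an example of this scenario", "A compliant network architecture ... could look like the following example") but the diff shows only blank lines at those positions; please confirm the image references and media files are included in this change, otherwise those sentences point at nothing.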