Better connection to China

AWS, Azure, and all other public cloud providers use completely isolated instances of their platform in China. The idea of using their backbone as transport is great on paper but doesn’t work in practice because the instances and regions outside of China are not interconnected with the Chinese ones on their backbone.

The instability being experienced is a result of traversing the Internet across the China border, which has several challenges. You need a protected transport of some kind from a China-licensed vendor to address these issues.

Is it possible to do it with Azure instead?

Thanks for the great answer and details!

We do not permit solicitation on this subreddit.

We’re mainly using AT&T for MPLS and they have different LMP.
PS: between China and NA, do you have any other presence?

OK, so use Seoul, Tokyo, Osaka, Hong Kong, etc.

I don’t see why not, but you will need to find something that allows you to route between VPCs like AWS Transit Gateway… maybe Azure Virtual WAN?

We use Prisma Access everywhere but China. We use a dedicated EVPN P2P link via Singapore to egress China.

That Prisma link is not operated by Palo, so YMMV.

I’ve done it with Telstra Global. Completely managed from Australia. I never had to deal with the local telecoms but the MPLS tail was installed by China Telecom.

Once it was up and running - rock solid.

Would you then use a regular Internet tunnel to get out of China to one of those AWS locations? I think that then would still be affected by the Great Firewall which presumably causes much of their current problems.

Yes. It’s simple enough to test it out, and you can easily just delete everything afterwards. In my experience, I had a VPN tunnel from Singapore > North America that frequently ran into packet loss issues due to upstream ISP routing issues out of my control. By setting up a tunnel from Singapore to AWS Tokyo it took a better/more reliable path and generally things are more stable.

In my limited experience, mainland China to Hong Kong is stable and Hong Kong to the rest of the internet is also stable. So I assume by this logic an IPsec tunnel from a mainland China site to the Hong Kong AWS region, and then out to the internet or another location, would work okay.

I’ve been toying with the idea for one of my mainland sites as an alternative to China Telecom’s SDWAN solution that costs way too much money. So I’m hoping someone here will explain why this is a stupid idea.
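Both of the posts above boil down to the same experiment: probe the direct path and each candidate relay region (Tokyo, Hong Kong) from the affected site, then pick the one with acceptable loss before building a tunnel. The script below is an added example, not code from anyone in this thread: it parses `ping -c COUNT` output into per-probe RTTs, computes loss, median RTT and jitter for each path, and ranks the paths, refusing to prefer a low-latency relay that blows the loss budget. The region names, the ping output and the RTT numbers are all constructed for illustration.

```python
"""Rank candidate relay paths (direct vs. via an AWS region) from ping results.

Added example; sample data below is constructed, not a real measurement.
"""
import re
import statistics
from typing import Dict, List, Optional

# Matches the reply lines printed by Linux/BSD ping, e.g.
# "64 bytes from 52.0.0.1: icmp_seq=3 ttl=48 time=230 ms"
PING_RE = re.compile(r"icmp_seq=(\d+) .*?time=([\d.]+) ms")


def parse_ping(output: str, count: int) -> List[Optional[float]]:
    """Turn `ping -c COUNT` output into one RTT slot per probe (None = no reply).

    Loss is inferred from sequence numbers that never show up, which is what
    you see across a lossy border path: the missing icmp_seq values are the
    dropped probes.
    """
    rtts: List[Optional[float]] = [None] * count
    for line in output.splitlines():
        m = PING_RE.search(line)
        if m:
            seq = int(m.group(1))
            if 1 <= seq <= count:
                rtts[seq - 1] = float(m.group(2))
    return rtts


def path_stats(rtts: List[Optional[float]]) -> Dict[str, float]:
    """Loss fraction, median RTT (ms) and jitter (ms) for one probed path."""
    sent = len(rtts)
    answered = [r for r in rtts if r is not None]
    loss = 1.0 - len(answered) / sent if sent else 1.0
    if not answered:
        return {"loss": loss, "median_rtt": float("inf"), "jitter": float("inf")}
    median = statistics.median(answered)
    # Jitter as the mean absolute difference between consecutive replies;
    # large values point at flapping upstream routes, not just distance.
    diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = statistics.fmean(diffs) if diffs else 0.0
    return {"loss": loss, "median_rtt": median, "jitter": jitter}


def rank_paths(paths: Dict[str, List[Optional[float]]], max_loss: float = 0.02) -> List[str]:
    """Best path first. Paths over the loss budget are always ranked last,
    however fast they are; within each group lower (median + 2*jitter) wins."""
    scored = {name: path_stats(r) for name, r in paths.items()}

    def key(name: str):
        s = scored[name]
        return (s["loss"] > max_loss, s["median_rtt"] + 2 * s["jitter"])

    return sorted(scored, key=key)


# Constructed `ping -c 10` output for the direct path: probes 2, 5 and 8 never
# came back and the RTTs swing wildly, the pattern the thread describes.
SAMPLE_PING = """\
PING 52.0.0.1 (52.0.0.1) 56(84) bytes of data.
64 bytes from 52.0.0.1: icmp_seq=1 ttl=48 time=210 ms
64 bytes from 52.0.0.1: icmp_seq=3 ttl=48 time=230 ms
64 bytes from 52.0.0.1: icmp_seq=4 ttl=48 time=390 ms
64 bytes from 52.0.0.1: icmp_seq=6 ttl=48 time=215 ms
64 bytes from 52.0.0.1: icmp_seq=7 ttl=48 time=460 ms
64 bytes from 52.0.0.1: icmp_seq=9 ttl=48 time=220 ms
64 bytes from 52.0.0.1: icmp_seq=10 ttl=48 time=240 ms
"""

# Constructed per-probe RTTs for two hypothetical relay regions (ms, None = lost).
PATHS: Dict[str, List[Optional[float]]] = {
    "direct-us-east-1": parse_ping(SAMPLE_PING, 10),
    "via-ap-northeast-1": [165, 168, 170, 166, 169, 171, 167, 165, 170, 168],
    "via-ap-east-1": [150, 152, None, 151, 153, 150, 152, 151, 154, 150],
}

if __name__ == "__main__":
    for name in rank_paths(PATHS):
        s = path_stats(PATHS[name])
        print(f"{name:20s} loss={s['loss']:.0%} median={s['median_rtt']:.0f}ms "
              f"jitter={s['jitter']:.1f}ms")
```

With the 2% default budget the Hong Kong relay is the fastest path but loses one probe in ten, so it is ranked behind Tokyo; loosen `max_loss` and it wins on latency. In practice run several hundred probes per candidate at different times of day, since border-path loss is bursty and a ten-probe sample only demonstrates the logic.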

Yeah, when I’ve looked into this and gotten some quotes, hopping through Hong Kong has been one of the options given to us. Currently have service from http://www.hxboyue.com/ which uses Hong Kong as one of the egress points we can use, not without problems. I don’t think it’s a stupid idea, until China rearranges things in Hong Kong and you don’t have a service provider familiar with crossing the Great Firewall to help figure things out. Kind of makes sense that the bigger carriers like China Telecom would have more resources in that way, and charge more as well than a little guy like http://www.hxboyue.com/