This document provides an overview of the Aviatrix features that are supported and the requirements for implementing Aviatrix in the China regions. It also provides various options and design patterns for interconnecting Aviatrix in the China regions and Global regions.
| Feature | AWS China | Azure China | Alibaba Cloud China and Global |
| Controller Marketplace Launch | Yes | Yes | No |
| CoPilot Marketplace Launch | Yes | No | No |
| Controller Security Group Management | Yes | No | No |
| Multi Accounts | Yes | Yes | Yes |
| Launch Controller with CloudFormation | Yes | N/A | N/A |
| VPC Tool | Yes | Yes | Yes |
| FlightPath | Yes | Yes | Yes |
| Transit Network Spoke and Transit Gateways | Yes | Yes | Yes |
| Aviatrix Transit Gateway Peering | Yes | Yes | Yes |
| Transit to External IPsec Devices | Yes | Yes | Yes |
| Site2Cloud VPN for All Gateways | Yes | Yes | Yes |
| BGP over LAN | No | No | No |
| BGP over GRE | No | No | No |
| Native Peering | Yes | Yes | No |
| Network Segmentation | Yes | Yes | Yes |
| Firewall Network | Yes | No | No |
| Insane Mode Encryption | Yes | Yes | No |
| Managed CloudN | Private Preview | Private Preview | No |
| Aviatrix Edge | No | No | No |
| FQDN Egress Control | No | No | No |
| Stateful Firewall | No | No | No |
| Advanced NAT | No | No | No |
| ThreatIQ and ThreatGuard | No | No | No |
| Micro-Segmentation | No | No | No |
| Remote Access User VPN (OpenVPN) | No | No | No |
| PrivateS3 | No | N/A | N/A |
| Transit to AWS VGW | No | N/A | N/A |
| AWS Transit Gateway Orchestration | No | N/A | N/A |
| Controller Migrate | No | No | No |
| Terraform | Yes | Yes | Yes |
| Backup and Restore | Yes | Yes | Yes |
| Logging Service Integration (Rsyslog, Netflow, and CloudWatch) | Yes | Yes | Yes |
The following are the requirements to implement Aviatrix in AWS China, Azure China, and Alibaba China regions.
- The Aviatrix Controller must be deployed in the China region, for example, AWS China Ningxia region. Currently, an Aviatrix Controller in the Global region (non-China) does not support Aviatrix Gateways deployment and management in the China region. Similarly, an Aviatrix Controller in the China region does not support Aviatrix Gateways deployment and management in the Global region. See Unsupported Topologies.
- You must have an Internet Content Provider (ICP) license. An ICP license is required for opening a CSP account in the China region. For more information, see Acquiring a China ICP License.
The following topologies are not supported.
An Aviatrix Controller launched in the Global region does not support Aviatrix Gateways deployment and management in the China region.
An Aviatrix Controller launched in the China region does not support Aviatrix Gateways deployment and management in the Global region.
Regulations in China require you to acquire an Internet Content Provider (ICP) license from the government and register the license with your CSP to provide Internet services in China. In China, an ICP license is required to establish SSL connections between different regions, ISPs, CSPs, or to cross national borders. Aviatrix supports transit gateways using AWS China, Azure China, and Alibaba multi-cloud networks in the China region. Obtaining and implementing an ICP is a process, and you should follow the directions of your compliance experts.
Here are some general guidelines Aviatrix recommends to implement a multi-cloud network in the China region:
- Create or use a Legal Entity in China to apply for the ICP license.
- Apply for a Legal Domain Name in the China Registration.
- Acquire the ICP Certificate from the China Ministry of Industry and Information Technology (MIIT).
- Register the ICP Certificate with your CSP in the China region.
Use dedicated lines from certified telecom carries for connections between China and the rest of the world.
Tip
Slow connection speeds and high-latency associated with the China region can be overcome by using a dedicated line to create Aviatrix transit connections and deploying services close to the China region.
- Deploy the Aviatrix Controller, CoPilot (for AWS China only).
- Enter the certificate domain that was submitted during the ICP application in Aviatrix Controller (see What is Certificate Domain?.
- Deploy Aviatrix Secure Multi-Cloud Network in China.
The following consequences can result for non-compliance of the Chinese Government Regulations.
- The company is not permitted to open an account with a CSP in China region.
- Aviatrix Controller is unable to deploy and manage Aviatrix Gateways.
- The connection between Aviatrix Gateways is intermittent or becomes disconnected from time to time.
Site2Cloud can be established between Aviatrix Transit Gateways in the China region and the Global region.
The following options are available for the underlying network of Site2Cloud:
Public Internet
Note
Public Internet connections maybe unstable due to additional network traffic processing by the Chinese government.
- Private connectivity through certified telecom carriers such as China Telecom, China Unicom, and China Mobile
- Alibaba Cloud Network using VPC Peering or Alibaba Cloud Enterprise Network (Alibaba CEN) https://www.alibabacloud.com/product/cen
To create a global multi-cloud network with low-latency connectivity between the China region and the global region, we recommend that you use private connectivity provided by certified telecom carriers or through the Alibaba Cloud network.
For a description of the design patterns for these underlying networks, see Design Patterns for China Region.
To launch Aviatrix Controller in AWS China, do the following:
- Log in to the AWS China Portal.
- Navigate to the AWS Marketplace for the Ningxia and Beijing Region.
- Search for the keyword "Aviatrix."
Note
The Aviatrix Controller is available on both the AWS China and Azure China Marketplaces. Aviatrix CoPilot is available on AWS China Marketplace only.
Use the following URLs to find the Controller and CoPilot on the AWS China Marketplace:
Use the following URL to launch the Aviatrix Controller from the AWS CloudFormation in AWS China:
To launch Aviatrix Controller in Azure China, do the following:
- Log in to the Azure China Portal.
- Navigate to the Azure Marketplace for the China North region.
- Search for the keyword "Aviatrix."
Note
The Aviatrix Controller is available on both the AWS China and Azure China Marketplaces. Aviatrix CoPilot is available on AWS China Marketplace only. You can launch CoPilot only from AWS China.
Use the following URL to find the Controller on the Azure China Marketplace:
China region only
Cross-border connectivity through certified telecom carriers
Cross-border connectivity through Alibaba Cloud Enterprise Network (Alibaba CEN)
