Building a Solution for China Cross-Border VPC Connection

By Xianying Lu, Sr. Cloud Product Manager – China Telecom Global
By Kevin Liu, Sr. Networking Specialist – AWS China

Many customers want to connect commercial regions to the China regions. For instance, they want to transfer objects from commercial Amazon Simple Storage Service (Amazon S3) regions to China regions S3, or transfer Amazon Elastic Container Registry (Amazon ECR) images between commercial regions to China regions.

However, China’s compliance and infrastructure requirements are different than other countries. It requires isolation between virtual private clouds (VPCs) in the China regions and VPCs in the other global regions.

In this post, we present a solution that enables cross-border connectivity between six Amazon Web Services (AWS) commercial regions and China regions using a third-party marketplace solution that relies on AWS Direct Connect partners.

This solution enables customers to connect two VPCs between AWS commercial and China regions using a partner-offered hosted connection. China Telecom and China Unicom, both AWS Direct Connect partners, offer this regulation-compliant solution through AWS Marketplace:

• China Telecom on AWS Marketplace
• China Unicom on AWS Marketplace

By working directly with AWS Direct Connect partners, this solution provides customers a cross-border connection within one week, as opposed to the median four weeks expected through other offerings. It also comes with the benefits of adjustable bandwidth limits and consolidated billing within AWS Marketplace.

The following step-by-step guide focus on China Telecom’s solution, but China Unicom’s guide is the same.

Solution Overview

China Telecom’s solution demonstrates how to set up a cross-border connection between VPCs in China regions and AWS global regions. The following example illustrates a SIN (Singapore region) to ZHY (Ningxia region) cross-border connection, which includes these AWS services and features:

• Two VPCs (one in SIN region, one in ZHY region) created by the customer.
• Two direct connections (one in SIN region, one in ZHY regions) provided by an AWS Direct Connect partner in AWS Marketplace.
• Two virtual interfaces (one in SIN region, one in ZHY region) created by the customer.

Figure 1 – Example connection between the SIN and ZHY regions.

Prerequisites

The following prerequisites are required to start the service application:

• Service requirement: from where (global region) to where (China region), cross-border Direct Connect circuit bandwidth (10-500 Mbps), subscription term (1-month/3-month/6-month/12-month)
• AWS account IDs (both global and China regions)
• Amazon VPCs (both global and China regions)
• AWS Virtual Private Gateways (both global and China regions)
• Customer info (entity name, addresses)
• Customer contact info (name, phone, email)

Provisioning Steps

To begin the provisioning process to set up the connection, customers can follow these steps which we’ll walk you through one by one:

• Subscribe to the telco solution in AWS Marketplace.
• Input the necessary information requested in the telco console page.
• Create a private virtual interface (VIF) for both VPCs in their respective regions after the Direct Connect connection is established.

Step 1: Subscribe to the Telco Solution in AWS Marketplace

• Go to the partner landing page, and choose the cross-border source and destination (take Ningxia to Singapore, for example).

Figure 2 – The partner landing page.

• Click Link To Commercial and it will be redirected to the “Ningxia to Singapore” Marketplace subscription page.
• Subscribe to the telco solution and choose a contract.
• Click the View purchase options button and choose your connection contract options (we chose free trail in this example).

Figure 3 – Service subscription page.

• Click the Create contract button and choose Pay now, and then select Set up your account. The page will be redirected to a telco console page.

Step 2: Input Information Requested in the Telco Console Page

• Register an account on the telco console website.
• Input email and password, and then it will be redirected to the telco console website. Enter the login information you just created, and you will log in to the console website.
• Input the necessary information requested, and click the Enterprise +Add button and put in the contact information.

Figure 4 – Enterprise information filling page.

• Click the Submit button, and after the telco approves the enterprise information the data status will change to “Effective.”
• After that, click the Contacts tab, select the +Add Contact button, and then input the contact information of the technical, business, and billing person. After submission, the enterprise information will display “Effective.”
• Input in the business information (region info, bandwidth, account ID) so the China telco can create two AWS Direct Connect connections. After submission, the business applying information will display.

Figure 5 – Contact information filling page.

Step 3: Create Private VIFs in Global and China Regions

After compliance is validated and all requirements are met, the customer will get a Direct Connect connection in both regions in 3-5 working days. Let’s take the following topology as an example to show how to proceed with the configuration.

Note the account’s business development team will notify the customer offline when compliance is validated.

Figure 6 – Example topology.

• Accept the Direct Connect connection the China telco provided in both global regions and China regions.
• Accept the Direct Connect connection in the global AWS console; switch accounts and accept the connection in China AWS console.

Figure 7 – Direct Connect connection acceptance page.

• Configure private VIF in both global and China regions.
• Log in to the global console. Configure private VIF in the global region; configure the VLAN ID the China telco provided, and configure the China region virtual private gateway (VGW) autonomous system number (ASN) as border gateway protocol (BGP).

Figure 8 – VIF settings page in SIN console.

• Switch accounts and configure private VIF in the China region; configure VLAN ID the China telco provided and configure the global region VGW ASN as BGP ASN.

Figure 9 – VIF settings page in ZHY console.

• After a moment, you will see the private VIFs are available in both China and global regions.

Step 4: Configure the VPC Subnet Route Table

• Enable the global VPC subnet route table to propagate, and the route table will learn the China VPC CIDR from VGW.

Figure 10 – Subnet route table in SIN.

• Enable the China VPC subnet route table to propagate, and the route table will learn the global VPC CIDR from VGW.

Figure 11 – Subnet route table in ZHY.

Step 5: Test the Result

Ping Amazon Elastic Compute Cloud (Amazon EC2) in the ZHY region from EC2 in the SIN region—it works!

Figure 12 – Ping test result from SIN to ZHY.

Step 6: Troubleshooting the Connection

• If VIF BGP status is not active, confirm the VLAN ID, BGP ASN, peer IP, and MD5 password are configured right.
• If VIF BGP status is active, confirm the VPC subnet route table learned the peer VPC prefixes.
• If VIF BGP status is active and VPC subnet route table learned the peer VPC prefixes, make sure all of the EC2 security groups open the correct port and VPC subnet network ACL allow the traffics.

Conclusion

In this post, we presented a solution for connecting VPCs between China regions and AWS global regions using a third-party AWS Marketplace solution provided by existing AWS Direct Connect partners through a simplified process.

This solution offers customers the benefits of shorter service cross-border Direct Connect provisioning lead-time, flexible bandwidth, and consolidated billing.

China Telecom and China Unicom, both AWS Direct Connect partners, offer this regulation-compliant solution through AWS Marketplace:

• China Telecom on AWS Marketplace
• China Unicom on AWS Marketplace