Overview

If you serve users in the People's Republic of China, consider using local infrastructure there to enhance the performance and availability of your web applications, especially when traversing the Great Firewall of China (GFW).

CloudFront China

AWS offers the capability to deploy web applications in China using one of two AWS regions in China and a local partition of CloudFront called CloudFront China, distinct from the CloudFront Global partition. CloudFront China's Points of Presence (PoPs) are located within mainland China, operated by Ningxia Western Cloud Data Co. Ltd. (NWCD), and built using infrastructure isolated from CloudFront Global.

Before creating a distribution using CloudFront China, you must first obtain an Internet Content Provider (ICP) recordal for your root domain, such as example.cn, from the Chinese authorities. Note that you cannot use the default CloudFront domain (*.cloudfront.cn) to serve content. You must add an alternate domain name, also known as a CNAME or alias, to your CloudFront China distribution and then use that domain name in the URLs for your content. The ICP recordal must be applied for by an entity located in mainland China. Furthermore, the root domain must be registered through a qualified Chinese domain name registrar and must resolve to an IP address hosted within mainland China. Consult the AWS China ICP recordal support documentation for more details on obtaining the required ICP recordal for your domain before proceeding.

While CloudFront China is largely based on the same software stack as CloudFront Global, it does not have full feature parity with CloudFront Global. Consider the parity differences between the two CloudFront partitions when designing your application with CloudFront China (e.g. Lambda@Edge and Origin Shield are not available with CloudFront China). Also, consider the feature parity for AWS WAF.

To get started with CloudFront China, follow the instructions in the following blog. You will learn how to use the AWS Cloud Development Kit (CDK) to deploy a CloudFront China distribution with an S3 origin hosted in the AWS China (Beijing) Region.

Common use cases

Improving performance from China to CloudFront Global

If you have a web application that you serve globally (e.g. www.example.com), and you want to expand it to users in China without registering a new domain name in China (e.g. www.example.cn) and applying for an ICP recordal, you can use CloudFront Global to deliver traffic to China from nearby PoPs outside of China (e.g. Hong Kong).

To improve the performance and availability of your web application for users in China in this case, you can leverage the Zenlayer proxy. Zenlayer operates International Private Leased Circuits (IPLC) connecting mainland China to locations outside of China, offering a more stable connection to CloudFront Global PoPs.

The following steps explain how to implement this architecture:

  1. Acquire the Zenlayer service from the AWS Marketplace, and configure it to point to your global domain name hosted on CloudFront Global. Zenlayer will provide you with an IP address to use in China (e.g. 1.2.3.4) so that your users benefit from their IPLC infrastructure.
  2. In your public hosted zone (example.com) in Route 53 Global, modify your existing www record and change it to use a Geolocation routing policy, with the default location (all users not matched by another record) pointing to your CloudFront Global distribution.
  3. Add another www record, also with a Geolocation routing policy, but with the location set to China and pointing to the IP address provided by Zenlayer.
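As an added example that is not part of the original page, the following Python builds the Route 53 change batch that implements steps 2 and 3 (the JSON you would pass to `aws route53 change-resource-record-sets --change-batch`) and lint-checks it before submission. The distribution domain, the Zenlayer IP 1.2.3.4 and the SetIdentifier names are placeholders; the CloudFront alias hosted zone ID is the fixed value Route 53 uses for all CloudFront alias targets.

```python
import ipaddress

# Fixed hosted zone ID Route 53 uses for every CloudFront alias target.
CLOUDFRONT_ALIAS_HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"


def cloudfront_alias(dns_name):
    """Alias target block pointing at a CloudFront distribution."""
    return {"HostedZoneId": CLOUDFRONT_ALIAS_HOSTED_ZONE_ID,
            "DNSName": dns_name, "EvaluateTargetHealth": False}


def geolocation_change_batch(name, cloudfront_domain, china_proxy_ip,
                             replace_simple_record=True, ttl=60):
    """Change batch for steps 2 and 3: split the www record by geolocation.

    Route 53 does not let a simple record and geolocation records with the
    same name and type coexist, so the existing simple alias is DELETEd in
    the same (atomic) batch before the two geolocation records are CREATEd.
    """
    ipaddress.IPv4Address(china_proxy_ip)  # ValueError if the proxy IP is malformed
    changes = []
    if replace_simple_record:
        changes.append({"Action": "DELETE", "ResourceRecordSet": {
            "Name": name, "Type": "A", "AliasTarget": cloudfront_alias(cloudfront_domain)}})
    # Default location ("*"): everyone not matched below stays on CloudFront Global.
    changes.append({"Action": "CREATE", "ResourceRecordSet": {
        "Name": name, "Type": "A", "SetIdentifier": "global-default",
        "GeoLocation": {"CountryCode": "*"},
        "AliasTarget": cloudfront_alias(cloudfront_domain)}})
    # China (ISO country code CN): resolve to the Zenlayer-provided IP (placeholder).
    changes.append({"Action": "CREATE", "ResourceRecordSet": {
        "Name": name, "Type": "A", "SetIdentifier": "china-zenlayer",
        "GeoLocation": {"CountryCode": "CN"}, "TTL": ttl,
        "ResourceRecords": [{"Value": china_proxy_ip}]}})
    return {"Comment": "www: CN via Zenlayer IPLC, default via CloudFront Global",
            "Changes": changes}


def lint_change_batch(batch):
    """Return a list of problems Route 53 would reject; an empty list means OK."""
    problems = []
    geo = [c["ResourceRecordSet"] for c in batch["Changes"]
           if "GeoLocation" in c["ResourceRecordSet"]]
    ids = [r["SetIdentifier"] for r in geo]
    if len(ids) != len(set(ids)):
        problems.append("SetIdentifier values must be unique")
    if sum(1 for r in geo if r["GeoLocation"].get("CountryCode") == "*") != 1:
        problems.append("exactly one default (*) geolocation record is required")
    return problems
```

Without the default ("*") record, Route 53 answers NXDOMAIN for every resolver location that is not explicitly matched, which is why the lint insists on exactly one.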

Note that there is a risk of the GFW blocking your global domain name (e.g. www.example.com). To reduce this risk, and to further improve the performance of your web application, consider using a CloudFront China distribution.

Using CloudFront China with a global origin

If you do not want to replicate your origin in China, to avoid incurring additional costs or introducing more complexity to your architecture, you can use CloudFront China and point it to your global origin.

This architectural option has multiple considerations to take into account:

  • You should obtain an ICP recordal and use a domain name registered in China (e.g. www.example.cn) for your users in China.
  • While cacheable content will be served locally with the best performance, dynamic content and cache misses still need to traverse the GFW. To optimize this path for HTTP requests between CloudFront China and your global origin, consider using the Zenlayer proxy between these two components.
  • CloudFront China cannot use Origin Access Identity (OAI) or Origin Access Control (OAC) with S3 buckets in global regions, so the origin must be protected by another mechanism.
  • Review the Data Security Law and the Personal Information Protection Law of the People's Republic of China to ensure compliance, since you would potentially be processing user data collected in China outside of China.

Replicating origin infrastructure in China

To achieve the best performance and availability for your application delivery in China, consider deploying your web application on an origin in one of the AWS Regions in China, using a dedicated domain name (.cn). In this architecture, local delivery in China uses an origin in China, CloudFront China and Route 53 China. To learn how to replicate content to AWS Regions in China, read this blog.

For optimal traffic routing across your global deployments and your China deployment, consider the reference architecture described in this blog.
