Alibaba Cloud and Aviatrix joint solution for global encrypted connectivity including Mainland China
To serve their customers as well as possible, enterprises need to host their services close to those customers. In the past they built data centers in the geographical regions where their users were. As digital services and IT workloads move to the cloud, enterprises are starting to leverage multiple regions and clouds to provide the best service quality.
Even though the front end of a user-facing application is distributed around the globe, there may still be (backend) services which need to access shared resources deployed in a specific cloud, region, or data center (DC). For this kind of integration, global enterprises build secure communication channels so that workloads and services can communicate over a dedicated private link. Historically, this has often been implemented with MPLS networks.
The Aviatrix platform, built according to the Multi-Cloud Network Architecture (MCNA), solves such challenges and adds additional layers of security, providing global enterprises with a seamless connectivity option across the globe.
One part of the global network remains somewhat isolated from the rest of the world: China. Connectivity in and out of Mainland China passes through the Great Firewall, which poses a challenge for companies that want to build an encrypted channel between Mainland China and other regions such as Europe or the Americas. The design described below leverages Alibaba Cloud's private connectivity service, Cloud Enterprise Network (CEN), to make this happen. Keep on reading to understand how easy it is to build the architecture shown in the diagram below.
Alibaba Cloud Introduction and biggest benefits
Alibaba Cloud, founded in 2009, is a global leader in cloud computing and artificial intelligence, providing services to thousands of enterprises, developers, and government organizations in more than 200 countries and regions. Committed to the success of its customers, Alibaba Cloud provides reliable and secure cloud computing and data processing capabilities as part of its online solutions.
There are multiple strategic reasons to include Alibaba Cloud into your IT strategy, three of which we will detail in the subsequent sections.
Fast-Paced Innovator that Supports World’s Most Demanding E-Commerce Applications
Alibaba Cloud reliably supports one of the most demanding online events on earth each year: Double 11, the world's biggest shopping festival, with a gross merchandise volume of more than 74.1 billion USD in 11 days in 2020. To give you an idea of the scale of this event, here are some numbers on the resources and workloads exclusive to it (2020):
· 800+ million participating customers
· 2.32 billion orders and deliveries orchestrated, coordinated, and delivered.
· 583k orders per second during peak times, the highest traffic peak ever witnessed in the world
· 250k+ participating brands
· 1.7 billion network attacks that were successfully mitigated
Alibaba Cloud is the technology backbone of Alibaba Group and has been constantly pushing the limits of today's technologies to support our own core business. This fast-paced innovation and battle-proven technology is provided to our millions of customers, which are often large enterprises themselves with millions of end customers. The resulting stream of innovation is productized and released frequently as new services and features that our customers world-wide build upon to reliably support business-critical application infrastructure.
Second to None Business and Technology Partner for China
Alibaba Group and its cloud division form an international company with Chinese roots. As such, we are second to none as a technology and business partner for your IT and innovation projects in South East Asia, and in China in particular. Alibaba Cloud is the clear market leader with roughly one third of the market share in Asia Pacific, well ahead of any of its cloud competitors such as AWS, Microsoft Azure, or Google Cloud, according to the latest Market Share for IT Services report by Gartner.
For Mainland China the market-share proportions are even more pronounced: Alibaba Cloud holds well over 40%, which is larger than the next five cloud competitors combined.
With its strong presence in the Asia Pacific region, with (as of this writing) 19 regions, 12 of which are in Mainland China, and one additional region in Hong Kong, Alibaba Cloud is the number one choice for global, scalable, and secure application platforms that empower your digital innovation strategy in the APAC regions. In total, Alibaba Cloud has 24 regions world-wide, which also includes North America (2) and Europe (2), letting you benefit from the innovation capabilities of Alibaba Cloud in your local regions while fully complying with local law and regulation such as GDPR. The figure below gives an overview of our global footprint of 24 regions and 75 availability zones as of now.
Note that all of these 24 regions can be managed from a single account. Many services also provide cross-region integration capabilities that let you easily replicate and copy data to and from any of our regions. One of these services, Cloud Enterprise Network (CEN), is also a part of the Aviatrix Cloud Network Platform. CEN provides a low-latency and reliable network connection between any of our 24 regions by leveraging Alibaba Cloud's global backbone network.
Geo-Politically Balanced Multi-Cloud Strategy
Comparing the Gartner Magic Quadrants for IaaS Worldwide from 2020 and 2021 with those of previous years, you will notice that both the number of players and their geographic heterogeneity have been drastically reduced. In total, only seven players are left, five of which are headquartered in the USA. This leaves Alibaba Cloud and Tencent Cloud as the only hyperscalers that are not under American jurisdiction. A multi-cloud strategy aimed at minimizing the regulatory and legal risks of a multi-regional deployment can be crucial for businesses. Alibaba Cloud is a reliable and trusted business and technology partner for implementing such a strategy and can help you mitigate these risks.
Challenges with connectivity to China
Private, secure and reliable connectivity in and out of Mainland China is hard to implement. There are a few options, but each has its own challenges:
- IPsec tunnel over public IPs: the standard IPsec ports and protocols (IKE on UDP 500, NAT-T on UDP 4500, and ESP itself) need to be allowed through the Great Firewall, and even then the connection may not be very stable
- Private connectivity using a 3rd party: long lead times to get the link up, high cost, and the point-to-point nature of such a link; complexity in extending that network to other resources; no encryption
- Private connectivity over a cloud provider's backbone: only Alibaba Cloud offers such a connection, but it is not encrypted; complexity in extending that network to other resources (e.g. DC, other CSPs)
The biggest cloud providers, AWS and Azure, use separate entities and a separate backbone for their regions in Mainland China. You need separate accounts and consoles to manage your resources inside and outside China.
Alibaba Cloud, however, offers a single account and a single management console for all of its regions, including the 11 regions in Mainland China. This makes it a good option to consider when building the enterprise global backbone.
The challenge, as mentioned before, is the lack of encryption on these links, as well as the complex setup of connectivity and routing if any other networks (other CSPs or DCs) need to be added to the mix.
Aviatrix Design
The Aviatrix Cloud Network Platform is extremely flexible and can be deployed in a number of diverse ways based on business and technical requirements. It is a low friction solution that fits easily in existing processes without requiring significant modifications to the existing cloud provisioning workflows.
Global organizations can leverage any number of CSPs from Azure, GCP, AWS, OCI and Alibaba Cloud. The following validated design focuses on the architecture built on Alibaba Cloud's backbone.
The crucial element of the solution is Alibaba Cloud's Cloud Enterprise Network (CEN). It is a transit solution that interconnects VPCs (and other networks) privately. CEN is a global hub, so VPCs from any region can be attached to it. One of its main advantages compared to other solutions is that its latency and reliability are not affected by the Great Firewall. It enables customers to interconnect VPCs in Mainland China with any other Alibaba Cloud region, such as Germany, in a stable and private way. The challenge, however, is that the traffic is not encrypted. Also, when you want to use CEN as a transit solution extending to more external resources, configuration of the routing becomes more complex.
To understand the overall architecture, let's start with one simple scenario: interconnecting a DC in Europe with a DC in China, in an encrypted way, using Alibaba Cloud's network backbone.
In the diagram you will notice the following:
- Aviatrix Controller in Europe (main Controller, running in any cloud, managing all the networks outside of Mainland China)
- Aviatrix Controller in China (Controller in AWS China, managing the networks in Mainland China; it is a separate controller to avoid any issues with connectivity through the Great Firewall)
- Alibaba Cloud VPCs in Region 1 and Region 2 (Europe and Mainland China), interconnected privately using CEN
- Aviatrix Transit GWs in the Alibaba Cloud VPCs, building encrypted transitive connectivity between Europe and China, so that the CEN link only ever carries the encrypted gateway-to-gateway tunnels
- IPsec tunnels (Site2Cloud) from each DC to its respective local Transit GW
- CoPilot instances monitoring and visualizing the environments
Such an architecture allows the DCs to communicate in a fully encrypted and stable way between Europe and China.
We can easily add all the VPCs you have in Alibaba Cloud's regions, simply by deploying Aviatrix Spoke Gateways in them and attaching them to their respective Transit GWs, as depicted in the diagram below.
Now each DC can communicate with any Spoke VPC in any region, and all of that traffic traverses Aviatrix's encrypted transit network (all the peerings between Aviatrix Gateways are encrypted).
Going even further, we can keep expanding to other clouds in each region.
In this architecture your Azure Europe resources can communicate with Alibaba Cloud and AWS China resources using private, stable, and encrypted connectivity that traverses Alibaba Cloud's network backbone.
This design includes several levels of redundancy. For example, you may notice that each DC now connects over IPsec to two Transit networks in its region. This allows for path optimization, and if one link fails (e.g. the IPsec tunnel between the DC and Azure Europe) the other link (IPsec from the DC to Alibaba Cloud Europe) can still be used to reach the VNETs in Azure.
Connection stability
To verify how stable the link over Alibaba Cloud's CEN is, we built a setup consisting of:
- Spoke GW in Alibaba Cloud VPC in Frankfurt
- Transit GW in Alibaba Cloud VPC in Frankfurt
- Transit GW in Alibaba Cloud VPC in Shanghai
- Spoke GW in Alibaba Cloud VPC in Shanghai
Each Spoke VPC had a test VM. We ran a continuous ping session between the two VMs for 36 hours.
There was 0% packet loss over that entire time. This confirms how stable both the underlying CEN and the Aviatrix overlay are. Note that this measured ICMP reachability between a single pair of VMs over the encrypted overlay; it is not a throughput or load test.
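To make a stability claim like the one above reproducible, here is an added example (not code from the article, from Aviatrix or from Alibaba Cloud) that post-processes a long ping capture into a loss percentage, RTT statistics and loss bursts. It assumes Linux iputils `ping` output; the embedded sample capture is constructed for illustration and is not the authors' measurement data. Bursts are reported separately because a link can show a low overall loss figure while still dropping several consecutive probes, which is what tunnel keepalives and application timeouts actually react to.

```python
"""Summarise a long-running ping capture: packet loss, RTT stats and loss
bursts.  Added example, not code from the article, Aviatrix or Alibaba Cloud.
Assumes Linux iputils ping output on stdin (or the embedded sample)."""

import math
import re
import statistics
import sys
from dataclasses import dataclass, field

# Reply line: "64 bytes from 10.2.0.10: icmp_seq=3 ttl=62 time=181.2 ms".
# Error lines ("From ... icmp_seq=5 Destination Host Unreachable") carry no
# "time=" and therefore count as lost probes.
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*?\btime=([\d.]+) ms")
# Trailing summary: "8 packets transmitted, 6 received, 25% packet loss, ...".
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")

# Constructed sample (not real measurement data): a Frankfurt spoke VM pinging
# a Shanghai spoke VM, with icmp_seq 4 and 5 lost in one burst.
SAMPLE_CAPTURE = """\
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=181.2 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=62 time=180.9 ms
64 bytes from 10.2.0.10: icmp_seq=3 ttl=62 time=182.4 ms
64 bytes from 10.2.0.10: icmp_seq=6 ttl=62 time=183.7 ms
64 bytes from 10.2.0.10: icmp_seq=7 ttl=62 time=195.3 ms
64 bytes from 10.2.0.10: icmp_seq=8 ttl=62 time=180.7 ms
--- 10.2.0.10 ping statistics ---
8 packets transmitted, 6 received, 25% packet loss, time 7012ms
"""


@dataclass
class PingSummary:
    sent: int
    received: int
    loss_pct: float
    rtt_min: float
    rtt_avg: float
    rtt_max: float
    rtt_p99: float
    gaps: list = field(default_factory=list)  # (first lost icmp_seq, run length)

    @property
    def longest_gap(self) -> int:
        return max((n for _, n in self.gaps), default=0)


def parse_ping(lines):
    """Return ({icmp_seq: rtt_ms}, transmitted_or_None) from ping output lines."""
    replies, transmitted = {}, None
    for line in lines:
        m = REPLY_RE.search(line)
        if m:  # setdefault keeps the first RTT if a "(DUP!)" reply repeats a seq
            replies.setdefault(int(m.group(1)), float(m.group(2)))
        elif (m := SUMMARY_RE.search(line)):
            transmitted = int(m.group(1))
    return replies, transmitted


def loss_runs(expected, replies):
    """Collapse lost sequence numbers into (start_seq, length) bursts."""
    runs, start = [], None
    for seq in expected:
        if seq not in replies:
            start = seq if start is None else start
        elif start is not None:
            runs.append((start, seq - start))
            start = None
    if start is not None:  # capture ended inside a loss burst
        runs.append((start, expected[-1] - start + 1))
    return runs


def summarise(lines) -> PingSummary:
    replies, transmitted = parse_ping(lines)
    if not replies:
        raise ValueError("no ping replies found in input")
    if transmitted is not None:
        expected = range(1, transmitted + 1)  # iputils numbers probes from 1
    else:  # capture cut off before the summary: count gaps between replies only
        expected = range(min(replies), max(replies) + 1)
    rtts = sorted(replies[s] for s in expected if s in replies)
    sent, received = len(expected), len(rtts)
    return PingSummary(
        sent=sent,
        received=received,
        loss_pct=round(100.0 * (sent - received) / sent, 3),
        rtt_min=rtts[0],
        rtt_avg=round(statistics.fmean(rtts), 3),
        rtt_max=rtts[-1],
        rtt_p99=rtts[math.ceil(0.99 * len(rtts)) - 1],  # nearest-rank percentile
        gaps=loss_runs(expected, replies),
    )


if __name__ == "__main__":
    # e.g.  ping -i 1 10.2.0.10 | tee ping.log ; python3 ping_summary.py < ping.log
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE.splitlines()
    s = summarise(source)
    print(f"{s.sent} sent, {s.received} received, {s.loss_pct}% loss; "
          f"rtt min/avg/max/p99 = {s.rtt_min}/{s.rtt_avg}/{s.rtt_max}/{s.rtt_p99} ms; "
          f"loss bursts {s.gaps} (longest {s.longest_gap} probes)")
```

For a multi-hour run, pipe `ping -i 1 <remote VM>` through `tee` into a log file and feed the file to the script afterwards; if the run is interrupted before ping prints its summary line, the script falls back to counting only gaps between the first and last reply it saw.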
Aviatrix Deployment
Aviatrix is a powerful and advanced platform providing networking and security services in the public clouds, with multi-cloud optionality. While being comprehensive, it is also perfectly modular — you can start really small with just one or two services, and if you need to add more services, or expand into other clouds, you can do it any time. The platform is flexible and can easily follow your current needs. Start anywhere, grow anywhere.
Once this base platform is built out, the customer can add more services:
- Next Generation Firewall inspection (Palo Alto, Fortinet, Check Point)
- Stateful L4 Firewall
- Network segmentation
- User VPN
- FQDN Egress Filtering
- Multi-Cloud connectivity and network segmentation
- Encryption over FastConnect
- Advanced NAT for interconnecting networks with overlapping IPs
and many more.
Are you ready to deploy Aviatrix in your cloud environment? Start here: https://docs.aviatrix.com/StartUpGuides/aviatrix_overview.html
About the Authors
Oliver Arafat
I am leading the solution architecture team in the DACH and CEE region of Alibaba Cloud. My team is helping customers of all sizes and industries reach their full potential with cloud-based solutions.
My email address: o.arafat@alibaba-inc.com
Tomasz Klimczyk
I am a Solution Architect in EMEA for Aviatrix, building up relationships with local customers and helping them on their journey towards the public cloud. Prior to Aviatrix, I spent many years working with on-prem and telco solutions, in QA, SE and PM roles.
My email address: tomasz@aviatrix.com
Disclaimers:
The public internet bandwidth to Mainland China is limited, resulting in unpredictable and varying QoS and latency.
Alibaba Cloud CEN lets you transfer data over a private and dedicated connection to Mainland China which fully conforms to the Cyber Security Law (CSL). Note that you are still responsible for adhering to the local legislation of each country at the application level. For the EU this would be GDPR; for Mainland China this would be the CSL, which is implemented by MLPS 2.0. More information on this can be found here: https://www.alibabacloud.com/china-gateway/mlps2
Some features of Aviatrix may not yet be enabled for China or Alibaba regions. Please check with your Aviatrix team regarding the availability.