VPNs via MPLS or SD-WAN in China
Last modified by Matthias Haarmann on 19 January 2023 11:58
While the operation of a VPN for connecting sites between Europe or America and China is already subject to some regulations and restrictions by the Chinese state, there are also additional restrictions in place regarding the technologies used for implementing a VPN in China. This is because the Chinese state only permits VPNs that are implemented using MPLS or SD-WAN. IP-based VPNs are no longer permitted in China.
Multiprotocol Label Switching (MPLS)
MPLS is a routing technology that is used for transporting data packets over predefined routes with higher performance. Instead of each router along the way having to analyze the data packet itself and determine the next hop, the route is defined in advance via MPLS.
When a data packet enters the MPLS network, a route is determined and assigned to the data packet as a label. Each router in the MPLS network then only needs to read the label and immediately knows to which router it must forward the packet. The data throughput is thus increased and a high quality of service (QoS) ensured.
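The label-based forwarding described above, as an added worked example that is not part of the original article: the 32-bit MPLS shim header is packed and unpacked, and each label switch router (LSR) forwards on the top label alone, so the payload behind it travels through every hop unchanged and, unless an overlay encrypts it, readable. The topology, labels, router names and payload are constructed for illustration.

```python
import struct

# MPLS shim header (RFC 3032): 20-bit label, 3-bit traffic class,
# 1-bit bottom-of-stack flag and 8-bit TTL packed into 32 bits.
def encode_label(label, tc=0, bos=1, ttl=64):
    if not 0 <= label < 1 << 20:
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def decode_label(packet):
    (v,) = struct.unpack("!I", packet[:4])
    return {"label": v >> 12, "tc": (v >> 9) & 0x7,
            "bos": (v >> 8) & 0x1, "ttl": v & 0xFF}

class LSR:
    """Label switch router: decides the next hop from the top label alone;
    the payload behind the label is neither inspected nor altered."""
    def __init__(self, name, lfib):
        self.name = name
        self.lfib = lfib  # in_label -> (action, out_label, next_hop)

    def forward(self, packet):
        hdr = decode_label(packet)
        if hdr["ttl"] <= 1:
            raise RuntimeError(f"{self.name}: TTL expired on label {hdr['label']}")
        action, out_label, next_hop = self.lfib[hdr["label"]]
        rest = packet[4:]
        if action == "swap":
            rest = encode_label(out_label, hdr["tc"], hdr["bos"], hdr["ttl"] - 1) + rest
        # "pop" strips the label: at the egress router only the payload remains
        return next_hop, rest

def run_lsp(ingress_label, payload, lsrs):
    """Push the label at the ingress, walk the LSP, return (hops, egress payload)."""
    packet = encode_label(ingress_label) + payload
    hops = []
    for lsr in lsrs:
        next_hop, packet = lsr.forward(packet)
        hops.append((lsr.name, next_hop))
    return hops, packet

# Constructed LSP: the ingress pushes label 100 at site A, two provider core
# routers swap it, and the egress router at site B pops it.
LSP = [
    LSR("P1", {100: ("swap", 200, "P2")}),
    LSR("P2", {200: ("swap", 300, "PE-B")}),
    LSR("PE-B", {300: ("pop", None, "site-B-LAN")}),
]
PAYLOAD = b"IP datagram: cleartext unless an overlay encrypts it"  # constructed
```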
Since MPLS networks operate independently of the public Internet and require their own hardware between locations, MPLS is primarily offered as a service by telephone companies and Internet service providers (ISPs) for connecting international locations. Through partnerships with other carriers, international MPLS networks can be established. Given this, and the fact that determining the respective routes is complex and has to be completed individually for each customer, it is not surprising that MPLS services generally involve very significant costs. At the same time, the coverage of an MPLS network depends on the hardware used by the MPLS provider. This can be a major challenge, especially for locations in more remote areas. Before setting up such a VPN via MPLS, it is important to ensure the MPLS provider can actually provide the service at all of the company's locations. An established MPLS network can thus be a decisive factor in determining where a company can expand to in the future. If a planned company location lies outside the network of the MPLS provider, a change of provider would be conceivable, but this would of course be associated with high costs.
With an MPLS network that provides site connectivity to China, this problem becomes even more acute. First, only the three major Internet service providers (China Telecom, China Unicom, China Mobile) are available as MPLS partners in China, and secondly, the VPN must be licensed by the Chinese state via these ISPs.
Although MPLS does not itself provide any encryption, as a Virtual Private Network (VPN) it is separated from the public Internet and can therefore be considered secure for transporting data. The security of data transport in China should nevertheless be treated with caution. As you are forced to work with one of the three major ISPs in China, and they are owned by the Chinese state, our recommendation is still to additionally encrypt the data for VPNs that are set up via MPLS in China. Since MPLS operates between layer 2 and layer 3 of the OSI model, and is therefore often referred to as a layer 2.5 protocol, it is not vulnerable to Denial of Service (DoS) attacks.
With the increasingly widespread use of cloud services and Software as a Service (SaaS), the use of MPLS encounters another problem. This is because MPLS was developed at a time when branches of a company actually always wanted to transmit data to or retrieve data from the headquarters. An additional endpoint in the MPLS network for cloud services was never envisaged.
Software Defined Wide Area Network (SD-WAN)
SD-WAN is a new type of routing technology which, compared to MPLS, is much less dependent on hardware, and in fact is generally implemented via software that bundles several Internet and other WAN connections (such as MPLS) at one company location. No new network needs to be set up for an SD-WAN, as it works over the existing Internet connection of a site. As a result of this, an SD-WAN solution can usually be deployed within a few days - MPLS, on the other hand, takes much longer to deploy.
Because of this, international location networking can be realized much more cost-effectively and swiftly. At the same time, SD-WAN is not dependent on a central provider, which means a different Internet provider can be used at each location. With SD-WAN it is therefore also much easier to reach even remote branches of a company and to connect them via a VPN.
SD-WAN VPNs are particularly popular in China, as the Chinese government is actively promoting them and driving forward the utilization of cloud services. Many cloud providers around the world offer Cloud Enabled SD-WANs, which enable a local SD-WAN to connect to a cloud gateway of the respective provider. If the connection fails, an alternative connection can be established within a few milliseconds, so the failure of the first connection will generally not be noticed by the user.
The fact that an SD-WAN uses the existing Internet connections makes this technology less expensive. However, this also represents the biggest disadvantage of SD-WANs, because as soon as a data packet enters the public Internet, fluctuations in latency and packet loss rates can occur, which in turn has a negative effect on data transfers via the SD-WAN. While this is not important for sending e-mails or sharing files, it can be critical when it comes to phone calls or video conferencing.
VPNs that are implemented via an SD-WAN and provide connections to a site in China must be licensed with the Chinese state via one of the Chinese ISPs, just as with MPLS.
The trend: pure SD-WAN or Hybrid-WAN
Pure MPLS networks are still used for a large part of corporate VPNs. However, this is not so much due to the advantages of MPLS over SD-WAN, but rather because MPLS was the leading VPN technology for a long time and the devices used have long service lives.
The trend in the coming years will move away from pure MPLS networks, which will increasingly be replaced by SD-WANs or Hybrid-WANs. The aim here is to reduce the high costs of MPLS as much as possible and to use such solutions only where they actually bring tangible benefits.
Companies that use time-critical applications or services locally, such as telephone calls or video conferences, will continue to rely on MPLS for these, as the high quality of service provides a decisive advantage. However, for companies that make use of these services via a cloud instead of locally, SD-WANs are becoming increasingly accepted in this area as well.
Since SD-WANs can also transport MPLS packets, it is relatively easy to connect the two technologies to form a Hybrid-WAN. In this scenario, the expensive MPLS networks are used for time-critical applications, while all other data is transmitted via an SD-WAN. Even though this means both technologies are used, the costs for companies are reduced as less bandwidth is required for MPLS.
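The Hybrid-WAN steering described above, as an added example that is not part of the original article: time-critical applications are placed on the MPLS circuit, everything else on the cheaper Internet uplinks, a degraded or failed path is skipped in favour of the next one that still meets the SLA, and, following the recommendation earlier on this page, traffic to a China site is only placed on a path that has an encryption overlay, MPLS included. The path names, SLA thresholds and quality figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Path:
    name: str
    kind: str          # "mpls" or "internet"
    latency_ms: float
    loss_pct: float
    encrypted: bool    # an IPsec/WireGuard-style overlay is active on this path
    up: bool = True

# Constructed SLA thresholds for real-time traffic (voice, video).
REALTIME_APPS = {"voip", "video"}
RT_MAX_LATENCY_MS = 150.0
RT_MAX_LOSS_PCT = 1.0

def eligible(path, app, china_site):
    """A path may carry the flow if it is up, meets the app's SLA and, for a
    China site, is encrypted regardless of whether it is MPLS or Internet."""
    if not path.up:
        return False
    if china_site and not path.encrypted:
        return False
    if app in REALTIME_APPS:
        return (path.latency_ms <= RT_MAX_LATENCY_MS
                and path.loss_pct <= RT_MAX_LOSS_PCT)
    return True

def select_path(paths, app, china_site=False):
    """Real-time flows prefer MPLS for its QoS, everything else prefers the
    cheaper Internet paths; within a class, pick lowest loss, then latency."""
    candidates = [p for p in paths if eligible(p, app, china_site)]
    if not candidates:
        return None
    preferred = "mpls" if app in REALTIME_APPS else "internet"
    candidates.sort(key=lambda p: (p.kind != preferred, p.loss_pct, p.latency_ms))
    return candidates[0]

def example_paths():
    """Constructed Hybrid-WAN at a China site: one MPLS circuit from a Chinese
    ISP plus two Internet uplinks, all with an encryption overlay."""
    return [
        Path("mpls-cn", "mpls", latency_ms=90, loss_pct=0.1, encrypted=True),
        Path("isp-a", "internet", latency_ms=120, loss_pct=0.5, encrypted=True),
        Path("isp-b", "internet", latency_ms=210, loss_pct=3.0, encrypted=True),
    ]
```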
As a partner of the Internet service providers in China, weber.cloud China can assist you in obtaining a licensed VPN in China. Simply get in touch with us.