For web app developers, serving users in China requires a completely different way of thinking. I’ll explain how to work in practical steps to achieve good-enough solutions.
You have a web app with a global reach, but not quite global. You still haven’t acquired those 1.4 billion Chinese consumers. This is not just another geolocation. Serving China is a voyage into the unknown, even for the most experienced technologist. Chinese laws, regulations, and the Great Firewall pose a high barrier to non-Chinese companies.
This is hard to comprehend when your career is built on finding a workaround for every obstacle. However, the rules are real, they are enforced, and they are trending stricter all the time. Your website, network connection, or cloud server can be cut off at any time for violating the rules, with no explanation and no practical way to appeal.
An unavoidable obstacle
So how do you do it? The approach pushed hard by the Chinese regulatory system is this:
Chinese customers should be served only by a Chinese-owned-and-registered corporation, with Chinese DevOps in Chinese offices, on a Chinese cloud provider, with a separate database in China, integrated only loosely if at all with non-Chinese systems.
Having mentioned this, let’s now go over the steps to take for getting your app through the Great Firewall.
Note: You will not reach a solution as reliable and fast as what you are used to, but even a few steps can often meet your basic requirements.
Building a China-friendly Front End
You can get a good start with straightforward optimizations to your front end code alone, without deploying anything to China. I’ll describe a combination of special optimization techniques to handle the Great Firewall, along with standard ones that you’re already familiar with.
Find out what’s slowing you down
On the bright side, communication from China across the Firewall for domains that are not on the blacklist is generally not a problem. So, you can solve your third-party slowness by taking advantage of decent speeds on your own domain, so long as it is not being throttled. (If it is, you’re going to need a very different and much more difficult solution.)
The first step is to measure the detailed performance of the network invocations. The most flexible approach for a developer iteratively analyzing and improving performance is to use the wide variety of standard in-browser development tools like Firefox Dev Tools or Google HAR Analyzer. However, this requires access to a VM in China. Alternatively, web-based services can give you most of the information you need. WebPageTest is a good option, and more are listed here.
Serve resources yourself
Compared to loading resources, AJAX-to-third-party domains are harder to speed up. You can consider proxying these calls too, though that can be difficult given security controls against man-in-the-middle attacks. The less your application depends on third parties, the better. Even when that slows your development as you reinvent services instead of using outside offerings.
Get around to those optimizations you’ve been promising yourself
Those are some China-specific optimizations, but standard front-end optimization is a good idea. You may have put this off if speed was already good enough, but when resources can irregularly take minutes to load, your web app must be resilient enough so that no resource can block rendering. Minify everything, and load any possible resource asynchronously, and after the onLoad event so that page rendering is not blocked.
All that will get you an application that basically works from China, and can take you a long way. But still, you won’t see the reliability and speed you have come to expect; and access can be blocked at any time.
Beware of the “quick fixes”
Next, I’ll mention a few solutions that look like quick fixes but aren’t: China CDNs, VPNs, and Hong Kong deployment.
CDNs are accelerators, not tunnelers
A China-oriented CDN speeds access to your servers outside China for customers in China. But this is an accelerator, not a firewall tunneler. To retain their license and avoid blocking, the CDN providers must cooperate with the Great Firewall, and so the same content restrictions apply. The China CDN will make fast sites into somewhat faster sites; it will not help with the biggest bottlenecks that I mentioned above.
Further, these CDNs do not control access from the frontend to third-party servers — often the biggest bottleneck unless you serve resources from your own domain, as advised above. CDNs have other disadvantages; DNS configuration is complex, and the CDN’s ownership often changes hands, which results in unstable APIs.
VPNs provide a form of Great-Firewall-tunneling. They are widely used in China, though illegal. They could be an acceptable solution for making a corporate app available to a small number of well-known users. But as a web app provider, you most likely want to maximize access; you don’t want to require your customers to use VPNs. Even when VPNs are usable, their traffic is often far slower than with direct non-VPN access, whether because of interference from the Firewall or because VPNs add another layer to all network communication. And at any time, VPNs can go down as the authorities identify and block them — or worse, slow them irregularly. (Marc Bevand tells an impressive story of VPN-busting through advanced deep-packet detection side-channel leaks.)
Hong Kong is just another location outside the Firewall
Hong Kong deployment looks promising; Hong Kong borders on Shenzhen and is administered by China, yet it allows network freedom. Even Google, otherwise banned in China, has a data center there. Unfortunately, this has only limited value. The Firewall still slows and interrupts access from mainland China to Hong Kong, as it does for other locations. Just as you try to get your servers close to your customers outside China to shave off some milliseconds, so too Hong Kong brings you closer to China; but it does not solve your main problem.
Your necessary licenses
If hosting outside China doesn’t do it for you, consider deploying into China. To do this, you will first have to start the licensing process.
There are two levels of Internet Content Provider (ICP) licensing:
- An ICP filing (Bei’an), which is a legal requirement before exposing your website in China.
- If your site is commercial and selling online services, a full ICP license is needed. This is available only to a company that is majority Chinese-owned.
Going with the ICP filing and not the full license is obviously quite limiting, but for this article, I’ll assume that the filing is your only option.
This is the point where I tell you that I am a technologist, not a lawyer, and certainly not a Chinese-accredited lawyer; so check the details before you go ahead. Laws and realities on the ground are always changing. I can assure you, however, that this process really is as complicated as it looks.
Get your Bei’an on
For the ICP filing, set up a Chinese subsidiary with employees and offices. A legal fiction is not enough; you have to pass validations that the subsidiary is real, up to and including a photo of an employee holding a poster from the cloud provider in your bricks-and-mortar office. That employee is not just a formality — a strong understanding of how the rules impact your cloud deployment is a tremendous asset.
You might look for a Chinese partner company that can do this for you, but ongoing changes in enforcement make this an uncertain solution.
Next, submit the ICP filing early; The process takes weeks. You will get your ICP number, which you must display on the footer of your home page.
If you want to actually sell goods in China, the ICP filing is not enough; you need an ICP license, and your company must be not only registered in China but majority-owned by Chinese.
Start Your China Deployment
Your options for the Cloud include local providers like Alibaba (Aliyun) and Tencent, and foreign cloud platforms from AWS and Azure. I strongly recommend AWS China and Azure China, which give you consistent APIs that you are familiar with. Their technologies also have excellent English-language documentation, articles, training, StackExchange, and forum posts generated by worldwide ecosystems. English documentation of Alibaba and Tencent remains sparse, despite valiant efforts to catch up. (In fact, documentation and posts on China-specific questions about AWS China and Azure China are surprisingly sparse; but at least you’ll have the help you need on the APIs.)
AWS and Azure aren’t Amazon and Microsoft
AWS China is not owned by Amazon, and Azure China is not owned by Microsoft. Instead, these services are run by Chinese companies; only the technology is licensed from the American companies.
They should be considered separate clouds that happen to use the same technologies, not separate regions. They are not integrated. In AWS, for example, you need to create separate user identities inside and outside China. You cannot copy AMIs to and from China, there is no Route 53 that could allow global DNS, and you can’t connect between the regions with Private Link.
Signing up for the China cloud is much harder. With worldwide cloud providers, you generally need nothing but a credit card number. With the providers in China (including AWS and Azure), you need the ICP filing and the license for your Chinese subsidiary. You also need to deal with much more stringent anti-fraud “real-name registration” provisions, including photos of several forms of ID and extensive personal details. Free tiers are very limited or unavailable, and payment is in advance.
During the process of setting up your China deployment, you’ll likely face some technical limitations:
A clunky deployment experience
AWS China and Azure China lag behind the original providers in adopting their new technologies.
And ordinary processes, for example, registering for the cloud provider or even just deleting a VM, often require far more human support that you are used to, particularly with the native Chinese cloud providers. The support engineers are professional, but the level of English skills is not what you are used to.
Your access from outside China using the GUI console may occasionally slow. Likewise, connectivity for development and deployment access can fail. Consider developing and running your Continuous Integration processes against a non-China region.
You cannot expose well-known HTTP ports like 80 and 443 without an ICP filing. That means that all your development and testing will have to be on other ports, switching to standard ports only for production.
Likewise, most of your testing won’t be in a realistic DNS setup, since it is not worthwhile to file just for testing: Both your domain (like test-mycompany.com) and the SSL certificate must be approved based on your ICP filing.
Be best prepared with tried-and-true technologies
On the bright side, network connections between China and non-China servers are usually just as fast as any connections in the cloud. Deploy a minimal subset of functionality to the China cloud and then integrate into your home base deployment outside China.
You can integrate-cloud-to-cloud as usual unless you have the bad luck of being assigned an IP address earlier used by a blocked service. Yet you may encounter slowdowns at any time, so design your integrations for that. Keep independent databases inside and outside the Great Firewall, and synchronize them asynchronously. Cloud providers offer bulk-data exfiltration services that go over a direct link that avoids the Firewall. However, these are expensive and not needed for normal purposes; ordinary asynchronous architectures will do.
Just keep your architecture simple with tried-and-true technologies, after checking what is available and mature in the Chinese cloud platform. (They are always following along slightly behind the worldwide offerings). Don’t try to lift-and-shift an entire complex architecture from AWS or Azure. Instead, take parts from your well-factored microservice architecture. (If you don’t have such an architecture, now is the time!) Just deploy the set of microservices that you absolutely need in China. You may need to fork your code to adjust to the requirements of the Chinese cloud, but in migrating from AWS or Azure to their Chinese platforms, you won’t have to change much.
It is difficult, but possible, to expose your web app for use from China. First, optimize the front-end with both standard and China-specific techniques. Next, establish a Chinese subsidiary and deploy a minimal subset of microservices to AWS China or Azure China.