Explore

Azure China - Alibaba China - Alibaba Global - Azure Europe

1. Introduction

The goal of this document is to provide information on using Terraform to deploy Aviatrix Azure + Alibaba in China, providing connectivity to a symmetrical layout in Europe for end to end testing.

There are a few options on connecting to China:

OPT1:- Europe Azure Transit > S2C < China Azure Transit

OPT2:- Europe Azure Transit > Europe Ali Transit > S2C < China Ali Transit < China Azure Transit

OPT3:- As above but with Europe Ali Transit > S2C/VPC Peering < China Ali Transit

(VPC Peering leveraged, CEN is another option, but this is not covered here)

Note/.

The code can be used to apply OPT1 to OPT3, the code is setup currently to leverage OPT3 using ‘vpc peering’, largely because this offers a better throughput and a slight improvement on latency compared to the other two options.

The code can easily be customized to achieve OPT1 and OPT2 for testing

CEN has not been dealt with here (customer requirement didn’t extend here so this hasn’t been reviewed)

The Terraform code used for the China deployment leveraged Jorge Cortes’ Repo (see below)

1.1 References

⁠

About Aviatrix in the China Regions :: Documentation⁠

(official Aviatrix documentation)

⁠

China Clouds Overview - Aviatrix Product Management - Confluence (atlassian.net)⁠

Aviatrix Prod team

Terraform code Repos:

(Azure Controller in China)

⁠

jocortems/aviatrix_controller_azure_china: This module deploys an Aviatrix Controller in Azure China as a VM. There is no HA (github.com)⁠

⁠

(Azure Transit + NSG in China)

⁠

https://github.com/jocortems/aviatrix_alicloud_china_gateway_azure_controller_nsg⁠

(Alibaba Transit + NSG in China)

⁠

https://github.com/jocortems/aviatrix_alicloud_china_gateway_azure_controller_nsg⁠

⁠

2. Azure Controller - China

Deployment in China requires a dedicated Aviatrix Controller / Copilot, the ‘Azure Controller in China’ link above pretty much covers the deployment so won’t be delved into further.

2.1 Don’t forget to register Azure Resource Providers (RPs)

Easy to forget as the Azure China subscription will be ‘new’, therefore the RPs will need to be registered.

You can add ‘skip_provider_registration = false ‘ to the terraform provider BUT it’s quicker and easier to get the RP registration done beforehand.

Here the Terraform provider shows the registration was set to ‘true’ to skip as the RPs were registered using the ‘az cli’

⁠

2.1.2 Which RPs to register

As a minimum at least the following

Microsoft.Network

Microsoft.Compute

Microsoft.Storage

MachineLearningServices

2.1.3 Where and how to register RPs?

⁠

https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types⁠

⁠

2.1.4 ICP cert domain

+ ICP cert domain (Internet Content Provider) license is required for our SSL connectivity. The following are registered, adding the 2nd level domain ‘cbc-networks.com’ is sufficient

aviatrixaws.cbc-networks.com aviatrixazure.cbc-networks.com aviatrixalicloud.cbc-networks.com

Where to add this?

⁠
⁠
⁠

3. Deploying

There are two Terraform repos ‘ALIAZCHINA’ and ‘ALIAZGLOBAL’, the former deploys in China and the latter deploys in EUROPE (though can be changed to US or other region).

Check the respective repo READMEs for additional info.

3.1 Summary of Deployment

Deploy ALIAZCHINA first

Obtain the ALI China transit private IPs and furnish the ALIAZGLOBAL repo ‘extconn.s2c.tf’ with these (s2c)

Deploy ALIAZGLOBAL

Obtain the ALI Global transit private IPs and furnish the ALIAZCHINA repo ‘extconn.s2c.tf’ with these (for s2c)

3.1.1 ALIAZCHINA

⁠

3.1.2 ALIAZGLOBAL

⁠

3.2 Repo ‘aliazchina’ Terraform code

Check this GitHub repo’s README for more details.

⁠

https://github.com/patelavtx/aliazchina.git⁠

⁠

3.3 Repo ‘aliazglobal’ Terraform code

Check this GitHub repo’s README for more details.

⁠

https://github.com/patelavtx/aliazglobal.git⁠

⁠

4.0 Copilot output showing the ALI Global to ALI China S2C

LHS = Copilot in Global

RHS =Copilot in China

⁠

4.1 Copilot authentication and service link to controller

Note/. that the following https rule 200 was used, (this is ‘wide open’ on https, but used in lab testing), to narrow down, allow the Copilot public IP port https access.

As you can see, rule 65000 is for private IP connectivity for local vnet traffic, controller and copilot are both in same vnet/subet, but needs ‘public ip’ access for linking copilot to controller

⁠

4.2 Copilot Security Group Management

Currently there is an issue when ‘China North’ is selected, ‘China North 2 or 3’ works

⁠

Want to print your doc?
This is not the way.

Try clicking the ⋯ next to your doc name or using a keyboard shortcut (

CtrlP

) instead.