Cloudflare finds a way through China's network defences
Teams with locals to allow consistent security policy to make it through the Great Firewall
Cloudflare has found a way to extend some of its services across the Great Firewall and into mainland China.
"Performance and reliability for traffic flows across the mainland China border have been a consistent challenge for IT teams within multinational organizations," wrote product managers Kyle Krum and Annika Garbers. "Packets crossing the China border often experience reachability, congestion, loss, and latency challenges on their way to an origin server outside of China (and vice versa on the return path)."
Those glitches mean security and IT teams "can also struggle to enforce consistent policies across this traffic, since many aspects of China networking are often treated separately from the rest of an organization's global network because of their unique challenges," the pair wrote.
To address those challenges, Cloudflare has worked with unidentified "local partners" who "route local traffic to its destination within China, and global traffic across a secure link to the closest available Cloudflare datacenter on the other side of the Chinese border."
Cloudflare runs its suite of services in that datacenter, including firewall-as-a-service and Secure Web Gateway. Policies applied to those services can then be extended from an org's presences around the world, through the Great Firewall and into Chinese networks.
This should, in theory, mean an organization's security policies applied elsewhere can be extended into China.
Cloudflare's Chinese partners would not have chosen to participate in this cross-border arrangement without assent from Beijing. Doing otherwise would earn them rebukes – and worse.
The firm's local offering is therefore good news for China and multinational organizations that operate there.
It's good for China because, while the nation is working to make domestic consumption a bigger contributor to its economy as part of a "dual circulation" strategy, that plan recognizes the ongoing importance of exports.
But COVID-19 gave many organizations a lesson: that concentrating their manufacturing in China created unwelcome levels of risk. Some are diversifying their operations outside China. Some are leaving.
Allowing Cloudflare to make operations in China just a little easier will be welcomed by multinational organizations and by Chinese businesses that operate offshore.
Whether US authorities like it remains to be seen. Current policy calls for "clean networks" that are free of Chinese technology and do not connect to Chinese networks or network operators. Cloudflare is clearly working with Chinese carriers to make this service possible – which just might earn it a closer look from US authorities.
And we still don't know the extent of Cloudflare's ambitions in China.
"We've heard from both China-based and multinational organizations that are excited to have the full suite of Cloudflare One functions available across China to achieve a full SASE architecture just a few milliseconds from everywhere their users and applications are in the world," today's post states. "We're actively working toward this objective with our strategic partners, expanding upon the current availability of our application services platform across 45 datacenters in 38 unique cities in mainland China." ®