ℹ️ Cloudflare One in China - China Express partnering with CMI and CBC
Welcome to Cloudflare CIO Week 2023!
This CIO Week we’ll demonstrate how Cloudflare is helping CIOs keep data, devices and employees both safe and fast across hybrid and remote environments. We’ll show how Cloudflare accelerates digital transformation and modernizes networking and security towards a Zero Trust model.
In this episode, tune in for a conversation with Cloudflare's Ameet Naik, Dafu Wang and Tingting Wang, China Mobile International's VP of Product Support, Zhuo Liu, and CBC Tech's VP of International Partner Alliance, Jeffry Hong.
Tune in all week for more news, announcements, and thought-provoking discussions!
For more, don't miss the Cloudflare CIO Week Hub
Hi everyone, welcome to another exciting segment as part of CIO Week 2023. This is the session we're going to talk about our announcement about China Express and our partnerships with the leading providers in China.
And my name is Ameet Naik.
I'm the Director of Product Marketing responsible for the Cloudflare Network Platform.
And joining me today are some very special guests. I'll introduce them one by one.
So first off, I want to introduce Dafu Wang and Tingting Wang who are part of the business development team that have been working on Cloudflare's China Network and China Express.
Dafu and Tingting, you want to say a quick hello?
Hello everybody.
And Tingting, we have a couple of really special guests with us today.
Why don't you go ahead and introduce them?
Yeah, thanks Ameet. So today we're very excited to have our China Express partner CMI and CBC's guest with us.
Let me introduce Liu Zhuo.
Liu Zhuo is a VP of Product from China Mobile International. He is a telecommunication and data communication professional with over 10 years of industry experience.
His background is expertise in telecom carrier level IP and IP data networking engineering and operation, routing, switches, SD-WAN and network security.
Thanks for joining us Liu Zhuo. Also, we have Jeffrey Hong, VP of International Partner Alliance from CBC Tech.
Jeffrey serves as head of International Partner Alliance and is responsible for supporting and helping CBC Tech's partner expanding their business into China.
Jeffrey has spent over 20 years in telecom sector working mostly with carrier and service provider.
Before he joined CBC Tech, he led several executive roles in sales and management and CNW, Hong Kong Telecom and Sprint International.
Thank you Jeffrey for joining us.
I know it's very early for you. You are based in Hong Kong. So thank you so much for getting up so early for us.
You're welcome. Thank you for inviting us.
Okay, thank you. Thank you both for joining us and especially Jeffrey and Liu Zhuo joining us on a Saturday.
So just to read, before we jump into what is China Express, I want to sort of just quickly recap.
So Cloudflare has been providing application services to users in mainland China since 2015.
As many of you know, the network environment in China has some unique characteristics and maintaining security and performance for a good user experience for users both in and out of China needs special consideration.
And Cloudflare has been doing this using in-country data centers and caching thanks to our strategic partnerships with JD Cloud.
And while this delivers really significant performance improvements, some of the requests from the caches in China still need to go out to the origin servers, which may be located outside of mainland China.
And this has some interesting characteristics and poses some problems.
So I want to turn to Dafu and talk a little bit about what are some of the network challenges experienced by global businesses that are operating or trying to serve users in mainland China?
Thank you, Ameet.
So yes, China actually got a very special Internet environment and also a really strict regulation.
And the architecture is very different from the world.
First of all, there are very limited international gateway in China. In general, there are three main international gateway based in Beijing, Shanghai, and Guangzhou.
And also on top of that, there are only three big ISPs that are licensed to provide a cross-border circuit.
And because of the limited peering between different ISPs, the domestic network has a very poor performance as the traffic is congested.
It's very common. And secondly, there are restricted cross-border regulations applied.
Its local Internet regulations, underlying infrastructure, and threat landscape present a variety of unique challenges that can make it harder for global business to deliver the quality of experience as local consumers expected.
So therefore, with a limited international Internet gateway and a restricted cross-border regulations, the congestion cost of international traffic has a very high latency and a packet drop rate.
So users in China are difficult to access servers, websites, or third-party SaaS applications hosted outside of China.
As a result, on the network layer, we have seen office-to-office connections and employee-to-global resource challenges.
China branch office always have difficulty connecting with the outside China headquarters due to the complex setup and also cross-border congestions.
For example, if customers use the Internet, the latency and packet drop will be high because it's congested.
And also, we see a lot of cases where global consumers' employees in China have trouble accessing some of the company's global resource because of the traffic it needs to go through China's Great Firewall.
For example, our global customers might not access our Zero Trust and web service when they're traveling to China.
Also, on the application layer, when it comes to dynamic content on the global region, due to unstable and slow-performing connections, the lead time could be very high.
And also, the DNS and HTTPS request being resolved outside of would cause even more latencies.
So that's interesting, right? So we did some things back in 2015 to move some of the Cloudflare caching and security functions within the country so that traffic wouldn't have to go in and out of the country, right?
And what you're saying is even that is not...
It helps to a great extent, but when users are accessing dynamic content or accessing dynamic SaaS applications that are served from outside the country, this can be particularly challenging, right?
Yes.
So of course, we've been busy and we've been busy trying to solve this problem.
So I want to turn to you, Tingting, to understand.
Tell us a little bit more about China Express and what it is and how does it help address some of the issues that Dafu raised?
Yeah. So as you mentioned, we've been working in China for our customer, for them to use their service in China for many years.
So China network helped them to solve the problem of delivering the content in country.
But then, time over time, we still have a lot of customers come to us.
They have more specific challenges when it comes to cross-border connections, right?
One, you can see certain of their on-premise or SaaS application, the current performance bottleneck of the cross-border is still there.
And secondly, recently, our Zero Trust business has been growing very fast and our Zero Trust customer come to us saying, hey, I want to use the same service in China as well.
So how can we do that?
So all these customer requests come to us and we work with our local partners, CBC and CMI, come with this program called China Express.
So essentially, it is a suite of connectivity and the performance offering that designed specially to simplify the connectivity and improve the performance for users in China.
And back to the key user case I just mentioned, for our Zero Trust customers, now they can leverage the same service globally, so their users and office can use the same service in China as well.
And for existing China network customer, if they add, let's say, the premium DIA on top of their current service, they can significantly improve the cross-border part of the performance as well.
So we see the China Express can bring a lot of benefit to our existing and new customers.
And we do have three categories.
One is premium DIA, one is private link, and then travel SIM. And I think our guests will talk about more of these three categories later.
Yeah, thanks for that great introduction.
And let's dig into some of these individual categories of products.
So premium DIA sounds interesting. So Jeffrey, let me turn to you.
Tell us a little bit about premium DIA and also about CBC Tech and what you guys do.
Well, great. Thanks, Ameet. Basically, what CBC Tech does is we've been providing telco service since 2008.
And we have actually been evolving ourselves into network technology service providers through the network as a service approach.
And we've been providing this premium Internet for very long, specifically to target people, what is MNC, global MNC branches in China, who may have a lot of challenges going out of China because of using public Internet.
So what we have done is that we have created this premium Internet platform where we have put a special algorithm in place, working with the three incumbent ISP, like you said earlier, that we have this special channel that we can ensure the traffic coming out of China will be piped through this special tunnel out of China.
And then it has optimized performance with very low packet loss, like less than 1% packet loss, and with very good latency.
So basically, what we have done with Cloudflare is to ensure that all this traffic coming out of JD Cloud will be coming throughout this special tunnel.
And we will carry all this traffic going off China through this public Internet into international, where we will be actually peered with Cloudflare, with all these traffic sent over to the public cloud.
So that's how we work with this China Express services.
So it sounds like when user traffic hits a cache in China in the JD Cloud Center, and let's say there's a cache miss, and the cache now has to go back to the origin server to retrieve the data or to access a dynamic application, that traffic will now flow over a premium DIA connection, thanks to CBC Tech, right?
And it'll get handed off to the origin outside of the country.
And that solves a lot of the performance and congestion problems that Dafu mentioned earlier.
Is that a fair statement?
Yep, it is. And make sure that this is still going through the so-called Great Firewall.
But we, like I said, we have put an algorithm in place to ensure that the traffic will be actually piped through the lowest latency, lowest packet loss tunnel through our backbone to international.
And do the customers have to worry about regulatory compliance issues there?
Oh, it's fully compliant.
It's fully compliant. Yeah, like I said, it's still going through the public Internet and the Great Firewall.
Sounds really seamless to me, right?
And sounds like just simplifying things for customers. It is. They don't have to worry about the congestion issues, right?
The other part of China Express is PrivateLink.
And premium DIA sounds like a great solution. But what's the difference between premium DIA and PrivateLink?
And what use cases would you recommend?
And what circumstances would you recommend PrivateLinks?
Okay, I would say that PrivateLink is mainly for those customer-owned traffic, like the Internet.
So basically, we will pipe through all these customer-owned traffic, site-to-site traffic, or even the private traffic into this PrivateLink going out of China so that they can actually have the same performance as like in the public Internet.
And also, I think the best part is about how they can actually access those sites that maybe may not have a good performance or may not be able to access from a public Internet space so that it can actually help those customers who are tackling to like the in-house server and all those private traffic that can go through.
So, will that also help with security requirements by keeping that traffic off of the public Internet?
Yeah, I think that that is one of the major benefits of it because people, some of the company, they might be thinking that everything cannot be gone public, has to be private.
So basically, this PrivateLink will help them. Got it, got it. And I know some of the major global SaaS vendors like Salesforce.com, they offer some direct connectivity options into their data centers.
So will customers with presence in China be able to use something like PrivateLink to connect directly to Salesforce.com, for example?
Yeah, I think both public and private will, I mean, the premium DIA and the PrivateLink will be able to serve the purpose if it is like Salesforce.com and most of the SaaS platform can be done through either way.
That's really exciting. And these are all available through CBC Tech. So, I think this simplifies and solves a lot of the problems that Dafu mentioned earlier in the discussion, right?
Exactly.
Thanks, Jeffrey. I want to turn to Liu Zhuo and ask you a couple of questions about another related but slightly different use case, right?
So a big need for global companies is when they open a branch office in China, or they have employees that are traveling and visiting China.
And they're trying to access all of the corporate applications, which may be in a cloud service, which may be SaaS, maybe located in the data centers outside.
This is a big use case, a big demand we see, a need we see from customers.
And to help with this, we've partnered with you to offer a travel SIM to our customers, right?
Tell us a little bit more about the travel SIM, how it works, and how it works with, especially with Cloudflare One Zero Trust.
Right, sure. Thank you, Ameet. So basically, the travel SIM is just a SIM card that provided by CMI.
And actually, at CMI, we are China Mobile.
So we actually start our business from the mobile market in China, if you go back to several decades ago.
China Mobile is actually separated from the other telecom carriers and focusing on the mobile markets.
And we provide SIM card, we provide the voice services, we provide the mobile data services.
And as we grow, as we develop the market, and right now, China Mobile actually has a lot of international roaming partner with all the tier one major carriers around the world.
And then we started to provide those travel SIMs.
And one part of the travel SIM is actually provided for those customers that's coming out of Mainland China, maybe they're having a tour to the US or to Europe.
And then we actually provide those SIM card on the reverse direction that so that people in different countries, like Chinese people or the local peoples, whoever wants to travel to China, they will have this SIM card provided by China Mobile.
And when they bring it back to Mainland China, they will be able to use it.
And our goal of the travel SIM is actually to provide a unified experience for all customers, regardless of their location, say I'm in the US or my friends are in Europe, and we all want to go to China.
And the goal of our travel SIM is to provide the same services and experience for different peoples around or as long as they're going to China.
So when we combine this travel SIM to the Cloudflare services, and we're actually wanting the customer will have the same user experience when connecting to Cloudflare platform outside of Mainland China and then inside Mainland China.
And yes, that's our goal.
So this really, from a CIO perspective, this really simplifies the job of provisioning connectivity for employees when they travel.
They don't have to go hunt for a local provider. They can turn that phone on when they land and they're already connected, right?
It's just really, really seamless.
And that's a really exciting product because I know this is a problem that a lot of our customers have had and been looking for a solution for.
So I want to dig a little bit into kind of how this, you mentioned Cloudflare One and we mentioned providing a consistent experience for users.
I want to turn to Dafu and talk about, help us understand how this simplifies the whole Cloudflare One experience for, let's say, global employees traveling in China or that are located in China that are remote or in an office.
Thanks, Ameet. So yes, currently we have three solutions to solve the problem in three main scenarios.
Thanks to CMI's travel SIM, we have the first one actually focus on the business travelers.
The travel SIM provided by CMI will provide a network connectivity and it can be used, like I mentioned by Liu Zhuo, can be used with our Cloudflare One WARP client on mobile devices.
And with this, the customer can enjoy the same as the rest of the world once they travel to China.
They don't need to purchase additional, like additional seats in China.
They just need to really simply insert the SIM card and they are good to go.
The SIM card is going to provide a 4G LTE network automatically and establish a WireGuard tunnel to our closest Cloudflare data center outside of China.
And the customer can literally enjoy the Zero Trust right away.
And the second solution focuses on the remote user in China for like permanent users or employees.
Unlike the temporary travel with the SIM card, through the remote user in China, we have worked with our partner to provide a network to carry out the traffic to our closest data center outside of China.
So this scenario will cover as worker from home, worker from field, and also mobile devices.
So this solution will also allow security teams to enforce consistent policies across devices connecting to corporate resource rather than just like managing separate security stacks for users actually inside and outside of China.
So suppose user actually either based in China or like frequently travel inside and outside of China need to access corporate resource hosted outside of China, they can access Cloudflare Zero Trust, the organization through the WARP client, company managed devices without necessarily being physically in an office.
So with our partner's network, our WARP client will establish the same WireGuard tunnel to the Cloudflare PoP and our partner's network only carry the traffic and all the traffic on the WireGuard still get a security stack enforced by Cloudflare.
So just as the traffic while with our other partner to Cloudflare at network level, WARP client traffic arriving our first stop outside of China is filtered through Gateway and Access policies.
So basically the IT administrators can choose to enforce the same and all additional policies for devices trafficked from China versus other global locations.
This setup will make IT's life way more easier.
So they don't need to worry about installing and managing a single device client just to grant access and control the security regardless of where employees are in China.
And the third one is about office to office scenario.
So with our Magic WAN solution, the global traffic from inside China office is going to route you to the closest available Cloudflare data center on the other side of China border with the connection provider from our partner.
So at that part, Cloudflare enforces a full stack of security functions across the traffic, including network firewall as a service and secure web gateway policies.
The traffic is then routed to the destination, like a final destination, like the outside China headquarter offices, whether another connected location on the private network via Anycast GRE, IPsec, or direct connection, or a public Internet resource across an optimized middle-mile path.
Of course, returning traffic to the connected network location in China would take the same but the opposite path.
And right now with the help from CMI, we have established such connection in our Beijing office.
So I would like to turn to Liu Zhuo to share more details about our Beijing project, our Beijing connections.
So here, please.
Right. Thank you, Dafu. And I think that's a very, very, very interesting first step for our cooperation for our strategic partnership.
And so, so basically we are a telecom carrier company.
So we provide the infrastructure and the basic idea of that of that product is actually we treat the Cloudflare traffic as one type of application because what we actually, the technology that we're actually using is more like an application-based acceleration.
So basically we treat the Cloudflare One platform traffic as one of the application traffic.
And we're actually putting that application traffic into a premium connectivity between inside China and outside China.
And for the actual application itself, we don't really touch it because we only provide the layer three and below services.
So for all the application like layer four, even layer four and five, six, seven, it's all controlled or all provided by still by Cloudflare.
And we are only providing those premium connectivity, a light-loaded, not really congested, separated from the public Internet traffic channel to the Cloudflare offices in Beijing.
So yeah, that's the basic idea. And hopefully so far, everything's going well.
Yeah. And that's really exciting, right? So at Cloudflare, we do something called dogfooding, which is we eat our own dog food.
We use our own products first. So before we let any customers give it a try, we try it ourselves, right?
And we actually use it and put it in practice. So this is a great step in that direction.
And like Dafu mentioned, right? So the real power of Cloudflare One is to offer a very uniform experience to users, whether they're in an office or whether they're working from home or whether they're traveling remotely.
And then with this partnership and China Express, I think we're extending that to make sure that we're providing the same consistent experience, whether they're inside China or outside of China, right?
While having the controls, while having the ability to implement a region-aware, device-aware, identity-aware security policy so that we can stay compliant and meet regulatory requirements as well.
So that's really exciting to be able to take Cloudflare One and extend it to China.
So it's a great, great development and partnership. So the last question I'm sure on everybody's mind is how do we start using this?
How do we do this?
So Tingting, let me ask you, what should customers that want to try China Express, what's the next step should they take?
Yeah. So actually all this China Express solutions, we have been working with CBC and CMI.
We have done tons of POC and testing.
Like you said, we also dogfooded ourselves. Our Beijing office is using it.
We actually have also done dozens of customer POCs in progress right now.
A couple of them actually are already in the contract process. So if you are interested in this solution, you think this can help you to solve some of your problems in China, feel free to contact your account team, your CSM, your AE.
They will arrange any necessary information you need.
And also welcome to reach out to us directly, tingting.Cloudflare.com or dafu.Cloudflare.com.
We are more than happy to help you.
I think eventually for Cloudflare, our mission is to help to build a better Internet.
And I don't think the Internet should be with a boundary, meaning like we should not have Internet only outside of China or inside of China.
For you, we want to provide a solution that you don't need to consider all these things.
So that's our goal, to simplify these things in China, although it's a very unique market.
But we are here to help from China Network, from China Express.
We are committed in this market and we want to help you to expand your business in China and tell us what your challenges are.
And we will keep adding new partners to our China offering.
And we're very excited to help our customers to support their business in China.
I couldn't have closed that on a better note.
Thank you, Tingting and Dafu for doing all the hard work to pull all this together and to make it easier for our customers to extend services in China.
And a very, very special thank you to our special guests, Jeffrey Hong and Liu Zhuo for joining us today at odd hours and speaking to our guests.
Thank you very much.
I hope everyone has a good Friday and a great weekend. Thank you very much.