
Dispel Connections in China

This article outlines additional considerations for Dispel deployments in China

Written by Matt Fulk
Updated over 3 weeks ago

China enforces strict regulations on both the operation of Azure data centers within the country and the export of strong encryption. Because of these constraints, Dispel recommends structuring deployments in China as follows:

  1. Build the regional cloud network and VDIs in the SouthEastAsia Azure datacenter (Singapore).

  2. Use a private line for connectivity between China and the regional node in Singapore.

A standard, often stand-alone Dispel Region may be used to serve Chinese facilities. There are simply additional considerations for connections that traverse border crossings into and out of China.

1. What a “Private Line” Means in China

A private line (国际专线 / international dedicated line) is a leased circuit that connects a site in China to a site abroad through the international gateway of a licensed carrier (China Telecom, China Mobile, or China Unicom).

Key points:

  • Private lines may be MPLS, leased lines, or managed IPsec tunnels.

  • They are provisioned and operated only by licensed carriers.

  • They must exit China through authorized cross-border gateways in Beijing, Shanghai, Guangzhou, or Shenzhen.

  • From these gateways, traffic may be routed to Hong Kong (very common) or directly to the wider internet/offshore destination, depending on the carrier’s design.

Once provisioned, you may legally build your own overlay (e.g., run a Dispel StrongSwan IPsec or OpenVPN tunnel), since the underlying transport is compliant.

For deployment, all sites should route traffic through the site with the private line before exiting to the internet. For example, if a private line is provisioned in Shanghai, other sites (e.g., in Wuhan) must first route through Shanghai before reaching external resources.

📊 Diagram above: Illustrates Dispel tunnel traffic routing from Wuhan → Shanghai (via private line) → Hong Kong → Singapore → Singapore VDIs.

2. Process to Obtain a Private Line

Step 1: Contract with a licensed Chinese carrier

  • Typically requires a Chinese legal entity or local subsidiary.

Step 2: Define endpoints

  • Specify your onshore PoP (Point of Presence) (in China) and your offshore PoP (Singapore, in this case).

  • Provide business justification for encryption use.

Step 3: Carrier provisioning

  • The carrier provisions MPLS/leased-line bandwidth across its backbone, exiting at an approved gateway.

Step 4: Add your overlay

  • On top of the carrier line, deploy StrongSwan to enforce your chosen cryptographic suite (e.g., AES-256-GCM, SHA-512, ECP-384 — aligned with Dispel’s standards — more details can be found here).
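
An added example, not Dispel's own code or configuration: a Python check that audits the `proposals` and `esp_proposals` lines of a strongSwan `swanctl.conf` against the suite named in Step 4. The keyword mapping (`aes256gcm16`, `prfsha512`, `ecp384`) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed strongSwan keywords for the suite named in Step 4
# (AES-256-GCM, SHA-512, ECP-384). With an AEAD cipher, SHA-512 appears
# as the IKE PRF; ESP with GCM carries no separate integrity algorithm.
REQUIRED = {
    "proposals": {"aes256gcm16", "prfsha512", "ecp384"},  # IKE SA
    "esp_proposals": {"aes256gcm16", "ecp384"},           # CHILD SA with PFS
}
OPTIONAL = {"proposals": set(), "esp_proposals": {"esn", "noesn"}}
LINE = re.compile(r"^\s*(proposals|esp_proposals)\s*=\s*(.+?)\s*(?:#.*)?$")

def audit(conf_text):
    """Return (line, key, proposal, missing, not_allowed) per weak proposal."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        # Every comma-separated proposal can be negotiated, so each one
        # must match the suite exactly; a weak fallback allows a downgrade.
        for proposal in (p.strip() for p in value.split(",")):
            tokens = set(proposal.lower().split("-"))
            missing = sorted(REQUIRED[key] - tokens)
            extra = sorted(tokens - REQUIRED[key] - OPTIONAL[key])
            if missing or extra:
                findings.append((no, key, proposal, missing, extra))
    return findings

# Constructed sample configuration (connection names are hypothetical).
SAMPLE = """\
connections {
  shanghai-singapore {
    proposals = aes256gcm16-prfsha512-ecp384
    children {
      vdi {
        esp_proposals = aes256gcm16-ecp384, aes128-sha1-modp1024
      }
    }
  }
  legacy {
    proposals = aes256-sha512-ecp384, default
  }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check is deliberately strict: a proposal that lists the required algorithms alongside weaker alternatives is reported, because the peer could select the weaker one.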

3. Other Considerations

  • 🖥️ RDP Connections: While China may sometimes restrict RDP connections leaving the country, in practice these restrictions are rare and depend on the local ISP.

    • This is generally not an issue but should be considered during planning.

  • 💡 Typical lead time: weeks to months

  • 💡 Pricing: significantly higher than commodity internet VPNs, usually charged by bandwidth (10 Mbps, 100 Mbps, etc.) and distance.
