AWS China tips and ICP Recordal

Sudhir Kumar
2 min readMay 12, 2022

Few tips regarding AWS China. It’s being managed by separate entity and currently operating in 2 regions i.e. Ningxia and Beijing regions. AWS offers fewer services in China in comparison to US region.


No concept of root user login/email. To provision an AWS account you can use AWS Org and use cross account OrganizationRole to login as root . Enable MFA to assume this role.


AWS SSO service not enabled yet. You can use SAML federation to multiple accounts via Azure China or on-premises AD.

Why ICP (Internet content provider) Recordal ?

You can’t go live with any domain in China. You have to file for ICP recordal e.g:- * After approval, you can start using NLB or ELB or EC2 instance but the condition is that you have to get all public IP’s associated with these resources and fill it in ICP to indicate all public IP attachments associated with *

For ELB it’s tricky so you need to create a support case with AWS. They will procure multiple IP’s for ELB and that can be used in ICP recordal process.

For NLB; it’s straightforward as it already have static public IP address and those can be used in ICP Recordal process.

According to the “Regulations on Internet Information Service of the People’s Republic of China”, the domains without ICP recordal or ICP license shall not provide Internet information service. If your domain name is publicly accessed through the servers of NWCD or SINNET, you should apply for ICP recordal by SINNET or NWCD.

These approvals take time in China and only China team members / residents can file it and manage ICP recordal.

ARN (Amazon Resource Name): Use aws-cn (instead of aws) in ARN while using config management tools.

More Info ->

Egress traffic from China NAT Gateways to non-China region:

If your traffic is leaving from China NAT Gateways to non-china regions then it can pose serious issues as China Cyber Police will flag it as “Illegal cross border http proxy usage”. Enable VPC Flow logs to analyze traffic via Athena or third party provider as well.

You have to stop this traffic path and can address it in 2 ways:

  • Start consuming local services (instead of communicating with non-China services) e.g- public service available in China itself.
  • If it’s your own Infra then route it to over DX to your Data center and use your company MPLS WAN link to connect to non-China endpoints.

Connectivity :

If you are using IPSEC tunnels over internet from AWS VPC to on-premises then choose your internet provider carefully in China as you may witness packet losses/latency issues. Use edge nodes to monitor your network from all VPC’s. DirectConnect is better solution but expensive as well.



Sudhir Kumar

Working as Cloud lead/Architect with security mindset.