PTS Managed Services


Connecting Your China Office to Global HQ: SD-WAN, MPLS and IPLC Compared

SD-WAN, MPLS and IPLC compared for connecting a Mainland China office to global HQ: performance, compliance, cost profile and lead times — and why consumer VPNs aren't the answer.


Connecting a Mainland China office to your global network is a regulated design decision, not a product purchase — and the three serious options are licensed MPLS, SD-WAN through licensed providers, and dedicated IPLC circuits. The consumer VPN your team is quietly using is none of these: it’s legally grey, operationally fragile, and prone to failing exactly when you need it. This guide compares the three compliant approaches in plain terms — performance, compliance, cost profile and lead time — so you can pick the architecture that fits your business rather than the one a vendor happens to sell.

Why can’t we just use a VPN?

Because China regulates VPNs in a way no Western jurisdiction does. VPN use is legal in China only through government-approved services, and the rules specifically prohibit traditional IP-based VPNs while permitting implementations built on MPLS or SD-WAN technologies. Corporate cross-border connectivity is expected to run through authorised telecommunications operators, established for internal business use.

Even setting the law aside, the operational case collapses on its own. Inside the Mainland, the Great Firewall affects every cross-border data flow: unapproved VPN services are routinely blocked or throttled, and reliability degrades further during politically sensitive periods and major national events. A connection that mostly works is not a foundation for ERP access, Teams calls and file synchronisation between your Shenzhen office and global HQ. Enforcement historically targets providers more than individual users, but businesses using unapproved services still carry penalty risk — and the practical risk of waking up to a dead link.

So the honest starting point for any China–HQ connectivity design is: the workaround era is over; pick a licensed option. (For the broader background, see our top 10 things to know about VPNs in China.)

What are the three compliant options?

MPLS through licensed carriers

The traditional enterprise answer: a private MPLS connection delivered by a licensed carrier — China Telecom, China Unicom or China Mobile — linking your China sites to your global WAN. It’s reliable, compliant and predictable, with consistent latency that doesn’t depend on public internet conditions. The trade-off is cost: MPLS circuits are expensive, capacity upgrades are slow and contractual, and you pay for the bandwidth whether you use it or not.

SD-WAN through ICP-licensed providers

The modern middle ground. SD-WAN in China typically uses a twinned architecture: one network operating inside China, another covering the rest of the world, bridged through dedicated circuits that commonly route via Hong Kong or Singapore. Sites inside China connect to the SD-WAN over local broadband using IPsec tunnels, which is what makes the economics attractive — inexpensive local connectivity at the edge instead of premium circuits to every site. The SD-WAN provider must be approved and operate through authorised telecom channels, which is non-negotiable. Done properly, you get centralised management of Chinese and global sites through a single portal, traffic optimisation, and a cost profile well below MPLS — with performance that’s very good, though ultimately influenced by the local broadband underneath it.

IPLC: dedicated international private leased circuits

The heavy enterprise option. An IPLC (International Private Leased Circuit) is a dedicated point-to-point circuit between locations — say, Shanghai and Hong Kong — sold by licensed carriers. Nothing is shared, nothing transits the public internet, and performance is the most consistent of the three options. The price reflects that: IPLC is the most expensive approach per megabit, and it connects points rather than meshing many sites. It suits businesses with a specific, demanding flow — market data, latency-sensitive trading links, high-volume replication between two data centres — rather than general office connectivity.

How do MPLS, SD-WAN and IPLC compare?

|  | MPLS (licensed carrier) | SD-WAN (licensed provider) | IPLC (dedicated circuit) |
| --- | --- | --- | --- |
| What it is | Private carrier WAN connecting China sites to your global network | Twinned China + global networks, local broadband at the edge, bridged via licensed circuits | Dedicated point-to-point leased circuit between two locations |
| Performance | Consistent and predictable | Good; edge performance depends on local broadband quality | The most consistent — nothing shared, no public internet |
| Compliance | Permitted via licensed carriers (China Telecom, Unicom, Mobile) | Permitted through approved, ICP-licensed providers via authorised telecom channels | Licensed carrier product, compliant by design |
| Cost profile | High — premium circuits to every site | Moderate — the main reason businesses choose it | Highest per circuit |
| Lead time | Long — licensed circuits commonly take weeks, not days | Edge sites stand up faster on local broadband; the licensed cross-border link still drives the timeline | Longest — dedicated capacity provisioned end to end |
| Best for | Multi-site enterprises wanting maximum predictability | Most foreign businesses connecting China offices to global systems | A specific high-demand flow between two fixed points |

Two practical notes on reading that table. First, lead times in China are building-, city- and carrier-dependent, and circuit installation is consistently the longest item in any China office build — order early, whatever you choose. Second, these options combine: a common architecture is SD-WAN for general office traffic with an IPLC underneath a single critical flow.

Where do licensing and regulation come into the design?

Three regulatory touchpoints shape whatever you build:

  • Who’s allowed to carry the traffic. Cross-border connectivity must come through authorised telecommunications operators, and SD-WAN providers need the appropriate approvals — in practice, the serious providers hold ICP licences and operate through the licensed carriers. A provider that can’t show its licensing posture isn’t a provider you can build on.
  • Government access. Authorised services in China operate within a framework that includes government oversight of transmitted data. Western businesses used to an expectation of complete end-to-end privacy need to weigh this consciously — it’s a structural feature of compliant connectivity in China, not a flaw in one product.
  • Hosting triggers its own licensing. If you host services inside China as part of the architecture, ICP licensing requirements can apply to the hosted services themselves — a separate workstream with no Western equivalent.

These rules also change, sometimes at short notice. Build with a partner who tracks them, and revisit the setup periodically rather than assuming a compliant design stays compliant forever.

A compliant pipe does not make the data flowing through it compliant. Under PIPL, moving personal data out of the Mainland — to your global tenant, your HQ, or Hong Kong, which counts as cross-border under PIPL despite the one-country framing — is a regulated transfer, with thresholds determining whether you’re exempt, need a standard-contract filing, or need a full security assessment. The right order of operations is to map what data actually needs to cross the border first, then size the connectivity around those flows — not to build the link and let the data follow. Our cross-border Hong Kong–China IT playbook covers this data-first approach, and the connectivity decision interacts directly with your Microsoft 365 tenant strategy (global versus 21Vianet) as well.

Which option fits which business?

A reasonable default mapping, before the specifics of your sites and data flows adjust it:

  • A small China office (rep office, sales team) reaching global SaaS and HQ systems: SD-WAN through a licensed provider, almost every time. The economics and flexibility fit, and modern offerings are mature.
  • A multi-site China operation (manufacturing plus offices) with steady, predictable flows to a global WAN: licensed MPLS, or MPLS for the core with SD-WAN at smaller sites.
  • A financial or data-intensive business with one critical flow — market data into Shanghai, replication to a Hong Kong data centre: IPLC for that flow, with SD-WAN or MPLS around it.
  • Anyone still on consumer VPNs: treat this as technical debt with a regulatory dimension, and migrate before it migrates you.

The honest answer also depends on lead times and the building you’re in, which is why connectivity is the first thing to order in any China office project — the full sequencing is on our China IT services page.

How PTS helps

PTS designs and runs cross-border connectivity as part of managed IT for China operations — through our locally registered Shanghai entity, with Mandarin-speaking engineers on the ground and the carrier and provider relationships this work requires. We’re vendor-neutral, so the recommendation is driven by your data flows and budget, not a reseller margin. For overseas head offices, IT for foreign companies in China and Hong Kong describes how we work as your team on the ground. If you’re connecting a China office now — or untangling a setup that’s stopped working — talk to PTS.

SD-WAN, MPLS and IPLC FAQs

Only through government-approved services established via authorised telecommunications operators, for internal business use. Traditional IP-based VPNs are specifically prohibited; permitted implementations are built on MPLS or SD-WAN technologies. Unapproved consumer VPNs carry legal risk and, just as practically, fail unpredictably — especially during politically sensitive periods.

Which is cheapest: SD-WAN, MPLS or IPLC?

SD-WAN, in most real deployments — it uses inexpensive local broadband at the edge and reserves licensed circuits for the cross-border bridge, which is why it has become the default for foreign businesses. MPLS costs more for its predictability; IPLC is the most expensive per circuit and is bought for specific high-demand flows rather than general connectivity.

How long does a licensed China circuit take to install?

Licensed circuits are the longest lead-time item in a China office build — commonly weeks rather than days, varying by city, carrier and building. Order connectivity as early as your entity and premises allow, and plan interim arrangements so the office isn’t dark while you wait.

Compliant connectivity in China operates within a regulatory framework that includes government oversight of transmitted data — that’s part of what “authorised” means. Businesses should weigh this consciously in their architecture and data-flow design, keeping genuinely sensitive data subject to appropriate controls and taking qualified legal advice on their specific position.

No — the pipe and the data are separate questions. Personal data leaving the Mainland (including to Hong Kong) is a regulated cross-border transfer under PIPL regardless of how compliant the circuit is, with thresholds that determine whether you need filings or assessments. Map the data flows first, then design connectivity around what’s actually permitted to move.
