China Infrastructure

Acceleration on
Applications (AOA)

Solution Overview for Global Teams
May 2026
Background

Problem The Great Firewall Effect

China's network regulations cause significant performance degradation and inaccessibility when reaching overseas applications.

300–500ms+
Round-trip latency
Packet Loss
Timeouts & resets
Blocking
Full inaccessibility

Solution What is AOA?

Acceleration on Applications is a network acceleration solution that:

  • Routes overseas-bound traffic through dedicated tunnels to ISP exit nodes
  • Bypasses congested peering points via optimized paths
  • Supports Meraki retail, Fortigate office, and cloud (Ali/Azure) scenarios

Coverage Three Deployment Scenarios

Meraki
Retail & Warehouse
Fortigate
HQ Office
VCPE
Ali & Azure Cloud
Affected Services

Google (Gmail, G-Drive, G-Meeting), GitHub, Atlassian, SAP, and other global SaaS platforms.

Scope Limitation

AOA cannot bypass services fully blocked by the Great Firewall. It works within the boundary of what is legally accessible.

Deployment Scenarios

AOA covers three distinct user scenarios across our China infrastructure:

Scenario Location Network Device Use Case
Retail / Office / Warehouse Meraki sites Meraki MX Hub Gmail, G-Drive, G-Meeting, Global Websites
HQ Chinalab (Shanghai) Fortigate (SD-WAN) Gmail, G-Drive, G-Meeting, Developer tools, Global Websites
Cloud Alibaba Cloud / Azure China VPC + VCPE Cloud-hosted apps accessing overseas APIs & services
Meraki MX
Retail & Warehouse Sites
Fortigate
HQ Office (Chinalab)
VCPE
Cloud (Ali / Azure)
Architecture Evolution: AOA 1.0 → AOA 2.0

Legacy AOA 1.0 Architecture

AOA 1.0 Architecture

Current AOA 2.0 Architecture

AOA 2.0 Architecture
AOA 2.0 — Dual-ISP Redundancy

AOA 2.0 addresses the single-ISP reliability concern:

Consolidated CU Tunnel

Merged Google01 + Google02 tunnels into a single CU AOA2.0 tunnel via China Unicom (CU).

CT Backup Path

Maintained the existing CT AOA tunnel as the secondary/backup path via China Telecom.

Automatic Failover

Each site connects to both ISP hubs — if one ISP goes down, traffic automatically fails over to the other.

Key Improvement

Instead of maintaining separate Google tunnels, AOA 2.0 merges Google and non-Google acceleration into a single CU tunnel per hub, while keeping the CT tunnel as redundancy.

Meraki Retail Sites Architecture
Meraki Retail Sites Architecture

Two AOA Hubs

HubISPNetwork NameRole
CU AOA Hub China Unicom CU SH AOA2.0 Hub Primary for retail
CT AOA Hub China Telecom CTG GZ Google Hub Primary for offices

CU AOA Hub Details

  • High-Availability (HA) pair using VRRP protocol
  • Primary MX: Q2SW-T7PS-6XC3 / Secondary: Q2SW-EVP8-DC8X
  • WAN connects to CU CPE router (10.42.0.1/30)
  • Static routes for Google IP scopes; API script dynamically manages routes for non-Google AOA domains
Fortigate Sites — Chinalab Office
Fortigate Chinalab Architecture

In the Chinalab office, the Fortigate firewall acts as the SD-WAN edge:

  • CT Google Tunnel — Primary AOA path via China Telecom
  • CU AOA Tunnel — Secondary/redundant path via China Unicom
  • CU AOA interface added to SD-WAN Zones as secondary member in SD-WAN Rules
Performance SLA

Monitors ICMP reachability to 8.8.8.8 — if the CT tunnel fails, traffic automatically switches to the CU tunnel.

Cloud Environments — Ali & Azure
Alibaba Cloud Architecture
Alibaba Cloud VPC Structure
Azure China Architecture
Azure China VPC Structure
CloudPrimary TunnelSecondary Tunnel
Alibaba Cloud CU AOA (10.42.2.0/30) CT AOA (10.41.2.0/30)
Azure China CU AOA CT AOA
Cloud SD-WAN Rules & Failover
SD-WAN Rules Configuration

AOA is deployed via VCPE (Virtual CPE) instances within the VPC:

  • A Performance SLA monitors 8.8.8.8 reachability
  • SD-WAN Rules handle automatic failover
  • If CU tunnel is down → traffic redirects to CT tunnel, and vice versa

Automatic Failover
All failover scenarios use Performance SLA + SD-WAN Rules — no manual intervention is required when an ISP tunnel goes down.

Disaster Recovery Plan

Meraki Network DRP — CU Hub Failure

Meraki DRP Failover

Chinalab (Fortigate) DRP

#TunnelISPFailover
1stCT GoogleChina TelecomSLA monitors 8.8.8.8
2ndCU AOAChina UnicomSD-WAN auto-switch

Cloud (Ali / Azure) DRP

#TunnelISPFailover
1stCU AOAChina UnicomSLA monitors 8.8.8.8
2ndCT AOAChina TelecomSD-WAN auto-switch
How to Request AOA

If a team or application needs acceleration for overseas access:

1

Submit Request

Visit
support.decathlon.net
/saw/Requests

2

Select Offering

Choose the "AOA" offering from the service catalog.

3

Specify Scenario

Clearly specify:
Retail, Office (Chinalab), or Cloud (Ali/Azure).

4

Document Usage

Assess and document your application usage in the request.

Important Notes & Constraints

Policy Business Use Only

AOA is provided for business demands only, not personal use.

SLA Service Level

Infrastructure SLA: 99.5% / Core service SLA: 99.9%

Risk Policy Changes

Cannot guarantee AOA availability in the event of national policy changes.

GFW Blocked Services

If an application is fully blocked by GFW, it cannot be added to AOA.

Personal Data

If personal information is involved, the CN security team must validate compliance.

Whitelist Requirements — AOA Egress IPs

ISPAOA Egress IPs
China Telecom (CT)129.227.62.160/28, 43.230.90.192/28
China Unicom (CU)43.155.83.235, 159.138.31.0, 156.59.18.243, 34.92.198.49
Key Terminology
TermDefinition
AOAAcceleration on Applications
CTChina Telecom — one of the two ISP partners
CUChina Unicom — the second ISP partner for redundancy
VCPEVirtual Customer Premises Equipment — software-based network appliance deployed in cloud VPCs
MXMeraki MX security appliance (used at retail/hub sites)
VRRPVirtual Router Redundancy Protocol — used for HA pair failover
GFWGreat Firewall — China's internet censorship system
SD-WANSoftware-Defined WAN — used for intelligent traffic routing and failover
Performance SLAHealth check mechanism monitoring ICMP reachability (typically to 8.8.8.8)

Thank You

Questions & Discussion

Submit AOA requests at

support.decathlon.net/saw/Requests