Mention China to a Western software team and somebody will bring up the Great Firewall in about thirty seconds. Followed by a panicked series of questions:

1. How do we get around it?!
2. Will our website be blocked?!
3. Can we still use our CDN?!

All reasonable questions, just not the first ones you should be asking. The funny thing about bringing software into China is that most teams never even make it to the firewall problem. They hit two bigger obstacles first, one of them is legal and the other is technical.

Problem #1: Your Application Might Not Be Compliant

A lot of software companies assume China is another deployment region. You just spin up some infrastructure, translate a few pages and then boom! You’ve launched.

Unfortunately, China has other ideas.

Data residency requirements, cross-border transfer rules, ICP filings, privacy regulations, and sector-specific compliance requirements all start influencing architecture decisions long before the first customer signs up. The uncomfortable part is that these are often assumptions you have to consider during the design phase of your software.

All those decisions you made during design suddenly mean your app doesn’t meet China’s compliance and sovereignty laws. Teams often discover this far too late - the application has already been built, the infrastructure is already burning money, and the launch date is already booked. Now somebody is explaining why your architecture needs to change and you’re wondering how this is only just now being talked about.

Problem #2: Half Your Dependencies Don't Work

Let's assume you've solved the compliance side. Hooray! Bring out the wine or blackberry juice! You’ve made some progress!

But now it's time to discover how many integral dependencies you’re using just don’t work. Authentication is usually the first one (let the fun begin!).

A surprising number of modern applications depend on Google somewhere in the sign-in flow. Maybe it's OAuth. Maybe it's Firebase. Maybe it's a library nobody has thought about in three years. Then a user in Beijing clicks "Sign In" and nothing happens, the login screen spins forever and game over!

The same pattern shows up everywhere. Facebook, Instagram, X, and so on – all blocked in China. Major payment platforms such as Stripe cannot process. AI, the latest hot topic, is also a major service where China plays by its own rules. The list goes on. Entire products have been designed around assumptions that stop being true the moment you cross into China. This is usually the point where teams realise they need the Chinese equivalent for these services, such as WeChat, AliPay, DeepSeek, etc.

Now You Can Start Worrying About the Firewall

This is the part everyone often talks about:

• The Great Firewall
• DNS injection
• Deep Packet Inspection (DPI)
• Cross-border latency
• VPNs

The irony is that these challenges only matter once your software is legal and your dependencies actually work. A blocked authentication service will destroy user onboarding long before network optimisation becomes relevant. An application that can't legally store its customer data has bigger concerns than packet loss.

Nevertheless, the firewall can absolutely affect performance and reliability. It creates real engineering challenges and deserves serious attention. It just isn't usually the first problem. Or the second.

What Should You Actually Do?

Before discussing CDNs, VPNs, or network routing, perform two audits.

First, conduct a compliance audit.

Understand where your data lives, who can access it, and whether your architecture can satisfy China’s strict requirements. Second, conduct a dependency audit.

List every external service your application relies on:

• Authentication
• Payments
• Analytics
• Social media
• Marketing platforms
• AI providers
• Everything

Then ask a simple question: Which of these still work when a user is sitting in Shanghai?

Most teams are surprised by how quickly that list starts shrinking. The Great Firewall gets all the attention because it's visible. The bigger problems are usually hiding inside your architecture.

That's where the real work starts.