Cross-regional Deployment including Mainland China with the Midships Ping AIS Accelerator

  • Mayank Soni
  • Jun 24

Introduction

A valued client who was already running the Midships Ping AIS Accelerator in their Hong Kong environment requested our assistance in extending their identity platform into mainland China. Their goals were to deploy the same reliable Ping AIS setup on Tencent Cloud and to preserve the user experience for customers across Shanghai, Beijing, and other Chinese regions.

Tencent Cloud is one of China’s leading cloud providers, deeply integrated into the local digital ecosystem (including WeChat, QQ, and numerous Chinese applications). Utilizing our cloud-agnostic Helm charts, automated deployment scripts, and geolocation-based routing, we set out to deliver a robust, scalable, and fully compliant Ping AIS solution for the Chinese market.


Problem Statement

The client wanted to scale out their CIAM solution to China, from their current presence in Hong Kong. The business wanted to build upon an architecture and solution currently deployed in the Hong Kong region, whilst providing flexibility to cater for any possible data residency requirements.

Since they had found the Midships Ping AIS Accelerator deployment in the Hong Kong region to be resilient, performant, and scalable, they tasked Midships to showcase how it could be deployed in China.

Our tech team used this opportunity to demonstrate how the Midships Ping AIS accelerator architecture already supports this re-usability and allows for customisations.

Key Constraints

  • Data Residency Flexibility: The solution must support either full directory replication across regions or isolated identity domains.

  • Consistent User Experience: Authentication and performance in mainland China must match the existing Hong Kong environment, so users see no difference in login flow or speed.

  • Network and Deployment Restrictions: Deployments must work around the Great Firewall’s limitations (registry access, port restrictions) and leverage local services (e.g., Tencent Container Registry) without degrading reliability.


The Solution

To meet the client's requirements, we leveraged the Midships Ping AIS Accelerator deployment framework and tailored a multi-region architecture on Tencent Cloud (China) and AWS (Hong Kong).



  • Provisioned dedicated Kubernetes clusters in Tencent Cloud (mainland China) and AWS (Hong Kong) to ensure regional presence, resilience, and local compliance.

  • Created a Tencent Container Registry (TCR) instance; pushed all container images to TCR and updated Helm charts to pull from it—bypassing China‑specific image pull restrictions while preserving standard registries elsewhere.

  • Deployed PingAM, PingIDM, and PingDS using the Midships Ping AIS Accelerator’s automated Helm charts for consistent, repeatable setups.

  • Configured PingDS replication servers in Tencent Cloud and AWS to continuously synchronize user data for a seamless global experience.

  • Adjusted service ports to commonly allowed ports, ensuring services were accessible despite network restrictions. Configured network connections to ensure consistent and reliable access through the firewall.

  • Configured SSL-encrypted connections between PingAM instances in Tencent Cloud and AWS, leveraging a robust certificate management infrastructure to ensure secure and encrypted inter-cloud communication.

Special Case: To accommodate scenarios where data replication must remain disabled for regulatory reasons, we validated an alternative architecture leveraging federated identity. This approach enables users to authenticate locally without persisting sensitive data between regions.

Results

  • Seamless Cross-Region Access: Users can enjoy uninterrupted authentication and data access in both Hong Kong and mainland China; when integrated with geolocation routing, requests are automatically directed to the respective CIAM cluster under the appropriate regional policies.

  • Regulatory Assurance: The deployment offers flexible options—either full directory replication or isolated identity domains—to meet current data-residency mandates and adapt to evolving regulatory requirements.

  • Robust Network Integration: Reliable connectivity across the Great Firewall through optimized port configurations and encrypted traffic.

  • Operational Agility: Automated, cloud-agnostic deployment framework streamlines future regional expansions.


Conclusion

The global deployment of Ping AIS within Tencent Cloud and AWS successfully navigated stringent compliance, network challenges, and user experience requirements. By combining automation, strategic network configurations, and dynamic user routing, Midships established a scalable, secure, and compliant identity management framework ready for future expansion.

The Midships Ping AIS Accelerator is compatible with all the major cloud providers (AWS, Azure, GCP, OpenShift, Alibaba, Oracle, and Tencent).
