Border connectivity

Network integration planning is an important prerequisite for successful Azure Stack Hub integrated systems deployment, operation, and management. Border connectivity planning begins by choosing whether you want to use dynamic routing with Border Gateway Protocol (BGP), which requires assigning a 16-bit autonomous system number (ASN), public or private, or static routing.

Important

The top of rack (TOR) switches require Layer 3 uplinks with point-to-point IPs (/30 networks) configured on the physical interfaces. Layer 2 uplinks to the TOR switches aren't supported for Azure Stack Hub operations. The border device can support a 32-bit BGP autonomous system number (ASN).

BGP routing

Using a dynamic routing protocol like BGP guarantees that your system is always aware of network changes and facilitates administration. For enhanced security, a password may be set on the BGP peering between the TOR and the border.

As shown in the following diagram, advertisement of the private IP space on the TOR switch is blocked using a prefix list. The prefix list denies advertisement of the private network and is applied as a route map on the connection between the TOR and the border.

The Software Load Balancer (SLB) running inside the Azure Stack Hub solution peers with the TOR devices so that it can dynamically advertise the VIP addresses.

To ensure that user traffic immediately and transparently recovers from failure, the VPC or MLAG configured between the TOR devices allows multi-chassis link aggregation to the hosts, and HSRP or VRRP provides network redundancy for the IP networks.

(Diagram: BGP routing)

Static routing

Static routing requires additional configuration of the border devices. It requires more manual intervention and management, as well as thorough analysis before any change. Issues caused by a configuration error may take more time to roll back, depending on the changes made. This routing method isn't recommended, but it's supported.

To integrate Azure Stack Hub into your networking environment using static routing, all four physical links between the border and the TOR devices must be connected. High availability can't be guaranteed because of how static routing works.

The border device must be configured with static routes pointing to each of the four P2P IPs set between the TOR and the border for traffic destined to any network inside Azure Stack Hub, but only the External or Public VIP network is required for operation. Static routes to the BMC and External networks are required for initial deployment. Operators can choose to leave static routes in the border to access management resources that reside on the BMC and Infrastructure networks. Adding static routes to the switch infrastructure and switch management networks is optional.

The TOR devices are configured with a static default route that sends all traffic to the border devices. The one exception to the default rule is traffic for the private space, which is blocked using an access control list applied on the TOR-to-border connection.

Static routing applies only to the uplinks between the TOR and border switches. BGP dynamic routing is used inside the rack because it's an essential tool for the SLB and other components and can't be disabled or removed.

(Diagram: Static routing)

* The BMC network is optional after deployment.

** The Switch Infrastructure network is optional, as the whole network can be included in the Switch Management network.

*** The Switch Management network is required and can be added separately from the Switch Infrastructure network.

Transparent proxy

If your datacenter requires all traffic to use a proxy, you must configure a transparent proxy to process all traffic from the rack, handling it according to policy and separating traffic between the zones on your network.

Important

The Azure Stack Hub solution doesn't support normal web proxies.

A transparent proxy (also known as an intercepting, inline, or forced proxy) intercepts normal communication at the network layer without requiring any special client configuration. Clients don't need to be aware of the existence of the proxy.

(Diagram: Transparent proxy)

SSL traffic interception is not supported and can lead to service failures when accessing endpoints. The maximum supported timeout for communicating with the endpoints required for identity is 60 seconds, with 3 retry attempts.

Next steps

DNS integration