Datacenter integration planning considerations for Azure Stack integrated systems

If you're interested in an Azure Stack integrated system, you should understand the major planning considerations around deployment and how the system fits into your datacenter. This article provides a high-level overview of these considerations to help you make important infrastructure decisions for your Azure Stack integrated systems. An understanding of these considerations helps when working with your OEM hardware vendor while they deploy Azure Stack to your datacenter.

Note

Azure Stack integrated systems can only be purchased from authorized hardware vendors.

To deploy Azure Stack, you need to provide planning information to your solution provider before deployment starts so that the process goes quickly and smoothly. The information required spans networking, security, and identity, and involves many important decisions that may require knowledge from many different areas and decision makers. You'll need people from multiple teams in your organization to ensure that you have all required information ready before deployment. It can help to talk to your hardware vendor while collecting this information because they might have helpful advice.

While researching and collecting the required information, you might need to make some pre-deployment configuration changes to your network environment. These changes could include reserving IP address space for the Azure Stack solution, as well as configuring your routers, switches, and firewalls to prepare for connectivity to the new Azure Stack solution switches. Make sure to have the subject area experts lined up to help you with your planning.

Capacity planning considerations

When you evaluate an Azure Stack solution for acquisition, you make hardware configuration choices that have a direct impact on the overall capacity of the Azure Stack solution. These include the classic choices of CPU, memory density, storage configuration, and overall solution scale (for example, number of servers). Unlike a traditional virtualization solution, the simple arithmetic of adding up these components to determine usable capacity doesn't apply. The first reason is that Azure Stack is architected to host the infrastructure or management components within the solution itself. The second reason is that some of the solution's capacity is reserved in support of resiliency: the solution's software is updated in a way that minimizes disruption of tenant workloads, and that requires spare capacity.

The Azure Stack capacity planner spreadsheet helps you make informed decisions for planning capacity in two ways. The first is by selecting a hardware offering and attempting to fit a combination of resources. The second is by defining the workload that Azure Stack is intended to run and viewing the available hardware SKUs that can support it. The spreadsheet is intended as a guide to help in making decisions related to Azure Stack planning and configuration.

The spreadsheet isn't intended to serve as a substitute for your own investigation and analysis. Azure makes no representations or warranties, express or implied, with respect to the information provided within the spreadsheet.

Management considerations

Azure Stack is a sealed system, where the infrastructure is locked down both from a permissions and a network perspective. Network access control lists (ACLs) are applied to block all unauthorized incoming traffic and all unnecessary communications between infrastructure components. This makes it difficult for unauthorized users to access the system.

For daily management and operations, there's no unrestricted admin access to the infrastructure. Azure Stack operators must manage the system through the administrator portal or through Azure Resource Manager (via PowerShell or the REST API). There's no access to the system by other management tools like Hyper-V Manager or Failover Cluster Manager. To help protect the system, third-party software (for example, agents) can't be installed inside the components of the Azure Stack infrastructure. Interoperability with external management and security software occurs via PowerShell or the REST API.

Contact Azure Support when you need a higher level of access for troubleshooting issues that aren't resolved through alert mediation steps. Through support, there's a method to provide temporary full admin access to the system for more advanced operations.

Identity considerations

Choose identity provider

You'll need to consider which identity provider you want to use for your Azure Stack deployment, either Azure AD or AD FS. You can't switch identity providers after deployment without full system redeployment. If you don't own the Azure AD account and are using an account provided to you by your Cloud Solution Provider, and if you decide to switch provider and use a different Azure AD account, you'll have to contact your solution provider to redeploy the solution for you at your cost.

Your identity provider choice has no bearing on tenant virtual machines (VMs), the identity system and accounts they use, whether they can join an Active Directory domain, and so on. These things are separate.

You can learn more about choosing an identity provider in the Azure Stack integrated systems connection models article.

AD FS and Graph integration

If you choose to deploy Azure Stack using AD FS as the identity provider, you must integrate the AD FS instance on Azure Stack with an existing AD FS instance through a federation trust. This integration allows identities in an existing Active Directory forest to authenticate with resources in Azure Stack.

You can also integrate the Graph service in Azure Stack with the existing Active Directory. This integration lets you manage Role-Based Access Control (RBAC) in Azure Stack. When access to a resource is delegated, the Graph component looks up the user account in the existing Active Directory forest using the LDAP protocol.

The following diagram shows integrated AD FS and Graph traffic flow.

Diagram showing AD FS and Graph traffic flow

Licensing model

You must decide which licensing model you want to use. The available options depend on whether you deploy Azure Stack connected to the internet:

  • For a connected deployment, you can choose either pay-as-you-use or capacity-based licensing. Pay-as-you-use requires a connection to Azure to report usage, which is then billed through Azure commerce.
  • Only capacity-based licensing is supported if you deploy disconnected from the internet.

Naming decisions

You'll need to think about how you want to plan your Azure Stack namespace, especially the region name and external domain name. The external fully qualified domain name (FQDN) of your Azure Stack deployment for public-facing endpoints is the combination of these two names: <region>.<fqdn>. For example, east.cloud.fabrikam.com. In this example, the Azure Stack portals would be available at the following URLs:

Important

The region name you choose for your Azure Stack deployment must be unique and will appear in the portal addresses.

The following table summarizes these domain naming decisions.

| Name | Description |
|---|---|
| Region name | The name of your first Azure Stack region. This name is used as part of the FQDN for the public virtual IP addresses (VIPs) that Azure Stack manages. Typically, the region name is a physical location identifier such as a datacenter location. The region name must consist of only letters and the numbers 0-9. No special characters (like -, #, and so on) are allowed. |
| External domain name | The name of the Domain Name System (DNS) zone for endpoints with external-facing VIPs. Used in the FQDN for these public VIPs. |
| Private (internal) domain name | The name of the domain (and internal DNS zone) created on Azure Stack for infrastructure management. |

Certificate requirements

For deployment, you'll need to provide Secure Sockets Layer (SSL) certificates for public-facing endpoints. At a high level, certificates have the following requirements:

  • You can use a single wildcard certificate, or you can use a set of dedicated certificates and then use wildcards only for endpoints like storage and Key Vault.
  • Certificates can be issued by a publicly trusted certificate authority (CA) or a customer-managed CA.

For more information about which PKI certificates are required to deploy Azure Stack, and how to obtain them, see Azure Stack Public Key Infrastructure certificate requirements.

Important

The provided PKI certificate information should be used as general guidance. Before you acquire any PKI certificates for Azure Stack, work with your OEM hardware partner. They'll provide more detailed certificate guidance and requirements.

Time synchronization

You must choose a specific time server that is used to synchronize Azure Stack. Time synchronization is critical to Azure Stack and its infrastructure roles because it's used to generate Kerberos tickets. Kerberos tickets are used to authenticate internal services with each other.

You must specify an IP address for the time synchronization server. Although most of the components in the infrastructure can resolve a URL, some only support IP addresses. If you're using the disconnected deployment option, you must specify a time server on your corporate network that you're sure you can reach from the infrastructure network in Azure Stack.
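The naming, certificate and time-server rules from the three sections above can be checked before the values are handed to the OEM partner. The following is an added example, not Microsoft's or any OEM's tooling: it validates the region name, composes <region>.<fqdn>, checks wildcard certificate coverage one DNS label at a time, and rejects a time server given as a hostname. The endpoint prefixes (portal, adminportal, blob, vault), the SAN list and the worksheet values are constructed assumptions for illustration, not the official endpoint list.

```python
"""Pre-deployment checks for Azure Stack planning inputs (added example).

Encodes three rules from the planning guidance: region names are letters and
digits only, public endpoints live under <region>.<fqdn> and need certificate
coverage, and the time server must be given as an IP address."""
import ipaddress
import re

# Region name: letters and digits 0-9 only; '-', '#' and other specials rejected.
REGION_RE = re.compile(r"^[A-Za-z0-9]+$")

def validate_region_name(region: str) -> bool:
    """True when the region name obeys the letters-and-digits rule."""
    return bool(REGION_RE.match(region))

def external_fqdn(region: str, external_domain: str) -> str:
    """Compose the public FQDN <region>.<fqdn>, e.g. east.cloud.fabrikam.com."""
    if not validate_region_name(region):
        raise ValueError(f"invalid region name: {region!r}")
    return f"{region}.{external_domain.strip('.')}".lower()

def cert_covers(host: str, san_names: list) -> bool:
    """True if a certificate with these SAN entries is valid for `host`.

    A wildcard matches exactly one DNS label, so *.east.cloud.fabrikam.com covers
    portal.east.cloud.fabrikam.com but not myacct.blob.east.cloud.fabrikam.com;
    the 'blob'/'vault' label names used here are assumptions, not official names."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]):
            leading = host[: -len(name[1:])]      # the part the '*' stands for
            if leading and "." not in leading:   # exactly one label
                return True
    return False

def validate_time_server(value: str) -> bool:
    """The time source must be an IP literal: some infrastructure roles cannot
    resolve names, so a hostname is rejected even if it would resolve."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_deployment_inputs(inputs: dict) -> list:
    """Return the list of problems in a planning worksheet (empty means OK)."""
    problems = []
    region, domain = inputs["region"], inputs["external_domain"]
    if not validate_region_name(region):
        problems.append(f"region {region!r}: only letters and digits 0-9 are allowed")
    else:
        fqdn = external_fqdn(region, domain)
        for prefix in inputs["endpoint_prefixes"]:
            host = f"{prefix}.{fqdn}"
            if not cert_covers(host, inputs["cert_sans"]):
                problems.append(f"no certificate covers {host}")
    if not validate_time_server(inputs["time_server"]):
        problems.append(f"time server {inputs['time_server']!r} must be an IP address")
    return problems

# Constructed worksheet; east.cloud.fabrikam.com is the example used in the text.
SAMPLE_INPUTS = {
    "region": "east",
    "external_domain": "cloud.fabrikam.com",
    "endpoint_prefixes": ["portal", "adminportal", "myacct.blob", "myvault.vault"],
    "cert_sans": ["*.east.cloud.fabrikam.com"],   # single wildcard, one label deep
    "time_server": "time.windows.com",            # a name, which is not accepted
}

if __name__ == "__main__":
    for problem in check_deployment_inputs(SAMPLE_INPUTS):
        print("PROBLEM:", problem)
```

Run as written, the sample worksheet reports the two storage/Key Vault hosts the single wildcard does not cover plus the hostname time server; swapping in per-service wildcards and an IP literal clears the list.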

Connect Azure Stack to Azure

For hybrid cloud scenarios, you'll need to plan how you want to connect Azure Stack to Azure. There are two supported methods to connect virtual networks in Azure Stack to virtual networks in Azure:

  • Site-to-site: A virtual private network (VPN) connection over IPsec (IKE v1 and IKE v2). This type of connection requires a VPN device or Routing and Remote Access Service (RRAS). For more information about VPN gateways in Azure, see About VPN Gateway. The communication over this tunnel is encrypted and secure. However, bandwidth is limited by the maximum throughput of the tunnel (100-200 Mbps).

  • Outbound NAT: By default, all VMs in Azure Stack have connectivity to external networks via outbound NAT. Each virtual network that's created in Azure Stack gets a public IP address assigned to it. Whether the VM is directly assigned a public IP address or is behind a load balancer with a public IP address, it has outbound access via outbound NAT using the VIP of the virtual network. This method only works for communication that's initiated by the VM and destined for external networks (either internet or intranet). It can't be used to communicate with the VM from outside.

Hybrid connectivity options

For hybrid connectivity, it's important to consider what kind of deployment you want to offer and where it will be deployed. You'll need to consider whether you need to isolate network traffic per tenant, and whether you'll have an intranet or internet deployment.

  • Single-tenant Azure Stack: An Azure Stack deployment that looks, at least from a networking perspective, as if it's one tenant. There can be many tenant subscriptions, but like any intranet service, all traffic travels over the same networks. Network traffic from one subscription travels over the same network connection as another subscription and doesn't need to be isolated via an encrypted tunnel.

  • Multi-tenant Azure Stack: An Azure Stack deployment where each tenant subscription's traffic that's bound for networks external to Azure Stack must be isolated from other tenants' network traffic.

  • Intranet deployment: An Azure Stack deployment that sits on a corporate intranet, typically on private IP address space and behind one or more firewalls. The public IP addresses aren't truly public because they can't be routed directly over the public internet.

  • Internet deployment: An Azure Stack deployment that's connected to the public internet and uses internet-routable public IP addresses for the public VIP range. The deployment can still sit behind a firewall, but the public VIP range is directly reachable from the public internet and Azure.

The following table summarizes the hybrid connectivity scenarios with their pros, cons, and use cases.

| Scenario | Connectivity method | Pros | Cons | Good for |
|---|---|---|---|---|
| Single-tenant Azure Stack, intranet deployment | Outbound NAT | Better bandwidth for faster transfers. Simple to implement; no gateways required. | Traffic not encrypted; no isolation or encryption outside the stack. | Enterprise deployments where all tenants are equally trusted. Enterprises that have an Azure ExpressRoute circuit to Azure. |
| Multi-tenant Azure Stack, intranet deployment | Site-to-site VPN | Traffic from the tenant VNet to the destination is secure. | Bandwidth is limited by the site-to-site VPN tunnel. Requires a gateway in the virtual network and a VPN device on the destination network. | Enterprise deployments where some tenant traffic must be secured from other tenants. |
| Single-tenant Azure Stack, internet deployment | Outbound NAT | Better bandwidth for faster transfers. | Traffic not encrypted; no isolation or encryption outside the stack. | Hosting scenarios where the tenant gets their own Azure Stack deployment and a dedicated circuit to the Azure Stack environment, for example ExpressRoute or Multiprotocol Label Switching (MPLS). |
| Multi-tenant Azure Stack, internet deployment | Site-to-site VPN | Traffic from the tenant VNet to the destination is secure. | Bandwidth is limited by the site-to-site VPN tunnel. Requires a gateway in the virtual network and a VPN device on the destination network. | Hosting scenarios where the provider wants to offer a multi-tenant cloud, where the tenants don't trust each other and traffic must be encrypted. |

Using ExpressRoute

You can connect Azure Stack to Azure via ExpressRoute for both single-tenant intranet and multi-tenant scenarios. You'll need a provisioned ExpressRoute circuit through a connectivity provider.

The following diagram shows ExpressRoute for a single-tenant scenario (where "Customer's connection" is the ExpressRoute circuit).

Diagram showing the single-tenant ExpressRoute scenario

The following diagram shows ExpressRoute for a multi-tenant scenario.

Diagram showing the multi-tenant ExpressRoute scenario

External monitoring

To get a single view of all alerts from your Azure Stack deployment and devices, and to integrate alerts into existing IT Service Management workflows for ticketing, you can integrate Azure Stack with external datacenter monitoring solutions.

Included with the Azure Stack solution, the hardware lifecycle host is a computer outside Azure Stack that runs the OEM vendor-provided management tools for the hardware. You can use these tools or other solutions that integrate directly with existing monitoring solutions in your datacenter.

The following table summarizes the currently available options.

| Area | External monitoring solution |
|---|---|
| Azure Stack software | Azure Stack Management Pack for Operations Manager; Nagios plug-in; REST-based API calls |
| Physical servers (BMCs via IPMI) | OEM hardware Operations Manager vendor management pack; OEM hardware vendor-provided solution; hardware vendor Nagios plug-ins; OEM partner-supported monitoring solution (included) |
| Network devices (SNMP) | Operations Manager network device discovery; OEM hardware vendor-provided solution; Nagios switch plug-in |
| Tenant subscription health monitoring | System Center Management Pack for Azure |

Note the following requirements:

  • The solution you use must be agentless. You can't install third-party agents inside Azure Stack components.
  • If you want to use System Center Operations Manager, Operations Manager 2012 R2 or Operations Manager 2016 is required.

Backup and disaster recovery

Planning for backup and disaster recovery involves planning both for the underlying Azure Stack infrastructure that hosts IaaS VMs and PaaS services, and for tenant apps and data. Plan for these separately.

Protect infrastructure components

You can back up Azure Stack infrastructure components to an SMB share that you specify:

  • You'll need an external SMB file share on an existing Windows-based file server or a third-party device.
  • Use this same share for the backup of network switches and the hardware lifecycle host. Your OEM hardware vendor will help provide guidance for backup and restore of these components because they are external to Azure Stack. You're responsible for running the backup workflows based on the OEM vendor's recommendation.

If catastrophic data loss occurs, you can use the infrastructure backup to reseed deployment data such as:

  • Deployment inputs and identifiers
  • Service accounts
  • CA root certificate
  • Federated resources (in disconnected deployments)
  • Plans, offers, subscriptions, and quotas
  • RBAC policy and role assignments
  • Key Vault secrets

Protect tenant apps on IaaS VMs

Azure Stack doesn't back up tenant apps and data. You must plan for backup and disaster recovery protection to a target external to Azure Stack. Tenant protection is a tenant-driven activity. For IaaS VMs, tenants can use in-guest technologies to protect file folders, app data, and system state. However, as an enterprise or service provider, you may want to offer a backup and recovery solution in the same datacenter or externally in a cloud.

To back up Linux or Windows IaaS VMs, you must use backup products with access to the guest operating system to protect files, folders, operating system state, and app data. You can use Azure Backup, System Center Data Center Protection Manager, or supported third-party products.

To replicate data to a secondary location and orchestrate application failover if a disaster occurs, you can use Azure Site Recovery or supported third-party products. Also, apps that support native replication, like Microsoft SQL Server, can replicate data to another location where the app is running.

Learn more

  • For information about use cases, purchasing, partners, and OEM hardware vendors, see the Azure Stack product page.
  • For information about the roadmap and geo-availability for Azure Stack integrated systems, see the white paper Azure Stack: An extension of Azure.

Next steps

Azure Stack deployment connection models