Azure Stack 的网络集成规划Network integration planning for Azure Stack

本文提供 Azure Stack 网络基础架构信息,可帮助你确定如何以最佳方式将 Azure Stack 集成到现有的网络环境。This article provides Azure Stack network infrastructure information to help you decide how to best integrate Azure Stack into your existing networking environment.

备注

若要从 Azure Stack 解析外部 DNS 名称(例如 www.bing.com),必须提供 DNS 服务器来转发 DNS 请求。To resolve external DNS names from Azure Stack (for example, www.bing.com), you need to provide DNS servers to forward DNS requests. 有关 Azure Stack DNS 要求的详细信息,请参阅 Azure Stack 数据中心集成 - DNSFor more information about Azure Stack DNS requirements, see Azure Stack datacenter integration - DNS.

物理网络设计Physical network design

Azure Stack 解决方案需有弹性且高度可用的物理基础结构才能支持其操作和服务。The Azure Stack solution requires a resilient and highly available physical infrastructure to support its operation and services. 若要将 Azure Stack 集成到网络,它需要从架顶式交换机 (ToR) 上行链接到最近的交换机或路由器,在本文档中称为“边界”。To integrate Azure Stack to the network it requires uplinks from the Top-of-Rack switches (ToR) to the nearest switch or router, which on this documentation is referred as Border. ToR 可以上行链接到单个或一对边界。The ToRs can be uplinked to a single or a pair of Borders. ToR 是由我们的自动化工具预先配置的,当使用 BGP 路由时,它期望 ToR 与边界之间至少有一个连接,当使用静态路由时,它期望 ToR 与边界之间至少有两个连接(每个 ToR 一个),每个路由选项上最多有四个连接。The ToR is pre-configured by our automation tool, it expects a minimum of one connection between ToR and Border when using BGP Routing and a minimum of two connections (one per ToR) between ToR and Border when using Static Routing, with a maximum of four connections on either routing options. 这些连接仅限于 SFP + 或 SFP28 介质以及 1 GB、10 GB 或 25-GB 速度。These connections are limited to SFP+ or SFP28 media and one GB, 10 GB, or 25-GB speeds. 请咨询原始设备制造商 (OEM) 硬件供应商以了解可用性。Check with your original equipment manufacturer (OEM) hardware vendor for availability. 下图显示了建议的设计:The following diagram presents the recommended design:

建议的 Azure Stack 网络设计

逻辑网络Logical Networks

逻辑网络表示底层物理网络基础结构的抽象。Logical networks represent an abstraction of the underlying physical network infrastructure. 它们用于组织和简化主机、虚拟机 (VM) 和服务的网络分配。They're used to organize and simplify network assignments for hosts, virtual machines (VMs), and services. 网络站点在创建逻辑网络时创建,定义虚拟局域网 (VLAN)、IP 子网,以及与每个物理位置中逻辑网络关联的 IP 子网/VLAN 对。As part of logical network creation, network sites are created to define the virtual local area networks (VLANs), IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location.

下表显示了逻辑网络以及必须规划的关联 IPv4 子网范围:The following table shows the logical networks and associated IPv4 subnet ranges that you must plan for:

逻辑网络Logical Network 说明Description 大小Size
公共 VIPPublic VIP Azure Stack 总共使用此网络中的 31 个地址。Azure Stack uses a total of 31 addresses from this network. 8 个公共 IP 地址由少量的 Azure Stack 服务使用,剩余的地址由租户 VM 使用。Eight public IP addresses are used for a small set of Azure Stack services and the rest are used by tenant VMs. 如果打算使用应用服务和 SQL 资源提供程序,则还要额外使用 7 个地址。If you plan to use App Service and the SQL resource providers, 7 more addresses are used. 其余 15 个 IP 保留用于将来的 Azure 服务。The remaining 15 IPs are reserved for future Azure services. /26(62 台主机)- /22(1022 台主机)/26 (62 hosts) - /22 (1022 hosts)

建议使用 /24(254 台主机)Recommended = /24 (254 hosts)
交换机基础结构Switch infrastructure 用于路由的专用交换机管理接口的点到点 IP 地址,以及分配给交换机的环回地址。Point-to-point IP addresses for routing purposes, dedicated switch management interfaces, and loopback addresses assigned to the switch. /26/26
基础结构Infrastructure 用于通信的 Azure Stack 内部组件。Used for Azure Stack internal components to communicate. /24/24
专用Private 用于存储网络、专用 VIP、基础结构容器和其他内部功能。Used for the storage network, private VIPs, Infrastructure containers and other internal functions. 从 1910 开始,此子网的大小更改为 /20,有关更多详细信息,请参阅本文中的专用网络部分。Starting in 1910, the size for this subnet is changing to /20, for more details reference the Private network section in this article. /20/20
BMCBMC 用于与物理主机上的 BMC 通信。Used to communicate with the BMCs on the physical hosts. /26/26

备注

系统更新到版本 1910 后,门户上的警报将提醒操作员运行新的 PEP cmdlet Set-AzsPrivateNetwork 来添加新的 /20 专用 IP 空间。When the system is updated to 1910 version, an alert on the portal will remind the operator to run the new PEP cmdlet Set-AzsPrivateNetwork to add a new /20 Private IP space. 有关运行该 cmdlet 的说明,请参阅 1910 发行说明Please see the 1910 release notes for instructions on running the cmdlet. 有关选择 /20 专用 IP 空间的详细信息和指导,请参阅本文中的专用网络部分。For more information and guidance on selecting the /20 private IP space, please see the Private network section in this article.

网络基础结构Network infrastructure

Azure Stack 的网络基础结构包括交换机上配置的多个逻辑网络。The network infrastructure for Azure Stack consists of several logical networks that are configured on the switches. 下图显示了这些逻辑网络,及其如何与架顶 (TOR)、基板管理控制器 (BMC) 和边界(客户网络)交换机集成。The following diagram shows these logical networks and how they integrate with the top-of-rack (TOR), baseboard management controller (BMC), and border (customer network) switches.

逻辑网络示意图和交换机连接

BMC 网络BMC network

此网络专门用于将所有基板管理控制器(也称为 BMC 或服务处理器)连接到管理网络。This network is dedicated to connecting all the baseboard management controllers (also known as BMC or service processors) to the management network. 示例包括:iDRAC、iLO、iBMC 等。Examples include: iDRAC, iLO, iBMC, and so on. 仅一个 BMC 帐户用于与任何 BMC 节点通信。Only one BMC account is used to communicate with any BMC node. 如果硬件生命周期主机 (HLH) 存在,它将位于此网络,并可提供 OEM 特定的软件,用于硬件维护或监视。If present, the Hardware Lifecycle Host (HLH) is located on this network and may provide OEM-specific software for hardware maintenance or monitoring.

HLH 也托管部署 VM (DVM)。The HLH also hosts the Deployment VM (DVM). 此 DVM 在 Azure Stack 部署期间使用,在部署完成后删除。The DVM is used during Azure Stack deployment and is removed when deployment completes. 此 DVM 在联网部署场景中需要进行 Internet 访问,以便测试、验证和访问多个组件。The DVM requires internet access in connected deployment scenarios to test, validate, and access multiple components. 这些组件可以在公司网络内,也可以在公司网络外(例如:NTP、DNS 和 Azure)。These components can be inside and outside of your corporate network (for example: NTP, DNS, and Azure). 有关连接要求的详细信息,请参阅 Azure Stack 防火墙集成中的 NAT 部分For more information about connectivity requirements, see the NAT section in Azure Stack firewall integration.

专用网络Private network

此 /20(4096 个 IP)网络专用于 Azure Stack 区域(不会路由到 Azure Stack 系统的边界交换机设备以外),并划分为多个子网,下面是一些示例:This /20 (4096 IPs) network is private to the Azure Stack region (doesn't route beyond the border switch devices of the Azure Stack system) and is divided into multiple subnets, here are some examples:

  • 存储网络:一个 /25(128 个 IP)网络,用于支持空间直通和服务器消息块 (SMB) 存储流量与 VM 实时迁移的使用。Storage network: A /25 (128 IPs) network used to support the use of Spaces Direct and Server Message Block (SMB) storage traffic and VM live migration.
  • 内部虚拟 IP 网络:一个 /25 网络,专用于软件负载均衡器的仅限内部的 VIP。Internal virtual IP network: A /25 network dedicated to internal-only VIPs for the software load balancer.
  • 容器网络:一个 /23(512 个 IP)网络,专用于在运行基础结构服务的容器之间处理仅限内部的流量。Container network: A /23 (512 IPs) network dedicated to internal-only traffic between containers running infrastructure services.

从版本 1910 开始,Azure Stack Hub 系统需要额外的 /20 专用内部 IP 空间。Starting with the 1910 release, the Azure Stack Hub system requires an additional /20 private internal IP space. 此网络专用于 Azure Stack 系统(不会路由到 Azure Stack 系统的边界交换机设备以外),并且可以在数据中心内的多个 Azure Stack 系统上重复使用。This network will be private to the Azure Stack system (doesn't route beyond the border switch devices of the Azure Stack system) and can be reused on multiple Azure Stack systems within your datacenter. 这是 Azure Stack 的专用网络,不能与数据中心内的其他网络重叠。While the network is private to Azure Stack, it must not overlap with other networks in the datacenter. /20 专用 IP 空间划分成多个网络,使你能够在容器上运行 Azure Stack Hub 基础结构(如以前的 1905 发行说明中所述)。The /20 private IP space is divided into multiple networks that enable running the Azure Stack Hub infrastructure on containers (as previously mentioned in the 1905 release notes). 此外,借助此新专用 IP 空间,可以在部署之前持续减少所需的可路由 IP 空间。In addition, this new Private IP space enables ongoing efforts to reduce the required routable IP space prior to deployment. 在容器中运行 Azure Stack Hub 基础结构的目标是优化利用率并提升性能。The goal of running the Azure Stack Hub infrastructure in containers is to optimize utilization and enhance performance. 此外,/20 专用 IP 空间还用于实现正在进行的工作,以减少部署前所需的可路由 IP 空间。In addition, the /20 private IP space is also used to enable ongoing efforts that will reduce required routable IP space before deployment. 有关专用 IP 空间的指导,建议遵循 RFC 1918For guidance on Private IP space, we recommend following RFC 1918.

对于在版本 1910 之前部署的系统,此 /20 子网将是更新到 1910 之后,要输入系统中的附加网络。For systems deployed before 1910, this /20 subnet will be an additional network to be entered into systems after updating to 1910. 需要通过 Set-AzsPrivateNetwork PEP cmdlet 将此附加网络提供给系统。The additional network will need to be provided to the system through the Set-AzsPrivateNetwork PEP cmdlet.

备注

/20 输入是版本 1910 之后下一个 Azure Stack Hub 更新的先决条件。The /20 input serves as a prerequisite to the next Azure Stack Hub update after 1910. 发布版本 1910 之后的下一个 Azure Stack Hub 更新后,当你尝试安装该更新时,如果尚未完成以下补救步骤中所述的 /20 输入,则更新将会失败。When the next Azure Stack Hub update after 1910 releases and you attempt to install it, the update will fail if you haven't completed the /20 input as described in the remediation steps as follows. 在完成上述补救步骤之前,管理员门户中会出现警报。An alert will be present in the administrator portal until the above remediation steps have been completed. 请参阅数据中心网络集成一文,了解如何使用此新专用空间。See the Datacenter network integration article to understand how this new private space will be consumed.

修正步骤:若要进行补救,请按照说明打开 PEP 会话Remediation steps: To remediate, follow the instructions to open a PEP Session. 准备一个大小为 /20 的专用内部 IP 范围,然后使用以下示例,在 PEP 会话中运行以下 cmdlet(仅适用于 1910 及更高版本):Set-AzsPrivateNetwork -UserSubnet 10.87.0.0/20Prepare a private internal IP range of size /20, and run the following cmdlet (only available starting with 1910) in the PEP session using the following example: Set-AzsPrivateNetwork -UserSubnet 10.87.0.0/20. 如果成功执行该操作,将会出现消息“Azs 内部网络范围已添加到配置”。如果成功完成,管理员门户中的警报将会关闭。If the operation is performed successfully, you'll receive the message Azs Internal Network range added to the config. If successfully completed, the alert will close in the administrator portal. Azure Stack Hub 系统现在可以更新到下一版本。The Azure Stack Hub system can now update to the next version.

Azure Stack 基础结构网络Azure Stack infrastructure network

此 /24 网络专用于内部 Azure Stack 组件,使这些组件能够相互通信和交换数据。This /24 network is dedicated to internal Azure Stack components so that they can communicate and exchange data among themselves. 此子网可以从 Azure Stack 解决方案外部路由到数据中心,我们不建议在此子网上使用公共的或可以通过 Internet 路由的 IP 地址。This subnet can be routable externally of the Azure Stack solution to your datacenter, we do not recommend using Public or Internet routable IP addresses on this subnet. 此网络广播到边界,但其大多数 IP 受访问控制列表 (ACL) 的保护。This network is advertised to the Border but most of its IPs are protected by Access Control Lists (ACLs). 允许进行访问的 IP 在一个小的范围内(其大小相当于一个 /27 网络),可托管特权终结点 (PEP)Azure Stack 备份之类的服务。The IPs allowed for access are within a small range equivalent in size to a /27 network and host services like the privileged end point (PEP) and Azure Stack Backup.

公共 VIP 网络Public VIP network

公共 VIP 网络分配给 Azure Stack 中的网络控制器。The Public VIP Network is assigned to the network controller in Azure Stack. 它不是交换机上的逻辑网络。It's not a logical network on the switch. SLB 针对租户工作负荷使用地址池并分配 /32 网络。The SLB uses the pool of addresses and assigns /32 networks for tenant workloads. 在交换机路由表中,这些 /32 IP 通过 BGP 播发为可用路由。On the switch routing table, these /32 IPs are advertised as an available route via BGP. 此网络包含外部可访问的 IP 地址或公共 IP 地址。This network contains the external-accessible or public IP addresses. Azure Stack 基础结构会保留此公共 VIP 网络中的前 31 个地址,剩余的地址由租户 VM 使用。The Azure Stack infrastructure reserves the first 31 addresses from this Public VIP Network while the remainder is used by tenant VMs. 此子网中的网络大小范围为最小 /26(64 台主机)到最大 /22(1022 台主机)。The network size on this subnet can range from a minimum of /26 (64 hosts) to a maximum of /22 (1022 hosts). 我们建议规划 /24 网络。We recommend that you plan for a /24 network.

交换机基础结构网络Switch infrastructure network

此 /26 网络是一个子网,其中包含可路由的点到点 IP /30(两个主机 IP)子网和环回(专用于带内交换机管理和 BGP 路由器 ID 的 /32 子网)。This /26 network is the subnet that contains the routable point-to-point IP /30 (two host IPs) subnets and the loopbacks, which are dedicated /32 subnets for in-band switch management and BGP router ID. 此 IP 地址范围必须可从 Azure Stack 解决方案外部路由到数据中心,This range of IP addresses must be routable outside the Azure Stack solution to your datacenter. 可以是专用或公共 IP。They may be private or public IPs.

交换机管理网络Switch management network

此 /29(六个主机 IP)网络专用于连接交换机的管理端口。This /29 (six host IPs) network is dedicated to connecting the management ports of the switches. 其允许带外访问,以完成部署、管理和故障排除。It allows out-of-band access for deployment, management, and troubleshooting. 它是从上述交换机基础结构网络计算而来的。It's calculated from the switch infrastructure network mentioned above.

允许的网络Permitted networks

从版本 1910 开始,部署工作表将包含此新字段,允许操作员更改某些访问控制列表 (ACL),以允许从受信任的数据中心网络范围访问网络设备管理接口和硬件生命周期主机 (HLH)。Starting on 1910, the Deployment Worksheet will have this new field allowing the operator to change some access control list (ACL)s to allow access to network device management interfaces and the hardware lifecycle host (HLH) from a trusted datacenter network range. 更改访问控制列表后,操作员可以允许特定网络范围内的管理 Jumpbox VM 访问交换机管理接口、HLH OS 和 HLH BMC。With the access control list change, the operator can allow their management jumpbox VMs within a specific network range to access the switch management interface, the HLH OS and the HLH BMC. 操作员可在此列表中提供一个或多个子网;如果留空,则默认为拒绝访问。The operator can provide one or multiple subnets to this list, if left blank it will default to deny access. 借助此项新功能,在部署后,就不需要根据修改 Azure Stack 交换机配置中的特定设置所述进行人工干预。This new functionality replaces the need for post-deployment manual intervention as it used to be described on the Modify specific settings on your Azure Stack switch configuration.

后续步骤Next steps

了解网络规划:边界连接Learn about network planning: Border connectivity.