Deployment network traffic

Understanding the network traffic generated during an Azure Stack Hub deployment will help make the deployment successful. This article walks you through the network traffic flow during the deployment process so you know what to expect.

This illustration shows all the components and connections involved in the deployment process:

[Figure: Azure Stack Hub deployment network topology]

Note

This article describes the requirements for a connected deployment. To learn about other deployment methods, see Azure Stack Hub deployment connection models.

The Deployment VM

The Azure Stack Hub solution includes a group of servers that host the Azure Stack Hub components and an extra server called the Hardware Lifecycle Host (HLH). This server is used to deploy and manage the lifecycle of your solution, and it hosts the Deployment VM (DVM) during deployment.

Azure Stack Hub solution providers may provision additional management VMs. Confirm with the solution provider before making any changes to management VMs that the solution provider has deployed.

Deployment requirements

Before deployment starts, a set of minimum requirements must be met. Your OEM can validate them to ensure the deployment completes successfully:

Note

This article focuses on the last three requirements. For more information on the first two, see the links above.

About deployment network traffic

The DVM is configured with an IP address from the BMC network and requires network access to the internet. Although not all BMC network components require external routing or internet access, some OEM-specific components that use IPs from this network might also require it.

During deployment, the DVM authenticates against Azure Active Directory (Azure AD) using an Azure account from your subscription. To do so, the DVM requires internet access to a list of specific ports and URLs. The DVM uses a DNS server to forward DNS requests made by internal components for external URLs. This internal DNS server forwards those requests to the DNS forwarder address that you provide to the OEM before deployment. The same applies to the NTP server: a reliable time server is required to maintain consistency and time synchronization across all Azure Stack Hub components.

The internet access the DVM requires during deployment is outbound only; no inbound calls are made during deployment. Keep in mind that the DVM uses its own IP address as the source, and that Azure Stack Hub doesn't support proxy configurations. Therefore, if necessary, you need to provide a transparent proxy or NAT to reach the internet. During deployment, some internal components start accessing the internet through the external network using public VIPs. After deployment completes, all communication between Azure and Azure Stack Hub goes through the external network using public VIPs.
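The two outbound dependencies described above, the DNS forwarder and the NTP server, are the ones an operator can verify before the OEM starts deployment. The following probe is an added example, not Microsoft's or the OEM's code: it sends a direct UDP query to the forwarder and a direct UDP request to the time server, exactly as the DVM would (no proxy in the path), and validates the replies at the packet level so that a misconfigured or filtered path shows up as a clear error rather than a silent timeout. The forwarder and time-server addresses, the probe name (`example.com` stands in for an endpoint from the documented URL list, which this article does not reproduce), and the response-parsing helpers are all assumptions of this example.

```python
"""Added pre-deployment probe (not Microsoft's code): confirms that the DNS
forwarder and NTP server handed to the OEM answer direct, outbound UDP from the
network the DVM will use. Addresses and the probe name are placeholders."""
import random
import socket
import struct
import time

DNS_FORWARDER = "10.100.0.10"  # placeholder: forwarder address given to the OEM
NTP_SERVER = "10.100.0.11"     # placeholder: time server given to the OEM
PROBE_NAME = "example.com"     # stand-in for a name from the documented URL list

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_dns_query(name: str, txid: int) -> bytes:
    """Standard query for an A record: 12-byte header, one question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_dns_a_records(pkt: bytes, txid: int) -> list:
    """Validate a forwarder reply and return the IPv4 addresses it carries."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (reply to a different query)")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"forwarder returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        off = _skip_name(pkt, off) + 4  # + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def build_ntp_request() -> bytes:
    """48-byte client request: LI=0, VN=3, Mode=3 packed into the first byte."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_transmit_time(pkt: bytes) -> float:
    """Return the server's transmit timestamp (bytes 40..47) as Unix time."""
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    if pkt[0] & 0x07 != 4:
        raise ValueError("expected NTP mode 4 (server reply)")
    secs, frac = struct.unpack("!II", pkt[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def _udp_exchange(host: str, port: int, payload: bytes, timeout: float = 3.0) -> bytes:
    """Direct UDP round trip; no proxy is involved, matching the DVM's behaviour."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(512)
    return data


def probe_dns(forwarder: str, name: str) -> list:
    """Resolve `name` through the forwarder and return the A records it answers with."""
    txid = random.randint(0, 0xFFFF)
    reply = _udp_exchange(forwarder, 53, build_dns_query(name, txid))
    return parse_dns_a_records(reply, txid)


def probe_ntp(server: str) -> float:
    """Return the clock offset (server minus local) in seconds."""
    reply = _udp_exchange(server, 123, build_ntp_request())
    return parse_ntp_transmit_time(reply) - time.time()


if __name__ == "__main__":
    print("DNS via forwarder:", probe_dns(DNS_FORWARDER, PROBE_NAME))
    print("NTP offset (s): %.3f" % probe_ntp(NTP_SERVER))
```

Run it from a host on the BMC network with the addresses you intend to hand to the OEM. A `socket.timeout` on port 53 or 123 means the path is filtered or unrouted; a non-zero RCODE means the forwarder answers but cannot resolve outward; a large NTP offset on an otherwise reachable server is worth fixing before deployment, since every Azure Stack Hub component will take its time from that source.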

The network configuration on the Azure Stack Hub switches contains access control lists (ACLs) that restrict traffic between specific network sources and destinations. The DVM is the only component with unrestricted access; even the HLH is restricted. You can ask your OEM about customization options to ease management and access from your networks. Because of these ACLs, it's important to avoid changing the DNS and NTP server addresses at deployment time; if you do, all of the switches in the solution must be reconfigured.

After deployment is completed, the system's components continue to use the provided DNS and NTP server addresses, now through the SDN over the external network. For example, if you check DNS requests after deployment is completed, the source changes from the DVM IP to a public VIP.
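That change of source address is something you can check on the forwarder itself, and it is a useful post-deployment sanity check: lookups arriving from the DVM after completion, or from an address that is neither the DVM nor a public VIP, are worth explaining. The script below is an added example, not Microsoft's or the OEM's code. It reads a simplified, constructed forwarder query log (one `timestamp source-ip query-name` record per line), buckets each lookup by where it came from relative to the deployment completion time, and lists the buckets that need attention. The BMC network, DVM address, public VIP pool, completion time and log lines are all constructed placeholders; substitute your own address plan and your forwarder's real log format.

```python
"""Added post-deployment audit (not Microsoft's code): confirms that DNS lookups
from Azure Stack Hub move from the DVM IP (BMC network) to a public VIP once
deployment completes. Address ranges, times and log lines are constructed."""
import ipaddress
from datetime import datetime

BMC_NETWORK = ipaddress.ip_network("10.100.0.0/24")       # placeholder BMC network
DVM_IP = ipaddress.ip_address("10.100.0.50")               # placeholder DVM address
PUBLIC_VIP_POOL = ipaddress.ip_network("203.0.113.0/26")   # placeholder public VIP pool
DEPLOYMENT_COMPLETED = datetime(2024, 3, 10, 14, 0, 0)     # placeholder completion time

# Constructed forwarder log: "<ISO timestamp> <source ip> <query name>" per line.
SAMPLE_LOG = """\
2024-03-10T09:12:01 10.100.0.50 auth.example.com
2024-03-10T09:12:05 10.100.0.50 time.example.com
2024-03-10T11:40:22 203.0.113.7 auth.example.com
2024-03-10T12:05:00 10.100.0.21 oem-support.example.com
2024-03-10T15:30:44 203.0.113.9 mgmt.example.com
2024-03-10T16:02:10 10.100.0.50 auth.example.com
2024-03-10T16:45:00 192.168.77.3 auth.example.com
"""

# Buckets that need a human to look at them, with the reason taken from the article.
ATTENTION = {
    "dvm-after-completion": "DVM still issuing lookups after deployment completed; "
                            "the expected source is now a public VIP",
    "bmc-other": "BMC-network host other than the DVM reaching the forwarder; "
                 "confirm with the OEM whether that component needs internet access",
    "unknown-source": "source is neither on the BMC network nor in the public VIP pool",
}


def classify(when: datetime, src: ipaddress.IPv4Address) -> str:
    """Name the bucket a single lookup belongs to."""
    if src == DVM_IP:
        # Expected during deployment (outbound only, DVM IP as source); not afterwards.
        return "dvm-deployment" if when < DEPLOYMENT_COMPLETED else "dvm-after-completion"
    if src in PUBLIC_VIP_POOL:
        # Expected both late in deployment and permanently afterwards.
        return "public-vip"
    if src in BMC_NETWORK:
        return "bmc-other"
    return "unknown-source"


def audit(log_text: str) -> dict:
    """Parse the log and group (timestamp, source, name) tuples by bucket."""
    buckets = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        bucket = classify(datetime.fromisoformat(ts), ipaddress.ip_address(src))
        buckets.setdefault(bucket, []).append((ts, src, qname))
    return buckets


def findings(buckets: dict) -> list:
    """Return (bucket, reason, entries) for every bucket that needs attention."""
    return [(b, ATTENTION[b], entries) for b, entries in buckets.items() if b in ATTENTION]


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)} lookup(s)")
    for bucket, reason, entries in findings(result):
        print(f"\n[{bucket}] {reason}")
        for ts, src, qname in entries:
            print(f"  {ts}  {src}  {qname}")
```

On the constructed sample, the two early lookups from the DVM and the two from public VIPs are expected; the DVM lookup at 16:02, the lookup from another BMC-network host, and the lookup from an address outside both ranges are reported. Keep in mind that the source of legitimate traffic after deployment is a public VIP, so the third kind of finding can also indicate that the VIP pool configured in this script does not match the one the OEM deployed.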

Next steps

Validate Azure registration