Deploy highly available network virtual appliances on Azure Stack Hub

This article shows you how to deploy a set of network virtual appliances (NVAs) for high availability in Azure Stack Hub. An NVA is typically used to control the flow of network traffic from a perimeter network, also known as a DMZ, to other networks or subnets. The article includes example architectures for ingress only, egress only, and both ingress and egress.

NVAs from different vendors are available on Azure Stack Hub Marketplace; use one of them for optimal performance.

The architecture has the following components.

Networking and load balancing

  • Virtual network and subnets. Every Azure VM is deployed into a virtual network that can be segmented into subnets. Create a separate subnet for each tier.

  • Layer 7 load balancer. Application Gateway is not yet available on Azure Stack Hub, but alternatives are available on Azure Stack Hub Marketplace, such as A10 vThunder ADC.

  • Load balancers. Use Azure Load Balancer to distribute network traffic from the web tier to the business tier, and from the business tier to SQL Server.

  • Network security groups (NSGs). Use NSGs to restrict network traffic within the virtual network. For example, in the three-tier architecture shown here, the database tier doesn't accept traffic from the web front end, only from the business tier and the management subnet.

  • UDRs. Use user-defined routes (UDRs) to route traffic to the specific load balancer.
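As an added example (not code from the article or from Azure), the NSG behaviour on the database tier modelled as a small first-match-wins rule evaluator; the subnet prefixes, priorities and ports are assumptions:

```python
"""Model of the inbound NSG on the database tier of the three-tier design above.
Azure evaluates NSG rules in priority order (lowest number first), the first
matching rule decides, and the platform default rules apply after the custom
ones. Constructed example: prefixes, priorities and ports are assumptions,
not values from the article.
"""
import ipaddress

VNET = "10.0.0.0/16"
WEB, BUSINESS, DATABASE, MGMT = "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"

# (priority, source, destination port, access): inbound rules on the database subnet NSG
DB_INBOUND_RULES = [
    (100, BUSINESS, 1433, "Allow"),          # business tier to SQL Server
    (110, MGMT, 3389, "Allow"),              # management subnet to RDP
    (200, "VirtualNetwork", "*", "Deny"),    # everything else in the VNet, including the web tier
]

# Azure's default inbound rules, evaluated after any custom rule
DEFAULT_INBOUND_RULES = [
    (65000, "VirtualNetwork", "*", "Allow"),
    (65500, "*", "*", "Deny"),
]


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Match a rule's source field (prefix, VirtualNetwork tag or *) against a source IP."""
    if rule_source == "*":
        return True
    prefix = VNET if rule_source == "VirtualNetwork" else rule_source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix)


def evaluate_inbound(rules, src_ip: str, dst_port: int) -> str:
    """Return "Allow" or "Deny" for a flow, applying first-match-wins by priority."""
    for _prio, source, port, access in sorted(rules + DEFAULT_INBOUND_RULES, key=lambda r: r[0]):
        if source_matches(source, src_ip) and (port == "*" or port == dst_port):
            return access
    return "Deny"   # unreachable in practice: priority 65500 catches everything
```

Evaluating the same flows against `DB_INBOUND_RULES[:2]` shows why the explicit deny at priority 200 matters: without it the default AllowVnetInBound rule admits web-tier traffic to SQL Server.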

This article assumes a basic understanding of Azure Stack Hub networking.

Architecture diagrams

An NVA can be deployed to a perimeter network in many different architectures. For example, the following figure illustrates the use of a single NVA for ingress.

(Figure: a single NVA for ingress)

In this architecture, the NVA provides a secure network boundary by checking all inbound and outbound network traffic and passing only the traffic that meets network security rules. Because all network traffic must pass through the NVA, the NVA is a single point of failure in the network. If the NVA fails, there is no other path for network traffic and all the back-end subnets are unavailable.

To make an NVA highly available, deploy more than one NVA into an availability set.

The following architectures describe the resources and configuration necessary for highly available NVAs:

| Solution | Benefits | Considerations |
| --- | --- | --- |
| Ingress with layer 7 NVAs | All NVA nodes are active. | Requires an NVA that can terminate connections and use SNAT. Requires a separate set of NVAs for traffic coming from the enterprise network/Internet and from Azure Stack Hub. Can only be used for traffic originating outside Azure Stack Hub. |
| Egress with layer 7 NVAs | All NVA nodes are active. | Requires an NVA that can terminate connections and implement source network address translation (SNAT). |
| Ingress-egress with layer 7 NVAs | All nodes are active. Able to handle traffic originating in Azure Stack Hub. | Requires an NVA that can terminate connections and use SNAT. Requires a separate set of NVAs for traffic coming from the enterprise network/Internet and from Azure Stack Hub. |

Ingress with layer 7 NVAs

The following figure shows a high availability architecture that implements an ingress perimeter network behind an internet-facing load balancer. This architecture is designed to provide connectivity to Azure Stack Hub workloads for layer 7 traffic, such as HTTP or HTTPS:

(Figure: ingress with layer 7 NVAs)

The benefit of this architecture is that all NVAs are active, and if one fails the load balancer directs network traffic to the other NVA. Both NVAs route traffic to the internal load balancer, so as long as one NVA is active, traffic continues to flow. The NVAs are required to terminate SSL traffic intended for the web tier VMs. These NVAs cannot be extended to handle enterprise network traffic, because enterprise network traffic requires another dedicated set of NVAs with their own network routes.

Egress with layer 7 NVAs

The Ingress with layer 7 NVAs architecture can be expanded to provide an egress perimeter network for requests originating in the Azure Stack Hub workload. The following architecture is designed to provide high availability of the NVAs in the perimeter network for layer 7 traffic, such as HTTP or HTTPS:

(Figure: egress with layer 7 NVAs)

In this architecture, all traffic originating in Azure Stack Hub is routed to an internal load balancer. The load balancer distributes outgoing requests between a set of NVAs. These NVAs direct traffic to the Internet using their individual public IP addresses.

Ingress-egress with layer 7 NVAs

In the two ingress and egress architectures above, there was a separate perimeter network for ingress and egress. The following architecture demonstrates how to create a perimeter network that can be used for both ingress and egress for layer 7 traffic, such as HTTP or HTTPS:

(Figure: ingress-egress with layer 7 NVAs)

In the Ingress-egress with layer 7 NVAs architecture, the NVAs process incoming requests from a layer 7 load balancer. The NVAs also process outgoing requests from the workload VMs in the back-end pool of the load balancer. Because incoming traffic is routed through a layer 7 load balancer and outgoing traffic is routed through an SLB (Azure Stack Hub basic load balancer), the NVAs are responsible for maintaining session affinity. That is, the layer 7 load balancer maintains a mapping of inbound and outbound requests so it can forward the correct response to the original requestor. However, the internal load balancer doesn't have access to the layer 7 load balancer's mappings and uses its own logic to send responses to the NVAs. The internal load balancer could therefore send a response to an NVA that did not initially receive the request from the layer 7 load balancer. In this case, the NVAs must communicate and transfer the response between them so the correct NVA can forward it to the layer 7 load balancer.

Note

You can also solve the asymmetric routing issue by ensuring the NVAs perform inbound source network address translation (SNAT). This replaces the original source IP of the requestor with one of the IP addresses of the NVA used on the inbound flow. It ensures that you can use multiple NVAs at a time while preserving route symmetry.
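As an added example (not code from the article or from any NVA vendor), a flow model of the ingress-egress design that shows why replies land on the wrong NVA without inbound SNAT and stay symmetric with it; the NVA and workload addresses and the hash used to stand in for each load balancer are assumptions:

```python
"""Flow model for the ingress-egress perimeter network described above.

The layer 7 load balancer picks an NVA per inbound request; the workload's
reply travels back through the internal load balancer (SLB), which picks an
NVA with its own hash. Without inbound SNAT the reply can land on the NVA that
never saw the request (asymmetric route) and must be handed to its peer. With
SNAT the reply is addressed to the ingress NVA itself, so the route stays
symmetric. Constructed example: addresses are assumptions, not article values.
"""
import hashlib

NVAS = ["10.0.1.4", "10.0.1.5"]   # assumed NVA addresses in the perimeter subnet
WORKLOAD = "10.0.2.10"            # assumed web-tier VM behind the internal LB


def pick_nva(key: str) -> str:
    """Deterministic hash-based choice standing in for a load balancer's distribution."""
    digest = hashlib.sha256(key.encode()).hexdigest()
    return NVAS[int(digest, 16) % len(NVAS)]


def route_flow(client_ip: str, client_port: int, inbound_snat: bool):
    """Return (ingress_nva, egress_nva) for one request/response pair."""
    # The layer 7 LB chooses the NVA that terminates the client connection.
    ingress_nva = pick_nva(f"l7:{client_ip}:{client_port}")
    # Source of the packet the NVA forwards to the workload: the client
    # (no SNAT) or the NVA's own address (inbound SNAT).
    forwarded_src = ingress_nva if inbound_snat else client_ip
    # The workload replies to whichever source it saw.
    if forwarded_src in NVAS:
        egress_nva = forwarded_src          # reply goes straight to that NVA
    else:
        # A reply addressed to the client goes via the SLB, which hashes the
        # 5-tuple and knows nothing about the layer 7 LB's mapping.
        egress_nva = pick_nva(f"slb:{WORKLOAD}:{forwarded_src}:{client_port}")
    return ingress_nva, egress_nva


def handoffs_needed(flows: int, inbound_snat: bool) -> int:
    """Count flows whose reply reaches the wrong NVA and must be transferred to its peer."""
    count = 0
    for i in range(flows):
        ingress, egress = route_flow(f"203.0.113.{i % 250 + 1}", 40000 + i, inbound_snat)
        if ingress != egress:
            count += 1
    return count


if __name__ == "__main__":
    print("without SNAT:", handoffs_needed(200, False), "of 200 flows need NVA-to-NVA transfer")
    print("with SNAT:   ", handoffs_needed(200, True), "of 200 flows need NVA-to-NVA transfer")
```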

Next steps