ExpressRoute circuits and peering

ExpressRoute circuits connect your on-premises infrastructure to Azure through a connectivity provider. This article helps you understand ExpressRoute circuits and routing domains/peering. The following figure shows a logical representation of connectivity between your WAN and Microsoft.

ExpressRoute circuits

An ExpressRoute circuit represents a logical connection between your on-premises infrastructure and Azure cloud services through a connectivity provider. You can order multiple ExpressRoute circuits. Each circuit can be in the same or different regions, and can be connected to your premises through different connectivity providers.

ExpressRoute circuits do not map to any physical entities. A circuit is uniquely identified by a standard GUID called a service key (s-key). The service key is the only piece of information exchanged between Microsoft, the connectivity provider, and you. The s-key is not a secret for security purposes. There is a 1:1 mapping between an ExpressRoute circuit and the s-key.

An ExpressRoute circuit can have up to three independent peerings: Azure public, Azure private, and Microsoft peering. Each peering is a pair of independent BGP sessions, each of them configured redundantly for high availability. There is a 1:N (1 <= N <= 3) mapping between an ExpressRoute circuit and routing domains. Any one, two, or all three peerings can be enabled on an ExpressRoute circuit.

Each circuit has a fixed bandwidth (50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 10 Gbps) and is mapped to a connectivity provider and a peering location. The bandwidth you select is shared across all circuit peerings.

Quotas, limits, and limitations

Default quotas and limits apply for every ExpressRoute circuit. Refer to the Azure Subscription and Service Limits, Quotas, and Constraints page for up-to-date information on quotas.

ExpressRoute peering

An ExpressRoute circuit has multiple routing domains/peerings associated with it: Azure public, Azure private, and Microsoft. Each peering is configured identically on a pair of routers (in active-active or load sharing configuration) for high availability. Azure services are categorized as Azure public and Azure private to represent the IP addressing schemes.

Azure private peering

Azure compute services, namely virtual machines (IaaS) and cloud services (PaaS), that are deployed within a virtual network can be connected through the private peering domain. The private peering domain is considered to be a trusted extension of your core network into Azure. You can set up bi-directional connectivity between your core network and Azure virtual networks (VNets). This peering lets you connect to virtual machines and cloud services directly on their private IP addresses.

You can connect more than one virtual network to the private peering domain. Review the FAQ page for information on limits and limitations. You can visit the Azure Subscription and Service Limits, Quotas, and Constraints page for up-to-date information on limits. Refer to the Routing page for detailed information on routing configuration.

Microsoft peering

Connectivity to Microsoft online services (Azure PaaS services) occurs through Microsoft peering. We enable bi-directional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain. You must connect to Microsoft cloud services only over public IP addresses that are owned by you or your connectivity provider, and you must adhere to all the defined rules. For more information, see the ExpressRoute prerequisites page.

See the FAQ page for more information on services supported, costs, and configuration details. See the ExpressRoute Locations page for information on the list of connectivity providers offering Microsoft peering support.

Azure public peering

Note

Azure public peering has 1 NAT IP address associated to each BGP session. For greater than 2 NAT IP addresses, move to Microsoft peering. Microsoft peering allows you to configure your own NAT allocations, as well as use route filters for selective prefix advertisements. For more information, see Move to Microsoft peering.

Services such as Azure Storage, SQL databases, and Websites are offered on public IP addresses. You can privately connect to services hosted on public IP addresses, including VIPs of your cloud services, through the public peering routing domain. You can connect the public peering domain to your DMZ and connect to all Azure services on their public IP addresses from your WAN without having to connect through the internet.

Connectivity is always initiated from your WAN to Azure services. Azure services will not be able to initiate connections into your network through this routing domain. Once public peering is enabled, you can connect to all Azure services. We do not allow you to selectively pick the services for which we advertise routes.

You can define custom route filters within your network to consume only the routes you need. Refer to the Routing page for detailed information on routing configuration.

For more information about services supported through the public peering routing domain, see the FAQ.

Peering comparison

The following table compares the three routing domains:

| | Private Peering | Microsoft Peering | Public Peering |
|---|---|---|---|
| Max. # prefixes supported per peering | 4000 by default, 10,000 with ExpressRoute Premium | 200 | 200 |
| IP address ranges supported | Any valid IP address within your WAN. | Public IP addresses owned by you or your connectivity provider. | Public IP addresses owned by you or your connectivity provider. |
| AS Number requirements | Private and public AS numbers. You must own the public AS number if you choose to use one. | Private and public AS numbers. However, you must prove ownership of public IP addresses. | Private and public AS numbers. However, you must prove ownership of public IP addresses. |
| IP protocols supported | IPv4 | IPv4, IPv6 | IPv4 |
| Routing Interface IP addresses | RFC1918 and public IP addresses | Public IP addresses registered to you in routing registries. | Public IP addresses registered to you in routing registries. |
| MD5 Hash support | Yes | Yes | Yes |

You may enable one or more of the routing domains as part of your ExpressRoute circuit. You can choose to have all the routing domains put on the same VPN if you want to combine them into a single routing domain. You can also put them on different routing domains, similar to the diagram. The recommended configuration is that private peering is connected directly to the core network, and the public and Microsoft peering links are connected to your DMZ.

Each peering requires separate BGP sessions (one pair for each peering type). The BGP session pairs provide a highly available link. If you are connecting through layer 2 connectivity providers, you are responsible for configuring and managing routing. You can learn more by reviewing the workflows for setting up ExpressRoute.
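
The limits in the comparison table and the recommended core/DMZ placement can be checked against a planned configuration before any BGP session is brought up. The following Python is an added example, not Microsoft tooling: the `check_peering` function, the zone labels `core` and `dmz`, and the sample prefixes are assumptions made for illustration.

```python
import ipaddress

# Values transcribed from the peering comparison table on this page.
RULES = {
    "private":   {"max": 4000, "max_premium": 10000, "ip": {4},    "public_only": False, "zone": "core"},
    "microsoft": {"max": 200,  "max_premium": 200,   "ip": {4, 6}, "public_only": True,  "zone": "dmz"},
    "public":    {"max": 200,  "max_premium": 200,   "ip": {4},    "public_only": True,  "zone": "dmz"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_peering(peering, prefixes, zone, premium=False):
    """Return findings for one planned peering; an empty list means no rule was broken."""
    rule = RULES[peering]
    findings = []
    nets = []
    for text in prefixes:
        try:
            nets.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            findings.append(f"{text}: not a valid prefix")
    limit = rule["max_premium"] if premium else rule["max"]
    if len(nets) > limit:
        findings.append(f"{len(nets)} prefixes exceed the limit of {limit}")
    for net in nets:
        if net.version not in rule["ip"]:
            findings.append(f"{net}: IPv{net.version} is not supported on {peering} peering")
        elif rule["public_only"] and net.version == 4 and any(net.overlaps(r) for r in RFC1918):
            # Ownership of a public range cannot be verified offline; this only rejects RFC1918 space.
            findings.append(f"{net}: RFC1918 space, {peering} peering needs public addresses")
    if zone != rule["zone"]:
        findings.append(f"terminates in '{zone}', recommended placement is '{rule['zone']}'")
    return findings


# Constructed sample plan (hypothetical prefixes; documentation ranges stand in for public space).
PLAN = {
    "private":   (["10.20.0.0/16", "192.168.50.0/24"], "core"),
    "microsoft": (["203.0.113.0/24", "10.1.0.0/24", "2001:db8:10::/48"], "core"),
    "public":    (["198.51.100.0/24", "2001:db8:20::/48"], "dmz"),
}

if __name__ == "__main__":
    for name, (prefixes, zone) in PLAN.items():
        for finding in check_peering(name, prefixes, zone) or ["ok"]:
            print(f"{name}: {finding}")
```

In the sample plan, the Microsoft peering is flagged twice (an RFC1918 prefix and termination in the core network), and the public peering is flagged for an IPv6 prefix.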

Next steps