Connecting Azure with public clouds

Many enterprises are pursuing a multi-cloud strategy because of business and technical goals. These goals include cost, flexibility, feature availability, redundancy, data sovereignty and so on. This strategy helps them leverage the best of each cloud.

This approach also poses challenges for the enterprise in terms of network and application architecture, among them latency and data throughput. To address these challenges, customers are looking to connect to multiple clouds directly. Some service providers offer a solution that connects multiple cloud providers on the customer's behalf. In other cases, customers can deploy their own router to connect multiple public clouds.

Connectivity via ExpressRoute

ExpressRoute lets customers extend their on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, customers can establish connections to Microsoft cloud services.

There are three ways to connect via ExpressRoute.

  1. Layer3 provider
  2. Layer2 provider
  3. Direct connection

Layer3 Provider

Layer3 providers are commonly known as IP VPN or MPLS VPN providers. Customers leverage these providers for multipoint connectivity between their data centers, branches and the cloud. Customers connect to the L3 provider via BGP or via a static default route. The service provider advertises routes between the customer sites, datacenters and the public cloud.

When connecting through a Layer3 provider, Microsoft advertises the customer's VNet routes to the service provider over BGP. The provider can have two different implementations.

The provider may land each cloud provider in a separate VRF, in which case traffic from all the cloud providers reaches the customer router. If the customer is running BGP with the service provider, these routes are then re-advertised to the other cloud providers by default.

If the service provider lands all the cloud providers in the same VRF, then routes are advertised to the other cloud providers from the service provider directly. This assumes standard BGP operation, where eBGP routes are advertised to other eBGP neighbors by default.

Each public cloud has a different prefix limit, so the service provider should take care when distributing routes between them.

Layer2 Provider and Direct connection

Although the physical connectivity differs between the two models, at layer 3 BGP is established directly between the MSEE and the customer router. With ExpressRoute Direct, the customer connects to the MSEE directly. With a Layer2 provider, the service provider extends a VLAN from the customer premises to the cloud, and the customer runs BGP on top of that layer 2 network to connect their DCs to the cloud. In both cases, the customer has point-to-point connections to each public cloud and establishes a separate BGP session with each of them. Routes received from one cloud provider are advertised to the other cloud provider by default. Each cloud provider has a different prefix limit, so the customer should keep these limits in mind when advertising routes. The customer can use the usual BGP knobs with Microsoft when advertising routes learned from other public clouds.
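The default re-advertisement and prefix-limit behaviour described in the Layer3 and Layer2/Direct sections above, modelled as an added example (not code from the Azure documentation): a customer router with eBGP sessions to two clouds and an on-premises site re-advertises everything learned from one neighbour to the others unless an outbound prefix filter stops it, and a peer's maximum-prefix limit is checked against what would be sent. Peer names, prefixes and the limit values are constructed for illustration and are not any provider's real limits.

```python
import ipaddress


class CustomerRouter:
    """Minimal model of eBGP route propagation on a customer edge router."""

    def __init__(self):
        # peer name -> learned prefixes, accepted prefix limit, optional outbound allow-list
        self.peers = {}

    def add_peer(self, name, max_prefix):
        self.peers[name] = {"learned": set(), "max_prefix": max_prefix, "out_filter": None}

    def set_out_filter(self, peer, allowed):
        # Outbound prefix list: only prefixes inside one of these blocks may be advertised to `peer`.
        self.peers[peer]["out_filter"] = [ipaddress.ip_network(p) for p in allowed]

    def receive(self, peer, prefixes):
        self.peers[peer]["learned"].update(ipaddress.ip_network(p) for p in prefixes)

    def advertise_to(self, peer):
        """Return (routes sent to `peer`, whether that count is within the peer's prefix limit).

        Standard eBGP behaviour: everything learned from the *other* eBGP neighbours is
        re-advertised to this one unless an outbound filter removes it.
        """
        candidates = set()
        for other, state in self.peers.items():
            if other != peer:
                candidates |= state["learned"]
        allow = self.peers[peer]["out_filter"]
        if allow is not None:
            candidates = {p for p in candidates if any(p.subnet_of(a) for a in allow)}
        ordered = sorted(candidates, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
        within_limit = len(ordered) <= self.peers[peer]["max_prefix"]
        return [str(p) for p in ordered], within_limit


def build_demo_router():
    # Constructed topology: two public clouds plus an on-premises DC, all eBGP peers of the customer router.
    r = CustomerRouter()
    r.add_peer("azure", max_prefix=3)        # illustrative limit, not Azure's real value
    r.add_peer("other_cloud", max_prefix=3)  # illustrative limit
    r.add_peer("on_prem", max_prefix=100)
    r.receive("azure", ["10.1.0.0/16", "10.2.0.0/16"])
    r.receive("other_cloud", ["172.16.0.0/16", "172.17.0.0/16"])
    r.receive("on_prem", ["192.168.0.0/24", "192.168.1.0/24"])
    return r


if __name__ == "__main__":
    router = build_demo_router()
    print("default:", router.advertise_to("azure"))   # other cloud's routes leak to Azure, limit exceeded
    router.set_out_filter("azure", ["192.168.0.0/16"])
    print("filtered:", router.advertise_to("azure"))  # only on-prem routes, within limit
```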

Direct connection with ExpressRoute

Customers can choose to connect ExpressRoute directly to the other cloud provider's direct connectivity offering. The two cloud providers are connected back to back and BGP is established directly between their routers. This type of connection is available with Oracle today.

Site-to-site VPN

Customers can leverage the Internet to connect their instances in Azure with other public clouds. Almost all cloud providers offer site-to-site VPN capabilities. However, there can be incompatibilities because certain variants are not supported. For example, some cloud providers only support IKEv1, so a VPN termination endpoint is required in that cloud. For cloud providers that support IKEv2, a direct tunnel can be established between the VPN gateways at both cloud providers.

Site-to-site VPN is not considered a high-throughput, low-latency solution. However, it can be used as a backup to physical connectivity.

Next steps

See the ExpressRoute FAQ for any further questions on ExpressRoute and virtual network connectivity.