适用于云解决方案提供商 (CSP) 的 ExpressRouteExpressRoute for Cloud Solution Providers (CSP)

Microsoft 为传统经销商和分销商 (CSP) 提供超大规模的服务,允许他们为客户快速预配新服务和解决方案,而不需投资开发这些新服务。Microsoft provides Hyper-scale services for traditional resellers and distributors (CSP) to be able to rapidly provision new services and solutions for your customers without the need to invest in developing these new services. 为了让云解决方案提供商 (CSP) 能够直接管理这些新服务,Microsoft 提供了相应的程序和 API,以便 CSP 代表客户管理 Microsoft Azure 资源。To allow the Cloud Solution Provider (CSP) the ability to directly manage these new services, Microsoft provides programs and APIs that allow the CSP to manage Microsoft Azure resources on behalf of your customers. 其中一项资源就是 ExpressRoute。One of those resources is ExpressRoute. ExpressRoute 允许 CSP 将现有客户资源连接到 Azure 服务。ExpressRoute allows the CSP to connect existing customer resources to Azure services. ExpressRoute 是一种高速专用通信链路,可以链接到 Azure 中的服务。ExpressRoute is a high speed private communications link to services in Azure.

ExpressRoute 由一对可以实现高可用性的线路组成,这对线路连接到单个客户订阅,不能由多个客户共享。ExpressRoute is comprised of a pair of circuits for high availability that are attached to a single customer's subscription(s) and cannot be shared by multiple customers. 每个线路都会在不同的路由器中终止,目的是维持高可用性。Each circuit should be terminated in a different router to maintain the high availability.


每个 ExpressRoute 线路所允许的带宽和连接数都有限。There are limits to the bandwidth and number of connections possible on each ExpressRoute circuit. 如果单个客户的需求超出这些限制,则他们将需要多个 ExpressRoute 线路才能实现混合网络。If a single customer's needs exceed these limits, they will require multiple ExpressRoute circuits for their hybrid network implementation.

Microsoft Azure 提供越来越多的服务,可以将这些服务提供给客户。Microsoft Azure provides a growing number of services that you can offer to your customers. ExpressRoute 允许对 Microsoft Azure 环境进行高速、低延迟访问,有助于你和你的客户充分利用这些服务。ExpressRoute helps you and your customers take advantage of these services by providing high speed low latency access to the Microsoft Azure environment.

Azure 管理Azure management

Microsoft 为 CSP 提供管理 Azure 客户订阅所需的 API,允许通过编程方式与自己的服务管理系统集成。Microsoft provides CSPs with APIs to manage the Azure customer subscriptions by allowing programmatic integration with your own service management systems. 可在 此处找到受支持的管理功能。Supported management capabilities can be found here.

Azure 资源管理Azure resource management

订阅管理方式将取决于你与客户签署的协定。The contract you have with your customer will determine how the subscription will be managed. 可以由 CSP 直接管理资源的创建和维护,也可以始终由客户对 Microsoft Azure 订阅进行控制,并根据需要来创建 Azure 资源。The CSP can directly manage the creation and maintenance of resources or the customer can maintain control of the Microsoft Azure subscription and create the Azure resources as they need. 如果客户在其 Microsoft Azure 订阅中管理资源的创建,他们会使用以下两种模型之一:“Connect-Through”模型或“Direct-To”模型。If your customer manages the creation of resources in their Microsoft Azure subscription they will use one of two models: “Connect-Through” model, or “Direct-To” model. 将在下面各节中详细介绍这些模型。These models are described in detail in the following sections.

Connect-Through 模型Connect-through model


在 Connect-Through 模型中,CSP 在数据中心和你客户的 Azure 订阅之间创建直接连接。In the connect-through model, the CSP creates a direct connection between your datacenter and your customer’s Azure subscription. 使用 ExpressRoute 进行直接连接,将网络与 Azure 相连。The direct connection is made using ExpressRoute, connecting your network with Azure. 然后,客户再连接到网络。Then your customer connects to your network. 此方案要求客户通过 CSP 网络来访问 Azure 服务。This scenario requires that the customer passes through the CSP network to access Azure services.

如果客户有其他不由你管理的 Azure 订阅,他们会使用公共 Internet 或自己的专用连接来连接到这些在非 CSP 订阅下预配的服务。If your customer has other Azure subscriptions not managed by the you, they would use the public Internet or their own private connection to connect to those services provisioned under the non CSP subscription.

对于管理 Azure 服务的 CSP 来说,所作的假定是该 CSP 有一个以前建立的客户标识存储,该存储随后会复制到 Azure Active Directory 中,以便通过 Administrate-On-Behalf-Of (AOBO) 对其 CSP 订阅进行管理。For CSP managing Azure services, it is assumed that the CSP has a previously established customer identity store which would then be replicated into Azure Active Directory for management of their CSP subscription through Administrate-On-Behalf-Of (AOBO). 此方案的关键驱动因素包括:既定的合作伙伴或服务提供商已建立与客户的合作关系、客户目前正使用提供商的服务,或者合作伙伴希望提供包括提供商托管型解决方案和 Azure 托管型解决方案在内的组合型解决方案,以便增加灵活性,并解决客户遇到的无法单独通过 CSP 来解决的挑战。Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently or the partner has a desire to provide a combination of provider-hosted and Azure-hosted solutions to provide flexibility and address customer challenges which cannot be satisfied by CSP alone. 此模型见下 This model is illustrated in Figure, below.


Connect-To 模型Connect-to model


在 Connect-To 模型中,服务提供商使用基于客户网络的 ExpressRoute 在其客户的数据中心和 CSP 预配的 Azure 订阅之间创建直接连接。In the Connect-To model, the service provider creates a direct connection between their customer’s datacenter and the CSP provisioned Azure subscription using ExpressRoute over the customer’s (customer) network.


就 ExpressRoute 来说,客户需创建和维护 ExpressRoute 线路。For ExpressRoute the customer would need to create and maintain the ExpressRoute circuit.

此连接方案要求客户在访问由 CSP 管理的 Azure 订阅时通过客户网络直接进行连接,使用全部或部分由客户创建、拥有和管理的直接网络连接。This connectivity scenario requires that the customer connects directly through a customer network to access CSP-managed Azure subscription, using a direct network connection that is created, owned and managed either wholly or in part by the customer. 对于这些客户来说,所作的假定是提供商目前并没有建立客户标识存储,而且提供商会帮助客户将当前的标识存储复制到 Azure Active Directory 中,以便通过 AOBO 管理其订阅。For these customers it is assumed that the provider does not currently have a customer identity store established, and the provider would assist the customer in replicating their current identify store into Azure Active Directory for management of their subscription through AOBO. 此方案的关键驱动因素包括:既定的合作伙伴或服务提供商已建立与客户的合作关系、客户目前正使用提供商的服务,或者合作伙伴希望提供完全基于 Azure 托管型解决方案的服务,而不需要使用现有的提供商数据中心或基础结构。Key drivers for this scenario include where a given partner or service provider has an established relationship with the customer, the customer is consuming provider services currently, or the partner has a desire to provide services that are based solely on Azure-hosted solutions without the need for an existing provider datacenter or infrastructure.


如何选择这两种模式取决于客户的需求,以及目前提供 Azure 服务的具体需要。The choice between these two option are based on your customer’s needs and your current need to provide Azure services. 有关这些模型的详细信息以及关联的基于角色的访问控制、网络和标识设计模式在以下链接中有详尽介绍:The details of these models and the associated role-based access control, networking, and identity design patterns are covered in details in the following links:

  • 基于角色的访问控制 (RBAC) – RBAC 基于 Azure Active Directory。Role Based Access Control (RBAC) – RBAC is based on Azure Active Directory. 有关 Azure RBAC 的详细信息,请参阅 此处For more information on Azure RBAC see here.
  • 网络 – 介绍有关 Azure 中网络的各种主题。Networking – Covers the various topics of networking in Azure.
  • Azure Active Directory (Azure AD) – Azure AD 提供针对 Microsoft Azure 和第三方 SaaS 应用程序的标识管理。Azure Active Directory (Azure AD) – Azure AD provides the identity management for Microsoft Azure and 3rd party SaaS applications. 有关 Azure AD 的详细信息,请参阅 此处For more information about Azure AD see here.

网络速度Network speeds

ExpressRoute 支持的网络速度其范围为 50 Mb/秒到 10Gb/秒。ExpressRoute supports network speeds from 50 Mb/s to 10Gb/s. 因此,客户可以根据其具体环境购买所需的网络带宽。This allows customers to purchase the amount of network bandwidth needed for their unique environment.


网络带宽可以在不中断通信的情况下,根据需要进行提升,但要降低网络速度,则需先拆卸线路,然后按较低的网络速度重新创建。Network bandwidth can be increased as needed without disrupting communications, but to reduce the network speed requires tearing down the circuit and recreating it at the lower network speed.

ExpressRoute 支持将多个 vNet 连接到单个 ExpressRoute 线路,以便更好地利用速度更高的连接。ExpressRoute supports the connection of multiple vNets to a single ExpressRoute circuit for better utilization of the higher-speed connections. 单个 ExpressRoute 线路可以在同一客户拥有的多个 Azure 订阅之间共享。A single ExpressRoute circuit can be shared among multiple Azure subscriptions owned by the same customer.

配置 ExpressRouteConfiguring ExpressRoute

可以将 ExpressRoute 配置为在单个 ExpressRoute 线路上支持三种类型的流量(路由域)。ExpressRoute can be configured to support three types of traffic (routing domains) over a single ExpressRoute circuit. 该流量可分成 Microsoft 对等互连、Azure 公共对等互连和专用对等互连。This traffic is segregated into Microsoft peering, Azure public peering and private peering. 可以选择一种类型的或所有类型的需通过单个 ExpressRoute 线路发送的流量,也可以使用多个 ExpressRoute 线路,具体取决于 ExpressRoute 线路的大小以及客户的隔离要求。You can choose one or all types of traffic to be sent over a single ExpressRoute circuit or use multiple ExpressRoute circuits depending on the size of the ExpressRoute circuit and isolation required by your customer. 客户所面临的安全状况可能不允许公共流量和专用流量经过相同的线路。The security posture of your customer may not allow public traffic and private traffic to traverse over the same circuit.

Connect-Through 模型Connect-through model

在 Connect-Through 配置中,需要负责所有网络基础结构,确保将客户数据中心资源连接到 Azure 中托管的订阅。In a connect-through configuration the you will be responsible for all of the networking underpinnings to connect your customers datacenter resources to the subscriptions hosted in Azure. 每个想要使用 Azure 功能的客户都需要建立自己的 ExpressRoute 连接,由你进行管理。Each of your customer's that want to use Azure capabilities will need their own ExpressRoute connection, which will be managed by the You. 将使用客户所用的相同方法来采购 ExpressRoute 线路。The you will use the same methods the customer would use to procure the ExpressRoute circuit. 将按照 ExpressRoute 线路预配工作流和线路状态一文中概述的相同步骤进行操作。The you will follow the same steps outlined in the article ExpressRoute workflows for circuit provisioning and circuit states. 然后,将配置边界网关协议 (BGP) 路由,以便控制本地网络与 Azure vNet 之间的流量。The you will then configure the Border Gateway Protocol (BGP) routes to control the traffic flowing between the on-premises network and Azure vNet.

Connect-To 模型Connect-to model

在 Connect-To 配置中,你的客户已经建立了到 Azure 的连接,或者会启动一个到 Internet 服务提供商的连接,将 ExpressRoute 从你客户自己的数据中心直接链接到 Azure 而不是你的数据中心。In a connect-to configuration, your customer already has an existing connection to Azure or will initiate a connection to the internet service provider linking ExpressRoute from their own datacenter directly to Azure, instead of your datacenter. 客户将遵循上述 Connect-Through 模型中描述的步骤来开始预配过程。To begin the provisioning process, your customer will follow the steps as described in the Connect-Through model, above. 建立线路以后,用户的客户需先配置本地路由器,才能访问用户的网络和 Azure vNet。Once the circuit has been established, your customer will need to configure the on-premises routers to be able to access both your network and Azure vNets.

可以协助设置连接并配置路由,以便你数据中心的资源能够与你数据中心的客户端资源通信,或者与 Azure 中托管的资源通信。You can assist with setting up the connection and configuring the routes to allow the resources in your datacenter(s) to communicate with the client resources in your datacenter, or with the resources hosted in Azure.

ExpressRoute 路由域ExpressRoute routing domains

ExpressRoute 为新线路提供了两个路由域:专用对等互连和 Microsoft 对等互连。ExpressRoute offers two routing domains for new circuits: private peering and Microsoft peering. 在主动-主动配置中,每个路由域都配置了相同的路由器,以确保高可用性。Each of the routing domains is configured with identical routers in active-active configuration for high availability. 有关 ExpressRoute 路由域的详细信息,请查看此处For more details on ExpressRoute routing domains look here.

可以自定义路由筛选器,根据需要来允许相关路由。You can define custom routes filters to allow only the route(s) you want to allow or need. 如需详细信息,或者需要了解如何进行此类更改,请参阅详细介绍路由筛选器的以下文章:使用 PowerShell 创建和修改 ExpressRoute 线路的路由For more information or to see how to make these changes see article: Create and modify routing for an ExpressRoute circuit using PowerShell for more details about routing filters.


对于 Microsoft 对等互连和公共对等互连,必须通过客户或 CSP 拥有的公共 IP 地址进行连接,并且必须遵循所有定义的规则。For Microsoft and Public Peering connectivity must be though a public IP address owned by the customer or CSP and must adhere to all defined rules. 有关更多详细信息,请参阅 ExpressRoute 先决条件页。For more information, see the ExpressRoute Prerequisites page.


ExpressRoute 通过 Azure 虚拟网络网关连接到 Azure 网络。ExpressRoute connects to the Azure networks through the Azure Virtual Network Gateway. 网络网关为 Azure 虚拟网络提供路由功能。Network gateways provide routing for Azure virtual networks.

创建 Azure 虚拟网络时,还会为 vNet 创建默认的路由表,以便引导进出 vNet 子网的流量。Creating Azure Virtual Networks also creates a default routing table for the vNet to direct traffic to/from the subnets of the vNet. 如果默认路由表对解决方案来说不够用,则可创建自定义路由,以便将传出流量路由到自定义设备,或者阻止到特定子网或外部网络的路由。If the default route table is insufficient for the solution custom routes can be created to route outgoing traffic to custom appliances or to block routes to specific subnets or external networks.

默认路由Default routing

默认路由表包含以下路由:The default route table includes the following routes:

  • 在子网内路由Routing within a subnet
  • 在虚拟网络中从子网到子网路由Subnet-to-subnet within the virtual network
  • 到 InternetTo the Internet
  • 从虚拟网络到虚拟网络的路由,使用 VPN 网关Virtual network-to-virtual network using VPN gateway
  • 从虚拟网络到本地网络的路由,使用 VPN 或 ExpressRoute 网关Virtual network-to-on-premises network using a VPN or ExpressRoute gateway


用户定义的路由 (UDR)User-defined routing (UDR)

使用用户定义的路由,可以控制虚拟网络中从分配的子网到其他子网的出站流量,或者控制经过其他某个预定义网关(ExpressRoute;Internet 或 VPN)的出站流量。User-defined routes allow the control of traffic outbound from the assigned subnet to other subnets in the virtual network or over one of the other predefined gateways (ExpressRoute; internet or VPN). 可以将默认的系统路由表替换为用户定义的路由表,以便将默认路由表替换为自定义路由。The default system routing table can be replaced with a user-defined routing table that replaces the default routing table with custom routes. 使用用户定义的路由,客户可以创建到某些设备(例如防火墙或入侵检测设备)的特定路由,或者阻止他人从托管用户定义的路由的子网访问特定的子网。With user-defined routing, customers can create specific routes to appliances such as firewalls or intrusion detection appliances, or block access to specific subnets from the subnet hosting the user-defined route. 有关用户定义的路由的概述,请查看 此处For an overview of User Defined Routes look here.


根据所用的模型(Connect-To 或 Connect-Through),客户可在其 vNet 中定义安全策略,或者向 CSP 提供针对其 vNet 进行定义时的安全策略要求。Depending on which model is in use, Connect-To or Connect-Through, your customer defines the security policies in their vNet or provides the security policy requirements to the CSP to define to their vNets. 可以定义以下安全标准:The following security criteria can be defined:

  1. 客户隔离 — Azure 平台通过将客户 ID 和 vNet 信息存储在安全的数据库中,将每个客户的流量封装在 GRE 隧道中,从而实现客户隔离。Customer Isolation — The Azure platform provides customer isolation by storing Customer ID and vNet info in a secure database, which is used to encapsulate each customer’s traffic in a GRE tunnel.

  2. 网络安全组 (NSG) 规则用于在 Azure 的 vNet 中定义允许进出子网的流量。Network Security Group (NSG) rules are for defining allowed traffic into and out of the subnets within vNets in Azure. 默认情况下,NSG 包含的“阻止”规则将阻止从 Internet 到 vNet 的流量,包含的“允许”规则将允许 vNet 内部的流量。By default, the NSG contain Block rules to block traffic from the Internet to the vNet and Allow rules for traffic within a vNet. 有关网络安全组的详细信息,请查看 此处For more information about Network Security Groups look here.

  3. 强制隧道 — 此选项可将源自 Azure 的面向 Internet 的流量通过 ExpressRoute 连接重定向到本地数据中心。Force tunneling —This is an option to redirect internet bound traffic originating in Azure to be redirected over the ExpressRoute connection to the on premises datacenter. 有关强制隧道的详细信息,请查看此处For more information about Forced tunneling look here.

  4. 加密 — 虽然 ExpressRoute 线路专用于特定客户,但也可以使用该线路访问网络提供商,这会导致入侵者查看数据包流量。Encryption — Even though the ExpressRoute circuits are dedicated to a specific customer, there is the possibility that the network provider could be breached, allowing an intruder to examine packet traffic. 为了解决这种可能存在的问题,可以让客户或 CSP 加密连接中的流量,即为本地资源和 Azure 资源之间的所有流量定义 IPSec 隧道模式策略(请参阅图 5 上方针对客户 1 的可选“隧道”模式 IPSec:ExpressRoute 安全性)。To address this potential, a customer or CSP can encrypt traffic over the connection by defining IPSec tunnel-mode policies for all traffic flowing between the on premises resources and Azure resources (refer to the optional Tunnel mode IPSec for Customer 1 in Figure 5: ExpressRoute Security, above). 第二个选项是在 ExpressRoute 线路的每个终结点处使用防火墙设备。The second option would be to use a firewall appliance at each the end point of the ExpressRoute circuit. 这需要在两端安装其他的第三方防火墙 VM/设备,以便加密 ExpressRoute 线路上的流量。This will require additional 3rd party firewall VMs/Appliances to be installed on both ends to encrypt the traffic over the ExpressRoute circuit.


后续步骤Next steps

使用云解决方案提供商服务,可以在不需要购买昂贵的基础结构和功能的情况下,提升你对客户的价值,让你一直充当主要的外包提供商。The Cloud Solution Provider service provides you a way to increase your value to your customers without the need for expensive infrastructure and capability purchases, while maintaining your position as the primary outsourcing provider. 可以通过 CSP API 实现与 Microsoft Azure 的无缝集成,让你在现有的管理框架内集成对 Azure 的管理功能。Seamless integration with Microsoft Azure can be accomplished through the CSP API, allowing you to integrate management of Azure within your existing management frameworks.

如需更多信息,可单击以下链接:Additional Information can be found at the following links:

云解决方案提供商计划中的 AzureAzure in Cloud Solution Provider program.
做好以云解决方案提供商身份进行事务处理的准备Get ready to transact as a Cloud Solution Provider.
Microsoft 云解决方案提供商资源Microsoft Cloud Solution Provider resources.