ExpressRoute 路由要求ExpressRoute routing requirements

若要使用 ExpressRoute 连接到 Azure 云服务,需要设置并管理路由。To connect to Azure cloud services using ExpressRoute, you’ll need to set up and manage routing. 某些连接服务提供商以托管服务形式提供路由的设置和管理。Some connectivity providers offer setting up and managing routing as a managed service. 请咨询连接服务提供商,以确定他们是否提供此类服务。Check with your connectivity provider to see if they offer this service. 如果不提供,则必须遵守以下要求:If they don't, you must adhere to the following requirements:

有关需要在设置后才能建立连接的路由会话的说明,请参阅线路和路由域一文。Refer to the Circuits and routing domains article for a description of the routing sessions that need to be setup in to facilitate connectivity.

Note

Microsoft 不支持将任何路由器冗余协议(例如 HSRP 和 VRRP)用于高可用性配置。Microsoft does not support any router redundancy protocols (for example, HSRP, VRRP) for high availability configurations. 我们依赖每个对等互连的一组冗余 BGP 会话来获得高可用性。We rely on a redundant pair of BGP sessions per peering for high availability.

用于对等互连的 IP 地址IP addresses used for peerings

需要保留一些 IP 地址块用于配置网络与 Microsoft Enterprise Edge (MSEE) 路由器之间的路由。You need to reserve a few blocks of IP addresses to configure routing between your network and Microsoft's Enterprise edge (MSEEs) routers. 本部分提供了要求列表,并介绍有关如何获取和使用这些 IP 地址的规则。This section provides a list of requirements and describes the rules regarding how these IP addresses must be acquired and used.

用于 Azure 专用对等互连的 IP 地址IP addresses used for Azure private peering

可以使用专用 IP 地址或公共 IP 地址配置对等互连。You can use either private IP addresses or public IP addresses to configure the peerings. 用于配置路由的地址范围不得与用于在 Azure 中创建虚拟网络的地址范围重叠。The address range used for configuring routes must not overlap with address ranges used to create virtual networks in Azure.

  • 必须为路由接口保留一个 /29 子网或两个 /30 子网。You must reserve a /29 subnet or two /30 subnets for routing interfaces.
  • 用于路由的子网可以是专用 IP 地址或公共 IP 地址。The subnets used for routing can be either private IP addresses or public IP addresses.
  • 子网不得与客户保留用于 Azure 云的范围冲突。The subnets must not conflict with the range reserved by the customer for use in the Azure cloud.
  • 如果使用 /29 子网,它将拆分成两个 /30 子网。If a /29 subnet is used, it is split into two /30 subnets.
    • 第一个 /30 子网用于主链路,第二个 /30 子网用于辅助链路。The first /30 subnet is used for the primary link and the second /30 subnet is used for the secondary link.
    • 对于每个 /30 子网,必须在路由器上使用 /30 子网的第一个 IP 地址。For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft 使用 /30 子网的第二个 IP 地址设置 BGP 会话。Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
    • 可用性 SLA 只有在设置两个 BGP 会话后才有效。You must setup both BGP sessions for our availability SLA to be valid.

专用对等互连示例Example for private peering

如果选择使用 a.b.c.d/29 设置对等互连,它将拆分成两个 /30 子网。If you choose to use a.b.c.d/29 to set up the peering, it is split into two /30 subnets. 在以下示例中,请注意 a.b.c.d/29 子网的用法:In the following example, notice how the a.b.c.d/29 subnet is used:

  • a.b.c.d/29 拆分成 a.b.c.d/30 和 a.b.c.d+4/30 并通过预配 API 一路传递到 Microsoft。a.b.c.d/29 is split to a.b.c.d/30 and a.b.c.d+4/30 and passed down to Microsoft through the provisioning APIs.
    • 请使用 a.b.c.d+1 作为主要 PE 的 VRF IP,而 Microsoft 将使用 a.b.c.d+2 作为主要 MSEE 的 VRF IP。You use a.b.c.d+1 as the VRF IP for the Primary PE and Microsoft will consume a.b.c.d+2 as the VRF IP for the primary MSEE.
    • 请使用 b.c.d+5 作为辅助 PE 的 VRF IP,而 Microsoft 将使用 a.b.c.d+6 作为辅助 MSEE 的 VRF IP。You use a.b.c.d+5 as the VRF IP for the secondary PE and Microsoft will use a.b.c.d+6 as the VRF IP for the secondary MSEE.

假设选择 192.168.100.128/29 设置专用对等互连。Consider a case where you select 192.168.100.128/29 to setup private peering. 192.168.100.128/29 包括从 192.168.100.128 到 192.168.100.135 的地址,其中:192.168.100.128/29 includes addresses from 192.168.100.128 to 192.168.100.135, among which:

  • 192.168.100.128/30 分配给 link1(提供商使用 192.168.100.129,Microsoft 使用 192.168.100.130)。192.168.100.128/30 will be assigned to link1, with provider using 192.168.100.129 and Microsoft using 192.168.100.130.
  • 192.168.100.132/30 分配给 link2(提供商使用 192.168.100.133,Microsoft 使用 192.168.100.134)。192.168.100.132/30 will be assigned to link2, with provider using 192.168.100.133 and Microsoft using 192.168.100.134.

用于 Microsoft 对等互连的 IP 地址IP addresses used for Microsoft peering

必须使用自己的公共 IP 地址设置 BGP 会话。You must use public IP addresses that you own for setting up the BGP sessions. Microsoft 必须能够通过路由 Internet 注册表和 Internet 路由注册表验证 IP 地址的所有权。Microsoft must be able to verify the ownership of the IP addresses through Routing Internet Registries and Internet Routing Registries.

  • 门户中列出的与 Microsoft 对等互连的已播发公共前缀相对应的 IP 将为 Microsoft 核心路由器创建 ACL,目的是允许来自这些 IP 的入站流量。The IPs listed in the portal for Advertised Public Prefixes for Microsoft Peering will create ACLs for the Microsoft core routers to allow inbound traffic from these IPs.
  • 必须使用一个唯一的 /29 (IPv4) 或 /125 (IPv6) 子网或两个 /30 (IPv4) 或 /126 (IPv6) 子网为每条 ExpressRoute 线路(如果有多个)的每个对等互连设置 BGP 对等互连。You must use a unique /29 (IPv4) or /125 (IPv6) subnet or two /30 (IPv4) or /126 (IPv6) subnets to set up the BGP peering for each peering per ExpressRoute circuit (if you have more than one).
  • 如果使用 /29 子网,它将拆分成两个 /30 子网。If a /29 subnet is used, it is split into two /30 subnets.
  • 第一个 /30 子网用于主链路,第二个 /30 子网将用于辅助链路。The first /30 subnet is used for the primary link and the second /30 subnet will be used for the secondary link.
  • 对于每个 /30 子网,必须在路由器上使用 /30 子网的第一个 IP 地址。For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft 使用 /30 子网的第二个 IP 地址设置 BGP 会话。Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
  • 如果使用 /125 子网,它将拆分成两个 /126 子网。If a /125 subnet is used, it is split into two /126 subnets.
  • 第一个 /126 子网用于主链路,第二个 /126 子网将用于辅助链路。The first /126 subnet is used for the primary link and the second /126 subnet will be used for the secondary link.
  • 对于每个 /126 子网,必须在路由器上使用 /126 子网的第一个 IP 地址。For each of the /126 subnets, you must use the first IP address of the /126 subnet on your router. Microsoft 使用 /126 子网的第二个 IP 地址设置 BGP 会话。Microsoft uses the second IP address of the /126 subnet to set up a BGP session.
  • 只有设置两个 BGP 会话,我们的 可用性 SLA 才有效。You must set up both BGP sessions for our availability SLA to be valid.

用于 Azure 公共对等互连的 IP 地址IP addresses used for Azure public peering

Note

Azure 公共对等互连不适用于新线路。Azure public peering is not available for new circuits.

必须使用自己的公共 IP 地址设置 BGP 会话。You must use public IP addresses that you own for setting up the BGP sessions. Microsoft 必须能够通过路由 Internet 注册表和 Internet 路由注册表来验证 IP 地址的所有权。Microsoft must be able to verify the ownership of the IP addresses through Routing Internet Registries and Internet Routing Registries.

  • 必须使用一个唯一的 /29 子网或两个 /30 子网为每条 ExpressRoute 线路(如果有多个)的每个对等互连设置 BGP 对等互连。You must use a unique /29 subnet or two /30 subnets to set up the BGP peering for each peering per ExpressRoute circuit (if you have more than one).
  • 如果使用 /29 子网,它将拆分成两个 /30 子网。If a /29 subnet is used, it is split into two /30 subnets.
    • 第一个 /30 子网用于主链路,第二个 /30 子网用于辅助链路。The first /30 subnet is used for the primary link and the second /30 subnet is used for the secondary link.
    • 对于每个 /30 子网,必须在路由器上使用 /30 子网的第一个 IP 地址。For each of the /30 subnets, you must use the first IP address of the /30 subnet on your router. Microsoft 使用 /30 子网的第二个 IP 地址设置 BGP 会话。Microsoft uses the second IP address of the /30 subnet to set up a BGP session.
    • 只有设置两个 BGP 会话,我们的 可用性 SLA 才有效。You must set up both BGP sessions for our availability SLA to be valid.

公共 IP 地址要求Public IP address requirement

专用对等互连Private peering

可选择使用用于专用对等互连的公共或专用 IPv4 地址。You can choose to use public or private IPv4 addresses for private peering. 我们会对用户的流量进行端到端隔离,因此在进行专用对等互连时,不可能出现与其他客户的地址发生重叠的情况。We provide end-to-end isolation of your traffic, so overlapping of addresses with other customers is not possible in case of private peering. 这些地址不会播发到 Internet。These addresses are not advertised to Internet.

Microsoft 对等互连Microsoft peering

专用 AS 编号可以用于 Microsoft 对等互连,但也需手动验证。A Private AS Number is allowed with Microsoft Peering, but will also require manual validation. 此外,对于收到的前缀,我们会删除 AS PATH 中的专用 AS 数字。In addition, we remove private AS numbers in the AS PATH for the received prefixes. 因此,无法在 AS PATH 中追加专用 AS 数字来影响 Microsoft 对等互连的路由As a result, you can't append private AS numbers in the AS PATH to influence routing for Microsoft Peering.

Important

不要将相同的公共 IP 路由播发到公共 Internet 和通过 ExpressRoute 播发。Do not advertise the same public IP route to the public Internet and over ExpressRoute. 为了降低错误配置导致不对称路由的风险,我们强烈建议通过 ExpressRoute 播发到 Microsoft 的 NAT IP 地址应该来自完全没有播发到 Internet 的范围。To reduce the risk of incorrect configuration causing asymmetric routing, we strongly recommend that the NAT IP addresses advertised to Microsoft over ExpressRoute be from a range that is not advertised to the internet at all. 如果无法实现这一点,则必须确保通过 ExpressRoute 播发的范围比 Internet 连接上的范围更具体。If this is not possible to achieve, it is essential to ensure you advertise a more specific range over ExpressRoute than the one on the Internet connection. 除了要进行 NAT 的公共路由外,还可以在本地网络中通过 ExpressRoute 播发与 Microsoft 中的 Office 365 终结点通信的服务器使用的公共 IP 地址。Besides the public route for NAT, you can also advertise over ExpressRoute the Public IP addresses used by the servers in your on-premises network that communicate with Office 365 endpoints within Microsoft.

公共对等互连Public peering

Azure 公共对等互连路径使用户能够通过其公共 IP 地址连接到 Azure 中托管的所有服务。The Azure public peering path enables you to connect to all services hosted in Azure over their public IP addresses. 这些服务包括 ExpessRoute 常见问题 中列出的服务,以及由 ISV 托管在 Microsoft Azure 上的所有服务。These include services listed in the ExpessRoute FAQ and any services hosted by ISVs on Microsoft Azure. 始终从用户网络向 Microsoft 网络发起与公共对等互连中 Microsoft Azure 服务的连接。Connectivity to Microsoft Azure services on public peering is always initiated from your network into the Microsoft network. 必须为定向到 Microsoft 网络的流量使用公共 IP 地址。You must use Public IP addresses for the traffic destined to Microsoft network.

Important

所有 Azure PaaS 服务可通过 Microsoft 对等互连访问。All Azure PaaS services are accessible through Microsoft peering.

公共对等互连允许使用专用 AS 编号。A Private AS Number is allowed with public peering.

动态路由交换Dynamic route exchange

路由交换将通过 eBGP 协议进行。Routing exchange will be over eBGP protocol. 在 MSEE 与路由器之间建立 EBGP 会话。EBGP sessions are established between the MSEEs and your routers. 不要求对 BGP 会话进行身份验证。Authentication of BGP sessions is not a requirement. 如果需要,可以配置 MD5 哈希。If required, an MD5 hash can be configured. 有关配置 BGP 会话的信息,请参阅配置路由线路预配工作流和线路状态See the Configure routing and Circuit provisioning workflows and circuit states for information about configuring BGP sessions.

自治系统编号Autonomous System numbers

Microsoft 使用 AS 12076 进行 Azure 公共、Azure 专用和 Microsoft 对等互连。Microsoft uses AS 12076 for Azure public, Azure private and Microsoft peering. 我们保留了 ASN 65515-65520 供内部使用。We have reserved ASNs from 65515 to 65520 for internal use. 支持 16 和 32 位 AS 编号。Both 16 and 32 bit AS numbers are supported.

数据传输对称没有相关要求。There are no requirements around data transfer symmetry. 转发与返回路径可以遍历不同的路由器对。The forward and return paths may traverse different router pairs. 相同的路由必须从属于你的多个线路对的任何一端播发。Identical routes must be advertised from either sides across multiple circuit pairs belonging to you. 路由指标不需要完全相同。Route metrics are not required to be identical.

路由聚合与前缀限制Route aggregation and prefix limits

支持通过 Azure 专用对等互连播发最多 4000 个前缀。We support up to 4000 prefixes advertised to us through the Azure private peering. 如果已启用 ExpressRoute 高级版附加组件,则可增加到 10,000 个前缀。This can be increased up to 10,000 prefixes if the ExpressRoute premium add-on is enabled. 接受为每个 BGP 会话最多使用 200 个前缀建立 Azure 公共和 Microsoft 对等互连。We accept up to 200 prefixes per BGP session for Azure public and Microsoft peering.

如果前缀数目超过此限制,将丢弃 BGP 会话。The BGP session is dropped if the number of prefixes exceeds the limit. 只接受专用对等互连链路上的默认路由。We will accept default routes on the private peering link only. 提供商必须从 Azure 公共和 Microsoft 对等互连路径中筛选默认路由和专用 IP 地址 (RFC 1918)。Provider must filter out default route and private IP addresses (RFC 1918) from the Azure public and Microsoft peering paths.

传输路由和跨区域路由Transit routing and cross-region routing

ExpressRoute 不能配置为传输路由器。ExpressRoute cannot be configured as transit routers. 必须依赖连接服务提供商的传输路由服务。You will have to rely on your connectivity provider for transit routing services.

播发默认路由Advertising default routes

只有 Azure 专用对等互连会话允许默认路由。Default routes are permitted only on Azure private peering sessions. 在这种情况下,可将所有流量从关联的虚拟网络路由到用户网络。In such a case, we will route all traffic from the associated virtual networks to your network. 在专用对等互连中播发默认路由会导致阻止来自 Azure 的 Internet 路径。Advertising default routes into private peering will result in the internet path from Azure being blocked. 必须依赖企业网络边缘,为 Azure 中托管的服务往返路由 Internet 的流量。You must rely on your corporate edge to route traffic from and to the internet for services hosted in Azure.

若要启用与其他 Azure 服务和基础结构服务的连接,必须确保已准备下列其中一项:To enable connectivity to other Azure services and infrastructure services, you must make sure one of the following items is in place:

  • 已启用 Azure 公共对等互连,以将流量路由到公共终结点。Azure public peering is enabled to route traffic to public endpoints.
  • 使用用户定义的路由可为需要 Internet 连接的每个子网建立 Internet 连接。You use user-defined routing to allow internet connectivity for every subnet requiring Internet connectivity.

Note

播发默认路由会中断 Windows 和其他 VM 许可证激活。Advertising default routes will break Windows and other VM license activation. 请按照 此处 的说明来解决此问题。Follow instructions here to work around this.

后续步骤Next steps