Interoperability in Azure: Control plane analysis

This article describes the control plane analysis of the test setup. You can also review the test setup configuration and the data plane analysis of the test setup.

Control plane analysis essentially examines routes that are exchanged between networks within a topology. Control plane analysis can help you understand how different networks view the topology.

Hub and spoke VNet perspective

The following figure illustrates the network from the perspective of a hub virtual network (VNet) and a spoke VNet (highlighted in blue). The figure also shows the autonomous system number (ASN) of different networks and routes that are exchanged between different networks:


The ASN of the VNet's Azure ExpressRoute gateway is different from the ASN of Microsoft Enterprise Edge Routers (MSEEs). An ExpressRoute gateway uses a private ASN (a value of 65515) and MSEEs use a public ASN (a value of 12076) globally. When you configure ExpressRoute peering, because MSEE is the peer, you use 12076 as the peer ASN. On the Azure side, MSEE establishes eBGP peering with the ExpressRoute gateway. The dual eBGP peering that the MSEE establishes for each ExpressRoute peering is transparent at the control plane level. Therefore, when you view an ExpressRoute route table, you see the VNet's ExpressRoute gateway ASN for the VNet's prefixes.

The following figure shows a sample ExpressRoute route table:


Within Azure, the ASN is significant only from a peering perspective. By default, the ASN of both the ExpressRoute gateway and the VPN gateway in Azure VPN Gateway is 65515.
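Because VNet prefixes appear in the ExpressRoute route table with the gateway ASN 65515, the origin ASN can be used to audit what each side is advertising. The following is an added example, not part of the original article: the route rows, the on-premises ASN 65020, the VNet address space and the function names are constructed for illustration.

```python
import ipaddress

GATEWAY_ASN = 65515  # private ASN of the ExpressRoute gateway, as stated in the article

# Constructed sample rows, columns: Network, NextHop, LocPrf, Weight, Path.
SAMPLE_TABLE = """\
10.10.0.0/16   10.20.0.4      -  0  65515
10.11.0.0/16   10.20.0.4      -  0  65515
10.2.30.0/24   192.168.40.5   -  0  65020
172.16.9.0/24  10.20.0.4      -  0  65515
10.10.5.0/24   192.168.40.5   -  0  65020
"""

# Assumption: the address space documented for the hub and spoke VNets.
VNET_SPACE = ["10.10.0.0/16", "10.11.0.0/16"]


def parse_rows(text):
    """Yield (network, origin_asn); the origin is the last ASN in the Path column."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue  # skip blank or truncated rows
        yield ipaddress.ip_network(cols[0]), int(cols[-1])


def audit(text, vnet_space):
    """Flag prefixes whose origin ASN does not match the documented address plan."""
    vnets = [ipaddress.ip_network(p) for p in vnet_space]
    findings = []
    for net, origin in parse_rows(text):
        inside = any(net.subnet_of(v) for v in vnets)
        overlaps = any(net.overlaps(v) for v in vnets)
        if origin == GATEWAY_ASN and not inside:
            findings.append((str(net), origin, "gateway-originated prefix outside documented VNet space"))
        elif origin != GATEWAY_ASN and overlaps:
            findings.append((str(net), origin, "non-gateway ASN advertising VNet address space"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TABLE, VNET_SPACE):
        print(finding)
```
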

On-premises Location 1 and the remote VNet perspective via ExpressRoute 1

Both on-premises Location 1 and the remote VNet are connected to the hub VNet via ExpressRoute 1. They share the same perspective of the topology, as shown in the following diagram:


On-premises Location 1 and the branch VNet perspective via a site-to-site VPN

Both on-premises Location 1 and the branch VNet are connected to a hub VNet's VPN gateway via a site-to-site VPN connection. They share the same perspective of the topology, as shown in the following diagram:


On-premises Location 2 perspective

On-premises Location 2 is connected to a hub VNet via private peering of ExpressRoute 2:


ExpressRoute and site-to-site VPN connectivity in tandem

Site-to-site VPN as a secure failover path for ExpressRoute

ExpressRoute serves as a redundant circuit pair to ensure high availability. You can configure geo-redundant ExpressRoute connectivity in different Azure regions. Also, as demonstrated in our test setup, within an Azure region, you can use a site-to-site VPN to create a failover path for your ExpressRoute connectivity. When the same prefixes are advertised over both ExpressRoute and a site-to-site VPN, Azure prioritizes ExpressRoute. To avoid asymmetrical routing between ExpressRoute and the site-to-site VPN, on-premises network configuration should also reciprocate by using ExpressRoute connectivity before it uses site-to-site VPN connectivity.
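The asymmetry described above can be checked from the routes each side has learned. The following is an added example, not part of the original article: the prefixes are constructed, and the on-premises router is modeled with a single assumed policy (highest local preference wins).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    link: str               # "expressroute" or "vpn"
    local_pref: int = 100   # on-premises policy value (assumed model: higher wins)


def azure_choice(learned, prefix):
    """Azure side: the same prefix over both links resolves to ExpressRoute."""
    links = {r.link for r in learned if r.prefix == prefix}
    if "expressroute" in links:
        return "expressroute"
    return "vpn" if "vpn" in links else None


def onprem_choice(learned, prefix):
    """On-premises side: highest local preference wins; equal values are a tie."""
    cands = [r for r in learned if r.prefix == prefix]
    if not cands:
        return None
    best = max(r.local_pref for r in cands)
    links = {r.link for r in cands if r.local_pref == best}
    return links.pop() if len(links) == 1 else "tie"


def flow_paths(azure_learned, onprem_learned, onprem_prefix, azure_prefix):
    """Return (forward, reverse) links for traffic between the two prefixes."""
    forward = onprem_choice(onprem_learned, azure_prefix)   # on-premises -> Azure
    reverse = azure_choice(azure_learned, onprem_prefix)    # Azure -> on-premises
    return forward, reverse


def is_asymmetric(paths):
    forward, reverse = paths
    return forward != reverse


# Constructed prefixes: 10.2.30.0/24 is on-premises, 10.10.0.0/16 is the hub VNet.
AZURE_LEARNED = [Route("10.2.30.0/24", "expressroute"), Route("10.2.30.0/24", "vpn")]
VPN_PREFERRED = [Route("10.10.0.0/16", "expressroute", 100), Route("10.10.0.0/16", "vpn", 200)]
ER_PREFERRED = [Route("10.10.0.0/16", "expressroute", 200), Route("10.10.0.0/16", "vpn", 100)]
AZURE_VPN_ONLY = [Route("10.2.30.0/24", "vpn")]          # ExpressRoute routes withdrawn
ONPREM_VPN_ONLY = [Route("10.10.0.0/16", "vpn", 100)]
```

With `VPN_PREFERRED` the forward path uses the VPN while Azure returns traffic over ExpressRoute; `ER_PREFERRED` and the failover case (both sides see only VPN routes) are symmetric.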

For more information about how to configure coexisting connections for ExpressRoute and a site-to-site VPN, see ExpressRoute and site-to-site coexistence.

Extend back-end connectivity to spoke VNets and branch locations

Spoke VNet connectivity by using VNet peering

Hub and spoke VNet architecture is widely used. The hub is a VNet in Azure that acts as a central point of connectivity between your spoke VNets and your on-premises network. The spokes are VNets that peer with the hub, and which you can use to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN connection.

In VNet peering within a region, spoke VNets can use hub VNet gateways (both VPN and ExpressRoute gateways) to communicate with remote networks.

Branch VNet connectivity by using site-to-site VPN

You might want branch VNets, which are in different regions, and on-premises networks to communicate with each other via a hub VNet. The native Azure solution for this configuration is site-to-site VPN connectivity by using a VPN. An alternative is to use a network virtual appliance (NVA) for routing in the hub.

For more information, see What is VPN Gateway?.

Next steps

Learn about data plane analysis of the test setup and Azure network monitoring feature views.

See the ExpressRoute FAQ to:

  • Learn how many ExpressRoute circuits you can connect to an ExpressRoute gateway.
  • Learn how many ExpressRoute gateways you can connect to an ExpressRoute circuit.
  • Learn about other scale limits of ExpressRoute.
