Azure network architecture

The Azure network architecture follows a modified version of the industry standard core/distribution/access model, with distinct hardware layers. The layers include:

  • Core (datacenter routers)
  • Distribution (access routers and L2 aggregation). The distribution layer separates L3 routing from L2 switching.
  • Access (L2 host switches)

The network architecture has two levels of layer 2 switches. One layer aggregates traffic from the other layer. The second layer loops to incorporate redundancy. The architecture provides a more flexible VLAN footprint and improves port scaling. The architecture keeps L2 and L3 distinct, which allows the use of hardware suited to each layer in the network and minimizes the chance that a fault in one layer affects the other layer(s). The use of trunks allows for resource sharing, such as the connectivity to the L3 infrastructure.

Network configuration

The network architecture of an Azure cluster within a datacenter consists of the following devices:

  • Routers (datacenter, access router, and border leaf routers)
  • Switches (aggregation and top-of-rack switches)
  • Digi CMs
  • Power distribution units

Azure has two separate architectures. Some existing Azure customers and shared services reside on the default LAN architecture (DLA), whereas new regions and virtual customers reside on the Quantum 10 (Q10) architecture. The DLA architecture is a traditional tree design, with active/passive access routers and security access control lists (ACLs) applied to the access routers. The Quantum 10 architecture is a Clos/mesh design of routers, where ACLs are not applied at the routers. Instead, ACLs are applied below the routing, through Software Load Balancing (SLB) or software defined VLANs.

The following diagram provides a high-level overview of the network architecture within an Azure cluster:

Azure network diagram

Quantum 10 devices

The Quantum 10 design conducts layer 3 switching spread over multiple devices in a Clos/mesh design. The advantages of the Q10 design include greater capacity and a greater ability to scale existing network infrastructure. The design employs border leaf routers, spine switches, and top-of-rack routers to pass traffic to clusters across multiple routes, allowing for fault tolerance. Software load balancing, instead of hardware devices, handles security services such as network address translation.
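The fault-tolerance property of a Clos/mesh fabric can be checked on a small model. The following Python is an added example and is not an Azure tool or part of this article: it builds a two-tier leaf/spine topology in which every top-of-rack router uplinks to every spine (the sizes, node names and the failed-spine scenario are constructed), counts the spine-disjoint paths between two racks, and confirms that losing a spine removes one path but not connectivity.

```python
"""Leaf/spine (Clos) reachability under spine failure.

Added example, not an Azure tool. Every ToR uplinks to every spine, so any two
ToRs have one spine-disjoint path per shared spine; removing a spine removes
exactly one of those paths. Topology sizes and names are constructed.
"""
from collections import deque
from typing import Dict, Set

Graph = Dict[str, Set[str]]


def build_clos(num_tor: int, num_spine: int) -> Graph:
    """Full bipartite ToR<->spine adjacency (a two-tier Clos)."""
    adj: Graph = {}
    for t in range(num_tor):
        for s in range(num_spine):
            tor, spine = f"tor{t}", f"spine{s}"
            adj.setdefault(tor, set()).add(spine)
            adj.setdefault(spine, set()).add(tor)
    return adj


def without(adj: Graph, failed: str) -> Graph:
    """Return a copy of the graph with one device (and its links) removed."""
    return {n: {m for m in nbrs if m != failed}
            for n, nbrs in adj.items() if n != failed}


def reachable(adj: Graph, src: str, dst: str) -> bool:
    """Breadth-first search: is there any path from src to dst?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def disjoint_paths(adj: Graph, tor_a: str, tor_b: str) -> int:
    """In a two-tier Clos every ToR-to-ToR path crosses exactly one spine,
    so the spine-disjoint path count is the number of shared spines."""
    return len(adj.get(tor_a, set()) & adj.get(tor_b, set()))


if __name__ == "__main__":
    fabric = build_clos(num_tor=4, num_spine=3)
    print("paths tor0->tor3:", disjoint_paths(fabric, "tor0", "tor3"))
    degraded = without(fabric, "spine0")
    print("after losing spine0:", disjoint_paths(degraded, "tor0", "tor3"),
          "paths, reachable =", reachable(degraded, "tor0", "tor3"))
```

The same functions can be applied to a larger fabric or to a sequence of failures to find the point at which two racks lose connectivity, which is how an operator would size the spine layer against its failure domains.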

Access routers

The distribution/access L3 routers (ARs) perform the primary routing functionality for the distribution and access layers. These devices are deployed as a pair, and are the default gateway for subnets. Each AR pair can support multiple L2 aggregation switch pairs, depending on capacity. The maximum number depends on the capacity of the device, as well as on failure domains. A typical number is three L2 aggregation switch pairs per AR pair.

L2 aggregation switches

These devices serve as an aggregation point for L2 traffic. They are the distribution layer for the L2 fabric, and can handle large amounts of traffic. Because these devices aggregate traffic, they require 802.1q functionality, and high-bandwidth technologies such as port aggregation and 10GE.

L2 host switches

Hosts connect directly to these switches. They can be rack-mounted switches, or chassis deployments. The 802.1q standard allows for the designation of one VLAN as a native VLAN, treating that VLAN as normal (untagged) Ethernet framing. Under normal circumstances, frames on the native VLAN are transmitted and received untagged on an 802.1q trunk port. This feature was designed for migration to 802.1q and for compatibility with devices that are not 802.1q capable. In this architecture, only the network infrastructure uses the native VLAN.

This architecture specifies a standard for native VLAN selection. The standard ensures, where possible, that the AR devices have a unique native VLAN for every trunk and for the L2Aggregation to L2Aggregation trunks. The L2Aggregation to L2Host switch trunks have a non-default native VLAN.

Link aggregation allows multiple individual links to be bundled together and treated as a single logical link. To facilitate operational debugging, the number used to designate port-channel interfaces should be standardized. The rest of the network uses the same number at both ends of a port-channel.

The numbers specified for the L2Agg to L2Host switch are the port-channel numbers used on the L2Agg side. Because the range of numbers is more limited at the L2Host side, the standard is to use numbers 1 and 2 at the L2Host side. These refer to the port-channel going to the "a" side and the "b" side, respectively.
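The native VLAN and port-channel conventions in the three paragraphs above are the kind of rule a configuration audit can enforce. The following Python is an added example, not Microsoft tooling or part of this article: it models the conventions as stated (a unique native VLAN on every AR trunk and on L2Agg-to-L2Agg trunks, a non-default native VLAN on L2Agg-to-L2Host trunks, matching port-channel numbers at both ends elsewhere in the network, and port-channels 1 and 2 on the L2Host side for the "a" and "b" sides). The device names, VLAN numbers, the trunk inventory and the assumption that "default native VLAN" means VLAN 1 are all constructed for the example.

```python
"""Audit a trunk inventory against the native VLAN and port-channel standard.

Added example, not Microsoft tooling. Device names, VLAN numbers and the
inventory are constructed; "default native VLAN" is assumed to mean VLAN 1.
"""
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_NATIVE_VLAN = 1  # assumption: the 802.1q default native VLAN


@dataclass(frozen=True)
class Trunk:
    a_device: str    # constructed names, e.g. "AR1", "L2AGG1", "L2HOST7"
    a_role: str      # "AR", "L2AGG" or "L2HOST"
    a_pc: int        # port-channel number on the a_device side
    b_device: str
    b_role: str
    b_pc: int        # port-channel number on the b_device side
    native_vlan: int


def audit_trunks(trunks: List[Trunk]) -> List[str]:
    """Return one finding per violated convention (empty list means clean)."""
    findings: List[str] = []
    seen_native: Dict[int, str] = {}
    for t in trunks:
        roles = {t.a_role, t.b_role}
        link = f"{t.a_device}<->{t.b_device}"

        # Everywhere except the L2Agg-to-L2Host edge, both ends of a
        # port-channel carry the same number.
        if "L2HOST" not in roles and t.a_pc != t.b_pc:
            findings.append(f"{link}: port-channel number differs "
                            f"({t.a_pc} vs {t.b_pc})")

        # AR trunks and L2Agg-to-L2Agg trunks each get a unique native VLAN.
        if "AR" in roles or roles == {"L2AGG"}:
            if t.native_vlan in seen_native:
                findings.append(f"{link}: native VLAN {t.native_vlan} "
                                f"reused from {seen_native[t.native_vlan]}")
            else:
                seen_native[t.native_vlan] = link

        # L2Agg-to-L2Host trunks: non-default native VLAN, host side uses
        # port-channel 1 ("a" side) or 2 ("b" side).
        if roles == {"L2AGG", "L2HOST"}:
            if t.native_vlan == DEFAULT_NATIVE_VLAN:
                findings.append(f"{link}: L2Agg-to-L2Host trunk uses the "
                                f"default native VLAN")
            host_pc = t.a_pc if t.a_role == "L2HOST" else t.b_pc
            if host_pc not in (1, 2):
                findings.append(f"{link}: L2Host port-channel {host_pc} "
                                f"is not 1 (a side) or 2 (b side)")
    return findings


# Constructed inventory: the first five trunks follow the standard, the last
# two violate it (mismatched port-channel and reused native VLAN; default
# native VLAN and an out-of-range host-side port-channel).
SAMPLE_TRUNKS = [
    Trunk("AR1", "AR", 10, "L2AGG1", "L2AGG", 10, 901),
    Trunk("AR1", "AR", 11, "L2AGG2", "L2AGG", 11, 902),
    Trunk("L2AGG1", "L2AGG", 20, "L2AGG2", "L2AGG", 20, 903),
    Trunk("L2AGG1", "L2AGG", 107, "L2HOST7", "L2HOST", 1, 900),
    Trunk("L2AGG2", "L2AGG", 107, "L2HOST7", "L2HOST", 2, 900),
    Trunk("AR2", "AR", 12, "L2AGG3", "L2AGG", 13, 901),
    Trunk("L2AGG3", "L2AGG", 109, "L2HOST9", "L2HOST", 3, 1),
]

if __name__ == "__main__":
    for finding in audit_trunks(SAMPLE_TRUNKS):
        print(finding)
```

Run against a real inventory, the audit would be fed from the switch and router configurations rather than a hand-written list; the rules themselves stay the same.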

VLANs

The network architecture uses VLANs to group servers together into a single broadcast domain. VLAN numbers conform to the 802.1q standard, which supports VLANs numbered 1–4094.
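The two 802.1q behaviours described above, native (untagged) frames on a trunk port under "L2 host switches" and the 1–4094 VLAN number range here, can be seen in a frame parser. The following Python is an added example and is not part of this article or of any Azure component: it reads the Ethernet header, recognizes the 802.1q tag by its 0x8100 TPID, takes the VLAN ID from the low 12 bits of the tag control field, rejects the reserved IDs 0 and 4095, and assigns untagged frames to the trunk's native VLAN. The MAC addresses, payloads and the native VLAN number are constructed sample data.

```python
"""Parse the VLAN membership of frames received on an 802.1q trunk port.

Added example, not part of Azure or this article. Sample addresses, payloads
and the native VLAN number are constructed.
"""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1q tag
MIN_VID, MAX_VID = 1, 4094   # 802.1q usable range; 0 and 4095 are reserved


class FrameInfo(NamedTuple):
    dst: str
    src: str
    vlan: int        # VLAN the frame belongs to on this trunk
    tagged: bool     # False when the frame rode the native VLAN untagged
    ethertype: int   # EtherType of the encapsulated payload
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes, native_vlan: int) -> FrameInfo:
    """Classify one frame arriving on a trunk whose native VLAN is native_vlan."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != TPID_8021Q:
        # No tag: 802.1q says this frame is on the native VLAN.
        return FrameInfo(_mac(dst), _mac(src), native_vlan, False,
                         ethertype, frame[14:])
    if len(frame) < 18:
        raise ValueError("truncated 802.1q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF          # PCP (3 bits) and DEI (1 bit) sit above the VID
    if not MIN_VID <= vid <= MAX_VID:
        raise ValueError(f"invalid VLAN ID {vid}")
    return FrameInfo(_mac(dst), _mac(src), vid, True, inner_type, frame[18:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a sample frame; vid=None produces an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    # Constructed sample frames: one tagged with VLAN 100, one untagged.
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         0x0800, b"\x45" + b"\x00" * 19, vid=100)
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                           0x0806, b"\x00" * 28)
    for f in (tagged, untagged):
        print(parse_frame(f, native_vlan=900))
```

Because an untagged frame is silently placed on the native VLAN, a receiver that needs to know which VLAN a frame came from must be told the trunk's native VLAN out of band, which is why the architecture standardizes native VLAN selection rather than leaving it at the default.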

Edge architecture

Azure datacenters are built upon highly redundant and well-provisioned network infrastructures. Microsoft implements networks within the Azure datacenters with "need plus one" (N+1) redundancy architectures or better. Full failover features within and between datacenters help to ensure network and service availability. Externally, datacenters are served by dedicated, high-bandwidth network circuits. These circuits redundantly connect properties with over 1200 internet service providers globally at multiple peering points. This provides in excess of 2,000 Gbps of potential edge capacity across the network.

Filtering routers at the edge and access layer of the Azure network provide well-established security at the packet level and help to prevent unauthorized attempts to connect to Azure. The routers help to ensure that the actual contents of the packets contain data in the expected format, and conform to the expected client/server communication scheme. Azure implements a tiered architecture, consisting of the following network segregation and access control components:

  • Edge routers. These segregate the application environment from the internet. Edge routers are designed to provide anti-spoof protection and limit access by using ACLs.
  • Distribution (access) routers. These allow only Microsoft approved IP addresses, provide anti-spoofing, and establish connections by using ACLs.

Network connection rules

On its network, Azure deploys edge routers that provide security at the packet level to prevent unauthorized attempts to connect to Azure. Edge routers ensure that the actual contents of the packets contain data in the expected format, and conform to the expected client/server communication scheme.

Edge routers segregate the application environment from the internet. These routers are designed to provide anti-spoof protection, and limit access by using ACLs. Microsoft configures edge routers by using a tiered ACL approach, to limit the network protocols that are allowed to transit the edge routers and access routers.

Microsoft positions network devices at access and edge locations, to act as boundary points where ingress or egress filters are applied.
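The tiered ACL approach described under "Edge architecture" and "Network connection rules" can be illustrated with a small policy evaluator. The following Python is an added example and does not reproduce Microsoft's ACLs, which this article does not publish: it applies an edge tier (anti-spoofing: drop Internet-facing ingress whose source claims one of our own prefixes, and drop egress whose source is not ours) followed by a distribution tier (only approved source addresses and only the listed protocol/port pairs are permitted), returning the first tier that rejects a packet. The prefixes, the allowed-service list, and the sample packets are constructed; the way a verdict is reported and the two-tier split are assumptions made for the example.

```python
"""Two-tier ingress/egress filter at a network boundary point.

Added example, not Microsoft's ACLs. Prefixes, the allowed-service set and
the sample packets are constructed; the tier split is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Constructed policy data (documentation prefixes, not real Azure ranges).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "10.0.0.0/8")]
APPROVED_SOURCES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24",)]
ALLOWED_SERVICES: Set[Tuple[str, int]] = {("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    direction: str   # "ingress" (from the internet) or "egress" (to the internet)
    src: str
    dst: str
    proto: str
    dport: int


def _in(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def edge_filter(pkt: Packet) -> str:
    """Tier 1, edge routers: anti-spoofing in both directions."""
    if pkt.direction == "ingress" and _in(pkt.src, INTERNAL_PREFIXES):
        return "drop: spoofed internal source on ingress"
    if pkt.direction == "egress" and not _in(pkt.src, INTERNAL_PREFIXES):
        return "drop: egress source is not ours"
    return "permit"


def distribution_filter(pkt: Packet) -> str:
    """Tier 2, distribution/access routers: approved sources and services only."""
    if pkt.direction == "ingress":
        if not _in(pkt.src, APPROVED_SOURCES):
            return "drop: source not approved"
        if (pkt.proto, pkt.dport) not in ALLOWED_SERVICES:
            return "drop: service not allowed"
    return "permit"


def evaluate(pkt: Packet) -> str:
    """Apply the tiers in order; report which tier rejected the packet."""
    verdict = edge_filter(pkt)
    if verdict != "permit":
        return f"edge {verdict}"
    verdict = distribution_filter(pkt)
    if verdict != "permit":
        return f"distribution {verdict}"
    return "permit"


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("ingress", "203.0.113.7", "203.0.113.10", "tcp", 443),   # spoofed
        Packet("ingress", "198.51.100.5", "203.0.113.10", "tcp", 443),  # allowed
        Packet("ingress", "198.51.100.5", "203.0.113.10", "tcp", 22),   # wrong service
        Packet("ingress", "192.0.2.9", "203.0.113.10", "tcp", 443),     # not approved
        Packet("egress", "192.0.2.9", "198.51.100.5", "tcp", 443),      # not our source
    ]
    for p in samples:
        print(f"{p.direction:7} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}  {evaluate(p)}")
```

Placing the anti-spoofing check at the outermost tier means a packet with a forged internal source never reaches the distribution routers, whose rules can then assume source addresses are plausible; the order of the tiers is part of the policy, not an implementation detail.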

Next steps

To learn more about what Microsoft does to help secure the Azure infrastructure, see: