About networking in Azure VM disaster recovery

This article provides networking guidance when you're replicating and recovering Azure VMs from one region to another, using Azure Site Recovery.

Before you start

Learn how Site Recovery provides disaster recovery for this scenario.

Typical network infrastructure

The following diagram depicts a typical Azure environment for applications running on Azure VMs:

Diagram: customer environment

If you're using Azure ExpressRoute or a VPN connection from your on-premises network to Azure, the environment is as follows:

Diagram: customer environment

Typically, networks are protected using firewalls and network security groups (NSGs). Service tags should be used to control network connectivity, and the NSGs should allow the several service tags listed below so that the required outbound connectivity is permitted.

Important

Using an authenticated proxy to control network connectivity isn't supported by Site Recovery, and replication can't be enabled.

Outbound connectivity for URLs

If you are using a URL-based firewall proxy to control outbound connectivity, allow these Site Recovery URLs:

Note

Do not rely on IP address based allow lists to control outbound connectivity; the endpoints behind these URLs can change.

URL                                      Details
*.blob.core.chinacloudapi.cn             Required so that data can be written from the VM to the cache storage account in the source region. If you know all the cache storage accounts for your VMs, you can allow access to the specific storage account URLs (for example, cache1.blob.core.chinacloudapi.cn and cache2.blob.core.chinacloudapi.cn) instead of *.blob.core.chinacloudapi.cn.
login.chinacloudapi.cn                   Required for authorization and authentication to the Site Recovery service URLs.
*.hypervrecoverymanager.windowsazure.cn  Required so that Site Recovery service communication can occur from the VM.
*.servicebus.chinacloudapi.cn            Required so that Site Recovery monitoring and diagnostics data can be written from the VM.
*.vault.azure.cn                         Allows access to enable replication for ADE-enabled virtual machines via the portal.
*.azure-automation.cn                    Allows enabling auto-upgrade of the mobility agent for a replicated item via the portal.

Outbound connectivity using service tags

If you are using an NSG to control outbound connectivity, these service tags need to be allowed.

  • For the storage accounts in the source region:

    • Create a Storage service tag based NSG rule for the source region.
    • Allow these addresses so that data can be written from the VM to the cache storage account.
  • Create an Azure Active Directory (AAD) service tag based NSG rule to allow access to all IP addresses corresponding to AAD.

  • Create an EventHub service tag based NSG rule for the target region, allowing access to Site Recovery monitoring.

  • Create an AzureSiteRecovery service tag based NSG rule to allow access to the Site Recovery service in any region.

  • Create an AzureKeyVault service tag based NSG rule. This is required only for enabling replication of ADE-enabled virtual machines via the portal.

  • Create a GuestAndHybridManagement service tag based NSG rule. This is required only for enabling auto-upgrade of the mobility agent for a replicated item via the portal.

  • We recommend that you create the required NSG rules on a test NSG, and verify that there are no problems before you create the rules on a production NSG.

    Note

    When you create outbound connectivity using service tags on Azure China Cloud, some service tags are not supported and do not appear in the Destination service tag list. For those, you can create the outbound rule with the matching endpoint IP address to allow access to the specific service in any region.

    For example, if the AzureSiteRecovery service tag is not supported in a particular Azure China region, you can create the outbound rule with the matching AzureSiteRecovery endpoint IP address to allow access to the Site Recovery service in that region.

    Target         Site Recovery IP   Site Recovery monitoring IP
    China East     42.159.205.45      42.159.132.40
    China North    40.125.202.254     42.159.4.151
    China East 2   40.73.118.52       40.73.100.125
    China North 2  40.73.35.193       40.73.33.230

    You can find all the matching endpoint IP addresses by service tag in Azure IP Ranges and Service Tags – China Cloud.

Example NSG configuration

This example shows how to configure NSG rules for a VM that is to be replicated.

  • If you're using NSG rules to control outbound connectivity, use "Allow HTTPS outbound" rules to port 443 for all the required IP address ranges.
  • The example presumes that the VM source location is "China East" and the target location is "China North".

NSG rules - China East

  1. Create an outbound HTTPS (443) security rule for "Storage" on the NSG, as shown in the screenshot below.

    Screenshot: storage-tag

  2. Create an outbound HTTPS (443) security rule for "AzureActiveDirectory" on the NSG, as shown in the screenshot below.

    Screenshot: aad-tag

  3. Similar to the security rules above, create an outbound HTTPS (443) security rule for "EventHub" on the NSG that corresponds to the target location. This allows access to Site Recovery monitoring.

  4. Create an outbound HTTPS (443) security rule for "AzureSiteRecovery" on the NSG. This allows access to the Site Recovery service in any region.

    Note

    If the AzureSiteRecovery service tag is not supported in a particular Azure China region, you can create an outbound HTTPS (443) security rule for the Site Recovery IPs that correspond to the target location:

    For example:

    Location       Site Recovery IP address   Site Recovery monitoring IP address
    China North    40.125.202.254             42.159.4.151

    Screenshot: site-recovery-ip-address

NSG rules - China North

These rules are required so that replication can be enabled from the target region back to the source region after failover:

  1. Create an outbound HTTPS (443) security rule for "Storage" on the NSG.

  2. Create an outbound HTTPS (443) security rule for "AzureActiveDirectory" on the NSG.

  3. Similar to the security rules above, create an outbound HTTPS (443) security rule for "EventHub" on the NSG that corresponds to the source location. This allows access to Site Recovery monitoring.

  4. Create an outbound HTTPS (443) security rule for "AzureSiteRecovery" on the NSG. This allows access to the Site Recovery service in any region.

    Note

    If the AzureSiteRecovery service tag is not supported in a particular Azure China region, you can create an outbound HTTPS (443) security rule for the Site Recovery IPs that correspond to the source location:

    For example:

    Location       Site Recovery IP address   Site Recovery monitoring IP address
    China East     42.159.205.45              42.159.132.40
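The rule set above, plus the "test it on a test NSG first" recommendation from the service tag section, as an added example that is not part of this article or of Microsoft's tooling: required_rules builds the outbound HTTPS (443) rules for a source/target region pair in the shape of an ARM securityRules array (with the page's endpoint IPs as the fallback when the service tags are unavailable), and missing_destinations evaluates an existing NSG's rules in priority order, the way the NSG engine does, to report which required destinations are not actually allowed. Function names, the regional service tag form Storage.<Region> / EventHub.<Region>, and the sample NSG rules are assumptions constructed for this example.

```python
"""Generate the outbound NSG rules Site Recovery needs for Azure-to-Azure
replication, and check an existing NSG for gaps before touching production."""
import json

# Site Recovery endpoint IPs for Azure China, taken from the table in this
# article. Used only as a fallback when the AzureSiteRecovery / EventHub
# service tag is not available in the region.
SITE_RECOVERY_IPS = {
    "ChinaEast":   {"asr": "42.159.205.45",  "monitoring": "42.159.132.40"},
    "ChinaNorth":  {"asr": "40.125.202.254", "monitoring": "42.159.4.151"},
    "ChinaEast2":  {"asr": "40.73.118.52",   "monitoring": "40.73.100.125"},
    "ChinaNorth2": {"asr": "40.73.35.193",   "monitoring": "40.73.33.230"},
}


def https_out_rule(name, priority, destination, description):
    """One 'Allow HTTPS outbound' rule to port 443, in ARM securityRules shape."""
    return {"name": name, "properties": {
        "priority": priority, "direction": "Outbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": destination, "destinationPortRange": "443",
        "description": description}}


def required_rules(source_region, target_region, service_tags_supported=True,
                   ade_enabled=False, agent_auto_upgrade=False):
    """Rules for the NSG in front of VMs in source_region replicating to
    target_region. Regional tags are assumed to take the form Tag.Region."""
    if service_tags_supported:
        monitoring_dest, asr_dest = f"EventHub.{target_region}", "AzureSiteRecovery"
    else:  # fallback from the article: endpoint IPs of the target region
        monitoring_dest = SITE_RECOVERY_IPS[target_region]["monitoring"]
        asr_dest = SITE_RECOVERY_IPS[target_region]["asr"]
    rules = [
        https_out_rule("AllowStorageOut", 100, f"Storage.{source_region}",
                       "Cache storage account in the source region"),
        https_out_rule("AllowAadOut", 110, "AzureActiveDirectory",
                       "Authentication to Site Recovery service URLs"),
        https_out_rule("AllowMonitoringOut", 120, monitoring_dest,
                       "Site Recovery monitoring and diagnostics"),
        https_out_rule("AllowSiteRecoveryOut", 130, asr_dest, "Site Recovery service"),
    ]
    if ade_enabled:
        rules.append(https_out_rule("AllowKeyVaultOut", 140, "AzureKeyVault",
                                    "Replication of ADE-enabled VMs via portal"))
    if agent_auto_upgrade:
        rules.append(https_out_rule("AllowGuestManagementOut", 150,
                                    "GuestAndHybridManagement",
                                    "Mobility agent auto-upgrade via portal"))
    return rules


def effective_outbound(existing_rules, destination):
    """Decision the NSG takes for TCP/443 to `destination`: the first matching
    rule by ascending priority wins. Returns (access, rule name), or
    (None, None) when no rule matches and the platform default applies."""
    for rule in sorted(existing_rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p.get("direction") != "Outbound":
            continue
        dests = p.get("destinationAddressPrefixes") or [p.get("destinationAddressPrefix")]
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange")]
        # Simplification: exact tag/IP match, the wildcard, or the Internet tag;
        # port ranges such as "400-500" are not expanded.
        if not ({destination, "*", "Internet"} & set(dests)):
            continue
        if not ({"443", "*"} & set(ports)) or p.get("protocol") not in ("Tcp", "*"):
            continue
        return p["access"], rule["name"]
    return None, None


def missing_destinations(existing_rules, required):
    """Destinations from `required` that the existing NSG does not allow."""
    return [r["properties"]["destinationAddressPrefix"] for r in required
            if effective_outbound(existing_rules,
                                  r["properties"]["destinationAddressPrefix"])[0] != "Allow"]


# Constructed sample test NSG: Storage and AAD are already allowed, but a
# catch-all deny still blocks the monitoring and Site Recovery destinations.
SAMPLE_EXISTING_RULES = [
    https_out_rule("AllowStorageOut", 100, "Storage.ChinaEast", "existing"),
    https_out_rule("AllowAadOut", 110, "AzureActiveDirectory", "existing"),
    {"name": "DenyInternetOut", "properties": {
        "priority": 4000, "direction": "Outbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": "Internet", "destinationPortRange": "*"}},
]

if __name__ == "__main__":
    needed = required_rules("ChinaEast", "ChinaNorth")
    print("Missing on the sample NSG:", missing_destinations(SAMPLE_EXISTING_RULES, needed))
    print(json.dumps({"securityRules": needed}, indent=2))
```

Running the module prints the gaps on the sample NSG (EventHub.ChinaNorth and AzureSiteRecovery, both caught by the catch-all deny) and the full rule array; with service_tags_supported=False the monitoring and Site Recovery rules carry the China North endpoint IPs from the table instead of tags.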

Network virtual appliance configuration

If you are using network virtual appliances (NVAs) to control outbound network traffic from VMs, the appliance might get throttled if all the replication traffic passes through the NVA. We recommend creating a network service endpoint in your virtual network for "Storage" so that the replication traffic does not go through the NVA.

Create a network service endpoint for Storage

You can create a network service endpoint in your virtual network for "Storage" so that the replication traffic does not leave the Azure boundary.

  • Select your Azure virtual network and click 'Service endpoints'.

    Screenshot: storage-endpoint

  • Click 'Add'; the 'Add service endpoints' tab opens.

  • Select 'Microsoft.Storage' under 'Service' and the required subnets under the 'Subnets' field, and click 'Add'.

Note

Do not restrict virtual network access to the storage accounts used for ASR. You should allow access from 'All networks'.

Forced tunneling

You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route and divert VM traffic to an on-premises network virtual appliance (NVA), but this configuration is not recommended for Site Recovery replication. If you're using custom routes, you should create a virtual network service endpoint in your virtual network for "Storage" so that the replication traffic does not leave the Azure boundary.

Next steps