Retain IP addresses during failover

Azure Site Recovery enables disaster recovery for Azure VMs by replicating VMs to another Azure region, failing over if an outage occurs, and failing back to the primary region when things are back to normal.

During failover, you might want to keep the IP addressing in the target region identical to the source region:

  • By default, when you enable disaster recovery for Azure VMs, Site Recovery creates target resources based on source resource settings. For Azure VMs configured with static IP addresses, Site Recovery tries to provision the same IP address for the target VM, if it's not in use. For a full explanation of how Site Recovery handles addressing, review this article.
  • For simple applications, the default configuration is sufficient. For more complex apps, you might need to provision additional resources to make sure that connectivity works as expected after failover.

This article provides some examples for retaining IP addresses in more complex example scenarios. The examples include:

  • Failover for a company with all resources running in Azure
  • Failover for a company with a hybrid deployment, and resources running both on-premises and in Azure

Resources in Azure: full failover

Company A has all its apps running in Azure.

Before failover

Here's the architecture before failover.

  • Company A has identical networks and subnets in source and target Azure regions.
  • To reduce recovery time objective (RTO), the company uses replica nodes for SQL Server Always On, domain controllers, etc. These replica nodes are in a different VNet in the target region, so that they can establish VPN site-to-site connectivity between the source and target regions. This isn't possible if the same IP address space is used in the source and target.
  • Before failover, the network architecture is as follows:
    • Primary region is Azure China East

      • China East has a VNet (Source VNet) with address space 10.1.0.0/16.

      • China East has workloads split across three subnets in the VNet:

        • Subnet 1: 10.1.1.0/24
        • Subnet 2: 10.1.2.0/24
        • Subnet 3: 10.1.3.0/24
    • Secondary (target) region is Azure China North

      • China North has a recovery VNet (Recovery VNet) identical to Source VNet.
      • China North has an additional VNet (Azure VNet) with address space 10.2.0.0/16.
      • Azure VNet contains a subnet (Subnet 4) with address space 10.2.4.0/24.
      • Replica nodes for SQL Server Always On, domain controller, etc. are located in Subnet 4.
    • Source VNet and Azure VNet are connected with a VPN site-to-site connection.

    • Recovery VNet is not connected with any other virtual network.

    • Company A assigns/verifies target IP addresses for replicated items. The target IP is the same as source IP for each VM.

Resources in Azure before full failover

After failover

If a source regional outage occurs, Company A can fail over all its resources to the target region.

  • With target IP addresses already in place before the failover, Company A can orchestrate failover and automatically establish connections after failover between Recovery VNet and Azure VNet. This is illustrated in the following diagram.

  • Depending on app requirements, connections between the two VNets (Recovery VNet and Azure VNet) in the target region can be established before, during (as an intermediate step) or after the failover.

    • The company can use recovery plans to specify when connections will be established.
    • They can connect between the VNets using VNet peering or site-to-site VPN.
      • VNet peering doesn't use a VPN gateway and has different constraints.
      • VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For failovers, we generally advise using the same connectivity method as the source networks, including the connection type, to minimize unpredictable network incidents.

    Resources in Azure full failover

Resources in Azure: isolated app failover

You might need to fail over at the app level. For example, to fail over a specific app or app tier located in a dedicated subnet.

  • In this scenario, although you can retain IP addressing, it's not generally advisable since it increases the chance of connectivity inconsistencies. You'll also lose subnet connectivity to other subnets within the same Azure VNet.
  • A better way to do subnet-level app failover is to use different target IP addresses for failover (if you need connectivity to other subnets on source VNet), or to isolate each app in its own dedicated VNet in the source region. With the latter approach you can establish connectivity between networks in the source region, and emulate the same behavior when you fail over to the target region.

In this example, Company A places apps in the source region in dedicated VNets, and establishes connectivity between those VNets. With this design, they can perform isolated app failover, and retain the source private IP addresses in the target network.

Before failover

Before failover, the architecture is as follows:

  • Application VMs are hosted in the primary Azure China East region:

    • App1 VMs are located in VNet Source VNet 1: 10.1.0.0/16.
    • App2 VMs are located in VNet Source VNet 2: 10.2.0.0/16.
    • Source VNet 1 has two subnets.
    • Source VNet 2 has two subnets.
  • Secondary (target) region is Azure China North

    • China North has recovery VNets (Recovery VNet 1 and Recovery VNet 2) that are identical to Source VNet 1 and Source VNet 2.
    • Recovery VNet 1 and Recovery VNet 2 each have two subnets that match the subnets in Source VNet 1 and Source VNet 2.
    • China North has an additional VNet (Azure VNet) with address space 10.3.0.0/16.
    • Azure VNet contains a subnet (Subnet 4) with address space 10.3.4.0/24.
    • Replica nodes for SQL Server Always On, domain controller, etc. are located in Subnet 4.
  • There are a number of site-to-site VPN connections:

    • Source VNet 1 and Azure VNet
    • Source VNet 2 and Azure VNet
    • Source VNet 1 and Source VNet 2 are connected with VPN site-to-site
  • Recovery VNet 1 and Recovery VNet 2 aren't connected to any other VNets.

  • Company A configures VPN gateways on Recovery VNet 1 and Recovery VNet 2, to reduce RTO.

  • Recovery VNet 1 and Recovery VNet 2 are not connected with any other virtual network.

  • To reduce recovery time objective (RTO), VPN gateways are configured on Recovery VNet 1 and Recovery VNet 2 prior to failover.

    Resources in Azure before app failover

After failover

In the event of an outage or issue that affects a single app (in Source VNet 2 in our example), Company A can recover the affected app as follows:

  • Disconnect VPN connections between Source VNet 1 and Source VNet 2, and between Source VNet 2 and Azure VNet.
  • Establish VPN connections between Source VNet 1 and Recovery VNet 2, and between Recovery VNet 2 and Azure VNet.
  • Fail over VMs in Source VNet 2 to Recovery VNet 2.

Resources in Azure app failover

  • This example can be expanded to include more applications and network connections. The recommendation is to follow a like-like connection model, as far as possible, when failing over from source to target.
  • VPN Gateways use public IP addresses and gateway hops to establish connections. If you don't want to use public IP addresses, or you want to avoid extra hops, you can use Azure VNet peering to peer virtual networks across supported Azure regions.
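The connection changes in the isolated app failover steps above can be checked against the address plan before they are run. The following Python sketch is an added example, not part of the original article: it uses the VNet names and prefixes from this section, the helper names `conflicts` and `fail_over_app2` are hypothetical, and the rule that one VNet cannot be linked to two networks with overlapping address spaces is a modelling assumption.

```python
import ipaddress
from itertools import combinations

# Address spaces from the isolated app failover example in this section.
VNETS = {
    "Source VNet 1": "10.1.0.0/16",
    "Source VNet 2": "10.2.0.0/16",
    "Recovery VNet 1": "10.1.0.0/16",
    "Recovery VNet 2": "10.2.0.0/16",
    "Azure VNet": "10.3.0.0/16",
}

# Site-to-site links that exist before failover.
BEFORE = {
    ("Source VNet 1", "Azure VNet"),
    ("Source VNet 2", "Azure VNet"),
    ("Source VNet 1", "Source VNet 2"),
}


def conflicts(links, vnets=VNETS):
    """Return sorted descriptions of address-space conflicts in a set of links."""
    net = {name: ipaddress.ip_network(cidr) for name, cidr in vnets.items()}
    found, peers = set(), {}
    for a, b in links:
        if net[a].overlaps(net[b]):  # the two ends share addresses
            found.add(f"{a} <-> {b}: endpoints overlap")
        peers.setdefault(a, set()).add(b)
        peers.setdefault(b, set()).add(a)
    # Assumption: one VNet linked to two overlapping networks cannot route.
    for hub, linked in peers.items():
        for p, q in combinations(sorted(linked), 2):
            if net[p].overlaps(net[q]):
                found.add(f"{hub}: ambiguous route to {p} / {q}")
    return sorted(found)


def fail_over_app2(links, disconnect_first=True):
    """Apply the connection changes for failing over Source VNet 2."""
    old = {("Source VNet 1", "Source VNet 2"), ("Source VNet 2", "Azure VNet")}
    new = {("Source VNet 1", "Recovery VNet 2"), ("Recovery VNet 2", "Azure VNet")}
    links = set(links) - old if disconnect_first else set(links)
    return links | new


if __name__ == "__main__":
    print(conflicts(fail_over_app2(BEFORE)))
    for line in conflicts(fail_over_app2(BEFORE, disconnect_first=False)):
        print(line)
```

With the disconnect step applied first the plan has no conflicts; skipping it leaves Source VNet 1 and Azure VNet each linked to both 10.2.0.0/16 networks.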

Hybrid resources: full failover

In this scenario, Company B runs a hybrid business, with part of the application infrastructure running on Azure, and the remainder running on-premises.

Before failover

Here's what the network architecture looks like before failover.

  • Application VMs are hosted in Azure China East.

  • China East has a VNet (Source VNet) with address space 10.1.0.0/16.

    • China East has workloads split across three subnets in Source VNet:
      • Subnet 1: 10.1.1.0/24

      • Subnet 2: 10.1.2.0/24

      • Subnet 3: 10.1.3.0/24 utilizing an Azure virtual network with address space 10.1.0.0/16. This virtual network is named Source VNet.

  • The secondary (target) region is Azure China North:

    • China North has a recovery VNet (Recovery VNet) identical to Source VNet.
  • VMs in China East are connected to an on-premises datacenter with Azure ExpressRoute or site-to-site VPN.

  • To reduce RTO, Company B provisions gateways on Recovery VNet in Azure China North prior to failover.

  • Company B assigns/verifies target IP addresses for replicated VMs. The target IP address is the same as source IP address for each VM.

On-premises-to-Azure connection before failover

After failover

If a source regional outage occurs, Company B can fail over all its resources to the target region.

  • With target IP addresses already in place before the failover, Company B can orchestrate failover and automatically establish connections after failover between Recovery VNet and Azure VNet.

  • Depending on app requirements, connections between the two VNets (Recovery VNet and Azure VNet) in the target region can be established before, during (as an intermediate step) or after the failover. The company can use recovery plans to specify when connections will be established.

  • The original connection between Azure China East and the on-premises datacenter should be disconnected before establishing the connection between Azure China North and the on-premises datacenter.

  • The on-premises routing is reconfigured to point to the target region and gateways post failover.

On-premises-to-Azure connection after failover

Hybrid resources: isolated app failover

Company B can't fail over isolated apps at the subnet level. This is because the address space on source and recovery VNets is the same, and the original source to on-premises connection is active.

  • For app resiliency, Company B will need to place each app in its own dedicated Azure VNet.
  • With each app in a separate VNet, Company B can fail over isolated apps, and route source connections to the target region.

Next steps

Learn about recovery plans.