Subnet extension

Workload migration to the public cloud requires careful planning and coordination. One of the key considerations is the ability to retain your IP addresses, which matters especially if your applications have IP address dependencies or you have compliance requirements to use specific IP addresses. Azure Virtual Network solves this problem by allowing you to create VNets and subnets using an IP address range of your choice.

Migrations can get more challenging when the above requirement is coupled with an additional requirement to keep some applications on-premises. In such a situation, you have to split the applications between Azure and on-premises without renumbering the IP addresses on either side. Additionally, you have to allow the applications to communicate as if they were in the same network.

One solution to this problem is subnet extension. Extending a network allows applications to talk over the same broadcast domain even though they exist at different physical locations, removing the need to rearchitect your network topology.

While extending your network isn't a good practice in general, the following use cases can make it necessary.

  • Phased migration: The most common scenario is that you want to phase your migration. You want to bring a few applications first and, over time, migrate the rest of the applications to Azure.
  • Latency: Low latency requirements can be another reason to keep some applications on-premises, to ensure that they're as close as possible to your datacenter.
  • Compliance: Another use case is that you might have compliance requirements to keep some of your applications on-premises.

Note

You should not extend your subnets unless it is necessary. In the cases where you do extend your subnets, you should try to make it an intermediate step. Over time, you should renumber the applications in your on-premises network and migrate them to Azure.

In the next section, we'll discuss how you can extend your subnets into Azure.

Extend your subnet to Azure

You can extend your on-premises subnets to Azure using a layer-3 overlay network based solution. Most solutions use an overlay technology such as VXLAN to extend the layer-2 network over a layer-3 overlay network. The diagram below shows a generalized solution. In this solution, the same subnet exists on both sides, that is, in Azure and on-premises.

Diagram: Subnet extension example

The IP addresses from the subnet are assigned to VMs both in Azure and on-premises. Both Azure and the on-premises network have an NVA inserted in their networks. When a VM in Azure tries to talk to a VM in the on-premises network, the Azure NVA captures the packet, encapsulates it, and sends it over VPN/ExpressRoute to the on-premises network. The on-premises NVA receives the packet, decapsulates it, and forwards it to the intended recipient in its network. The return traffic uses a similar path and logic.

In the above example, the Azure NVA and the on-premises NVA communicate with each other and learn which IP addresses sit behind each of them. More complex networks can also have a mapping service, which maintains the mapping between the NVAs and the IP addresses behind them. When an NVA receives a packet, it queries the mapping service to find the address of the NVA that has the destination IP address behind it.
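The following is an added example, not code from this article or from any Azure or vendor subnet-extension product. It simulates the two preceding paragraphs: two NVAs front the same subnet (10.1.0.0/24, a constructed range), each VXLAN-encapsulates packets bound for hosts behind its peer, and a shared mapping service answers "which NVA is in front of this destination IP". The VXLAN header layout follows RFC 7348; the VNI (1000), the tunnel endpoint addresses (documentation ranges 192.0.2.1 and 198.51.100.1), the in-memory dictionary that stands in for the VPN/ExpressRoute path, and the simplified inner packet (two IPv4 addresses plus payload instead of a full Ethernet frame) are all assumptions of this example.

```python
import struct
import ipaddress

# VXLAN header (RFC 7348): 1 flags byte (0x08 = VNI valid), 3 reserved bytes,
# 24-bit VNI, 1 reserved byte. On the wire it rides in UDP port 4789; this
# example keeps only the header logic and models the tunnel as a dictionary.
VXLAN_FLAG_I = 0x08
VXLAN_HEADER_FMT = "!B3sI"
VXLAN_HEADER_LEN = struct.calcsize(VXLAN_HEADER_FMT)  # 8 bytes


def vxlan_encapsulate(inner: bytes, vni: int) -> bytes:
    """Prepend a VXLAN header carrying `vni` (top 24 bits of the last word)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack(VXLAN_HEADER_FMT, VXLAN_FLAG_I, b"\x00" * 3, vni << 8) + inner


def vxlan_decapsulate(packet: bytes) -> tuple:
    """Strip the VXLAN header and return (vni, inner_frame); reject malformed input."""
    if len(packet) < VXLAN_HEADER_LEN:
        raise ValueError("packet shorter than a VXLAN header")
    flags, _reserved, word = struct.unpack(VXLAN_HEADER_FMT, packet[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return word >> 8, packet[VXLAN_HEADER_LEN:]


# Constructed, simplified inner packet: 4-byte source IPv4, 4-byte destination
# IPv4, then payload. Only the addresses matter for the forwarding decision.
def pack_inner(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    return ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed + payload


def unpack_inner(frame: bytes) -> tuple:
    return (str(ipaddress.IPv4Address(frame[:4])),
            str(ipaddress.IPv4Address(frame[4:8])), frame[8:])


class MappingService:
    """Shared directory: which NVA tunnel endpoint sits in front of which host IP."""

    def __init__(self):
        self._table = {}

    def register(self, nva_addr: str, host_ips) -> None:
        for ip in host_ips:
            self._table[ip] = nva_addr

    def lookup(self, host_ip: str):
        return self._table.get(host_ip)  # None means no NVA claims this host


class NVA:
    """One overlay endpoint (the Azure or the on-premises side of the extended subnet)."""

    def __init__(self, tunnel_addr, vni, local_hosts, mapping, transport):
        self.tunnel_addr, self.vni = tunnel_addr, vni
        self.local_hosts = set(local_hosts)
        self.mapping, self.transport = mapping, transport  # transport: tunnel_addr -> NVA
        self.delivered = []  # (src, dst, payload) handed to a local VM
        self.dropped = []    # (reason, dst) for packets not forwarded
        transport[tunnel_addr] = self
        mapping.register(tunnel_addr, local_hosts)

    def send_from_local_vm(self, src_ip: str, dst_ip: str, payload: bytes) -> str:
        """A local VM emits a packet: deliver locally or tunnel to the peer NVA."""
        if dst_ip in self.local_hosts:
            self.delivered.append((src_ip, dst_ip, payload))
            return "local"
        peer = self.mapping.lookup(dst_ip)
        if peer is None or peer == self.tunnel_addr:
            self.dropped.append(("no-mapping", dst_ip))
            return "dropped"
        frame = pack_inner(src_ip, dst_ip, payload)
        self.transport[peer].receive_from_tunnel(vxlan_encapsulate(frame, self.vni))
        return "tunneled"

    def receive_from_tunnel(self, packet: bytes) -> str:
        """Decapsulate a packet from the peer and deliver it only to a local host."""
        vni, frame = vxlan_decapsulate(packet)
        src, dst, payload = unpack_inner(frame)
        if vni != self.vni:
            self.dropped.append(("wrong-vni", dst))  # not our segment
            return "dropped"
        if dst not in self.local_hosts:
            self.dropped.append(("not-local", dst))  # never re-tunnel: avoids loops
            return "dropped"
        self.delivered.append((src, dst, payload))
        return "delivered"


def run_demo() -> dict:
    """Subnet 10.1.0.0/24 split across Azure and on-premises (constructed addresses)."""
    mapping, transport = MappingService(), {}
    azure = NVA("192.0.2.1", 1000, ["10.1.0.10", "10.1.0.11"], mapping, transport)
    onprem = NVA("198.51.100.1", 1000, ["10.1.0.20", "10.1.0.21"], mapping, transport)
    results = {
        "azure_to_onprem": azure.send_from_local_vm("10.1.0.10", "10.1.0.20", b"SYN"),
        "onprem_reply": onprem.send_from_local_vm("10.1.0.20", "10.1.0.10", b"SYN-ACK"),
        "azure_local": azure.send_from_local_vm("10.1.0.10", "10.1.0.11", b"ping"),
        "unknown_host": azure.send_from_local_vm("10.1.0.10", "10.1.0.99", b"?"),
    }
    results["onprem_delivered"] = onprem.delivered
    results["azure_delivered"] = azure.delivered
    results["azure_dropped"] = azure.dropped
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Two design points carry over to real deployments: the receiving NVA delivers a decapsulated packet only to a host it actually fronts (so a stale mapping cannot make the two NVAs bounce a packet back and forth), and it checks the VNI so that traffic from a different segment sharing the same tunnel is discarded rather than leaked into the extended subnet.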

In the next section, you'll find details on subnet extension solutions we've tested on Azure.

Next steps

Extend your subnet to Azure using vendor solutions.