Virtual appliance scenario

A common scenario among larger Azure customers is the need to provide a two-tiered application exposed to the Internet, while allowing access to the back tier from an on-premises datacenter. This document walks you through a scenario using User Defined Routes (UDR), a VPN Gateway, and network virtual appliances to deploy a two-tier environment that meets the following requirements:

  • The web application must be accessible from the public Internet only.
  • The web server hosting the application must be able to access a backend application server.
  • All traffic from the Internet to the web application must go through a firewall virtual appliance. This virtual appliance is used for Internet traffic only.
  • All traffic going to the application server must go through a firewall virtual appliance. This virtual appliance is used for access to the backend server, and for access coming in from the on-premises network via a VPN Gateway.
  • Administrators must be able to manage the firewall virtual appliances from their on-premises computers, by using a third firewall virtual appliance used exclusively for management purposes.

This is a standard perimeter network (also known as DMZ) scenario with a DMZ and a protected network. Such a scenario can be constructed in Azure by using NSGs, firewall virtual appliances, or a combination of both. The table below shows some of the pros and cons of NSGs versus firewall virtual appliances.

            Pros                                                       Cons
NSG         No cost.                                                   Complexity could vary in larger environments.
            Integrated into Azure RBAC.
            Rules can be created in Azure Resource Manager templates.
Firewall    Full control over the data plane.                          Cost of the firewall appliance.
            Central management through the firewall console.           Not integrated with Azure RBAC.

The solution below uses firewall virtual appliances to implement a perimeter network (DMZ)/protected network scenario.

Considerations

You can deploy the environment explained above in Azure using different features available today, as follows.

  • Virtual network (VNet). An Azure VNet acts in a similar fashion to an on-premises network, and can be segmented into one or more subnets to provide traffic isolation and separation of concerns.
  • Virtual appliance. Several partners provide virtual appliances in the Azure Marketplace that can be used for the three firewalls described above.
  • User Defined Routes (UDR). Route tables can contain UDRs used by Azure networking to control the flow of packets within a VNet. These route tables can be applied to subnets. One of the newest features in Azure is the ability to apply a route table to the GatewaySubnet, providing the ability to forward all traffic coming into the Azure VNet from a hybrid connection to a virtual appliance.
  • IP Forwarding. By default, the Azure networking engine forwards packets to virtual network interface cards (NICs) only if the packet destination IP address matches the NIC IP address. Therefore, if a UDR defines that a packet must be sent to a given virtual appliance, the Azure networking engine would drop that packet. To ensure the packet is delivered to a VM (in this case a virtual appliance) that is not the actual destination for the packet, you need to enable IP Forwarding for the virtual appliance.
  • Network Security Groups (NSGs). The example below does not make use of NSGs, but you could use NSGs applied to the subnets and/or NICs in this solution to further filter the traffic in and out of those subnets and NICs.


In this example there is a subscription that contains the following:

  • 2 resource groups, not shown in the diagram.
    • ONPREMRG. Contains all resources necessary to simulate an on-premises network.
    • AZURERG. Contains all resources necessary for the Azure virtual network environment.
  • A VNet named onpremvnet used to mimic an on-premises datacenter, segmented as listed below.
    • onpremsn1. Subnet containing a virtual machine (VM) running Ubuntu to mimic an on-premises server.
    • onpremsn2. Subnet containing a VM running Ubuntu to mimic an on-premises computer used by an administrator.
  • There is one firewall virtual appliance named OPFW on onpremvnet used to maintain a tunnel to azurevnet.
  • A VNet named azurevnet segmented as listed below.
    • azsn1. External firewall subnet used exclusively for the external firewall. All Internet traffic comes in through this subnet. This subnet only contains a NIC linked to the external firewall.
    • azsn2. Front end subnet hosting a VM running as a web server that will be accessed from the Internet.
    • azsn3. Backend subnet hosting a VM running a backend application server that will be accessed by the front end web server.
    • azsn4. Management subnet used exclusively to provide management access to all firewall virtual appliances. This subnet only contains a NIC for each firewall virtual appliance used in the solution.
    • GatewaySubnet. Azure hybrid connection subnet required for ExpressRoute and VPN Gateway to provide connectivity between Azure VNets and other networks.
  • There are 3 firewall virtual appliances in the azurevnet network.
    • AZF1. External firewall exposed to the public Internet by using a public IP address resource in Azure. You need to ensure you have a template from the Marketplace, or directly from your appliance vendor, that provisions a 3-NIC virtual appliance.
    • AZF2. Internal firewall used to control traffic between azsn2 and azsn3. This is also a 3-NIC virtual appliance.
    • AZF3. Management firewall accessible to administrators from the on-premises datacenter, and connected to a management subnet used to manage all firewall appliances. You can find 2-NIC virtual appliance templates in the Marketplace, or request one directly from your appliance vendor.

User Defined Routing (UDR)

Each subnet in Azure can be linked to a UDR table used to define how traffic initiated in that subnet is routed. If no UDRs are defined, Azure uses default routes to allow traffic to flow from one subnet to another. To better understand UDRs, visit What are User Defined Routes and IP Forwarding.

To ensure communication is done through the right firewall appliance, based on the last requirement above, you need to create the following route tables containing UDRs in azurevnet.

azgwudr

In this scenario, the only traffic flowing from on-premises to Azure is used to manage the firewalls by connecting to AZF3, and that traffic must go through the internal firewall, AZF2. Therefore, only one route is necessary in the GatewaySubnet, as shown below.

Destination     Next hop      Explanation
10.0.4.0/24     10.0.3.11     Allows on-premises traffic to reach management firewall AZF3

azsn2udr

Destination     Next hop      Explanation
10.0.3.0/24     10.0.2.11     Allows traffic to the backend subnet hosting the application server through AZF2
0.0.0.0/0       10.0.2.10     Allows all other traffic to be routed through AZF1

azsn3udr

Destination     Next hop      Explanation
10.0.2.0/24     10.0.3.10     Allows traffic to azsn2 to flow from the app server to the web server through AZF2

You also need to create route tables for the subnets in onpremvnet to mimic the on-premises datacenter.

onpremsn1udr

Destination       Next hop        Explanation
192.168.2.0/24    192.168.1.4     Allows traffic to onpremsn2 through OPFW

onpremsn2udr

Destination       Next hop        Explanation
10.0.3.0/24       192.168.2.4     Allows traffic to the backend subnet in Azure through OPFW
192.168.1.0/24    192.168.2.4     Allows traffic to onpremsn1 through OPFW

IP Forwarding

UDR and IP Forwarding are features that you can use in combination to allow virtual appliances to control traffic flow in an Azure VNet. A virtual appliance is nothing more than a VM that runs an application used to handle network traffic in some way, such as a firewall or a NAT device.

This virtual appliance VM must be able to receive incoming traffic that is not addressed to itself. To allow a VM to receive traffic addressed to other destinations, you must enable IP Forwarding for the VM. This is an Azure setting, not a setting in the guest operating system. Your virtual appliance still needs to run some type of application to handle the incoming traffic and route it appropriately.

To learn more about IP Forwarding, visit What are User Defined Routes and IP Forwarding.

As an example, imagine you have the following setup in an Azure VNet:

  • Subnet onpremsn1 contains a VM named onpremvm1.
  • Subnet onpremsn2 contains a VM named onpremvm2.
  • A virtual appliance named OPFW is connected to onpremsn1 and onpremsn2.
  • A user defined route linked to onpremsn1 specifies that all traffic to onpremsn2 must be sent to OPFW.

At this point, if onpremvm1 tries to establish a connection with onpremvm2, the UDR is used and traffic is sent to OPFW as the next hop. Keep in mind that the actual packet destination is not changed: it still says onpremvm2 is the destination.

Without IP Forwarding enabled for OPFW, the Azure virtual networking logic drops the packets, since it only allows packets to be sent to a VM if the VM's IP address is the destination for the packet.

With IP Forwarding enabled, the Azure virtual networking logic forwards the packets to OPFW without changing their original destination address. OPFW must then handle the packets and determine what to do with them.

For the scenario above to work, you must enable IP Forwarding on the NICs for OPFW, AZF1, AZF2, and AZF3 that are used for routing (all NICs except the ones linked to the management subnet).
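The following script is an added example (not part of this document or of any Azure tooling) that models the two mechanisms just described: longest-prefix selection of a next hop from the route tables listed above, and Azure's refusal to hand a packet to a next-hop VM whose NIC does not have IP Forwarding enabled. The route tables are copied from the UDR sections of this page; the appliance NIC inventory (which address belongs to which appliance, and the management NIC 10.0.4.10) is an assumption made for the example. It also includes an audit function of the kind a defender would run before cut-over, to confirm that every next hop in every table is a known NIC with IP Forwarding turned on.

```python
"""Simulate Azure UDR next-hop selection and the IP Forwarding check.

Constructed model of the scenario on this page: the route tables are the UDR
tables listed above; the NIC inventory is an assumption for this example.
"""
import ipaddress

# UDR tables from the page: per-subnet {destination prefix: next-hop address}.
ROUTE_TABLES = {
    "GatewaySubnet": {"10.0.4.0/24": "10.0.3.11"},                                  # azgwudr
    "azsn2": {"10.0.3.0/24": "10.0.2.11", "0.0.0.0/0": "10.0.2.10"},                 # azsn2udr
    "azsn3": {"10.0.2.0/24": "10.0.3.10"},                                           # azsn3udr
    "onpremsn1": {"192.168.2.0/24": "192.168.1.4"},                                  # onpremsn1udr
    "onpremsn2": {"10.0.3.0/24": "192.168.2.4", "192.168.1.0/24": "192.168.2.4"},    # onpremsn2udr
}

# Assumed appliance NICs: address -> (appliance name, IP Forwarding enabled).
# Per the page, IP Forwarding is on for every routing NIC; the management-subnet
# NIC (azsn4, address assumed) is left off because it is never a next hop.
NICS = {
    "10.0.2.10": ("AZF1", True),
    "10.0.2.11": ("AZF2", True),
    "10.0.3.10": ("AZF2", True),
    "10.0.3.11": ("AZF3", True),
    "192.168.1.4": ("OPFW", True),
    "192.168.2.4": ("OPFW", True),
    "10.0.4.10": ("AZF1", False),   # assumed management NIC
}


def lookup_next_hop(src_subnet, dst_ip, route_tables=ROUTE_TABLES):
    """Longest-prefix match over the source subnet's UDRs.

    Returns the next-hop address, or None when no UDR matches and Azure's
    default (system) routes apply.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in route_tables.get(src_subnet, {}).items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def deliver(src_subnet, dst_ip, nics=NICS, route_tables=ROUTE_TABLES):
    """Return (next_hop, outcome) for one packet.

    The destination address is never rewritten: the packet still carries
    dst_ip, so Azure only hands it to the next-hop VM when that NIC has
    IP Forwarding enabled; otherwise the packet is dropped.
    """
    next_hop = lookup_next_hop(src_subnet, dst_ip, route_tables)
    if next_hop is None or next_hop == dst_ip:
        return next_hop, "delivered-directly"   # system route, or the appliance is the real target
    appliance, ip_forwarding = nics.get(next_hop, ("unknown", False))
    if not ip_forwarding:
        return next_hop, "dropped-no-ip-forwarding"
    return next_hop, f"forwarded-to-{appliance}"


def audit_next_hops(route_tables=ROUTE_TABLES, nics=NICS):
    """Defender's check: every UDR next hop must be a known NIC with IP Forwarding on."""
    problems = []
    for subnet, routes in route_tables.items():
        for prefix, next_hop in routes.items():
            appliance, ip_forwarding = nics.get(next_hop, (None, False))
            if appliance is None:
                problems.append(f"{subnet} {prefix}: next hop {next_hop} is not a known NIC")
            elif not ip_forwarding:
                problems.append(f"{subnet} {prefix}: {appliance} NIC {next_hop} has IP Forwarding off")
    return problems


if __name__ == "__main__":
    # Constructed sample flows: web tier to app tier, web tier to the Internet,
    # app tier back to web tier, and on-premises management traffic via the gateway.
    for subnet, dst in [("azsn2", "10.0.3.101"), ("azsn2", "203.0.113.9"),
                        ("azsn3", "10.0.2.4"), ("GatewaySubnet", "10.0.4.10")]:
        print(f"{subnet} -> {dst}: {deliver(subnet, dst)}")
    print("audit:", audit_next_hops() or "ok")
```

Flipping the IP Forwarding flag on any NIC in the inventory and re-running `deliver` reproduces the silent drop the text warns about, and `audit_next_hops` reports exactly which route and NIC would cause it.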

Firewall Rules

As described above, IP Forwarding only ensures packets are sent to the virtual appliances. Your appliance still needs to decide what to do with those packets. In the scenario above, you need to create the following rules in your appliances:

OPFW

OPFW represents an on-premises device containing the following rules:

  • Route: All traffic to 10.0.0.0/16 (azurevnet) must be sent through tunnel ONPREMAZURE.
  • Policy: Allow all bidirectional traffic between port2 and ONPREMAZURE.

AZF1

AZF1 represents an Azure virtual appliance containing the following rules:

  • Policy: Allow all bidirectional traffic between port1 and port2.

AZF2

AZF2 represents an Azure virtual appliance containing the following rules:

  • Route: All traffic to 10.0.0.0/16 (onpremvnet) must be sent to the Azure gateway IP address (i.e. 10.0.0.1) through port1.
  • Policy: Allow all bidirectional traffic between port1 and port2.

Network Security Groups (NSGs)

In this scenario, NSGs are not being used. However, you could apply NSGs to each subnet to restrict incoming and outgoing traffic. For instance, you could apply the following NSG rules to the external FW subnet.

Incoming

  • Allow all TCP traffic from the Internet to port 80 on any VM in the subnet.
  • Deny all other traffic from the Internet.

Outgoing

  • Deny all traffic to the Internet.
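The following is an added example (not part of this document or of Azure's own tooling) that encodes the three rules above for the external FW subnet together with Azure's built-in default NSG rules, and evaluates sample flows the way an NSG does: rules for a direction are walked in ascending priority order and the first match wins. The VNet address space 10.0.0.0/16, the priorities 100 and 200 for the custom rules, and the handling of the Internet tag as "any address outside the VNet and outside RFC 1918 space" are assumptions made for this example; the default rule names and priorities (65000, 65001, 65500) are Azure's real built-in values. The last check in the test shows why the explicit outbound deny matters: without it, the default AllowInternetOutBound rule would let the firewall subnet initiate connections to the Internet.

```python
"""Evaluate Azure NSG rules (priority order, first match wins) for sample flows.

Constructed model for this page's external FW subnet rules; VNet address
space, custom-rule priorities and the Internet tag definition are assumptions.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")   # assumed azurevnet address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, "Internet", "VirtualNetwork" or "*"
    destination: str    # CIDR, "Internet", "VirtualNetwork" or "*"
    dest_port: str      # single port number or "*"


def _addr_matches(tag, ip):
    ip = ipaddress.ip_address(ip)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return ip in VNET
    if tag == "Internet":   # simplification of the Azure service tag
        return ip not in VNET and not any(ip in n for n in RFC1918)
    return ip in ipaddress.ip_network(tag)


def evaluate(rules, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule name) for one flow, following NSG semantics."""
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.priority)
    for r in candidates:
        if r.protocol not in ("*", protocol):
            continue
        if not _addr_matches(r.source, src_ip) or not _addr_matches(r.destination, dst_ip):
            continue
        if r.dest_port != "*" and int(r.dest_port) != dst_port:
            continue
        return r.access, r.name
    return "Deny", "implicit"   # not reached while the default DenyAll rules are present


# Rules from the page for the external FW subnet, plus Azure's default rules.
EXTERNAL_FW_NSG = [
    Rule("allow-http-from-internet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "80"),
    Rule("deny-all-from-internet", 200, "Inbound", "Deny", "*", "Internet", "*", "*"),
    Rule("deny-all-to-internet", 100, "Outbound", "Deny", "*", "*", "Internet", "*"),
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def without_rule(rules, name):
    """Helper to show the effect of omitting one rule."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    # Constructed sample flows against the external firewall NIC at 10.0.1.4 (assumed).
    print(evaluate(EXTERNAL_FW_NSG, "Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 80))
    print(evaluate(EXTERNAL_FW_NSG, "Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 22))
    print(evaluate(EXTERNAL_FW_NSG, "Outbound", "Tcp", "10.0.1.4", "203.0.113.5", 443))
    print(evaluate(without_rule(EXTERNAL_FW_NSG, "deny-all-to-internet"),
                   "Outbound", "Tcp", "10.0.1.4", "203.0.113.5", 443))
```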

High level steps

To deploy this scenario, follow the high level steps below.

  1. Log in to your Azure subscription.
  2. If you want to deploy a VNet to mimic the on-premises network, provision the resources that are part of ONPREMRG.
  3. Provision the resources that are part of AZURERG.
  4. Provision the tunnel from onpremvnet to azurevnet.
  5. Once all resources are provisioned, sign in to onpremvm2 and ping 10.0.3.101 to test connectivity between onpremsn2 and azsn3.