关于 Azure VPN 网关的 BGPAbout BGP with Azure VPN Gateway

本文概述了 Azure VPN 网关中的 BGP(边界网关协议)支持。This article provides an overview of BGP (Border Gateway Protocol) support in Azure VPN Gateway.

BGP 是通常在 Internet 上使用的,用于在两个或更多网络之间交换路由和可访问性信息的标准路由协议。BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. 在 Azure 虚拟网络的上下文中使用时,BGP 允许 Azure VPN 网关和本地 VPN 设备(称为 BGP 对等节点或邻居)交换“路由”,这些路由会通知这两个网关这些前缀的可用性和可访问性,以便这些前缀可通过涉及的网关或路由器。When used in the context of Azure Virtual Networks, BGP enables the Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP 还可以通过将 BGP 网关从一个 BGP 对等节点获知的路由传播到所有其他 BGP 对等节点来允许在多个网络之间传输路由。BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.

为什么使用 BGP?Why use BGP?

BGP 是可用于 Azure 基于路由的 VPN 网关的可选功能。BGP is an optional feature you can use with Azure Route-Based VPN gateways. 在启用此功能之前,还应确保本地 VPN 设备支持 BGP。You should also make sure your on-premises VPN devices support BGP before you enable the feature. 可以继续使用不带 BGP 的 Azure VPN 网关和本地 VPN 设备。You can continue to use Azure VPN gateways and your on-premises VPN devices without BGP. 它等效于在你的网络与 Azure 之间使用静态路由(不带 BGP)使用带 BGP 的动态路由。It is the equivalent of using static routes (without BGP) vs. using dynamic routing with BGP between your networks and Azure.

使用 BGP 有几个优点和新功能:There are several advantages and new capabilities with BGP:

支持自动和灵活的前缀更新Support automatic and flexible prefix updates

使用 BGP,只需通过 IPsec S2S VPN 隧道为特定 BGP 对等节点声明最小前缀。With BGP, you only need to declare a minimum prefix to a specific BGP peer over the IPsec S2S VPN tunnel. 它最小可为本地 VPN 设备的 BGP 对等节点 IP 地址的主机前缀(/32)。It can be as small as a host prefix (/32) of the BGP peer IP address of your on-premises VPN device. 可以控制要将哪些本地网络前缀播发到 Azure 以允许 Azure 虚拟网络访问。You can control which on-premises network prefixes you want to advertise to Azure to allow your Azure Virtual Network to access.

还可以播发更大的前缀,可以包括一些 VNet 地址前缀,如大型专用 IP 地址空间(例如,10.0.0.0/8)。You can also advertise larger prefixes that may include some of your VNet address prefixes, such as a large private IP address space (for example, 10.0.0.0/8). 但请注意,这些前缀不能与任一 VNet 前缀相同。Note though the prefixes cannot be identical with any one of your VNet prefixes. 与 VNet 前缀相同的这些路由会被拒绝。Those routes identical to your VNet prefixes will be rejected.

支持 VNet 与本地站点之间的多个隧道基于 BGP 自动进行故障转移Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP

可以在同一位置的 Azure VNet 和本地 VPN 设备之间建立多个连接。You can establish multiple connections between your Azure VNet and your on-premises VPN devices in the same location. 在主-主配置中,此功能在两个网络之间提供多个隧道(路径)。This capability provides multiple tunnels (paths) between the two networks in an active-active configuration. 如果其中一个隧道断开连接,则将通过 BGP 撤销相应的路由,流量会自动转移到其余隧道。If one of the tunnels is disconnected, the corresponding routes will be withdrawn via BGP and the traffic automatically shifts to the remaining tunnels.

下图显示了此高度可用设置的简单示例:The following diagram shows a simple example of this highly available setup:

多个活动路径

支持本地网络与多个 Azure VNet 之间的传输路由Support transit routing between your on-premises networks and multiple Azure VNets

BGP 使多个网关可以从不同网络获知和传播前缀,而无论它们是直接还是间接连接。BGP enables multiple gateways to learn and propagate prefixes from different networks, whether they are directly or indirectly connected. 这可以为本地站点之间或跨多个 Azure 虚拟网络的 Azure VPN 网关启用传输路由。This can enable transit routing with Azure VPN gateways between your on-premises sites or across multiple Azure Virtual Networks.

下图显示了多跃点拓扑的示例,其中的多个路径可以通过 Microsoft 网络中的 Azure VPN 网关在两个本地网络之间传输流量:The following diagram shows an example of a multi-hop topology with multiple paths that can transit traffic between the two on-premises networks through Azure VPN gateways within the Microsoft Networks:

多跃点传输

BGP 常见问题解答BGP FAQ

BGP 是否在所有 Azure VPN 网关 SKU 上受支持?Is BGP supported on all Azure VPN Gateway SKUs?

否,BGP 在 Azure VpnGw1VpnGw2VpnGw3、标准 VPN 网关和高性能 VPN 网关上受支持。No, BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways. 基本 SKU。Basic SKU is NOT supported.

能否将 BGP 用于基于 Azure Policy 的 VPN 网关?Can I use BGP with Azure Policy-Based VPN gateways?

否,只有基于路由的 VPN 网关支持 BGP。No, BGP is supported on Route-Based VPN gateways only.

能否使用专用 ASN(自治系统编号)?Can I use private ASNs (Autonomous System Numbers)?

能,可以将自己的公共 ASN 或专用 ASN 同时用于本地网络和 Azure 虚拟网络。Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual networks.

能否使用 32 位 ASN(自治系统编号)?Can I use 32-bit ASNs (Autonomous System Numbers)?

否,Azure VPN 网关目前支持 16 位 ASN。No, the Azure VPN Gateways support 16-Bit ASNs today.

是否存在由 Azure 保留的 ASN?Are there ASNs reserved by Azure?

是,Azure 保留了以下 ASN 用于内部和外部的对等互连:Yes, the following ASNs are reserved by Azure for both internal and external peerings:

  • 公用 ASN:8074、8075、12076Public ASNs: 8074, 8075, 12076
  • 专用 ASN:65515、65517、65518、65519、65520Private ASNs: 65515, 65517, 65518, 65519, 65520

连接到 Azure VPN 网关时,不能为本地 VPN 设备指定这些 ASN。You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.

是否有任何其他我不能使用的 ASN?Are there any other ASNs that I can't use?

是的。以下 ASN 是 IANA 保留的,不能在 Azure VPN 网关上配置:Yes, the following ASNs are reserved by IANA and can't be configured on your Azure VPN Gateway:

23456、64496-64511、65535-65551 和 42949672923456, 64496-64511, 65535-65551 and 429496729

我可以使用哪些专用 ASN?What Private ASNs can I use?

可使用的专用 ASN 的可用范围如下:The useable range of Private ASNs that can be used are:

  • 64512-65514、65521-6553464512-65514, 65521-65534

IANA 或 Azure 不保留这些 ASN 以供使用,因此可用于分配给 Azure VPN 网关。These ASNs are not reserved by IANA or Azure for use and therefore can be used to assign to your Azure VPN Gateway.

能否将同一个 ASN 同时用于本地 VPN 网络和 Azure VNet?Can I use the same ASN for both on-premises VPN networks and Azure VNets?

否,必须在本地网络和 Azure VNet 之间分配不同 ASN(如果要使用 BGP 将它们连接在一起)。No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are connecting them together with BGP. 无论是否为跨界连接启用了 BGP,都会为 Azure VPN 网关分配默认 ASN(即 65515)。Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is enabled or not for your cross-premises connectivity. 可以通过在创建 VPN 网关时分配不同 ASN,或者在创建网关后更改 ASN 来覆盖此默认值。You can override this default by assigning a different ASN when creating the VPN gateway, or change the ASN after the gateway is created. 需要将本地 ASN 分配给相应的 Azure 本地网关。You will need to assign your on-premises ASNs to the corresponding Azure Local Network Gateways.

Azure VPN 网关将播发给我哪些地址前缀?What address prefixes will Azure VPN gateways advertise to me?

Azure VPN 网关会将以下路由播发到本地 BGP 设备:Azure VPN gateway will advertise the following routes to your on-premises BGP devices:

  • VNet 地址前缀Your VNet address prefixes
  • 已连接到 Azure VPN 网关的每个本地网关的地址前缀Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
  • 从连接到 Azure VPN 网关的其他 BGP 对等会话获知的路由, 默认路由或与任何 VNet 前缀重叠的路由除外Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route or routes overlapped with any VNet prefix.

我可以向 Azure VPN 网关发布多少个前缀?How many prefixes can I advertise to Azure VPN gateway?

我们支持最多 4000 个前缀。We support up to 4000 prefixes. 如果前缀数目超过此限制,将丢弃 BGP 会话。The BGP session is dropped if the number of prefixes exceeds the limit.

能否将默认路由 (0.0.0.0/0) 播发给 Azure VPN 网关?Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?

是的。Yes.

请注意,这样会强制所有的 VNet 出口流量流向本地站点,并且会阻止 VNet VM 接受直接来自 Internet 的公共通信,例如从 Internet 发往 VM 的 RDP 或 SSH。Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.

能否播发与虚拟网络前缀完全相同的前缀?Can I advertise the exact prefixes as my Virtual Network prefixes?

不能,Azure 平台会阻止播发与任一虚拟网络地址前缀相同的前缀或对其进行筛选。No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered by the Azure platform. 但是,可播发属于虚拟网络内所拥有内容超集的前缀。However you can advertise a prefix that is a superset of what you have inside your Virtual Network.

例如,如果虚拟网络可使用地址空间 10.0.0.0/16,则可以播发 10.0.0.0/8,For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. 但不能播发 10.0.0.0/16 或 10.0.0.0/24。But you cannot advertise 10.0.0.0/16 or 10.0.0.0/24.

能否将 BGP 用于 VNet 到 VNet 连接?Can I use BGP with my VNet-to-VNet connections?

能,可以将 BGP 同时用于跨界连接和 VNet 到 VNet 连接。Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.

能否将 BGP 连接与非 BGP 连接混合用于 Azure VPN 网关?Can I mix BGP with non-BGP connections for my Azure VPN gateways?

能,可以将 BGP 连接和非 BGP 连接混合用于同一 Azure VPN 网关。Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.

Azure VPN 网关是否支持 BGP 传输路由?Does Azure VPN gateway support BGP transit routing?

是,支持 BGP 传输路由,但例外是 Azure VPN 网关 会将默认路由播发到其他 BGP 对等节点。Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default routes to other BGP peers. 若要启用跨多个 Azure VPN 网关的传输路由,必须在所有中间 VNet 到 VNet 连接上启用 BGP。To enable transit routing across multiple Azure VPN gateways, you must enable BGP on all intermediate VNet-to-VNet connections. 有关详细信息,请参阅关于 BGPFor more information, see About BGP.

在 Azure VPN 网关和我的本地网络之间能否有多个隧道?Can I have more than one tunnel between Azure VPN gateway and my on-premises network?

能,可以在 Azure VPN 网关和本地网络之间建立多个 S2S VPN 隧道。Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises network. 请注意,所有这些隧道都会计入 Azure VPN 网关的隧道总数,而且必须在两个隧道上启用 BGP。Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN gateways and you must enable BGP on both tunnels.

例如,如果在 Azure VPN 网关与一个本地网络之间有两个冗余隧道,它们会占用 Azure VPN 网关的总配额(标准为 10 个,高性能为 30 个)中的 2 个隧道。For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30 for HighPerformance).

在两个使用 BGP 的 Azure VNet 之间能否有多个隧道?Can I have multiple tunnels between two Azure VNets with BGP?

是,但其中至少一个虚拟网络网关必须采用主动-主动配置。Yes, but at least one of the virtual network gateways must be in active-active configuration.

能否在 ExpressRoute/S2S VPN 共存配置中对 S2S VPN 使用 BGP?Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co-existence configuration?

是的。Yes.

Azure VPN 网关将哪个地址用于 BGP 对等节点 IP?What address does Azure VPN gateway use for BGP Peer IP?

Azure VPN 网关将从 GatewaySubnet 范围中为主动-待机 VPN 网关分配一个 IP 地址,或为主动-主动 VPN 网关分配两个 IP 地址。The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range for active-standby VPN gateways, or two IP addresses for active-active VPN gateways. 可以使用 PowerShell(Get-AzVirtualNetworkGateway,请查找“bgpPeeringAddress”属性)或通过 Azure 门户(在“网关配置”页上的“配置 BGP ASN”属性下)获取实际分配的 BGP IP 地址。You can get the actual BGP IP address(es) allocated by using PowerShell (Get-AzVirtualNetworkGateway, look for the "bgpPeeringAddress" property), or in the Azure portal (under the "Configure BGP ASN" property on the Gateway Configuration page).

VPN 设备上的 BGP 对等节点 IP 地址的要求是什么?What are the requirements for the BGP Peer IP addresses on my VPN device?

本地 BGP 对等节点地址不能与 VPN 到设备的公共 IP 地址或 VPN 网关的 Vnet 地址空间相同。Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device or the Vnet address space of the VPN Gateway. 在 VPN 设备上对 BGP 对等节点 IP 使用不同的 IP 地址。Use a different IP address on the VPN device for your BGP Peer IP. 它可以是一个分配给设备上环回接口的地址,但请注意,它不能是 APIPA (169.254.x.x) 地址。It can be an address assigned to the loopback interface on the device, but please note that it cannot be an APIPA (169.254.x.x) address. 在表示该位置的相应本地网关中指定此地址。Specify this address in the corresponding Local Network Gateway representing the location.

使用 BGP 时应将什么指定为本地网关的地址前缀?What should I specify as my address prefixes for the Local Network Gateway when I use BGP?

Azure 本地网关为本地网络指定初始地址前缀。Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. 使用 BGP 时,必须分配 BGP 对等节点 IP 地址的主机前缀(/32 前缀)作为本地网络的地址空间。With BGP, you must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises network. 如果 BGP 对等节点 IP 为 10.52.255.254,则应指定“10.52.255.254/32”作为表示此本地网络的本地网关的 localNetworkAddressSpace。If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. 这是为了确保 Azure VPN 网关通过 S2S VPN 隧道建立 BGP 会话。This is to ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.

应为 BGP 对等会话添加到本地 VPN 设备什么内容?What should I add to my on-premises VPN device for the BGP peering session?

应在指向 IPsec S2S VPN 隧道的 VPN 设备上添加 Azure BGP 对等节点 IP 地址的主机路由。You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN tunnel. 例如,如果 Azure VPN 对等节点 IP 为“10.12.255.30”,则应在 VPN 设备上添加“10.12.255.30”的主机路由(包含匹配的 IPsec 隧道接口的下一跃点接口)。For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30" with a nexthop interface of the matching IPsec tunnel interface on your VPN device.

后续步骤Next steps

有关为跨界连接和 VNet 到 VNet 连接配置 BGP 的步骤,请参阅在 Azure VPN 网关上使用 BGP 入门See Getting started with BGP on Azure VPN gateways for steps to configure BGP for your cross-premises and VNet-to-VNet connections.