About BGP with Azure VPN Gateway

This article provides an overview of BGP (Border Gateway Protocol) support in Azure VPN Gateway.

BGP is the standard routing protocol commonly used on the Internet to exchange routing and reachability information between two or more networks. When used in the context of Azure Virtual Networks, BGP enables Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that inform both gateways of the availability and reachability of those prefixes through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.

Why use BGP?

BGP is an optional feature you can use with Azure route-based VPN gateways. You should also make sure your on-premises VPN devices support BGP before you enable the feature. You can continue to use Azure VPN gateways and your on-premises VPN devices without BGP. It is the equivalent of using static routes (without BGP) versus using dynamic routing with BGP between your networks and Azure.

There are several advantages and new capabilities with BGP:

Support automatic and flexible prefix updates

With BGP, you only need to declare a minimum prefix to a specific BGP peer over the IPsec S2S VPN tunnel. It can be as small as a host prefix (/32) of the BGP peer IP address of your on-premises VPN device. You can control which on-premises network prefixes you want to advertise to Azure so that your Azure Virtual Network can reach them.

You can also advertise larger prefixes that may include some of your VNet address prefixes, such as a large private IP address space (for example, 10.0.0.0/8). Note, though, that the prefixes cannot be identical to any one of your VNet prefixes. Routes identical to your VNet prefixes will be rejected.

Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP

You can establish multiple connections between your Azure VNet and your on-premises VPN devices in the same location. This capability provides multiple tunnels (paths) between the two networks in an active-active configuration. If one of the tunnels is disconnected, the corresponding routes are withdrawn via BGP and the traffic automatically shifts to the remaining tunnels.

The following diagram shows a simple example of this highly available setup:

Diagram: multiple active paths

Support transit routing between your on-premises networks and multiple Azure VNets

BGP enables multiple gateways to learn and propagate prefixes from different networks, whether they are directly or indirectly connected. This can enable transit routing with Azure VPN gateways between your on-premises sites or across multiple Azure Virtual Networks.

The following diagram shows an example of a multi-hop topology with multiple paths that can transit traffic between the two on-premises networks through Azure VPN gateways within the Microsoft network:

Diagram: multi-hop transit

BGP FAQ

Is BGP supported on all Azure VPN Gateway SKUs?

BGP is supported on all Azure VPN Gateway SKUs except the Basic SKU.

Can I use BGP with Azure policy-based VPN gateways?

No, BGP is supported on route-based VPN gateways only.

What ASNs (Autonomous System Numbers) can I use?

You can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual networks. You can't use the ranges reserved by Azure or IANA.

The following ASNs are reserved by Azure or IANA:

  • ASNs reserved by Azure:
    • Public ASNs: 8074, 8075, 12076
    • Private ASNs: 65515, 65517, 65518, 65519, 65520
  • ASNs reserved by IANA:
    • 23456, 64496-64511, 65535-65551 and 429496729

You can't specify these ASNs for your on-premises VPN devices when you're connecting to Azure VPN gateways.

Can I use 32-bit (4-byte) ASNs?

Yes, VPN Gateway now supports 32-bit (4-byte) ASNs. To configure using an ASN in decimal format, use PowerShell, the Azure CLI, or the Azure SDK.

What private ASNs can I use?

The usable ranges of private ASNs are:

  • 64512-65514 and 65521-65534

These ASNs aren't reserved by IANA or Azure, and can therefore be assigned to your Azure VPN gateway.

What address does VPN Gateway use for the BGP peer IP?

By default, VPN Gateway allocates a single IP address from the GatewaySubnet range for active-standby VPN gateways, or two IP addresses for active-active VPN gateways. These addresses are allocated automatically when you create the VPN gateway. You can get the actual BGP IP address allocated by using PowerShell or by locating it in the Azure portal. In PowerShell, use Get-AzVirtualNetworkGateway and look for the bgpPeeringAddress property. In the Azure portal, on the Gateway Configuration page, look under the Configure BGP ASN property.

If your on-premises VPN routers use APIPA IP addresses (169.254.x.x) as the BGP IP addresses, you must specify an additional Azure APIPA BGP IP address on your Azure VPN gateway. Azure VPN Gateway selects the APIPA address to use with the on-premises APIPA BGP peer specified in the local network gateway, or the private IP address for a non-APIPA on-premises BGP peer. For more information, see Configure BGP.

What are the requirements for the BGP peer IP addresses on my VPN device?

Your on-premises BGP peer address must not be the same as the public IP address of your VPN device, and must not come from the virtual network address space of the VPN gateway. Use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device (either a regular IP address or an APIPA address). If your device uses an APIPA address for BGP, you must specify an APIPA BGP IP address on your Azure VPN gateway, as described in Configure BGP. Specify this address in the corresponding local network gateway representing the location.

What should I specify as my address prefixes for the local network gateway when I use BGP?

Important

This is a change from the previously documented requirement. If you use BGP for a connection, leave the Address space field empty for the corresponding local network gateway resource. Azure VPN Gateway adds a host route internally to the on-premises BGP peer IP over the IPsec tunnel. Don't add the /32 route in the Address space field. It's redundant, and if you use an APIPA address as the on-premises VPN device BGP IP, it can't be added to this field. If you add any other prefixes in the Address space field, they are added as static routes on the Azure VPN gateway, in addition to the routes learned via BGP.

Can I use the same ASN for both on-premises VPN networks and Azure virtual networks?

No, you must assign different ASNs to your on-premises networks and your Azure virtual networks if you're connecting them together with BGP. Azure VPN gateways have a default ASN of 65515 assigned, whether or not BGP is enabled for your cross-premises connectivity. You can override this default by assigning a different ASN when you're creating the VPN gateway, or you can change the ASN after the gateway is created. You will need to assign your on-premises ASNs to the corresponding Azure local network gateways.
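The ASN and BGP peer address rules from the preceding questions are easy to get wrong when filling in a local network gateway, and a reserved ASN or a peer address inside the VNet range typically surfaces only as a session that never comes up. The following added example (not Microsoft's code or any Azure SDK call) encodes those rules as a pre-deployment check. The reserved and usable ASN lists, the default gateway ASN of 65515 and the peer-address constraints are taken from the FAQ text above; the function names, finding strings and sample inputs are this example's own assumptions.

```python
"""Pre-deployment checks for a BGP-enabled local network gateway.

Added example, not Microsoft's code. Rules come from the FAQ above; names,
finding strings and sample values are assumptions made for this example.
"""
import ipaddress

# ASNs the FAQ lists as reserved by Azure or IANA (not usable for on-premises devices).
AZURE_PUBLIC_ASNS = {8074, 8075, 12076}
AZURE_PRIVATE_ASNS = {65515, 65517, 65518, 65519, 65520}
IANA_RESERVED = [(23456, 23456), (64496, 64511), (65535, 65551),
                 (429496729, 429496729)]  # listed in the FAQ as written

# Private ASN ranges the FAQ says are usable for your own gateways.
USABLE_PRIVATE = [(64512, 65514), (65521, 65534)]

APIPA = ipaddress.ip_network("169.254.0.0/16")
DEFAULT_GATEWAY_ASN = 65515  # Azure VPN Gateway default ASN


def asn_status(asn: int) -> str:
    """Classify an ASN as 'reserved', 'private' or 'public' using the FAQ lists."""
    if asn in AZURE_PUBLIC_ASNS or asn in AZURE_PRIVATE_ASNS:
        return "reserved"
    if any(lo <= asn <= hi for lo, hi in IANA_RESERVED):
        return "reserved"
    if any(lo <= asn <= hi for lo, hi in USABLE_PRIVATE):
        return "private"
    return "public"


def check_local_network_gateway(onprem_asn, peer_ip, device_public_ip, vnet_prefixes,
                                gateway_asn=DEFAULT_GATEWAY_ASN, azure_apipa_bgp_ip=None):
    """Return a list of findings; an empty list means the FAQ rules are satisfied."""
    findings = []
    # ASN rules: not reserved, and different from the Azure VPN gateway's ASN.
    if asn_status(onprem_asn) == "reserved":
        findings.append(f"ASN {onprem_asn} is reserved by Azure or IANA")
    if onprem_asn == gateway_asn:
        findings.append(f"on-premises ASN {onprem_asn} equals the VPN gateway ASN; they must differ")

    # Peer IP rules: not the device's public IP, not inside the VNet address space.
    peer = ipaddress.ip_address(peer_ip)
    if peer == ipaddress.ip_address(device_public_ip):
        findings.append("BGP peer IP must not be the VPN device's public IP")
    for prefix in vnet_prefixes:
        if peer in ipaddress.ip_network(prefix):
            findings.append(f"BGP peer IP {peer} falls inside VNet address space {prefix}")
    # APIPA peers need an Azure APIPA BGP IP address configured on the gateway.
    if peer in APIPA and azure_apipa_bgp_ip is None:
        findings.append("APIPA peer IP requires an Azure APIPA BGP IP address on the VPN gateway")
    return findings


if __name__ == "__main__":
    # Constructed sample: a loopback peer in a private range, a public device address,
    # one VNet prefix, and a usable private ASN.
    for finding in check_local_network_gateway(65010, "10.1.1.1", "203.0.113.5", ["10.0.0.0/16"]):
        print(finding)
```

Run the check against the values you intend to put in the local network gateway and the VNet address space before creating the connection; each finding maps to one of the FAQ rules above.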

What address prefixes will Azure VPN gateways advertise to me?

The gateways advertise the following routes to your on-premises BGP devices:

  • Your virtual network address prefixes.
  • Address prefixes for each local network gateway connected to the Azure VPN gateway.
  • Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except for the default route or routes that overlap with any virtual network prefix.

How many prefixes can I advertise to Azure VPN Gateway?

Azure VPN Gateway supports up to 4000 prefixes. The BGP session is dropped if the number of prefixes exceeds the limit.

Can I advertise the default route (0.0.0.0/0) to Azure VPN gateways?

Yes. Note that this forces all virtual network egress traffic towards your on-premises site. It also prevents the virtual network VMs from accepting public communication from the internet directly, such as RDP or SSH from the internet to the VMs.

Can I advertise the exact prefixes as my virtual network prefixes?

No, advertising the same prefixes as any one of your virtual network address prefixes will be blocked or filtered by Azure. You can, however, advertise a prefix that is a superset of what you have inside your virtual network.

For example, if your virtual network uses the address space 10.0.0.0/16, you can advertise 10.0.0.0/8. But you can't advertise 10.0.0.0/16 or 10.0.0.0/24.
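The acceptance rules in the last few questions (identical or more-specific prefixes rejected, supersets accepted, the default route accepted but with all VNet egress redirected, the session dropped above 4000 prefixes) and the re-advertisement rules under "What address prefixes will Azure VPN gateways advertise to me?" are summarised in the following added example. It is not Microsoft's code and does not query a real gateway; it models the documented behaviour so you can review a planned advertisement set offline. Function names, verdict strings and sample prefixes are this example's own assumptions.

```python
"""Model of Azure VPN Gateway's documented BGP prefix handling.

Added example, not Microsoft's code. It encodes the FAQ rules for which advertised
prefixes are accepted and which routes the gateway advertises back to a peer.
Names, verdict strings and sample values are assumptions for this example.
"""
import ipaddress

MAX_PREFIXES = 4000  # FAQ: the BGP session is dropped beyond this limit
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def classify_prefix(advertised: str, vnet_prefixes) -> str:
    """Verdict for one prefix advertised by an on-premises peer to the gateway."""
    adv = ipaddress.ip_network(advertised)
    for v in vnet_prefixes:
        vnet = ipaddress.ip_network(v)
        if adv == vnet:
            return "rejected: identical to VNet prefix " + v
        if adv.subnet_of(vnet):  # more specific than a VNet prefix, e.g. 10.0.0.0/24 vs /16
            return "rejected: more specific than VNet prefix " + v
    if adv == DEFAULT_ROUTE:
        return "accepted: default route (all VNet egress goes on-premises)"
    return "accepted"  # superset of a VNet prefix, or disjoint from all of them


def evaluate_advertisement(advertised, vnet_prefixes):
    """Return (session_up, {prefix: verdict}) for a whole advertisement set."""
    if len(advertised) > MAX_PREFIXES:
        return False, {}  # session dropped; nothing is installed
    return True, {p: classify_prefix(p, vnet_prefixes) for p in advertised}


def routes_advertised_to_peer(vnet_prefixes, local_gateway_prefixes, learned_routes):
    """Routes the gateway advertises back: VNet prefixes, local network gateway prefixes,
    and routes learned from other peers except the default route or anything
    overlapping a VNet prefix."""
    vnets = [ipaddress.ip_network(v) for v in vnet_prefixes]
    out = list(vnet_prefixes) + list(local_gateway_prefixes)
    for r in learned_routes:
        net = ipaddress.ip_network(r)
        if net == DEFAULT_ROUTE or any(net.overlaps(v) for v in vnets):
            continue
        out.append(r)
    return out


if __name__ == "__main__":
    # Constructed sample: one VNet with 10.0.0.0/16 and a peer offering four prefixes.
    VNETS = ["10.0.0.0/16"]
    up, verdicts = evaluate_advertisement(
        ["10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24", "0.0.0.0/0"], VNETS)
    for prefix, verdict in verdicts.items():
        print(f"{prefix:14} {verdict}")
    print(routes_advertised_to_peer(VNETS, ["192.168.1.0/24"],
                                    ["0.0.0.0/0", "10.0.0.0/8", "172.16.0.0/12"]))
```

Feed it the prefixes your on-premises device is configured to announce; a "rejected" verdict for a prefix you rely on, or a session-down result from an oversized table, is worth catching before the tunnel is brought up.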

Can I use BGP with my connections between virtual networks?

Yes, you can use BGP for both cross-premises connections and connections between virtual networks.

Can I mix BGP with non-BGP connections for my Azure VPN gateways?

Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.

Does Azure VPN Gateway support BGP transit routing?

Yes, BGP transit routing is supported, with the exception that Azure VPN gateways don't advertise default routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP on all intermediate connections between virtual networks. For more information, see About BGP.

Can I have more than one tunnel between an Azure VPN gateway and my on-premises network?

Yes, you can establish more than one site-to-site (S2S) VPN tunnel between an Azure VPN gateway and your on-premises network. Note that all these tunnels are counted against the total number of tunnels for your Azure VPN gateway, and you must enable BGP on both tunnels.

For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises networks, they consume 2 tunnels out of the total quota for your Azure VPN gateway.

Can I have multiple tunnels between two Azure virtual networks with BGP?

Yes, but at least one of the virtual network gateways must be in an active-active configuration.

Can I use BGP for S2S VPN in an Azure ExpressRoute and S2S VPN coexistence configuration?

Yes.

What should I add to my on-premises VPN device for the BGP peering session?

Add a host route for the Azure BGP peer IP address on your VPN device. This route points to the IPsec S2S VPN tunnel. For example, if the Azure VPN peer IP is 10.12.255.30, you add a host route for 10.12.255.30 with a next-hop interface of the matching IPsec tunnel interface on your VPN device.

Does the virtual network gateway support BFD for S2S connections with BGP?

No. Bidirectional Forwarding Detection (BFD) is a protocol that you can use with BGP to detect neighbor downtime more quickly than with standard BGP keepalives. BFD uses subsecond timers designed to work in LAN environments, but not across the public internet or wide area network connections.

For connections over the public internet, having certain packets delayed or even dropped isn't unusual, so introducing these aggressive timers can add instability. This instability might cause routes to be dampened by BGP. As an alternative, you can configure your on-premises device with timers lower than the default 60-second keepalive interval and the 180-second hold timer. This results in a quicker convergence time.

Next steps

See Getting started with BGP on Azure VPN gateways for steps to configure BGP for your cross-premises and VNet-to-VNet connections.