Highly Available Cross-Premises and VNet-to-VNet Connectivity

This article provides an overview of the highly available configuration options for cross-premises and VNet-to-VNet connectivity using Azure VPN gateways.

About Azure VPN gateway redundancy

Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance takes over (fails over) automatically and resumes the S2S VPN or VNet-to-VNet connections. The switchover causes a brief interruption. For planned maintenance, connectivity should be restored within 10 to 15 seconds. For unplanned issues, connection recovery takes longer, about 1 minute to 1 and a half minutes in the worst case. For P2S VPN client connections to the gateway, the P2S connections are disconnected and users need to reconnect from their client machines.

Diagram: Active-standby

Highly Available Cross-Premises Connectivity

To provide better availability for your cross-premises connections, there are a couple of options available:

  • Multiple on-premises VPN devices
  • Active-active Azure VPN gateway
  • Combination of both

Multiple on-premises VPN devices

You can use multiple VPN devices from your on-premises network to connect to your Azure VPN gateway, as shown in the following diagram:

Diagram: Multiple on-premises VPN devices

This configuration provides multiple active tunnels from the same Azure VPN gateway to your on-premises devices in the same location. There are some requirements and constraints:

  1. You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect multiple VPN devices from the same on-premises network to Azure, you need to create one local network gateway for each VPN device, and one connection from your Azure VPN gateway to each local network gateway.
  2. The local network gateways corresponding to your VPN devices must have unique public IP addresses in the "GatewayIpAddress" property.
  3. BGP is required for this configuration. Each local network gateway representing a VPN device must have a unique BGP peer IP address specified in the "BgpPeerIpAddress" property.
  4. The AddressPrefix property field in each local network gateway must not overlap. You should specify the "BgpPeerIpAddress" in /32 CIDR format in the AddressPrefix field, for example, 10.200.200.254/32.
  5. You should use BGP to advertise the same on-premises network prefixes to your Azure VPN gateway, so that traffic is forwarded through these tunnels simultaneously.
  6. You must use Equal-cost multi-path routing (ECMP).
  7. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway: 10 for the Basic and Standard SKUs, and 30 for the HighPerformance SKU.

In this configuration, the Azure VPN gateway is still in active-standby mode, so the same failover behavior and brief interruption described above will still happen. This setup does, however, guard against failures or interruptions on your on-premises network and VPN devices.

Active-active Azure VPN gateway

You can now create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device, as shown in the following diagram:

Diagram: Active-active

In this configuration, each Azure gateway instance has a unique public IP address, and each establishes an IPsec/IKE S2S VPN tunnel to the on-premises VPN device specified in your local network gateway and connection. Note that both VPN tunnels are actually part of the same connection. You still need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway public IP addresses.

Because the Azure gateway instances are in an active-active configuration, traffic from your Azure virtual network to your on-premises network is routed through both tunnels simultaneously, even if your on-premises VPN device favors one tunnel over the other. Note, though, that the same TCP or UDP flow always traverses the same tunnel or path, unless a maintenance event happens on one of the instances.

When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that instance to your on-premises VPN device is disconnected. The corresponding routes on your VPN device should be removed or withdrawn automatically so that traffic switches over to the other active IPsec tunnel. On the Azure side, the switchover from the affected instance to the active instance happens automatically.

Dual-redundancy: active-active VPN gateways for both Azure and on-premises networks

The most reliable option is to combine active-active gateways on both your network and Azure, as shown in the diagram below.

Diagram: Dual-redundancy

Here you create and set up the Azure VPN gateway in an active-active configuration, and create two local network gateways and two connections for your two on-premises VPN devices as described above. The result is full mesh connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.

All gateways and tunnels are active from the Azure side, so traffic is spread among all 4 tunnels simultaneously, although each TCP or UDP flow again follows the same tunnel or path from the Azure side. Even though spreading the traffic may give slightly better throughput over the IPsec tunnels, the primary goal of this configuration is high availability. Because the spreading is statistical, it is difficult to measure how different application traffic conditions will affect the aggregate throughput.

This topology requires two local network gateways and two connections to support the pair of on-premises VPN devices, and BGP is required to allow the two connections to the same on-premises network. These requirements are the same as those listed above.
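The requirements of the multiple-device configuration (a unique GatewayIpAddress per local network gateway, a unique BgpPeerIpAddress listed as a /32 in AddressPrefix, non-overlapping prefixes, BGP on every connection, the per-SKU tunnel limit) and the 4-tunnel result of the dual-redundancy topology can both be checked before anything is deployed. The following Python validator is an added example written for this page; it is not Azure's API or tooling. The dataclasses, the `validate` and `tunnel_count` functions, and the sample gateway names and IP addresses are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Connection limits per gateway SKU, as stated above (requirement 7).
TUNNEL_LIMITS: Dict[str, int] = {"Basic": 10, "Standard": 10, "HighPerformance": 30}

@dataclass
class LocalNetworkGateway:
    """One on-premises VPN device as Azure sees it (hypothetical model, not the Azure SDK)."""
    name: str
    gateway_ip_address: str                    # GatewayIpAddress: public IP of the device
    address_prefixes: List[str]                # AddressPrefix: the BGP peer's /32 when BGP is used
    bgp_peer_ip_address: Optional[str] = None  # BgpPeerIpAddress

@dataclass
class Connection:
    name: str
    local_network_gateway: str  # name of the LocalNetworkGateway this connection targets
    enable_bgp: bool = False

@dataclass
class VpnGatewayPlan:
    sku: str
    active_active: bool
    local_gateways: List[LocalNetworkGateway] = field(default_factory=list)
    connections: List[Connection] = field(default_factory=list)

def validate(plan: VpnGatewayPlan) -> List[str]:
    """Return the constraint violations in the plan; an empty list means it is consistent."""
    problems: List[str] = []
    limit = TUNNEL_LIMITS.get(plan.sku)
    if limit is None:
        problems.append(f"unknown SKU {plan.sku!r}")
    elif len(plan.connections) > limit:
        problems.append(f"{len(plan.connections)} connections exceed the {plan.sku} limit of {limit}")

    # Requirement 2: every local network gateway needs its own public IP address.
    seen_ips: Dict[str, str] = {}
    for g in plan.local_gateways:
        if g.gateway_ip_address in seen_ips:
            problems.append(f"{g.name}: GatewayIpAddress {g.gateway_ip_address} also used by {seen_ips[g.gateway_ip_address]}")
        seen_ips.setdefault(g.gateway_ip_address, g.name)

    multi_device = len(plan.local_gateways) > 1
    if multi_device:
        # Requirements 3 and 4: unique BGP peer IP, listed as a /32 in AddressPrefix.
        seen_peers: Dict[str, str] = {}
        for g in plan.local_gateways:
            if not g.bgp_peer_ip_address:
                problems.append(f"{g.name}: BgpPeerIpAddress is required with multiple on-premises devices")
                continue
            if g.bgp_peer_ip_address in seen_peers:
                problems.append(f"{g.name}: BgpPeerIpAddress {g.bgp_peer_ip_address} duplicates {seen_peers[g.bgp_peer_ip_address]}")
            seen_peers.setdefault(g.bgp_peer_ip_address, g.name)
            if f"{g.bgp_peer_ip_address}/32" not in g.address_prefixes:
                problems.append(f"{g.name}: AddressPrefix should contain {g.bgp_peer_ip_address}/32")
        # Requirement 4: AddressPrefix ranges of different local network gateways must not overlap.
        nets = [(g.name, ipaddress.ip_network(p, strict=False))
                for g in plan.local_gateways for p in g.address_prefixes]
        for i, (name_a, net_a) in enumerate(nets):
            for name_b, net_b in nets[i + 1:]:
                if name_a != name_b and net_a.overlaps(net_b):
                    problems.append(f"AddressPrefix {net_a} ({name_a}) overlaps {net_b} ({name_b})")

    # Requirements 1 and 3: one connection per device, each with BGP enabled.
    known = {g.name for g in plan.local_gateways}
    for c in plan.connections:
        if c.local_network_gateway not in known:
            problems.append(f"{c.name}: targets unknown local network gateway {c.local_network_gateway}")
        if multi_device and not c.enable_bgp:
            problems.append(f"{c.name}: BGP must be enabled when multiple on-premises devices are used")
    return problems

def tunnel_count(plan: VpnGatewayPlan) -> int:
    """Tunnels carrying traffic: an active-active gateway builds one per instance per connection."""
    return len(plan.connections) * (2 if plan.active_active else 1)

# Constructed sample: the dual-redundancy topology (active-active gateway, two on-premises devices).
DUAL_REDUNDANCY = VpnGatewayPlan(
    sku="HighPerformance", active_active=True,
    local_gateways=[
        LocalNetworkGateway("lng-device1", "203.0.113.10", ["10.200.200.254/32"], "10.200.200.254"),
        LocalNetworkGateway("lng-device2", "203.0.113.11", ["10.200.200.253/32"], "10.200.200.253"),
    ],
    connections=[Connection("conn-device1", "lng-device1", True),
                 Connection("conn-device2", "lng-device2", True)],
)

# Constructed sample that breaks requirements 2, 3 and 4: shared public IP, shared peer IP, BGP off.
BROKEN = VpnGatewayPlan(
    sku="Standard", active_active=False,
    local_gateways=[
        LocalNetworkGateway("lng-a", "203.0.113.10", ["10.200.200.254/32"], "10.200.200.254"),
        LocalNetworkGateway("lng-b", "203.0.113.10", ["10.200.200.254/32"], "10.200.200.254"),
    ],
    connections=[Connection("conn-a", "lng-a"), Connection("conn-b", "lng-b")],
)
```

Running `validate(DUAL_REDUNDANCY)` returns no problems and `tunnel_count(DUAL_REDUNDANCY)` returns 4, the full mesh described above; `validate(BROKEN)` lists the duplicate public IP, the duplicate BGP peer, the overlapping /32 and the two connections without BGP. The tunnel limit is counted per connection, exactly as requirement 7 states, so an active-active gateway with two connections consumes two of the SKU's slots even though it runs four tunnels.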

Highly Available VNet-to-VNet Connectivity through Azure VPN Gateways

The same active-active configuration can also apply to Azure VNet-to-VNet connections. You can create active-active VPN gateways for both virtual networks and connect them together to form the same full mesh connectivity of 4 tunnels between the two VNets, as shown in the diagram below:

Diagram: VNet-to-VNet

This ensures that there is always a pair of tunnels between the two virtual networks during any planned maintenance event, providing even better availability. Even though the same topology for cross-premises connectivity requires two connections, the VNet-to-VNet topology shown above needs only one connection for each gateway. Additionally, BGP is optional unless transit routing over the VNet-to-VNet connection is required.

Next steps

See Configuring Active-Active VPN Gateways for Cross-Premises and VNet-to-VNet Connections for steps to configure active-active cross-premises and VNet-to-VNet connections.