What is Network Controller?

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019; Windows Server 2016

Network Controller is the cornerstone of Software Defined Networking (SDN) management. It is a highly scalable server role that provides a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot virtual network infrastructure.

Using Network Controller, you can automate the configuration and management of network infrastructure instead of performing manual configuration of network devices and services.

How Network Controller works

Network Controller provides one application programming interface (API) that allows Network Controller to communicate with and manage network devices, services, and components (the Southbound API), and a second API that allows management applications to tell Network Controller what network settings and services they need (the Northbound API).

With the Southbound API, Network Controller can manage network devices and network services, and gather all of the information you need about the network. Network Controller continually monitors the state of network devices and services, and ensures that any configuration drift from the desired state is remediated.

The Network Controller Northbound API is implemented as a REST interface. It provides the ability to manage your datacenter network from management applications. For management, users can call the REST API directly, use Windows PowerShell cmdlets built on top of the REST API, or use management applications with a graphical user interface such as Windows Admin Center or System Center Virtual Machine Manager.

Network Controller features

Network Controller allows you to manage SDN features such as virtual networks, firewalls, Software Load Balancer, and RAS Gateway. The following are some of its many features.

Virtual network management

This Network Controller feature allows you to deploy and configure Hyper-V Network Virtualization, configure virtual network adapters on individual VMs, and store and distribute virtual network policies. With this feature, you can create virtual networks and subnets, attach virtual machines (VMs) to these networks, and enable communication between VMs in the same virtual network.

Network Controller supports Virtual Local Area Network (VLAN) based networks, Network Virtualization Generic Routing Encapsulation (NVGRE), and Virtual Extensible Local Area Network (VXLAN).

Firewall management

This Network Controller feature allows you to configure and manage allow/deny firewall Access Control rules for your workload VMs, for both internal (East/West) and external (North/South) network traffic in your datacenter. The firewall rules are plumbed into the vSwitch port of each workload VM, so they are distributed across your workloads in the datacenter and move along with the workloads when they migrate.

Using the Northbound API, you can define firewall rules for both incoming and outgoing traffic of the workload VMs. You can also configure each firewall rule to log the traffic that it allowed or denied.
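The following is an added example, not code from the original page, showing how the firewall rules described above can be defined through the Network Controller PowerShell cmdlets that wrap the Northbound REST API. It builds a default-deny inbound Access Control List with one explicit allow rule and logging enabled on both rules; the REST endpoint `$ncUri`, the source subnet, and the resource IDs are placeholder values chosen for illustration.

```powershell
# Added example: define a distributed firewall ACL via the Network Controller
# PowerShell cmdlets (NetworkController module, built on the Northbound REST API).
# Assumptions: the module is installed on the management host, and $ncUri is the
# REST endpoint of your Network Controller (placeholder value below).
$ncUri = "https://nc.contoso.local"   # placeholder: your Network Controller REST FQDN

# Rule 1: allow inbound HTTPS only from a constructed management subnet, and log matches.
$allowProps = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$allowProps.Protocol                 = "TCP"
$allowProps.SourcePortRange          = "0-65535"
$allowProps.DestinationPortRange     = "443"
$allowProps.Action                   = "Allow"
$allowProps.SourceAddressPrefix      = "10.0.10.0/24"   # constructed sample subnet
$allowProps.DestinationAddressPrefix = "*"
$allowProps.Priority                 = "100"            # lower number is evaluated first
$allowProps.Type                     = "Inbound"
$allowProps.Logging                  = "Enabled"
$allowRule = New-Object Microsoft.Windows.NetworkController.AclRule
$allowRule.ResourceId = "Allow-Mgmt-HTTPS-In"
$allowRule.Properties = $allowProps

# Rule 2: deny all other inbound traffic, also logged, so the ACL is default-deny.
$denyProps = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
$denyProps.Protocol                 = "All"
$denyProps.SourcePortRange          = "0-65535"
$denyProps.DestinationPortRange     = "0-65535"
$denyProps.Action                   = "Deny"
$denyProps.SourceAddressPrefix      = "*"
$denyProps.DestinationAddressPrefix = "*"
$denyProps.Priority                 = "200"            # catch-all, evaluated after the allow
$denyProps.Type                     = "Inbound"
$denyProps.Logging                  = "Enabled"
$denyRule = New-Object Microsoft.Windows.NetworkController.AclRule
$denyRule.ResourceId = "Deny-All-In"
$denyRule.Properties = $denyProps

# Bundle both rules into one ACL resource and PUT it to the controller.
$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = @($allowRule, $denyRule)
New-NetworkControllerAccessControlList -ConnectionUri $ncUri `
    -ResourceId "Workload-Inbound-ACL" -Properties $aclProps

# Read the stored resource back and list its rules in priority order,
# confirming the controller holds the intended desired state.
Get-NetworkControllerAccessControlList -ConnectionUri $ncUri -ResourceId "Workload-Inbound-ACL" |
    Select-Object -ExpandProperty Properties |
    Select-Object -ExpandProperty AclRules |
    Sort-Object { [int]$_.Properties.Priority } |
    ForEach-Object { "{0}: {1} {2} (priority {3}, logging {4})" -f $_.ResourceId,
        $_.Properties.Action, $_.Properties.Type, $_.Properties.Priority, $_.Properties.Logging }
```

The ACL only takes effect once it is referenced from a virtual subnet or from a VM network interface's IP configuration, which is a separate step not shown here.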

Software Load Balancer management

Software Load Balancer allows you to have multiple servers host the same workload, providing high availability and scalability. With Software Load Balancer, you can configure and manage load balancing, inbound Network Address Translation (NAT), and outbound access to the Internet for workloads connected to traditional VLAN networks and virtual networks.

Gateway management

Remote Access Service (RAS) Gateway allows you to deploy, configure, and manage VMs that are members of a gateway pool, providing external network connectivity to your customer workloads. With gateways, the following connectivity types are supported between your virtual and remote networks:

  • Site-to-site virtual private network (VPN) gateway connectivity using IPsec
  • Site-to-site VPN gateway connectivity using Generic Routing Encapsulation (GRE)
  • Layer 3 forwarding capability

Gateway connections support Border Gateway Protocol (BGP) for dynamic route management.

Virtual appliance chaining

This Network Controller feature allows you to attach virtual network appliances to your virtual networks. These appliances can be used for advanced firewalling, load balancing, intrusion detection and prevention, and many other network services. You can add virtual appliances that perform user-defined routing and port mirroring functions. With user-defined routing, the virtual appliance is used as a router between the virtual subnets on the virtual network. With port mirroring, all network traffic entering or leaving the monitored port is duplicated and sent to a virtual appliance for analysis.

To learn more about user-defined routes, see Use Network Virtual Appliances on a Virtual Network.

Network Controller deployment considerations

  • Do not deploy the Network Controller server role on physical hosts. Network Controller should be deployed on its own dedicated VMs.

  • You can deploy Network Controller in both domain and non-domain environments. In domain environments, Network Controller authenticates users and network devices by using Kerberos; in non-domain environments, you must deploy certificates for authentication.

  • It is critical for Network Controller deployments to provide high availability and the ability to scale up or down easily with your datacenter needs. Use at least three VMs to provide high availability for the Network Controller application.

  • To achieve high availability and scalability, Network Controller relies on Service Fabric. Service Fabric provides a distributed systems platform for building scalable, reliable, and easily managed applications. Learn more about Network Controller as a Service Fabric Application.

Next steps

For related information, see also: