
Connect an on-premises network to Azure using ExpressRoute with VPN failover

This reference architecture shows how to connect an on-premises network to an Azure virtual network (VNet) using ExpressRoute, with a site-to-site virtual private network (VPN) as a failover connection. Traffic flows between the on-premises network and the Azure VNet through the ExpressRoute connection. If the ExpressRoute circuit loses connectivity, traffic is routed through an IPsec VPN tunnel instead. Deploy this solution.

Note that if the ExpressRoute circuit is unavailable, the VPN route only takes over traffic that used private peering. Traffic that used public peering or Microsoft peering is sent over the public Internet instead, so during a failover that traffic no longer has a private path.

Diagram: reference architecture for a highly available hybrid network using ExpressRoute and a VPN gateway

Download a Visio file of this architecture.

Architecture

The architecture consists of the following components.

  • On-premises network. A private local-area network running within an organization.

  • VPN appliance. A device or service that provides external connectivity to the on-premises network. The VPN appliance may be a hardware device, or it can be a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012. For a list of supported VPN appliances and information on configuring selected VPN appliances for connecting to Azure, see About VPN devices for Site-to-Site VPN Gateway connections.

  • ExpressRoute circuit. A layer 2 or layer 3 circuit supplied by the connectivity provider that joins the on-premises network with Azure through the edge routers. The circuit uses the hardware infrastructure managed by the connectivity provider.

  • ExpressRoute virtual network gateway. The ExpressRoute virtual network gateway enables the VNet to connect to the ExpressRoute circuit used for connectivity with your on-premises network.

  • VPN virtual network gateway. The VPN virtual network gateway enables the VNet to connect to the VPN appliance in the on-premises network. The VPN virtual network gateway is configured to accept requests from the on-premises network only through the VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

  • VPN connection. The connection has properties that specify the connection type (IPsec) and the key shared with the on-premises VPN appliance to authenticate the tunnel and protect its traffic. Treat the shared key as a secret: generate it randomly and keep it in a secret store, not in scripts or documentation.

  • Azure Virtual Network (VNet). Each VNet resides in a single Azure region, and can host multiple application tiers. Application tiers can be segmented using subnets in each VNet.

  • Gateway subnet. Both virtual network gateways are placed in the same subnet.

  • Cloud application. The application hosted in Azure. It might include multiple tiers, with multiple subnets connected through Azure load balancers. For more information about the application infrastructure, see Running Windows VM workloads and Running Linux VM workloads.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

VNet and GatewaySubnet

Create the ExpressRoute virtual network gateway connection and the VPN virtual network gateway connection in the same VNet, with the gateway objects already in place. Both gateways share the subnet named GatewaySubnet.

If the VNet already includes a subnet named GatewaySubnet, ensure that it has a /27 or larger address space. If the existing subnet is too small, use the following PowerShell commands to remove it. A subnet cannot be removed while a gateway is still deployed in it, so delete that gateway first:

# Fetch the virtual network (not the gateway), drop the subnet from the local copy,
# then write the change back; without Set-AzureRmVirtualNetwork nothing is applied.
$vnet = Get-AzureRmVirtualNetwork -Name <yourvnetname> -ResourceGroupName <yourresourcegroup>
Remove-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

If the VNet does not contain a subnet named GatewaySubnet, create a new one using the following PowerShell commands:

# Fetch the virtual network, add a /27 GatewaySubnet (the prefix must lie inside the
# VNet's address space), then write the change back.
$vnet = Get-AzureRmVirtualNetwork -Name <yourvnetname> -ResourceGroupName <yourresourcegroup>
Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.224/27"
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
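The two command sequences above cover the "missing" and "too small" cases separately. The following script, added here as an example and not part of the original page, combines them into one idempotent check: it inspects the existing GatewaySubnet prefix length, creates the subnet if it is absent, leaves it alone if it is already /27 or larger, and recreates it only when it is too small and no gateway is deployed in it. The resource names, the address prefix and the assumption that the AzureRm module is loaded and you are signed in are placeholders to adapt.

```powershell
# Added example, not code from the original page. Assumes the AzureRm module is loaded
# and Login-AzureRmAccount has been run. Names and prefix below are placeholders.
$rgName       = "<yourresourcegroup>"
$vnetName     = "<yourvnetname>"
$wantedPrefix = "10.200.255.224/27"   # /27 = 32 addresses, the minimum for ER + VPN gateways

function Test-GatewaySubnetSize {
    # Returns $true when the CIDR prefix is /27 or larger (a smaller number means a bigger subnet).
    param(
        [Parameter(Mandatory)][string]$AddressPrefix,
        [int]$MaxPrefixLength = 27
    )
    $prefixLength = [int]($AddressPrefix -split '/')[1]
    return ($prefixLength -le $MaxPrefixLength)
}

$vnet   = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq "GatewaySubnet" }

if ($null -eq $subnet) {
    Write-Host "No GatewaySubnet found; creating $wantedPrefix"
    Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix $wantedPrefix | Out-Null
    $vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
}
elseif (Test-GatewaySubnetSize -AddressPrefix $subnet.AddressPrefix) {
    Write-Host "GatewaySubnet $($subnet.AddressPrefix) is already /27 or larger; nothing to do"
}
else {
    # A gateway's IP configuration is referenced from the subnet; refuse to delete a subnet
    # that still has one, because the existing gateway must be removed first.
    if ($subnet.IpConfigurations.Count -gt 0) {
        throw "GatewaySubnet $($subnet.AddressPrefix) is too small but still in use; remove the existing gateway first"
    }
    Write-Host "GatewaySubnet $($subnet.AddressPrefix) is too small; recreating it as $wantedPrefix"
    Remove-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet | Out-Null
    Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix $wantedPrefix | Out-Null
    $vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
}
```

Run it once before deploying either gateway. The in-use check is the part worth keeping even if you do the rest by hand: deleting and recreating GatewaySubnet under a live gateway is exactly the mistake that turns a planned change into an outage of both paths.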

VPN and ExpressRoute gateways

Verify that your organization meets the ExpressRoute prerequisite requirements for connecting to Azure.

If you already have a VPN virtual network gateway in your Azure VNet, use the following PowerShell command to remove it. Running a VPN gateway alongside an ExpressRoute gateway requires a route-based VPN gateway in a /27 or larger GatewaySubnet, which an existing gateway may not satisfy:

Remove-AzureRmVirtualNetworkGateway -Name <yourgatewayname> -ResourceGroupName <yourresourcegroup>

Follow the instructions in Implementing a hybrid network architecture with Azure ExpressRoute to establish your ExpressRoute connection.

Follow the instructions in Implementing a hybrid network architecture with Azure and On-premises VPN to establish your VPN virtual network gateway connection.

After you have established the virtual network gateway connections, test the environment as follows:

  1. Make sure you can connect from your on-premises network to your Azure VNet.
  2. Contact your provider to stop ExpressRoute connectivity for testing.
  3. Verify that you can still connect from your on-premises network to your Azure VNet using the VPN virtual network gateway connection.
  4. Contact your provider to reestablish ExpressRoute connectivity.
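The gateway and connection steps above are spread over two linked articles. The script below, added here as an example and not code from the original page or from the linked guides, shows the whole coexistence setup in one place: both gateways created in the shared GatewaySubnet, the ExpressRoute connection to an existing circuit, the site-to-site connection with a pre-shared key drawn from a CSPRNG, and a status check you can rerun at each step of the failover test. It assumes the AzureRm module, an ExpressRoute circuit already provisioned by the connectivity provider, and an on-premises VPN appliance reachable at a public IP; every name, address, SKU and region below is a placeholder.

```powershell
# Added example, not code from the original page. Assumes the AzureRm module is loaded,
# Login-AzureRmAccount has been run, the circuit is already provisioned, and GatewaySubnet
# exists at /27 or larger. All names, addresses, SKUs and the region are placeholders.
$rgName       = "<yourresourcegroup>"
$location     = "<yourregion>"                 # e.g. eastus
$vnetName     = "<yourvnetname>"
$circuitName  = "<yourcircuitname>"
$onPremVpnIp  = "<public.ip.of.vpn.appliance>"
$onPremPrefix = "192.168.0.0/16"               # on-premises address space reachable over the VPN

function New-PreSharedKey {
    # Generate the IPsec pre-shared key from a CSPRNG instead of choosing it by hand.
    # 32 random bytes rendered as 64 hex characters stays within the printable-ASCII rules for shared keys.
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return (($buf | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-ConnectionStates {
    # Report the live status of each named connection; rerun this during the failover test.
    param([string]$ResourceGroupName, [string[]]$ConnectionNames)
    foreach ($name in $ConnectionNames) {
        $c = Get-AzureRmVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $ResourceGroupName
        [pscustomobject]@{ Name = $c.Name; Type = $c.ConnectionType; Status = $c.ConnectionStatus }
    }
}

$vnet     = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# ExpressRoute gateway: its own public IP and IP configuration, placed in the shared GatewaySubnet.
$erPip   = New-AzureRmPublicIpAddress -Name "er-gw-pip" -ResourceGroupName $rgName -Location $location -AllocationMethod Dynamic
$erIpCfg = New-AzureRmVirtualNetworkGatewayIpConfig -Name "er-gw-ipcfg" -SubnetId $gwSubnet.Id -PublicIpAddressId $erPip.Id
$erGw    = New-AzureRmVirtualNetworkGateway -Name "er-gw" -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $erIpCfg -GatewayType ExpressRoute -GatewaySku Standard

# VPN gateway: must be route-based to coexist with the ExpressRoute gateway.
$vpnPip   = New-AzureRmPublicIpAddress -Name "vpn-gw-pip" -ResourceGroupName $rgName -Location $location -AllocationMethod Dynamic
$vpnIpCfg = New-AzureRmVirtualNetworkGatewayIpConfig -Name "vpn-gw-ipcfg" -SubnetId $gwSubnet.Id -PublicIpAddressId $vpnPip.Id
$vpnGw    = New-AzureRmVirtualNetworkGateway -Name "vpn-gw" -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $vpnIpCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# ExpressRoute connection: link the gateway to the circuit's private peering.
$circuit = Get-AzureRmExpressRouteCircuit -Name $circuitName -ResourceGroupName $rgName
New-AzureRmVirtualNetworkGatewayConnection -Name "er-conn" -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $erGw -PeerId $circuit.Id -ConnectionType ExpressRoute | Out-Null

# Site-to-site VPN connection: the local network gateway describes the on-premises appliance and prefixes.
$psk = New-PreSharedKey
$lng = New-AzureRmLocalNetworkGateway -Name "onprem-lng" -ResourceGroupName $rgName -Location $location `
    -GatewayIpAddress $onPremVpnIp -AddressPrefix $onPremPrefix
New-AzureRmVirtualNetworkGatewayConnection -Name "vpn-conn" -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null
Write-Host "Configure the on-premises VPN appliance with this pre-shared key, then store it in a secret store: $psk"

# Step 1 of the test: both connections should report Connected. During step 2-3, er-conn drops
# and vpn-conn alone must still show Connected; after step 4 both are Connected again.
Get-ConnectionStates -ResourceGroupName $rgName -ConnectionNames @("er-conn", "vpn-conn") | Format-Table -AutoSize
```

Gateway creation takes a while, so run the two New-AzureRmVirtualNetworkGateway calls first and the connections once they finish. When both connections advertise the same on-premises prefixes, Azure prefers the ExpressRoute path and uses the VPN only when that path is gone; your on-premises routers need the equivalent preference (for example through BGP route selection) so that return traffic does not take the VPN while ExpressRoute is healthy. Rerunning Get-ConnectionStates at each of the four test steps gives you a control-plane view to set beside the end-to-end connectivity check.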

Considerations

For ExpressRoute considerations, see the Implementing a Hybrid Network Architecture with Azure ExpressRoute guidance.

For site-to-site VPN considerations, see the Implementing a Hybrid Network Architecture with Azure and On-premises VPN guidance.

For general Azure security considerations, see Microsoft cloud services and network security.

Deploy the solution

Prerequisites. You must have an existing on-premises infrastructure already configured with a suitable network appliance.

To deploy the solution, perform the following steps.

  1. Click the link below.

    Deploy to Azure

  2. Wait for the link to open in the Azure portal, then follow these steps:

    • The Resource group name is already defined in the parameter file, so select Create New and enter ra-hybrid-vpn-er-rg in the text box.
    • Select the region from the Location drop-down box.
    • Do not edit the Template Root Uri or the Parameter Root Uri text boxes.
    • Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
    • Click the Purchase button.
  3. Wait for the deployment to complete.

  4. Click the link below.

    Deploy to Azure

  5. Wait for the link to open in the Azure portal, then follow these steps:

    • Select Use existing in the Resource group section and enter ra-hybrid-vpn-er-rg in the text box.
    • Select the region from the Location drop-down box.
    • Do not edit the Template Root Uri or the Parameter Root Uri text boxes.
    • Review the terms and conditions, then click the I agree to the terms and conditions stated above checkbox.
    • Click the Purchase button.