
Connect an on-premises network to Azure using ExpressRoute with VPN failover

ExpressRoute
Virtual Network
VPN Gateway

This reference architecture shows how to connect an on-premises network to an Azure virtual network (VNet) using ExpressRoute, with a site-to-site virtual private network (VPN) as a failover connection. Traffic between the on-premises network and the Azure VNet flows over the ExpressRoute connection. If the ExpressRoute circuit loses connectivity, traffic is routed through an IPsec VPN tunnel instead. See Deploy the solution below.

Note that if the ExpressRoute circuit is unavailable, the VPN route only takes over traffic that used private peering. Traffic that used public peering or Microsoft peering is not carried by the VPN tunnel and will pass over the Internet, so the firewall and egress rules for that traffic must be in place before a failover, not after.

Figure: reference architecture for a highly available hybrid network using ExpressRoute and a VPN gateway.

Download a Visio file of this architecture.

Architecture

The architecture consists of the following components.

  • On-premises network. A private local-area network running within an organization.

  • VPN appliance. A device or service that provides external connectivity to the on-premises network. The VPN appliance may be a hardware device, or it can be a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012. For a list of supported VPN appliances and information on configuring selected VPN appliances for connecting to Azure, see About VPN devices for Site-to-Site VPN Gateway connections.

  • ExpressRoute circuit. A layer 2 or layer 3 circuit supplied by the connectivity provider that joins the on-premises network with Azure through the provider's edge routers. The circuit runs on hardware infrastructure managed by the connectivity provider. ExpressRoute does not encrypt this traffic by itself; if confidentiality on the provider's link is a requirement, encrypt at a higher layer.

  • ExpressRoute virtual network gateway. Connects the VNet to the ExpressRoute circuit used for connectivity with your on-premises network.

  • VPN virtual network gateway. Connects the VNet to the VPN appliance in the on-premises network. The VPN virtual network gateway is configured to accept requests from the on-premises network only through the VPN appliance. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

  • VPN connection. The connection has properties that specify the connection type (IPsec) and the pre-shared key, shared with the on-premises VPN appliance, that authenticates both ends and establishes the encrypted tunnel.

  • Azure Virtual Network (VNet). Each VNet resides in a single Azure region and can host multiple application tiers. Application tiers can be segmented using subnets in each VNet.

  • Gateway subnet. Both virtual network gateways are deployed into the same subnet, which must be named GatewaySubnet.

  • Cloud application. The application hosted in Azure. It might include multiple tiers, with multiple subnets connected through Azure load balancers. For more information about the application infrastructure, see Running Windows VM workloads and Running Linux VM workloads.
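The VPN connection component above is the piece a security reviewer will look at most closely, because the shared key and the IPsec/IKE parameters decide how strong the failover tunnel actually is. The following PowerShell is an added example, not code from the original article: it generates a random pre-shared key and creates the site-to-site connection with an explicit IKEv2 policy rather than the gateway defaults. The resource group ra-hybrid-vpn-er-rg, the gateway names ra-vpn-vgw and ra-onprem-lgw, the connection name, the region and the cipher suite are all assumed values; the suite must match what the on-premises VPN appliance supports.

```powershell
# Added example (not from the original article). Assumed names: resource group
# ra-hybrid-vpn-er-rg, VPN gateway ra-vpn-vgw, local network gateway
# ra-onprem-lgw, region eastus. The cipher suite is an example and must be
# negotiable by the on-premises appliance.

# 32 random bytes, base64-encoded so the key only contains characters that the
# portal and common appliances accept. Keep it in a secret store, never in
# source control or a deployment parameter file.
function New-VpnSharedKey {
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

$rg       = 'ra-hybrid-vpn-er-rg'
$location = 'eastus'
$psk      = New-VpnSharedKey

$vpnGw = Get-AzVirtualNetworkGateway -Name 'ra-vpn-vgw'   -ResourceGroupName $rg
$lng   = Get-AzLocalNetworkGateway   -Name 'ra-onprem-lgw' -ResourceGroupName $rg

# IKEv2 with AES-256-GCM, SHA-384 and 2048-bit MODP/256-bit PFS groups.
# Lifetimes are shorter than the Azure defaults so a compromised SA is
# re-keyed sooner; lower them further only if the appliance copes with it.
$policy = New-AzIpsecPolicy `
    -IkeEncryption       'AES256' `
    -IkeIntegrity        'SHA384' `
    -DhGroup             'DHGroup24' `
    -IpsecEncryption     'GCMAES256' `
    -IpsecIntegrity      'GCMAES256' `
    -PfsGroup            'PFS24' `
    -SALifeTimeSeconds   14400 `
    -SADataSizeKilobytes 102400000

New-AzVirtualNetworkGatewayConnection `
    -Name 'ra-onprem-to-azure-vpn' `
    -ResourceGroupName $rg `
    -Location $location `
    -VirtualNetworkGateway1 $vpnGw `
    -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec `
    -ConnectionProtocol IKEv2 `
    -SharedKey $psk `
    -IpsecPolicies $policy

# Hand $psk to the on-premises appliance out of band. Both ends must be
# configured with the same key and a compatible policy or IKE phase 1 fails.
```

Because the key is generated on the Azure side and never echoed, record it in your secret store immediately after the script runs; the connection object does not let you read it back later, only overwrite it.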

Recommendations

The following recommendations apply for most scenarios. Follow them unless you have a specific requirement that overrides them.

VNet and GatewaySubnet

Create the ExpressRoute virtual network gateway and the VPN virtual network gateway in the same VNet. Both gateways share the single subnet named GatewaySubnet.

If the VNet already includes a subnet named GatewaySubnet, ensure that it has a /27 or larger address space. If the existing subnet is too small, remove it with the following PowerShell commands (a subnet that still contains a gateway cannot be removed; delete that gateway first):

$vnet = Get-AzVirtualNetwork -Name <your-vnet-name> -ResourceGroupName <your-resource-group>
Remove-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
# The removal is only a local change until it is written back to Azure
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

If the VNet does not contain a subnet named GatewaySubnet, create one with the following PowerShell commands:

$vnet = Get-AzVirtualNetwork -Name <your-vnet-name> -ResourceGroupName <your-resource-group>
# Example prefix; pick an unused /27 (or larger) range inside the VNet's address space
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.224/27"
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
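As an added example (not code from the original article), the following PowerShell function applies the GatewaySubnet checks above in one idempotent pass: it creates the subnet when it is missing, verifies the prefix length when it exists, and refuses to remove a subnet that still has a gateway attached to it. The VNet name ra-vnet and resource group ra-hybrid-vpn-er-rg are assumed; the 10.200.255.224/27 prefix is the article's own example value.

```powershell
# Added example, not from the original article. Assumed names: ra-vnet and
# ra-hybrid-vpn-er-rg; the default prefix is the article's example value.
function Initialize-GatewaySubnet {
    param(
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string] $AddressPrefix   = '10.200.255.224/27',
        [int]    $MaxPrefixLength = 27     # "/27 or larger" = prefix length of 27 or less
    )
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }

    if ($subnet) {
        # AddressPrefix is a list of CIDR strings; a gateway subnet carries one
        $prefix = @($subnet.AddressPrefix)[0]
        $bits   = [int]($prefix -split '/')[1]
        if ($bits -le $MaxPrefixLength) {
            return "GatewaySubnet $prefix is already /$MaxPrefixLength or larger; nothing to do"
        }
        # Any IP configuration bound to the subnet belongs to a deployed gateway.
        # Azure refuses to delete the subnet underneath it, so stop with a clear
        # message instead of failing half-way through the update.
        if (@($subnet.IpConfigurations).Count -gt 0) {
            throw "GatewaySubnet $prefix is too small but still in use; delete the gateway(s) first"
        }
        Remove-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet | Out-Null
    }

    # Create (or recreate) the subnet and commit the change to Azure in one PUT
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet `
        -AddressPrefix $AddressPrefix | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    return "GatewaySubnet created with prefix $AddressPrefix"
}

Initialize-GatewaySubnet -VNetName 'ra-vnet' -ResourceGroupName 'ra-hybrid-vpn-er-rg'
```

Set-AzVirtualNetwork rejects a prefix that lies outside the VNet address space or overlaps another subnet, so the function does not repeat those checks; it only adds the one Azure does not make for you, namely that you are not about to delete the subnet under a live gateway.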

VPN and ExpressRoute gateways

Verify that your organization meets the ExpressRoute prerequisite requirements for connecting to Azure.

If you already have a VPN virtual network gateway in your Azure VNet, remove it with the following PowerShell command. Any connections that use the gateway must be deleted first, and the on-premises site loses its Azure connectivity until the new gateways and connections are in place, so schedule this step accordingly:

# Fails while a connection still references the gateway; remove those with Remove-AzVirtualNetworkGatewayConnection first
Remove-AzVirtualNetworkGateway -Name <your-gateway-name> -ResourceGroupName <your-resource-group>

Follow the instructions in Implementing a hybrid network architecture with Azure ExpressRoute to establish your ExpressRoute connection.

Follow the instructions in Implementing a hybrid network architecture with Azure and On-premises VPN to establish your VPN virtual network gateway connection.

After you have established both virtual network gateway connections, test the failover as follows:

  1. Make sure you can connect from your on-premises network to your Azure VNet.
  2. Contact your provider to stop ExpressRoute connectivity for testing.
  3. Verify that you can still connect from your on-premises network to your Azure VNet, now using the VPN virtual network gateway connection.
  4. Contact your provider to reestablish ExpressRoute connectivity.
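Steps 1 to 4 are only a real test if you record which path carried the traffic at each stage. The following PowerShell is an added example, not code from the original article: it snapshots the state of both paths so you can compare the snapshots taken before, during and after the provider takes the circuit down. The circuit and connection names, the resource group and the 10.200.1.4 target address are assumed values.

```powershell
# Added example, not from the original article. Assumed names: resource group
# ra-hybrid-vpn-er-rg, circuit ra-er-circuit, connections ra-er-conn (ExpressRoute)
# and ra-vpn-conn (IPsec), and a VM at 10.200.1.4 inside the VNet.
function Get-HybridPathStatus {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $CircuitName,
        [Parameter(Mandatory)] [string] $ErConnectionName,
        [Parameter(Mandatory)] [string] $VpnConnectionName
    )
    $circuit = Get-AzExpressRouteCircuit -Name $CircuitName -ResourceGroupName $ResourceGroupName
    $erConn  = Get-AzVirtualNetworkGatewayConnection -Name $ErConnectionName  -ResourceGroupName $ResourceGroupName
    $vpnConn = Get-AzVirtualNetworkGatewayConnection -Name $VpnConnectionName -ResourceGroupName $ResourceGroupName

    # Routes learned over private peering vanish when the circuit is down; the
    # query itself can fail in that state, which is the same signal.
    try {
        $routes = @(Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $ResourceGroupName `
                     -ExpressRouteCircuitName $CircuitName `
                     -PeeringType AzurePrivatePeering -DevicePath Primary)
    } catch {
        $routes = @()
    }

    [pscustomobject]@{
        Timestamp           = (Get-Date).ToUniversalTime()
        CircuitProvisioning = $circuit.ServiceProviderProvisioningState
        ErConnectionStatus  = $erConn.ConnectionStatus
        ErPrivateRoutes     = $routes.Count
        VpnConnectionStatus = $vpnConn.ConnectionStatus
        VpnIngressBytes     = $vpnConn.IngressBytesTransferred   # cumulative counters
        VpnEgressBytes      = $vpnConn.EgressBytesTransferred
    }
}

$args = @{
    ResourceGroupName = 'ra-hybrid-vpn-er-rg'
    CircuitName       = 'ra-er-circuit'
    ErConnectionName  = 'ra-er-conn'
    VpnConnectionName = 'ra-vpn-conn'
}

# Step 1: baseline while the circuit is up
$before = Get-HybridPathStatus @args
if ($before.VpnConnectionStatus -ne 'Connected') {
    throw 'VPN path is not Connected before the test; failover would not work'
}

# Step 2: provider takes the circuit down. Then, from an on-premises host,
# push some traffic to a VM in the VNet, e.g.
#   Test-NetConnection -ComputerName 10.200.1.4 -Port 3389

# Step 3: confirm the traffic crossed the tunnel, not just that the VM answered
$during = Get-HybridPathStatus @args
if ($during.ErPrivateRoutes -gt 0) {
    Write-Warning 'Private-peering routes still present; the circuit may not be down'
}
if ($during.VpnIngressBytes -le $before.VpnIngressBytes) {
    Write-Warning 'VPN ingress counter did not move; the test traffic did not use the tunnel'
}

# Step 4: provider restores the circuit; take a final snapshot for the record
$after = Get-HybridPathStatus @args
$before, $during, $after | Format-Table -AutoSize
```

The byte counters on the VPN connection are cumulative, so a counter that does not increase between the first two snapshots means the reply you saw in step 3 came from somewhere other than the tunnel, most likely a circuit that was not fully down yet.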

DevOps considerations

For ExpressRoute DevOps considerations, see the Implementing a Hybrid Network Architecture with Azure ExpressRoute guidance.

For site-to-site VPN DevOps considerations, see the Implementing a Hybrid Network Architecture with Azure and On-premises VPN guidance.

Security considerations

For general Azure security considerations, see Microsoft cloud services and network security.

Cost considerations

For ExpressRoute cost considerations, see these articles:

Deploy the solution

Prerequisites. You must have an existing on-premises infrastructure already configured with a suitable network appliance.

To deploy the solution, perform the following steps.

  1. Click the link below.

    Deploy to Azure

  2. Wait for the link to open in the Azure portal, then follow these steps:

    • The Resource group name is already defined in the parameter file, so select Create New and enter ra-hybrid-vpn-er-rg in the text box.
    • Select the region from the Location drop-down box.
    • Do not edit the Template Root Uri or the Parameter Root Uri text boxes.
    • Review the terms and conditions, then select the I agree to the terms and conditions stated above checkbox.
    • Click the Purchase button.
  3. Wait for the deployment to complete.

  4. Click the link below.

    Deploy to Azure

  5. Wait for the link to open in the Azure portal, then follow these steps:

    • Select Use existing in the Resource group section and enter ra-hybrid-vpn-er-rg in the text box.
    • Select the region from the Location drop-down box.
    • Do not edit the Template Root Uri or the Parameter Root Uri text boxes.
    • Review the terms and conditions, then select the I agree to the terms and conditions stated above checkbox.
    • Click the Purchase button.

Next steps