
ExpressRoute NAT requirements

To connect to Microsoft cloud services using ExpressRoute, you need to set up and manage NATs. Some connectivity providers offer setting up and managing NAT as a managed service. Check with your connectivity provider to see if they offer such a service. If not, you must adhere to the requirements described below.

Review the ExpressRoute circuits and routing domains page for an overview of the various routing domains. To meet the public IP address requirements for Azure public and Microsoft peering, we recommend that you set up NAT between your network and Microsoft. This section provides a detailed description of the NAT infrastructure you need to set up.

NAT requirements for Microsoft peering

The Microsoft peering path lets you connect to Microsoft cloud services that are not supported through the Azure public peering path. The list of services includes Office 365 services such as Exchange Online, SharePoint Online, and Skype for Business. Microsoft expects to support bi-directional connectivity on the Microsoft peering. Traffic destined to Microsoft cloud services must be SNATed to valid public IPv4 addresses before it enters the Microsoft network. Traffic destined to your network from Microsoft cloud services must be SNATed at your Internet edge to prevent asymmetric routing. The figure below provides a high-level picture of how the NAT should be set up for Microsoft peering.

Traffic originating from your network destined to Microsoft

  • You must ensure that traffic enters the Microsoft peering path with a valid public IPv4 address. Microsoft must be able to validate the owner of the IPv4 NAT address pool against the regional routing Internet registry (RIR) or an Internet routing registry (IRR). A check is performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the ExpressRoute routing requirements page for information on routing registries.

  • IP addresses used for the Azure public peering setup and for other ExpressRoute circuits must not be advertised to Microsoft through the BGP session. There is no restriction on the length of the NAT IP prefix advertised through this peering.

    Important

    The NAT IP pool advertised to Microsoft must not be advertised to the Internet. Doing so will break connectivity to other Microsoft services.

Traffic originating from Microsoft destined to your network

  • Certain scenarios require Microsoft to initiate connectivity to service endpoints hosted within your network. A typical example is connectivity from Office 365 to ADFS servers hosted in your network. In such cases, you must leak the appropriate prefixes from your network into the Microsoft peering.
  • You must SNAT Microsoft traffic at the Internet edge for service endpoints within your network to prevent asymmetric routing. Requests and replies with a destination IP that matches a route received via ExpressRoute are always sent via ExpressRoute. Asymmetric routing occurs when a request is received via the Internet but the reply is sent via ExpressRoute. SNATing the incoming Microsoft traffic at the Internet edge forces the reply traffic back to the Internet edge, resolving the problem.
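The asymmetric-routing rule above can be reduced to a simple forwarding decision: the internal network sends a reply over ExpressRoute whenever the reply's destination matches a route learned over ExpressRoute, regardless of where the request came in. The following script is an added illustration, not Microsoft's code or tooling, and models that decision with constructed placeholder prefixes (RFC 5737 documentation ranges standing in for Microsoft-advertised routes and for the Internet edge's SNAT pool). It shows why a request from a Microsoft address that arrives via the Internet gets its reply hairpinned onto ExpressRoute, and how SNAT at the Internet edge changes the reply's destination so it stays on the Internet path.

```python
import ipaddress

# Constructed sample: prefixes received from Microsoft over the ExpressRoute
# Microsoft peering BGP session. These are documentation placeholders, not real
# Microsoft address ranges.
EXPRESSROUTE_ROUTES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample: the address pool the Internet-edge device uses when it
# SNATs inbound Microsoft-originated traffic toward an internal service endpoint
# (for example an ADFS server). It is deliberately outside EXPRESSROUTE_ROUTES.
INTERNET_EDGE_SNAT_POOL = ipaddress.ip_network("192.0.2.0/28")


def egress_path(dst_ip: str, expressroute_routes=EXPRESSROUTE_ROUTES) -> str:
    """Return the path ("expressroute" or "internet") a packet to dst_ip takes.

    This mirrors the rule on the page: a destination that matches a route
    received via ExpressRoute is always sent via ExpressRoute; anything else
    follows the default (Internet) path.
    """
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in net for net in expressroute_routes):
        return "expressroute"
    return "internet"


def is_asymmetric(ingress_path: str, reply_dst_ip: str) -> bool:
    """True when the request arrived on one path but the reply leaves on another."""
    return egress_path(reply_dst_ip) != ingress_path


def reply_destination(request_src_ip: str, snat_at_internet_edge: bool) -> str:
    """Model what the internal server sees as the client address.

    With SNAT at the Internet edge the server sees an address from the edge's
    SNAT pool, so its reply is addressed to the edge (which then un-NATs it and
    returns it to Microsoft over the Internet). Without SNAT the server replies
    directly to Microsoft's source address.
    """
    if snat_at_internet_edge:
        # First usable address of the pool; a real device picks from the pool.
        return str(next(INTERNET_EDGE_SNAT_POOL.hosts()))
    return request_src_ip


def evaluate(request_src_ip: str, ingress_path: str, snat_at_internet_edge: bool) -> dict:
    """Summarise where the reply goes and whether the flow is asymmetric."""
    reply_to = reply_destination(request_src_ip, snat_at_internet_edge)
    return {
        "reply_to": reply_to,
        "reply_path": egress_path(reply_to),
        "asymmetric": is_asymmetric(ingress_path, reply_to),
    }


if __name__ == "__main__":
    # Request from a Microsoft address arriving over the Internet, no edge SNAT:
    # the reply matches an ExpressRoute route and is hairpinned onto ExpressRoute.
    print(evaluate("198.51.100.10", "internet", snat_at_internet_edge=False))
    # Same request with SNAT at the Internet edge: the reply goes back to the edge.
    print(evaluate("198.51.100.10", "internet", snat_at_internet_edge=True))
```

Run as a script to see the two cases side by side. In a real deployment the same check belongs in the routing-policy review: list the prefixes learned over the Microsoft peering and confirm that every Internet-facing endpoint Microsoft may reach is fronted by a SNAT pool that is not covered by any of those prefixes.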

Figure: Asymmetric routing with ExpressRoute

NAT requirements for Azure public peering

Note

Azure public peering is not available for new circuits.

The Azure public peering path enables you to connect to all services hosted in Azure over their public IP addresses. These include the services listed in the ExpressRoute FAQ and any services hosted by ISVs on Microsoft Azure.

Important

Connectivity to Microsoft Azure services on public peering is always initiated from your network into the Microsoft network. Therefore, sessions cannot be initiated from Microsoft Azure services to your network over ExpressRoute. If attempted, packets sent to these advertised IPs will use the Internet instead of ExpressRoute.

Traffic destined to Microsoft Azure on public peering must be SNATed to valid public IPv4 addresses before it enters the Microsoft network. The figure below provides a high-level picture of how the NAT could be set up to meet this requirement.

NAT IP pool and route advertisements

You must ensure that traffic enters the Azure public peering path with a valid public IPv4 address. Microsoft must be able to validate the ownership of the IPv4 NAT address pool against a regional routing Internet registry (RIR) or an Internet routing registry (IRR). A check is performed based on the AS number being peered with and the IP addresses used for the NAT. Refer to the ExpressRoute routing requirements page for information on routing registries.

There are no restrictions on the length of the NAT IP prefix advertised through this peering. You must monitor the NAT pool and ensure that you do not run out of NAT sessions.

Important

The NAT IP pool advertised to Microsoft must not be advertised to the Internet. Doing so will break connectivity to other Microsoft services.

Next steps