网关带宽分配Gateway bandwidth allocation

适用于: Windows ServerApplies to: Windows Server

在 Windows Server 2016 中,IPsec、GRE 和 L3 的单个隧道带宽是网关总容量的比率。In Windows Server 2016, the individual tunnel bandwidth for IPsec, GRE, and L3 was a ratio of the total gateway capacity. 因此,客户可以根据需要从网关 VM 传出的标准 TCP 带宽提供网关容量。Therefore, customers would provide the gateway capacity based on the standard TCP bandwidth expecting this out of the gateway VM.

此外,网关上的最大 IPsec 隧道带宽限制为 (3/20) * 客户提供的网关容量。Also, maximum IPsec tunnel bandwidth on the gateway was limited to (3/20)*Gateway Capacity provided by the customer. 例如,如果将网关容量设置为 100 Mbps,则 IPsec 隧道容量将为 150 Mbps。So, for example, if you set the gateway capacity to 100 Mbps, then the IPsec tunnel capacity would be 150 Mbps. GRE 和 L3 隧道的等效比率分别为1/5 和1/2。The equivalent ratios for GRE and L3 tunnels are 1/5 and 1/2, respectively.

虽然这适用于大多数部署,但固定比率模型不适用于高吞吐量环境。Although this worked for the majority of the deployments, the fixed ratio model was not appropriate for high throughput environments. 即使数据传输速率较高 (说,大于 40 Gbps) ,因为内部因素,最大的 SDN 网关隧道吞吐量最大。Even when the data transfer rates were high (say, higher than 40 Gbps), the maximum throughput of SDN gateway tunnels capped due to internal factors.

在 Windows Server 2019 中,对于隧道类型,最大吞吐量是固定的:In Windows Server 2019, for a tunnel type, the maximum throughput is fixed:

  • IPsec = 5 GbpsIPsec = 5 Gbps

  • GRE = 15 GbpsGRE = 15 Gbps

  • L3 = 5 GbpsL3 = 5 Gbps

因此,即使你的网关主机/VM 支持具有较高吞吐量的 Nic,但最大可用隧道吞吐量也是固定的。So, even if your gateway host/VM supports NICs with much higher throughput, the maximum available tunnel throughput is fixed. 此问题的另一个问题是任意过度预配网关,在为网关容量提供非常高的数量时,会发生这种情况。Another issue this takes care of is arbitrarily over-provisioning gateways, which happens when providing a very high number for the gateway capacity.

网关容量计算Gateway capacity calculation

理想情况下,将网关吞吐量容量设置为可供网关 VM 使用的吞吐量。Ideally, you set the gateway throughput capacity to the throughput available to the gateway VM. 例如,如果你有一个网关 VM,并且基础主机 NIC 吞吐量是 25 Gbps,则网关吞吐量也可以设置为 25 Gbps。So, for example, if you have a single gateway VM and the underlying host NIC throughput is 25 Gbps, the gateway throughput can be set to 25 Gbps as well.

如果仅使用网关进行 IPsec 连接,则最大可用固定容量是 5 Gbps。If using a gateway only for IPsec connections, the maximum available fixed capacity is 5 Gbps. 例如,如果你在网关上设置 IPsec 连接,则只能将 (传入 + 传出) 的聚合带宽设置为 5 Gbps。So, for example, if you provision IPsec connections on the gateway, you can only provision to an aggregate bandwidth (incoming + outgoing) as 5 Gbps.

如果同时使用网关进行 IPsec 和 GRE 连接,则可以预配最多 5 Gbps 的 IPsec 吞吐量或最大 15 Gbps 的 GRE 吞吐量。If using the gateway for both IPsec and GRE connectivity, you can provision maximum 5 Gbps of IPsec throughput or maximum 15 Gbps of GRE throughput. 例如,如果你预配了 2 Gbps IPsec 吞吐量,则会有 3 Gbps 的 IPsec 吞吐量,可在网关或第9So, for example, if you provision 2 Gbps of IPsec throughput, you have 3 Gbps of IPsec throughput left to provision on the gateway or 9 Gbps of GRE throughput left.

若要将其放在更数学术语中:To put this in more mathematical terms:

  • 网关总容量 = 25 GbpsTotal capacity of the gateway = 25 Gbps

  • 可用 IPsec 容量总计 = 5 Gbps (固定) Total available IPsec capacity = 5 Gbps (fixed)

  • 可用 GRE 容量总计 = 15 Gbps (固定) Total available GRE capacity = 15 Gbps (fixed)

  • 此网关的 IPsec 吞吐量比率 = 25/5 = 5 GbpsIPsec throughput ratio for this gateway = 25/5 = 5 Gbps

  • 此网关的 GRE 吞吐量比率 = 25/15 = 5/3 GbpsGRE throughput ratio for this gateway = 25/15 = 5/3 Gbps

例如,如果向客户分配 2 Gbps IPsec 吞吐量:For example, if you allocate 2 Gbps of IPsec throughput to a customer:

网关上的剩余可用容量 = 网关的总容量– IPsec 吞吐量比率 * 分配 (使用的容量) Remaining available capacity on the gateway = Total capacity of the gateway – IPsec throughput ratio*IPsec throughput allocated (used capacity)

      25– 5 * 2 = 15 Gbps      25–5*2 = 15 Gbps

可在网关上分配的其余 IPsec 吞吐量Remaining IPsec throughput that you can allocate on the gateway

      5-2 = 3 Gbps      5-2 = 3 Gbps

可在网关分配的其余 GRE 吞吐量 = 网关/GRE 吞吐量比的剩余容量Remaining GRE throughput that you can allocate on the gateway = Remaining capacity of gateway/GRE throughput ratio

      15 * 3/5 = 9 Gbps      15*3/5 = 9 Gbps

吞吐量比根据网关的总容量而定。The throughput ratio varies depending on the total capacity of the gateway. 需要注意的一点是,应将总容量设置为可用于网关 VM 的 TCP 带宽。One thing to note is that you should set the total capacity to the TCP bandwidth available to the gateway VM. 如果在网关上托管多个 Vm,则必须相应地调整网关的总容量。If you have multiple VMs hosted on the gateway, you must adjust the total capacity of the gateway accordingly.

此外,如果网关容量小于可用的总隧道容量,则可用的隧道容量总数将设置为 "网关容量"。Also, if the gateway capacity is less than the total available tunnel capacity, the total available tunnel capacity is set to the gateway capacity. 例如,如果将网关容量设置为 4 Gbps,则 IPsec、L3 和 GRE 的可用总容量均设置为 4 Gbps,并将每个隧道的吞吐量比率保留为 1 Gbps。For example, if you set the gateway capacity to 4 Gbps, the total available capacity for IPsec, L3, and GRE is set to 4 Gbps, leaving the throughput ratio for each tunnel to 1 Gbps.

Windows Server 2016 行为Windows Server 2016 behavior

Windows Server 2016 的网关容量计算算法保持不变。The gateway capacity calculation algorithm for Windows Server 2016 remains unchanged. 在 Windows Server 2016 中,最大 IPsec 隧道带宽限制为网关上 (3/20) * 网关容量。In Windows Server 2016, Maximum IPsec tunnel bandwidth was limited to (3/20)*gateway capacity on a gateway. GRE 和 L3 隧道的等效比率分别为1/5 和1/2。The equivalent ratios for GRE and L3 tunnels were 1/5 and 1/2, respectively.

如果要从 Windows Server 2016 升级到 Windows Server 2019:If you are upgrading from Windows Server 2016 to Windows Server 2019:

  1. GRE 和 L3 隧道: 一旦将网络控制器节点更新到 Windows Server 2019,Windows Server 2019 分配逻辑就会生效GRE and L3 tunnels: The Windows Server 2019 allocation logic takes effect once Network Controller nodes get updated to Windows Server 2019

  2. IPSec 隧道: Windows Server 2016 网关分配逻辑将继续工作,直到网关池中的所有网关升级到 Windows Server 2019。IPSec tunnels: The Windows Server 2016 gateway allocation logic continues to function until all the gateways in the gateway pool get upgraded to Windows Server 2019. 对于网关池中的所有网关,必须将 Azure 网关服务设置为 "自动"。For all gateways in the gateway pool, you must set the Azure gateway service to Automatic.

备注

升级到 Windows Server 2019 后,网关可能会因分配逻辑从 Windows Server 2016 更改为 Windows Server 2019) 而变得过度预配 (。It is possible that after upgrading to Windows Server 2019, a gateway becomes over-provisioned (as the allocation logic changes from Windows Server 2016 to Windows Server 2019). 在这种情况下,网关上的现有连接将继续存在。In this case, the existing connections on the gateway continue to exist. 网关的 REST 资源会引发一条警告,指出网关已过度设置。The REST resource for the Gateway throws a warning that the gateway is over-provisioned. 在这种情况下,应将一些连接移到另一个网关。In this case, you should move some connections to another gateway.