Network integration planning for Azure Stack

This article provides Azure Stack network infrastructure information to help you decide how best to integrate Azure Stack into your existing networking environment.

Note

To resolve external DNS names from Azure Stack (for example, www.bing.com), you need to provide DNS servers to forward DNS requests. For more information about Azure Stack DNS requirements, see Azure Stack datacenter integration - DNS.

Physical network design

The Azure Stack solution requires a resilient and highly available physical infrastructure to support its operation and services. Integrating Azure Stack into the network requires uplinks from the top-of-rack (ToR) switches to the nearest switch or router, which this documentation refers to as the border. The ToRs can be uplinked to a single border or to a pair of borders. The ToR is pre-configured by our automation tool; it expects a minimum of one connection between ToR and border when using BGP routing, a minimum of two connections (one per ToR) between ToR and border when using static routing, and a maximum of four connections with either routing option. These connections are limited to SFP+ or SFP28 media and a minimum speed of 1 GB. Check with your original equipment manufacturer (OEM) hardware vendor for availability. The following diagram presents the recommended design:

Diagram: Recommended Azure Stack network design

Bandwidth allocation

Azure Stack Hub is built using Windows Server 2019 Failover Cluster and Spaces Direct technologies. A portion of the Azure Stack Hub physical network configuration uses traffic separation and bandwidth guarantees to ensure that the Spaces Direct storage communications can meet the performance and scale required of the solution. The network configuration uses traffic classes to separate the Spaces Direct, RDMA-based communications from the network utilization of the Azure Stack Hub infrastructure and/or tenants. To align with the current best practices defined for Windows Server 2019, Azure Stack Hub is changing to use an additional traffic class or priority to further separate server-to-server communication in support of the Failover Clustering control communication. This new traffic class definition will be configured to reserve 2% of the available physical bandwidth. This traffic class and bandwidth reservation configuration is accomplished by a change on the top-of-rack (ToR) switches of the Azure Stack Hub solution and on the hosts or servers of Azure Stack Hub. Note that changes are not required on the customer border network devices. These changes provide better resiliency for Failover Cluster communication and are meant to avoid situations where network bandwidth is fully consumed and, as a result, Failover Cluster control messages are disrupted.
Note that the Failover Cluster communication is a critical component of the Azure Stack Hub infrastructure; if it is disrupted for long periods, it can lead to instability in the Spaces Direct storage services or other services, which will eventually impact tenant or end-user workload stability.

Note

The described changes are added at the host level of an Azure Stack Hub system in the 2008 release. Contact your OEM to arrange the required changes on the ToR network switches. This ToR change can be performed either before or after updating to the 2008 release. The configuration change to the ToR switches is required to improve the Failover Cluster communications.

Logical networks

Logical networks represent an abstraction of the underlying physical network infrastructure. They're used to organize and simplify network assignments for hosts, virtual machines (VMs), and services. As part of logical network creation, network sites are created to define the virtual local area networks (VLANs), IP subnets, and IP subnet/VLAN pairs that are associated with the logical network in each physical location.

The following table shows the logical networks and the associated IPv4 subnet ranges that you must plan for (logical network, description, size):

  • Public VIP: Azure Stack uses a total of 31 addresses from this network. Eight public IP addresses are used for a small set of Azure Stack services and the rest are used by tenant VMs. If you plan to use App Service and the SQL resource providers, 7 more addresses are used. The remaining 15 IPs are reserved for future Azure services. Size: /26 (62 hosts) to /22 (1022 hosts); recommended = /24 (254 hosts).
  • Switch infrastructure: Point-to-point IP addresses for routing purposes, dedicated switch management interfaces, and loopback addresses assigned to the switch. Size: /26.
  • Infrastructure: Used for Azure Stack internal components to communicate. Size: /24.
  • Private: Used for the storage network, private VIPs, infrastructure containers, and other internal functions. Starting in 1910, the size of this subnet is changing to /20; for more details, see the Private network section in this article. Size: /20.
  • BMC: Used to communicate with the BMCs on the physical hosts. Size: /26.
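The sizing rules in the table above are easy to get wrong on a planning worksheet (a Public VIP range outside /22–/26, two logical networks that overlap, a prefix with host bits set). The following Python script is an added example, not code from the Azure Stack documentation or from Microsoft: it checks an operator's plan against the prefix-length limits the table states, confirms the five networks do not overlap, and splits the Public VIP range into the 31 infrastructure-reserved addresses and the tenant pool. The addresses in SAMPLE_PLAN are constructed sample values except 10.87.0.0/20, which is the example the article itself uses for the private network; treating the 31 reserved addresses as the first 31 usable host addresses is an assumption of this example.

```python
"""Added example: validate an IPv4 plan for the Azure Stack logical networks.

Not the documentation's own code. Size limits and the 31-address Public VIP
reservation come from the table in the article; sample addresses are constructed.
"""
import ipaddress

# (shortest allowed prefix length, longest allowed prefix length) per logical network.
SIZE_RULES = {
    "Public VIP": (22, 26),            # /22 (1022 hosts) .. /26 (62 hosts); /24 recommended
    "Switch infrastructure": (26, 26),
    "Infrastructure": (24, 24),
    "Private": (20, 20),               # /20 starting with the 1910 release
    "BMC": (26, 26),
}
PUBLIC_VIP_RESERVED = 31  # addresses the Azure Stack infrastructure takes from the Public VIP range

# Constructed sample worksheet. 203.0.113.0/24 is an RFC 5737 documentation range standing in
# for a real public block; 10.87.0.0/20 is the article's own example private range.
SAMPLE_PLAN = {
    "Public VIP": "203.0.113.0/24",
    "Switch infrastructure": "10.100.0.0/26",
    "Infrastructure": "10.100.1.0/24",
    "Private": "10.87.0.0/20",
    "BMC": "10.100.2.0/26",
}


def usable_hosts(cidr):
    """Host count as the table expresses it: network and broadcast addresses excluded."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def parse_plan(plan):
    """strict=True rejects prefixes with host bits set, e.g. 10.100.1.5/24."""
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}


def check_sizes(nets):
    problems = []
    for name, (shortest, longest) in SIZE_RULES.items():
        if name not in nets:
            problems.append(f"{name}: missing from plan")
            continue
        plen = nets[name].prefixlen
        if not shortest <= plen <= longest:
            problems.append(f"{name}: /{plen} is outside the allowed /{shortest}../{longest} range")
    return problems


def check_overlaps(nets):
    """Every logical network must be disjoint from every other one."""
    names = list(nets)
    return [f"{a} overlaps {b}"
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def public_vip_split(cidr):
    """Assumption of this example: the 31 reserved addresses are the first 31 usable hosts."""
    hosts = list(ipaddress.ip_network(cidr).hosts())
    return {"reserved": hosts[:PUBLIC_VIP_RESERVED], "tenant": hosts[PUBLIC_VIP_RESERVED:]}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan satisfies the table's rules."""
    nets = parse_plan(plan)
    return check_sizes(nets) + check_overlaps(nets)


if __name__ == "__main__":
    print("problems:", validate_plan(SAMPLE_PLAN) or "none")
    split = public_vip_split(SAMPLE_PLAN["Public VIP"])
    print(f"Public VIP: {len(split['reserved'])} reserved, {len(split['tenant'])} for tenant VMs")
```

Run it against your own worksheet values by editing SAMPLE_PLAN; the overlap check is the one that catches the most common planning mistake, since the private /20 is chosen independently of the routable ranges and must still not collide with them.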

Note

When the system is updated to the 1910 version, an alert on the portal will remind the operator to run the new PEP cmdlet Set-AzsPrivateNetwork to add a new /20 private IP space. See the 1910 release notes for instructions on running the cmdlet. For more information and guidance on selecting the /20 private IP space, see the Private network section in this article.

Network infrastructure

The network infrastructure for Azure Stack consists of several logical networks that are configured on the switches. The following diagram shows these logical networks and how they integrate with the top-of-rack (ToR), baseboard management controller (BMC), and border (customer network) switches.

Diagram: Logical networks and switch connections

BMC network

This network is dedicated to connecting all the baseboard management controllers (also known as BMCs or service processors) to the management network. Examples include iDRAC, iLO, iBMC, and so on. Only one BMC account is used to communicate with any BMC node. If present, the Hardware Lifecycle Host (HLH) is located on this network and may provide OEM-specific software for hardware maintenance or monitoring.

The HLH also hosts the Deployment VM (DVM). The DVM is used during Azure Stack deployment and is removed when deployment completes. In connected deployment scenarios, the DVM requires internet access to test, validate, and access multiple components. These components can be inside and outside of your corporate network (for example: NTP, DNS, and Azure). For more information about connectivity requirements, see the NAT section in Azure Stack firewall integration.

Private network

This /20 (4096 IPs) network is private to the Azure Stack region (it doesn't route beyond the border switch devices of the Azure Stack system) and is divided into multiple subnets. Here are some examples:

  • Storage network: A /25 (128 IPs) network used to support Spaces Direct and Server Message Block (SMB) storage traffic and VM live migration.
  • Internal virtual IP network: A /25 network dedicated to internal-only VIPs for the software load balancer.
  • Container network: A /23 (512 IPs) network dedicated to internal-only traffic between containers running infrastructure services.

Starting with the 1910 release, the Azure Stack Hub system requires an additional /20 private internal IP space. This network is private to the Azure Stack system (it doesn't route beyond the border switch devices of the Azure Stack system) and can be reused on multiple Azure Stack systems within your datacenter. While the network is private to Azure Stack, it must not overlap with other networks in the datacenter. The /20 private IP space is divided into multiple networks that enable running the Azure Stack Hub infrastructure on containers; the goal of running the infrastructure in containers is to optimize utilization and enhance performance. In addition, the /20 private IP space is used to enable ongoing efforts to reduce the routable IP space required before deployment. For guidance on private IP space, we recommend following RFC 1918.

For systems deployed before 1910, this /20 subnet is an additional network to be entered into the system after updating to 1910. The additional network must be provided to the system through the Set-AzsPrivateNetwork PEP cmdlet.

Note

The /20 input is a prerequisite for the next Azure Stack Hub update after 1910. When the next Azure Stack Hub update after 1910 is released and you attempt to install it, the update will fail if you haven't completed the /20 input as described in the remediation steps that follow. An alert will be present in the administrator portal until the remediation steps have been completed. See the Datacenter network integration article to understand how this new private space will be consumed.

Remediation steps: To remediate, follow the instructions to open a PEP session. Prepare a private internal IP range of size /20, and run the following cmdlet (only available starting with 1910) in the PEP session, using this example: Set-AzsPrivateNetwork -UserSubnet 10.87.0.0/20. If the operation is performed successfully, you'll receive the message "Azs Internal Network range added to the config". On successful completion, the alert in the administrator portal will close. The Azure Stack Hub system can now update to the next version.
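Before running Set-AzsPrivateNetwork it is worth confirming, outside the PEP session, that the candidate range really is a /20, sits in RFC 1918 space, and does not collide with anything else in the datacenter, since the cmdlet is a one-way prerequisite for the next update. The Python script below is an added example, not code from the Azure Stack documentation or from Microsoft: it performs those pre-checks and then carves the three example subnets named in the Private network section (storage /25, internal VIP /25, container /23) out of the /20 with a first-fit allocator. 10.87.0.0/20 is the article's own example value; EXISTING_DATACENTER_NETWORKS is constructed sample data, and the carve-out layout is an illustration of the sizes the article lists, not the layout Azure Stack Hub actually uses internally.

```python
"""Added example: pre-check a /20 private range and carve the article's example subnets from it.

Not the documentation's own code. Existing datacenter networks below are constructed
sample data; the carve-out is illustrative and does not reproduce Azure Stack Hub's layout.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Example subnets from the Private network section: (purpose, prefix length).
CARVE_OUT = [("storage", 25), ("internal VIP", 25), ("container", 23)]

# Constructed sample of ranges already in use elsewhere in the datacenter.
EXISTING_DATACENTER_NETWORKS = ["10.0.0.0/16", "192.168.0.0/16"]


def precheck_private_range(cidr, existing):
    """Return the reasons a candidate range is unsuitable; an empty list means it passes."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    problems = []
    if net.version != 4:
        return ["range must be IPv4"]
    if net.prefixlen != 20:
        problems.append(f"prefix length must be /20, got /{net.prefixlen}")
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("range is not in RFC 1918 private space")
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append(f"overlaps existing datacenter network {other_net}")
    return problems


def carve(cidr, requests):
    """First-fit allocation of the requested prefix lengths from the parent range.

    Larger blocks are placed first so each block stays aligned to its own size and
    the leftover space is kept as the largest possible aligned blocks.
    """
    free = [ipaddress.ip_network(cidr)]
    allocated = {}
    for name, plen in sorted(requests, key=lambda r: r[1]):
        for i, block in enumerate(free):
            if block.prefixlen <= plen:
                chosen = next(block.subnets(new_prefix=plen))      # first aligned sub-block
                allocated[name] = chosen
                free[i:i + 1] = sorted(block.address_exclude(chosen))
                break
        else:
            raise ValueError(f"no room left in {cidr} for {name} (/{plen})")
    return allocated


def remaining_addresses(cidr, allocated):
    """Addresses of the parent range not consumed by the carve-out."""
    total = ipaddress.ip_network(cidr).num_addresses
    return total - sum(net.num_addresses for net in allocated.values())


if __name__ == "__main__":
    candidate = "10.87.0.0/20"
    problems = precheck_private_range(candidate, EXISTING_DATACENTER_NETWORKS)
    print("pre-check:", problems or "passed")
    if not problems:
        layout = carve(candidate, CARVE_OUT)
        for purpose, net in layout.items():
            print(f"  {purpose:13s} {net}")
        print("  unallocated addresses:", remaining_addresses(candidate, layout))
```

Feed the script the same list of datacenter ranges your IPAM holds; an overlap reported here is far cheaper to fix than discovering after the cmdlet has run that the private space collides with a routed network.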

Azure Stack infrastructure network

This /24 network is dedicated to internal Azure Stack components so that they can communicate and exchange data among themselves. This subnet can be routable externally from the Azure Stack solution to your datacenter; we do not recommend using public or internet-routable IP addresses on this subnet. This network is advertised to the border, but most of its IPs are protected by access control lists (ACLs). The IPs allowed for access are within a small range equivalent in size to a /27 network and host services like the privileged endpoint (PEP) and Azure Stack Backup.

Public VIP network

The Public VIP network is assigned to the network controller in Azure Stack. It's not a logical network on the switch. The SLB uses the pool of addresses and assigns /32 networks for tenant workloads. On the switch routing table, these /32 IPs are advertised as an available route via BGP. This network contains the externally accessible or public IP addresses. The Azure Stack infrastructure reserves the first 31 addresses from this Public VIP network, while the remainder is used by tenant VMs. The network size on this subnet can range from a minimum of /26 (64 hosts) to a maximum of /22 (1022 hosts). We recommend that you plan for a /24 network.

Switch infrastructure network

This /26 network is the subnet that contains the routable point-to-point IP /30 (two host IPs) subnets and the loopbacks, which are dedicated /32 subnets for in-band switch management and the BGP router ID. This range of IP addresses must be routable outside the Azure Stack solution to your datacenter. They may be private or public IPs.

Switch management network

This /29 (six host IPs) network is dedicated to connecting the management ports of the switches. It allows out-of-band access for deployment, management, and troubleshooting. It's calculated from the switch infrastructure network mentioned above.

Permitted networks

Starting with 1910, the Deployment Worksheet has a new field that lets the operator change some access control lists (ACLs) to allow access to network device management interfaces and the hardware lifecycle host (HLH) from a trusted datacenter network range. With the access control list change, the operator can allow their management jumpbox VMs within a specific network range to access the switch management interface, the HLH OS, and the HLH BMC. The operator can provide one or multiple subnets in this list; if it is left blank, it defaults to deny access. This new functionality replaces the post-deployment manual intervention that used to be described in Modify specific settings on your Azure Stack switch configuration.
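The security-relevant detail in the paragraph above is the default: an empty Permitted networks field denies all access to the switch management interfaces, the HLH OS, and the HLH BMC, and only sources inside one of the listed subnets get through. The Python snippet below is an added example, not code from the Azure Stack documentation or from Microsoft, that models exactly that allow-list semantics so an operator can check a worksheet entry before deployment: it validates the entries, evaluates a source address against them with default deny, and flags entries so broad that they would effectively disable the ACL. The subnets and source addresses are constructed, and the /16 "too broad" threshold is an assumption of this example, not a limit the product enforces.

```python
"""Added example: model the Permitted networks ACL semantics (default deny, allow-list).

Not the documentation's own code. Sample subnets and addresses are constructed; the
breadth threshold in broad_entries() is an assumption of this example.
"""
import ipaddress


def parse_permitted(entries):
    """Validate worksheet entries. strict=True rejects entries with host bits set,
    so a typo like 10.20.30.5/24 is caught instead of silently widened."""
    return [ipaddress.ip_network(entry.strip(), strict=True) for entry in entries]


def is_permitted(source_ip, permitted):
    """True only if the source lies inside at least one permitted subnet.
    An empty list is the blank worksheet field, which the article says means deny."""
    if not permitted:
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in permitted)


def broad_entries(permitted, shortest_prefix=16):
    """Entries shorter than /16 (an assumed review threshold for this example) deserve
    a second look: 0.0.0.0/0 would open the management interfaces to every source."""
    return [str(net) for net in permitted if net.prefixlen < shortest_prefix]


if __name__ == "__main__":
    # Constructed worksheet entry: one jumpbox subnet plus a small ops range.
    permitted = parse_permitted(["10.20.30.0/24", "172.16.5.0/27"])
    for source in ("10.20.30.40", "10.20.31.40", "172.16.5.10"):
        print(f"{source:13s} -> {'allow' if is_permitted(source, permitted) else 'deny'}")
    print("blank field, 10.20.30.40 ->", "allow" if is_permitted("10.20.30.40", []) else "deny")
    print("broad entries:", broad_entries(parse_permitted(["0.0.0.0/0", "10.20.30.0/24"])))
```

Keep the list to the jumpbox subnets that genuinely need management access; every address you admit here can reach the out-of-band path to the switches and the HLH BMC.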

Next steps

Learn about network planning: Border connectivity.