Azure Stack Hub ruggedized network introduction

Network design overview

Physical network design

The Azure Stack Hub ruggedized solution requires a resilient and highly available physical infrastructure to support its operation and services. Uplinks from the top-of-rack (ToR) switches to the border switches are limited to SFP+ or SFP28 media and 1 GB, 10 GB, or 25 GB speeds. Check with your original equipment manufacturer (OEM) hardware vendor for availability.

The following diagram presents our recommended design for Azure Stack Hub ruggedized.

Diagram: Azure Stack Hub ruggedized physical network

Logical network design

A logical network design represents an abstraction of a physical network infrastructure. Logical networks are used to organize and simplify network assignments for hosts, virtual machines (VMs), and services. As part of logical network creation, network sites are created to define the:

  • virtual local area networks (VLANs)
  • IP subnets
  • IP subnet/VLAN pairs

All of which are associated with the logical network in each physical location.

The following table shows the logical networks and the associated IPv4 subnet ranges that you must plan for:

| Logical network | Description | Size |
|---|---|---|
| Public Virtual IP (VIP) | Azure Stack Hub ruggedized uses a total of 31 addresses from this network. Eight public IP addresses are used for a small set of Azure Stack Hub ruggedized services and the rest are used by tenant VMs. If you plan to use App Service and the SQL resource providers, 7 more addresses are used. The remaining 15 IPs are reserved for future Azure services. | /26 (62 hosts) to /22 (1022 hosts); recommended = /24 (254 hosts) |
| Switch infrastructure | Point-to-point IP addresses for routing purposes, dedicated switch management interfaces, and loopback addresses assigned to the switch. | /26 |
| Infrastructure | Used for Azure Stack Hub ruggedized internal components to communicate. | /24 |
| Private | Used for the storage network, private VIPs, infrastructure containers, and other internal functions. | /20 |
| Baseboard Management Controller (BMC) | Used to communicate with the baseboard management controllers on the physical hosts. | /26 |
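The following is an added example, not code from the original page or from the Azure Stack Hub documentation, that turns the table above into a planning check: it verifies that each planned logical network has the prefix length the table calls for, that the public VIP range falls between /26 and /22 (flagging anything other than the recommended /24), that the private /20 sits in RFC 1918 space and doesn't overlap other datacenter networks, and it carves the example storage, internal VIP and container subnets described in the Private network section out of the /20. The plan dictionary, its key names and the sample CIDRs are constructed for this example.

```python
import ipaddress

# Prefix lengths required by the logical-network table; the public VIP network
# is a range (/26 .. /22) with /24 recommended.
REQUIRED_PREFIX = {
    "switch_infrastructure": 26,
    "infrastructure": 24,
    "private": 20,
    "bmc": 26,
}
VIP_MIN_SIZE_PREFIX, VIP_MAX_SIZE_PREFIX, VIP_RECOMMENDED = 26, 22, 24
VIP_RESERVED = 31  # addresses the infrastructure takes from the public VIP pool

# RFC 1918 blocks, used to check the private /20 as the page recommends.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Example carve-up of the private /20 described in the Private network section.
PRIVATE_SUBNETS = [("storage", 25), ("internal_vip", 25), ("container", 23)]


def validate_plan(plan, datacenter_networks=()):
    """Return a list of findings (empty when the plan is consistent with the table).

    plan: mapping of logical-network name -> CIDR string (the key names are this example's own).
    datacenter_networks: other CIDRs in use in the datacenter; the private /20 must not overlap them.
    """
    findings = []
    nets = {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid network {cidr} ({exc})")

    for name, prefix in REQUIRED_PREFIX.items():
        if name not in nets:
            findings.append(f"{name}: missing")
        elif nets[name].prefixlen != prefix:
            findings.append(f"{name}: expected /{prefix}, got /{nets[name].prefixlen}")

    vip = nets.get("public_vip")
    if vip is None:
        findings.append("public_vip: missing")
    elif not VIP_MAX_SIZE_PREFIX <= vip.prefixlen <= VIP_MIN_SIZE_PREFIX:
        findings.append(f"public_vip: /{vip.prefixlen} is outside the allowed /26 to /22 range")
    elif vip.prefixlen != VIP_RECOMMENDED:
        findings.append(f"public_vip: /{vip.prefixlen} is allowed, but /{VIP_RECOMMENDED} is recommended")

    private = nets.get("private")
    if private is not None:
        if not any(private.subnet_of(block) for block in RFC1918):
            findings.append("private: not in RFC 1918 space (recommended)")
        for other in datacenter_networks:
            if private.overlaps(ipaddress.ip_network(other, strict=False)):
                findings.append(f"private: overlaps datacenter network {other}")

    # No two logical networks may overlap each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a}: overlaps {b}")
    return findings


def tenant_vip_count(public_vip_cidr):
    """Host addresses left for tenant VMs after the infrastructure's 31 reserved VIPs,
    using the table's host-count convention (network and broadcast excluded)."""
    net = ipaddress.ip_network(public_vip_cidr)
    return net.num_addresses - 2 - VIP_RESERVED


def carve_private(private_cidr):
    """Allocate the example storage /25, internal VIP /25 and container /23 from the /20,
    each aligned to its own block size, and return them by name."""
    private = ipaddress.ip_network(private_cidr)
    cursor = int(private.network_address)
    out = {}
    for name, prefix in PRIVATE_SUBNETS:
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to the next aligned block
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(private):
            raise ValueError(f"{name}: /{prefix} does not fit inside {private}")
        out[name] = str(subnet)
        cursor += size
    return out


if __name__ == "__main__":
    sample = {  # constructed sample plan
        "public_vip": "203.0.113.0/24",
        "switch_infrastructure": "192.168.100.0/26",
        "infrastructure": "192.168.101.0/24",
        "private": "10.0.0.0/20",
        "bmc": "192.168.102.0/26",
    }
    print(validate_plan(sample, ["172.16.0.0/12"]))
    print(tenant_vip_count(sample["public_vip"]))
    print(carve_private(sample["private"]))
```

Feed the check the address ranges already in use in the datacenter: an overlap between the private /20 and an existing network is the error that is cheapest to catch before deployment and hardest to fix afterwards, since the /20 is not routed past the border switches and is usually reused across systems.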

Network infrastructure

The network infrastructure for Azure Stack Hub ruggedized consists of several logical networks that are configured on the switches. The following diagram shows these logical networks and how they integrate with the top-of-rack (TOR), baseboard management controller, and border (customer network) switches.

Azure Stack Hub ruggedized logical network diagram:

Diagram: Azure Stack Hub ruggedized logical network

BMC network

This network is dedicated to connecting all the baseboard management controllers (also known as BMCs or service processors) to the management network. Examples include iDRAC, iLO, iBMC, and so on. Only one BMC account is used to communicate with any BMC node. If present, the Hardware Lifecycle Host (HLH) is located on this network and may provide OEM-specific software for hardware maintenance or monitoring.

The HLH also hosts the Deployment VM (DVM). The DVM is used during Azure Stack Hub ruggedized deployment and is removed when deployment completes. In connected deployment scenarios the DVM requires Internet access to test, validate, and access multiple components. These components can be inside and outside of your corporate network (for example: NTP, DNS, and Azure). For more information about connectivity requirements, see the NAT section in Azure Stack Hub ruggedized firewall integration.

Private network

The /20 (4096 host IPs) network is private to the Azure Stack Hub ruggedized region. It doesn't extend beyond the border switch devices of the Azure Stack Hub ruggedized region. This network is divided into multiple subnets, for example:

  • Storage network: A /25 (128 IPs) network used to support Storage Spaces Direct and Server Message Block (SMB) storage traffic and VM live migration.
  • Internal virtual IP network: A /25 network dedicated to internal-only VIPs for the software load balancer.
  • Container network: A /23 (512 IPs) network dedicated to internal-only traffic between containers running infrastructure services.

The size of the Private network is /20 (4096 IPs) of private IP space. This network is private to the Azure Stack Hub ruggedized system. It doesn't route beyond the border switch devices of the Azure Stack Hub ruggedized system, and can be reused on multiple Azure Stack Hub ruggedized systems. While the network is private to Azure Stack Hub ruggedized, it must not overlap with other networks in the datacenter. For guidance on private IP space, we recommend following RFC 1918.

The /20 private IP space is divided into multiple networks that enable the Azure Stack Hub ruggedized system infrastructure to run on containers in future releases. Refer to the 1910 release notes for details. This new private IP space enables ongoing efforts to reduce the routable IP space required before deployment.

Azure Stack Hub ruggedized infrastructure network

The /24 network is dedicated to internal Azure Stack Hub ruggedized components, so that they can communicate and exchange data among themselves. This subnet can be routable externally from the Azure Stack Hub ruggedized solution to your datacenter. We don't recommend using public or Internet-routable IP addresses on this subnet. This network is advertised to the border, but most of its IPs are protected by access control lists (ACLs). The IPs allowed for access are within a small range, equivalent in size to a /27 network. These IPs host services like the privileged endpoint (PEP) and Azure Stack Hub ruggedized Backup.

Public VIP network

The Public VIP network is assigned to the network controller in Azure Stack Hub ruggedized. It's not a logical network on the switch. The software load balancer (SLB) uses the pool of addresses and assigns /32 networks for tenant workloads. On the switch routing table, these /32 IPs are advertised as available routes via Border Gateway Protocol (BGP). This network contains public addresses that are externally accessible. The Azure Stack Hub ruggedized infrastructure reserves the first 31 addresses from this Public VIP network, while the remainder is used by tenant VMs. The network size on this subnet can range from a minimum of /26 (64 hosts) to a maximum of /22 (1022 hosts). We recommend that you plan for a /24 network.

Switch infrastructure network

The /26 network is the subnet that contains the routable point-to-point /30 (two host IPs) subnets and the loopbacks. The loopbacks are dedicated /32 subnets for in-band switch management and the BGP router ID. This range of IP addresses must be routable outside the Azure Stack Hub ruggedized solution to your datacenter. The IP addresses may be private or public.

Switch management network

The /29 (six host IPs) network is dedicated to connecting the management ports of the switches. This network allows out-of-band access for deployment, management, and troubleshooting. It's carved out of the switch infrastructure network described above.

DNS design overview

To access Azure Stack Hub ruggedized endpoints (portal, adminportal, management, adminmanagement) from outside Azure Stack Hub ruggedized, you must integrate the Azure Stack Hub ruggedized DNS services with the DNS servers that host the DNS zones you want to use in Azure Stack Hub ruggedized.

Azure Stack Hub ruggedized DNS namespace

You're required to provide some important information related to DNS when you deploy Azure Stack Hub ruggedized.

| Field | Description | Example |
|---|---|---|
| Region | The geographic location of your Azure Stack Hub ruggedized deployment. | east |
| External Domain Name | The name of the zone you want to use for your Azure Stack Hub ruggedized deployment. | cloud.fabrikam.com |
| Internal Domain Name | The name of the internal zone that's used for infrastructure services in Azure Stack Hub ruggedized. It's Directory Service-integrated and private (not reachable from outside the Azure Stack Hub ruggedized deployment). | azurestack.local |
| DNS Forwarders | DNS servers that are used to forward DNS queries, DNS zones, and records that are hosted outside Azure Stack Hub ruggedized, either on the corporate intranet or the public Internet. You can edit the DNS Forwarder value with the Set-AzSDnsForwarder cmdlet after deployment. | |
| Naming Prefix (Optional) | The naming prefix you want your Azure Stack Hub ruggedized infrastructure role instance machine names to have. If not provided, the default is "azs". | azs |

The fully qualified domain name (FQDN) of your Azure Stack Hub ruggedized deployment and endpoints is the combination of the Region parameter and the External Domain Name parameter. Using the values from the examples in the previous table, the FQDN for this Azure Stack Hub ruggedized deployment would be: east.cloud.fabrikam.com

As such, examples of some of the endpoints for this deployment would look like the following URLs:

  • https://portal.east.cloud.fabrikam.com
  • https://adminportal.east.cloud.fabrikam.com

To use this example DNS namespace for an Azure Stack Hub ruggedized deployment, the following conditions are required:

  • The zone fabrikam.com is registered with a domain registrar, an internal corporate DNS server, or both. Registration depends on your name resolution requirements.
  • The child domain cloud.fabrikam.com exists under the zone fabrikam.com.
  • The DNS servers that host the zones fabrikam.com and cloud.fabrikam.com can be reached from the Azure Stack Hub ruggedized deployment.

To resolve DNS names for Azure Stack Hub ruggedized endpoints and instances from outside Azure Stack Hub ruggedized, you must integrate the DNS servers that host the external DNS zone for Azure Stack Hub ruggedized with the DNS servers that host the parent zone you want to use.

DNS name labels

Azure Stack Hub ruggedized supports adding a DNS name label to a public IP address to allow name resolution for public IP addresses. DNS labels are a convenient way for users to reach apps and services hosted in Azure Stack Hub ruggedized by name. The DNS name label uses a slightly different namespace than the infrastructure endpoints. Following the previous example namespace, the namespace for DNS name labels would be: *.east.cloudapp.cloud.fabrikam.com.

If a tenant specifies myapp in the DNS name field of a public IP address resource, it creates an A record for myapp in the zone east.cloudapp.cloud.fabrikam.com on the Azure Stack Hub ruggedized external DNS server. The resulting fully qualified domain name would be: myapp.east.cloudapp.cloud.fabrikam.com.

If you want to use this functionality and this namespace, you must integrate the DNS servers that host the external DNS zone for Azure Stack Hub ruggedized with the DNS servers that host the parent zone you want to use. This namespace is different from the one used for the Azure Stack Hub ruggedized service endpoints, so you must create an additional delegation or conditional forwarding rule.

For more information about how the DNS name label works, see "Using DNS" in Azure Stack Hub ruggedized.

Resolution and delegation

There are two types of DNS servers:

  • An authoritative DNS server hosts DNS zones. It answers DNS queries for records in those zones only.
  • A recursive DNS server doesn't host DNS zones. It answers all DNS queries by calling authoritative DNS servers to gather the data it needs.

Azure Stack Hub ruggedized includes both authoritative and recursive DNS servers. The recursive servers are used to resolve the names of everything except the internal private zone and the external public DNS zone for the Azure Stack Hub ruggedized deployment.

Resolving external DNS names from Azure Stack Hub ruggedized

To resolve DNS names for endpoints outside Azure Stack Hub ruggedized (for example: www.bing.com), you must provide DNS servers to which Azure Stack Hub ruggedized forwards the DNS requests for which it isn't authoritative. The DNS servers that Azure Stack Hub ruggedized forwards requests to are required in the Deployment Worksheet (in the DNS Forwarder field). Provide at least two servers in this field for fault tolerance. Without these values, Azure Stack Hub ruggedized deployment fails. You can edit the DNS Forwarder values with the Set-AzSDnsForwarder cmdlet after deployment.
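The following is an added example, not code from the original page or the Azure Stack Hub documentation, that pulls together the DNS namespace table, the DNS name label section and the forwarder requirement above into one worksheet check. From the Region and External Domain Name fields it derives the deployment FQDN, the endpoint URLs, the separate cloudapp zone used by DNS name labels, and the two zones the parent zone must delegate or conditionally forward to; it also checks that the region and naming prefix are valid DNS labels, that each forwarder is an IP address, and that at least two forwarders are given. The function names, the dictionary keys and the sample forwarder addresses are this example's own.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Endpoint host names listed in the DNS design overview.
ENDPOINT_HOSTS = ("portal", "adminportal", "management", "adminmanagement")
DEFAULT_NAMING_PREFIX = "azs"


def _is_zone_name(name):
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def derive_namespace(region, external_domain):
    """Namespaces the deployment will use, from the Region and External Domain Name fields."""
    region = region.lower()
    ext = external_domain.lower().rstrip(".")
    fqdn = f"{region}.{ext}"
    label_zone = f"{region}.cloudapp.{ext}"
    return {
        "fqdn": fqdn,
        "endpoints": [f"https://{host}.{fqdn}" for host in ENDPOINT_HOSTS],
        "dns_label_zone": label_zone,
        "parent_zone": ext,
        # Both zones are served by the Azure Stack Hub external DNS servers, so the
        # parent zone needs a delegation or conditional forwarder for each of them.
        "delegations_needed": [fqdn, label_zone],
    }


def dns_label_fqdn(label, region, external_domain):
    """FQDN a tenant gets for a DNS name label on a public IP address resource."""
    zone = derive_namespace(region, external_domain)["dns_label_zone"]
    return f"{label.lower()}.{zone}"


def validate_worksheet(region, external_domain, internal_domain, forwarders, naming_prefix=None):
    """Check the DNS-related worksheet fields; returns (derived namespace, list of problems)."""
    problems = []
    region_l = region.lower()
    ext = external_domain.lower().rstrip(".")
    internal = internal_domain.lower().rstrip(".")

    if not LABEL_RE.match(region_l):
        problems.append(f"region {region!r} must be a single DNS label")
    if not _is_zone_name(ext):
        problems.append(f"external domain {external_domain!r} is not a valid zone name")

    valid = []
    for fwd in forwarders:
        try:
            valid.append(str(ipaddress.ip_address(fwd)))
        except ValueError:
            problems.append(f"forwarder {fwd!r} is not an IP address")
    if not valid:
        problems.append("no DNS forwarders: deployment fails without them")
    elif len(valid) < 2:
        problems.append("only one DNS forwarder: provide at least two for fault tolerance")

    prefix = (naming_prefix or DEFAULT_NAMING_PREFIX).lower()
    if not LABEL_RE.match(prefix):
        problems.append(f"naming prefix {naming_prefix!r} is not a valid DNS label")

    derived = derive_namespace(region_l, ext)
    derived["internal_zone"] = internal
    derived["forwarders"] = valid
    derived["naming_prefix"] = prefix
    return derived, problems


if __name__ == "__main__":
    # constructed sample worksheet values (forwarders are documentation addresses)
    derived, problems = validate_worksheet(
        "east", "cloud.fabrikam.com", "azurestack.local", ["192.0.2.53", "198.51.100.53"])
    print(derived["delegations_needed"], problems)
    print(dns_label_fqdn("myapp", "east", "cloud.fabrikam.com"))
```

The `delegations_needed` list is the item most often missed in practice: a delegation for `east.cloud.fabrikam.com` alone makes the portals resolvable but leaves every tenant DNS name label under `east.cloudapp.cloud.fabrikam.com` unresolvable from outside until the second delegation or conditional forwarder exists.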

Firewall design overview

It's recommended that you use a firewall device to help secure Azure Stack Hub ruggedized. Firewalls can help defend against things like distributed denial-of-service (DDoS) attacks, and provide intrusion detection and content inspection. However, they can also become a throughput bottleneck for Azure storage services like blobs, tables, and queues.

If a disconnected deployment mode is used, you must publish the AD FS endpoint. For more information, see the datacenter integration identity article.

The Azure Resource Manager (administrator), administrator portal, and Key Vault (administrator) endpoints don't necessarily require external publishing. For example, as a service provider, you could limit the attack surface by only administering Azure Stack Hub ruggedized from inside your network, and not from the Internet.

For enterprise organizations, the external network can be the existing corporate network. In this scenario, you must publish endpoints to operate Azure Stack Hub ruggedized from the corporate network.

Network Address Translation

Network Address Translation (NAT) is the recommended method to allow the deployment virtual machine (DVM) to access external resources during deployment, and to allow the Emergency Recovery Console (ERCS) VMs or the privileged endpoint (PEP) to do so during registration and troubleshooting.

NAT can also be an alternative to public IP addresses on the external network or public VIPs. However, it's not recommended, because it limits the tenant user experience and increases complexity. One option would be a one-to-one NAT, which still requires one public IP per user IP in the pool. Another option is a many-to-one NAT, which requires a NAT rule per user VIP for all ports a user might use.

Some of the downsides of using NAT for public VIPs are:

  • Overhead when managing firewall rules, as users control their own endpoints and publishing rules in the software-defined networking (SDN) stack. Users must contact the Azure Stack Hub ruggedized operator to get their VIPs published and to update the port list.
  • While NAT usage limits the user experience, it gives the operator full control over publishing requests.
  • For hybrid cloud scenarios with Azure, consider that Azure doesn't support setting up a VPN tunnel to an endpoint using NAT.

SSL interception

It's currently recommended to disable any SSL interception (for example, decryption offloading) on all Azure Stack Hub ruggedized traffic. If it's supported in future updates, guidance will be provided about how to enable SSL interception for Azure Stack Hub ruggedized.

Edge deployment firewall scenario

In an edge deployment, Azure Stack Hub ruggedized is deployed directly behind the edge router or the firewall. In these scenarios, the firewall can be above the border (Scenario 1), where both active-active and active-passive firewall configurations are supported. It can also act as the border device (Scenario 2), where only an active-active firewall configuration is supported. Scenario 2 relies on equal-cost multi-path (ECMP) with either BGP or static routing for failover.

Public routable IP addresses are specified for the public VIP pool from the external network at deployment time. For security purposes, public routable IPs aren't recommended on any other network in an edge scenario. This scenario enables a user to experience the full self-controlled cloud experience, as in a public cloud like Azure.

Diagram: Azure Stack Hub ruggedized edge firewall scenario

Enterprise intranet or perimeter network firewall scenario

In an enterprise intranet or perimeter deployment, Azure Stack Hub ruggedized is deployed on a multi-zoned firewall, or in between the edge firewall and the internal corporate network firewall. Its traffic is then distributed between the secure, perimeter network (or DMZ), and unsecure zones as described below:

  • Secure zone: The internal network that uses internal or corporate routable IP addresses. The secure network can be divided. It can have Internet outbound access through the firewall NAT. It's normally accessible from inside your datacenter via the internal network. All Azure Stack Hub ruggedized networks should reside in the secure zone, except for the external network's public VIP pool.
  • Perimeter zone: The perimeter network is where external or Internet-facing apps like web servers are typically deployed. It's normally monitored by a firewall to avoid attacks like DDoS and intrusion (hacking) while still allowing specified inbound traffic from the Internet. Only the external network public VIP pool of Azure Stack Hub ruggedized should reside in the DMZ zone.
  • Unsecure zone: The external network, the Internet. Deploying Azure Stack Hub ruggedized in the unsecure zone isn't recommended.

Diagram: perimeter network firewall scenario

VPN design overview

Although VPN is a user concept, there are some important considerations that a solution owner and operator need to know.

Before you can send network traffic between your Azure virtual network and your on-premises site, you must create a virtual network (VPN) gateway for your virtual network.

A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can use VPN gateways to send traffic securely between a virtual network in Azure Stack Hub ruggedized and a virtual network in Azure. You can also send traffic securely between a virtual network and another network that is connected to a VPN device.

When you create a virtual network gateway, you specify the gateway type that you want to create. Azure Stack Hub ruggedized supports one type of virtual network gateway: the Vpn type.

Each virtual network can have two virtual network gateways, but only one of each type. Depending on the settings that you choose, you can create multiple connections to a single VPN gateway. An example of this kind of setup is a multi-site connection configuration.

Before you create and configure VPN gateways for Azure Stack Hub ruggedized, review the considerations for Azure Stack Hub ruggedized networking. You learn how configurations for Azure Stack Hub ruggedized differ from Azure.

In Azure, the bandwidth throughput for the VPN gateway SKU you choose must be divided across all connections that are connected to the gateway. In Azure Stack Hub ruggedized, however, the bandwidth value for the VPN gateway SKU is applied to each connection resource that is connected to the gateway. For example:

  • In Azure, the Basic VPN gateway SKU can accommodate approximately 100 Mbps of aggregate throughput. If you create two connections to that VPN gateway, and one connection is using 50 Mbps of bandwidth, then 50 Mbps is available to the other connection.
  • In Azure Stack Hub ruggedized, each connection to the Basic VPN gateway SKU is allocated 100 Mbps of throughput.

VPN types

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. A VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

Important

Currently, Azure Stack Hub ruggedized only supports the route-based VPN type. If your device only supports policy-based VPNs, then connections to those devices from Azure Stack Hub ruggedized are not supported. In addition, Azure Stack Hub ruggedized does not support using policy-based traffic selectors for route-based gateways at this time, because custom IPsec/IKE policy configurations are not supported.

  • PolicyBased: Policy-based VPNs encrypt and direct packets through IPsec tunnels, based on IPsec policies. Policies are configured with the combinations of address prefixes between your on-premises network and the Azure Stack Hub ruggedized VNet. The policy, or traffic selector, is usually an access list in the VPN device configuration. PolicyBased is supported in Azure, but not in Azure Stack Hub ruggedized.
  • RouteBased: Route-based VPNs use routes that are configured in the IP forwarding or routing table. The routes direct packets to their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy, or traffic selector, for RouteBased VPNs is configured as any-to-any (or uses wildcards). By default, it can't be changed. The value for a RouteBased VPN type is RouteBased.

Configuring a VPN gateway

A VPN gateway connection relies on several resources that are configured with specific settings. Most of these resources can be configured separately, but in some cases they must be configured in a specific order.

Settings

The settings that you choose for each resource are critical for creating a successful connection.

This article helps you understand:

  • Gateway types, VPN types, and connection types.
  • Gateway subnets, local network gateways, and other resource settings that you might want to consider.

Connection topology diagrams

There are different configurations available for VPN gateway connections. Determine which configuration best fits your needs. In the following sections, you can view information and topology diagrams about the following VPN gateway connections:

  • Available deployment model
  • Available configuration tools
  • Links that take you directly to an article, if available

The diagrams and descriptions in the following sections can help you select a connection topology to match your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using the diagrams as a guide.

Site-to-site and multi-site (IPsec/IKE VPN tunnel)

Site-to-site

A site-to-site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv2) VPN tunnel. This type of connection requires a VPN device that is located on-premises and is assigned a public IP address. This device can't be located behind a NAT. S2S connections can be used for cross-premises and hybrid configurations.

Multi-site

A multi-site connection is a variation of the site-to-site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a route-based VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth.

Gateway SKUs

When you create a virtual network gateway for Azure Stack Hub ruggedized, you specify the gateway SKU that you want to use. The following VPN gateway SKUs are supported:

  • Basic
  • Standard
  • High Performance

Selecting a higher gateway SKU allocates more CPUs and network bandwidth to the gateway. As a result, the gateway can support higher network throughput to the virtual network.

Azure Stack Hub ruggedized doesn't support the Ultra Performance gateway SKU, which is used exclusively with ExpressRoute.

Consider the following when you select the SKU:

  • Azure Stack Hub ruggedized doesn't support policy-based gateways.
  • BGP isn't supported on the Basic SKU.
  • ExpressRoute-VPN gateway coexisting configurations aren't supported in Azure Stack Hub ruggedized.

Gateway availability

High availability scenarios can only be configured on the High-Performance Gateway connection SKU. Unlike Azure, which provides availability through both active/active and active/passive configurations, Azure Stack Hub ruggedized supports only the active/passive configuration.

Failover

There are three multi-tenant gateway infrastructure VMs in Azure Stack Hub ruggedized. Two of these VMs are in active mode, and the third is in redundant mode. VPN connections are created on the active VMs; the redundant VM accepts VPN connections only after a failover. If an active gateway VM becomes unavailable, the VPN connection fails over to the redundant VM after a short period (a few seconds) of connection loss.

Estimated aggregate throughput by SKU

The following table shows the gateway types and the estimated aggregate throughput by gateway SKU:

Gateway SKU | VPN Gateway throughput (1) | VPN Gateway max IPsec tunnels (2)
Basic SKU (3) | 100 Mbps | 20
Standard SKU | 100 Mbps | 20
High-Performance SKU | 200 Mbps | 10

Table notes

(1) - VPN throughput isn't a guaranteed throughput for cross-premises connections across the Internet. It's the maximum possible throughput measurement.
(2) - Max tunnels is the total per Azure Stack Hub ruggedized deployment for all subscriptions.
(3) - BGP routing isn't supported for the Basic SKU.

Important

Only one site-to-site VPN connection can be created between two Azure Stack Hub ruggedized deployments. This is due to a limitation in the platform that allows only a single VPN connection to the same IP address. Because Azure Stack Hub ruggedized uses the multi-tenant gateway, which uses a single public IP for all VPN gateways in the Azure Stack Hub ruggedized system, there can be only one VPN connection between two Azure Stack Hub ruggedized systems.

This limitation also applies to connecting more than one site-to-site VPN connection to any VPN gateway that uses a single IP address. Azure Stack Hub ruggedized does not allow more than one local network gateway resource to be created using the same IP address.

IPsec/IKE parameters

When you set up a VPN connection in Azure Stack Hub ruggedized, you must configure the connection at both ends. If you're configuring a VPN connection between Azure Stack Hub ruggedized and a hardware device (for example, a switch or router that's acting as a VPN gateway), that device might ask you for additional settings.

Unlike Azure, which supports multiple offers as both an initiator and a responder, Azure Stack Hub ruggedized supports only one offer by default. If you need to use different IPsec/IKE settings to work with your VPN device, additional settings are available for configuring the connection manually.

IKE Phase 1 (Main Mode) parameters

Property | Value
IKE Version | IKEv2
Diffie-Hellman Group | ECP384
Authentication Method | Pre-Shared Key
Encryption & Hashing Algorithms | AES256, SHA384
SA Lifetime (Time) | 28,800 seconds

IKE Phase 2 (Quick Mode) parameters

Property | Value
IKE Version | IKEv2
Encryption & Hashing Algorithms (Encryption) | GCMAES256
Encryption & Hashing Algorithms (Authentication) | GCMAES256
SA Lifetime (Time) | 27,000 seconds
SA Lifetime (Kilobytes) | 33,553,408
Perfect Forward Secrecy (PFS) | ECP384
Dead Peer Detection | Supported

Configure custom IPsec/IKE connection policies

The IPsec and IKE protocol standards support a wide range of cryptographic algorithms in various combinations. To see which parameters are supported in Azure Stack Hub ruggedized to satisfy compliance or security requirements, see IPsec/IKE parameters.

This article provides instructions on how to create and configure an IPsec/IKE policy and apply it to a new or existing connection.

Considerations

Note the following important considerations when using these policies:

  • The IPsec/IKE policy only works on the Standard and HighPerformance (route-based) gateway SKUs.
  • You can specify only one policy combination for a given connection.
  • You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification isn't allowed.
  • Consult your VPN device vendor's specifications to ensure the policy is supported on your on-premises VPN devices. Site-to-site connections can't be established if the policies are incompatible.

Workflow to create and set IPsec/IKE policy

This section outlines the workflow required to create and update the IPsec/IKE policy on a site-to-site VPN connection:

  1. Create a virtual network and a VPN gateway.
  2. Create a local network gateway for the cross-premises connection.
  3. Create an IPsec/IKE policy with the selected algorithms and parameters.
  4. Create an IPsec connection with the IPsec/IKE policy.
  5. Add, update, or remove the IPsec/IKE policy on an existing connection.
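The five steps above carried out in Azure PowerShell, as an added example that is not taken from this article or from Microsoft's own samples. It assumes the Az.Network cmdlets (Azure Stack Hub environments that still use the AzureRM module take the AzureRm-prefixed equivalents with the same parameters); every resource name, address prefix, the region name "local", the peer address 203.0.113.10 (a documentation range) and the shared-key placeholder are assumptions. The policy values come from the IPsec/IKE parameter tables earlier in this article.

```powershell
# Added example (not from the original article): site-to-site connection with a
# custom IPsec/IKE policy on Azure Stack Hub ruggedized using Az.Network cmdlets.
# All names, address ranges, the region name and the peer IP are placeholders.

$rg       = "rg-s2s-demo"   # assumed resource group (created beforehand)
$location = "local"         # assumed Azure Stack Hub ruggedized region name

# 1. Virtual network with a GatewaySubnet and a route-based VPN gateway.
#    Custom policies work only on the Standard and HighPerformance SKUs.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.10.255.0/27"
$vnet     = New-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg -Location $location `
              -AddressPrefix "10.10.0.0/16" -Subnet $gwSubnet
$gwPip    = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
              -AllocationMethod Dynamic
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" -SubnetId $gwSubnet.Id `
              -PublicIpAddressId $gwPip.Id
$vpnGw    = New-AzVirtualNetworkGateway -Name "vpngw-demo" -ResourceGroupName $rg -Location $location `
              -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku HighPerformance

# 2. Local network gateway describing the on-premises side. Only one local
#    network gateway may exist per peer IP address on this platform.
$lng = New-AzLocalNetworkGateway -Name "lng-onprem" -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress "203.0.113.10" -AddressPrefix @("192.168.0.0/16")   # placeholder peer

# 3. IPsec/IKE policy with the values from the Phase 1 / Phase 2 tables.
#    Every Phase 1 and Phase 2 field is set; a partial policy is rejected.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup ECP384 `
                 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup ECP384 `
                 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 4. Connection that carries the policy. The shared key is a placeholder;
#    generate a strong one and keep it in a secret store.
$conn = New-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg -Location $location `
          -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
          -IpsecPolicies $ipsecPolicy -SharedKey "<replace-with-shared-key>"

# 5a. Update the policy on the existing connection (e.g. move to MODP group 14).
$conn = Get-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg
$newPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
               -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
               -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn -IpsecPolicies $newPolicy

# 5b. Remove the custom policy again (the connection falls back to the default offer).
$conn = Get-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg
$conn.IpsecPolicies.Remove($conn.IpsecPolicies[0])
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn

# Verify the policy the connection actually carries.
(Get-AzVirtualNetworkGatewayConnection -Name "conn-onprem" -ResourceGroupName $rg).IpsecPolicies
```

Step 5a deliberately changes Phase 1, Phase 2 and PFS together: because a connection holds exactly one complete policy, the on-premises device must be reconfigured to the same set before the update, or the tunnel will not re-establish.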

Supported cryptographic algorithms and key strengths

The following table lists the supported cryptographic algorithms and key strengths configurable by Azure Stack Hub ruggedized customers:

IPsec/IKEv2 | Options
IKEv2 Encryption | AES256, AES192, AES128, DES3, DES
IKEv2 Integrity | SHA384, SHA256, SHA1, MD5
DH Group | ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None
IPsec Encryption | GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity | GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group | PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime | (Optional: default values are used if not specified) Seconds (integer; min. 300/default 27,000 seconds); KBytes (integer; min. 1024/default 102,400,000 KBytes)
Traffic Selector | Policy-based Traffic Selectors aren't supported in Azure Stack Hub ruggedized.

Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify in the Azure IPsec/IKE policy:

  • IKE encryption algorithm (Main Mode / Phase 1).
  • IKE integrity algorithm (Main Mode / Phase 1).
  • DH Group (Main Mode / Phase 1).
  • IPsec encryption algorithm (Quick Mode / Phase 2).
  • IPsec integrity algorithm (Quick Mode / Phase 2).
  • PFS Group (Quick Mode / Phase 2).
  • The SA lifetimes are local specifications only; they don't need to match.

If GCMAES is used as the IPsec encryption algorithm, you must select the same GCMAES algorithm and key length for IPsec integrity. For example, use GCMAES128 for both.

In the preceding table:

  • IKEv2 corresponds to Main Mode or Phase 1.
  • IPsec corresponds to Quick Mode or Phase 2.
  • DH Group specifies the Diffie-Hellman Group used in Main Mode or Phase 1.
  • PFS Group specifies the Diffie-Hellman Group used in Quick Mode or Phase 2.
  • IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure Stack Hub ruggedized VPN gateways.

The following table lists the corresponding Diffie-Hellman Groups supported by the custom policy:

Diffie-Hellman Group | DHGroup | PFSGroup | Key length
1 | DHGroup1 | PFS1 | 768-bit MODP
2 | DHGroup2 | PFS2 | 1024-bit MODP
14 | DHGroup14, DHGroup2048 | PFS2048 | 2048-bit MODP
19 | ECP256 | ECP256 | 256-bit ECP
20 | ECP384 | ECP384 | 384-bit ECP
24 | DHGroup24 | PFS24 | 2048-bit MODP
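An offline pre-check of the "must match or contain" rules above and of the GCMAES rule, written as an added example that is not part of this article. It runs in plain PowerShell with no Azure cmdlets: the Azure-side policy is a hashtable with the same field names the policy cmdlet uses, the device side is a hashtable of the options the on-premises device is configured to offer, and the group-number map comes from the Diffie-Hellman table directly above, so DHGroup14, DHGroup2048 and PFS2048 (and a device that reports the bare number 14) are all treated as the same group. The two sample hashtables at the end are constructed data, not exported configurations.

```powershell
# Added example (not from the original article): check that an on-premises
# device's proposal satisfies an Azure Stack Hub ruggedized IPsec/IKE policy.

# Group numbers for the DHGroup / PFSGroup names in the table above.
$DhGroupNumber = @{
    DHGroup1 = 1;  DHGroup2 = 2;  DHGroup14 = 14; DHGroup2048 = 14
    ECP256   = 19; ECP384   = 20; DHGroup24 = 24
    PFS1     = 1;  PFS2     = 2;  PFS2048   = 14; PFS24 = 24
}

function Test-IpsecPolicyCompatibility {
    param(
        [Parameter(Mandatory)][hashtable]$AzurePolicy,    # exactly one policy per connection
        [Parameter(Mandatory)][hashtable]$DeviceProposal  # each field may list several options
    )
    $problems = @()

    # Phase 1 and Phase 2 algorithms: the device must offer the Azure value.
    foreach ($field in 'IkeEncryption', 'IkeIntegrity', 'IpsecEncryption', 'IpsecIntegrity') {
        if ($DeviceProposal[$field] -notcontains $AzurePolicy[$field]) {
            $problems += "$field '$($AzurePolicy[$field])' is not offered by the device"
        }
    }

    # DH group (Phase 1) and PFS group (Phase 2): compare by group number, because
    # the two sides name the same group differently (DHGroup2048 vs PFS2048 vs 14).
    foreach ($field in 'DhGroup', 'PfsGroup') {
        $azureName = $AzurePolicy[$field]
        if ($azureName -eq 'None') { continue }   # PFS/DH disabled on the Azure side
        $azureNum   = $DhGroupNumber[$azureName]
        $deviceNums = @($DeviceProposal[$field] | ForEach-Object {
            if ($DhGroupNumber.ContainsKey($_)) { $DhGroupNumber[$_] } else { [int]$_ }
        })
        if ($deviceNums -notcontains $azureNum) {
            $problems += "$field $azureName (group $azureNum) is not offered by the device"
        }
    }

    # GCMAES rule: an AEAD cipher must be repeated, with the same key length, as the
    # IPsec integrity value (for example GCMAES128 for both).
    if ($AzurePolicy.IpsecEncryption -like 'GCMAES*' -and
        $AzurePolicy.IpsecIntegrity -ne $AzurePolicy.IpsecEncryption) {
        $problems += "IpsecIntegrity must equal IpsecEncryption ($($AzurePolicy.IpsecEncryption)) when GCMAES is used"
    }

    # SA lifetimes are local to each side and are intentionally not compared.
    [pscustomobject]@{ Compatible = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: the Azure-side policy from the Phase 1 / Phase 2 tables.
$azure = @{
    IkeEncryption = 'AES256';    IkeIntegrity = 'SHA384';    DhGroup = 'ECP384'
    IpsecEncryption = 'GCMAES256'; IpsecIntegrity = 'GCMAES256'; PfsGroup = 'ECP384'
}
# Constructed sample: a device that reports groups numerically and offers only
# MODP group 14 for PFS, so the PFS check is the one that fails.
$device = @{
    IkeEncryption = @('AES256', 'AES128'); IkeIntegrity = @('SHA384', 'SHA256'); DhGroup = @('20', '14')
    IpsecEncryption = @('GCMAES256');      IpsecIntegrity = @('GCMAES256');      PfsGroup = @('14')
}
Test-IpsecPolicyCompatibility -AzurePolicy $azure -DeviceProposal $device
```

Run this before creating the connection: a policy that fails here cannot establish a site-to-site tunnel, and the gateway only reports a generic negotiation failure, not which field disagreed.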

Connect Azure Stack Hub ruggedized to Azure using Azure ExpressRoute

Overview, assumptions, and prerequisites

Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud. You use a private connection supplied by a connectivity provider. ExpressRoute isn't a VPN connection over the public Internet.

For more information about Azure ExpressRoute, see the ExpressRoute overview.

Assumptions

This article assumes that:

  • You have a working knowledge of Azure.
  • You have a basic understanding of Azure Stack Hub ruggedized.
  • You have a basic understanding of networking.

Prerequisites

To connect Azure Stack Hub ruggedized and Azure using ExpressRoute, you must meet the following requirements:

  • A provisioned ExpressRoute circuit through a connectivity provider.
  • An Azure subscription to create an ExpressRoute circuit and VNets in Azure.
  • A router that supports:
    • Site-to-site VPN connections between its LAN interface and the Azure Stack Hub ruggedized multi-tenant gateway.
    • Creating multiple VRFs (Virtual Routing and Forwarding) if there's more than one tenant in your Azure Stack Hub ruggedized deployment.
  • A router that has:
    • A WAN port connected to the ExpressRoute circuit.
    • A LAN port connected to the Azure Stack Hub ruggedized multi-tenant gateway.

ExpressRoute network architecture

The following figure shows the Azure Stack Hub ruggedized and Azure environments after you finish setting up ExpressRoute using the examples in this article:

[Figure: ExpressRoute network architecture]

The following figure shows how multiple tenants connect from the Azure Stack Hub ruggedized infrastructure through the ExpressRoute router to Azure:

[Figure: ExpressRoute network architecture, multi-tenant]