Deploy highly available network virtual appliances on Azure Stack Hub

This article shows you how to deploy a set of network virtual appliances (NVAs) for high availability in Azure Stack Hub. An NVA is typically used to control the flow of network traffic from a perimeter network (also known as a DMZ) to other networks or subnets. The article includes example architectures for ingress only, egress only, and both ingress and egress.

NVAs from different vendors are available on the Azure Stack Hub Marketplace; choose one of them for optimal performance.

The architecture has the following components.

Networking and load balancing

  • Virtual network and subnets. Every VM is deployed into a virtual network that can be segmented into subnets. Create a separate subnet for each tier.

  • Layer 7 load balancer. Application Gateway is not yet available on Azure Stack Hub, so use one of the alternatives on the Azure Stack Hub Marketplace, such as KEMP LoadMaster Load Balancer ADC Content Switch, F5 BIG-IP Virtual Edition, or A10 vThunder ADC.

  • Load balancers. Use Azure Load Balancer to distribute network traffic from the web tier to the business tier, and from the business tier to SQL Server.

  • Network security groups (NSGs). Use NSGs to restrict network traffic within the virtual network. For example, in the three-tier architecture shown here, the database tier doesn't accept traffic from the web front end, only from the business tier and the management subnet.

  • UDRs. Use user-defined routes (UDRs) to steer traffic to the load balancer that fronts the NVAs: a route whose next hop type is VirtualAppliance and whose next hop address is the load balancer's front-end IP.
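The database-tier restriction described in the NSG item above, written out as an added example (Az PowerShell run against an Azure Stack Hub user endpoint after Connect-AzAccount; this is not code from the original page). The resource group, region, VNet and subnet names, and the address ranges are assumptions.

```powershell
# Added example: NSG for the database tier of the three-tier layout.
# Only the business tier and the management subnet may reach it; the web
# front end is denied explicitly. All names and ranges below are assumptions.

$rg       = 'rg-nva-ha'      # assumed resource group
$location = 'local'          # assumed Azure Stack Hub region name
$webTier  = '10.0.1.0/24'    # assumed subnet ranges
$bizTier  = '10.0.2.0/24'
$dbTier   = '10.0.3.0/24'
$mgmtTier = '10.0.4.0/24'

$rules = @(
    # Business tier may reach SQL Server (TCP 1433) in the database tier.
    New-AzNetworkSecurityRuleConfig -Name 'allow-sql-from-business' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $bizTier -SourcePortRange '*' `
        -DestinationAddressPrefix $dbTier -DestinationPortRange 1433

    # Management subnet may open RDP/SSH sessions to the database tier.
    New-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-admin' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $mgmtTier -SourcePortRange '*' `
        -DestinationAddressPrefix $dbTier -DestinationPortRange @('3389', '22')

    # Keep load balancer health probes working for a load-balanced SQL tier;
    # without this the catch-all deny below also drops the probes.
    New-AzNetworkSecurityRuleConfig -Name 'allow-lb-probe' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # Explicit deny for the web front end. Its priority number is lower than
    # the default AllowVnetInBound rule (65000), which would otherwise admit it.
    New-AzNetworkSecurityRuleConfig -Name 'deny-web-to-db' -Priority 200 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix $webTier -SourcePortRange '*' `
        -DestinationAddressPrefix $dbTier -DestinationPortRange '*'

    # Catch-all: nothing else in the VNet reaches the database tier.
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-db-tier' -SecurityRules $rules

# Attach the NSG to the database subnet and commit the VNet change.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-3tier'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'db-subnet' `
    -AddressPrefix $dbTier -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review the resulting rule set in evaluation order (lowest priority number wins).
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

The explicit deny-web-to-db rule is redundant with the catch-all, but it records the design intent and survives if someone later raises the catch-all's priority number or removes it. Note that NSG rules are evaluated by priority number, so any allow you add later must sit below 4000 or it never takes effect.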

This article assumes a basic understanding of Azure Stack Hub networking.

Architecture diagrams

An NVA can be deployed to a perimeter network in many different architectures. For example, the following figure illustrates the use of a single NVA for ingress.

Figure: a single NVA used for ingress.

In this architecture, the NVA provides a secure network boundary by inspecting all inbound and outbound network traffic and passing only the traffic that meets the network security rules. Because all network traffic must pass through the NVA, the NVA is a single point of failure in the network: if it fails, there is no other path for network traffic and all the back-end subnets become unavailable.

To make the NVA highly available, deploy more than one NVA into an availability set.

The following architectures describe the resources and configuration necessary for highly available NVAs:

Solution: Ingress with layer 7 NVAs
  • Benefits: All NVA nodes are active.
  • Considerations: Requires an NVA that can terminate connections and use SNAT. Requires a separate set of NVAs for traffic coming from the enterprise network or the internet and for traffic coming from Azure Stack Hub. Can only be used for traffic originating outside Azure Stack Hub.

Solution: Egress with layer 7 NVAs
  • Benefits: All NVA nodes are active.
  • Considerations: Requires an NVA that can terminate connections and implement source network address translation (SNAT).

Solution: Ingress-egress with layer 7 NVAs
  • Benefits: All nodes are active. Able to handle traffic that originates in Azure Stack Hub.
  • Considerations: Requires an NVA that can terminate connections and use SNAT. Requires a separate set of NVAs for traffic coming from the enterprise network or the internet and for traffic coming from Azure Stack Hub.

Ingress with layer 7 NVAs

The following figure shows a high availability architecture that implements an ingress perimeter network behind an internet-facing load balancer. This architecture is designed to provide connectivity to Azure Stack Hub workloads for layer 7 traffic, such as HTTP or HTTPS:

Figure: ingress perimeter network with layer 7 NVAs behind an internet-facing load balancer.

The benefit of this architecture is that all NVAs are active; if one fails, the load balancer directs network traffic to the others. Both NVAs route traffic to the internal load balancer, so as long as one NVA is active, traffic continues to flow. The NVAs are required to terminate SSL/TLS traffic intended for the web tier VMs. These NVAs cannot be extended to handle enterprise network traffic, because enterprise network traffic requires another dedicated set of NVAs with their own network routes.

Egress with layer 7 NVAs

The ingress with layer 7 NVAs architecture can be expanded to provide an egress perimeter network for requests originating in the Azure Stack Hub workload. The following architecture is designed to provide high availability of the NVAs in the perimeter network for layer 7 traffic, such as HTTP or HTTPS:

Figure: egress perimeter network with layer 7 NVAs behind an internal load balancer.

In this architecture, all traffic originating in Azure Stack Hub is routed to an internal load balancer. The load balancer distributes the outgoing requests across a set of NVAs, and each NVA sends the traffic on to the internet using its own public IP address.
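The ingress and egress architectures above rest on the same building blocks: NVAs placed in an availability set, an internal load balancer in front of them with a health probe, and a route that forces the workload's traffic through that load balancer. The following added example (Az PowerShell against an Azure Stack Hub user endpoint; not code from the original page) builds those pieces for the egress case, including a public IP per NVA as described in the paragraph above. All names, address ranges and ports are assumptions, and the NVA VMs themselves (a Marketplace image attached to these NICs and to the availability set with New-AzVM) are not shown.

```powershell
# Added example: HA NVA plumbing for the egress perimeter network.
# Assumes an existing VNet 'vnet-3tier' with subnets 'dmz-subnet' (NVAs) and
# 'web-subnet' (workload). Names, addresses and ports are assumptions.

$rg       = 'rg-nva-ha'
$location = 'local'
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-3tier'
$dmzSub   = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'dmz-subnet'
$ilbIp    = '10.0.0.4'    # assumed static front-end IP inside dmz-subnet

# 1. Availability set: the two NVAs never share a fault or update domain,
#    so a host failure or platform update takes down at most one of them.
$avset = New-AzAvailabilitySet -ResourceGroupName $rg -Location $location `
    -Name 'avset-nva' -Sku Aligned `
    -PlatformFaultDomainCount 2 -PlatformUpdateDomainCount 2

# 2. Internal load balancer in front of the NVAs.
#    The Azure Stack Hub SLB is Basic SKU and has no HA-ports rule, so one
#    load-balancing rule is needed per protocol/port the NVAs must carry.
$fe    = New-AzLoadBalancerFrontendIpConfig -Name 'fe-nva' `
    -PrivateIpAddress $ilbIp -SubnetId $dmzSub.Id
$pool  = New-AzLoadBalancerBackendAddressPoolConfig -Name 'pool-nva'
$probe = New-AzLoadBalancerProbeConfig -Name 'probe-nva' -Protocol Tcp -Port 443 `
    -IntervalInSeconds 5 -ProbeCount 2     # two missed probes = NVA out of rotation
$lbRules = foreach ($port in 80, 443) {
    # SourceIP affinity keeps all flows of one workload VM on the same NVA,
    # which reduces the asymmetric-routing cases discussed later on the page.
    New-AzLoadBalancerRuleConfig -Name "rule-tcp-$port" -Protocol Tcp `
        -FrontendPort $port -BackendPort $port -IdleTimeoutInMinutes 4 `
        -LoadDistribution SourceIP `
        -FrontendIpConfiguration $fe -BackendAddressPool $pool -Probe $probe
}
$ilb = New-AzLoadBalancer -ResourceGroupName $rg -Location $location -Name 'ilb-nva' `
    -FrontendIpConfiguration $fe -BackendAddressPool $pool -Probe $probe `
    -LoadBalancingRule $lbRules

# 3. One NIC per NVA with its own static public IP (egress source address) and
#    IP forwarding enabled; without it the platform drops packets whose
#    destination is not the NIC's own address, so the NVA can never forward.
$nics = foreach ($i in 1, 2) {
    $pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
        -Name "pip-nva$i" -AllocationMethod Static
    New-AzNetworkInterface -ResourceGroupName $rg -Location $location -Name "nic-nva$i" `
        -SubnetId $dmzSub.Id -PublicIpAddressId $pip.Id -EnableIPForwarding `
        -LoadBalancerBackendAddressPoolId $ilb.BackendAddressPools[0].Id
}

# 4. Route table for the workload subnet: the default route's next hop is the
#    ILB front end, so traffic leaving Azure Stack Hub always transits an NVA.
#    Do NOT associate this table with dmz-subnet; the NVAs' own egress would
#    loop back into the load balancer.
$route = New-AzRouteConfig -Name 'default-via-nva' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $ilbIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Location $location `
    -Name 'rt-workload' -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'web-subnet' `
    -AddressPrefix '10.0.1.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Objects to feed into the NVA VM deployment (New-AzVM -AvailabilitySetId / -NetworkInterface).
$avset.Id
$nics | Select-Object Name, EnableIPForwarding, @{n='PublicIp';e={$_.IpConfigurations[0].PublicIpAddress.Id}}
```

Two operational checks follow from this layout. First, each NVA must answer the probe on the port you chose (443 here) from the platform's probe source address, or the load balancer removes it from rotation and the remaining NVA silently carries all traffic; alert on probe state rather than discovering it at the second failure. Second, the NVA must perform SNAT toward its own public IP for these flows, since the workload VMs have only private addresses; that is vendor configuration on the appliance and is not shown here.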

Ingress-egress with layer 7 NVAs

In the two preceding architectures, there was a separate perimeter network for ingress and for egress. The following architecture demonstrates how to create a perimeter network that serves both ingress and egress for layer 7 traffic, such as HTTP or HTTPS:

Figure: a single perimeter network with layer 7 NVAs handling both ingress and egress.

In the ingress-egress with layer 7 NVAs architecture, the NVAs process incoming requests from a layer 7 load balancer. The NVAs also process outgoing requests from the workload VMs in the back-end pool of the load balancer. Because incoming traffic arrives through the layer 7 load balancer while outgoing traffic is distributed by the SLB (the Azure Stack Hub Basic load balancer), the two paths are balanced independently, and the NVAs are responsible for maintaining session affinity. The layer 7 load balancer keeps a mapping of inbound requests to the NVA that handled them so it can forward each response to the original requester, but the internal load balancer has no access to that mapping and uses its own distribution logic when it sends responses to the NVAs. It can therefore deliver a response to an NVA that never received the request from the layer 7 load balancer. In that case, the NVAs must communicate and hand the response over, so the NVA that owns the session can forward it to the layer 7 load balancer.

Note

You can also solve the asymmetric routing issue by having the NVAs perform source network address translation (SNAT) on inbound flows. The NVA replaces the requester's original source IP with one of the IP addresses it uses on the inbound path, so the workload's return traffic is addressed to that NVA and comes back through it. This lets you run multiple NVAs at the same time while preserving route symmetry. The trade-off is that the workload no longer sees the client's real source address; if the application or its logs need it, the NVA has to carry it at layer 7 (for example in an X-Forwarded-For header), which is a capability to confirm with the NVA vendor.
