關於 BGP 與 Azure VPN 閘道About BGP with Azure VPN Gateway

這篇文章提供 Azure VPN 閘道中的 BGP (邊界閘道協定) 支援概觀。This article provides an overview of BGP (Border Gateway Protocol) support in Azure VPN Gateway.

BGP 是常用於網際網路的標準路由通訊協定,可交換兩個或多個網路之間的路由和可執行性資訊。BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability information between two or more networks. 在 Azure 虛擬網路的內容中使用時,BGP 會啟用 Azure VPN 閘道,以及內部部署 VPN 裝置 (稱為 BGP 對等互連或鄰近項目) 來交換「路由」,其會通知這兩個閘道對要通過閘道的首碼或所涉及之路由器的可用性和可執行性。When used in the context of Azure Virtual Networks, BGP enables the Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability and reachability for those prefixes to go through the gateways or routers involved. BGP 也可以傳播從一個 BGP 對等互連到所有其他 BGP 對等所識別的 BGP 閘道,來啟用多個網路之間的傳輸路由。BGP can also enable transit routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other BGP peers.

為何要使用 BGP?Why use BGP?

BGP 是選用功能,可供您與 Azure 路由 VPN 閘道搭配使用。BGP is an optional feature you can use with Azure Route-Based VPN gateways. 您也應該要先確定您的內部部署 VPN 裝置支援 BGP 後,再啟用此功能。You should also make sure your on-premises VPN devices support BGP before you enable the feature. 您可以無需 BGP 即可繼續使用 Azure VPN 閘道和您的內部部署 VPN 裝置。You can continue to use Azure VPN gateways and your on-premises VPN devices without BGP. 它相當於使用靜態路由 (不含 BGP) 與在您的網路和 Azure 之間使用具有 BGP 的動態路由。It is the equivalent of using static routes (without BGP) vs. using dynamic routing with BGP between your networks and Azure.

BGP 具有數個優點和新功能:There are several advantages and new capabilities with BGP:

支援自動和彈性的前置詞更新Support automatic and flexible prefix updates

利用 BGP,您只需要透過 IPsec S2S VPN 通道宣告特定 BGP 對等互連的最小前置詞。With BGP, you only need to declare a minimum prefix to a specific BGP peer over the IPsec S2S VPN tunnel. 它也可以小至內部部署 VPN 裝置的 BGP 對等互連 IP 位址的主機前置詞 (/ 32)。It can be as small as a host prefix (/32) of the BGP peer IP address of your on-premises VPN device. 您可以控制您要公告至 Azure 以允許 Azure 虛擬網路存取的內部部署網路首碼。You can control which on-premises network prefixes you want to advertise to Azure to allow your Azure Virtual Network to access.

您也可以公告可能包含一些您 VNet 位址首碼的較大首碼,例如大型私人 IP 位址空間 (例如 10.0.0.0/8)。You can also advertise larger prefixes that may include some of your VNet address prefixes, such as a large private IP address space (for example, 10.0.0.0/8). 可是請注意,首碼不可與您的任何一個 VNet 首碼相同。Note though the prefixes cannot be identical with any one of your VNet prefixes. 與您的 VNet 首碼相同的路由將會遭到拒絕。Those routes identical to your VNet prefixes will be rejected.

根據 BGP 使用自動容錯移轉,在 VNet 和內部部署站台之間支援多個通道Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP

您可以在 Azure VNet 與內部部署 VPN 裝置之間的相同位置中建立多個連接。You can establish multiple connections between your Azure VNet and your on-premises VPN devices in the same location. 這項功能在主動-主動組態中的兩個網路之間提供多個通道 (路徑)。This capability provides multiple tunnels (paths) between the two networks in an active-active configuration. 如果其中一個通道已中斷連線,對應的路由會透過 BGP 撤回,且流量會自動轉換到其餘的通道。If one of the tunnels is disconnected, the corresponding routes will be withdrawn via BGP and the traffic automatically shifts to the remaining tunnels.

下圖顯示這項高可用性設定的簡單範例︰The following diagram shows a simple example of this highly available setup:

多個作用中路徑

支援內部部署網路與多個 Azure Vnet 之間的傳輸路由Support transit routing between your on-premises networks and multiple Azure VNets

BGP 可讓多個閘道識別及傳播來自不同網路的首碼,無論這些網路是直接或間接連線。BGP enables multiple gateways to learn and propagate prefixes from different networks, whether they are directly or indirectly connected. 這可以使用內部部署站台之間的 Azure VPN 閘道,或跨多個 Azure 虛擬網路啟用傳送路由。This can enable transit routing with Azure VPN gateways between your on-premises sites or across multiple Azure Virtual Networks.

下圖顯示具有多個路徑的多重躍點拓撲的範例,這些路徑可透過Microsoft 網路內的 Azure VPN 閘道來傳輸兩個內部部署網路之間的流量︰The following diagram shows an example of a multi-hop topology with multiple paths that can transit traffic between the two on-premises networks through Azure VPN gateways within the Microsoft Networks:

多重躍點傳輸

BGP 常見問題集BGP FAQ

所有的 Azure VPN 閘道 SKU 上是否都支援 BGP?Is BGP supported on all Azure VPN Gateway SKUs?

否,Azure VpnGw1 VpnGw2 VpnGw3 StandardHighPerformance VPN 閘道支援 BGP。No, BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways. 基本 SKU。Basic SKU is NOT supported.

可以使用 BGP 與 Azure Policy-Based VPN 閘道嗎?Can I use BGP with Azure Policy-Based VPN gateways?

否,僅路由 VPN 閘道支援 BGP。No, BGP is supported on Route-Based VPN gateways only.

可以使用私人 ASN (自發系統編號) 嗎?Can I use private ASNs (Autonomous System Numbers)?

是,針對您的內部部署網路和 Azure 虛擬網路,您可以使用您自己的公用 ASN 或私人 ASN。Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual networks.

可以使用 32 位元的 ASN (自發系統編號) 嗎?Can I use 32-bit ASNs (Autonomous System Numbers)?

否,Azure VPN 閘道目前支援 16 位元的 ASN。No, the Azure VPN Gateways support 16-Bit ASNs today.

是否有 Azure 所保留的 ASN 嗎?Are there ASNs reserved by Azure?

是,下列是 Azure 針對內部和外部對等互連所保留的 ASN︰Yes, the following ASNs are reserved by Azure for both internal and external peerings:

  • 公用 ASN:8074、8075、12076Public ASNs: 8074, 8075, 12076
  • 私人 ASN:65515、65517、65518、65519、65520Private ASNs: 65515, 65517, 65518, 65519, 65520

連接到 Azure VPN 閘道時,您無法針對內部部署 VPN 裝置指定這些 ASN。You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.

有我不能使用的任何其他 ASN 嗎?Are there any other ASNs that I can't use?

是,下列是 IANA 保留的 ASN 且無法在 Azure VPN 閘道上進行設定:Yes, the following ASNs are reserved by IANA and can't be configured on your Azure VPN Gateway:

23456、64496-64511、65535-65551 和 42949672923456, 64496-64511, 65535-65551 and 429496729

內部部署 VPN 網路和 Azure VNet 可以使用相同的 ASN 嗎?Can I use the same ASN for both on-premises VPN networks and Azure VNets?

否,如果您要將內部部署網路和 Azure VNet 與 BGP 連接,必須在內部部署網路與 Azure VNet 之間指派不同 ASN。No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are connecting them together with BGP. Azure VPN 閘道已將預設 ASN 指派為 65515 (無論跨單位連線是否啟用 BGP)。Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is enabled or not for your cross-premises connectivity. 您可以在建立 VPN 閘道時指派不同的 ASN 來覆寫這個預設值,或在建立閘道之後變更 ASN。You can override this default by assigning a different ASN when creating the VPN gateway, or change the ASN after the gateway is created. 您必須將內部部署 ASN 指派給對應 Azure 區域網路閘道。You will need to assign your on-premises ASNs to the corresponding Azure Local Network Gateways.

Azure VPN 閘道會通告我哪些位址首碼?What address prefixes will Azure VPN gateways advertise to me?

Azure VPN 閘道會通告下列路由至您的內部部署 BGP 裝置︰Azure VPN gateway will advertise the following routes to your on-premises BGP devices:

  • 您的 VNet 位址首碼Your VNet address prefixes
  • 每個本機網路閘道的位址首碼已連線到 Azure VPN 閘道Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
  • 從其他 BGP 對等互連工作階段識別的路由已連線到 Azure VPN 閘道, 除了預設路由或與任何 VNet 首碼重疊的路由Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route or routes overlapped with any VNet prefix.

我可以向 Azure VPN 閘道公告多少個前置詞?How many prefixes can I advertise to Azure VPN gateway?

我們最多支援 4000 個前置詞。We support up to 4000 prefixes. 如果前置詞數目超過此限制,則會捨棄 BGP 工作階段。The BGP session is dropped if the number of prefixes exceeds the limit.

可以公告 Azure VPN 閘道的預設路由 (0.0.0.0/0) 嗎?Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?

是。Yes.

請注意,這會強制所有 VNet 輸出流量流向您的內部部署站台,而且會阻礙 VNet VM 直接接受來自網際網路的公用通訊,例如從網際網路到 VM 的 RDP 或 SSH。Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.

可以公告確切的前置詞做為我的虛擬網路前置詞嗎?Can I advertise the exact prefixes as my Virtual Network prefixes?

是,公告相同的前置詞做為任何一個虛擬網路位址前置詞,將由 Azure 平台進行封鎖或篩選。No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered by the Azure platform. 不過,您可以公告一個前置詞,也就是您在虛擬網路內已有的超集。However you can advertise a prefix that is a superset of what you have inside your Virtual Network.

例如,您的虛擬網路使用了位址空間 10.0.0.0/16,而您可以公告 10.0.0.0/8。For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. 但您無法公告 10.0.0.0/16 或 10.0.0.0/24。But you cannot advertise 10.0.0.0/16 or 10.0.0.0/24.

可以與我的 VNet 對 VNet 連線搭配使用 BGP 嗎?Can I use BGP with my VNet-to-VNet connections?

是,您可以針對跨單位連線和 VNet 對 VNet 連線使用 BGP。Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.

可以針對我的 Azure VPN 閘道混合使用 BGP 和非 BGP 連線嗎?Can I mix BGP with non-BGP connections for my Azure VPN gateways?

是,針對相同的 Azure VPN 閘道,您可以混合使用 BGP 和非 BGP 連線。Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.

Azure VPN 閘道是否支援 BGP 傳輸路由?Does Azure VPN gateway support BGP transit routing?

是,可支援 BGP 傳輸路由,但例外狀況為 Azure VPN 閘道 不會 公告其他的 BGP 對等互連的預設路由。Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default routes to other BGP peers. 若要啟用跨多個 Azure VPN 閘道的路由傳輸,您必須在所有中繼 VNet 對 VNet 連線上啟用 BGP。To enable transit routing across multiple Azure VPN gateways, you must enable BGP on all intermediate VNet-to-VNet connections. 如需詳細資訊,請參閱關於 BGPFor more information, see About BGP.

是否可在 Azure VPN 閘道與我的內部部署網路之間擁有多個通道?Can I have more than one tunnel between Azure VPN gateway and my on-premises network?

是,您可在 Azure VPN 閘道與內部部署網路之間建立多個 S2S VPN 通道。Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises network. 請注意,所有這些通道將會計入您 Azure VPN 閘道的通道總數,而您必須在這兩個通道上啟用 BGP。Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN gateways and you must enable BGP on both tunnels.

例如,如果您在 Azure VPN 閘道與其中一個內部部署網路之間有兩個備援通道,它們會在您的 Azure VPN 閘道的總配額 (標準為 10,HighPerformance 為 30) 中耗用 2 個通道。For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30 for HighPerformance).

可以在兩個具有 BGP 的 Azure VNet 之間擁有多個通道嗎?Can I have multiple tunnels between two Azure VNets with BGP?

是,但是主動-主動組態中必須有至少一個虛擬網路閘道。Yes, but at least one of the virtual network gateways must be in active-active configuration.

我可以在 ExpressRoute/S2S VPN 共存組態中使用適用於 S2S VPN 的 BGP 嗎?Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co-existence configuration?

是。Yes.

Azure VPN 閘道會對 BGP 對等互連 IP 使用什麼位址?What address does Azure VPN gateway use for BGP Peer IP?

Azure VPN 閘道會配置針對虛擬網路定義的 GatewaySubnet 範圍的單一 IP 位址。The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual network. 根據預設,它是範圍的最後第二個位址。By default, it is the second last address of the range. 例如,如果您的 GatewaySubnet 是 10.12.255.0/27,範圍從 10.12.255.0 到 10.12.255.31,則 Azure VPN 閘道上的 BGP 對等互連 IP 位址會是 10.12.255.30。For example, if your GatewaySubnet is 10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway will be 10.12.255.30. 當您列出 Azure VPN 閘道器資訊時,可以找到這項資訊。You can find this information when you list the Azure VPN gateway information.

我的 VPN 裝置上的 BGP 對等互連 IP 位址有哪些需求?What are the requirements for the BGP Peer IP addresses on my VPN device?

您內部部署 BGP 對等互連位址 不得 與您的 VPN 裝置的公用 IP 位址相同。Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. 在 VPN 裝置上針對 BGP 對等互連 IP 使用不同的 IP 位址。Use a different IP address on the VPN device for your BGP Peer IP. 它可以是指派給裝置上的回送介面的位址,但請注意,它不能是 APIPA (169.254.x.x) 位址。It can be an address assigned to the loopback interface on the device, but please note that it cannot be an APIPA (169.254.x.x) address. 在代表位置的對應本機網路閘道中指定這個位址。Specify this address in the corresponding Local Network Gateway representing the location.

使用 BGP 時,應將區域網路閘道的位址首碼指定為什麼?What should I specify as my address prefixes for the Local Network Gateway when I use BGP?

Azure 區域網路閘道會指定內部部署網路的起始位址首碼。Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. 若具有 BGP,您必須配置 BGP 對等互連 IP 位址的主機首碼 (/32 首碼) 作為該內部部署網路的位址空間。With BGP, you must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises network. 如果 BGP 對等互連 IP 為 10.52.255.254,您應該指定「10.52.255.254/32」作為代表此內部部署網路的區域網路閘道的 localNetworkAddressSpace。If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. 這是為了確保 Azure VPN 閘道透過 S2S VPN 通道建立 BGP 工作階段。This is to ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.

我應該將什麼加入我的 BGP 對等互連工作階段的內部部署 VPN 裝置?What should I add to my on-premises VPN device for the BGP peering session?

您應該在指向 IPsec S2S VPN 通道的 VPN 裝置上加入 Azure BGP 對等互連 IP 位址的主機路由。You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN tunnel. 例如,如果 Azure VPN 對等互連 IP 是「10.12.255.30」,您應該加入 VPN 裝置上具有比對 IPsec 通道介面的躍點介面的「10.12.255.30」主機路由。For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30" with a nexthop interface of the matching IPsec tunnel interface on your VPN device.

後續步驟Next steps

請參閱 開始使用 Azure VPN 閘道上的 BGP ,以了解設定跨單位與 VNet 對 VNet 連線 BGP 的步驟。See Getting started with BGP on Azure VPN gateways for steps to configure BGP for your cross-premises and VNet-to-VNet connections.