RAS Gateway Deployment Architecture

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about Cloud Service Provider (CSP) deployment of RAS Gateway, including RAS Gateway pools, Route Reflectors, and deploying multiple gateways for individual tenants.

The following sections provide brief overviews of some of the new RAS Gateway features so that you can understand how to use these features in the design of your gateway deployment.

In addition, an example deployment is provided, including information about the process of adding new tenants, route synchronization and data plane routing, gateway and Route Reflector failover, and more.

This topic contains the following sections.

  • Using RAS Gateway New Features to Design Your Deployment
  • Example Deployment
  • Advantages of Using New RAS Gateway Features

Using RAS Gateway New Features to Design Your Deployment

RAS Gateway includes multiple new features that change and improve the way in which you deploy your gateway infrastructure in your datacenter.

BGP Route Reflector

The Border Gateway Protocol (BGP) Route Reflector capability is now included with RAS Gateway, and provides an alternative to the full-mesh topology that BGP otherwise requires for route synchronization between routers. With full mesh synchronization, every BGP router must peer with every other router in the routing topology. When you use a Route Reflector, however, the Route Reflector is the only router that peers with all of the other routers, called BGP Route Reflector clients, which simplifies route synchronization and reduces network traffic: a tenant with n gateways needs n-1 sessions to the reflector instead of the n(n-1)/2 sessions of a full mesh. The Route Reflector learns all routes, calculates the best routes, and redistributes the best routes to its BGP clients. Because the clients depend on the reflector for their view of the tenant's routes, the reflector's availability matters; how Network Controller replaces a failed Route Reflector is described under Example Deployment.

For more information, see What's New in RAS Gateway.

Gateway Pools

In Windows Server 2016, you can create many gateway pools of different types. Gateway pools contain many instances of RAS Gateway, and route network traffic between physical and virtual networks.

For more information, see What's New in RAS Gateway and RAS Gateway High Availability.

Gateway Pool Scalability

You can easily scale a gateway pool up or down by adding or removing gateway VMs in the pool. Removing or adding gateways does not disrupt the services that the pool provides. You can also add and remove entire pools of gateways.

For more information, see What's New in RAS Gateway and RAS Gateway High Availability.

M+N Gateway Pool Redundancy

Every gateway pool is M+N redundant. This means that 'M' active gateway VMs are backed up by 'N' standby gateway VMs. M+N redundancy provides you with more flexibility in determining the level of reliability that you require when you deploy RAS Gateway.

For more information, see What's New in RAS Gateway and RAS Gateway High Availability.

Example Deployment

The following illustration provides an example with eBGP peering over site-to-site VPN connections configured between two tenants, Contoso and Woodgrove, and the Fabrikam CSP datacenter.

Figure: eBGP peering over site-to-site VPN

In this example, Contoso requires additional gateway bandwidth, leading to the gateway infrastructure design decision to terminate the Contoso Los Angeles site on GW3 instead of GW2. Because of this, Contoso VPN connections from different sites terminate in the CSP datacenter on two different gateways.

Both of these gateways, GW2 and GW3, were the first RAS Gateways configured by Network Controller when the CSP added the Contoso and Woodgrove tenants to their infrastructure. Because of this, these two gateways are configured as Route Reflectors for the corresponding tenants. GW2 is the Contoso Route Reflector, and GW3 is the Woodgrove Route Reflector, in addition to being the CSP RAS Gateway termination point for the VPN connection with the Contoso Los Angeles HQ site.

Note

One RAS Gateway can route virtual and physical network traffic for up to one hundred different tenants, depending on the bandwidth requirements of each tenant.

As Route Reflectors, GW2 sends Contoso CA Space routes to Network Controller, and GW3 sends Woodgrove CA Space routes to Network Controller.

Network Controller pushes Hyper-V Network Virtualization policies to the Contoso and Woodgrove virtual networks, as well as RAS policies to the RAS Gateways and load balancing policies to the Multiplexers (MUXes) that are configured as a Software Load Balancing pool.
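As an added example, not code from the original topic, the following PowerShell shows the BGP configuration that corresponds to the Contoso half of this example: GW2 as Contoso's Route Reflector, GW3 as a Route Reflector client, and the Contoso site routers as eBGP peers of the reflector. It uses the RemoteAccess module cmdlets that run inside a RAS Gateway VM. In an SDN deployment Network Controller provisions this configuration itself, so running it by hand is only appropriate on a stand-alone RAS Gateway or in a lab. All IP addresses, AS numbers and peer names are assumed values chosen for illustration.

```powershell
# Added example (not from the original topic). Assumed values: CSP private ASN 64512,
# Contoso ASN 64521, GW2 = 10.0.0.2, GW3 = 10.0.0.3, Contoso routers in 192.0.2.0/24.

# ---- On GW2: Contoso's Route Reflector ----
# RouteReflector turns on reflection; ClusterId identifies this reflector in the
# cluster-list loop check; ClientToClientReflection lets GW2 forward routes learned
# from one client to the other clients, so clients never need to peer with each other.
Add-BgpRouter -BgpIdentifier 10.0.0.2 -LocalASN 64512 `
    -RouteReflector $true -ClusterId 1 -ClientToClientReflection $true

# GW3 is an iBGP peer (same ASN) marked as a reflector client. GW2 re-advertises the
# best Contoso routes to it, so GW3 carries Contoso traffic without an eBGP session.
# A 30 s hold time (keepalive one third of that, the usual BGP convention; assumed to
# apply to this implementation) makes a dead peer visible within half a minute.
Add-BgpPeer -Name "GW3-ContosoClient" -LocalIPAddress 10.0.0.2 -PeerIPAddress 10.0.0.3 `
    -PeerASN 64512 -RouteReflectorClient $true -HoldTimeSec 30

# The enterprise side: eBGP to each Contoso site router, reached over the tenant's
# site-to-site tunnels. Both sites point at the same neighbor address, the reflector.
Add-BgpPeer -Name "Contoso-HQ" -LocalIPAddress 10.0.0.2 -PeerIPAddress 192.0.2.1 `
    -PeerASN 64521 -HoldTimeSec 30
Add-BgpPeer -Name "Contoso-LA" -LocalIPAddress 10.0.0.2 -PeerIPAddress 192.0.2.2 `
    -PeerASN 64521 -HoldTimeSec 30

# ---- On GW3: Route Reflector client ----
# One iBGP session to the reflector replaces a full mesh with every other Contoso gateway.
Add-BgpRouter -BgpIdentifier 10.0.0.3 -LocalASN 64512
Add-BgpPeer -Name "GW2-ContosoRR" -LocalIPAddress 10.0.0.3 -PeerIPAddress 10.0.0.2 `
    -PeerASN 64512 -HoldTimeSec 30

# ---- Verification (run on either gateway) ----
# Sessions should reach "Connected"; a client that stays idle is the first sign that
# the reflector did not accept it as a client.
Get-BgpPeer | Format-Table PeerName, PeerIPAddress, PeerASN, ConnectivityStatus

# On GW3 the Contoso prefixes must appear, learned from the reflector session, even
# though GW3 has no eBGP session of its own. If they do not, check ClientToClientReflection
# and RouteReflectorClient on GW2 before suspecting the tunnels.
Get-BgpRouteInformation | Format-Table DestinationNetwork, NextHop, LearnedFromPeer, State
```

On a RAS Gateway running in multitenant mode each tenant lives in its own routing compartment, and the same cmdlets take a -RoutingDomain parameter naming that tenant; the example omits it for a single-tenant gateway. Treat hand-applied BGP settings on a Network Controller managed gateway as out-of-band changes that Network Controller may overwrite.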

Adding New Tenants and Customer Address (CA) Space eBGP Peering

When you sign a new customer and add the customer as a new tenant in your datacenter, you can use the following process, much of which is performed automatically by Network Controller and the RAS Gateway eBGP routers.

  1. Provision a new virtual network and workloads according to your tenant's requirements.

  2. If required, configure remote connectivity between the remote tenant Enterprise site and their virtual network at your datacenter. When you deploy a site-to-site VPN connection for the tenant, Network Controller automatically selects an available RAS Gateway VM from the available gateway pool and configures the connection.

  3. While configuring the RAS Gateway VM for the new tenant, Network Controller also configures the RAS Gateway as a BGP router and designates it as the Route Reflector for the tenant. This is true even in circumstances where the RAS Gateway already serves as a gateway, or as a gateway and Route Reflector, for other tenants.

  4. Depending on whether CA space routing is configured to use statically configured networks or dynamic BGP routing, Network Controller configures the corresponding static routes, BGP neighbors, or both on the RAS Gateway VM and Route Reflector.

    Note

    • After Network Controller has configured a RAS Gateway and Route Reflector for the tenant, whenever the same tenant requires a new site-to-site VPN connection, Network Controller checks the available capacity on this RAS Gateway VM. If the original gateway can service the required capacity, the new connection is also configured on the same RAS Gateway VM. If the RAS Gateway VM cannot handle the additional capacity, Network Controller selects a new available RAS Gateway VM and configures the new connection on it. This new RAS Gateway VM associated with the tenant becomes a Route Reflector client of the tenant's original RAS Gateway Route Reflector.
    • Because RAS Gateway pools are behind Software Load Balancers (SLBs), the tenant's site-to-site VPN connections each target a single public IP address, called a virtual IP address (VIP), which the SLBs translate into a datacenter-internal IP address, called a dynamic IP address (DIP), of the RAS Gateway that routes traffic for the Enterprise tenant. This public-to-private IP address mapping by the SLB ensures that the site-to-site VPN tunnels are correctly established between the Enterprise sites and the CSP RAS Gateways and Route Reflectors.

      For more information about SLB, VIPs, and DIPs, see Software Load Balancing (SLB) for SDN.

  5. After the site-to-site VPN tunnel between the Enterprise site and the CSP datacenter RAS Gateway is established for the new tenant, the static routes that are associated with the tunnels are automatically provisioned on both the Enterprise and CSP sides of the tunnel.

  6. With CA space BGP routing, the eBGP peering between the Enterprise sites and the CSP RAS Gateway Route Reflector is also established.
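As an added example, not from the original topic, here is the onboarding process above expressed as the calls a CSP administrator makes to Network Controller, which then carries out steps 2 through 6 on a gateway VM it selects from the pool. The cmdlets are from the NetworkController PowerShell module on Windows Server 2016 and the property classes follow that module's REST schema; the Network Controller URI, ResourceIds, pool name, addresses and AS numbers are assumptions for illustration, and the class and property names should be confirmed with Get-Member in your environment before use.

```powershell
# Added example (not from the original topic). All names and addresses are assumed.
$uri = "https://nc.fabrikam.example"   # assumed Network Controller REST endpoint

# Step 1 is assumed done: the tenant's virtual network already exists. The pool is an
# existing M+N gateway pool; Network Controller chooses the gateway VM from it.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "Contoso_VNet"
$gwPool = Get-NetworkControllerGatewayPool   -ConnectionUri $uri -ResourceId "GatewayPool_All"

# Steps 2-3: the tenant's virtual gateway. RoutingType "Dynamic" tells Network
# Controller that CA-space routes arrive over BGP (step 4), so it will configure the
# selected RAS Gateway VM as the tenant's BGP router and Route Reflector.
$vgwProps = New-Object Microsoft.Windows.NetworkController.VirtualGatewayProperties
$vgwProps.GatewayPools       = @($gwPool)
$vgwProps.GatewaySubnets     = @($vnet.Properties.Subnets[0])
$vgwProps.RoutingType        = "Dynamic"
$vgwProps.NetworkConnections = @()
$vgwProps.BgpRouters         = @()
$vgw = New-NetworkControllerVirtualGateway -ConnectionUri $uri -ResourceId "Contoso_VGW" `
    -Properties $vgwProps -Force

# Step 2: IKEv2/IPsec site-to-site connection to the Contoso Los Angeles edge.
# The pre-shared key is typed in at run time instead of being stored in the script.
$psk  = Read-Host -Prompt "IKEv2 pre-shared key for Contoso-LA"
$conn = New-Object Microsoft.Windows.NetworkController.NetworkConnectionProperties
$conn.ConnectionType            = "IPSec"
$conn.OutboundKiloBitsPerSecond = 100000   # capacity Network Controller reserves on the VM
$conn.InboundKiloBitsPerSecond  = 100000
$conn.IpSecConfiguration = New-Object Microsoft.Windows.NetworkController.IpSecConfiguration
$conn.IpSecConfiguration.AuthenticationMethod = "PSK"
$conn.IpSecConfiguration.SharedSecret         = $psk
$conn.DestinationIPAddress = "203.0.113.10"  # Contoso LA public endpoint (TEST-NET-3, assumed)
$conn.IPAddresses     = @()
$conn.PeerIPAddresses = @()

# Step 5: the static route associated with the tunnel. With dynamic routing the only
# prefix that must be static is the remote BGP peer's own address, so the eBGP
# session can come up inside the tunnel before any route has been learned.
$peerRoute = New-Object Microsoft.Windows.NetworkController.RouteInfo
$peerRoute.DestinationPrefix = "192.168.100.1/32"
$peerRoute.Metric            = 10
$conn.Routes = @($peerRoute)
New-NetworkControllerVirtualGatewayNetworkConnection -ConnectionUri $uri `
    -VirtualGatewayId $vgw.ResourceId -ResourceId "Contoso_LA_IPSec" -Properties $conn -Force

# Steps 3, 4 and 6: the tenant's BGP router on the gateway and the eBGP peer at the
# enterprise site. ExtAsNumber is written as "<high16>.<low16>": "0.64512" is AS 64512.
$bgp = New-Object Microsoft.Windows.NetworkController.VGwBgpRouterProperties
$bgp.ExtAsNumber = "0.64512"                  # assumed CSP private ASN
$bgp.RouterId    = "192.168.100.2"
$bgp.RouterIP    = @("192.168.100.2")
$bgpRouter = New-NetworkControllerVirtualGatewayBgpRouter -ConnectionUri $uri `
    -VirtualGatewayId $vgw.ResourceId -ResourceId "Contoso_BgpRouter" -Properties $bgp -Force

$peer = New-Object Microsoft.Windows.NetworkController.VGwBgpPeerProperties
$peer.PeerIpAddress = "192.168.100.1"         # Contoso LA router address inside the tunnel
$peer.ExtAsNumber   = "0.64521"               # assumed Contoso ASN
$peer.AsNumber      = "64521"
New-NetworkControllerVirtualGatewayBgpPeer -ConnectionUri $uri -VirtualGatewayId $vgw.ResourceId `
    -BgpRouterName $bgpRouter.ResourceId -ResourceId "Contoso_LA_Peer" -Properties $peer -Force

# Check that Network Controller accepted the configuration; ConfigurationState is
# where a rejected setting or a pool with no free capacity shows up.
(Get-NetworkControllerVirtualGateway -ConnectionUri $uri -ResourceId "Contoso_VGW").Properties |
    Select-Object ConfigurationState, GatewayPools
```

A second site for the same tenant is just another NetworkConnection and BgpPeer on the same virtual gateway; whether it lands on the same RAS Gateway VM or on a new Route Reflector client is the capacity decision described in the note above, and is not something the administrator chooses. The IpSecConfiguration object also carries MainMode and QuickMode sub-objects for the IKE and IPsec proposals; in production pin those to the algorithms your policy requires rather than relying on defaults (omitted here because the exact enumeration values are not shown on this page).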

Route Synchronization and Data Plane Routing

After eBGP peering is established between the Enterprise sites and the CSP RAS Gateway Route Reflector, the Route Reflector learns all of the Enterprise routes by using dynamic BGP routing. The Route Reflector synchronizes these routes to all of its Route Reflector clients so that they are all configured with the same set of routes.

The Route Reflector also updates Network Controller with these consolidated routes, using route synchronization. Network Controller then translates the routes into Hyper-V Network Virtualization policies and configures the fabric network to ensure that end-to-end data path routing is provisioned. This process makes the tenant virtual network accessible from the tenant Enterprise sites.

For data plane routing, the packets that reach the RAS Gateway VMs are routed directly to the tenant's virtual network, because the required routes are now available on all of the participating RAS Gateway VMs.

Similarly, with the Hyper-V Network Virtualization policies in place, the tenant virtual network routes packets directly to the RAS Gateway VMs (without needing to know about the Route Reflector) and then on to the Enterprise sites over the site-to-site VPN tunnels.

In addition, return traffic from the tenant virtual network to the remote tenant Enterprise site bypasses the SLBs, a process called Direct Server Return (DSR).

How Network Controller Responds to RAS Gateway and Route Reflector Failover

Following are two possible failover scenarios, one for RAS Gateway Route Reflector clients and one for RAS Gateway Route Reflectors, including information about how Network Controller handles failover for VMs in either configuration.

VM Failure of a RAS Gateway BGP Route Reflector Client

Network Controller takes the following actions when a RAS Gateway Route Reflector client fails.

Note

When a RAS Gateway is not the Route Reflector for a tenant's BGP infrastructure, it is a Route Reflector client in the tenant's BGP infrastructure.

  • Network Controller selects an available standby RAS Gateway VM and provisions the new RAS Gateway VM with the configuration of the failed RAS Gateway VM.

  • Network Controller updates the corresponding SLB configuration to ensure that the site-to-site VPN tunnels from tenant sites to the failed RAS Gateway are correctly re-established with the new RAS Gateway.

  • Network Controller configures the BGP Route Reflector client on the new gateway.

  • Network Controller configures the new RAS Gateway BGP Route Reflector client as active. The RAS Gateway immediately starts peering with the tenant's Route Reflector to share routing information and to enable eBGP peering for the corresponding Enterprise site.

VM Failure of a RAS Gateway BGP Route Reflector

Network Controller takes the following actions when a RAS Gateway BGP Route Reflector fails.

  • Network Controller selects an available standby RAS Gateway VM and provisions the new RAS Gateway VM with the configuration of the failed RAS Gateway VM.

  • Network Controller configures the Route Reflector on the new RAS Gateway VM, and assigns the new VM the same IP address that was used by the failed VM, so that existing BGP peerings continue to target a valid address and route integrity is preserved despite the VM failure.

  • Network Controller updates the corresponding SLB configuration to ensure that the site-to-site VPN tunnels from tenant sites to the failed RAS Gateway are correctly re-established with the new RAS Gateway.

  • Network Controller configures the new RAS Gateway BGP Route Reflector VM as active.

  • The Route Reflector immediately becomes active. The site-to-site VPN tunnel to the Enterprise is established, and the Route Reflector uses eBGP peering to exchange routes with the Enterprise site routers.

  • After BGP route selection, the RAS Gateway BGP Route Reflector updates the tenant's Route Reflector clients in the datacenter and synchronizes routes with Network Controller, making the end-to-end data path available for tenant traffic.

Advantages of Using New RAS Gateway Features

Following are a few of the advantages of using these new RAS Gateway features when designing your RAS Gateway deployment.

RAS Gateway scalability

Because you can add as many RAS Gateway VMs as you need to RAS Gateway pools, you can easily scale your RAS Gateway deployment to optimize performance and capacity. When you add VMs to a pool, you can configure these RAS Gateways with site-to-site VPN connections of any kind (IKEv2, L3, GRE), eliminating capacity bottlenecks with no downtime.

Simplified Enterprise Site Gateway Management

When your tenant has multiple Enterprise sites, the tenant can configure all sites with one remote site-to-site VPN IP address and a single remote BGP neighbor IP address: your CSP datacenter RAS Gateway BGP Route Reflector VIP for that tenant. This simplifies gateway management for your tenants.

Fast Remediation of Gateway Failure

To ensure a fast failover response, you can configure the BGP keepalive time between the edge routers and the control router to a short interval, such as ten seconds or less. With this short keepalive interval, if a RAS Gateway BGP edge router fails, the failure is quickly detected and Network Controller follows the steps provided in the previous sections. This can reduce the need for a separate failure detection protocol, such as Bidirectional Forwarding Detection (BFD). Keep in mind that the BGP hold time, conventionally three times the keepalive, is what actually bounds detection: with a ten-second keepalive a peer is declared down after roughly thirty seconds, and both sides must agree on the shorter timers for the setting to take effect.