RAS Gateway High Availability

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

You can use this topic to learn about high availability configurations for the RAS Multitenant Gateway for Software Defined Networking (SDN).

This topic contains the following sections.

RAS Gateway Overview

If your organization is a Cloud Service Provider (CSP) or an enterprise with multiple tenants, you can deploy RAS Gateway in multitenant mode to route network traffic to and from virtual and physical networks, including the Internet.

You can deploy RAS Gateway in multitenant mode as an edge gateway that routes tenant customer network traffic to tenant virtual networks and resources.

When you deploy multiple instances of RAS Gateway VMs to provide high availability and failover, you are deploying a gateway pool. In Windows Server 2012 R2, all of the gateway VMs formed a single pool, which made logical separation of the gateway deployment difficult. The Windows Server 2012 R2 gateway offered only a 1:1 redundancy deployment for the gateway VMs, which resulted in under-utilization of the available capacity for site-to-site (S2S) VPN connections.

This issue is resolved in Windows Server 2016, which provides multiple gateway pools that can be of different types for logical separation. The new M+N redundancy mode allows for a more efficient failover configuration.

For more overview information about RAS Gateway, see RAS Gateway.

Gateway Pools Overview

In Windows Server 2016, you can deploy gateways in one or more pools.

The following illustration shows different types of gateway pools that provide traffic routing between virtual networks.

(Illustration: RAS Gateway pools)

Each pool has the following properties.

  • Each pool is M+N redundant. This means that 'M' active gateway VMs are backed up by 'N' standby gateway VMs. The value of N (standby gateways) is always less than or equal to M (active gateways).

  • A pool can perform any one of the individual gateway functions - Internet Key Exchange version 2 (IKEv2) S2S, Layer 3 (L3), or Generic Routing Encapsulation (GRE) - or the pool can perform all of these functions.

  • You can assign a single public IP address to all pools or to a subset of pools. Doing so greatly reduces the number of public IP addresses that you must use, because all tenants can connect to the cloud on a single IP address. The section below on high availability and load balancing describes how this works.

  • You can easily scale a gateway pool up or down by adding or removing gateway VMs in the pool. Removing or adding gateways does not disrupt the services that the pool provides. You can also add and remove entire pools of gateways.

  • Connections of a single tenant can terminate on multiple pools and on multiple gateways within a pool. However, if a tenant has connections terminating in an All type gateway pool, it cannot subscribe to other All type or individual type gateway pools.

Gateway pools also provide the flexibility to enable additional scenarios:

  • Single-tenant pools - you can create one pool for use by one tenant.

  • If you sell cloud services through partner (reseller) channels, you can create separate sets of pools for every reseller.

  • Multiple pools can provide the same gateway function but with different capacities. For example, you can create a gateway pool that supports both high throughput and low throughput IKEv2 S2S connections.

RAS Gateway Deployment Overview

The following illustration shows a typical Cloud Service Provider (CSP) deployment of RAS Gateway.

(Illustration: RAS Gateway deployment overview)

In this type of deployment, the gateway pools are placed behind a Software Load Balancer (SLB), which enables the CSP to assign a single public IP address to the entire deployment. Multiple gateway connections of one tenant can terminate on multiple gateway pools, and also on multiple gateways within a pool. This is illustrated with IKEv2 S2S connections in the diagram above, but the same applies to the other gateway functions, such as L3 and GRE gateways.

In the illustration, the MT BGP device is a RAS Multitenant Gateway with BGP. Multitenant BGP is used for dynamic routing. The routing for a tenant is centralized: a single point, called the route reflector (RR), handles the BGP peering for all of the tenant's sites. The RR itself is distributed across all gateways in a pool. This results in a configuration where the connections of a tenant (data path) terminate on multiple gateways, but the RR for the tenant (the BGP peering point, or control path) is on only one of the gateways.

The BGP router is drawn separately in the diagram to depict this centralized routing concept. The gateway BGP implementation also provides transit routing, which enables the cloud to act as a transit point for routing between two tenant sites. These BGP capabilities apply to all gateway functions.

RAS Gateway Integration with Network Controller

RAS Gateway is fully integrated with Network Controller in Windows Server 2016. When RAS Gateway and Network Controller are deployed together, Network Controller performs the following functions.

  • Deployment of the gateway pools

  • Configuration of tenant connections on each gateway

  • Switching network traffic flows to a standby gateway in the event of a gateway failure

The following sections provide detailed information about RAS Gateway and Network Controller.

Provisioning and Load Balancing of Gateway Connections (IKEv2, L3, and GRE)

When a tenant requests a gateway connection, the request is sent to Network Controller. Network Controller is configured with information about all of the gateway pools, including the capacity of each pool and of every gateway in every pool. Network Controller selects the correct pool and gateway for the connection. This selection is based on the bandwidth requirement of the connection. Network Controller uses a "best fit" algorithm to place connections efficiently within a pool. If this is the first connection of the tenant, the tenant's BGP peering point is also designated at this time.

After Network Controller selects a RAS Gateway for the connection, it provisions the necessary configuration for the connection on that gateway. If the connection is an IKEv2 S2S connection, Network Controller also provisions a Network Address Translation (NAT) rule on the SLB pool; this NAT rule directs connection requests from the tenant to the designated gateway. Tenants are differentiated by their source IP, which is expected to be unique.

Note

L3 and GRE connections bypass the SLB and connect directly with the designated RAS Gateway. These connections require that the remote endpoint router (or other third party device) is correctly configured to connect with the RAS Gateway.

If BGP routing is enabled for the connection, BGP peering is initiated by RAS Gateway, and routes are exchanged between the on-premises and cloud gateways. The routes learned by BGP (or the statically configured routes, if BGP is not used) are sent to Network Controller. Network Controller then plumbs the routes down to the Hyper-V hosts on which the tenant VMs are installed. At this point, tenant traffic can be routed to the correct on-premises site. Network Controller also creates the associated Hyper-V Network Virtualization policies that specify gateway locations, and plumbs them down to the Hyper-V hosts.

High Availability for IKEv2 S2S

A RAS Gateway in a pool hosts both connections and BGP peerings of different tenants. Every pool has 'M' active gateways and 'N' standby gateways.

Network Controller handles the failure of gateways in the following manner.

  • Network Controller constantly pings the gateways in all pools and can detect a gateway that has failed or is failing. Network Controller can detect the following types of RAS Gateway failure.

    • RAS Gateway VM failure

    • Failure of the Hyper-V host on which the RAS Gateway is running

    • RAS Gateway service failure

    Network Controller stores the configuration of all deployed active gateways. The configuration consists of connection settings and routing settings.

  • When a gateway fails, it impacts the tenant connections on that gateway, as well as tenant connections located on other gateways whose RR resides on the failed gateway. The down time of the latter connections is shorter than that of the former. When Network Controller detects a failed gateway, it performs the following tasks.

    • Removes the routes of the impacted connections from the compute hosts.

    • Removes the Hyper-V Network Virtualization policies on those hosts.

    • Selects a standby gateway, converts it into an active gateway, and configures it.

    • Changes the NAT mappings on the SLB pool so that connections point to the new gateway.

  • Simultaneously, as the configuration comes up on the new active gateway, the IKEv2 S2S connections and BGP peerings are re-established. The connections and BGP peerings can be initiated by either the cloud gateway or the on-premises gateway. The gateways refresh their routes and send them to Network Controller. After Network Controller learns the new routes discovered by the gateways, it sends the routes and the associated Hyper-V Network Virtualization policies to the Hyper-V hosts where the VMs of the affected tenants reside. This Network Controller activity is the same as for a new connection setup, only it occurs on a larger scale.
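The following toy model is an added illustration of the M+N pool behaviour described in this section; it is not Microsoft's code, the real Network Controller's best-fit algorithm and capacity accounting are not published on this page, and the capacity units (Mbps) and gateway names are assumptions. It places each connection by best fit, designates the tenant's RR with its first connection, and on a gateway failure promotes a standby while separating the data-path impact (connections on the failed gateway) from the control-path impact (connections elsewhere whose RR was on it):

```python
"""Toy model of an M+N RAS Gateway pool driven by a Network Controller.
Added example, not Microsoft's code: the real best-fit algorithm and capacity
accounting are not published here; capacity units (Mbps) are an assumption."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    capacity_mbps: int
    connections: dict = field(default_factory=dict)   # conn_id -> (tenant, mbps)
    rr_tenants: set = field(default_factory=set)      # tenants whose RR lives here

    def free_mbps(self):
        return self.capacity_mbps - sum(m for _, m in self.connections.values())


class Pool:
    """M active gateways backed by N standby gateways, with N <= M."""

    def __init__(self, active, standby):
        if len(standby) > len(active):
            raise ValueError("N (standby) must be <= M (active)")
        self.active, self.standby = list(active), list(standby)
        self.rr = {}  # tenant -> name of the gateway holding its route reflector

    def connect(self, conn_id, tenant, mbps):
        # best fit: the active gateway with the least remaining capacity that
        # still satisfies the request, so large gaps stay available
        fits = [gw for gw in self.active if gw.free_mbps() >= mbps]
        if not fits:
            raise RuntimeError("no active gateway has the requested capacity")
        gw = min(fits, key=Gateway.free_mbps)
        gw.connections[conn_id] = (tenant, mbps)
        if tenant not in self.rr:          # first connection designates the RR
            self.rr[tenant] = gw.name
            gw.rr_tenants.add(tenant)
        return gw.name

    def fail(self, gw_name):
        """Promote a standby, replay the stored config, report what was hit."""
        failed = next(gw for gw in self.active if gw.name == gw_name)
        data_path = set(failed.connections)                 # longer outage
        control_path = {c for gw in self.active if gw is not failed
                        for c, (t, _) in gw.connections.items()
                        if t in failed.rr_tenants}          # shorter outage
        if not self.standby:
            raise RuntimeError("no standby gateway left in the pool")
        new = self.standby.pop(0)
        new.connections = dict(failed.connections)
        new.rr_tenants = set(failed.rr_tenants)
        for tenant in new.rr_tenants:
            self.rr[tenant] = new.name
        self.active.remove(failed)
        self.active.append(new)
        return {"promoted": new.name, "data_path": data_path,
                "control_path": control_path}
```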

High Availability for GRE

The process by which Network Controller responds to a RAS Gateway failure - including failure detection, copying the connection and routing configuration to the standby gateway, failover of BGP/static routing for the impacted connections (including the withdrawal and re-plumbing of routes on compute hosts and BGP re-peering), and reconfiguration of Hyper-V Network Virtualization policies on compute hosts - is the same for GRE gateways and connections. The re-establishment of GRE connections happens differently, however, and the high availability solution for GRE has some additional requirements.

(Illustration: High availability for GRE)

At the time of gateway deployment, every RAS Gateway VM is assigned a Dynamic IP address (DIP). In addition, every gateway VM is also assigned a virtual IP address (VIP) for GRE high availability. VIPs are assigned only to gateways in pools that can accept GRE connections, not to non-GRE pools. The assigned VIPs are advertised to the top of rack (TOR) switches using BGP, which then advertise the VIPs further into the cloud physical network. This makes the gateways reachable from the remote routers or third party devices where the other end of the GRE connection resides. This BGP peering is different from the tenant-level BGP peering used for the exchange of tenant routes.

At the time of GRE connection provisioning, Network Controller selects a gateway, configures a GRE endpoint on the selected gateway, and returns the VIP address of the assigned gateway. This VIP is then configured as the destination GRE tunnel address on the remote router.

When a gateway fails, Network Controller copies the VIP address of the failed gateway, along with its other configuration data, to the standby gateway. When the standby gateway becomes active, it advertises the VIP to its TOR switch and onward into the physical network. Remote routers continue to terminate their GRE tunnels on the same VIP, and the routing infrastructure ensures that packets are routed to the new active gateway.

High Availability for L3 Forwarding Gateways

A Hyper-V Network Virtualization L3 forwarding gateway is a bridge between the physical infrastructure in the datacenter and the virtualized infrastructure in the Hyper-V Network Virtualization cloud. On a multitenant L3 forwarding gateway, each tenant uses its own VLAN tagged logical network for connectivity with the tenant's physical network.

When a new tenant creates a new L3 gateway, the Network Controller Gateway Service Manager selects an available gateway VM and configures a new tenant interface with a highly available Customer Address (CA) space IP address (taken from the tenant's VLAN tagged logical network). This IP address is used as the peer IP address on the remote (physical network) gateway, and is the next hop for reaching the tenant's Hyper-V Network Virtualization network.

Unlike IPsec or GRE network connections, the TOR switch does not learn the tenant's VLAN tagged network dynamically. Routing for the tenant's VLAN tagged network must be configured on the TOR switch and on all intermediate switches and routers between the physical infrastructure and the gateway to ensure end to end connectivity. The following is an example CSP virtual network configuration, as depicted in the illustration below.

Network                        Subnet            VLAN ID   Default Gateway
Contoso L3 Logical Network     10.127.134.0/24   1001      10.127.134.1
Woodgrove L3 Logical Network   10.127.134.0/24   1002      10.127.134.1

The following are example tenant gateway configurations, as depicted in the illustration below.

Tenant Name   L3 Gateway IP Address   VLAN ID   Peer IP Address
Contoso       10.127.134.50           1001      10.127.134.55
Woodgrove     10.127.134.60           1002      10.127.134.65

The following illustration shows these configurations in a CSP datacenter.

(Illustration: High availability for L3 forwarding gateways)

Gateway failures, failure detection, and the gateway failover process for an L3 forwarding gateway are similar to the processes for IKEv2 and GRE RAS Gateways. The differences lie in the way the external IP addresses are handled.

When the gateway VM state becomes unhealthy, Network Controller selects one of the standby gateways from the pool and re-provisions the network connections and routing on that standby gateway. While moving the connections, the L3 forwarding gateway's highly available CA space IP address is also moved to the new gateway VM, along with the tenant's CA space BGP IP address.

Because the L3 peering IP address is moved to the new gateway VM during failover, the remote physical infrastructure is again able to connect to this IP address and, subsequently, to reach the Hyper-V Network Virtualization workload. For BGP dynamic routing, because the CA space BGP IP address is moved to the new gateway VM, the remote BGP router can re-establish peering and learn all of the Hyper-V Network Virtualization routes again.

Note

You must separately configure the TOR switches and all of the intermediate routers in order to use the VLAN tagged logical network for tenant communication. In addition, L3 failover is restricted to the racks that are configured in this way. Because of this, the L3 gateway pool must be planned carefully, and the manual configuration must be completed separately.
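As an added check over the two sample tables above (my own code, not part of this page or of Network Controller; the table values are the page's, the checks are mine), the following validates that each tenant's L3 gateway and peer addresses fall inside the logical network for its VLAN ID, that overlapping subnets sit on distinct VLANs, and lists the VLAN IDs that the TOR and intermediate switches must be configured to carry:

```python
"""Consistency check for the L3 forwarding gateway sample configuration.
Added example, not Microsoft's tooling; the table values come from this page,
the checks are my own."""
import ipaddress

# CSP logical networks from the page's table: name -> (subnet, VLAN ID, default gw)
LOGICAL_NETWORKS = {
    "Contoso L3 Logical Network":   ("10.127.134.0/24", 1001, "10.127.134.1"),
    "Woodgrove L3 Logical Network": ("10.127.134.0/24", 1002, "10.127.134.1"),
}
# Tenant gateways from the page's table: tenant -> (L3 gateway IP, VLAN ID, peer IP)
TENANT_GATEWAYS = {
    "Contoso":   ("10.127.134.50", 1001, "10.127.134.55"),
    "Woodgrove": ("10.127.134.60", 1002, "10.127.134.65"),
}


def check_l3_config(networks, tenants):
    """Return a list of problems; an empty list means the tables agree."""
    problems, by_vlan = [], {}
    for name, (subnet, vlan, dgw) in networks.items():
        if vlan in by_vlan:   # overlapping subnets are only legal on distinct VLANs
            problems.append(f"VLAN {vlan} used by both {by_vlan[vlan]} and {name}")
        by_vlan[vlan] = name
        if ipaddress.ip_address(dgw) not in ipaddress.ip_network(subnet):
            problems.append(f"{name}: default gateway {dgw} outside {subnet}")
    for tenant, (gw_ip, vlan, peer_ip) in tenants.items():
        if vlan not in by_vlan:
            problems.append(f"{tenant}: VLAN {vlan} has no logical network")
            continue
        subnet, _, dgw = networks[by_vlan[vlan]]
        net = ipaddress.ip_network(subnet)
        for label, ip in (("L3 gateway IP", gw_ip), ("peer IP", peer_ip)):
            if ipaddress.ip_address(ip) not in net:
                problems.append(f"{tenant}: {label} {ip} outside {subnet} (VLAN {vlan})")
        if dgw in (gw_ip, peer_ip):
            problems.append(f"{tenant}: address collides with default gateway {dgw}")
    return problems


def vlans_to_trunk(tenants):
    """VLAN IDs the TOR and every intermediate switch/router must carry; after an
    L3 failover the new gateway's rack must carry the same set."""
    return sorted({vlan for _, vlan, _ in tenants.values()})
```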