TRANSCRIPT
-
• Azure Network Overview
[Figure: Tenant X with Subnet A, Subnet B and Subnet C, connected to the Internet]
Value-added network services (north-south):
• VPN Gateway: VPN interconnection with the private cloud
• ExpressRoute: dedicated-circuit interconnection with the private cloud
• NAT Gateway: static NAT (inbound, external to internal) and dynamic NAT (outbound, internal to external)
• LB Gateway: publishing services for inbound (external to internal) access
• Firewall: network-level and host-level security defense

Destination             Next-Hop
Private Cloud Subnet    VPN Gateway / ExpressRoute
SNIP/MIP                LB Gateway
0.0.0.0                 NAT Instance
[Figure: tenant network connected to the WAN through these gateways]

Public cloud network services provided to tenants:
• Intra-tenant L2/L3 network services (east-west)
• Tenant isolation, allowing overlapping address ranges between tenants
• Tenant virtual machine mobility
-
[Figure: Tenant X 192.168.0.0/16 with GatewaySubnet 192.168.3.0/24, Demo 192.168.1.0/24 and Default 192.168.0.0/24; On-premises network 192.169.0.0/16 (Default 192.169.0.0/24); Peer vNet 192.170.0.0/16 (Default 192.170.0.0/24)]
-
[Figure: VNet1, address space 10.57.0.0/16 and 10.66.0.0/24, connected to the Internet]
-
[Figure: VNet1, address space 10.57.0.0/16 and 10.66.0.0/24; Subnet1 10.57.1.0/24, Subnet2 10.66.0.0/24]
-
[Figure: Tenant X 192.168.0.0/16 with GatewaySubnet 192.168.3.0/24, demo 192.168.1.0/24 and default 192.168.0.0/24, connected to the Internet and the WAN]
Destination        Next-Hop
192.168.0.0/16     Virtual Network
0.0.0.0/0          Internet / NAT GW / LB
192.169.0.0/16     VPN/ER GW
192.170.0.0/16     Peer VNet GW
-
[Figure: VNet2, address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25; connected to the Internet and the Azure WAN]
-
• NSG
-
See here for up-to-date information:
https://docs.azure.cn/zh-cn/azure-subscription-service-limits#networking-limits
-
• NSG
• Load Balancer/NAT
-
[Figure: Availability set]
-
https://docs.azure.cn/zh-cn/load-balancer/load-balancer-distribution-mode
-
[Figure: Tenant X 192.168.0.0/16 with GatewaySubnet 192.168.3.0/24, Demo 192.168.1.0/24 and Default 192.168.0.0/24; VMs netdemo1 192.168.0.4, netdemo2 192.168.0.5 and netdemo3 192.168.1.4]
-
WebRedirect
-
[Figure: VNet2, address space 10.57.0.0/16; Subnet1 10.57.1.0/24, MyAGWsubnet 10.57.2.0/28]
-
• NSG
• VPN/Express Route GW
-
[Figure: VNet1, address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, GatewaySubnet 10.57.3.0/27]
-
[Figure: site-to-site IPsec tunnel over the Internet between the on-premises network 10.1.0.0/16 and VNet1 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Gateway Subnet 10.57.3.0/27)]
-
[Figure: the same site-to-site IPsec topology, with the VNet named TRVNET1 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Gateway Subnet 10.57.3.0/27)]
-
[Figure: ExpressRoute: the on-premises network 10.1.0.0/16 connected through the ER provider's network to the Azure WAN and VNet1 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Gateway Subnet 10.57.3.0/27)]
-
[Figure: the same ExpressRoute topology with the VNet named CR-VNET1 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Gateway Subnet 10.57.3.0/27), shown alongside TRVNET1 (address space 10.57.0.0/16)]
-
https://docs.azure.cn/zh-cn/vpn-gateway/vpn-gateway-about-vpn-devices#known
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
-
• NSG
• VPN/Express Route GW
• VNet Peering
-
[Figure: VNet3 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Gateway Subnet 10.57.3.0/27) and VNet4 (address space 10.6.0.0/16; Subnet1 10.6.11.0/24, Gateway Subnet 10.6.3.0/27)]
-
[Figure: VNet3 (10.57.0.0/16) and VNet4 (10.6.0.0/16)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (10.57.0.0/16) and VNet4 (10.6.0.0/16)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet Gateway
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (10.57.0.0/16) and VNet4 (10.6.0.0/16)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 10.6.0.0/16    Send to: VNet Gateway
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet Gateway
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Gateway Subnet 10.57.3.0/27), VNet4 (address space 10.6.0.0/16; Subnet1 10.6.11.0/24, Gateway Subnet 10.6.3.0/27) and VNet5 (address space 10.7.0.0/16; Subnet1 10.7.8.0/24, Gateway Subnet 10.7.3.0/27)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET5
Dest: 10.7.0.0/16    Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (10.57.0.0/16), VNet4 (10.6.0.0/16) and VNet5 (10.7.0.0/16)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 10.6.0.0/16    Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET5
Dest: 10.7.0.0/16    Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (10.57.0.0/16), VNet4 (10.6.0.0/16) and VNet5 (10.7.0.0/16)]
System Route Table: TRVNET3
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 10.6.0.0/16    Send to: VNet GW
Dest: 10.7.0.0/16    Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
System Route Table: TRVNET5
Dest: 10.7.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet3 (10.57.0.0/16; Subnet1 10.57.1.0/24, Gateway Subnet 10.57.3.0/27), VNet4 (10.6.0.0/16; Subnet1 10.6.11.0/24, Gateway Subnet 10.6.3.0/27) and VNet5 (10.7.0.0/16; Subnet1 10.7.8.0/24, Gateway Subnet 10.7.3.0/27)]
-
[Figure: VNet3 (10.57.0.0/16), VNet4 (10.6.0.0/16) and VNet5 (10.7.0.0/16), VNet3 connected to both; the BGP route exchange is built up over four slides]
Step 1, advertisement of 10.7.0.0/16 (VNet5's address space) to TRVNET3: "Please send me packets going to: 10.7.0.0/16"
Step 2, answer: "OK"
Step 3, TRVNET3 re-advertises to TRVNET4: "Please send me packets going to: 10.7.0.0/16 and 10.57.0.0/16"
Step 4, answer: "OK"
System Route Table: TRVNET4
Dest: 10.6.0.0/16    Send to: Local VNet
Dest: 10.57.0.0/16   Send to: VNet GW
Dest: 10.7.0.0/16    Send to: VNet GW
Dest: 0.0.0.0/0      Send to: Internet
TRVNET4 now has a route to send traffic to TRVNET5. TRVNET3 acts as a transit network.
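The route exchange sketched in the slides above, as an added example that is not part of the original deck: a small Python model of BGP-style advertisement between VNets connected through VPN gateways, using the deck's VNet names and address spaces. The rule that a VNet re-advertises prefixes it has learned (which is what makes TRVNET3 a transit network) is a simplified model of BGP behaviour, not Azure's implementation; the function and variable names are assumptions of this example.

```python
"""Added example (not from the deck): BGP-style route propagation between
VNets connected through VPN gateways, reproducing the TRVNET3/4/5 slides.

Each VNet advertises its own address space to every directly connected
VNet. With transit enabled, a VNet also re-advertises prefixes it has
learned, so a hub (TRVNET3) carries traffic between spokes that have no
direct connection. Names and prefixes are the deck's; the propagation
rules are a simplified model of BGP, not Azure's implementation.
"""
from ipaddress import ip_network

# Constructed topology matching the slides: TRVNET3 is connected to
# TRVNET4 and TRVNET5; TRVNET4 and TRVNET5 are not directly connected.
VNETS = {
    "TRVNET3": "10.57.0.0/16",
    "TRVNET4": "10.6.0.0/16",
    "TRVNET5": "10.7.0.0/16",
}
CONNECTIONS = [("TRVNET3", "TRVNET4"), ("TRVNET3", "TRVNET5")]


def neighbours(name):
    """VNets that share a gateway connection with `name`."""
    return [b if a == name else a for a, b in CONNECTIONS if name in (a, b)]


def build_route_tables(transit=True):
    """Return {vnet: [(prefix, next_hop)]} once advertisements converge.

    transit=False: each VNet advertises only its own address space
    (the first "Please send me packets going to: 10.7.0.0/16" step).
    transit=True: learned prefixes are re-advertised as well (the
    "10.7.0.0/16 and 10.57.0.0/16" step), so TRVNET4 gains a route to
    TRVNET5's space through its gateway connection to TRVNET3.
    """
    learned = {v: {} for v in VNETS}  # vnet -> {prefix: neighbour it came from}
    changed = True
    while changed:
        changed = False
        for v, space in VNETS.items():
            adverts = {space} | (set(learned[v]) if transit else set())
            for n in neighbours(v):
                for prefix in adverts:
                    # Skip the neighbour's own space and prefixes it already
                    # holds: keep the first path learned, no re-convergence.
                    if prefix == VNETS[n] or prefix in learned[n]:
                        continue
                    learned[n][prefix] = v
                    changed = True

    tables = {}
    for v, space in VNETS.items():
        routes = [(space, "Local VNet")]
        routes += [(p, "VNet GW") for p in sorted(learned[v])]
        routes.append(("0.0.0.0/0", "Internet"))  # system default route
        tables[v] = routes
    return tables


def next_hop(table, dst_ip):
    """Longest-prefix match: which next hop carries a packet to dst_ip."""
    dst = ip_network(dst_ip)  # a host address becomes a /32
    candidates = [r for r in table if dst.subnet_of(ip_network(r[0]))]
    return max(candidates, key=lambda r: ip_network(r[0]).prefixlen)[1]


if __name__ == "__main__":
    for name, table in build_route_tables().items():
        print(f"System Route Table: {name}")
        for prefix, hop in table:
            print(f"  Dest: {prefix:<14} Send to: {hop}")
    # TRVNET4 reaches TRVNET5's space through TRVNET3: the transit case.
    print(next_hop(build_route_tables()["TRVNET4"], "10.7.8.4"))
```

Running with `transit=False` reproduces the earlier slides (TRVNET3 learns both spokes, but TRVNET4 and TRVNET5 see only each other's hub); with `transit=True` the TRVNET4 table matches the one on the last slide. The trade-off the deck draws next follows from the model: every spoke-to-spoke packet traverses the hub's gateway, so the hub gateway's bandwidth caps cross-VNet throughput.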
-
Option#1: Full Mesh
• Efficient routing: each VNet is directly connected to any other VNet
• Many VNet-2-VNet connections to be maintained
• Cross-VNET communication performance is capped by VNet Gateway's bandwidth

Option#2: BGP + transit routing
• Traffic between VNets may cross 1 or more transit networks
• Any-to-any connectivity is possible with fewer VNET-2-VNET connections
• Cross-VNET communication performance is capped by VNet Gateway's bandwidth
-
[Figure: VNet1 (Subnet1, Subnet2) peered with VNet2 (Subnet1, Subnet2)]
-
VNet1 cannot send/receive traffic to/from VNet3
-
[Figure: On-Prem network and the peered VNets]
-
[Figure: On-Prem]
VNet1 and VNet2 must both be ARM!
-
• NSG
• VPN/Express Route GW
• VNet Peering
• NVA
-
Route Table (Simplified)
Dest: 10.57.0.0/16     On-link       (destinations that can be reached directly, without crossing layer-3 devices)
Dest: 10.3.2.0/24      On-link
Dest: 10.100.0.0/16    Next hop:     (destinations that can be reached through a known layer-3 gateway device)
Dest: 192.168.0.0/16   Next hop:
Dest: 0.0.0.0/0        Next hop:     (gateway for any other destination)
-
Packets whose destination IP address is inside the VNet's address space are sent directly to the destination VM.
Packets whose destination IP address belongs to a network connected via ExpressRoute or IPsec are sent to the ER/S2S Virtual Network Gateway.
Packets that match none of the previous rules are sent to the Internet.
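The selection rules above, as an added example that is not part of the original deck: a Python model of how a subnet's effective route is chosen, longest prefix first and, when prefixes tie, user-defined route over BGP-learned route over system route (the priority order Azure documents for its routing; the next-hop type names VnetLocal, VirtualNetworkGateway, Internet, VirtualAppliance and None are Azure's). VNet1's address space and the 10.100.0.0/16 and 10.3.2.0/24 prefixes come from the deck; the NVA address 10.57.9.4 in the GW Subnet and the function names are constructed for this example.

```python
"""Added example (not from the deck): which route a packet leaving a VM
actually takes. Azure keeps the routes whose prefix contains the
destination, picks the longest prefix, and breaks a tie by route source:
user-defined route beats BGP route beats system route. The NVA address
10.57.9.4 is constructed; VNet1's prefixes are the deck's.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}  # lower wins on a tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # VnetLocal, VirtualNetworkGateway, Internet,
    next_hop_ip: str = ""   # VirtualAppliance (needs an IP) or None (drop)
    source: str = "System"  # System, BGP or User


def effective_route(routes, dst_ip):
    """Return the Route that carries traffic to dst_ip.

    A returned route whose next_hop_type is "None" means the packet is
    dropped; a missing match cannot happen while 0.0.0.0/0 is present.
    """
    dst = ip_address(dst_ip)
    matches = [r for r in routes if dst in ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix first, then the source priority breaks ties.
    return min(matches, key=lambda r: (-ip_network(r.prefix).prefixlen,
                                       SOURCE_PRIORITY[r.source]))


def system_routes(address_space, bgp_prefixes=()):
    """Routes every subnet holds by default: local VNet, any prefixes
    learned over the gateway (ER/S2S with BGP), and the internet default."""
    routes = [Route(address_space, "VnetLocal")]
    routes += [Route(p, "VirtualNetworkGateway", source="BGP") for p in bgp_prefixes]
    routes.append(Route("0.0.0.0/0", "Internet"))
    return routes


def forced_tunnel_routes(nva_ip, address_space):
    """UDRs a defender applies to workload subnets so that internet-bound
    and intra-VNet traffic is inspected by an NVA before delivery, plus a
    black-hole route for a prefix that must never be reachable."""
    return [
        Route("0.0.0.0/0", "VirtualAppliance", nva_ip, source="User"),
        Route(address_space, "VirtualAppliance", nva_ip, source="User"),
        Route("10.3.2.0/24", "None", source="User"),
    ]


def describe(route):
    """One line in the deck's 'Dest ... Send to ...' style."""
    hop = route.next_hop_type
    if route.next_hop_ip:
        hop += f" {route.next_hop_ip}"
    return f"Dest: {route.prefix:<15} Send to: {hop} ({route.source})"


if __name__ == "__main__":
    vnet1 = "10.57.0.0/16"
    workload = system_routes(vnet1, ["10.100.0.0/16"]) + forced_tunnel_routes("10.57.9.4", vnet1)
    for dst in ("10.57.1.10", "10.100.0.5", "8.8.8.8", "10.3.2.7"):
        print(f"{dst:<12} -> {describe(effective_route(workload, dst))}")
```

Two details worth noticing in the output: the 0.0.0.0/0 UDR does not capture traffic for 10.100.0.0/16, because the BGP-learned /16 is more specific and still wins on prefix length; and the UDR for the VNet's own /16 overrides the system VnetLocal route only because a user route wins the tie. Do not apply that intra-VNet UDR to the NVA's own subnet, or the appliance's outbound packets loop back to itself.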
-
[Figure: VNet1, address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Subnet3 10.57.3.0/25]
System Route (Local VNet rule)
System Route Table
Dest: 10.57.0.0/16   Send to: Local VNet
Dest: 0.0.0.0/0      Send to: Internet
-
[Figure: VNet1 (10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, Subnet3 10.57.3.0/25) with a UDR applied]
-
[Figure: VNet1, address space 10.57.0.0/16; Subnet1 10.57.1.0/24, Subnet2 10.57.2.0/25, GW Subnet 10.57.9.0/28; connected to the Internet]