20221129 Azure Route Exchange: 以 Azure VMware Solution 為例

Transcript

1. Azure Route Exchange Phil Huang <[email protected]> Sr. Cloud Solution Architect

   2022/11/29 以 Azure VMware Solution 為例

2. Challenge Azure Networking

3. FortiGate 60E wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface 192.168.100.6/24

   Azure VMware Solution 10.7.0.0/22 D-MSEE

4. On-premise Source IP: 192.168.100.6 vCenter IP of Azure VMware Solution

   in Canada Central : 10.7.0.2

5. Hint Azure Networking

6. Azure VMware Solution 連線特性 Already enable VMware NSX-T Edge •

   一座 Azure VMware Solution 提供 2 種 Peering 方式 1. Azure ExpressRoute 2. Azure ExpressRoute Global Reach (對方也須具備 ExpressRoute 才能用) • 預設狀況下，AVS BGP Peering 是由 Azure 所自動設定 • AS Path: 64513 (AVS BGP ASN) -> 65100 -> ... -> 398656 -> 12076 -> Customer Managed ASN

7. Azure ExpressRoute 連線特性 Private Connection to Microsoft Cloud Ref: https://learn.microsoft.com/en-us/azure/route-server/expressroute-vpn-support

   • 若已具備 ExpressRoute 且須連到指定 Azure VNet， 則需在該 Azure VNet 使用 Virtual Network Gateway (VNG) 並採用 ExpressRoute Type 接入網 路 • 若有需要跟其他線路進行路由，則需要在該 Azure VNet 使用 Azure Route Server，並啟用 Branch-to- Branch 協助路由宣告 (Route Propagate)

8. Virtual Network Gateway 使用特性 Access to Azure virtual network •

   Virtual Network Gateway 提供 2 種 Gateway Type，可共存 同一個 Azure VNet 1. VPN 2. ExpressRoute • 若需與 Azure Route Server 交換路由，則需要滿足下列條件

9. 觀察 BGP Peer 及 Learned Routes 狀態 Virtual Network Gateway

   • 選擇 VPN Gateway > Monitoring > BGP Peers

10. Azure Route Server 使用特性 Enables exchange route information with Azure

    virtual networks • 預設狀況下，Azure Route Server 會啟用 BGP，且 ASN 為 65515 • 無需額外進行 BGP Peer 操作，預設自動跟所在 Azure VNet 之 GatewaySubnet 進行路由交換

11. Route Exchange with Static Route between ExpressRoute and S2S VPN

    Case 1 Common Use Case!!!

12. Ref: FortiGate 60E wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface

    192.168.100.6/24 • No BGP • Static Route Only Azure VMware Solution 10.7.0.0/22 D-MSEE ExpressRoute vnet-hub 10.10.0.0/24 ExpressRoute Gateway GatewaySubnet 10.10.0.0/27 AzureRouteSubnet 10.10.0.32/27 ars-hub ASN: 65515 private-ip: 10.10.0.37 private-ip: 10.10.0.36 S2S VPN Gateway pip-vpn-1 pip-vpn-2 pip-er pip-ars private-ip-1: 10.10.0.14 private-ip-2: 10.10.0.15 ASN: 65515 Solution - Create VNet - Create ExpressRoute Gateway (Basic SKU) - Create VPN Gateway - Active-Active Mode - Enable BGP - ASN: 65515 - Create Azure Route Server - Enable branch-to-branch

13. Ref: FortiGate 60E wan1 Public IP: x.x.x.x internal1 192.168.100.254/24 Surface

    192.168.100.6/24 • No BGP • Static Route Only vWAN 10.10.0.0/24 ExpressRoute Gateway GatewaySubnet 10.10.0.0/27 AzureRouteSubnet 10.10.0.32/27 ars-hub ASN: 65515 private-ip: 10.10.0.37 private-ip: 10.10.0.36 S2S VPN Gateway pip-vpn-1 pip-vpn-2 pip-er pip-ars private-ip-1: 10.10.0.14 private-ip-2: 10.10.0.15 ASN: 65515 Azure VMware Solution 10.7.0.0/22 D-MSEE ExpressRoute Solution - Create vWAN - Create vHub

14. Case 1 Azure VMware Solution NSX-T T0 BGP ASN: 64513

    10.7.0.0/22

15. Route Exchange with eBGP between ExpressRoute and S2S VPN Case

    2

16. Ref: FortiGate 60E ASN: 65533 wan1 Public IP: x.x.x.x internal1

    192.168.100.254/24 Surface 192.168.100.6/24 • BGP ASN: 65533 Azure VMware Solution 10.7.0.0/22 D-MSEE ExpressRoute vnet-hub 10.10.0.0/24 ExpressRoute Gateway GatewaySubnet 10.10.0.0/27 AzureRouteSubnet 10.10.0.32/27 ars-hub ASN: 65515 private-ip: 10.10.0.37 private-ip: 10.10.0.36 S2S VPN Gateway pip-vpn-1 pip-vpn-2 pip-er pip-ars private-ip-1: 10.10.0.14 private-ip-2: 10.10.0.15 ASN: 65515 Solution - Create VNet - Create ExpressRoute Gateway (Basic SKU) - Create VPN Gateway - Active-Active Mode - Enable BGP - ASN: 65515 - Create Azure Route Server - Enable branch-to-branch

17. Case 2: Route Traffic Azure VMware Solution NSX-T T0 BGP

    ASN: 64513 10.7.0.0/22 ASN: 65533

18. Route Exchange with multi eBGP between ExpressRoute and S2S VPN

    Case 3

19. Ref: FortiGate 60E ASN: 65533 wan1 Public IP: x.x.x.x internal1

    192.168.100.254/24 Surface 192.168.100.6/24 Azure VMware Solution 10.7.0.0/22 D-MSEE ExpressRoute vnet-hub 10.10.0.0/24 ExpressRoute Gateway GatewaySubnet 10.10.0.0/27 AzureRouteSubnet 10.10.0.32/27 ars-hub ASN: 65515 private-ip: 10.10.0.37 private-ip: 10.10.0.36 S2S VPN Gateway pip-vpn-1 pip-vpn-2 pip-er pip-ars private-ip-1: 10.10.0.14 private-ip-2: 10.10.0.15 ASN: 300 Solution - Create VNet - Create ExpressRoute Gateway (Basic SKU) - Create VPN Gateway - Active-Active Mode - Enable BGP - ASN: 300 - Create Azure Route Server - Enable branch-to-branch

20. Case 3: Route Traffic ASN: 300 Azure VMware Solution NSX-T

    T0 BGP ASN: 64513 10.7.0.0/22

21. Conclusion Azure Networking • 若於地端並無配置 BGP 設計，僅具有 Static Route /

    Policy Route，則可以透過 Case 1 方式將路由接入 至 Azure • 若地端有 BGP 設定，則可透過 Case 2 與 Azure Private ASN 65515 進行路由交換 • 若有特殊架構規劃需求，則可透過 Case 3 或額外建立 NVA (如 FRRouting on Azure VM / 3rd party SD- WAN / vRouter 等) 實踐

22. Invent with purpose.