#avs #azure #networking
YouTube: https://www.youtube.com/watch?v=F9voykz0Brs
Azure Route ExchangePhil Huang Sr. Cloud Solution Architect2022/11/29以 Azure VMware Solution 為例
View Slide
ChallengeAzure Networking
FortiGate 60Ewan1Public IP: x.x.x.xinternal1192.168.100.254/24Surface192.168.100.6/24Azure VMware Solution10.7.0.0/22D-MSEE
On-premise Source IP: 192.168.100.6vCenter IP of Azure VMware Solution in Canada Central : 10.7.0.2
HintAzure Networking
Azure VMware Solution 連線特性Already enable VMware NSX-T Edge• 一座 Azure VMware Solution 提供 2 種 Peering 方式1. Azure ExpressRoute2. Azure ExpressRoute Global Reach (對方也須具備 ExpressRoute 才能用)• 預設狀況下,AVS BGP Peering 是由 Azure 所自動設定• AS Path: 64513 (AVS BGP ASN) -> 65100 -> ... -> 398656 -> 12076 -> Customer Managed ASN
Azure ExpressRoute 連線特性Private Connection to Microsoft CloudRef: https://learn.microsoft.com/en-us/azure/route-server/expressroute-vpn-support• 若已具備 ExpressRoute 且須連到指定 Azure VNet,則需在該 Azure VNet 使用 Virtual NetworkGateway (VNG) 並採用 ExpressRoute Type 接入網路• 若有需要跟其他線路進行路由,則需要在該 AzureVNet 使用 Azure Route Server,並啟用 Branch-to-Branch 協助路由宣告 (Route Propagate)
Virtual Network Gateway 使用特性Access to Azure virtual network• Virtual Network Gateway 提供 2 種 Gateway Type,可共存同一個 Azure VNet1. VPN2. ExpressRoute• 若需與 Azure Route Server 交換路由,則需要滿足下列條件
觀察 BGP Peer 及 Learned Routes 狀態Virtual Network Gateway• 選擇 VPN Gateway > Monitoring> BGP Peers
Azure Route Server 使用特性Enables exchange route information with Azure virtual networks• 預設狀況下,Azure Route Server 會啟用 BGP,且 ASN 為 65515• 無需額外進行 BGP Peer 操作,預設自動跟所在 Azure VNet 之 GatewaySubnet 進行路由交換
Route Exchange with StaticRoute between ExpressRouteand S2S VPNCase 1Common Use Case!!!
Ref:FortiGate 60Ewan1Public IP: x.x.x.xinternal1192.168.100.254/24Surface192.168.100.6/24• No BGP• Static Route OnlyAzure VMware Solution10.7.0.0/22D-MSEEExpressRoutevnet-hub10.10.0.0/24ExpressRouteGatewayGatewaySubnet10.10.0.0/27AzureRouteSubnet10.10.0.32/27ars-hubASN: 65515private-ip: 10.10.0.37private-ip: 10.10.0.36S2S VPNGatewaypip-vpn-1pip-vpn-2pip-erpip-arsprivate-ip-1: 10.10.0.14private-ip-2: 10.10.0.15ASN: 65515Solution- Create VNet- Create ExpressRoute Gateway (Basic SKU)- Create VPN Gateway- Active-Active Mode- Enable BGP- ASN: 65515- Create Azure Route Server- Enable branch-to-branch
Ref:FortiGate 60Ewan1Public IP: x.x.x.xinternal1192.168.100.254/24Surface192.168.100.6/24• No BGP• Static Route Only vWAN10.10.0.0/24ExpressRouteGatewayGatewaySubnet10.10.0.0/27AzureRouteSubnet10.10.0.32/27ars-hubASN: 65515private-ip: 10.10.0.37private-ip: 10.10.0.36S2S VPNGatewaypip-vpn-1pip-vpn-2pip-erpip-arsprivate-ip-1: 10.10.0.14private-ip-2: 10.10.0.15ASN: 65515Azure VMware Solution10.7.0.0/22D-MSEEExpressRouteSolution- Create vWAN- Create vHub
Case 1Azure VMware SolutionNSX-T T0 BGP ASN: 6451310.7.0.0/22
Route Exchange with eBGPbetween ExpressRoute andS2S VPNCase 2
Ref:FortiGate 60EASN: 65533wan1Public IP: x.x.x.xinternal1192.168.100.254/24Surface192.168.100.6/24• BGP ASN: 65533Azure VMware Solution10.7.0.0/22D-MSEEExpressRoutevnet-hub10.10.0.0/24ExpressRouteGatewayGatewaySubnet10.10.0.0/27AzureRouteSubnet10.10.0.32/27ars-hubASN: 65515private-ip: 10.10.0.37private-ip: 10.10.0.36S2S VPNGatewaypip-vpn-1pip-vpn-2pip-erpip-arsprivate-ip-1: 10.10.0.14private-ip-2: 10.10.0.15ASN: 65515Solution- Create VNet- Create ExpressRoute Gateway (Basic SKU)- Create VPN Gateway- Active-Active Mode- Enable BGP- ASN: 65515- Create Azure Route Server- Enable branch-to-branch
Case 2: Route TrafficAzure VMware SolutionNSX-T T0 BGP ASN: 6451310.7.0.0/22ASN: 65533
Route Exchange with multieBGP between ExpressRouteand S2S VPNCase 3
Ref:FortiGate 60EASN: 65533wan1Public IP: x.x.x.xinternal1192.168.100.254/24Surface192.168.100.6/24Azure VMware Solution10.7.0.0/22D-MSEEExpressRoutevnet-hub10.10.0.0/24ExpressRouteGatewayGatewaySubnet10.10.0.0/27AzureRouteSubnet10.10.0.32/27ars-hubASN: 65515private-ip: 10.10.0.37private-ip: 10.10.0.36S2S VPNGatewaypip-vpn-1pip-vpn-2pip-erpip-arsprivate-ip-1: 10.10.0.14private-ip-2: 10.10.0.15ASN: 300Solution- Create VNet- Create ExpressRoute Gateway (Basic SKU)- Create VPN Gateway- Active-Active Mode- Enable BGP- ASN: 300- Create Azure Route Server- Enable branch-to-branch
Case 3: Route TrafficASN: 300Azure VMware SolutionNSX-T T0 BGP ASN: 6451310.7.0.0/22
ConclusionAzure Networking• 若於地端並無配置 BGP 設計,僅具有 Static Route / Policy Route,則可以透過 Case 1 方式將路由接入至 Azure• 若地端有 BGP 設定,則可透過 Case 2 與 Azure Private ASN 65515 進行路由交換• 若有特殊架構規劃需求,則可透過 Case 3 或額外建立 NVA (如 FRRouting on Azure VM / 3rd party SD-WAN / vRouter 等) 實踐
Invent with purpose.
pichuang
miu_crescent
nagix
hacomono
picardparis
line_developers_tw
senkin13
kazukihayase
tomuro
prashantspol
tkhresk
tkmnzm
keithpitt
hatefulcrawdad
addyosmani
rmw
hannesfritz
frogandcode
phodgson
mojombo
geeforr
kneath
hursman
rocio