
Azure Express route forced-tunneling with NVA

I want to set up forced tunneling in Azure. All traffic destined to the internet should be routed to on-prem and exit to the internet from there.

  • As far as I understand, I need to advertise the default route via BGP in Azure so that it replaces the internet default route and sends everything to on-prem via Express route.
  • Then I make UDRs 0.0.0.0/0 with next hop to the NVA Cisco firewall on all subnets in Azure.

All traffic from Azure subnets will go to the NVA and from there it will be routed to on-prem or to another VNet.

The question is: what about the traffic coming from on-prem to Azure? I want that traffic to also go through the NVA Cisco firewall. How could it be done, as the gateway subnet does not support 0.0.0.0/0 UDRs with an Express route setup?

Your initial understanding of the setup is correct. You will have to advertise a default route of 0.0.0.0/0 via BGP from your on-premises to Azure, so that all your Azure traffic is sent to your on-premises via the ExpressRoute. And in order to filter all that traffic by an NVA, you can add a UDR with 0.0.0.0/0 on all the subnets (except the NVA subnet) with next hop as your Cisco Firewall NVA.

This setup will take care of the routing from Azure to on-premises, which will go as below: All subnets --> Cisco NVA --> ExpressRoute gateway --> On-premises.

Now coming back to your question about the return traffic: yes, GatewaySubnet does not support 0.0.0.0/0 UDRs, but it supports UDRs with other address prefixes.

Hence, you can add a UDR to the ExpressRoute GatewaySubnet with the address prefix of your VNet range, with next hop type Virtual Appliance and the IP address of your Cisco NVA. This will make sure that any traffic that comes from your on-premises for your Azure VNet range will be forwarded to the Cisco NVA when it reaches your ExpressRoute gateway.

For example: if your VNet address range is 10.0.0.0/16, then you can add a UDR to your ExpressRoute GatewaySubnet as below:

  Address prefix: 10.0.0.0/16 --> Next hop type = Virtual Appliance --> Next hop = IP address of Cisco NVA

So the routing from on-premises to Azure will go as below: On-premises --> ExpressRoute gateway --> Cisco NVA --> All subnets.
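The two route tables described in the answer, written out as Bicep. This is an added example, not code from the original answer; the NVA private IP 10.0.1.4, the route-table names and the API version are assumptions, and the VNet range is the answer's 10.0.0.0/16.

```bicep
// Assumed values (not from the answer): NVA private IP and route-table names.
param location string = resourceGroup().location
param nvaPrivateIp string = '10.0.1.4'        // Cisco NVA internal interface
param vnetAddressRange string = '10.0.0.0/16' // VNet range from the answer

// Route table for every workload subnet. Do NOT associate it with the NVA
// subnet: the firewall's own egress must follow the BGP-learned default
// route to on-prem. BGP propagation stays enabled so that route is still
// learned; for 0.0.0.0/0 the UDR takes precedence over the BGP route.
resource workloadRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-subnets'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-via-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}

// Route table for the GatewaySubnet. 0.0.0.0/0 is not allowed here, so the
// VNet's own range is used instead: inbound on-prem traffic for the VNet
// is handed to the NVA before it reaches any workload subnet.
resource gatewayRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    routes: [
      {
        name: 'vnet-range-via-nva'
        properties: {
          addressPrefix: vnetAddressRange
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaPrivateIp
        }
      }
    ]
  }
}
```

Associate `rt-workload-subnets` with each workload subnet and `rt-gatewaysubnet` with the GatewaySubnet; after deployment, the effective routes of a workload NIC should show 0.0.0.0/0 with next hop VirtualAppliance rather than the BGP-learned default.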

