hybrid-cloud-networking
Hybrid Cloud Networking
Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.
Purpose
Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP).
When to Use
- Connect on-premises to cloud
- Extend datacenter to cloud
- Implement hybrid active-active setups
- Meet compliance requirements
- Migrate to cloud gradually
Connection Options
AWS Connectivity
1. Site-to-Site VPN
- IPsec VPN over the public internet; each AWS connection provides two tunnels terminating on separate AWS endpoints
- Up to 1.25 Gbps per tunnel; a virtual private gateway does not support ECMP, so aggregate throughput is bounded by one tunnel unless the tunnels terminate on a Transit Gateway
- Cost-effective for moderate bandwidth
- Higher and more variable latency, dependent on the quality of the internet path
```hcl
# Virtual private gateway attached to the VPC; terminates the AWS side of the tunnels.
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-vpn-gateway"
  }
}

# On-premises endpoint: public IP of the customer device and its BGP ASN
# (203.0.113.1 is a documentation address; replace it with the real device IP).
resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

# The VPN connection; AWS creates two tunnels to two separate endpoints.
# static_routes_only = false means prefixes are exchanged over BGP rather
# than configured statically. The generated tunnel pre-shared keys end up in
# Terraform state, so protect the state backend like a secret store.
resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false
}
```
2. AWS Direct Connect
- Dedicated physical connection (or a hosted connection through a Direct Connect partner) that bypasses the public internet
- 1 Gbps to 100 Gbps on dedicated ports; lower speeds through hosted connections
- Lower, consistent latency and predictable bandwidth
- More expensive, and physical provisioning has a lead time of weeks rather than minutes
- Not encrypted by itself: enable MACsec (available on 10 Gbps and 100 Gbps dedicated connections at supporting locations) or run a Site-to-Site VPN over the connection when confidentiality in transit is required
Reference: See references/direct-connect.md
Azure Connectivity
1. Site-to-Site VPN
```hcl
# Route-based VPN gateway in the VNet. The subnet referenced by subnet_id must be
# the dedicated subnet named "GatewaySubnet"; Azure rejects any other name.
resource "azurerm_virtual_network_gateway" "vpn" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  type     = "Vpn"
  vpn_type = "RouteBased" # required for IKEv2 and BGP
  sku      = "VpnGw1"     # sizes throughput; the Basic SKU does not support BGP

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}
```
2. Azure ExpressRoute
- Private connection through a connectivity provider (or ExpressRoute Direct, which plugs straight into Microsoft's network)
- Up to 100 Gbps with ExpressRoute Direct; provider circuits up to 10 Gbps
- Low latency, high reliability
- Premium add-on required for connectivity to VNets in other geopolitical regions and for larger route tables
- Not encrypted by itself: use MACsec on ExpressRoute Direct or run a site-to-site VPN over ExpressRoute private peering when the data needs confidentiality in transit
GCP Connectivity
1. Cloud VPN
- IPsec VPN, either Classic VPN or HA VPN; HA VPN is the recommended choice for new deployments
- HA VPN: 99.99% availability SLA, which requires tunnels on both gateway interfaces and BGP via Cloud Router
- Up to 3 Gbps per tunnel, ingress and egress combined; scale out by adding tunnels and using ECMP
2. Cloud Interconnect
- Dedicated Interconnect: 10 Gbps or 100 Gbps circuits directly into Google's network
- Partner Interconnect: 50 Mbps to 50 Gbps through a supported service provider
- Lower latency than VPN, but not encrypted by itself: use MACsec for Cloud Interconnect or HA VPN over Cloud Interconnect where confidentiality in transit is required
Hybrid Network Patterns
Pattern 1: Hub-and-Spoke
```
On-Premises Datacenter
        ↓
VPN/Direct Connect
        ↓
Transit Gateway (AWS) / vWAN (Azure)
        ↓
├─ Production VPC/VNet
├─ Staging VPC/VNet
└─ Development VPC/VNet
```
Give each environment its own hub route table (Transit Gateway route table or Virtual WAN route table) so every spoke reaches on-premises through the hub but spokes cannot reach each other unless explicitly allowed; the hub is also the natural place to insert inspection (firewall appliances) on the hybrid path.
Pattern 2: Multi-Region Hybrid
```
On-Premises
├─ Direct Connect → us-east-1
└─ Direct Connect → us-west-2
        ↓
Cross-Region Peering
```
Two circuits into two regions remove a single region, and a single Direct Connect location, as a failure point; the cross-region peering lets either circuit carry traffic for both regions if one fails.
Pattern 3: Multi-Cloud Hybrid
```
On-Premises Datacenter
├─ Direct Connect → AWS
├─ ExpressRoute → Azure
└─ Interconnect → GCP
```
Routing Configuration
BGP Configuration
```
On-Premises Router:
  - AS Number: 65000 (private ASN)
  - Advertise: 10.0.0.0/8 (or the specific on-premises ranges)

Cloud Router:
  - AS Number: 64512 (AWS default for virtual private gateway and Transit Gateway), 65515 (Azure VPN gateway default)
  - Advertise: Cloud VPC/VNet CIDRs
```
Keep the on-premises ASN out of the ranges the providers reserve for themselves (Azure, for example, reserves 65515 and 65517-65520 for its gateways). Be aware that a /8 summary from on-premises also covers any cloud CIDR allocated from 10.0.0.0/8; that only works because cloud route tables prefer the more specific VPC/VNet routes, so filter what you accept rather than relying on longest-prefix match.
Route Propagation
- Enable route propagation on the VPC/VNet route tables (and on Transit Gateway route tables) so BGP-learned prefixes are installed automatically
- Use BGP for dynamic routing and failover rather than static routes
- Filter routes in both directions: accept only the agreed on-premises prefixes, reject the default route and anything overlapping cloud CIDRs, and do not advertise cloud-internal or peered-VPC ranges back to on-premises unless that is intended
- Monitor route advertisements (prefix counts, unexpected prefixes, flaps); a sudden change in what a peer announces is a routing incident whether it comes from misconfiguration or from an attacker on the on-premises side
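The receive-side filtering rule above can be made concrete. The following Python is an added example, not part of this page or of any provider's tooling: it evaluates prefixes announced by the on-premises peer against an assumed policy (the agreed aggregate 10.0.0.0/8 from the BGP section; cloud CIDRs 10.100.0.0/16 to 10.102.0.0/16, a /24 specificity cap and a 100-route quota chosen for the example). The list of announced prefixes is constructed. It runs offline on the standard library; in practice the same rules belong in the router's prefix-list and in a pre-apply check on the Terraform or Cloud Router configuration.

```python
"""Validate BGP prefixes received from the on-premises router against a
receive policy. Added example; the policy values and sample prefixes are
assumptions for illustration, not the page's or any provider's defaults."""
import ipaddress

# Assumed policy for this example.
ON_PREM_AGGREGATE = ipaddress.ip_network("10.0.0.0/8")   # what on-prem may announce
CLOUD_CIDRS = [ipaddress.ip_network(c) for c in           # hypothetical VPC/VNet ranges
               ("10.100.0.0/16", "10.101.0.0/16", "10.102.0.0/16")]
MAX_PREFIX_LEN = 24   # no host routes or tiny subnets
MAX_ROUTES = 100      # documented AWS virtual private gateway quota (Transit Gateway: 1,000)

# Constructed sample: what a misconfigured (or malicious) peer might announce.
SAMPLE_ADVERTISEMENTS = [
    "10.1.0.0/16",      # legitimate on-prem range
    "10.2.0.0/16",      # legitimate on-prem range
    "10.0.0.0/8",       # summary that also covers the cloud CIDRs
    "0.0.0.0/0",        # default route: would pull all cloud egress on-prem
    "192.168.1.0/24",   # outside the agreed aggregate
    "10.100.5.0/24",    # inside a cloud VPC: would hijack traffic for that subnet
    "10.3.4.128/25",    # too specific
    "10.4.4.1/24",      # host bits set: malformed
]


def evaluate_prefix(prefix, aggregate=ON_PREM_AGGREGATE, cloud_cidrs=CLOUD_CIDRS,
                    max_prefix_len=MAX_PREFIX_LEN):
    """Return (accepted, reason) for one announced prefix."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # strict rejects host bits set
    except ValueError as exc:
        return False, f"unparsable prefix: {exc}"
    if net.version != aggregate.version:
        return False, f"address family mismatch (got IPv{net.version})"
    if net.prefixlen == 0:
        return False, "default route is never accepted from a peer"
    if not net.subnet_of(aggregate):
        return False, f"outside agreed aggregate {aggregate}"
    if net.prefixlen > max_prefix_len:
        return False, f"more specific than /{max_prefix_len}"
    for cloud in cloud_cidrs:
        if net.overlaps(cloud):
            # Covers a cloud range: longest-prefix match may still save you, but
            # accepting it invites asymmetric routing and traffic hijack.
            return False, f"overlaps cloud CIDR {cloud}"
    return True, "accepted"


def filter_advertisements(prefixes, max_routes=MAX_ROUTES):
    """Split announcements into accepted prefixes and {prefix: reason} rejections."""
    accepted, rejected = [], {}
    for prefix in prefixes:
        ok, reason = evaluate_prefix(prefix)
        if ok:
            accepted.append(prefix)
        else:
            rejected[prefix] = reason
    if len(accepted) > max_routes:
        # The gateway would silently ignore routes past the quota; fail loudly instead.
        raise ValueError(f"{len(accepted)} routes exceed the gateway quota of {max_routes}")
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_advertisements(SAMPLE_ADVERTISEMENTS)
    print("accepted:", ok)
    for prefix, why in bad.items():
        print(f"rejected {prefix}: {why}")
```

On the constructed sample only the two /16 on-premises ranges survive; the /8 summary is rejected because it overlaps the hypothetical cloud CIDRs, which is exactly the case the caveat in the BGP section warns about.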
Security Best Practices
- Prefer private connectivity (Direct Connect/ExpressRoute/Interconnect) for sensitive or high-volume traffic, but remember that these circuits are not encrypted by themselves
- Pin the IKE version and cipher suite on VPN tunnels (IKEv2, AES-256 or AES-256-GCM, SHA-2, DH group 14 or higher) instead of accepting provider defaults; AWS's default tunnel options, for example, still allow IKEv1, SHA-1 and DH group 2. IPsec always encrypts, so the risk is a negotiated-down suite, not plaintext
- Use VPC endpoints / PrivateLink / Private Endpoints so traffic to provider services stays off the internet path
- Configure network ACLs and security groups so on-premises ranges get only the access they need; a VPN is a network path, not an authorization boundary
- Enable VPC Flow Logs (or NSG flow logs) on the hybrid attachments for monitoring and forensics
- Protect the public-facing VPN endpoints and any internet-facing services with DDoS protection (AWS Shield, Azure DDoS Protection)
- Monitor tunnel and BGP state with CloudWatch / Azure Monitor and alert on a tunnel going down or on accepted-route-count changes
- Build in redundancy: two tunnels per connection at minimum, ideally two customer devices or two circuits
- Treat tunnel pre-shared keys as secrets: rotate them, and remember that Terraform state contains them
- Audit route tables, prefix filters and security-group rules regularly; a hybrid link is a common way for a compromised on-premises network to reach the cloud estate
High Availability
Dual VPN Tunnels
```hcl
# Each aws_vpn_connection already has two tunnels to two AWS endpoints. A second
# connection to a second customer gateway (a separate on-premises device or site)
# gives four tunnels and removes the on-premises device as a single point of failure.
# static_routes_only defaults to false, so BGP handles failover between connections.
resource "aws_vpn_connection" "primary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.primary.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "secondary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.secondary.id
  type                = "ipsec.1"
}
```
Active-Active Configuration
- Multiple connections from different on-premises locations and devices
- BGP for automatic failover, tuned with AS-path prepending or MED to control which path is preferred
- Equal-cost multi-path (ECMP) routing to use all tunnels at once; on AWS this requires a Transit Gateway, on Azure an active-active gateway, on GCP HA VPN with Cloud Router
- Monitor the health of every connection individually, not just the aggregate; a silent loss of one path leaves you with no redundancy
Monitoring and Troubleshooting
Key Metrics
- Tunnel status (up/down), per tunnel rather than per connection
- Bytes in/out per tunnel (a tunnel that is up but carries no traffic deserves a look)
- Packet loss
- Latency
- BGP session status and accepted route count (a tunnel that is up with zero accepted routes means IPsec is fine and BGP is not)
Troubleshooting
```bash
# AWS VPN: tunnel status, status message and accepted BGP route count live in VgwTelemetry
aws ec2 describe-vpn-connections
aws ec2 describe-vpn-connections --vpn-connection-ids <vpn-id> \
  --query 'VpnConnections[].VgwTelemetry[].{ip:OutsideIpAddress,status:Status,routes:AcceptedRouteCount,msg:StatusMessage}'

# Azure VPN: connection state, a configuration script for the on-premises device,
# and the IKE security associations currently established
az network vpn-connection show --name <connection> --resource-group <rg>
az network vpn-connection show-device-config-script --name <connection> --resource-group <rg> \
  --vendor <vendor> --device-family <family> --firmware-version <version>
az network vpn-connection list-ike-sas --name <connection> --resource-group <rg>
```
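The commands above return raw state; what you actually want is a verdict. The Python below is an added example, not from this page or from AWS: it takes a payload in the shape of `aws ec2 describe-vpn-connections` output and reports per connection whether both tunnels are up, whether tunnels that are up are actually receiving BGP routes, and whether the tunnel options still allow anything outside the cipher policy from the best-practices list. The payload is constructed (hypothetical connection IDs and documentation addresses), and the allowed-suite sets are this example's policy, not AWS defaults.

```python
"""Health and crypto-policy check over the JSON shape returned by
`aws ec2 describe-vpn-connections`. Added example; the sample payload is
constructed and the policy thresholds are assumptions, not AWS defaults."""

# Assumed policy: the only IKE/IPsec parameters a tunnel may negotiate.
ALLOWED_IKE = {"ikev2"}
ALLOWED_ENC = {"AES256", "AES256-GCM-16"}
ALLOWED_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
MIN_DH_GROUP = 14


def _vals(items):
    """Tunnel option lists in the API look like [{"Value": "ikev2"}, ...]."""
    return [{"Value": v} for v in items]


def _tunnel_options(ike, enc, integ, dh):
    """Build one TunnelOptions entry using the same suite for phase 1 and phase 2."""
    return {"IkeVersions": _vals(ike),
            "Phase1EncryptionAlgorithms": _vals(enc), "Phase1IntegrityAlgorithms": _vals(integ),
            "Phase1DHGroupNumbers": _vals(dh),
            "Phase2EncryptionAlgorithms": _vals(enc), "Phase2IntegrityAlgorithms": _vals(integ),
            "Phase2DHGroupNumbers": _vals(dh)}


def _telemetry(ip, status, routes, message=""):
    return {"OutsideIpAddress": ip, "Status": status,
            "AcceptedRouteCount": routes, "StatusMessage": message}


# Constructed sample (hypothetical IDs, documentation addresses); one TunnelOptions
# entry per connection to keep it short.
SAMPLE_DESCRIBE_OUTPUT = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0aaa000000000001", "State": "available",
     "Options": {"StaticRoutesOnly": False,
                 "TunnelOptions": [_tunnel_options(["ikev2"], ["AES256-GCM-16"], ["SHA2-256"], [14, 20])]},
     "VgwTelemetry": [_telemetry("203.0.113.10", "UP", 12), _telemetry("203.0.113.11", "UP", 12)]},
    {"VpnConnectionId": "vpn-0bbb000000000002", "State": "available",
     "Options": {"StaticRoutesOnly": False,
                 "TunnelOptions": [_tunnel_options(["ikev1", "ikev2"], ["AES128", "AES256"],
                                                   ["SHA1", "SHA2-256"], [2, 14])]},
     "VgwTelemetry": [_telemetry("203.0.113.20", "UP", 0),
                      _telemetry("203.0.113.21", "DOWN", 0, "IPSEC IS DOWN")]},
]}


def tunnel_health(conn):
    """Classify one connection: OK, WARNING (BGP issue), DEGRADED (one tunnel), CRITICAL (none)."""
    telemetry = conn.get("VgwTelemetry", [])
    up = [t for t in telemetry if t.get("Status") == "UP"]
    problems = [f"{t['OutsideIpAddress']}: {t.get('StatusMessage') or 'DOWN'}"
                for t in telemetry if t.get("Status") != "UP"]
    if not conn.get("Options", {}).get("StaticRoutesOnly", False):
        # IPsec is up but no routes were learned: the BGP session is the problem.
        problems += [f"{t['OutsideIpAddress']}: UP but 0 accepted BGP routes"
                     for t in up if t.get("AcceptedRouteCount", 0) == 0]
    if not up:
        state = "CRITICAL"
    elif len(up) < 2:
        state = "DEGRADED"  # no redundancy left; page when this persists
    elif problems:
        state = "WARNING"
    else:
        state = "OK"
    return {"state": state, "tunnels_up": len(up), "problems": problems}


def audit_tunnel_crypto(conn):
    """Report every parameter a tunnel is still allowed to negotiate outside the policy."""
    findings = []
    for i, opt in enumerate(conn.get("Options", {}).get("TunnelOptions", []), start=1):
        bad_ike = {v["Value"] for v in opt.get("IkeVersions", [])} - ALLOWED_IKE
        if bad_ike:
            findings.append(f"tunnel{i}: allows {sorted(bad_ike)}")
        for phase in ("Phase1", "Phase2"):
            enc = {v["Value"] for v in opt.get(f"{phase}EncryptionAlgorithms", [])} - ALLOWED_ENC
            integ = {v["Value"] for v in opt.get(f"{phase}IntegrityAlgorithms", [])} - ALLOWED_INTEGRITY
            weak_dh = [v["Value"] for v in opt.get(f"{phase}DHGroupNumbers", []) if v["Value"] < MIN_DH_GROUP]
            if enc:
                findings.append(f"tunnel{i} {phase}: allows encryption {sorted(enc)}")
            if integ:
                findings.append(f"tunnel{i} {phase}: allows integrity {sorted(integ)}")
            if weak_dh:
                findings.append(f"tunnel{i} {phase}: allows DH groups {sorted(weak_dh)}")
    return findings


def assess(payload):
    """Run both checks over a describe-vpn-connections payload, keyed by connection ID."""
    return {c["VpnConnectionId"]: {"health": tunnel_health(c), "crypto_findings": audit_tunnel_crypto(c)}
            for c in payload.get("VpnConnections", [])}


if __name__ == "__main__":
    for vpn_id, result in assess(SAMPLE_DESCRIBE_OUTPUT).items():
        print(vpn_id, result["health"]["state"], result["health"]["problems"])
        for finding in result["crypto_findings"]:
            print("  ", finding)
```

Feed the real CLI output through `json.load` into `assess()` to use it against a live account. In the sample, the second connection is DEGRADED (one tunnel down, and the surviving tunnel is up without any accepted routes) and its options still permit IKEv1, AES-128, SHA-1 and DH group 2; the first connection passes both checks.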
Cost Optimization
- Right-size connections based on measured traffic; start with VPN and move to a dedicated circuit once sustained throughput justifies it
- Use VPN for low-bandwidth or latency-tolerant workloads
- Consolidate traffic through fewer connections (a Transit Gateway or Virtual WAN hub shared by many VPCs/VNets instead of a VPN per VPC)
- Minimize data transfer costs; egress over Direct Connect is billed at a lower rate than internet egress, which can offset the port cost at volume
- Use Direct Connect/ExpressRoute for sustained high bandwidth
- Implement caching or keep data close to where it is consumed to reduce cross-boundary traffic
Reference Files
- references/vpn-setup.md - VPN configuration guide
- references/direct-connect.md - Direct Connect setup
Related Skills
- multi-cloud-architecture - For architecture decisions
- terraform-module-library - For IaC implementation