In Windows Server 2016, one of the concerns customers raised was that the SDN gateway could not meet the throughput requirements of modern networks. Network throughput over IPsec and GRE tunnels was limited: a single IPsec connection achieved roughly 300 Mbps, and a GRE connection roughly 2.5 Gbps.
Beginning with Windows Server 2019, SDN gateway performance has been improved significantly: IPsec and GRE connection throughput has risen to 1.8 Gbps and 15 Gbps respectively. At the same time, the number of CPU cycles spent per byte is much lower, so the gateway delivers very high throughput at a much lower CPU utilization.
Getting high performance from the gateway
For GRE connections, once you deploy or upgrade to Windows Server 2019 builds on the gateway VMs, you should automatically see the improved performance. No manual steps are required.
For IPsec connections, by default, when you create the connection for your virtual networks, you get the Windows Server 2016 data path and performance numbers. To enable the Windows Server 2019 data path, do the following:
- On an SDN gateway VM, open the Services console (services.msc).
- Find the service named "Azure Gateway Service" and set its startup type to Automatic.
- Restart the gateway VM. Active connections on this gateway fail over to a redundant gateway VM.
- Repeat these steps on the remaining gateway VMs.
To run high-performance IPsec connections, the following requirements must be met:
- Network Address Translation Traversal (NAT-T) must be enabled on the on-premises gateway. When a high-performance IPsec connection is enabled, the SDN gateway configures NAT rules, so NAT-T must also be enabled on the on-premises gateway.
- The on-premises gateway must allow User Datagram Protocol (UDP) packets on ports 500 and 4500, as well as IP protocols 50 and 51.
Tip
For the best performance results, ensure that the CipherTransformationConstant and AuthenticationTransformationConstant in the QuickMode settings of the IPsec connection use the GCMAES256 cipher suite.
For best performance, the gateway host hardware must support the AES-NI and PCLMULQDQ CPU instruction sets. These instruction sets are available on all Intel CPUs from Westmere (32nm) onward, except for models on which AES-NI has been disabled. Check your hardware vendor's documentation to determine whether the CPU supports the AES-NI and PCLMULQDQ instruction sets.
Here is a REST example of an IPsec connection with the best security algorithms:
```powershell
# NOTE: The virtual gateway must be created before creating the IPsec connection. More details here.
# Create a new object for the tenant network IPsec connection
$nwConnectionProperties = New-Object Microsoft.Windows.NetworkController.NetworkConnectionProperties
# Update the common object properties
$nwConnectionProperties.ConnectionType = "IPSec"
$nwConnectionProperties.OutboundKiloBitsPerSecond = 2000000
$nwConnectionProperties.InboundKiloBitsPerSecond = 2000000
# Update the properties specific to the connection type
$nwConnectionProperties.IpSecConfiguration = New-Object Microsoft.Windows.NetworkController.IpSecConfiguration
$nwConnectionProperties.IpSecConfiguration.AuthenticationMethod = "PSK"
$nwConnectionProperties.IpSecConfiguration.SharedSecret = "111_aaa"
# Quick mode (IPsec SA): GCMAES256 for both cipher and authentication, PFS enabled
$nwConnectionProperties.IpSecConfiguration.QuickMode = New-Object Microsoft.Windows.NetworkController.QuickMode
$nwConnectionProperties.IpSecConfiguration.QuickMode.PerfectForwardSecrecy = "PFS2048"
$nwConnectionProperties.IpSecConfiguration.QuickMode.AuthenticationTransformationConstant = "GCMAES256"
$nwConnectionProperties.IpSecConfiguration.QuickMode.CipherTransformationConstant = "GCMAES256"
$nwConnectionProperties.IpSecConfiguration.QuickMode.SALifeTimeSeconds = 3600
$nwConnectionProperties.IpSecConfiguration.QuickMode.IdleDisconnectSeconds = 500
$nwConnectionProperties.IpSecConfiguration.QuickMode.SALifeTimeKiloBytes = 2000
# Main mode (IKE SA)
$nwConnectionProperties.IpSecConfiguration.MainMode = New-Object Microsoft.Windows.NetworkController.MainMode
$nwConnectionProperties.IpSecConfiguration.MainMode.DiffieHellmanGroup = "Group2"
$nwConnectionProperties.IpSecConfiguration.MainMode.IntegrityAlgorithm = "SHA256"
$nwConnectionProperties.IpSecConfiguration.MainMode.EncryptionAlgorithm = "AES256"
$nwConnectionProperties.IpSecConfiguration.MainMode.SALifeTimeSeconds = 28800
$nwConnectionProperties.IpSecConfiguration.MainMode.SALifeTimeKiloBytes = 2000
# L3-specific configuration (leave blank for IPsec)
$nwConnectionProperties.IPAddresses = @()
$nwConnectionProperties.PeerIPAddresses = @()
# Update the IPv4 routes that are reachable over the site-to-site VPN tunnel
$nwConnectionProperties.Routes = @()
$ipv4Route = New-Object Microsoft.Windows.NetworkController.RouteInfo
$ipv4Route.DestinationPrefix = "<<On premise subnet that must be reachable over the VPN tunnel. Ex: 10.0.0.0/24>>"
$ipv4Route.Metric = 10
$nwConnectionProperties.Routes += $ipv4Route
# Tunnel destination (remote endpoint) address
$nwConnectionProperties.DestinationIPAddress = "<<Public IP address of the On-Premise VPN gateway. Ex: 192.168.3.4>>"
# Add the new network connection for the tenant.
# Note that the virtual gateway must be created before creating the IPsec connection.
# $uri is the REST URI of your deployment and must be in the form "https://<REST URI>".
New-NetworkControllerVirtualGatewayNetworkConnection -ConnectionUri $uri -VirtualGatewayId $virtualGW.ResourceId -ResourceId "Contoso_IPSecGW" -Properties $nwConnectionProperties -Force
```
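The tip above recommends GCMAES256 for both quick-mode transforms, and connections created with the defaults will not have it. The following audit script is an added example, not part of the original article or the Network Controller module: it enumerates the IPsec connections of a virtual gateway and reports those whose QuickMode settings deviate from that recommendation. It assumes the NetworkController PowerShell module is available and that `$uri` and `$virtualGW` are defined as in the snippet above; the function name `Test-SdnIpsecCipherSuite` is hypothetical.

```powershell
# Added example (hypothetical helper, not from the article): audit a virtual
# gateway's IPsec connections for the GCMAES256 quick-mode transforms.
function Test-SdnIpsecCipherSuite {
    param(
        [Parameter(Mandatory)] [string] $ConnectionUri,
        [Parameter(Mandatory)] [string] $VirtualGatewayId
    )

    # Read back every network connection attached to this virtual gateway.
    $connections = Get-NetworkControllerVirtualGatewayNetworkConnection `
        -ConnectionUri $ConnectionUri -VirtualGatewayId $VirtualGatewayId

    foreach ($conn in $connections) {
        # GRE and L3 connections have no IPsec quick-mode settings to check.
        if ($conn.Properties.ConnectionType -ne "IPSec") { continue }

        $qm = $conn.Properties.IpSecConfiguration.QuickMode
        $findings = @()

        if ($qm.CipherTransformationConstant -ne "GCMAES256") {
            $findings += "CipherTransformationConstant is '$($qm.CipherTransformationConstant)' (expected GCMAES256)"
        }
        if ($qm.AuthenticationTransformationConstant -ne "GCMAES256") {
            $findings += "AuthenticationTransformationConstant is '$($qm.AuthenticationTransformationConstant)' (expected GCMAES256)"
        }
        if ([string]::IsNullOrEmpty($qm.PerfectForwardSecrecy) -or $qm.PerfectForwardSecrecy -eq "None") {
            $findings += "PerfectForwardSecrecy is not enabled"
        }

        # One row per IPsec connection; Compliant is $true only when no finding was raised.
        [pscustomobject]@{
            ResourceId = $conn.ResourceId
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join "; ")
        }
    }
}

Test-SdnIpsecCipherSuite -ConnectionUri $uri -VirtualGatewayId $virtualGW.ResourceId |
    Format-Table -AutoSize
```

Run it after changing a connection's QuickMode settings to confirm the Network Controller reports the values you intended; a non-compliant row means the connection will negotiate a slower, non-GCM suite.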
Testing Results
We have performed extensive performance testing of the SDN gateway in a test lab. In these tests, we compared gateway network performance with Windows Server 2019 in SDN scenarios against non-SDN scenarios. You can find the results and test setup details captured in the blog article here.