使用 Azure 虚拟 WAN 和安全中心与中国互连Interconnect with China using Azure Virtual WAN and Secure Hub

在常见的汽车、制造、物流行业或其他机构(例如大使馆)中,经常提出的一个问题是如何改进与中国的互连。When looking at common automotive, manufacturing, logistics industries or other institutes like embassies, there is often the question about how to improve interconnection with China. 这些改进措施主要与使用云服务(例如 Office 365、Azure 全球服务)或将中国境内的分支与客户主干网互连相关。Those improvements are mostly relevant for using Cloud Services like Office 365, Azure Global Services, or interconnect branches inside of China with a customer backbone.

在大多数情况下,连接到中国境外(例如欧洲或美国)的客户都要与高延迟、低带宽、不稳定连接以及高费用等问题做斗争。In most of the cases, customers are struggling with high latencies, low bandwidth, unstable connection, and high costs connecting to outside of China (for example, Europe or the United States).

进行这些斗争的原因在于“中国防火长城(中国国家防火墙)”,它会保护 Internet 上的中国网段部分,并筛选发往中国的流量。A reason for these struggles is the "Great Firewall of China", which protects the Chinese part of the Internet and filters traffic to China. 从中国大陆发往中国境外(香港和澳门等特别行政区除外)的几乎所有流量都要流经防火长城。Nearly all traffic running from China Mainland to outside of China, except the special administration zones like Hong Kong and Macau, passes the Great Firewall. 流经香港和澳门的流量不会由防火长城全力进行控制,而是由防火长城的一部分进行处理。The traffic running through Hong Kong and Macau does not hit the Great Firewall in full force, it is handled by a subset of the Great Firewall.

提供商互连

使用虚拟 WAN,客户可与 Azure 云服务建立性能更高且更稳定的连接,并可连接到其企业网络,同时不会违反中国网络安全法。Using Virtual WAN, a customer can establish a more performant and stable connection to Azure Cloud Services and a connection to their enterprise network without breaking the Chinese cybersecurity law.

要求和工作流Requirements and workflow

若要持续遵守中国网络安全法,需要满足一组特定的条件。If you want to stay compliant to the Chinese cybersecurity law, you need to meet a set of certain conditions.

首先,需要与拥有中国 ICP(Internet 内容提供商)执照的网络提供商和 ISP 合作。First, you need to work together with a network and ISP who owns an ICP (Internet Content Provider) license for China. 在大多数情况下,你最终会与以下提供商之一合作:In most cases, you'll end up with one of the following providers:

  • 中国电信国际有限公司China Telecom Global Ltd.
  • 中国移动有限公司China Mobile Ltd.
  • 中国联通有限公司China Unicom Ltd.
  • PCCW Global Ltd.(香港电讯盈科环球有限公司)PCCW Global Ltd.
  • 香港电信有限公司Hong Kong Telecom Ltd.

目前需要购买以下网络连接服务之一才能与中国境内的分支建立互连,具体取决于提供商和你的需求。Depending on the provider and your needs, you now need to purchase one of the following network connectivity services to interconnect your branches within China.

  • MPLS/IPVPN 网络A MPLS/IPVPN Network
  • 软件定义的 WAN (SDWAN)A Software Defined WAN (SDWAN)
  • 专用 Internet 访问Dedicated Internet Access

接下来,需要同意该提供商在 Azure 全球网络及其位于香港(而不是北京或上海)的边缘网络中提供一个接入点。Next, you need to agree with that provider to give a breakout to the Azure Global Network and its Edge Network in Hong Kong, not in Beijing or Shanghai. 在这种情况下,香港由于其自身的物理连接优势及其在中国的位置而显得非常重要。In this case, Hong Kong is very important because of its physical connection and location to China.

大多数客户觉得新加坡在地图上与中国较为靠近,因此最适合在新加坡建立互连,但事实上并非如此。While most customers think using Singapore for interconnect is the best case because it looks nearer to China when looking on the map, this is not true. 观察网络光纤地图时可以发现,与中国的几乎所有网络连接都是通过北京、上海和香港建立的。When you follow network fiber maps, nearly all network connects go through Beijing, Shanghai, and Hong Kong. 因此,香港是更适合与中国建立互连的位置。This makes Hong Kong a better location choice to interconnect to China.

根据具体的提供商,你可能会获得不同的服务产品。Depending on the provider, you may get different service offerings. 下表根据编写本文时能获得的信息,列出了提供商及其提供的服务的示例。The table below shows an example of providers and the service they offer, based on information at the time this article was written.

服务Service 提供商示例Provider examples
MPLS/IPVPN 网络MPLS/IPVPN Network PCCW、中国电信国际有限公司PCCW, China Telecom Global
SDWANSDWAN PCCW、中国电信国际有限公司PCCW, China Telecom Global
专用 Internet 访问Dedicated Internet Access PCCW、香港电信、中国移动PCCW, Hong Kong Telecom, China Mobil

可以与提供商议定要使用以下两种解决方案中的哪一种来接入 Azure 全球主干网:With your provider, you can agree on which of the following two solutions to use to reach the Azure global backbone:

  • 获取在香港终止流量的 Azure ExpressRoute。Getting an Azure ExpressRoute terminated in Hong Kong. 使用 MPLS/IPVPN 时需要采用这种解决方案。That would be the case for the use of MPLS/IPVPN. 目前,能够通过 ExpressRoute 连接到香港且持有 ICP 执照的唯一一家提供商是中国电信国际有限公司。Currently, only the only ICP license provider with ExpressRoute to Hong Kong is China Telecom Global. 但是,提供商还可以通过 Megaport 或 InterCloud 等云交换提供商来与其他提供商通信。However, they can also talk to the other providers if they leverage Cloud Exchange Providers like Megaport or InterCloud. 有关详细信息,请参阅 ExpressRoute 连接提供商For more information, see ExpressRoute connectivity providers.

  • 在以下 Internet 交换点之一或通过专用网络互连直接使用专用 Internet 访问。Using a Dedicated Internet Access directly at one of the following Internet Exchange Points, or using a private network interconnect.

以下列表显示了香港提供的 Internet 交换点:The following list shows Internet Exchanges possible in Hong Kong:

  • AMS-IX 香港AMS-IX Hong Kong
  • BBIXBBIX Hong Kong
  • Equinix 香港Equinix Hong Kong
  • HKIXHKIX

使用此连接方式时,Azure 服务的下一 BGP 跃点必须是 Azure 自治系统编号 (AS#) 8075。When using this connect, your next BGP hop for Azure Services must be Azure Autonomous System Number (AS#) 8075. 如果使用单一位置或 SDWAN 解决方案,则应选择使用此连接方式。If you use a single location or SDWAN solution, that would be the choice of connection.

无论采用哪种方式,我们仍建议在中国大陆建立另一个常规 Internet 接入点。Either way, we still recommend that you have a second and regular Internet Breakout into the Chinese Mainland. 其目的是将发往云服务(例如 Microsoft 365 和 Azure)的企业流量与法律管制的 Internet 流量分开。This is to split the traffic between enterprise traffic to cloud services like Microsoft 365 and Azure, and by-law regulated Internet traffic.

中国境内合规的网络体系结构如以下示例所示:A compliant network architecture within China could look like the following example:

多个分支

在此示例中,与位于香港的 Azure 全球网络建立互连后,可以开始利用 Azure 虚拟 WAN 全球传输体系结构和其他服务(例如 Azure 安全虚拟 WAN 中心)来使用服务,并互连到中国境外的分支和数据中心。In this example, having an interconnect with the Azure Global Network in Hong Kong, you can now start to leverage the Azure Virtual WAN Global Transit Architecture and additional services, like Azure secure Virtual WAN hub, in order to consume services and interconnect to your branches and datacenter outside China.

中心到中心通信Hub-to-hub communication

在本部分中,我们将使用虚拟 WAN 中心到中心通信进行互连。In this section, we use Virtual WAN hub-to-hub communication to interconnect. 在此方案中,你将创建一个新的虚拟 WAN 中心资源,以连接到位于香港、你首选的其他区域、已包含你的 Azure 资源的区域或你要连接到的位置的 WAN 中心。In this scenario, you create a new Virtual WAN hub resource to connect to a Virtual WAN hub in Hong Kong, other regions you prefer, a region where you already have Azure resources, or where want to connect.

示例体系结构如以下示例所示:A sample architecture could look like following example:

示例 WAN

在此示例中,中国的各个分支使用 VPN 或 MPLS 连接来连接到 Azure 中国云并彼此连接。In this example, the China branches connect to Azure Cloud China and each other by using VPN or MPLS connections. 需要连接到全球服务的分支使用已直接连接到香港的 MPLS 或基于 Internet 的服务。Branches that need to be connected to Global Services use MPLS or Internet-based services that are connected directly to Hong Kong.

ExpressRoute Global Reach 在某些区域不可用。ExpressRoute Global Reach is not available in some regions. 例如,如果需要与巴西或印度互连,需要利用云交换提供商来提供路由服务。If you need to interconnect with Brazil or India, for example, you need to leverage Cloud Exchange Providers to provide the routing services.

下图显示了此方案的上述两种示例连接。The figure below shows both examples for this scenario.

Global Reach

适用于 Office 365 的安全 Internet 接入点Secure Internet breakout for Office 365

另一个注意事项是网络安全性,以及中国和虚拟 WAN 建立的主干组件与客户主干网之间的入口点的日志记录。Another consideration is network security as well as logging for the entry point between China and the Virtual WAN established backbone component, and the customer backbone. 在大多数情况下,需要通过接入点连接到香港的 Internet 才能直接访问 Microsoft 边缘网络,为此,Microsoft 365 服务会使用 Azure Front Door 服务器。In most cases, there is a need to breakout to the Internet in Hong Kong to directly reach the Microsoft Edge Network and, with that, the Azure Front Door Servers used for Microsoft 365 Services.

下图演示了此方案的示例:The following figure shows an example of this scenario:

适用于 Web 和 Azure 服务流量的 Internet 接入点

体系结构和流量流Architecture and traffic flows

整体体系结构可能略有不同,具体取决于你选择如何与香港建立连接。Depending on your choice regarding the connection to Hong Kong, the overall architecture may change slightly. 本部分介绍了在将 VPN 或 SDWAN 和/或 ExpressRoute 进行不同组合的情况下的三种可用体系结构。This section shows three available architectures in different combination with VPN or SDWAN and/or ExpressRoute.

所有这些选项都利用由 Azure 虚拟 WAN 保护的中心在香港建立直接 M365 连接。All of these options make use of Azure Virtual WAN secured hub for direct M365 connectivity in Hong Kong. 这些体系结构还支持 Office 365 多地域的合规要求,并使该流量靠近下一个 Office 365 Front Door 位置。These architectures also support the compliance requirements for Office 365 Multi-Geo and keep that traffic near the next Office 365 Front Door location. 因此,它也会改善中国境外的 Microsoft 365 使用情况。As a result, it's also an improvement for the usage of Microsoft 365 out of China.

选项 1:SDWAN 或 VPNOption 1: SDWAN or VPN

本部分讨论了使用 SDWAN 或 VPN 连接到香港和其他分支的设计。This section discusses a design that uses SDWAN or VPN to Hong Kong and to other branches. 此选项展示了在虚拟 WAN 主干网的两个站点上使用纯 Internet 连接时的用法和流量流。This option shows the use and traffic flow when using pure Internet connection on both sites of the Virtual WAN backbone. 在这种情况下,将使用“专用 Internet 访问”或 ICP 提供商 SDWAN 解决方案连接到香港。In this case, the connection is brought to Hong Kong using dedicated Internet access, or an ICP provider SDWAN solution. 其他分支也使用纯 Internet 或 SDWAN 解决方案。Other branches are using pure Internet or SDWAN Solutions as well.

中国大陆到香港的流量

在此体系结构中,每个站点都使用 VPN 和 Azure 虚拟 WAN 连接到 Azure 全球网络。In this architecture, every site is connected to the Azure Global Network by using VPN and Azure Virtual WAN. 站点与香港之间的流量通过 Azure 网络传输,只在最后一英里范围内才使用常规的 Internet 连接。The traffic between the sites and Hong Kong is transmitted trough the Azure Network and only uses regular Internet connection on the last mile.

选项 2:ExpressRoute 和 SDWAN 或 VPNOption 2: ExpressRoute and SDWAN or VPN

本部分讨论了在香港使用 ExpressRoute 并对其他分支使用 VPN/SDWAN 的设计。This section discusses a design that uses ExpressRoute in Hong Kong and other Branches with VPN/SDWAN Branches. 此选项展示了如何使用在香港终止流量的 ExpressRoute 以及通过 SDWAN 或 VPN 连接的其他分支。This option shows the use of and ExpressRoute terminated in Hong Kong and other branches connected via SDWAN or VPN. 香港的 ExpressRoute 目前仅可供少量提供商使用,可以在 Express Route 合作伙伴列表中找到这些提供商。ExpressRoute in Hong Kong is currently limited to a short list of Providers, which you can find in the list of Express Route Partners.

中国大陆到香港的流量 - ExpressRoute

也可以选择(例如,在韩国或日本)使用 ExpressRoute 终止来自中国大陆的流量。There are also options to terminate ExpressRoute from China, for example, in South Korea or Japan. 但出于合规性、管制和延迟方面的原因,香港目前是最佳选择。But, given compliance, regulation, and latency, Hong Kong is currently the best choice.

选项 3:仅使用 ExpressRouteOption 3: ExpressRoute only

本部分讨论了在香港和其他分支中使用 ExpressRoute 的设计。This section discusses a design that where ExpressRoute is used for Hong Kong and other Branches. 此选项展示了在两端都使用 ExpressRoute 的互连。This option shows the interconnect using ExpressRoute on both ends. 此处的流量流与其他选项不同。Here you have a different traffic flow than the other. Microsoft 365 流量将流向由 Azure 虚拟 WAN 保护的中心,然后从该中心流向 Microsoft 边缘网络和 Internet。The Microsoft 365 traffic will flow to the Azure virtual WAN secured hub and from there to the Microsoft Edge Network and the Internet.

发往互连分支或者从互连分支发往中国境内位置的流量在该体系结构中遵循不同的方法。The traffic that goes to the interconnected branches or from them to the locations in China will follow a different approach within that architecture. 目前,虚拟 WAN 不支持 ExpressRoute 到 ExpressRoute 的传输。Currently virtual WAN does not support ExpressRoute to ExpressRoute transit. 该流量将利用 ExpressRoute Global Reach 或第三方互连,而不会通过 WAN 中心。The traffic will leverage ExpressRoute Global Reach or the 3rd Party interconnect without passing the virtual WAN Hub. 它直接从一个 Microsoft Enterprise Edge (MSEE) 流向另一个 MSEE。It will directly flow from one Microsoft Enterprise Edge (MSEE) to another.

ExpressRoute Global Reach

目前,ExpressRoute Global Reach 并非在每个国家/地区都可用,但你可以使用 Azure 虚拟 WAN 来配置解决方案。Currently ExpressRoute Global Reach is not available in every country, but you can configure a solution using Azure Virtual WAN.

例如,可以使用 Azure 对等互连配置 ExpressRoute,并通过该对等互连将 VPN 隧道连接到 Azure 虚拟 WAN。You can, for example, configure an ExpressRoute with Azure Peering and connect a VPN tunnel through that peering to Azure Virtual WAN. 现在,你已再次实现了 VPN 与 ExpressRoute 之间的传输,且未使用 Global Reach 以及第三方提供商和服务(例如 Megaport Cloud)。Now you have enabled, again, the transit between VPN and ExpressRoute without Global Reach and 3rd party provider and service, such as Megaport Cloud.

后续步骤Next steps

有关详细信息,请参阅以下文章:See the following articles for more information: