Migrate to Azure Virtual WAN

Azure Virtual WAN lets companies simplify their global connectivity in order to benefit from the scale of the Azure global network. This article provides technical details for companies that want to migrate from an existing customer-managed hub-and-spoke topology to a design that leverages Azure-managed Virtual WAN hubs.

For information about the benefits that Azure Virtual WAN enables for enterprises adopting a cloud-centric modern enterprise global network, see Global transit network architecture and Virtual WAN.

Figure: Azure Virtual WAN

The Azure hub-and-spoke connectivity model has been adopted by thousands of our customers to leverage the default transitive routing behavior of Azure networking in order to build simple and scalable cloud networks. Azure Virtual WAN builds on these concepts and introduces new capabilities that allow global connectivity topologies, not only between on-premises locations and Azure, but also allowing customers to leverage the scale of the Azure network to augment their existing global networks.

This article shows how to migrate an existing customer-managed hub-and-spoke environment to a topology that is based on Azure Virtual WAN.

Scenario

Contoso is a global financial organization with offices in both Europe and Asia. They are planning to move their existing applications from an on-premises data center into Azure and have built out a foundation design based on the customer-managed hub-and-spoke architecture, including regional hub virtual networks for hybrid connectivity. As part of the move to cloud-based technologies, the network team has been tasked with ensuring that their connectivity is optimized for the business moving forward.

The following figure shows a high-level view of the existing global network, including connectivity to multiple Azure regions.

Figure: Contoso existing network topology

The following points can be understood from the existing network topology:

  • A hub-and-spoke topology is used in multiple regions, including ExpressRoute circuits for connectivity back to a common private Wide Area Network (WAN).

  • Some of these sites also have VPN tunnels directly into Azure to reach applications hosted within the cloud.

Requirements

The networking team has been tasked with delivering a global network model that can support the Contoso migration to the cloud and must optimize in the areas of cost, scale, and performance. In summary, the following requirements are to be met:

  • Provide both headquarters (HQ) and branch offices with an optimized path to cloud-hosted applications.
  • Remove the reliance on existing on-premises data centers (DC) for VPN termination while retaining the following connectivity paths:
    • Branch-to-VNet: VPN-connected offices must be able to access applications migrated to the cloud in the local Azure region.
    • Branch-to-Hub-Hub-to-VNet: VPN-connected offices must be able to access applications migrated to the cloud in the remote Azure region.
    • Branch-to-branch: Regional VPN-connected offices must be able to communicate with each other and with ExpressRoute-connected HQ/DC sites.
    • Branch-to-Hub-Hub-to-branch: Globally separated VPN-connected offices must be able to communicate with each other and with any ExpressRoute-connected HQ/DC sites.
    • Branch-to-Internet: Connected sites must be able to communicate with the Internet. This traffic must be filtered and logged.
    • VNet-to-VNet: Spoke virtual networks in the same region must be able to communicate with each other.
    • VNet-to-Hub-Hub-to-VNet: Spoke virtual networks in different regions must be able to communicate with each other.
  • Provide the ability for Contoso roaming users (laptop and phone) to access company resources while not on the corporate network.

Azure Virtual WAN architecture

The following figure shows a high-level view of the updated target topology using Azure Virtual WAN to meet the requirements detailed in the previous section.

Figure: Azure Virtual WAN architecture

Summary:

  • HQ in Europe remains ExpressRoute connected; the Europe on-premises DC is fully migrated to Azure and now decommissioned.
  • The Asia DC and HQ remain connected to the Private WAN. Azure Virtual WAN is now used to augment the local carrier network and provide global connectivity.
  • Azure Virtual WAN hubs are deployed in both the China East 2 and South China East 2 Azure regions to provide a connectivity hub for ExpressRoute and VPN connected devices.
  • Hubs also provide VPN termination for roaming users across multiple client types using OpenVPN connectivity to the global mesh network, allowing access not only to applications migrated to Azure, but also to any resources remaining on-premises.
  • Internet connectivity for resources within a virtual network is provided by Azure Virtual WAN.

Internet connectivity for remote sites is also provided by Azure Virtual WAN. Local internet breakout is supported via partner integration for optimized access to SaaS services such as Office 365.

Migrate to Virtual WAN

This section shows the various steps for migrating to Azure Virtual WAN.

Step 1: Single region customer-managed hub-and-spoke

The following figure shows a single-region topology for Contoso prior to the rollout of Azure Virtual WAN:

Figure 1: Single region manual hub-and-spoke

In keeping with the hub-and-spoke approach, the customer-managed hub virtual network contains several function blocks:

  • Shared services (any common function required by multiple spokes). Example: Contoso uses Windows Server domain controllers on Infrastructure-as-a-Service (IaaS) virtual machines.
  • IP/routing firewall services are provided by a third-party network virtual appliance, enabling spoke-to-spoke layer-3 IP routing.
  • Internet ingress/egress services, including Azure Application Gateway for inbound HTTPS requests and third-party proxy services running on virtual machines for filtered outbound access to internet resources.
  • ExpressRoute and VPN virtual network gateways for connectivity to on-premises networks.

Step 2: Deploy Virtual WAN hubs

Deploy a Virtual WAN hub in each region. Set up the Virtual WAN hub with VPN and ExpressRoute functionality as described in the following articles:

Note

Azure Virtual WAN must be using the Standard SKU to enable some of the traffic paths shown in this article.

Figure 2: Customer-managed hub-and-spoke to Virtual WAN migration

Step 3: Connect remote sites (ExpressRoute and VPN) to Virtual WAN

Connect the Virtual WAN hub to the existing ExpressRoute circuits and set up site-to-site VPNs over the Internet to any remote branches.

Figure 3: Customer-managed hub-and-spoke to Virtual WAN migration

At this point, on-premises network equipment will begin to receive routes reflecting the IP address space assigned to the Virtual WAN-managed hub VNet. Remote VPN-connected branches at this stage will see two paths to any existing applications in the spoke virtual networks. These devices should be configured to continue to use the tunnel to the customer-managed hub to ensure symmetrical routing during the transition phase.
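As an added example that is not part of the article or of any Microsoft tooling, the following Azure CLI script carries out Steps 2 and 3 for one region: it creates a Standard Virtual WAN (the SKU the note under Step 2 requires), a hub with both a VPN gateway and an ExpressRoute gateway, links the hub to the existing circuit's private peering, and registers one branch as a BGP-enabled site-to-site VPN. Resource names, the hub prefix, the branch addresses and the ExpressRoute peering ID are constructed placeholders, and the subcommands and flags are quoted from memory of the `virtual-wan` CLI extension, so verify them against `az network vhub create --help` and the related `--help` pages before running. With DRY_RUN=1 (the default) the script only prints the commands it would run, and the pre-shared key is redacted in that output so it never ends up in a change ticket or terminal log.

```shell
#!/bin/sh
# Added example (not from the article): Azure CLI sequence for Steps 2 and 3.
# DRY_RUN=1 prints each command instead of executing it; set DRY_RUN=0 to apply.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-contoso-net-rg}"                 # constructed placeholder names
LOCATION="${LOCATION:-chinaeast2}"
VWAN="${VWAN:-contoso-vwan}"
HUB="${HUB:-hub-chinaeast2}"
HUB_PREFIX="${HUB_PREFIX:-10.100.0.0/24}"  # must not overlap any spoke or branch range
ER_PEERING_ID="${ER_PEERING_ID:-/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/expressRouteCircuits/<circuit>/peerings/AzurePrivatePeering}"

# Print-or-execute wrapper. In dry-run mode the argument that follows
# --shared-key is replaced by <redacted> so the IPsec PSK is never echoed.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    out=""; mask=0
    for a in "$@"; do
      if [ "$mask" = 1 ]; then a='<redacted>'; mask=0; fi
      [ "$a" = "--shared-key" ] && mask=1
      out="$out $a"
    done
    printf '%s\n' "${out# }"
  else
    "$@"
  fi
}

# Step 2: Standard Virtual WAN plus one hub carrying both gateway types.
deploy_hub() {
  run az network vwan create -g "$RG" -n "$VWAN" -l "$LOCATION" \
      --type Standard --branch-to-branch-traffic true
  run az network vhub create -g "$RG" -n "$HUB" -l "$LOCATION" \
      --vwan "$VWAN" --address-prefix "$HUB_PREFIX" --sku Standard
  run az network vpn-gateway create -g "$RG" -n "$HUB-vpngw" -l "$LOCATION" \
      --vhub "$HUB" --scale-unit 2
  run az network express-route gateway create -g "$RG" -n "$HUB-ergw" \
      -l "$LOCATION" --virtual-hub "$HUB"
}

# Step 3a: attach the hub's ExpressRoute gateway to the private peering of
# the circuit the customer-managed hub already uses.
connect_expressroute() {
  run az network express-route gateway connection create -g "$RG" \
      -n "$HUB-er-conn" --gateway-name "$HUB-ergw" --peering "$ER_PEERING_ID"
}

# Step 3b: register a branch as a VPN site and build a BGP-enabled S2S tunnel.
# Args: site name, branch device public IP, branch prefix, branch ASN, BGP peer IP.
connect_branch() {
  site="$1"; ip="$2"; prefix="$3"; asn="$4"; bgp_ip="$5"
  if [ "$DRY_RUN" != "1" ]; then
    : "${VPN_PSK:?set VPN_PSK in the environment, not on the command line}"
  fi
  run az network vpn-site create -g "$RG" -n "$site" -l "$LOCATION" \
      --virtual-wan "$VWAN" --ip-address "$ip" --address-prefixes "$prefix" \
      --asn "$asn" --bgp-peering-address "$bgp_ip"
  run az network vpn-gateway connection create -g "$RG" -n "$site-conn" \
      --gateway-name "$HUB-vpngw" --remote-vpn-site "$site" \
      --enable-bgp true --shared-key "${VPN_PSK:-unset}"
}

main() {
  deploy_hub
  connect_expressroute
  # Constructed branch values: documentation address (RFC 5737) and private ranges.
  connect_branch branch-asia-01 203.0.113.10 10.200.0.0/16 65010 10.200.0.1
}
main
```

Keep the branch devices pointed at the old tunnel, as the paragraph above says, until the test spoke in Step 4 confirms the new paths; the script only builds the Virtual WAN side and does not touch on-premises routing.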

Step 4: Test hybrid connectivity via Virtual WAN

Prior to using the managed Virtual WAN hub for production connectivity, we recommend that you set up a test spoke virtual network and Virtual WAN VNet connection. Validate that connections to this test environment work via ExpressRoute and site-to-site VPN before continuing with the next steps.

Figure 4: Customer-managed hub-and-spoke to Virtual WAN migration

At this stage, it is important to recognize that both the original customer-managed hub virtual network and the new Virtual WAN hub are connected to the same ExpressRoute circuit. Because of this, there is a traffic path that can be used to enable spokes in both environments to communicate. For example, traffic from a spoke that is attached to the customer-managed hub virtual network will traverse the MSEE devices used for the ExpressRoute circuit to reach any spoke connected via a VNet connection to the new Virtual WAN hub. This allows a staged migration of spokes in Step 5.

Step 5: Transition connectivity to the Virtual WAN hub

Figure 5: Customer-managed hub-and-spoke to Virtual WAN migration

a. Delete the existing peering connections from the spoke virtual networks to the old customer-managed hub. Access to applications in the spoke virtual networks is unavailable until steps a-c are complete.

b. Connect the spoke virtual networks to the Virtual WAN hub via VNet connections.

c. Remove any user-defined routes (UDR) previously used within the spoke virtual networks for spoke-to-spoke communication. This path is now enabled by the dynamic routing available within the Virtual WAN hub.

d. The existing ExpressRoute and VPN gateways in the customer-managed hub are now decommissioned to permit the next step (e).

e. Connect the old customer-managed hub (hub virtual network) to the Virtual WAN hub via a new VNet connection.
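The following script is an added example, not part of the article, that performs steps a through e above in that order for each spoke, with one pre-flight check the earlier note calls for: it refuses to proceed unless the hub reports the Standard SKU. Resource, spoke, subnet and gateway names are constructed placeholders; the `az network vhub show` JSON used in dry-run mode is a constructed sample; and the flags are quoted from memory of the Azure CLI (including the `--remove routeTable` form of `az network vnet subnet update` used to detach a UDR), so confirm them with `--help` before use. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the article): Step 5 transition, spoke by spoke.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-contoso-net-rg}"                 # constructed placeholder names
HUB="${HUB:-hub-chinaeast2}"
OLD_HUB_VNET="${OLD_HUB_VNET:-old-hub-vnet}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Pre-flight: reads the hub's JSON (as returned by `az network vhub show -o json`)
# on stdin and succeeds only when the SKU is Standard, which the article's
# note says some of the required traffic paths depend on.
hub_is_standard() {
  grep -Eq '"sku"[[:space:]]*:[[:space:]]*"Standard"'
}

# Steps a-c for one spoke: drop the peering to the old hub, attach the spoke
# to the Virtual WAN hub, then detach the spoke-to-spoke UDR from each subnet.
# Args: spoke VNet name, name of its peering to the old hub, subnet names...
migrate_spoke() {
  spoke="$1"; peering="$2"; shift 2
  run az network vnet peering delete -g "$RG" --vnet-name "$spoke" -n "$peering"
  run az network vhub connection create -g "$RG" --vhub-name "$HUB" \
      -n "$spoke-conn" --remote-vnet "$spoke"
  for subnet in "$@"; do
    run az network vnet subnet update -g "$RG" --vnet-name "$spoke" \
        -n "$subnet" --remove routeTable
  done
}

# Steps d-e: remove the old hub's ExpressRoute and VPN gateways, which the
# article says must happen before the old hub can be attached as a spoke.
# Args: names of the old hub's virtual network gateways.
demote_old_hub() {
  for gw in "$@"; do
    run az network vnet-gateway delete -g "$RG" -n "$gw"
  done
  run az network vhub connection create -g "$RG" --vhub-name "$HUB" \
      -n "$OLD_HUB_VNET-conn" --remote-vnet "$OLD_HUB_VNET"
}

main() {
  if [ "$DRY_RUN" = 1 ]; then
    hub_json='{"name":"hub-chinaeast2","sku":"Standard"}'   # constructed sample
  else
    hub_json="$(az network vhub show -g "$RG" -n "$HUB" -o json)"
  fi
  printf '%s' "$hub_json" | hub_is_standard \
    || { echo "hub $HUB is not Standard SKU; aborting before step a" >&2; exit 1; }
  # Constructed spoke layout: each spoke lists its subnets that carry a UDR.
  migrate_spoke spoke-app1 peer-to-old-hub subnet-web subnet-db
  migrate_spoke spoke-app2 peer-to-old-hub subnet-app
  demote_old_hub old-hub-ergw old-hub-vpngw
}
main
```

Run one `migrate_spoke` call per maintenance window: the article states that access to a spoke's applications is unavailable between steps a and c, so the outage is bounded by a single spoke rather than the whole region.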

Step 6: Old hub becomes shared services spoke

We have now redesigned our Azure network to make the Virtual WAN hub the central point in our new topology.

Figure 6: Customer-managed hub-and-spoke to Virtual WAN migration

Because the Virtual WAN hub is a managed entity and does not allow deployment of custom resources such as virtual machines, the shared services block now exists as a spoke virtual network and hosts functions such as internet ingress via Azure Application Gateway or a network virtual appliance. Traffic between the shared services environment and backend virtual machines now transits the Virtual WAN-managed hub.

Step 7: Optimize on-premises connectivity to fully utilize Virtual WAN

At this stage, Contoso has mostly completed their migration of business applications into the Azure cloud, with only a few legacy applications remaining within the on-premises DC.

Figure 7: Customer-managed hub-and-spoke to Virtual WAN migration

To leverage the full functionality of Azure Virtual WAN, Contoso decides to decommission their legacy on-premises VPN connections. Any branches that continue to access HQ or DC networks are able to transit the Azure global network using the built-in transit routing of Azure Virtual WAN.

Note

ExpressRoute Global Reach is required for customers that want to leverage the Azure backbone to provide ExpressRoute-to-ExpressRoute transit (not shown in Figure 7).

End-state architecture and traffic paths

Figure: Dual region Virtual WAN

This section provides a summary of how this topology meets the original requirements by looking at some example traffic flows.

Path 1

Path 1 shows the traffic flow from an S2S VPN-connected branch in Asia to an Azure VNet in the China East 2 region.

The traffic is routed as follows:

  • The Asia branch is connected via resilient BGP-enabled S2S tunnels into the South China East 2 Virtual WAN hub.

  • The Asia Virtual WAN hub routes traffic locally to the connected VNet.

Figure: Traffic flow 1

Path 2

Path 2 shows the traffic flow from the ExpressRoute-connected European HQ to an Azure VNet in the China East 2 region.

The traffic is routed as follows:

  • The European HQ is connected via an ExpressRoute circuit into the China East 2 Virtual WAN hub.

  • Virtual WAN hub-to-hub global connectivity enables transit of traffic to the VNet connected in the remote region.

Figure: Traffic flow 2

Path 3

Path 3 shows the traffic flow from the Asia on-premises DC connected to the Private WAN to a European S2S-connected branch.

The traffic is routed as follows:

  • The Asia DC is connected to the local Private WAN carrier.

  • An ExpressRoute circuit that terminates locally in the Private WAN connects to the China East 2 Virtual WAN hub.

  • Virtual WAN hub-to-hub global connectivity enables transit of the traffic.

Figure: Traffic flow 3

Path 4

Path 4 shows the traffic flow from an Azure VNet in the China East 2 region to an Azure VNet in the China East region.

The traffic is routed as follows:

  • Virtual WAN hub-to-hub global connectivity enables native transit between all connected Azure VNets without further user configuration.

Figure: Traffic flow 4

Path 5

Path 5 shows the traffic flow from roaming VPN (P2S) users to an Azure VNet in the China East region.

The traffic is routed as follows:

  • Laptop and mobile device users use the OpenVPN client for transparent connectivity into the P2S VPN gateway in China East.

  • The China East Virtual WAN hub routes traffic locally to the connected VNet.

Figure: Traffic flow 5

Security and policy control via Azure Firewall

Contoso has now validated connectivity between all branches and VNets in line with the requirements discussed earlier in this article. To meet their requirements for security control and network isolation, they need to continue to separate and log traffic via the hub network. Previously this function was performed by a network virtual appliance (NVA). Contoso also wants to decommission their existing proxy services and utilize native Azure services for outbound Internet filtering.

Figure: Azure Firewall in Virtual WAN (secured virtual hub)

The following high-level steps are required to introduce Azure Firewall into the Virtual WAN hubs to enable a unified point of policy control.

  1. Create an Azure Firewall policy.
  2. Link the firewall policy to the Azure Virtual WAN hub. This step allows the existing Virtual WAN hub to function as a secured virtual hub, and deploys the required Azure Firewall resources.

Note

There are constraints relating to the use of secured virtual hubs, including inter-region traffic.
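As an added example, not from the article or from Microsoft, the script below carries out the two steps above with the Azure CLI and adds the two pieces a practitioner needs to satisfy the "filtered and logged" requirement stated earlier: an application rule collection that allow-lists outbound FQDNs (the Azure Firewall FQDN rules Paths 7 and 8 refer to), and a diagnostic setting that ships the firewall's application and network rule logs to a Log Analytics workspace. Resource names, the source range, the FQDN list and the workspace ID are constructed placeholders, and the subcommands and flags are quoted from memory of the `azure-firewall` CLI extension (in particular `--sku AZFW_Hub --vhub ... --count 1`), so check them against `az network firewall create --help` before use. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the article): secured virtual hub with Azure Firewall.
set -eu

DRY_RUN="${DRY_RUN:-1}"
RG="${RG:-contoso-net-rg}"                 # constructed placeholder names
LOCATION="${LOCATION:-chinaeast2}"
HUB="${HUB:-hub-chinaeast2}"
POLICY="${POLICY:-contoso-fw-policy}"
FW="${FW:-hub-chinaeast2-azfw}"
LAW_ID="${LAW_ID:-/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: the policy object that will hold the rule collections. Threat
# intelligence in Alert mode logs matches without blocking, a safe first setting
# while the old NVA rule base is being re-created here.
create_policy() {
  run az network firewall policy create -g "$RG" -n "$POLICY" -l "$LOCATION" \
      --threat-intel-mode Alert
}

# Outbound FQDN allow-list for spokes and branches (Paths 7 and 8). Traffic
# that matches no collection falls through to the policy's implicit deny.
add_fqdn_rules() {
  run az network firewall policy rule-collection-group create -g "$RG" \
      --policy-name "$POLICY" -n rcg-egress --priority 300
  run az network firewall policy rule-collection-group collection add-filter-collection \
      -g "$RG" --policy-name "$POLICY" --rcg-name rcg-egress \
      -n allow-saas --collection-priority 100 --action Allow \
      --rule-type ApplicationRule --rule-name allow-office365 \
      --source-addresses 10.0.0.0/8 --protocols Https=443 \
      --target-fqdns '*.office365.com' '*.office.com'
}

# Step 2: deploy Azure Firewall into the hub with the policy attached, which
# turns the existing hub into a secured virtual hub.
secure_hub() {
  run az network firewall create -g "$RG" -n "$FW" -l "$LOCATION" \
      --sku AZFW_Hub --vhub "$HUB" --firewall-policy "$POLICY" --count 1
}

# Requirement from the article: branch-to-Internet traffic must be logged,
# not only filtered. Send rule-hit logs to Log Analytics.
enable_logging() {
  fw_id="/subscriptions/<sub>/resourceGroups/$RG/providers/Microsoft.Network/azureFirewalls/$FW"
  run az monitor diagnostic-settings create -n fw-to-law --resource "$fw_id" \
      --workspace "$LAW_ID" \
      --logs '[{"category":"AzureFirewallApplicationRule","enabled":true},{"category":"AzureFirewallNetworkRule","enabled":true}]'
}

main() {
  create_policy
  add_fqdn_rules
  secure_hub
  enable_logging
}
main
```

Because the policy is created before the firewall, the hub never passes traffic with an empty rule base; and because logging is switched on in the same change, the first flows through the secured hub are already visible when the NVA is retired.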

The following paths show the connectivity paths enabled by using Azure secured virtual hubs:

Path 6

Path 6 shows secured traffic flow between VNets within the same region.

The traffic is routed as follows:

  • Virtual networks connected to the same secured virtual hub now route traffic via the Azure Firewall.

  • Azure Firewall can apply policy to these flows.

Figure: Traffic flow 6

Path 7

Path 7 shows the traffic flow from an Azure VNet to the Internet or a third-party security service.

The traffic is routed as follows:

  • Virtual networks connected to the secured virtual hub can send traffic to public destinations on the Internet, using the secured hub as a central point of Internet access.

  • This traffic can be filtered locally using Azure Firewall FQDN rules, or sent to a third-party security service for inspection.

Figure: Traffic flow 7

Path 8

Path 8 shows the traffic flow from a branch to the Internet or a third-party security service.

The traffic is routed as follows:

  • Branches connected to the secured virtual hub can send traffic to public destinations on the Internet by using the secured hub as a central point of Internet access.

  • This traffic can be filtered locally using Azure Firewall FQDN rules, or sent to a third-party security service for inspection.

Figure: Traffic flow 8

Next steps

Learn more about Azure Virtual WAN.