Scenario: Isolating VNets

When working with Virtual WAN virtual hub routing, there are quite a few available scenarios. In this scenario, the goal is to prevent VNets from being able to reach each other. This is known as isolating VNets. For information about virtual hub routing, see About virtual hub routing.

Design

In this scenario, the workload within a certain VNet remains isolated and is not able to communicate with other VNets. However, the VNets are required to reach all branches (VPN, ER, and User VPN). In order to figure out how many route tables will be needed, you can build a connectivity matrix. For this scenario it will look like the following table, where each cell represents whether a source (row) can communicate with a destination (column):

From        To: VNets    Branches
VNets       Direct       Direct
Branches    Direct       Direct

Each of the cells in the previous table describes whether a Virtual WAN connection (the "From" side of the flow, the row headers) communicates with a destination prefix (the "To" side of the flow, the column headers). In this scenario there are no firewalls or Network Virtual Appliances, so communications flow directly over Virtual WAN (hence the word "Direct" in the table).

This connectivity matrix gives us two different row patterns, which translate to two route tables. Virtual WAN already has a Default route table, so we will need another route table. For this example, we will name the route table RT_VNET.

VNets will be associated to this RT_VNET route table. Because they need connectivity to branches, branches will need to propagate to RT_VNET (otherwise the VNets would not learn the branch prefixes). Since the branches are always associated to the Default route table, VNets will need to propagate to the Default route table. As a result, this is the final design:

  • Virtual networks:
    • Associated route table: RT_VNET
    • Propagating to route tables: Default
  • Branches:
    • Associated route table: Default
    • Propagating to route tables: RT_VNET and Default

Notice that since only branches propagate to the route table RT_VNET, those will be the only prefixes that VNets will learn, and not those of other VNets.

For information about virtual hub routing, see About virtual hub routing.

Workflow

In order to configure this scenario, take the following steps into consideration:

  1. Create a custom route table in each hub. In the example, the route table is RT_VNET. To create a route table, see How to configure virtual hub routing. For more information about route tables, see About virtual hub routing.

  2. When you create the RT_VNET route table, configure the following settings:

    • Association: Select the VNets you want to isolate.
    • Propagation: Select the option for branches, implying that branch (VPN/ER/P2S) connections will propagate routes to this route table.

Isolated VNets
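The following is an added example, not code from the Azure documentation: a small model of how a hub route table is filled by propagation and read by association, used to confirm that the design and workflow above isolate VNets while keeping branch reachability, and to show what happens if VNets are mistakenly allowed to propagate into RT_VNET. Connection names and prefixes are constructed for the example.

```python
# Added example (not from the Azure docs page): model Virtual WAN hub route-table
# association/propagation and derive the connectivity matrix from it.
from dataclasses import dataclass

@dataclass
class Connection:
    name: str
    prefixes: list            # address space advertised by this connection
    associated: str           # route table the connection looks up routes in
    propagates_to: list       # route tables the connection advertises its prefixes into

def build_route_tables(connections):
    """Apply every connection's propagation: {table: {prefix: origin connection}}."""
    tables = {}
    for c in connections:
        for table in c.propagates_to:
            for prefix in c.prefixes:
                tables.setdefault(table, {})[prefix] = c.name
    return tables

def has_route(src, dst, tables):
    """True if src's associated table holds a route to any of dst's prefixes."""
    table = tables.get(src.associated, {})
    return any(p in table and table[p] != src.name for p in dst.prefixes)

def connectivity_matrix(connections):
    """{(source, destination): bool} for every ordered pair of connections."""
    tables = build_route_tables(connections)
    return {(s.name, d.name): has_route(s, d, tables)
            for s in connections for d in connections if s is not d}

# Constructed sample: two VNets and two branches on one hub, wired as in the design
# (VNets: associated RT_VNET, propagate Default; branches: associated Default,
# propagate Default and RT_VNET). Prefixes are hypothetical.
ISOLATED = [
    Connection("vnet1", ["10.1.0.0/16"], "RT_VNET", ["Default"]),
    Connection("vnet2", ["10.2.0.0/16"], "RT_VNET", ["Default"]),
    Connection("vpn-branch", ["192.168.1.0/24"], "Default", ["Default", "RT_VNET"]),
    Connection("er-branch", ["192.168.2.0/24"], "Default", ["Default", "RT_VNET"]),
]

# Misconfiguration to compare against: VNets also propagate into RT_VNET,
# which silently re-enables VNet-to-VNet traffic.
LEAKY = [Connection(c.name, c.prefixes, c.associated,
                    c.propagates_to + (["RT_VNET"] if c.name.startswith("vnet") else []))
         for c in ISOLATED]

if __name__ == "__main__":
    for (s, d), ok in sorted(connectivity_matrix(ISOLATED).items()):
        print(f"{s:>10} -> {d:<10} {'Direct' if ok else 'blocked'}")
```

Running the block prints one row per ordered pair; the only blocked pairs are vnet1 to vnet2 and vnet2 to vnet1, which is exactly the isolation the page describes.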

Next steps