SD-WAN connectivity architecture with Azure Virtual WAN

Azure Virtual WAN is a networking service that brings together many cloud connectivity and security services with a single operational interface. These services include branch (via Site-to-site VPN), remote user (Point-to-site VPN), private (ExpressRoute) connectivity, intra-cloud transitive connectivity for VNets, VPN and ExpressRoute interconnectivity, routing, Azure Firewall, and encryption for private connectivity.

Although Azure Virtual WAN itself is a Software Defined WAN (SD-WAN), it is also designed to enable seamless interconnection with premises-based SD-WAN technologies and services. Many such services are offered by our Virtual WAN ecosystem and Azure Networking Managed Services partners (MSPs). Enterprises that are transforming their private WAN to SD-WAN have options when interconnecting their private SD-WAN with Azure Virtual WAN. Enterprises can choose from these options:

  • Direct Interconnect Model
  • Indirect Interconnect Model
  • Managed Hybrid WAN Model using their preferred managed service provider (MSP)

In all of these cases, the interconnection of Virtual WAN with SD-WAN is similar from the connectivity side, but may vary on the orchestration and operational side.

Direct Interconnect model

[Figure: Direct Interconnect model]

In this architecture model, the SD-WAN branch customer-premises equipment (CPE) is directly connected to Virtual WAN hubs via IPsec connections. The branch CPE may also be connected to other branches via the private SD-WAN, or leverage Virtual WAN for branch-to-branch connectivity. Branches that need to access their workloads in Azure will be able to directly and securely access Azure via the IPsec tunnel(s) that are terminated in the Virtual WAN hub(s).

SD-WAN CPE partners can enable automation in order to automate the normally tedious and error-prone IPsec connectivity from their respective CPE devices. Automation allows the SD-WAN controller to talk to Azure via the Virtual WAN API to configure the Virtual WAN sites, as well as push the necessary IPsec tunnel configuration to the branch CPEs. See Automation guidelines for the description of Virtual WAN interconnection automation by various SD-WAN partners.

The SD-WAN CPE continues to be the place where traffic optimization as well as path selection is implemented and enforced.

In this model, some vendor-proprietary traffic optimization based on real-time traffic characteristics may not be supported, because the connectivity to Virtual WAN is over IPsec and the IPsec VPN is terminated on the Virtual WAN VPN gateway. For example, dynamic path selection at the branch CPE is feasible because the branch device exchanges various network packet information with another SD-WAN node, and can therefore dynamically identify the best link to use for each class of prioritized traffic at the branch. This feature may be useful in areas where last-mile optimization (branch to the closest Azure POP) is required.

With Virtual WAN, users can get Azure Path Selection, which is policy-based path selection across multiple ISP links from the branch CPE to Virtual WAN VPN gateways. Virtual WAN allows for the setup of multiple links (paths) from the same SD-WAN branch CPE; each link represents a dual-tunnel connection from a unique public IP of the SD-WAN CPE to two different instances of the Azure Virtual WAN VPN gateway. SD-WAN vendors can implement the most optimal path to Azure, based on traffic policies set by their policy engine on the CPE links.
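The following PowerShell script is an added example, not code from the Azure documentation or from any SD-WAN partner. It shows the Virtual WAN side of the automation described above (creating a VPN site for one branch CPE and its VPN connection through the Az.Network cmdlets) and the multi-link setup used for Azure Path Selection: two ISP links from the same CPE, each with its own public IP, each producing a dual-tunnel link connection to the two VPN gateway instances. The resource group, Virtual WAN, gateway and site names, the ISP names, the public IPs (RFC 5737 documentation ranges), the BGP ASN and peering addresses, and the device vendor/model are all assumptions; the pre-shared keys are read from environment variables so they are not committed with the script.

```powershell
# Added example: register one SD-WAN branch CPE with two ISP links in Virtual WAN
# and build a VPN connection with one link connection per ISP link.
# All names and addresses below are assumptions for illustration only.
$rg    = "rg-vwan-demo"                                                 # assumed
$wan   = Get-AzVirtualWan -ResourceGroupName $rg -Name "vwan-demo"      # assumed
$vpnGw = Get-AzVpnGateway  -ResourceGroupName $rg -Name "vpngw-hub-we"  # assumed

# One VpnSiteLink per ISP path from the CPE. Each link needs a unique public IP;
# the BGP peering addresses are the CPE's tunnel-side addresses (assumed values).
$link1 = New-AzVpnSiteLink -Name "isp-a" -IpAddress "203.0.113.10" `
           -LinkProviderName "ISP-A" -LinkSpeedInMbps 100 `
           -BgpAsn 65010 -BgpPeeringAddress "169.254.21.1"
$link2 = New-AzVpnSiteLink -Name "isp-b" -IpAddress "198.51.100.10" `
           -LinkProviderName "ISP-B" -LinkSpeedInMbps 50 `
           -BgpAsn 65010 -BgpPeeringAddress "169.254.22.1"

# The VPN site models the branch CPE with both of its links.
$site = New-AzVpnSite -ResourceGroupName $rg -Name "branch-01" -Location "westeurope" `
          -VirtualWan $wan -VpnSiteLink @($link1, $link2) `
          -DeviceVendor "ExampleSDWAN" -DeviceModel "vCPE"        # assumed vendor/model

# Pin the IKE/IPsec parameters on the Azure side so both ends negotiate a known
# strong suite instead of whatever the default proposal list allows.
$ipsec = New-AzIpsecPolicy -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 `
           -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 `
           -IkeEncryption AES256 -IkeIntegrity SHA256 `
           -DhGroup DHGroup14 -PfsGroup PFS2048

# Pre-shared keys come from a secret store via the environment, not from the script.
$conn1 = New-AzVpnSiteLinkConnection -Name "branch-01-isp-a" -VpnSiteLink $link1 `
           -ConnectionBandwidth 100 -SharedKey $env:BRANCH01_PSK_A -EnableBgp `
           -IpSecPolicy $ipsec -VpnConnectionProtocolType IKEv2
$conn2 = New-AzVpnSiteLinkConnection -Name "branch-01-isp-b" -VpnSiteLink $link2 `
           -ConnectionBandwidth 50 -SharedKey $env:BRANCH01_PSK_B -EnableBgp `
           -IpSecPolicy $ipsec -VpnConnectionProtocolType IKEv2

# One VPN connection on the hub gateway carries both link connections.
New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $vpnGw.Name `
  -Name "branch-01-conn" -VpnSite $site -VpnSiteLinkConnection @($conn1, $conn2)

# The CPE configuration needs both gateway instance public IPs, because each
# link connection is a pair of tunnels, one to each instance.
$vpnGw.IpConfigurations | Select-Object Id, PublicIpAddress

# Verification: per-link status after the CPE brings its tunnels up.
(Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $vpnGw.Name `
   -Name "branch-01-conn").VpnLinkConnections |
  Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

An SD-WAN controller that automates this flow performs the same sequence through the Virtual WAN REST API and then pushes the resulting tunnel parameters (gateway instance IPs, IKE/IPsec suite, BGP peering addresses and the shared key) to the branch CPE. Keeping the IPsec policy explicit on the Azure side is what makes a later audit of the negotiated suite meaningful, and the per-link status query is the first place to look when a policy engine on the CPE reports one path as unavailable.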

Indirect Interconnect model

[Figure: Indirect Interconnect model]

In this architecture model, SD-WAN branch CPEs are indirectly connected to Virtual WAN hubs. As the figure shows, an SD-WAN virtual CPE is deployed in an enterprise VNet. This virtual CPE is, in turn, connected to the Virtual WAN hub(s) using IPsec. The virtual CPE serves as an SD-WAN gateway into Azure. Branches that need to access their workloads in Azure will be able to access them via the v-CPE gateway.

Since the connectivity to Azure is via the v-CPE gateway (NVA), all traffic between Azure workload VNets and the other SD-WAN branches goes via the NVA. In this model, the user is responsible for managing and operating the SD-WAN NVA, including high availability, scalability, and routing.

Managed Hybrid WAN model

[Figure: Managed Hybrid WAN model]

In this architecture model, enterprises can leverage a managed SD-WAN service offered by a Managed Service Provider (MSP) partner. This model is similar to the direct or indirect models described above. However, in this model, the SD-WAN design, orchestration, and operations are delivered by the SD-WAN provider.

Additional Information