Global transit network architecture and Virtual WAN

Modern enterprises require ubiquitous connectivity between hyper-distributed applications, data, and users across the cloud and on-premises. Enterprises are adopting the global transit network architecture to consolidate, connect, and control the cloud-centric, modern, global enterprise IT footprint.

The global transit network architecture is based on a classic hub-and-spoke connectivity model, where the cloud-hosted network 'hub' enables transitive connectivity between endpoints that may be distributed across different types of 'spokes'.

In this model, a spoke can be:

  • Virtual network (VNet)
  • Physical branch site
  • Remote user
  • Internet


Figure 1: Global transit hub-and-spoke network

Figure 1 shows the logical view of the global transit network, where geographically distributed users, physical sites, and VNets are interconnected via a networking hub hosted in the cloud. This architecture enables logical one-hop transit connectivity between the networking endpoints.

Global transit network with Virtual WAN

Azure Virtual WAN is an Azure-managed cloud networking service. All the networking components that this service is composed of are hosted and managed by Azure. For more information about Virtual WAN, see the Virtual WAN Overview article.

Azure Virtual WAN enables a global transit network architecture by providing ubiquitous, any-to-any connectivity between globally distributed sets of cloud workloads in VNets, branch sites, SaaS and PaaS applications, and users.


Figure 2: Global transit network and Virtual WAN

In the Azure Virtual WAN architecture, virtual WAN hubs are provisioned in Azure regions, and you choose which branches, VNets, and remote users to connect to each hub. Physical branch sites are connected to the hub by Premium ExpressRoute or site-to-site VPN, VNets are connected to the hub by VNet connections, and remote users can connect directly to the hub using User VPN (point-to-site VPN). Virtual WAN also supports cross-region VNet connections, where a VNet in one region is connected to a virtual WAN hub in a different region.

You can establish a virtual WAN by creating a single virtual WAN hub in the region that has the largest number of spokes (branches, VNets, users), and then connecting the spokes that are in other regions to that hub. This is a good option when an enterprise footprint is mostly in one region with a few remote spokes.

Hub-to-hub connectivity

An enterprise cloud footprint can span multiple cloud regions, and it is optimal (latency-wise) to access the cloud from the region closest to the physical sites and users. One of the key principles of the global transit network architecture is to enable cross-region connectivity between all cloud and on-premises network endpoints. This means that traffic from a branch that is connected to the cloud in one region can reach another branch or a VNet in a different region, using hub-to-hub connectivity carried over the Azure global network.


Figure 3: Virtual WAN cross-region connectivity

When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected via hub-to-hub links, enabling global connectivity between branches and VNets that are distributed across multiple regions.

Additionally, hubs that are all part of the same virtual WAN can be associated with different regional access and security policies. For more information, see the Security and policy control section later in this article.

Any-to-any connectivity

The global transit network architecture enables any-to-any connectivity via virtual WAN hubs. This architecture eliminates or reduces the need for full-mesh or partial-mesh connectivity between spokes, which is more complex to build and maintain. In addition, routing control in a hub-and-spoke network is easier to configure and maintain than in a mesh network.

Any-to-any connectivity (in the context of a global architecture) allows an enterprise with globally distributed users, branches, datacenters, VNets, and applications to connect them to each other through the "transit" hub(s). Azure Virtual WAN acts as the global transit system.


Figure 4: Virtual WAN traffic paths

Azure Virtual WAN supports the following global transit connectivity paths. The letters in parentheses map to Figure 4.

  • Branch-to-VNet (a)
  • Branch-to-branch (b)
  • Remote user-to-VNet (c)
  • Remote user-to-branch (d)
  • VNet-to-VNet (e)
  • Branch-to-hub / hub-to-branch (f)
  • Branch-to-hub / hub-to-VNet (g)
  • VNet-to-hub / hub-to-VNet (h)

Branch-to-VNet (a) and Branch-to-VNet cross-region (g)

Branch-to-VNet is the primary path supported by Azure Virtual WAN. This path allows you to connect branches to Azure IaaS enterprise workloads that are deployed in Azure VNets. Branches can be connected to the virtual WAN via ExpressRoute or site-to-site VPN. The traffic transits to the VNets that are connected to the virtual WAN hubs via VNet connections. Explicit gateway transit is not required for Virtual WAN, because Virtual WAN automatically enables gateway transit to branch sites. See the Virtual WAN Partners article on how to connect an SD-WAN CPE to Virtual WAN.


In this model, each branch that is connected to the virtual WAN hub using ExpressRoute can connect to VNets using the branch-to-VNet path.

Branch-to-branch (b) and Branch-to-branch cross-region (f)

Branches can be connected to an Azure virtual WAN hub using ExpressRoute circuits and/or site-to-site VPN connections. You can connect each branch to the virtual WAN hub in the region closest to that branch.

This option lets enterprises use the Azure backbone to connect branches. However, even though this capability is available, you should weigh the benefits of connecting branches over Azure Virtual WAN against using a private WAN.

Remote user-to-VNet (c)

You can enable direct, secure remote access to Azure using a point-to-site connection from a remote user client to a virtual WAN. Enterprise remote users no longer have to hairpin to the cloud through a corporate VPN.

Remote user-to-branch (d)

The remote user-to-branch path lets remote users who are using a point-to-site connection to Azure access on-premises workloads and applications by transiting through the cloud. This path gives remote users the flexibility to access workloads that are deployed both in Azure and on-premises. Enterprises can enable a central, cloud-based secure remote access service in Azure Virtual WAN.

VNet-to-VNet transit (e) and VNet-to-VNet cross-region (h)

VNet-to-VNet transit enables VNets to connect to each other in order to interconnect multi-tier applications that are implemented across multiple VNets. Optionally, you can connect VNets to each other through VNet peering; this may be suitable for some scenarios where transit via the VWAN hub is not necessary.

Security and policy control

The Azure Virtual WAN hubs interconnect all the networking endpoints across the hybrid network and therefore potentially see all transit network traffic. Virtual WAN hubs can be converted to secured virtual hubs by deploying Azure Firewall inside the VWAN hubs to enable cloud-based security, access, and policy control. Orchestration of Azure Firewall instances in virtual WAN hubs can be performed by Azure Firewall Manager.

Azure Firewall Manager provides the capabilities to manage and scale security for global transit networks. It centrally manages routing and global policy, and integrates advanced Internet security services from third parties alongside Azure Firewall.


Figure 5: Secured virtual hub with Azure Firewall

Azure Firewall in the virtual WAN hub supports the following global secured transit connectivity paths. The letters in parentheses map to Figure 5.

  • VNet-to-VNet secured transit (e)
  • VNet-to-Internet or third-party security service (i)
  • Branch-to-Internet or third-party security service (j)

VNet-to-VNet secured transit (e)

VNet-to-VNet secured transit enables VNets to connect to each other via the Azure Firewall in the virtual WAN hub.

VNet-to-Internet or third-party security service (i)

VNet-to-Internet or third-party secured transit enables VNets to connect to the Internet or to a supported third-party security service via the Azure Firewall in the virtual WAN hub.

Branch-to-Internet or third-party security service (j)

Branch-to-Internet or third-party secured transit enables branches to connect to the Internet or to a supported third-party security service via the Azure Firewall in the virtual WAN hub.
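The following Bicep template is an added example, not code from this article or from Microsoft. It ties together the transit paths listed under Figure 4 (a Virtual WAN with two regional hubs, which interconnect automatically, plus a VNet connection on each hub) and the secured-hub paths (e), (i) and (j) under Figure 5 (Azure Firewall deployed inside the first hub). All names, regions and address prefixes are constructed placeholders; the two spoke VNets are assumed to already exist and are passed in by resource ID. The routing-intent resource at the end is the mechanism assumed here for steering hub traffic through the firewall; the article itself attributes that orchestration to Azure Firewall Manager, so treat it as an assumption.

```bicep
// Added example (not from the article): Virtual WAN with two hubs, two spoke
// connections, and Azure Firewall in hub 1. Names/regions/prefixes are constructed.
@description('Region of the first hub (constructed placeholder)')
param region1 string = 'eastus'
@description('Region of the second hub (constructed placeholder)')
param region2 string = 'westeurope'
@description('Resource ID of an existing spoke VNet to attach to hub 1 (assumed to exist)')
param spokeVnet1Id string
@description('Resource ID of an existing spoke VNet to attach to hub 2 (assumed to exist)')
param spokeVnet2Id string

// The Virtual WAN itself. allowBranchToBranchTraffic is the switch behind
// paths (b) and (f): branches reach other branches through the hub(s).
resource vwan 'Microsoft.Network/virtualWans@2023-05-01' = {
  name: 'vwan-global-transit'
  location: region1
  properties: {
    type: 'Standard'
    allowBranchToBranchTraffic: true
  }
}

// Two hubs in different regions. No hub-to-hub resource is declared:
// hubs that belong to the same Virtual WAN are interconnected automatically.
resource hub1 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'vhub-${region1}'
  location: region1
  properties: {
    addressPrefix: '10.100.0.0/23' // hub address space (constructed)
    virtualWan: { id: vwan.id }
  }
}

resource hub2 'Microsoft.Network/virtualHubs@2023-05-01' = {
  name: 'vhub-${region2}'
  location: region2
  properties: {
    addressPrefix: '10.101.0.0/23' // hub address space (constructed)
    virtualWan: { id: vwan.id }
  }
}

// VNet connections: paths (a)/(e) within a hub, (g)/(h) across hubs.
// enableInternetSecurity lets the hub firewall take this VNet's Internet-bound
// traffic once routing to the firewall is in place (path (i)).
resource spoke1Conn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub1
  name: 'conn-spoke1'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet1Id }
    enableInternetSecurity: true
  }
}

resource spoke2Conn 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2023-05-01' = {
  parent: hub2
  name: 'conn-spoke2'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet2Id }
    enableInternetSecurity: true
  }
}

// A firewall policy is the object Azure Firewall Manager manages centrally;
// a real deployment adds rule collection groups to it.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-global'
  location: region1
  properties: {
    threatIntelMode: 'Alert'
  }
}

// Azure Firewall with the AZFW_Hub SKU, deployed inside hub 1: this is what
// turns the hub into a secured virtual hub (Figure 5).
resource hubFirewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'azfw-${region1}'
  location: region1
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub1.id }
    firewallPolicy: { id: fwPolicy.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
  }
}

// Routing intent (assumption: the mechanism used here to send hub 1's private
// VNet/branch traffic and Internet-bound traffic through the firewall,
// covering paths (e), (i) and (j)).
resource routingIntent 'Microsoft.Network/virtualHubs/routingIntent@2023-05-01' = {
  parent: hub1
  name: 'hubRoutingIntent'
  properties: {
    routingPolicies: [
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: hubFirewall.id }
      { name: 'InternetTraffic', destinations: [ 'Internet' ], nextHop: hubFirewall.id }
    ]
  }
}

output hub1Id string = hub1.id
output firewallId string = hubFirewall.id
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters spokeVnet1Id=<id> spokeVnet2Id=<id>`. Only hub 1 is secured in this example; hub 2 forwards traffic unfiltered, which illustrates the article's point that hubs in the same virtual WAN can carry different regional security policies, and is also the reason to check, before relying on path (h), which hub's firewall a cross-region flow actually traverses.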

Next steps

Create a connection using Virtual WAN and deploy Azure Firewall in the VWAN hub(s).