Global transit network architecture and Virtual WAN

Modern enterprises require ubiquitous connectivity between hyper-distributed applications, data, and users across the cloud and on-premises. Enterprises are adopting a global transit network architecture to consolidate, connect, and control a cloud-centric, global IT footprint.

The global transit network architecture is based on the classic hub-and-spoke connectivity model, where a cloud-hosted network 'hub' provides transitive connectivity between endpoints that may be distributed across different types of 'spokes'.

In this model, a spoke can be:

  • A virtual network (VNet)
  • A physical branch site
  • A remote user
  • The Internet


Figure 1: Global transit hub-and-spoke network

Figure 1 shows the logical view of the global transit network: geographically distributed users, physical sites, and VNets are interconnected through a networking hub hosted in the cloud. This architecture provides logical one-hop transit connectivity between the network endpoints.

Global transit network with Virtual WAN

Azure Virtual WAN is an Azure-managed cloud networking service. All of the networking components that make up the service are hosted and managed by Azure. For more information about Virtual WAN, see the Virtual WAN Overview article.

Azure Virtual WAN enables a global transit network architecture by providing ubiquitous, any-to-any connectivity between globally distributed cloud workloads in VNets, branch sites, SaaS and PaaS applications, and users.


Figure 2: Global transit network and Virtual WAN

In the Azure Virtual WAN architecture, virtual WAN hubs are provisioned in Azure regions, and you choose which branches, VNets, and remote users to connect to each hub. Physical branch sites connect to a hub over ExpressRoute Premium or site-to-site VPN, VNets connect to a hub through VNet connections, and remote users connect directly to a hub using User VPN (point-to-site VPN). Virtual WAN also supports cross-region VNet connections: a VNet in one region can be connected to a virtual WAN hub in a different region.

You can establish a virtual WAN by creating a single virtual WAN hub in the region that has the largest number of spokes (branches, VNets, users) and then connecting the spokes located in other regions to that hub. This is a good option when an enterprise's footprint is mostly in one region with only a few remote spokes.
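As an added example (not from the original article), the following Az PowerShell script builds the single-hub layout just described: one Standard virtual WAN, one hub, two spoke VNets attached through VNet connections, and one branch attached through a site-to-site VPN. The resource group, names, region, and address ranges are assumptions; the cmdlets are from the Az.Network module.

```powershell
# Added example: single-hub Virtual WAN with two VNet spokes and one VPN branch.
# Names, region and address ranges below are assumptions for illustration.
$rg  = "rg-vwan-demo"
$loc = "westeurope"

New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# 1. The virtual WAN. Standard type is required for VNet-to-VNet transit and hub-to-hub links.
#    Branch-to-branch transit is allowed here on purpose; it can be switched off later.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name "vwan-global" -Location $loc `
    -VirtualWANType "Standard" -AllowBranchToBranchTraffic -AllowVnetToVnetTraffic

# 2. One hub in the region with the most spokes. The hub prefix must not overlap any spoke or branch range.
$hub = New-AzVirtualHub -ResourceGroupName $rg -Name "hub-weu" -Location $loc `
    -VirtualWan $vwan -AddressPrefix "10.100.0.0/24"

# 3. Spoke VNets (created here so the script is self-contained; usually they already exist).
$spokes = @(
    New-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-app"  -Location $loc -AddressPrefix "10.1.0.0/16"
    New-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-data" -Location $loc -AddressPrefix "10.2.0.0/16"
)

#    A VNet connection attaches each spoke to the hub. The hub provides the transit (paths a and e),
#    so no gateway-transit peering settings are needed on the spokes.
foreach ($vnet in $spokes) {
    New-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hub.Name `
        -Name "conn-$($vnet.Name)" -RemoteVirtualNetwork $vnet | Out-Null
}

# 4. A branch: the on-premises CPE is described as a VPN site, the hub gets a VPN gateway,
#    and a connection ties the two together (paths a and b).
$site = New-AzVpnSite -ResourceGroupName $rg -Name "site-paris" -Location $loc -VirtualWan $vwan `
    -IpAddress "203.0.113.10" -AddressSpace @("192.168.10.0/24") `
    -DeviceVendor "ExampleVendor" -DeviceModel "cpe-1" -LinkSpeedInMbps 100

$vpnGw = New-AzVpnGateway -ResourceGroupName $rg -Name "vpngw-weu" `
    -VirtualHubName $hub.Name -VpnGatewayScaleUnit 1

# Prompt for the IPsec pre-shared key rather than embedding it in the script or a repository.
$psk = Read-Host -Prompt "Pre-shared key for site-paris" -AsSecureString
New-AzVpnConnection -ResourceGroupName $rg -ParentResourceName $vpnGw.Name -Name "conn-site-paris" `
    -VpnSite $site -SharedKey $psk | Out-Null
```

Gateway creation takes a while to complete, so run the last steps from a session you can leave open. If a second region later accumulates enough spokes, add a hub there to the same virtual WAN; the hub-to-hub links are created for you, as the next section describes.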

Hub-to-hub connectivity (Preview)

An enterprise cloud footprint can span multiple cloud regions, and it is optimal (latency-wise) to access the cloud from the region closest to each physical site and its users. One of the key principles of the global transit network architecture is cross-region connectivity between all cloud and on-premises network endpoints. This means that traffic from a branch connected to the cloud in one region can reach another branch or a VNet in a different region through hub-to-hub connectivity carried over the Azure global network.


Figure 3: Virtual WAN cross-region connectivity

When multiple hubs are enabled in a single virtual WAN, the hubs are automatically interconnected by hub-to-hub links, which provides global connectivity between branches and VNets distributed across multiple regions.

Additionally, hubs that belong to the same virtual WAN can be associated with different regional access and security policies. For more information, see Security and policy control later in this article.

Any-to-any connectivity

The global transit network architecture provides any-to-any connectivity through the virtual WAN hubs. This eliminates or reduces the need for full-mesh or partial-mesh connectivity between spokes, which is more complex to build and maintain. Routing control in a hub-and-spoke network is also easier to configure and maintain than in a mesh network.

Any-to-any connectivity (in the context of a global architecture) lets an enterprise with globally distributed users, branches, datacenters, VNets, and applications connect them to each other through the "transit" hub(s). Azure Virtual WAN acts as the global transit system.


Figure 4: Virtual WAN traffic paths

Azure Virtual WAN supports the following global transit connectivity paths. The letters in parentheses map to Figure 4.

  • Branch-to-VNet (a)
  • Branch-to-branch (b)
  • Remote user-to-VNet (c)
  • Remote user-to-branch (d)
  • VNet-to-VNet (e)
  • Branch-to-hub-to-hub-to-branch (f)
  • Branch-to-hub-to-hub-to-VNet (g)
  • VNet-to-hub-to-hub-to-VNet (h)

Branch-to-VNet (a) and branch-to-VNet cross-region (g)

Branch-to-VNet is the primary path supported by Azure Virtual WAN. It connects branches to enterprise IaaS workloads deployed in Azure VNets. Branches connect to the virtual WAN over ExpressRoute or site-to-site VPN, and traffic transits to the VNets attached to the virtual WAN hubs through VNet connections. Explicit gateway transit is not required, because Virtual WAN automatically enables gateway transit to branch sites. See the Virtual WAN Partners article for how to connect an SD-WAN CPE to Virtual WAN.


In this model, every branch connected to the virtual WAN hub using ExpressRoute can reach VNets over the branch-to-VNet path.

Branch-to-branch (b) and branch-to-branch cross-region (f)

Branches can be connected to an Azure virtual WAN hub using ExpressRoute circuits and/or site-to-site VPN connections. Connect each branch to the virtual WAN hub in the region closest to that branch.

This option lets enterprises use the Azure backbone to connect branches to each other. Even though the capability is available, weigh the benefits of connecting branches over Azure Virtual WAN against using a private WAN.

Note

Disabling branch-to-branch connectivity in Virtual WAN: a virtual WAN can be configured to disable branch-to-branch connectivity. This blocks route propagation between VPN-connected (S2S and P2S) and ExpressRoute-connected sites. It does not affect branch-to-VNet or VNet-to-VNet route propagation and connectivity. To configure this setting in the Azure portal: under the Virtual WAN Configuration menu, set Branch-to-Branch to Disabled.
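As an added example (not from the original article), this Az PowerShell snippet shows the permissive setting next to the restricted one and then reads back the effective routes on a branch connection so the change can be verified. The resource, hub, and connection names are assumptions; the output shape of Get-AzVHubEffectiveRoute is as I recall it from the Az.Network module, so check it against your installed version.

```powershell
# Added example: disable branch-to-branch transit and verify it from one branch's point of view.
# Names are assumptions for illustration.
$rg = "rg-vwan-demo"; $wanName = "vwan-global"; $hubName = "hub-weu"

# Before: branch-to-branch allowed, so every VPN/ExpressRoute/P2S site learns every other
# site's prefixes through the hub (path b, and f across hubs).
$vwan = Get-AzVirtualWan -ResourceGroupName $rg -Name $wanName
"Branch-to-branch allowed: $($vwan.AllowBranchToBranchTraffic)"

# After: the hub stops propagating routes between branch connections. Branch-to-VNet and
# VNet-to-VNet propagation are unaffected, so spoke VNets stay reachable from every branch.
Update-AzVirtualWan -ResourceGroupName $rg -Name $wanName -AllowBranchToBranchTraffic $false | Out-Null

# Verify: list the routes the hub advertises to one branch connection. After the change, other
# sites' prefixes (e.g. 192.168.20.0/24 for a second site) should be absent, while the spoke
# VNet prefixes (e.g. 10.1.0.0/16 and 10.2.0.0/16) remain.
$conn = Get-AzVpnConnection -ResourceGroupName $rg -ParentResourceName "vpngw-weu" -Name "conn-site-paris"
$effective = Get-AzVHubEffectiveRoute -ResourceGroupName $rg -HubName $hubName `
    -ResourceId $conn.Id -VirtualWanResourceType "VpnConnection"
$effective.Value | Format-Table AddressPrefixes, NextHopType, RouteOrigin
```

Because point-to-site users count as VPN-connected sites here, disabling this setting also removes the remote user-to-branch path (d), not only site-to-site transit. Decide on it per virtual WAN, since the setting applies to every hub in it.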

Remote user-to-VNet (c)

You can enable direct, secure remote access to Azure using a point-to-site connection from a remote user's client to the virtual WAN. Enterprise remote users no longer have to hairpin through a corporate VPN to reach the cloud.

Remote user-to-branch (d)

The remote user-to-branch path lets remote users on a point-to-site connection to Azure reach on-premises workloads and applications by transiting through the cloud. This gives remote users the flexibility to access workloads deployed both in Azure and on-premises. Enterprises can enable a central, cloud-based secure remote access service in Azure Virtual WAN.

VNet-to-VNet transit (e) and VNet-to-VNet cross-region (h)

VNet-to-VNet transit lets VNets connect to each other, for example to interconnect the tiers of a multi-tier application implemented across multiple VNets. Optionally, you can connect VNets to each other directly through VNet peering, which may be suitable for scenarios where transit through the virtual WAN hub is not necessary.

Force tunneling and default route in Azure Virtual WAN

Force tunneling can be enabled by setting the 'enable default route' flag on a VPN, ExpressRoute, or virtual network connection in Virtual WAN.

A virtual hub propagates a learned default route to a virtual network, site-to-site VPN, or ExpressRoute connection if the 'enable default route' flag is Enabled on that connection.

The flag is visible when you edit a virtual network connection, a VPN connection, or an ExpressRoute connection. It is disabled by default when a site or an ExpressRoute circuit is connected to a hub, and enabled by default when a virtual network connection is added to connect a VNet to a virtual hub. The default route does not originate in the Virtual WAN hub; it is propagated only if the hub has already learned it, either because a firewall was deployed in the hub or because another connected site has forced tunneling enabled.

Security and policy control

Azure Virtual WAN hubs interconnect all the network endpoints across the hybrid network and can potentially see all transit network traffic. Virtual WAN hubs can be converted into secured virtual hubs by deploying Azure Firewall inside them, which enables cloud-based security, access, and policy control. Azure Firewall instances in virtual WAN hubs can be orchestrated with Azure Firewall Manager.

Azure Firewall Manager provides the capabilities to manage and scale security for global transit networks. It centrally manages routing and global policy, and it integrates advanced Internet security services from third-party providers alongside Azure Firewall.


Figure 5: Secured virtual hub with Azure Firewall

Azure Firewall in a virtual WAN hub supports the following global secured transit connectivity paths. The letters in parentheses map to Figure 5.

  • VNet-to-VNet secured transit (e)
  • VNet-to-Internet or third-party security service (i)
  • Branch-to-Internet or third-party security service (j)

VNet-to-VNet secured transit (e)

VNet-to-VNet secured transit lets VNets connect to each other through the Azure Firewall in the virtual WAN hub.

VNet-to-Internet or third-party security service (i)

VNet-to-Internet lets VNets reach the Internet through the Azure Firewall in the virtual WAN hub. Traffic sent to the Internet through a supported third-party security service does not flow through Azure Firewall. You configure the VNet-to-Internet path through a supported third-party security service using Azure Firewall Manager.

Branch-to-Internet or third-party security service (j)

Branch-to-Internet lets branches reach the Internet through the Azure Firewall in the virtual WAN hub. Traffic sent to the Internet through a supported third-party security service does not flow through Azure Firewall. You configure the branch-to-Internet path through a supported third-party security service using Azure Firewall Manager.

How do I enable the default route (0.0.0.0/0) in a secured virtual hub?

Azure Firewall deployed in a virtual WAN hub (a secured virtual hub) can be configured as the default router to the Internet, or as the trusted security provider, for all branches (connected by VPN or ExpressRoute), spoke VNets, and users (connected via P2S VPN). This configuration must be done using Azure Firewall Manager. See Route traffic to your hub to configure all traffic from branches (including users) and VNets to the Internet via Azure Firewall.

This is a two-step configuration:

  1. Configure Internet traffic routing using the Secured Virtual Hub Route Setting menu. Choose the VNets and branches that may send traffic to the Internet through the firewall.

  2. Configure which connections (VNet and branch) may route traffic to the Internet (0.0.0.0/0) via the Azure Firewall in the hub or the trusted security provider. This step ensures that the default route is propagated to the selected branches and VNets attached to the virtual WAN hub through their connections.
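As an added example (not from the original article), the following Az PowerShell script covers both the force-tunneling flag described in the previous section and the two steps above: it deploys Azure Firewall into a hub, gives the hub a default route whose next hop is the firewall, and then sets the 'enable default route' flag only on the connections that should be force-tunneled. The article describes the portal path through Azure Firewall Manager; the route-table step is the programmatic equivalent I am assuming for it. Names are assumptions, and the flag parameter is a switch on the New- cmdlets but a Boolean on the Update- cmdlets (-EnableInternetSecurity on VNet connections, -EnableInternetSecurityFlag on VPN connections), as I recall them from Az.Network; check against your installed version.

```powershell
# Added example: turn a hub into a secured virtual hub and force-tunnel selected connections through it.
# Names are assumptions for illustration.
$rg = "rg-vwan-demo"; $loc = "westeurope"; $hubName = "hub-weu"
$hub = Get-AzVirtualHub -ResourceGroupName $rg -Name $hubName

# Step 1a: Azure Firewall inside the hub (AZFW_Hub SKU) with a firewall policy.
#          The policy starts empty, i.e. deny-all, so add explicit allow rules for the traffic you intend to permit.
$policy = New-AzFirewallPolicy -ResourceGroupName $rg -Name "fwpol-global" -Location $loc
$fwPips = New-AzFirewallHubPublicIpAddress -Count 1
$fwIps  = New-AzFirewallHubIpAddress -PublicIP $fwPips
New-AzFirewall -ResourceGroupName $rg -Name "azfw-hub-weu" -Location $loc -SkuName "AZFW_Hub" `
    -VirtualHubId $hub.Id -FirewallPolicyId $policy.Id -HubIPAddress $fwIps | Out-Null

# Step 1b: make the hub learn 0.0.0.0/0 with the firewall as next hop. The hub never originates a
#          default route by itself; this is what gives it one to propagate.
$fwId = (Get-AzVirtualHub -ResourceGroupName $rg -Name $hubName).AzureFirewall.Id
$toFirewall = New-AzVHubRoute -Name "default-via-azfw" -Destination @("0.0.0.0/0") -DestinationType "CIDR" `
    -NextHop $fwId -NextHopType "ResourceId"
Update-AzVHubRouteTable -ResourceGroupName $rg -VirtualHubName $hubName -Name "defaultRouteTable" `
    -Route @($toFirewall) | Out-Null

# Step 2: only connections with the flag set receive the default route. VNet connections have it on by
#         default and VPN/ExpressRoute connections have it off by default, so set it explicitly on each.
# App spoke: Internet egress goes through the hub firewall.
Update-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hubName `
    -Name "conn-vnet-app" -EnableInternetSecurity $true | Out-Null
# Data spoke: receives no default route from the hub at all.
Update-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hubName `
    -Name "conn-vnet-data" -EnableInternetSecurity $false | Out-Null
# Branch: its Internet-bound traffic is force-tunneled up to Azure and inspected by the hub firewall.
Update-AzVpnConnection -ResourceGroupName $rg -ParentResourceName "vpngw-weu" `
    -Name "conn-site-paris" -EnableInternetSecurityFlag $true | Out-Null
```

Two things to check after running it: that the firewall policy actually contains the allow rules your workloads need (an empty policy force-tunnels everything into a deny), and, if any branch already advertises 0.0.0.0/0 over BGP, that you intend the hub's firewall route to win, because, as the next section states, the default route set through Azure Firewall Manager takes precedence over one learned from a branch.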

Force tunneling traffic to an on-premises firewall in a secured virtual hub

If the virtual hub has already learned a default route (via BGP) from one of the branches (VPN or ExpressRoute sites), that default route is overridden by the default route learned from the Azure Firewall Manager setting. In that case, all Internet-bound traffic entering the hub from VNets and branches is routed to the Azure Firewall or the trusted security provider.

Note

Currently there is no option to choose between the on-premises firewall and Azure Firewall (or the trusted security provider) for Internet-bound traffic originating from VNets, branches, or users. The default route learned from the Azure Firewall Manager setting is always preferred over a default route learned from a branch.

Next steps

Create a connection using Virtual WAN and deploy Azure Firewall in your virtual WAN hub(s).