Connect an on-premises network to Azure

This article compares options for connecting an on-premises network to an Azure Virtual Network (VNet). For each option, a more detailed reference architecture is available.

VPN connection

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location. The encrypted traffic goes over the public Internet.

This architecture is suitable for hybrid applications where the traffic between on-premises hardware and the cloud is likely to be light, or you are willing to trade slightly extended latency for the flexibility and processing power of the cloud.

Benefits

  • Simple to configure.
  • Much higher bandwidth available; up to 10 Gbps depending on the VPN Gateway SKU.

Challenges

  • Requires an on-premises VPN device.
  • Although Microsoft guarantees 99.9% availability for each VPN Gateway, this SLA only covers the VPN gateway, and not your network connection to the gateway.

Reference architecture

Azure ExpressRoute connection

ExpressRoute connections use a private, dedicated connection through a third-party connectivity provider. The private connection extends your on-premises network into Azure.

This architecture is suitable for hybrid applications running large-scale, mission-critical workloads that require a high degree of scalability.

Benefits

  • Much higher bandwidth available; up to 10 Gbps depending on the connectivity provider.
  • Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand. However, not all connectivity providers have this option.
  • May allow your organization direct access to national clouds, depending on the connectivity provider.
  • 99.9% availability SLA across the entire connection.

Challenges

  • Can be complex to set up. Creating an ExpressRoute connection requires working with a third-party connectivity provider. The provider is responsible for provisioning the network connection.
  • Requires high-bandwidth routers on-premises.

Reference architecture

ExpressRoute with VPN failover

This option combines the previous two, using ExpressRoute in normal conditions, but failing over to a VPN connection if there is a loss of connectivity in the ExpressRoute circuit.

This architecture is suitable for hybrid applications that need the higher bandwidth of ExpressRoute, and also require highly available network connectivity.

Benefits

  • High availability if the ExpressRoute circuit fails, although the fallback connection is on a lower bandwidth network.

Challenges

  • Complex to configure. You need to set up both a VPN connection and an ExpressRoute circuit.
  • Requires redundant hardware (VPN appliances), and a redundant Azure VPN Gateway connection for which you pay charges.

Reference architecture

Hub-spoke network topology

A hub-spoke network topology is a way to isolate workloads while sharing services such as identity and security. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub. Shared services are deployed in the hub, while individual workloads are deployed as spokes.

Reference architectures