
Hub-spoke network topology in Azure

This reference architecture shows how to implement a hub-spoke topology in Azure. The hub is a virtual network (VNet) in Azure that acts as a central point of connectivity to your on-premises network. The spokes are VNets that peer with the hub, and can be used to isolate workloads. Traffic flows between the on-premises datacenter and the hub through an ExpressRoute or VPN gateway connection. Deploy this solution.


Download a Visio file of this architecture

The benefits of this topology include:

  • Cost savings by centralizing services that can be shared by multiple workloads, such as network virtual appliances (NVAs) and DNS servers, in a single location.
  • Overcome subscription limits by peering VNets from different subscriptions to the central hub.
  • Separation of concerns between central IT (SecOps, InfraOps) and workloads (DevOps).

Typical uses for this architecture include:

  • Workloads deployed in different environments, such as development, testing, and production, that require shared services such as DNS, IDS, NTP, or AD DS. Shared services are placed in the hub VNet, while each environment is deployed to a spoke to maintain isolation.
  • Workloads that do not require connectivity to each other, but require access to shared services.
  • Enterprises that require central control over security aspects, such as a firewall in the hub as a DMZ, and segregated management for the workloads in each spoke.

Architecture

The architecture consists of the following components.

  • On-premises network. A private local-area network running within an organization.

  • VPN device. A device or service that provides external connectivity to the on-premises network. The VPN device may be a hardware device, or a software solution such as the Routing and Remote Access Service (RRAS) in Windows Server 2012. For a list of supported VPN appliances and information on configuring selected VPN appliances for connecting to Azure, see About VPN devices for Site-to-Site VPN Gateway connections.

  • VPN virtual network gateway or ExpressRoute gateway. The virtual network gateway enables the VNet to connect to the VPN device, or ExpressRoute circuit, used for connectivity with your on-premises network. For more information, see Connect an on-premises network to a Microsoft Azure virtual network.

Note

The deployment scripts for this reference architecture use a VPN gateway for connectivity, and a VNet in Azure to simulate your on-premises network.

  • Hub VNet. Azure VNet used as the hub in the hub-spoke topology. The hub is the central point of connectivity to your on-premises network, and a place to host services that can be consumed by the different workloads hosted in the spoke VNets.

  • Gateway subnet. The virtual network gateways are held in the same subnet.

  • Spoke VNets. One or more Azure VNets that are used as spokes in the hub-spoke topology. Spokes can be used to isolate workloads in their own VNets, managed separately from other spokes. Each workload might include multiple tiers, with multiple subnets connected through Azure load balancers. For more information about the application infrastructure, see Running Windows VM workloads and Running Linux VM workloads.

  • VNet peering. Two VNets can be connected using a peering connection. Peering connections are non-transitive, low-latency connections between VNets. Once peered, the VNets exchange traffic by using the Azure backbone, without the need for a router. In a hub-spoke network topology, you use VNet peering to connect the hub to each spoke. You can peer virtual networks in the same region, or in different regions. For more information, see Requirements and constraints.

Note

This article only covers Resource Manager deployments, but you can also connect a classic VNet to a Resource Manager VNet in the same subscription. That way, your spokes can host classic deployments and still benefit from services shared in the hub.

Recommendations

The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

Resource groups

The hub VNet, and each spoke VNet, can be implemented in different resource groups, and even different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant. This allows for decentralized management of each workload, while sharing services maintained in the hub VNet.

VNet and GatewaySubnet

Create a subnet named GatewaySubnet, with an address range of /27. This subnet is required by the virtual network gateway. Allocating 32 addresses to this subnet will help to prevent reaching gateway size limitations in the future.

For more information about setting up the gateway, see the following reference architectures, depending on your connection type:

For higher availability, you can use ExpressRoute plus a VPN for failover. See Connect an on-premises network to Azure using ExpressRoute with VPN failover.

A hub-spoke topology can also be used without a gateway, if you don't need connectivity with your on-premises network.

VNet peering

VNet peering is a non-transitive relationship between two VNets. If you require spokes to connect to each other, consider adding a separate peering connection between those spokes.

However, if you have several spokes that need to connect with each other, you will run out of possible peering connections very quickly due to the limit on the number of VNet peerings per VNet. In this scenario, consider using user-defined routes (UDRs) to force traffic destined for a spoke to be sent to Azure Firewall or an NVA acting as a router in the hub VNet. This will allow the spokes to connect to each other.

You can also configure spokes to use the hub VNet gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub, and connect to remote networks, you must:

  • Configure the VNet peering connection in the hub to allow gateway transit.
  • Configure the VNet peering connection in each spoke to use remote gateways.
  • Configure all VNet peering connections to allow forwarded traffic.
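The following added example (not part of this article or of the reference-architecture deployment) checks a set of peering definitions against the three requirements above, and shows that peering is non-transitive: two spokes are only connected if a direct peering exists in both directions. The JSON shape and the VNet names are constructed; the flag names are the ones Azure uses for a VNet peering (allowGatewayTransit, useRemoteGateways, allowForwardedTraffic).

```python
import json

# Constructed sample: each VNet lists its outgoing peerings. spoke2 is
# deliberately misconfigured (hub side lacks gateway transit, spoke side
# does not allow forwarded traffic) so the checker has something to find.
SAMPLE_PEERINGS = json.loads("""
{
  "hub": [
    {"remote": "spoke1", "allowGatewayTransit": true,  "allowForwardedTraffic": true,  "useRemoteGateways": false},
    {"remote": "spoke2", "allowGatewayTransit": false, "allowForwardedTraffic": true,  "useRemoteGateways": false}
  ],
  "spoke1": [{"remote": "hub", "allowGatewayTransit": false, "allowForwardedTraffic": true,  "useRemoteGateways": true}],
  "spoke2": [{"remote": "hub", "allowGatewayTransit": false, "allowForwardedTraffic": false, "useRemoteGateways": true}]
}
""")


def check_gateway_transit(peerings, hub="hub"):
    """Return one finding per violated requirement, so the list is empty when
    every hub peering allows gateway transit, every spoke peering to the hub
    uses remote gateways, and every peering allows forwarded traffic."""
    findings = []
    for local, plist in peerings.items():
        for p in plist:
            link = f"{local}->{p['remote']}"
            if not p.get("allowForwardedTraffic", False):
                findings.append(f"{link}: allowForwardedTraffic must be true")
            if local == hub and not p.get("allowGatewayTransit", False):
                findings.append(f"{link}: hub peering must allow gateway transit")
            if local != hub and p["remote"] == hub and not p.get("useRemoteGateways", False):
                findings.append(f"{link}: spoke peering must use remote gateways")
    return findings


def directly_peered(peerings, a, b):
    """True only if a peers to b AND b peers to a. Peering is non-transitive,
    so a common neighbour (the hub) does not make two spokes reachable."""
    a_to_b = any(p["remote"] == b for p in peerings.get(a, []))
    b_to_a = any(p["remote"] == a for p in peerings.get(b, []))
    return a_to_b and b_to_a


if __name__ == "__main__":
    for f in check_gateway_transit(SAMPLE_PEERINGS):
        print("FINDING:", f)
    print("spoke1<->spoke2 peered:", directly_peered(SAMPLE_PEERINGS, "spoke1", "spoke2"))
```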

Considerations

Spoke connectivity

If you require connectivity between spokes, consider deploying Azure Firewall or an NVA for routing in the hub, and using UDRs in the spokes to forward traffic to the hub. The deployment steps below include an optional step that sets up this configuration.


In this scenario, you must configure the peering connections to allow forwarded traffic.

Also consider what services are shared in the hub, to ensure the hub scales for a larger number of spokes. For instance, if your hub provides firewall services, consider the bandwidth limits of your firewall solution when adding multiple spokes. You might want to move some of these shared services to a second level of hubs.

Deploy the solution

A deployment for this architecture is available on GitHub. It uses VMs in each VNet to test connectivity. Two instances of each jumpbox are deployed, one Linux VM and one Windows VM. In a real deployment, you would deploy a single type.

No shared services are deployed in the hub. For a version that includes shared services, see Hub-spoke network topology with shared services in Azure.

The deployment creates the following resource groups in your subscription:

  • hub-vnet-rg
  • onprem-jb-rg
  • onprem-vnet-rg
  • spoke1-vnet-rg
  • spoke2-vnet-rg

Prerequisites

  1. Clone, fork, or download the zip file for the reference architectures GitHub repository.

  2. Install Azure CLI 2.0.

  3. Install Node and NPM.

  4. Install the Azure building blocks npm package.

    npm install -g @mspnp/azure-building-blocks
    
  5. From a command prompt, bash prompt, or PowerShell prompt, sign into your Azure account as follows:

    az login
    

Deploy the reference architecture

Follow these steps to deploy the architecture:

  1. Navigate to the hybrid-networking/hub-spoke folder of the reference architectures repository.

  2. Open the hub-spoke.json file.

  3. Replace the values for all instances of [replace-with-username] and [replace-with-password].

    "adminUsername": "[replace-with-username]",
    "adminPassword": "[replace-with-password]",
    
  4. Find both instances of [replace-with-shared-key] and enter a shared key for the VPN connection. The values must match.

    "sharedKey": "[replace-with-shared-key]",
    
  5. Save the file.

  6. Run the following command:

    azbb -s <subscription_id> -g onprem-vnet-rg -l <location> -p hub-spoke.json --deploy
    
  7. Wait for the deployment to finish. This deployment creates four virtual networks, eight VMs, two VPN gateways, the connection between the two VPN gateways, and configures virtual network peering. It can take about 40 minutes to create the VPN gateways.

Test connectivity — Windows

To test connectivity from the simulated on-premises environment to the hub and spokes using Windows, follow these steps:

  1. Use the Azure portal to find the VM named jb-vm1 in the onprem-jb-rg resource group.

  2. Click Connect to open a remote desktop session to the VM. Use the password that you specified in the hub-spoke.json parameter file.

  3. Open a PowerShell console in the VM, and use the Test-NetConnection cmdlet to verify that you can connect to the jumpbox VM in the hub.

    Test-NetConnection 10.0.0.36 -CommonTCPPort RDP
    

    The output should look similar to the following:

    ComputerName     : 10.0.0.36
    RemoteAddress    : 10.0.0.36
    RemotePort       : 3389
    InterfaceAlias   : Ethernet 2
    SourceAddress    : 192.168.1.000
    TcpTestSucceeded : True
    
  4. Use the Test-NetConnection cmdlet to verify that you can connect to the jumpbox VMs in the spokes.

    Test-NetConnection 10.1.0.36 -CommonTCPPort RDP
    Test-NetConnection 10.2.0.36 -CommonTCPPort RDP
    

Note

By default, Windows Server VMs do not allow ICMP responses in Azure. If you want to use ping to test connectivity, enable ICMP traffic in the Windows Advanced Firewall for each VM.

Test connectivity — Linux

To test connectivity from the simulated on-premises environment to the hub and spokes using Linux, follow these steps:

  1. Use the Azure portal to find the VM named jbl-vm1 in the onprem-jb-rg resource group.

  2. Click Connect and copy the ssh command shown in the portal.

  3. Run ssh to connect to the simulated on-premises environment. Use the password that you specified in the hub-spoke.json parameter file.

  4. Use the nc command to test connectivity to the jumpbox VM in the hub:

    nc -vzw 1 10.0.0.37 22
    

    The output should look similar to the following:

    Connection to 10.0.0.37 22 port [tcp/ssh] succeeded!
    
  5. Use the nc command to test connectivity to the jumpbox VMs in each spoke:

    nc -vzw 1 10.1.0.37 22
    nc -vzw 1 10.2.0.37 22
    

Add connectivity between spokes

This step is optional. If you want to allow spokes to connect to each other, use Azure Firewall to force traffic from spokes to the router when trying to connect to another spoke. Perform the following steps to deploy Azure Firewall, firewall rules to allow RDP and SSH, and user-defined routes (UDRs) to allow the two spoke VNets to connect:

  1. Navigate to the hybrid-networking/hub-spoke folder of the reference architectures repository.

  2. Run the following command:

    azbb -s <subscription_id> -g hub-vnet-rg -l <location> -p hub-firewall.json --deploy
    

Note

The private IP address of the Azure Firewall is set to 10.0.0.132. This will be the IP address for this deployment due to the way Azure allocates private IP addresses. Any modifications to this deployment may change this default address. In that situation, edit the hub-firewall.json route tables and replace all instances of nextHop in the routes to point to the correct private IP address of Azure Firewall.
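A stale nextHop silently turns spoke-to-spoke traffic into a black hole, so it is worth checking before and after such an edit. The following added example (not code from this article or from the hub-firewall.json template) validates route tables in the shape of ARM user-defined routes (addressPrefix, nextHopType, nextHopIpAddress): it lists VirtualAppliance routes that do not point at the current firewall IP, rewrites them, refuses a next hop outside the hub address space, and reports spoke prefixes a table does not cover. The firewall IP 10.0.0.132 is from the article; the hub and spoke prefixes and the table contents are constructed assumptions.

```python
import copy
import ipaddress
import json

FIREWALL_IP = "10.0.0.132"      # from the article's note
HUB_PREFIX = "10.0.0.0/16"      # assumption: hub VNet address space

# Constructed sample: spoke2's table still carries an old next hop.
ROUTE_TABLES = json.loads("""
[
  {"name": "spoke1-rt", "routes": [
    {"name": "to-spoke2", "addressPrefix": "10.2.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.132"}]},
  {"name": "spoke2-rt", "routes": [
    {"name": "to-spoke1", "addressPrefix": "10.1.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.0.4"}]}
]
""")


def stale_next_hops(route_tables, firewall_ip):
    """(table, route, current next hop) for every appliance route that no
    longer points at the firewall; an empty list means nothing to fix."""
    return [(rt["name"], r["name"], r["nextHopIpAddress"])
            for rt in route_tables for r in rt["routes"]
            if r["nextHopType"] == "VirtualAppliance"
            and r["nextHopIpAddress"] != firewall_ip]


def rewrite_next_hops(route_tables, firewall_ip, hub_prefix=HUB_PREFIX):
    """Copy of the tables with every VirtualAppliance next hop set to
    firewall_ip. The firewall lives in the hub, so an address outside the
    hub prefix is almost certainly a typo and is rejected."""
    if ipaddress.ip_address(firewall_ip) not in ipaddress.ip_network(hub_prefix):
        raise ValueError(f"{firewall_ip} is not inside hub address space {hub_prefix}")
    fixed = copy.deepcopy(route_tables)
    for rt in fixed:
        for r in rt["routes"]:
            if r["nextHopType"] == "VirtualAppliance":
                r["nextHopIpAddress"] = firewall_ip
    return fixed


def uncovered_prefixes(route_table, required_prefixes):
    """Spoke prefixes that no appliance route in this table covers, i.e.
    destinations that would still use the default (non-transitive) path."""
    covered = [ipaddress.ip_network(r["addressPrefix"])
               for r in route_table["routes"] if r["nextHopType"] == "VirtualAppliance"]
    return [p for p in required_prefixes
            if not any(ipaddress.ip_network(p).subnet_of(c) for c in covered)]


if __name__ == "__main__":
    print("stale:", stale_next_hops(ROUTE_TABLES, FIREWALL_IP))
    print("after fix:", stale_next_hops(rewrite_next_hops(ROUTE_TABLES, FIREWALL_IP), FIREWALL_IP))
```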

Test connectivity between spokes — Windows

If you connected the spokes, perform these steps to verify connectivity using Windows:

  1. Use the Azure portal to find the VM named jb-vm1 in the onprem-jb-rg resource group.

  2. Click Connect to open a remote desktop session to the VM. Use the password that you specified in the hub-spoke.json parameter file.

  3. From inside this remote desktop session, open another remote desktop session to 10.1.0.36. That's the private IP address of the jumpbox in spoke 1.

  4. From the second remote desktop session, open a PowerShell console. Use the Test-NetConnection cmdlet to verify that you can connect to the jumpbox VM in spoke 2.

    Test-NetConnection 10.2.0.36 -CommonTCPPort RDP
    

Test connectivity between spokes — Linux

If you connected the spokes, perform these steps to verify connectivity using Linux:

  1. Use the Azure portal to find the VM named jbl-vm1 in the onprem-jb-rg resource group.

  2. Click Connect and copy the ssh command shown in the portal.

  3. From a Linux prompt, run ssh to connect to the simulated on-premises environment. Use the password that you specified in the hub-spoke.json parameter file.

  4. Use the Azure portal to find the VM named s1jbl-vm1 in the spoke1-vnet-rg resource group.

  5. Click Connect and copy the ssh command shown in the portal.

  6. In the ssh session created in step 3, run ssh to connect to the spoke-1 jumpbox. Use the password that you specified in the hub-spoke.json parameter file.

  7. Use the nc command to test connectivity to the jumpbox VM in spoke 2:

    nc -vzw 1 10.2.0.37 22
    

Next steps

For a version of this architecture that deploys shared identity and security services, see Hub-spoke network topology with shared services in Azure.