
Deploy a migration infrastructure

This article shows how the fictional company Contoso prepares its on-premises infrastructure for migration, sets up an Azure infrastructure in preparation for migration, and runs the business in a hybrid environment.

When you use this example to help plan your own infrastructure migration efforts, keep in mind that the provided sample architecture is specific to Contoso. Review your organization's business needs, structure, and technical requirements when making important infrastructure decisions about subscription design or network architecture.

Whether you need all the elements described in this article depends on your migration strategy. For example, you might need a less complex network structure if you're building only cloud-native applications in Azure.

Overview

Before Contoso can migrate to Azure, it's critical to prepare an Azure infrastructure. Generally, Contoso needs to think about six areas:

  • Step 1: Azure subscriptions. How will IT purchase Azure and interact with the Azure platform and services?
  • Step 2: Hybrid identity. How will IT manage and control access to on-premises and Azure resources after migration? How does IT extend or move identity management to the cloud?
  • Step 3: Disaster recovery and resilience. How will IT ensure that its applications and infrastructure are resilient if outages and disasters occur?
  • Step 4: Network. How should IT design a network infrastructure and establish connectivity between its on-premises datacenter and Azure?
  • Step 5: Security. How will IT secure the hybrid deployment?
  • Step 6: Governance. How will IT keep the deployment aligned with security and governance requirements?

Before you start

Before we start reviewing the infrastructure, consider reading some background information about relevant Azure capabilities:

On-premises architecture

Here's a diagram that shows the current Contoso on-premises infrastructure.

Diagram of the Contoso architecture. Figure 1: Contoso on-premises architecture.

  • Contoso has one main datacenter located in New York City in the eastern United States.
  • There are three additional local branches across the United States.
  • The main datacenter is connected to the internet with a fiber-optic Metro Ethernet connection (500 Mbps).
  • Each branch is connected locally to the internet through business-class connections, with IPsec VPN tunnels back to the main datacenter. This approach allows the entire network to be permanently connected and optimizes internet connectivity.
  • The main datacenter is fully virtualized with VMware. Contoso has two ESXi 6.5 virtualization hosts managed by vCenter Server 6.5.
  • Contoso uses Active Directory for identity management and Domain Name System (DNS) servers on the internal network.
  • The domain controllers in the datacenter run on VMware virtual machines (VMs). The domain controllers at local branches run on physical servers.

Step 1: Buy and subscribe to Azure

Contoso needs to figure out how to buy Azure, how to manage subscriptions, and how to license services and resources.

Buy Azure

Contoso is enrolling in an Enterprise Agreement (EA). This agreement entails an upfront monetary commitment to Azure, which entitles Contoso to benefits like flexible billing options and optimized pricing.

Here are the details:

  • Contoso estimated what its yearly Azure spend will be. When Contoso signed the agreement, it paid for the first year in full.
  • Contoso needs to use all commitments before the year is over or lose the value for those dollars.
  • If for some reason Contoso exceeds its commitment and spends more, Microsoft will invoice for the difference.
  • Any cost incurred above the commitment will be at the same rates as those in the Contoso contract. There are no penalties for going over.

Manage subscriptions

After paying for Azure, Contoso needs to figure out how to manage Azure subscriptions. Because Contoso has an EA, there's no limit on the number of Azure subscriptions it can create. An Azure Enterprise Agreement enrollment defines how a company shapes and uses Azure services, and defines a core governance structure.

As a first step, Contoso has defined a structure known as an enterprise scaffold for its enrollment. Contoso used the Azure enterprise scaffold guidance to help understand and design a scaffold.

For now, Contoso has decided to use a functional approach to manage subscriptions:

  • Inside the enterprise, it will use a single IT department that controls the Azure budget. This will be the only group with subscriptions.
  • Contoso will extend this model in the future, so that other corporate groups can join as departments in the enrollment hierarchy.
  • Inside the IT department, Contoso has structured two subscriptions, Production and Development.
  • If Contoso needs more subscriptions in the future, it will also need to manage access, policies, and compliance for those subscriptions. Contoso will do that by introducing Azure management groups as an additional layer above subscriptions.

Diagram of the enterprise hierarchy. Figure 2: Enterprise hierarchy.

Examine licensing

With subscriptions configured, Contoso can look at Microsoft licensing. The licensing strategy will depend on the resources that Contoso wants to migrate to Azure and how VMs and services are selected and deployed in Azure.

Azure Hybrid Benefit

For deploying VMs in Azure, standard images include a license that will charge Contoso by the minute for the software being used. However, Contoso has been a long-term Microsoft customer and has maintained EAs and open licenses with Software Assurance.

Azure Hybrid Benefit provides a cost-effective method for migration. It allows Contoso to save on Azure VMs and SQL Server workloads by converting or reusing Windows Server Datacenter and Standard edition licenses covered with Software Assurance. This allows Contoso to pay a lower base compute rate for VMs and SQL Server. For more information, see Azure Hybrid Benefit.

License Mobility

License Mobility through Software Assurance gives Microsoft Volume Licensing customers like Contoso the flexibility to deploy eligible server applications with active Software Assurance on Azure. This eliminates the need to purchase new licenses. With no associated mobility fees, existing licenses can easily be deployed in Azure. For more information, see License Mobility through Software Assurance on Azure.

Reserved instances for predictable workloads

Predictable workloads always need to be available with VMs running, such as line-of-business applications like an SAP ERP system. Unpredictable workloads are variable, like VMs that are on during high demand and off when demand is low.

Diagram of Azure Reserved Virtual Machine Instances. Figure 3: Azure Reserved Virtual Machine Instances.

In exchange for using reserved instances for specific VM instances that must be maintained for long durations, Contoso can get both a discount and prioritized capacity. Using Azure Reserved Virtual Machine Instances together with Azure Hybrid Benefit can save Contoso up to 82 percent off regular pay-as-you-go pricing (as of April 2018).

Step 2: Manage hybrid identity

Giving and controlling user access to Azure resources with identity and access management is an important step in pulling together an Azure infrastructure.

Contoso decides to extend its on-premises Active Directory into the cloud, rather than build a new separate system in Azure. Because Contoso isn't using Microsoft 365 yet, it needs to provision an Azure AD instance. If Contoso were using Microsoft 365, it would already have an existing Azure AD tenant and directory, which it could use as its primary Azure AD instance.

Learn more about Microsoft 365 identity models and Azure Active Directory. You can also learn how to associate or add an Azure subscription to your Azure Active Directory tenant.

Create an Azure AD directory

Contoso is using the Azure AD Free edition that's included with an Azure subscription. Contoso admins create an Azure AD directory:

  1. In the Azure portal, they go to Create a resource > Identity > Azure Active Directory.

  2. In Create directory, they specify a name for the directory, an initial domain name, and the region where the directory should be created.

    Screenshot of the options for creating an Azure AD directory. Figure 4: Create an Azure AD directory.

Note

The directory that's created has an initial domain name in the form domain-name.onmicrosoft.com. The name can't be changed or deleted. Instead, the admins need to add Contoso's registered domain name to Azure AD.

Add the domain name

To use the standard domain name, Contoso admins need to add it as a custom domain name to Azure AD. This option allows them to assign familiar user names. For example, a user can sign in with the email address billg@contoso.com instead of billg@contosomigration.onmicrosoft.com.

To set up a custom domain name, the admins add it to the directory, add a DNS entry, and then verify the name in Azure AD.

  1. In Custom domain names > Add custom domain, they add the domain.

  2. To use a DNS entry in Azure, they need to register it with their domain registrar:

    • In the Custom domain names list, they note the DNS information for the name. It's using an MX record.
    • They need access to the name server. They sign in to the contoso.com domain and create a new MX record for the DNS entry provided by Azure AD, by using the details noted.

  3. After the DNS records propagate, they select Verify to check the custom domain name in the details for the domain.

    Screenshot that shows the Azure Active Directory DNS options. Figure 5: Checking the domain name.

Set up on-premises and Azure groups and users

Now that the Azure AD directory is established, Contoso admins need to add employees to on-premises Active Directory groups that will synchronize to Azure AD. They should use on-premises group names that match the names of resource groups in Azure. This makes it easier to identify matches for synchronization purposes.

Create resource groups in Azure

Azure resource groups gather Azure resources together. Using a resource group ID allows Azure to perform operations on the resources within the group.

An Azure subscription can have multiple resource groups. A resource group exists in a single subscription. In addition, a single resource group can have multiple resources. A resource belongs to a single resource group.

Contoso admins set up Azure resource groups as shown in the following table.

Resource group        Details
ContosoCobRG          This group contains all resources related to continuity of business. It includes vaults that Contoso will use for the Azure Site Recovery service and the Azure Backup service. It also includes resources used for migration, including Azure Migrate and Azure Database Migration Service.
ContosoDevRG          This group contains dev/test resources.
ContosoFailoverRG     This group serves as a landing zone for failed-over resources.
ContosoNetworkingRG   This group contains all network resources.
ContosoRG             This group contains resources related to production applications and databases.

They create resource groups as follows:

  1. In the Azure portal > Resource groups, they add a group.

  2. For each group, they specify a name, the subscription to which the group belongs, and the region.

  3. Resource groups appear in the Resource groups list.

    Screenshot that shows the list of resource groups. Figure 6: Resource groups.

Scale resource groups

In the future, Contoso will add other resource groups based on needs. For example, it might define a resource group for each application or service so that each can be managed and secured independently.

Create matching security groups on-premises

In the on-premises Active Directory instance, Contoso admins set up security groups with names that match the names of the Azure resource groups.

Screenshot that shows on-premises Active Directory security groups. Figure 7: On-premises Active Directory security groups.

For management purposes, they create an additional group that will be added to all of the other groups. This group will have rights to all resource groups in Azure. A limited number of global admins will be added to this group.

Synchronize Active Directory

Contoso wants to provide a common identity for accessing resources on-premises and in the cloud. To do this, it will integrate the on-premises Active Directory instance with Azure AD. With this model, users and organizations can take advantage of a single identity to access on-premises applications and cloud services, such as Microsoft 365, or thousands of other sites on the internet. Admins can use the groups in Active Directory to implement Azure role-based access control (Azure RBAC).

To facilitate integration, Contoso uses the Azure AD Connect tool. When you install and configure the tool on a domain controller, it synchronizes the on-premises Active Directory identities to Azure AD.

Download the tool

  1. In the Azure portal, Contoso admins go to Azure Active Directory > Azure AD Connect and download the latest version of the tool to the server they're using for synchronization.

    Screenshot that shows the link for downloading Azure AD Connect. Figure 8: Downloading Azure AD Connect.

  2. They start the AzureADConnect.msi installation by using Express Settings. This is the most common installation, and it can be used for a single-forest topology with password hash synchronization for authentication.

    Screenshot that shows the Azure AD Connect wizard. Figure 9: Azure AD Connect wizard.

  3. In Connect to Azure AD, they specify the credentials for connecting to Azure AD (in the form admin@contoso.com or admin@contoso.onmicrosoft.com).

    Screenshot that shows the Connect to Azure AD page of the Azure AD Connect wizard. Figure 10: Azure AD Connect wizard: Connect to Azure AD.

  4. In Connect to AD DS, they specify credentials for the on-premises directory (in the form CONTOSO\admin or contoso.com\admin).

    Screenshot that shows the Connect to AD DS page of the Azure AD Connect wizard. Figure 11: Azure AD Connect wizard: Connect to AD DS.

  5. In Ready to configure, they select Start the synchronization process when configuration completes to start the sync immediately. Then they install.

    Note the following:

    • Contoso has a direct connection to Azure. If your on-premises Active Directory instance is behind a proxy, review Troubleshoot Azure AD connectivity.

    • After the first synchronization, on-premises Active Directory objects are visible in the Azure AD directory.

      Screenshot that shows on-premises Active Directory objects visible in Azure Active Directory. Figure 12: On-premises Active Directory objects visible in Azure AD.

    • The Contoso IT team is represented in each group, based on role.

      Screenshot that shows group membership. Figure 13: Group membership.

Set up Azure RBAC

Azure RBAC enables fine-grained access management for Azure. By using Azure RBAC, you can grant only the amount of access that users need to perform tasks. You assign the appropriate Azure role to users, groups, and applications at a scope level. The scope of a role assignment can be a subscription, a resource group, or a single resource.

Contoso admins then assign roles to the Active Directory groups that they synchronized from on-premises.

  1. In the ContosoCobRG resource group, they select Access control (IAM) > Add role assignment.

  2. In Add role assignment > Role > Contributor, they select the ContosoCobRG security group from the list. The group then appears in the Selected members list.

  3. They repeat this with the same permissions for the other resource groups (except for ContosoAzureAdmins) by adding Contributor permissions to the security group that matches the resource group.

  4. For the ContosoAzureAdmins security group, they assign the Owner role.

    Screenshot that shows on-premises Azure Active Directory groups. Figure 14: Assigning roles to security groups.
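The resource-group table and the role assignments above, scripted with the Azure CLI as an added example (not Contoso's or Microsoft's own code). The subscription ID is a placeholder, the scope of the ContosoAzureAdmins Owner assignment (each resource group rather than the subscription) is an assumption, and without CONTOSO_APPLY=1 the script only prints the az commands it would run.

```shell
#!/bin/sh
# Added example: creates the five Contoso resource groups and assigns Azure
# RBAC roles to the synchronized AD security groups of the same name.
# Needs Azure CLI and an authenticated session (az login) when CONTOSO_APPLY=1;
# otherwise it prints the commands instead of running them.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
LOCATION="${LOCATION:-eastus2}"   # Contoso's primary region, East US 2

# Resource groups from the table; a security group of the same name exists
# on-premises and is synchronized to Azure AD by Azure AD Connect.
RESOURCE_GROUPS="ContosoCobRG ContosoDevRG ContosoFailoverRG ContosoNetworkingRG ContosoRG"
ADMIN_GROUP="ContosoAzureAdmins"

# Least privilege: a workload group gets Contributor on its own resource group
# only. Owner (which can change role assignments) is reserved for the small
# admin group. Note the assumption: Owner is granted per resource group here.
role_for_group() {
  case "$1" in
    "$ADMIN_GROUP") echo "Owner" ;;
    *) echo "Contributor" ;;
  esac
}

# Resource-group scope for a role assignment.
rg_scope() {
  echo "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$1"
}

# Runs a command when applying, otherwise prints it.
run() {
  if [ "${CONTOSO_APPLY:-0}" = "1" ]; then "$@"; else echo "+ $*"; fi
}

create_resource_groups() {
  for rg in $RESOURCE_GROUPS; do
    run az group create --name "$rg" --location "$LOCATION" --output none
  done
}

# Resolves an Azure AD group to its object id; a constructed placeholder
# is returned in dry-run mode.
group_object_id() {
  if [ "${CONTOSO_APPLY:-0}" = "1" ]; then
    az ad group show --group "$1" --query id --output tsv
  else
    echo "<object-id-of-$1>"
  fi
}

assign_roles() {
  for rg in $RESOURCE_GROUPS; do
    # Matching security group -> Contributor on its own resource group.
    run az role assignment create \
      --assignee-object-id "$(group_object_id "$rg")" \
      --assignee-principal-type Group \
      --role "$(role_for_group "$rg")" \
      --scope "$(rg_scope "$rg")" --output none
    # Admin group -> Owner on every resource group (assumed scope).
    run az role assignment create \
      --assignee-object-id "$(group_object_id "$ADMIN_GROUP")" \
      --assignee-principal-type Group \
      --role "$(role_for_group "$ADMIN_GROUP")" \
      --scope "$(rg_scope "$rg")" --output none
  done
}

create_resource_groups
assign_roles
```

Run with CONTOSO_APPLY=1 and SUBSCRIPTION_ID set to apply the plan; review the printed commands first, since Owner at every resource group is the highest-privilege assignment in the script.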

Step 3: Design for resiliency

Set up regions

Azure resources are deployed within regions. Regions are organized into geographies. Data residency, sovereignty, compliance, and resiliency requirements are honored within geographical boundaries.

A region consists of a set of datacenters. These datacenters are deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.

Each Azure region is paired with a different region for resiliency. Read about Azure regions, and understand how regions are paired.

Contoso has decided to use East US 2 (located in Virginia) as the primary region and Central US (located in Iowa) as the secondary region, for these reasons:

  • The Contoso datacenter is located in New York, and Contoso considered latency to the closest datacenter.
  • East US 2 has all the services and products that Contoso needs. Not all Azure regions have the same products and services available. For more information, see Azure products by region.
  • Central US is the Azure paired region for East US 2.

As it thinks about the hybrid environment, Contoso needs to consider how to build resilience and a disaster recovery strategy into the region design. The simplest strategy is a single-region deployment, which relies on Azure platform features such as fault domains and regional pairing for resilience. The most complex is a full active-active model, in which cloud services and databases are deployed in, and serve users from, two regions.

Contoso has decided to take a middle road. It will deploy applications and resources in a primary region and keep a full copy of the infrastructure in the secondary region. With that strategy, the copy is ready to act as a full backup if a complete application disaster or regional failure occurs.

Set up availability

Availability sets

Availability sets help protect applications and data from a local hardware and network outage within a datacenter. Availability sets distribute Azure VMs across physical hardware within a datacenter.

Fault domains represent underlying hardware with a common power source and network switch within the datacenter. VMs in an availability set are distributed across fault domains to minimize outages caused by a single hardware or network failure.

Update domains represent underlying hardware that can undergo maintenance or be rebooted at the same time. Availability sets also distribute VMs across multiple update domains to ensure that at least one instance will be running at all times.

Contoso will implement availability sets whenever VM workloads require high availability. For more information, see Manage the availability of Windows VMs in Azure.

Availability Zones

Availability Zones help protect applications and data from failures that affect an entire datacenter within a region.

Each Availability Zone represents a unique physical location within an Azure region. Each zone consists of one or more datacenters equipped with independent power, cooling, and networking.

There's a minimum of three separate zones in all enabled regions. The physical separation of zones within a region protects applications and data from datacenter failures.

Contoso will use Availability Zones whenever applications need greater scalability, availability, and resilience. For more information, see Regions and Availability Zones in Azure.

Configure backup

Azure Backup

You can use Azure Backup to back up and restore Azure VM disks.

Azure Backup allows automated backups of VM disk images stored in Azure Storage. Backups are application consistent to ensure that backed-up data is transactionally consistent and that applications will start post-restore.

Azure Backup supports locally redundant storage (LRS) to replicate multiple copies of backup data within a datacenter if a local hardware failure occurs. If a regional outage occurs, Azure Backup also supports geo-redundant storage (GRS), which replicates backup data to a secondary paired region.

Azure Backup encrypts data in transit by using AES-256. Backed-up data at rest is encrypted through Azure Storage encryption.

Contoso will use Azure Backup with GRS on all production VMs to ensure that workload data is backed up and can be quickly restored if a disruption occurs. For more information, see An overview of Azure VM backup.

Set up disaster recovery

Azure Site Recovery

Azure Site Recovery helps ensure business continuity by keeping business applications and workloads running during regional outages.

Azure Site Recovery continuously replicates Azure VMs from a primary to a secondary region, ensuring functional copies in both locations. In the event of an outage in the primary region, the application or service fails over to using the VM instances replicated in the secondary region. This failover minimizes potential disruption. When operations return to normal, the applications or services can fail back to VMs in the primary region.

Contoso will implement Azure Site Recovery for all production VMs used in mission-critical workloads, ensuring minimal disruption during an outage in the primary region.

Step 4: Design a network infrastructure

With the regional design in place, Contoso is ready to consider a network strategy. It needs to think about how the on-premises datacenter and Azure connect and communicate with each other, and how to design the network infrastructure in Azure. Specifically, Contoso needs to:

  • Plan hybrid network connectivity. Figure out how it's going to connect networks across on-premises and Azure.
  • Design an Azure network infrastructure. Decide how it will deploy networks over regions. How will networks communicate within the same region and across regions?
  • Design and set up Azure networks. Set up Azure networks and subnets, and decide what will reside in them.

Plan hybrid network connectivity

Contoso considered several architectures for hybrid networking between Azure and the on-premises datacenter. For more information, see Choose a solution for connecting an on-premises network to Azure.

As a reminder, the Contoso on-premises network infrastructure currently consists of the datacenter in New York and local branches in the eastern half of the United States. All locations have a business-class connection to the internet. Each of the branches is then connected to the datacenter through an IPsec VPN tunnel over the internet.

Diagram of the Contoso network. Figure 15: The Contoso network.

Here's how Contoso decided to implement hybrid connectivity:

  1. Set up a new Site-to-Site VPN connection between the Contoso datacenter in New York and the two Azure regions, East US 2 and Central US.
  2. Branch office traffic bound for virtual networks in Azure will route through the main Contoso datacenter.
  3. As Contoso scales up its Azure deployment, it will establish an Azure ExpressRoute connection between the datacenter and the Azure regions. When this happens, Contoso will retain the Site-to-Site VPN connection for failover purposes only.

VPN only:

Screenshot that shows the Contoso VPN. Figure 16: The Contoso VPN.

VPN and ExpressRoute:

Screenshot that shows the Contoso VPN and ExpressRoute. Figure 17: Contoso VPN and ExpressRoute.

Design the Azure network infrastructure

Contoso's network configuration must make the hybrid deployment secure and scalable. Contoso is taking a long-term approach to this, designing virtual networks to be resilient and enterprise ready. For more information, see Plan virtual networks.

To connect the two regions, Contoso will implement a hub-to-hub network model. Within each region, Contoso will use a hub-and-spoke model. To connect networks and hubs, Contoso will use Azure network peering.

Network peering

Virtual network peering in Azure connects virtual networks and hubs. Global peering allows connections between virtual networks or hubs in different regions. Local peering connects virtual networks in the same region.

Virtual network peering provides several advantages:

  • Network traffic between peered virtual networks is private.
  • Traffic between the virtual networks is kept on the Microsoft backbone network. No public internet, gateways, or encryption is required for communication between the virtual networks.
  • Peering provides a default, low-latency, high-bandwidth connection between resources in different virtual networks.

Hub-to-hub model across regions

Contoso will deploy a hub in each region. A hub is a virtual network in Azure that acts as a central point of connectivity to your on-premises network. The hub virtual networks will connect to each other via global virtual network peering, which connects virtual networks across Azure regions. The hub in each region is peered to its partner hub in the other region. The hub is also peered to every network in its own region, so it can connect to all network resources there.

Figure 18: Global peering.

Hub-and-spoke model within a region

Within each region, Contoso will deploy virtual networks for different purposes as spoke networks from the region hub. Virtual networks within a region use peering to connect to their hub and to each other.

Design the hub network

Within the hub-and-spoke model, Contoso needed to think about how traffic from the on-premises datacenter and from the internet would be routed. Here's how Contoso decided to handle routing for both the East US 2 and Central US hubs:

  • Contoso is designing a network that allows traffic from the internet and from the corporate network (over the VPN to Azure).
  • The network architecture has two boundaries: an untrusted front-end perimeter zone and a trusted back-end zone.
  • A firewall will have a network adapter in each zone, controlling access to the trusted zone.
  • From the internet:
    • Internet traffic will hit a load-balanced public IP address on the perimeter network.
    • This traffic is routed through the firewall and is subject to firewall rules.
    • After network access controls are applied, traffic is forwarded to the appropriate location in the trusted zone.
    • Outbound traffic from the virtual network is routed to the internet through user-defined routes. The traffic is forced through the firewall and inspected in line with Contoso policies.
  • From the Contoso datacenter:
    • Incoming traffic over the Site-to-Site VPN or ExpressRoute hits the public IP address of the Azure VPN gateway.
    • Traffic is routed through the firewall and is subject to firewall rules.
    • After the firewall rules are applied, traffic is forwarded to an internal load balancer (Standard SKU) on the trusted internal zone subnet.
    • Outbound traffic from the trusted subnet to the on-premises datacenter over the VPN is routed through the firewall. Rules are applied before traffic goes over the Site-to-Site VPN connection.

Design and set up Azure networks

With a network and routing topology in place, Contoso is ready to set up Azure networks and subnets:

  • Contoso will implement a class-A private network in Azure (10.0.0.0/8). This works because on-premises currently uses a class-B private address space (172.160.0.0/16), so Contoso can be sure there won't be any overlap between the address ranges.
  • Contoso will deploy virtual networks in both the primary and secondary regions.
  • Contoso will use a naming convention that includes the prefix VNET and the region abbreviation EUS2 or CUS. Using this standard, the hub networks will be named VNET-HUB-EUS2 in the East US 2 region and VNET-HUB-CUS in the Central US region.

Virtual networks in East US 2

East US 2 is the primary region that Contoso will use to deploy resources and services. Here's how Contoso will design networks in that region:

  • Hub: The hub virtual network in East US 2 is considered Contoso's primary connectivity to the on-premises datacenter.

  • Virtual networks: The spoke virtual networks in East US 2 can be used to isolate workloads if necessary. In addition to the hub virtual network, Contoso will have two spoke virtual networks in East US 2:

    • VNET-DEV-EUS2. This virtual network will provide the dev/test team with a fully functional network for dev projects. It will act as a production pilot area and will rely on the production infrastructure to function.

    • VNET-PROD-EUS2. Azure IaaS production components will be located in this network.

    Each virtual network will have its own unique address space without overlap. Contoso intends to configure routing without requiring network address translation (NAT).

  • Subnets: There will be a subnet in each network for each application tier. Each subnet in the production network will have a matching subnet in the development virtual network. The production network has an additional subnet for domain controllers.

The following table summarizes the virtual networks in East US 2.

| Virtual network | Range | Peer |
| --- | --- | --- |
| VNET-HUB-EUS2 | 10.240.0.0/20 | VNET-HUB-CUS, VNET-DEV-EUS2, VNET-PROD-EUS2 |
| VNET-DEV-EUS2 | 10.245.16.0/20 | VNET-HUB-EUS2 |
| VNET-PROD-EUS2 | 10.245.32.0/20 | VNET-HUB-EUS2, VNET-PROD-CUS |

Figure 19: A hub-and-spoke model in the primary region.

Subnets in the East US 2 hub network (VNET-HUB-EUS2)

| Subnet/zone | CIDR | Usable IP addresses |
| --- | --- | --- |
| IB-UntrustZone | 10.240.0.0/24 | 251 |
| IB-TrustZone | 10.240.1.0/24 | 251 |
| OB-UntrustZone | 10.240.2.0/24 | 251 |
| OB-TrustZone | 10.240.3.0/24 | 251 |
| GatewaySubnet | 10.240.10.0/24 | 251 |

Subnets in the East US 2 development network (VNET-DEV-EUS2)

The development team uses the development virtual network as a production pilot area. It has three subnets.

| Subnet | CIDR | Addresses | In subnet |
| --- | --- | --- | --- |
| DEV-FE-EUS2 | 10.245.16.0/22 | 1019 | Front-end/web-tier VMs |
| DEV-APP-EUS2 | 10.245.20.0/22 | 1019 | Application-tier VMs |
| DEV-DB-EUS2 | 10.245.24.0/23 | 507 | Database VMs |

Subnets in the East US 2 production network (VNET-PROD-EUS2)

Azure IaaS components are located in the production network. Each application tier has its own subnet. The subnets match those in the development network, with the addition of a subnet for domain controllers.

| Subnet | CIDR | Addresses | In subnet |
| --- | --- | --- | --- |
| PROD-FE-EUS2 | 10.245.32.0/22 | 1019 | Front-end/web-tier VMs |
| PROD-APP-EUS2 | 10.245.36.0/22 | 1019 | Application-tier VMs |
| PROD-DB-EUS2 | 10.245.40.0/23 | 507 | Database VMs |
| PROD-DC-EUS2 | 10.245.42.0/24 | 251 | Domain controller VMs |

Figure 20: Hub network architecture.

Virtual networks in Central US (secondary region)

Central US is Contoso's secondary region. Here's how Contoso will architect networks within it:

  • Hub: The hub virtual network in Central US is considered the secondary point of connectivity to the on-premises datacenter. The spoke virtual networks in Central US can be used to isolate workloads if necessary, managed separately from other spokes.

  • Virtual networks: Contoso will have two spoke virtual networks in Central US:

    • VNET-PROD-CUS: This is a production network and can be thought of as a secondary hub.
    • VNET-ASR-CUS: This virtual network will act as the location in which VMs are created after failover from on-premises, or as the location for Azure VMs failed over from the primary to the secondary region. This network is similar to the production networks but without any domain controllers on it.

    Each virtual network in the region will have its own address space without overlap. Contoso will configure routing without NAT.

  • Subnets: The subnets will be designed in a similar way to those in East US 2.

The following table summarizes the virtual networks in Central US.

| Virtual network | Range | Peer |
| --- | --- | --- |
| VNET-HUB-CUS | 10.250.0.0/20 | VNET-HUB-EUS2, VNET-ASR-CUS, VNET-PROD-CUS |
| VNET-ASR-CUS | 10.255.16.0/20 | VNET-HUB-CUS, VNET-PROD-CUS |
| VNET-PROD-CUS | 10.255.32.0/20 | VNET-HUB-CUS, VNET-ASR-CUS, VNET-PROD-EUS2 |

Figure 21: A hub-and-spoke model in the paired region.

Subnets in the Central US hub network (VNET-HUB-CUS)

| Subnet/zone | CIDR | Usable IP addresses |
| --- | --- | --- |
| IB-UntrustZone | 10.250.0.0/24 | 251 |
| IB-TrustZone | 10.250.1.0/24 | 251 |
| OB-UntrustZone | 10.250.2.0/24 | 251 |
| OB-TrustZone | 10.250.3.0/24 | 251 |
| GatewaySubnet | 10.250.10.0/24 | 251 |

Subnets in the Central US production network (VNET-PROD-CUS)

In parallel with the production network in the primary region (East US 2), there's a production network in the secondary region (Central US).

| Subnet | CIDR | Addresses | In subnet |
| --- | --- | --- | --- |
| PROD-FE-CUS | 10.255.32.0/22 | 1019 | Front-end/web-tier VMs |
| PROD-APP-CUS | 10.255.36.0/22 | 1019 | Application-tier VMs |
| PROD-DB-CUS | 10.255.40.0/23 | 507 | Database VMs |
| PROD-DC-CUS | 10.255.42.0/24 | 251 | Domain controller VMs |

Subnets in the Central US failover/recovery network (VNET-ASR-CUS)

The VNET-ASR-CUS network is used for failover between regions. Site Recovery will be used to replicate and fail over Azure VMs between the regions. It also functions as the Azure-side landing network for the Contoso datacenter: protected workloads that remain on-premises fail over to it for disaster recovery.

VNET-ASR-CUS has the same basic subnet layout as the production virtual network in East US 2, but without the need for a domain controller subnet.

| Subnet | CIDR | Addresses | In subnet |
| --- | --- | --- | --- |
| ASR-FE-CUS | 10.255.16.0/22 | 1019 | Front-end/web-tier VMs |
| ASR-APP-CUS | 10.255.20.0/22 | 1019 | Application-tier VMs |
| ASR-DB-CUS | 10.255.24.0/23 | 507 | Database VMs |

Figure 22: Hub network architecture.
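The address plan in the tables above can be checked mechanically before anything is deployed. The script below is an added example, not part of the Contoso article or of any Microsoft tooling: it reproduces the page's VNet and subnet ranges, confirms that no VNet overlaps another VNet or the stated on-premises 172.160.0.0/16 range (the precondition for routing without NAT), confirms every subnet sits inside its VNet, and recomputes the usable-address column from the five addresses Azure reserves in each subnet.

```python
"""Check the Contoso address plan for overlaps and reserved-address arithmetic.

Added example: the VNet and subnet ranges below are copied from the tables on
this page; the checking logic is not part of the article.
"""
import ipaddress
from typing import Dict, List, Tuple

# Azure reserves five addresses per subnet: the network address, the broadcast
# address, the default gateway (.1) and two for Azure DNS (.2 and .3). The
# first usable host is therefore .4, which is where contosodc3 sits.
AZURE_RESERVED_PER_SUBNET = 5

# On-premises address space as stated on the page.
ON_PREM = ipaddress.ip_network("172.160.0.0/16")

# name -> (VNet range, {subnet name: subnet CIDR}), from the page's tables.
VNETS: Dict[str, Tuple[str, Dict[str, str]]] = {
    "VNET-HUB-EUS2": ("10.240.0.0/20", {
        "IB-UntrustZone": "10.240.0.0/24", "IB-TrustZone": "10.240.1.0/24",
        "OB-UntrustZone": "10.240.2.0/24", "OB-TrustZone": "10.240.3.0/24",
        "GatewaySubnet": "10.240.10.0/24"}),
    "VNET-DEV-EUS2": ("10.245.16.0/20", {
        "DEV-FE-EUS2": "10.245.16.0/22", "DEV-APP-EUS2": "10.245.20.0/22",
        "DEV-DB-EUS2": "10.245.24.0/23"}),
    "VNET-PROD-EUS2": ("10.245.32.0/20", {
        "PROD-FE-EUS2": "10.245.32.0/22", "PROD-APP-EUS2": "10.245.36.0/22",
        "PROD-DB-EUS2": "10.245.40.0/23", "PROD-DC-EUS2": "10.245.42.0/24"}),
    "VNET-HUB-CUS": ("10.250.0.0/20", {
        "IB-UntrustZone": "10.250.0.0/24", "IB-TrustZone": "10.250.1.0/24",
        "OB-UntrustZone": "10.250.2.0/24", "OB-TrustZone": "10.250.3.0/24",
        "GatewaySubnet": "10.250.10.0/24"}),
    "VNET-ASR-CUS": ("10.255.16.0/20", {
        "ASR-FE-CUS": "10.255.16.0/22", "ASR-APP-CUS": "10.255.20.0/22",
        "ASR-DB-CUS": "10.255.24.0/23"}),
    "VNET-PROD-CUS": ("10.255.32.0/20", {
        "PROD-FE-CUS": "10.255.32.0/22", "PROD-APP-CUS": "10.255.36.0/22",
        "PROD-DB-CUS": "10.255.40.0/23", "PROD-DC-CUS": "10.255.42.0/24"}),
}


def usable_addresses(cidr: str) -> int:
    """Usable IPs in an Azure subnet: total size minus the five reserved."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def first_usable_host(cidr: str) -> str:
    """First address Azure will hand out in a subnet (network address + 4)."""
    return str(ipaddress.ip_network(cidr).network_address + 4)


def find_problems(vnets: Dict[str, Tuple[str, Dict[str, str]]] = VNETS,
                  on_prem: ipaddress.IPv4Network = ON_PREM) -> List[str]:
    """Return a list of plan violations; an empty list means the plan is clean."""
    problems: List[str] = []
    nets = {name: ipaddress.ip_network(rng) for name, (rng, _) in vnets.items()}
    names = list(nets)
    # 1. No VNet may overlap the on-premises range or any other VNet; both
    #    are required for the NAT-free routing the page describes.
    for i, a in enumerate(names):
        if nets[a].overlaps(on_prem):
            problems.append(f"{a} overlaps on-premises {on_prem}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    # 2. Every subnet must lie inside its VNet, and subnets within one VNet
    #    must not overlap each other.
    for name, (_, subnets) in vnets.items():
        subs = [(s, ipaddress.ip_network(c)) for s, c in subnets.items()]
        for s, n in subs:
            if not n.subnet_of(nets[name]):
                problems.append(f"{s} {n} is outside {name} {nets[name]}")
        for i, (s1, n1) in enumerate(subs):
            for s2, n2 in subs[i + 1:]:
                if n1.overlaps(n2):
                    problems.append(f"{s1} overlaps {s2} in {name}")
    return problems


def address_in_subnet(ip: str, vnet: str, subnet: str,
                      vnets: Dict[str, Tuple[str, Dict[str, str]]] = VNETS) -> bool:
    """True if a static IP (for example a domain controller's) belongs to the
    named subnet; useful for validating the domain controller table later on."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vnets[vnet][1][subnet])


if __name__ == "__main__":
    for vnet, (rng, subnets) in VNETS.items():
        print(f"{vnet} {rng}")
        for s, c in subnets.items():
            print(f"  {s:16} {c:18} usable={usable_addresses(c):5} "
                  f"first={first_usable_host(c)}")
    print("problems:", find_problems() or "none")
```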

Configure peered connections

The hub in each region will be peered to the hub in the other region and to all virtual networks within the hub's region. This configuration allows the hubs to communicate with and see all virtual networks within a region. Note that peering creates a two-sided connection: one side is from the initiating peer on the first virtual network, and the other is on the second virtual network.

In a hybrid deployment, traffic that passes between peers needs to be visible from the VPN connection between the on-premises datacenter and Azure. To enable this, Contoso must use specific settings on the peered connections. For any connection from a spoke virtual network through the hub to the on-premises datacenter, Contoso needs to allow traffic to be forwarded and to cross the VPN gateways.

Domain controller

For the domain controllers in the VNET-PROD-EUS2 network, Contoso wants traffic to flow both between the EUS2 hub and production network and over the VPN connection to on-premises. To do this, Contoso admins must allow the following:

  1. The Allow forwarded traffic and Allow gateway transit settings on the peered connection. In this example, this is the connection from VNET-HUB-EUS2 to VNET-PROD-EUS2.

    Screenshot that shows the Allow forwarded traffic and Allow gateway transit checkboxes selected.

    Figure 23: A peered connection.

  2. Allow forwarded traffic and Use remote gateways on the other side of the peering, on the connection from VNET-PROD-EUS2 to VNET-HUB-EUS2.

    Screenshot that shows the Allow forwarded traffic and Use remote gateways checkboxes selected.

    Figure 24: A peered connection.

  3. On-premises, they set up a static route that directs local traffic for the virtual network across the VPN tunnel. The configuration is completed on the gateway that provides the VPN tunnel from Contoso to Azure. They use Routing and Remote Access Service (RRAS) for the static route.

    Screenshot that shows the static route options.

    Figure 25: A peered connection.

Production networks

A spoke network can't see a spoke network in another region via a hub, because peering is not transitive. For Contoso's production networks in both regions to see each other, Contoso admins need to create a direct peered connection between VNET-PROD-EUS2 and VNET-PROD-CUS.

Figure 26: Creating a direct peered connection.
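The settings in Figures 23 and 24 and the non-transitivity point behind Figure 26 can both be checked from a list of peerings. The following is an added example, not part of the Contoso article: it models each peering as the one-directional resource Azure actually creates, with the real ARM property names (allowForwardedTraffic, allowGatewayTransit, useRemoteGateways), builds the page's topology from its tables, then reports which VNets each VNet can reach, whether a spoke can get to on-premises through the hub's gateway, and whether the flag combinations are ones Azure accepts.

```python
"""Check hub-and-spoke peering settings and what each VNet can reach.

Added example, not part of the Contoso article. Each Azure peering is one
resource per direction carrying the three flags shown in the page's figures;
the property names are the real ARM names. The topology is constructed from
the page's tables and Figures 23, 24 and 26.
"""
from typing import Dict, List, Set

Peering = Dict[str, object]

# Hubs that own a VPN gateway (they have a GatewaySubnet on the page).
HUBS_WITH_GATEWAY: Set[str] = {"VNET-HUB-EUS2", "VNET-HUB-CUS"}


def hub_spoke_pair(hub: str, spoke: str) -> List[Peering]:
    """Both sides of a hub/spoke peering as configured in Figures 23 and 24:
    the hub shares its gateway, the spoke uses it, both forward traffic."""
    return [
        {"from": hub, "to": spoke, "allowForwardedTraffic": True,
         "allowGatewayTransit": True, "useRemoteGateways": False},
        {"from": spoke, "to": hub, "allowForwardedTraffic": True,
         "allowGatewayTransit": False, "useRemoteGateways": True},
    ]


def plain_pair(a: str, b: str) -> List[Peering]:
    """Both sides of a peering with no gateway sharing (hub-to-hub global
    peering, or the direct spoke-to-spoke link of Figure 26)."""
    return [
        {"from": x, "to": y, "allowForwardedTraffic": True,
         "allowGatewayTransit": False, "useRemoteGateways": False}
        for x, y in ((a, b), (b, a))
    ]


PEERINGS: List[Peering] = (
    hub_spoke_pair("VNET-HUB-EUS2", "VNET-DEV-EUS2")
    + hub_spoke_pair("VNET-HUB-EUS2", "VNET-PROD-EUS2")
    + hub_spoke_pair("VNET-HUB-CUS", "VNET-ASR-CUS")
    + hub_spoke_pair("VNET-HUB-CUS", "VNET-PROD-CUS")
    + plain_pair("VNET-HUB-EUS2", "VNET-HUB-CUS")      # global hub-to-hub
    + plain_pair("VNET-PROD-CUS", "VNET-ASR-CUS")
    + plain_pair("VNET-PROD-EUS2", "VNET-PROD-CUS")    # Figure 26
)


def reachable_vnets(vnet: str, peerings: List[Peering] = PEERINGS) -> Set[str]:
    """Peering is not transitive: a VNet reaches only its direct peers, never
    a peer of a peer, even through a hub."""
    return {p["to"] for p in peerings if p["from"] == vnet}


def reaches_on_prem(vnet: str, peerings: List[Peering] = PEERINGS,
                    hubs: Set[str] = HUBS_WITH_GATEWAY) -> bool:
    """A hub reaches on-premises over its own gateway. A spoke does so only if
    its side sets useRemoteGateways and the hub side sets allowGatewayTransit,
    with forwarded traffic allowed in both directions."""
    if vnet in hubs:
        return True
    index = {(p["from"], p["to"]): p for p in peerings}
    for (src, dst), p in index.items():
        if src != vnet or dst not in hubs or not p["useRemoteGateways"]:
            continue
        back = index.get((dst, src))
        if back and back["allowGatewayTransit"] \
                and back["allowForwardedTraffic"] and p["allowForwardedTraffic"]:
            return True
    return False


def check_peerings(peerings: List[Peering] = PEERINGS,
                   hubs: Set[str] = HUBS_WITH_GATEWAY) -> List[str]:
    """Consistency rules Azure enforces or that the design relies on."""
    problems: List[str] = []
    index = {(p["from"], p["to"]): p for p in peerings}
    remote_gw_users: Dict[str, int] = {}
    for (src, dst), p in index.items():
        if (dst, src) not in index:
            problems.append(f"{src}->{dst} has no reverse peering")
        if p["allowGatewayTransit"] and p["useRemoteGateways"]:
            problems.append(f"{src}->{dst} both shares and uses a gateway")
        if p["useRemoteGateways"]:
            if dst not in hubs:
                problems.append(f"{src}->{dst} uses a gateway {dst} does not have")
            if src in hubs:
                problems.append(f"{src} has its own gateway; cannot use {dst}'s")
            remote_gw_users[src] = remote_gw_users.get(src, 0) + 1
        if p["allowGatewayTransit"] and src not in hubs:
            problems.append(f"{src}->{dst} offers gateway transit without a gateway")
    for vnet, n in remote_gw_users.items():
        if n > 1:
            problems.append(f"{vnet} uses {n} remote gateways; only one is allowed")
    return problems


if __name__ == "__main__":
    print("problems:", check_peerings() or "none")
    for v in ("VNET-DEV-EUS2", "VNET-PROD-EUS2"):
        print(v, "reaches", sorted(reachable_vnets(v)), "on-prem:", reaches_on_prem(v))
```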

Set up DNS

When you deploy resources in virtual networks, you have a couple of choices for domain name resolution. You can use the name resolution provided by Azure, or provide your own DNS servers for resolution. The type of name resolution that you use depends on how your resources need to communicate with each other. Get more information about the Azure DNS service.

Contoso admins have decided that the Azure DNS service isn't a good choice in the hybrid environment. Instead, they'll use the on-premises DNS servers. Here are the details:

  • Because this is a hybrid network, all VMs on-premises and in Azure need to be able to resolve names to function properly. This means that custom DNS settings must be applied to all the virtual networks.

  • Contoso currently has domain controllers (DCs) deployed in the Contoso datacenter and at the branch offices. The primary DNS servers are contosodc1 (172.16.0.10) and contosodc2 (172.16.0.1).

  • After the virtual networks are deployed, the on-premises domain controllers are configured as DNS servers in the networks.

  • If an optional custom DNS is specified for the virtual network, the virtual IP address 168.63.129.16 for the recursive resolvers in Azure must be added to the list. To do this, Contoso configures the DNS server settings on each virtual network. For example, the custom DNS settings for the VNET-HUB-EUS2 network would be as follows:

    Screenshot that shows the custom DNS configuration.

    Figure 27: A custom DNS.

In addition to the on-premises domain controllers, Contoso will implement four domain controllers to support the Azure networks (two for each region):

| Region | DC | Virtual network | Subnet | IP address |
| --- | --- | --- | --- | --- |
| East US 2 | contosodc3 | VNET-PROD-EUS2 | PROD-DC-EUS2 | 10.245.42.4 |
| East US 2 | contosodc4 | VNET-PROD-EUS2 | PROD-DC-EUS2 | 10.245.42.5 |
| Central US | contosodc5 | VNET-PROD-CUS | PROD-DC-CUS | 10.255.42.4 |
| Central US | contosodc6 | VNET-PROD-CUS | PROD-DC-CUS | 10.255.42.4 |

After deploying these domain controllers, Contoso needs to update the DNS settings on the networks in both regions to include the new domain controllers in the DNS server list.

Set up domain controllers in Azure

After updating the network settings, Contoso admins are ready to build out the domain controllers in Azure.

  1. In the Azure portal, they deploy a new Windows Server VM to the appropriate virtual network.

  2. They create availability sets in each location for the VMs. Availability sets ensure that the Azure fabric places the VMs on separate infrastructure within the Azure region. Availability sets also make Contoso eligible for the 99.95 percent service-level agreement (SLA) for VMs in Azure.

    Screenshot that shows creation of an availability set.

    Figure 28: An availability set.

  3. After the VM is deployed, they open the network interface for the VM. They set the private IP address to static and specify a valid address.

    Screenshot that shows the VM network interface.

    Figure 29: A VM NIC.

  4. They attach a new data disk to the VM. This disk will contain the Active Directory database and the sysvol share.

    The size of the disk determines the number of IOPS that it supports. Over time, the disk size might need to increase as the environment grows.

    Note

    The disk shouldn't be set to read/write for host caching. Active Directory databases don't support this.

    Screenshot that shows the Active Directory disk.

    Figure 30: An Active Directory disk.

  5. After the disk is added, they connect to the VM over Remote Desktop Services and open Server Manager.

  6. In File and Storage Services, they run the New Volume Wizard. They ensure that the drive is assigned the letter F or later on the local VM.

    Screenshot that shows the New Volume Wizard.

    Figure 31: New Volume Wizard.

  7. In Server Manager, they add the Active Directory Domain Services role. Then they configure the VM as a domain controller.

    Screenshot that shows selecting the server role.

    Figure 32: Adding the server role.

  8. After the VM is configured as a DC and restarted, they open DNS Manager and configure the Azure DNS resolver as a forwarder. This allows the DC to forward the DNS queries it can't resolve itself to Azure DNS.

    Screenshot that shows configuring the DNS resolver as a forwarder.

    Figure 33: Configuring the Azure DNS resolver.

  9. They update the custom DNS settings for each virtual network with the appropriate domain controller for the virtual network's region. They include the on-premises DCs in the list.

Set up Active Directory

Active Directory is a critical service for a network and must be configured correctly. Contoso admins will build Active Directory sites for the Contoso datacenter and for the East US 2 and Central US regions.

  1. They create two new sites (AZURE-EUS2 and AZURE-CUS) alongside the datacenter site (contoso-datacenter).

  2. After creating the sites, they create subnets in the sites to match the virtual networks and the datacenter.

    Screenshot that shows creation of the datacenter subnets.

    Figure 34: Datacenter subnets.

  3. They create two site links to connect everything. The domain controllers should then be moved to their respective sites.

    Screenshot that shows creation of the datacenter links.

    Figure 35: Datacenter links.

  4. They confirm that the Active Directory replication topology is in place.

    Screenshot that shows the datacenter replication topology.

    Figure 36: Datacenter replication.

With everything complete, the list of domain controllers and sites is shown in the on-premises Active Directory Administrative Center.

Figure 37: The Active Directory Administrative Center.

Step 5: Plan for governance

Azure provides a range of governance controls across services and the Azure platform. For more information, see the Azure governance options.

As it configures identity and access control, Contoso has already begun to put some aspects of governance and security in place. Broadly, it needs to consider three areas:

  • Policy: Azure Policy applies and enforces rules and effects over your resources, so that the resources comply with corporate requirements and SLAs.
  • Locks: Azure allows you to lock subscriptions, resource groups, and other resources so that they can be modified only by those with permissions.
  • Tags: Resources can be controlled, audited, and managed with tags. Tags attach metadata to resources, providing information about the resources or their owners.

Set up policies

The Azure Policy service evaluates your resources by scanning for those not compliant with policy definitions. For example, you might have a policy that only allows certain types of VMs or requires resources to have a specific tag.

Policies specify a policy definition, and a policy assignment specifies the scope in which a policy should be applied. The scope can range from a management group to a resource group. Learn how to create and manage policies.

Contoso wants to begin with two policies. It wants a policy to ensure that resources can be deployed in the East US 2 and Central US regions only. It also wants a policy to limit VM SKUs to approved SKUs only. The intention is to ensure that expensive VM SKUs aren't used.

Limit resources to regions

Contoso uses the built-in policy definition Allowed locations to limit resource regions.

  1. In the Azure portal, select All services, and search for Policy.

  2. Select Assignments > Assign policy.

  3. In the policy list, select Allowed locations.

  4. Set Scope to the name of the Azure subscription, and select the two regions in the allowlist.

    Screenshot that shows allowed locations defined via policy.

    Figure 38: Allowed locations defined via policy.

  5. By default, the policy is set with the Deny effect. This setting means that if someone starts a deployment in the subscription that isn't in either the East US 2 or Central US region, the deployment will fail. Here's what happens if someone in the Contoso subscription tries to set up a deployment in West US.

    Screenshot that shows the error from the failed policy.

    Figure 39: A failed policy.

Allow specific VM SKUs

Contoso will use the built-in policy definition Allowed virtual machine SKUs to limit the types of VMs that can be created in the subscription.

Figure 40: A policy SKU.

Check policy compliance

Policies go into effect immediately, and Contoso can check resources for compliance. In the Azure portal, select the Compliance link. The compliance dashboard appears, and you can drill down for more details.

Figure 41: Policy compliance.

Set up locks

Contoso has long used the ITIL framework for the management of its systems. One of the most important aspects of the framework is change control, and Contoso wants to make sure that change control is implemented in the Azure deployment.

Contoso will lock resources. Any production or failover component must be in a resource group that has a read-only lock. This means that to modify or delete production items, authorized users must first remove the lock. Nonproduction resource groups will have CanNotDelete locks. This means that authorized users can read or modify a resource but can't delete it.

Set up tagging

To track resources as they're added, it will be increasingly important for Contoso to associate resources with an appropriate department, customer, and environment. In addition to providing information about resources and owners, tags will enable Contoso to aggregate and group resources and to use that data for chargeback purposes.

Contoso needs to visualize its Azure assets in a way that makes sense for the business, such as by role or department. Note that resources don't need to reside in the same resource group to share a tag. Contoso will create a tag taxonomy so that everyone uses the same tags.

| Tag name | Value |
| --- | --- |
| CostCenter | 12345: It must be a valid cost center from SAP. |
| BusinessUnit | Name of the business unit (from SAP). Matches CostCenter. |
| ApplicationTeam | Email alias of the team that owns support for the application. |
| CatalogName | Name of the application, or SharedServices, according to the service catalog that the resource supports. |
| ServiceManager | Email alias of the ITIL Service Manager for the resource. |
| COBPriority | Priority set by the business for BCDR. Values of 1-5. |
| ENV | DEV, STG, and PROD are the allowed values, representing development, staging, and production. |

For example:

Figure 42: Azure tags.

After creating the tags, Contoso will go back and create new policy definitions and assignments to enforce the use of the required tags across the organization.
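The three governance controls in Step 5 (the two policies, the lock scheme and the tag taxonomy) can be applied to a resource inventory offline, so that violations are found before Azure Policy denies a deployment. The script below is an added example, not part of the Contoso article and not Azure Policy itself; the approved SKU list is an assumption, since the page does not name Contoso's SKUs, and the two sample resource records are constructed.

```python
"""Offline pre-check of Contoso's governance rules against resource records.

Added example, not part of the Contoso article and not Azure Policy itself:
it applies the page's rules (allowed regions, approved VM SKUs, the lock
scheme and the tag taxonomy) to resource records. The approved SKU list is an
assumption; the page does not name Contoso's SKUs.
"""
from typing import Dict, List

ALLOWED_LOCATIONS = {"eastus2", "centralus"}              # page: East US 2, Central US only
APPROVED_VM_SKUS = {"Standard_D2s_v3", "Standard_D4s_v3"}  # assumed, not from the page
REQUIRED_TAGS = ("CostCenter", "BusinessUnit", "ApplicationTeam", "CatalogName",
                 "ServiceManager", "COBPriority", "ENV")
ALLOWED_ENV = {"DEV", "STG", "PROD"}
VM_TYPE = "Microsoft.Compute/virtualMachines"


def normalize_location(location: str) -> str:
    """'East US 2' and 'eastus2' name the same region."""
    return location.replace(" ", "").lower()


def check_tags(tags: Dict[str, str]) -> List[str]:
    """Apply the tag taxonomy: presence plus the value rules the table states."""
    problems = [f"missing tag {t}" for t in REQUIRED_TAGS if t not in tags]
    if "ENV" in tags and tags["ENV"] not in ALLOWED_ENV:
        problems.append(f"ENV must be one of {sorted(ALLOWED_ENV)}, got {tags['ENV']!r}")
    if "CostCenter" in tags and not tags["CostCenter"].isdigit():
        problems.append("CostCenter must be a numeric SAP cost center")
    if "COBPriority" in tags and tags["COBPriority"] not in {"1", "2", "3", "4", "5"}:
        problems.append("COBPriority must be 1-5")
    for t in ("ApplicationTeam", "ServiceManager"):
        if t in tags and "@" not in tags[t]:
            problems.append(f"{t} must be an email alias")
    return problems


def evaluate(resource: Dict[str, object]) -> List[str]:
    """Return every rule the resource breaks (an empty list means compliant)."""
    problems: List[str] = []
    location = str(resource.get("location", ""))
    if normalize_location(location) not in ALLOWED_LOCATIONS:
        problems.append(f"location {location!r} is not allowed")   # Allowed locations
    if resource.get("type") == VM_TYPE:
        sku = resource.get("vmSize")
        if sku not in APPROVED_VM_SKUS:
            problems.append(f"VM SKU {sku!r} is not approved")        # Allowed VM SKUs
    problems.extend(check_tags(dict(resource.get("tags") or {})))
    return problems


def required_lock(env: str, failover: bool = False) -> str:
    """Lock level the page prescribes for the resource group: ReadOnly for
    production or failover components, CanNotDelete for everything else."""
    return "ReadOnly" if env == "PROD" or failover else "CanNotDelete"


# Constructed sample records in the shape of an ARM resource export.
GOOD_VM = {
    "name": "contosodc3", "type": VM_TYPE, "location": "East US 2",
    "vmSize": "Standard_D2s_v3",
    "tags": {"CostCenter": "12345", "BusinessUnit": "IT",
             "ApplicationTeam": "ad-team@contoso.com", "CatalogName": "SharedServices",
             "ServiceManager": "sm@contoso.com", "COBPriority": "1", "ENV": "PROD"},
}
# The West US deployment the page shows being denied, plus other mistakes.
BAD_VM = {
    "name": "test-vm", "type": VM_TYPE, "location": "West US",
    "vmSize": "Standard_M128s",
    "tags": {"CostCenter": "ops", "ENV": "QA"},
}

if __name__ == "__main__":
    for r in (GOOD_VM, BAD_VM):
        print(r["name"], evaluate(r) or "compliant")
```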

步骤 6:考虑安全性Step 6: Consider security

在云中,安全性非常重要,Azure 提供了多种不同的安全工具和功能。Security is crucial in the cloud, and Azure provides a wide array of security tools and capabilities. 它们可帮助你在安全的 Azure 平台上创建安全的解决方案。These help you to create secure solutions on the secure Azure platform. 若要了解有关 Azure 安全性的详细信息,请参阅 信任你的云See Trust your cloud to learn more about Azure security.

Contoso 需要考虑以下几个方面:There are a few aspects for Contoso to consider:

  • Azure 安全中心 为混合云工作负荷中的标识提供统一的安全管理和 Microsoft Defender。Azure Security Center provides unified security management and Microsoft Defender for Identity across hybrid cloud workloads. 使用它可在工作负荷中应用安全策略,限制威胁的暴露程度,并检测和响应攻击。Use it to apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.
  • (NSG 的网络安全组) 根据允许或拒绝连接到 Azure 中的虚拟网络的资源的网络流量的安全规则列表来筛选网络流量。A network security group (NSG) filters network traffic based on a list of security rules that allow or deny network traffic to resources connected to virtual networks in Azure.
  • Azure 磁盘加密 是一种有助于加密 Windows 和 LINUX IaaS VM 磁盘的功能。Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS VM disks.

使用 Azure 安全中心Work with the Azure Security Center

Contoso 正在寻找快速查看其新的混合云的安全状况,并特别是其 Azure 工作负荷。Contoso is looking for a quick view into the security posture of its new hybrid cloud, and specifically, its Azure workloads. 因此,Contoso 决定实现 Azure 安全中心,并开始使用以下功能:As a result, Contoso has decided to implement Azure Security Center starting with the following features:

  • 集中式策略管理Centralized policy management
  • 持续评估Continuous assessment
  • 可行的建议Actionable recommendations

Centralize policy management

With centralized policy management, Contoso will ensure compliance with security requirements by centrally managing security policies across the entire environment. It can simply and quickly implement a policy that applies to all of its Azure resources.

Screenshot that shows selections for a security policy. Figure 43: A security policy.

Assess security

Contoso will take advantage of the continuous security assessment that monitors the security of machines, networks, storage, data, and applications to discover potential security issues.

Security Center analyzes the security state of the Contoso compute, infrastructure, and data resources. It also analyzes the security state of Azure apps and services. Continuous assessment helps the Contoso operations team discover potential security issues, such as systems with missing security updates or exposed network ports.

Contoso wants to make sure all of the VMs are protected. Security Center helps with this. It verifies VM health, and it makes prioritized and actionable recommendations to remediate security vulnerabilities before they're exploited.

Screenshot that shows monitoring of virtual machines. Figure 44: Monitoring.

Work with NSGs

Contoso can limit network traffic to resources in a virtual network by using network security groups.

A network security group contains a list of security rules that allow or deny inbound or outbound network traffic based on source or destination IP address, port, and protocol. When applied to a subnet, rules are applied to all resources in the subnet. In addition to network interfaces, this includes instances of Azure services deployed in the subnet.

Application security groups (ASGs) enable you to configure network security as a natural extension of an application structure. You can then group VMs and define network security policies based on those groups.

Contoso can use ASGs to reuse the security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, so the organization can focus on business logic. Contoso can specify an ASG as the source and destination in a security rule. After a security policy is defined, Contoso can create VMs and assign the VM NICs to a group.

Contoso will implement a mix of NSGs and ASGs. Contoso is concerned about NSG management. It's also worried about the overuse of NSGs and the added complexity for operations staff. Here's what Contoso will do:

  • All traffic into and out of all subnets (north/south) will be subject to an NSG rule, except for the gateway subnets in the hub networks.
  • Any firewalls or domain controllers will be protected by both subnet NSGs and NIC NSGs.
  • All production applications will have ASGs applied.

Contoso has built a model of how this security configuration will look for its applications.

Diagram of the Contoso security model. Figure 45: Security model.

The NSGs associated with the ASGs will be configured with least privilege to ensure that only allowed packets can flow from one part of the network to its destination.

Action | Name              | Source                     | Target   | Port
Allow  | AllowInternetToFE | VNET-HUB-EUS1/IB-TrustZone | APP1-FE  | 80, 443
Allow  | AllowWebToApp     | APP1-FE                    | APP1-APP | 80, 443
Allow  | AllowAppToDB      | APP1-APP                   | APP1-DB  | 1433
Deny   | DenyAllInbound    | Any                        | Any      | Any
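The rule table above expressed as a Bicep template, added here as an example and not code from the Contoso article or any Microsoft sample: each application tier is modelled as an ASG, so the rules reference groups rather than VM IP addresses, and the explicit deny sits below the allows. The NSG name, API version, rule priorities and the IB-TrustZone subnet prefix (trustZonePrefix) are placeholders assumed for the example.

```bicep
// Added example, not from the Contoso article: the least-privilege rule table
// above as Bicep, with each tier an ASG so rules never name VM IP addresses.
// Assumed (placeholders): the NSG name, API version, rule priorities and the
// IB-TrustZone subnet prefix passed in trustZonePrefix.
param location string = resourceGroup().location
param trustZonePrefix string = '10.1.0.0/24' // stand-in for VNET-HUB-EUS1/IB-TrustZone

// One ASG per tier; VM NICs join a group after deployment, so adding a VM
// never requires editing a rule.
var tiers = ['APP1-FE', 'APP1-APP', 'APP1-DB']
resource asgs 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = [for t in tiers: {
  name: t
  location: location
}]

// Per-rule fields from the table; shared inbound/TCP fields are merged in below.
var ruleTable = [
  {
    name: 'AllowInternetToFE' // trust-zone subnet -> front end, HTTP/HTTPS only
    props: { priority: 100, access: 'Allow', sourceAddressPrefix: trustZonePrefix, destinationApplicationSecurityGroups: [{ id: asgs[0].id }], destinationPortRanges: ['80', '443'] }
  }
  {
    name: 'AllowWebToApp' // front end -> app tier, HTTP/HTTPS only
    props: { priority: 110, access: 'Allow', sourceApplicationSecurityGroups: [{ id: asgs[0].id }], destinationApplicationSecurityGroups: [{ id: asgs[1].id }], destinationPortRanges: ['80', '443'] }
  }
  {
    name: 'AllowAppToDB' // app tier -> database, SQL only; the front end gets no path to the DB
    props: { priority: 120, access: 'Allow', sourceApplicationSecurityGroups: [{ id: asgs[1].id }], destinationApplicationSecurityGroups: [{ id: asgs[2].id }], destinationPortRange: '1433' }
  }
  {
    name: 'DenyAllInbound' // explicit catch-all after the allows, any protocol
    props: { priority: 4000, access: 'Deny', protocol: '*', sourceAddressPrefix: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
  }
]

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'NSG-APP1'
  location: location
  properties: {
    securityRules: [for r in ruleTable: {
      name: r.name
      // Later keys win in union(), so the deny rule's protocol '*' replaces 'Tcp'.
      properties: union({ direction: 'Inbound', protocol: 'Tcp', sourcePortRange: '*' }, r.props)
    }]
  }
}
```

Deploy it to the application's resource group, then associate the NSG with the application subnet and attach each VM NIC to its tier's ASG; a VM left out of every ASG matches only the deny rule.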

Encrypt data

Azure Disk Encryption integrates with Azure Key Vault to help control and manage the disk-encryption keys and secrets for a subscription. It ensures that all data on VM disks is encrypted at rest in Azure Storage.

Contoso has determined that specific VMs require encryption. Contoso will apply encryption to VMs with customer, confidential, or personal data.

Conclusion

In this article, Contoso set up an Azure infrastructure and policy for Azure subscriptions, hybrid identity, disaster recovery, network, governance, and security.

Not every step taken here is required for a cloud migration. In this case, Contoso planned a network infrastructure that can handle all types of migrations while being secure, resilient, and scalable.

Next steps

After setting up its Azure infrastructure, Contoso is ready to begin migrating workloads to the cloud. See the migration patterns and examples overview for a selection of scenarios that use this sample infrastructure as a migration target.