
Define an Azure network topology

Network topology is a critical element of the enterprise-scale architecture because it defines how applications can communicate with each other. This section explores technologies and topology approaches for Azure deployments. It focuses on two core approaches: topologies based on Azure Virtual WAN, and traditional topologies.

Virtual WAN is used to meet large-scale interconnectivity requirements. Because it is a Microsoft-managed service, it also reduces overall network complexity and helps to modernize your organization's network. A Virtual WAN topology may be most appropriate if any of the following points meet your requirements:

  • Your organization intends to deploy resources across several Azure regions and requires global connectivity between VNets in these Azure regions and multiple on-premises locations.
  • Your organization intends to integrate a large-scale branch network directly into Azure, either via a software-defined WAN (SD-WAN) deployment, or it requires more than 30 branch sites for native IPsec termination.
  • You require transitive routing between VPN and ExpressRoute. For example, remote branches connected via site-to-site VPN, or remote users connected via point-to-site VPN, require connectivity to an ExpressRoute-connected DC via Azure.

A traditional hub-and-spoke network topology helps you build customized secure large-scale networks in Azure with routing and security managed by the customer. A traditional topology may be most appropriate if any of the following points meet your requirements:

  • Your organization intends to deploy resources across one or several Azure regions, and while some traffic across Azure regions is expected (for example, traffic between two virtual networks across two different Azure regions), a full mesh network across all Azure regions is not required.
  • You have a low number of remote or branch locations per region. That is, you need fewer than 30 IPsec site-to-site tunnels.
  • You require full control and granularity for manually configuring your Azure network routing policy.

Virtual WAN network topology (Microsoft-managed)

Diagram that illustrates a Virtual WAN network topology.

Figure 1: Virtual WAN network topology.

Traditional Azure networking topology

Diagram that illustrates a traditional Azure network topology.

Figure 2: A traditional Azure network topology.