
Review your network options

Designing and implementing Azure networking capabilities is a critical part of your cloud adoption efforts. You'll need to make networking design decisions to properly support the workloads and services that will be hosted in the cloud. Azure networking products and services support a wide variety of networking capabilities. How you structure these services and the networking architectures you choose depend on your organization's workload, governance, and connectivity requirements.

Identify workload networking requirements

As part of your landing zone evaluation and preparation, you need to identify the networking capabilities that your landing zone needs to support. This process involves assessing each of the applications and services that make up your workloads to determine their connectivity and network control requirements. After you identify and document the requirements, you can create policies for your landing zone to control the allowed networking resources and configurations based on your workload needs.

For each application or service you'll deploy to your landing zone environment, use the following decision tree as a starting point to help you determine the networking tools or services to use:

Figure 1: The Azure networking service decision tree.

Key questions

Answer the following questions about your workloads to help you make decisions based on the Azure networking services decision tree:

  • Will your workloads require a virtual network? Managed platform as a service (PaaS) resource types use underlying platform network capabilities that don't always require a virtual network. If your workloads don't require advanced networking features and you don't need to deploy infrastructure as a service (IaaS) resources, the default native networking capabilities provided by PaaS resources might meet your workload connectivity and traffic management requirements.
  • Will your workloads require connectivity between virtual networks and your on-premises datacenter? Azure provides two solutions for establishing hybrid networking capabilities: Azure VPN gateway and Azure ExpressRoute. Azure VPN gateway connects your on-premises networks to Azure through Site-to-Site VPNs, similar to how you might set up and connect to a remote branch office. VPN gateway has a maximum bandwidth of 10 Gbps. Azure ExpressRoute offers higher reliability and lower latency by using a private connection between Azure and your on-premises infrastructure. Bandwidth options for ExpressRoute range from 50 Mbps to 100 Gbps.
  • Will you need to inspect and audit outgoing traffic by using on-premises network devices? For cloud-native workloads, you can use Azure Firewall or cloud-hosted, third-party network virtual appliances (NVAs) to inspect and audit traffic moving to or from the public internet. But many enterprise IT security policies require internet-bound outgoing traffic to pass through centrally managed devices in the organization's on-premises environment. Forced tunneling supports these scenarios. Not all managed services support forced tunneling. Services and features like App Service Environment in Azure App Service, Azure API Management, Azure Kubernetes Service (AKS), Azure SQL Managed Instance, Azure Databricks, and Azure HDInsight support this configuration when the service or feature is deployed inside a virtual network.
  • Do you need to connect multiple virtual networks? You can use virtual network peering to connect multiple instances of Azure Virtual Network. Peering can support connections across subscriptions and regions. For scenarios where you provide services that are shared across multiple subscriptions or need to manage a large number of network peerings, consider adopting a hub and spoke networking architecture or using Azure Virtual WAN. Virtual network peering provides connectivity only between two peered networks. By default, it doesn't provide transitive connectivity across multiple peerings.
  • Will your workloads be accessible over the internet? Azure provides services that are designed to help you manage and secure external access to your applications and services:
  • Will you need to support custom DNS management? Azure DNS is a hosting service for DNS domains. Azure DNS provides name resolution by using the Azure infrastructure. If your workloads require name resolution that goes beyond the features provided by Azure DNS, you might need to deploy additional solutions. If your workloads also require Active Directory services, consider using Azure Active Directory Domain Services to augment Azure DNS capabilities. For more capabilities, you can also deploy custom IaaS virtual machines to support your requirements.
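The forced-tunneling and peering questions above can be checked against a documented landing-zone design before anything is deployed. The following is an added example, not code from the article or from Microsoft: it audits a constructed, simplified model of VNets, subnets, route tables, and peerings (a stand-in for what you would export from Azure Resource Manager, not an Azure SDK object) and reports subnets whose default route bypasses a gateway or NVA, and VNet pairs that are only reachable by assuming transitive peering.

```python
from collections import deque

# Constructed sample: one hub and two spokes, each spoke peered only with the hub.
VNETS = {
    "hub":    {"subnets": {"GatewaySubnet": None, "AzureFirewallSubnet": None}},
    "spoke1": {"subnets": {"app": "rt-spoke1"}},
    "spoke2": {"subnets": {"app": None}},   # no route table: default route goes straight to the internet
}
PEERINGS = [("hub", "spoke1"), ("spoke1", "hub"), ("hub", "spoke2"), ("spoke2", "hub")]
ROUTE_TABLES = {
    "rt-spoke1": [{"prefix": "0.0.0.0/0", "next_hop": "VirtualNetworkGateway"}],
}
# Next-hop types that send traffic to an inspecting device (on-premises via gateway, or an NVA).
INSPECTING_HOPS = {"VirtualNetworkGateway", "VirtualAppliance"}
PLATFORM_SUBNETS = ("GatewaySubnet", "AzureFirewallSubnet")  # never carry a forced-tunnel UDR


def forced_tunneling_gaps(vnets, route_tables):
    """Return (vnet, subnet) pairs whose 0.0.0.0/0 route does not point at a gateway or NVA."""
    gaps = []
    for vnet, cfg in vnets.items():
        for subnet, rt_name in cfg["subnets"].items():
            if subnet in PLATFORM_SUBNETS:
                continue
            routes = route_tables.get(rt_name, []) if rt_name else []
            if not any(r["prefix"] == "0.0.0.0/0" and r["next_hop"] in INSPECTING_HOPS for r in routes):
                gaps.append((vnet, subnet))
    return gaps


def directly_peered(src, dst, peerings):
    """Peering only works when both sides are configured; one-way entries give no connectivity."""
    links = set(peerings)
    return (src, dst) in links and (dst, src) in links


def transitive_assumptions(peerings):
    """VNet pairs joined by a multi-hop path but no direct peering: traffic between them will
    NOT flow unless a hub NVA or gateway forwards it, because peering is non-transitive."""
    adj = {}
    for a, b in peerings:
        if directly_peered(a, b, peerings):
            adj.setdefault(a, set()).add(b)
    pairs = set()
    for src in adj:
        seen, queue = {src}, deque([src])
        while queue:                      # breadth-first walk over symmetric peerings
            for nxt in adj.get(queue.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        for dst in seen - {src} - adj[src]:
            pairs.add(tuple(sorted((src, dst))))
    return sorted(pairs)
```

In the sample, `spoke2/app` has no inspected default route and `spoke1`/`spoke2` can only talk to each other if the hub forwards traffic for them.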

Common networking scenarios

Azure networking is composed of multiple products and services that provide different networking capabilities. As part of your networking design process, you can compare your workload requirements to the networking scenarios in the following table to identify the Azure tools or services you can use to provide these networking capabilities:

| Scenario | Networking product or service |
|---|---|
| I need the networking infrastructure to connect everything, from virtual machines to incoming VPN connections. | Azure Virtual Network |
| I need to balance inbound and outbound connections and requests to my applications or services. | Azure Load Balancer |
| I want to optimize delivery from application server farms while increasing application security with a Web Application Firewall. | Azure Application Gateway, Azure Front Door |
| I need to securely use the internet to access Azure Virtual Network through high-performance VPN gateways. | Azure VPN gateway |
| I want to ensure ultra-fast DNS responses and ultra-high availability for all my domain needs. | Azure DNS |
| I need to accelerate the delivery of high-bandwidth content to customers worldwide, from applications and stored content to streaming video. | Azure Content Delivery Network (CDN) |
| I need to protect my Azure applications from DDoS attacks. | Azure DDoS Protection |
| I need to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness. | Azure Traffic Manager, Azure Front Door |
| I need to add private network connectivity to access Microsoft cloud services from my corporate networks, as if they were on-premises and residing in my own datacenter. | Azure ExpressRoute |
| I want to monitor and diagnose conditions at a network-scenario level. | Azure Network Watcher |
| I need native firewall capabilities, with built-in high availability, unrestricted cloud scalability, and zero maintenance. | Azure Firewall |
| I need to connect business offices, retail locations, and sites securely. | Azure Virtual WAN |
| I need a scalable, security-enhanced delivery point for global microservices-based web applications. | Azure Front Door |

Choose a networking architecture

After you identify the Azure networking services that you need to support your workloads, you also need to design the architecture that will combine these services to provide your landing zone's cloud networking infrastructure. The Cloud Adoption Framework Software Defined Networking decision guide provides details about some of the most common networking architecture patterns used on Azure.

The following table summarizes the primary scenarios that these patterns support:

| Scenario | Suggested network architecture |
|---|---|
| All of the Azure-hosted workloads deployed to your landing zone will be entirely PaaS-based, won't require a virtual network, and aren't part of a wider cloud adoption effort that includes IaaS resources. | PaaS-only |
| Your Azure-hosted workloads will deploy IaaS-based resources like virtual machines or otherwise require a virtual network, but don't require connectivity to your on-premises environment. | Cloud-native |
| Your Azure-hosted workloads require limited access to on-premises resources, but you're required to treat cloud connections as untrusted. | Cloud DMZ |
| Your Azure-hosted workloads require limited access to on-premises resources, and you plan to implement mature security policies and secure connectivity between the cloud and your on-premises environment. | Hybrid |
| You need to deploy and manage a large number of VMs and workloads, potentially exceeding Azure subscription limits, you need to share services across subscriptions, or you need a more segmented structure for role, application, or permission segregation. | Hub and spoke |
| You have many branch offices that need to connect to each other and to Azure. | Azure Virtual WAN, Azure Virtual Datacenter |

In addition to using one of these architecture patterns, if your enterprise IT group manages large cloud environments, consider consulting the CAF enterprise-scale landing zone. When you design your Azure-based cloud infrastructure, the CAF enterprise-scale landing zone provides a combined approach to networking, security, management, and infrastructure if you have a mid-term objective (within 24 months) to host more than 1,000 assets (applications, infrastructure, or data assets) in the cloud.

For organizations that meet the following criteria, you may also want to start with the CAF enterprise-scale landing zone:

  • Your enterprise is subject to regulatory compliance requirements that require centralized monitoring and audit capabilities.
  • You need to maintain common policy and governance compliance and centralized IT control over core services.
  • Your industry depends on a complex platform that requires complex controls and deep domain expertise to govern. This is most common in large enterprises within finance, oil and gas, or manufacturing.
  • Your existing IT governance policies require tighter parity with existing features, even during early-stage adoption.

Follow Azure networking best practices

As part of your networking design process, see these articles: