
Cloud Adoption Framework enterprise-scale landing zone architecture

Enterprise-scale is an architectural approach and a reference implementation that enables effective construction and operationalization of landing zones on Azure, at scale. This approach aligns with the Azure roadmap and the Cloud Adoption Framework for Azure.

Architecture overview

The Cloud Adoption Framework enterprise-scale landing zone architecture represents the strategic design path and target technical state for an organization's Azure environment. It will continue to evolve alongside the Azure platform and is defined by the various design decisions that your organization must make to map your Azure journey.

Not all enterprises adopt Azure the same way, so the Cloud Adoption Framework enterprise-scale landing zone architecture varies between customers. The technical considerations and design recommendations in this guide might yield different trade-offs based on your organization's scenario. Some variation is expected, but if you follow the core recommendations, the resulting target architecture will set your organization on a path to sustainable scale.

Landing zone in enterprise-scale

Azure landing zones are the output of a multisubscription Azure environment that accounts for scale, security, governance, networking, and identity. Azure landing zones enable application migrations and greenfield development at enterprise scale in Azure. These zones consider all platform resources that are required to support the customer's application portfolio and don't differentiate between infrastructure as a service and platform as a service.

An example is how city utilities such as water, gas, and electricity are accessible before new homes are constructed. In this context, the network, identity and access management, policies, management, and monitoring are shared utility services that must be readily available to help streamline the application migration process before it begins.

Diagram that shows the landing zone design.

Figure 1: Landing zone design.

High-level architecture

An enterprise-scale architecture is defined by a set of design considerations and recommendations across eight critical design areas, with two network topologies recommended: an enterprise-scale architecture based on an Azure Virtual WAN network topology (depicted in figure 2), or one based on a traditional Azure network topology built on the hub and spoke architecture (depicted in figure 3).

Diagram that shows the Cloud Adoption Framework enterprise-scale landing zone architecture based on an Azure Virtual WAN network topology.

Figure 2: Cloud Adoption Framework enterprise-scale landing zone architecture based on an Azure Virtual WAN network topology. Note that the connectivity subscription uses a Virtual WAN hub.

Diagram that shows the Cloud Adoption Framework enterprise-scale landing zone architecture.

Figure 3: Cloud Adoption Framework enterprise-scale landing zone architecture based on a traditional Azure networking topology. Note that the connectivity subscription uses a hub VNet.

Download the PDF or Visio files that contain the enterprise-scale architecture diagrams, based either on the Virtual WAN (PDF) network topology or on a traditional Azure network topology using the hub and spoke (PDF) architecture. A Visio file containing both the Virtual WAN and the hub and spoke architecture diagrams can be downloaded as a Visio diagram (VSDX).

In figures 2 and 3 there are references to the enterprise-scale critical design areas, which are indicated with the letters A to I:

A. Enterprise Agreement (EA) enrollment and Azure Active Directory tenants. An Enterprise Agreement (EA) enrollment represents the commercial relationship between Microsoft and how your organization uses Azure. It provides the basis for billing across all your subscriptions and affects administration of your digital estate. Your EA enrollment is managed via the Azure EA portal. An enrollment often represents an organization's hierarchy, which includes departments, accounts, and subscriptions. An Azure AD tenant provides identity and access management, which is an important part of your security posture. An Azure AD tenant ensures that authenticated and authorized users have access to only the resources for which they have access permissions.

B. Identity and access management. Azure Active Directory design and integration must be built to ensure both server and user authentication. Azure role-based access control (Azure RBAC) must be modeled and deployed to enforce separation of duties and the required entitlements for platform operation and management. Key management must be designed and deployed to ensure secure access to resources and to support operations such as rotation and recovery. Ultimately, access roles are assigned to application owners at the control and data planes so that they can create and manage resources autonomously.

C. Management group and subscription organization. Management group structures within an Azure Active Directory (Azure AD) tenant support organizational mapping and must be considered thoroughly when an organization plans Azure adoption at scale. Subscriptions are a unit of management, billing, and scale within Azure. They play a critical role when you're designing for large-scale Azure adoption. This critical design area helps you capture subscription requirements and design target subscriptions based on critical factors. These factors are environment type, ownership and governance model, organizational structure, and application portfolios.

D. Management and monitoring. Platform-level holistic (horizontal) resource monitoring and alerting must be designed, deployed, and integrated. Operational tasks such as patching and backup must also be defined and streamlined. Security operations, monitoring, and logging must be designed and integrated with both resources on Azure and existing on-premises systems. All subscription activity logs that capture control plane operations across resources should be streamed into Log Analytics to make them available for query and analysis, subject to Azure RBAC permissions.

E. Network topology and connectivity. The end-to-end network topology must be built and deployed across Azure regions and on-premises environments to ensure north-south and east-west connectivity between platform deployments. Required services and resources such as firewalls and network virtual appliances must be identified, deployed, and configured throughout the network security design to ensure that security requirements are fully met.

F, G, H. Business continuity and disaster recovery; Security, governance, and compliance. Holistic and landing-zone-specific policies must be identified, described, built, and deployed onto the target Azure platform to ensure that corporate, regulatory, and line-of-business controls are in place. Ultimately, policies should be used to guarantee the compliance of applications and underlying resources without introducing any abstraction layer over provisioning or administration.

I. Platform automation and DevOps. An end-to-end DevOps experience with robust software development lifecycle practices must be designed, built, and deployed to ensure safe, repeatable, and consistent delivery of infrastructure-as-code artifacts. Such artifacts are to be developed, tested, and deployed by using dedicated integration, release, and deployment pipelines with strong source control and traceability.
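The management group hierarchy from design area C and the activity-log streaming from design area D, as an added illustrative script that is not part of the original page or of the Cloud Adoption Framework reference implementation. It uses the Azure CLI commands `az account management-group create`, `az account management-group subscription add` and `az monitor diagnostic-settings subscription create`; the group names (`es-platform`, `es-connectivity`, ...), the tenant, subscription and workspace ids are constructed placeholders, and the hierarchy shape is an assumption chosen for illustration. By default the script only prints the commands it would run; set `APPLY=1` in an authenticated `az` session to execute them.

```shell
#!/bin/sh
# Added example, not the page's or the framework's own code. Placeholder ids below are
# constructed; replace them with your tenant root management group, connectivity
# subscription and Log Analytics workspace resource id.
TENANT_ROOT_MG="${TENANT_ROOT_MG:-00000000-0000-0000-0000-000000000000}"
CONNECTIVITY_SUB="${CONNECTIVITY_SUB:-11111111-1111-1111-1111-111111111111}"
LAW_ID="${LAW_ID:-/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-mgmt/providers/Microsoft.OperationalInsights/workspaces/law-platform}"

# run: dry-run (print the command) unless APPLY=1, so the plan can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# mg_create <parent> <name> <display-name>: one management group under its parent.
mg_create() {
  run az account management-group create --name "$2" --display-name "$3" --parent "$1"
}

# Assumed hierarchy: a Platform branch holding identity, management and connectivity
# subscriptions, and a Landing Zones branch (corp, online) that application
# subscriptions land in. Policies assigned at a group apply to everything beneath it.
plan_hierarchy() {
  mg_create "$TENANT_ROOT_MG" es-platform     Platform
  mg_create es-platform       es-identity     Identity
  mg_create es-platform       es-management   Management
  mg_create es-platform       es-connectivity Connectivity
  mg_create "$TENANT_ROOT_MG" es-landingzones LandingZones
  mg_create es-landingzones   es-corp         Corp
  mg_create es-landingzones   es-online       Online
  # Move the connectivity subscription under its management group.
  run az account management-group subscription add --name es-connectivity --subscription "$CONNECTIVITY_SUB"
}

# plan_activity_log <subscription-id>: stream every control-plane activity log
# category of the subscription to the platform Log Analytics workspace (design area D).
plan_activity_log() {
  run az monitor diagnostic-settings subscription create --name to-law \
    --subscription "$1" --workspace "$LAW_ID" \
    --logs '[{"category":"Administrative","enabled":true},{"category":"Security","enabled":true},{"category":"ServiceHealth","enabled":true},{"category":"Alert","enabled":true},{"category":"Recommendation","enabled":true},{"category":"Policy","enabled":true},{"category":"Autoscale","enabled":true},{"category":"ResourceHealth","enabled":true}]'
}

plan_hierarchy
plan_activity_log "$CONNECTIVITY_SUB"
```

Query access to the streamed logs is still governed by Azure RBAC on the workspace, so the reader role on `LAW_ID` should be granted per team rather than tenant-wide.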

Next steps

Customize the implementation of this architecture by using the Cloud Adoption Framework enterprise-scale design guidelines.