
Migrate to Azure Virtual WAN

Azure Virtual WAN lets companies simplify their global connectivity in order to benefit from the scale of the Microsoft global network. This article provides technical details for companies that want to migrate from an existing customer-managed hub-and-spoke topology to a design that leverages Microsoft-managed Virtual WAN hubs.

For information about the benefits that Azure Virtual WAN enables for enterprises adopting a cloud-centric modern enterprise global network, see Global transit network architecture and Virtual WAN.

Figure: Azure Virtual WAN

The Azure Virtual Datacenter (VDC) hub-and-spoke connectivity model has been adopted by thousands of our customers to leverage the default transitive routing behavior of Azure Networking in order to build simple and scalable cloud networks. Azure Virtual WAN builds on these concepts and introduces new capabilities that allow global connectivity topologies, not only between on-premises locations and Azure, but also allowing customers to leverage the scale of the Microsoft network to augment their existing global networks.

This article shows how to migrate an existing hybrid environment to Virtual WAN.

Scenario

Contoso is a global financial organization with offices in both Europe and Asia. They are planning to move their existing applications from an on-premises data center into Azure and have built out a foundation design based on the VDC architecture, including regional customer-managed hub virtual networks for hybrid connectivity. As part of the move to cloud-based technologies, the network team has been tasked with ensuring that their connectivity is optimized for the business moving forward.

The following figure shows a high-level view of the existing global network, including connectivity to multiple Azure regions.

Figure: Contoso existing network topology

The following points can be understood from the existing network topology:

  • A hub-and-spoke topology is used in multiple regions, including ExpressRoute Premium circuits for connectivity back to a common private WAN.

  • Some of these sites also have VPN tunnels directly into Azure to reach applications hosted within the Microsoft cloud.

Requirements

The networking team has been tasked with delivering a global network model that can support the Contoso migration to the cloud and must optimize in the areas of cost, scale, and performance. In summary, the following requirements are to be met:

  • Provide both headquarters (HQ) and branch offices with an optimized path to cloud-hosted applications.
  • Remove the reliance on existing on-premises data centers (DC) for VPN termination while retaining the following connectivity paths:
    • Branch -to- VNet: VPN connected offices must be able to access applications migrated to the cloud in the local Azure region.
    • Branch -to- Hub -to- Hub -to- VNet: VPN connected offices must be able to access applications migrated to the cloud in the remote Azure region.
    • Branch -to- branch: Regional VPN connected offices must be able to communicate with each other and with ExpressRoute connected HQ/DC sites.
    • Branch -to- Hub -to- Hub -to- branch: Globally separated VPN connected offices must be able to communicate with each other and with any ExpressRoute connected HQ/DC sites.
    • Branch -to- Internet: Connected sites must be able to communicate with the Internet. This traffic must be filtered and logged.
    • VNet -to- VNet: Spoke virtual networks in the same region must be able to communicate with each other.
    • VNet -to- Hub -to- Hub -to- VNet: Spoke virtual networks in different regions must be able to communicate with each other.
  • Provide the ability for Contoso roaming users (laptop and phone) to access company resources while not on the corporate network.

Azure Virtual WAN architecture

The following figure shows a high-level view of the updated target topology using Azure Virtual WAN to meet the requirements detailed in the previous section.

Figure: Azure Virtual WAN architecture

Summary:

  • HQ in Europe remains ExpressRoute connected; the Europe on-premises DC is fully migrated to Azure and now decommissioned.
  • Asia DC and HQ remain connected to the private WAN. Azure Virtual WAN is now used to augment the local carrier network and provide global connectivity.
  • Azure Virtual WAN hubs are deployed in both the West Europe and South East Asia Azure regions to provide a connectivity hub for ExpressRoute and VPN connected devices.
  • Hubs also provide VPN termination for roaming users across multiple client types using OpenVPN connectivity to the global mesh network, allowing access not only to applications migrated to Azure, but also to any resources remaining on-premises.
  • Internet connectivity for resources within a virtual network is provided by Azure Virtual WAN.

Internet connectivity for remote sites is also provided by Azure Virtual WAN. Local internet breakout is supported via partner integration for optimized access to SaaS services such as Office 365.

Migrate to Virtual WAN

This section shows the various steps for migrating to Azure Virtual WAN.

Step 1: VDC hub-and-spoke single region

Review the architecture. The following figure shows a single region topology for Contoso prior to the rollout of Azure Virtual WAN:

Figure 1: VDC hub-and-spoke single region

In keeping with the Virtual Data Center (VDC) approach, the customer-managed hub virtual network contains several function blocks:

  • Shared services (any common function required by multiple spokes). Example: Contoso uses Windows Server domain controllers on Infrastructure-as-a-Service (IaaS) virtual machines.
  • IP/Routing firewall services are provided by a third-party network virtual appliance, enabling spoke-to-spoke layer-3 IP routing.
  • Internet ingress/egress services, including Azure Application Gateway for inbound HTTPS requests and third-party proxy services running on virtual machines for filtered outbound access to internet resources.
  • ExpressRoute and VPN virtual network gateways for connectivity to on-premises networks.

Step 2: Deploy Virtual WAN hubs

Deploy a Virtual WAN hub in each region. Set up the Virtual WAN hub with a VPN Gateway and an ExpressRoute Gateway as described in the following articles:

Note

Azure Virtual WAN must be using the Standard SKU to enable some of the traffic paths shown in this article.

Figure 2: VDC hub-and-spoke to Virtual WAN migration

Step 3: Connect remote sites (ExpressRoute and VPN) to Virtual WAN

Connect the Virtual WAN hub to the existing ExpressRoute circuits and set up Site-to-Site VPNs over the Internet to any remote branches.

Note

ExpressRoute circuits must be upgraded to the Premium SKU type to connect to a Virtual WAN hub.

Figure 3: VDC hub-and-spoke to Virtual WAN migration

At this point, on-premises network equipment will begin to receive routes reflecting the IP address space assigned to the Virtual WAN-managed hub VNet. Remote VPN-connected branches at this stage will see two paths to any existing applications in the spoke virtual networks. These devices should be configured to continue to use the tunnel to the VDC hub to ensure symmetrical routing during the transition phase.

Step 4: Test hybrid connectivity via Virtual WAN

Prior to using the managed Virtual WAN hub for production connectivity, we recommend that you set up a test spoke virtual network and Virtual WAN VNet connection. Validate that connections to this test environment work via ExpressRoute and Site-to-Site VPN before continuing with the next steps.

Figure 4: VDC hub-and-spoke to Virtual WAN migration

Step 5: Transition connectivity to the Virtual WAN hub

Figure 5: VDC hub-and-spoke to Virtual WAN migration

a. Delete the existing peering connections from spoke virtual networks to the old VDC hub. Access to applications in spoke virtual networks is unavailable until steps a-c are complete.

b. Connect the spoke virtual networks to the Virtual WAN hub via VNet connections.

c. Remove any user-defined routes (UDR) previously used within spoke virtual networks for spoke-to-spoke communications. This path is now enabled by dynamic routing available within the Virtual WAN hub.

d. Existing ExpressRoute and VPN Gateways in the VDC hub are now decommissioned to permit the next step (e).

e. Connect the old VDC hub (hub virtual network) to the Virtual WAN hub via a new VNet connection.
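Steps a to e above as an Az PowerShell script. This is an added example, not the article's own code, and every name in it (resource group rg-contoso-weu, hub vwan-hub-weu, VDC hub VNet vnet-hub-vdc-weu, the spoke VNets, route tables and gateway names) is assumed.

```powershell
# Added example (not from the article). All resource names below are assumed.
$rg      = 'rg-contoso-weu'                 # resource group holding the West Europe VNets
$vwanHub = 'vwan-hub-weu'                   # Virtual WAN hub deployed in Step 2
$oldHub  = 'vnet-hub-vdc-weu'               # customer-managed VDC hub VNet
$spokes  = @('vnet-spoke-app1', 'vnet-spoke-app2')   # spoke VNets peered to the VDC hub

# a. Delete the spoke <-> VDC hub peerings in both directions.
#    Spoke applications are unreachable from here until step c is done.
foreach ($spoke in $spokes) {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $spoke |
        Where-Object { $_.RemoteVirtualNetwork.Id -like "*/virtualNetworks/$oldHub" } |
        ForEach-Object { Remove-AzVirtualNetworkPeering -ResourceGroupName $rg `
            -VirtualNetworkName $spoke -Name $_.Name -Force }
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $oldHub |
        Where-Object { $_.RemoteVirtualNetwork.Id -like "*/virtualNetworks/$spoke" } |
        ForEach-Object { Remove-AzVirtualNetworkPeering -ResourceGroupName $rg `
            -VirtualNetworkName $oldHub -Name $_.Name -Force }
}

# b. Attach each spoke to the Virtual WAN hub with a VNet connection.
foreach ($spoke in $spokes) {
    $spokeVnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $spoke
    New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName $vwanHub `
        -Name "conn-$spoke" -RemoteVirtualNetwork $spokeVnet | Out-Null
}

# c. Drop the spoke-to-spoke UDRs that pointed at the NVA in the VDC hub;
#    the Virtual WAN hub now advertises those prefixes dynamically.
foreach ($spoke in $spokes) {
    $rt = Get-AzRouteTable -ResourceGroupName $rg -Name "rt-$spoke"   # assumed route table name
    foreach ($route in @($rt.Routes | Where-Object { $_.NextHopType -eq 'VirtualAppliance' })) {
        $rt = Remove-AzRouteConfig -RouteTable $rt -Name $route.Name
    }
    Set-AzRouteTable -RouteTable $rt | Out-Null
}

# d. Decommission the VDC hub gateways. Their connections must go first, and the
#    Step 4 test of the Virtual WAN paths should have passed before this point.
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.VirtualNetworkGateway1.Id -match '/(vpngw|ergw)-vdc-weu$' } |
    ForEach-Object { Remove-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg -Name $_.Name -Force }
Remove-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-vdc-weu' -Force   # assumed name
Remove-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'ergw-vdc-weu' -Force    # assumed name

# e. Re-attach the old hub VNet to the Virtual WAN hub as a plain spoke.
$oldHubVnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $oldHub
New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName $vwanHub `
    -Name "conn-$oldHub" -RemoteVirtualNetwork $oldHubVnet | Out-Null
```

Run it against one region at a time, after the Step 4 test spoke has confirmed ExpressRoute and Site-to-Site reachability through the new hub.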

Step 6: Old hub becomes shared services spoke

We have now redesigned our Azure network to make the Virtual WAN hub the central point in our new topology.

Figure 6: VDC hub-and-spoke to Virtual WAN migration

Because the Virtual WAN hub is a managed entity and does not allow deployment of custom resources such as virtual machines, the shared services block now exists as a spoke virtual network and hosts functions such as internet ingress via Azure Application Gateway or a network virtual appliance. Traffic between the shared services environment and backend virtual machines now transits the Virtual WAN-managed hub.

Step 7: Optimize on-premises connectivity to fully utilize Virtual WAN

At this stage, Contoso has mostly completed their migration of business applications into the Microsoft Cloud, with only a few legacy applications remaining within the on-premises DC.

Figure 7: VDC hub-and-spoke to Virtual WAN migration

To leverage the full functionality of Azure Virtual WAN, Contoso decides to decommission their legacy on-premises VPN connections. Any branches continuing to access HQ or DC networks are able to transit the Microsoft global network using the built-in transit routing of Azure Virtual WAN.

Note

ExpressRoute Global Reach is an alternative choice for customers wishing to leverage the Microsoft backbone to complement their existing private WANs.

End-state architecture and traffic paths

Figure: Dual region Virtual WAN

This section provides a summary of how this topology meets the original requirements by looking at some example traffic flows.

Path 1

Path 1 shows traffic flow from an S2S VPN connected branch in Asia to an Azure VNet in the South East Asia region.

The traffic is routed as follows:

  • The Asia branch is connected via resilient S2S BGP-enabled tunnels into the South East Asia Virtual WAN hub.

  • The Asia Virtual WAN hub routes traffic locally to the connected VNet.

Figure: Traffic flow 1

Path 2

Path 2 shows traffic flow from the ExpressRoute connected European HQ to an Azure VNet in the South East Asia region.

The traffic is routed as follows:

  • The European HQ is connected via a premium ExpressRoute circuit into the West Europe Virtual WAN hub.

  • Virtual WAN hub-to-hub global connectivity enables transit of traffic to the VNet connected in the remote region.

Figure: Traffic flow 2

Path 3

Path 3 shows traffic flow from the Asia on-premises DC connected to the private WAN to a European S2S connected branch.

The traffic is routed as follows:

  • The Asia DC is connected to the local private WAN carrier.

  • An ExpressRoute circuit terminating locally in the private WAN connects to the South East Asia Virtual WAN hub.

  • Virtual WAN hub-to-hub global connectivity enables transit of traffic.

Figure: Traffic flow 3

Path 4

Path 4 shows traffic flow from an Azure VNet in the South East Asia region to an Azure VNet in the West Europe region.

The traffic is routed as follows:

  • Virtual WAN hub-to-hub global connectivity enables native transit between all connected Azure VNets without further user configuration.

Figure: Traffic flow 4

Path 5

Path 5 shows traffic flow from roaming VPN (P2S) users to an Azure VNet in the West Europe region.

The traffic is routed as follows:

  • Laptop and mobile device users use the OpenVPN client for transparent connectivity into the P2S VPN gateway in West Europe.

  • The West Europe Virtual WAN hub routes traffic locally to the connected VNet.

Figure: Traffic flow 5

Security and policy control via Azure Firewall

Contoso has now validated connectivity between all branches and VNets in line with the requirements discussed earlier in this article. To meet their requirements for security control and network isolation, they need to continue to separate and log traffic via the hub network. Previously this function was performed by a network virtual appliance (NVA). Contoso also wants to decommission their existing proxy services and utilize native Azure services for outbound Internet filtering.

Figure: Azure Firewall in Virtual WAN (Secured Virtual Hub)

The following high-level steps are required to introduce Azure Firewall into the Virtual WAN hubs to enable a unified point of policy control. For more information about this process and the concept of Secured Virtual Hubs, see Azure Firewall Manager.

  1. Create an Azure Firewall policy.
  2. Link the firewall policy to the Azure Virtual WAN hub. This step allows the existing Virtual WAN hub to function as a secured virtual hub, and deploys the required Azure Firewall resources.

Note

If the Azure Firewall is deployed in a Standard Virtual WAN hub (SKU: Standard), V2V, B2V, V2I and B2I firewall policies are only enforced on traffic originating from the VNets and branches connected to the specific hub where the Azure Firewall is deployed (the secured hub). Traffic originating from remote VNets and branches that are attached to other Virtual WAN hubs in the same Virtual WAN will not be firewalled, even though the remote branches and VNets are interconnected via Virtual WAN hub-to-hub links. Cross-hub firewalling support is on the Azure Virtual WAN and Firewall Manager roadmap.

The following paths show the connectivity paths enabled by using Azure secured virtual hubs:
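The two steps above in Az PowerShell, with a diagnostic setting added for the "filtered and logged" requirement. This is an added example, not the article's or Firewall Manager's own code; the resource names, the 10.0.0.0/8 source range, the FQDN allow-list and the workspace placeholder are all assumed.

```powershell
# Added example (not from the article). Names, address ranges and FQDNs are assumed.
$rg       = 'rg-contoso-weu'
$location = 'westeurope'
$hub      = Get-AzVirtualHub -ResourceGroupName $rg -Name 'vwan-hub-weu'   # existing Standard hub

# 1. Create the firewall policy: one application rule collection that lets the assumed
#    spoke/branch range reach a short FQDN allow-list over HTTPS; anything unmatched is denied.
$policy = New-AzFirewallPolicy -Name 'fwpol-contoso' -ResourceGroupName $rg -Location $location
$allowM365 = New-AzFirewallPolicyApplicationRule -Name 'allow-m365' `
    -SourceAddress '10.0.0.0/8' -TargetFqdn '*.office.com', '*.microsoftonline.com' -Protocol 'https:443'
$webAllow = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-web-allow' -Priority 100 `
    -Rule $allowM365 -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-outbound' -Priority 200 `
    -RuleCollection $webAllow -FirewallPolicyObject $policy | Out-Null

# 2. Link the policy to the hub by deploying Azure Firewall (AZFW_Hub SKU) into it;
#    this is what turns the existing hub into a secured virtual hub.
$fw = New-AzFirewall -Name 'azfw-hub-weu' -ResourceGroupName $rg -Location $location `
    -SkuName 'AZFW_Hub' -VirtualHubId $hub.Id -FirewallPolicyId $policy.Id

# Logging: ship application and network rule hits to a Log Analytics workspace so that
# branch-to-Internet and VNet-to-Internet decisions are recorded, not just enforced.
$workspaceId = '<log-analytics-workspace-resource-id>'   # placeholder, supply your own
Set-AzDiagnosticSetting -ResourceId $fw.Id -WorkspaceId $workspaceId -Enabled $true `
    -Category 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule' | Out-Null
```

Which hub connections have their Internet and private traffic steered through the firewall is chosen afterwards in the Firewall Manager security configuration, and, as the note below explains, only connections on this hub are covered.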

Path 6

Path 6 shows secure traffic flow between VNets within the same region.

The traffic is routed as follows:

  • Virtual networks connected to the same Secured Virtual Hub now route traffic via the Azure Firewall.

  • Azure Firewall can apply policy to these flows.

Figure: Traffic flow 6

Path 7

Path 7 shows traffic flow from an Azure VNet to the Internet or a third-party security service.

The traffic is routed as follows:

  • Virtual networks connected to the Secured Virtual Hub can send traffic to public destinations on the Internet, using the secured hub as a central point of Internet access.

  • This traffic can be filtered locally using Azure Firewall FQDN rules, or sent to a third-party security service for inspection.

Figure: Traffic flow 7

Path 8

Path 8 shows traffic flow from a branch to the Internet or a third-party security service.

The traffic is routed as follows:

  • Branches connected to the Secured Virtual Hub can send traffic to public destinations on the Internet by using the secured hub as a central point of Internet access.

  • This traffic can be filtered locally using Azure Firewall FQDN rules, or sent to a third-party security service for inspection.

Figure: Traffic flow 8

Next steps

Learn more about Azure Virtual WAN