
Virtual network integration for Azure services

Integrating Azure services into an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. You can integrate Azure services in your virtual network with the following options:

  • Deploying dedicated instances of the service into a virtual network. The services can then be privately accessed within the virtual network and from on-premises networks.
  • Using Private Link to privately access a specific instance of the service from your virtual network and from on-premises networks.

You can also access the service using public endpoints by extending a virtual network to the service through service endpoints. Service endpoints allow service resources to be secured to the virtual network.

Deploy Azure services into virtual networks

When you deploy dedicated Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.

[Figure: Services deployed in a virtual network]

Deploying services within a virtual network provides the following capabilities:

  • Resources within the virtual network can communicate with each other privately, through private IP addresses. For example, data can be transferred directly between HDInsight and SQL Server running on a virtual machine in the virtual network.
  • On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.
  • Virtual networks can be peered to enable resources in the virtual networks to communicate with each other, using private IP addresses.
  • Service instances in a virtual network are typically fully managed by the Azure service. This includes monitoring the health of the resources and scaling with load.
  • Service instances are deployed into a subnet in a virtual network. Inbound and outbound network access for the subnet must be opened through network security groups, per the guidance provided by the service.
  • Certain services also impose restrictions on the subnet they are deployed in, such as limiting the application of policies or routes, or prohibiting VMs and service resources from being combined within the same subnet. Check with each service on the specific restrictions, as they may change over time. Examples of such services are Azure NetApp Files, Dedicated HSM, Azure Container Instances and App Service.
  • Optionally, services might require a delegated subnet as an explicit identifier that a subnet can host a particular service. By delegating, services get explicit permissions to create service-specific resources in the delegated subnet.
  • See an example of a REST API response on a virtual network with a delegated subnet. A comprehensive list of services that use the delegated subnet model can be obtained via the Available Delegations API.
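
The subnet delegation and network security group requirements described above, written out as a Bicep deployment. This is an added example, not from the Azure documentation; the resource names, address ranges and the single allowed inbound port are illustrative assumptions, and the delegation targets Azure Container Instances, one of the services listed above that requires a dedicated subnet.

```bicep
// Added example: a VNet with one subnet delegated to Azure Container Instances
// and locked down by an NSG. Names, ranges and the allowed port are assumptions.
param location string = resourceGroup().location

resource nsg 'Microsoft.Network/networkSecurityGroups@2020-06-01' = {
  name: 'nsg-snet-aci'
  location: location
  properties: {
    securityRules: [
      {
        // Open only what the hosted service's guidance calls for (here: HTTPS
        // from inside the VNet). The default DenyAllInbound rule blocks the rest.
        name: 'AllowHttpsFromVnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'VirtualNetwork'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2020-06-01' = {
  name: 'vnet-services'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // Dedicated subnet: the delegation grants ACI explicit permission to
        // create its own resources here; customer VMs are not mixed into it.
        name: 'snet-aci'
        properties: {
          addressPrefix: '10.10.1.0/24'
          networkSecurityGroup: { id: nsg.id }
          delegations: [
            {
              name: 'aci'
              properties: { serviceName: 'Microsoft.ContainerInstance/containerGroups' }
            }
          ]
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create` against a resource group; afterwards the subnet's `delegations` property in the REST response shows the service name, which is the explicit identifier the text refers to.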

Services that can be deployed into a virtual network

| Category   | Service                                                              | Dedicated¹ subnet |
|------------|----------------------------------------------------------------------|-------------------|
| Compute    | Virtual machines: Linux or Windows                                   | No                |
| Compute    | Virtual machine scale sets                                           | No                |
| Compute    | Cloud Service: Virtual network (classic) only                        | No                |
| Compute    | Azure Batch                                                          | No²               |
| Network    | Application Gateway - WAF                                            | Yes               |
| Network    | VPN Gateway                                                          | Yes               |
| Network    | Azure Firewall                                                       | Yes               |
| Network    | Network Virtual Appliances                                           | No                |
| Data       | RedisCache                                                           | Yes               |
| Data       | Azure SQL Database Managed Instance                                  | Yes               |
| Analytics  | Azure HDInsight                                                      | No²               |
| Analytics  | Azure Databricks                                                     | No²               |
| Identity   | Azure Active Directory Domain Services                               | No                |
| Containers | Azure Kubernetes Service (AKS)                                       | No²               |
| Containers | Azure Container Instance (ACI)                                       | Yes               |
| Containers | Azure Container Service Engine with Azure Virtual Network CNI plug-in | No                |
| Web        | API Management                                                       | Yes               |
| Web        | App Service Environment                                              | Yes               |
| Web        | Azure Logic Apps                                                     | Yes               |
| Hosted     | Azure Dedicated HSM                                                  | Yes               |
| Hosted     | Azure NetApp Files                                                   | Yes               |

¹ 'Dedicated' implies that only service-specific resources can be deployed in this subnet and that it cannot be combined with customer VMs/VMSSs.
² Recommended, but not a mandatory requirement imposed by the service.