
Create, change, or delete a virtual network peering

Learn how to create, change, or delete a virtual network peering. Virtual network peering enables you to connect virtual networks in the same region and across regions (also known as Global VNet Peering) through the Azure backbone network. Once peered, the virtual networks are still managed as separate resources. If you're new to virtual network peering, you can learn more about it in the virtual network peering overview or by completing a tutorial.

Before you begin

Complete the following tasks before completing steps in any section of this article:

  • If you don't already have an Azure account, sign up for a free trial account.
  • If using the portal, open https://portal.azure.com, and log in with an account that has the necessary permissions to work with peerings.
  • If using PowerShell commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. This tutorial requires the Azure PowerShell module version 5.7.0 or later. Run Get-Module -ListAvailable AzureRM to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzureRmAccount with an account that has the necessary permissions to work with peering, to create a connection with Azure.
  • If using Azure Command-line interface (CLI) commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or run the CLI from your computer. This tutorial requires the Azure CLI version 2.0.31 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login with an account that has the necessary permissions to work with peering, to create a connection with Azure.

The account you log into, or connect to Azure with, must be assigned to the network contributor role or to a custom role that is assigned the appropriate actions listed in Permissions.

Create a peering

Before creating a peering, familiarize yourself with the requirements and constraints and necessary permissions.

  1. In the search box at the top of the Azure portal, enter virtual networks. When Virtual networks appears in the search results, select it. Do not select Virtual networks (classic) if it appears in the list, as you cannot create a peering from a virtual network deployed through the classic deployment model.
  2. Select the virtual network in the list that you want to create a peering for.
  3. From the list of virtual networks, select the virtual network you want to create a peering for.
  4. Under SETTINGS, select Peerings.
  5. Select + Add.
  6. Enter or select values for the following settings:

    • Name: The name for the peering must be unique within the virtual network.
    • Virtual network deployment model: Select which deployment model the virtual network you want to peer with was deployed through.
    • I know my resource ID: If you have read access to the virtual network you want to peer with, leave this checkbox unchecked. If you don't have read access to the virtual network or subscription you want to peer with, check this box. Enter the full resource ID of the virtual network you want to peer with in the Resource ID box that appeared when you checked the box. The resource ID you enter must be for a virtual network that exists in the same Azure region as this virtual network, or in a supported different region. The full resource ID looks similar to /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/. You can get the resource ID for a virtual network by viewing the properties for a virtual network. To learn how to view the properties for a virtual network, see Manage virtual networks. If the subscription is associated to a different Azure Active Directory tenant than the subscription with the virtual network you're creating the peering from, first add a user from each tenant as a guest user in the opposite tenant.
    • Subscription: Select the subscription of the virtual network you want to peer with. One or more subscriptions are listed, depending on how many subscriptions your account has read access to. If you checked the Resource ID checkbox, this setting isn't available.
    • Virtual network: Select the virtual network you want to peer with. You can select a virtual network created through either Azure deployment model. If you want to select a virtual network in a different region, you must select a virtual network in a supported region. You must have read access to the virtual network for it to be visible in the list. If a virtual network is listed, but grayed out, it may be because the address space for the virtual network overlaps with the address space for this virtual network. If virtual network address spaces overlap, they cannot be peered. If you checked the Resource ID checkbox, this setting isn't available.
    • Allow virtual network access: Select Enabled (default) if you want to enable communication between the two virtual networks. Enabling communication between virtual networks allows resources connected to either virtual network to communicate with each other with the same bandwidth and latency as if they were connected to the same virtual network. All communication between resources in the two virtual networks is over the Azure private network. The VirtualNetwork service tag for network security groups encompasses the virtual network and peered virtual network. To learn more about network security group service tags, see Network security groups overview. Select Disabled if you don't want traffic to flow to the peered virtual network. You might select Disabled if you've peered a virtual network with another virtual network, but occasionally want to disable traffic flow between the two virtual networks. You may find enabling/disabling is more convenient than deleting and re-creating peerings. When this setting is disabled, traffic doesn't flow between the peered virtual networks.
    • Allow forwarded traffic: Check this box to allow traffic forwarded by a network virtual appliance in a virtual network (that didn't originate from the virtual network) to flow to this virtual network through a peering. For example, consider three virtual networks named Spoke1, Spoke2, and Hub. A peering exists between each spoke virtual network and the Hub virtual network, but peerings don't exist between the spoke virtual networks. A network virtual appliance is deployed in the Hub virtual network, and user-defined routes are applied to each spoke virtual network that route traffic between the subnets through the network virtual appliance. If this checkbox is not checked for the peering between each spoke virtual network and the hub virtual network, traffic doesn't flow between the spoke virtual networks because the hub is forwarding the traffic between the virtual networks. While enabling this capability allows the forwarded traffic through the peering, it does not create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. Learn about user-defined routes. You don't need to check this setting if traffic is forwarded between virtual networks through an Azure VPN Gateway.
    • Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway. For example, this virtual network may be attached to an on-premises network through a virtual network gateway. The gateway can be an ExpressRoute or VPN gateway. Checking this box allows traffic from the peered virtual network to flow through the gateway attached to this virtual network to the on-premises network. If you check this box, the peered virtual network cannot have a gateway configured. The peered virtual network must have the Use remote gateways checkbox checked when setting up the peering from the other virtual network to this virtual network. If you leave this box unchecked (default), traffic from the peered virtual network still flows to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network. If the peering is between a virtual network (Resource Manager) and a virtual network (classic), the gateway must be in the virtual network (Resource Manager). You cannot enable this option if you're peering virtual networks in different regions.

      In addition to forwarding traffic to an on-premises network, a VPN gateway can forward network traffic between virtual networks that are peered with the virtual network the gateway is in, without the virtual networks needing to be peered with each other. Using a VPN gateway to forward traffic is useful when you want to use a VPN gateway in a hub (see the hub and spoke example described for Allow forwarded traffic) virtual network to route traffic between spoke virtual networks that aren't peered with each other. To learn more about allowing use of a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering. This scenario requires implementing user-defined routes that specify the virtual network gateway as the next hop type. Learn about user-defined routes. You can only specify a VPN gateway as a next hop type in a user-defined route; you cannot specify an ExpressRoute gateway as the next hop type in a user-defined route. You cannot enable this option if you're peering virtual networks in different regions.

    • Use remote gateways: Check this box to allow traffic from this virtual network to flow through a virtual network gateway attached to the virtual network you're peering with. For example, the virtual network you're peering with has a VPN gateway attached that enables communication to an on-premises network. Checking this box allows traffic from this virtual network to flow through the VPN gateway attached to the peered virtual network. If you check this box, the peered virtual network must have a virtual network gateway attached to it and must have the Allow gateway transit checkbox checked. If you leave this box unchecked (default), traffic from the peered virtual network can still flow to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network. Only one peering for this virtual network can have this setting enabled.

      You cannot use remote gateways if you already have a gateway configured in your virtual network. You cannot enable this option if you're peering virtual networks in different regions. To learn more about using a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering.

  7. Select OK to add the peering to the virtual network you selected.

For step-by-step instructions for implementing peering between virtual networks in different subscriptions and deployment models, see next steps.

Commands

View or change peering settings

Before changing a peering, familiarize yourself with the requirements and constraints and necessary permissions.

  1. In the search box at the top of the portal, enter virtual networks. When Virtual networks appears in the search results, select it. Do not select Virtual networks (classic) if it appears in the list, as you cannot create a peering from a virtual network deployed through the classic deployment model.
  2. Select the virtual network in the list that you want to change peering settings for.
  3. From the list of virtual networks, select the virtual network you want to change peering settings for.
  4. Under SETTINGS, select Peerings.
  5. Select the peering you want to view or change settings for.
  6. Change the appropriate setting. Read about the options for each setting in step 6 of Create a peering.
  7. Select Save.

Commands

Delete a peering

Before deleting a peering, ensure your account has the necessary permissions.

When a peering is deleted, traffic from a virtual network no longer flows to the peered virtual network. When virtual networks deployed through Resource Manager are peered, each virtual network has a peering to the other virtual network. Though deleting the peering from one virtual network disables the communication between the virtual networks, it does not delete the peering from the other virtual network. The peering status for the peering that exists in the other virtual network is Disconnected. You cannot recreate the peering until you re-create the peering in the first virtual network and the peering status for both virtual networks changes to Connected.

If you want virtual networks to communicate sometimes, but not always, rather than deleting a peering, you can set the Allow virtual network access setting to Disabled instead. To learn how, read step 6 of the Create a peering section of this article. You may find disabling and enabling network access easier than deleting and recreating peerings.

  1. In the search box at the top of the portal, enter virtual networks. When Virtual networks appears in the search results, select it. Do not select Virtual networks (classic) if it appears in the list, as you cannot create a peering from a virtual network deployed through the classic deployment model.
  2. Select the virtual network in the list that you want to delete a peering for.
  3. From the list of virtual networks, select the virtual network you want to delete a peering for.
  4. Under SETTINGS, select Peerings.
  5. On the right side of the peering you want to delete, select ..., select Delete, then select Yes to delete the peering from the first virtual network.
  6. Complete the previous steps to delete the peering from the other virtual network in the peering.

Commands

Requirements and constraints

  • You can peer virtual networks in the same region, or different regions. Peering virtual networks in different regions is also referred to as global peering.
  • When creating a global peering, the peered virtual networks can exist in any Azure public cloud region, but not in Azure national clouds. You can only peer virtual networks in the same region in national clouds.
  • Resources in one virtual network cannot communicate with the front-end IP address of an Azure internal load balancer in a globally peered virtual network. The load balancer and the resources that communicate with it must be in a virtual network in the same region. However, if the peered virtual networks are in the same region, resources in either virtual network can communicate with the front-end IP address of an Azure internal load balancer in either virtual network in the peering.
  • You cannot use remote gateways or allow gateway transit in globally peered virtual networks. To use remote gateways or allow gateway transit, the peered virtual networks must be in the same region.
  • The virtual networks can be in the same, or different subscriptions. When you peer virtual networks in different subscriptions, both subscriptions can be associated to the same or different Azure Active Directory tenant. If you don't already have an AD tenant, you can quickly create one. Support for peering across virtual networks from subscriptions associated to different Azure Active Directory tenants is not available in Portal. You can use CLI, PowerShell, or Templates.
  • The virtual networks you peer must have non-overlapping IP address spaces.
  • You can't add address ranges to, or delete address ranges from, a virtual network's address space once a virtual network is peered with another virtual network. To add or remove address ranges, delete the peering, add or remove the address ranges, then re-create the peering. To add address ranges to, or remove address ranges from, virtual networks, see Manage virtual networks.
  • You can peer two virtual networks deployed through Resource Manager or a virtual network deployed through Resource Manager with a virtual network deployed through the classic deployment model. You cannot peer two virtual networks created through the classic deployment model. If you're not familiar with Azure deployment models, read the Understand Azure deployment models article. You can use a VPN Gateway to connect two virtual networks created through the classic deployment model.
  • When peering two virtual networks created through Resource Manager, a peering must be configured for each virtual network in the peering. You see one of the following types for peering status:
    • Initiated: When you create the peering to the second virtual network from the first virtual network, the peering status is Initiated.
    • Connected: When you create the peering from the second virtual network to the first virtual network, its peering status is Connected. If you view the peering status for the first virtual network, you see its status changed from Initiated to Connected. The peering is not successfully established until the peering status for both virtual network peerings is Connected.
  • When peering a virtual network created through Resource Manager with a virtual network created through the classic deployment model, you only configure a peering for the virtual network deployed through Resource Manager. You cannot configure peering for a virtual network (classic), or between two virtual networks deployed through the classic deployment model. When you create the peering from the virtual network (Resource Manager) to the virtual network (Classic), the peering status is Updating, then shortly changes to Connected.
  • A peering is established between two virtual networks. Peerings are not transitive. If you create peerings between:

    • VirtualNetwork1 & VirtualNetwork2
    • VirtualNetwork2 & VirtualNetwork3

    There is no peering between VirtualNetwork1 and VirtualNetwork3 through VirtualNetwork2. If you want to create a virtual network peering between VirtualNetwork1 and VirtualNetwork3, you have to create a peering between VirtualNetwork1 and VirtualNetwork3.

  • You can't resolve names in peered virtual networks using default Azure name resolution. To resolve names in other virtual networks, you must use Azure DNS for private domains or a custom DNS server. To learn how to set up your own DNS server, see Name resolution using your own DNS server.
  • Resources in peered virtual networks in the same region can communicate with each other with the same bandwidth and latency as if they were in the same virtual network. However, each virtual machine size has its own maximum network bandwidth. To learn more about maximum network bandwidth for different virtual machine sizes, see Windows or Linux virtual machine sizes.
  • A virtual network can be peered to another virtual network, and also be connected to another virtual network with an Azure virtual network gateway. When virtual networks are connected through both peering and a gateway, traffic between the virtual networks flows through the peering configuration, rather than the gateway.
  • There is a nominal charge for ingress and egress traffic that utilizes a virtual network peering. For more information, see the pricing page.
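The address-space and gateway constraints above can be checked before a peering is submitted. The following is an added example, not part of the original article or of any Azure tooling; the `VNet` and `PeeringRequest` classes, their field names, and the sample networks are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network


@dataclass
class VNet:
    """Constructed model of a virtual network (field names are hypothetical)."""
    name: str
    region: str
    address_space: list                 # CIDR strings, e.g. ["10.0.0.0/16"]
    classic: bool = False               # deployed through the classic model
    has_gateway: bool = False           # virtual network gateway attached
    # Peers for which this network already has "Use remote gateways" enabled.
    remote_gateway_peers: list = field(default_factory=list)


@dataclass
class PeeringRequest:
    """Settings for the peering configured on `local` toward `remote`."""
    local: VNet
    remote: VNet
    allow_gateway_transit: bool = False
    use_remote_gateways: bool = False
    # "Allow gateway transit" on the peering in the opposite direction.
    remote_allows_gateway_transit: bool = False


def overlapping_ranges(a, b):
    """Every pair of CIDR ranges in which the two address spaces overlap."""
    return [(x, y) for x in a.address_space for y in b.address_space
            if ip_network(x).overlaps(ip_network(y))]


def preflight(req):
    """Return the constraint violations for one request (empty list = consistent)."""
    local, remote, problems = req.local, req.remote, []
    if local.classic:
        problems.append("a peering cannot be configured on a classic virtual network")
    for x, y in overlapping_ranges(local, remote):
        problems.append(f"address spaces overlap: {x} and {y}")
    if local.region != remote.region and (req.allow_gateway_transit or req.use_remote_gateways):
        problems.append("gateway settings cannot be enabled when peering across regions")
    if req.allow_gateway_transit and remote.has_gateway:
        problems.append("allow gateway transit: the peered network cannot have a gateway")
    if req.use_remote_gateways:
        if local.has_gateway:
            problems.append("use remote gateways: the local network already has a gateway")
        if not remote.has_gateway:
            problems.append("use remote gateways: the peered network has no gateway")
        if not req.remote_allows_gateway_transit:
            problems.append("use remote gateways: the peered network must allow gateway transit")
        if any(p != remote.name for p in local.remote_gateway_peers):
            problems.append("use remote gateways: already enabled on another peering")
    return problems


# Constructed sample networks (names, regions and ranges are made up).
HUB = VNet("Hub", "eastus", ["10.0.0.0/16"], has_gateway=True)
SPOKE1 = VNet("Spoke1", "eastus", ["10.1.0.0/16"])
SPOKE2 = VNet("Spoke2", "westeurope", ["10.0.128.0/17", "10.2.0.0/16"])

if __name__ == "__main__":
    for req in (PeeringRequest(HUB, SPOKE1, allow_gateway_transit=True),
                PeeringRequest(SPOKE1, HUB, use_remote_gateways=True,
                               remote_allows_gateway_transit=True),
                PeeringRequest(SPOKE2, HUB, use_remote_gateways=True)):
        print(req.local.name, "->", req.remote.name, preflight(req) or "ok")
```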

Permissions

The accounts you use to work with virtual network peering must be assigned to the following roles:

If your account is not assigned to one of the previous roles, it must be assigned to a custom role that is assigned the necessary actions from the following table:

| Action | Name |
| --- | --- |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Required to create a peering from virtual network A to virtual network B. Virtual network A must be a virtual network (Resource Manager) |
| Microsoft.Network/virtualNetworks/peer/action | Required to create a peering from virtual network B (Resource Manager) to virtual network A |
| Microsoft.ClassicNetwork/virtualNetworks/peer | Required to create a peering from virtual network B (classic) to virtual network A |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Read a virtual network peering |
| Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Delete a virtual network peering |
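To keep a custom role limited to the actions in the table, a role definition can be audited against them. The following is an added example, not part of the original article; the operation labels, sample role definitions, role name and the `/subscriptions/<subscription-id>` scope are placeholders constructed for illustration, and the matching assumes the usual role-definition semantics of `*` wildcards in Actions with NotActions subtracted.

```python
from fnmatch import fnmatchcase

# Operation -> required action, copied from the permissions table in this article.
# The dictionary keys are labels made up for this example.
REQUIRED_ACTIONS = {
    "create-from-a": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",
    "peer-from-b-resource-manager": "Microsoft.Network/virtualNetworks/peer/action",
    "peer-from-b-classic": "Microsoft.ClassicNetwork/virtualNetworks/peer",
    "read": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read",
    "delete": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
}


def _matches(pattern, action):
    # Role definitions may use "*" wildcards; compare case-insensitively.
    return fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """True if an Actions entry covers the action and no NotActions entry removes it."""
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def missing_actions(role, operations):
    """Required actions for the given operations that the role does not grant."""
    return [REQUIRED_ACTIONS[op] for op in operations
            if not is_granted(role, REQUIRED_ACTIONS[op])]


def minimal_role(name, operations, scope):
    """Build a custom role definition that grants only what the operations need."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Peering operations: " + ", ".join(operations),
        "Actions": sorted({REQUIRED_ACTIONS[op] for op in operations}),
        "NotActions": [],
        "AssignableScopes": [scope],
    }


# Constructed role definitions used as sample input.
BROAD_ROLE = {
    "Actions": ["Microsoft.Network/*"],
    "NotActions": ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete"],
}
READ_ONLY_ROLE = {"Actions": ["*/read"], "NotActions": []}

if __name__ == "__main__":
    import json
    ops = ["create-from-a", "peer-from-b-resource-manager", "read"]
    print("read-only role is missing:", missing_actions(READ_ONLY_ROLE, ops))
    print(json.dumps(minimal_role("Peering operator (example)", ops,
                                  "/subscriptions/<subscription-id>"), indent=2))
```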

Next steps