
Virtual network peering

Virtual network peering enables you to seamlessly connect networks in Azure Virtual Network. The virtual networks appear as one for connectivity purposes. The traffic between virtual machines uses the Microsoft backbone infrastructure. Like traffic between virtual machines in the same network, traffic is routed through Microsoft's private network only.

Azure supports the following types of peering:

  • Virtual network peering: Connect virtual networks within the same Azure region.
  • Global virtual network peering: Connect virtual networks across Azure regions.

The benefits of using virtual network peering, whether local or global, include:

  • A low-latency, high-bandwidth connection between resources in different virtual networks.
  • The ability for resources in one virtual network to communicate with resources in a different virtual network.
  • The ability to transfer data between virtual networks across Azure subscriptions, Azure Active Directory tenants, deployment models, and Azure regions.
  • The ability to peer virtual networks created through Azure Resource Manager.
  • The ability to peer a virtual network created through Resource Manager to one created through the classic deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.
  • No downtime to resources in either virtual network when creating the peering, or after the peering is created.

Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required for communication between the virtual networks.

Connectivity

For peered virtual networks, resources in either virtual network can directly connect with resources in the peered virtual network.

The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. The network throughput is based on the bandwidth that's allowed for the virtual machine, proportionate to its size. There isn't any additional restriction on bandwidth within the peering.

The traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, not through a gateway or over the public Internet.

You can apply network security groups in either virtual network to block access to other virtual networks or subnets. When configuring virtual network peering, either open or close the network security group rules between the virtual networks. If you open full connectivity between peered virtual networks, you can apply network security groups to block or deny specific access. Full connectivity is the default option. To learn more about network security groups, see Security groups.
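The following added example (not code from the Azure documentation) models how inbound network security group rules are evaluated for traffic arriving from a peered virtual network: rules are checked in ascending priority order, the first match wins, and Azure's default AllowVnetInBound rule (whose VirtualNetwork tag covers peered address spaces) admits everything from the peer unless a custom rule with a lower priority number denies it. The address spaces, rule names and flows are constructed for illustration.

```python
"""Added example: a minimal model of inbound NSG rule evaluation for a peered VNet.
Rule names, prefixes and addresses below are constructed; the real evaluation is
performed by the Azure platform, not by this code."""
import ipaddress
from dataclasses import dataclass

# Constructed address spaces: this VNet and the one it is peered with.
LOCAL_VNET = "10.0.0.0/16"
PEERED_VNET = "10.1.0.0/16"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*", or the "VirtualNetwork" service tag
    dest_port: str     # "*" or a single port number as a string


def _source_matches(rule_source: str, src_ip: str, vnet_prefixes) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "VirtualNetwork":
        # The VirtualNetwork tag covers the local address space and, once peered,
        # the address spaces of peered virtual networks as well.
        return any(ip in ipaddress.ip_network(p) for p in vnet_prefixes)
    if rule_source == "*":
        return True
    return ip in ipaddress.ip_network(rule_source)


def evaluate(rules, src_ip, dest_port, vnet_prefixes=(LOCAL_VNET, PEERED_VNET)) -> str:
    """Return 'Allow' or 'Deny' from the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip, vnet_prefixes) and rule.dest_port in ("*", str(dest_port)):
            return rule.access
    return "Deny"  # nothing matched: same outcome as the DenyAllInBound default


# Azure's default inbound rules, reduced to the two that matter for this flow.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

# Constructed custom rules: allow only HTTPS from the peered VNet, deny the rest of it.
CUSTOM_RULES = [
    Rule("AllowHttpsFromPeer", 100, "Allow", PEERED_VNET, "443"),
    Rule("DenyPeer", 200, "Deny", PEERED_VNET, "*"),
]


def demo():
    """Evaluate a few constructed flows with and without the custom rules."""
    return {
        "peer_ssh_defaults_only": evaluate(DEFAULT_RULES, "10.1.2.3", 22),
        "peer_ssh_with_custom": evaluate(CUSTOM_RULES + DEFAULT_RULES, "10.1.2.3", 22),
        "peer_https_with_custom": evaluate(CUSTOM_RULES + DEFAULT_RULES, "10.1.2.3", 443),
        "local_ssh_with_custom": evaluate(CUSTOM_RULES + DEFAULT_RULES, "10.0.4.5", 22),
        "internet_ssh": evaluate(DEFAULT_RULES, "203.0.113.9", 22),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The first flow shows why "full connectivity" is the default: with only Azure's default rules in place, SSH from the peered network is allowed. The custom rules at priorities 100 and 200 sit ahead of the defaults, so they narrow the peer down to HTTPS without affecting traffic from the local address space.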

Service chaining

Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.

To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address. User-defined routes could also point to virtual network gateways to enable service chaining.

You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks can then peer with the hub virtual network. Traffic flows through network virtual appliances or VPN gateways in the hub virtual network.

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway. You can't route between virtual networks with a user-defined route that specifies an Azure ExpressRoute gateway as the next hop type. To learn more about user-defined routes, see User-defined routes overview. To learn how to create a hub and spoke network topology, see Hub-spoke network topology in Azure.
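As an added example (not code from the Azure documentation), the following check validates a spoke's user-defined routes against the rule just stated: a VirtualAppliance next hop must be the IP address of a virtual machine in this virtual network or in one it is peered with, otherwise the hop is unreachable through peering. The hub-and-spoke topology, route names and the route dictionary field names are constructed for illustration; the field names mirror the route-table output of the Azure CLI but that shape is an assumption here.

```python
"""Added example: validate service-chaining UDRs in a spoke against the peered address spaces.
Topology, prefixes, IPs and route names are constructed for illustration."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed hub-and-spoke topology: spoke1 is peered with the hub only.
SPOKE_ADDRESS_SPACE = ["10.1.0.0/16"]
PEERED_ADDRESS_SPACES: Dict[str, List[str]] = {"hub": ["10.0.0.0/16"]}

# Constructed spoke1 route table (field names assumed to follow the Azure CLI route output).
SPOKE_ROUTES = [
    {"name": "to-spoke2-via-nva", "addressPrefix": "10.2.0.0/16",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "default-via-nva", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "stale-nva", "addressPrefix": "172.16.0.0/12",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.9.0.4"},  # in no peered VNet
    {"name": "onprem-via-gateway", "addressPrefix": "192.168.0.0/16",
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None},
]


def _locate(ip: str) -> str:
    """Name the network holding ip: 'local', a peered VNet name, or 'unreachable'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in SPOKE_ADDRESS_SPACE):
        return "local"
    for vnet, prefixes in PEERED_ADDRESS_SPACES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return vnet
    return "unreachable"


def validate_routes(routes) -> List[Tuple[str, str]]:
    """Return (route name, verdict) per route.

    VirtualAppliance hops get 'ok:<vnet>' when the IP lies in the local or a peered
    VNet and 'unreachable-next-hop' otherwise; other hop types are reported as-is.
    """
    results = []
    for route in routes:
        if route["nextHopType"] != "VirtualAppliance":
            results.append((route["name"], "ok:" + route["nextHopType"]))
            continue
        where = _locate(route["nextHopIpAddress"])
        verdict = "unreachable-next-hop" if where == "unreachable" else "ok:" + where
        results.append((route["name"], verdict))
    return results


if __name__ == "__main__":
    for name, verdict in validate_routes(SPOKE_ROUTES):
        print(f"{name}: {verdict}")
```

Running the check flags only the stale route whose appliance address lies in a network the spoke is not peered with; the two routes through the hub appliance and the gateway route pass. A check like this belongs in the pipeline that deploys route tables, since the platform accepts an unreachable next hop without complaint.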

Gateways and on-premises connectivity

Each virtual network, including a peered virtual network, can have its own gateway. A virtual network can use its gateway to connect to an on-premises network. You can also configure virtual network-to-virtual network connections by using gateways, even for peered virtual networks.

When you configure both options for virtual network interconnectivity, the traffic between the virtual networks flows through the peering configuration. The traffic uses the Azure backbone.

You can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that is using a remote gateway can't have its own gateway. A virtual network has only one gateway. The gateway is either a local or remote gateway in the peered virtual network, as shown in the following diagram:

(Diagram: virtual network peering transit)

Both virtual network peering and global virtual network peering support gateway transit.

Gateway transit between virtual networks created through different deployment models is supported. The gateway must be in the virtual network in the Resource Manager model. To learn more about using a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering.

When you peer virtual networks that share a single Azure ExpressRoute connection, the traffic between them goes through the peering relationship. That traffic uses the Azure backbone network. You can still use local gateways in each virtual network to connect to the on-premises circuit. Otherwise, you can use a shared gateway and configure transit for on-premises connectivity.

Troubleshoot

To confirm that virtual networks are peered, you can check effective routes. Check routes for a network interface in any subnet in a virtual network. If a virtual network peering exists, all subnets within the virtual network have routes with next hop type VNet peering, for each address space in each peered virtual network. For more information, see Diagnose a virtual machine routing problem.

You can also troubleshoot connectivity to a virtual machine in a peered virtual network using Azure Network Watcher. A connectivity check lets you see how traffic is routed from a source virtual machine's network interface to a destination virtual machine's network interface. For more information, see Troubleshoot connections with Azure Network Watcher using the Azure portal.

You can also try Troubleshoot virtual network peering issues.
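The effective-routes check above can be automated. The following added example (not code from the Azure documentation) takes a network interface's effective route table and the address spaces of the virtual networks it should be peered with, and reports every address space that lacks an active peering route. The JSON is constructed here in the shape returned by `az network nic show-effective-route-table`; the field names and the next hop type strings (`VNetPeering` for same-region and `VNetGlobalPeering` for global peering, compared case-insensitively since the portal renders them as "VNet peering") are assumptions.

```python
"""Added example: find peered address spaces with no VNet peering route in a NIC's effective routes.
The effective-route JSON below is constructed; its field names are an assumption."""
import ipaddress
import json

# Address spaces this VNet is expected to be peered with (constructed).
EXPECTED_PEERS = {"hub": ["10.0.0.0/16"], "spoke2": ["10.2.0.0/16", "10.3.0.0/24"]}

# Constructed effective-route output: spoke2's second address space has no peering route.
EFFECTIVE_ROUTES_JSON = json.dumps({"value": [
    {"addressPrefix": ["10.1.0.0/16"], "nextHopType": "VnetLocal",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VNetPeering",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["10.2.0.0/16"], "nextHopType": "VNetGlobalPeering",
     "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "source": "Default", "state": "Active"},
]})

# Next hop types that indicate a peering route (assumed API values, normalised for comparison).
PEERING_TYPES = {"vnetpeering", "vnetglobalpeering"}


def peering_prefixes(effective_routes_json: str):
    """Return the set of address prefixes that have an active VNet peering next hop."""
    table = json.loads(effective_routes_json)["value"]
    found = set()
    for route in table:
        if route.get("state") != "Active":
            continue  # an invalid/inactive route does not prove the peering is up
        hop_type = route["nextHopType"].replace(" ", "").lower()
        if hop_type in PEERING_TYPES:
            found.update(ipaddress.ip_network(p) for p in route["addressPrefix"])
    return found


def missing_peering_routes(effective_routes_json: str, expected_peers):
    """Map each expected peer to the address spaces that have no peering route (empty if all present)."""
    present = peering_prefixes(effective_routes_json)
    missing = {}
    for peer, prefixes in expected_peers.items():
        gaps = [p for p in prefixes if ipaddress.ip_network(p) not in present]
        if gaps:
            missing[peer] = gaps
    return missing


if __name__ == "__main__":
    print(missing_peering_routes(EFFECTIVE_ROUTES_JSON, EXPECTED_PEERS))
```

With the constructed input the hub and spoke2's first range are covered, while `10.3.0.0/24` is reported as missing, which is the symptom you would see when a peering was created before an address space was added to the remote virtual network and has not been re-synchronised.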

Constraints for peered virtual networks

The following constraints apply only when virtual networks are globally peered:

For more information, see Requirements and constraints. To learn more about the supported number of peerings, see Networking limits.

Permissions

To learn about permissions required to create a virtual network peering, see Permissions.

Pricing

There's a nominal charge for ingress and egress traffic that uses a virtual network peering connection. For more information, see Virtual Network pricing.

Gateway Transit is a peering property that enables a virtual network to utilize a VPN/ExpressRoute gateway in a peered virtual network. Gateway transit works for both cross-premises and network-to-network connectivity. Traffic to the gateway (ingress or egress) in the peered virtual network incurs virtual network peering charges. For more information, see VPN Gateway pricing for VPN gateway charges and ExpressRoute Gateway pricing for ExpressRoute gateway charges.

Note

A previous version of this document stated that virtual network peering charges would not apply with Gateway Transit. It now reflects accurate pricing per the pricing page.

Next steps

  • You can create a peering between two virtual networks. The networks can belong to the same subscription, different deployment models in the same subscription, or different subscriptions. Complete a tutorial for one of the following scenarios:

    Azure deployment model              Subscription
    Both Resource Manager               Same
    Both Resource Manager               Different
    One Resource Manager, one classic   Same
    One Resource Manager, one classic   Different

  • To learn how to create a hub and spoke network topology, see Hub-spoke network topology in Azure.

  • To learn about all virtual network peering settings, see Create, change, or delete a virtual network peering.

  • For answers to common virtual network peering and global virtual network peering questions, see VNet Peering.