
Virtual network peering

Virtual network peering enables you to seamlessly connect two Azure virtual networks. Once peered, the two virtual networks appear as one for connectivity purposes. Traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic between virtual machines in the same virtual network, using private IP addresses only.

The benefits of using virtual network peering include:

  • Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required for communication between the virtual networks. Note that peering itself does not encrypt traffic; its privacy comes from staying on the Microsoft backbone.
  • A low-latency, high-bandwidth connection between resources in different virtual networks.
  • The ability for resources in one virtual network to communicate with resources in a different virtual network, once the virtual networks are peered.
  • The ability to transfer data across Azure subscriptions, deployment models, and Azure regions (preview).
  • The ability to peer two virtual networks created through Azure Resource Manager, or to peer a virtual network created through Resource Manager with one created through the classic deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.
  • No downtime to resources in either virtual network when the peering is created, or after it is created.

Requirements and constraints

  • Peering virtual networks in the same region is generally available. Peering virtual networks in different regions is currently in preview in West Central US, Canada Central, and West US 2. Before peering virtual networks in different regions, you must first register your subscription for the preview. Attempting to create a peering between virtual networks in different regions fails if you have not completed registration for the preview.

    Warning

    Virtual network peerings created cross-region may not have the same level of availability and reliability as peerings in a general availability release. Virtual network peerings may have constrained capabilities and may not be available in all Azure regions. For the most up-to-date notifications on the availability and status of this feature, check the Azure Virtual Network updates page.

  • The peered virtual networks must have non-overlapping IP address spaces.

  • Address ranges cannot be added to or removed from the address space of a virtual network while it is peered with another virtual network. If you need to add address ranges to the address space of a peered virtual network, you must delete the peering, add the address space, and then create the peering again.
  • Virtual network peering is between two virtual networks. There is no derived transitive relationship across peerings. For example, if virtualNetworkA is peered with virtualNetworkB, and virtualNetworkB is peered with virtualNetworkC, virtualNetworkA is not peered with virtualNetworkC.
  • You can peer virtual networks that exist in two different subscriptions, as long as a privileged user (see Permissions) of both subscriptions authorizes the peering, and the subscriptions are associated with the same Azure Active Directory tenant. You can use a VPN gateway to connect virtual networks in subscriptions associated with different Azure Active Directory tenants.
  • Virtual networks can be peered if both were created through the Resource Manager deployment model, or if one was created through Resource Manager and the other through the classic deployment model. Two virtual networks created through the classic deployment model cannot be peered with each other, however; you can use a VPN gateway to connect them.
  • Though communication between virtual machines in peered virtual networks has no additional bandwidth restrictions, the maximum network bandwidth of each virtual machine size still applies. To learn more about maximum network bandwidth for different virtual machine sizes, read the Windows or Linux virtual machine sizes articles.
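As an added example (not part of this page or of Azure's own tooling), the following Python checks the two address-space constraints above before a peering is attempted: the two address spaces must not overlap, and a peered virtual network's address space cannot be edited. The virtual network names and CIDR ranges are constructed for illustration; the check that a new range does not overlap the VNet's own existing ranges goes one step beyond what the page states.

```python
"""Pre-flight checks for an Azure VNet peering: non-overlapping address
spaces, and no address-space edits while a peering exists.
Added example; the virtual network names and CIDRs are constructed."""
from ipaddress import ip_network


def overlapping_ranges(space_a, space_b):
    """Return every (range_a, range_b) pair whose prefixes overlap.

    ip_network() is strict by default, so a range with host bits set such
    as 10.0.0.1/16 raises ValueError instead of being silently accepted.
    """
    nets_a = [ip_network(r) for r in space_a]
    nets_b = [ip_network(r) for r in space_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def can_peer(space_a, space_b):
    """True only when the two address spaces share no overlapping prefix."""
    return not overlapping_ranges(space_a, space_b)


def add_address_range(vnet, new_range):
    """Append a range to vnet["address_space"], mirroring the platform rule
    that the change is rejected while the VNet has any peering. The second
    check (a new range may not overlap the VNet's own ranges) is an extra
    safeguard not described on this page."""
    if vnet["peerings"]:
        raise ValueError(
            f"{vnet['name']} is peered with {sorted(vnet['peerings'])}; "
            "delete the peering(s), add the range, then re-create them")
    if overlapping_ranges(vnet["address_space"], [new_range]):
        raise ValueError(f"{new_range} overlaps {vnet['name']}'s own address space")
    vnet["address_space"].append(str(ip_network(new_range)))
    return vnet["address_space"]


if __name__ == "__main__":
    # Constructed sample: vnetA and vnetB can be peered, vnetA and vnetC cannot.
    vnet_a = {"name": "vnetA", "address_space": ["10.1.0.0/16"], "peerings": set()}
    vnet_b = {"name": "vnetB", "address_space": ["10.2.0.0/16", "172.16.0.0/24"], "peerings": set()}
    vnet_c = {"name": "vnetC", "address_space": ["10.1.128.0/17"], "peerings": set()}
    print("A<->B peerable:", can_peer(vnet_a["address_space"], vnet_b["address_space"]))
    print("A<->C overlaps:", overlapping_ranges(vnet_a["address_space"], vnet_c["address_space"]))
    vnet_a["peerings"].add("vnetB")       # simulate an established peering
    try:
        add_address_range(vnet_a, "10.3.0.0/16")
    except ValueError as err:
        print("rejected:", err)
```

Run it as a script to see the overlap report and the rejection message for the peered VNet; the functions take plain lists of CIDR strings, so they can be fed the address spaces read from two real virtual networks before you submit the peering.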

    [Figure: Basic virtual network peering]

Connectivity

After virtual networks are peered, resources in either virtual network can connect directly with resources in the peered virtual network.

The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. Network throughput is based on the bandwidth allowed for the virtual machine, which is proportionate to its size. There is no additional restriction on bandwidth within the peering.

Traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, not through a gateway or over the public Internet.

Virtual machines in a virtual network can access an internal load balancer in the peered virtual network in the same region. Support for internal load balancers does not extend across globally peered virtual networks (preview). The general availability release of global virtual network peering will support internal load balancers.

Network security groups can be applied in either virtual network to block access from the other virtual network or from specific subnets, if desired. When configuring virtual network peering, you can either open or close network security group rules between the virtual networks. If you open full connectivity between peered virtual networks (the default), you can apply network security groups to specific subnets or virtual machines to block or deny specific traffic. Because full connectivity is the default, treat a peering as an extension of your network boundary: unless a network security group rule denies it, every subnet in one virtual network can reach every subnet in the other. To learn more about network security groups, see Network security groups overview.

Service chaining

You can configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address, or to virtual network gateways, to enable service chaining. Service chaining lets you direct traffic from one virtual network to a virtual appliance, or virtual network gateway, in a peered virtual network, through user-defined routes.

You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks then peer with the hub virtual network, and traffic can flow through the network virtual appliances or VPN gateways in the hub.

Virtual network peering allows the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway. You cannot, however, route between virtual networks with a user-defined route that specifies an ExpressRoute gateway as the next hop type. To learn more about user-defined routes, see User-defined routes overview. To learn how to create a hub-and-spoke network topology, see Hub and spoke network topology.

Gateways and on-premises connectivity

Each virtual network, regardless of whether it is peered with another virtual network, can still have its own gateway and use it to connect to an on-premises network. You can also configure virtual network-to-virtual network connections by using gateways, even though the virtual networks are peered.

When both options for virtual network interconnectivity are configured, traffic between the virtual networks flows through the peering configuration (that is, through the Azure backbone).

When virtual networks are peered in the same region, you can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that uses the remote gateway cannot have its own gateway: a virtual network can have only one gateway, which is either local or remote (in the peered virtual network), as shown in the following picture:

[Figure: Virtual network peering transit]

Gateway transit is not supported in a peering between virtual networks created through different deployment models or in different regions. For gateway transit to work, both virtual networks in the peering must have been created through Resource Manager and must be in the same region. Globally peered virtual networks do not currently support gateway transit.

When virtual networks that share a single Azure ExpressRoute connection are peered, traffic between them goes through the peering relationship (that is, through the Azure backbone network). You can still use local gateways in each virtual network to connect to the on-premises circuit. Alternatively, you can use a shared gateway and configure transit for on-premises connectivity.

Permissions

Virtual network peering is a privileged operation. It is a separate function under the VirtualNetworks namespace. A user can be given specific rights to authorize peering. A user who has read-write access to the virtual network inherits these rights automatically.

A user who is an administrator, or who has been granted the peering permission, can initiate a peering operation on another virtual network. The minimum level of permission required is Network Contributor. If there is a matching request for peering on the other side, and the other requirements are met, the peering is established.

For example, if you were peering virtual networks named myVirtualNetworkA and myVirtualNetworkB, your account must be assigned the following minimum role or permissions for each virtual network:

Virtual network     Deployment model   Role                          Permissions
myVirtualNetworkA   Resource Manager   Network Contributor           Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
                    Classic            Classic Network Contributor   N/A
myVirtualNetworkB   Resource Manager   Network Contributor           Microsoft.Network/virtualNetworks/peer
                    Classic            Classic Network Contributor   Microsoft.ClassicNetwork/virtualNetworks/peer

Monitor

When peering two virtual networks created through Resource Manager, a peering must be configured for each virtual network in the pair. You can monitor the status of your peering connection. The peering status is one of the following:

  • Initiated: The state shown when you have created the peering from the first virtual network to the second virtual network.
  • Connected: The state shown once you have also created the peering from the second virtual network to the first. The peering state for the first virtual network changes from Initiated to Connected. A virtual network peering is not successfully established until the state of both virtual network peerings is Connected.
  • Disconnected: The state shown if a peering from one virtual network to the other is deleted after the peering was established between the two virtual networks.

Troubleshoot

To confirm a virtual network peering, check the effective routes for a network interface in any subnet of the virtual network. If a peering exists, all subnets within the virtual network have routes with next hop type VNet peering for each address space in each peered virtual network.

You can also troubleshoot connectivity to a virtual machine in a peered virtual network using Network Watcher's connectivity check. Connectivity check shows how traffic is routed from a source virtual machine's network interface to a destination virtual machine's network interface.
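The following Python is an added example, not code from this page or from Azure. It models the per-side peering states from the Monitor section, derives the effective routes described above (VnetLocal for the VNet's own ranges, VNetPeering for each address space of each Connected peer, and nothing at all for peers of peers, since peering is not transitive), and applies a user-defined route to a network virtual appliance in the peered hub, the service-chaining case from the earlier section. The hub and spoke names, their address spaces and the NVA address 10.0.0.4 are constructed; Azure's other default system routes (such as the 0.0.0.0/0 route to the Internet) are deliberately left out of the model, so an unmatched destination returns a next hop type of None here.

```python
"""Model of Azure VNet peering state, the effective routes a peering
produces, and a user-defined route to an NVA in a peered hub.
Added example; VNet names, address spaces and the NVA address are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class VirtualNetwork:
    name: str
    address_space: list                           # CIDR strings
    peerings: dict = field(default_factory=dict)  # remote VNet name -> state


def create_peering(local, remote):
    """Configure the peering on the local side. It shows Initiated until the
    remote side configures its own peering back; then both show Connected."""
    if local.name in remote.peerings:
        local.peerings[remote.name] = "Connected"
        remote.peerings[local.name] = "Connected"
    else:
        local.peerings[remote.name] = "Initiated"


def delete_peering(local, remote):
    """Delete the local side. An established peering on the remote side drops
    to Disconnected, and its routes towards this VNet disappear."""
    local.peerings.pop(remote.name, None)
    if remote.peerings.get(local.name) == "Connected":
        remote.peerings[local.name] = "Disconnected"


def effective_routes(vnet, catalogue):
    """System routes a NIC in `vnet` would show: VnetLocal for the VNet's own
    address space and VNetPeering for each address space of each Connected
    peer. Peers of peers contribute nothing: peering is not transitive."""
    routes = [(ip_network(p), "VnetLocal", None) for p in vnet.address_space]
    for remote_name, state in vnet.peerings.items():
        if state == "Connected":
            for prefix in catalogue[remote_name].address_space:
                routes.append((ip_network(prefix), "VNetPeering", None))
    return routes


def next_hop(vnet, catalogue, user_routes, destination):
    """Pick the route for `destination`: a user-defined route overrides the
    system route with the same prefix, then the longest prefix wins. A spoke
    UDR 0.0.0.0/0 -> VirtualAppliance <hub NVA> is the service-chaining case."""
    dest = ip_address(destination)
    table = {prefix: (prefix, kind, hop)
             for prefix, kind, hop in effective_routes(vnet, catalogue)}
    for prefix, kind, hop in user_routes:
        net = ip_network(prefix)
        table[net] = (net, kind, hop)
    matches = [r for r in table.values() if dest in r[0]]
    if not matches:
        return ("None", None)
    _, kind, hop = max(matches, key=lambda r: r[0].prefixlen)
    return (kind, hop)


def build_hub_and_spoke():
    """Constructed sample: a hub peered with two spokes, both sides configured."""
    hub = VirtualNetwork("hub", ["10.0.0.0/16"])
    spoke1 = VirtualNetwork("spoke1", ["10.1.0.0/16"])
    spoke2 = VirtualNetwork("spoke2", ["10.2.0.0/16"])
    for spoke in (spoke1, spoke2):
        create_peering(spoke, hub)   # spoke side: Initiated
        create_peering(hub, spoke)   # hub side completes it: Connected on both
    return {v.name: v for v in (hub, spoke1, spoke2)}


if __name__ == "__main__":
    vnets = build_hub_and_spoke()
    spoke1 = vnets["spoke1"]
    for prefix, kind, hop in effective_routes(spoke1, vnets):
        print(f"{str(prefix):<16} {kind:<12} {hop or ''}")
    # Assumed UDR on spoke1's subnet: send everything else to the NVA in the hub.
    udr = [("0.0.0.0/0", "VirtualAppliance", "10.0.0.4")]
    print("spoke1 -> 10.2.0.5 via", next_hop(spoke1, vnets, udr, "10.2.0.5"))
    delete_peering(vnets["hub"], spoke1)
    print("spoke1 peering to hub is now", spoke1.peerings["hub"])
```

Running it prints spoke1's routes (its own /16 as VnetLocal, the hub's /16 as VNetPeering, and no route to spoke2), shows that spoke-to-spoke traffic only reaches the other spoke through the NVA route, and shows the hub-side deletion leaving spoke1's peering in the Disconnected state that the Monitor section describes.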

Limits

There are limits on the number of peerings allowed for a single virtual network. For details, see Azure networking limits.

Pricing

There is a nominal charge for ingress and egress traffic that uses a virtual network peering connection. For more information, see the pricing page.

Next steps