您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure 虚拟网络常见问题 (FAQ)Azure Virtual Network frequently asked questions (FAQ)

虚拟网络基础知识Virtual Network basics

Azure 虚拟网络 (VNet) 是什么?What is an Azure Virtual Network (VNet)?

Azure 虚拟网络 (VNet) 是你自己的网络在云中的表示形式。An Azure Virtual Network (VNet) is a representation of your own network in the cloud. 它是对专用于订阅的 Azure 云进行的逻辑隔离。It is a logical isolation of the Azure cloud dedicated to your subscription. 你可以使用 VNet 设置和管理 Azure 中的虚拟专用网络 (VPN),或者链接 VNet 与 Azure 中的其他 VNet,或链接你的本地 IT 基础结构,以创建混合或跨界解决方案。You can use VNets to provision and manage virtual private networks (VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with your on-premises IT infrastructure to create hybrid or cross-premises solutions. 创建的每个 VNet 具有其自身的 CIDR 块,只要 CIDR 块不重叠,即可链接到其他 VNet 和本地网络。Each VNet you create has its own CIDR block, and can be linked to other VNets and on-premises networks as long as the CIDR blocks do not overlap. 还可以控制 VNet 的 DNS 服务器设置并将 VNet 分离到子网中。You also have control of DNS server settings for VNets, and segmentation of the VNet into subnets.

使用 VNet:Use VNets to:

  • 创建私有云专用的 VNet:有时,不需要对解决方案使用跨界配置。Create a dedicated private cloud-only VNet Sometimes you don't require a cross-premises configuration for your solution. 创建 VNet 时,VNet 中的服务和 VM 可以在云中安全地互相直接通信。When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud. 在解决方案中,还可以为需要进行 Internet 通信的 VM 和服务配置终结点连接。You can still configure endpoint connections for the VMs and services that require Internet communication, as part of your solution.
  • 安全地扩展数据中心:借助 VNet,可以构建传统的站点到站点 (S2S) VPN,以便安全缩放数据中心的容量。Securely extend your data center With VNets, you can build traditional site-to-site (S2S) VPNs to securely scale your datacenter capacity. S2S VPN 使用 IPSEC 提供企业 VPN 网关和 Azure 之间的安全连接。S2S VPNs use IPSEC to provide a secure connection between your corporate VPN gateway and Azure.
  • 实现混合云方案:利用 VNet 可以灵活支持一系列混合云方案。Enable hybrid cloud scenarios VNets give you the flexibility to support a range of hybrid cloud scenarios. 可以安全地将基于云的应用程序连接到任何类型的本地系统,例如大型机和 Unix 系统。You can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix systems.

如何入门?How do I get started?

请访问虚拟网络文档帮助自己入门。Visit the Virtual network documentation to get started. 该内容提供了所有 VNet 功能的概述和部署信息。This content provides overview and deployment information for all of the VNet features.

没有跨界连接的情况下是否可以使用 VNet?Can I use VNets without cross-premises connectivity?

是的。Yes. 可以在不连接到本地的情况下使用 VNet。You can use a VNet without connecting it to your premises. 例如,可以在 Azure VNet 中单独运行 Microsoft Windows Server Active Directory 域控制器和 SharePoint 场。For example, you could run Microsoft Windows Server Active Directory domain controllers and SharePoint farms solely in an Azure VNet.

是否可以在 VNet 之间或者 VNet 与本地数据中心之间执行 WAN 优化?Can I perform WAN optimization between VNets or a VNet and my on-premises data center?

是的。Yes. 可以通过 Azure 市场部署许多供应商提供 WAN 优化网络虚拟设备You can deploy a WAN optimization network virtual appliance from several vendors through the Azure Marketplace.

配置Configuration

要使用哪些工具创建 VNet?What tools do I use to create a VNet?

可以使用以下工具创建或配置 VNet:You can use the following tools to create or configure a VNet:

在我的 VNet 中可以使用哪些地址范围?What address ranges can I use in my VNets?

RFC 1918中定义的任何 IP 地址范围。Any IP address range defined in RFC 1918. 例如 10.0.0.0/16。For example, 10.0.0.0/16. 无法添加以下的地址范围:You cannot add the following address ranges:

  • 224.0.0.0/4(多播)224.0.0.0/4 (Multicast)
  • 255.255.255.255/32(广播)255.255.255.255/32 (Broadcast)
  • 127.0.0.0/8(环回)127.0.0.0/8 (Loopback)
  • 169.254.0.0/16(本地链路)169.254.0.0/16 (Link-local)
  • 168.63.129.16/32(内部 DNS)168.63.129.16/32 (Internal DNS)

我的 VNet 中是否可以有公共 IP 地址?Can I have public IP addresses in my VNets?

是的。Yes. 有关公共 IP 地址范围的详细信息,请参阅创建虚拟网络For more information about public IP address ranges, see Create a virtual network. 无法从 Internet 直接访问公共 IP 地址。Public IP addresses are not directly accessible from the internet.

VNet 中的子网数量是否有限制?Is there a limit to the number of subnets in my VNet?

是的。Yes. 有关详细信息,请参阅 Azure 限制See Azure limits for details. 子网地址空间不能相互重叠。Subnet address spaces cannot overlap one another.

使用这些子网中的 IP 地址是否有任何限制?Are there any restrictions on using IP addresses within these subnets?

是的。Yes. Azure 在每个子网中保留 5 个 IP 地址。Azure reserves 5 IP addresses within each subnet. 这些是 x.x.x.0-x.x.x.3 和最后一个子网的地址。These are x.x.x.0-x.x.x.3 and the last address of the subnet.

  • 为协议一致性保留 x.x.x.0 和最后一个子网的地址。x.x.x.0 and the last address of the subnet is reserved for protocol conformance.
  • x.x.x.1-x.x.x.3 保留在 Azure 服务的每个子网中。x.x.x.1-x.x.x.3 is reserved in each subnet for Azure services.

VNet 和子网的最小和最大容量是多少?How small and how large can VNets and subnets be?

支持的最小子网为 /29,最大为 /8(使用 CIDR 子网定义)。The smallest supported subnet is /29, and the largest is /8 (using CIDR subnet definitions).

是否可以使用 VNet 将 VLAN 引入 Azure 中?Can I bring my VLANs to Azure using VNets?

不。No. VNet 是第 3 层重叠。VNets are Layer-3 overlays. Azure 不支持任何第 2 层语义。Azure does not support any Layer-2 semantics.

是否可以在 VNet 和子网上指定自定义路由策略?Can I specify custom routing policies on my VNets and subnets?

是的。Yes. 你可以创建路由表并将其关联到子网。You can create a route table and associate it to a subnet. 有关 Azure 中的路由的详细信息,请参阅路由概述For more information about routing in Azure, see Routing overview.

VNet 是否支持多播或广播?Do VNets support multicast or broadcast?

不。No. 不支持多播和广播。Multicast and broadcast are not supported.

在 VNet 中可以使用哪些协议?What protocols can I use within VNets?

可以在 VNet 中使用 TCP、UDP 和 ICMP TCP/IP 协议。You can use TCP, UDP, and ICMP TCP/IP protocols within VNets. VNet 内支持单播放,但通过单播(源端口 UDP/68/目标端口 UDP/67)的动态主机配置协议 (DHCP) 除外。Unicast is supported within VNets, with the exception of Dynamic Host Configuration Protocol (DHCP) via Unicast (source port UDP/68 / destination port UDP/67). VNet 中会阻止多播、广播、在 IP 里面封装 IP 的数据包以及通用路由封装 (GRE) 数据包。Multicast, broadcast, IP-in-IP encapsulated packets, and Generic Routing Encapsulation (GRE) packets are blocked within VNets.

是否可以在 VNet 中 ping 默认路由器?Can I ping my default routers within a VNet?

不。No.

是否可以使用 tracert 诊断连接?Can I use tracert to diagnose connectivity?

不。No.

创建 VNet 后是否可以添加子网?Can I add subnets after the VNet is created?

是的。Yes. 可以随时向 VNet 中添加子网,只要子网地址范围不是另一子网的一部分并且虚拟网络的地址范围中有剩余的可用空间。Subnets can be added to VNets at any time as long as the subnet address range is not part of another subnet and there is available space left in the virtual network's address range.

创建后是否可以修改子网的大小?Can I modify the size of my subnet after I create it?

是的。Yes. 如果子网中未部署任何 VM 或服务,可以添加、删除、扩展或收缩该子网。You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed within it.

创建子网后是否可以对其进行修改?Can I modify subnets after I created them?

是的。Yes. 可以添加、删除和修改 VNet 使用的 CIDR 块。You can add, remove, and modify the CIDR blocks used by a VNet.

如果我在 VNet 中运行服务,是否可以连接到 Internet?If I am running my services in a VNet, can I connect to the internet?

是的。Yes. VNet 中部署的所有服务都可以在出站方向连接到 Internet。All services deployed within a VNet can connect outbound to the internet. 若要详细了解 Azure 中的出站 Internet 连接,请参阅出站连接To learn more about outbound internet connections in Azure, see Outbound connections. 如果希望在入站方向连接到通过资源管理器部署的某个资源,该资源必须具有分配给它的公用 IP 地址。If you want to connect inbound to a resource deployed through Resource Manager, the resource must have a public IP address assigned to it. 若要详细了解公用 IP 地址,请参阅公用 IP 地址To learn more about public IP addresses, see Public IP addresses. Azure 中部署的每个云服务都具有分配给它的可公开寻址的 VIP。Every Azure Cloud Service deployed in Azure has a publicly addressable VIP assigned to it. 你将定义 PaaS 角色的输入终结点和虚拟机的终结点,以使这些服务可以接受来自 Internet 的连接。You define input endpoints for PaaS roles and endpoints for virtual machines to enable these services to accept connections from the internet.

VNet 是否支持 IPv6?Do VNets support IPv6?

不。No. 目前不能将 IPv6 用于 VNet。You cannot use IPv6 with VNets at this time. 但是,可以将 IPv6 地址分配给 Azure 负载均衡器来对虚拟机进行负载均衡。You can however, assign IPv6 addresses to Azure load balancers to load balance virtual machines. 有关详细信息,请参阅 Azure 负载均衡器的 IPv6 概述For details, see Overview of IPv6 for Azure Load Balancer.

VNet 是否可以跨区域?Can a VNet span regions?

不。No. 一个 VNet 限制为单个区域。A VNet is limited to a single region. 但是,虚拟网络可以跨可用性区域。A virtual network does, however, span availability zones. 若要详细了解可用性区域,请参阅可用性区域概述To learn more about availability zones, see Availability zones overview. 可以通过虚拟网络对等互连来连接不同区域中的虚拟网络。You can connect virtual networks in different regions with virtual network peering. 有关详细信息,请参阅虚拟网络对等互连概述For details, see Virtual network peering overview

是否可以将 VNet 连接到 Azure 中的另一个 VNet?Can I connect a VNet to another VNet in Azure?

是的。Yes. 可以使用以下任一方式将一个 VNet 连接到另一个 VNet:You can connect one VNet to another VNet using either:

名称解析 (DNS)Name Resolution (DNS)

VNet 的 DNS 选项有哪些?What are my DNS options for VNets?

使用 VM 和角色实例的名称解析页上的决策表,可引导用户浏览可用的所有 DNS 选项。Use the decision table on the Name Resolution for VMs and Role Instances page to guide you through all the DNS options available.

是否可以为 VNet 指定 DNS 服务器?Can I specify DNS servers for a VNet?

是的。Yes. 可以在 VNet 设置中指定 DNS 服务器 IP 地址。You can specify DNS server IP addresses in the VNet settings. 此设置将应用为 VNet 中的所有 VM 的默认 DNS 服务器。The setting is applied as the default DNS server(s) for all VMs in the VNet.

可以指定多少 DNS 服务器?How many DNS servers can I specify?

请参考 Azure 限制Reference Azure limits.

创建网络后是否可以修改 DNS 服务器?Can I modify my DNS servers after I have created the network?

是的。Yes. 可以随时更改 VNet 的 DNS 服务器列表。You can change the DNS server list for your VNet at any time. 如果更改 DNS 服务器列表,则需要重新启动 VNet 中的每个 VM,以使其拾取新的 DNS 服务器。If you change your DNS server list, you will need to restart each of the VMs in your VNet in order for them to pick up the new DNS server.

什么是 Azure 提供的 DNS?它是否适用于 VNet?What is Azure-provided DNS and does it work with VNets?

Azure 提供的 DNS 是由 Microsoft 提供的多租户 DNS 服务。Azure-provided DNS is a multi-tenant DNS service offered by Microsoft. Azure 在此服务中注册所有 VM 和云服务角色实例。Azure registers all of your VMs and cloud service role instances in this service. 此服务通过主机名为相同云服务内包含的 VM 和角色实例提供名称解析,并通过 FQDN 为相同 VNet 中的 VM 和角色实例提供名称解析。This service provides name resolution by hostname for VMs and role instances contained within the same cloud service, and by FQDN for VMs and role instances in the same VNet. 若要详细了解 DNS,请参阅 VM 和云服务角色实例的名称解析To learn more about DNS, see Name Resolution for VMs and Cloud Services role instances.

使用 Azure 提供的 DNS 进行跨租户名称解析时,VNet 中的前 100 个云服务存在限制。There is a limitation to the first 100 cloud services in a VNet for cross-tenant name resolution using Azure-provided DNS. 如果使用自己的 DNS 服务器,此限制则不适用。If you are using your own DNS server, this limitation does not apply.

是否可以基于每个 VM 或云服务重写 DNS 设置?Can I override my DNS settings on a per-VM or cloud service basis?

是的。Yes. 可以基于每个 VM 或云服务设置 DNS 服务器,以替代默认网络设置。You can set DNS servers per VM or cloud service to override the default network settings. 但是,建议尽可能使用网络级别的 DNS。However, it's recommended that you use network-wide DNS as much as possible.

是否可以引入我自己的 DNS 后缀?Can I bring my own DNS suffix?

不。No. 不能为 VNet 指定自定义的 DNS 后缀。You cannot specify a custom DNS suffix for your VNets.

连接虚拟机Connecting virtual machines

是否可以将 VM 部署到 VNet?Can I deploy VMs to a VNet?

是的。Yes. 附加到通过资源管理器部署模型部署的 VM 的所有网络接口 (NIC) 必须连接到 VNet。All network interfaces (NIC) attached to a VM deployed through the Resource Manager deployment model must be connected to a VNet. 可以选择性地将通过经典部署模型部署的 VM 连接到 VNet。VMs deployed through the classic deployment model can optionally be connected to a VNet.

可向 VM 分配哪些不同类型的 IP 地址?What are the different types of IP addresses I can assign to VMs?

  • 专用: 分配到每个 VM 中的每个 NIC。Private: Assigned to each NIC within each VM. 使用静态或动态方法分配地址。The address is assigned using either the static or dynamic method. 应该分配 VNet 子网设置中指定的范围内的专用 IP 地址。Private IP addresses are assigned from the range that you specified in the subnet settings of your VNet. 将为通过经典部署模型部署的资源分配专用 IP 地址,即使它们未连接到 VNet。Resources deployed through the classic deployment model are assigned private IP addresses, even if they're not connected to a VNet. 分配方法的行为根据资源是通过资源管理器还是通过经典部署模型部署的而不同:The behavior of the allocation method is different depending on whether a resource was deployed with the Resource Manager or classic deployment model:

    • 资源管理器:使用动态或静态方法分配的专用 IP 地址保持分配给虚拟机(资源管理器),直到该资源被删除。Resource Manager: A private IP address assigned with the dynamic or static method remains assigned to a virtual machine (Resource Manager) until the resource is deleted. 差别在于,使用静态方法时由你来选择地址,而使用动态方法时由 Azure 来选择地址。The difference is that you select the address to assign when using static, and Azure chooses when using dynamic.
    • 经典:如果虚拟机(经典)VM 在处于停止(解除分配)状态后重启,则使用动态方法分配的的专用 IP 地址可能会变化。Classic: A private IP address assigned with the dynamic method may change when a virtual machine (classic) VM is restarted after having been in the stopped (deallocated) state. 如果需要确保通过经典部署模型部署的资源的专用 IP 地址永远不会变化,请使用静态方法分配专用 IP 地址。If you need to ensure that the private IP address for a resource deployed through the classic deployment model never changes, assign a private IP address with the static method.
  • 公共: 选择性地分配给附加到通过 Azure 资源管理器部署模型部署的 VM 的 NIC。Public: Optionally assigned to NICs attached to VMs deployed through the Azure Resource Manager deployment model. 可以使用静态或动态分配方法分配地址。The address can be assigned with the static or dynamic allocation method. 通过经典部署模型部署的所有 VM 和云服务角色实例位于分配有动态公共虚拟 IP (VIP) 地址的云服务中。All VMs and Cloud Services role instances deployed through the classic deployment model exist within a cloud service, which is assigned a dynamic, public virtual IP (VIP) address. 可以选择性地将某个公共静态 IP 地址(称为保留 IP 地址)分配为 VIP。A public static IP address, called a Reserved IP address, can optionally be assigned as a VIP. 可将公共 IP 地址分配给通过经典部署模型部署的单个 VM 或云服务角色实例。You can assign public IP addresses to individual VMs or Cloud Services role instances deployed through the classic deployment model. 这些地址称为实例级公共 IP (ILPIP 地址,可动态分配。These addresses are called Instance level public IP (ILPIP addresses and can be assigned dynamically.

是否可为以后创建的 VM 保留专用 IP 地址?Can I reserve a private IP address for a VM that I will create at a later time?

不。No. 无法保留专用 IP 地址。You cannot reserve a private IP address. 如果某个专用 IP 地址可用,则 DHCP 服务器会将其分配给某个 VM 或角色实例。If a private IP address is available, it is assigned to a VM or role instance by the DHCP server. 该 VM 可能是你希望将专用 IP 地址分配到的 VM,也可能不是。The VM may or may not be the one that you want the private IP address assigned to. 但是,可将已创建的 VM 的专用 IP 地址更改为任何可用的专用 IP 地址。You can, however, change the private IP address of an already created VM, to any available private IP address.

VNet 中 VM 的专用 IP 地址是否会变化?Do private IP addresses change for VMs in a VNet?

视情况而定。It depends. 如果 VM 是通过资源管理器部署的,则无论 IP 地址是使用静态还是动态分配方法分配的,该 IP 地址都不会变化。If the VM was deployed through Resource Manager, no, regardless of whether the IP address was assigned with the static or dynamic allocation method. 如果 VM 是通过经典部署模型部署的,则动态 IP 地址在 VM 处于停止(解除分配)状态后重新启动时可能会变化。If the VM was deployed through the classic deployment model, dynamic IP addresses can change when a VM is started after having been in the stopped (deallocated) state. 当删除通过任一部署模型部署的 VM 时,会从该 VM 释放地址。The address is released from a VM deployed through either deployment model when the VM is deleted.

是否可以在 VM 操作系统中手动将 IP 地址分配到 NIC?Can I manually assign IP addresses to NICs within the VM operating system?

可以,但是除非必要,不建议这样做,例如为虚拟机分配多个 IP 地址时。Yes, but it's not recommended unless necessary, such as when assigning multiple IP addresses to a virtual machine. 有关详细信息,请参阅为虚拟机添加多个 IP 地址For details, see Adding multiple IP addresses to a virtual machine. 如果分配给附加到 VM 的 Azure NIC 的 IP 地址更改,并且 VM 操作系统内的 IP 地址不同,则会丢失到 VM 的连接。If the IP address assigned to an Azure NIC attached to a VM changes, and the IP address within the VM operating system is different, you lose connectivity to the VM.

如果在操作系统中停止云服务部署槽或关闭 VM,IP 地址会发生什么情况?If I stop a Cloud Service deployment slot or shutdown a VM from within the operating system, what happens to my IP addresses?

无变化。Nothing. IP 地址(公共 VIP、公共和专用)将保留分配给该云服务部署槽或 VM。The IP addresses (public VIP, public, and private) remain assigned to the cloud service deployment slot or VM.

在无需重新部署的情况下,是否可以将 VM 从一个子网移动到 VNet 中的另一个子网?Can I move VMs from one subnet to another subnet in a VNet without redeploying?

是的。Yes. 可在如何将 VM 或角色实例移到其他子网一文中找到详细信息。You can find more information in the How to move a VM or role instance to a different subnet article.

是否可以为我的 VM 配置静态 MAC 地址?Can I configure a static MAC address for my VM?

不。No. MAC 地址不能以静态方式配置。A MAC address cannot be statically configured.

创建 VM 后,其 MAC 地址是否将保持不变?Will the MAC address remain the same for my VM once it's created?

是的,通过 Resource Manager 和经典部署模型部署的 VM 在被删除之前,其 MAC 地址将保持不变。Yes, the MAC address remains the same for a VM deployed through both the Resource Manager and classic deployment models until it's deleted. 以前,如果停止(解除分配)VM,会释放 MAC 地址,但现在,即使 VM 处于解除分配状态,也会保留其 MAC 地址。Previously, the MAC address was released if the VM was stopped (deallocated), but now the MAC address is retained even when the VM is in the deallocated state. 除非网络接口被删除或者分配给主网络接口的主 IP 配置的专用 IP 地址发生更改,否则该 MAC 地址将始终分配给该网络接口。The MAC address remains assigned to the network interface until the network interface is deleted or the private IP address assigned to the primary IP configuration of the primary network interface is changed.

是否可以通过 VNet 中的 VM 连接到 Internet?Can I connect to the internet from a VM in a VNet?

是的。Yes. VNet 中部署的所有 VM 和云服务角色实例都可连接到 Internet。All VMs and Cloud Services role instances deployed within a VNet can connect to the Internet.

连接到 VNet 的 Azure 服务Azure services that connect to VNets

是否可以在 VNet 中使用 Azure 应用服务 Web 应用?Can I use Azure App Service Web Apps with a VNet?

是的。Yes. 可以部署在 VNet 使用 ASE (应用服务环境) 中的 Web 应用,连接到 Vnet 使用 VNet 集成和入站流量锁定您的应用程序的后端,以使用服务终结点对应用程序。You can deploy Web Apps inside a VNet using an ASE (App Service Environment), connect the backend of your apps to your VNets with VNet Integration, and lock down inbound traffic to your app with service endpoints. 有关详细信息,请参阅以下文章:For more information, see the following articles:

是否可以在 VNet 中部署云服务与 Web 和辅助角色 (PaaS)?Can I deploy Cloud Services with web and worker roles (PaaS) in a VNet?

是的。Yes. (可选)可在 VNet 中部署云服务角色实例。You can (optionally) deploy Cloud Services role instances within VNets. 为此,请在服务配置的网络配置部分中指定 VNet 名称和角色/子网映射。To do so, you specify the VNet name and the role/subnet mappings in the network configuration section of your service configuration. 不需要更新任何二进制文件。You do not need to update any of your binaries.

可以连接的虚拟机规模集到 VNet?Can I connect a virtual machine scale set to a VNet?

是的。Yes. 你必须连接的虚拟机规模集到 VNet。You must connect a virtual machine scale set to a VNet.

是否存在我可以将其中的资源部署到 VNet 的 Azure 服务完整列表?Is there a complete list of Azure services that can I deploy resources from into a VNet?

是的,有关详细信息,请参阅Azure 服务的虚拟网络集成Yes, For details, see Virtual network integration for Azure services.

可以从 VNet 限制对哪些 Azure PaaS 资源的访问?Which Azure PaaS resources can I restrict access to from a VNet?

通过某些 Azure PaaS 服务(例如 Azure 存储和 Azure SQL 数据库)部署的资源只能通过使用虚拟网络服务终结点限制对 VNet 中的资源的访问。Resources deployed through some Azure PaaS services (such as Azure Storage and Azure SQL Database), can restrict network access to only resources in a VNet through the use of virtual network service endpoints. 有关详细信息,请参阅虚拟网络服务终结点概述For details, see Virtual network service endpoints overview.

是否可以将服务移入和移出 VNet?Can I move my services in and out of VNets?

不。No. 不能将服务移入和移出 VNet。You cannot move services in and out of VNets. 若要将某个资源移动到另一个 VNet,必须删除并重新部署该资源。To move a resource to another VNet, you have to delete and redeploy the resource.

安全Security

VNet 的安全模型是什么?What is the security model for VNets?

VNet 相互之间以及与 Azure 基础结构中托管的其他服务之间相互隔离。VNets are isolated from one another, and other services hosted in the Azure infrastructure. VNet 是一条信任边界。A VNet is a trust boundary.

是否可以限制入站或出站流量流向与 VNet 连接的资源?Can I restrict inbound or outbound traffic flow to VNet-connected resources?

可以。Yes. 可向 VNet 中的单个子网和/或附加到 VNet 的 NIC 应用网络安全组You can apply Network Security Groups to individual subnets within a VNet, NICs attached to a VNet, or both.

是否可在与 VNet 连接的资源之间实施防火墙?Can I implement a firewall between VNet-connected resources?

是的。Yes. 可以通过 Azure 市场部署许多供应商提供防火墙网络虚拟设备You can deploy a firewall network virtual appliance from several vendors through the Azure Marketplace.

是否有介绍如何保护 VNet 的信息?Is there information available about securing VNets?

是的。Yes. 有关详细信息,请参阅 Azure 网络安全概述For details, see Azure Network Security Overview.

API、架构和工具APIs, schemas, and tools

是否可以通过代码管理 VNet?Can I manage VNets from code?

是的。Yes. 可以针对 Vnet 中使用 REST Api Azure 资源管理器经典部署模型。You can use REST APIs for VNets in the Azure Resource Manager and classic deployment models.

是否有 VNet 的工具支持?Is there tooling support for VNets?

是的。Yes. 详细了解以下操作:Learn more about using:

VNet 对等互连VNet peering

什么是 VNet 对等互连?What is VNet peering?

使用 VNet 对等互连(或虚拟网络对等互连)可连接虚拟网络。VNet peering (or virtual network peering) enables you to connect virtual networks. 使用虚拟网络之间的 VNet 对等互连连接,可通过 IPv4 地址在这些虚拟网络之间私下路由流量。A VNet peering connection between virtual networks enables you to route traffic between them privately through IPv4 addresses. 对等互连的 VNet 中的虚拟机可相互通信,如同它们处于同一网络中一样。Virtual machines in the peered VNets can communicate with each other as if they are within the same network. 这些虚拟网络可以位于相同区域或不同区域中(也称为全球 VNet 对等互连)。These virtual networks can be in the same region or in different regions (also known as Global VNet Peering). 此外,还可跨 Azure 订阅创建 VNet 对等互连连接。VNet peering connections can also be created across Azure subscriptions.

是否可以在另一区域创建到 VNet 的对等互连连接?Can I create a peering connection to a VNet in a different region?

是的。Yes. 全球 VNet 对等互连可以将不同区域中的 VNet 对等互连。Global VNet peering enables you to peer VNets in different regions. 全局 VNet 对等互连目前在所有 Azure 公共区域、 中国云区域和政府云区域。Global VNet peering is available in all Azure public regions, China cloud regions, and Government cloud regions. 您不能全局对等互连从 Azure 公共区域到国家云区域。You cannot globally peer from Azure public regions to national cloud regions.

如果两个虚拟网络位于不同的区域(全球 VNet 对等互连),则无法连接到使用基本负载均衡器的资源。If the two virtual networks are in different region (Global VNet Peering), you cannot connect to resources that use Basic Load Balancer. 你可以连接到使用标准负载均衡器的资源。You can connect to resources that use Standard Load Balancer. 以下资源使用基本负载均衡器,这意味着你不能跨全球 VNet 对等互连与它们进行通信:The following resources use Basic Load Balancers which means you cannot communicate to them across Global VNet Peering:

  • 位于基本负载均衡器后的 VMVMs behind Basic Load Balancers
  • 使用基本负载均衡器虚拟机规模集Virtual machine scale sets with Basic Load Balancers
  • Redis 缓存Redis Cache
  • 应用程序网关 (v1) SKUApplication Gateway (v1) SKU
  • Service FabricService Fabric
  • SQL MISQL MI
  • API 管理API Management
  • Active Directory 域服务 (ADDS)Active Directory Domain Service (ADDS)
  • 逻辑应用Logic Apps
  • HDInsightHDInsight
  • Azure 批处理Azure Batch
  • AKSAKS
  • 应用服务环境App Service Environment

你可以通过 VNet 网关经由 ExpressRoute 或 VNet-to-VNet 连接到这些资源。You can connect to these resource via ExpressRoute or VNet-to-VNet through VNet Gateways.

如果虚拟网络所属的订阅位于不同的 Azure Active Directory 租户中,能否启用 VNet 对等互连?Can I enable VNet Peering if my virtual networks belong to subscriptions within different Azure Active Directory tenants?

是的。Yes. 如果订阅属于不同的 Azure Active Directory 租户,则可以建立 VNet 对等互连(无论是本地还是全球)。It is possible to establish VNet Peering (whether local or global) if your subscriptions belong to different Azure Active Directory tenants. 可以通过 PowerShell 或 CLI 来执行此操作。You can do this via PowerShell or CLI. 尚不支持门户。Portal is not yet supported.

我的 VNet 对等互连连接处于“已启动”状态,为什么我不能连接? My VNet peering connection is in Initiated state, why can't I connect?

如果对等互连连接处于“已启动”状态,则意味着只创建了一个链接。If your peering connection is in an Initiated state, this means you have created only one link. 必须创建双向链接才能成功建立连接。A bidirectional link must be created in order to establish a successful connection. 例如,若要从 VNet A 对等互连到 VNet B,必须创建从 VNetA 到 VNetB 以及从 VNetB 到 VNetA 的链接。For example, to peer VNet A to VNet B, a link must be created from VNetA to VNetB and from VNetB to VNetA. 创建两个链接后,状态会更改为“已连接”。 Creating both links will change the state to Connected.

我的 VNet 对等互连连接处于“已断开连接”状态,为什么我无法创建对等互连连接 ?My VNet peering connection is in Disconnected state, why can't I create a peering connection?

VNet 对等互连连接处于“已断开连接”状态意味着创建的某个链接已被删除。If your VNet peering connection is in a Disconnected state, it means one of the links created was deleted. 若要重新建立对等互连连接,需要删除该链接并重新创建。In order to re-establish a peering connection, you will need to delete the link and recreate.

是否可以将我的 VNet 与另一订阅中的 VNet 对等互连?Can I peer my VNet with a VNet in a different subscription?

是的。Yes. 可以跨订阅和跨区域进行 VNet 对等互连。You can peer VNets across subscriptions and across regions.

是否可以将两个地址范围匹配或重叠的 VNet 对等互连?Can I peer two VNets with matching or overlapping address ranges?

不。No. 要启用 VNet 对等互连,地址空间不得重叠。Address spaces must not overlap to enable VNet Peering.

创建 VNet 对等互连连接不收费。There is no charge for creating a VNet peering connection. 跨对等互连连接进行数据传输收费。Data transfer across peering connections is charged. 参阅此文See here.

VNet 对等互连流量是否加密?Is VNet peering traffic encrypted?

不。No. 对等互连 VNet 中的资源之间的流量是专用的,处于隔离状态。Traffic between resources in peered VNets is private and isolated. 它始终局限在 Microsoft 主干上。It remains completely on the Microsoft Backbone.

为什么我的对等互连连接处于已断开状态?Why is my peering connection in a disconnected state?

删除某个 VNet 对等互连链接时,VNet 对等互连连接就会进入“已断开”状态。VNet peering connections go into Disconnected state when one VNet peering link is deleted. 必须删除两个链接才能重新建立成功的对等互连连接。You must delete both links in order to reestablish a successful peering connection.

如果我从 VNetA 对等互连到 VNetB,然后又从 VNetB 对等互连到 VNetC,这是否意味着 VNetA 和 VNetC 已对等互连?If I peer VNetA to VNetB and I peer VNetB to VNetC, does that mean VNetA and VNetC are peered?

不。No. 不支持可传递对等互连。Transitive peering is not supported. 必须单独将 VNetA 和 VNetC 对等互连。You must peer VNetA and VNetC for this to take place.

对等互连连接是否存在带宽限制?Are there any bandwidth limitations for peering connections?

不。No. VNet 对等互连不管是本地的还是全球的,都没有任何带宽限制。VNet peering, whether local or global, does not impose any bandwidth restrictions. 带宽仅受 VM 或计算资源的限制。Bandwidth is only limited by the VM or the compute resource.

如何排查 VNet 对等互连的问题?How can I troubleshoot VNet Peering issues?

下面是疑难解答指南可以尝试。Here is a troubleshooter guide you can try.

虚拟网络 TAPVirtual network TAP

可以在哪些 Azure 区域使用虚拟网络 TAP?Which Azure regions are available for virtual network TAP?

虚拟网络 TAP 预览版在所有 Azure 区域中都可用。Virtual network TAP preview is available in all Azure regions. 受监视的网络接口、虚拟网络 TAP 资源和收集器或分析解决方案必须部署在同一区域中。The monitored network interfaces, the virtual network TAP resource, and the collector or analytics solution must be deployed in the same region.

虚拟网络 TAP 是否支持对镜像数据包使用任何筛选功能?Does Virtual Network TAP support any filtering capabilities on the mirrored packets?

虚拟网络 TAP 预览版不支持筛选功能。Filtering capabilities are not supported with the virtual network TAP preview. 当 TAP 配置被添加到网络接口后,此网络接口上所有入口和出口流量的一个深层副本会被流式传输到 TAP 目标。When a TAP configuration is added to a network interface a deep copy of all the ingress and egress traffic on the network interface is streamed to the TAP destination.

是否可以向受监视的网络接口添加多个 TAP 配置?Can multiple TAP configurations be added to a monitored network interface?

受监视的网络接口仅能拥有一个 TAP 配置。A monitored network interface can have only one TAP configuration. 查看单个合作伙伴解决方案,寻找将 TAP 流量的多个副本流式传输到你所选择的分析工具的功能。Check with the individual partner solutions for the capability to stream multiple copies of the TAP traffic to the analytics tools of your choice.

同一虚拟网络 TAP 资源是否可以聚合多个虚拟网络中来自受监视的网络接口的流量?Can the same virtual network TAP resource aggregate traffic from monitored network interfaces in more than one virtual network?

是的。Yes. 同一虚拟网络 TAP 资源可用于聚合同一订阅或不同订阅中的对等虚拟网络中来自受监视的网络接口的镜像流量。The same virtual network TAP resource can be used to aggregate mirrored traffic from monitored network interfaces in peered virtual networks in the same subscription or a different subscription. 虚拟网络 TAP 资源和目标负载均衡器或目标网络接口必须位于同一订阅中。The virtual network TAP resource and the destination load balancer or destination network interface must be in the same subscription. 所有订阅必须在同一 Azure Active Directory 租户下。All subscriptions must be under the same Azure Active Directory tenant.

如果我在网络接口上启用虚拟网络 TAP 配置,是否需要考虑生产流量的性能问题?Are there any performance considerations on production traffic if I enable a virtual network TAP configuration on a network interface?

虚拟网络 TAP 现为预览版。Virtual network TAP is in preview. 在预览版期间,没有服务级别协议。During preview, there is no service level agreement. 容量不应用于生产工作负荷。The capability should not be used for production workloads. 使用 TAP 配置启用虚拟网络接口后,Azure 主机上分配给虚拟机以发送生产流量的相同资源将用于执行镜像功能并发送镜像数据包。When a virtual machine network interface is enabled with a TAP configuration, the same resources on the azure host allocated to the virtual machine to send the production traffic is used to perform the mirroring function and send the mirrored packets. 选择正确的 LinuxWindows 虚拟机大小,确保有足够的资源可用于虚拟机以发送生产流量和镜像流量。Select the correct Linux or Windows virtual machine size to ensure that sufficient resources are available for the virtual machine to send the production traffic and the mirrored traffic.

虚拟网络 TAP 是否支持适用于 LinuxWindows 的加速网络?Is accelerated networking for Linux or Windows supported with virtual network TAP?

你将能够在附加到已启用加速网络的虚拟机的网络接口上添加 TAP 配置。You will be able to add a TAP configuration on a network interface attached to a virtual machine that is enabled with accelerated networking. 但是,通过添加 TAP 配置将使虚拟机上的性能和延迟情况受到影响,因为 Azure 加速网络目前不支持卸载镜像流量。But the performance and latency on the virtual machine will be affected by adding TAP configuration since the offload for mirroring traffic is currently not supported by Azure accelerated networking.

虚拟网络服务终结点Virtual network service endpoints

为 Azure 服务设置服务终结点的正确操作顺序是什么?What is the right sequence of operations to set up service endpoints to an Azure service?

通过服务终结点保护 Azure 服务资源有两个步骤:There are two steps to securing an Azure service resource through service endpoints:

  1. 启用 Azure 服务的服务终结点。Turn on service endpoints for the Azure service.
  2. 在 Azure 服务上设置 VNet Acl。Set up VNet ACLs on the Azure service.

第一步是网络端操作,第二步是服务资源端操作。The first step is a network side operation and the second step is a service resource side operation. 这两个步骤可以由同一管理员或不同的管理员根据授予管理员角色的 RBAC 权限执行。Both steps can be performed either by the same administrator or different administrators based on the RBAC permissions granted to the administrator role. 建议首先在 Azure 服务端设置 VNet ACL 之前打开虚拟网络的服务终结点。We recommend that you first turn on service endpoints for your virtual network prior to setting up VNet ACLs on Azure service side. 因此,必须按照上面列出的顺序执行这些步骤以设置 VNet 服务终结点。Hence, the steps must be performed in sequence listed above to set up VNet service endpoints.

备注

必须先完成上述两个操作,然后才能限制 Azure 服务对允许的 VNet 和子网的访问。Both the operations described above must be completed before you can limit the Azure service access to the allowed VNet and subnet. 只有打开网络端 Azure 服务的服务终结点才能提供有限的访问权限。Only turning on service endpoints for the Azure service on the network side does not provide you the limited access. 此外,还必须在 Azure 服务端设置 VNet acl。In addition, you must also set up VNet ACLs on the Azure service side.

某些服务(如 SQL 和 CosmosDB)允许通过“IgnoreMissingVnetServiceEndpoint”标志对上述序列进行异常处理 。Certain services (such as SQL, and CosmosDB) allow exceptions to the above sequence through the IgnoreMissingVnetServiceEndpoint flag . 一旦将标志设置为“True”,就可在网络端设置服务终结点之前,在 Azure 服务端设置 VNet ACL 。Once the flag is set to True, VNet ACLs can be set on the Azure service side prior to setting up the service endpoints on network side. Azure 服务提供此标志以帮助客户在 Azure 服务上配置特定的 IP 防火墙,由于源 IP 从公共 IPv4 地址更改为专用地址,因此打开网络端的服务终结点会导致连接性下降。Azure services provide this flag to help customers in cases where the specific IP firewalls are configured on Azure services and turning on the service endpoints on the network side can lead to a connectivity drop since the source IP changes from a public IPv4 address to a private address. 在网络端设置服务终结点之前,在 Azure 服务端设置 VNet ACL 可帮助避免连接性下降。Setting up VNet ACLs on the Azure service side before setting service endpoints on the network side can help avoid a connectivity drop.

是否所有 Azure 服务都位于客户提供的 Azure 虚拟网络中?Do all Azure services reside in the Azure virtual network provided by the customer? VNet 服务终结点如何与 Azure 服务一起工作?How does VNet service endpoint work with Azure services?

否,并非所有 Azure 服务都位于客户提供的虚拟网络中。No, not all Azure services reside in the customer's virtual network. 大多数 Azure 数据服务,如 Azure 存储、Azure SQL 和 Azure Cosmos DB,都是可以通过公共 IP 地址访问的多租户服务。Majority of the Azure data services such as Azure Storage, Azure SQL, and Azure Cosmos DB, are multi-tenant services that can be accessed over public IP addresses. 可在此处详细了解 Azure 服务的虚拟网络集成。You can learn more about virtual network integration for Azure services here.

使用 VNet 服务终结点功能(在网络端打开 VNet 服务终结点并在 Azure 服务端设置适当的 VNet ACL)时,从允许的 VNet 和子网访问 Azure 服务具有一定限制。When you use the VNet service endpoints feature (turning on VNet service endpoint on the network side and setting up appropriate VNet ACLs on the Azure service side), access to an Azure service is restricted from an allowed VNet and subnet.

VNet 服务终结点是如何提供安全的?How does VNet service endpoint provide security?

VNet 服务终结点功能(在网络端打开 VNet 服务终结点并在 Azure 服务端设置适当的 VNet ACL)限制 Azure 服务访问允许的 VNet 和子网,从而提供了网络级别的安全性和 Azure 服务流量的隔离。The VNet service endpoint feature (turning on VNet service endpoint on the network side and setting up appropriate VNet ACLs on the Azure service side) limits the Azure service access to allowed VNet and subnet, thus providing a network level security and isolation of the Azure service traffic. 所有使用 VNet 服务终结点的流量都在 Microsoft 主干上流动,从而提供了与公共 Internet 的另一层隔离。All traffic using VNet service endpoints flows over Microsoft backbone, thus providing another layer of isolation from the public internet. 此外,客户还可选择完全删除对 Azure 服务资源的公共 Internet 访问权限,并且只允许通过 IP 防火墙和 VNet ACL 的组合从其虚拟网络中访问流量,从而保护 Azure 服务资源免受未经授权的访问。Moreover, customers can choose to fully remove public Internet access to the Azure service resources and allow traffic only from their virtual network through a combination of IP firewall and VNet ACLs, thus protecting the Azure service resources from unauthorized access.

VNet 服务终结点保护什么 - VNet 资源还是 Azure 服务?What does the VNet service endpoint protect - VNet resources or Azure service?

VNet 服务终结点有助于保护 Azure 服务资源。VNet service endpoints help protect Azure service resources. VNet 资源通过网络安全组 (NSG) 进行保护。VNet resources are protected through Network Security Groups (NSGs).

使用 VNet 服务终结点会产生任何成本吗?Is there any cost for using VNet service endpoints?

不会,使用 VNet 服务终结点不会产生额外的成本。No, there is no additional cost for using VNet service endpoints.

如果虚拟网络和 Azure 服务资源属于不同的订阅,是否可打开 VNet 服务终结点并设置 VNet ACL?Can I turn on VNet service endpoints and set up VNet ACLs if the virtual network and the Azure service resources belong to different subscriptions?

是的,可以这样做。Yes, it is possible. 虚拟网络和 Azure 服务资源也可以位于相同或不同的订阅中。Virtual networks and Azure service resources can be either in the same or different subscriptions. 唯一的要求是虚拟网络和 Azure 服务资源必须位于相同的 Active Directory (AD) 租户之下。The only requirement is that both the virtual network and Azure service resources must be under the same Active Directory (AD) tenant.

如果虚拟网络和 Azure 服务资源属于不同的 AD 租户,是否可打开 VNet 服务终结点并设置 VNet ACL?Can I turn on VNet service endpoints and set up VNet ACLs if the virtual network and the Azure service resources belong to different AD tenants?

否,AD 租户不支持 VNet 服务终结点和 VNet ACL。No, VNet service endpoints and VNet ACLs are not supported across AD tenants.

通过 Azure 虚拟网络网关 (VPN) 或快速路由网关连接的本地设备的 IP 地址是否可通过 VNet 服务终结点访问 Azure PaaS 服务?Can an on-premises device’s IP address that is connected through Azure Virtual Network gateway (VPN) or Express route gateway access Azure PaaS Service over VNet service endpoints?

默认情况下,无法从本地网络访问在虚拟网络中保护的 Azure 服务资源。By default, Azure service resources secured to virtual networks are not reachable from on-premises networks. 要允许来自本地的流量,还必须允许来自本地或 ExpressRoute 的公共(通常为 NAT)IP 地址。If you want to allow traffic from on-premises, you must also allow public (typically, NAT) IP addresses from your on-premises or ExpressRoute. 可通过 Azure 服务资源的 IP 防火墙配置添加这些 IP 地址。These IP addresses can be added through the IP firewall configuration for the Azure service resources.

是否可使用 VNet 服务终结点功能来保护 Azure 服务到虚拟网络中的多个子网或跨多个虚拟网络?Can I use VNet Service Endpoint feature to secure Azure service to multiple subnets with in a Virtual network or across multiple virtual networks?

要在一个虚拟网络中的多个子网内或者跨多个虚拟网络保护 Azure 服务,可以针对每个子网单独启用服务终结点,然后通过在 Azure 服务端设置适当的 VNet ACL 来保护所有子网的 Azure 服务资源。To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, enable service endpoints on network side on each of the subnets independently and then secure Azure service resources to all of the subnets by setting up appropriate VNet ACLs on Azure service side.

如何筛选从虚拟网络到 Azure 服务的出站流量,并且仍然使用服务终结点?How can I filter outbound traffic from a virtual network to Azure services and still use service endpoints?

如果想要检查或筛选从虚拟网络发往 Azure 服务的流量,可在该虚拟网络中部署网络虚拟设备。If you want to inspect or filter the traffic destined to an Azure service from a virtual network, you can deploy a network virtual appliance within the virtual network. 然后,可将服务终结点应用到部署了网络虚拟设备的子网,并通过 VNet ACL 在该子网中保护 Azure 服务资源。You can then apply service endpoints to the subnet where the network virtual appliance is deployed and secure Azure service resources only to this subnet through VNet ACLs. 如果希望使用网络虚拟设备筛选将从虚拟网络发起的 Azure 服务访问限制为特定的 Azure 资源,此方案可能也很有帮助。This scenario might also be helpful if you wish to restrict Azure service access from your virtual network only to specific Azure resources using network virtual appliance filtering. 有关详细信息,请阅读网络虚拟设备出口一文。For more information, see egress with network virtual appliances.

从 VNet 外部访问已启用虚拟网络访问控制列表 (ACL) 的 Azure 服务帐户时会发生什么情况?What happens when you access an Azure service account that has virtual network access control list (ACL) enabled from outside the VNet?

将返回 HTTP 403 或 HTTP 404 错误。The HTTP 403 or HTTP 404 error is returned.

是否允许不同区域中创建的虚拟网络子网访问另一个区域中的 Azure 服务帐户?Are subnets of a virtual network created in different regions allowed to access an Azure service account in another region?

是的,对于大多数 Azure 服务,在不同区域创建的虚拟网络可以通过 VNet 服务终结点访问另一个区域的 Azure 服务。Yes, for most of the Azure services, virtual networks created in different regions can access Azure services in another region through the VNet service endpoints. 例如,如果 Azure Cosmos DB 帐户位于美国西部或美国东部,而虚拟网络位于多个区域,该虚拟网络可以访问 Azure Cosmos DB。For example, if an Azure Cosmos DB account is in West US or East US and virtual networks are in multiple regions, the virtual network can access Azure Cosmos DB. 存储和 SQL 是例外情况,本质上是区域性的,虚拟网络和 Azure 服务都需位于同一区域。Storage and SQL are exceptions and are regional in nature and both the virtual network and the Azure service need to be in the same region.

Azure 服务可同时具有 VNet ACL 和 IP 防火墙吗?Can an Azure service have both VNet ACL and an IP firewall?

是的,VNet ACL 和 IP 防火墙可同时存在。Yes, VNet ACL and an IP firewall can co-exist. 这两个功能相互补充以确保隔离和安全性。Both features complement each other to ensure isolation and security.

如果删除为 Azure 服务打开服务终结点的虚拟网络或子网,会发生什么情况?What happens if you delete a virtual network or subnet that has service endpoint turned on for Azure service?

删除 VNet 和子网是独立的操作,即使为 Azure 服务打开服务终结点时也支持该操作。Deletion of VNets and subnets are independent operations and are supported even when service endpoints are turned on for Azure services. 如果 Azure 服务设置了 VNet ACL,对于这些 VNet 和子网,当 VNet 或已打开 VNet 服务终结点的子网被删除时,与该 Azure 服务关联的 VNet ACL 信息将被禁用。In cases where the Azure services have VNet ACLs set up, for those VNets and subnets, the VNet ACLs information associated with that Azure service is disabled when a VNet or subnet that has VNet service endpoint turned on is deleted.

如果删除启用了 VNet 服务终结点的 Azure 服务帐户会发生什么?What happens if Azure service account that has VNet Service endpoint enabled is deleted?

删除 Azure 服务帐户是一个独立的操作,即使在网络端启用服务终结点并在 Azure 服务端设置 VNet ACL 时也支持该操作。The deletion of Azure service account is an independent operation and is supported even when the service endpoint is enabled on the network side and VNet ACLs are set up on Azure service side.

启用 VNet 服务终结点的资源(如子网中的 VM)的源 IP 地址会发生什么?What happens to the source IP address of a resource (like a VM in a subnet) that has VNet service endpoint enabled?

启用虚拟网络服务终结点后,虚拟网络子网中资源的源 IP 地址将从公共 IPV4 地址更改为使用 Azure 虚拟网络的专用地址,以便将流量传送到 Azure 服务。When virtual network service endpoints are enabled, the source IP addresses of the resources in your virtual network's subnet switches from using public IPV4 addresses to the Azure virtual network's private IP addresses for traffic to Azure service. 请注意,这会导致前面在 Azure 服务上设置为公共 IPv4 地址的特定 IP 防火墙失败。Note that this can cause specific IP firewall that are set to public IPV4 address earlier on the Azure services to fail.

服务终结点路由始终最优先吗?Does service endpoint route always take precedence?

服务终结点添加的系统路由要优先于 BGP 路由,并为服务终结点流量提供最佳路由。Service endpoints add a system route which takes precedence over BGP routes and provide optimum routing for the service endpoint traffic. 服务终结点始终将直接来自虚拟网络的服务流量转发到 Microsoft Azure 主干网络上的服务。Service endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. 有关 Azure 如何选择路由的详细信息,请参阅 Azure 虚拟网络流量路由For more information about how Azure selects a route, see Azure Virtual network traffic routing.

子网上的 NSG 如何与服务终结点配合使用?How does NSG on a subnet work with service endpoints?

要访问 Azure 服务,NSG 需要允许出站连接。To reach the Azure service, NSGs need to allow outbound connectivity. 如果 NSG 对所有 Internet 出站流量开放,则服务端点流量应有效。If your NSGs are opened to all Internet outbound traffic, then the service endpoint traffic should work. 还可仅使用服务标签将出站流量限制为服务 IP。You can also limit the outbound traffic to service IPs only using the Service tags.

设置服务终结点需要哪些权限?What permissions do I need to set up service endpoints?

对虚拟网络拥有写入访问权限的用户可在虚拟网络上单独配置服务终结点。Service endpoints can be configured on a virtual network independently by a user with write access to the virtual network. 若要保护与 VNet 的 Azure 服务资源,用户必须具有的权限Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action正在添加的子网。To secure Azure service resources to a VNet, the user must have permission Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action for the subnets being added. 此权限默认包含在内置的服务管理员角色中,可通过创建自定义角色进行修改。This permission is included in the built-in service administrator role by default and can be modified by creating custom roles. 详细了解内置角色以及如何将特定的权限分配到自定义角色Learn more about built-in roles and assigning specific permissions to custom roles.

我是否可以通过 VNet 服务终结点筛选发往 Azure 服务的虚拟网络流量,以便仅允许特定的 Azure 服务资源?Can I filter virtual network traffic to Azure services, allowing only specific azure service resources, over VNet service endpoints?

使用虚拟网络 (VNet) 服务终结点策略可以通过服务终结点筛选发往 Azure 服务的虚拟网络流量,以便仅允许特定的 Azure 服务资源。Virtual network (VNet) service endpoint policies allow you to filter virtual network traffic to Azure services, allowing only specific Azure service resources over the service endpoints. 终结点策略从发往 Azure 服务的虚拟网络流量提供精细的访问控制。Endpoint policies provide granular access control from the virtual network traffic to the Azure services. 可在此处了解有关服务终结点策略的更多信息。You can learn more about the service endpoint policies here.

Azure Active Directory (Azure AD) 是否支持 VNet 服务终结点?Does Azure Active Directory (Azure AD) support VNet service endpoints?

Azure Active Directory (Azure AD) 并不本机支持服务终结点。Azure Active Directory (Azure AD) doesn't support service endpoints natively. 可以看到支持 VNet 服务终结点的 Azure 服务的完整列表此处Complete list of Azure Services supporting VNet service endpoints can be seen here. 请注意,"Microsoft.AzureActiveDirectory"下列出服务支持服务终结点的标记用于支持 ADLS 第 1 代的服务终结点。Note that "Microsoft.AzureActiveDirectory" tag listed under services supporting service endpoints is used for supporting service endpoints to ADLS Gen 1. 对于 ADLS 第 1 代的 Azure 数据湖存储 Gen1 虚拟网络集成可以使用虚拟网络与 Azure Active Directory (Azure AD) 之间的虚拟网络服务终结点安全生成额外的安全声明的访问令牌中。For ADLS Gen 1, virtual network integration for Azure Data Lake Storage Gen1 makes use of the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate additional security claims in the access token. 然后,系统会使用这些声明对 Data Lake Storage Gen1 帐户进行虚拟网络身份验证,然后允许访问。These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. 了解有关 [Azure 数据湖存储 Gen 1 VNet 集成] (../data-lake-store/data-lake-store-network-security.md?toc=%2fazure%2fvirtual-network%2ftoc.jsonLearn more about [Azure Data Lake Store Gen 1 VNet Integration](../data-lake-store/data-lake-store-network-security.md?toc=%2fazure%2fvirtual-network%2ftoc.json

对于我可以从 VNet 中设置多少个 VNet 服务终结点有什么限制吗?Are there any limits on how many VNet service endpoints I can set up from my VNet?

虚拟网络中的 VNet 服务终结点总数没有限制。There is no limit on the total number of VNet service endpoints in a virtual network. 对于 Azure 服务资源(例如 Azure 存储帐户),服务可能会对用于保护资源的子网数目施加限制。For an Azure service resource (such as, an Azure Storage account), services may enforce limits on the number of subnets used for securing the resource. 下表显示了一些示例限制:The following table shows some example limits:

Azure 服务Azure service 对 VNet 规则的限制Limits on VNet rules
Azure 存储Azure Storage 100100
Azure SQLAzure SQL 128128
Azure SQL 数据仓库Azure SQL Data Warehouse 128128
Azure KeyVaultAzure KeyVault 127127
Azure Cosmos DBAzure Cosmos DB 6464
Azure 事件中心Azure Event Hub 128128
Azure 服务总线Azure Service Bus 128128
Azure Data Lake Store V1Azure Data Lake Store V1 100100

备注

Azure 服务自行决定是否对这些限制进行更改。The limits are subjected to changes at the discretion of the Azure service. 有关服务详细信息,请参阅相应的服务文档。Refer to the respective service documentation for services details.