
What is Azure Virtual Network?

Azure Virtual Network enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. Azure Virtual Network provides the following key capabilities:

Isolation and segmentation

You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:

  • Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
  • Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.
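Address planning is where segmentation mistakes are cheapest to catch. The following checker is an added example, not code from the page or from Microsoft: it validates a virtual network address space and its subnets for overlap, containment, and minimum size, and reports how many addresses each subnet can actually assign. The address ranges are constructed for illustration. Two platform facts it relies on are not stated on this page: Azure reserves five addresses in every subnet, and the smallest IPv4 subnet Azure accepts is /29. Overlap with on-premises or peered ranges is checked because VPN, ExpressRoute and peering connections all require non-overlapping address spaces.

```python
"""Validate a virtual network address plan before creating it.

Constructed example: the address ranges are made up for illustration.
"""
import ipaddress

# Azure reserves five addresses in every subnet: the network address, the
# default gateway, two addresses for Azure DNS and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5
# Azure does not accept IPv4 subnets smaller than /29.
AZURE_MIN_IPV4_PREFIX = 29

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr):
    """Number of addresses a subnet can actually hand out to resources."""
    total = ipaddress.ip_network(cidr).num_addresses
    return max(total - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_spaces, subnets, remote_ranges=()):
    """Return a list of findings; an empty list means the plan is deployable.

    vnet_spaces   -- CIDRs that make up the virtual network's address space
    subnets       -- {subnet name: CIDR}
    remote_ranges -- CIDRs of on-premises or peered networks; overlaps with
                     them break VPN, ExpressRoute and peering connectivity
    Findings prefixed "warning:" do not block deployment.
    """
    findings = []
    spaces = [ipaddress.ip_network(s) for s in vnet_spaces]
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}

    for space in spaces:
        # Public ranges are allowed in a VNet but are a common source of
        # reachability surprises, so flag them without failing the plan.
        if not any(space.subnet_of(r) for r in RFC1918):
            findings.append(f"warning: {space} is not an RFC 1918 range")
        for remote in remote_ranges:
            if space.overlaps(ipaddress.ip_network(remote)):
                findings.append(f"{space} overlaps remote range {remote}")

    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            findings.append(f"subnet {name} {net} lies outside the VNet address space")
        if net.prefixlen > AZURE_MIN_IPV4_PREFIX:
            findings.append(f"subnet {name} {net} is smaller than /29")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    plan = {"web": "10.1.0.0/24", "app": "10.1.1.0/24", "db": "10.1.2.0/26"}
    print(validate_plan(["10.1.0.0/16"], plan, remote_ranges=["192.168.0.0/16"]))
    print({name: usable_hosts(cidr) for name, cidr in plan.items()})
```

Run it against a candidate plan and the on-premises ranges you intend to connect later; fixing an overlap after a VPN or peering is in place means renumbering.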

Communicate with the internet

All resources in a virtual network can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address to it. A public IP address makes the resource reachable from the internet, so pair it with a network security group that restricts inbound traffic (see Filter network traffic below). To learn more, see Public IP addresses.

Communicate between Azure resources

Azure resources communicate securely with each other in one of the following ways:

  • Through a virtual network: You can deploy VMs and several other types of Azure resources to a virtual network, such as Azure App Service Environments and Azure Virtual Machine Scale Sets. To view a complete list of Azure resources that you can deploy into a virtual network, see Virtual network service integration.
  • Through a virtual network service endpoint: Extend your virtual network private address space and the identity of your virtual network to Azure service resources, such as Azure Storage accounts and Azure SQL Databases, over a direct connection. Service endpoints allow you to restrict access to your critical Azure service resources to only a virtual network. To learn more, see Virtual network service endpoints overview.

Communicate with on-premises resources

You can connect your on-premises computers and networks to a virtual network using any combination of the following options:

  • Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its connection. This connection type is a good fit if you're just getting started with Azure, or for developers, because it requires little or no change to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet. To learn more, see Point-to-site VPN.
  • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet. To learn more, see Site-to-site VPN.
  • Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private. Traffic does not go over the internet. To learn more, see ExpressRoute.

Filter network traffic

You can filter network traffic between subnets using either or both of the following options:

  • Network security groups: A network security group can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. Rules are evaluated in priority order and the first match decides the outcome, so a broad allow with a low priority number silently shadows any deny placed after it. To learn more, see Network security groups.
  • Network virtual appliances: A network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or another network function. To view a list of available network virtual appliances that you can deploy in a virtual network, see Azure Marketplace.
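The following is an added example, not code from the page or from Microsoft, that reproduces how a network security group decides on an inbound flow: rules are sorted by priority number, the first match wins, and Azure's three default inbound rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound at priorities 65000, 65001 and 65500) sit behind every custom rule. The VNet prefix, the rule sets and the flows are constructed. Two simplifications are assumed: the VirtualNetwork tag is treated as just this VNet's own prefix (in Azure it also covers peered VNets and on-premises ranges reachable through a gateway), and the Internet tag is treated as everything outside it. The example contrasts a rule set whose deny is shadowed with one that only admits RDP from a management subnet and also blocks it from the rest of the VNet, which the default AllowVnetInBound rule would otherwise permit.

```python
"""Evaluate an NSG's inbound rules the way Azure does: by ascending
priority, first match wins, with Azure's default rules appended.

Constructed example: the VNet prefix and rule sets are made up.
"""
from dataclasses import dataclass
import ipaddress

# Assumed address space of the VNet the NSG is attached to; stands in for
# the VirtualNetwork service tag (which in Azure also covers peered VNets
# and on-premises ranges learned through a gateway).
VNET_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]
# The AzureLoadBalancer service tag resolves to the platform probe address.
AZURE_LB = ipaddress.ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # custom rules use 100-4096; lower numbers are checked first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, service tag or "*"
    dest_port: str   # "3389", "1024-65535" or "*"


# Azure's built-in inbound rules (priority 65000 and up); they cannot be
# removed, only overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _source_matches(selector, src_ip):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in n for n in VNET_PREFIXES)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return in_vnet
    if selector == "AzureLoadBalancer":
        return ip in AZURE_LB
    if selector == "Internet":
        return not in_vnet          # simplification: everything outside the VNet
    return ip in ipaddress.ip_network(selector, strict=False)


def _port_matches(selector, port):
    if selector == "*":
        return True
    if "-" in selector:
        low, high = (int(p) for p in selector.split("-"))
        return low <= port <= high
    return int(selector) == port


def evaluate(rules, src_ip, protocol, dest_port):
    """Return (access, rule name) of the first rule that matches the flow."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol != "*" and rule.protocol.lower() != protocol.lower():
            continue
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# A common mistake: the deny for internet sources never fires because the
# broader allow has the lower priority number and is evaluated first.
SHADOWED_DENY = [
    Rule("AllowRdpFromAnywhere", 100, "Allow", "Tcp", "*", "3389"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "Internet", "3389"),
]

# Allow RDP only from a management subnet and explicitly deny it from the
# rest of the VNet, since AllowVnetInBound would otherwise permit it.
HARDENED = [
    Rule("AllowRdpFromMgmt", 100, "Allow", "Tcp", "10.1.250.0/26", "3389"),
    Rule("DenyRdpFromVnet", 4000, "Deny", "Tcp", "VirtualNetwork", "3389"),
]


if __name__ == "__main__":
    for rules, label in ((SHADOWED_DENY, "shadowed"), (HARDENED, "hardened")):
        for src in ("203.0.113.5", "10.1.250.4", "10.1.5.7"):
            print(label, src, evaluate(rules, src, "Tcp", 3389))
```

Note that an NSG can be associated with a subnet and with a network interface at the same time; inbound traffic must be allowed by both before it reaches the VM, so check the effective rules at each layer rather than one rule set in isolation.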

Route network traffic

Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the internet, by default. You can implement either or both of the following options to override the default routes Azure creates:

  • Route tables: You can create custom route tables with routes that control where traffic is routed to for each subnet. Learn more about route tables.
  • Border gateway protocol (BGP) routes: If you connect your virtual network to your on-premises network using an Azure VPN Gateway or ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. Learn more about using BGP with Azure VPN Gateway and ExpressRoute.
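How the two override options interact with Azure's default routes is easiest to see with a worked route lookup. The following is an added example, not code from the page or from Microsoft. It assumes Azure's selection order, which the page does not spell out: the longest matching prefix wins, and among routes with the same prefix length a user-defined route beats a BGP-learned route, which beats a system route. The VNet prefix, the BGP-learned routes, the route table and the next-hop appliance address 10.1.250.4 are constructed. The lookup without the route table shows a consequence worth knowing: a default route advertised over BGP from on-premises silently takes over internet egress, because BGP outranks the system route.

```python
"""Pick the effective route for a destination the way Azure does: longest
prefix match first, then user-defined over BGP over system routes.

Constructed example: prefixes and next hops are made up.
"""
from dataclasses import dataclass
import ipaddress

# Tie-break order when several routes share the same prefix length; a fact
# about Azure route selection that the overview page does not spell out.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str     # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    source: str            # "System", "User" (route table) or "BGP"
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance


def system_routes(vnet_spaces):
    """Routes Azure creates for every subnet: the VNet itself and a default to the internet."""
    routes = [Route(space, "VirtualNetwork", "System") for space in vnet_spaces]
    routes.append(Route("0.0.0.0/0", "Internet", "System"))
    return routes


def effective_route(routes, dest_ip):
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    # Longest prefix wins; on a tie the better-ranked source wins.
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]))


# Routes learned over BGP from an on-premises network behind a VPN or
# ExpressRoute gateway; the on-premises side also advertises a default route.
BGP_LEARNED = [
    Route("10.20.0.0/16", "VirtualNetworkGateway", "BGP"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", "BGP"),
]

# A route table that sends all internet-bound traffic through a firewall NVA
# (hypothetical address 10.1.250.4) and black-holes one range outright.
USER_DEFINED = [
    Route("0.0.0.0/0", "VirtualAppliance", "User", next_hop_ip="10.1.250.4"),
    Route("198.51.100.0/24", "None", "User"),
]


def next_hop(dest_ip, with_route_table=True):
    """Return (next hop type, next hop IP, matched prefix) for a destination."""
    routes = system_routes(["10.1.0.0/16"]) + BGP_LEARNED
    if with_route_table:
        routes = routes + USER_DEFINED
    r = effective_route(routes, dest_ip)
    return r.next_hop_type, r.next_hop_ip, r.prefix


if __name__ == "__main__":
    for dest in ("10.1.5.7", "10.20.3.3", "203.0.113.5", "198.51.100.9"):
        print(dest, next_hop(dest), "without route table:", next_hop(dest, False))
```

The intra-VNet and on-premises destinations are unaffected by the 0.0.0.0/0 user-defined route because their /16 prefixes are longer matches; only traffic that would otherwise fall to the default route is steered through the appliance. When you do route 0.0.0.0/0 to an appliance, give the appliance's own subnet a route table that does not point back at itself, or its egress loops.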

Connect virtual networks

You can connect virtual networks to each other, enabling resources in either virtual network to communicate with each other, using virtual network peering. The virtual networks you connect can be in the same, or different, Azure regions, and their address spaces must not overlap. To learn more, see Virtual network peering.

Next steps

You now have an overview of Azure Virtual Network. To get started using a virtual network, create one, deploy a few VMs to it, and communicate between the VMs. To learn how, see the Create a virtual network quickstart.