Azure Virtual Network

The Microsoft Azure Virtual Network service enables Azure resources to securely communicate with each other in a virtual network. A virtual network is a representation of your own network in the cloud: a logical isolation of the Azure cloud dedicated to your subscription. You can connect virtual networks to other virtual networks, or to your on-premises network. The following picture shows some of the capabilities of the Azure Virtual Network service:

Network diagram

To learn more about the following Azure Virtual Network capabilities, click the capability:

  • Isolation: Virtual networks are isolated from one another. You can create separate virtual networks for development, testing, and production that use the same CIDR address block (10.0.0.0/16, for example). Conversely, you can create multiple virtual networks that use different CIDR address blocks and connect the networks together. You can segment a virtual network into multiple subnets. Azure provides internal name resolution for virtual machines and Azure Cloud Services role instances deployed in a virtual network. You can optionally configure a virtual network to use your own DNS servers instead of Azure internal name resolution.
  • Internet communication: All Azure Virtual Machines and Cloud Services role instances in a virtual network have outbound access to the Internet by default. You can also enable inbound access to specific resources as needed.
  • Azure resource communication: Azure resources such as Cloud Services and virtual machines can be deployed in the same virtual network. The resources can communicate with each other using private IP addresses, even if they are in different subnets. Azure provides default routing between subnets, connected virtual networks, and on-premises networks, so you don't have to configure and manage routes. You can customize Azure's routing if desired.
  • Virtual network connectivity: Virtual networks can be connected to each other, enabling resources in any virtual network to communicate with resources in any other connected virtual network.
  • On-premises connectivity: A virtual network can be connected to an on-premises network privately, or over the Internet by using a site-to-site VPN connection.
  • Traffic filtering: Network traffic to and from virtual machines and Cloud Services role instances can be filtered inbound and outbound by source IP address and port, destination IP address and port, and protocol.
  • Routing: You can optionally override Azure's default routing by configuring your own routes, or by propagating BGP routes through a network gateway.

Network isolation and segmentation

You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:

  • Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space you define.
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
  • Use Azure-provided name resolution or specify your own DNS servers for use by resources in the virtual network. To learn more about name resolution in virtual networks, see the Name resolution for VMs and Cloud Services article.
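The address-space rules above (subnets carved from the virtual network's range, and separate virtual networks that you intend to connect needing non-overlapping ranges) are easy to get wrong in a plan before anything is deployed. The following is an added example, not code from the Azure documentation: a small validator for a constructed hub-and-spoke plan, using only the Python standard library. The sample address ranges and subnet names are invented for the example. It also applies Azure's reservation of five addresses per subnet (network address, default gateway, two Azure DNS addresses, broadcast), so the smallest usable subnet is a /29 with three assignable addresses.

```python
"""Validate a virtual network address plan before deploying it.

Added example (not from the Azure documentation). Encodes the rules stated
on this page: subnets must fall inside the virtual network address space
and must not overlap each other, and virtual networks you intend to connect
must not have overlapping address spaces. Azure reserves five addresses in
every subnet, so a /29 is the smallest subnet that can host resources.
"""
import ipaddress
from typing import Dict, List

AZURE_RESERVED_PER_SUBNET = 5  # x.0, x.1 (gateway), x.2 and x.3 (Azure DNS), broadcast


def usable_hosts(cidr: str) -> int:
    """Number of addresses Azure can assign to resources in the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_vnet(address_space: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems with the plan (an empty list means it is valid)."""
    problems: List[str] = []
    vnet = ipaddress.ip_network(address_space, strict=True)
    seen = []  # (name, network) pairs already checked, for overlap detection
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({exc})")
            continue
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {cidr} is outside the VNet {address_space}")
        if net.prefixlen > 29:
            problems.append(f"{name}: {cidr} is smaller than /29, the Azure minimum")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems


def peering_conflicts(vnets: Dict[str, str]) -> List[str]:
    """Pairs of virtual networks whose address spaces overlap and so cannot be connected."""
    names = list(vnets)
    conflicts: List[str] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ipaddress.ip_network(vnets[a]).overlaps(ipaddress.ip_network(vnets[b])):
                conflicts.append(f"{a} ({vnets[a]}) overlaps {b} ({vnets[b]})")
    return conflicts


# Constructed sample plan for a hub virtual network (not a real deployment).
HUB_ADDRESS_SPACE = "10.0.0.0/16"
HUB_PLAN = {
    "GatewaySubnet": "10.0.0.0/27",
    "AzureFirewallSubnet": "10.0.1.0/26",
    "shared-services": "10.0.2.0/24",
}
# Constructed sample of several VNets that are meant to be connected together.
CONNECTED_VNETS = {"hub": "10.0.0.0/16", "spoke-dev": "10.1.0.0/16", "spoke-test": "10.1.0.0/16"}

if __name__ == "__main__":
    print("hub plan problems:", validate_vnet(HUB_ADDRESS_SPACE, HUB_PLAN))
    print("usable hosts in 10.0.2.0/24:", usable_hosts("10.0.2.0/24"))
    print("peering conflicts:", peering_conflicts(CONNECTED_VNETS))
```

Run it as a pre-deployment check: the hub plan passes, while the two spokes that reuse 10.1.0.0/16 are reported as a conflict, which is exactly the situation the text describes where identical address blocks are fine for isolated dev/test/prod networks but not for networks you later want to connect.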

Internet communication

All resources in a virtual network can communicate outbound to the Internet by default. The private IP address of the resource is source network address translated (SNAT) to a public IP address selected by the Azure infrastructure. To learn more about outbound connectivity, read the Understanding outbound connections in Azure article. To prevent outbound Internet connectivity, you can implement custom routes or traffic filtering.

To communicate inbound to Azure resources from the Internet, or to communicate outbound to the Internet without SNAT, a resource must be assigned a public IP address. To learn more about public IP addresses, read the Public IP addresses article.

Secure communication between Azure resources

You can deploy virtual machines within a virtual network. Virtual machines communicate with other resources in a virtual network through a network interface. To learn more about network interfaces, see Network interfaces.

You can also deploy several other types of Azure resources to a virtual network, such as Azure Cloud Services, Azure App Service Environments, and Azure Virtual Machine Scale Sets. For a complete list of Azure resources you can deploy into a virtual network, see Virtual network service integration for Azure services.

Some resources can't be deployed into a virtual network, but you can restrict access to them so that they accept communication only from resources within a virtual network. To learn more about how to restrict access to resources, see Virtual network service endpoints.

Connect virtual networks

You can connect virtual networks to each other with virtual network peering, enabling resources in either virtual network to communicate with each other. The address spaces of peered virtual networks must not overlap. The bandwidth and latency of communication between resources in different virtual networks is the same as if the resources were in the same virtual network. To learn more about peering, read the Virtual network peering article.

Connect to an on-premises network

You can connect your on-premises network to a virtual network using any combination of the following options:

  • Point-to-site virtual private network (VPN): Established between a virtual network and a single PC in your network. Each PC that wants to connect to a virtual network must configure its own connection. This connection type is useful if you're just getting started with Azure, or for developers, because it requires little or no change to your existing network. The connection uses the SSTP protocol to provide encrypted communication over the Internet between the PC and the virtual network. The latency for a point-to-site VPN is unpredictable, since the traffic traverses the Internet.
  • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN gateway deployed in a virtual network. This connection type enables any on-premises resource you authorize to access a virtual network. The connection is an IPsec/IKE VPN that provides encrypted communication over the Internet between your on-premises device and the Azure VPN gateway. The latency for a site-to-site connection is unpredictable, since the traffic traverses the Internet.
  • Azure ExpressRoute: Established between your network and Azure through an ExpressRoute partner. This connection is private; traffic does not traverse the Internet, so the latency of an ExpressRoute connection is predictable. Note that private is not the same as encrypted: ExpressRoute does not encrypt traffic by itself, so if you need encryption in transit, run IPsec (or MACsec, where supported) over the circuit.

To learn more about the preceding connection options, read the Connection topology diagrams article.

Filter network traffic

You can filter network traffic between subnets using either or both of the following options:

  • Network security groups: A network security group can contain multiple inbound and outbound security rules that enable you to filter traffic by source and destination IP address, port, and protocol. Rules are evaluated in priority order (lowest number first) and the first matching rule decides; Azure appends default rules that allow traffic within the virtual network and outbound to the Internet and deny all other inbound traffic. You can apply a network security group to each network interface in a virtual machine. You can also apply a network security group to the subnet that a network interface, or other Azure resource, is in. To learn more about network security groups, see Network security groups.
  • Network virtual appliances: A network virtual appliance is a virtual machine running software that performs a network function, such as a firewall. A list of available network virtual appliances is in the Azure Marketplace. Network virtual appliances are also available that provide WAN optimization and other network traffic functions. They are typically used with user-defined or BGP routes, which steer traffic through the appliance. You can also use a network virtual appliance to filter traffic between virtual networks.
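To make the network security group semantics concrete, here is an added example, not code from the Azure documentation and not the Azure CLI: a minimal evaluator that applies a constructed rule set for a web subnet together with Azure's default rules to sample flows. The rule set, the sample IP addresses and the virtual network prefix are invented for the example, and service tags are resolved with a deliberately simplified table (for instance, the real VirtualNetwork tag also covers peered virtual networks and on-premises prefixes, and the real Internet tag excludes Azure-internal address space).

```python
"""Evaluate network security group (NSG) rules against sample flows.

Added example, not from the Azure documentation. Models the NSG behaviour
described on this page: rules are applied in priority order (lowest number
first), the first match decides, and Azure's default rules at priorities
65000-65500 allow traffic inside the virtual network and outbound to the
Internet and deny all other inbound traffic. Service tag resolution is a
constructed simplification.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed: the address space of the VNet this NSG protects.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # Azure load balancer health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" | "Outbound"
    access: str      # "Allow" | "Deny"
    protocol: str    # "Tcp" | "Udp" | "Icmp" | "*"
    source: str      # CIDR, service tag, or "*"
    destination: str
    dest_ports: str  # "*", "443", "1024-65535", or a comma-separated list


# Azure's default rules, always present and evaluated after user rules.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _address_matches(spec: str, ip: str) -> bool:
    """Simplified service-tag and CIDR matching (constructed for this example)."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in p for p in VNET_PREFIXES)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":              # simplification: everything outside the VNet
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             protocol: str, dst_port: int) -> Tuple[str, str]:
    """Return (access, name of the deciding rule) for one flow."""
    candidates = [r for r in rules + DEFAULT_RULES if r.direction == direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if not (_address_matches(r.source, src) and _address_matches(r.destination, dst)):
            continue
        if not _port_matches(r.dest_ports, dst_port):
            continue
        return r.access, r.name
    raise AssertionError("unreachable: the default rules always match")


# Constructed rule set for a web subnet. The explicit SSH deny is redundant
# with DenyAllInBound today, but it stays in force if someone later adds a
# broad allow at a higher priority number (e.g. 200, "allow all TCP").
WEB_RULES = [
    Rule("AllowHttpsIn", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenySshFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
]

if __name__ == "__main__":
    # 203.0.113.7 is a documentation-range address used here as a constructed Internet client.
    print(evaluate(WEB_RULES, "Inbound", "203.0.113.7", "10.0.1.4", "Tcp", 443))
    print(evaluate(WEB_RULES, "Inbound", "203.0.113.7", "10.0.1.4", "Tcp", 22))
    print(evaluate(WEB_RULES, "Inbound", "10.0.2.9", "10.0.1.4", "Tcp", 22))
```

The third flow is the one worth noticing: SSH from another subnet in the same virtual network is allowed by the default AllowVnetInBound rule, even though the explicit deny looks like it blocks SSH. If SSH should be reachable only from a bastion subnet, you need your own deny for the VirtualNetwork source at a priority below 65000.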

Route network traffic

By default, Azure creates system routes that enable resources connected to any subnet in a virtual network to communicate with each other. You can implement either or both of the following options to override the default routes Azure creates:

  • User-defined routes: You can create custom route tables with routes that control where traffic is routed to for each subnet. To learn more about user-defined routes, see User-defined routes.
  • BGP routes: If you connect your virtual network to your on-premises network using an Azure VPN gateway or ExpressRoute connection, you can propagate the BGP routes learned from on-premises into your virtual networks.
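How a user-defined route or a BGP route overrides a system route is a matter of route selection: Azure picks the route with the longest matching prefix, and when several routes share the same prefix it prefers a user-defined route, then a BGP route, then a system route. The following is an added example, not code from the Azure documentation: it reproduces that selection over the system routes Azure creates for every subnet plus a constructed forced-tunnelling route to a firewall appliance and a constructed BGP route from on-premises. The virtual network prefix, appliance address and on-premises range are invented for the example.

```python
"""Pick the next hop for a destination the way Azure route selection does.

Added example, not from the Azure documentation. Azure selects the route
with the longest matching prefix; on a prefix tie it prefers a user-defined
route over a BGP route over a system route. The system routes below are the
ones Azure creates for every subnet: the VNet address space, a default route
to the Internet, and the RFC 1918 and carrier-grade NAT ranges dropped with
next hop None. The user-defined and BGP routes are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SOURCE_RANK = {"User": 0, "BGP": 1, "Default": 2}  # lower wins on a prefix tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str  # VirtualNetwork | Internet | None | VirtualAppliance | VirtualNetworkGateway
    source: str         # "User" | "BGP" | "Default"
    next_hop_ip: Optional[str] = None


def system_routes(vnet_prefixes: List[str]) -> List[Route]:
    """The default routes Azure adds to every subnet of a virtual network."""
    routes = [Route(p, "VirtualNetwork", "Default") for p in vnet_prefixes]
    routes.append(Route("0.0.0.0/0", "Internet", "Default"))
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(p, "None", "Default"))
    return routes


def select_route(routes: List[Route], destination: str) -> Route:
    """Longest prefix match, then User > BGP > Default on equal prefix length."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return min(
        matching,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_RANK[r.source]),
    )


# Constructed effective route table for a "web" subnet in 10.0.0.0/16:
# a forced-tunnelling UDR sends Internet-bound traffic to a firewall NVA at
# 10.0.1.4, and BGP over the gateway advertises the on-premises range.
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.1.4")]
BGP_ROUTES = [Route("192.168.0.0/16", "VirtualNetworkGateway", "BGP")]
WEB_SUBNET_ROUTES = system_routes(["10.0.0.0/16"]) + USER_ROUTES + BGP_ROUTES

if __name__ == "__main__":
    for dst in ("10.0.2.9", "1.1.1.1", "192.168.10.5", "172.16.5.5"):
        chosen = select_route(WEB_SUBNET_ROUTES, dst)
        print(f"{dst:>14} -> {chosen.next_hop_type} ({chosen.source}, {chosen.prefix})")
```

Two results illustrate why the ordering matters. Traffic to another subnet (10.0.2.9) still goes via VirtualNetwork, because the /16 system route is more specific than the 0.0.0.0/0 user-defined route; a default route to an appliance never breaks intra-VNet traffic. Traffic to 172.16.5.5, however, is dropped by the /12 system route to None rather than sent to the firewall, so a forced-tunnelling design that must inspect traffic to those private ranges needs explicit user-defined routes for them as well.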

Pricing

There is no charge for virtual networks, subnets, route tables, or network security groups. Outbound Internet bandwidth usage, public IP addresses, virtual network peering, VPN gateways, and ExpressRoute each have their own pricing structures. View the Virtual Network, VPN Gateway, and ExpressRoute pricing pages for more information.

FAQ

To review frequently asked questions about Azure Virtual Network, see the Virtual network FAQ article.

Next steps