
Virtual network traffic routing

Learn about how Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. To learn more about virtual networks and subnets, see Virtual network overview. You can override some of Azure's system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in the subnet's route table.

System routes

Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet, and adds additional optional default routes to specific subnets, or to every subnet, when you use specific Azure capabilities.

Default

Each route contains an address prefix and a next hop type. When traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses. Learn more about how Azure selects a route when multiple routes contain the same prefixes, or overlapping prefixes. Whenever a virtual network is created, Azure automatically creates the following default system routes for each subnet within the virtual network:

| Source  | Address prefixes              | Next hop type   |
| ------- | ----------------------------- | --------------- |
| Default | Unique to the virtual network | Virtual network |
| Default | 0.0.0.0/0                     | Internet        |
| Default | 10.0.0.0/8                    | None            |
| Default | 172.16.0.0/12                 | None            |
| Default | 192.168.0.0/16                | None            |
| Default | 100.64.0.0/10                 | None            |

The next hop types listed in the previous table represent how Azure routes traffic destined for the address prefix listed. Explanations for the next hop types follow:

  • Virtual network: Routes traffic between address ranges within the address space of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. You don't need to define gateways for Azure to route traffic between subnets. Though a virtual network contains subnets, and each subnet has a defined address range, Azure does not create default routes for subnet address ranges, because each subnet address range is within an address range of the address space of the virtual network.

  • Internet: Routes traffic specified by the address prefix to the Internet. The system default route specifies the 0.0.0.0/0 address prefix. If you don't override Azure's default routes, Azure routes traffic for any address not specified by an address range within a virtual network to the Internet, with one exception. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route.

  • None: Traffic routed to the None next hop type is dropped, rather than routed outside the subnet. Azure automatically creates default routes for the following address prefixes:

    • 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16: Reserved for private use in RFC 1918.
    • 100.64.0.0/10: Reserved in RFC 6598.

      If you assign any of the previous address ranges within the address space of a virtual network, Azure automatically changes the next hop type for the route from None to Virtual network. If you assign an address range to the address space of a virtual network that includes, but isn't the same as, one of the four reserved address prefixes, Azure removes the route for the prefix and adds a route for the address prefix you added, with Virtual network as the next hop type.

Optional default routes

Azure adds additional default system routes for different Azure capabilities, but only if you enable the capabilities. Depending on the capability, Azure adds optional default routes either to specific subnets within the virtual network, or to all subnets within a virtual network. The additional system routes and next hop types that Azure may add when you enable different capabilities are:

| Source                  | Address prefixes                                                                          | Next hop type                 | Subnet within virtual network that route is added to |
| ----------------------- | ----------------------------------------------------------------------------------------- | ----------------------------- | ---------------------------------------------------- |
| Default                 | Unique to the virtual network, for example: 10.1.0.0/16                                   | VNet peering                  | All                                                  |
| Virtual network gateway | Prefixes advertised from on-premises via BGP, or configured in the local network gateway | Virtual network gateway       | All                                                  |
| Default                 | Multiple                                                                                  | VirtualNetworkServiceEndpoint | Only the subnet a service endpoint is enabled for.   |

  • Virtual network (VNet) peering: When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network a peering is created for. Learn more about virtual network peering.
  • Virtual network gateway: One or more routes with Virtual network gateway listed as the next hop type are added when a virtual network gateway is added to a virtual network. The source is also virtual network gateway, because the gateway adds the routes to the subnet. If your on-premises network gateway exchanges border gateway protocol (BGP) routes with an Azure virtual network gateway, a route is added for each route propagated from the on-premises network gateway. It's recommended that you summarize on-premises routes to the largest address ranges possible, so the fewest number of routes are propagated to an Azure virtual network gateway. There are limits to the number of routes you can propagate to an Azure virtual network gateway. For details, see Azure limits.
  • VirtualNetworkServiceEndpoint: The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for. The public IP addresses of Azure services change periodically. Azure manages the addresses in the route table automatically when the addresses change. Learn more about virtual network service endpoints, and the services you can create service endpoints for.

Note

The VNet peering and VirtualNetworkServiceEndpoint next hop types are only added to route tables of subnets within virtual networks created through the Azure Resource Manager deployment model. These next hop types are not added to route tables that are associated to virtual network subnets created through the classic deployment model. Learn more about Azure deployment models.

Custom routes

You create custom routes either by creating user-defined routes, or by exchanging border gateway protocol (BGP) routes between your on-premises network gateway and an Azure virtual network gateway.

User-defined

You can create custom, or user-defined, routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. In Azure, you create a route table, then associate the route table to zero or more virtual network subnets. Each subnet can have zero or one route table associated to it. To learn about the maximum number of routes you can add to a route table and the maximum number of user-defined route tables you can create per Azure subscription, see Azure limits. If you create a route table and associate it to a subnet, the routes within it are combined with, or override, the default routes Azure adds to a subnet by default.

You can specify the following next hop types when creating a user-defined route:

  • Virtual appliance: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall. To learn about a variety of pre-configured network virtual appliances you can deploy in a virtual network, see the Azure Marketplace. When you create a route with the virtual appliance hop type, you also specify a next hop IP address. The IP address can be:

    • The private IP address of a network interface attached to a virtual machine. Any network interface attached to a virtual machine that forwards network traffic to an address other than its own must have the Azure Enable IP forwarding option enabled for it. The setting disables Azure's check of the source and destination for a network interface. Learn more about how to enable IP forwarding for a network interface. Though Enable IP forwarding is an Azure setting, you may also need to enable IP forwarding within the virtual machine's operating system for the appliance to forward traffic between private IP addresses assigned to Azure network interfaces. If the appliance must route traffic to a public IP address, it must either proxy the traffic, or network address translate the source's private IP address to its own private IP address, which Azure then network address translates to a public IP address, before sending the traffic to the Internet. To determine required settings within the virtual machine, see the documentation for your operating system or network application. To understand outbound connections in Azure, see Understanding outbound connections.

      Note

      Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet.

    • The private IP address of an Azure internal load balancer. A load balancer is often used as part of a high availability strategy for network virtual appliances.

      You can define a route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance, enabling the appliance to inspect the traffic and determine whether to forward or drop the traffic. If you intend to create a user-defined route that contains the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first.

  • Virtual network gateway: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type VPN. You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes. You can define a route that directs traffic destined for the 0.0.0.0/0 address prefix to a route-based virtual network gateway. On your premises, you might have a device that inspects the traffic and determines whether to forward or drop the traffic. If you intend to create a user-defined route for the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first. Instead of configuring a user-defined route for the 0.0.0.0/0 address prefix, you can advertise a route with the 0.0.0.0/0 prefix via BGP, if you've enabled BGP for a VPN virtual network gateway.

  • None: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination. If you haven't fully configured a capability, Azure may list None for some of the optional system routes. For example, if you see None listed as the Next hop IP address with a Next hop type of Virtual network gateway or Virtual appliance, it may be because the device isn't running, or isn't fully configured. Azure creates system default routes for reserved address prefixes with None as the next hop type.
  • Virtual network: Specify when you want to override the default routing within a virtual network. See Routing example for an example of why you might create a route with the Virtual network hop type.
  • Internet: Specify when you want to explicitly route traffic destined to an address prefix to the Internet, or if you want traffic destined for Azure services with public IP addresses kept within the Azure backbone network.

You cannot specify VNet peering or VirtualNetworkServiceEndpoint as the next hop type in user-defined routes. Routes with the VNet peering or VirtualNetworkServiceEndpoint next hop types are only created by Azure, when you configure a virtual network peering or a service endpoint.

Next hop types across Azure tools

The name displayed and referenced for next hop types differs between the Azure portal and command-line tools, and between the Azure Resource Manager and classic deployment models. The following table lists the names used to refer to each next hop type with the different tools and deployment models:

| Next hop type                    | Azure CLI 2.0 and PowerShell (Resource Manager) | Azure CLI 1.0 and PowerShell (classic)            |
| -------------------------------- | ----------------------------------------------- | ------------------------------------------------- |
| Virtual network gateway          | VirtualNetworkGateway                           | VPNGateway                                        |
| Virtual network                  | VNetLocal                                       | VNETLocal (not available in the CLI 1.0 in asm mode) |
| Internet                         | Internet                                        | Internet (not available in the CLI 1.0 in asm mode) |
| Virtual appliance                | VirtualAppliance                                | VirtualAppliance                                  |
| None                             | None                                            | Null (not available in the CLI 1.0 in asm mode)   |
| Virtual network peering          | VNet peering                                    | Not applicable                                    |
| Virtual network service endpoint | VirtualNetworkServiceEndpoint                   | Not applicable                                    |

Border gateway protocol

An on-premises network gateway can exchange routes with an Azure virtual network gateway using the border gateway protocol (BGP). Using BGP with an Azure virtual network gateway depends on the type you selected when you created the gateway. If the type you selected was:

  • ExpressRoute: You must use BGP to advertise on-premises routes to the Microsoft edge router. You cannot create user-defined routes to force traffic to the ExpressRoute virtual network gateway if you deployed the virtual network gateway as type ExpressRoute. You can use user-defined routes to force traffic arriving from ExpressRoute to, for example, a network virtual appliance.
  • VPN: You can, optionally, use BGP. For details, see BGP with site-to-site VPN connections.

When you exchange routes with Azure using BGP, a separate route is added to the route table of all subnets in a virtual network for each advertised prefix. The route is added with Virtual network gateway listed as the source and next hop type.

How Azure selects a route

When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: one route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure routes traffic destined for 10.0.0.5 to the next hop type specified in the route with the 10.0.0.0/24 address prefix, because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 is within both address prefixes. Azure routes traffic destined for 10.0.1.5 to the next hop type specified in the route with the 10.0.0.0/16 address prefix, because 10.0.1.5 isn't included in the 10.0.0.0/24 address prefix, so the route with the 10.0.0.0/16 address prefix is the longest prefix that matches.

If multiple routes contain the same address prefix, Azure selects the route type based on the following priority:

  1. User-defined route
  2. BGP route
  3. System route

Note

System routes for traffic related to the virtual network, virtual network peerings, or virtual network service endpoints are preferred routes, even if BGP routes are more specific.

For example, a route table contains the following routes:

| Source  | Address prefixes | Next hop type           |
| ------- | ---------------- | ----------------------- |
| Default | 0.0.0.0/0        | Internet                |
| User    | 0.0.0.0/0        | Virtual network gateway |

When traffic is destined for an IP address outside the address prefixes of any other routes in the route table, Azure selects the route with the User source, because user-defined routes have higher priority than system default routes.

See Routing example for a comprehensive routing table with explanations of the routes in the table.

0.0.0.0/0 address prefix

A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is not within the address prefix of any other route in a subnet's route table. When a subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next hop type. If you don't override this route, Azure routes all traffic destined to IP addresses not included in the address prefix of any other route to the Internet. The exception is that traffic to the public IP addresses of Azure services remains on the Azure backbone network, and is not routed to the Internet. If you override this route with a custom route, traffic destined to addresses not within the address prefixes of any other route in the route table is sent to a network virtual appliance or virtual network gateway, depending on which you specify in the custom route.

When you override the 0.0.0.0/0 address prefix, in addition to outbound traffic from the subnet flowing through the virtual network gateway or virtual appliance, the following changes occur with Azure's default routing:

  • Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When the next hop type for the route with the 0.0.0.0/0 address prefix is Internet, traffic from the subnet destined to the public IP addresses of Azure services never leaves Azure's backbone network, regardless of the Azure region the virtual network or Azure service resource exists in. When you create a user-defined or BGP route with a Virtual network gateway or Virtual appliance next hop type however, all traffic, including traffic sent to public IP addresses of Azure services you haven't enabled service endpoints for, is sent to the next hop type specified in the route. If you've enabled a service endpoint for a service, traffic to the service is not routed to the next hop type in a route with the 0.0.0.0/0 address prefix, because the address prefixes for the service are specified in the route that Azure creates when you enable the service endpoint, and the address prefixes for the service are longer than 0.0.0.0/0.
  • You are no longer able to directly access resources in the subnet from the Internet. You can indirectly access resources in the subnet from the Internet, if inbound traffic passes through the device specified by the next hop type for a route with the 0.0.0.0/0 address prefix before reaching the resource in the virtual network. If the route contains the following values for next hop type:

    • Virtual appliance: The appliance must:
      • Be accessible from the Internet
      • Have a public IP address assigned to it
      • Not have a network security group rule associated to it that prevents communication to the device
      • Not deny the communication
      • Be able to network address translate and forward, or proxy, the traffic to the destination resource in the subnet, and return the traffic back to the Internet.
    • Virtual network gateway: If the gateway is an ExpressRoute virtual network gateway, an Internet-connected device on-premises can network address translate and forward, or proxy, the traffic to the destination resource in the subnet, via ExpressRoute's private peering.

    See DMZ between Azure and your on-premises datacenter and DMZ between Azure and the Internet for implementation details when using virtual network gateways and virtual appliances between the Internet and Azure.

Routing example

To illustrate the concepts in this article, the sections that follow describe:

  • A scenario, with requirements
  • The custom routes necessary to meet the requirements
  • The route table that exists for one subnet, including the default and custom routes necessary to meet the requirements

Note

This example is not intended to be a recommended or best practice implementation. Rather, it is provided only to illustrate concepts in this article.

Requirements

  1. Implement two virtual networks in the same Azure region and enable resources to communicate between the virtual networks.
  2. Enable an on-premises network to communicate securely with both virtual networks through a VPN tunnel over the Internet. Alternatively, an ExpressRoute connection could be used, but in this example, a VPN connection is used.
  3. For one subnet in one virtual network:

    • Force all outbound traffic from the subnet, except to Azure Storage and within the subnet, to flow through a network virtual appliance, for inspection and logging.
    • Do not inspect traffic between private IP addresses within the subnet; allow traffic to flow directly between all resources.
    • Drop any outbound traffic destined for the other virtual network.
    • Enable outbound traffic to Azure Storage to flow directly to storage, without forcing it through a network virtual appliance.
  4. Allow all traffic between all other subnets and virtual networks.

Implementation

The following picture shows an implementation through the Azure Resource Manager deployment model that meets the previous requirements:

[Network diagram]

Arrows show the flow of traffic.

Route tables

Subnet1

The route table for Subnet1 in the picture contains the following routes:

| ID | Source  | State   | Address prefixes | Next hop type                 | Next hop IP address | User-defined route name |
| -- | ------- | ------- | ---------------- | ----------------------------- | ------------------- | ----------------------- |
| 1  | Default | Invalid | 10.0.0.0/16      | Virtual network               |                     |                         |
| 2  | User    | Active  | 10.0.0.0/16      | Virtual appliance             | 10.0.100.4          | Within-VNet1            |
| 3  | User    | Active  | 10.0.0.0/24      | Virtual network               |                     | Within-Subnet1          |
| 4  | Default | Invalid | 10.1.0.0/16      | VNet peering                  |                     |                         |
| 5  | Default | Invalid | 10.2.0.0/16      | VNet peering                  |                     |                         |
| 6  | User    | Active  | 10.1.0.0/16      | None                          |                     | ToVNet2-1-Drop          |
| 7  | User    | Active  | 10.2.0.0/16      | None                          |                     | ToVNet2-2-Drop          |
| 8  | Default | Invalid | 10.10.0.0/16     | Virtual network gateway       | [X.X.X.X]           |                         |
| 9  | User    | Active  | 10.10.0.0/16     | Virtual appliance             | 10.0.100.4          | To-On-Prem              |
| 10 | Default | Active  | [X.X.X.X]        | VirtualNetworkServiceEndpoint |                     |                         |
| 11 | Default | Invalid | 0.0.0.0/0        | Internet                      |                     |                         |
| 12 | User    | Active  | 0.0.0.0/0        | Virtual appliance             | 10.0.100.4          | Default-NVA             |

An explanation of each route ID follows:

  1. Azure automatically added this route for all subnets within Virtual-network-1, because 10.0.0.0/16 is the only address range defined in the address space for the virtual network. If the user-defined route in route ID 2 weren't created, traffic sent to any address between 10.0.0.1 and 10.0.255.254 would be routed within the virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid when ID 2, a user-defined route, was added, since it has the same prefix as the default route, and user-defined routes override default routes. The state of this route is still Active for Subnet2, because the route table that user-defined route ID 2 is in isn't associated to Subnet2.
  2. Azure added this route when a user-defined route for the 10.0.0.0/16 address prefix was associated to the Subnet1 subnet in the Virtual-network-1 virtual network. The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance, because the address is the private IP address assigned to the virtual appliance virtual machine. The route table this route exists in is not associated to Subnet2, so the route doesn't appear in the route table for Subnet2. This route overrides the default route for the 10.0.0.0/16 prefix (ID 1), which automatically routed traffic addressed to 10.0.0.1 through 10.0.255.254 within the virtual network through the virtual network next hop type. This route exists to meet requirement 3, to force all outbound traffic through a virtual appliance.
  3. Azure added this route when a user-defined route for the 10.0.0.0/24 address prefix was associated to the Subnet1 subnet. Traffic destined for addresses between 10.0.0.1 and 10.0.0.254 remains within the subnet, rather than being routed to the virtual appliance specified in the previous rule (ID 2), because it has a longer prefix than the ID 2 route. This route was not associated to Subnet2, so the route does not appear in the route table for Subnet2. This route effectively overrides the ID 2 route for traffic within Subnet1. This route exists to meet requirement 3.
  4. Azure automatically added the routes in IDs 4 and 5 for all subnets within Virtual-network-1 when the virtual network was peered with Virtual-network-2. Virtual-network-2 has two address ranges in its address space, 10.1.0.0/16 and 10.2.0.0/16, so Azure added a route for each range. If the user-defined routes in route IDs 6 and 7 weren't created, traffic sent to any address between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 would be routed to the peered virtual network, because the prefix is longer than 0.0.0.0/0, and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid when the routes in IDs 6 and 7 were added, since they have the same prefixes as the routes in IDs 4 and 5, and user-defined routes override default routes. The state of the routes in IDs 4 and 5 is still Active for Subnet2, because the route table that the user-defined routes in IDs 6 and 7 are in isn't associated to Subnet2. A virtual network peering was created to meet requirement 1.
  5. 与 ID4 的说明相同。Same explanation as ID4.
  6. 将地址前缀为 10.1.0.0/16 和 10.2.0.0/16 的用户定义路由关联到 Subnet1 子网时,Azure 添加了此路由以及 ID7 中的路由。Azure added this route and the route in ID7, when user-defined routes for the 10.1.0.0/16 and 10.2.0.0/16 address prefixes were associated to the Subnet1 subnet. Azure 放弃目标为 10.1.0.1-10.1.255.254 和 10.2.0.1-10.2.255.254 之间地址的流量,而不是将其路由到对等互连的虚拟网络,因为用户定义路由会替代默认路由。Traffic destined for addresses between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 is dropped by Azure, rather than being routed to the peered virtual network, because user-defined routes override default routes. 这些路由未关联到 Subnet2,因此未出现在 Subnet2 的路由表中。The routes are not associated to Subnet2, so the routes do not appear in the route table for Subnet2. 对于离开 Subnet1 的流量,这些路由替代 ID4 和 ID5 路由。The routes override the ID4 and ID5 routes for traffic leaving Subnet1. ID6 和 ID7 路由存在的目的是满足要求 3,丢弃目标为其他虚拟网络的流量。The ID6 and ID7 routes exist to meet requirement 3 to drop traffic destined to the other virtual network.
  7. 与 ID6 的说明相同。Same explanation as ID6.
  8. Virtual-network-1 中创建 VPN 类型的虚拟网关时,Azure 自动为该虚拟网络中的所有子网添加了此路由。Azure automatically added this route for all subnets within Virtual-network-1 when a VPN type virtual network gateway was created within the virtual network. Azure 向路由表添加了虚拟网关的公共 IP 地址。Azure added the public IP address of the virtual network gateway to the route table. 发送到 10.10.0.1 和 10.10.255.254 之间地址的流量路由到虚拟网关。Traffic sent to any address between 10.10.0.1 and 10.10.255.254 is routed to the virtual network gateway. 此前缀比 0.0.0.0/0 长,且不在任何其他路由的地址前缀中。The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. 创建虚拟网关是为了满足要求 2。A virtual network gateway was created to meet requirement 2.
  9. 将地址前缀为 10.10.0.0/16 的用户定义路由添加到已关联到 Subnet1 的路由表时,Azure 添加了此路由。Azure added this route when a user-defined route for the 10.10.0.0/16 address prefix was added to the route table associated to Subnet1. 此路由替代 ID8。This route overrides ID8. 此路由将所有目标为本地网络的流量发送到 NVA 进行检查,而不是直接将流量路由到本地。The route sends all traffic destined for the on-premises network to an NVA for inspection, rather than routing traffic directly on-premises. 创建此路由是为了满足要求 3。This route was created to meet requirement 3.
  10. 为子网启用 Azure 服务的服务终结点时,Azure 自动将此路由添加到了子网。Azure automatically added this route to the subnet when a service endpoint to an Azure service was enabled for the subnet. Azure 通过 Azure 基础结构网络将流量从子网路由到服务的公共 IP 地址。Azure routes traffic from the subnet to a public IP address of the service, over the Azure infrastructure network. 此前缀比 0.0.0.0/0 长,且不在任何其他路由的地址前缀中。The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. 创建服务终结点是为了满足要求 3,允许目标为 Azure 存储的流量直接流向 Azure 存储。A service endpoint was created to meet requirement 3, to enable traffic destined for Azure Storage to flow directly to Azure Storage.
  11. Azure 自动向 Virtual-network-1 和 Virtual-network-2 中所有子网的路由表添加了此路由。Azure automatically added this route to the route table of all subnets within Virtual-network-1 and Virtual-network-2. 0.0.0.0/0 地址前缀是最短的前缀。The 0.0.0.0/0 address prefix is the shortest prefix. 发送到更长地址前缀中地址的流量根据其他路由来路由。Any traffic sent to addresses within a longer address prefix are routed based on other routes. 默认情况下,如果流量的目标地址不同于在某个其他路由中指定的地址,Azure 会将所有这些流量路由到 Internet。By default, Azure routes all traffic destined for addresses other than the addresses specified in one of the other routes to the Internet. 将地址前缀为 0.0.0.0/0 的用户定义路由 (ID12) 关联到 Subnet1 子网时,Azure 自动将该子网的状态从“活动”更改为“无效”。Azure automatically changed the state from Active to Invalid for the Subnet1 subnet when a user-defined route for the 0.0.0.0/0 address prefix (ID12) was associated to the subnet. 对于这两个虚拟网络中的所有其他子网,此路由的状态仍为“活动”,因为此路由未关联到任何其他虚拟网络中的任何其他子网。The state of this route is still Active for all other subnets within both virtual networks, because the route isn't associated to any other subnets within any other virtual networks.
  12. 将地址前缀为 0.0.0.0/0 的用户定义路由关联到 Subnet1 子网时,Azure 添加了此路由。Azure added this route when a user-defined route for the 0.0.0.0/0 address prefix was associated to the Subnet1 subnet. 用户定义路由指定 10.0.100.4 作为虚拟设备的 IP 地址。The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance. 此路由未关联到 Subnet2,因此未出现在 Subnet2 的路由表中。This route is not associated to Subnet2, so the route does not appear in the route table for Subnet2. 地址未包括在任何其他路由的地址前缀中的所有流量都发送到虚拟设备。All traffic for any address not included in the address prefixes of any of the other routes is sent to the virtual appliance. 对于 Subnet1,添加此路由后,地址前缀为 0.0.0.0/0 的默认路由 (ID11) 的状态就从“活动”变成了“无效”,因为用户定义路由会替代默认路由。The addition of this route changed the state of the default route for the 0.0.0.0/0 address prefix (ID11) from Active to Invalid for Subnet1, because a user-defined route overrides a default route. 此路由存在的原因是为了满足要求 3。This route exists to meet requirement 3.

Subnet2

The route table for Subnet2 in the picture contains the following routes:

| Source | State | Address prefixes | Next hop type | Next hop IP address |
|---|---|---|---|---|
| Default | Active | 10.0.0.0/16 | Virtual network | |
| Default | Active | 10.1.0.0/16 | VNet peering | |
| Default | Active | 10.2.0.0/16 | VNet peering | |
| Default | Active | 10.10.0.0/16 | Virtual network gateway | [X.X.X.X] |
| Default | Active | 0.0.0.0/0 | Internet | |
| Default | Active | 10.0.0.0/8 | None | |
| Default | Active | 100.64.0.0/10 | None | |
| Default | Active | 172.16.0.0/12 | None | |
| Default | Active | 192.168.0.0/16 | None | |

The route table for Subnet2 contains all Azure-created default routes and the optional VNet peering and virtual network gateway routes. Azure added the optional routes to all subnets in the virtual network when the gateway and peering were added to the virtual network. Azure removed the routes for the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 100.64.0.0/10 address prefixes from the Subnet1 route table when the user-defined route for the 0.0.0.0/0 address prefix was added to Subnet1.
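To make the route selection described for Subnet1 and Subnet2 concrete, the following Python script is an added example, not Microsoft's code or part of this article. It models the two route tables from the text as data, marks a default route Invalid when a user-defined route with the same prefix is associated to the subnet, removes the 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and 100.64.0.0/10 None routes once a 0.0.0.0/0 user-defined route is present, and picks the longest matching Active prefix for a destination. The gateway address X.X.X.X is kept as the placeholder it is in the table, the service endpoint route (ID10) is omitted because its prefixes aren't listed in this section, and the `Route` class, the function names and the sample destination addresses are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    source: str                        # "Default" (Azure-created) or "User" (user-defined)
    prefix: str                        # address prefix in CIDR notation
    next_hop: str                      # next hop type, as shown in the tables
    next_hop_ip: Optional[str] = None  # next hop IP address, where the type has one
    state: str = "Active"


GATEWAY_IP = "X.X.X.X"   # placeholder, exactly as the Subnet2 table shows it
NVA_IP = "10.0.100.4"    # private IP of the virtual appliance VM, from the text

# Routes Azure adds to every subnet of Virtual-network-1: the system defaults
# plus the optional peering and VPN gateway routes (the Subnet2 table above).
DEFAULT_ROUTES = [
    Route("Default", "10.0.0.0/16", "Virtual network"),
    Route("Default", "10.1.0.0/16", "VNet peering"),
    Route("Default", "10.2.0.0/16", "VNet peering"),
    Route("Default", "10.10.0.0/16", "Virtual network gateway", GATEWAY_IP),
    Route("Default", "0.0.0.0/0", "Internet"),
    Route("Default", "10.0.0.0/8", "None"),
    Route("Default", "100.64.0.0/10", "None"),
    Route("Default", "172.16.0.0/12", "None"),
    Route("Default", "192.168.0.0/16", "None"),
]

# User-defined routes in the route table associated to Subnet1 only
# (IDs 2, 3, 6, 7, 9 and 12 in the Subnet1 explanation).
SUBNET1_UDRS = [
    Route("User", "10.0.0.0/16", "Virtual appliance", NVA_IP),
    Route("User", "10.0.0.0/24", "Virtual network"),
    Route("User", "10.1.0.0/16", "None"),
    Route("User", "10.2.0.0/16", "None"),
    Route("User", "10.10.0.0/16", "Virtual appliance", NVA_IP),
    Route("User", "0.0.0.0/0", "Virtual appliance", NVA_IP),
]


def effective_table(defaults: List[Route], udrs: List[Route]) -> List[Route]:
    """Build a subnet's effective route table from its default routes and the
    user-defined routes of the route table associated to it (empty if none)."""
    udr_prefixes = {r.prefix for r in udrs}
    has_default_udr = "0.0.0.0/0" in udr_prefixes
    table: List[Route] = []
    for r in defaults:
        # Azure removes the None routes for the private ranges once a
        # 0.0.0.0/0 user-defined route is associated to the subnet.
        if has_default_udr and r.next_hop == "None":
            continue
        # A user-defined route with the same prefix invalidates the default.
        state = "Invalid" if r.prefix in udr_prefixes else "Active"
        table.append(Route(r.source, r.prefix, r.next_hop, r.next_hop_ip, state))
    table.extend(udrs)
    return table


def select_route(table: List[Route], destination: str) -> Route:
    """Return the Active route whose prefix is the longest one containing destination."""
    dest = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    best_len = -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if r.state == "Active" and dest in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    assert best is not None, "the 0.0.0.0/0 route guarantees a match"
    return best


def next_hop_for(table: List[Route], destination: str) -> Tuple[str, Optional[str]]:
    """Next hop type and IP address that outbound traffic to destination takes."""
    r = select_route(table, destination)
    return r.next_hop, r.next_hop_ip


if __name__ == "__main__":
    subnet1 = effective_table(DEFAULT_ROUTES, SUBNET1_UDRS)
    subnet2 = effective_table(DEFAULT_ROUTES, [])
    # Sample destinations (constructed): one per prefix of interest, plus a
    # documentation address (203.0.113.10) standing in for the Internet.
    for name, table in (("Subnet1", subnet1), ("Subnet2", subnet2)):
        print(f"{name} ({len(table)} routes)")
        for dst in ("10.0.0.50", "10.0.5.1", "10.1.3.4", "10.10.1.1", "172.16.1.1", "203.0.113.10"):
            print(f"  {dst:<14} -> {next_hop_for(table, dst)}")
```

Running the script prints, for each subnet, the next hop chosen for a handful of destinations: from Subnet1 a 10.0.0.x address stays in the virtual network (the /24 wins over the /16), other 10.0.x.x addresses and all Internet and on-premises addresses go to the virtual appliance, and the peered-network prefixes resolve to None and are dropped; from Subnet2 the default routes apply unchanged. When reviewing a forced-tunneling design, checking a model like this against the intended requirements is a quick way to confirm that every destination you expect to be inspected actually resolves to the appliance before the routes are deployed.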

Next steps