Restrict access to an Azure container registry using an Azure virtual network or firewall rules

Azure Virtual Network provides secure, private networking for your Azure and on-premises resources. By limiting access to your private Azure container registry from an Azure virtual network, you ensure that only resources in the virtual network access the registry. For cross-premises scenarios, you can also configure firewall rules to allow registry access only from specific IP addresses.

This article shows two scenarios to configure inbound network access rules on a container registry: from a virtual machine deployed in a virtual network, or from a VM's public IP address.

Important

This feature is currently in preview, and some limitations apply. Previews are made available to you on the condition that you agree to the supplemental terms of use. Some aspects of this feature may change prior to general availability (GA).

If instead you need to set up access rules for resources to reach a container registry from behind a firewall, see Configure rules to access an Azure container registry behind a firewall.

Preview limitations

  • Only a Premium container registry can be configured with network access rules. For information about registry service tiers, see Azure Container Registry SKUs.

  • Only an Azure Kubernetes Service cluster or Azure virtual machine can be used as a host to access a container registry in a virtual network. Other Azure services including Azure Container Instances aren't currently supported.

  • ACR Tasks operations aren't currently supported in a container registry accessed in a virtual network.

  • Each registry supports a maximum of 100 virtual network rules.

Prerequisites

  • To use the Azure CLI steps in this article, Azure CLI version 2.0.58 or later is required. If you need to install or upgrade, see Install Azure CLI.

  • If you don't already have a container registry, create one (Premium SKU required) and push a sample image such as hello-world from Docker Hub. For example, use the Azure portal or the Azure CLI to create a registry.

  • If you want to restrict registry access using a virtual network in a different Azure subscription, you need to register the resource provider for Azure Container Registry in that subscription. For example:

    az account set --subscription <Name or ID of subscription of virtual network>
    
    az provider register --namespace Microsoft.ContainerRegistry
    

About network rules for a container registry

An Azure container registry by default accepts connections over the internet from hosts on any network. With a virtual network, you can allow only Azure resources such as an AKS cluster or Azure VM to securely access the registry, without crossing a network boundary. You can also configure network firewall rules to whitelist specific public internet IP address ranges.

To limit access to a registry, first change the default action of the registry so that it denies all network connections. Then, add network access rules. Clients granted access via the network rules must continue to authenticate to the container registry and be authorized to access the data.

Service endpoint for subnets

To allow access from a subnet in a virtual network, you need to add a service endpoint for the Azure Container Registry service.

Multi-tenant services, like Azure Container Registry, use a single set of IP addresses for all customers. A service endpoint assigns an endpoint to access a registry. This endpoint gives traffic an optimal route to the resource over the Azure backbone network. The identities of the virtual network and the subnet are also transmitted with each request.

Firewall rules

For IP network rules, provide allowed internet address ranges using CIDR notation such as 16.17.18.0/24 or an individual IP address like 16.17.18.19. IP network rules are only allowed for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules.
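
The constraints above can be checked before a value ever reaches the registry. The following POSIX shell functions are an added example, not code from the original article: they reject malformed addresses and any range that touches an RFC 1918 block. The function names are this example's own, and rejecting ranges that merely contain a private block is a deliberately strict choice made here.

```sh
#!/bin/sh
# Added example, not from the original article: pre-flight check for a value
# that will be passed to `az acr network-rule add --ip-address`.

# ip_to_int ADDR: print the 32-bit value of a dotted quad; fail if malformed.
ip_to_int() (
  case $1 in ''|*[!0-9.]*|*.) exit 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    # Reject empty octets and leading zeros (ambiguous octal notation).
    case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) exit 1 ;; esac
    [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# overlaps A_INT A_PREFIX B_INT B_PREFIX: true when the two CIDR blocks
# intersect, which happens exactly when they agree on the shorter prefix.
overlaps() (
  p=$2
  [ "$4" -lt "$p" ] && p=$4
  mask=$(( 4294967295 ^ ((1 << (32 - p)) - 1) ))
  [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
)

# validate_ip_rule RULE: exit 0 for a public IPv4 address or CIDR range,
# otherwise print the reason to stderr and exit 1.
validate_ip_rule() (
  addr=${1%%/*}
  prefix=32
  case $1 in
    */*)
      prefix=${1#*/}
      case $prefix in
        [0-9]|[12][0-9]|3[0-2]) ;;
        *) echo "bad prefix length: $1" >&2; exit 1 ;;
      esac ;;
  esac
  n=$(ip_to_int "$addr") || { echo "bad address: $1" >&2; exit 1; }
  # Private ranges from RFC 1918, which IP network rules do not accept.
  for blk in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if overlaps "$n" "$prefix" "$(ip_to_int "${blk%/*}")" "${blk#*/}"; then
      echo "overlaps private range $blk: $1" >&2
      exit 1
    fi
  done
  exit 0
)

# Usage with the command from this article (registry name is the article's sample):
#   validate_ip_rule "$ip" && az acr network-rule add --name mycontainerregistry --ip-address "$ip"
```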

Create a Docker-enabled virtual machine

For this article, use a Docker-enabled Ubuntu VM to access an Azure container registry. To use Azure Active Directory authentication to the registry, also install the Azure CLI on the VM. If you already have an Azure virtual machine, skip this creation step.

You may use the same resource group for your virtual machine and your container registry. This setup simplifies clean-up at the end but isn't required. If you choose to create a separate resource group for the virtual machine and virtual network, run az group create. The following example creates a resource group named myResourceGroup in the westcentralus location:

az group create --name myResourceGroup --location westcentralus

Now deploy a default Ubuntu Azure virtual machine with az vm create. The following example creates a VM named myDockerVM:

az vm create \
    --resource-group myResourceGroup \
    --name myDockerVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys

It takes a few minutes for the VM to be created. When the command completes, take note of the publicIpAddress displayed by the Azure CLI. Use this address to make SSH connections to the VM, and optionally for later setup of firewall rules.

Install Docker on the VM

After the VM is running, make an SSH connection to the VM. Replace publicIpAddress with the public IP address of your VM.

ssh azureuser@publicIpAddress

Run the following command to install Docker on the Ubuntu VM:

sudo apt install docker.io -y

After installation, run the following command to verify that Docker is running properly on the VM:

sudo docker run -it hello-world

Output:

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

Install the Azure CLI

Follow the steps in Install Azure CLI with apt to install the Azure CLI on your Ubuntu virtual machine. For this article, ensure that you install version 2.0.58 or later.

Exit the SSH connection.

Allow access from a virtual network

In this section, configure your container registry to allow access from a subnet in an Azure virtual network. Equivalent steps using the Azure CLI and Azure portal are provided.

Allow access from a virtual network - CLI

Add a service endpoint to a subnet

When you create a VM, Azure by default creates a virtual network in the same resource group. The name of the virtual network is based on the name of the virtual machine. For example, if you name your virtual machine myDockerVM, the default virtual network name is myDockerVMVNET, with a subnet named myDockerVMSubnet. Verify this in the Azure portal or by using the az network vnet list command:

az network vnet list --resource-group myResourceGroup --query "[].{Name: name, Subnet: subnets[0].name}"

Output:

[
  {
    "Name": "myDockerVMVNET",
    "Subnet": "myDockerVMSubnet"
  }
]

Use the az network vnet subnet update command to add a Microsoft.ContainerRegistry service endpoint to your subnet. Substitute the names of your virtual network and subnet in the following command:

az network vnet subnet update \
  --name myDockerVMSubnet \
  --vnet-name myDockerVMVNET \
  --resource-group myResourceGroup \
  --service-endpoints Microsoft.ContainerRegistry

Use the az network vnet subnet show command to retrieve the resource ID of the subnet. You need this in a later step to configure a network access rule.

az network vnet subnet show \
  --name myDockerVMSubnet \
  --vnet-name myDockerVMVNET \
  --resource-group myResourceGroup \
  --query "id" \
  --output tsv

Output:

/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet

Change default network access to registry

By default, an Azure container registry allows connections from hosts on any network. To limit access to a selected network, change the default action to deny access. Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Deny

Add network rule to registry

Use the az acr network-rule add command to add a network rule to your registry that allows access from the VM's subnet. Substitute the container registry's name and the resource ID of the subnet in the following command:

az acr network-rule add --name mycontainerregistry --subnet <subnet-resource-id>

Continue to Verify access to the registry.

Allow access from a virtual network - portal

Add service endpoint to subnet

When you create a VM, Azure by default creates a virtual network in the same resource group. The name of the virtual network is based on the name of the virtual machine. For example, if you name your virtual machine myDockerVM, the default virtual network name is myDockerVMVNET, with a subnet named myDockerVMSubnet.

To add a service endpoint for Azure Container Registry to a subnet:

  1. In the search box at the top of the Azure portal, enter virtual networks. When Virtual networks appear in the search results, select it.
  2. From the list of virtual networks, select the virtual network where your virtual machine is deployed, such as myDockerVMVNET.
  3. Under Settings, select Subnets.
  4. Select the subnet where your virtual machine is deployed, such as myDockerVMSubnet.
  5. Under Service endpoints, select Microsoft.ContainerRegistry.
  6. Select Save.


Configure network access for registry

By default, an Azure container registry allows connections from hosts on any network. To limit access to the virtual network:

  1. In the portal, navigate to your container registry.
  2. Under Settings, select Firewall and virtual networks.
  3. To deny access by default, choose to allow access from Selected networks.
  4. Select Add existing virtual network, and select the virtual network and subnet you configured with a service endpoint. Select Add.
  5. Select Save.


Continue to Verify access to the registry.

Allow access from an IP address

In this section, configure your container registry to allow access from a specific IP address or range. Equivalent steps using the Azure CLI and Azure portal are provided.

Allow access from an IP address - CLI

Change default network access to registry

If you haven't already done so, update the registry configuration to deny access by default. Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Deny

Remove network rule from registry

If you previously added a network rule to allow access from the VM's subnet, remove the subnet's service endpoint and the network rule. Substitute the container registry's name and the resource ID of the subnet you retrieved in an earlier step in the az acr network-rule remove command:

# Remove service endpoint

az network vnet subnet update \
  --name myDockerVMSubnet \
  --vnet-name myDockerVMVNET \
  --resource-group myResourceGroup \
  --service-endpoints ""

# Remove network rule

az acr network-rule remove --name mycontainerregistry --subnet <subnet-resource-id>

Add network rule to registry

Use the az acr network-rule add command to add a network rule to your registry that allows access from the VM's IP address. Substitute the container registry's name and the public IP address of the VM in the following command.

az acr network-rule add --name mycontainerregistry --ip-address <public-IP-address>

Continue to Verify access to the registry.

Allow access from an IP address - portal

Remove existing network rule from registry

If you previously added a network rule to allow access from the VM's subnet, remove the existing rule. Skip this section if you want to access the registry from a different VM.

  • Update the subnet settings to remove the subnet's service endpoint for Azure Container Registry.

    1. In the Azure portal, navigate to the virtual network where your virtual machine is deployed.
    2. Under Settings, select Subnets.
    3. Select the subnet where your virtual machine is deployed.
    4. Under Service endpoints, remove the checkbox for Microsoft.ContainerRegistry.
    5. Select Save.
  • Remove the network rule that allows the subnet to access the registry.

    1. In the portal, navigate to your container registry.
    2. Under Settings, select Firewall and virtual networks.
    3. Under Virtual networks, select the name of the virtual network, and then select Remove.
    4. Select Save.

Add network rule to registry

  1. In the portal, navigate to your container registry.
  2. Under Settings, select Firewall and virtual networks.
  3. If you haven't already done so, choose to allow access from Selected networks.
  4. Under Virtual networks, ensure no network is selected.
  5. Under Firewall, enter the public IP address of a VM. Or, enter an address range in CIDR notation that contains the VM's IP address.
  6. Select Save.


Continue to Verify access to the registry.

Verify access to the registry

After waiting a few minutes for the configuration to update, verify that the VM can access the container registry. Make an SSH connection to your VM, and run the az acr login command to log in to your registry.

az acr login --name mycontainerregistry

You can perform registry operations, such as running docker pull to pull a sample image from the registry. Substitute an image and tag value appropriate for your registry, prefixed with the registry login server name (all lowercase):

docker pull mycontainerregistry.azurecr.io/hello-world:v1

Docker successfully pulls the image to the VM.

This example demonstrates that you can access the private container registry through the network access rule. However, the registry can't be accessed from a different login host that doesn't have a network access rule configured. If you attempt to log in from another host using the az acr login command or docker login command, output is similar to the following:

Error response from daemon: login attempt to https://xxxxxxx.azurecr.io/v2/ failed with status: 403 Forbidden
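
Besides testing from a host, the configured rule set itself can be inspected. The following function is an added example, not part of the original article: it reports whether the default action is Deny and flags IP rules broader than a threshold. The MIN_PREFIX threshold is a hypothetical policy, and the JSON field names used in the --query expressions are assumptions about the CLI's output.

```sh
#!/bin/sh
# Added example, not from the original article: audit a registry's network
# rule set after the steps above. Requires a logged-in Azure CLI.
# Assumptions: `az acr show` exposes networkRuleSet.defaultAction, and
# `az acr network-rule list` exposes ipRules[].ipAddressOrRange and
# virtualNetworkRules[].virtualNetworkResourceId.

# Hypothetical policy threshold: flag IP rules broader than this prefix length.
MIN_PREFIX=${MIN_PREFIX:-24}

# audit_registry NAME: print findings; exit 0 when nothing is flagged,
# 1 when something is flagged, 2 when an Azure CLI call fails.
audit_registry() (
  findings=0
  action=$(az acr show --name "$1" \
    --query "networkRuleSet.defaultAction" --output tsv) || exit 2
  if [ "$action" != "Deny" ]; then
    echo "FAIL default action is '$action': hosts on any network can connect"
    findings=$((findings + 1))
  fi

  ip_rules=$(az acr network-rule list --name "$1" \
    --query "ipRules[].ipAddressOrRange" --output tsv) || exit 2
  for r in $ip_rules; do
    # A bare address counts as a /32.
    case $r in */*) p=${r#*/} ;; *) p=32 ;; esac
    if [ "$p" -lt "$MIN_PREFIX" ]; then
      echo "WARN IP rule $r is broader than /$MIN_PREFIX"
      findings=$((findings + 1))
    else
      echo "OK   IP rule $r"
    fi
  done

  subnets=$(az acr network-rule list --name "$1" \
    --query "virtualNetworkRules[].virtualNetworkResourceId" --output tsv) || exit 2
  for s in $subnets; do
    echo "OK   subnet rule $s"
  done

  if [ "$action" = "Deny" ] && [ -z "$ip_rules$subnets" ]; then
    echo "NOTE default deny with no rules: no network can reach the registry"
  fi
  [ "$findings" -eq 0 ]
)
```

Run it as audit_registry mycontainerregistry; a non-zero exit status makes it usable as a gate in a deployment script.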

Restore default registry access

To restore the registry to allow access by default, remove any network rules that are configured. Then set the default action to allow access. Equivalent steps using the Azure CLI and Azure portal are provided.

Restore default registry access - CLI

Remove network rules

To see a list of network rules configured for your registry, run the following az acr network-rule list command:

az acr network-rule list --name mycontainerregistry

For each rule that is configured, run the az acr network-rule remove command to remove it. For example:

# Remove a rule that allows access for a subnet. Substitute the subnet resource ID.

az acr network-rule remove \
  --name mycontainerregistry \
  --subnet /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myDockerVMVNET/subnets/myDockerVMSubnet

# Remove a rule that allows access for an IP address or CIDR range such as 23.45.1.0/24.

az acr network-rule remove \
  --name mycontainerregistry \
  --ip-address 23.45.1.0/24

Allow access

Substitute the name of your registry in the following az acr update command:

az acr update --name myContainerRegistry --default-action Allow

Restore default registry access - portal

  1. In the portal, navigate to your container registry and select Firewall and virtual networks.
  2. Under Virtual networks, select each virtual network, and then select Remove.
  3. Under Firewall, select each address range, and then select the Delete icon.
  4. Under Allow access from, select All networks.
  5. Select Save.

Clean up resources

If you created all the Azure resources in the same resource group and no longer need them, you can optionally delete the resources by using a single az group delete command:

az group delete --name myResourceGroup

To clean up your resources in the portal, navigate to the myResourceGroup resource group. Once the resource group is loaded, click on Delete resource group to remove the resource group and the resources stored there.

Next steps

Several virtual network resources and features were discussed in this article, though briefly. The Azure Virtual Network documentation covers these topics extensively: