Create a virtual network peering - Resource Manager, different subscriptions and Azure Active Directory tenants

In this tutorial, you learn to create a virtual network peering between virtual networks created through Resource Manager. The virtual networks exist in different subscriptions that may belong to different Azure Active Directory (Azure AD) tenants. Peering two virtual networks enables resources in different virtual networks to communicate with each other with the same bandwidth and latency as though the resources were in the same virtual network. Learn more about Virtual network peering.

The steps to create a virtual network peering are different, depending on whether the virtual networks are in the same, or different, subscriptions, and which Azure deployment model the virtual networks are created through. Learn how to create a virtual network peering in other scenarios by selecting the scenario from the following table:

Azure deployment model               Azure subscription
Both Resource Manager                Same
One Resource Manager, one classic    Same
One Resource Manager, one classic    Different

A virtual network peering cannot be created between two virtual networks deployed through the classic deployment model. If you need to connect virtual networks that were both created through the classic deployment model, you can use an Azure VPN Gateway to connect the virtual networks.

This tutorial peers virtual networks in the same region. You can also peer virtual networks in different supported regions. It's recommended that you familiarize yourself with the peering requirements and constraints before peering virtual networks.

You can use the Azure portal, the Azure command-line interface (CLI), Azure PowerShell, or an Azure Resource Manager template to create a virtual network peering. Select any of the previous tool links to go directly to the steps for creating a virtual network peering using your tool of choice.

If the virtual networks are in different subscriptions, and the subscriptions are associated with different Azure Active Directory tenants, complete the following steps before continuing:

  1. Add the user from each Active Directory tenant as a guest user in the opposite Azure Active Directory tenant.
  2. Each user must accept the guest user invitation from the opposite Azure Active Directory tenant.

Create peering - Azure portal

The following steps use different accounts for each subscription. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps, skip the steps for logging out of the portal, and skip the steps for assigning another user permissions to the virtual networks.

  1. Log in to the Azure portal as UserA. The account you log in with must have the necessary permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  2. Select + Create a resource, select Networking, and then select Virtual network.

  3. Select or enter the following example values, then select Create:

    • Name: myVnetA
    • Address space: 10.0.0.0/16
    • Subnet name: default
    • Subnet address range: 10.0.0.0/24
    • Subscription: Select subscription A.
    • Resource group: Select Create new and enter myResourceGroupA
    • Location: East US
  4. In the Search resources box at the top of the portal, type myVnetA. Select myVnetA when it appears in the search results.

  5. Select Access control (IAM) from the vertical list of options on the left side.

  6. Under myVnetA - Access control (IAM), select + Add role assignment.

  7. Select Network contributor in the Role box.

  8. In the Select box, select UserB, or type UserB's email address to search for it.

  9. Select Save.

  10. Under myVnetA - Access control (IAM), select Properties from the vertical list of options on the left side. Copy the RESOURCE ID, which is used in a later step. The resource ID is similar to the following example: /subscriptions/<Subscription Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/virtualNetworks/myVnetA.

  11. Log out of the portal as UserA, then log in as UserB.

  12. Complete steps 2-3, entering or selecting the following values in step 3:

    • Name: myVnetB
    • Address space: 10.1.0.0/16
    • Subnet name: default
    • Subnet address range: 10.1.0.0/24
    • Subscription: Select subscription B.
    • Resource group: Select Create new and enter myResourceGroupB
    • Location: East US
  13. In the Search resources box at the top of the portal, type myVnetB. Select myVnetB when it appears in the search results.

  14. Under myVnetB, select Properties from the vertical list of options on the left side. Copy the RESOURCE ID, which is used in a later step. The resource ID is similar to the following example: /subscriptions/<Subscription ID>/resourceGroups/myResourceGroupB/providers/Microsoft.ClassicNetwork/virtualNetworks/myVnetB.

  15. Select Access control (IAM) under myVnetB, and then complete steps 5-10 for myVnetB, entering UserA in step 8.

  16. Log out of the portal as UserB and log in as UserA.

  17. In the Search resources box at the top of the portal, type myVnetA. Select myVnetA when it appears in the search results.

  18. Select myVnetA.

  19. Under SETTINGS, select Peerings.

  20. Under myVnetA - Peerings, select + Add.

  21. Under Add peering, enter or select the following options, then select OK:

    • Name: myVnetAToMyVnetB
    • Virtual network deployment model: Select Resource Manager.
    • I know my resource ID: Check this box.
    • Resource ID: Enter the resource ID from step 14.
    • Allow virtual network access: Ensure that Enabled is selected. No other settings are used in this tutorial. To learn about all peering settings, read Manage virtual network peerings.
  22. The peering you created appears shortly after you select OK in the previous step. Initiated is listed in the PEERING STATUS column for the myVnetAToMyVnetB peering you created. You've peered myVnetA to myVnetB, but now you must peer myVnetB to myVnetA. The peering must be created in both directions to enable resources in the virtual networks to communicate with each other.

  23. Log out of the portal as UserA and log in as UserB.

  24. Complete steps 17-21 again for myVnetB. In step 21, name the peering myVnetBToMyVnetA, select myVnetA for Virtual network, and enter the ID from step 10 in the Resource ID box.

  25. A few seconds after selecting OK to create the peering for myVnetB, the myVnetBToMyVnetA peering you just created is listed with Connected in the PEERING STATUS column.

  26. Log out of the portal as UserB and log in as UserA.

  27. Complete steps 17-19 again. The PEERING STATUS for the myVnetAToMyVnetB peering is now also Connected. The peering is successfully established after you see Connected in the PEERING STATUS column for both virtual networks in the peering. Any Azure resources you create in either virtual network are now able to communicate with each other through their IP addresses. If you're using default Azure name resolution for the virtual networks, the resources in the virtual networks are not able to resolve names across the virtual networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS server. Learn how to set up Name resolution using your own DNS server.

  28. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine in each virtual network and connect from one virtual machine to the other, to validate connectivity.

  29. Optional: To delete the resources that you create in this tutorial, complete the steps in the Delete resources section of this article.
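
Steps 5-9 give a guest user from another tenant the Network contributor role on the virtual network and nothing else. The following check is an added example, not part of the original tutorial: it audits exported role assignments for that guest and reports anything beyond the tutorial's grant. It assumes the input is the JSON printed by az role assignment list --all --assignee <user> --output json; the function name and every ID in the sample are constructed.

```python
# Added example: audit the role assignments exported for the guest user (UserB).
# Field names follow `az role assignment list --output json`; all IDs are constructed.

EXPECTED_ROLE = "Network Contributor"


def norm(resource_id):
    """Azure resource IDs are case-insensitive: compare lower-cased, no trailing slash."""
    return resource_id.rstrip("/").lower()


def audit_guest_assignments(assignments, vnet_id):
    """Return findings for a guest's role assignments that differ from the tutorial's grant.

    The tutorial grants exactly one assignment: Network Contributor scoped to the
    virtual network. A grant at a parent scope is inherited by the virtual network
    and by every other resource below that scope.
    """
    target = norm(vnet_id)
    findings = []
    expected_seen = False
    for a in assignments:
        scope, role = norm(a["scope"]), a["roleDefinitionName"]
        if scope == target:
            if role == EXPECTED_ROLE:
                expected_seen = True
            else:
                findings.append(f"EXTRA ROLE on virtual network: {role}")
        elif target.startswith(scope + "/"):
            # Resource group, subscription or root scope above the virtual network.
            findings.append(f"BROADER SCOPE: {role} at {a['scope']}")
        else:
            findings.append(f"OTHER RESOURCE: {role} at {a['scope']}")
    if not expected_seen:
        findings.append(f"MISSING: {EXPECTED_ROLE} on the virtual network")
    return findings


SUB_A = "00000000-0000-0000-0000-00000000000a"  # constructed subscription ID
RG_A = f"/subscriptions/{SUB_A}/resourceGroups/myResourceGroupA"
VNET_A = f"{RG_A}/providers/Microsoft.Network/virtualNetworks/myVnetA"

# Constructed export. The first scope uses the "VirtualNetworks" casing that the
# tutorial's CLI script passes to --scope; it is still the same resource.
SAMPLE = [
    {"principalName": "UserB@azure.com", "roleDefinitionName": "Network Contributor",
     "scope": f"{RG_A}/providers/Microsoft.Network/VirtualNetworks/myVnetA"},
    {"principalName": "UserB@azure.com", "roleDefinitionName": "Contributor",
     "scope": RG_A},
]

if __name__ == "__main__":
    for finding in audit_guest_assignments(SAMPLE, VNET_A):
        print(finding)
```

Run the same audit in the other subscription for UserA against myVnetB.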

Create peering - Azure CLI

This tutorial uses different accounts for each subscription. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps, skip the steps for logging out of Azure, and remove the lines of script that create user role assignments. Replace UserA@azure.com and UserB@azure.com in all of the following scripts with the usernames you're using for UserA and UserB.

The following scripts:

  • Require the Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to upgrade, see Install Azure CLI.
  • Work in a Bash shell. For options on running Azure CLI scripts on a Windows client, see Install the Azure CLI on Windows.

Instead of installing the CLI and its dependencies, you can use the Azure Cloud Shell. The Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. It has the Azure CLI preinstalled and configured to use with your account. Select the Try it button in the script that follows, which invokes a Cloud Shell that you can log in to your Azure account with.

  1. Open a CLI session and log in to Azure as UserA using the az login command. The account you log in with must have the necessary permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  2. Copy the following script to a text editor on your PC, replace <SubscriptionA-Id> with the ID of SubscriptionA, then copy the modified script, paste it in your CLI session, and press Enter. If you don't know your subscription Id, enter the az account show command. The value for id in the output is your subscription Id.

    # Create a resource group.
    az group create \
      --name myResourceGroupA \
      --location eastus
    
    # Create virtual network A.
    az network vnet create \
      --name myVnetA \
      --resource-group myResourceGroupA \
      --location eastus \
      --address-prefix 10.0.0.0/16
    
    # Assign UserB permissions to virtual network A.
    az role assignment create \
      --assignee UserB@azure.com \
      --role "Network Contributor" \
      --scope /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA
    
  3. Log out of Azure as UserA using the az logout command, then log in to Azure as UserB. The account you log in with must have the necessary permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  4. Create myVnetB. Copy the script contents in step 2 to a text editor on your PC. Replace <SubscriptionA-Id> with the ID of SubscriptionB. Change 10.0.0.0/16 to 10.1.0.0/16, change all As to B, and all Bs to A. Copy the modified script, paste it into your CLI session, and press Enter.

  5. Log out of Azure as UserB and log in to Azure as UserA.

  6. Create a virtual network peering from myVnetA to myVnetB. Copy the following script contents to a text editor on your PC. Replace <SubscriptionB-Id> with the ID of SubscriptionB. To execute the script, copy the modified script, paste it into your CLI session, and press Enter.

    # Get the id for myVnetA.
    vnetAId=$(az network vnet show \
      --resource-group myResourceGroupA \
      --name myVnetA \
      --query id --out tsv)

    # Peer myVNetA to myVNetB.
    az network vnet peering create \
      --name myVnetAToMyVnetB \
      --resource-group myResourceGroupA \
      --vnet-name myVnetA \
      --remote-vnet /subscriptions/<SubscriptionB-Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB \
      --allow-vnet-access
    
  7. View the peering state of myVnetA.

    az network vnet peering list \
      --resource-group myResourceGroupA \
      --vnet-name myVnetA \
      --output table
    

    The state is Initiated. It changes to Connected once you create the peering to myVnetA from myVnetB.

  8. Log out UserA from Azure and log in to Azure as UserB.

  9. Create the peering from myVnetB to myVnetA. Copy the script contents in step 6 to a text editor on your PC. Replace <SubscriptionB-Id> with the ID for SubscriptionA and change all As to B and all Bs to A. Once you've made the changes, copy the modified script, paste it into your CLI session, and press Enter.

  10. View the peering state of myVnetB. Copy the script contents in step 7 to a text editor on your PC. Change A to B for the resource group and virtual network names, copy the script, paste the modified script into your CLI session, and then press Enter. The peering state is Connected. The peering state of myVnetA changes to Connected after you've created the peering from myVnetB to myVnetA. You can log UserA back in to Azure and complete step 7 again to verify the peering state of myVnetA.

    Note

    The peering is not established until the peering state is Connected for both virtual networks.

  11. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine in each virtual network and connect from one virtual machine to the other, to validate connectivity.

  12. Optional: To delete the resources that you create in this tutorial, complete the steps in Delete resources in this article.

Any Azure resources you create in either virtual network are now able to communicate with each other through their IP addresses. If you're using default Azure name resolution for the virtual networks, the resources in the virtual networks are not able to resolve names across the virtual networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS server. Learn how to set up Name resolution using your own DNS server.
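
Steps 7 and 10 check each side separately, and the peering only counts once both sides report Connected. The following check is an added example, not part of the original tutorial: it takes the peering lists exported by UserA and UserB and confirms that each peering has a reverse peering pointing back at it and that both are Connected. It assumes the input is the step 7 command run with --output json instead of --output table; the function names and subscription IDs are constructed.

```python
# Added example: decide from both sides' exports whether the peering is established.
# Input shape follows `az network vnet peering list --output json`; IDs are constructed.


def norm(resource_id):
    """Azure resource IDs are case-insensitive: compare lower-cased, no trailing slash."""
    return resource_id.rstrip("/").lower()


def local_vnet(peering):
    """A peering's own ID is '<virtual network ID>/virtualNetworkPeerings/<name>'."""
    return norm(peering["id"]).rsplit("/virtualnetworkpeerings/", 1)[0]


def remote_vnet(peering):
    return norm(peering["remoteVirtualNetwork"]["id"])


def check_peering(side_a, side_b):
    """Return a list of problems; an empty list means reciprocal and Connected.

    side_a and side_b are the peering lists exported by UserA and UserB.
    """
    problems = []
    unmatched_b = list(side_b)
    for p in side_a:
        reverse = next((q for q in unmatched_b
                        if local_vnet(q) == remote_vnet(p)
                        and remote_vnet(q) == local_vnet(p)), None)
        if reverse is None:
            problems.append(f"{p['name']}: no reverse peering (state {p['peeringState']})")
            continue
        unmatched_b.remove(reverse)
        for side in (p, reverse):
            if side["peeringState"] != "Connected":
                problems.append(f"{side['name']}: state is {side['peeringState']}")
    for q in unmatched_b:
        problems.append(f"{q['name']}: no reverse peering (state {q['peeringState']})")
    return problems


# --- constructed sample data ---
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"


def vnet_id(sub, letter, segment="virtualNetworks"):
    return (f"/subscriptions/{sub}/resourceGroups/myResourceGroup{letter}"
            f"/providers/Microsoft.Network/{segment}/myVnet{letter}")


def peering(name, local, remote, state):
    return {"name": name, "id": f"{local}/virtualNetworkPeerings/{name}",
            "peeringState": state, "remoteVirtualNetwork": {"id": remote}}


# After step 7: only UserA has created a peering. The remote ID keeps the
# "VirtualNetworks" casing used in the tutorial's --remote-vnet argument.
A_INITIATED = peering("myVnetAToMyVnetB", vnet_id(SUB_A, "A"),
                      vnet_id(SUB_B, "B", "VirtualNetworks"), "Initiated")
# After step 10: both directions exist.
A_CONNECTED = dict(A_INITIATED, peeringState="Connected")
B_CONNECTED = peering("myVnetBToMyVnetA", vnet_id(SUB_B, "B"),
                      vnet_id(SUB_A, "A", "VirtualNetworks"), "Connected")

if __name__ == "__main__":
    print(check_peering([A_INITIATED], []))
    print(check_peering([A_CONNECTED], [B_CONNECTED]))
```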

Create peering - PowerShell

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

This tutorial uses different accounts for each subscription. If you're using an account that has permissions to both subscriptions, you can use the same account for all steps, skip the steps for logging out of Azure, and remove the lines of script that create user role assignments. Replace UserA@azure.com and UserB@azure.com in all of the following scripts with the usernames you're using for UserA and UserB.

  1. Confirm that you have Azure PowerShell version 1.0.0 or higher. You can do this by running the Get-Module -Name Az command. We recommend installing the latest version of the PowerShell Az module. If you're new to Azure PowerShell, see Azure PowerShell overview.

  2. Start a PowerShell session.

  3. In PowerShell, log in to Azure as UserA by entering the Connect-AzAccount command. The account you log in with must have the necessary permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  4. Create a resource group and virtual network A. Copy the following script to a text editor on your PC. Replace <SubscriptionA-Id> with the ID of SubscriptionA. If you don't know your subscription Id, enter the Get-AzSubscription command to view it. The value for Id in the returned output is your subscription ID. To execute the script, copy the modified script, paste it into PowerShell, and then press Enter.

    # Create a resource group.
    New-AzResourceGroup `
      -Name MyResourceGroupA `
      -Location eastus
    
    # Create virtual network A.
    $vNetA = New-AzVirtualNetwork `
      -ResourceGroupName MyResourceGroupA `
      -Name 'myVnetA' `
      -AddressPrefix '10.0.0.0/16' `
      -Location eastus
    
    # Assign UserB permissions to myVnetA.
    New-AzRoleAssignment `
      -SignInName UserB@azure.com `
      -RoleDefinitionName "Network Contributor" `
      -Scope /subscriptions/<SubscriptionA-Id>/resourceGroups/myResourceGroupA/providers/Microsoft.Network/VirtualNetworks/myVnetA
    
  5. Log out UserA from Azure and log in UserB. The account you log in with must have the necessary permissions to create a virtual network peering. For a list of permissions, see Virtual network peering permissions.

  6. Copy the script contents in step 4 to a text editor on your PC. Replace <SubscriptionA-Id> with the ID for subscription B. Change 10.0.0.0/16 to 10.1.0.0/16. Change all As to B and all Bs to A. To execute the script, copy the modified script, paste it into PowerShell, and then press Enter.

  7. Log out UserB from Azure and log in UserA.

  8. Create the peering from myVnetA to myVnetB. Copy the following script to a text editor on your PC. Replace <SubscriptionB-Id> with the ID of subscription B. To execute the script, copy the modified script, paste it into PowerShell, and then press Enter.

    # Peer myVnetA to myVnetB.
    $vNetA=Get-AzVirtualNetwork -Name myVnetA -ResourceGroupName myResourceGroupA
    Add-AzVirtualNetworkPeering `
      -Name 'myVnetAToMyVnetB' `
      -VirtualNetwork $vNetA `
      -RemoteVirtualNetworkId "/subscriptions/<SubscriptionB-Id>/resourceGroups/myResourceGroupB/providers/Microsoft.Network/virtualNetworks/myVnetB"
    
  9. View the peering state of myVnetA.

    Get-AzVirtualNetworkPeering `
      -ResourceGroupName myResourceGroupA `
      -VirtualNetworkName myVnetA `
      | Format-Table VirtualNetworkName, PeeringState
    

    The state is Initiated. It changes to Connected once you set up the peering to myVnetA from myVnetB.

  10. Log out UserA from Azure and log in UserB.

  11. Create the peering from myVnetB to myVnetA. Copy the script contents in step 8 to a text editor on your PC. Replace <SubscriptionB-Id> with the ID of subscription A and change all As to B and all Bs to A. To execute the script, copy the modified script, paste it into PowerShell, and then press Enter.

  12. View the peering state of myVnetB. Copy the script contents in step 9 to a text editor on your PC. Change A to B for the resource group and virtual network names. To execute the script, paste the modified script into PowerShell, and then press Enter. The state is Connected. The peering state of myVnetA changes to Connected after you've created the peering from myVnetB to myVnetA. You can log UserA back in to Azure and complete step 9 again to verify the peering state of myVnetA.

    Note

    The peering is not established until the peering state is Connected for both virtual networks.

    Any Azure resources you create in either virtual network are now able to communicate with each other through their IP addresses. If you're using default Azure name resolution for the virtual networks, the resources in the virtual networks are not able to resolve names across the virtual networks. If you want to resolve names across virtual networks in a peering, you must create your own DNS server. Learn how to set up Name resolution using your own DNS server.

  13. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine in each virtual network and connect from one virtual machine to the other, to validate connectivity.

  14. Optional: To delete the resources that you create in this tutorial, complete the steps in Delete resources in this article.

Create peering - Resource Manager template

  1. To create a virtual network and assign the appropriate permissions, complete the steps in the Portal, Azure CLI, or PowerShell sections of this article.

  2. Save the text that follows to a file on your local computer. Replace <subscription ID> with UserA's subscription ID. You might save the file as vnetpeeringA.json, for example.

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {},
        "variables": {},
        "resources": [
            {
                "apiVersion": "2016-06-01",
                "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                "name": "myVnetA/myVnetAToMyVnetB",
                "location": "[resourceGroup().location]",
                "properties": {
                    "allowVirtualNetworkAccess": true,
                    "allowForwardedTraffic": false,
                    "allowGatewayTransit": false,
                    "useRemoteGateways": false,
                    "remoteVirtualNetwork": {
                        "id": "/subscriptions/<subscription ID>/resourceGroups/PeeringTest/providers/Microsoft.Network/virtualNetworks/myVnetB"
                    }
                }
            }
        ]
    }
    
  3. Log in to Azure as UserA and deploy the template using the portal, PowerShell, or the Azure CLI. Specify the name of the file in which you saved the example JSON text in step 2.

  4. Copy the example JSON from step 2 to a file on your computer and make changes to the lines that begin with:

    • name: Change myVnetA/myVnetAToMyVnetB to myVnetB/myVnetBToMyVnetA.
    • id: Replace <subscription ID> with UserB's subscription ID and change myVnetB to myVnetA.
  5. Complete step 3 again, logged in to Azure as UserB.

  6. Optional: Though creating virtual machines is not covered in this tutorial, you can create a virtual machine in each virtual network and connect from one virtual machine to the other, to validate connectivity.

  7. Optional: To delete the resources that you create in this tutorial, complete the steps in the Delete resources section of this article, using either the Azure portal, PowerShell, or the Azure CLI.
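
Steps 2 and 4 edit the template by hand, so a leftover placeholder or a half-completed A/B swap is easy to miss before deployment. The following lint is an added example, not part of the original article: it checks the peering resource in a template against the values this tutorial uses. The function name and the subscription ID are constructed; the embedded template is the one from step 2.

```python
# Added example: lint a peering template before deploying it.
import json
import re

PEERING_TYPE = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
VNET_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)$",
    re.IGNORECASE,
)
UNUSED_FLAGS = ("allowForwardedTraffic", "allowGatewayTransit", "useRemoteGateways")


def lint_peering_template(text, local_vnet):
    """Return a list of issues for the peering resources in an ARM template.

    local_vnet is the virtual network in the resource group being deployed to.
    """
    issues = []
    for res in json.loads(text).get("resources", []):
        if res.get("type", "").lower() != PEERING_TYPE.lower():
            continue
        name = res.get("name", "")
        parent, _, peering_name = name.partition("/")
        if not peering_name or parent.lower() != local_vnet.lower():
            issues.append(f"{name}: name must be '{local_vnet}/<peering name>'")
        props = res.get("properties", {})
        remote = props.get("remoteVirtualNetwork", {}).get("id", "")
        match = VNET_ID.match(remote)
        if "<" in remote or ">" in remote:
            issues.append(f"{name}: remote ID still contains a placeholder")
        elif match is None:
            issues.append(f"{name}: remote ID is not a Microsoft.Network virtual network ID")
        if match and match["vnet"].lower() == local_vnet.lower():
            issues.append(f"{name}: remote virtual network name equals the local one")
        if props.get("allowVirtualNetworkAccess") is not True:
            issues.append(f"{name}: allowVirtualNetworkAccess is not enabled")
        for flag in UNUSED_FLAGS:
            if props.get(flag):
                issues.append(f"{name}: {flag} is enabled, which this tutorial does not use")
    return issues


# The tutorial's template from step 2, with its placeholder left in place.
TEMPLATE_STEP2 = """
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "apiVersion": "2016-06-01",
            "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
            "name": "myVnetA/myVnetAToMyVnetB",
            "location": "[resourceGroup().location]",
            "properties": {
                "allowVirtualNetworkAccess": true,
                "allowForwardedTraffic": false,
                "allowGatewayTransit": false,
                "useRemoteGateways": false,
                "remoteVirtualNetwork": {
                    "id": "/subscriptions/<subscription ID>/resourceGroups/PeeringTest/providers/Microsoft.Network/virtualNetworks/myVnetB"
                }
            }
        }
    ]
}
"""

SUB = "00000000-0000-0000-0000-000000000001"  # constructed subscription ID
FILLED = TEMPLATE_STEP2.replace("<subscription ID>", SUB)
# Step 4 done halfway: the name line was changed, the id line was not.
HALF_SWAPPED = FILLED.replace("myVnetA/myVnetAToMyVnetB", "myVnetB/myVnetBToMyVnetA")

if __name__ == "__main__":
    for label, text, vnet in (("step 2 as saved", TEMPLATE_STEP2, "myVnetA"),
                              ("placeholder replaced", FILLED, "myVnetA"),
                              ("half-swapped for step 4", HALF_SWAPPED, "myVnetB")):
        print(label, lint_peering_template(text, vnet))
```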

Delete resources

When you've finished this tutorial, you might want to delete the resources you created in the tutorial, so you don't incur usage charges. Deleting a resource group also deletes all resources that are in the resource group.

Azure portal

  1. Log in to the Azure portal as UserA.
  2. In the portal search box, enter myResourceGroupA. In the search results, select myResourceGroupA.
  3. Select Delete.
  4. To confirm the deletion, in the TYPE THE RESOURCE GROUP NAME box, enter myResourceGroupA, and then select Delete.
  5. Log out of the portal as UserA and log in as UserB.
  6. Complete steps 2-4 for myResourceGroupB.

Azure CLI

  1. Log in to Azure as UserA and execute the following command:

    az group delete --name myResourceGroupA --yes
    
  2. Log out of Azure as UserA and log in as UserB.

  3. Execute the following command:

    az group delete --name myResourceGroupB --yes
    

PowerShell

  1. Log in to Azure as UserA and execute the following command:

    Remove-AzResourceGroup -Name myResourceGroupA -force
    
  2. Log out of Azure as UserA and log in as UserB.

  3. Execute the following command:

    Remove-AzResourceGroup -Name myResourceGroupB -force
    

Next steps