Tutorial: Route network traffic with a route table using the Azure portal

Azure routes traffic between all subnets within a virtual network by default. You can create your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for example, you want to route traffic between subnets through a network virtual appliance (NVA). In this tutorial, you learn how to:

  • Create a route table
  • Create a route
  • Create a virtual network with multiple subnets
  • Associate a route table to a subnet
  • Create an NVA that routes traffic
  • Deploy virtual machines (VMs) into different subnets
  • Route traffic from one subnet to another through an NVA

If you prefer, you can finish this tutorial using the Azure CLI or Azure PowerShell.

If you don't have an Azure subscription, create a free account before you begin.

Sign in to Azure

Sign in to the Azure portal.

Create a route table

  1. On the upper-left side of the screen, select Create a resource > Networking > Route table.

  2. In Create route table, enter or select this information:

    Setting                  Value
    Name                     Enter myRouteTablePublic.
    Subscription             Select your subscription.
    Resource group           Select Create new, enter myResourceGroup, and select OK.
    Location                 Leave the default East US.
    BGP route propagation    Leave the default Enabled.
  3. Select Create.

Create a route

  1. In the portal's search bar, enter myRouteTablePublic.

  2. When myRouteTablePublic appears in the search results, select it.

  3. In myRouteTablePublic, under Settings, select Routes > + Add.

    (Screenshot: Add route)

  4. In Add route, enter or select this information:

    Setting             Value
    Route name          Enter ToPrivateSubnet.
    Address prefix      Enter 10.0.1.0/24.
    Next hop type       Select Virtual appliance.
    Next hop address    Enter 10.0.2.4.
  5. Select OK.

Associate a route table to a subnet

Before you can associate a route table to a subnet, you have to create a virtual network and subnet.

Create a virtual network

  1. On the upper-left side of the screen, select Create a resource > Networking > Virtual network.

  2. In Create virtual network, enter or select this information:

    Setting                   Value
    Name                      Enter myVirtualNetwork.
    Address space             Enter 10.0.0.0/16.
    Subscription              Select your subscription.
    Resource group            Select Select existing > myResourceGroup.
    Location                  Leave the default East US.
    Subnet - Name             Enter Public.
    Subnet - Address range    Enter 10.0.0.0/24.
  3. Leave the rest of the defaults and select Create.

Add subnets to the virtual network

  1. In the portal's search bar, enter myVirtualNetwork.

  2. When myVirtualNetwork appears in the search results, select it.

  3. In myVirtualNetwork, under Settings, select Subnets > + Subnet.

    (Screenshot: Add subnet)

  4. In Add subnet, enter this information:

    Setting          Value
    Name             Enter Private.
    Address space    Enter 10.0.1.0/24.
  5. Leave the rest of the defaults and select OK.

  6. Select + Subnet again. This time, enter this information:

    Setting          Value
    Name             Enter DMZ.
    Address space    Enter 10.0.2.0/24.
  7. Like the last time, leave the rest of the defaults and select OK.

    Azure shows the three subnets: Public, Private, and DMZ.

Associate myRouteTablePublic to your Public subnet

  1. Select Public.

  2. In Public, select Route table > myRouteTablePublic > Save.

    (Screenshot: Associate route table)
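The route table, route, and subnet association from the steps above as one Azure PowerShell script, added here as an example; it is not part of the original tutorial, which uses the portal. It assumes the Az module is installed, Connect-AzAccount has been run, and myVirtualNetwork with its Public subnet already exists in myResourceGroup; the next hop 10.0.2.4 is the NVA address the tutorial assigns.

```powershell
# Added example, not from the original tutorial: Azure PowerShell equivalent
# of creating myRouteTablePublic, its route, and the Public subnet association.
# Assumes: Az module, an authenticated session, and an existing myVirtualNetwork.
$rg  = 'myResourceGroup'
$loc = 'EastUS'

# The user route: traffic for the Private subnet goes to the NVA's private IP.
$route = New-AzRouteConfig -Name 'ToPrivateSubnet' `
    -AddressPrefix '10.0.1.0/24' `
    -NextHopType 'VirtualAppliance' `
    -NextHopIpAddress '10.0.2.4'

# The route table; BGP route propagation stays enabled, as in the portal default.
$rt = New-AzRouteTable -Name 'myRouteTablePublic' -ResourceGroupName $rg `
    -Location $loc -Route $route

# Associate the table with the Public subnet and commit the virtual network change.
$vnet = Get-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -Name 'Public' -VirtualNetwork $vnet `
    -AddressPrefix '10.0.0.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the user route must exist, and only the Public subnet should reference
# the table. A table attached to the wrong subnet silently bypasses the NVA.
$rt = Get-AzRouteTable -Name 'myRouteTablePublic' -ResourceGroupName $rg
$rt.Routes  | Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
$rt.Subnets | ForEach-Object { $_.Id.Split('/')[-1] }   # should list only: Public
```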

Create an NVA

NVAs are VMs that help with network functions like routing and firewall optimization. You can select a different operating system if you want. This tutorial assumes you're using Windows Server 2016 Datacenter.

  1. On the upper-left side of the screen, select Create a resource > Compute > Windows Server 2016 Datacenter.

  2. In Create a virtual machine - Basics, enter or select this information:

    Setting                          Value
    PROJECT DETAILS
    Subscription                     Select your subscription.
    Resource group                   Select myResourceGroup.
    INSTANCE DETAILS
    Virtual machine name             Enter myVmNva.
    Region                           Select East US.
    Availability options             Leave the default No infrastructure redundancy required.
    Image                            Leave the default Windows Server 2016 Datacenter.
    Size                             Leave the default Standard DS1 v2.
    ADMINISTRATOR ACCOUNT
    Username                         Enter a user name of your choosing.
    Password                         Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Confirm Password                 Reenter the password.
    INBOUND PORT RULES
    Public inbound ports             Leave the default None.
    SAVE MONEY
    Already have a Windows license?  Leave the default No.
  3. Select Next : Disks.

  4. In Create a virtual machine - Disks, select the settings that are right for your needs.

  5. Select Next : Networking.

  6. In Create a virtual machine - Networking, select this information:

    Setting            Value
    Virtual network    Leave the default myVirtualNetwork.
    Subnet             Select DMZ (10.0.2.0/24).
    Public IP          Select None. You don't need a public IP address; the VM won't connect over the internet.
  7. Leave the rest of the defaults and select Next : Management.

  8. In Create a virtual machine - Management, for Diagnostics storage account, select Create New.

  9. In Create storage account, enter or select this information:

    Setting          Value
    Name             Enter mynvastorageaccount.
    Account kind     Leave the default Storage (general purpose v1).
    Performance      Leave the default Standard.
    Replication      Leave the default Locally-redundant storage (LRS).
  10. Select OK.

  11. Select Review + create. You're taken to the Review + create page, and Azure validates your configuration.

  12. When you see that validation passed, select Create.

    The VM takes a few minutes to create. Don't continue until Azure finishes creating the VM. The Your deployment is underway page shows you the deployment details.

  13. When your VM is ready, select Go to resource.

Turn on IP forwarding

Turn on IP forwarding for myVmNva. When Azure sends network traffic to myVmNva that is destined for a different IP address, IP forwarding lets the VM's network interface accept that traffic so the NVA can send it on to the correct location.

  1. On myVmNva, under Settings, select Networking.

  2. Select myvmnva123. That's the network interface Azure created for your VM. It will have a string of numbers appended to make it unique.

    (Screenshot: VM networking)

  3. Under Settings, select IP configurations.

  4. On myvmnva123 - IP configurations, for IP forwarding, select Enabled and then select Save.

    (Screenshot: Enable IP forwarding)

Create public and private virtual machines

Create a public VM and a private VM in the virtual network. Later, you'll use them to see that Azure routes the Public subnet's traffic to the Private subnet through the NVA.

Complete steps 1-12 of Create an NVA. Use most of the same settings. These values are the ones that have to be different:

Setting                        Value
PUBLIC VM
BASICS
Virtual machine name           Enter myVmPublic.
NETWORKING
Subnet                         Select Public (10.0.0.0/24).
Public IP address              Accept the default.
Public inbound ports           Select Allow selected ports.
Select inbound ports           Select HTTP and RDP.
MANAGEMENT
Diagnostics storage account    Leave the default mynvastorageaccount.
PRIVATE VM
BASICS
Virtual machine name           Enter myVmPrivate.
NETWORKING
Subnet                         Select Private (10.0.1.0/24).
Public IP address              Accept the default.
Public inbound ports           Select Allow selected ports.
Select inbound ports           Select HTTP and RDP.
MANAGEMENT
Diagnostics storage account    Leave the default mynvastorageaccount.

You can create the myVmPrivate VM while Azure creates the myVmPublic VM. Don't continue with the rest of the steps until Azure finishes creating both VMs.

Route traffic through an NVA

Sign in to myVmPrivate over remote desktop

  1. In the portal's search bar, enter myVmPrivate.

  2. When the myVmPrivate VM appears in the search results, select it.

  3. Select Connect to create a remote desktop connection to the myVmPrivate VM.

  4. In Connect to virtual machine, select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.

  5. Open the downloaded .rdp file.

    1. If prompted, select Connect.

    2. Enter the user name and password you specified when creating the Private VM.

    3. You may need to select More choices > Use a different account to use the Private VM credentials.

  6. Select OK.

    You may receive a certificate warning during the sign-in process.

  7. Select Yes to connect to the VM.

Enable ICMP through the Windows firewall

In a later step, you'll use the trace route tool to test routing. Trace route uses the Internet Control Message Protocol (ICMP), which the Windows Firewall denies by default. Enable ICMP through the Windows firewall.

  1. In the Remote Desktop of myVmPrivate, open PowerShell.

  2. Enter this command:

    New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4
    

    You're using trace route to test routing in this tutorial. For production environments, we don't recommend allowing ICMP through the Windows Firewall.

Turn on IP forwarding within myVmNva

You turned on IP forwarding for the VM's network interface using Azure. The VM's operating system also has to forward network traffic. Turn on IP forwarding for the myVmNva VM's operating system with these commands.

  1. From a command prompt on the myVmPrivate VM, open a remote desktop to the myVmNva VM:

    mstsc /v:myvmnva
    
  2. From PowerShell on myVmNva, enter this command to turn on IP forwarding:

    Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1
    
  3. Restart the myVmNva VM. From the taskbar, select Start button > Power button, Other (Planned) > Continue.

    That also disconnects the remote desktop session.

  4. After the myVmNva VM restarts, create a remote desktop session to the myVmPublic VM. While still connected to the myVmPrivate VM, open a command prompt and run this command:

    mstsc /v:myVmPublic
    
  5. In the Remote Desktop of myVmPublic, open PowerShell.

  6. Enable ICMP through the Windows firewall by entering this command:

    New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4
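The in-guest configuration from the two preceding sections, collected into one PowerShell snippet as an added example (not from the original tutorial). The IP forwarding part runs on myVmNva and uses the same registry value the tutorial sets; the firewall rule, unlike the tutorial's, admits only ICMP echo requests and only from the 10.0.0.0/16 address space, which is the narrower rule to prefer if ICMP has to stay open beyond the test. The cmdlets are standard Windows Server ones; the expected values in the comments are what the tutorial's settings should produce.

```powershell
# Added example, not from the original tutorial. Run in an elevated PowerShell
# inside the Windows guest: steps 1-2 on myVmNva, step 3 on the VMs you tracert to.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Guest-side IP forwarding (the same value the tutorial sets). The change
#    takes effect only after the VM restarts.
Set-ItemProperty -Path $tcpip -Name IpEnableRouter -Value 1 -Type DWord

# 2. After the restart, verify both halves of the guest configuration: the
#    registry flag and the per-interface Forwarding state of the IPv4 stack.
(Get-ItemProperty -Path $tcpip -Name IpEnableRouter).IpEnableRouter   # expected: 1
Get-NetIPInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, Forwarding                          # expected: Enabled

# 3. A narrower ICMP rule than "Allow ICMPv4-In": inbound echo requests (type 8)
#    only, and only from the virtual network's address space, not from anywhere.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo-In (VNet only)' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress 10.0.0.0/16 -Action Allow -Profile Any

# Remove the rule once the tracert tests are done:
# Remove-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo-In (VNet only)'
```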
    

Test the routing of network traffic

First, let's test routing of network traffic from the myVmPublic VM to the myVmPrivate VM.

  1. From PowerShell on the myVmPublic VM, enter this command:

    tracert myVmPrivate
    

    The response is similar to this example:

    Tracing route to myVmPrivate.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.1.4]
    over a maximum of 30 hops:
    
    1    <1 ms     *        1 ms  10.0.2.4
    2     1 ms     1 ms     1 ms  10.0.1.4
    
    Trace complete.
    

    You can see the first hop is to 10.0.2.4, the NVA's private IP address. The second hop is to the private IP address of the myVmPrivate VM: 10.0.1.4. Earlier, you added the route to the myRouteTablePublic route table and associated it to the Public subnet. As a result, Azure sent the traffic through the NVA and not directly to the Private subnet.

  2. Close the remote desktop session to the myVmPublic VM, which leaves you still connected to the myVmPrivate VM.

  3. From a command prompt on the myVmPrivate VM, enter this command:

    tracert myVmPublic
    

    This tests the routing of network traffic from the myVmPrivate VM to the myVmPublic VM. The response is similar to this example:

    Tracing route to myVmPublic.vpgub4nqnocezhjgurw44dnxrc.bx.internal.cloudapp.net [10.0.0.4]
    over a maximum of 30 hops:
    
    1     1 ms     1 ms     1 ms  10.0.0.4
    
    Trace complete.
    

    You can see Azure routes traffic directly from the myVmPrivate VM to the myVmPublic VM. By default, Azure routes traffic directly between subnets.

  4. Close the remote desktop session to the myVmPrivate VM.
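A repeatable form of the tracert check above, added as an example (not from the original tutorial): it runs tracert from inside a VM and reports whether the first hop is the NVA's private IP, so the routing can be re-verified after any later change to the route table. The function names Get-FirstHop and Test-NvaPath are my own; the expected hop 10.0.2.4 and the VM names come from the tutorial.

```powershell
# Added example, not from the original tutorial. Run inside myVmPublic or
# myVmPrivate; requires tracert.exe (Windows) and the ICMP firewall rule above.

function Get-FirstHop {
    # Returns the address on tracert's hop-1 line, or $null if hop 1 timed out.
    # A hop line looks like: "  1    <1 ms     *        1 ms  10.0.2.4"
    param([string[]]$TracertOutput)
    foreach ($line in $TracertOutput) {
        if ($line -match '^\s*1\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            return $Matches[1]
        }
    }
    return $null
}

function Test-NvaPath {
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$ExpectedFirstHop = '10.0.2.4'   # the NVA's private IP in the tutorial
    )
    # -d skips reverse DNS so hop lines carry bare addresses; 5 hops is plenty here.
    $out = tracert -d -h 5 $Target
    $hop = Get-FirstHop -TracertOutput $out
    [pscustomobject]@{
        Target   = $Target
        FirstHop = $hop
        ViaNva   = ($hop -eq $ExpectedFirstHop)
    }
}

# From myVmPublic: ViaNva should be True, because myRouteTablePublic is
# associated with the Public subnet.
Test-NvaPath -Target myVmPrivate

# From myVmPrivate toward myVmPublic: ViaNva should be False, because the
# Private subnet has no route table and Azure's default system route applies.
# Test-NvaPath -Target myVmPublic
```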

Clean up resources

When no longer needed, delete the resource group and all the resources it contains:

  1. In the portal's search bar, enter myResourceGroup.

  2. When you see myResourceGroup in the search results, select it.

  3. Select Delete resource group.

  4. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a route table and associated it to a subnet. You created a simple NVA that routed traffic from a public subnet to a private subnet. Now that you know how to do that, you can deploy different pre-configured NVAs from the Azure Marketplace. They carry out many network functions you'll find useful. To learn more about routing, see Routing overview and Manage a route table.

While you can deploy many Azure resources within a virtual network, Azure can't deploy resources for some PaaS services into a virtual network. It's possible to restrict access to the resources of some Azure PaaS services so that only traffic from a virtual network subnet is allowed. To learn how to restrict network access to Azure PaaS resources, advance to the next tutorial.