Add, change, or delete a virtual network subnet

Learn how to add, change, or delete a virtual network subnet. All Azure resources deployed into a virtual network are deployed into a subnet within that virtual network. If you're new to virtual networks, you can learn more about them in the Virtual network overview or by completing a tutorial. To create, change, or delete a virtual network, see Manage a virtual network.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Complete the following tasks before completing the steps in any section of this article:

  • If you don't already have an Azure account, sign up for a free trial account.
  • If using the portal, open https://portal.azure.com and log in with your Azure account.
  • If using PowerShell commands to complete the tasks in this article, either run the commands in the Azure Cloud Shell or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. This tutorial requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
  • If using Azure Command-line interface (CLI) commands to complete the tasks in this article, either run the commands in the Azure Cloud Shell or run the CLI from your computer. This tutorial requires the Azure CLI version 2.0.31 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login to create a connection with Azure.

The account you log in with, or connect to Azure with, must be assigned the Network Contributor role or a custom role that is assigned the appropriate actions listed in Permissions.

Add a subnet

  1. In the search box at the top of the portal, enter virtual networks. When Virtual networks appears in the search results, select it.
  2. From the list of virtual networks, select the virtual network you want to add a subnet to.
  3. Under SETTINGS, select Subnets.
  4. Select +Subnet.
  5. Enter values for the following parameters:
    • Name: The name must be unique within the virtual network. For maximum compatibility with other Azure services, we recommend using a letter as the first character of the name. For example, Azure Application Gateway won't deploy into a subnet whose name starts with a number.

    • Address range: The range must be unique within the address space of the virtual network and cannot overlap with the address ranges of other subnets in the virtual network. The address space must be specified in Classless Inter-Domain Routing (CIDR) notation. For example, in a virtual network with address space 10.0.0.0/16, you might define a subnet address space of 10.0.0.0/24. The smallest range you can specify is /29, which provides eight IP addresses for the subnet. Azure reserves the first and last address in each subnet for protocol conformance, and three additional addresses are reserved for Azure service usage. As a result, defining a subnet with a /29 address range leaves three usable IP addresses in the subnet. If you plan to connect a virtual network to a VPN gateway, you must create a gateway subnet. Learn more about specific address range considerations for gateway subnets. You can change the address range after the subnet is added, under specific conditions. To learn how to change a subnet address range, see Change subnet settings.

    • Network security group: You can associate zero or one existing network security group with a subnet to filter inbound and outbound network traffic for the subnet. The network security group must exist in the same subscription and location as the virtual network. Learn more about network security groups and how to create a network security group.

    • Route table: You can associate zero or one existing route table with a subnet to control the routing of network traffic to other networks. The route table must exist in the same subscription and location as the virtual network. Learn more about Azure routing and how to create a route table.

    • Service endpoints: A subnet can have zero or multiple service endpoints enabled for it. To enable a service endpoint for a service, select the service or services that you want to enable service endpoints for from the Services list. The location is configured automatically for an endpoint. By default, service endpoints are configured for the virtual network's region. For Azure Storage, to support regional failover scenarios, endpoints are automatically configured for Azure paired regions.

    • Subnet delegation: A subnet can have zero to multiple delegations enabled for it. Subnet delegation gives a service explicit permission to create service-specific resources in the subnet, using a unique identifier, when the service is deployed. To delegate to a service, select the service you want to delegate to from the Services list.

      To remove a service endpoint, unselect the service you want to remove the service endpoint for. To learn more about service endpoints, and the services they can be enabled for, see Virtual network service endpoints overview. Once you enable a service endpoint for a service, you must also enable network access for the subnet on each resource created with that service. For example, if you enable the service endpoint for Microsoft.Storage, you must also enable network access on every Azure Storage account you want to grant network access to. For details about how to enable network access from subnets that a service endpoint is enabled for, see the documentation for the individual service you enabled the service endpoint for.

      To validate that a service endpoint is enabled for a subnet, view the effective routes for any network interface in the subnet. When an endpoint is configured, you see a default route with the address prefixes of the service and a nextHopType of VirtualNetworkServiceEndpoint. To learn more about routing, see Routing overview.

  6. To add the subnet to the virtual network that you selected, select OK.
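The address-range rules in step 5 (inside the virtual network's space, no overlap with existing subnets, no smaller than /29, five addresses reserved by Azure) can be checked before you touch the portal or CLI. The following pre-flight check is an added example, not code from the article or from Azure; the VNet space and the existing subnet it uses are constructed sample values.

```python
import ipaddress

# Azure reserves the first and last address of every subnet for protocol
# conformance plus three more for platform services: usable = size - 5,
# so a /29 (8 addresses) leaves 3 usable addresses.
AZURE_RESERVED_PER_SUBNET = 5
SMALLEST_SUBNET_PREFIX = 29


def validate_subnet(vnet_space, existing_subnets, candidate):
    """Check a proposed subnet range against the rules in the article.

    All arguments are IPv4 CIDR strings (the /29 minimum applies to IPv4).
    Returns (ok, reason, usable_addresses); usable_addresses is 0 on failure.
    """
    try:
        # strict=True rejects ranges with host bits set, e.g. 10.0.1.1/24
        vnet = ipaddress.ip_network(vnet_space, strict=True)
        new = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, f"invalid CIDR: {exc}", 0
    if new.version != 4 or vnet.version != 4:
        return False, "this check covers IPv4 ranges only", 0
    if not new.subnet_of(vnet):
        return False, f"{new} lies outside the virtual network space {vnet}", 0
    if new.prefixlen > SMALLEST_SUBNET_PREFIX:
        return False, f"{new} is smaller than the /29 minimum", 0
    for existing in existing_subnets:
        current = ipaddress.ip_network(existing, strict=True)
        if new.overlaps(current):
            return False, f"{new} overlaps the existing subnet {current}", 0
    return True, "ok", new.num_addresses - AZURE_RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed sample: a VNet with one subnet already defined.
    space, existing = "10.0.0.0/16", ["10.0.0.0/24"]
    for proposal in ["10.0.1.0/24", "10.0.0.128/25", "10.0.2.0/30", "10.0.2.0/29"]:
        print(proposal, validate_subnet(space, existing, proposal))
```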

Commands

Change subnet settings

  1. In the search box at the top of the portal, enter virtual networks. When Virtual networks appears in the search results, select it.

  2. From the list of virtual networks, select the virtual network that contains the subnet you want to change settings for.

  3. Under SETTINGS, select Subnets.

  4. In the list of subnets, select the subnet you want to change settings for. You can change the following settings:

    • Address range: If no resources are deployed within the subnet, you can change the address range. If any resources exist in the subnet, you must either move them to another subnet or delete them from the subnet first. The steps you take to move or delete a resource vary depending on the resource. To learn how to move or delete resources that are in subnets, read the documentation for each resource type that you want to move or delete. See the constraints for Address range in step 5 of Add a subnet.
    • Users: You can control access to the subnet by using built-in roles or your own custom roles. To learn more about assigning roles and users to access the subnet, see Use role assignment to manage access to your Azure resources.
    • Network security group and Route table: See step 5 of Add a subnet.
    • Service endpoints: See Service endpoints in step 5 of Add a subnet. When enabling a service endpoint for an existing subnet, ensure that no critical tasks are running on any resource in the subnet. Service endpoints switch routes on every network interface in the subnet from the default route with the 0.0.0.0/0 address prefix and a next hop type of Internet to a new route with the address prefixes of the service and a next hop type of VirtualNetworkServiceEndpoint. During the switch, any open TCP connections may be terminated. The service endpoint is not enabled for traffic flowing to the service until all network interfaces are updated with the new route. To learn more about routing, see Routing overview.
    • Subnet delegation: See step 5 of Add a subnet. Subnet delegation can be modified to have zero or multiple delegations enabled for it. If a resource for a service is already deployed in the subnet, subnet delegation cannot be added or removed until all resources for the service are removed. To delegate to a different service, select the service you want to delegate to from the Services list.
  5. Select Save.
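Because the route switch described under Service endpoints completes only once every network interface in the subnet carries the VirtualNetworkServiceEndpoint route, a practitioner typically checks the effective routes of each NIC (Get-AzEffectiveRouteTable or az network nic show-effective-route-table) rather than just one. The following check is an added example, not code from the article or from Azure: the per-NIC route tables are constructed samples, the field names are an assumption about the output shape, and the service prefixes are documentation ranges standing in for the service's real ones.

```python
import ipaddress

SERVICE_ENDPOINT_HOP = "VirtualNetworkServiceEndpoint"

# Constructed sample, one effective route table per network interface.
# The field names (addressPrefix, nextHopType, state) are an assumption
# about the output shape; the service prefixes are placeholders.
SERVICE_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]
SAMPLE_ROUTES = {
    # NIC already switched: service prefixes go to the endpoint next hop
    "nic-web-0": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "state": "Active"},
        {"addressPrefix": SERVICE_PREFIXES, "nextHopType": SERVICE_ENDPOINT_HOP, "state": "Active"},
    ],
    # NIC not yet updated: service traffic still follows the 0.0.0.0/0 route
    "nic-web-1": [
        {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal", "state": "Active"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet", "state": "Active"},
    ],
}


def longest_match(routes, prefix):
    """Return the active route whose prefix most specifically covers `prefix`."""
    target = ipaddress.ip_network(prefix)
    best, best_len = None, -1
    for route in routes:
        if route.get("state") != "Active":
            continue
        for cidr in route["addressPrefix"]:
            net = ipaddress.ip_network(cidr)
            if net.version == target.version and target.subnet_of(net) and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def nics_pending_endpoint(routes_by_nic, service_prefixes):
    """List NICs on which any service prefix is not yet routed to the endpoint."""
    pending = []
    for nic, routes in routes_by_nic.items():
        for prefix in service_prefixes:
            route = longest_match(routes, prefix)
            if route is None or route["nextHopType"] != SERVICE_ENDPOINT_HOP:
                pending.append(nic)
                break
    return pending


if __name__ == "__main__":
    print("NICs still using the Internet route:", nics_pending_endpoint(SAMPLE_ROUTES, SERVICE_PREFIXES))
```

An empty result means every interface has taken the new route, which is the point at which the endpoint is effective for the whole subnet.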

Commands

Delete a subnet

You can delete a subnet only if there are no resources in it. If there are resources in the subnet, you must delete them before you can delete the subnet. The steps you take to delete a resource vary depending on the resource. To learn how to delete resources that are in subnets, read the documentation for each resource type that you want to delete.

  1. In the search box at the top of the portal, enter virtual networks. When Virtual networks appears in the search results, select it.
  2. From the list of virtual networks, select the virtual network that contains the subnet you want to delete.
  3. Under SETTINGS, select Subnets.
  4. In the list of subnets, select ... on the right of the subnet you want to delete.
  5. Select Delete, and then select Yes.

Commands

Permissions

To perform tasks on subnets, your account must be assigned the Network Contributor role or a custom role that is assigned the appropriate actions listed in the following table:

Action                                                                    Name
Microsoft.Network/virtualNetworks/subnets/read                            Read a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/write                           Create or update a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/delete                          Delete a virtual network subnet
Microsoft.Network/virtualNetworks/subnets/join/action                     Join a virtual network
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action   Enable a service endpoint for a subnet
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read            Get the virtual machines in a subnet

Next steps