Virtual network peering

Virtual network peering enables you to seamlessly connect Azure virtual networks. Once peered, the virtual networks appear as one for connectivity purposes. Traffic between virtual machines in the peered virtual networks is routed through the Microsoft backbone infrastructure, much like traffic between virtual machines in the same virtual network, using private IP addresses only. Azure supports:

  • VNet peering - connecting VNets within the same Azure region
  • Global VNet peering - connecting VNets across Azure regions

The benefits of using virtual network peering, whether local or global, include:

  • Network traffic between peered virtual networks is private. Traffic between the virtual networks is kept on the Microsoft backbone network. No public Internet, gateways, or encryption is required for communication between the virtual networks.
  • A low-latency, high-bandwidth connection between resources in different virtual networks.
  • The ability for resources in one virtual network to communicate with resources in a different virtual network once the virtual networks are peered.
  • The ability to transfer data across Azure subscriptions, deployment models, and Azure regions.
  • The ability to peer virtual networks created through Azure Resource Manager, or to peer a virtual network created through Resource Manager with a virtual network created through the classic deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.
  • No downtime to resources in either virtual network when creating the peering, or after the peering is created.

Connectivity

After virtual networks are peered, resources in either virtual network can directly connect with resources in the peered virtual network.

The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. The network throughput is based on the bandwidth allowed for the virtual machine, proportionate to its size. There is no additional restriction on bandwidth within the peering.

Traffic between virtual machines in peered virtual networks is routed directly through the Microsoft backbone infrastructure, not through a gateway or over the public Internet.

Network security groups can be applied in either virtual network to block access to other virtual networks or subnets, if desired. When configuring virtual network peering, you can either open or close the network security group rules between the virtual networks. If you open full connectivity between peered virtual networks (the default option), you can apply network security groups to specific subnets or virtual machines to block or deny specific access. To learn more about network security groups, see Network security groups overview.

Service chaining

You can configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address, or to virtual network gateways, to enable service chaining. Service chaining lets you direct traffic from one virtual network to a virtual appliance, or virtual network gateway, in a peered virtual network through user-defined routes.

You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks can then peer with the hub virtual network. Traffic can flow through network virtual appliances or VPN gateways in the hub virtual network.

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway. You cannot, however, route between virtual networks with a user-defined route that specifies an ExpressRoute gateway as the next hop type. To learn more about user-defined routes, see User-defined routes overview. To learn how to create a hub-and-spoke network topology, see Hub and spoke network topology.

Gateways and on-premises connectivity

Each virtual network, regardless of whether it is peered with another virtual network, can still have its own gateway and use it to connect to an on-premises network. You can also configure virtual network-to-virtual network connections by using gateways, even when the virtual networks are peered.

When both options for virtual network interconnectivity are configured, traffic between the virtual networks flows through the peering configuration (that is, through the Azure backbone).

When virtual networks are peered, you can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that uses a remote gateway cannot have its own gateway. A virtual network can have only one gateway. The gateway can be either a local or a remote gateway (in the peered virtual network), as shown in the following picture:

(Figure: Virtual network peering transit)

Gateway transit is supported for both VNet peering and global VNet peering. Gateway transit between virtual networks created through different deployment models (Resource Manager and classic) is supported only if the gateway is in the Resource Manager virtual network. To learn more about using a gateway for transit, see Configure a VPN gateway for transit in a virtual network peering.

When virtual networks that share a single Azure ExpressRoute connection are peered, traffic between them goes through the peering relationship (that is, through the Azure backbone network). You can still use local gateways in each virtual network to connect to the on-premises circuit. Alternatively, you can use a shared gateway and configure transit for on-premises connectivity.

Troubleshoot

To confirm a virtual network peering, you can check the effective routes for a network interface in any subnet of the virtual network. If a virtual network peering exists, all subnets within the virtual network have routes with next hop type VNet peering, one for each address space in each peered virtual network.
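The check above, and the service-chaining precedence described earlier, can be reproduced offline over a copy of the effective route table. The following is an added example, not code from the Azure documentation: it takes routes in the shape returned by the Azure effective-route query (field names, the `VNetPeering`/`VnetLocal` next-hop strings and the sample prefixes are assumptions), reports peered address spaces with no VNet peering route, and resolves a destination the way Azure does (longest prefix match, then user-defined before BGP before system routes).

```python
import ipaddress

# Constructed sample in the shape of an Azure effective route table for one NIC.
# Field names and nextHopType strings are assumed, not taken from the page.
SAMPLE_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    # System route installed by the peering with the hub VNet (10.2.0.0/16).
    {"source": "Default", "state": "Active", "addressPrefix": ["10.2.0.0/16"],
     "nextHopType": "VNetPeering", "nextHopIpAddress": []},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    # Service chaining: user-defined routes send traffic for another spoke
    # and for the Internet through an appliance in the peered hub VNet.
    {"source": "User", "state": "Active", "addressPrefix": ["10.3.0.0/16"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.2.0.4"]},
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.2.0.4"]},
]

# Azure tie-break when several routes carry the same prefix:
# user-defined first, then BGP (VirtualNetworkGateway), then system (Default).
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def select_route(routes, dst_ip):
    """Return the effective route Azure would use for dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        if route["state"] != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if ip not in net:
                continue
            # Longer prefix wins; on equal length the source priority decides.
            key = (-net.prefixlen, SOURCE_PRIORITY.get(route["source"], 9))
            if best is None or key < best[0]:
                best = (key, route)
    return best[1] if best else None


def missing_peering_routes(routes, peered_prefixes):
    """Peered address spaces that lack an active VNet peering route."""
    covered = {p for r in routes
               if r["state"] == "Active" and r["nextHopType"] == "VNetPeering"
               for p in r["addressPrefix"]}
    return [p for p in peered_prefixes if p not in covered]
```

A non-empty result from `missing_peering_routes` means traffic to that address space will fall through to a less specific route (here the user-defined default route) rather than the peering.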

You can also troubleshoot connectivity to a virtual machine in a peered virtual network using Network Watcher's connectivity check. Connectivity check lets you see how traffic is routed from a source virtual machine's network interface to a destination virtual machine's network interface.

You can also try the Troubleshooter for virtual network peering issues.

Requirements and constraints

The following constraints apply only when virtual networks are globally peered:

  • Resources in one virtual network cannot communicate with the front-end IP address of a Basic internal load balancer in a globally peered virtual network. Support for Basic Load Balancer exists only within the same region. Support for Standard Load Balancer exists for both VNet peering and global VNet peering. Services that use a Basic load balancer, and therefore do not work over global VNet peering, are documented here.

To learn more about requirements and constraints, see Virtual network peering requirements and constraints. To learn about the limits on the number of peerings you can create for a virtual network, see Azure networking limits.

Permissions

To learn about the permissions required to create a virtual network peering, see Virtual network peering permissions.

Pricing

There is a nominal charge for ingress and egress traffic that uses a virtual network peering connection. For more information on VNet peering and global VNet peering pricing, see the pricing page.

Gateway transit is a peering property that enables a virtual network to use a VPN or ExpressRoute gateway in a peered virtual network for cross-premises or VNet-to-VNet connectivity. Traffic passing through a remote gateway in this scenario is subject to VPN gateway or ExpressRoute gateway charges and does not incur VNet peering charges. For example, if VNetA has a VPN gateway for on-premises connectivity and VNetB is peered to VNetA with the appropriate properties configured, traffic from VNetB to on-premises is charged only as egress under VPN gateway pricing or ExpressRoute pricing. VNet peering charges do not apply. Learn how to configure VPN gateway transit for virtual network peering.

Next steps