Plan virtual networks

Creating a virtual network to experiment with is easy enough, but chances are, you will deploy multiple virtual networks over time to support the production needs of your organization. With some planning, you will be able to deploy virtual networks and connect the resources you need more effectively. The information in this article is most helpful if you're already familiar with virtual networks and have some experience working with them. If you are not familiar with virtual networks, it's recommended that you read Virtual network overview.

Naming

All Azure resources have a name. The name must be unique within a scope, which may vary by resource type. For example, the name of a virtual network must be unique within a resource group, but can be duplicated within a subscription or Azure region. Defining a naming convention that you can use consistently when naming resources is helpful when managing several network resources over time. For suggestions, see Naming conventions.

Regions

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource. You can, however, connect virtual networks that exist in different subscriptions and regions. For more information, see connectivity. When deciding which region(s) to deploy resources in, consider where consumers of the resources are physically located:

  • Consumers of resources typically want the lowest network latency to their resources. To determine relative latencies between a specified location and Azure regions, see View relative latencies.
  • Do you have data residency, sovereignty, compliance, or resiliency requirements? If so, choosing the region that aligns to the requirements is critical. For more information, see Azure geographies.
  • Do you require resiliency across Azure Availability Zones within the same Azure region for the resources you deploy? You can deploy resources, such as virtual machines (VMs), to different availability zones within the same virtual network. Not all Azure regions support availability zones, however. To learn more about availability zones and the regions that support them, see Availability zones.

Subscriptions

You can deploy as many virtual networks as required within each subscription, up to the limit. Some organizations have different subscriptions for different departments, for example. For more information and considerations around subscriptions, see Subscription governance.

Segmentation

You can create multiple virtual networks per subscription and per region. You can create multiple subnets within each virtual network. The considerations that follow help you determine how many virtual networks and subnets you require:

Virtual networks

A virtual network is a virtual, isolated portion of the Azure public network. Each virtual network is dedicated to your subscription. Things to consider when deciding whether to create one virtual network, or multiple virtual networks, in a subscription:

  • Do any organizational security requirements exist for isolating traffic into separate virtual networks? You can choose to connect virtual networks or not. If you connect virtual networks, you can implement a network virtual appliance, such as a firewall, to control the flow of traffic between the virtual networks. For more information, see security and connectivity.
  • Do any organizational requirements exist for isolating virtual networks into separate subscriptions or regions?
  • A network interface enables a VM to communicate with other resources. Each network interface has one or more private IP addresses assigned to it. How many network interfaces and private IP addresses do you require in a virtual network? There are limits to the number of network interfaces and private IP addresses that you can have within a virtual network.
  • Do you want to connect the virtual network to another virtual network or on-premises network? You may choose to connect some virtual networks to each other or to on-premises networks, but not others. For more information, see connectivity. Each virtual network that you connect to another virtual network, or to an on-premises network, must have a unique address space. Each virtual network has one or more public or private address ranges assigned to its address space. An address range is specified in Classless Inter-Domain Routing (CIDR) format, such as 10.0.0.0/16. Learn more about address ranges for virtual networks.
  • Do you have any organizational administration requirements for resources in different virtual networks? If so, you might separate resources into separate virtual networks to simplify permission assignment to individuals in your organization, or to assign different policies to different virtual networks.
  • When you deploy some Azure service resources into a virtual network, they create their own virtual network. To determine whether an Azure service creates its own virtual network, see the information for each Azure service that can be deployed into a virtual network.

Subnets

A virtual network can be segmented into one or more subnets, up to the limits. Things to consider when deciding whether to create one subnet, or multiple subnets, in a virtual network:

  • Each subnet must have a unique address range, specified in CIDR format, within the address space of the virtual network. The address range cannot overlap with other subnets in the virtual network.
  • If you plan to deploy some Azure service resources into a virtual network, they may require, or create, their own subnet, so there must be enough unallocated space for them to do so. To determine whether an Azure service creates its own subnet, see the information for each Azure service that can be deployed into a virtual network. For example, if you connect a virtual network to an on-premises network using an Azure VPN Gateway, the virtual network must have a dedicated subnet for the gateway. Learn more about gateway subnets.
  • Azure routes network traffic between all subnets in a virtual network by default. You can override Azure's default routing to prevent Azure routing between subnets, or to route traffic between subnets through a network virtual appliance, for example. If you require that traffic between resources in the same virtual network flow through a network virtual appliance (NVA), deploy the resources to different subnets. Learn more in security.
  • You can limit access to Azure resources, such as an Azure storage account or Azure SQL Database, to specific subnets with a virtual network service endpoint. Further, you can deny access to the resources from the internet. You may create multiple subnets, and enable a service endpoint for some subnets, but not others. Learn more about service endpoints, and the Azure resources you can enable them for.
  • You can associate zero or one network security group to each subnet in a virtual network. You can associate the same, or a different, network security group to each subnet. Each network security group contains rules, which allow or deny traffic to and from sources and destinations. Learn more about network security groups.
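
The address-planning rules above (subnets must fall inside the virtual network's address space and not overlap each other; networks you connect by peering or to on-premises need non-overlapping address spaces; a VPN gateway needs its own dedicated subnet) can be checked before anything is deployed. The following is an added example, not code from the article or from Azure; the plan it validates is constructed, and the requirement that the gateway subnet be named GatewaySubnet is Azure's, not the article's.

```python
from ipaddress import ip_network

# Constructed sample plan (not from the article): a hub virtual network that hosts
# a VPN gateway, and a spoke virtual network that will be peered with the hub.
PLAN = {
    "hub-vnet": {
        "address_space": ["10.0.0.0/16"],
        "subnets": {
            "GatewaySubnet": "10.0.255.0/27",  # the VPN gateway's dedicated subnet must use this name
            "shared-services": "10.0.1.0/24",
        },
    },
    "spoke-vnet": {
        "address_space": ["10.1.0.0/16"],
        "subnets": {
            "app": "10.1.0.0/24",
            "data": "10.1.0.128/25",  # deliberately overlaps "app"
        },
    },
}

def check_vnet(name, vnet):
    """Problems inside one virtual network: subnets outside the address space or overlapping."""
    problems = []
    spaces = [ip_network(s) for s in vnet["address_space"]]
    subnets = {n: ip_network(c) for n, c in vnet["subnets"].items()}
    for sname, snet in subnets.items():
        if not any(snet.subnet_of(space) for space in spaces):
            problems.append(f"{name}/{sname} {snet} is outside the address space")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{name}: subnet {a} overlaps subnet {b}")
    return problems

def check_connected(plan, pairs):
    """Networks that are peered or connected on-premises need non-overlapping address spaces."""
    problems = []
    for a, b in pairs:
        for sa in plan[a]["address_space"]:
            for sb in plan[b]["address_space"]:
                if ip_network(sa).overlaps(ip_network(sb)):
                    problems.append(f"{a} {sa} overlaps {b} {sb}: these networks cannot be connected")
    return problems

def has_gateway_subnet(vnet):
    return "GatewaySubnet" in vnet["subnets"]

def validate(plan, peerings):
    """Run every check over the whole plan and return the list of problems (empty means OK)."""
    problems = []
    for name, vnet in plan.items():
        problems += check_vnet(name, vnet)
    return problems + check_connected(plan, peerings)
```

Running validate(PLAN, [("hub-vnet", "spoke-vnet")]) reports only the overlapping app and data subnets in the spoke; the hub plan and the hub-to-spoke peering pass.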

Security

You can filter network traffic to and from resources in a virtual network using network security groups and network virtual appliances. You can control how Azure routes traffic from subnets. You can also limit who in your organization can work with resources in virtual networks.

Traffic filtering

  • You can filter network traffic between resources in a virtual network using a network security group, an NVA that filters network traffic, or both. To deploy an NVA, such as a firewall, to filter network traffic, see the Azure Marketplace. When using an NVA, you also create custom routes to route traffic from subnets to the NVA. Learn more about traffic routing.
  • A network security group contains several default security rules that allow or deny traffic to or from resources. A network security group can be associated to a network interface, to the subnet the network interface is in, or to both. To simplify management of security rules, it's recommended that you associate a network security group to individual subnets, rather than to individual network interfaces within the subnet, whenever possible.
  • If different VMs within a subnet need different security rules applied to them, you can associate the network interface in the VM to one or more application security groups. A security rule can specify an application security group in its source, destination, or both. That rule then only applies to the network interfaces that are members of the application security group. Learn more about network security groups and application security groups.
  • Azure creates several default security rules within each network security group. One default rule allows all traffic to flow between all resources in a virtual network. To override this behavior, use network security groups, custom routing to route traffic to an NVA, or both. It's recommended that you familiarize yourself with all of Azure's default security rules and understand how network security group rules are applied to a resource.

You can view sample designs for implementing a perimeter network (also known as a DMZ) between Azure and the internet using an NVA.
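
The way a custom rule overrides the default rule that allows all traffic within the virtual network comes down to priority ordering. The following is an added example, not code from the article or Azure's own evaluation engine: a simplified model of inbound rule evaluation that carries Azure's three built-in inbound default rules, with constructed custom rules and a constructed 10.0.0.0/16 address space standing in for the VirtualNetwork tag.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified model of inbound NSG evaluation (an added example, not Azure's engine):
# rules are tried in ascending priority order and the first match decides.
# The built-in default rules sit at priority 65000 and above, so a custom rule
# (priority 100-4096) always wins over them.
@dataclass
class Rule:
    name: str
    priority: int
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, "*" or a service tag such as "VirtualNetwork"
    dest_port: str   # port number or "*"

DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

def source_matches(rule, src_ip, vnet_space):
    """Match the rule's source against a flow's source address.
    Simplification: the VirtualNetwork tag is treated as just the local address space."""
    if rule.source == "*":
        return True
    if rule.source == "VirtualNetwork":
        return ip_address(src_ip) in ip_network(vnet_space)
    if rule.source == "AzureLoadBalancer":
        return src_ip == "168.63.129.16"  # address Azure's load balancer probes come from
    return ip_address(src_ip) in ip_network(rule.source)

def evaluate(custom_rules, src_ip, port, vnet_space="10.0.0.0/16"):
    """Return (rule name, access) of the first rule, by priority, that matches the flow."""
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(rule, src_ip, vnet_space) and rule.dest_port in ("*", str(port)):
            return rule.name, rule.access
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")

# Constructed custom rules: deny SSH from the app subnet, allow HTTPS from anywhere.
DENY_APP_SSH = Rule("DenyAppSubnetSsh", 100, "Deny", "10.0.1.0/24", "22")
ALLOW_HTTPS = Rule("AllowHttpsInBound", 200, "Allow", "*", "443")
```

With no custom rules, SSH from 10.0.1.4 is allowed by AllowVnetInBound and HTTPS from the internet falls through to DenyAllInBound; adding DENY_APP_SSH at priority 100 blocks the in-network SSH flow, which is exactly the override the bullet above describes.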

Traffic routing

Azure creates several default routes for outbound traffic from a subnet. You can override Azure's default routing by creating a route table and associating it to a subnet. Common reasons for overriding Azure's default routing are:

  • Because you want traffic between subnets to flow through an NVA. Learn more about how to configure route tables to force traffic through an NVA.
  • Because you want to force all internet-bound traffic through an NVA, or on-premises through an Azure VPN gateway. Forcing internet traffic on-premises for inspection and logging is often referred to as forced tunneling. Learn more about how to configure forced tunneling.

If you need to implement custom routing, it's recommended that you familiarize yourself with routing in Azure.

Connectivity

You can connect a virtual network to other virtual networks using virtual network peering, or to your on-premises network using an Azure VPN gateway.

Peering

When using virtual network peering, the virtual networks can be in the same, or different, supported Azure regions. The virtual networks can be in the same or different Azure subscriptions (even subscriptions belonging to different Azure Active Directory tenants). Before creating a peering, it's recommended that you familiarize yourself with all of the peering requirements and constraints. Bandwidth between resources in virtual networks peered in the same region is the same as if the resources were in the same virtual network.

VPN gateway

You can use an Azure VPN Gateway to connect a virtual network to your on-premises network using a site-to-site VPN, or using a dedicated connection with Azure ExpressRoute.

You can combine peering and a VPN gateway to create hub and spoke networks, where, for example, spoke virtual networks connect to a hub virtual network and the hub connects to an on-premises network.

Name resolution

Resources in one virtual network cannot resolve the names of resources in a peered virtual network using Azure's built-in DNS. To resolve names in a peered virtual network, deploy your own DNS server, or use Azure DNS private domains. Resolving names between resources in a virtual network and on-premises networks also requires you to deploy your own DNS server.

Permissions

Azure uses Azure role-based access control (Azure RBAC) to control access to resources. Permissions are assigned to a scope in the following hierarchy: management group, subscription, resource group, and individual resource. To learn more about the hierarchy, see Organize your resources. To work with Azure virtual networks and all of their related capabilities, such as peering, network security groups, service endpoints, and route tables, you can assign members of your organization to the built-in Owner, Contributor, or Network contributor roles, and then assign the role to the appropriate scope. If you want to assign specific permissions for a subset of virtual network capabilities, create a custom role and assign to it the specific permissions required for virtual networks, subnets and service endpoints, network interfaces, peering, network and application security groups, or route tables.

Policy

Azure Policy enables you to create, assign, and manage policy definitions. Policy definitions enforce different rules over your resources, so the resources stay compliant with your organizational standards and service level agreements. Azure Policy runs an evaluation of your resources, scanning for resources that are not compliant with the policy definitions you have. For example, you can define and apply a policy that allows creation of virtual networks in only a specific resource group or region. Another policy can require that every subnet has a network security group associated to it. The policies are then evaluated when creating and updating resources.

Policies are applied to the following hierarchy: management group, subscription, and resource group. Learn more about Azure Policy, or deploy some virtual network Azure Policy definitions.
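
The two policies the section describes (virtual networks only in approved regions, and a network security group on every subnet) can be written as Azure Policy rules and checked against a resource before it is created. The following is an added example, not from the article or from Azure: the two definitions are constructed, the region list is an assumption, and the evaluator implements only a small subset of the policy condition language, looking fields and aliases up as plain keys of a flat resource dict rather than resolving real resource paths.

```python
import json

# Two constructed policy definitions (added example, not from the article) modelled on
# the cases the text describes: only allow virtual networks in certain regions, and
# require every subnet to have a network security group associated.
VNET_REGION_POLICY = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
    {"not": {"field": "location", "in": ["westeurope", "northeurope"]}}
  ]},
  "then": {"effect": "deny"}
}""")

SUBNET_NSG_POLICY = json.loads("""{
  "if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
    {"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", "exists": "false"}
  ]},
  "then": {"effect": "deny"}
}""")

def matches(condition, resource):
    """Evaluate a subset of the Azure Policy condition language against a resource.
    Simplification: field names and aliases are looked up directly as keys of a flat dict."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resource.get(condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "in" in condition:
        return value in condition["in"]
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")

def effect(policy, resource):
    """The effect a single policy would apply to a resource, or 'none' if it does not match."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "none"

def evaluate_policies(policies, resource):
    """Evaluate every assigned policy; the request is blocked if any policy denies it."""
    effects = [effect(p, resource) for p in policies]
    return {"denied": "deny" in effects, "effects": effects}
```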

Next steps

Learn about all tasks, settings, and options for a virtual network, subnet and service endpoint, network interface, peering, network and application security group, or route table.