Azure Virtual Network frequently asked questions (FAQ)

Virtual Network basics

What is an Azure Virtual Network (VNet)?

An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. You can use VNets to provision and manage virtual private networks (VPNs) in Azure and, optionally, link the VNets with other VNets in Azure, or with your on-premises IT infrastructure to create hybrid or cross-premises solutions. Each VNet you create has its own CIDR block and can be linked to other VNets and on-premises networks as long as the CIDR blocks do not overlap. You also have control of DNS server settings for VNets, and segmentation of the VNet into subnets.

Use VNets to:

  • Create a dedicated private cloud-only VNet. Sometimes you don't require a cross-premises configuration for your solution. When you create a VNet, your services and VMs within your VNet can communicate directly and securely with each other in the cloud. You can still configure endpoint connections for the VMs and services that require Internet communication, as part of your solution.

  • Securely extend your data center. With VNets, you can build traditional site-to-site (S2S) VPNs to securely scale your datacenter capacity. S2S VPNs use IPsec to provide a secure connection between your corporate VPN gateway and Azure.

  • Enable hybrid cloud scenarios. VNets give you the flexibility to support a range of hybrid cloud scenarios. You can securely connect cloud-based applications to any type of on-premises system such as mainframes and Unix systems.

How do I get started?

Visit the Virtual network documentation to get started. This content provides overview and deployment information for all of the VNet features.

Can I use VNets without cross-premises connectivity?

Yes. You can use a VNet without connecting it to your premises. For example, you could run Microsoft Windows Server Active Directory domain controllers and SharePoint farms solely in an Azure VNet.

Can I perform WAN optimization between VNets or between a VNet and my on-premises data center?

Yes. You can deploy a WAN optimization network virtual appliance from several vendors through the Azure Marketplace.

Configuration

What tools do I use to create a VNet?

You can use the following tools to create or configure a VNet:

What address ranges can I use in my VNets?

We recommend that you use the address ranges enumerated in RFC 1918, which have been set aside by the IETF for private, non-routable address spaces:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Other address spaces may work but may have undesirable side effects.

In addition, you cannot add the following address ranges:

  • 224.0.0.0/4 (Multicast)
  • 255.255.255.255/32 (Broadcast)
  • 127.0.0.0/8 (Loopback)
  • 169.254.0.0/16 (Link-local)
  • 168.63.129.16/32 (Internal DNS)

Can I have public IP addresses in my VNets?

Yes. For more information about public IP address ranges, see Create a virtual network. Public IP addresses are not directly accessible from the internet.

Is there a limit to the number of subnets in my VNet?

Yes. See Azure limits for details. Subnet address spaces cannot overlap one another.

Are there any restrictions on using IP addresses within these subnets?

Yes. Azure reserves 5 IP addresses within each subnet. These are x.x.x.0-x.x.x.3 and the last address of the subnet. x.x.x.1-x.x.x.3 is reserved in each subnet for Azure services.

  • x.x.x.0: Network address
  • x.x.x.1: Reserved by Azure for the default gateway
  • x.x.x.2, x.x.x.3: Reserved by Azure to map the Azure DNS IPs to the VNet space
  • x.x.x.255: Network broadcast address

How small and how large can VNets and subnets be?

The smallest supported IPv4 subnet is /29, and the largest is /8 (using CIDR subnet definitions). IPv6 subnets must be exactly /64 in size.
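The address-space rules above (the ranges that cannot be added, the RFC 1918 recommendation, the five reserved addresses per subnet and the /29 to /8 size limits) are easy to get wrong when planning a VNet by hand. The following Python script is an added example, not part of the original FAQ or any Azure tooling; it uses only the standard library's ipaddress module and checks a candidate address space and subnet against exactly the rules stated on this page. The function names are my own.

```python
import ipaddress

# Ranges the FAQ lists as not addable to a VNet.
FORBIDDEN = [ipaddress.ip_network(p) for p in (
    "224.0.0.0/4", "255.255.255.255/32", "127.0.0.0/8",
    "169.254.0.0/16", "168.63.129.16/32")]
# RFC 1918 private ranges the FAQ recommends.
RFC1918 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vnet_address_space(prefix):
    """Return (accepted, reason) for a candidate IPv4 VNet address space."""
    net = ipaddress.ip_network(prefix, strict=True)
    for bad in FORBIDDEN:
        if net.overlaps(bad):
            return False, f"{net} overlaps reserved range {bad}"
    if any(net.subnet_of(r) for r in RFC1918):
        return True, f"{net} is within RFC 1918"
    return True, f"{net} is outside RFC 1918: may work but may have undesirable side effects"


def subnet_reservations(prefix):
    """Return the five addresses Azure reserves in an IPv4 subnet and the usable count."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only here; IPv6 subnets must be exactly /64")
    if not 8 <= net.prefixlen <= 29:
        raise ValueError(f"{net}: supported IPv4 subnet sizes are /29 to /8")
    # Index the network object instead of enumerating it, so a /8 stays cheap.
    reserved = {
        "network address": str(net[0]),
        "default gateway": str(net[1]),
        "Azure DNS": [str(net[2]), str(net[3])],
        "broadcast": str(net[-1]),
    }
    usable = net.num_addresses - 5
    return reserved, usable


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("10.0.0.0/16", "169.254.0.0/16", "100.64.0.0/10"):
        print(check_vnet_address_space(candidate))
    reserved, usable = subnet_reservations("10.1.2.0/24")
    print(reserved, "usable:", usable)
```

Running it on a /24 reports 251 usable addresses rather than the 254 a generic subnet calculator would show, and a /30 is rejected outright; both are the kind of discrepancy that otherwise only surfaces when a deployment fails.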

Can I bring my VLANs to Azure using VNets?

No. VNets are Layer-3 overlays. Azure does not support any Layer-2 semantics.

Can I specify custom routing policies on my VNets and subnets?

Yes. You can create a route table and associate it to a subnet. For more information about routing in Azure, see Routing overview.

Do VNets support multicast or broadcast?

No. Multicast and broadcast are not supported.

What protocols can I use within VNets?

You can use TCP, UDP, and ICMP TCP/IP protocols within VNets. Unicast is supported within VNets, with the exception of Dynamic Host Configuration Protocol (DHCP) via Unicast (source port UDP/68 / destination port UDP/67) and UDP source port 65330, which is reserved for the host. Multicast, broadcast, IP-in-IP encapsulated packets, and Generic Routing Encapsulation (GRE) packets are blocked within VNets.

Can I ping my default routers within a VNet?

No.

Can I use tracert to diagnose connectivity?

No.

Can I add subnets after the VNet is created?

Yes. Subnets can be added to VNets at any time as long as the subnet address range is not part of another subnet and there is available space left in the virtual network's address range.

Can I modify the size of my subnet after I create it?

Yes. You can add, remove, expand, or shrink a subnet if there are no VMs or services deployed within it.

Can I modify a VNet after I create it?

Yes. You can add, remove, and modify the CIDR blocks used by a VNet.

If I am running my services in a VNet, can I connect to the internet?

Yes. All services deployed within a VNet can connect outbound to the internet. To learn more about outbound internet connections in Azure, see Outbound connections. If you want to connect inbound to a resource deployed through Resource Manager, the resource must have a public IP address assigned to it. To learn more about public IP addresses, see Public IP addresses. Every Azure Cloud Service deployed in Azure has a publicly addressable VIP assigned to it. You define input endpoints for PaaS roles and endpoints for virtual machines to enable these services to accept connections from the internet.

Do VNets support IPv6?

Yes, VNets can be IPv4-only or dual stack (IPv4+IPv6). For details, see Overview of IPv6 for Azure Virtual Networks.

Can a VNet span regions?

No. A VNet is limited to a single region. A virtual network does, however, span availability zones. To learn more about availability zones, see Availability zones overview. You can connect virtual networks in different regions with virtual network peering. For details, see Virtual network peering overview.

Can I connect a VNet to another VNet in Azure?

Yes. You can connect one VNet to another VNet using either:

Name Resolution (DNS)

What are my DNS options for VNets?

Use the decision table on the Name Resolution for VMs and Role Instances page to guide you through all the DNS options available.

Can I specify DNS servers for a VNet?

Yes. You can specify DNS server IP addresses in the VNet settings. The setting is applied as the default DNS server(s) for all VMs in the VNet.

How many DNS servers can I specify?

Reference Azure limits.

Can I modify my DNS servers after I have created the network?

Yes. You can change the DNS server list for your VNet at any time. If you change your DNS server list, you need to perform a DHCP lease renewal on all affected VMs in the VNet for the new DNS settings to take effect. For VMs running Windows OS you can do this by typing ipconfig /renew directly on the VM. For other OS types, refer to the DHCP lease renewal documentation for the specific OS type.

What is Azure-provided DNS and does it work with VNets?

Azure-provided DNS is a multi-tenant DNS service offered by Microsoft. Azure registers all of your VMs and cloud service role instances in this service. This service provides name resolution by hostname for VMs and role instances contained within the same cloud service, and by FQDN for VMs and role instances in the same VNet. To learn more about DNS, see Name Resolution for VMs and Cloud Services role instances.

There is a limitation to the first 100 cloud services in a VNet for cross-tenant name resolution using Azure-provided DNS. If you are using your own DNS server, this limitation does not apply.

Can I override my DNS settings on a per-VM or cloud service basis?

Yes. You can set DNS servers per VM or cloud service to override the default network settings. However, it's recommended that you use network-wide DNS as much as possible.

Can I bring my own DNS suffix?

No. You cannot specify a custom DNS suffix for your VNets.

Connecting virtual machines

Can I deploy VMs to a VNet?

Yes. All network interfaces (NICs) attached to a VM deployed through the Resource Manager deployment model must be connected to a VNet. VMs deployed through the classic deployment model can optionally be connected to a VNet.

What are the different types of IP addresses I can assign to VMs?

  • Private: Assigned to each NIC within each VM. The address is assigned using either the static or dynamic method. Private IP addresses are assigned from the range that you specified in the subnet settings of your VNet. Resources deployed through the classic deployment model are assigned private IP addresses, even if they're not connected to a VNet. The behavior of the allocation method is different depending on whether a resource was deployed with the Resource Manager or classic deployment model:

    • Resource Manager: A private IP address assigned with the dynamic or static method remains assigned to a virtual machine (Resource Manager) until the resource is deleted. The difference is that you select the address to assign when using static, and Azure chooses when using dynamic.
    • Classic: A private IP address assigned with the dynamic method may change when a virtual machine (classic) VM is restarted after having been in the stopped (deallocated) state. If you need to ensure that the private IP address for a resource deployed through the classic deployment model never changes, assign a private IP address with the static method.
  • Public: Optionally assigned to NICs attached to VMs deployed through the Azure Resource Manager deployment model. The address can be assigned with the static or dynamic allocation method. All VMs and Cloud Services role instances deployed through the classic deployment model exist within a cloud service, which is assigned a dynamic, public virtual IP (VIP) address. A public static IP address, called a Reserved IP address, can optionally be assigned as a VIP. You can assign public IP addresses to individual VMs or Cloud Services role instances deployed through the classic deployment model. These addresses are called Instance level public IP (ILPIP) addresses and can be assigned dynamically.

Can I reserve a private IP address for a VM that I will create at a later time?

No. You cannot reserve a private IP address. If a private IP address is available, it is assigned to a VM or role instance by the DHCP server. The VM may or may not be the one that you want the private IP address assigned to. You can, however, change the private IP address of an already created VM to any available private IP address.

Do private IP addresses change for VMs in a VNet?

It depends. If the VM was deployed through Resource Manager, no, regardless of whether the IP address was assigned with the static or dynamic allocation method. If the VM was deployed through the classic deployment model, dynamic IP addresses can change when a VM is started after having been in the stopped (deallocated) state. The address is released from a VM deployed through either deployment model when the VM is deleted.

Can I manually assign IP addresses to NICs within the VM operating system?

Yes, but it's not recommended unless necessary, such as when assigning multiple IP addresses to a virtual machine. For details, see Adding multiple IP addresses to a virtual machine. If the IP address assigned to an Azure NIC attached to a VM changes, and the IP address within the VM operating system is different, you lose connectivity to the VM.

If I stop a Cloud Service deployment slot or shut down a VM from within the operating system, what happens to my IP addresses?

Nothing. The IP addresses (public VIP, public, and private) remain assigned to the cloud service deployment slot or VM.

Can I move VMs from one subnet to another subnet in a VNet without redeploying?

Yes. You can find more information in the How to move a VM or role instance to a different subnet article.

Can I configure a static MAC address for my VM?

No. A MAC address cannot be statically configured.

Will the MAC address remain the same for my VM once it's created?

Yes, the MAC address remains the same for a VM deployed through both the Resource Manager and classic deployment models until it's deleted. Previously, the MAC address was released if the VM was stopped (deallocated), but now the MAC address is retained even when the VM is in the deallocated state. The MAC address remains assigned to the network interface until the network interface is deleted or the private IP address assigned to the primary IP configuration of the primary network interface is changed.

Can I connect to the internet from a VM in a VNet?

Yes. All VMs and Cloud Services role instances deployed within a VNet can connect to the Internet.

Azure services that connect to VNets

Can I use Azure App Service Web Apps with a VNet?

Yes. You can deploy Web Apps inside a VNet using an ASE (App Service Environment), connect the backend of your apps to your VNets with VNet Integration, and lock down inbound traffic to your app with service endpoints. For more information, see the following articles:

Can I deploy Cloud Services with web and worker roles (PaaS) in a VNet?

Yes. You can (optionally) deploy Cloud Services role instances within VNets. To do so, you specify the VNet name and the role/subnet mappings in the network configuration section of your service configuration. You do not need to update any of your binaries.

Can I connect a virtual machine scale set to a VNet?

Yes. You must connect a virtual machine scale set to a VNet.

Is there a complete list of Azure services that can deploy resources into a VNet?

Yes. For details, see Virtual network integration for Azure services.

How can I restrict access to Azure PaaS resources from a VNet?

Resources deployed through some Azure PaaS services (such as Azure Storage and Azure SQL Database) can restrict network access to a VNet through the use of virtual network service endpoints or Azure Private Link. For details, see Virtual network service endpoints overview and Azure Private Link overview.

Can I move my services in and out of VNets?

No. You cannot move services in and out of VNets. To move a resource to another VNet, you have to delete and redeploy the resource.

Security

What is the security model for VNets?

VNets are isolated from one another, and from other services hosted in the Azure infrastructure. A VNet is a trust boundary.

Can I restrict inbound or outbound traffic flow to VNet-connected resources?

Yes. You can apply Network Security Groups to individual subnets within a VNet, to NICs attached to a VNet, or to both.

Can I implement a firewall between VNet-connected resources?

Yes. You can deploy a firewall network virtual appliance from several vendors through the Azure Marketplace.

Is there information available about securing VNets?

Yes. For details, see Azure Network Security Overview.

Do Virtual Networks store customer data?

No. Virtual Networks don't store any customer data.

APIs, schemas, and tools

Can I manage VNets from code?

Yes. You can use REST APIs for VNets in the Azure Resource Manager and classic deployment models.

Is there tooling support for VNets?

Yes. Learn more about using:

VNet peering

What is VNet peering?

VNet peering (or virtual network peering) enables you to connect virtual networks. A VNet peering connection between virtual networks enables you to route traffic between them privately through IPv4 addresses. Virtual machines in the peered VNets can communicate with each other as if they are within the same network. These virtual networks can be in the same region or in different regions (also known as Global VNet Peering). VNet peering connections can also be created across Azure subscriptions.

Can I create a peering connection to a VNet in a different region?

Yes. Global VNet peering enables you to peer VNets in different regions. Global VNet peering is available in all Azure public regions, China cloud regions, and Government cloud regions. You cannot globally peer from Azure public regions to national cloud regions.

If two virtual networks in two different regions are peered over Global VNet Peering, you cannot connect to resources that are behind a Basic Load Balancer through the Front End IP of the Load Balancer. This restriction does not exist for a Standard Load Balancer. The following resources can use Basic Load Balancers, which means you cannot reach them through the Load Balancer's Front End IP over Global VNet Peering. You can, however, use Global VNet peering to reach the resources directly through their private VNet IPs, if permitted.

  • VMs behind Basic Load Balancers
  • Virtual machine scale sets with Basic Load Balancers
  • Redis Cache
  • Application Gateway (v1) SKU
  • Service Fabric
  • API Management
  • Active Directory Domain Services (ADDS)
  • Logic Apps
  • HDInsight
  • Azure Batch
  • App Service Environment

You can connect to these resources via ExpressRoute or VNet-to-VNet through VNet Gateways.

Can I enable VNet Peering if my virtual networks belong to subscriptions within different Azure Active Directory tenants?

Yes. It is possible to establish VNet Peering (whether local or global) if your subscriptions belong to different Azure Active Directory tenants. You can do this via the Portal, PowerShell, or CLI.

My VNet peering connection is in the Initiated state; why can't I connect?

If your peering connection is in an Initiated state, this means you have created only one link. A bidirectional link must be created in order to establish a successful connection. For example, to peer VNet A to VNet B, a link must be created from VNetA to VNetB and from VNetB to VNetA. Creating both links will change the state to Connected.

My VNet peering connection is in the Disconnected state; why can't I create a peering connection?

If your VNet peering connection is in a Disconnected state, it means one of the links created was deleted. In order to re-establish a peering connection, you will need to delete the link and recreate it.

Can I peer my VNet with a VNet in a different subscription?

Yes. You can peer VNets across subscriptions and across regions.

Can I peer two VNets with matching or overlapping address ranges?

No. Address spaces must not overlap to enable VNet Peering.

Can I peer a VNet to two different VNets with the 'Use Remote Gateway' option enabled on both of the peerings?

No. You can only enable the 'Use Remote Gateway' option on one peering to one of the VNets.

There is no charge for creating a VNet peering connection. Data transfer across peering connections is charged. See here.

Is VNet peering traffic encrypted?

When Azure traffic moves between datacenters (outside physical boundaries not controlled by Microsoft or on behalf of Microsoft), MACsec data-link layer encryption is utilized on the underlying network hardware. This is applicable to VNet peering traffic.

Why is my peering connection in a Disconnected state?

VNet peering connections go into the Disconnected state when one VNet peering link is deleted. You must delete both links in order to reestablish a successful peering connection.

If I peer VNetA to VNetB and I peer VNetB to VNetC, does that mean VNetA and VNetC are peered?

No. Transitive peering is not supported. You must peer VNetA and VNetC directly for this to take place.
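Three of the peering answers above (a single link leaves the peering in Initiated rather than Connected, overlapping address spaces cannot be peered, and peering is not transitive) are the rules that most often explain "the VMs cannot talk to each other" after a peering is set up. The following Python script is an added example, not part of the original FAQ and not an Azure API; it models those three rules over a constructed set of VNets and one-directional peering links so a planned topology can be checked before anything is deployed. The function names and the sample VNet names are my own.

```python
import ipaddress
from itertools import combinations


def address_conflicts(vnets):
    """vnets: {name: [CIDR, ...]}. Return (a, b, prefix_a, prefix_b) for every
    pair of VNets whose address spaces overlap; such pairs cannot be peered."""
    parsed = {name: [ipaddress.ip_network(p) for p in prefixes]
              for name, prefixes in vnets.items()}
    conflicts = []
    for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.overlaps(nb):
                    conflicts.append((a, b, str(na), str(nb)))
    return conflicts


def peering_state(links, a, b):
    """links: set of one-directional (source, remote) peering links.
    Connected needs a link in both directions; one link alone is Initiated."""
    forward, back = (a, b) in links, (b, a) in links
    if forward and back:
        return "Connected"
    if forward or back:
        return "Initiated"
    return "Not peered"


def can_reach(vnets, links, src, dst):
    """Peering is not transitive: src reaches dst only over a direct Connected
    peering, and only when the two address spaces do not overlap."""
    if any({a, b} == {src, dst} for a, b, _, _ in address_conflicts(vnets)):
        return False
    return peering_state(links, src, dst) == "Connected"


# Constructed sample topology: A<->B and B<->C are fully peered, A->D has only
# one link, and D's address space overlaps A's.
SAMPLE_VNETS = {
    "VNetA": ["10.0.0.0/16"],
    "VNetB": ["10.1.0.0/16"],
    "VNetC": ["10.2.0.0/16"],
    "VNetD": ["10.0.128.0/17"],
}
SAMPLE_LINKS = {
    ("VNetA", "VNetB"), ("VNetB", "VNetA"),
    ("VNetB", "VNetC"), ("VNetC", "VNetB"),
    ("VNetA", "VNetD"),
}

if __name__ == "__main__":
    print("conflicts:", address_conflicts(SAMPLE_VNETS))
    for pair in (("VNetA", "VNetB"), ("VNetA", "VNetC"), ("VNetA", "VNetD")):
        print(pair, peering_state(SAMPLE_LINKS, *pair),
              "reachable:", can_reach(SAMPLE_VNETS, SAMPLE_LINKS, *pair))
```

In the sample, VNetA reaches VNetB but not VNetC, even though B is connected to both; that is the non-transitivity the question above describes, and the only fix is a direct A-C peering.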

Are there any bandwidth limitations for peering connections?

No. VNet peering, whether local or global, does not impose any bandwidth restrictions. Bandwidth is only limited by the VM or the compute resource.

How can I troubleshoot VNet Peering issues?

Here is a troubleshooter guide you can try.

Virtual network TAP

Which Azure regions are available for virtual network TAP?

The virtual network TAP preview is available in all Azure regions. The monitored network interfaces, the virtual network TAP resource, and the collector or analytics solution must be deployed in the same region.

Does virtual network TAP support any filtering capabilities on the mirrored packets?

Filtering capabilities are not supported with the virtual network TAP preview. When a TAP configuration is added to a network interface, a deep copy of all the ingress and egress traffic on the network interface is streamed to the TAP destination.

Can multiple TAP configurations be added to a monitored network interface?

A monitored network interface can have only one TAP configuration. Check with the individual partner solution for the capability to stream multiple copies of the TAP traffic to the analytics tools of your choice.

Can the same virtual network TAP resource aggregate traffic from monitored network interfaces in more than one virtual network?

Yes. The same virtual network TAP resource can be used to aggregate mirrored traffic from monitored network interfaces in peered virtual networks in the same subscription or a different subscription. The virtual network TAP resource and the destination load balancer or destination network interface must be in the same subscription. All subscriptions must be under the same Azure Active Directory tenant.

Are there any performance considerations on production traffic if I enable a virtual network TAP configuration on a network interface?

Virtual network TAP is in preview. During preview, there is no service level agreement. The capability should not be used for production workloads. When a virtual machine network interface is enabled with a TAP configuration, the same resources on the Azure host allocated to the virtual machine to send the production traffic are used to perform the mirroring function and send the mirrored packets. Select the correct Linux or Windows virtual machine size to ensure that sufficient resources are available for the virtual machine to send the production traffic and the mirrored traffic.

Is accelerated networking for Linux or Windows supported with virtual network TAP?

You will be able to add a TAP configuration on a network interface attached to a virtual machine that is enabled with accelerated networking. However, the performance and latency on the virtual machine will be affected by adding a TAP configuration, since the offload for mirroring traffic is currently not supported by Azure accelerated networking.

虛擬網路服務端點Virtual network service endpoints

對 Azure 服務設定服務端點的正確作業順序為何?What is the right sequence of operations to set up service endpoints to an Azure service?

透過服務端點保護 Azure 服務資源的步驟有兩個:There are two steps to secure an Azure service resource through service endpoints:

  1. 針對 Azure 服務開啟服務端點。Turn on service endpoints for the Azure service.
  2. 在 Azure 服務上設定 VNet ACL。Set up VNet ACLs on the Azure service.

第一個步驟是網路端作業,第二個步驟是服務資源端作業。The first step is a network side operation and the second step is a service resource side operation. 這兩個步驟都可由相同的系統管理員或不同的系統管理員,根據授與給系統管理員角色的 Azure RBAC 許可權來執行。Both steps can be performed either by the same administrator or different administrators based on the Azure RBAC permissions granted to the administrator role. 我們建議您先針對您的虛擬網路開啟服務端點,再於 Azure 服務端設定 VNet ACL。We recommend that you first turn on service endpoints for your virtual network prior to setting up VNet ACLs on Azure service side. 因此,必須以上列循序執行這些步驟,以設定 VNet 服務端點。Hence, the steps must be performed in the sequence listed above to set up VNet service endpoints.

注意

您必須先完成上述兩個作業,才能限制 Azure 服務存取所允許的 VNet 和子網路。Both the operations described above must be completed before you can limit the Azure service access to the allowed VNet and subnet. 只在網路端針對 Azure 服務開啟服務端點不能提供您受限制的存取。Only turning on service endpoints for the Azure service on the network side does not provide you the limited access. 此外,您也必須在 Azure 服務端設定 VNet ACL。In addition, you must also set up VNet ACLs on the Azure service side.

某些服務 (例如 SQL 和 CosmosDB) 可透過 >ignoremissingvnetserviceendpoint 旗標來允許上述順序的例外狀況。Certain services (such as SQL and CosmosDB) allow exceptions to the above sequence through the IgnoreMissingVnetServiceEndpoint flag. 一旦旗標設定為 True,就可以在 Azure 服務端設定 VNet acl,再于網路端設定服務端點。Once the flag is set to True, VNet ACLs can be set on the Azure service side prior to setting up the service endpoints on the network side. Azure 服務提供此旗標來協助客戶避免連線中斷,若 IP 防火牆是設定在 Azure 服務上,在網路端開啟服務端點可能會導致連線中斷,因為來源 IP 從公用 IPv4 位址變更為私人位址。Azure services provide this flag to help customers in cases where the specific IP firewalls are configured on Azure services and turning on the service endpoints on the network side can lead to a connectivity drop since the source IP changes from a public IPv4 address to a private address. 先在 Azure 服務端設定 VNet ACL,再於網路端設定服務端點有助於避免連線中斷。Setting up VNet ACLs on the Azure service side before setting service endpoints on the network side can help avoid a connectivity drop.
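As an added example (not from the FAQ or the Azure documentation), the two steps above in the recommended order with the Azure CLI, followed by the SQL exception that uses the IgnoreMissingVnetServiceEndpoint flag (the `--ignore-missing-endpoint` switch); the resource group, VNet, subnet, storage account and server names are placeholders.

```azurecli
# Added example: enable service endpoints first, then set VNet ACLs, in the order the FAQ recommends.
# All resource names below are placeholders, not values from the page.
RG=myResourceGroup
VNET=myVnet
SUBNET=appSubnet

# Step 1 (network side): turn on the service endpoints on the subnet.
# Until this is done, traffic from the subnet still leaves with a public IPv4 source address.
az network vnet subnet update \
  --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
  --service-endpoints Microsoft.Storage Microsoft.Sql

# Step 2 (service side): add a VNet rule on each Azure service resource.
# Only once this rule exists is access actually limited to the subnet.
SUBNET_ID=$(az network vnet subnet show \
  --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" --query id -o tsv)

az storage account network-rule add \
  --resource-group "$RG" --account-name mystorageacct --subnet "$SUBNET_ID"

# Lock the storage account down to the allowed subnet(s):
# deny everything not covered by a VNet rule or an IP rule.
az storage account update \
  --resource-group "$RG" --name mystorageacct --default-action Deny

# Exception for SQL (and Cosmos DB): with the flag set, the VNet rule can be created before
# Step 1, so an existing IP firewall does not drop connections at the moment the subnet's
# source IP switches from public to private.
az sql server vnet-rule create \
  --resource-group "$RG" --server mysqlserver --name allow-app-subnet \
  --vnet-name "$VNET" --subnet "$SUBNET" --ignore-missing-endpoint

# Verify both halves: the subnet's endpoint list and the service-side rules.
az network vnet subnet show --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
  --query "serviceEndpoints[].service" -o tsv
az storage account network-rule list --resource-group "$RG" --account-name mystorageacct \
  --query "virtualNetworkRules[].virtualNetworkResourceId" -o tsv
```

If the final listing shows the subnet id but Step 1 was skipped, the subnet's traffic still arrives with a public source address and is rejected by the default Deny action.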

Do all Azure services reside in the Azure virtual network provided by the customer? How does a VNet service endpoint work with Azure services?

No, not all Azure services reside in the customer's virtual network. The majority of Azure data services, such as Azure Storage, Azure SQL, and Azure Cosmos DB, are multi-tenant services that can be accessed over public IP addresses. You can learn more about virtual network integration for Azure services here.

When you use the VNet service endpoints feature (turning on the VNet service endpoint on the network side and setting up appropriate VNet ACLs on the Azure service side), access to an Azure service is restricted to an allowed VNet and subnet.

How does a VNet service endpoint provide security?

The VNet service endpoint feature (turning on the VNet service endpoint on the network side and setting up appropriate VNet ACLs on the Azure service side) limits Azure service access to the allowed VNet and subnet, thus providing network-level security and isolation of the Azure service traffic. All traffic using VNet service endpoints flows over the Microsoft backbone, providing another layer of isolation from the public Internet. Moreover, customers can choose to fully remove public Internet access to the Azure service resources and allow traffic only from their virtual network, through a combination of IP firewall and VNet ACLs, thus protecting the Azure service resources from unauthorized access.

What does the VNet service endpoint protect: VNet resources or the Azure service?

VNet service endpoints help protect Azure service resources. VNet resources are protected through Network Security Groups (NSGs).

Is there any cost for using VNet service endpoints?

No, there is no additional cost for using VNet service endpoints.

Can I turn on VNet service endpoints and set up VNet ACLs if the virtual network and the Azure service resources belong to different subscriptions?

Yes, it is possible. Virtual networks and Azure service resources can be in either the same or different subscriptions. The only requirement is that both the virtual network and the Azure service resources must be under the same Active Directory (AD) tenant.

Can I turn on VNet service endpoints and set up VNet ACLs if the virtual network and the Azure service resources belong to different AD tenants?

Yes, it is possible when using service endpoints for Azure Storage and Azure Key Vault. For the rest of the services, VNet service endpoints and VNet ACLs are not supported across AD tenants.

Can an on-premises device's IP address that is connected through an Azure Virtual Network gateway (VPN) or ExpressRoute gateway access an Azure PaaS service over VNet service endpoints?

By default, Azure service resources secured to virtual networks are not reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow the public (typically NAT) IP addresses from your on-premises network or ExpressRoute. These IP addresses can be added through the IP firewall configuration for the Azure service resources.

Can I use the VNet service endpoint feature to secure an Azure service to multiple subnets within a virtual network or across multiple virtual networks?

To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, enable service endpoints on the network side on each of the subnets independently, and then secure the Azure service resources to all of the subnets by setting up appropriate VNet ACLs on the Azure service side.

How can I filter outbound traffic from a virtual network to Azure services and still use service endpoints?

If you want to inspect or filter the traffic destined to an Azure service from a virtual network, you can deploy a network virtual appliance within the virtual network. You can then apply service endpoints to the subnet where the network virtual appliance is deployed and secure Azure service resources only to that subnet through VNet ACLs. This scenario might also be helpful if you wish to restrict Azure service access from your virtual network to specific Azure resources only, using network virtual appliance filtering. For more information, see egress with network virtual appliances.

What happens when you access an Azure service account that has a virtual network access control list (ACL) enabled from outside the VNet?

An HTTP 403 or HTTP 404 error is returned.

Are subnets of a virtual network created in different regions allowed to access an Azure service account in another region?

Yes, for most Azure services, virtual networks created in different regions can access Azure services in another region through VNet service endpoints. For example, if an Azure Cosmos DB account is in West US or East US and virtual networks are in multiple regions, the virtual networks can access Azure Cosmos DB. Storage and SQL are exceptions: they are regional in nature, and both the virtual network and the Azure service need to be in the same region.

Can an Azure service have both a VNet ACL and an IP firewall?

Yes, a VNet ACL and an IP firewall can co-exist. Both features complement each other to ensure isolation and security.

What happens if you delete a virtual network or subnet that has a service endpoint turned on for an Azure service?

Deletion of VNets and subnets is an independent operation and is supported even when service endpoints are turned on for Azure services. In cases where the Azure services have VNet ACLs set up for those VNets and subnets, the VNet ACL information associated with that Azure service is disabled when a VNet or subnet that has a VNet service endpoint turned on is deleted.

What happens if an Azure service account that has a VNet service endpoint enabled is deleted?

The deletion of an Azure service account is an independent operation and is supported even when the service endpoint is enabled on the network side and VNet ACLs are set up on the Azure service side.

What happens to the source IP address of a resource (like a VM in a subnet) that has a VNet service endpoint enabled?

When virtual network service endpoints are enabled, the source IP addresses of the resources in your virtual network's subnet switch from public IPv4 addresses to the Azure virtual network's private IP addresses for traffic to the Azure service. Note that this can cause IP firewall rules on the Azure services that were previously set to the public IPv4 address to fail.

Does the service endpoint route always take precedence?

Service endpoints add a system route which takes precedence over BGP routes and provides optimum routing for the service endpoint traffic. Service endpoints always take service traffic directly from your virtual network to the service on the Microsoft Azure backbone network. For more information about how Azure selects a route, see Azure Virtual Network traffic routing.

Do service endpoints work with ICMP?

No, ICMP traffic sourced from a subnet with service endpoints enabled will not take the service tunnel path to the desired endpoint. Service endpoints only handle TCP traffic. This means that if you want to test latency or connectivity to an endpoint via service endpoints, tools like ping and tracert will not show the true path that resources within the subnet will take.

How does an NSG on a subnet work with service endpoints?

To reach the Azure service, NSGs need to allow outbound connectivity. If your NSGs are open to all Internet outbound traffic, then the service endpoint traffic should work. You can also limit outbound traffic to the service IPs only by using service tags.
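As an added example (not from the FAQ or the Azure documentation), the Azure CLI commands for the outbound restriction just described: allow only the Storage service tag from the subnet and deny all other Internet egress, so service endpoint traffic keeps working while general Internet access is closed; resource names are placeholders.

```azurecli
# Added example: restrict outbound traffic from a service-endpoint subnet to the Storage
# service tag only. Resource names are placeholders, not values from the page.
RG=myResourceGroup
NSG=appSubnetNsg
VNET=myVnet
SUBNET=appSubnet

az network nsg create --resource-group "$RG" --name "$NSG"

# Allow TCP 443 to Azure Storage addresses only. The Storage service tag tracks the service's
# IP ranges for you; a regional tag such as Storage.EastUS narrows it to one region.
az network nsg rule create \
  --resource-group "$RG" --nsg-name "$NSG" --name AllowStorageOutbound \
  --priority 100 --direction Outbound --access Allow --protocol Tcp \
  --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
  --destination-address-prefixes Storage --destination-port-ranges 443

# Deny all other outbound Internet traffic. The higher priority number means this rule is
# evaluated after the allow rule above.
az network nsg rule create \
  --resource-group "$RG" --nsg-name "$NSG" --name DenyInternetOutbound \
  --priority 200 --direction Outbound --access Deny --protocol '*' \
  --source-address-prefixes VirtualNetwork --source-port-ranges '*' \
  --destination-address-prefixes Internet --destination-port-ranges '*'

# Attach the NSG to the subnet that has the service endpoint enabled.
az network vnet subnet update \
  --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
  --network-security-group "$NSG"

# Review the rule order: the allow rule must sit above the deny rule.
az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" \
  --query "[].{name:name,priority:priority,access:access,dst:destinationAddressPrefix}" -o table
```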

What permissions do I need to set up service endpoints?

Service endpoints can be configured on a virtual network independently by a user with write access to the virtual network. To secure Azure service resources to a VNet, the user must have the permission Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action for the subnets being added. This permission is included in the built-in service administrator role by default and can be modified by creating custom roles. Learn more about built-in roles and assigning specific permissions to custom roles.
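An added example, not from the FAQ or the Azure documentation, of a custom role that carries only the join permission named above and is assigned at subnet scope, so the service-side administrator can secure resources to the subnet without write access to the whole virtual network; the subscription id, user and resource names are placeholders.

```azurecli
# Added example: least-privilege custom role for securing Azure service resources to a subnet.
# The subscription id, user and resource names are placeholders, not values from the page.
SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000

cat > service-endpoint-joiner.json <<EOF
{
  "Name": "Service Endpoint Joiner (example)",
  "IsCustom": true,
  "Description": "Can secure Azure service resources to subnets via service endpoints.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/${SUBSCRIPTION_ID}" ]
}
EOF

az role definition create --role-definition @service-endpoint-joiner.json

# Assign the role on the subnet only, not on the virtual network or resource group.
SUBNET_ID=$(az network vnet subnet show \
  --resource-group myResourceGroup --vnet-name myVnet --name appSubnet --query id -o tsv)

az role assignment create \
  --assignee user@example.com \
  --role "Service Endpoint Joiner (example)" \
  --scope "$SUBNET_ID"

# Confirm that the join action is the only write-like action in the role.
az role definition list --name "Service Endpoint Joiner (example)" \
  --query "[].permissions[].actions" -o tsv
```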

Can I filter virtual network traffic to Azure services, allowing only specific Azure service resources, over VNet service endpoints?

Virtual network (VNet) service endpoint policies allow you to filter virtual network traffic to Azure services, allowing only specific Azure service resources over the service endpoints. Endpoint policies provide granular access control for virtual network traffic to Azure services. You can learn more about service endpoint policies here.

Does Azure Active Directory (Azure AD) support VNet service endpoints?

Azure Active Directory (Azure AD) doesn't support service endpoints natively. The complete list of Azure services supporting VNet service endpoints can be seen here. Note that the "Microsoft.AzureActiveDirectory" tag listed under services supporting service endpoints is used for supporting service endpoints to ADLS Gen 1. For ADLS Gen 1, virtual network integration for Azure Data Lake Storage Gen1 makes use of the virtual network service endpoint security between your virtual network and Azure Active Directory (Azure AD) to generate additional security claims in the access token. These claims are then used to authenticate your virtual network to your Data Lake Storage Gen1 account and allow access. Learn more about Azure Data Lake Store Gen 1 VNet integration.

Are there any limits on how many VNet service endpoints I can set up from my VNet?

There is no limit on the total number of VNet service endpoints in a virtual network. For an Azure service resource (such as an Azure Storage account), services may enforce limits on the number of subnets used for securing the resource. The following table shows some example limits:

| Azure service | Limit on VNet rules |
|---|---|
| Azure Storage | 100 |
| Azure SQL | 128 |
| Azure Synapse Analytics | 128 |
| Azure KeyVault | 127 |
| Azure Cosmos DB | 64 |
| Azure Event Hub | 128 |
| Azure Service Bus | 128 |
| Azure Data Lake Store V1 | 100 |

Note

The limits are subject to change at the discretion of the Azure service. Refer to the respective service documentation for service details.