What is Azure Virtual Network?

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. A VNet enables many types of Azure resources, such as Azure Virtual Machines (VMs), to communicate securely with each other, with the internet, and with on-premises networks. A VNet is similar to a traditional network that you would operate in your own data center, but it brings with it additional benefits of Azure's infrastructure, such as scale, availability, and isolation.

VNet concepts

  • Address space: When creating a VNet, you must specify a custom IP address space, normally private (RFC 1918) ranges, although public ranges are also accepted. Azure assigns resources in a virtual network a private IP address from the address space that you assign. For example, if you deploy a VM in a VNet with address space 10.0.0.0/16, the VM is assigned a private IP such as 10.0.0.4. (The first VM gets .4 rather than .1 because Azure reserves the first four addresses and the last address of every subnet for the network address, the default gateway, Azure DNS, and broadcast.)
  • Subnets: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network's address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets let you divide your VNet address space into segments that suit the organization's internal network, which also improves address allocation efficiency. You can secure resources within subnets using network security groups (NSGs). Note that a subnet boundary does not restrict traffic by itself: by default, resources in a VNet can reach each other across subnets, so segmentation is enforced by NSG rules (and, where needed, by routing traffic through a firewall), not by the subnet layout alone. For more information, see Network security groups.
  • Regions: A VNet is scoped to a single region/location; however, multiple virtual networks from different regions can be connected together using virtual network peering.
  • Subscription: A VNet is scoped to a subscription. You can implement multiple virtual networks within each Azure subscription and Azure region.

Best practices

As you build your network in Azure, keep the following universal design principles in mind:

  • Ensure non-overlapping address spaces. Make sure your VNet address space (CIDR block) does not overlap with your organization's other network ranges, including on-premises networks and any VNets you intend to peer or connect to. Overlapping ranges cannot be peered or routed to each other, and renumbering a VNet later is disruptive.
  • Your subnets should not cover the entire address space of the VNet. Plan ahead and reserve some address space for the future.
  • Prefer a small number of large VNets over many small VNets. This reduces management overhead.
  • Secure your VNets by assigning network security groups (NSGs) to the subnets within them.
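The address-space rules above (non-overlapping ranges, room left to grow, subnets carved from the VNet) as an added Python example; this is not code from the Azure documentation. ORG_RANGES and the subnet names are constructed sample input, and the five reserved addresses per subnet are the Azure platform's own reservation (network address, default gateway, two addresses for Azure DNS, broadcast):

```python
"""Address-space planning for an Azure VNet.

Added example, not code from the Azure documentation. It checks a proposed
VNet CIDR against the organisation's other ranges (on-premises networks and
VNets you intend to peer; peering and VPN routing both need non-overlapping
space), carves subnets from the VNet while holding part of the space in
reserve, and reports usable hosts per subnet after the five addresses Azure
reserves in every subnet. ORG_RANGES and the subnet names are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List

AZURE_RESERVED_PER_SUBNET = 5  # network, gateway, 2x Azure DNS, broadcast

# Constructed sample: two on-premises ranges plus an existing hub VNet to peer with.
ORG_RANGES = ["10.1.0.0/16", "192.168.0.0/16", "10.2.0.0/16"]


def overlapping_ranges(candidate: str, existing: Iterable[str]) -> List[str]:
    """Return every existing range that overlaps the candidate CIDR.

    strict=True rejects host-form input such as 10.0.0.1/16, so a typo cannot
    silently pass as a network address.
    """
    cand = ipaddress.ip_network(candidate, strict=True)
    return [r for r in existing
            if cand.overlaps(ipaddress.ip_network(r, strict=True))]


def plan_subnets(vnet_cidr: str, wanted: Dict[str, int],
                 reserve_fraction: float = 0.5) -> Dict[str, str]:
    """Carve subnets of the requested prefix lengths from vnet_cidr.

    Subnets are allocated largest-first from the start of the VNet, which keeps
    every allocation naturally aligned, and allocation refuses to consume more
    than (1 - reserve_fraction) of the VNet so space remains for later growth.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    budget = int(vnet.num_addresses * (1 - reserve_fraction))
    plan: Dict[str, str] = {}
    offset = 0  # addresses consumed so far, counted from the VNet base address
    for name, prefixlen in sorted(wanted.items(), key=lambda kv: kv[1]):
        if prefixlen < vnet.prefixlen or prefixlen > vnet.max_prefixlen:
            raise ValueError(f"{name}: /{prefixlen} does not fit inside {vnet}")
        size = 2 ** (vnet.max_prefixlen - prefixlen)
        if offset + size > budget:
            raise ValueError(
                f"{name}: /{prefixlen} would exceed the {budget}-address budget "
                f"for {vnet}; keep address space in reserve")
        base = ipaddress.ip_address(int(vnet.network_address) + offset)
        subnet = ipaddress.ip_network(f"{base}/{prefixlen}", strict=True)
        plan[name] = str(subnet)
        offset += size
    return plan


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for your resources after Azure's per-subnet reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


if __name__ == "__main__":
    candidate = "10.0.0.0/16"
    clash = overlapping_ranges(candidate, ORG_RANGES)
    print(f"{candidate} overlaps: {clash or 'nothing'}")
    # AzureFirewallSubnet must be /26 or larger; GatewaySubnet should be /27 or larger.
    plan = plan_subnets(candidate, {"app": 24, "data": 24,
                                    "AzureFirewallSubnet": 26, "GatewaySubnet": 27})
    for name, cidr in plan.items():
        print(f"{name:20} {cidr:18} usable hosts: {usable_hosts(cidr)}")
```

Running the script with the constructed ranges reports that 10.0.0.0/16 overlaps nothing, carves app and data /24s, a /26 for the firewall and a /27 for the gateway, and leaves the upper half of the VNet untouched for future subnets; a candidate such as 10.1.128.0/17 is flagged against the on-premises 10.1.0.0/16 before anything is deployed.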

Communicate with the internet

All resources in a VNet can communicate outbound to the internet by default. You enable inbound communication to a resource by assigning it a public IP address or placing it behind a public load balancer. You can also use a public IP or a public load balancer to control your outbound connections, so that outbound traffic leaves through an address you chose rather than an implicit, platform-assigned one. Because outbound access is open by default, a compromised VM can reach the internet unless you restrict it with NSG outbound rules or route outbound traffic through a firewall. To learn more about outbound connections in Azure, see Outbound connections, Public IP addresses, and Load Balancer.

Note

When using only an internal Standard Load Balancer, outbound connectivity is not available until you define how outbound connections should work, with an instance-level public IP or a public load balancer.

Communicate between Azure resources

Azure resources communicate securely with each other in one of the following ways:

  • Through a virtual network: You can deploy VMs and several other types of Azure resources into a virtual network, such as Azure App Service Environments, Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets. To view a complete list of Azure resources that you can deploy into a virtual network, see Virtual network service integration.
  • Through a virtual network service endpoint: Extend your virtual network's private address space and identity to Azure service resources, such as Azure Storage accounts and Azure SQL Database, over a direct connection. Service endpoints allow you to restrict access to your critical Azure service resources to only your virtual network. Note that the service keeps its public endpoint: traffic stays on the Azure backbone and arrives carrying the VNet's private source address, so you must also configure the service resource's own firewall to accept only that VNet, otherwise the endpoint changes the path but not who can reach the resource. To learn more, see Virtual network service endpoints overview.
  • Through VNet peering: You can connect virtual networks to each other, enabling resources in either virtual network to communicate with each other, using virtual network peering. The virtual networks you connect can be in the same or different Azure regions, but their address spaces must not overlap. To learn more, see Virtual network peering.

Communicate with on-premises resources

You can connect your on-premises computers and networks to a virtual network using any combination of the following options:

  • Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to connect to the virtual network must configure its own connection. This connection type is a good fit if you are just getting started with Azure, or for developers, because it requires little or no change to your existing network. The communication between your computer and the virtual network is sent through an encrypted tunnel over the internet. To learn more, see Point-to-site VPN.
  • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN gateway that is deployed in a virtual network. This connection type lets any on-premises resource that you authorize access the virtual network. The communication between your on-premises VPN device and the Azure VPN gateway is sent through an encrypted tunnel over the internet. To learn more, see Site-to-site VPN.
  • Azure ExpressRoute: Established between your network and Azure through an ExpressRoute partner. This connection is private; traffic does not traverse the public internet. Private does not mean encrypted, however: ExpressRoute does not encrypt traffic on its own, so if your data requires encryption in transit, apply it yourself (for example, IPsec over the circuit or encryption at the application layer). To learn more, see ExpressRoute.

Filter network traffic

You can filter network traffic between subnets using either or both of the following options:

  • Network security groups: A network security group contains inbound and outbound security rules, evaluated in priority order, that filter traffic to and from resources by source and destination IP address, port, and protocol. Application security groups let you group the network interfaces of VMs by role and reference that group as the source or destination of an NSG rule, so rules follow the workload rather than individual addresses. To learn more, see Network security groups or Application security groups.
  • Network virtual appliances: A network virtual appliance (NVA) is a VM that performs a network function, such as a firewall, WAN optimization, or another network function. Traffic reaches an NVA only if routing sends it there, so an NVA is normally paired with a custom route table. To view a list of available network virtual appliances that you can deploy in a virtual network, see Azure Marketplace.
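The NSG evaluation described above (priority order, first match wins, Azure's default rules underneath), as an added Python example that is not code from the Azure documentation. The VNet range, the ASG membership and the two rule sets are constructed sample input; the default rules and their priorities are the ones Azure places in every NSG. The weak rule set opens RDP to any source, which is the kind of misconfiguration the hardened set beside it corrects:

```python
"""Evaluate Azure network security group (NSG) rules against sample flows.

Added example, not code from the Azure documentation. An NSG checks the rules
for a flow's direction in priority order (lowest number first) and the first
match decides. Azure adds default rules (priorities 65000-65500) to every NSG:
intra-VNet traffic and Azure load balancer probes are allowed inbound, all
outbound traffic is allowed, and anything else inbound is denied. VNET_CIDRS,
ASG_MEMBERS and the two rule sets are constructed sample input.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # Azure platform virtual IP
VNET_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]         # constructed sample VNet
# Constructed ASG membership: which application security groups each NIC address is in.
ASG_MEMBERS: Dict[str, FrozenSet[str]] = {"10.0.1.4": frozenset({"asg-web"})}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; lower number wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, "*", a service tag, or "asg:<name>"
    destination: str    # same forms as source
    dest_port: str      # "*", "443" or "1000-2000"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _in_vnet(ip) -> bool:
    return any(ip in net for net in VNET_CIDRS)


def _addr_matches(spec: str, ip_str: str) -> bool:
    """Match an address against a CIDR, wildcard, service tag or ASG reference."""
    ip = ipaddress.ip_address(ip_str)
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        return spec[4:] in ASG_MEMBERS.get(ip_str, frozenset())
    if spec == "VirtualNetwork":
        return _in_vnet(ip)
    if spec == "Internet":
        return not _in_vnet(ip)
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (access, name of the deciding rule) for the flow."""
    ordered = sorted((r for r in custom_rules + DEFAULT_RULES if r.direction == flow.direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if (r.protocol in ("*", flow.protocol)
                and _addr_matches(r.source, flow.src_ip)
                and _addr_matches(r.destination, flow.dst_ip)
                and _port_matches(r.dest_port, flow.dst_port)):
            return r.access, r.name
    return "Deny", "implicit"  # not reached while the default rules are present


# Weak: RDP open to every source; only the HTTPS rule is scoped to the web ASG.
WEAK_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg:asg-web", "443"),
    Rule("Allow-RDP-Any", 110, "Inbound", "Allow", "Tcp", "*", "*", "3389"),
]
# Hardened: same HTTPS exposure; RDP only from a constructed management range (e.g. a jump-host subnet).
HARDENED_RULES = [
    Rule("Allow-HTTPS-Internet", 100, "Inbound", "Allow", "Tcp", "Internet", "asg:asg-web", "443"),
    Rule("Allow-RDP-Mgmt", 110, "Inbound", "Allow", "Tcp", "10.50.0.0/24", "asg:asg-web", "3389"),
]

if __name__ == "__main__":
    rdp_from_internet = Flow("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 3389)
    print("weak:     ", evaluate(WEAK_RULES, rdp_from_internet))
    print("hardened: ", evaluate(HARDENED_RULES, rdp_from_internet))
```

Two behaviours of the default rules are worth seeing in the output: an SSH connection from another subnet in the same VNet is allowed by AllowVnetInBound even though no custom rule mentions it (subnets are not a boundary on their own), and a DNS query to the internet is allowed outbound by AllowInternetOutBound, which is the open-by-default egress the previous section describes.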

Route network traffic

By default, Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the internet. You can implement either or both of the following options to override the default routes Azure creates:

  • Route tables: You can create custom route tables with routes that control where traffic is routed for each subnet, for example sending all internet-bound traffic to a firewall appliance instead of directly out. Learn more about route tables.
  • Border Gateway Protocol (BGP) routes: If you connect your virtual network to your on-premises network using an Azure VPN gateway or an ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. Learn more about using BGP with Azure VPN Gateway and ExpressRoute.
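How Azure chooses among system, BGP and user-defined routes, as an added Python example that is not code from the Azure documentation. Azure selects the route with the longest matching prefix and, when several routes share a prefix, prefers a user-defined route over a BGP route over a system route. The system routes for a 10.0.0.0/16 VNet, the BGP-learned on-premises prefix, and the user-defined route that sends everything else to a firewall NVA at 10.0.0.4 are constructed sample input; Route, effective_route and next_hop are names chosen here:

```python
"""Resolve the effective route for a destination the way Azure does.

Added example, not code from the Azure documentation. Azure picks the route
with the longest matching prefix; when several routes share the same prefix
it prefers a user-defined route over a BGP route over a system route. The
route entries below are constructed sample input.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_PREFERENCE = {"User": 0, "BGP": 1, "System": 2}  # lower wins on a prefix tie


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    origin: str                 # "System", "BGP" or "User"
    next_hop_ip: Optional[str] = None


# Constructed: the routes Azure creates for a 10.0.0.0/16 VNet on its own.
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]
# Constructed: an on-premises prefix learned over a VPN gateway or ExpressRoute with BGP.
BGP_ROUTES = [Route("10.1.0.0/16", "VirtualNetworkGateway", "BGP")]
# Constructed: a route table that sends all non-VNet traffic to a firewall NVA at 10.0.0.4.
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.0.4")]


def effective_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Longest prefix match, ties broken by origin (User > BGP > System)."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not matching:
        return None  # no covering route; cannot happen with Azure's 0.0.0.0/0 system route
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                        -ORIGIN_PREFERENCE[r.origin]))


def next_hop(destination: str, routes: List[Route]) -> str:
    """Readable next hop, e.g. 'VirtualAppliance 10.0.0.4 (User 0.0.0.0/0)'."""
    r = effective_route(destination, routes)
    if r is None:
        return "dropped"
    hop = r.next_hop_type + (f" {r.next_hop_ip}" if r.next_hop_ip else "")
    return f"{hop} ({r.origin} {r.prefix})"


if __name__ == "__main__":
    table = SYSTEM_ROUTES + BGP_ROUTES + USER_ROUTES
    for dest in ("10.0.1.4", "8.8.8.8", "10.1.2.3"):
        print(f"{dest:10} -> {next_hop(dest, table)}")
    # A user-defined route for the on-premises prefix overrides the BGP-learned one,
    # so traffic to on-premises is also inspected by the NVA.
    inspected = table + [Route("10.1.0.0/16", "VirtualAppliance", "User", "10.0.0.4")]
    print(f"{'10.1.2.3':10} -> {next_hop('10.1.2.3', inspected)}")
```

The 0.0.0.0/0 user-defined route is the usual way to force internet-bound traffic through an inspection point; it replaces Azure's default outbound path for that subnet, so the NVA (or a public IP or load balancer in front of it) must then provide the outbound connectivity, as the note on internal load balancers above describes. Intra-VNet traffic is unaffected because the more specific 10.0.0.0/16 system route still wins.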

Virtual network integration for Azure services

Integrating Azure services into an Azure virtual network enables private access to the service from virtual machines or other compute resources in the virtual network. You can integrate Azure services into your virtual network with the following options:

  • Deploying dedicated instances of the service into a virtual network. The services can then be accessed privately within the virtual network and from on-premises networks.
  • Using Private Link to privately access a specific instance of the service from your virtual network and from on-premises networks. The service instance receives a private IP address inside your VNet, so it no longer needs to be reachable through its public endpoint.
  • Accessing the service through its public endpoint by extending the virtual network to the service with service endpoints. Service endpoints allow service resources to be secured to the virtual network, although the resource's own firewall must still be configured to restrict access to that VNet.

Azure VNet limits

There are certain limits on the number of Azure resources you can deploy. Most Azure networking limits are already set to their maximum values. However, some networking limits can be increased, as specified on the VNet limits page.

Pricing

There is no charge for using Azure VNet itself. Standard charges apply to the resources you deploy into it, such as virtual machines (VMs), and to related products. To learn more, see VNet pricing and the Azure pricing calculator.

Next steps

To get started using a virtual network, create one, deploy a few VMs into it, and communicate between the VMs. To learn how, see the Create a virtual network quickstart.