What is Azure Virtual Network?

Azure Virtual Network enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. A virtual network is scoped to a single Azure region. An Azure region is a set of datacenters deployed within a latency-defined perimeter and connected through a dedicated regional low-latency network.

Virtual networks are made up of subnets. A subnet is a range of IP addresses within your virtual network. Subnets, like virtual networks, are scoped to a single Azure region.

Multiple virtual networks, in the same or different regions, can be connected together using Virtual Network Peering.

Azure Virtual Network provides the following key capabilities:

Isolation and segmentation

You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:

  • Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
  • Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet. Azure reserves the first four and the last IP address of every subnet, so a subnet hands out five fewer addresses than its prefix length suggests.
  • Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.
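The address-space and subnet rules above are easy to get wrong on paper, so the following Python script, added here as an example and not part of the original page or of any Azure tooling, validates a planned layout offline with the standard library `ipaddress` module. It checks that every subnet sits inside the virtual network's address space, that no two subnets overlap, that no subnet is smaller than the /29 minimum Azure accepts, subtracts the five addresses Azure reserves per subnet, and reports address prefixes that would prevent two virtual networks from being peered (peering requires non-overlapping address spaces). The hub layout, subnet names and the spoke address space used as input are constructed for the example.

```python
import ipaddress

# Azure reserves 5 addresses in every subnet: the network address, the
# default gateway, two addresses for Azure DNS, and the broadcast address.
# A /29 (8 addresses) therefore yields only 3 usable hosts.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_SMALLEST_SUBNET_PREFIXLEN = 29


def usable_hosts(subnet: str) -> int:
    """Number of addresses Azure will actually assign to resources in a subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def plan_subnets(address_space, subnets):
    """Validate a subnet layout against a virtual network's address space.

    address_space: list of CIDR strings assigned to the VNet.
    subnets: mapping of subnet name -> CIDR string.
    Returns a list of human-readable problems; an empty list means the layout
    is valid (every subnet inside the VNet, no overlaps, nothing below /29).
    """
    spaces = [ipaddress.ip_network(p, strict=True) for p in address_space]
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(space) for space in spaces):
            problems.append(f"{name} ({net}) is outside the VNet address space")
        if net.prefixlen > AZURE_SMALLEST_SUBNET_PREFIXLEN:
            problems.append(f"{name} ({net}) is smaller than /29, the smallest Azure allows")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def peering_conflicts(vnet_a, vnet_b):
    """Return (prefix_a, prefix_b) pairs that overlap between two VNets.

    Virtual network peering requires non-overlapping address spaces, so any
    non-empty result means the two networks cannot be peered as configured.
    """
    conflicts = []
    for pa in vnet_a:
        for pb in vnet_b:
            a, b = ipaddress.ip_network(pa), ipaddress.ip_network(pb)
            if a.overlaps(b):
                conflicts.append((str(a), str(b)))
    return conflicts


# Constructed sample layout (not from the article): a hub VNet with a
# gateway subnet and two workload tiers.
HUB_ADDRESS_SPACE = ["10.0.0.0/16"]
HUB_SUBNETS = {
    "GatewaySubnet": "10.0.255.0/27",
    "web": "10.0.1.0/24",
    "app": "10.0.2.0/24",
}

if __name__ == "__main__":
    for name, cidr in HUB_SUBNETS.items():
        print(f"{name:14} {cidr:16} usable hosts: {usable_hosts(cidr)}")
    print("layout problems:", plan_subnets(HUB_ADDRESS_SPACE, HUB_SUBNETS) or "none")
    # A spoke that reuses part of 10.0.0.0/16 cannot be peered with the hub.
    print("peering conflicts:", peering_conflicts(HUB_ADDRESS_SPACE, ["10.0.0.0/24", "10.1.0.0/16"]))
```

Run this before creating the virtual network; Azure rejects overlapping subnets and refuses to create a peering between overlapping address spaces, but finding that out at deployment time is slower than checking the plan first.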

Communicate with the internet

All resources in a virtual network can communicate outbound to the internet, by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use a public IP or a public Load Balancer to manage your outbound connections. Because outbound internet access is on by default, restrict it with outbound network security group rules or a user-defined default route through a firewall where workloads do not need it. To learn more about outbound connections in Azure, see Outbound connections, Public IP addresses, and Load Balancer.

Note

When using only an internal Standard Load Balancer, outbound connectivity is not available until you define how you want outbound connections to work with an instance-level public IP or a public Load Balancer.

Communicate between Azure resources

Azure resources communicate securely with each other in one of the following ways:

  • Through a virtual network: You can deploy VMs and several other types of Azure resources to a virtual network, such as Azure App Service Environments, Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets. To view a complete list of Azure resources that you can deploy into a virtual network, see Virtual network service integration.
  • Through a virtual network service endpoint: Extend your virtual network's private address space and the identity of your virtual network to Azure service resources, such as Azure Storage accounts and Azure SQL databases, over a direct connection. Service endpoints allow you to secure your critical Azure service resources to only a virtual network. Enabling the endpoint on a subnet does not by itself restrict access: you must also configure the service's own network rules to accept traffic only from that subnet. To learn more, see Virtual network service endpoints overview.

Communicate with on-premises resources

You can connect your on-premises computers and networks to a virtual network using any combination of the following options:

  • Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its own connection. This connection type is a good fit if you're just getting started with Azure, or for developers, because it requires little or no change to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet. To learn more, see Point-to-site VPN.
  • Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and the Azure VPN gateway is sent through an encrypted tunnel over the internet. To learn more, see Site-to-site VPN.
  • Azure ExpressRoute: Established between your network and Azure through an ExpressRoute partner. This connection is private; traffic does not go over the internet. To learn more, see ExpressRoute.

Filter network traffic

You can filter network traffic between subnets using either or both of the following options:

  • Security groups: A network security group contains inbound and outbound security rules that filter traffic to and from resources by source and destination IP address, port, and protocol. Rules are evaluated in priority order (lower number first) and processing stops at the first match, so a permissive rule with a low priority number cannot be undone by a deny rule with a higher one. Application security groups let rules refer to a named group of VM network interfaces instead of explicit IP addresses. To learn more, see Network security groups or Application security groups.
  • Network virtual appliances: A network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or another network function. To view a list of available network virtual appliances that you can deploy in a virtual network, see Azure Marketplace.
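To make the priority-order evaluation concrete, the Python script below, added here as an example and not code from the original page or from Azure, simulates how a network security group decides a flow: custom rules and the six built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound and their outbound counterparts) are sorted by priority and the first match wins. It models the `VirtualNetwork`, `AzureLoadBalancer` and `Internet` service tags only as far as the simulation needs them; the `Internet` tag is simplified to "any address outside the virtual network", and the 10.0.0.0/16 address space, the rule names, the bastion and web subnets, and the sample flows are constructed for the example. It contrasts a weak rule set that opens SSH to the world with a hardened one that admits SSH only from a bastion subnet, and shows that the default AllowVnetInBound rule still permits SSH between subnets.

```python
import ipaddress
from dataclasses import dataclass

# Constructed environment for the simulation (not from the article).
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_PROBE_SOURCE = ipaddress.ip_address("168.63.129.16")  # source of Azure LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; lower is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, "*" or a service tag
    source_port: str       # "*", "22", "1000-2000" or "22,443"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def address_matches(spec: str, ip: str) -> bool:
    """Match an address against a CIDR, "*" or one of the service tags modelled here."""
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "0.0.0.0/0"):
        return True
    in_vnet = any(addr in p for p in VNET_PREFIXES)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_SOURCE
    if spec == "Internet":
        return not in_vnet   # simplification: everything outside the VNet
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match a port against "*", a single port, a range, or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.direction == flow.direction
        and (rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
        and address_matches(rule.source, flow.src_ip)
        and port_matches(rule.source_port, flow.src_port)
        and address_matches(rule.destination, flow.dst_ip)
        and port_matches(rule.destination_port, flow.dst_port)
    )


# Azure's built-in default rules. They cannot be removed, only overridden by
# custom rules with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def evaluate(custom_rules, flow: Flow):
    """Return (access, rule name) for the first matching rule in priority order."""
    for rule in sorted(list(custom_rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", None   # unreachable while the default deny rules are present


# Weak: SSH open to the world. Hardened: SSH only from a (constructed) bastion subnet.
WEAK_RULES = [Rule("allow-ssh-any", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "22")]
HARDENED_RULES = [Rule("allow-ssh-bastion", 100, "Inbound", "Allow", "Tcp", "10.0.0.0/27", "*", "10.0.1.0/24", "22")]

SSH_FROM_INTERNET = Flow("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.1.4", 22)
SSH_FROM_APP_TIER = Flow("Inbound", "Tcp", "10.0.2.5", 51000, "10.0.1.4", 22)

if __name__ == "__main__":
    print("weak, SSH from internet    ->", evaluate(WEAK_RULES, SSH_FROM_INTERNET))
    print("hardened, SSH from internet ->", evaluate(HARDENED_RULES, SSH_FROM_INTERNET))
    # AllowVnetInBound still admits lateral SSH between subnets (and from peered
    # VNets) unless an explicit deny with a priority below 65000 is added.
    print("hardened, SSH from app tier ->", evaluate(HARDENED_RULES, SSH_FROM_APP_TIER))
```

The last case is the one reviewers most often miss: tightening the inbound rule from the internet does nothing about east-west traffic, because the `VirtualNetwork` service tag in the default rule also covers peered virtual networks and on-premises prefixes reachable through a gateway.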

Route network traffic

Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet, by default. You can implement either or both of the following options to override the default routes Azure creates:

  • Route tables: You can create custom route tables with routes that control where traffic is routed to for each subnet. Azure selects the route with the longest matching prefix; when prefix lengths tie, a user-defined route takes precedence over a BGP route, which takes precedence over a system route. Learn more about route tables.
  • Border gateway protocol (BGP) routes: If you connect your virtual network to your on-premises network using an Azure VPN Gateway or ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. Learn more about using BGP with Azure VPN Gateway and ExpressRoute.
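The route-selection rule, longest prefix first and then user-defined over BGP over system, determines whether a "send everything through the firewall" default route actually captures a given destination. The Python script below is an added example, not code from the original page or from Azure; it implements that selection over a constructed effective-route table for a subnet: the system routes Azure creates (the VNet prefix, 0.0.0.0/0 to Internet, and the RFC 1918 and 100.64.0.0/10 ranges with next hop type None, meaning dropped), one route learned over BGP from on-premises, and one user-defined default route to a network virtual appliance at 10.0.0.4. The 10.0.0.0/16 address space, the on-premises prefix and the appliance address are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# On equal prefix length Azure prefers user-defined, then BGP, then system routes.
SOURCE_PRECEDENCE = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str               # VirtualNetwork, Internet, None, VirtualNetworkGateway, VirtualAppliance
    source: str                      # "System", "BGP" or "User"
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance


def select_route(routes, destination: str) -> Optional[Route]:
    """Pick the route Azure would use for a destination address.

    Longest matching prefix wins; a tie on prefix length is broken by the
    route source precedence above. Returns None if nothing matches (cannot
    happen while the 0.0.0.0/0 system route is present).
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, SOURCE_PRECEDENCE[r.source]),
    )


def next_hop(routes, destination: str):
    """Return (next hop type, next hop IP or None) for a destination."""
    route = select_route(routes, destination)
    return (route.next_hop_type, route.next_hop_ip) if route else (None, None)


# Constructed effective routes for a subnet in a 10.0.0.0/16 VNet (not from the article).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("10.0.0.0/8", "None", "System"),        # "None" is Azure's literal type: traffic is dropped
    Route("172.16.0.0/12", "None", "System"),
    Route("192.168.0.0/16", "None", "System"),
    Route("100.64.0.0/10", "None", "System"),
]
BGP_ROUTES = [Route("192.168.0.0/16", "VirtualNetworkGateway", "BGP")]   # learned from on-premises
USER_ROUTES = [Route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.0.4")]  # force-tunnel via firewall
EFFECTIVE_ROUTES = SYSTEM_ROUTES + BGP_ROUTES + USER_ROUTES

if __name__ == "__main__":
    for dst in ("203.0.113.5", "10.0.2.5", "192.168.1.10", "172.16.5.1"):
        print(f"{dst:14} -> {next_hop(EFFECTIVE_ROUTES, dst)}")
```

Two results are worth noting. Traffic to another subnet in the same virtual network (10.0.2.5) matches the /16 system route and never reaches the appliance, so a default route alone does not inspect east-west traffic; you need more specific user-defined routes for that. Traffic to 172.16.5.1 is dropped by the /12 system route even though the user-defined 0.0.0.0/0 route exists, because the longer prefix wins before source precedence is considered.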

Connect virtual networks

You can connect virtual networks to each other using virtual network peering, enabling resources in either virtual network to communicate with each other. The virtual networks you connect can be in the same or different Azure regions. To learn more, see Virtual network peering.

Next steps

You now have an overview of Azure Virtual Network. To get started using a virtual network, create one, deploy a few VMs to it, and communicate between the VMs. To learn how, see the Create a virtual network quickstart.