Virtual network traffic routing

Learn about how Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. To learn more about virtual networks and subnets, see Virtual network overview. You can override some of Azure's system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in the subnet's route table.

System routes

Azure automatically creates system routes and assigns the routes to each subnet in a virtual network. You can't create system routes, nor can you remove system routes, but you can override some system routes with custom routes. Azure creates default system routes for each subnet, and adds additional optional default routes to specific subnets, or to every subnet, when you use specific Azure capabilities.

Default

Each route contains an address prefix and a next hop type. When traffic leaving a subnet is sent to an IP address within the address prefix of a route, the route that contains the prefix is the route Azure uses. Learn more about how Azure selects a route when multiple routes contain the same or overlapping prefixes. Whenever a virtual network is created, Azure automatically creates the following default system routes for each subnet within the virtual network:

| Source | Address prefixes | Next hop type |
|---|---|---|
| Default | Unique to the virtual network | Virtual network |
| Default | 0.0.0.0/0 | Internet |
| Default | 10.0.0.0/8 | None |
| Default | 192.168.0.0/16 | None |
| Default | 100.64.0.0/10 | None |

The next hop types listed in the previous table represent how Azure routes traffic destined for the address prefix listed. Explanations for the next hop types follow:

  • Virtual network: Routes traffic between address ranges within the address space of a virtual network. Azure creates a route with an address prefix that corresponds to each address range defined within the address space of a virtual network. If the virtual network address space has multiple address ranges defined, Azure creates an individual route for each address range. Azure automatically routes traffic between subnets using the routes created for each address range. You don't need to define gateways for Azure to route traffic between subnets. Though a virtual network contains subnets, and each subnet has a defined address range, Azure does not create default routes for subnet address ranges, because each subnet address range is within an address range of the address space of a virtual network.

  • Internet: Routes traffic specified by the address prefix to the Internet. The system default route specifies the 0.0.0.0/0 address prefix. If you don't override Azure's default routes, Azure routes traffic for any address not specified by an address range within a virtual network to the Internet, with one exception. If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route.

  • None: Traffic routed to the None next hop type is dropped, rather than routed outside the subnet. Azure automatically creates default routes for the following address prefixes:

    • 10.0.0.0/8 and 192.168.0.0/16: Reserved for private use in RFC 1918.
    • 100.64.0.0/10: Reserved in RFC 6598.

    If you assign any of the previous address ranges within the address space of a virtual network, Azure automatically changes the next hop type for the route from None to Virtual network. If you assign an address range to the address space of a virtual network that includes, but isn't the same as, one of the four reserved address prefixes, Azure removes the route for the prefix and adds a route for the address prefix you added, with Virtual network as the next hop type.

Optional default routes

Azure adds additional default system routes for different Azure capabilities, but only if you enable the capabilities. Depending on the capability, Azure adds optional default routes to either specific subnets within the virtual network, or to all subnets within a virtual network. The additional system routes and next hop types that Azure may add when you enable different capabilities are:

| Source | Address prefixes | Next hop type | Subnet within virtual network that route is added to |
|---|---|---|---|
| Default | Unique to the virtual network, for example: 10.1.0.0/16 | VNet peering | All |
| Virtual network gateway | Prefixes advertised from on-premises via BGP, or configured in the local network gateway | Virtual network gateway | All |
| Default | Multiple | VirtualNetworkServiceEndpoint | Only the subnet a service endpoint is enabled for. |

  • Virtual network (VNet) peering: When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network a peering is created for. Learn more about virtual network peering.

  • Virtual network gateway: One or more routes with Virtual network gateway listed as the next hop type are added when a virtual network gateway is added to a virtual network. The source is also Virtual network gateway, because the gateway adds the routes to the subnet. If your on-premises network gateway exchanges border gateway protocol (BGP) routes with an Azure virtual network gateway, a route is added for each route propagated from the on-premises network gateway. It's recommended that you summarize on-premises routes to the largest address ranges possible, so the fewest number of routes are propagated to an Azure virtual network gateway. There are limits to the number of routes you can propagate to an Azure virtual network gateway. For details, see Azure limits.

  • VirtualNetworkServiceEndpoint: The public IP addresses for certain services are added to the route table by Azure when you enable a service endpoint to the service. Service endpoints are enabled for individual subnets within a virtual network, so the route is only added to the route table of a subnet a service endpoint is enabled for. The public IP addresses of Azure services change periodically. Azure manages the addresses in the route table automatically when the addresses change. Learn more about virtual network service endpoints, and the services you can create service endpoints for.

    Note

    The VNet peering and VirtualNetworkServiceEndpoint next hop types are only added to route tables of subnets within virtual networks created through the Azure Resource Manager deployment model. The next hop types are not added to route tables that are associated to virtual network subnets created through the classic deployment model. Learn more about Azure deployment models.

Custom routes

You create custom routes by either creating user-defined routes, or by exchanging border gateway protocol (BGP) routes between your on-premises network gateway and an Azure virtual network gateway.

User-defined

You can create custom, or user-defined, routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. In Azure, you create a route table, then associate the route table to zero or more virtual network subnets. Each subnet can have zero or one route table associated to it. To learn about the maximum number of routes you can add to a route table and the maximum number of user-defined route tables you can create per Azure subscription, see Azure limits. If you create a route table and associate it to a subnet, the routes within it are combined with, or override, the default routes Azure adds to a subnet by default.

You can specify the following next hop types when creating a user-defined route:

  • Virtual appliance: A virtual appliance is a virtual machine that typically runs a network application, such as a firewall. To learn about a variety of pre-configured network virtual appliances you can deploy in a virtual network, see the Azure Marketplace. When you create a route with the virtual appliance hop type, you also specify a next hop IP address. The IP address can be:

    • The private IP address of a network interface attached to a virtual machine. Any network interface attached to a virtual machine that forwards network traffic to an address other than its own must have the Azure Enable IP forwarding option enabled for it. The setting disables Azure's check of the source and destination for a network interface. Learn more about how to enable IP forwarding for a network interface. Though Enable IP forwarding is an Azure setting, you may also need to enable IP forwarding within the virtual machine's operating system for the appliance to forward traffic between private IP addresses assigned to Azure network interfaces. If the appliance must route traffic to a public IP address, it must either proxy the traffic, or network address translate the source's private IP address to its own private IP address, which Azure then network address translates to a public IP address, before sending the traffic to the Internet. To determine required settings within the virtual machine, see the documentation for your operating system or network application. To understand outbound connections in Azure, see Understanding outbound connections.

      Note

      Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet.

    • The private IP address of an Azure internal load balancer. A load balancer is often used as part of a high availability strategy for network virtual appliances.

    You can define a route with 0.0.0.0/0 as the address prefix and a next hop type of virtual appliance, enabling the appliance to inspect the traffic and determine whether to forward or drop the traffic. If you intend to create a user-defined route that contains the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first.

  • Virtual network gateway: Specify when you want traffic destined for specific address prefixes routed to a virtual network gateway. The virtual network gateway must be created with type VPN. You cannot specify a virtual network gateway created as type ExpressRoute in a user-defined route because with ExpressRoute, you must use BGP for custom routes. You can define a route that directs traffic destined for the 0.0.0.0/0 address prefix to a route-based virtual network gateway. On your premises, you might have a device that inspects the traffic and determines whether to forward or drop the traffic. If you intend to create a user-defined route for the 0.0.0.0/0 address prefix, read 0.0.0.0/0 address prefix first. Instead of configuring a user-defined route for the 0.0.0.0/0 address prefix, you can advertise a route with the 0.0.0.0/0 prefix via BGP, if you've enabled BGP for a VPN virtual network gateway.

  • None: Specify when you want to drop traffic to an address prefix, rather than forwarding the traffic to a destination. If you haven't fully configured a capability, Azure may list None for some of the optional system routes. For example, if you see None listed as the Next hop IP address with a Next hop type of Virtual network gateway or Virtual appliance, it may be because the device isn't running, or isn't fully configured. Azure creates system default routes for reserved address prefixes with None as the next hop type.

  • Virtual network: Specify when you want to override the default routing within a virtual network. See Routing example for an example of why you might create a route with the Virtual network hop type.

  • Internet: Specify when you want to explicitly route traffic destined to an address prefix to the Internet, or if you want traffic destined for Azure services with public IP addresses kept within the Azure backbone network.

You cannot specify VNet peering or VirtualNetworkServiceEndpoint as the next hop type in user-defined routes. Routes with the VNet peering or VirtualNetworkServiceEndpoint next hop types are only created by Azure, when you configure a virtual network peering or a service endpoint.

Next hop types across Azure tools

The name displayed and referenced for next hop types is different between the Azure portal and command-line tools, and between the Azure Resource Manager and classic deployment models. The following table lists the names used to refer to each next hop type with the different tools and deployment models:

| Next hop type | Azure CLI and PowerShell (Resource Manager) | Azure classic CLI and PowerShell (classic) |
|---|---|---|
| Virtual network gateway | VirtualNetworkGateway | VPNGateway |
| Virtual network | VNetLocal | VNETLocal (not available in the classic CLI in asm mode) |
| Internet | Internet | Internet (not available in the classic CLI in asm mode) |
| Virtual appliance | VirtualAppliance | VirtualAppliance |
| None | None | Null (not available in the classic CLI in asm mode) |
| Virtual network peering | VNet peering | Not applicable |
| Virtual network service endpoint | VirtualNetworkServiceEndpoint | Not applicable |

Border gateway protocol

An on-premises network gateway can exchange routes with an Azure virtual network gateway using the border gateway protocol (BGP). Whether you use BGP with an Azure virtual network gateway depends on the type you selected when you created the gateway. If the type you selected was:

  • ExpressRoute: You must use BGP to advertise on-premises routes to the Microsoft Edge router. You cannot create user-defined routes to force traffic to a virtual network gateway deployed as type ExpressRoute. You can use user-defined routes to force traffic arriving from the ExpressRoute circuit to, for example, a network virtual appliance.
  • VPN: You can, optionally, use BGP. For details, see BGP with site-to-site VPN connections.

When you exchange routes with Azure using BGP, a separate route is added to the route table of all subnets in a virtual network for each advertised prefix. The route is added with Virtual network gateway listed as the source and next hop type.

ExpressRoute and VPN gateway route propagation can be disabled on a subnet using a property on a route table. When you exchange routes with Azure using BGP, routes are not added to the route tables of subnets that have Virtual network gateway route propagation disabled. Connectivity over VPN connections is then achieved using custom routes with a next hop type of Virtual network gateway. For details, see How to disable Virtual network gateway route propagation.

How Azure selects a route

When outbound traffic is sent from a subnet, Azure selects a route based on the destination IP address, using the longest prefix match algorithm. For example, a route table has two routes: one route specifies the 10.0.0.0/24 address prefix, while the other route specifies the 10.0.0.0/16 address prefix. Azure routes traffic destined for 10.0.0.5 to the next hop type specified in the route with the 10.0.0.0/24 address prefix, because 10.0.0.0/24 is a longer prefix than 10.0.0.0/16, even though 10.0.0.5 is within both address prefixes. Azure routes traffic destined for 10.0.1.5 to the next hop type specified in the route with the 10.0.0.0/16 address prefix, because 10.0.1.5 isn't included in the 10.0.0.0/24 address prefix, so the route with the 10.0.0.0/16 address prefix is the longest prefix that matches.

If multiple routes contain the same address prefix, Azure selects the route type based on the following priority:

  1. User-defined route
  2. BGP route
  3. System route

Note

System routes for traffic related to the virtual network, virtual network peerings, or virtual network service endpoints are preferred routes, even if BGP routes are more specific.

For example, a route table contains the following routes:

| Source | Address prefixes | Next hop type |
|---|---|---|
| Default | 0.0.0.0/0 | Internet |
| User | 0.0.0.0/0 | Virtual network gateway |

When traffic is destined for an IP address outside the address prefixes of any other routes in the route table, Azure selects the route with the User source, because user-defined routes are higher priority than system default routes.

See Routing example for a comprehensive routing table with explanations of the routes in the table.
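As an added example (not from the article or from Azure's own tooling), the following Python simulates the selection rules just described: longest prefix match, the User > BGP > System tie-break for identical prefixes, the Invalid state a default route gets when a user-defined route carries the same prefix, and the note that system routes for the virtual network, peerings and service endpoints beat more specific BGP routes. It runs the rules over the Subnet1 route table from the Routing example later in this article; the [X.X.X.X] service-endpoint prefix shown there is replaced by 203.0.113.0/24, a constructed placeholder from the documentation address range, and the BGP scenario is constructed as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Priority between routes that carry the same prefix: user-defined, then BGP, then system.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "Default": 2}

# System routes that are preferred over BGP routes even when the BGP prefix is more specific.
PROTECTED_SYSTEM_HOPS = {"Virtual network", "VNet peering", "VirtualNetworkServiceEndpoint"}


@dataclass(frozen=True)
class Route:
    id: int
    source: str                        # "Default" (system), "User" or "BGP"
    prefix: str                        # address prefix in CIDR notation
    next_hop_type: str
    next_hop_ip: Optional[str] = None  # only set for the Virtual appliance hop type here
    name: Optional[str] = None         # user-defined route name, if any

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)


def route_states(routes: List[Route]) -> Dict[int, str]:
    """Map each route ID to 'Active' or 'Invalid'.

    A system (Default) route becomes Invalid when a user-defined route with the
    identical prefix is in the same table, because user-defined routes override
    system routes; every other route stays Active."""
    user_prefixes = {r.network for r in routes if r.source == "User"}
    return {
        r.id: "Invalid" if r.source == "Default" and r.network in user_prefixes else "Active"
        for r in routes
    }


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would use for a packet to `destination`, or None
    if nothing matches (impossible while a 0.0.0.0/0 route is in the table)."""
    dest = ipaddress.ip_address(destination)
    states = route_states(routes)
    candidates = [r for r in routes if states[r.id] == "Active" and dest in r.network]
    if not candidates:
        return None
    # Longest prefix match; on equal prefix length the higher-priority source wins.
    best = max(candidates, key=lambda r: (r.network.prefixlen, -SOURCE_PRIORITY[r.source]))
    if best.source == "BGP":
        # The article's note: system routes for the virtual network, peerings and
        # service endpoints are preferred even when the BGP route is more specific.
        protected = [r for r in candidates
                     if r.source == "Default" and r.next_hop_type in PROTECTED_SYSTEM_HOPS]
        if protected:
            best = max(protected, key=lambda r: r.network.prefixlen)
    return best


def next_hop(routes: List[Route], destination: str) -> str:
    """Outcome as text, e.g. 'Virtual appliance 10.0.100.4' or 'dropped' (None hop)."""
    route = select_route(routes, destination)
    if route is None or route.next_hop_type == "None":
        return "dropped"
    return f"{route.next_hop_type} {route.next_hop_ip}" if route.next_hop_ip else route.next_hop_type


# Subnet1 route table from the article's Routing example. The page shows [X.X.X.X] for the
# gateway's next hop IP and for the service-endpoint prefix; 203.0.113.0/24 (a documentation
# range) is a constructed stand-in for the latter and is not a real Azure service prefix.
SUBNET1_ROUTES = [
    Route(1, "Default", "10.0.0.0/16", "Virtual network"),
    Route(2, "User", "10.0.0.0/16", "Virtual appliance", "10.0.100.4", "Within-VNet1"),
    Route(3, "User", "10.0.0.0/24", "Virtual network", None, "Within-Subnet1"),
    Route(4, "Default", "10.1.0.0/16", "VNet peering"),
    Route(5, "Default", "10.2.0.0/16", "VNet peering"),
    Route(6, "User", "10.1.0.0/16", "None", None, "ToVNet2-1-Drop"),
    Route(7, "User", "10.2.0.0/16", "None", None, "ToVNet2-2-Drop"),
    Route(8, "Default", "10.10.0.0/16", "Virtual network gateway"),
    Route(9, "User", "10.10.0.0/16", "Virtual appliance", "10.0.100.4", "To-On-Prem"),
    Route(10, "Default", "203.0.113.0/24", "VirtualNetworkServiceEndpoint"),
    Route(11, "Default", "0.0.0.0/0", "Internet"),
    Route(12, "User", "0.0.0.0/0", "Virtual appliance", "10.0.100.4", "Default-NVA"),
]

# Constructed scenario for the note above: a BGP route is more specific than the system
# route for the virtual network's own address space, yet the system route still wins.
BGP_NOTE_ROUTES = [
    Route(1, "Default", "10.0.0.0/16", "Virtual network"),
    Route(2, "BGP", "10.0.0.0/24", "Virtual network gateway"),
    Route(3, "Default", "0.0.0.0/0", "Internet"),
]

if __name__ == "__main__":
    for dest in ("10.0.0.50", "10.0.1.50", "10.1.5.5", "10.10.0.9", "203.0.113.7", "198.51.100.7"):
        r = select_route(SUBNET1_ROUTES, dest)
        print(f"{dest:>13} -> route {r.id:2d} ({r.source}) {next_hop(SUBNET1_ROUTES, dest)}")
    print("BGP note, 10.0.0.5 ->", select_route(BGP_NOTE_ROUTES, "10.0.0.5").next_hop_type)
```

The State column the simulator computes for SUBNET1_ROUTES matches the Subnet1 table in the Routing example, and a destination such as 198.51.100.7 (constructed) lands on the user-defined 0.0.0.0/0 route rather than the invalidated Internet default.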

0.0.0.0/0 address prefix

A route with the 0.0.0.0/0 address prefix instructs Azure how to route traffic destined for an IP address that is not within the address prefix of any other route in a subnet's route table. When a subnet is created, Azure creates a default route to the 0.0.0.0/0 address prefix, with the Internet next hop type. If you don't override this route, Azure routes all traffic destined to IP addresses not included in the address prefix of any other route to the Internet. The exception is that traffic to the public IP addresses of Azure services remains on the Azure backbone network, and is not routed to the Internet. If you override this route with a custom route, traffic destined to addresses not within the address prefixes of any other route in the route table is sent to a network virtual appliance or virtual network gateway, depending on which you specify in the custom route.

When you override the 0.0.0.0/0 address prefix, in addition to outbound traffic from the subnet flowing through the virtual network gateway or virtual appliance, the following changes occur with Azure's default routing:

  • Azure sends all traffic to the next hop type specified in the route, including traffic destined for public IP addresses of Azure services. When the next hop type for the route with the 0.0.0.0/0 address prefix is Internet, traffic from the subnet destined to the public IP addresses of Azure services never leaves Azure's backbone network, regardless of the Azure region the virtual network or Azure service resource exists in. When you create a user-defined or BGP route with a Virtual network gateway or Virtual appliance next hop type, however, all traffic, including traffic sent to public IP addresses of Azure services you haven't enabled service endpoints for, is sent to the next hop type specified in the route. If you've enabled a service endpoint for a service, traffic to the service is not routed to the next hop type in a route with the 0.0.0.0/0 address prefix, because the address prefixes for the service are specified in the route that Azure creates when you enable the service endpoint, and those address prefixes are longer than 0.0.0.0/0.

  • You are no longer able to directly access resources in the subnet from the Internet. You can indirectly access resources in the subnet from the Internet if inbound traffic passes through the device specified by the next hop type for a route with the 0.0.0.0/0 address prefix before reaching the resource in the virtual network. If the route contains the following values for next hop type:

    • Virtual appliance: The appliance must:

      • Be accessible from the Internet
      • Have a public IP address assigned to it
      • Not have a network security group rule associated to it that prevents communication to the device
      • Not deny the communication
      • Be able to network address translate and forward, or proxy the traffic to the destination resource in the subnet, and return the traffic back to the Internet.
    • Virtual network gateway: If the gateway is an ExpressRoute virtual network gateway, an Internet-connected device on-premises can network address translate and forward, or proxy the traffic to the destination resource in the subnet, via ExpressRoute's private peering.

If your virtual network is connected to an Azure VPN gateway, do not associate a route table to the gateway subnet that includes a route with a destination of 0.0.0.0/0. Doing so can prevent the gateway from functioning properly. For details, see the "Why are certain ports opened on my VPN gateway?" question in the VPN Gateway FAQ.

See DMZ between Azure and your on-premises datacenter and DMZ between Azure and the Internet for implementation details when using virtual network gateways and virtual appliances between the Internet and Azure.

Routing example

To illustrate the concepts in this article, the sections that follow describe:

  • A scenario, with requirements
  • The custom routes necessary to meet the requirements
  • The route table that exists for one subnet that includes the default and custom routes necessary to meet the requirements

Note

This example is not intended to be a recommended or best practice implementation. Rather, it is provided only to illustrate concepts in this article.

Requirements

  1. Implement two virtual networks in the same Azure region and enable resources to communicate between the virtual networks.

  2. Enable an on-premises network to communicate securely with both virtual networks through a VPN tunnel over the Internet. Alternatively, an ExpressRoute connection could be used, but in this example, a VPN connection is used.

  3. For one subnet in one virtual network:

    • Force all outbound traffic from the subnet, except to Azure Storage and within the subnet, to flow through a network virtual appliance, for inspection and logging.
    • Do not inspect traffic between private IP addresses within the subnet; allow traffic to flow directly between all resources.
    • Drop any outbound traffic destined for the other virtual network.
    • Enable outbound traffic to Azure Storage to flow directly to storage, without forcing it through a network virtual appliance.
  4. Allow all traffic between all other subnets and virtual networks.

Implementation

The following picture shows an implementation through the Azure Resource Manager deployment model that meets the previous requirements:

[Network diagram]

Arrows show the flow of traffic.

Route tables

Subnet1

The route table for Subnet1 in the picture contains the following routes:

| ID | Source | State | Address prefixes | Next hop type | Next hop IP address | User-defined route name |
|---|---|---|---|---|---|---|
| 1 | Default | Invalid | 10.0.0.0/16 | Virtual network | | |
| 2 | User | Active | 10.0.0.0/16 | Virtual appliance | 10.0.100.4 | Within-VNet1 |
| 3 | User | Active | 10.0.0.0/24 | Virtual network | | Within-Subnet1 |
| 4 | Default | Invalid | 10.1.0.0/16 | VNet peering | | |
| 5 | Default | Invalid | 10.2.0.0/16 | VNet peering | | |
| 6 | User | Active | 10.1.0.0/16 | None | | ToVNet2-1-Drop |
| 7 | User | Active | 10.2.0.0/16 | None | | ToVNet2-2-Drop |
| 8 | Default | Invalid | 10.10.0.0/16 | Virtual network gateway | [X.X.X.X] | |
| 9 | User | Active | 10.10.0.0/16 | Virtual appliance | 10.0.100.4 | To-On-Prem |
| 10 | Default | Active | [X.X.X.X] | VirtualNetworkServiceEndpoint | | |
| 11 | Default | Invalid | 0.0.0.0/0 | Internet | | |
| 12 | User | Active | 0.0.0.0/0 | Virtual appliance | 10.0.100.4 | Default-NVA |

An explanation of each route ID follows:

  1. Azure automatically added this route for all subnets within Virtual-network-1, because 10.0.0.0/16 is the only address range defined in the address space of the virtual network. If the user-defined route in ID 2 weren't created, traffic sent to any address between 10.0.0.1 and 10.0.255.254 would be routed within the virtual network, because the prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid when ID 2, a user-defined route, was added, since it has the same prefix as the default route and user-defined routes override default routes. The state of this route is still Active for Subnet2, because the route table that contains user-defined route ID 2 isn't associated to Subnet2.
  2. Azure added this route when a user-defined route for the 10.0.0.0/16 address prefix was associated to the Subnet1 subnet in the Virtual-network-1 virtual network. The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance, because that address is the private IP address assigned to the virtual appliance virtual machine. The route table this route exists in is not associated to Subnet2, so the route doesn't appear in the route table for Subnet2. This route overrides the default route for the 10.0.0.0/16 prefix (ID 1), which automatically routed traffic addressed to 10.0.0.1 through 10.0.255.254 within the virtual network using the Virtual network next hop type. This route exists to meet requirement 3, to force all outbound traffic through a virtual appliance.
  3. Azure added this route when a user-defined route for the 10.0.0.0/24 address prefix was associated to the Subnet1 subnet. Traffic destined for addresses between 10.0.0.1 and 10.0.0.254 remains within the subnet, rather than being routed to the virtual appliance specified in the previous route (ID 2), because this route has a longer prefix than the ID 2 route. This route was not associated to Subnet2, so it does not appear in the route table for Subnet2. This route effectively overrides the ID 2 route for traffic within Subnet1. It exists to meet requirement 3.
  4. Azure automatically added the routes in IDs 4 and 5 for all subnets within Virtual-network-1 when the virtual network was peered with Virtual-network-2. Virtual-network-2 has two address ranges in its address space, 10.1.0.0/16 and 10.2.0.0/16, so Azure added a route for each range. If the user-defined routes in IDs 6 and 7 weren't created, traffic sent to any address between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 would be routed to the peered virtual network, because those prefixes are longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. Azure automatically changed the state from Active to Invalid when the routes in IDs 6 and 7 were added, since they have the same prefixes as the routes in IDs 4 and 5, and user-defined routes override default routes. The state of the routes in IDs 4 and 5 is still Active for Subnet2, because the route table that contains the user-defined routes in IDs 6 and 7 isn't associated to Subnet2. The virtual network peering was created to meet requirement 1.
  5. Same explanation as ID 4.
  6. Azure added this route and the route in ID 7 when user-defined routes for the 10.1.0.0/16 and 10.2.0.0/16 address prefixes were associated to the Subnet1 subnet. Traffic destined for addresses between 10.1.0.1-10.1.255.254 and 10.2.0.1-10.2.255.254 is dropped by Azure (next hop type None), rather than being routed to the peered virtual network, because user-defined routes override default routes. The routes are not associated to Subnet2, so they do not appear in the route table for Subnet2. The routes override the ID 4 and ID 5 routes for traffic leaving Subnet1. The ID 6 and ID 7 routes exist to meet requirement 3, to drop traffic destined for the other virtual network.
  7. Same explanation as ID 6.
  8. Azure automatically added this route for all subnets within Virtual-network-1 when a VPN-type virtual network gateway was created within the virtual network. Azure added the public IP address of the virtual network gateway to the route table as the next hop. Traffic sent to any address between 10.10.0.1 and 10.10.255.254 is routed to the virtual network gateway. The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes. For Subnet1 the route is Invalid, because the user-defined route in ID 9 has the same prefix and overrides it. The virtual network gateway was created to meet requirement 2.
  9. Azure added this route when a user-defined route for the 10.10.0.0/16 address prefix was added to the route table associated to Subnet1. This route overrides ID 8. It sends all traffic destined for the on-premises network to the NVA for inspection, rather than routing the traffic directly to on-premises through the gateway. This route was created to meet requirement 3.
  10. Azure automatically added this route to the subnet when a service endpoint to an Azure service was enabled for the subnet. Azure routes traffic from the subnet to a public IP address of the service over the Azure infrastructure network. The prefix is longer than 0.0.0.0/0 and not within the address prefixes of any of the other routes, so it stays Active even though the user-defined 0.0.0.0/0 route (ID 12) sends all other non-matching traffic to the virtual appliance. The service endpoint was created to meet requirement 3, to enable traffic destined for Azure Storage to flow directly to Azure Storage.
  11. Azure automatically added this route to the route table of all subnets within Virtual-network-1 and Virtual-network-2. The 0.0.0.0/0 address prefix is the shortest prefix. Any traffic sent to an address within a longer address prefix is routed based on the other routes. By default, Azure routes all traffic destined for addresses other than those specified in one of the other routes to the Internet. Azure automatically changed the state from Active to Invalid for the Subnet1 subnet when a user-defined route for the 0.0.0.0/0 address prefix (ID 12) was associated to the subnet. The state of this route is still Active for all other subnets within both virtual networks, because that user-defined route isn't associated to any other subnet in either virtual network.
  12. Azure added this route when a user-defined route for the 0.0.0.0/0 address prefix was associated to the Subnet1 subnet. The user-defined route specifies 10.0.100.4 as the IP address of the virtual appliance. This route is not associated to Subnet2, so it does not appear in the route table for Subnet2. All traffic for any address not included in the address prefixes of any of the other routes is sent to the virtual appliance. The addition of this route changed the state of the default route for the 0.0.0.0/0 address prefix (ID 11) from Active to Invalid for Subnet1, because a user-defined route overrides a default route. This route exists to meet requirement 3.

Subnet2

The route table for Subnet2 in the diagram contains the following routes:

| Source | State | Address prefix | Next hop type | Next hop IP address |
|---|---|---|---|---|
| Default | Active | 10.0.0.0/16 | Virtual network | |
| Default | Active | 10.1.0.0/16 | VNet peering | |
| Default | Active | 10.2.0.0/16 | VNet peering | |
| Default | Active | 10.10.0.0/16 | Virtual network gateway | [X.X.X.X] |
| Default | Active | 0.0.0.0/0 | Internet | |
| Default | Active | 10.0.0.0/8 | None | |
| Default | Active | 100.64.0.0/10 | None | |
| Default | Active | 192.168.0.0/16 | None | |

The route table for Subnet2 contains all of the Azure-created default routes plus the optional VNet peering and virtual network gateway routes. Azure added the optional routes to all subnets in the virtual network when the gateway and the peering were added to the virtual network. Azure removed the routes for the 10.0.0.0/8, 192.168.0.0/16, and 100.64.0.0/10 address prefixes from the Subnet1 route table when the user-defined route for the 0.0.0.0/0 address prefix was added to Subnet1. One consequence worth checking: traffic from Subnet1 to those ranges, which Azure drops by default in Subnet2, now matches the 0.0.0.0/0 user-defined route and is forwarded to the virtual appliance, so the appliance must enforce any drop that the removed routes used to provide.
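To make the selection rules behind the Subnet1 and Subnet2 tables checkable, here is a small model of Azure's route selection written for this page (an added example, not code from the Azure documentation or any Azure SDK). It encodes the two route tables listed above and assumes only the rules the page states: longest address prefix wins, and when prefixes tie a user-defined route beats a system route, which is what produces the Invalid state. The service-endpoint route (ID 10) and the gateway's public IP are left out because the page elides them as [X.X.X.X]; the name of ID 2 is not shown in this section, so it is left unset. The lookup of the same destination against both subnets shows why the same packet is dropped, inspected, or sent straight out depending on which subnet it leaves.

```python
"""Model of Azure route selection for the Subnet1 and Subnet2 tables above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Source priority when prefixes tie: user-defined > BGP > system.
# Caveat: Azure prefers system routes for the virtual network, VNet peering and
# service endpoints even over more specific BGP routes; that exception is not
# modelled here because neither table on this page contains BGP routes.
PRIORITY = {"User": 0, "BGP": 1, "Default": 2}


@dataclass(frozen=True)
class Route:
    id: int
    source: str                    # "Default" (system), "User" or "BGP"
    prefix: str                    # CIDR address prefix
    next_hop_type: str             # "None" means Azure drops the traffic
    next_hop_ip: Optional[str] = None
    name: Optional[str] = None     # user-defined route name, if any


# Subnet1 routes as listed on the page. ID 10 (service endpoint) is omitted
# because its prefix is elided; the gateway public IP for ID 8 is also elided.
SUBNET1 = [
    Route(1, "Default", "10.0.0.0/16", "Virtual network"),
    Route(2, "User", "10.0.0.0/16", "Virtual appliance", "10.0.100.4"),
    Route(3, "User", "10.0.0.0/24", "Virtual network", name="Within-Subnet1"),
    Route(4, "Default", "10.1.0.0/16", "VNet peering"),
    Route(5, "Default", "10.2.0.0/16", "VNet peering"),
    Route(6, "User", "10.1.0.0/16", "None", name="ToVNet2-1-Drop"),
    Route(7, "User", "10.2.0.0/16", "None", name="ToVNet2-2-Drop"),
    Route(8, "Default", "10.10.0.0/16", "Virtual network gateway"),
    Route(9, "User", "10.10.0.0/16", "Virtual appliance", "10.0.100.4", "To-On-Prem"),
    Route(11, "Default", "0.0.0.0/0", "Internet"),
    Route(12, "User", "0.0.0.0/0", "Virtual appliance", "10.0.100.4", "Default-NVA"),
]

# Subnet2 routes as listed on the page: system routes only, including the three
# "None" routes that Azure removed from Subnet1 when its 0.0.0.0/0 UDR was added.
SUBNET2 = [
    Route(1, "Default", "10.0.0.0/16", "Virtual network"),
    Route(2, "Default", "10.1.0.0/16", "VNet peering"),
    Route(3, "Default", "10.2.0.0/16", "VNet peering"),
    Route(4, "Default", "10.10.0.0/16", "Virtual network gateway"),
    Route(5, "Default", "0.0.0.0/0", "Internet"),
    Route(6, "Default", "10.0.0.0/8", "None"),
    Route(7, "Default", "100.64.0.0/10", "None"),
    Route(8, "Default", "192.168.0.0/16", "None"),
]


def select_route(routes, destination):
    """Return the route Azure uses for `destination`, or None if no prefix matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    # Longest prefix first; on a tie the lower PRIORITY value (user-defined) wins.
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                       -PRIORITY[r.source]))


def route_states(routes):
    """Map route ID -> "Active"/"Invalid" as the portal displays it.

    A route is Invalid when another route in the same table has the same prefix
    and a higher-priority source, so it can never be selected.
    """
    best = {}
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if net not in best or PRIORITY[r.source] < PRIORITY[best[net].source]:
            best[net] = r
    return {r.id: ("Active" if best[ipaddress.ip_network(r.prefix)] is r else "Invalid")
            for r in routes}


def describe(routes, destination):
    """One-line summary of where a destination goes, for a quick audit."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no matching route"
    hop = r.next_hop_type + (f" {r.next_hop_ip}" if r.next_hop_ip else "")
    return f"{destination}: {r.prefix} -> {hop}" + (f" ({r.name})" if r.name else "")


if __name__ == "__main__":
    for dst in ("10.0.0.5", "10.0.5.5", "10.1.2.3", "10.10.1.1", "192.168.1.1", "8.8.8.8"):
        print("Subnet1", describe(SUBNET1, dst))
        print("Subnet2", describe(SUBNET2, dst))
```

Running the script prints the chosen route for each destination from both subnets: 10.1.2.3 is dropped from Subnet1 but reaches the peered network from Subnet2, 10.10.1.1 goes to the NVA from Subnet1 but straight to the gateway from Subnet2, and 192.168.1.1 goes to the NVA from Subnet1 while Subnet2 still drops it. The model is only as good as the table you feed it; on a live deployment, the authoritative view is the effective route table of a VM's network interface, which the portal shows with the same Active/Invalid states and which `az network nic show-effective-route-table` returns for a given NIC.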

Next steps