Virtual network peering

Virtual network peering enables you to seamlessly connect virtual networks in an Azure Stack Hub environment. The virtual networks appear as one for connectivity purposes. Traffic between virtual machines uses the underlying SDN infrastructure. Like traffic between virtual machines in the same network, it is routed only through the Azure Stack Hub private network.

Azure Stack Hub does not support global peering, because the concept of "regions" does not apply.

The benefits of using virtual network peering are as follows:

  • A low-latency, high-bandwidth connection between resources in different virtual networks.
  • The ability of resources in one virtual network to communicate with resources in a different virtual network.
  • The ability to transfer data between virtual networks across different subscriptions and Azure Active Directory tenants.
  • No downtime to resources in either virtual network when creating the peering, or after the peering is created.

Network traffic between peered virtual networks is private. Traffic between virtual networks is kept in the infrastructure layer. No public internet, gateways, or encryption is required for communication between the virtual networks.

Connectivity

For peered virtual networks, resources in either virtual network can connect directly with resources in the peered virtual network.

The network latency between virtual machines in peered virtual networks in the same region is the same as the latency within a single virtual network. Network throughput is based on the bandwidth allowed for the virtual machine, which is proportionate to its size. There is no additional restriction on bandwidth within the peering.

Traffic between virtual machines in peered virtual networks is routed directly through the SDN layer, not through a gateway or over the public internet.

You can apply network security groups in either virtual network to block access to other virtual networks or subnets. When configuring virtual network peering, you can either open or close the network security group rules between the virtual networks. If you open full connectivity between peered virtual networks, you can apply network security groups to block or deny specific access. Full connectivity is the default option. To learn more about network security groups, see Security groups.
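Because full connectivity is the default, restricting what a peered network can reach is done with a network security group on the subnet you want to shield. The following PowerShell is an added example written for this page, not code from the Azure Stack Hub documentation or from the Az module's own samples. It uses the standard Az.Network cmdlets and assumes an Az session already connected to the Azure Stack Hub user endpoint; the resource group, virtual network and subnet names, the location, and the address ranges are placeholders.

```powershell
# Added example (not from the Azure Stack Hub docs). Assumes an authenticated Az
# session against the Azure Stack Hub user ARM endpoint. All names, the location
# and the address ranges below are placeholders.

$rg        = 'rg-app'
$location  = 'local'         # Azure Stack Hub region name (placeholder)
$peerRange = '10.2.0.0/16'   # address space of the peered virtual network
$trusted   = '10.2.10.0/24'  # one subnet in the peered VNet allowed to reach HTTPS

# Allow only HTTPS from the trusted subnet of the peered network.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'allow-peer-https' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $trusted -SourcePortRange '*' `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 443

# Deny everything else that arrives from the peered address space. The priority
# number must be lower than the default AllowVnetInBound rule (65000), otherwise
# the default rule lets the peered traffic through first.
$denyPeer = New-AzNetworkSecurityRuleConfig -Name 'deny-peer-all' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix $peerRange -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-app-subnet' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowHttps, $denyPeer

# Attach the NSG to the subnet that should be shielded; the peering itself stays
# fully connected, so other subnets in this VNet are not affected.
$vnet = Get-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app' `
    -AddressPrefix '10.1.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Show the effective rule order for review.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Sort-Object Priority | Select-Object Name, Priority, Access, SourceAddressPrefix
```

The allow rule is evaluated before the deny rule because it has the lower priority number; putting the deny rule first would block the HTTPS traffic as well.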

Service chaining

Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.

To enable service chaining, configure user-defined routes that point to virtual machines in peered virtual networks as the next hop IP address.

You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks can then peer with the hub virtual network. Traffic flows through the network virtual appliances or VPN gateways in the hub virtual network.

Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network. To learn more about user-defined routes, see User-defined routes overview. To learn how to create a hub-and-spoke network topology, see Hub-spoke network topology in Azure.

Gateways and on-premises connectivity

Each virtual network, including a peered virtual network, can have its own gateway. A virtual network can use its gateway to connect to an on-premises network. Please review the Virtual Network Gateway documentation.

You can also configure the gateway in the peered virtual network as a transit point to an on-premises network. In this case, the virtual network that uses a remote gateway can't have its own gateway. A virtual network has only one gateway. The gateway is either a local gateway or a remote gateway in the peered virtual network, as shown in the following figure:

Figure: VPN gateway topology

Note that a Connection object must be created in the VPN gateway before the UseRemoteGateways option is enabled in the peering.

Virtual network peering configuration

Allow virtual network access: Enabling communication between virtual networks allows resources connected to either virtual network to communicate with each other with the same bandwidth and latency as if they were connected to the same virtual network. All communication between resources in the two virtual networks is routed through the internal SDN layer.

One reason not to enable network access might be a scenario where you've peered a virtual network with another virtual network, but occasionally want to disable traffic flow between the two virtual networks. You might find enabling/disabling more convenient than deleting and re-creating peerings. When this setting is disabled, traffic does not flow between the peered virtual networks.
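The enable/disable toggle described above maps to the AllowVirtualNetworkAccess property of an existing peering, which can be flipped without deleting the link. The PowerShell below is an added example for this page, not code from the Azure Stack Hub documentation; it assumes an authenticated Az session on the Azure Stack Hub user endpoint and uses placeholder resource group, virtual network and peering names.

```powershell
# Added example (not from the Azure Stack Hub docs). Assumes an authenticated Az
# session on the Azure Stack Hub user endpoint; names are placeholders.

function Set-PeeringAccess {
    # Turns traffic across one peering link on or off in place, leaving the
    # link (and its gateway/forwarding settings) intact.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $PeeringName,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    $peering = Get-AzVirtualNetworkPeering -VirtualNetworkName $VNetName `
        -ResourceGroupName $ResourceGroup -Name $PeeringName
    $peering.AllowVirtualNetworkAccess = $Enabled
    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $peering | Out-Null
}

# Block traffic between vnet-a and vnet-b temporarily. Both links are updated so
# the setting reads the same from either side of the peering.
Set-PeeringAccess -ResourceGroup 'rg-a' -VNetName 'vnet-a' -PeeringName 'vnet-a-to-vnet-b' -Enabled $false
Set-PeeringAccess -ResourceGroup 'rg-b' -VNetName 'vnet-b' -PeeringName 'vnet-b-to-vnet-a' -Enabled $false

# ... maintenance window ...

# Restore traffic; the peering state never left Connected, so no re-creation is needed.
Set-PeeringAccess -ResourceGroup 'rg-a' -VNetName 'vnet-a' -PeeringName 'vnet-a-to-vnet-b' -Enabled $true
Set-PeeringAccess -ResourceGroup 'rg-b' -VNetName 'vnet-b' -PeeringName 'vnet-b-to-vnet-a' -Enabled $true

# Verify both sides.
'rg-a:vnet-a:vnet-a-to-vnet-b', 'rg-b:vnet-b:vnet-b-to-vnet-a' | ForEach-Object {
    $rg, $vnet, $name = $_ -split ':'
    $p = Get-AzVirtualNetworkPeering -VirtualNetworkName $vnet -ResourceGroupName $rg -Name $name
    "{0}: access={1} state={2}" -f $p.Name, $p.AllowVirtualNetworkAccess, $p.PeeringState
}
```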

Allow forwarded traffic: Check this box to allow traffic forwarded by a network virtual appliance in a virtual network (that didn't originate from the virtual network) to flow to this virtual network through a peering. For example, consider three virtual networks named Spoke1, Spoke2, and Hub. A peering exists between each spoke virtual network and the Hub virtual network, but peerings don't exist between the spoke virtual networks. A network virtual appliance is deployed in the Hub virtual network, and user-defined routes are applied to each spoke virtual network that route traffic between the subnets through the network virtual appliance. If this checkbox is not checked for the peering between each spoke virtual network and the hub virtual network, traffic doesn't flow between the spoke virtual networks, because the hub is not forwarding the traffic between the virtual networks. While enabling this capability allows the forwarded traffic through the peering, it does not create any user-defined routes or network virtual appliances. User-defined routes and network virtual appliances are created separately. Learn about user-defined routes. You do not need to check this setting if traffic is forwarded between virtual networks through a VPN Gateway.
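The Spoke1/Spoke2/Hub scenario above combines the two pieces described in the Service chaining section and in this setting: peerings with forwarded traffic allowed, and user-defined routes whose next hop is the appliance's IP address in the peered hub. The PowerShell below builds both as an added example for this page, not code from the Azure Stack Hub documentation. It assumes an authenticated Az session on the Azure Stack Hub user endpoint, that the three virtual networks and the appliance VM (with a NIC named nic-nva, a placeholder) already exist, and that the address ranges, subnet names, location and appliance IP are placeholders.

```powershell
# Added example (not from the Azure Stack Hub docs). Assumes an authenticated Az
# session on the Azure Stack Hub user endpoint, and that Hub (10.0.0.0/16),
# Spoke1 (10.1.0.0/16) and Spoke2 (10.2.0.0/16) already exist in $rg together
# with an appliance VM in Hub at $nvaIp. All names and ranges are placeholders.

$rg       = 'rg-net'
$location = 'local'
$nvaIp    = '10.0.1.4'

$hub    = Get-AzVirtualNetwork -Name 'Hub'    -ResourceGroupName $rg
$spoke1 = Get-AzVirtualNetwork -Name 'Spoke1' -ResourceGroupName $rg
$spoke2 = Get-AzVirtualNetwork -Name 'Spoke2' -ResourceGroupName $rg

# 1. The appliance NIC must forward packets it did not originate.
$nic = Get-AzNetworkInterface -Name 'nic-nva' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# 2. Peer each spoke with the hub only (no spoke-to-spoke peering). The flag on
#    the spoke link is the one the text describes: it admits traffic the hub
#    appliance forwards from the other spoke. It is set on the hub link as well
#    so the hub accepts forwarded traffic in the same way.
foreach ($spoke in @($spoke1, $spoke2)) {
    Add-AzVirtualNetworkPeering -Name "Hub-to-$($spoke.Name)" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic | Out-Null
    Add-AzVirtualNetworkPeering -Name "$($spoke.Name)-to-Hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic | Out-Null
}

# 3. User-defined route per spoke: the other spoke's range goes to the
#    appliance in the peered hub (next hop = a VM IP in the peered VNet).
function Set-SpokeRoute {
    param(
        [Parameter(Mandatory)] $SpokeVNet,                  # PSVirtualNetwork
        [Parameter(Mandatory)] [string] $OtherSpokePrefix,
        [Parameter(Mandatory)] [string] $SubnetName,
        [Parameter(Mandatory)] [string] $SubnetPrefix
    )
    $rt = New-AzRouteTable -Name "rt-$($SpokeVNet.Name)" -ResourceGroupName $rg -Location $location
    Add-AzRouteConfig -Name 'to-other-spoke' -AddressPrefix $OtherSpokePrefix `
        -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp -RouteTable $rt |
        Set-AzRouteTable | Out-Null
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $SpokeVNet -Name $SubnetName `
        -AddressPrefix $SubnetPrefix -RouteTable $rt | Out-Null
    $SpokeVNet | Set-AzVirtualNetwork | Out-Null
}

Set-SpokeRoute -SpokeVNet $spoke1 -OtherSpokePrefix '10.2.0.0/16' -SubnetName 'workload' -SubnetPrefix '10.1.1.0/24'
Set-SpokeRoute -SpokeVNet $spoke2 -OtherSpokePrefix '10.1.0.0/16' -SubnetName 'workload' -SubnetPrefix '10.2.1.0/24'

# 4. Review: every link should be Connected with forwarded traffic allowed.
foreach ($v in 'Hub', 'Spoke1', 'Spoke2') {
    Get-AzVirtualNetworkPeering -VirtualNetworkName $v -ResourceGroupName $rg |
        Select-Object Name, PeeringState, AllowForwardedTraffic
}
```

Without step 3 the peerings alone never carry Spoke1-to-Spoke2 traffic, since peering is not transitive; without step 2 the routed traffic is dropped at the spoke's peering because it did not originate in the hub.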

Allow gateway transit: Check this box if you have a virtual network gateway attached to this virtual network and want to allow traffic from the peered virtual network to flow through the gateway. For example, this virtual network may be attached to an on-premises network through a virtual network gateway. Checking this box allows traffic from the peered virtual network to flow through the gateway attached to this virtual network to the on-premises network. If you check this box, the peered virtual network cannot have a gateway configured. The peered virtual network must have the Use remote gateways box checked when setting up the peering from the other virtual network to this virtual network. If you leave this box unchecked (the default), traffic from the peered virtual network still flows to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network.

Use remote gateways: Check this box to allow traffic from this virtual network to flow through a virtual network gateway attached to the virtual network you're peering with. For example, the virtual network you're peering with has a VPN gateway attached that enables communication with an on-premises network. Checking this box allows traffic from this virtual network to flow through the VPN gateway attached to the peered virtual network. If you check this box, the peered virtual network must have a virtual network gateway attached to it and must have the Allow gateway transit box checked. If you leave this box unchecked (the default), traffic from the peered virtual network can still flow to this virtual network, but cannot flow through a virtual network gateway attached to this virtual network.

You can't use remote gateways if you already have a gateway configured in your virtual network.
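The gateway-transit pairing described in the Gateways section and in the two settings above has three preconditions that fail late if skipped: the hub gateway needs a Connection object, the spoke must not have a gateway of its own, and the hub-side link must carry Allow gateway transit before the spoke-side link asks to use it. The PowerShell below checks them and then creates both links, as an added example for this page rather than code from the Azure Stack Hub documentation. It assumes an authenticated Az session on the Azure Stack Hub user endpoint; the resource group, virtual network and gateway names are placeholders.

```powershell
# Added example (not from the Azure Stack Hub docs). Assumes an authenticated Az
# session on the Azure Stack Hub user endpoint. Hub has VPN gateway gw-hub with a
# site-to-site connection to on-premises; Spoke1 has no gateway and will use the
# hub's. Names are placeholders.

$rg    = 'rg-net'
$hub   = Get-AzVirtualNetwork -Name 'Hub'    -ResourceGroupName $rg
$spoke = Get-AzVirtualNetwork -Name 'Spoke1' -ResourceGroupName $rg

# Check 1: a Connection object must exist on the hub gateway before the spoke
# link is created with UseRemoteGateways.
$hubGw = Get-AzVirtualNetworkGateway -Name 'gw-hub' -ResourceGroupName $rg
$conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
         Where-Object { $_.VirtualNetworkGateway1.Id -eq $hubGw.Id }
if (-not $conns) {
    throw "Gateway $($hubGw.Name) has no Connection object; create one before enabling UseRemoteGateways."
}

# Check 2: a VNet has only one gateway, local or remote. A spoke that already
# owns a gateway (its ipconfig sits in a subnet of the spoke) cannot use the
# hub's gateway.
$spokeGw = Get-AzVirtualNetworkGateway -ResourceGroupName $rg |
           Where-Object { $_.IpConfigurations.Subnet.Id -like "$($spoke.Id)/*" }
if ($spokeGw) {
    throw "$($spoke.Name) already has gateway $($spokeGw.Name); remove it or do not use remote gateways."
}

# Check 3 (ordering): the hub-side link offering transit must exist before the
# spoke-side link that consumes it, otherwise the second call is rejected.
Add-AzVirtualNetworkPeering -Name 'Hub-to-Spoke1' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit | Out-Null

Add-AzVirtualNetworkPeering -Name 'Spoke1-to-Hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways | Out-Null

# Review the resulting pair.
Get-AzVirtualNetworkPeering -VirtualNetworkName 'Hub'    -ResourceGroupName $rg -Name 'Hub-to-Spoke1' |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
Get-AzVirtualNetworkPeering -VirtualNetworkName 'Spoke1' -ResourceGroupName $rg -Name 'Spoke1-to-Hub' |
    Select-Object Name, PeeringState, AllowGatewayTransit, UseRemoteGateways
```

Traffic from Spoke1 to the on-premises range now leaves through gw-hub; the spoke needs no gateway subnet of its own.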

Permissions

Please ensure that when creating peerings with VNETs in different subscriptions and Azure AD tenants, the accounts have the Contributor role assigned. Additionally, there is no user interface capability for peering between different Azure AD tenants. You can use Azure CLI and PowerShell to create the peerings.

Virtual network peering frequently asked questions (FAQ)

What is virtual network peering?

Virtual network peering enables you to connect virtual networks. A VNet peering connection between virtual networks enables you to route traffic between them privately through IPv4 addresses. Virtual machines in the peered VNets can communicate with each other as if they were within the same network. VNet peering connections can also be created across multiple subscriptions.

Does Azure Stack Hub support global VNET peering?

Azure Stack Hub does not support global peering, because the concept of "regions" does not apply.

On which Azure Stack Hub update will virtual network peering be available?

Virtual network peering is available in Azure Stack Hub starting with the 2008 update.

Can I peer my virtual network in Azure Stack Hub to a virtual network in Azure?

No, peering between Azure and Azure Stack Hub is not supported at this time.

Can I peer my virtual network in Azure Stack Hub1 to a virtual network in Azure Stack Hub2?

No, peering can only be created between virtual networks in one Azure Stack Hub system. For more information about how to connect two virtual networks from different stamps, see Establish a VNET to VNET connection in Azure Stack Hub.

Can I enable peering if my virtual networks belong to subscriptions within different Azure Active Directory tenants?

Yes. It is possible to establish VNet peering if your subscriptions belong to different Azure Active Directory tenants. You can do this via PowerShell or CLI. The portal is not yet supported.

Can I peer my virtual network with a virtual network in a different subscription?

Yes. You can peer virtual networks across subscriptions.

Are there any bandwidth limitations for peering connections?

No. Virtual network peering does not impose any bandwidth restrictions. Bandwidth is only limited by the VM or the compute resource.

My virtual network peering connection is in an Initiated state, why can't I connect?

If your peering connection is in an Initiated state, it means you have created only one link. A bidirectional link must be created in order to establish a successful connection. For example, to peer VNet A to VNet B, a link must be created from VNet A to VNet B, and from VNet B to VNet A. Creating both links changes the state to Connected.
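The Initiated state above, the Disconnected state in the next answer, and the cross-subscription case from the Permissions section all come down to the same thing: a peering is two independent link resources, one on each VNet. The PowerShell below is an added example for this page, not code from the Azure Stack Hub documentation. It creates the link on each side (switching subscription context between them), re-creates a link that has gone Disconnected, and confirms the pair reports Connected. It assumes an authenticated Az session on the Azure Stack Hub user endpoint with Contributor rights in both subscriptions; the subscription IDs, resource groups and VNet names are placeholders.

```powershell
# Added example (not from the Azure Stack Hub docs). Assumes an Az session
# already connected to the Azure Stack Hub user ARM endpoint with Contributor
# on both subscriptions. Subscription IDs, resource groups and names are
# placeholders.

function Ensure-PeeringLink {
    # Creates the local side of a peering if it is missing. A link whose partner
    # was deleted reports Disconnected and does not recover on its own, so it is
    # removed and created again.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,   # RG of the local VNet
        [Parameter(Mandatory)] [string] $VNetName,        # local VNet
        [Parameter(Mandatory)] [string] $RemoteVNetId,    # full resource ID of the remote VNet
        [Parameter(Mandatory)] [string] $LinkName
    )
    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
    $link = Get-AzVirtualNetworkPeering -VirtualNetworkName $VNetName `
                -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteVirtualNetwork.Id -eq $RemoteVNetId }

    if ($link -and $link.PeeringState -eq 'Disconnected') {
        Remove-AzVirtualNetworkPeering -Name $link.Name -VirtualNetworkName $VNetName `
            -ResourceGroupName $ResourceGroup -Force
        $link = $null
    }
    if (-not $link) {
        $link = Add-AzVirtualNetworkPeering -Name $LinkName -VirtualNetwork $vnet `
                    -RemoteVirtualNetworkId $RemoteVNetId
    }
    return $link
}

# Subscription A owns vnet-a, subscription B owns vnet-b (placeholder IDs).
$subA = '00000000-0000-0000-0000-00000000000a'
$subB = '00000000-0000-0000-0000-00000000000b'
$vnetAId = "/subscriptions/$subA/resourceGroups/rg-a/providers/Microsoft.Network/virtualNetworks/vnet-a"
$vnetBId = "/subscriptions/$subB/resourceGroups/rg-b/providers/Microsoft.Network/virtualNetworks/vnet-b"

# First link: created from A's side. With no reverse link yet it is Initiated.
Set-AzContext -SubscriptionId $subA | Out-Null
$a2b = Ensure-PeeringLink -ResourceGroup 'rg-a' -VNetName 'vnet-a' -RemoteVNetId $vnetBId -LinkName 'vnet-a-to-vnet-b'
"{0}: {1}" -f $a2b.Name, $a2b.PeeringState

# Second link: created from B's side, which requires rights in subscription B.
Set-AzContext -SubscriptionId $subB | Out-Null
$b2a = Ensure-PeeringLink -ResourceGroup 'rg-b' -VNetName 'vnet-b' -RemoteVNetId $vnetAId -LinkName 'vnet-b-to-vnet-a'
"{0}: {1}" -f $b2a.Name, $b2a.PeeringState

# Re-read the first link: once both directions exist it reports Connected.
Set-AzContext -SubscriptionId $subA | Out-Null
$state = (Get-AzVirtualNetworkPeering -VirtualNetworkName 'vnet-a' -ResourceGroupName 'rg-a' `
              -Name 'vnet-a-to-vnet-b').PeeringState
if ($state -ne 'Connected') { throw "Peering is '$state'; expected Connected." }
"vnet-a-to-vnet-b: $state"
```

Running the script again is safe: existing Connected links are left alone, and only a Disconnected link is torn down and rebuilt. The remote VNet is referenced by resource ID only, which is what lets the link be created when the other VNet sits in a different subscription.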

My virtual network peering connection is in a Disconnected state, why can't I create a peering connection?

If your virtual network peering connection is in a Disconnected state, it means one of the links created was deleted. In order to re-establish a peering connection, delete the link and recreate it.

Is virtual network peering traffic encrypted?

No. Traffic between resources in peered virtual networks is private and isolated. It remains completely in the SDN layer of the Azure Stack Hub system.

If I peer VNet A to VNet B and I peer VNet B to VNet C, does that mean VNet A and VNet C are peered?

No. Transitive peering is not supported. You must peer VNet A and VNet C.

Next steps