VNet peering and Azure Bastion (Preview)

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means that if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host. For more information about VNet peering, see About virtual network peering.

Azure Bastion works with the following types of peering:

  • Virtual network peering: Connect virtual networks within the same Azure region.
  • Global virtual network peering: Connect virtual networks across Azure regions.

Architecture

When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.

Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet, as well as in peered VNets. This means you can consolidate the Bastion deployment into a single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.

Figure: Design and architecture diagram

This figure shows the architecture of an Azure Bastion deployment in a hub-and-spoke model. In this diagram you can see the following configuration:

  • The Bastion host is deployed in the centralized hub virtual network.
  • A centralized Network Security Group (NSG) is deployed.
  • A public IP is not required on the Azure VM.

Steps:

  1. Connect to the Azure portal using any HTML5 browser.

  2. Select the virtual machine to connect to.

  3. Azure Bastion is seamlessly detected across the peered VNet.

  4. With a single click, the RDP/SSH session opens in the browser. For RDP and SSH concurrent session limits, see RDP and SSH sessions.

    Figure: Connect

    For more information about connecting to a VM via Azure Bastion, see:

FAQ

Can I still deploy multiple Bastion hosts across peered virtual networks?

Yes. By default, a user sees the Bastion host that is deployed in the same virtual network in which the VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.

If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work?

Yes, connectivity via Bastion will continue to work for peered VNets across different subscriptions within a single tenant. Subscriptions across two different tenants are not supported. To see Bastion in the Connect drop-down menu, the user must select the subscriptions they have access to in Subscription > global subscription.

Figure: Global subscription filter

I have access to the peered VNet, but I can't see the VM deployed there.

Make sure the user has read access to both the VM and the peered VNet. Additionally, check under IAM that the user has read access to the following resources:

  • Reader role on the virtual machine.
  • Reader role on the NIC with the private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader role on the virtual network (not needed if there is no peered virtual network).

Permission                                                          | Description                                                      | Permission type
--------------------------------------------------------------------|------------------------------------------------------------------|----------------
Microsoft.Network/bastionHosts/read                                 | Gets a Bastion host                                              | Action
Microsoft.Network/virtualNetworks/BastionHosts/action               | Gets Bastion host references in a virtual network                | Action
Microsoft.Network/virtualNetworks/bastionHosts/default/action       | Gets Bastion host references in a virtual network                | Action
Microsoft.Network/networkInterfaces/read                            | Gets a network interface definition                              | Action
Microsoft.Network/networkInterfaces/ipconfigurations/read           | Gets a network interface IP configuration definition             | Action
Microsoft.Network/virtualNetworks/read                              | Gets the virtual network definition                              | Action
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read      | Gets references to all the virtual machines in a virtual network subnet | Action
Microsoft.Network/virtualNetworks/virtualMachines/read              | Gets references to all the virtual machines in a virtual network | Action
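As an added illustration (not code from the page or from Microsoft), the check below models the read-access requirements above as Azure RBAC action patterns and assignment scopes and reports which (resource, action) pairs a user's role assignments fail to cover, which is the question behind "I can't see the VM deployed there". The resource IDs, the hub-and-spoke layout, the choice of the Bastion host's VNet for the virtual-network rows, and the BASTION_READER custom role are constructed assumptions.

```python
import fnmatch

# Constructed resource IDs for a hub-and-spoke layout (placeholders, not from the page):
# the Bastion host sits in the hub VNet; the VM and its NIC sit in a peered spoke VNet.
HUB_RG = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-hub"
SPOKE_RG = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-spoke"
HUB_VNET = HUB_RG + "/providers/Microsoft.Network/virtualNetworks/vnet-hub"
BASTION = HUB_RG + "/providers/Microsoft.Network/bastionHosts/bas-hub"
VM = SPOKE_RG + "/providers/Microsoft.Compute/virtualMachines/vm-app01"
NIC = SPOKE_RG + "/providers/Microsoft.Network/networkInterfaces/vm-app01-nic"

# The actions from the page's permission table, each paired with the resource it is
# checked on (assumption: the VNet rows refer to the VNet that holds the Bastion host).
# The VM row is "Reader on the VM"; its read action is not in the table.
REQUIRED = [
    (VM, "Microsoft.Compute/virtualMachines/read"),
    (NIC, "Microsoft.Network/networkInterfaces/read"),
    (NIC, "Microsoft.Network/networkInterfaces/ipconfigurations/read"),
    (BASTION, "Microsoft.Network/bastionHosts/read"),
    (HUB_VNET, "Microsoft.Network/virtualNetworks/read"),
    (HUB_VNET, "Microsoft.Network/virtualNetworks/BastionHosts/action"),
    (HUB_VNET, "Microsoft.Network/virtualNetworks/bastionHosts/default/action"),
    (HUB_VNET, "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read"),
    (HUB_VNET, "Microsoft.Network/virtualNetworks/virtualMachines/read"),
]

# Roles as Azure RBAC expresses them: action patterns with '*' wildcards, minus NotActions.
# READER is the built-in Reader; BASTION_READER is a hypothetical custom role granting
# exactly the table's Microsoft.Network actions and nothing else (least privilege).
READER = {"Actions": ["*/read"], "NotActions": []}
BASTION_READER = {"Actions": [a for _, a in REQUIRED if a.startswith("Microsoft.Network/")],
                  "NotActions": []}

def action_allowed(role, action):
    # Azure RBAC matching is case-insensitive; '*' may span '/' segments.
    act = action.lower()
    hit = lambda pats: any(fnmatch.fnmatchcase(act, p.lower()) for p in pats)
    return hit(role["Actions"]) and not hit(role["NotActions"])

def scope_covers(scope, resource_id):
    # An assignment at a scope applies to that scope and every resource beneath it.
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def missing_permissions(assignments):
    # assignments: [(role, scope), ...]. Returns the (resource, action) pairs that no
    # assignment grants; an empty list means the VM and its peered Bastion are visible.
    return [(res, act) for res, act in REQUIRED
            if not any(scope_covers(scope, res) and action_allowed(role, act)
                       for role, scope in assignments)]
```

For example, Reader on the spoke resource group alone leaves every hub-side action uncovered, while adding the custom role on the hub resource group (or on the hub VNet and Bastion resources themselves) clears the list.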

Next steps

Read the Bastion FAQ.