Azure for network engineers

As a conventional network engineer you have dealt with physical assets such as routers, switches, cables, and firewalls to build infrastructure. At a logical layer you have configured virtual LANs (VLAN), Spanning Tree Protocol (STP), and routing protocols (RIP, OSPF, BGP). You have managed your network using management tools and the CLI. Networking in the cloud is different: network endpoints are logical, and the use of routing protocols is minimal. You will work with the Azure Resource Manager API, Azure CLI, and PowerShell to configure and manage assets in Azure. You will start your network journey in the cloud by understanding the basic tenets of Azure networking.

Virtual network

When you design a network from the bottom up, you gather some basic information: the number of hosts, the number of network devices, the number of subnets, routing between subnets, and isolation domains such as VLANs. This information helps in sizing the network and security devices as well as in creating the architecture to support applications and services.

When you plan to deploy your applications and services in Azure, you start by creating a logical boundary in Azure, which is called a virtual network. This virtual network is akin to a physical network boundary. Because it is a virtual network, you don't need physical gear, but you still have to plan for the logical entities such as IP addresses, IP subnets, routing, and policies.

When you create a virtual network in Azure, it is pre-configured with an IP range (10.0.0.0/16). This range isn't fixed; you can define your own IP range. You can define both IPv4 and IPv6 address ranges. IP ranges defined for the virtual network are not advertised to the Internet. You can create multiple subnets from your IP range. These subnets are used to assign IP addresses to virtual network interfaces (vNICs). The first four IP addresses of each subnet are reserved and can't be used for IP allocation. There is no concept of VLANs in a public cloud. However, you can create isolation within a virtual network based on the subnets you define.

You can create one large subnet encompassing the whole virtual network address space, or choose to create multiple subnets. However, if you are using a virtual network gateway, Azure requires you to create a subnet with the name "gateway subnet". Azure uses this subnet to assign IP addresses to virtual network gateways.

IP allocation

When you assign an IP address to a host, you actually assign the IP to a network interface card (NIC). You can assign two types of IP addresses to a NIC in Azure:

  • Public IP addresses - Used to communicate inbound and outbound (without network address translation (NAT)) with the Internet and with other Azure resources not connected to a virtual network. Assigning a public IP address to a NIC is optional. Public IP addresses belong to the Microsoft IP address space.
  • Private IP addresses - Used for communication within a virtual network, with your on-premises network, and with the Internet (with NAT). The IP address space that you define in the virtual network is considered private even if you configure it from public IP address space. Microsoft does not advertise this space to the Internet. You must assign at least one private IP address to a VM.

As with physical hosts or devices, there are two ways to allocate an IP address to a resource: dynamic or static. In Azure, the default allocation method is dynamic, where an IP address is allocated when you create a virtual machine (VM) or start a stopped VM. The IP address is released when you stop or delete the VM. To ensure the IP address of the VM remains the same, you can set the allocation method explicitly to static. In this case, an IP address is assigned immediately. It is released only when you delete the VM or change its allocation method to dynamic.

Private IP addresses are allocated from the subnets you have defined within a virtual network. For a VM, you choose a subnet for the IP allocation. If a VM contains multiple NICs, you can choose a different subnet for each NIC.

Routing

When you create a virtual network, Azure creates a routing table for your network. This routing table contains the following types of routes.

  • System routes
  • Subnet default routes
  • Routes from other virtual networks
  • BGP routes
  • Service endpoint routes
  • User Defined Routes (UDR)

When you create a virtual network for the first time without defining any subnets, Azure creates routing entries in the routing table. These routes are called system routes. System routes are defined at this location. You cannot modify these routes. However, you can override system routes by configuring UDRs.

When you create one or more subnets inside a virtual network, Azure creates default entries in the routing table to enable communication between these subnets within the virtual network. These routes can be modified by using static routes, which are called User Defined Routes (UDR) in Azure.

When you create a virtual network peering between two virtual networks, a route is added for each address range within the address space of each virtual network the peering is created for.

If your on-premises network gateway exchanges Border Gateway Protocol (BGP) routes with an Azure virtual network gateway, a route is added for each route propagated from the on-premises network gateway. These routes appear in the routing table as BGP routes.

When you enable a service endpoint for a service, Azure adds the public IP addresses of that service to the route table. Service endpoints are enabled for individual subnets within a virtual network. When you enable a service endpoint, the route is added only to the route table of the subnet for which the endpoint was enabled. Azure manages the addresses in the route table automatically when the service's addresses change.

User-defined routes are also called custom routes. You create UDRs in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table. In Azure, you create a route table and then associate the route table with virtual network subnets.

When there are competing entries in a routing table, Azure selects the next hop based on the longest prefix match, similar to traditional routers. However, if there are multiple next-hop entries with the same address prefix, Azure selects the route in the following order.

  1. User-defined routes (UDR)
  2. BGP routes
  3. System routes
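The selection rule above, longest prefix match first and then UDR over BGP over system route on a tie, as an added example that is not part of the original article. The route table is constructed for illustration; the source labels ('User', 'VirtualNetworkGateway', 'Default') are assumed to mirror the labels in an effective-route listing.

```python
import ipaddress

# Precedence among routes that share the same prefix (assumption: labels as in the
# effective-route output): 'User' = UDR, 'VirtualNetworkGateway' = BGP, 'Default' = system.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(routes, destination):
    """Return the route Azure would pick for `destination`, or None if nothing matches.

    Longest prefix match wins; among equal prefixes, the lowest SOURCE_RANK wins.
    """
    dst = ipaddress.ip_address(destination)
    best_key, best = None, None
    for route in routes:
        net = ipaddress.ip_network(route["prefix"])
        if dst not in net:
            continue
        # Higher tuple = better: longer prefix, then preferred source.
        key = (net.prefixlen, -SOURCE_RANK[route["source"]])
        if best_key is None or key > best_key:
            best_key, best = key, route
    return best

# Constructed effective route table for one NIC (sample data, not from a real subscription).
ROUTES = [
    {"prefix": "10.0.0.0/16", "source": "Default", "next_hop": "VnetLocal"},
    {"prefix": "0.0.0.0/0", "source": "Default", "next_hop": "Internet"},
    {"prefix": "192.168.0.0/16", "source": "VirtualNetworkGateway", "next_hop": "VirtualNetworkGateway"},
    {"prefix": "172.16.0.0/12", "source": "VirtualNetworkGateway", "next_hop": "VirtualNetworkGateway"},
    # UDRs steering Internet-bound traffic and part of the on-premises space through an NVA at 10.0.2.4
    {"prefix": "0.0.0.0/0", "source": "User", "next_hop": "VirtualAppliance 10.0.2.4"},
    {"prefix": "192.168.10.0/24", "source": "User", "next_hop": "VirtualAppliance 10.0.2.4"},
    {"prefix": "172.16.0.0/12", "source": "User", "next_hop": "VirtualAppliance 10.0.2.4"},
]

def next_hop(destination, routes=ROUTES):
    route = select_route(routes, destination)
    return route["next_hop"] if route else None

if __name__ == "__main__":
    for ip in ("10.0.0.5", "8.8.8.8", "192.168.5.1", "192.168.10.7", "172.20.1.1"):
        print(ip, "->", next_hop(ip))
```

Comparing the output for 8.8.8.8 (UDR beats the system 0.0.0.0/0) with 192.168.5.1 (the BGP /16 still wins because no UDR covers it) shows why a forced-tunnel UDR alone does not capture on-premises traffic.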

Security

You can filter network traffic to and from resources in a virtual network using network security groups. You can also use network virtual appliances (NVA) such as Azure Firewall or firewalls from other vendors. You can control how Azure routes traffic from subnets. You can also limit who in your organization can work with resources in virtual networks.

A network security group (NSG) contains a list of Access Control List (ACL) rules that allow or deny network traffic to subnets, NICs, or both. NSGs can be associated with either subnets or individual NICs connected to a subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VMs in that subnet. In addition, traffic to an individual NIC can be restricted by associating an NSG directly with the NIC.

NSGs contain two sets of rules: inbound and outbound. The priority of a rule must be unique within each set. Each rule has the properties protocol, source and destination port ranges, address prefixes, direction of traffic, priority, and access type. All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest priority, they can be overridden by the rules that you create.
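How inbound NSG evaluation plays out when a subnet NSG and a NIC NSG both apply, as an added example that is not part of the original article. The rule sets and the 10.0.0.0/16 address space are constructed; the evaluation order (subnet NSG first, then NIC NSG, both must allow) is stated here as an assumption about Azure's inbound processing, and only source address and destination port are modelled.

```python
import ipaddress

# Constructed: the virtual network's address space, used to resolve the "VirtualNetwork" tag.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
TAGS = {"VirtualNetwork": [VNET_SPACE]}

# Azure's built-in inbound rules sit at the lowest precedence (highest priority numbers).
DEFAULT_INBOUND = [
    ("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    ("DenyAllInBound", 65500, "*", "*", "Deny"),
]

def addr_matches(spec, ip):
    if spec == "*":
        return True
    return any(ip in n for n in TAGS.get(spec) or [ipaddress.ip_network(spec)])

def port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "22" or a range such as "8000-8080"
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(rules, src_ip, dst_port):
    """First matching rule by ascending priority number (lower number = higher precedence)."""
    prios = [r[1] for r in rules]
    if len(prios) != len(set(prios)):
        raise ValueError("rule priorities must be unique within a direction")
    ip = ipaddress.ip_address(src_ip)
    for name, _, src, port, access in sorted(rules + DEFAULT_INBOUND, key=lambda r: r[1]):
        if addr_matches(src, ip) and port_matches(port, dst_port):
            return name, access          # DenyAllInBound guarantees a match

def effective_inbound(subnet_nsg, nic_nsg, src_ip, dst_port):
    """Assumed order: subnet NSG, then NIC NSG; the first Deny ends evaluation."""
    for rules in (subnet_nsg, nic_nsg):
        name, access = evaluate_nsg(rules, src_ip, dst_port)
        if access == "Deny":
            return "Deny", name
    return "Allow", None

# Constructed rule sets: (name, priority, source, destination port, access)
SUBNET_NSG = [
    ("AllowHttpsAny", 100, "*", "443", "Allow"),
    ("AllowSshFromVnet", 150, "VirtualNetwork", "22", "Allow"),
    ("DenySshAll", 200, "*", "22", "Deny"),
]
NIC_NSG = [
    ("AllowSshFromJumpHost", 100, "10.0.2.4/32", "22", "Allow"),
    ("AllowHttpsAny", 110, "*", "443", "Allow"),
    ("DenySshFromVnet", 120, "VirtualNetwork", "22", "Deny"),   # overrides AllowVnetInBound
]
```

Note that SSH from 10.0.3.7 is allowed by the subnet NSG but denied at the NIC by the custom rule at priority 120, which is exactly how a user rule overrides the default AllowVnetInBound rule at 65000.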

Verification

Routes in virtual network

The combination of the routes you create, Azure's default routes, and any routes propagated from your on-premises network through an Azure VPN gateway via the Border Gateway Protocol (BGP) (if your virtual network is connected to your on-premises network) are the effective routes for all network interfaces in a subnet. You can see these effective routes by navigating to the NIC via the Portal, PowerShell, or the CLI.

Network Security Groups

The effective security rules applied to a network interface are an aggregation of the rules in the NSG associated with the network interface and the rules in the NSG associated with the subnet the network interface is in. You can view all the effective security rules from NSGs that are applied to your VM's network interfaces by navigating to the NIC via the Portal, PowerShell, or the CLI.

Next steps

Learn about virtual networks.

Learn about virtual network routing.

Learn about network security groups.