Azure networking

The networking services in Azure provide a variety of networking capabilities that can be used together or separately. The key capabilities, each described in its own section below, are:

  • Connectivity services: Connect Azure resources and on-premises resources using any or a combination of these networking services in Azure: Virtual Network (VNet), Virtual WAN, ExpressRoute, VPN Gateway, Azure DNS.
  • Application protection services: Protect your applications using any or a combination of these networking services in Azure: Azure Firewall, network security groups, or virtual network service endpoints.
  • Application delivery services: Deliver applications in the Azure network using any or a combination of these networking services in Azure: Content Delivery Network (CDN), Traffic Manager, Application Gateway, or Load Balancer.
  • Network monitoring: Monitor your network resources using any or a combination of these networking services in Azure: Network Watcher, ExpressRoute Monitor, Azure Monitor.

Connectivity services

This section describes the services that provide connectivity between Azure resources, connectivity from an on-premises network to Azure resources, and branch-to-branch connectivity in Azure: Virtual Network, ExpressRoute, VPN Gateway, Virtual WAN, and Azure DNS.

Service | Why use? | Scenarios
--- | --- | ---
Virtual Network | Enables Azure resources to communicate securely with each other, with the internet, and with on-premises networks. | Filter network traffic; Route network traffic; Restrict network access to resources; Connect virtual networks
ExpressRoute | Extends your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. | Create and modify an ExpressRoute circuit; Create and modify peering for an ExpressRoute circuit; Link a VNet to an ExpressRoute circuit; Configure and manage route filters for ExpressRoute circuits
VPN Gateway | Sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet. | Site-to-site connections; VNet-to-VNet connections; Point-to-site connections
Virtual WAN | Optimizes and automates branch connectivity to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to. | Site-to-site connections
Azure DNS | Hosts DNS domains and provides name resolution using Microsoft Azure infrastructure. | Host your domain in Azure DNS; Create DNS records for a web app

Virtual Network

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. You can use a VNet to:

  • Communicate between Azure resources: You can deploy VMs and several other types of Azure resources into a virtual network, such as Azure App Service Environments, Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets. For a complete list of Azure resources that you can deploy into a virtual network, see Virtual network service integration.
  • Communicate between virtual networks: You can connect virtual networks to each other with virtual network peering, so that resources in either virtual network can communicate with each other. The virtual networks you connect can be in the same or different Azure regions. For more information, see Virtual network peering.
  • Communicate with the internet: By default, all resources in a VNet can communicate outbound to the internet, so egress control is something you add explicitly (for example with NSG outbound rules or by routing outbound traffic through a firewall). You can allow inbound communication to a resource by assigning it a public IP address or placing it behind a public Load Balancer. You can also use public IP addresses or a public Load Balancer to manage your outbound connections.
  • Communicate with on-premises networks: You can connect your on-premises computers and networks to a virtual network using VPN Gateway or ExpressRoute.

For more information, see What is Azure Virtual Network?

ExpressRoute

ExpressRoute enables you to extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. The connection is private: traffic does not traverse the public internet. Private is not the same as encrypted, though; ExpressRoute does not encrypt traffic by itself, so data that needs confidentiality in transit still needs TLS at the application layer or an IPsec tunnel run over the circuit. With ExpressRoute, you can establish connections to Microsoft cloud services such as Microsoft Azure, Office 365, and Dynamics 365. For more information, see What is ExpressRoute?

[Diagram: Azure ExpressRoute]

VPN Gateway

VPN Gateway helps you create encrypted cross-premises connections to your virtual network from on-premises locations, or encrypted connections between VNets. Several configurations are available for VPN Gateway connections, such as site-to-site, point-to-site, and VNet-to-VNet. The following diagram illustrates multiple site-to-site VPN connections to the same virtual network.

[Diagram: Site-to-site Azure VPN Gateway connections]

For more information about the different types of VPN connections, see VPN Gateway.

Virtual WAN

Azure Virtual WAN is a networking service that provides optimized and automated branch connectivity to, and through, Azure. Azure regions serve as hubs that you can choose to connect your branches to. You can also use the Azure backbone to connect branches to each other and to get branch-to-VNet connectivity. Azure Virtual WAN brings together many Azure cloud connectivity services, such as site-to-site VPN, ExpressRoute, and point-to-site user VPN, into a single operational interface. Connectivity to Azure VNets is established using virtual network connections. For more information, see What is Azure Virtual WAN?

[Diagram: Virtual WAN]

Azure DNS

Azure DNS is a hosting service for DNS domains that provides name resolution using Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records with the same credentials, APIs, tools, and billing as your other Azure services. For more information, see What is Azure DNS?

Application protection services

This section describes the networking services in Azure that help protect your network resources: Azure Firewall, network security groups, and service endpoints.

Service | Why use? | Scenario
--- | --- | ---
Azure Firewall | Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. | Deploy an Azure Firewall in a VNet; Deploy an Azure Firewall in a hybrid network; Filter inbound traffic with Azure Firewall DNAT
Network security groups | Full, granular, distributed control of all network traffic flows at the VM or subnet level | Filter network traffic using network security groups
Virtual network service endpoints | Lets you limit network access to some Azure service resources to a virtual network subnet | Restrict network access to PaaS resources

Network security groups

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group (NSG). An NSG is a list of rules, each with a priority, a direction, a protocol, source and destination prefixes (CIDR ranges or service tags), port ranges, and an Allow or Deny action. Rules are evaluated in priority order (lowest number first) and the first match decides the flow. Every NSG also carries default rules, which cannot be removed, that allow traffic within the virtual network in both directions, allow inbound traffic from the Azure load balancer, allow outbound traffic to the internet, and deny everything else. For more information, see Security overview.
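An NSG evaluates its rules in priority order, lowest number first, and the first match decides; the default rules sit at priority 65000 and above. The evaluation order is where misconfigurations hide, so here is an added example (not code from this page or from Azure) that reproduces those first-match semantics in Python, including the default rules, and checks constructed flows against a permissive rule set and a hardened one. It is the same check that Network Watcher's IP flow verify performs against a real NIC. The VNet address space 10.0.0.0/16, the rule names, and the corporate range 198.51.100.0/24 are assumptions for the example; the Internet service tag is approximated as everything outside the VNet, and 168.63.129.16 is Azure's documented platform address that sources load balancer health probes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed for this example: the VNet address space behind the VirtualNetwork tag,
# and the Azure platform address that sources load balancer health probes.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")

@dataclass
class Rule:
    name: str
    priority: int          # custom rules use 100-4096; the lowest number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, "*" or a service tag (VirtualNetwork, Internet, AzureLoadBalancer)
    source_port: str       # "*", "22", "1024-65535" or a comma-separated list
    destination: str
    destination_port: str

@dataclass
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def _addr_matches(prefix: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET_SPACE
    if prefix == "Internet":          # simplification: everything outside the VNet
        return addr not in VNET_SPACE
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(prefix, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False

def default_rules(direction: str) -> List[Rule]:
    """Rules Azure puts in every NSG; they cannot be removed, only pre-empted by a lower number."""
    if direction == "Inbound":
        return [
            Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
            Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
        ]
    return [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
    ]

def evaluate(rules: List[Rule], flow: Flow) -> Rule:
    """First match in ascending priority order wins, which is how the NSG itself evaluates."""
    candidates = [r for r in rules if r.direction == flow.direction] + default_rules(flow.direction)
    for rule in sorted(candidates, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow.protocol)
                and _addr_matches(rule.source, flow.src_ip)
                and _port_matches(rule.source_port, flow.src_port)
                and _addr_matches(rule.destination, flow.dst_ip)
                and _port_matches(rule.destination_port, flow.dst_port)):
            return rule
    raise RuntimeError("unreachable: the DenyAll default rule matches every flow")

def decision(rules: List[Rule], flow: Flow) -> str:
    rule = evaluate(rules, flow)
    return f"{rule.access} by {rule.name} (priority {rule.priority})"

# Constructed rule sets: the common finding of RDP open to the world, and a hardened set that
# limits RDP to an assumed corporate range and blocks one known-bad host ahead of that allow.
PERMISSIVE = [
    Rule("AllowRdpFromAnywhere", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "3389"),
    Rule("AllowWeb", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80,443"),
]
HARDENED = [
    Rule("DenyRdpFromBlockedHost", 90, "Inbound", "Deny", "Tcp", "198.51.100.7/32", "*", "*", "3389"),
    Rule("AllowRdpFromCorp", 100, "Inbound", "Allow", "Tcp", "198.51.100.0/24", "*", "*", "3389"),
    Rule("AllowWeb", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80,443"),
]
```

Calling `decision(HARDENED, Flow("Inbound", "Tcp", "203.0.113.5", 51000, "10.0.1.4", 3389))` returns "Deny by DenyAllInBound (priority 65500)", while the same flow against PERMISSIVE is allowed by the priority-100 rule. Two things worth noticing: a Deny with a lower priority number pre-empts an Allow with a higher one (198.51.100.7 is refused even though it sits inside the corporate range), and under the hardened set RDP from any peer VM in the VNet is still admitted by the default AllowVnetInBound rule, so segmentation between subnets needs an explicit Deny placed ahead of the defaults.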

Service endpoints

Virtual Network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to Azure services over a direct connection. Endpoints allow you to restrict access to critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Azure backbone network. Enabling the endpoint on a subnet only changes how that traffic is routed and identified; the restriction itself is configured on the service resource (for example a storage account's network rules), which must be set to deny by default and allow the specific subnet. For more information, see Virtual network service endpoints.

[Diagram: Virtual network service endpoints]

Application delivery services

This section describes the networking services in Azure that help deliver applications: Traffic Manager, Application Gateway, and Load Balancer.

Service | Why use? | Scenario
--- | --- | ---
Traffic Manager | Distributes traffic at the DNS level to services across global Azure regions, while providing high availability and responsiveness. | Route traffic for low latency; Route traffic to a priority endpoint; Control traffic with weighted endpoints; Route traffic based on geographic location of the endpoint; Route traffic based on the user's subnet
Load Balancer | Provides regional load balancing by routing traffic across availability zones and into your VNets. Provides internal load balancing by routing traffic across and between your resources to build your regional application. | Load balance internet traffic to VMs; Load balance traffic across VMs inside a virtual network; Port forward traffic to a specific port on specific VMs; Configure load balancing and outbound rules
Application Gateway | Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. | Direct web traffic with Azure Application Gateway; Configure an application gateway with SSL termination; Create an application gateway with URL path-based redirection

Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across Azure regions, while providing high availability and responsiveness. Because it works at the DNS level, Traffic Manager only decides which endpoint address a client receives in its DNS answer; it is not in the data path, and client traffic flows directly to the chosen endpoint. Traffic Manager provides a range of traffic-routing methods, such as priority, weighted, performance, geographic, multi-value, and subnet. For more information about traffic-routing methods, see Traffic Manager routing methods.

The following diagram shows endpoint priority-based routing with Traffic Manager:

[Diagram: Azure Traffic Manager "priority" traffic-routing method]

For more information about Traffic Manager, see What is Azure Traffic Manager?
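An added example (not from this page or from Azure) that models priority routing together with the DNS caching that sits between a client and Traffic Manager, in Python. It shows the consequence of a DNS-level design: once the primary endpoint goes offline, a client that already holds a cached answer keeps connecting to the dead endpoint until the record's TTL expires, so failover time is bounded by the TTL plus the health-probe interval rather than being instantaneous. The endpoint names, targets, TTL, and health snapshot are constructed for the example, and the case where every endpoint is offline simply returns None rather than modelling the real service's behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Endpoint:
    name: str
    target: str    # the address handed back in the DNS answer
    priority: int  # priority routing prefers the lowest number

@dataclass
class Profile:
    ttl: int                  # TTL Traffic Manager sets on its DNS answers
    endpoints: List[Endpoint]

# Constructed profile: East US is primary, West Europe is the failover target.
PROFILE = Profile(
    ttl=60,
    endpoints=[
        Endpoint("eastus", "app-eastus.example.invalid", 1),
        Endpoint("westeurope", "app-westeurope.example.invalid", 2),
    ],
)

def answer_priority(profile: Profile, health: Dict[str, bool]) -> Optional[str]:
    """Priority routing: answer with the lowest-numbered endpoint the probes report online.
    Returns None when nothing is online (assumption for the example; the real service's
    all-degraded behaviour is not modelled here)."""
    online = [e for e in profile.endpoints if health.get(e.name, False)]
    if not online:
        return None
    return min(online, key=lambda e: e.priority).target

class CachingResolver:
    """Stand-in for the recursive resolver or client cache between the user and Traffic Manager."""

    def __init__(self, profile: Profile) -> None:
        self.profile = profile
        self.cached: Optional[Tuple[str, int]] = None  # (target, expiry time)

    def lookup(self, now: int, health: Dict[str, bool]) -> Optional[str]:
        if self.cached is not None and now < self.cached[1]:
            return self.cached[0]  # served from cache; Traffic Manager is not consulted
        target = answer_priority(self.profile, health)
        if target is not None:
            self.cached = (target, now + self.profile.ttl)
        return target

def failover_timeline(profile: Profile, resolver: CachingResolver, outage_at: int,
                      sample_times: List[int]) -> List[Tuple[int, Optional[str]]]:
    """Constructed scenario: the primary goes offline at `outage_at` (probe detection latency
    is folded into that instant); return what the client resolves at each sample time."""
    seen = []
    for t in sample_times:
        health = {"eastus": t < outage_at, "westeurope": True}
        seen.append((t, resolver.lookup(t, health)))
    return seen

if __name__ == "__main__":
    for t, target in failover_timeline(PROFILE, CachingResolver(PROFILE), 10, [0, 30, 70]):
        print(f"t={t:>3}s -> {target}")
```

With the outage at t=10 and a 60-second TTL, the client still resolves the East US target at t=30 and only moves to West Europe at t=70, whereas a resolver with an empty cache at t=30 gets the West Europe answer immediately. Lowering the profile TTL shortens that window at the cost of more DNS queries; the probe interval before an endpoint is marked degraded adds to the real-world delay and is not modelled here.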

Load Balancer

Azure Load Balancer provides high-performance, low-latency Layer 4 load balancing for TCP and UDP. It manages inbound and outbound connections. You can configure public and internal load-balanced endpoints, and define rules that map inbound connections to back-end pool destinations, with TCP and HTTP health-probing options to manage service availability. To learn more about Load Balancer, read the Load Balancer overview article.

The following diagram shows an internet-facing multi-tier application that uses both external and internal load balancers:

[Diagram: Azure Load Balancer example]

Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It is an Application Delivery Controller (ADC) as a service, offering various Layer 7 load-balancing capabilities for your applications. For more information, see What is Azure Application Gateway?

The following diagram shows URL path-based routing with Application Gateway.

[Diagram: Application Gateway example]

Network monitoring services

This section describes the networking services in Azure that help monitor your network resources: Network Watcher, ExpressRoute Monitor, Azure Monitor, and Virtual Network TAP.

Service | Why use? | Scenario
--- | --- | ---
Network Watcher | Helps monitor and troubleshoot connectivity issues, diagnose VPN, NSG, and routing issues, capture packets on your VMs, and automate the triggering of diagnostic tools using Azure Functions and Logic Apps | Diagnose a VM traffic filter problem; Diagnose a VM routing problem; Monitor communication between VMs; Diagnose communication problems between networks; Log network traffic to and from a VM
ExpressRoute Monitor | Provides real-time monitoring of network performance, availability, and utilization, helps with auto-discovery of network topology, provides faster fault isolation, detects transient network issues, helps analyze historical network performance characteristics, and supports multiple subscriptions | ExpressRoute monitoring, metrics, and alerts

Network Watcher

Azure Network Watcher provides tools to monitor and diagnose resources in an Azure virtual network, view their metrics, and enable or disable logs for them. For more information, see What is Network Watcher?

ExpressRoute Monitor

To learn how to view ExpressRoute circuit metrics, diagnostic logs, and alerts, see ExpressRoute monitoring, metrics, and alerts.

Next steps