What is subnet delegation?

Subnet delegation enables you to designate a specific subnet for an Azure PaaS service of your choice that needs to be injected into your virtual network. Subnet delegation gives the customer full control over how Azure services are integrated into their virtual networks.

When you delegate a subnet to an Azure service, you allow that service to establish some basic network configuration rules for that subnet, which help the Azure service operate its instances in a stable manner. As a result, the Azure service may establish some pre- or post-deployment conditions, such as:

  • deploying the service in a shared versus a dedicated subnet.
  • adding to the service, after deployment, a set of Network Intent Policies that the service requires in order to work properly.

Advantages of subnet delegation

Delegating a subnet to specific services provides the following advantages:

  • It helps to designate a subnet for one or more Azure services and to manage the instances in the subnet according to your requirements. For example, the virtual network owner can define the following for a delegated subnet to better manage resources and access:
    • network traffic filtering policies with network security groups.
    • routing policies with user-defined routes.
    • service integration with service endpoint configurations.
  • It helps injected services integrate better with the virtual network by letting them define their deployment pre-conditions in the form of Network Intent Policies. This ensures that any action that could affect the functioning of the injected service can be blocked at PUT time.

Who can delegate?

Subnet delegation is an exercise that the virtual network owner performs to designate one of the subnets for a specific Azure service. The Azure service in turn deploys its instances into this subnet for consumption by the customer's workloads.

Impact of subnet delegation on your subnet

Each Azure service defines its own deployment model, in which it declares which properties it does or does not support in a delegated subnet for injection purposes, for example:

  • whether it supports a subnet shared with other Azure services or VMs / virtual machine scale sets, or only a dedicated subnet containing nothing but instances of this service.
  • whether it supports an NSG being associated with the delegated subnet.
  • whether it supports an NSG that is associated with the delegated subnet also being associated with any other subnet.
  • whether it allows a route table to be associated with the delegated subnet.
  • whether it allows the route table associated with the delegated subnet to be associated with any other subnet.
  • the minimum number of IP addresses it dictates for the delegated subnet.
  • that the IP address space of the delegated subnet must come from the private IP address space (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12).
  • that the custom DNS configuration must include an Azure DNS entry.
  • that the delegation must be removed before the subnet or virtual network can be deleted.
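The deployment model above and the PUT-time blocking described under "Advantages of subnet delegation" can be expressed as a pre-flight check that a virtual network owner runs before delegating. The following is an added example, not Microsoft's or Azure's own code or API: the service name `Microsoft.Example/service`, the `ServiceDeploymentModel` declaration and the sample subnets are hypothetical and constructed; the three private address spaces are the ones listed on this page, and the five reserved addresses per subnet is Azure's documented per-subnet reservation.

```python
"""Pre-flight checks for delegating a subnet to a service.

Added example modelled on the constraints listed on this page; the service
deployment model and all subnet data below are hypothetical/constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

# Private address spaces the page says a delegated subnet must draw from.
PRIVATE_SPACES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")
]

# Azure reserves the first four and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5


@dataclass
class ServiceDeploymentModel:
    """What a (hypothetical) injected service declares it supports or requires."""
    service_name: str            # delegation name, e.g. "Microsoft.Example/service" (placeholder)
    min_ip_addresses: int        # minimum usable IPs the service dictates
    dedicated_subnet_only: bool  # True: no VM / other service may share the subnet
    private_space_only: bool = True


@dataclass
class Subnet:
    """The virtual network owner's proposed subnet (constructed sample data)."""
    name: str
    prefix: str
    delegation: Optional[str] = None
    other_resources: List[str] = field(default_factory=list)


def usable_addresses(prefix: str) -> int:
    """Addresses left for instances after Azure's per-subnet reservations."""
    net = ipaddress.ip_network(prefix, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def in_private_space(prefix: str) -> bool:
    """True if the prefix lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(space) for space in PRIVATE_SPACES)


def delegation_violations(subnet: Subnet, model: ServiceDeploymentModel) -> List[str]:
    """Conditions the service's deployment model would reject at PUT time.

    Returns an empty list when the proposed subnet satisfies the model.
    """
    problems: List[str] = []
    if model.private_space_only and not in_private_space(subnet.prefix):
        problems.append(f"{subnet.prefix} is not in the private IP address space")
    usable = usable_addresses(subnet.prefix)
    if usable < model.min_ip_addresses:
        problems.append(
            f"{subnet.prefix} offers {usable} usable addresses; "
            f"{model.service_name} requires at least {model.min_ip_addresses}"
        )
    if model.dedicated_subnet_only and subnet.other_resources:
        problems.append(
            f"{model.service_name} requires a dedicated subnet, but {subnet.name} "
            f"already hosts {', '.join(subnet.other_resources)}"
        )
    if subnet.delegation and subnet.delegation != model.service_name:
        problems.append(f"{subnet.name} is already delegated to {subnet.delegation}")
    return problems


def can_delete_subnet(subnet: Subnet) -> bool:
    """The delegation must be removed before the subnet (or its VNet) can be deleted."""
    return subnet.delegation is None


if __name__ == "__main__":
    # Constructed sample: a hypothetical service needing 16 IPs in a dedicated subnet.
    model = ServiceDeploymentModel("Microsoft.Example/service", 16, True)
    for sn in (
        Subnet("snet-ok", "10.0.1.0/24"),
        Subnet("snet-small", "10.0.2.0/28"),
        Subnet("snet-public", "203.0.113.0/24"),
        Subnet("snet-shared", "192.168.1.0/24", other_resources=["vm-web-01"]),
    ):
        issues = delegation_violations(sn, model)
        print(sn.name, "OK" if not issues else issues)
```

Running the script shows only `snet-ok` passing: the /28 leaves 11 usable addresses, the 203.0.113.0/24 prefix is outside the private space, and the shared subnet already hosts a VM. Checking these conditions before the delegation request is submitted avoids the rejection the service would otherwise raise at PUT.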

Injected services can also add their own policies, as follows:

  • Security policies: a collection of security rules required for a given service to work.
  • Route policies: a collection of routes required for a given service to work.

What subnet delegation does not do

Azure services injected into a delegated subnet still have the basic set of properties that are available for non-delegated subnets, such as:

  • Azure services can inject instances into customer subnets, but cannot impact the existing workloads.
  • The policies or routes that these services apply are flexible and can be overridden by the customer.

Next steps