Deploy dedicated Azure services into virtual networks

When you deploy dedicated Azure services in a virtual network, you can communicate with the service resources privately, through private IP addresses.

Services deployed in a virtual network

Deploying services within a virtual network provides the following capabilities:

  • Resources within the virtual network can communicate with each other privately, through private IP addresses. For example, data can be transferred directly between HDInsight and a SQL Server instance running on a virtual machine in the same virtual network.

  • On-premises resources can access resources in a virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.

  • Virtual networks can be peered to enable resources in the peered virtual networks to communicate with each other, using private IP addresses.

  • Service instances in a virtual network are typically fully managed by the Azure service. This includes monitoring the health of the resources and scaling with load.

  • Service instances are deployed into a subnet in a virtual network. Inbound and outbound network access for the subnet must be opened through network security groups, per the guidance provided by the service.

  • Certain services also impose restrictions on the subnet they are deployed in, limiting the application of policies or routes, or preventing VMs and service resources from being combined within the same subnet. Check with each service for its specific restrictions, as they may change over time. Examples of such services are Azure Container Instances and App Service.

  • Optionally, services might require a delegated subnet as an explicit identifier that a subnet can host a particular service. By delegating, services get explicit permissions to create service-specific resources in the delegated subnet.

  • See an example of a REST API response on a virtual network with a delegated subnet. A comprehensive list of services that use the delegated subnet model can be obtained via the Available Delegations API.
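As an added example (not from this page or from Microsoft's documentation), the Bicep template below puts the points above together: a virtual network with an ordinary VM subnet and a second, dedicated subnet delegated to Azure Container Instances, with a network security group that opens only the inbound access the service needs from the VM subnet. Resource names, address ranges, the NSG rule and the API version are assumptions chosen for illustration.

```bicep
// NSG for the delegated subnet (assumed rule): allow inbound HTTPS only from the
// VM subnet, i.e. the "open inbound access through NSGs" step described above.
resource aciNsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-aci-subnet'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-vm-subnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.0.1.0/24'
          sourcePortRange: '*'
          destinationAddressPrefix: '10.0.2.0/24'
          destinationPortRange: '443'
        }
      }
    ]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-services'
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        // Ordinary subnet for customer VMs: no delegation.
        name: 'snet-vms'
        properties: { addressPrefix: '10.0.1.0/24' }
      }
      {
        // Dedicated subnet: the delegation is the explicit identifier that this
        // subnet may host Azure Container Instances (no customer VMs, footnote 1).
        name: 'snet-aci'
        properties: {
          addressPrefix: '10.0.2.0/24'
          networkSecurityGroup: { id: aciNsg.id }
          delegations: [
            { name: 'aci-delegation', properties: { serviceName: 'Microsoft.ContainerInstance/containerGroups' } }
          ]
        }
      }
    ]
  }
}
```

Deploying this with `az deployment group create` creates both subnets; any later attempt to place a resource of another type in `snet-aci` is rejected because of the delegation.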

Services that can be deployed into a virtual network

Category   | Service                                                              | Dedicated¹ Subnet
-----------|----------------------------------------------------------------------|------------------
Compute    | Virtual machines: Linux or Windows                                   | No
           | Virtual machine scale sets                                           | No
           | Cloud Service: Virtual network (classic) only                        | No
           | Azure Batch                                                          | No²
Network    | Application Gateway - WAF                                            | Yes
           | VPN Gateway                                                          | Yes
           | Azure Firewall                                                       | Yes
           | Network Virtual Appliances                                           | No
Data       | RedisCache                                                           | Yes
           | Azure SQL Database Managed Instance                                  | Yes
Analytics  | Azure HDInsight                                                      | No²
Containers | Azure Kubernetes Service (AKS)                                       | No²
           |                                                                      | Yes
           | Azure Container Service Engine with Azure Virtual Network CNI plug-in | No
           | Azure Functions                                                      | Yes
Web        | API Management                                                       | Yes
           | Web Apps                                                             | Yes
           | App Service Environment                                              | Yes

¹ 'Dedicated' implies that only service-specific resources can be deployed in this subnet and that it cannot be combined with customer VMs/VMSSs.
² It is recommended as a best practice to have these services in a dedicated subnet, but this is not a mandatory requirement imposed by the service.