IP address types and allocation methods in Azure

You can assign IP addresses to Azure resources to communicate with other Azure resources, your on-premises network, and the Internet. There are two types of IP addresses you can use in Azure:

  • Public IP addresses: Used for communication with the Internet, including Azure public-facing services.
  • Private IP addresses: Used for communication within an Azure virtual network (VNet), and your on-premises network, when you use a VPN gateway or ExpressRoute circuit to extend your network to Azure.

You can also create a contiguous range of static public IP addresses through a public IP prefix. Learn about a public IP prefix.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using the Resource Manager deployment model, which Azure recommends for most new deployments instead of the classic deployment model.

If you are familiar with the classic deployment model, check the differences in IP addressing between classic and Resource Manager.

Public IP addresses

Public IP addresses allow Internet resources to communicate inbound to Azure resources. Public IP addresses also enable Azure resources to communicate outbound to the Internet and public-facing Azure services with an IP address assigned to the resource. The address is dedicated to the resource until you unassign it. If a public IP address is not assigned to a resource, the resource can still communicate outbound to the Internet, but Azure dynamically assigns an available IP address that is not dedicated to the resource. For more information about outbound connections in Azure, see Understand outbound connections.

In Azure Resource Manager, a public IP address is a resource that has its own properties. Some of the resources you can associate a public IP address resource with are:

  • Virtual machine network interfaces
  • Internet-facing load balancers
  • VPN gateways
  • Application gateways

IP address version

Public IP addresses are created with an IPv4 address.

SKU

Public IP addresses are created with one of the following SKUs:

Important

Matching SKUs must be used for load balancer and public IP resources. You can't have a mixture of Basic SKU resources and Standard SKU resources. You can't attach standalone virtual machines, virtual machines in an availability set resource, or virtual machine scale set resources to both SKUs simultaneously. New designs should consider using Standard SKU resources. Please review Standard Load Balancer for details.

Basic

All public IP addresses created before the introduction of SKUs are Basic SKU public IP addresses. With the introduction of SKUs, you have the option to specify which SKU you would like the public IP address to be. Basic SKU addresses are:

  • Assigned with the static or dynamic allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and a fixed outbound originated flow idle timeout of 4 minutes.
  • Are open by default. Network security groups are recommended but optional for restricting inbound or outbound traffic.
  • Assigned to any Azure resource that can be assigned a public IP address, such as network interfaces, VPN Gateways, Application Gateways, and Internet-facing load balancers.
  • Do not support Availability Zone scenarios.

Standard

Standard SKU public IP addresses are:

  • Always use the static allocation method.
  • Have an adjustable inbound originated flow idle timeout of 4-30 minutes, with a default of 4 minutes, and a fixed outbound originated flow idle timeout of 4 minutes.
  • Are secure by default and closed to inbound traffic. You must explicitly whitelist allowed inbound traffic with a network security group.
  • Assigned to network interfaces, Standard public Load Balancers, Application Gateways, or VPN Gateways. For more information about Standard Load Balancer, see Azure Standard Load Balancer.

Note

Inbound communication with a Standard SKU resource fails until you create and associate a network security group and explicitly allow the desired inbound traffic.

Note

Only public IP addresses with the Basic SKU are available when using the Instance Metadata Service (IMDS). Standard SKU is not supported.

Allocation method

Both Basic and Standard SKU public IP addresses support the static allocation method. The resource is assigned an IP address at the time it is created, and the IP address is released when the resource is deleted.

Basic SKU public IP addresses also support a dynamic allocation method, which is the default if no allocation method is specified. Selecting the dynamic allocation method for a Basic public IP address resource means the IP address is not allocated at the time of the resource creation. The public IP address is allocated when you associate the public IP address with a virtual machine or when you place the first virtual machine instance into the backend pool of a Basic load balancer. The IP address is released when you stop (or delete) the resource. After being released from resource A, for example, the IP address can be assigned to a different resource. If the IP address is assigned to a different resource while resource A is stopped, a different IP address is assigned when you restart resource A. If you change the allocation method of a Basic public IP address resource from static to dynamic, the address is released. To ensure the IP address for the associated resource remains the same, you can set the allocation method explicitly to static. A static IP address is assigned immediately.

Note

Even when you set the allocation method to static, you cannot specify the actual IP address assigned to the public IP address resource. Azure assigns the IP address from a pool of available IP addresses in the Azure location the resource is created in.

Note

Note that public IP addresses are automatically assigned by the platform and cannot be customized. Once an IP address is released, it cannot be restored.

Static public IP addresses are commonly used in the following scenarios:

  • When you must update firewall rules to communicate with your Azure resources.
  • DNS name resolution, where a change in IP address would require updating A records.
  • Your Azure resources communicate with other apps or services that use an IP address-based security model.
  • You use SSL certificates linked to an IP address.
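
As an added example (not part of the original documentation), the following Python code lints a constructed inventory against the SKU and allocation rules described above. The record fields (`sku`, `allocation`, `attached_to`, `lb_sku`, `nsg`, `pinned_by_ip`) and the finding codes are hypothetical and are not an Azure API schema.

```python
# Added example: checks public IP records against the rules stated on this page.
# All field names and finding codes are hypothetical, not an Azure schema.
# "nsg" means: a network security group covers the resource the address is on.
# "pinned_by_ip" means: a firewall rule, A record, IP-based allow list or
# certificate refers to this address by value.

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"name": "pip-web", "sku": "Basic", "allocation": "Dynamic",
     "attached_to": "nic", "nsg": None, "pinned_by_ip": True},
    {"name": "pip-api", "sku": "Standard", "allocation": "Static",
     "attached_to": "nic", "nsg": None, "pinned_by_ip": False},
    {"name": "pip-lb", "sku": "Basic", "allocation": "Static",
     "attached_to": "load_balancer", "lb_sku": "Standard",
     "nsg": "nsg-lb", "pinned_by_ip": True},
    {"name": "pip-ok", "sku": "Standard", "allocation": "Static",
     "attached_to": "nic", "nsg": "nsg-app", "pinned_by_ip": True},
]


def lint_public_ip(rec):
    """Return a sorted list of finding codes for one inventory record."""
    findings = []
    sku, alloc = rec["sku"], rec["allocation"]
    # Standard SKU addresses always use the static allocation method.
    if sku == "Standard" and alloc != "Static":
        findings.append("STANDARD_NOT_STATIC")
    # Basic SKU addresses are open by default; an NSG is optional there,
    # so a missing NSG means nothing restricts inbound traffic.
    if sku == "Basic" and not rec.get("nsg"):
        findings.append("BASIC_OPEN_NO_NSG")
    # Standard SKU is closed to inbound traffic until an NSG allows it.
    if sku == "Standard" and not rec.get("nsg"):
        findings.append("STANDARD_INBOUND_BLOCKED")
    # Load balancer and public IP resources must use matching SKUs.
    if rec.get("attached_to") == "load_balancer" and rec.get("lb_sku") != sku:
        findings.append("LB_SKU_MISMATCH")
    # A dynamic address is released on stop, so anything pinned to it breaks
    # and may end up pointing at an address assigned to another resource.
    if alloc == "Dynamic" and rec.get("pinned_by_ip"):
        findings.append("DYNAMIC_ADDRESS_PINNED")
    return sorted(findings)


def lint_inventory(inventory):
    """Map resource name to findings, omitting records with none."""
    report = {}
    for rec in inventory:
        findings = lint_public_ip(rec)
        if findings:
            report[rec["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_inventory(INVENTORY).items():
        print(name, findings)
```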

Note

Azure allocates public IP addresses from a range unique to each region in each Azure cloud. You can download the list of ranges (prefixes) for the Azure China clouds.

DNS hostname resolution

You can specify a DNS domain name label for a public IP resource, which creates a mapping for domainnamelabel.location.cloudapp.chinacloudapi.cn to the public IP address in the Azure-managed DNS servers. For instance, if you create a public IP resource with contoso as a domainnamelabel in the China North Azure location, the fully qualified domain name (FQDN) contoso.chinanorth.cloudapp.chinacloudapi.cn resolves to the public IP address of the resource.

Important

Each domain name label created must be unique within its Azure location.

DNS Best Practices

If you ever need to migrate to a different region, you cannot migrate the FQDN of your public IP address. As a best practice, you can use the FQDN to create a custom domain CNAME record pointing to the public IP address in Azure. If you need to move to a different public IP, it will require an update to the CNAME record instead of having to manually update the FQDN to the new address. You can use Azure DNS or an external DNS provider for your DNS record.

Virtual machines

You can associate a public IP address with a Windows or Linux virtual machine by assigning it to its network interface. You can assign either a dynamic or a static public IP address to a virtual machine. Learn more about assigning IP addresses to network interfaces.

Internet-facing load balancers

You can associate a public IP address created with either SKU with an Azure Load Balancer by assigning it to the load balancer frontend configuration. The public IP address serves as a load-balanced virtual IP address (VIP). You can assign either a dynamic or a static public IP address to a load balancer front-end. You can also assign multiple public IP addresses to a load balancer front-end, which enables multi-VIP scenarios like a multi-tenant environment with SSL-based websites. For more information about Azure load balancer SKUs, see Azure load balancer standard SKU.

VPN gateways

An Azure VPN Gateway connects an Azure virtual network to other Azure virtual networks, or to an on-premises network. A public IP address is assigned to the VPN Gateway to enable it to communicate with the remote network. You can only assign a dynamic Basic public IP address to a VPN gateway.

Application gateways

You can associate a public IP address with an Azure Application Gateway by assigning it to the gateway's frontend configuration. This public IP address serves as a load-balanced VIP. You can only assign a dynamic Basic public IP address to an application gateway V1 front-end configuration.

At-a-glance

The following table shows the specific property through which a public IP address can be associated to a top-level resource, and the possible allocation methods (dynamic or static) that can be used.

| Top-level resource            | IP address association   | Dynamic       | Static |
| ----------------------------- | ------------------------ | ------------- | ------ |
| Virtual machine               | Network interface        | Yes           | Yes    |
| Internet-facing load balancer | Front-end configuration  | Yes           | Yes    |
| VPN gateway                   | Gateway IP configuration | Yes           | Yes    |
| Application gateway           | Front-end configuration  | Yes (V1 only) |        |

Private IP addresses

Private IP addresses allow Azure resources to communicate with other resources in a virtual network or an on-premises network through a VPN gateway or ExpressRoute circuit, without using an Internet-reachable IP address.

In the Azure Resource Manager deployment model, a private IP address is associated to the following types of Azure resources:

  • Virtual machine network interfaces
  • Internal load balancers (ILBs)
  • Application gateways

IP address version

Private IP addresses are created with an IPv4 address.

Allocation method

A private IP address is allocated from the address range of the virtual network subnet a resource is deployed in. Azure reserves the first four addresses in each subnet address range, so the addresses cannot be assigned to resources. For example, if the subnet's address range is 10.0.0.0/16, addresses 10.0.0.0-10.0.0.3 cannot be assigned to resources. IP addresses within the subnet's address range can only be assigned to one resource at a time.

There are two methods by which a private IP address is allocated:

  • Dynamic: Azure assigns the next available unassigned or unreserved IP address in the subnet's address range. For example, Azure assigns 10.0.0.10 to a new resource if addresses 10.0.0.4-10.0.0.9 are already assigned to other resources. Dynamic is the default allocation method. Once assigned, dynamic IP addresses are only released if a network interface is deleted, assigned to a different subnet within the same virtual network, or the allocation method is changed to static and a different IP address is specified. By default, Azure assigns the previous dynamically assigned address as the static address when you change the allocation method from dynamic to static.
  • Static: You select and assign any unassigned or unreserved IP address in the subnet's address range. For example, if a subnet's address range is 10.0.0.0/16 and addresses 10.0.0.4-10.0.0.9 are already assigned to other resources, you can assign any address between 10.0.0.10 and 10.0.255.254. Static addresses are only released if a network interface is deleted. If you change the allocation method to dynamic, Azure dynamically assigns the previously assigned static IP address as the dynamic address, even if the address isn't the next available address in the subnet's address range. The address also changes if the network interface is assigned to a different subnet within the same virtual network, but to assign the network interface to a different subnet, you must first change the allocation method from static to dynamic. Once you've assigned the network interface to a different subnet, you can change the allocation method back to static, and assign an IP address from the new subnet's address range.
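
The two allocation methods above can be modelled in a few lines; this is an added example, not Azure's implementation or code from the original documentation. The function names and result strings are hypothetical, and the upper bound of the assignable range is taken from the page's own example (10.0.0.0/16 ending at 10.0.255.254).

```python
import ipaddress

# The page: Azure reserves the first four addresses in each subnet range.
RESERVED_LEADING = 4


def usable_range(subnet):
    """Return (first, last) assignable addresses as integers.

    Assumption: the last assignable address is one below the top of the
    range, as in the page's example where 10.0.0.0/16 ends at 10.0.255.254.
    """
    net = ipaddress.ip_network(subnet)
    first = int(net.network_address) + RESERVED_LEADING
    last = int(net.broadcast_address) - 1
    return first, last


def next_dynamic(subnet, assigned):
    """Dynamic method: next unassigned, unreserved address, or None if full."""
    first, last = usable_range(subnet)
    taken = {int(ipaddress.ip_address(a)) for a in assigned}
    for candidate in range(first, last + 1):
        if candidate not in taken:
            return str(ipaddress.ip_address(candidate))
    return None  # subnet exhausted (or too small to hold any resource)


def check_static(subnet, assigned, requested):
    """Static method: say whether a requested address can be assigned."""
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(requested)
    first, last = usable_range(subnet)
    if addr not in net:
        return "outside-subnet"
    if not first <= int(addr) <= last:
        return "not-assignable"
    # An address can only be assigned to one resource at a time.
    if int(addr) in {int(ipaddress.ip_address(a)) for a in assigned}:
        return "in-use"
    return "ok"


if __name__ == "__main__":
    # Constructed sample matching the page's example: .4 through .9 in use.
    in_use = [f"10.0.0.{n}" for n in range(4, 10)]
    print(next_dynamic("10.0.0.0/16", in_use))
    for ip in ("10.0.0.3", "10.0.0.7", "10.0.255.254", "10.1.0.5"):
        print(ip, check_static("10.0.0.0/16", in_use, ip))
```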

Virtual machines

One or more private IP addresses are assigned to one or more network interfaces of a Windows or Linux virtual machine. You can specify the allocation method as either dynamic or static for each private IP address.

Internal DNS hostname resolution (for virtual machines)

All Azure virtual machines are configured with Azure-managed DNS servers by default, unless you explicitly configure custom DNS servers. These DNS servers provide internal name resolution for virtual machines that reside within the same virtual network.

When you create a virtual machine, a mapping for the hostname to its private IP address is added to the Azure-managed DNS servers. If a virtual machine has multiple network interfaces, or multiple IP configurations for a network interface, the hostname is mapped to the private IP address of the primary IP configuration of the primary network interface.

Virtual machines configured with Azure-managed DNS servers are able to resolve the hostnames of all virtual machines within the same virtual network to their private IP addresses. To resolve host names of virtual machines in connected virtual networks, you must use a custom DNS server.

Internal load balancers (ILB) & Application gateways

You can assign a private IP address to the front-end configuration of an Azure Internal Load Balancer (ILB) or an Azure Application Gateway. This private IP address serves as an internal endpoint, accessible only to the resources within its virtual network and the remote networks connected to the virtual network. You can assign either a dynamic or static private IP address to the front-end configuration.

At-a-glance

The following table shows the specific property through which a private IP address can be associated to a top-level resource, and the possible allocation methods (dynamic or static) that can be used.

| Top-level resource  | IP address association  | Dynamic | Static |
| ------------------- | ----------------------- | ------- | ------ |
| Virtual machine     | Network interface       | Yes     | Yes    |
| Load balancer       | Front-end configuration | Yes     | Yes    |
| Application gateway | Front-end configuration | Yes     | Yes    |

Limits

The limits imposed on IP addressing are indicated in the full set of limits for networking in Azure. The limits are per region and per subscription. You can contact support to increase the default limits up to the maximum limits based on your business needs.

Pricing

Public IP addresses may have a nominal charge. To learn more about IP address pricing in Azure, review the IP address pricing page.
