Plan virtual networks

Creating a virtual network to experiment with is easy enough, but chances are, you will deploy multiple virtual networks over time to support the production needs of your organization. With some planning, you will be able to deploy virtual networks and connect the resources you need more effectively. The information in this article is most helpful if you're already familiar with virtual networks and have some experience working with them. If you are not familiar with virtual networks, it's recommended that you read Virtual network overview.

Naming

All Azure resources have a name. The name must be unique within a scope, which may vary for each resource type. For example, the name of a virtual network must be unique within a resource group, but can be duplicated within a subscription or Azure region. Defining a naming convention that you can use consistently when naming resources is helpful when managing several network resources over time. For suggestions, see Naming conventions.

Regions

All Azure resources are created in an Azure region and subscription. A resource can only be created in a virtual network that exists in the same region and subscription as the resource. You can, however, connect virtual networks that exist in different subscriptions and regions. For more information, see Connectivity. When deciding which region(s) to deploy resources in, consider where consumers of the resources are physically located:

  • Consumers of resources typically want the lowest network latency to their resources. To determine relative latencies between a specified location and Azure regions, see View relative latencies.

  • Do you have data residency, sovereignty, compliance, or resiliency requirements? If so, choosing the region that aligns to the requirements is critical. For more information, see Azure geographies.

Subscriptions

You can deploy as many virtual networks as required within each subscription, up to the limit. Some organizations have different subscriptions for different departments, for example.

Segmentation

You can create multiple virtual networks per subscription and per region. You can create multiple subnets within each virtual network. The considerations that follow help you determine how many virtual networks and subnets you require:

Virtual networks

A virtual network is a virtual, isolated portion of the Azure public network. Each virtual network is dedicated to your subscription. Things to consider when deciding whether to create one virtual network, or multiple virtual networks in a subscription:

  • Do any organizational security requirements exist for isolating traffic into separate virtual networks? You can choose to connect virtual networks or not. If you connect virtual networks, you can implement a network virtual appliance, such as a firewall, to control the flow of traffic between the virtual networks. For more information, see Security and Connectivity.
  • Do any organizational requirements exist for isolating virtual networks into separate subscriptions or regions?
  • A network interface enables a VM to communicate with other resources. Each network interface has one or more private IP addresses assigned to it. How many network interfaces and private IP addresses do you require in a virtual network? There are limits to the number of network interfaces and private IP addresses that you can have within a virtual network.
  • Do you want to connect the virtual network to another virtual network or on-premises network? You may choose to connect some virtual networks to each other or to on-premises networks, but not others. For more information, see Connectivity. Each virtual network that you connect to another virtual network, or on-premises network, must have a unique address space. Each virtual network has one or more public or private address ranges assigned to its address space. An address range is specified in classless inter-domain routing (CIDR) format, such as 10.0.0.0/16. Learn more about address ranges for virtual networks.
  • Do you have any organizational administration requirements for resources in different virtual networks? If so, you might separate resources into separate virtual networks to simplify permission assignment to individuals in your organization, or to assign different policies to different virtual networks.
  • When you deploy some Azure service resources into a virtual network, they create their own virtual network. To determine whether an Azure service creates its own virtual network, see the information for each Azure service that can be deployed into a virtual network.

Subnets

A virtual network can be segmented into one or more subnets, up to the limits. Things to consider when deciding whether to create one subnet, or multiple virtual networks in a subscription:

  • Each subnet must have a unique address range, specified in CIDR format, within the address space of the virtual network. The address range cannot overlap with other subnets in the virtual network.
  • If you plan to deploy some Azure service resources into a virtual network, they may require, or create, their own subnet, so there must be enough unallocated space for them to do so. To determine whether an Azure service creates its own subnet, see the information for each Azure service that can be deployed into a virtual network. For example, if you connect a virtual network to an on-premises network using an Azure VPN Gateway, the virtual network must have a dedicated subnet for the gateway. Learn more about gateway subnets.
  • Azure routes network traffic between all subnets in a virtual network by default. You can override Azure's default routing to prevent Azure routing between subnets, or to route traffic between subnets through a network virtual appliance, for example. If you require that traffic between resources in the same virtual network flow through a network virtual appliance (NVA), deploy the resources to different subnets. Learn more in Security.
  • You can limit access to Azure resources, such as an Azure storage account or Azure SQL database, to specific subnets with a virtual network service endpoint. Further, you can deny access to the resources from the internet. You may create multiple subnets, and enable a service endpoint for some subnets, but not others. Learn more about service endpoints, and the Azure resources you can enable them for.
  • You can associate zero or one network security group to each subnet in a virtual network. You can associate the same, or a different, network security group to each subnet. Each network security group contains rules, which allow or deny traffic to and from sources and destinations. Learn more about network security groups.
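The address-space rules above (every subnet inside the virtual network's address space, no overlap between subnets, a dedicated GatewaySubnet when a VPN gateway is used) are easy to get wrong on paper before anything is deployed. The following is an added example, not code from the article or from Azure; it checks a planned layout offline with Python's standard ipaddress module. The VNet and subnet values are constructed for illustration, and two of them are deliberately wrong so the checks have something to report. The five-addresses-per-subnet reservation is Azure's documented behaviour (network address, default gateway, two Azure DNS addresses, broadcast address).

```python
import ipaddress

# Constructed sample plan (hypothetical values, not from the article).
VNET_ADDRESS_SPACE = ["10.0.0.0/16"]
PLANNED_SUBNETS = {
    "web": "10.0.1.0/24",
    "app": "10.0.2.0/24",
    "data": "10.0.2.128/25",       # deliberately overlaps "app"
    "GatewaySubnet": "10.0.255.0/27",
    "mgmt": "10.1.0.0/24",         # deliberately outside the VNet address space
}

# Azure reserves five addresses in every subnet: the network address, the default
# gateway, two addresses for Azure DNS, and the broadcast address.
AZURE_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Number of addresses in a subnet that can actually be assigned to resources."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(address_space, subnets, connects_on_premises=False):
    """Return a list of problems with a VNet/subnet plan; an empty list means the plan is consistent.

    Checks: each subnet lies inside one of the VNet address ranges, no two subnets
    overlap, and a GatewaySubnet exists when an Azure VPN gateway will be deployed.
    """
    space = [ipaddress.ip_network(c, strict=True) for c in address_space]
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    problems = []

    for name, net in nets.items():
        if not any(net.subnet_of(s) for s in space):
            problems.append(f"{name} {net} is outside the virtual network address space")

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    if connects_on_premises and "GatewaySubnet" not in nets:
        problems.append("a VPN gateway requires a dedicated subnet named GatewaySubnet")

    return problems


if __name__ == "__main__":
    for name, cidr in PLANNED_SUBNETS.items():
        print(f"{name:14} {cidr:18} usable addresses: {usable_hosts(cidr)}")
    for problem in validate_plan(VNET_ADDRESS_SPACE, PLANNED_SUBNETS, connects_on_premises=True):
        print("PROBLEM:", problem)
```

Run it before submitting a deployment: a plan that passes these checks can still hit the per-VNet limits the article mentions, but it will not be rejected for overlapping or out-of-range prefixes.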

Security

You can filter network traffic to and from resources in a virtual network using network security groups and network virtual appliances. You can control how Azure routes traffic from subnets. You can also limit who in your organization can work with resources in virtual networks.

Traffic filtering

  • You can filter network traffic between resources in a virtual network using a network security group, an NVA that filters network traffic, or both. To deploy an NVA, such as a firewall, to filter network traffic, see the Azure Marketplace. When using an NVA, you also create custom routes to route traffic from subnets to the NVA. Learn more about traffic routing.

  • A network security group contains several default security rules that allow or deny traffic to or from resources. A network security group can be associated to a network interface, the subnet the network interface is in, or both. To simplify management of security rules, it's recommended that you associate a network security group to individual subnets, rather than to individual network interfaces within the subnet, whenever possible.

  • If different VMs within a subnet need different security rules applied to them, you can associate the network interface in the VM to one or more application security groups. A security rule can specify an application security group in its source, destination, or both. That rule then only applies to the network interfaces that are members of the application security group. Learn more about network security groups and application security groups.

  • Azure creates several default security rules within each network security group. One default rule allows all traffic to flow between all resources in a virtual network. To override this behavior, use network security groups, custom routing to route traffic to an NVA, or both. It's recommended that you familiarize yourself with all of Azure's default security rules and understand how network security group rules are applied to a resource.
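How the default rules and the subnet/NIC association combine is the part practitioners most often misjudge, so here is an added example (not code from the article or from Azure) that models the inbound evaluation in Python. Rules are matched in ascending priority order and the first match wins; for inbound traffic Azure evaluates the subnet's NSG before the NIC's NSG, and both must allow the packet. The three default inbound rules and their priorities (65000, 65001, 65500) and the load balancer probe address 168.63.129.16 are Azure's real values; the custom rules, the VNet prefix and the test addresses are constructed, and the Internet service tag is simplified to "any source outside the VNet".

```python
import ipaddress
from dataclasses import dataclass

# Azure's virtual IP that is the source of load balancer health probes (real value).
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower numbers are evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "VirtualNetwork", "AzureLoadBalancer", "Internet" or "*"
    dest_port: str     # "443", "1000-2000" or "*"


# Azure's default inbound rules with their real priorities. They are always present
# and cannot be removed, only overridden by a lower-numbered custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src, vnet_prefixes) -> bool:
    in_vnet = any(src in p for p in vnet_prefixes)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE_IP
    if spec == "Internet":          # simplification: anything not inside the VNet
        return not in_vnet
    return src in ipaddress.ip_network(spec, strict=False)


def evaluate_nsg(custom_rules, src_ip, dest_port, protocol, vnet_prefixes):
    """Return (access, rule_name) for one NSG: first matching rule by priority wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        if not _source_matches(rule.source, src, vnet_prefixes):
            continue
        return rule.access, rule.name
    return "Deny", "DenyAllInBound"   # unreachable: DenyAllInBound matches everything


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, dest_port, protocol, vnet_prefixes):
    """Combine the subnet NSG and the NIC NSG the way Azure does for inbound traffic.

    The subnet NSG is evaluated first, then the NIC NSG; a deny at either level is
    final. None means no NSG is associated at that level (no filtering there).
    """
    for level, rules in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, src_ip, dest_port, protocol, vnet_prefixes)
        if access == "Deny":
            return False, f"{level}:{name}"
    return True, "allowed"


# Constructed sample: a subnet NSG that opens HTTPS from the internet, and a NIC NSG
# on one VM that blocks SSH from everywhere.
VNET = [ipaddress.ip_network("10.0.0.0/16")]
SUBNET_NSG = [Rule("allow-https-from-internet", 100, "Allow", "Tcp", "Internet", "443")]
NIC_NSG = [Rule("deny-ssh", 100, "Deny", "Tcp", "*", "22")]

if __name__ == "__main__":
    for src, port in (("198.51.100.7", 443), ("10.0.1.4", 22), ("10.0.1.4", 8080)):
        print(src, port, inbound_allowed(SUBNET_NSG, NIC_NSG, src, port, "Tcp", VNET))
```

The first case is the instructive one: HTTPS from the internet is allowed by the subnet NSG but still dropped, because the NIC NSG has no matching allow rule and falls through to DenyAllInBound. Attaching NSGs at one level only, as the article recommends, avoids exactly this kind of surprise.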

Traffic routing

Azure creates several default routes for outbound traffic from a subnet. You can override Azure's default routing by creating a route table and associating it to a subnet. Common reasons for overriding Azure's default routing are:

  • Because you want traffic between subnets to flow through an NVA. Learn more about how to configure route tables to force traffic through an NVA.
  • Because you want to force all internet-bound traffic through an NVA, or on-premises through an Azure VPN gateway. Forcing internet traffic on-premises for inspection and logging is often referred to as forced tunneling. Learn more about how to configure forced tunneling.

If you need to implement custom routing, it's recommended that you familiarize yourself with routing in Azure.
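To see why a single 0.0.0.0/0 user-defined route is enough to force-tunnel internet traffic while a more specific route still sends VNet traffic directly, it helps to model the selection Azure performs. This is an added example, not code from the article or from Azure: it applies longest-prefix match over the effective routes of a subnet and, on equal prefix length, prefers user-defined routes over BGP routes over system routes, which is Azure's documented precedence. The VNet prefix, the NVA address 10.0.100.4 and the routes below are constructed; the default routes listed are a subset of Azure's real system routes.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order when two candidate routes have the same prefix length.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str     # "VirtualNetwork", "Internet", "VirtualAppliance",
                           # "VirtualNetworkGateway" or "None" (dropped)
    next_hop_ip: str = ""  # only meaningful for VirtualAppliance
    source: str = "System" # "System", "BGP" or "User"


def system_routes(vnet_address_space):
    """A subset of the default routes Azure gives every subnet: the VNet's own address
    space to VirtualNetwork, 0.0.0.0/0 to Internet, and some private ranges to None."""
    routes = [Route(p, "VirtualNetwork") for p in vnet_address_space]
    routes.append(Route("0.0.0.0/0", "Internet"))
    for p in ("10.0.0.0/8", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(p, "None"))
    return routes


def select_route(routes, dest_ip):
    """Longest-prefix match; ties broken by route source (User > BGP > System)."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return max(
        candidates,
        key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -SOURCE_RANK[r.source]),
    )


def next_hop(routes, dest_ip):
    """Convenience wrapper returning (next_hop_type, next_hop_ip) for a destination."""
    route = select_route(routes, dest_ip)
    return (route.next_hop_type, route.next_hop_ip) if route else (None, "")


# Constructed sample: VNet 10.0.0.0/16 with a firewall NVA at 10.0.100.4.
VNET_SPACE = ["10.0.0.0/16"]
DEFAULT_ROUTES = system_routes(VNET_SPACE)

# Route table attached to an application subnet: everything to the internet and
# everything inside the VNet goes through the NVA (forced tunneling to an NVA plus
# inter-subnet inspection).
USER_ROUTES = [
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.100.4", source="User"),
    Route("10.0.0.0/16", "VirtualAppliance", "10.0.100.4", source="User"),
]
EFFECTIVE_ROUTES = DEFAULT_ROUTES + USER_ROUTES

if __name__ == "__main__":
    for dest in ("8.8.8.8", "10.0.2.5", "10.5.0.1"):
        print(f"{dest:10} default -> {next_hop(DEFAULT_ROUTES, dest)}  "
              f"with route table -> {next_hop(EFFECTIVE_ROUTES, dest)}")
```

Note the third destination: 10.5.0.1 is outside the VNet, so without a route table the system 10.0.0.0/8 -> None route drops it, and with the table it is sent to the NVA by the user 0.0.0.0/0 route only if no more specific route exists; since /8 is longer than /0, the drop still wins. A route table that must reach other 10.x networks therefore needs an explicit route for them.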

Connectivity

You can connect a virtual network to other virtual networks using virtual network peering, or to your on-premises network using an Azure VPN gateway.

Peering

When using virtual network peering, the virtual networks can be in the same, or different, supported Azure regions. The virtual networks can be in the same or different Azure subscriptions (even subscriptions belonging to different Azure Active Directory tenants). Before creating a peering, it's recommended that you familiarize yourself with all of the peering requirements and constraints. Bandwidth between resources in virtual networks peered in the same region is the same as if the resources were in the same virtual network.

VPN gateway

You can use an Azure VPN Gateway to connect a virtual network to your on-premises network using a site-to-site VPN, or using a dedicated connection with Azure ExpressRoute.

Name resolution

Resources in one virtual network cannot resolve the names of resources in a peered virtual network using Azure's built-in DNS. To resolve names in a peered virtual network, deploy your own DNS server, or use Azure DNS private domains. Resolving names between resources in a virtual network and on-premises networks also requires you to deploy your own DNS server.

Permissions

Azure uses role-based access control (RBAC) for resources. Permissions are assigned to a scope in the following hierarchy: management group, subscription, resource group, and individual resource. To learn more about the hierarchy, see Organize your resources. To work with Azure virtual networks and all of their related capabilities, such as peering, network security groups, service endpoints, and route tables, you can assign members of your organization to the built-in Owner, Contributor, or Network contributor roles, and then assign the role to the appropriate scope. If you want to assign specific permissions for a subset of virtual network capabilities, create a custom role and assign the specific permissions required for virtual networks, subnets and service endpoints, network interfaces, peering, network and application security groups, or route tables to the role.

Policy

Azure Policy enables you to create, assign, and manage policy definitions. Policy definitions enforce different rules over your resources, so the resources stay compliant with your organizational standards and service level agreements. Azure Policy runs an evaluation of your resources, scanning for resources that are not compliant with the policy definitions you have. For example, you can define and apply a policy that allows creation of virtual networks in only a specific resource group or region. Another policy can require that every subnet has a network security group associated to it. The policies are then evaluated when creating and updating resources.

Policies are applied to the following hierarchy: management group, subscription, and resource group. Learn more about Azure Policy, or deploy some virtual network Azure Policy definitions.
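The two policies the article describes (virtual networks only in approved regions, and a network security group on every subnet) can be written in Azure Policy's if/then definition shape. The following is an added example, not code from the article or from Azure: the two definitions are constructed, and a small evaluator applies them to constructed resource records so the deny logic can be checked offline. The alias string for the subnet's NSG reference is taken from Azure Policy's Microsoft.Network aliases and should be treated as an assumption to verify against the current alias list; the region names are placeholders.

```python
# Constructed policy definitions in Azure Policy's "policyRule" shape.
ALLOWED_VNET_REGIONS = {
    "name": "vnets-only-in-approved-regions",
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks"},
        {"field": "location", "notIn": ["westeurope", "northeurope"]},   # placeholder regions
    ]},
    "then": {"effect": "deny"},
}

REQUIRE_NSG_ON_SUBNET = {
    "name": "subnets-must-have-nsg",
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Network/virtualNetworks/subnets"},
        # Assumed alias for the subnet's NSG reference; verify against Azure's alias list.
        {"field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id",
         "exists": "false"},
    ]},
    "then": {"effect": "deny"},
}

# Maps a policy alias to the path of that value inside a resource record.
ALIASES = {
    "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id":
        ("properties", "networkSecurityGroup", "id"),
}


def _field_value(resource, field):
    """Resolve a policy 'field' against a resource: top-level keys or an alias path."""
    if field in resource:
        return resource[field]
    node = resource
    for key in ALIASES.get(field, ()):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if field in ALIASES else None


def _condition_holds(resource, cond):
    if "allOf" in cond:
        return all(_condition_holds(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_condition_holds(resource, c) for c in cond["anyOf"])
    value = _field_value(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy, resource):
    """Return the policy's effect if its 'if' block matches the resource, else None."""
    return policy["then"]["effect"] if _condition_holds(resource, policy["if"]) else None


def evaluate_all(policies, resource):
    """Return the names of all policies whose effect is 'deny' for this resource."""
    return [p["name"] for p in policies if evaluate_policy(p, resource) == "deny"]


# Constructed resource records in the shape Azure Resource Manager exposes to policy.
VNET_OK = {"type": "Microsoft.Network/virtualNetworks", "location": "westeurope"}
VNET_BAD = {"type": "Microsoft.Network/virtualNetworks", "location": "eastus"}
SUBNET_OK = {"type": "Microsoft.Network/virtualNetworks/subnets", "location": "westeurope",
             "properties": {"networkSecurityGroup": {"id": "/subscriptions/.../nsg-app"}}}
SUBNET_BAD = {"type": "Microsoft.Network/virtualNetworks/subnets", "location": "westeurope",
              "properties": {}}
POLICIES = [ALLOWED_VNET_REGIONS, REQUIRE_NSG_ON_SUBNET]

if __name__ == "__main__":
    for label, res in (("vnet ok", VNET_OK), ("vnet bad", VNET_BAD),
                       ("subnet ok", SUBNET_OK), ("subnet bad", SUBNET_BAD)):
        print(f"{label:11} denied by: {evaluate_all(POLICIES, res)}")
```

Because a deny effect is evaluated when a resource is created or updated, a subnet created without an NSG is refused rather than merely flagged; use the audit effect instead when you only want a compliance report for existing resources.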

Next steps

Learn about all tasks, settings, and options for a virtual network, subnet and service endpoint, network interface, peering, network and application security group, or route table.