Integrate Azure services with virtual networks for network isolation

Virtual Network (VNet) integration for an Azure service lets you lock down access to the service so that it is reachable only from your virtual network infrastructure. That infrastructure also includes peered virtual networks and on-premises networks connected to the VNet.

VNet integration gives an Azure service the benefits of network isolation, and can be accomplished by one or more of the following methods:

  • Deploying dedicated instances of the service into a virtual network. The service can then be accessed privately from within the virtual network and from on-premises networks.

  • Using a private endpoint, which connects you privately and securely to a service powered by Azure Private Link. A private endpoint uses a private IP address from your VNet, effectively bringing the service into your virtual network.

  • Accessing the service through its public endpoint while extending the virtual network to the service with service endpoints. Service endpoints let you secure service resources to the virtual network.

  • Using service tags to allow or deny traffic between your Azure resources and public IP endpoints.

Deploy dedicated Azure services into virtual networks

When you deploy dedicated Azure services into a virtual network, you communicate with the service resources privately, through private IP addresses.

Diagram: dedicated Azure services deployed into a virtual network

Deploying a dedicated Azure service into your virtual network provides the following capabilities:

  • Resources within the virtual network can communicate with each other privately, through private IP addresses. For example, data can be transferred directly between HDInsight and a SQL Server running on a virtual machine in the same virtual network.

  • On-premises resources can access resources in the virtual network using private IP addresses over a Site-to-Site VPN (VPN Gateway) or ExpressRoute.

  • Virtual networks can be peered so that resources in the peered networks communicate with each other using private IP addresses.

  • Service instances in a virtual network are typically fully managed by the Azure service. This includes monitoring the health of the resources and scaling with load.

  • Service instances are deployed into a subnet in the virtual network. Inbound and outbound network access for that subnet must be opened through network security groups, following the guidance the service provides; a managed service usually needs specific management ports open for the platform to reach and maintain its instances, so do not lock the subnet down beyond what the service's guidance allows.

  • Certain services also impose restrictions on the subnet they are deployed into, such as limiting the application of policies or routes, or disallowing VMs and service resources in the same subnet. Check each service for its specific restrictions, because they can change over time. Examples of such services are Azure Container Instances and App Service.

  • Optionally, a service might require a delegated subnet as an explicit indication that the subnet can host that particular service. Through the delegation, the service gets explicit permission to create service-specific resources in the delegated subnet.

  • See an example of a REST API response for a virtual network with a delegated subnet. A comprehensive list of services that use the delegated subnet model can be obtained from the Available Delegations API.

For a list of services that can be deployed into a virtual network, see Deploy dedicated Azure services into virtual networks.
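The REST API response mentioned above carries delegations per subnet under properties.subnets[].properties.delegations[]. The following added example (not code from the Azure documentation) parses a response of that shape to list which subnet is delegated to which service and which subnets remain general-purpose; SAMPLE_VNET is a constructed response with made-up names and address prefixes, but its structure and the serviceName/actions fields follow the real Microsoft.Network/virtualNetworks API.

```python
"""Inspect subnet delegations in an Azure Virtual Network GET response.

Added example; SAMPLE_VNET is a constructed response that mirrors the shape of the
Microsoft.Network/virtualNetworks REST API. Names, prefixes and IDs are made up.
"""
import json

SAMPLE_VNET = json.loads("""
{
  "name": "vnet-prod",
  "properties": {
    "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
    "subnets": [
      {
        "name": "snet-aci",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "delegations": [
            {
              "name": "aci-delegation",
              "properties": {
                "serviceName": "Microsoft.ContainerInstance/containerGroups",
                "actions": ["Microsoft.Network/virtualNetworks/subnets/action"]
              }
            }
          ]
        }
      },
      {
        "name": "snet-app",
        "properties": {
          "addressPrefix": "10.0.2.0/24",
          "delegations": [
            {
              "name": "appsvc-delegation",
              "properties": {
                "serviceName": "Microsoft.Web/serverFarms",
                "actions": ["Microsoft.Network/virtualNetworks/subnets/action"]
              }
            }
          ]
        }
      },
      {
        "name": "snet-vms",
        "properties": {"addressPrefix": "10.0.3.0/24", "delegations": []}
      }
    ]
  }
}
""")


def delegations_by_subnet(vnet: dict) -> dict:
    """Map each subnet name to the service names it is delegated to."""
    result = {}
    for subnet in vnet["properties"]["subnets"]:
        props = subnet.get("properties", {})
        result[subnet["name"]] = [
            d["properties"]["serviceName"] for d in props.get("delegations", [])
        ]
    return result


def subnets_for_service(vnet: dict, service_name: str) -> list:
    """Subnets delegated to the given service; service names compare case-insensitively."""
    wanted = service_name.lower()
    return [
        name for name, services in delegations_by_subnet(vnet).items()
        if any(s.lower() == wanted for s in services)
    ]


def undelegated_subnets(vnet: dict) -> list:
    """Subnets without any delegation: the general-purpose subnets where VMs can live."""
    return [name for name, services in delegations_by_subnet(vnet).items() if not services]


if __name__ == "__main__":
    print(json.dumps(delegations_by_subnet(SAMPLE_VNET), indent=2))
    print("ACI subnets:", subnets_for_service(SAMPLE_VNET, "Microsoft.ContainerInstance/containerGroups"))
    print("Undelegated:", undelegated_subnets(SAMPLE_VNET))
```

In practice you would feed in the output of a GET on the virtual network resource (or `az network vnet show`) instead of SAMPLE_VNET; the delegation entries are what tell you which subnets a service has permission to create its resources in, and which subnets are still free for VMs and other workloads.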

Private endpoints

You can use private endpoints to let clients in your virtual network reach an Azure resource directly and securely over a private link, without going through the public internet. A private endpoint is a special network interface for an Azure service in your virtual network. When you create a private endpoint for your Azure resource, it provides secure connectivity between clients on your virtual network and that resource. The private endpoint is assigned an IP address from the address range of your virtual network, and the connection between the private endpoint and the Azure service uses a secure private link. For clients to actually use it, the resource's DNS name must resolve to the private endpoint's address from inside the VNet (normally through a privatelink private DNS zone linked to the VNet); if it still resolves to the public address, traffic keeps going to the public endpoint.

The following diagram shows private access to an Event Grid resource through a private endpoint, which provides secure connectivity between clients on a virtual network and the Event Grid resource.

Diagram: private access of a SQL DB resource using a private endpoint
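The DNS condition described above is the check a practitioner runs after creating a private endpoint: from inside the VNet the resource's public name should CNAME to its privatelink name and land on a VNet address, while from the public internet the same privatelink name resolves onward to the public address. The following added example (not code from the Azure documentation) models both views with constructed resolver answers (made-up hostnames, TEST-NET addresses) and decides which path a client would take.

```python
"""Verify that a resource name resolves to a private endpoint from inside the VNet.

Added example. The resolver answers below are constructed (made-up hostnames,
TEST-NET addresses) to show the in-VNet and public views of the same name.
"""
import ipaddress

VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed answers as seen by a client inside the VNet (privatelink zone linked).
ZONE_INSIDE_VNET = {
    "mystore.blob.core.windows.net": ("CNAME", "mystore.privatelink.blob.core.windows.net"),
    "mystore.privatelink.blob.core.windows.net": ("A", "10.0.1.5"),
}

# Constructed answers as seen from the public internet (no private zone).
ZONE_PUBLIC = {
    "mystore.blob.core.windows.net": ("CNAME", "mystore.privatelink.blob.core.windows.net"),
    "mystore.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.40"),
}


def resolve(zone: dict, name: str, max_hops: int = 8):
    """Follow CNAMEs until an A record; return (chain of names, IP address)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone[name]
        if rtype == "A":
            return chain, ipaddress.ip_address(value)
        name = value
        chain.append(name)
    raise RuntimeError(f"CNAME chain longer than {max_hops} hops")


def uses_private_endpoint(zone: dict, fqdn: str, vnet_prefixes=VNET_PREFIXES) -> bool:
    """True only if the name passes through a privatelink record AND lands on a VNet address."""
    chain, ip = resolve(zone, fqdn)
    via_privatelink = any(".privatelink." in hop for hop in chain)
    in_vnet = any(ip in net for net in vnet_prefixes)
    return via_privatelink and in_vnet


def resolution_report(zone: dict, fqdn: str) -> str:
    """Human-readable trace of the resolution and the path a client would take."""
    chain, ip = resolve(zone, fqdn)
    path = "private endpoint" if uses_private_endpoint(zone, fqdn) else "public endpoint"
    return f"{' -> '.join(chain)} -> {ip} ({path})"


if __name__ == "__main__":
    print(resolution_report(ZONE_INSIDE_VNET, "mystore.blob.core.windows.net"))
    print(resolution_report(ZONE_PUBLIC, "mystore.blob.core.windows.net"))
```

To run this against a real deployment, capture the answers from a VM in the VNet (for example with `nslookup` or `dig` on the resource's public name) and replace the constructed zone entries; an in-VNet answer that lands on a public address means the private DNS zone is missing or not linked, and clients are bypassing the private endpoint.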

Service endpoints

A VNet service endpoint provides secure and direct connectivity to Azure services over an optimized route on the Azure backbone network. Endpoints let you secure your critical Azure service resources to only your virtual networks. Service endpoints let private IP addresses in the VNet reach the endpoint of an Azure service without needing a public IP address on the VNet. Note that the service keeps its public endpoint: enabling the endpoint on a subnet only changes how that subnet's traffic reaches the service and that the traffic is identified by the subnet rather than by a public IP. The isolation itself comes from the resource's own network rules (for example, a storage account firewall that denies by default and allows only that subnet), which must be configured as well.

Diagram: securing Azure service resources to a virtual network with service endpoints

For more information, see Virtual network service endpoints.
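The two halves of a service-endpoint lockdown, the endpoint on the subnet and the deny-by-default rule set on the resource, are easy to get half right. The following added example (not code from the Azure documentation) models both: a subnet object in the shape returned by the VNet API, a resource network rule set in the shape of a storage account's networkRuleSet, and an evaluator that shows why the open rule set admits everyone and why a subnet without the endpoint is treated as ordinary internet traffic. The subscription ID, resource names, addresses and the egress address are constructed.

```python
"""Model a service-endpoint lockdown: endpoint on the subnet plus resource firewall.

Added example. Subnet and rule-set objects follow the shape of the Azure REST
resources; all IDs, names and addresses are constructed.
"""
import ipaddress

SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
             "/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-app")

# Constructed subnet with the Storage service endpoint enabled.
SUBNET_WITH_ENDPOINT = {
    "id": SUBNET_ID,
    "properties": {
        "addressPrefix": "10.0.2.0/24",
        "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["westeurope"]}],
    },
}
# Same subnet before the endpoint was enabled.
SUBNET_WITHOUT_ENDPOINT = {
    "id": SUBNET_ID,
    "properties": {"addressPrefix": "10.0.2.0/24", "serviceEndpoints": []},
}

# Weak setting: default Allow, so the public endpoint is reachable from anywhere.
OPEN_RULESET = {"defaultAction": "Allow", "virtualNetworkRules": [], "ipRules": []}

# Hardened setting: deny by default, allow only the endpoint-enabled subnet and one
# on-premises public range (ipRules take public addresses; private ranges are rejected).
LOCKED_RULESET = {
    "defaultAction": "Deny",
    "virtualNetworkRules": [{"id": SUBNET_ID, "action": "Allow"}],
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
}


def subnet_has_endpoint(subnet: dict, service: str) -> bool:
    """True if the subnet has a service endpoint for `service` (e.g. Microsoft.Storage)."""
    return any(ep["service"].lower() == service.lower()
               for ep in subnet["properties"].get("serviceEndpoints", []))


def evaluate_request(ruleset: dict, source: dict) -> bool:
    """Decide whether the resource firewall admits a request.

    source is {'subnet': <id>} for traffic that arrived through a service endpoint,
    or {'ip': <public address>} for traffic that arrived from the internet.
    """
    if "subnet" in source:
        if any(rule["id"].lower() == source["subnet"].lower() and rule["action"] == "Allow"
               for rule in ruleset["virtualNetworkRules"]):
            return True
    elif "ip" in source:
        src = ipaddress.ip_address(source["ip"])
        if any(src in ipaddress.ip_network(rule["value"], strict=False) and rule["action"] == "Allow"
               for rule in ruleset["ipRules"]):
            return True
    return ruleset["defaultAction"] == "Allow"


def request_from_subnet(ruleset: dict, subnet: dict, service: str, egress_ip: str) -> bool:
    """Request from a VM in `subnet`. Without the endpoint the traffic leaves through the
    VNet's outbound public address (egress_ip, constructed) and is judged as internet traffic."""
    if subnet_has_endpoint(subnet, service):
        return evaluate_request(ruleset, {"subnet": subnet["id"]})
    return evaluate_request(ruleset, {"ip": egress_ip})


if __name__ == "__main__":
    for label, rs in (("open", OPEN_RULESET), ("locked", LOCKED_RULESET)):
        print(label, "endpoint subnet:",
              request_from_subnet(rs, SUBNET_WITH_ENDPOINT, "Microsoft.Storage", "198.51.100.7"))
        print(label, "subnet without endpoint:",
              request_from_subnet(rs, SUBNET_WITHOUT_ENDPOINT, "Microsoft.Storage", "198.51.100.7"))
        print(label, "random internet host:", evaluate_request(rs, {"ip": "192.0.2.9"}))
```

The locked rule set is the configuration the text describes as securing the resource to the virtual network; the open one is what you have immediately after enabling the endpoint on the subnet and nothing else.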

Service tags

A service tag represents a group of IP address prefixes for a given Azure service. Using service tags, you can define network access controls on network security groups or Azure Firewall. By specifying the service tag name (for example, AzureEventGrid) in the appropriate source or destination field of a rule, you can allow or deny traffic for the corresponding service. Microsoft maintains the prefixes behind each tag, so the rule keeps working as the service's addresses change.

Diagram: allowing or denying traffic with service tags

You can use service tags to achieve network isolation and protect your Azure resources from the general internet while still reaching Azure services that have public endpoints. Create inbound and outbound network security group rules that deny traffic to and from Internet and allow traffic to and from AzureCloud or the service tags of the specific Azure services you use. Because rules are evaluated in priority order, the allow rules for the service tags need a higher priority (lower number) than the deny-Internet rule; and because AzureCloud covers every public Azure address, including resources that belong to other tenants, prefer the narrower service-specific or regional tag where one exists.

For more information about service tags and the Azure services that support them, see Service Tags Overview.
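The allow-service-tag, deny-Internet pattern above depends on priority order and on how broad the chosen tag is. The following added example (not code from the Azure documentation) expands service tags into prefixes and evaluates an outbound rule set the way an NSG does, lowest priority number first, with Azure's default outbound rules at the end. The prefixes under SERVICE_TAGS are constructed stand-ins (the real ones come from the Service Tag Discovery API or the downloadable service tag JSON); the rule objects follow the shape of NSG securityRules, and the VNet prefix and destinations are made up.

```python
"""Evaluate outbound NSG rules that reference service tags.

Added example. SERVICE_TAGS holds constructed prefixes standing in for the real
Microsoft-published lists; rules follow the NSG securityRules shape.
"""
import ipaddress

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")

# Constructed prefixes. AzureCloud is a superset of every other Azure service tag.
SERVICE_TAGS = {
    "AzureEventGrid": ["203.0.113.0/24"],
    "Storage.WestEurope": ["198.51.100.0/25"],
    "AzureCloud": ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"],
}

# Custom rules: allow the specific services first, deny everything else public.
OUTBOUND_RULES = [
    {"name": "allow-eventgrid", "priority": 100, "access": "Allow",
     "destinationAddressPrefix": "AzureEventGrid", "destinationPortRange": "443"},
    {"name": "allow-storage-weu", "priority": 110, "access": "Allow",
     "destinationAddressPrefix": "Storage.WestEurope", "destinationPortRange": "443"},
    {"name": "deny-internet", "priority": 4000, "access": "Deny",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
]

# Azure's default outbound rules: lowest priority, evaluated last.
DEFAULT_OUTBOUND_RULES = [
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def prefix_matches(prefix: str, ip) -> bool:
    """Expand a service tag, built-in tag or CIDR and test the address against it."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_PREFIX
    if prefix == "Internet":  # everything outside the VNet, Azure public addresses included
        return ip not in VNET_PREFIX
    if prefix in SERVICE_TAGS:
        return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS[prefix])
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """Match '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(x) for x in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def evaluate_outbound(rules, dst_ip: str, dst_port: int):
    """Return (access, rule name) of the first matching rule in ascending priority order."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in sorted(list(rules) + DEFAULT_OUTBOUND_RULES, key=lambda r: r["priority"]):
        if prefix_matches(rule["destinationAddressPrefix"], ip) and \
           port_matches(rule["destinationPortRange"], dst_port):
            return rule["access"], rule["name"]
    raise AssertionError("DenyAllOutBound always matches")


if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 443), ("198.51.100.200", 443),
                     ("192.0.2.5", 443), ("10.0.3.4", 1433)]:
        print(ip, port, "->", evaluate_outbound(OUTBOUND_RULES, ip, port))
```

Two things the run makes visible: an address inside AzureCloud but outside the tags you allowed (192.0.2.5 here) is denied, which is the point of preferring narrow tags; and with no custom rules at all the default AllowInternetOutBound admits everything, so the deny-Internet rule is what actually closes the door.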

Next steps