
Configure ExpressRoute and Site-to-Site coexisting connections using PowerShell

This article helps you configure ExpressRoute and Site-to-Site VPN connections that coexist, using the Resource Manager deployment model.

Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:

  • You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.
  • Alternatively, you can use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.

The steps to configure both scenarios are covered in this article. This article applies to the Resource Manager deployment model and uses PowerShell. You can also configure these scenarios using the Azure portal, although documentation is not yet available. You can configure either gateway first. Typically, you incur no downtime when adding a new gateway or gateway connection.

Note

If you want to create a Site-to-Site VPN over an ExpressRoute circuit, see this article.

Limits and limitations

  • Transit routing is not supported. You cannot route (via Azure) between your local network connected via Site-to-Site VPN and your local network connected via ExpressRoute.
  • Basic SKU gateway is not supported. You must use a non-Basic SKU gateway for both the ExpressRoute gateway and the VPN gateway.
  • Only route-based VPN gateway is supported. You must use a route-based VPN gateway. You can also use a route-based VPN gateway with a VPN connection configured for 'policy-based traffic selectors' as described in Connect to multiple policy-based VPN devices.
  • Static route should be configured for your VPN gateway. If your local network is connected to both ExpressRoute and a Site-to-Site VPN, you must have a static route configured in your local network that sends traffic for the Azure VPN gateway's public IP address out over the public Internet, so that the IPsec tunnel itself is not routed over the ExpressRoute circuit.
  • VPN Gateway defaults to ASN 65515 if not specified. Azure VPN Gateway supports the BGP routing protocol. You can specify the ASN (AS number) for a virtual network by adding the -Asn switch. If you don't specify this parameter, the default AS number is 65515. You can use any ASN for the configuration, but if you select something other than 65515, you must reset the gateway for the setting to take effect.

Configuration designs

Configure a Site-to-Site VPN as a failover path for ExpressRoute

You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This connection applies only to virtual networks linked to the Azure private peering path. There is no VPN-based failover solution for services accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetric routing, your local network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN. You can prefer the ExpressRoute path by setting a higher local preference for the routes received over ExpressRoute.

Note

While the ExpressRoute circuit is preferred over the Site-to-Site VPN when both carry the same route, Azure still uses the longest prefix match to choose the route toward the packet's destination. A more specific prefix advertised only over the VPN therefore wins over a less specific prefix advertised over ExpressRoute, so advertise the same prefixes on both paths.

[Diagram: coexisting connections]
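The failover design only works if every on-premises prefix that reaches Azure over the ExpressRoute private peering is also advertised to the VPN gateway over BGP. The following function is an added example (it is not part of the original article) that compares the two. It assumes the Az.Network module is loaded, that the VPN gateway and circuit names, resource groups and the on-premises ASN are placeholders you replace, and that the circuit's route table also contains the VNet prefixes Azure advertises (those are dropped from the comparison because the VPN gateway reports them with Origin 'Network'):

```powershell
# Added example, not from the original article. Reports prefixes that arrive over the
# ExpressRoute private peering but are NOT learned by the VPN gateway over eBGP, i.e.
# destinations that would become unreachable if the circuit failed.
function Get-FailoverCoverageGap {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,        # resource group of the VPN gateway
        [Parameter(Mandatory)] [string] $VpnGatewayName,           # e.g. 'VPNGateway' from the steps below
        [Parameter(Mandatory)] [string] $CircuitName,              # e.g. 'YourCircuit'
        [string] $CircuitResourceGroupName = $ResourceGroupName    # circuit may live elsewhere
    )

    # Routes on the primary MSEE for private peering; includes on-prem and VNet prefixes.
    $erRoutes = Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $CircuitResourceGroupName `
        -ExpressRouteCircuitName $CircuitName -PeeringType AzurePrivatePeering -DevicePath Primary

    # Everything the VPN gateway currently knows, with its origin.
    $learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $ResourceGroupName `
        -VirtualNetworkGatewayName $VpnGatewayName

    # Origin 'Network' = the VNet's own address space; Origin 'EBgp' = routes from the on-prem VPN device.
    $localPrefixes = @($learned | Where-Object { $_.Origin -eq 'Network' } | ForEach-Object Network | Sort-Object -Unique)
    $vpnPrefixes   = @($learned | Where-Object { $_.Origin -eq 'EBgp' }    | ForEach-Object Network | Sort-Object -Unique)

    # Drop the VNet prefixes so only on-premises destinations are compared.
    $erPrefixes = @($erRoutes.Network | Sort-Object -Unique | Where-Object { $localPrefixes -notcontains $_ })

    foreach ($prefix in $erPrefixes) {
        [pscustomobject]@{
            Prefix           = $prefix
            OverExpressRoute = $true
            OverVpnBgp       = ($vpnPrefixes -contains $prefix)
        }
    }
}

# Rows with OverVpnBgp = $false have no backup path; fix the advertisement on the on-prem VPN device.
Get-FailoverCoverageGap -ResourceGroupName 'ErVpnCoex' -VpnGatewayName 'VPNGateway' -CircuitName 'YourCircuit' |
    Where-Object { -not $_.OverVpnBgp }
```

The comparison is on exact prefix strings. If the on-premises device advertises an aggregate over the VPN (say 10.0.0.0/8) that covers several /16s advertised over ExpressRoute, those /16s are reported as gaps even though they remain reachable; treat such rows as a prompt to check, and remember that the longest-prefix rule in the note above applies in the other direction as well.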

Configure a Site-to-Site VPN to connect to sites not connected through ExpressRoute

You can configure your network so that some sites connect directly to Azure over Site-to-Site VPN, and some sites connect through ExpressRoute.

[Diagram: coexisting connections]

Note

You cannot configure a virtual network as a transit router.

Selecting the steps to use

There are two different sets of procedures to choose from. The configuration procedure that you select depends on whether you have an existing virtual network that you want to connect to, or you want to create a new virtual network.

  • I don't have a VNet and need to create one.

    If you don't already have a virtual network, this procedure walks you through creating a new virtual network using the Resource Manager deployment model and creating new ExpressRoute and Site-to-Site VPN connections. To configure a virtual network, follow the steps in To create a new virtual network and coexisting connections.

  • I already have a Resource Manager deployment model VNet.

    You may already have a virtual network in place with an existing Site-to-Site VPN connection or ExpressRoute connection. In this scenario, if the gateway subnet mask is /28 or smaller (/28, /29, and so on), you have to delete the existing gateway. The section To configure coexisting connections for an already existing VNet walks you through deleting the gateway, and then creating new ExpressRoute and Site-to-Site VPN connections.

    If you delete and recreate your gateway, you will have downtime for your cross-premises connections. However, your VMs and services will still be able to communicate out through the load balancer while you configure your gateway, if they are configured to do so.

Before you begin

The steps and examples in this article use the Azure PowerShell Az module. To install the Az module locally on your computer, see Install Azure PowerShell. To learn more about the new Az module, see Introducing the new Azure PowerShell Az module. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the installed versions of the Az module on your system, use the Get-Module -ListAvailable Az cmdlet.

You can use Azure Cloud Shell to run most PowerShell cmdlets instead of installing Azure PowerShell locally. Azure Cloud Shell is a free interactive shell that has common Azure tools preinstalled and is configured to use with your account. To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed; press Enter to run the code.

There are a few ways to launch the Cloud Shell:

  • Click Try It in the upper right corner of a code block.
  • Open Cloud Shell in your browser: https://shell.azure.com/powershell
  • Click the Cloud Shell button on the menu in the upper right of the Azure portal.

To create a new virtual network and coexisting connections

This procedure walks you through creating a VNet and Site-to-Site and ExpressRoute connections that will coexist. The cmdlets that you use for this configuration may be slightly different from what you are familiar with. Be sure to use the cmdlets specified in these instructions.

  1. Sign in and select your subscription.

    If you are using the Azure Cloud Shell, you are signed in to your Azure account automatically after clicking 'Try it'. To sign in locally, open your PowerShell console with elevated privileges and run the cmdlet to connect.

    Connect-AzAccount
    

    If you have more than one subscription, get a list of your Azure subscriptions.

    Get-AzSubscription
    

    Specify the subscription that you want to use.

    Select-AzSubscription -SubscriptionName "Name of subscription"
    
  2. Set variables.

    $location = "Central US"
    $resgrp = New-AzResourceGroup -Name "ErVpnCoex" -Location $location
    $VNetASN = 65515
    
  3. Create a virtual network including the Gateway Subnet. For more information about creating a virtual network, see Create a virtual network. For more information about creating subnets, see Create a subnet.

    Important

    The Gateway Subnet must be /27 or a shorter prefix (such as /26 or /25).

    Create a new VNet.

    $vnet = New-AzVirtualNetwork -Name "CoexVnet" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AddressPrefix "10.200.0.0/16"
    

    Add subnets.

    Add-AzVirtualNetworkSubnetConfig -Name "App" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24"
    Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.0/24"
    

    Save the VNet configuration.

    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    
  4. Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration, see Configure a VNet with a Site-to-Site connection. The GatewaySku is only supported for VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU. The VpnType must be RouteBased.

    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $gwIP = New-AzPublicIpAddress -Name "VPNGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AllocationMethod Dynamic
    $gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "VPNGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
    New-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1"
    

    Azure VPN gateway supports the BGP routing protocol. You can specify the ASN (AS number) for the virtual network by adding the -Asn switch, as in the following command. This is an alternative to the command above, not a second gateway: both create a gateway named VPNGateway, so run only one of them. If you don't specify the parameter, the AS number defaults to 65515.

    $azureVpn = New-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1" -Asn $VNetASN
    

    You can find the BGP peering IP and the AS number that Azure uses for the VPN gateway in $azureVpn.BgpSettings.BgpPeeringAddress and $azureVpn.BgpSettings.Asn. For more information, see Configure BGP for Azure VPN gateway.

  5. Create a local site VPN gateway entity. This command doesn't configure your on-premises VPN gateway. Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises address space, so that the Azure VPN gateway can connect to it.

    If your local VPN device only supports static routing, you can configure the static routes in the following way:

    $MyLocalNetworkAddress = @("10.100.0.0/16","10.101.0.0/16","10.102.0.0/16")
    $localVpn = New-AzLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -GatewayIpAddress "<Public IP>" -AddressPrefix $MyLocalNetworkAddress
    

    If your local VPN device supports BGP and you want to enable dynamic routing, you need to know the BGP peering IP and the AS number that your local VPN device uses. The address prefix of the local network gateway is then just the peering IP as a /32; the remaining on-premises prefixes are learned over BGP.

    $localVPNPublicIP = "<Public IP>"
    $localBGPPeeringIP = "<Private IP for the BGP session>"
    $localBGPASN = "<ASN>"
    $localAddressPrefix = $localBGPPeeringIP + "/32"
    $localVpn = New-AzLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -GatewayIpAddress $localVPNPublicIP -AddressPrefix $localAddressPrefix -BgpPeeringAddress $localBGPPeeringIP -Asn $localBGPASN
    
  6. Configure your local VPN device to connect to the new Azure VPN gateway. For more information about VPN device configuration, see VPN Device Configuration.

  7. Link the Site-to-Site VPN gateway on Azure to the local gateway. The shared key is the IPsec pre-shared key that both ends must hold; use a long random value and keep it out of scripts and shell history.

    $azureVpn = Get-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName
    New-AzVirtualNetworkGatewayConnection -Name "VPNConnection" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn -ConnectionType IPsec -SharedKey <yourkey>
    
  8. If you are connecting to an existing ExpressRoute circuit, skip steps 8 and 9 and jump to step 10. Otherwise, configure the ExpressRoute circuit. For more information about configuring an ExpressRoute circuit, see Create an ExpressRoute circuit.

  9. Configure Azure private peering over the ExpressRoute circuit. For more information about configuring Azure private peering over the ExpressRoute circuit, see Configure peering.

  10. Create an ExpressRoute gateway. For more information about the ExpressRoute gateway configuration, see ExpressRoute gateway configuration. The GatewaySKU must be Standard, HighPerformance, or UltraPerformance.

    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $gwIP = New-AzPublicIpAddress -Name "ERGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AllocationMethod Dynamic
    $gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "ERGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
    $gw = New-AzVirtualNetworkGateway -Name "ERGateway" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -IpConfigurations $gwConfig -GatewayType "ExpressRoute" -GatewaySku Standard
    
  11. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the connection between your on-premises network and Azure, through ExpressRoute, is established. For more information about the link operation, see Link VNets to ExpressRoute.

    $ckt = Get-AzExpressRouteCircuit -Name "YourCircuit" -ResourceGroupName "YourCircuitResourceGroup"
    New-AzVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute
    
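Step 7 above takes the pre-shared key on the command line. The following function is an added example, not code from the original article, that creates the same Site-to-Site connection with the key read from Azure Key Vault at run time, enables BGP on the connection only when both gateways are set up for it, and then waits for the tunnel and the BGP session to report as up. It assumes the Az.Network and Az.KeyVault modules are loaded, the gateways created in steps 4 and 5 exist, the caller has Key Vault secret read permission, and a vault named 'ErVpnCoexKv' holds a secret 'vpn-psk' (both names are placeholders); the 32-character minimum is this example's own policy, not an Azure requirement:

```powershell
# Added example, not from the original article.
function New-CoexVpnConnection {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $VpnGatewayName,      # 'VPNGateway' from step 4
        [Parameter(Mandatory)] [string] $LocalGatewayName,    # 'LocalVPNGateway' from step 5
        [Parameter(Mandatory)] [string] $VaultName,           # placeholder: 'ErVpnCoexKv'
        [Parameter(Mandatory)] [string] $SecretName,          # placeholder: 'vpn-psk'
        [string] $ConnectionName = 'VPNConnection',
        [int] $TimeoutMinutes = 10
    )

    $azureVpn = Get-AzVirtualNetworkGateway -Name $VpnGatewayName -ResourceGroupName $ResourceGroupName
    $localVpn = Get-AzLocalNetworkGateway  -Name $LocalGatewayName -ResourceGroupName $ResourceGroupName

    # The PSK is fetched at run time and never written into the script or the shell history.
    $psk = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText
    if ([string]::IsNullOrEmpty($psk) -or $psk.Length -lt 32) {
        throw "Secret $VaultName/$SecretName is missing or shorter than 32 characters (example policy)"
    }

    # Only turn on BGP for the connection when the Azure gateway has BGP enabled and the
    # local network gateway was created with a peering address (step 5, BGP variant).
    $useBgp = ($azureVpn.EnableBgp -eq $true) -and
              -not [string]::IsNullOrEmpty($localVpn.BgpSettings.BgpPeeringAddress)

    $conn = New-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName `
        -Location $Location -VirtualNetworkGateway1 $azureVpn -LocalNetworkGateway2 $localVpn `
        -ConnectionType IPsec -SharedKey $psk -EnableBgp $useBgp
    $psk = $null

    # Poll the connection until the IPsec tunnel reports Connected, or give up after the timeout.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName
    } until ($conn.ConnectionStatus -eq 'Connected' -or (Get-Date) -gt $deadline)

    $bgpPeers = if ($useBgp) {
        Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $VpnGatewayName -ResourceGroupName $ResourceGroupName
    }

    [pscustomobject]@{
        Connection       = $conn.Name
        ConnectionStatus = $conn.ConnectionStatus      # expect 'Connected' once the on-prem device is configured
        BgpEnabled       = $useBgp
        BgpPeers         = @($bgpPeers | ForEach-Object { "$($_.Neighbor) AS$($_.Asn) $($_.State)" })
    }
}

New-CoexVpnConnection -ResourceGroupName $resgrp.ResourceGroupName -Location $location `
    -VpnGatewayName 'VPNGateway' -LocalGatewayName 'LocalVPNGateway' `
    -VaultName 'ErVpnCoexKv' -SecretName 'vpn-psk'
```

Until the on-premises device in step 6 is configured with the same key, ConnectionStatus stays at NotConnected or Connecting and the function returns after the timeout; rerunning it is harmless because New-AzVirtualNetworkGatewayConnection on an existing name updates the connection rather than creating a second one.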

To configure coexisting connections for an already existing VNet

If you have a virtual network that has only one virtual network gateway (for example, a Site-to-Site VPN gateway) and you want to add another gateway of a different type (for example, an ExpressRoute gateway), check the gateway subnet size. If the gateway subnet is /27 or larger, you can skip the steps below and follow the steps in the previous section to add either a Site-to-Site VPN gateway or an ExpressRoute gateway. If the gateway subnet is /28 or /29, you have to first delete the virtual network gateway and increase the gateway subnet size. The steps in this section show you how to do that.

The cmdlets that you use for this configuration may be slightly different from what you are familiar with. Be sure to use the cmdlets specified in these instructions.
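Before deleting anything, it is worth checking in one pass what the limits section and the paragraph above require: the GatewaySubnet prefix length, and the SKU and VPN type of any gateway already in that subnet. The following function is an added example (not code from the original article) that does this for an existing VNet. It assumes the Az.Network module is loaded and you are signed in; the VNet and resource group names in the call are placeholders:

```powershell
# Added example, not from the original article: pre-flight check before adding a second
# gateway to an existing VNet. Reports whether the GatewaySubnet is /27 or larger and
# flags existing gateways that violate the coexistence limits (Basic SKU, PolicyBased VPN).
function Test-CoexistenceReadiness {
    param(
        [Parameter(Mandatory)] [string] $VnetName,
        [Parameter(Mandatory)] [string] $ResourceGroupName
    )

    $vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
    $gwSubnet = $vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' }
    if (-not $gwSubnet) {
        Write-Warning "No GatewaySubnet in $VnetName; add one that is /27 or larger."
        return
    }

    # AddressPrefix may be a string or a list depending on module version; take the first.
    $prefix = @($gwSubnet.AddressPrefix)[0]
    $prefixLength = [int] (($prefix -split '/')[1])
    $bigEnough = $prefixLength -le 27          # /27, /26, /25 ... are fine; /28, /29 are not

    # Gateways already attached to this subnet, with the properties the limits care about.
    $gateways = @(Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.IpConfigurations.Subnet.Id -contains $gwSubnet.Id })

    $findings = foreach ($gw in $gateways) {
        $problems = @()
        if ($gw.Sku.Name -eq 'Basic') { $problems += 'Basic SKU is not supported for coexistence' }
        if ($gw.GatewayType -eq 'Vpn' -and $gw.VpnType -ne 'RouteBased') { $problems += 'VPN gateway must be RouteBased' }
        [pscustomobject]@{
            Gateway  = $gw.Name
            Type     = $gw.GatewayType
            Sku      = $gw.Sku.Name
            VpnType  = $gw.VpnType
            Problems = ($problems -join '; ')
        }
    }

    $action = if ($bigEnough) { 'Add the second gateway in place (previous section)' }
              else { 'Delete the existing gateway, enlarge GatewaySubnet to /27 or larger, then recreate (this section)' }

    [pscustomobject]@{
        GatewaySubnet     = $prefix
        PrefixLength      = $prefixLength
        SubnetLargeEnough = $bigEnough
        ExistingGateways  = $findings
        Action            = $action
    }
}

Test-CoexistenceReadiness -VnetName 'CoexVnet' -ResourceGroupName 'ErVpnCoex'
```

A gateway listed with a non-empty Problems value has to be deleted and recreated even when the subnet is already large enough, because SKU and VPN type cannot be changed from Basic or PolicyBased in place.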

  1. Delete the existing ExpressRoute or Site-to-Site VPN gateway.

    Remove-AzVirtualNetworkGateway -Name <yourgatewayname> -ResourceGroupName <yourresourcegroup>
    
  2. Delete the Gateway Subnet.

    $vnet = Get-AzVirtualNetwork -Name <yourvnetname> -ResourceGroupName <yourresourcegroup>
    Remove-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
    
  3. Add a Gateway Subnet that is /27 or larger.

    Note

    If you don't have enough IP addresses left in your virtual network to increase the gateway subnet size, you need to add more IP address space.

    $vnet = Get-AzVirtualNetwork -Name <yourvnetname> -ResourceGroupName <yourresourcegroup>
    Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "10.200.255.0/24"
    

    Save the VNet configuration.

    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    
  4. At this point, you have a virtual network with no gateways. To create new gateways and set up the connections, use the following examples:

    Set the variables. ($resgrp and $location are assumed to hold your resource group object and region, as in step 2 of the previous section; substitute your own values.)

    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
    $gwIP = New-AzPublicIpAddress -Name "ERGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -AllocationMethod Dynamic
    $gwConfig = New-AzVirtualNetworkGatewayIpConfig -Name "ERGatewayIpConfig" -SubnetId $gwSubnet.Id -PublicIpAddressId $gwIP.Id
    

    Create the gateway.

    $gw = New-AzVirtualNetworkGateway -Name <yourgatewayname> -ResourceGroupName <yourresourcegroup> -Location <yourlocation> -IpConfigurations $gwConfig -GatewayType "ExpressRoute" -GatewaySku Standard
    

    Create the connection.

    $ckt = Get-AzExpressRouteCircuit -Name "YourCircuit" -ResourceGroupName "YourCircuitResourceGroup"
    New-AzVirtualNetworkGatewayConnection -Name "ERConnection" -ResourceGroupName $resgrp.ResourceGroupName -Location $location -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute
    

To add point-to-site configuration to the VPN gateway

You can follow the steps below to add Point-to-Site configuration to your VPN gateway in a coexistence setup. To upload the VPN root certificate, you must either install PowerShell locally on your computer, or use the Azure portal.

  1. Add the VPN client address pool.

    $azureVpn = Get-AzVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName
    Set-AzVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $azureVpn -VpnClientAddressPool "10.251.251.0/24"
    
  2. Upload the VPN root certificate to Azure for your VPN gateway. In this example, it's assumed that the root certificate is stored in the local machine where the following PowerShell cmdlets are run and that you are running PowerShell locally. You can also upload the certificate using the Azure portal.

    $p2sCertFullName = "RootErVpnCoexP2S.cer" 
    $p2sCertMatchName = "RootErVpnCoexP2S" 
    $p2sCertToUpload=get-childitem Cert:\CurrentUser\My | Where-Object {$_.Subject -match $p2sCertMatchName} 
    if (@($p2sCertToUpload).count -eq 1){write-host "cert found"} else {write-host "cert not found"; exit}
    $p2sCertData = [System.Convert]::ToBase64String($p2sCertToUpload.RawData) 
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $p2sCertFullName -VirtualNetworkGatewayname $azureVpn.Name -ResourceGroupName $resgrp.ResourceGroupName -PublicCertData $p2sCertData
    
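The snippet above uploads whatever certificate matches the subject. Since every client certificate chained to this root will be accepted by the gateway, it pays to verify that it is actually a CA certificate that has not expired, and to avoid registering the same root twice. The following function is an added example, not code from the original article; it assumes the Az.Network module is loaded, $azureVpn and $resgrp from the steps above, and that the root certificate's subject contains 'RootErVpnCoexP2S':

```powershell
# Added example, not from the original article: validate the P2S root certificate
# and upload only its public part, skipping the upload if it is already registered.
function Publish-P2SRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $SubjectMatch,        # regex matched against the Subject
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )

    $candidates = @(Get-ChildItem $StorePath | Where-Object { $_.Subject -match $SubjectMatch })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one certificate matching '$SubjectMatch' in $StorePath, found $($candidates.Count)"
    }
    $cert = $candidates[0]

    # Basic Constraints must say CA=true; client certs issued from a non-CA cert will not validate.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "Certificate $($cert.Thumbprint) is not a CA certificate" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key for $($cert.Thumbprint) in this store; you cannot issue client certificates from here"
    }

    # Only the DER-encoded public certificate leaves the machine; the private key stays in the store.
    $publicData = [System.Convert]::ToBase64String($cert.RawData)

    # Compare against roots already on the gateway (PublicCertData is the same base64 DER form).
    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $already = $gw.VpnClientConfiguration.VpnClientRootCertificates | Where-Object { $_.PublicCertData -eq $publicData }
    if ($already) {
        Write-Host "Root certificate already registered as '$($already.Name)'"
        return $already
    }

    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "$($cert.Thumbprint).cer" `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName -PublicCertData $publicData
}

Publish-P2SRootCertificate -SubjectMatch 'RootErVpnCoexP2S' -GatewayName $azureVpn.Name -ResourceGroupName $resgrp.ResourceGroupName
```

Naming the uploaded root by thumbprint rather than by a friendly file name makes it unambiguous which root a later Remove-AzVpnClientRootCertificate call revokes when the signing key is rotated.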

For more information on Point-to-Site VPN, see Configure a Point-to-Site connection.

Next steps

For more information about ExpressRoute, see the ExpressRoute FAQ.