Create a zone-redundant virtual network gateway in Azure Availability Zones

You can deploy VPN and ExpressRoute gateways in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. For information, see About zone-redundant virtual network gateways and About Azure Availability Zones.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can use either PowerShell installed locally on your computer, or the Azure Cloud Shell. If you choose to install and use the PowerShell locally, this feature requires the latest version of the PowerShell module.

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell, an interactive shell environment hosted in Azure and used through the browser. Azure Cloud Shell comes with the Azure PowerShell cmdlets pre-installed.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run code.

You can launch Azure Cloud Shell with:

Select Try It in the upper-right corner of a code block. This doesn't automatically copy text to Cloud Shell.
Open shell.azure.com in your browser.
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

To use PowerShell locally

If you are using PowerShell locally on your computer, rather than using Cloud Shell, you must install PowerShell module 1.0.0 or higher. To check the version of PowerShell that you have installed, use the following command:

Get-Module Az -ListAvailable | Select-Object -Property Name,Version,Path

If you need to upgrade, see Install Azure PowerShell module.

Before beginning this configuration, you must sign in to your Azure account. The cmdlet prompts you for the sign-in credentials for your Azure account. After signing in, it downloads your account settings so they are available to Azure PowerShell. For more information, see Using Windows PowerShell with Resource Manager.

To sign in, open your PowerShell console with elevated privileges, and connect to your account. Use the following example to help you connect:

Connect-AzAccount

If you have multiple Azure subscriptions, check the subscriptions for the account.

Get-AzSubscription

Specify the subscription that you want to use.

Select-AzSubscription -SubscriptionName "Replace_with_your_subscription_name"

1. Declare your variables

The values used for the example steps are listed below. Additionally, some of the examples use declared variables within the steps. If you are using these steps in your own environment, be sure to replace these values with your own. When specifying location, verify that the region you specify is supported. For more information, see the FAQ.

$RG1         = "TestRG1"
$VNet1       = "VNet1"
$Location1   = "CentralUS"
$FESubnet1   = "FrontEnd"
$BESubnet1   = "Backend"
$GwSubnet1   = "GatewaySubnet"
$VNet1Prefix = "10.1.0.0/16"
$FEPrefix1   = "10.1.0.0/24"
$BEPrefix1   = "10.1.1.0/24"
$GwPrefix1   = "10.1.255.0/27"
$Gw1         = "VNet1GW"
$GwIP1       = "VNet1GWIP"
$GwIPConf1   = "gwipconf1"

2. Create the virtual network

Create a resource group.

New-AzResourceGroup -ResourceGroupName $RG1 -Location $Location1

Create a virtual network.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
$vnet = New-AzVirtualNetwork -Name $VNet1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNet1Prefix -Subnet $fesub1,$besub1

3. Add the gateway subnet

The gateway subnet contains the reserved IP addresses that the virtual network gateway services use. Use the following examples to add and set a gateway subnet:

Add the gateway subnet.

$getvnet = Get-AzVirtualNetwork -ResourceGroupName $RG1 -Name VNet1
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $getvnet

Set the gateway subnet configuration for the virtual network.

$getvnet | Set-AzVirtualNetwork

4. Request a public IP address

In this step, choose the instructions that apply to the gateway that you want to create. The selection of zones for deploying the gateways depends on the zones specified for the public IP address.

For zone-redundant gateways

Request a public IP address with a Standard PublicIpaddress SKU and do not specify any zone. In this case, the Standard public IP address created will be a zone-redundant public IP.

$pip1 = New-AzPublicIpAddress -ResourceGroup $RG1 -Location $Location1 -Name $GwIP1 -AllocationMethod Static -Sku Standard

For zonal gateways

Request a public IP address with a Standard PublicIpaddress SKU. Specify the zone (1, 2 or 3). All gateway instances will be deployed in this zone.

$pip1 = New-AzPublicIpAddress -ResourceGroup $RG1 -Location $Location1 -Name $GwIP1 -AllocationMethod Static -Sku Standard -Zone 1

For regional gateways

Request a public IP address with a Basic PublicIpaddress SKU. In this case, the gateway is deployed as a regional gateway and does not have any zone-redundancy built into the gateway. The gateway instances are created in any zone.

$pip1 = New-AzPublicIpAddress -ResourceGroup $RG1 -Location $Location1 -Name $GwIP1 -AllocationMethod Dynamic -Sku Basic

5. Create the IP configuration

$getvnet = Get-AzVirtualNetwork -ResourceGroupName $RG1 -Name $VNet1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $GwSubnet1 -VirtualNetwork $getvnet
$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 -Subnet $subnet -PublicIpAddress $pip1

6. Create the gateway

Create the virtual network gateway.

For ExpressRoute

New-AzVirtualNetworkGateway -ResourceGroup $RG1 -Location $Location1 -Name $Gw1 -IpConfigurations $GwIPConf1 -GatewayType ExpressRoute -GatewaySku ErGw1AZ

For VPN Gateway

New-AzVirtualNetworkGateway -ResourceGroup $RG1 -Location $Location1 -Name $Gw1 -IpConfigurations $GwIPConf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ
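
The rules in step 4 can be turned into a post-deployment check that reports which zone model a gateway actually ended up with. The following is an added example, not part of the original article: the function name Test-GatewayZoneModel, its parameters and the sample inputs are constructed for illustration, and the classification follows only the three cases this article describes.

```powershell
# Added example: classify a gateway deployment with the rules from step 4 and
# compare the result with the model you intended to deploy.
function Test-GatewayZoneModel {
    param(
        [Parameter(Mandatory)][string] $GatewayName,
        [Parameter(Mandatory)][string] $GatewaySku,    # e.g. VpnGw1AZ, ErGw1AZ
        [Parameter(Mandatory)][string] $PublicIpSku,   # Standard or Basic
        [string[]] $Zones = @(),                       # zones set on the public IP
        [ValidateSet('ZoneRedundant', 'Zonal', 'Regional')]
        [string] $Expected = 'ZoneRedundant'
    )

    if ($PublicIpSku -eq 'Basic') {
        $model = 'Regional'         # Basic SKU: no zone redundancy built in
    } elseif ($Zones.Count -eq 0) {
        $model = 'ZoneRedundant'    # Standard SKU, no zone specified
    } elseif ($Zones.Count -eq 1) {
        $model = 'Zonal'            # Standard SKU pinned to zone 1, 2 or 3
    } else {
        $model = 'Unclassified'     # combination this article does not describe
    }

    [pscustomobject]@{
        Gateway       = $GatewayName
        GatewaySku    = $GatewaySku
        PublicIpSku   = $PublicIpSku
        Zones         = $Zones -join ','
        Model         = $model
        MeetsExpected = ($model -eq $Expected)
    }
}

# Constructed sample inputs, one per option in step 4.
$samples = @(
    @{ GatewayName = 'VNet1GW'; GatewaySku = 'VpnGw1AZ'; PublicIpSku = 'Standard'; Zones = @() }
    @{ GatewayName = 'VNet1GW'; GatewaySku = 'VpnGw1AZ'; PublicIpSku = 'Standard'; Zones = @('1') }
    @{ GatewayName = 'VNet1GW'; GatewaySku = 'VpnGw1AZ'; PublicIpSku = 'Basic';    Zones = @() }
)
$results = foreach ($s in $samples) { Test-GatewayZoneModel @s }
$results | Format-Table -AutoSize

# Against a live deployment (after Connect-AzAccount), read the same fields:
#   $gw  = Get-AzVirtualNetworkGateway -ResourceGroupName $RG1 -Name $Gw1
#   $pip = Get-AzPublicIpAddress -ResourceGroupName $RG1 -Name $GwIP1
#   Test-GatewayZoneModel -GatewayName $gw.Name -GatewaySku $gw.Sku.Name `
#       -PublicIpSku $pip.Sku.Name -Zones $pip.Zones
```

Rows where MeetsExpected is False are gateways whose public IP settings do not give the zone model you planned for.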

FAQ

What will change when I deploy these new SKUs?

From your perspective, you can deploy your gateways with zone-redundancy. This means that all instances of the gateways will be deployed across Azure Availability Zones, and each Availability Zone is a different fault and update domain. This makes your gateways more reliable, available, and resilient to zone failures.

Can I use the Azure portal?

Yes, you can use the Azure portal to deploy the new SKUs. However, you will see these new SKUs only in those Azure regions that have Azure Availability Zones.

What regions are available for me to use the new SKUs?

See Availability Zones for the latest list of available regions.

Can I change/migrate/upgrade my existing virtual network gateways to zone-redundant or zonal gateways?

Migrating your existing virtual network gateways to zone-redundant or zonal gateways is currently not supported. You can, however, delete your existing gateway and re-create a zone-redundant or zonal gateway.

Can I deploy both VPN and ExpressRoute gateways in the same virtual network?

Co-existence of both VPN and ExpressRoute gateways in the same virtual network is supported. However, you should reserve a /27 IP address range for the gateway subnet.