
About VPN Gateway configuration settings

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.

A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network created in the Resource Manager deployment model. You can find descriptions and topology diagrams for each connection solution in the About VPN Gateway article.

The values in this article apply to VPN gateways (virtual network gateways that use -GatewayType Vpn). This article does not cover all gateway types or zone-redundant gateways.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Gateway types

Each virtual network can have only one virtual network gateway of each type. When you are creating a virtual network gateway, you must make sure that the gateway type is correct for your configuration.

The available values for -GatewayType are:

  • Vpn
  • ExpressRoute

A VPN gateway requires -GatewayType Vpn.

Example:

# $gwipconfig is an IP configuration object created beforehand with New-AzVirtualNetworkGatewayIpConfig
New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'West US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased

Gateway SKUs

When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For virtual network gateway SKUs in Azure Availability Zones, see Azure Availability Zones gateway SKUs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the table above is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN gateway is S2S + P2S combined. If you have a lot of P2S connections, they can negatively impact an S2S connection because of throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput, because Internet traffic conditions and your application behavior affect it.

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation1 VpnGw SKUs. As you can see, the best performance is obtained when GCMAES256 is used for both IPsec encryption and integrity. Performance is average when using AES256 for IPsec encryption and SHA256 for integrity. DES3 for IPsec encryption with SHA256 for integrity gives the lowest performance. DES3 (3DES) is also a legacy 64-bit-block cipher; choose it only when the on-premises device supports nothing stronger.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
| --- | --- | --- | --- | --- |
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |

Note

VpnGw SKUs (VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, and VpnGw5AZ) are supported for the Resource Manager deployment model only. Classic virtual networks should continue to use the old (legacy) SKUs.

Gateway SKUs by feature set

The new VPN gateway SKUs streamline the feature sets offered on the gateways:

| SKU | Features |
| --- | --- |
| Basic (**) | Route-based VPN: 10 tunnels for S2S/connections; no RADIUS authentication for P2S; no IKEv2 for P2S. Policy-based VPN (IKEv1): 1 S2S/connection tunnel; no P2S |
| All Generation1 and Generation2 SKUs except Basic | Route-based VPN: up to 30 tunnels (*), P2S, BGP, active-active, custom IPsec/IKE policy, ExpressRoute/VPN coexistence |

(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices. Refer to Connect VPN gateways to multiple on-premises policy-based VPN devices using PowerShell for details.

(**) The Basic SKU is considered a legacy SKU and has certain feature limitations. You can't resize a gateway that uses a Basic SKU to one of the new gateway SKUs; you must instead change to a new SKU, which involves deleting and recreating your VPN gateway.

Gateway SKUs - Production vs. Dev-Test Workloads

Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:

| Workload | SKUs |
| --- | --- |
| Production, critical workloads | All Generation1 and Generation2 SKUs except Basic |
| Dev-test or proof of concept | Basic (**) |

(**) The Basic SKU is considered a legacy SKU and has feature limitations. Verify that the feature that you need is supported before you use the Basic SKU.

If you are using the old (legacy) SKUs, the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see Gateway SKUs (legacy).

Configure a gateway SKU

Azure portal

If you use the Azure portal to create a Resource Manager virtual network gateway, you can select the gateway SKU by using the dropdown. The options you are presented with correspond to the Gateway type and VPN type that you select.

PowerShell

The following PowerShell example specifies -GatewaySku as VpnGw1. When using PowerShell to create a gateway, you have to first create the IP configuration, then use a variable to refer to it. In this example, the configuration variable is $gwipconfig.

New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewaySku VpnGw1 `
-GatewayType Vpn -VpnType RouteBased

Azure CLI

az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWPIP --resource-group TestRG1 --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait

Resizing or changing a SKU

If you have a VPN gateway and you want to use a different gateway SKU, your options are either to resize your gateway SKU or to change to another SKU. When you change to another gateway SKU, you delete the existing gateway entirely and build a new one. A gateway can take up to 45 minutes to build. In comparison, when you resize a gateway SKU, there is not much downtime because you do not have to delete and rebuild the gateway. If you have the option to resize your gateway SKU rather than change it, you will want to do that. However, there are rules regarding resizing:

  1. With the exception of the Basic SKU, you can resize a VPN gateway SKU to another VPN gateway SKU within the same generation (Generation1 or Generation2). For example, VpnGw1 of Generation1 can be resized to VpnGw2 of Generation1, but not to VpnGw2 of Generation2.
  2. When working with the old gateway SKUs, you can resize between the Basic, Standard, and HighPerformance SKUs.
  3. You cannot resize from Basic/Standard/HighPerformance SKUs to VpnGw SKUs. You must instead change to the new SKUs.

To resize a gateway

You can use the Resize-AzVirtualNetworkGateway PowerShell cmdlet to upgrade or downgrade a Generation1 or Generation2 SKU (all VpnGw SKUs can be resized except Basic SKUs). If you are using the Basic gateway SKU, use these instructions instead to resize your gateway.

The following PowerShell example shows a gateway SKU being resized to VpnGw2.

$gw = Get-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw2

You can also resize a gateway in the Azure portal by going to the Configuration page for your virtual network gateway and selecting a different SKU from the dropdown.
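The resizing rules above are enforced only when the request reaches Azure, so a wrong target SKU costs a round trip and an error. The following PowerShell function, an added example and not code from the original article, applies the rules client-side before calling Resize-AzVirtualNetworkGateway: it refuses Basic and the legacy Standard/HighPerformance SKUs (which must be deleted and recreated) and only allows targets that exist in the gateway's own generation. It assumes the gateway object exposes its generation as the VpnGatewayGeneration property (an assumption about the Az.Network object model) and that you are already signed in; the gateway and resource group names are the page's own illustrative values.

```powershell
function Invoke-SafeGatewayResize {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $TargetSku     # e.g. VpnGw2 or VpnGw2AZ
    )

    $gw         = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    $currentSku = $gw.Sku.Name
    $generation = $gw.VpnGatewayGeneration   # assumed property: 'Generation1' or 'Generation2'

    # Rule 1: Basic is a legacy SKU and cannot be resized at all; delete and recreate instead.
    if ($currentSku -eq 'Basic' -or $TargetSku -eq 'Basic') {
        throw "Basic cannot be resized to or from. Delete the gateway and create a new one."
    }

    # Rule 3: Standard/HighPerformance cannot be resized to VpnGw SKUs; that is a change, not a resize.
    if ($currentSku -in @('Standard', 'HighPerformance')) {
        throw "$currentSku is a legacy SKU. Change to a VpnGw SKU by deleting and recreating the gateway."
    }

    # Rule 1 again: the target must belong to the same generation as the current gateway.
    $allowed = switch ($generation) {
        'Generation1' { 'VpnGw1', 'VpnGw2', 'VpnGw3', 'VpnGw1AZ', 'VpnGw2AZ', 'VpnGw3AZ' }
        'Generation2' { 'VpnGw2', 'VpnGw3', 'VpnGw4', 'VpnGw5', 'VpnGw2AZ', 'VpnGw3AZ', 'VpnGw4AZ', 'VpnGw5AZ' }
        default       { throw "Unknown gateway generation '$generation' on $GatewayName" }
    }
    if ($TargetSku -notin $allowed) {
        throw "$TargetSku is not a $generation SKU. Allowed targets: $($allowed -join ', ')"
    }

    # Conservative extra check (not stated on this page): do not cross the zone-redundant boundary,
    # because the article only documents resizing among SKUs of the same generation and shape.
    if ($currentSku.EndsWith('AZ') -ne $TargetSku.EndsWith('AZ')) {
        throw "Refusing to resize between zone-redundant ($currentSku) and non-zone-redundant ($TargetSku) SKUs."
    }

    if ($currentSku -eq $TargetSku) {
        Write-Host "$GatewayName is already $TargetSku; nothing to do."
        return $gw
    }

    Write-Host "Resizing $GatewayName ($generation) from $currentSku to $TargetSku ..."
    Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku $TargetSku
}

# Usage with the page's example names:
Invoke-SafeGatewayResize -ResourceGroupName testrg -GatewayName vnetgw1 -TargetSku VpnGw2
```

The zone-redundancy check is deliberately stricter than the page's rules; drop it if your subscription documents that such a resize is supported.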

To change from an old (legacy) SKU to a new SKU

If you are working with the Resource Manager deployment model, you can change to the new gateway SKUs. When you change from a legacy gateway SKU to a new SKU, you delete the existing VPN gateway and create a new VPN gateway.

Workflow:

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

Considerations:

  • To move to the new SKUs, your VPN gateway must be in the Resource Manager deployment model.
  • If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway; however, you can resize between the legacy SKUs. You cannot change to the new SKUs.
  • You will have connectivity downtime when you change from a legacy SKU to a new SKU.
  • When changing to a new gateway SKU, the public IP address for your VPN gateway will change. This happens even if you specify the same public IP address object that you used previously.
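The seven-step workflow above, carried out end to end in PowerShell as an added example (not code from the original article). It records each connection and its shared key before deleting the legacy gateway, recreates the gateway as a RouteBased VpnGw1, reads back the new public IP (which changes even though the same public IP object is reused), updates a peer-side local network gateway, and recreates the connections. Assumptions: resource group 'testrg' in 'West US' holds VNet 'VNet1' (with a GatewaySubnet), public IP 'VNet1GWPIP' and the legacy RouteBased gateway 'vnetgw1'; a local network gateway 'LNG-VNet1' in resource group 'peerrg' represents this gateway to a peer VNet; New-AzVpnClientConfiguration is the cmdlet used to generate a P2S profile. All of these names are illustrative.

```powershell
$rg     = 'testrg'
$gwName = 'vnetgw1'
$region = 'West US'

$old   = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$oldIp = (Get-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName $rg).IpAddress

# Step 1: record every connection on this gateway, then remove it. Get-*Connection does not
# return the pre-shared key, so fetch it separately for reuse in step 7.
$conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
         Where-Object { $_.VirtualNetworkGateway1.Id -eq $old.Id }
$saved = foreach ($c in $conns) {
    [pscustomobject]@{
        Name       = $c.Name
        Type       = $c.ConnectionType           # IPsec (S2S) or Vnet2Vnet
        Weight     = $c.RoutingWeight
        LocalGw    = $c.LocalNetworkGateway2     # set for IPsec connections
        PeerVnetGw = $c.VirtualNetworkGateway2   # set for Vnet2Vnet connections
        SharedKey  = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $c.Name -ResourceGroupName $rg
    }
}
foreach ($c in $conns) {
    Remove-AzVirtualNetworkGatewayConnection -Name $c.Name -ResourceGroupName $rg -Force
}

# Step 2: delete the legacy gateway. Connectivity is down from here until step 7 completes.
Remove-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Force

# Step 3: create the new gateway from a fresh IP configuration. The same public IP object is
# reused, but (as noted above) its address will not be preserved.
$vnet     = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet
$pip      = Get-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName $rg
$ipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$new = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $region `
           -IpConfigurations $ipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Step 4: report the new address that every on-premises VPN device must be updated with.
$newIp = (Get-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName $rg).IpAddress
Write-Host "VPN gateway public IP changed from $oldIp to $newIp; update on-premises devices."

# Step 5: rewrite the peer-side local network gateway that points at this gateway.
# New-AzLocalNetworkGateway -Force overwrites the existing resource with the new address.
$peerLng = Get-AzLocalNetworkGateway -Name 'LNG-VNet1' -ResourceGroupName 'peerrg'
New-AzLocalNetworkGateway -Name $peerLng.Name -ResourceGroupName 'peerrg' -Location $peerLng.Location `
    -GatewayIpAddress $newIp -AddressPrefix $peerLng.LocalNetworkAddressSpace.AddressPrefixes -Force | Out-Null

# Step 6: existing P2S client packages are invalid. Once the P2S configuration has been re-applied
# to the new gateway (not shown), generate a new profile for redistribution.
if ($new.VpnClientConfiguration) {
    $profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod EapTls
    Write-Host "New P2S client package: $($profile.VpnProfileSASUrl)"
}

# Step 7: recreate the connections against the new gateway object with the saved settings.
# Vnet2Vnet peers that referenced the old gateway Id need their own connection recreated as well.
foreach ($s in $saved) {
    $common = @{
        Name = $s.Name; ResourceGroupName = $rg; Location = $region
        VirtualNetworkGateway1 = $new; ConnectionType = $s.Type
        RoutingWeight = $s.Weight; SharedKey = $s.SharedKey
    }
    if ($s.Type -eq 'IPsec') {
        New-AzVirtualNetworkGatewayConnection @common -LocalNetworkGateway2 $s.LocalGw
    } else {
        New-AzVirtualNetworkGatewayConnection @common -VirtualNetworkGateway2 $s.PeerVnetGw
    }
}
```

Run the capture part (step 1) first and inspect $saved before deleting anything; if any connection type other than IPsec or Vnet2Vnet appears, handle it by hand rather than letting the final loop guess.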

Connection types

In the Resource Manager deployment model, each configuration requires a specific virtual network gateway connection type. The available Resource Manager PowerShell values for -ConnectionType are:

  • IPsec
  • Vnet2Vnet
  • ExpressRoute
  • VPNClient

In the following PowerShell example, we create an S2S connection that requires the connection type IPsec. The shared key 'abc123' is only a placeholder; use a long, randomly generated pre-shared key for any real connection.

New-AzVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg `
-Location 'West US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'
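The same S2S connection, as an added example that is not part of the original article, but with the two settings a practitioner would change: a pre-shared key generated from the OS random number generator instead of a guessable literal, and an explicit IPsec/IKE policy using GCMAES256, the combination that gave the best throughput in the measurements above (custom policies require a non-Basic VpnGw SKU). It assumes $gateway1 and $local already exist as in the page's own example, and that a Key Vault named 'kv-vpn' exists for storing the key; the vault and secret names are illustrative.

```powershell
function New-StrongSharedKey {
    # 32 bytes from the platform CSPRNG, hex-encoded: 64 printable ASCII characters, which
    # stays within the length Azure accepts and avoids characters some VPN devices reject.
    param([int]$Bytes = 32)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    $rng.Dispose()
    return ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

$psk = New-StrongSharedKey

# Keep the key in a vault rather than in a script or ticket; the on-premises device needs the same value.
$secret = ConvertTo-SecureString $psk -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName 'kv-vpn' -Name 'localtovon-psk' -SecretValue $secret | Out-Null

# Explicit IPsec/IKE policy: AES-GCM-256 for ESP confidentiality and integrity, AES256/SHA256
# for IKE, 2048-bit DH for the key exchange and for PFS on every rekey.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup14 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            PFS2048 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg `
    -Location 'West US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $psk -IpsecPolicies $ipsecPolicy

# Confirm what Azure actually stored; a mismatch here means the on-premises side will not negotiate.
$conn.IpsecPolicies | Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup
```

The on-premises device must be configured with the identical proposal (IKEv2, AES-GCM-256 ESP, DH group 14, PFS 2048) and the same key, otherwise IKE negotiation fails even though the Azure side reports the connection as provisioned.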

VPN types

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you are using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

The VPN type you select must satisfy all the connection requirements for the solution you want to create. For example, if you want to create an S2S VPN gateway connection and a P2S VPN gateway connection for the same virtual network, you would use VPN type RouteBased because P2S requires a RouteBased VPN type. You would also need to verify that your VPN device supports a RouteBased VPN connection.

Once a virtual network gateway has been created, you can't change the VPN type. You have to delete the virtual network gateway and create a new one. There are two VPN types:

  • PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the following limitations:

    • PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with other gateway SKUs.
    • You can have only 1 tunnel when using a PolicyBased VPN.
    • You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require a RouteBased VPN.
  • RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs is configured as any-to-any (or wildcards). The value for a RouteBased VPN type is RouteBased.

The following PowerShell example specifies -VpnType as RouteBased. When you are creating a gateway, you must make sure that the -VpnType is correct for your configuration.

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'West US' -IpConfigurations $gwipconfig `
-GatewayType Vpn -VpnType RouteBased

Gateway requirements

The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and RouteBased gateways are the same as Dynamic gateways.

| | PolicyBased Basic VPN Gateway | RouteBased Basic VPN Gateway | RouteBased Standard VPN Gateway | RouteBased High Performance VPN Gateway |
| --- | --- | --- | --- | --- |
| Site-to-Site connectivity (S2S) | PolicyBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration |
| Point-to-Site connectivity (P2S) | Not supported | Supported (can coexist with S2S) | Supported (can coexist with S2S) | Supported (can coexist with S2S) |
| Authentication method | Pre-shared key | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity |
| Maximum number of S2S connections | 1 | 10 | 10 | 30 |
| Maximum number of P2S connections | Not supported | 128 | 128 | 128 |
| Active routing support (BGP) (*) | Not supported | Not supported | Supported | Supported |

(*) BGP is not supported for the classic deployment model.

Gateway subnet

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to deploy the virtual network gateway VMs and services to.

Note

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. Gateways created with this configuration will be blocked from creation. Gateways require access to the management controllers in order to function properly.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.

When you are planning your gateway subnet size, refer to the documentation for the configuration that you are planning to create. For example, the ExpressRoute/VPN Gateway coexistence configuration requires a larger gateway subnet than most other configurations. Additionally, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future additional configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, and so on) if you have the available address space to do so. This will accommodate most configurations.

The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?
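The subnet guidance above and the PowerShell section's note that the IP configuration must exist before the gateway cmdlet is called, combined into one runnable sequence as an added example (not code from the original article): it adds a /27 GatewaySubnet if missing, checks the subnet for the two unsupported settings (an associated NSG and a 0.0.0.0/0 user-defined route) plus the /29 minimum size, and only then builds the public IP, the IP configuration and a VpnGw1 gateway. It assumes resource group 'TestRG1' in 'East US' already contains a VNet 'VNet1' whose address space covers 10.0.3.0/27; the resource names are illustrative.

```powershell
$rg     = 'TestRG1'
$region = 'East US'

$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName $rg

# Add the gateway subnet if it is missing. The name must be exactly 'GatewaySubnet'.
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27 -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet

function Test-GatewaySubnet {
    # Returns a list of reasons the subnet cannot host a gateway; empty means it is usable.
    param([Parameter(Mandatory)] $Subnet)
    $problems = @()

    # Size: /29 is the smallest allowed; /27 or larger is recommended.
    $prefixLen = [int]((@($Subnet.AddressPrefix)[0]) -split '/')[1]
    if ($prefixLen -gt 29) {
        $problems += "prefix /$prefixLen is smaller than the /29 minimum"
    } elseif ($prefixLen -gt 27) {
        Write-Warning "GatewaySubnet is /$prefixLen; /27 or larger is recommended for future configurations"
    }

    # An NSG on the GatewaySubnet can cut the gateway off from the management controllers.
    if ($Subnet.NetworkSecurityGroup) {
        $problems += "an NSG is associated ($($Subnet.NetworkSecurityGroup.Id))"
    }

    # A route table with a 0.0.0.0/0 route blocks gateway creation. The route table Id has the
    # form /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network/routeTables/{name}.
    if ($Subnet.RouteTable) {
        $parts = $Subnet.RouteTable.Id -split '/'
        $rt    = Get-AzRouteTable -ResourceGroupName $parts[4] -Name $parts[-1]
        $default = $rt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }
        if ($default) {
            $problems += "route table $($rt.Name) contains a 0.0.0.0/0 route ($(($default | ForEach-Object Name) -join ', '))"
        }
    }
    return $problems
}

$issues = Test-GatewaySubnet -Subnet $gwSubnet
if ($issues) { throw "GatewaySubnet is not usable: $($issues -join '; ')" }

# Public IP first, then the IP configuration that New-AzVirtualNetworkGateway requires.
$pip = New-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName $rg -Location $region -AllocationMethod Dynamic
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName $rg -Location $region `
    -IpConfigurations $gwipconfig -GatewaySku VpnGw1 -GatewayType Vpn -VpnType RouteBased
```

Test-GatewaySubnet can also be run on its own against an existing VNet before a gateway change, since an NSG or default route added later to the GatewaySubnet breaks a running gateway just as it blocks a new one.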

Local network gateways

A local network gateway is different from a virtual network gateway. When creating a VPN gateway configuration, the local network gateway usually represents your on-premises location. In the classic deployment model, the local network gateway was referred to as a Local Site.

You give the local network gateway a name and the public IP address of the on-premises VPN device, and you specify the address prefixes that are located at the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you have specified for your local network gateway, and routes packets accordingly. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

The following PowerShell example creates a new local network gateway:

New-AzLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `
-Location 'West US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings, for example when you add or modify the address range, or if the IP address of the VPN device changes. See Modify local network gateway settings using PowerShell.

REST APIs, PowerShell cmdlets, and CLI

For additional technical resources and specific syntax requirements when using REST APIs, PowerShell cmdlets, or Azure CLI for VPN Gateway configurations, see the following pages:

| Classic | Resource Manager |
| --- | --- |
| PowerShell | PowerShell |
| REST API | REST API |
| Not supported | Azure CLI |

Next steps

For more information about available connection configurations, see About VPN Gateway.