
What is VPN Gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send IPsec/IKE-encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

What is a virtual network gateway?

A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create, called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure or log on to the VMs that are part of the virtual network gateway; they are managed entirely by the platform.

One setting that you configure for a virtual network gateway is the gateway type. The gateway type specifies how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the virtual network gateway created is a VPN gateway, rather than an ExpressRoute gateway. A virtual network can have two virtual network gateways, one VPN gateway and one ExpressRoute gateway, as is the case with coexisting connection configurations. For more information, see Gateway types.

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.

Creating a virtual network gateway can take up to 45 minutes to complete. When you create a virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specify. After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.

Configuring a VPN gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order (for example, the gateway subnet and public IP address must exist before the gateway, and the gateway must exist before any connection).

Settings

The settings that you choose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. That article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.

Deployment tools

You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources or modify existing resources where applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Deployment model

There are currently two deployment models for Azure. When you configure a VPN gateway, the steps you take depend on the deployment model that you used to create your virtual network. For example, if you created your VNet using the classic deployment model, you use the guidelines and instructions for the classic deployment model to create and configure your VPN gateway settings. For more information about deployment models, see Understanding Resource Manager and classic deployment models.
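The Resource Manager procedure described above (gateway subnet, public IP address, gateway of type 'Vpn', local network gateway, then the connection), as an added Azure PowerShell (Az module) example. This is not code from the original article; the resource group, resource names, address ranges, the on-premises public IP 203.0.113.10 and the VpnGw2AZ / Generation2 SKU choice are assumptions.

```powershell
# Added example (not from the original article): create a RouteBased VPN gateway and a
# Site-to-Site connection with Azure PowerShell. All names, prefixes, the on-premises
# IP address and the SKU are placeholders.
$rg       = "rg-vpn-demo"
$location = "westeurope"
$vnetName = "vnet-hub"

# 1. Gateway subnet. The name must be exactly "GatewaySubnet"; a /27 leaves room for the
#    gateway VMs and for a later coexisting ExpressRoute gateway in the same VNet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.0.255.0/27" -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

# 2. Public IP for the gateway. Zone-redundant (AZ) SKUs require a Standard SKU, static IP.
$pip = New-AzPublicIpAddress -Name "pip-vpngw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" `
    -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 3. The gateway: type Vpn (not ExpressRoute), RouteBased so that multiple connections,
#    P2S and BGP are possible later. This step can take up to 45 minutes.
$gw = New-AzVirtualNetworkGateway -Name "vpngw-hub" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2AZ -VpnGatewayGeneration Generation2

# 4. Local network gateway = the on-premises side: its public IP and the prefixes
#    reachable behind it.
$lng = New-AzLocalNetworkGateway -Name "lng-branch1" -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress "203.0.113.10" -AddressPrefix @("192.168.10.0/24", "192.168.20.0/24")

# 5. The IPsec connection. Generate the pre-shared key from a CSPRNG instead of typing one;
#    the same key must be configured on the on-premises device.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-branch1" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# 6. Once the device side is configured, confirm the tunnel is up and passing traffic.
Get-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-branch1" -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, IngressBytesTransferred, EgressBytesTransferred
```

The key is emitted as 64 hex characters so that it is accepted verbatim by on-premises devices that restrict the PSK character set; store it in a secret store rather than in the script.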

Planning table

The following table can help you decide the best connectivity option for your solution.

|                          | Point-to-Site | Site-to-Site | ExpressRoute |
|--------------------------|---------------|--------------|--------------|
| Azure supported services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Typical bandwidths       | Based on the gateway SKU | Typically < 1 Gbps aggregate | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps |
| Protocols supported      | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS, ...) |
| Routing                  | RouteBased (dynamic) | PolicyBased (static routing) and RouteBased (dynamic routing VPN) | BGP |
| Connection resiliency    | active-passive | active-passive or active-active | active-active |
| Typical use case         | Prototyping, dev/test/lab scenarios for cloud services and virtual machines | Dev/test/lab scenarios and small-scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list), enterprise-class and mission-critical workloads, backup, big data, Azure as a DR site |
| SLA                      | SLA | SLA | SLA |
| Pricing                  | Pricing | Pricing | Pricing |
| Technical documentation  | VPN Gateway documentation | VPN Gateway documentation | ExpressRoute documentation |
| FAQ                      | VPN Gateway FAQ | VPN Gateway FAQ | ExpressRoute FAQ |

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more information about gateway SKUs, including supported features, production and dev-test use, and configuration steps, see the VPN Gateway Settings - Gateway SKUs article. For legacy SKU information, see Working with legacy SKUs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway generation | SKU | S2S/VNet-to-VNet tunnels | P2S SSTP connections | P2S IKEv2/OpenVPN connections | Aggregate throughput benchmark | BGP | Zone-redundant |
|------------------------|-----|--------------------------|----------------------|-------------------------------|--------------------------------|-----|----------------|
| Generation1 | Basic    | Max. 10  | Max. 128 | Not supported | 100 Mbps  | Not supported | No  |
| Generation1 | VpnGw1   | Max. 30* | Max. 128 | Max. 250      | 650 Mbps  | Supported     | No  |
| Generation1 | VpnGw2   | Max. 30* | Max. 128 | Max. 500      | 1 Gbps    | Supported     | No  |
| Generation1 | VpnGw3   | Max. 30* | Max. 128 | Max. 1000     | 1.25 Gbps | Supported     | No  |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250      | 650 Mbps  | Supported     | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500      | 1 Gbps    | Supported     | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000     | 1.25 Gbps | Supported     | Yes |
| Generation2 | VpnGw2   | Max. 30* | Max. 128 | Max. 500      | 1.25 Gbps | Supported     | No  |
| Generation2 | VpnGw3   | Max. 30* | Max. 128 | Max. 1000     | 2.5 Gbps  | Supported     | No  |
| Generation2 | VpnGw4   | Max. 30* | Max. 128 | Max. 1000     | 5 Gbps    | Supported     | No  |
| Generation2 | VpnGw5   | Max. 30* | Max. 128 | Max. 1000     | 10 Gbps   | Supported     | No  |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500      | 1.25 Gbps | Supported     | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000     | 2.5 Gbps  | Supported     | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 1000     | 5 Gbps    | Supported     | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 1000     | 10 Gbps   | Supported     | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except for the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the table above is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN gateway is S2S + P2S combined: if you have a lot of P2S connections, they can negatively affect an S2S connection because all tunnels draw from the same throughput limit. The Aggregate Throughput Benchmark is not a guaranteed throughput, because Internet traffic conditions and your application behavior also affect it.

To help customers understand the relative performance of SKUs using different algorithms, Microsoft used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation1 VpnGw SKUs. The best performance is obtained when GCMAES256 is used for both IPsec encryption and integrity (GCM is authenticated encryption, so one pass covers both). Average performance results from AES256 for IPsec encryption with SHA256 for integrity. DES3 for IPsec encryption with SHA256 for integrity gives the lowest performance; DES3 (3DES) is also a legacy cipher, so keep it only for interoperability with devices that support nothing stronger.

| Generation  | SKU      | Algorithms used  | Throughput observed | Packets per second observed |
|-------------|----------|------------------|---------------------|-----------------------------|
| Generation1 | VpnGw1   | GCMAES256        | 650 Mbps  | 58,000  |
| Generation1 | VpnGw1   | AES256 & SHA256  | 500 Mbps  | 50,000  |
| Generation1 | VpnGw1   | DES3 & SHA256    | 120 Mbps  | 50,000  |
| Generation1 | VpnGw2   | GCMAES256        | 1 Gbps    | 90,000  |
| Generation1 | VpnGw2   | AES256 & SHA256  | 500 Mbps  | 80,000  |
| Generation1 | VpnGw2   | DES3 & SHA256    | 120 Mbps  | 55,000  |
| Generation1 | VpnGw3   | GCMAES256        | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3   | AES256 & SHA256  | 550 Mbps  | 90,000  |
| Generation1 | VpnGw3   | DES3 & SHA256    | 120 Mbps  | 60,000  |
| Generation1 | VpnGw1AZ | GCMAES256        | 650 Mbps  | 58,000  |
| Generation1 | VpnGw1AZ | AES256 & SHA256  | 500 Mbps  | 50,000  |
| Generation1 | VpnGw1AZ | DES3 & SHA256    | 120 Mbps  | 50,000  |
| Generation1 | VpnGw2AZ | GCMAES256        | 1 Gbps    | 90,000  |
| Generation1 | VpnGw2AZ | AES256 & SHA256  | 500 Mbps  | 80,000  |
| Generation1 | VpnGw2AZ | DES3 & SHA256    | 120 Mbps  | 55,000  |
| Generation1 | VpnGw3AZ | GCMAES256        | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256  | 550 Mbps  | 90,000  |
| Generation1 | VpnGw3AZ | DES3 & SHA256    | 120 Mbps  | 60,000  |
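Pinning a connection to the best-performing proposal from the table above (GCMAES256 for both IPsec encryption and integrity) instead of leaving the Azure default proposal set, and then reading back what the gateway will negotiate, as an added Azure PowerShell example. This is not code from the original article; the resource group and connection name are assumptions, and the on-premises device must be configured with the same proposal or the tunnel will not come up.

```powershell
# Added example (not from the original article): apply a custom IPsec/IKE policy to an
# existing Site-to-Site connection and verify it. Names are placeholders.
$rg       = "rg-vpn-demo"
$connName = "cn-hub-to-branch1"

# IKEv2 (phase 1) and IPsec (phase 2) proposal. With a GCM cipher the IPsec integrity
# setting must name the same GCM algorithm, because GCM already authenticates the data.
# DHGroup14 / PFS2048 are 2048-bit MODP groups; DES3 is deliberately absent: it is the
# slowest option in the table and a legacy cipher.
$policy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup14 `
    -IpsecEncryption     GCMAES256 `
    -IpsecIntegrity      GCMAES256 `
    -PfsGroup            PFS2048 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy | Out-Null

# Read the policy back. An empty IpsecPolicies list means the Azure default proposals
# (which include legacy algorithms for compatibility) are offered to the device.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
if ($conn.IpsecPolicies.Count -eq 0) {
    Write-Warning "$connName has no custom policy; default IKE/IPsec proposals apply."
} else {
    $conn.IpsecPolicies |
        Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup, SALifeTimeSeconds
}
$conn | Select-Object Name, ConnectionStatus
```

If the connection status drops to NotConnected after the change, the device side is not offering a matching proposal; compare its IKE and IPsec settings with the six values printed by Format-List before relaxing the Azure policy.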

Connection topology diagrams

It's important to know that there are different configurations available for VPN gateway connections. You need to determine which configuration best fits your needs. The sections below give information and topology diagrams for each type of VPN gateway connection, together with tables that list:

  • Available deployment models
  • Available configuration tools
  • Links that take you directly to an article, if available

Use the diagrams and descriptions to help select the connection topology that matches your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using the diagrams as a guideline.

Site-to-Site and Multi-Site (IPsec/IKE VPN tunnel)

Site-to-Site

A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. An S2S connection requires a VPN device located on-premises that has a public IP address assigned to it and is not located behind a NAT. For information about selecting a VPN device, see the VPN Gateway FAQ - VPN devices.

[Diagram: Azure VPN Gateway Site-to-Site connection example]

Multi-Site

This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can have only one VPN gateway, all connections through the gateway share the available bandwidth. This type of connection is often called a "multi-site" connection.

[Diagram: Azure VPN Gateway Multi-Site connection example]

Deployment models and methods for Site-to-Site and Multi-Site

| Deployment model/method | Azure portal | PowerShell | Azure CLI |
|-------------------------|--------------|------------|-----------|
| Resource Manager        | Tutorial, Tutorial+ | Tutorial | Tutorial |
| Classic                 | Tutorial** | Tutorial+ | Not supported |

(**) denotes that this method contains steps that require PowerShell.

(+) denotes that this article is written for multi-site connections.

Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Unlike S2S connections, P2S connections do not require an on-premises public-facing IP address or a VPN device. P2S connections can be used together with S2S connections through the same VPN gateway, as long as all the configuration requirements for both connection types are compatible. For more information about Point-to-Site connections, see About Point-to-Site VPN.

[Diagram: Azure VPN Gateway Point-to-Site connection example]
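Enabling P2S with Azure native certificate authentication on an existing RouteBased gateway, issuing one client certificate, and revoking it when the device is lost, as an added Azure PowerShell example. This is not code from the original article; the gateway name, resource group, certificate subjects and the client address pool 172.16.201.0/24 are assumptions. The certificate cmdlets are Windows PowerShell (PKI module); only the root's public part is uploaded to Azure.

```powershell
# Added example (not from the original article): Point-to-Site with certificate
# authentication, IKEv2 and OpenVPN only, plus revocation of a single client certificate.
$rg     = "rg-vpn-demo"
$gwName = "vpngw-hub"

# 1. Self-signed root used to sign client certificates. Its private key stays on this
#    machine; treat it as a CA key (offline, backed up, never in the client package).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# 2. One client certificate per user/device, signed by the root, EKU = client auth.
$client = New-SelfSignedCertificate -Type Custom -DnsName "alice-laptop" -KeySpec Signature `
    -Subject "CN=alice-laptop" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Upload the root's public key (base64 DER) and enable P2S on the gateway.
#    The client pool must not overlap the VNet or any on-premises prefix.
$rootPublic = New-AzVpnClientRootCertificate -Name "P2SRootCert" `
    -PublicCertData ([Convert]::ToBase64String($root.RawData))
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol @("IkeV2", "OpenVPN") `
    -VpnClientRootCertificates $rootPublic | Out-Null

# 4. Generate the VPN client configuration package; a download URL is returned.
$clientConfig = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$clientConfig.VPNProfileSASUrl

# 5. The laptop is lost: revoke its certificate by thumbprint. The gateway refuses that
#    certificate from now on, without touching the root or other clients.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName "alice-laptop" `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg `
    -Thumbprint $client.Thumbprint
```

Revocation is per client thumbprint, so record the thumbprint of every certificate you issue; if the root key itself is compromised, remove the root from the gateway and re-issue all client certificates instead.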

Deployment models and methods for P2S

Azure native certificate authentication

| Deployment model/method | Azure portal | PowerShell |
|-------------------------|--------------|------------|
| Resource Manager        | Tutorial | Tutorial |
| Classic                 | Tutorial | Supported |

RADIUS authentication

| Deployment model/method | Azure portal | PowerShell |
|-------------------------|--------------|------------|
| Resource Manager        | Supported | Tutorial |
| Classic                 | Not supported | Not supported |

VNet-to-VNet connections (IPsec/IKE VPN tunnel)

Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

The VNets you connect can be:

  • in the same or different regions
  • in the same or different subscriptions
  • in the same or different deployment models

[Diagram: Azure VPN Gateway VNet-to-VNet connection example]
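A VNet-to-VNet link between two existing RouteBased VPN gateways, as an added Azure PowerShell example that is not part of the original article. The point it shows beyond the text: a VNet-to-VNet connection is two connection resources, one created from each gateway, that must carry the same shared key before the tunnel forms. The resource group and gateway names are assumptions; for gateways in different subscriptions, fetch the second gateway object after switching context with Set-AzContext.

```powershell
# Added example (not from the original article): connect two VPN gateways VNet-to-VNet.
# Both gateways already exist and are RouteBased. Names are placeholders.
$rg  = "rg-vpn-demo"
$gw1 = Get-AzVirtualNetworkGateway -Name "vpngw-hub"   -ResourceGroupName $rg
$gw2 = Get-AzVirtualNetworkGateway -Name "vpngw-spoke" -ResourceGroupName $rg

# One CSPRNG-generated shared key, used by BOTH connection resources.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# Direction 1: hub -> spoke, created against the hub gateway's region.
New-AzVirtualNetworkGatewayConnection -Name "cn-hub-to-spoke" -ResourceGroupName $rg `
    -Location $gw1.Location -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw2 `
    -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null

# Direction 2: spoke -> hub, same key. Without this second resource the tunnel stays down.
New-AzVirtualNetworkGatewayConnection -Name "cn-spoke-to-hub" -ResourceGroupName $rg `
    -Location $gw2.Location -VirtualNetworkGateway1 $gw2 -VirtualNetworkGateway2 $gw1 `
    -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null

# Both sides should report Connected; a key mismatch leaves both in NotConnected.
foreach ($name in "cn-hub-to-spoke", "cn-spoke-to-hub") {
    Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $rg |
        Select-Object Name, ConnectionType, ConnectionStatus
}
```

Because each gateway can terminate several connections, the two VNet-to-VNet resources count against the S2S/VNet-to-VNet tunnel limit of their respective gateways and share those gateways' aggregate throughput with any Site-to-Site or P2S traffic.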

Connections between deployment models

Azure currently has two deployment models: classic and Resource Manager. If you have been using Azure for some time, you probably have Azure VMs and instance roles running in a classic VNet. Your newer VMs and role instances may be running in a VNet created in Resource Manager. You can create a connection between the VNets to allow the resources in one VNet to communicate directly with resources in the other.

VNet peering

You may be able to use VNet peering to create your connection, as long as your virtual network meets certain requirements. VNet peering does not use a virtual network gateway. For more information, see VNet peering.

Deployment models and methods for VNet-to-VNet

| Deployment model/method | Azure portal | PowerShell | Azure CLI |
|-------------------------|--------------|------------|-----------|
| Classic                 | Tutorial* | Supported | Not supported |
| Resource Manager        | Tutorial+ | Tutorial | Tutorial |
| Connections between different deployment models | Tutorial* | Tutorial | Not supported |

(+) denotes that this deployment method is available only for VNets in the same subscription.
(*) denotes that this deployment method also requires PowerShell.

ExpressRoute (private connection)

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

An ExpressRoute connection uses a virtual network gateway as part of its required configuration. In an ExpressRoute connection, the virtual network gateway is configured with the gateway type 'ExpressRoute' rather than 'Vpn'. Note that traffic travelling over an ExpressRoute circuit is not encrypted by default; private does not mean encrypted. It is possible to create a solution that sends encrypted traffic over an ExpressRoute circuit. For more information about ExpressRoute, see the ExpressRoute technical overview.

Site-to-Site and ExpressRoute coexisting connections

ExpressRoute is a direct, private connection from your WAN (not over the public Internet) to Microsoft services, including Azure. Site-to-Site VPN traffic travels encrypted over the public Internet. Being able to configure Site-to-Site VPN and ExpressRoute connections for the same virtual network has several advantages.

You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not part of your network but that are connected through ExpressRoute. Notice that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn' and the other using the gateway type 'ExpressRoute'.

[Diagram: ExpressRoute and VPN Gateway coexisting connection example]

Deployment models and methods for coexisting S2S and ExpressRoute connections

| Deployment model/method | Azure portal | PowerShell |
|-------------------------|--------------|------------|
| Resource Manager        | Supported | Tutorial |
| Classic                 | Not supported | Tutorial |

Pricing

You pay for two things: the hourly compute cost of the virtual network gateway, and egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create the virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. The cost of an active-active setup is the same as active-passive.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

  • If you are sending traffic to your on-premises VPN device, it is charged at the Internet egress data transfer rate.
  • If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
  • If you are sending traffic only between virtual networks in the same region, there are no data costs. Traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ

For frequently asked questions about VPN Gateway, see the VPN Gateway FAQ.

Next steps