
Connect virtual networks from different deployment models using the portal

This article shows you how to connect classic VNets to Resource Manager VNets to allow the resources located in the separate deployment models to communicate with each other. The steps in this article primarily use the Azure portal, but you can also create this configuration using PowerShell.

Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a connection between VNets that are in different subscriptions and in different regions. You can also connect VNets that already have connections to on-premises networks, as long as the gateway that they have been configured with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet FAQ at the end of this article.

If you do not already have a virtual network gateway and do not want to create one, you may want to instead consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway. For more information, see VNet peering.

Before you begin

  • These steps assume that both VNets have already been created. If you are using this article as an exercise and don't have VNets, there are links in the steps to help you create them.
  • Verify that the address ranges for the VNets do not overlap with each other, or overlap with any of the ranges for other connections that the gateways may be connected to.
  • Install the latest PowerShell cmdlets for both Resource Manager and Service Management (classic). In this article, we use both the Azure portal and PowerShell. PowerShell is required to create the connection from the classic VNet to the Resource Manager VNet. For more information, see How to install and configure Azure PowerShell.

Example settings

You can use these values to create a test environment, or refer to them to better understand the examples in this article.

Classic VNet

VNet name = ClassicVNet
Address space = 10.0.0.0/24
Subnet name = Subnet-1
Subnet address range = 10.0.0.0/27
Subscription = the subscription you want to use
Resource Group = ClassicRG
Location = West US
GatewaySubnet = 10.0.0.32/28
Local site = RMVNetLocal

Resource Manager VNet

VNet name = RMVNet
Address space = 192.168.0.0/16
Resource Group = RG1
Location = East US
Subnet name = Subnet-1
Address range = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Virtual network gateway name = RMGateway
Gateway type = VPN
VPN type = Route-based
SKU = VpnGw1
Location = East US
Virtual network = RMVNet (associate the VPN gateway to this VNet)
First IP configuration = rmgwpip (gateway public IP address)
Local network gateway = ClassicVNetLocal
Connection name = RMtoClassic

Connection overview

For this configuration, you create a VPN gateway connection over an IPsec/IKE VPN tunnel between the virtual networks. Make sure that none of your VNet ranges overlap with each other, or with any of the local networks that they connect to.

The following table shows an example of how the example VNets and local sites are defined:

| Virtual Network | Address Space | Region | Connects to local network site |
|---|---|---|---|
| ClassicVNet | (10.0.0.0/24) | West US | RMVNetLocal (192.168.0.0/16) |
| RMVNet | (192.168.0.0/16) | East US | ClassicVNetLocal (10.0.0.0/24) |

Section 1 - Configure the classic VNet settings

In this section, you create the classic VNet, the local network (local site), and the virtual network gateway. Screenshots are provided as examples. Be sure to replace the values with your own, or use the Example values.

1. Create a classic VNet

If you don't have a classic VNet and are running these steps as an exercise, you can create a VNet by using this article and the Example settings values from above.

If you already have a VNet with a VPN gateway, verify that the gateway is Dynamic. If it's Static, you must first delete the VPN gateway before you proceed to Configure the local site.

  1. Open the Azure portal and sign in with your Azure account.
  2. Click + Create a resource to open the 'New' page.
  3. In the 'Search the marketplace' field, type 'Virtual Network'. If you instead select Networking -> Virtual Network, you will not get the option to create a classic VNet.
  4. Locate 'Virtual Network' from the returned list and click it to open the Virtual Network page.
  5. On the virtual network page, select 'Classic' to create a classic VNet. If you take the default here, you will wind up with a Resource Manager VNet instead.

2. Configure the local site

  1. Navigate to All resources and locate the ClassicVNet in the list.
  2. On the Overview page, in the VPN connections section, click Gateway to create a gateway.

    [Screenshot: Configure a VPN gateway]

  3. On the New VPN Connection page, for Connection type, select Site-to-site.
  4. For Local site, click Configure required settings. This opens the Local site page.
  5. On the Local site page, create a name to refer to the Resource Manager VNet. For example, 'RMVNetLocal'.
  6. If the VPN gateway for the Resource Manager VNet already has a Public IP address, use the value for the VPN gateway IP address field. If you are doing these steps as an exercise, or don't yet have a virtual network gateway for your Resource Manager VNet, you can make up a placeholder IP address. Make sure that the placeholder IP address uses a valid format. Later, you replace the placeholder IP address with the Public IP address of the Resource Manager virtual network gateway.
  7. For Client Address Space, use the values for the virtual network IP address spaces for the Resource Manager VNet. This setting is used to specify the address spaces to route to the Resource Manager virtual network. In the example, we use 192.168.0.0/16, the address range for the RMVNet.
  8. Click OK to save the values and return to the New VPN Connection page.

3. Create the virtual network gateway

  1. On the New VPN Connection page, select the Create gateway immediately checkbox.
  2. Click Optional gateway configuration to open the Gateway configuration page.

    [Screenshot: Open gateway configuration page]

  3. Click Subnet - Configure required settings to open the Add subnet page. The Name is already configured with the required value: GatewaySubnet.
  4. The Address range refers to the range for the gateway subnet. Although you can create a gateway subnet with a /29 address range (3 addresses), we recommend creating a gateway subnet that contains more IP addresses. This will accommodate future configurations that may require more available IP addresses. If possible, use /27 or /28. If you are using these steps as an exercise, you can refer to the Example values. For this example, we use '10.0.0.32/28'. Click OK to create the gateway subnet.
  5. On the Gateway configuration page, Size refers to the gateway SKU. Select the gateway SKU for your VPN gateway.
  6. Verify the Routing Type is Dynamic, then click OK to return to the New VPN Connection page.
  7. On the New VPN Connection page, click OK to begin creating your VPN gateway. Creating a VPN gateway can take up to 45 minutes to complete.

4. Copy the virtual network gateway Public IP address

After the virtual network gateway has been created, you can view the gateway IP address.

  1. Navigate to your classic VNet, and click Overview.
  2. Click VPN connections to open the VPN connections page. On the VPN connections page, you can view the Public IP address. This is the Public IP address assigned to your virtual network gateway. Make a note of the IP address. You use it in later steps when you work with your Resource Manager local network gateway configuration settings.
  3. You can view the status of your gateway connections. Notice the local network site you created is listed as 'Connecting'. The status will change after you have created your connections. You can close this page when you are finished viewing the status.

Section 2 - Configure the Resource Manager VNet settings

In this section, you create the virtual network gateway and the local network gateway for your Resource Manager VNet. Screenshots are provided as examples. Be sure to replace the values with your own, or use the Example values.

1. Create a virtual network

Example values:

  • VNet name = RMVNet
  • Address space = 192.168.0.0/16
  • Resource Group = RG1
  • Location = East US
  • Subnet name = Subnet-1
  • Address range = 192.168.1.0/24

If you don't have a Resource Manager VNet and are running these steps as an exercise, create a virtual network with the steps in Create a virtual network, using the example values.

2. Create a gateway subnet

Example value: GatewaySubnet = 192.168.0.0/26

Before creating a virtual network gateway, you first need to create the gateway subnet. Create a gateway subnet with CIDR count of /28 or larger (/27, /26, etc.). If you are creating this as part of an exercise, you can use the Example values.

  1. In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual network gateway.
  2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
  3. On the Subnets page, click +Gateway subnet to open the Add subnet page.

    [Screenshot: Add the gateway subnet]

  4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range values to match your configuration requirements, then click OK at the bottom of the page to create the subnet.

    [Screenshot: Adding the subnet]

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?

3. Create a virtual network gateway

Example values:

  • Virtual network gateway name = RMGateway
  • Gateway type = VPN
  • VPN type = Route-based
  • SKU = VpnGw1
  • Location = East US
  • Virtual network = RMVNet
  • First IP configuration = rmgwpip

  1. In the portal, on the left side, click + and type 'virtual network gateway' in search. Locate Virtual network gateway in the search return and click the entry. On the Virtual network gateway page, click Create at the bottom of the page to open the Create virtual network gateway page.
  2. On the Create virtual network gateway page, fill in the values for your virtual network gateway.

    [Screenshot: Create virtual network gateway page fields]

  3. On the Create virtual network gateway page, specify the values for your virtual network gateway.

    • Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Location: You may need to scroll to see Location. Adjust the Location field to point to the location where your virtual network is located. If the location is not pointing to the region where your virtual network resides, when you select a virtual network in the next step, it will not appear in the drop-down list.
    • Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual network to open the 'Choose a virtual network' page. Select the VNet. If you don't see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
    • Gateway subnet address range: You will only see this setting if you did not previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting will not appear.
    • First IP configuration: The 'Choose public IP address' page creates a public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

      • First, click Create gateway IP configuration to open the 'Choose public IP address' page, then click +Create new to open the 'Create public IP address' page.
      • Next, input a Name for your public IP address. Leave the SKU as Basic unless there is a specific reason to change it to something else, then click OK at the bottom of this page to save your changes.

        [Screenshot: Create public IP]

  4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway to appear on the dashboard.

  5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device. You can click the connected device (your virtual network gateway) to view more information.

4. Create a local network gateway

Example values: Local network gateway = ClassicVNetLocal

| Virtual Network | Address Space | Region | Connects to local network site | Gateway Public IP address |
|---|---|---|---|---|
| ClassicVNet | (10.0.0.0/24) | West US | RMVNetLocal (192.168.0.0/16) | The Public IP address that is assigned to the ClassicVNet gateway |
| RMVNet | (192.168.0.0/16) | East US | ClassicVNetLocal (10.0.0.0/24) | The Public IP address that is assigned to the RMVNet gateway |

The local network gateway specifies the address range and the Public IP address associated with your classic VNet and its virtual network gateway. If you are doing these steps as an exercise, refer to the Example values.

  1. In the portal, from All resources, click +Add.
  2. In the Everything page search box, type Local network gateway, then click to return a list of resources. Click Local network gateway to open the page, then click Create to open the Create local network gateway page.

    [Screenshot: Create local network gateway]

  3. On the Create local network gateway page, specify the values for your local network gateway.

    • Name: Specify a name for your local network gateway object. If possible, use something intuitive, such as ClassicVNetLocal or TestVNet1Local. This makes it easier for you to identify the local network gateway in the portal.
    • IP address: Specify a valid Public IP address for the VPN device or virtual network gateway to which you want to connect.

      • If this local network represents an on-premises location: Specify the Public IP address of the VPN device that you want to connect to. It cannot be behind NAT and has to be reachable by Azure.
      • If this local network represents another VNet: Specify the Public IP address that was assigned to the virtual network gateway for that VNet.
      • If you don't yet have the IP address: You can make up a valid placeholder IP address, and then come back and modify this setting before connecting.
    • Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks to which you connect.
    • Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  4. Click Create to create the local network gateway.

Section 3 - Modify the classic VNet local site settings

In this section, you replace the placeholder IP address that you used when specifying the local site settings, with the Resource Manager VPN gateway IP address. This section uses the classic (SM) PowerShell cmdlets.

  1. In the Azure portal, navigate to the classic virtual network.
  2. On the page for your virtual network, click Overview.
  3. In the VPN connections section, click the name of your local site in the graphic.

    [Screenshot: VPN connections]

  4. On the Site-to-site VPN connections page, click the name of the site.

    [Screenshot: Site name]

  5. On the connection page for your local site, click the name of the local site to open the Local site page.

    [Screenshot: Open local site]

  6. On the Local site page, replace the VPN gateway IP address with the IP address of the Resource Manager gateway.

    [Screenshot: Gateway IP address]

  7. Click OK to update the IP address.

Section 4 - Create Resource Manager to classic connection

In these steps, you configure the connection from the Resource Manager VNet to the classic VNet using the Azure portal.

  1. In All resources, locate the local network gateway. In our example, the local network gateway is ClassicVNetLocal.
  2. Click Configuration and verify that the IP address value is the VPN gateway for the classic VNet. Update, if needed, then click Save. Close the page.
  3. In All resources, click the local network gateway.
  4. Click Connections to open the Connections page.
  5. On the Connections page, click + to add a connection.
  6. On the Add connection page, name the connection. For example, 'RMtoClassic'.
  7. Site-to-Site is already selected on this page.
  8. Select the virtual network gateway that you want to associate with this site.
  9. Create a shared key. This key is also used in the connection that you create from the classic VNet to the Resource Manager VNet. You can generate the key or make one up. In our example, we use 'abc123', but you can (and should) use something more complex.
  10. Click OK to create the connection.

Section 5 - Create classic to Resource Manager connection

In these steps, you configure the connection from the classic VNet to the Resource Manager VNet. These steps require PowerShell. You can't create this connection in the portal. Make sure you have downloaded and installed both the classic (SM) and Resource Manager (RM) PowerShell cmdlets.

1. Connect to your Azure account

Open the PowerShell console with elevated rights and log in to your Azure account. After logging in, your account settings are downloaded so that they are available to Azure PowerShell. The following cmdlet prompts you for the login credentials for your Azure Account for the Resource Manager deployment model:

Connect-AzureRmAccount

Get a list of your Azure subscriptions.

Get-AzureRmSubscription

If you have more than one subscription, specify the subscription that you want to use.

Select-AzureRmSubscription -SubscriptionName "Name of subscription"

Next, log in to use the classic PowerShell cmdlets (Service Management). Use the following command to add your Azure account for the classic deployment model:

Add-AzureAccount

Get a list of your subscriptions. This step may be necessary when adding the Service Management cmdlets, depending on your Azure module install.

Get-AzureSubscription

If you have more than one subscription, specify the subscription that you want to use.

Select-AzureSubscription -SubscriptionName "Name of subscription"

2. View the network configuration file values

When you create a VNet in the Azure portal, the full name that Azure uses is not visible in the Azure portal. For example, a VNet that appears to be named 'ClassicVNet' in the Azure portal may have a much longer name in the network configuration file. The name might look something like: 'Group ClassicRG ClassicVNet'. In these steps, you download the network configuration file and view the values.

Create a directory on your computer and then export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.

Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml

Open the file with a text editor and view the name for your classic VNet. Use the names in the network configuration file when running your PowerShell cmdlets.

  • VNet names are listed as VirtualNetworkSite name =
  • Site names are listed as LocalNetworkSite name=
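
The lookup above, together with the non-overlap requirement from "Before you begin", can be scripted instead of read by eye. The following is an added example, not code from the original article: it lists the VirtualNetworkSite and LocalNetworkSite names with their address prefixes and reports any IPv4 ranges that overlap. The embedded XML is a constructed sample whose element layout is assumed to match an exported classic network configuration file; the function names, the second local site and the 203.0.113.x gateway addresses are hypothetical.

```powershell
# Constructed sample (assumed classic network-configuration layout).
# For real use, load the exported file instead:
#   [xml]$cfg = Get-Content C:\AzureNet\NetworkConfig.xml
[xml]$cfg = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="172B9E16_RMVNetLocal">
        <AddressSpace><AddressPrefix>192.168.0.0/16</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
      <LocalNetworkSite name="Constructed_OverlappingSite">
        <AddressSpace><AddressPrefix>10.0.0.128/25</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.20</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Group ClassicRG ClassicVNet" Location="West US">
        <AddressSpace><AddressPrefix>10.0.0.0/24</AddressPrefix></AddressSpace>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

# Convert an IPv4 CIDR prefix into the first and last address of its range.
function ConvertTo-Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $len = $Cidr.Trim() -split '/', 2
    if ($null -eq $len) { throw "Missing prefix length: $Cidr" }
    $bytes = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 prefixes are handled: $Cidr" }
    $bits = [int]$len
    if ($bits -lt 0 -or $bits -gt 32) { throw "Bad prefix length: $Cidr" }
    [uint64]$ip = 0
    foreach ($b in $bytes) { $ip = $ip * 256 + $b }   # network byte order
    [uint64]$size  = [math]::Pow(2, 32 - $bits)
    [uint64]$start = $ip - ($ip % $size)              # mask off host bits
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

# Emit one row per site and address prefix. local-name() keeps the XPath
# independent of the document's default XML namespace.
function Get-SiteAddressSpace {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($kind in 'VirtualNetworkSite', 'LocalNetworkSite') {
        foreach ($site in $Config.SelectNodes("//*[local-name()='$kind']")) {
            $xpath = "*[local-name()='AddressSpace']/*[local-name()='AddressPrefix']"
            foreach ($p in $site.SelectNodes($xpath)) {
                [pscustomobject]@{
                    Kind   = $kind
                    Name   = $site.GetAttribute('name')
                    Prefix = $p.InnerText.Trim()
                }
            }
        }
    }
}

# Compare every pair of prefixes that belong to different sites.
function Find-Overlap {
    param([object[]]$Entries)
    $ranges = @(foreach ($e in $Entries) {
        $r = ConvertTo-Range $e.Prefix
        [pscustomobject]@{ Name = $e.Name; Prefix = $e.Prefix; Start = $r.Start; End = $r.End }
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            if ($a.Name -ne $b.Name -and $a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{
                    First  = "$($a.Name) ($($a.Prefix))"
                    Second = "$($b.Name) ($($b.Prefix))"
                }
            }
        }
    }
}

$entries = @(Get-SiteAddressSpace $cfg)
$entries | Format-Table Kind, Name, Prefix -AutoSize   # names to pass to the cmdlets

$overlaps = @(Find-Overlap $entries)
if ($overlaps.Count -gt 0) {
    Write-Warning 'Overlapping address ranges found:'
    $overlaps | Format-Table -AutoSize
} else {
    'No overlapping address ranges.'
}
```

The Name column gives the exact strings to pass as -VNetName and -LocalNetworkSiteName; the constructed second local site is there only so the overlap check has something to report.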

3. Create the connection

Set the shared key and create the connection from the classic VNet to the Resource Manager VNet. You cannot set the shared key using the portal. Make sure you run these steps while logged in using the classic version of the PowerShell cmdlets. To do so, use Add-AzureAccount. Otherwise, you will not be able to set the '-AzureVNetGatewayKey'.

  • In this example, -VNetName is the name of the classic VNet as found in your network configuration file.
  • The -LocalNetworkSiteName is the name you specified for the local site, as found in your network configuration file.
  • The -SharedKey is a value that you generate and specify. For this example, we used abc123, but you can generate something more complex. The important thing is that the value you specify here must be the same value that you specified when creating your Resource Manager to classic connection.

Set-AzureVNetGatewayKey -VNetName "Group ClassicRG ClassicVNet" `
-LocalNetworkSiteName "172B9E16_RMVNetLocal" -SharedKey abc123
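
One way to generate "something more complex" than abc123 for the IPsec/IKE pre-shared key, as an added example that is not part of the original article. New-SharedKey is a hypothetical helper; its alphanumeric alphabet and its length bounds are choices made for this example, not limits taken from the article. Generate the key once, enter it as the shared key in Section 4, and pass the same value to -SharedKey here.

```powershell
# Hypothetical helper (added example): build a random alphanumeric key from
# the operating system's cryptographic random number generator.
function New-SharedKey {
    param([ValidateRange(16, 128)][int]$Length = 32)

    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    # Discard bytes at or above the largest multiple of the alphabet size,
    # so that every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    $sb.ToString()
}

$key = New-SharedKey -Length 32

# Same call as in the article, with the generated key in place of abc123.
# The names are the article's example values; use the ones from your own
# network configuration file.
# Set-AzureVNetGatewayKey -VNetName "Group ClassicRG ClassicVNet" `
#     -LocalNetworkSiteName "172B9E16_RMVNetLocal" -SharedKey $key
```

Treat the generated value as a credential: keep it in a secrets store rather than in scripts or shell history, since anyone who knows it can authenticate as the peer gateway.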

第 6 节:验证连接Section 6 - Verify your connections

可使用 Azure 门户或 PowerShell 来验证连接。You can verify your connections by using the Azure portal or PowerShell. 验证时,由于正在创建连接,因此可能需要等待一两分钟。When verifying, you may need to wait a minute or two as the connection is being created. 连接成功后,连接状态将从“正在连接”变为“已连接”。When a connection is successful, the connectivity state changes from 'Connecting' to 'Connected'.

验证从经典 VNet 到 Resource Manager VNet 的连接To verify the connection from your classic VNet to your Resource Manager VNet

在 Azure 门户中,可通过导航到连接来查看经典 VNet VPN 网关的连接状态。In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. 以下步骤演示导航到连接并进行验证的一种方法。The following steps show one way to navigate to your connection and verify.

  1. Azure 门户中单击“所有资源”,并导航到经典虚拟网络。In the Azure portal, click All resources and navigate to your classic virtual network.
  2. 在虚拟网络边栏选项卡中,单击“概述”访问该边栏选项卡的“VPN 连接”部分。On the virtual network blade, click Overview to access the VPN connections section of the blade.
  3. 在 VPN 连接图中单击站点。On the VPN connections graphic, click the site.

    本地站点Local site

  4. 在“站点到站点 VPN 连接”边栏选项卡中,查看有关站点的信息。On the Site-to-site VPN connections blade, view the information about your site.

    连接状态Connection status

  5. 若要查看有关连接的详细信息,请单击连接名称打开“站点到站点 VPN 连接”边栏选项卡。To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade.

    连接状态详细信息Connection status more

验证从 Resource Manager VNet 到经典 VNet 的连接To verify the connection from your Resource Manager VNet to your classic VNet

在 Azure 门户中,可通过导航到连接来查看 Resource Manager VPN 网关的连接状态。In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. 以下步骤演示导航到连接并进行验证的一种方法。The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your virtual network gateway.
  2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

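The Resource Manager side of this check can also be scripted instead of watched in the portal. The following is an added example, not part of the original article: it assumes the Az.Network PowerShell module and an already signed-in session, and the connection and resource group names are placeholders.

```powershell
# Added example: poll a Resource Manager VPN gateway connection until it
# reports 'Connected', or fail after a timeout.
# Assumes the Az.Network module and a signed-in session (Connect-AzAccount).
function Wait-VpnConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [int]$TimeoutSeconds = 300,   # the article says to allow a minute or two
        [int]$PollSeconds = 15
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Look the connection up by name; -ErrorAction Stop turns a missing
        # connection or an expired login into a terminating error.
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName -ErrorAction Stop

        $line = "{0:HH:mm:ss}  provisioning={1}  status={2}" -f (Get-Date), $conn.ProvisioningState, $conn.ConnectionStatus
        Write-Host $line

        if ($conn.ConnectionStatus -eq 'Connected') {
            # Byte counters show how much traffic has crossed the tunnel so far.
            return [pscustomobject]@{
                Name         = $conn.Name
                Provisioning = $conn.ProvisioningState
                Status       = $conn.ConnectionStatus
                IngressBytes = $conn.IngressBytesTransferred
                EgressBytes  = $conn.EgressBytesTransferred
            }
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "Connection '$Name' is still '$($conn.ConnectionStatus)' after $TimeoutSeconds seconds."
}

# Placeholder names (assumptions): substitute your own connection and resource group.
Wait-VpnConnection -Name 'MyRmToClassicConnection' -ResourceGroupName 'MyResourceGroup'
```

A connection that never leaves 'Connecting' ends in the thrown error rather than an endless loop, so the function can gate a deployment script.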

VNet-to-VNet FAQ

The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual Network Peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection. Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.

Does VNet-to-VNet traffic travel across the Internet?

No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across AAD Tenants?

Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.

Is VNet-to-VNet traffic secure?

Yes, it is protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these scenarios, consider using a Site-to-Site VPN connection.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud services that are not in a virtual network.

Can a cloud service or a load balancing endpoint span VNets?

No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called Dynamic Routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.