
Connect virtual networks from different deployment models using PowerShell

This article helps you connect classic VNets to Resource Manager VNets to allow the resources located in the separate deployment models to communicate with each other. The steps in this article use PowerShell, but you can also create this configuration using the Azure portal.

Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a connection between VNets that are in different subscriptions and in different regions. You can also connect VNets that already have connections to on-premises networks, as long as the gateway that they have been configured with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet FAQ at the end of this article.

If you do not already have a virtual network gateway and do not want to create one, you may want to instead consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway. For more information, see VNet peering.

Before you begin

The following steps walk you through the settings necessary to configure a dynamic or route-based gateway for each VNet and create a VPN connection between the gateways. This configuration does not support static or policy-based gateways.

Prerequisites

  • Both VNets have already been created.
  • The address ranges for the VNets do not overlap with each other, or overlap with any of the ranges for other connections that the gateways may be connected to.
  • You have installed the latest PowerShell cmdlets. See How to install and configure Azure PowerShell for more information. Make sure you install both the Service Management (SM) and the Resource Manager (RM) cmdlets.

Example settings

You can use these values to create a test environment, or refer to them to better understand the examples in this article.

Classic VNet settings

VNet Name = ClassicVNet
Location = West US
Virtual Network Address Spaces = 10.0.0.0/24
Subnet-1 = 10.0.0.0/27
GatewaySubnet = 10.0.0.32/29
Local Network Name = RMVNetLocal
GatewayType = DynamicRouting

Resource Manager VNet settings

VNet Name = RMVNet
Resource Group = RG1
Virtual Network IP Address Spaces = 192.168.0.0/16
Subnet-1 = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Location = East US
Gateway public IP name = gwpip
Local Network Gateway = ClassicVNetLocal
Virtual Network Gateway name = RMGateway
Gateway IP addressing configuration = gwipconfig

Section 1 - Configure the classic VNet

1. Download your network configuration file

  1. Log in to your Azure account in the PowerShell console with elevated rights. The following cmdlet prompts you for the login credentials for your Azure Account. After logging in, it downloads your account settings so that they are available to Azure PowerShell. The classic Service Management (SM) Azure PowerShell cmdlets are used in this section.

    Add-AzureAccount
    

    Get your Azure subscription.

    Get-AzureSubscription
    

    If you have more than one subscription, select the subscription that you want to use.

    Select-AzureSubscription -SubscriptionName "Name of subscription"
    
  2. Export your Azure network configuration file by running the following command. You can change the location of the file to export to a different location if necessary.

    Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
    
  3. Open the .xml file that you downloaded to edit it. For an example of the network configuration file, see the Network Configuration Schema.

2. Verify the gateway subnet

In the VirtualNetworkSites element, add a gateway subnet to your VNet if one has not already been created. When working with the network configuration file, the gateway subnet MUST be named "GatewaySubnet" or Azure cannot recognize and use it as a gateway subnet.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?

Example:

<VirtualNetworkSites>
  <VirtualNetworkSite name="ClassicVNet" Location="West US">
    <AddressSpace>
      <AddressPrefix>10.0.0.0/24</AddressPrefix>
    </AddressSpace>
    <Subnets>
      <Subnet name="Subnet-1">
        <AddressPrefix>10.0.0.0/27</AddressPrefix>
      </Subnet>
      <Subnet name="GatewaySubnet">
        <AddressPrefix>10.0.0.32/29</AddressPrefix>
      </Subnet>
    </Subnets>
  </VirtualNetworkSite>
</VirtualNetworkSites>

3. Add the local network site

The local network site you add represents the RM VNet to which you want to connect. Add a LocalNetworkSites element to the file if one doesn't already exist. At this point in the configuration, the VPNGatewayAddress can be any valid public IP address because we haven't yet created the gateway for the Resource Manager VNet. Once we create the gateway, we replace this placeholder IP address with the correct public IP address that has been assigned to the RM gateway.

<LocalNetworkSites>
  <LocalNetworkSite name="RMVNetLocal">
    <AddressSpace>
      <AddressPrefix>192.168.0.0/16</AddressPrefix>
    </AddressSpace>
    <VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
  </LocalNetworkSite>
</LocalNetworkSites>

4. Associate the VNet with the local network site

In this section, we specify the local network site that you want to connect the VNet to. In this case, it is the Resource Manager VNet that you referenced earlier. Make sure the names match. This step does not create a gateway. It specifies the local network that the gateway will connect to.

    <Gateway>
      <ConnectionsToLocalNetwork>
        <LocalNetworkSiteRef name="RMVNetLocal">
          <Connection type="IPsec" />
        </LocalNetworkSiteRef>
      </ConnectionsToLocalNetwork>
    </Gateway>
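
The checks that steps 2 through 4 ask for (a subnet named GatewaySubnet, a LocalNetworkSiteRef name that matches a LocalNetworkSite, a parseable VPNGatewayAddress, and address ranges that do not overlap) can be run against the edited file before it is imported in step 5. The following PowerShell is an added example, not part of the original article or of Azure PowerShell: ConvertTo-Ipv4Range and Test-ClassicNetworkConfig are hypothetical helper names, and the sample XML is constructed from the article's example values. It assumes IPv4 prefixes, exact-case name matching, and a Gateway element nested inside its VirtualNetworkSite.

```powershell
# Added example: pre-import checks for the classic network configuration file (IPv4 only).
function ConvertTo-Ipv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $addr, $len = $Cidr.Split('/')
    [long]$ip = 0
    foreach ($b in [System.Net.IPAddress]::Parse($addr).GetAddressBytes()) {
        $ip = ($ip -shl 8) -bor $b
    }
    [long]$size = [long]1 -shl (32 - [int]$len)
    $start = $ip - ($ip % $size)                 # align to the network boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-ClassicNetworkConfig {
    param([Parameter(Mandatory)][xml]$Config, [Parameter(Mandatory)][string]$VNetName)
    # local-name() makes the XPath work whether or not the file declares a namespace.
    $prefixPath = "*[local-name()='AddressSpace']/*[local-name()='AddressPrefix']"
    $findings = @()
    $site = $Config.SelectNodes("//*[local-name()='VirtualNetworkSite']") |
        Where-Object { $_.GetAttribute('name') -ceq $VNetName } | Select-Object -First 1
    if ($null -eq $site) { return "VNet '$VNetName' not found" }
    $subnets = $site.SelectNodes("*[local-name()='Subnets']/*[local-name()='Subnet']") |
        ForEach-Object { $_.GetAttribute('name') }
    if ($subnets -cnotcontains 'GatewaySubnet') {   # exact case: a conservative assumption
        $findings += "No subnet named 'GatewaySubnet' in '$VNetName'"
    }
    $vnetRanges = $site.SelectNodes($prefixPath) |
        ForEach-Object { ConvertTo-Ipv4Range ($_.InnerText.Trim()) }
    # Assumes the <Gateway> element sits inside the <VirtualNetworkSite> element.
    $refs = $site.SelectNodes(".//*[local-name()='LocalNetworkSiteRef']")
    if ($refs.Count -eq 0) { $findings += "'$VNetName' references no local network site" }
    foreach ($ref in $refs) {
        $refName = $ref.GetAttribute('name')
        $local = $Config.SelectNodes("//*[local-name()='LocalNetworkSite']") |
            Where-Object { $_.GetAttribute('name') -ceq $refName } | Select-Object -First 1
        if ($null -eq $local) {
            $findings += "LocalNetworkSiteRef '$refName' matches no LocalNetworkSite"
            continue
        }
        $gw = $local.SelectSingleNode("*[local-name()='VPNGatewayAddress']")
        $parsed = $null
        if ($null -eq $gw -or
            -not [System.Net.IPAddress]::TryParse($gw.InnerText.Trim(), [ref]$parsed)) {
            $findings += "LocalNetworkSite '$refName' has no valid VPNGatewayAddress"
        }
        foreach ($p in $local.SelectNodes($prefixPath)) {
            $remote = ConvertTo-Ipv4Range ($p.InnerText.Trim())
            foreach ($mine in $vnetRanges) {
                if ($mine.Start -le $remote.End -and $remote.Start -le $mine.End) {
                    $findings += "$($mine.Cidr) overlaps $($remote.Cidr) of '$refName'"
                }
            }
        }
    }
    $findings
}

# Constructed sample using the article's values, with two deliberate mistakes:
# one reference is misspelled and a second site overlaps the classic VNet range.
[xml]$sample = @'
<NetworkConfiguration>
  <LocalNetworkSites>
    <LocalNetworkSite name="RMVNetLocal">
      <AddressSpace><AddressPrefix>192.168.0.0/16</AddressPrefix></AddressSpace>
      <VPNGatewayAddress>13.68.210.16</VPNGatewayAddress></LocalNetworkSite>
    <LocalNetworkSite name="OtherSite">
      <AddressSpace><AddressPrefix>10.0.0.0/16</AddressPrefix></AddressSpace>
      <VPNGatewayAddress>13.68.210.16</VPNGatewayAddress></LocalNetworkSite>
  </LocalNetworkSites>
  <VirtualNetworkSites>
    <VirtualNetworkSite name="ClassicVNet" Location="West US">
      <AddressSpace><AddressPrefix>10.0.0.0/24</AddressPrefix></AddressSpace>
      <Subnets><Subnet name="Subnet-1"><AddressPrefix>10.0.0.0/27</AddressPrefix></Subnet>
        <Subnet name="GatewaySubnet"><AddressPrefix>10.0.0.32/29</AddressPrefix></Subnet></Subnets>
      <Gateway><ConnectionsToLocalNetwork>
        <LocalNetworkSiteRef name="RMVNetLocl"><Connection type="IPsec" /></LocalNetworkSiteRef>
        <LocalNetworkSiteRef name="OtherSite"><Connection type="IPsec" /></LocalNetworkSiteRef>
      </ConnectionsToLocalNetwork></Gateway>
    </VirtualNetworkSite>
  </VirtualNetworkSites>
</NetworkConfiguration>
'@
Test-ClassicNetworkConfig -Config $sample -VNetName ClassicVNet
```

To check a real export, pass [xml](Get-Content C:\AzureNet\NetworkConfig.xml -Raw) as -Config; an empty result means none of the checks failed.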

5. Save the file and upload

Save the file, then import it to Azure by running the following command. Make sure you change the file path as necessary for your environment.

Set-AzureVNetConfig -ConfigurationPath C:\AzureNet\NetworkConfig.xml

You will see a similar result showing that the import succeeded.

    OperationDescription        OperationId                      OperationStatus                                                
    --------------------        -----------                      ---------------                                                
    Set-AzureVNetConfig        e0ee6e66-9167-cfa7-a746-7casb9    Succeeded 

6. Create the gateway

Before running this example, refer to the network configuration file that you downloaded for the exact names that Azure expects to see. The network configuration file contains the values for your classic virtual networks. Sometimes the names for classic VNets are changed in the network configuration file when creating classic VNet settings in the Azure portal due to the differences in the deployment models. For example, if you used the Azure portal to create a classic VNet named 'Classic VNet' and created it in a resource group named 'ClassicRG', the name that is contained in the network configuration file is converted to 'Group ClassicRG Classic VNet'. When specifying the name of a VNet that contains spaces, use quotation marks around the value.

Use the following example to create a dynamic routing gateway:

New-AzureVNetGateway -VNetName ClassicVNet -GatewayType DynamicRouting

You can check the status of the gateway by using the Get-AzureVNetGateway cmdlet.

Section 2 - Configure the RM VNet gateway

To create a VPN gateway for the RM VNet, follow these instructions. Don't start the steps until after you have retrieved the public IP address for the classic VNet's gateway.

  1. Log in to your Azure account in the PowerShell console. The following cmdlet prompts you for the login credentials for your Azure Account. After logging in, your account settings are downloaded so that they are available to Azure PowerShell.

    Login-AzureRmAccount
    

    Get a list of your Azure subscriptions.

    Get-AzureRmSubscription
    

    If you have more than one subscription, specify the subscription that you want to use.

    Select-AzureRmSubscription -SubscriptionName "Name of subscription"
    
  2. Create a local network gateway. In a virtual network, the local network gateway typically refers to your on-premises location. In this case, the local network gateway refers to your Classic VNet. Give it a name by which Azure can refer to it, and also specify the address space prefix. Azure uses the IP address prefix you specify to identify which traffic to send to your on-premises location. If you need to adjust the information here later, before creating your gateway, you can modify the values and run the sample again.

    -Name is the name you want to assign to refer to the local network gateway.
    -AddressPrefix is the Address Space for your classic VNet.
    -GatewayIpAddress is the public IP address of the classic VNet's gateway. Be sure to change the following sample to reflect the correct IP address.

    New-AzureRmLocalNetworkGateway -Name ClassicVNetLocal `
    -Location "West US" -AddressPrefix "10.0.0.0/24" `
    -GatewayIpAddress "n.n.n.n" -ResourceGroupName RG1
    
  3. Request a public IP address to be allocated to the virtual network gateway for the Resource Manager VNet. You can't specify the IP address that you want to use. The IP address is dynamically allocated to the virtual network gateway. However, this does not mean the IP address changes. The only time the virtual network gateway IP address changes is when the gateway is deleted and recreated. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of the gateway.

    In this step, we also set a variable that is used in a later step.

    $ipaddress = New-AzureRmPublicIpAddress -Name gwpip `
    -ResourceGroupName RG1 -Location 'EastUS' `
    -AllocationMethod Dynamic
    
  4. Verify that your virtual network has a gateway subnet. If no gateway subnet exists, add one. Make sure the gateway subnet is named GatewaySubnet.

  5. Retrieve the subnet used for the gateway by running the following command. In this step, we also set a variable to be used in the next step.

    -Name is the name of your Resource Manager VNet.
    -ResourceGroupName is the resource group that the VNet is associated with. The gateway subnet must already exist for this VNet and must be named GatewaySubnet to work properly.

    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet `
    -VirtualNetwork (Get-AzureRmVirtualNetwork -Name RMVNet -ResourceGroupName RG1)
    
  6. Create the gateway IP addressing configuration. The gateway configuration defines the subnet and the public IP address to use. Use the following sample to create your gateway configuration.

    In this step, the -SubnetId and -PublicIpAddressId parameters must be passed the id property from the subnet and IP address objects, respectively. You can't use a simple string. These variables are set in the step to request a public IP and the step to retrieve the subnet.

    $gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig `
    -Name gwipconfig -SubnetId $subnet.id `
    -PublicIpAddressId $ipaddress.id
    
  7. Create the Resource Manager virtual network gateway by running the following command. The -VpnType must be RouteBased. It can take 45 minutes or more for the gateway to create.

    New-AzureRmVirtualNetworkGateway -Name RMGateway -ResourceGroupName RG1 `
    -Location "EastUS" -GatewaySKU Standard -GatewayType Vpn `
    -IpConfigurations $gwipconfig `
    -EnableBgp $false -VpnType RouteBased
    
  8. Copy the public IP address once the VPN gateway has been created. You use it when you configure the local network settings for your Classic VNet. You can use the following cmdlet to retrieve the public IP address. The public IP address is listed in the return as IpAddress.

    Get-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName RG1
    

Section 3 - Modify the classic VNet local site settings

In this section, you work with the classic VNet. You replace the placeholder IP address that you used when specifying the local site settings that will be used to connect to the Resource Manager VNet gateway.

  1. Export the network configuration file.

    Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
    
  2. Using a text editor, modify the value for VPNGatewayAddress. Replace the placeholder IP address with the public IP address of the Resource Manager gateway and then save the changes.

    <VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
    
  3. Import the modified network configuration file to Azure.

    Set-AzureVNetConfig -ConfigurationPath C:\AzureNet\NetworkConfig.xml
    

Section 4 - Create a connection between the gateways

Creating a connection between the gateways requires PowerShell. You may need to add your Azure Account to use the classic version of the PowerShell cmdlets. To do so, use Add-AzureAccount.

  1. In the PowerShell console, set your shared key. Before running the cmdlets, refer to the network configuration file that you downloaded for the exact names that Azure expects to see. When specifying the name of a VNet that contains spaces, use single quotation marks around the value.

    In the following example, -VNetName is the name of the classic VNet and -LocalNetworkSiteName is the name you specified for the local network site. The -SharedKey is a value that you generate and specify. In the example, we used 'abc123', but you can generate and use something more complex. The important thing is that the value you specify here must be the same value that you specify in the next step when you create your connection. The return should show Status: Successful.

    Set-AzureVNetGatewayKey -VNetName ClassicVNet `
    -LocalNetworkSiteName RMVNetLocal -SharedKey abc123
    
  2. Create the VPN connection by running the following commands:

    Set the variables.

    $vnet01gateway = Get-AzureRMLocalNetworkGateway -Name ClassicVNetLocal -ResourceGroupName RG1
    $vnet02gateway = Get-AzureRmVirtualNetworkGateway -Name RMGateway -ResourceGroupName RG1
    

    Create the connection. Notice that the -ConnectionType is IPsec, not Vnet2Vnet.

    New-AzureRmVirtualNetworkGatewayConnection -Name RM-Classic -ResourceGroupName RG1 `
    -Location "East US" -VirtualNetworkGateway1 `
    $vnet02gateway -LocalNetworkGateway2 `
    $vnet01gateway -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'
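
The 'abc123' value in steps 1 and 2 is a stand-in, and whatever key is used has to be identical on both sides. As an added example (not part of the original article), the following generates a random key once and passes the same variable to the two cmdlets from those steps; New-IpsecSharedKey is a hypothetical helper name, and the resource names are the article's example values.

```powershell
# Added example: one randomly generated pre-shared key, used on both gateways.
function New-IpsecSharedKey {
    param([ValidateRange(16, 64)][int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Hex output stays within [0-9a-f], so the key needs no quoting or escaping.
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

$sharedKey = New-IpsecSharedKey      # 32 random bytes, written as 64 hex characters

# Classic side (Service Management cmdlet, same parameters as step 1).
Set-AzureVNetGatewayKey -VNetName ClassicVNet `
    -LocalNetworkSiteName RMVNetLocal -SharedKey $sharedKey

# Resource Manager side (same parameters as step 2).
$vnet01gateway = Get-AzureRmLocalNetworkGateway -Name ClassicVNetLocal -ResourceGroupName RG1
$vnet02gateway = Get-AzureRmVirtualNetworkGateway -Name RMGateway -ResourceGroupName RG1
New-AzureRmVirtualNetworkGatewayConnection -Name RM-Classic -ResourceGroupName RG1 `
    -Location "East US" -VirtualNetworkGateway1 $vnet02gateway `
    -LocalNetworkGateway2 $vnet01gateway -ConnectionType IPsec `
    -RoutingWeight 10 -SharedKey $sharedKey

Remove-Variable sharedKey            # do not leave the key in the session
```

Because the key is never typed as a literal, it does not end up in the console history the way 'abc123' would.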
    

Section 5 - Verify your connections

To verify the connection from your classic VNet to your Resource Manager VNet

PowerShell

You can verify that your connection succeeded by using the 'Get-AzureVNetConnection' cmdlet.

  1. Use the following cmdlet example, configuring the values to match your own. The name of the virtual network must be in quotes if it contains spaces.

    Get-AzureVNetConnection "Group ClassicRG ClassicVNet"
    
  2. After the cmdlet has finished, view the values. In the example below, the Connectivity State shows as 'Connected' and you can see ingress and egress bytes.

     ConnectivityState         : Connected
     EgressBytesTransferred    : 181664
     IngressBytesTransferred   : 182080
     LastConnectionEstablished : 1/7/2016 12:40:54 AM
     LastEventID               : 24401
     LastEventMessage          : The connectivity state for the local network site 'RMVNetLocal' changed from Connecting to
                                 Connected.
     LastEventTimeStamp        : 1/7/2016 12:40:54 AM
     LocalNetworkSiteName      : RMVNetLocal
    

Azure portal

In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your classic virtual network.
  2. On the virtual network blade, click Overview to access the VPN connections section of the blade.
  3. On the VPN connections graphic, click the site.


  4. On the Site-to-site VPN connections blade, view the information about your site.


  5. To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade.


To verify the connection from your Resource Manager VNet to your classic VNet

PowerShell

You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
    

Azure portal

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your virtual network gateway.
  2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
  3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.


VNet-to-VNet FAQ

The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual Network Peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection. Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.

Does VNet-to-VNet traffic travel across the Internet?

No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across AAD Tenants?

Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.

Is VNet-to-VNet traffic secure?

Yes, it is protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these scenarios, consider using a Site-to-Site VPN connection.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud services that are not in a virtual network.

Can a cloud service or a load balancing endpoint span VNets?

No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called Dynamic Routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.