
Create a VNet with a Site-to-Site VPN connection using PowerShell

This article shows you how to use PowerShell to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Diagram: Site-to-Site VPN Gateway cross-premises connection

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell:

Option | Example/Link
------ | ------------
Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell. | Example of Try It for Azure Cloud Shell
Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser. | Launch Cloud Shell in a new window
Select the Cloud Shell button on the top-right menu bar in the Azure portal. | Cloud Shell button in the Azure portal

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux or by selecting Cmd+Shift+V on macOS.

  4. Select Enter to run the code.

Running PowerShell locally

If you choose to install and use PowerShell locally, install the latest version of the Azure Resource Manager PowerShell cmdlets. PowerShell cmdlets are updated frequently, and you will typically need to update your PowerShell cmdlets to get the latest feature functionality. If you don't update your PowerShell cmdlets, the values you specify may fail.

To find the version you are using, run 'Get-Module -ListAvailable Az'. If you need to upgrade, see Install the Azure PowerShell module. For more information, see How to install and configure Azure PowerShell. If you are running PowerShell locally, you also need to run 'Connect-AzAccount' to create a connection with Azure.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.

#Example values

VnetName                = VNet1
ResourceGroup           = TestRG1
Location                = East US 
AddressSpace            = 10.1.0.0/16 
SubnetName              = Frontend 
Subnet                  = 10.1.0.0/24 
GatewaySubnet           = 10.1.255.0/27
LocalNetworkGatewayName = Site1
LNG Public IP           = <On-premises VPN device IP address> 
Local Address Prefixes  = 10.101.0.0/24, 10.101.1.0/24
Gateway Name            = VNet1GW
PublicIP                = VNet1GWPIP
Gateway IP Config       = gwipconfig1 
VPNType                 = RouteBased 
GatewayType             = Vpn 
ConnectionName          = VNet1toSite1

1. Create a virtual network and a gateway subnet

If you don't already have a virtual network, create one. When creating a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces that you have on your on-premises network.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.

About the gateway subnet

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources. You can't specify a different subnet to deploy the gateway resources to. If you don't have a subnet named 'GatewaySubnet', creating your VPN gateway will fail.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

Create a virtual network and a gateway subnet

This example creates a virtual network and a gateway subnet. If you already have a virtual network that you need to add a gateway subnet to, see To add a gateway subnet to a virtual network you have already created.

Create a resource group:

New-AzResourceGroup -Name TestRG1 -Location 'East US'

Create your virtual network.

  1. Set the variables.

    $subnet1 = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27
    $subnet2 = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix 10.1.0.0/24

  2. Create the VNet.

    New-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1 `
    -Location 'East US' -AddressPrefix 10.1.0.0/16 -Subnet $subnet1, $subnet2


To add a gateway subnet to a virtual network you have already created

Use the steps in this section if you already have a virtual network, but need to add a gateway subnet.

  1. Set the variables.

    $vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1

  2. Create the gateway subnet.

    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet

  3. Set the configuration.

    Set-AzVirtualNetwork -VirtualNetwork $vnet

2. Create the local network gateway

The local network gateway (LNG) typically refers to your on-premises location. It is not the same as a virtual network gateway. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

Use the following values:

  • The GatewayIPAddress is the IP address of your on-premises VPN device.
  • The AddressPrefix is your on-premises address space.

To add a local network gateway with a single address prefix:

New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.101.0.0/24'

To add a local network gateway with multiple address prefixes:

New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')

To modify IP address prefixes for your local network gateway:

Sometimes your local network gateway prefixes change. The steps you take to modify your IP address prefixes depend on whether you have created a VPN gateway connection. See the Modify IP address prefixes for a local network gateway section of this article.
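The article states several times (Before you begin, the Note in section 1, and this section) that no on-premises prefix may overlap the VNet address space, because duplicate ranges on the two sides of the tunnel cause traffic to route unexpectedly, but nothing in the procedure enforces it. The following added example, which is not code from the article, tests the local address prefixes against the VNet's address space with plain IPv4 CIDR arithmetic before calling New-AzLocalNetworkGateway. ConvertTo-AddressInt, Get-CidrBounds and Test-PrefixOverlap are hypothetical helper names; only the final Get-AzVirtualNetwork lookup needs an Azure session.

```powershell
# Added example (not from the original article). Helper names are hypothetical.
# IPv4-only: the article's examples use IPv4 prefixes throughout.

function ConvertTo-AddressInt([string]$Address) {
    # Network-order bytes to a single unsigned integer (uint64 avoids sign problems with the top bit set).
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([uint64]($b[0]) -shl 24) -bor ([uint64]($b[1]) -shl 16) -bor ([uint64]($b[2]) -shl 8) -bor [uint64]($b[3])
}

function Get-CidrBounds([string]$Cidr) {
    # Returns the first and last address of a prefix as integers.
    $address, $length = $Cidr -split '/'
    $length = [int]$length
    $all  = [uint64]4294967295                       # 0xFFFFFFFF written in decimal
    $mask = ($all -shl (32 - $length)) -band $all    # /0 yields 0, /32 yields all ones
    $start = (ConvertTo-AddressInt $address) -band $mask
    return @{ Start = $start; End = ($start -bor ($all -bxor $mask)) }
}

function Test-PrefixOverlap([string]$CidrA, [string]$CidrB) {
    # Two ranges overlap when each starts no later than the other ends.
    $a = Get-CidrBounds $CidrA
    $b = Get-CidrBounds $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

# The article's example on-premises ranges and VNet.
$localPrefixes = @('10.101.0.0/24', '10.101.1.0/24')
$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1

# Compare every local prefix against every VNet address range (a VNet may have more than one).
$conflicts = foreach ($vnetPrefix in $vnet.AddressSpace.AddressPrefixes) {
    foreach ($localPrefix in $localPrefixes) {
        if (Test-PrefixOverlap $vnetPrefix $localPrefix) {
            "on-premises prefix $localPrefix overlaps VNet range $vnetPrefix"
        }
    }
}

if ($conflicts) {
    throw "Refusing to create the local network gateway:`n$($conflicts -join "`n")"
}

New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1 `
    -Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix $localPrefixes
```

The same Test-PrefixOverlap function is worth running again whenever you update the prefixes with Set-AzLocalNetworkGateway (see the modification sections later in this article), since Azure accepts an overlapping prefix without complaint and the symptom only appears as misrouted traffic.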

3. Request a Public IP address

A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created.

VPN Gateway currently only supports Dynamic Public IP address allocation. You cannot request a Static Public IP address assignment. However, this does not mean that the IP address will change after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

Request a Public IP address that will be assigned to your virtual network VPN gateway.

$gwpip= New-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName TestRG1 -Location 'East US' -AllocationMethod Dynamic

4. Create the gateway IP addressing configuration

The gateway configuration defines the subnet (the 'GatewaySubnet') and the public IP address to use. Use the following example to create your gateway configuration:

$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

5. Create the VPN gateway

Create the virtual network VPN gateway.

Use the following values:

  • The -GatewayType for a Site-to-Site configuration is Vpn. The gateway type is always specific to the configuration that you are implementing. For example, other gateway configurations may require -GatewayType ExpressRoute.
  • The -VpnType can be RouteBased (referred to as a Dynamic Gateway in some documentation), or PolicyBased (referred to as a Static Gateway in some documentation). For more information about VPN gateway types, see About VPN Gateway.
  • Select the Gateway SKU that you want to use. There are configuration limitations for certain SKUs. For more information, see Gateway SKUs. If you get an error when creating the VPN gateway regarding the -GatewaySku, verify that you have installed the latest version of the PowerShell cmdlets.

New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1

After running this command, it can take up to 45 minutes for the gateway configuration to complete.

6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following items:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.

  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your virtual network gateway using PowerShell, use the following example. In this example, VNet1GWPIP is the name of the public IP address resource that you created in an earlier step.

    Get-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName TestRG1

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

7. Create the VPN connection

Next, create the Site-to-Site VPN connection between your virtual network gateway and your VPN device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. Notice that the '-ConnectionType' for Site-to-Site is IPsec.

  1. Set the variables.

    $gateway1 = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1

  2. Create the connection.

    New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1 `
    -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'

After a short while, the connection will be established.
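Section 6 says the article's 'abc123' is only a placeholder and recommends generating a more complex shared key, and step 2 above is where that key is committed to the connection. The following added example, which is not code from the article, generates the key from the operating system's cryptographic random number generator, uses it in the same New-AzVirtualNetworkGatewayConnection call, and reads it back from Azure with Get-AzVirtualNetworkGatewayConnectionSharedKey when it has to be handed to the VPN-device administrator. New-VpnSharedKey is a hypothetical helper name; the 32-character length is a choice made here, not an Azure requirement.

```powershell
# Added example (not from the original article). New-VpnSharedKey is a hypothetical helper name.
function New-VpnSharedKey {
    param([int]$Length = 32)   # chosen length; not an Azure-mandated value

    # Alphanumerics only, so the key pastes into any VPN device's CLI without quoting or escaping issues.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer   = New-Object byte[] 1
    $key      = New-Object System.Text.StringBuilder

    try {
        while ($key.Length -lt $Length) {
            $rng.GetBytes($buffer)
            # Rejection sampling: 248 = 4 * 62, so every accepted byte maps uniformly onto the 62 symbols
            # (taking 256 % 62 directly would slightly favour the first 8 symbols).
            if ($buffer[0] -lt 248) {
                [void]$key.Append($alphabet[$buffer[0] % 62])
            }
        }
    }
    finally {
        $rng.Dispose()
    }
    return $key.ToString()
}

$sharedKey = New-VpnSharedKey -Length 32

$gateway1 = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
$local    = Get-AzLocalNetworkGateway   -Name Site1   -ResourceGroupName TestRG1

New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1 `
    -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey $sharedKey

# The identical value must be configured on the on-premises VPN device. Rather than echoing $sharedKey into a
# console transcript or a script log, retrieve it from Azure at hand-over time:
Get-AzVirtualNetworkGatewayConnectionSharedKey -Name VNet1toSite1 -ResourceGroupName TestRG1
```

Because the key never appears as a literal in the script, it does not end up in source control or in the PowerShell command history the way 'abc123' would; the one place it is stored is the connection resource itself, where Azure RBAC controls who can read it back.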

8. Verify the VPN connection

There are a few different ways to verify your VPN connection.

You can verify that your connection succeeded by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1

  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431

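Section 7 says the connection is established "after a short while", and the single Get-AzVirtualNetworkGatewayConnection call above is a snapshot taken at one moment. The following added example, not code from the article, polls the connection until its status is 'Connected' or a timeout expires, and returns the same status and byte counters shown in the output above as an object you can assert on in a deployment script. Wait-VpnConnection is a hypothetical helper name; the 15-minute timeout and 30-second poll interval are choices made here.

```powershell
# Added example (not from the original article). Wait-VpnConnection is a hypothetical helper name.
function Wait-VpnConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [int]$TimeoutMinutes = 15,    # chosen here; adjust to your environment
        [int]$PollSeconds    = 30
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $conn = $null

    do {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName

        # ConnectionStatus is one of Unknown, Connecting, Connected, NotConnected.
        if ($conn.ConnectionStatus -eq 'Connected') {
            return [pscustomobject]@{
                Name    = $conn.Name
                Status  = $conn.ConnectionStatus
                Ingress = $conn.IngressBytesTransferred
                Egress  = $conn.EgressBytesTransferred
            }
        }

        Write-Verbose "$Name is '$($conn.ConnectionStatus)'; checking again in $PollSeconds seconds"
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Two things the article requires to match are the first to re-check when the tunnel never comes up:
    # the shared key on both sides, and the VPN device's public IP versus the local network gateway's GatewayIpAddress.
    throw "$Name did not reach 'Connected' within $TimeoutMinutes minutes (last status: '$($conn.ConnectionStatus)')"
}

# Usage with the article's example values; -Verbose shows each intermediate status.
$result = Wait-VpnConnection -Name VNet1toSite1 -ResourceGroupName TestRG1 -Verbose
$result
```

A status of 'Connected' with zero ingress bytes is still worth a second look: it shows IKE negotiation succeeded, but not that the on-premises side is actually sending traffic through the tunnel, which is what the VM connectivity test in the next section exercises.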

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzVM
      # Only NICs that are attached to a VM.
      $Nics = Get-AzNetworkInterface | Where-Object VirtualMachine -ne $null

      foreach ($Nic in $Nics)
      {
          $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
          $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
          $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
          Write-Output "$($VM.Name): $Prv,$Alloc"
      }

  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

To modify IP address prefixes for a local network gateway

If the IP address prefixes that you want routed to your on-premises location change, you can modify the local network gateway. Two sets of instructions are provided. The instructions you choose depend on whether you have already created your gateway connection. When using these examples, modify the values to match your environment.

To modify local network gateway IP address prefixes - no gateway connection

To add additional address prefixes:

  1. Set the variable for the LocalNetworkGateway.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1

  2. Modify the prefixes.

    Set-AzLocalNetworkGateway -LocalNetworkGateway $local `
    -AddressPrefix @('10.101.0.0/24','10.101.1.0/24','10.101.2.0/24')

To remove address prefixes:

Leave out the prefixes that you no longer need. In this example, we no longer need prefix 10.101.2.0/24 (from the previous example), so we update the local network gateway, excluding that prefix.

  1. Set the variable for the LocalNetworkGateway.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1

  2. Set the gateway with the updated prefixes.

    Set-AzLocalNetworkGateway -LocalNetworkGateway $local `
    -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')


To modify local network gateway IP address prefixes - existing gateway connection

If you have a gateway connection and want to add or remove the IP address prefixes contained in your local network gateway, you need to do the following steps, in order. This results in some downtime for your VPN connection. When modifying IP address prefixes, you don't need to delete the VPN gateway. You only need to remove the connection.

  1. Remove the connection.

    Remove-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1

  2. Set the local network gateway with the modified address prefixes.

    Set the variable for the LocalNetworkGateway.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1

    Modify the prefixes.

    Set-AzLocalNetworkGateway -LocalNetworkGateway $local `
    -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')

  3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your connection, use the connection type that is specified for your configuration. For additional connection types, see the PowerShell cmdlet page.

    Set the variable for the VirtualNetworkGateway.

    $gateway1 = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1

    Create the connection. This example uses the variable $local that you set in step 2.

    New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 `
    -ResourceGroupName TestRG1 -Location 'East US' `
    -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec `
    -RoutingWeight 10 -SharedKey 'abc123'


To modify the gateway IP address for a local network gateway

To modify the local network gateway 'GatewayIpAddress' - no gateway connection

If the VPN device that you want to connect to has changed its public IP address, you need to modify the local network gateway to reflect that change. Use the example to modify a local network gateway that does not have a gateway connection.

When modifying this value, you can also modify the address prefixes at the same time. Be sure to use the existing name of your local network gateway in order to overwrite the current settings. If you use a different name, you create a new local network gateway, instead of overwriting the existing one.

New-AzLocalNetworkGateway -Name Site1 `
-Location "East US" -AddressPrefix @('10.101.0.0/24','10.101.1.0/24') `
-GatewayIpAddress "5.4.3.2" -ResourceGroupName TestRG1

To modify the local network gateway 'GatewayIpAddress' - existing gateway connection

If the VPN device that you want to connect to has changed its public IP address, you need to modify the local network gateway to reflect that change. If a gateway connection already exists, you first need to remove the connection. After the connection is removed, you can modify the gateway IP address and recreate a new connection. You can also modify the address prefixes at the same time. This results in some downtime for your VPN connection. When modifying the gateway IP address, you don't need to delete the VPN gateway. You only need to remove the connection.

  1. Remove the connection. You can find the name of your connection by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet.

    Remove-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 `
    -ResourceGroupName TestRG1

  2. Modify the 'GatewayIpAddress' value. You can also modify the address prefixes at the same time. Be sure to use the existing name of your local network gateway to overwrite the current settings. If you don't, you create a new local network gateway, instead of overwriting the existing one.

    New-AzLocalNetworkGateway -Name Site1 `
    -Location "East US" -AddressPrefix @('10.101.0.0/24','10.101.1.0/24') `
    -GatewayIpAddress "104.40.81.124" -ResourceGroupName TestRG1

  3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your connection, use the connection type that is specified for your configuration. For additional connection types, see the PowerShell cmdlet page. To obtain the VirtualNetworkGateway name, you can run the 'Get-AzVirtualNetworkGateway' cmdlet.

    Set the variables.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1

    $vnetgw = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1

    Create the connection.

    New-AzVirtualNetworkGatewayConnection -Name VNet1Site1 -ResourceGroupName TestRG1 `
    -Location "East US" `
    -VirtualNetworkGateway1 $vnetgw `
    -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'

Next steps