Add a Site-to-Site connection to a VNet with an existing VPN gateway connection

This article helps you add Site-to-Site (S2S) connections to a VPN gateway that has an existing connection by using the Azure portal. This type of connection is often referred to as a "multi-site" configuration. You can add an S2S connection to a VNet that already has an S2S connection, Point-to-Site connection, or VNet-to-VNet connection. There are some limitations when adding connections. Check the Before you begin section in this article to verify them before you start your configuration.

This article applies to Resource Manager VNets that have a RouteBased VPN gateway. These steps do not apply to new ExpressRoute/Site-to-Site coexisting connection configurations. However, if you are merely adding a new VPN connection to an already existing coexisting configuration, you can use these steps. See ExpressRoute/S2S coexisting connections for information about coexisting connections.

Deployment models and methods

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

We update this table as new articles and additional tools become available for this configuration. When an article is available, we link directly to it from this table.

Deployment model/method | Azure portal  | PowerShell
Resource Manager        | Tutorial      | Supported
Classic                 | Not Supported | Tutorial

Before you begin

Verify the following items:

  • You are not configuring a new coexisting ExpressRoute and VPN Gateway configuration.
  • You have a virtual network that was created using the Resource Manager deployment model with an existing connection.
  • The virtual network gateway for your VNet is RouteBased. If you have a PolicyBased VPN gateway, you must delete the virtual network gateway and create a new VPN gateway as RouteBased.
  • None of the address ranges overlap for any of the VNets that this VNet is connecting to.
  • You have a compatible VPN device and someone who is able to configure it. See About VPN Devices. If you aren't familiar with configuring your VPN device, or are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you.
  • You have an externally facing public IP address for your VPN device. This IP address cannot be located behind a NAT.

Part 1 - Configure a connection

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Click All resources, locate your virtual network gateway in the list of resources, and click it.

  3. On the Virtual network gateway page, click Connections.

  4. On the Connections page, click +Add.

  5. On the Add connection page, fill out the following fields:

    • Name: The name you want to give to the site you are creating the connection to.

    • Connection type: Select Site-to-site (IPsec).

Part 2 - Add a local network gateway

  1. Click "Local network gateway" "Choose a local network gateway". This opens the Choose local network gateway page.

  2. Click Create new to open the Create local network gateway page.

  3. On the Create local network gateway page, fill out the following fields:

    • Name: The name you want to give to the local network gateway resource.
    • IP address: The public IP address of the VPN device on the site that you want to connect to.
    • Address space: The address space that you want to be routed to the new local network site.
  4. Click OK on the Create local network gateway page to save the changes.

Part 3 - Add the shared key and create the connection

  1. On the Add connection page, add the shared key that you want to use to create your connection. You can either get the shared key from your VPN device, or make one up here and then configure your VPN device to use the same shared key. The important thing is that the keys are exactly the same.

  2. At the bottom of the page, click OK to create the connection.
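
The same result as Parts 2 and 3 can be scripted with the Az PowerShell module. The following is an added example, not part of the original article; it generates the shared key from the system random number generator instead of making one up by hand. The gateway name, site name, device IP address and address space are constructed placeholders.

```powershell
# Added example. All values in this block are constructed placeholders.
$rg        = 'TestRG1'
$gwName    = 'VNet1GW'            # existing RouteBased VPN gateway (assumed name)
$siteName  = 'Site2'              # the new on-premises site (assumed name)
$devicePip = '203.0.113.10'       # public IP of the VPN device, not behind NAT
$onPrem    = @('10.20.0.0/16')    # address space routed to the new site

# Build a 64-character hex shared key from 32 bytes of cryptographic randomness.
$bytes = [byte[]]::new(32)
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try     { $rng.GetBytes($bytes) }
finally { $rng.Dispose() }
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# The article's prerequisite: the existing gateway must be RouteBased.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.VpnType -ne 'RouteBased') {
    throw "Gateway '$gwName' is $($gw.VpnType); a RouteBased gateway is required."
}

# Part 2: the local network gateway that represents the new site.
$lng = New-AzLocalNetworkGateway -Name $siteName -ResourceGroupName $rg `
    -Location $gw.Location -GatewayIpAddress $devicePip -AddressPrefix $onPrem

# Part 3: the Site-to-Site (IPsec) connection that uses the shared key.
New-AzVirtualNetworkGatewayConnection -Name "VNet1to$siteName" `
    -ResourceGroupName $rg -Location $gw.Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# $psk is deliberately not echoed. Pass it to the person configuring the
# VPN device over a protected channel; both sides must use the identical key.
```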

Part 4 - Verify the VPN connection

You can verify that your connection succeeded by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
    
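
In a multi-site configuration it is worth confirming that the connections the gateway already had are still up after the new one is added. The following is an added example, not part of the original article; it assumes the TestRG1 resource group from the sample above and queries each connection by name, the form of the cmdlet the article uses.

```powershell
# Added example. 'TestRG1' is the sample resource group name used above.
$rg = 'TestRG1'

# List the connections in the resource group, then query each one by name
# and keep only the fields needed to judge tunnel health.
$report = foreach ($c in Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg) {
    $d = Get-AzVirtualNetworkGatewayConnection -Name $c.Name -ResourceGroupName $rg
    [pscustomobject]@{
        Name         = $d.Name
        Type         = $d.ConnectionType
        Status       = $d.ConnectionStatus
        IngressBytes = $d.IngressBytesTransferred
        EgressBytes  = $d.EgressBytesTransferred
    }
}

$report | Format-Table -AutoSize

# Flag anything that is not in the 'Connected' state shown in the article.
$notConnected = @($report | Where-Object { $_.Status -ne 'Connected' })
if ($notConnected.Count -gt 0) {
    Write-Warning ("Not connected: " + ($notConnected.Name -join ', '))
}

# A tunnel that reports Connected but has moved no bytes in either direction
# may be up without carrying traffic; check routes and the address space.
$idle = @($report | Where-Object {
    $_.Status -eq 'Connected' -and $_.IngressBytes -eq 0 -and $_.EgressBytes -eq 0
})
if ($idle.Count -gt 0) {
    Write-Warning ("Connected but no traffic yet: " + ($idle.Name -join ', '))
}
```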

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See the virtual machines learning path for more information.