
Create a virtual network with a Site-to-Site VPN connection using CLI

This article shows you how to use the Azure CLI to create a Site-to-Site VPN gateway connection from your on-premises network to a VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model.

[Diagram: Site-to-Site VPN gateway cross-premises connection]

A Site-to-Site VPN gateway connection connects your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Before you begin

Verify that you have met the following criteria before beginning configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.

  • Verify that you have an externally facing public IPv4 address for your VPN device.

  • If you are unfamiliar with the IP address ranges in your on-premises network configuration, coordinate with someone who can provide those details. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

  • You can use Azure Cloud Shell to run your CLI commands (instructions below). If you prefer to run the commands locally, verify that you have installed the latest version of the Azure CLI (2.0 or later). For information about installing the CLI, see Install the Azure CLI and Get Started with Azure CLI.

    Use Azure Cloud Shell

    Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

    To start Azure Cloud Shell, use one of the following options:

    • Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
    • Go to https://shell.azure.com, or select the Launch Cloud Shell button, to open Cloud Shell in your browser.
    • Select the Cloud Shell button on the top-right menu bar in the Azure portal.

    To run the code in this article in Azure Cloud Shell:

    1. Start Cloud Shell.

    2. Select the Copy button on a code block to copy the code.

    3. Paste the code into the Cloud Shell session by pressing Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.

    4. Press Enter to run the code.

Example values

You can use the following values to create a test environment, or refer to them to better understand the examples in this article:

#Example values

VnetName                = TestVNet1 
ResourceGroup           = TestRG1 
Location                = eastus 
AddressSpace            = 10.11.0.0/16 
SubnetName              = Subnet1 
Subnet                  = 10.11.0.0/24 
GatewaySubnet           = 10.11.255.0/27 
LocalNetworkGatewayName = Site2 
LNG Public IP           = <VPN device IP address>
LocalAddrPrefix1        = 10.0.0.0/24
LocalAddrPrefix2        = 20.0.0.0/24   
GatewayName             = VNet1GW 
PublicIP                = VNet1GWIP 
VPNType                 = RouteBased 
GatewayType             = Vpn 
ConnectionName          = VNet1toSite2

1. Connect to your subscription

If you choose to run the CLI locally, connect to your subscription. If you are using Azure Cloud Shell in the browser, you don't need to connect to your subscription; you are connected automatically. However, you may want to verify that you are using the correct subscription after you connect.

Sign in to your Azure subscription with the az login command and follow the on-screen directions. For more information about signing in, see Get Started with Azure CLI.

az login

If you have more than one Azure subscription, list the subscriptions for the account.

az account list --all

Specify the subscription that you want to use.

az account set --subscription <replace_with_your_subscription_id>

2. Create a resource group

The following example creates a resource group named 'TestRG1' in the 'eastus' location. If you already have a resource group in the region where you want to create your VNet, you can use that one instead.

az group create --name TestRG1 --location eastus

3. Create a virtual network

If you don't already have a virtual network, create one using the az network vnet create command. When creating a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces on your on-premises network.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with that VNet. Plan your network configuration accordingly.
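The overlap rule in the note above (and in the 'Before you begin' checklist) is easy to get wrong when the on-premises and Azure prefixes are chosen by different teams, so it is worth checking before any az command runs. The script below is an added example and is not part of the original article: it converts each CIDR to an integer range and reports any on-premises prefix that intersects the planned VNet address space. The prefixes are the page's example values; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the Azure article): pre-flight check that the
# on-premises prefixes do not overlap the planned VNet address space.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "first last" as integers for a CIDR such as 10.11.0.0/16.
cidr_range() {
  local ip=${1%/*} len=${1#*/} base mask first last
  base=$(ip_to_int "$ip")
  if [ "$len" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  fi
  first=$(( base & mask ))
  last=$(( first | (mask ^ 0xFFFFFFFF) ))
  echo "$first $last"
}

# Succeed (exit 0) when two CIDRs share at least one address.
cidr_overlap() {
  local a1 a2 b1 b2
  set -- $(cidr_range "$1") $(cidr_range "$2")
  a1=$1 a2=$2 b1=$3 b2=$4
  [ "$a1" -le "$b2" ] && [ "$b1" -le "$a2" ]
}

# Check a VNet address space against every remote prefix given.
# Prints each conflict on stderr; returns 1 if any overlap was found.
check_no_overlap() {
  local vnet=$1 rc=0 p
  shift
  for p in "$@"; do
    if cidr_overlap "$vnet" "$p"; then
      echo "CONFLICT: $p overlaps VNet address space $vnet" >&2
      rc=1
    fi
  done
  return $rc
}

# The page's example values; replace with your own.
VNET_ADDRESS_SPACE="10.11.0.0/16"
LOCAL_PREFIXES="10.0.0.0/24 20.0.0.0/24"

# Run the check only when invoked as `sh cidr-check.sh check`, so the
# functions can also be sourced from other deployment scripts.
if [ "${1:-}" = "check" ]; then
  # shellcheck disable=SC2086
  check_no_overlap "$VNET_ADDRESS_SPACE" $LOCAL_PREFIXES \
    && echo "OK: no overlap, safe to run az network vnet create"
fi
```

Run it before step 3 with the same prefixes you intend to pass to az network vnet create and az network local-gateway create; a non-zero exit means the VNet range or one of the local prefixes has to be re-negotiated before the tunnel will route as expected.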

The following example creates a virtual network named 'TestVNet1' and a subnet, 'Subnet1'.

az network vnet create --name TestVNet1 --resource-group TestRG1 --address-prefix 10.11.0.0/16 --location eastus --subnet-name Subnet1 --subnet-prefix 10.11.0.0/24

4. Create the gateway subnet

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources; you can't deploy the gateway resources to a differently named subnet. If you don't have a subnet named 'GatewaySubnet', creating the VPN gateway fails.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create; some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that says the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

Use the az network vnet subnet create command to create the gateway subnet.

az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group TestRG1 --vnet-name TestVNet1

Important

When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating an NSG with this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

5. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

Use the following values:

  • --gateway-ip-address is the IP address of your on-premises VPN device.
  • --local-address-prefixes are your on-premises address spaces.

Use the az network local-gateway create command to add a local network gateway with multiple address prefixes:

az network local-gateway create --gateway-ip-address 23.99.221.164 --name Site2 --resource-group TestRG1 --local-address-prefixes 10.0.0.0/24 20.0.0.0/24

6. Request a public IP address

A VPN gateway must have a public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports dynamic public IP address allocation; you cannot request a static public IP address assignment. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

Use the az network public-ip create command to request a dynamic public IP address.

az network public-ip create --name VNet1GWIP --resource-group TestRG1 --allocation-method Dynamic

7. Create the VPN gateway

Create the virtual network VPN gateway. Creating a VPN gateway can take 45 minutes or more to complete.

Use the following values:

  • The --gateway-type for a Site-to-Site configuration is Vpn. The gateway type is always specific to the configuration that you are implementing. For more information, see Gateway types.
  • The --vpn-type can be RouteBased (referred to as a dynamic gateway in some documentation) or PolicyBased (referred to as a static gateway in some documentation). The setting depends on the requirements of the device that you are connecting to. For more information about VPN gateway types, see About VPN Gateway configuration settings.
  • Select the gateway SKU that you want to use. There are configuration limitations for certain SKUs. For more information, see Gateway SKUs.

Create the VPN gateway using the az network vnet-gateway create command. If you run this command with the '--no-wait' parameter, you don't see any feedback or output; the parameter lets the gateway be created in the background. It takes around 45 minutes to create a gateway.

az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWIP --resource-group TestRG1 --vnet TestVNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait 

8. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key for readability; for a real deployment, generate a long random key instead and share it with the device administrator out of band.

  • The public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or the CLI. To find the public IP address of your virtual network gateway, use the az network public-ip list command. For easy reading, the output is formatted to display the list of public IPs in table format.

    az network public-ip list --resource-group TestRG1 --output table
    

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

9. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device. Pay particular attention to the shared key value, which must match the shared key configured on your VPN device.

Create the connection using the az network vpn-connection create command.

az network vpn-connection create --name VNet1toSite2 --resource-group TestRG1 --vnet-gateway1 VNet1GW -l eastus --shared-key abc123 --local-gateway2 Site2

After a short while, the connection is established.
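The shared-key bullet in step 8 and the az network vpn-connection create call above use 'abc123' only so the example is easy to read. As an added example that is not part of the original article, the following script shows one way to generate a strong pre-shared key, keep it out of shell history and scripts, and confirm that the value Azure stored matches the value handed to the on-premises device administrator. It assumes the resource names from the example values table, that the az CLI is installed and signed in when run with the `run` argument, and that az network vpn-connection shared-key show returns a JSON object whose `value` field holds the key (an assumption about the output shape; check it on your CLI version).

```shell
#!/bin/sh
# Added example (not from the Azure article): strong IPsec pre-shared key
# generation and handling for the Site-to-Site connection.
set -eu

# 32 random bytes as 64 hex characters. Hex is printable ASCII with no
# quoting hazards on VPN device CLIs; /dev/urandom, dd and od are present
# in Cloud Shell and on most on-premises hosts.
gen_psk() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Accept only what gen_psk produces: exactly 64 lowercase hex characters.
valid_psk() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Store the key in an owner-only file for handing to the VPN device admin
# out of band. Never echo it to the terminal or paste it into a script.
store_psk() {
  local psk=$1 path=$2
  ( umask 077; printf '%s' "$psk" > "$path" )
  chmod 600 "$path"
}

# Create the connection with the key read from the file, so the value does
# not end up in ~/.bash_history. It is still visible in argv for the
# duration of the az call; the CLI offers no file-based alternative here.
create_connection() {
  local conn=$1 rg=$2 gw=$3 lng=$4 loc=$5 pskfile=$6
  az network vpn-connection create --name "$conn" --resource-group "$rg" \
    --vnet-gateway1 "$gw" --local-gateway2 "$lng" -l "$loc" \
    --shared-key "$(cat "$pskfile")" --output none
}

# Compare the key Azure stored with the file given to the device admin.
# Assumes `shared-key show` returns {"value": "..."}; returns 0 on match.
psk_matches_azure() {
  local conn=$1 rg=$2 pskfile=$3 stored
  stored=$(az network vpn-connection shared-key show --connection-name "$conn" \
             --resource-group "$rg" --query value -o tsv)
  [ "$stored" = "$(cat "$pskfile")" ]
}

# Invoke as `sh psk.sh run` after steps 1 to 7 have completed.
if [ "${1:-}" = "run" ]; then
  PSK_FILE="$HOME/.VNet1toSite2.psk"
  PSK=$(gen_psk)
  valid_psk "$PSK"
  store_psk "$PSK" "$PSK_FILE"
  create_connection VNet1toSite2 TestRG1 VNet1GW Site2 eastus "$PSK_FILE"
  if psk_matches_azure VNet1toSite2 TestRG1 "$PSK_FILE"; then
    echo "shared key in Azure matches $PSK_FILE; give that file to the device admin"
  else
    echo "shared key MISMATCH; re-run the connection with the key in $PSK_FILE" >&2
    exit 1
  fi
fi
```

Deleting the file once the device is configured, and rotating the key by re-running the connection with a fresh value, keeps the secret's lifetime tied to the tunnel rather than to a shell transcript.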

10. Verify the VPN connection

You can verify that your connection succeeded by using the az network vpn-connection show command. In the example, '--name' refers to the name of the connection that you want to test. While the connection is being established, its connection status shows 'Connecting'. Once the connection is established, the status changes to 'Connected'.

az network vpn-connection show --name VNet1toSite2 --resource-group TestRG1

If you want to use another method to verify your connection, see Verify a VPN Gateway connection.
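Step 7 created the gateway with --no-wait and step 10 says to re-check az network vpn-connection show until the status reads 'Connected', so a scripted deployment has to wait on both. The following is an added example, not part of the original article: it polls the gateway's provisioningState and then the connection's connectionStatus with a timeout, so a mismatched pre-shared key or device IP surfaces as a failure instead of an indefinite 'Connecting'. It assumes the az CLI is installed and signed in, and that provisioningState and connectionStatus are top-level fields of the respective show output.

```shell
#!/bin/sh
# Added example (not from the Azure article): wait for the gateway and the
# Site-to-Site connection to come up, with a timeout.
set -eu

# Pull a top-level string field out of az's pretty-printed JSON without jq.
# Usage: json_field '<json text>' connectionStatus
json_field() {
  printf '%s\n' "$1" | sed -n 's/.*"'"$2"'": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Poll until the gateway created with --no-wait reaches Succeeded.
# Returns 1 on Failed, 2 on timeout (default 60 minutes).
wait_for_gateway() {
  local gw=$1 rg=$2 timeout=${3:-3600} waited=0 state
  while :; do
    state=$(json_field "$(az network vnet-gateway show --name "$gw" \
              --resource-group "$rg" -o json)" provisioningState)
    case "$state" in
      Succeeded) return 0 ;;
      Failed) echo "gateway $gw: provisioning failed" >&2; return 1 ;;
    esac
    [ "$waited" -lt "$timeout" ] || {
      echo "gateway $gw: still ${state:-unknown} after ${timeout}s" >&2; return 2; }
    sleep 60; waited=$((waited + 60))
  done
}

# Poll until the connection reports Connected. Still Connecting at the
# timeout (default 10 minutes) usually means the PSK, IKE proposal or
# device IP on one side does not match the other.
wait_for_connection() {
  local conn=$1 rg=$2 timeout=${3:-600} waited=0 status
  while :; do
    status=$(json_field "$(az network vpn-connection show --name "$conn" \
               --resource-group "$rg" -o json)" connectionStatus)
    [ "$status" = "Connected" ] && return 0
    [ "$waited" -lt "$timeout" ] || {
      echo "$conn: still ${status:-unknown} after ${timeout}s" >&2; return 1; }
    sleep 15; waited=$((waited + 15))
  done
}

# Invoke as `sh wait.sh run` after the connection has been created.
if [ "${1:-}" = "run" ]; then
  wait_for_gateway VNet1GW TestRG1
  wait_for_connection VNet1toSite2 TestRG1
  echo "VNet1toSite2 is Connected"
fi
```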

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to the VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address rather than the computer name. That way, you are testing whether you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # List every NIC that is attached to a VM, then print the owning VM's
      # name with the NIC's private IP address and allocation method.
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null

      foreach($Nic in $Nics)
      {
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection with the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address of the VM.
  • If you can connect to the VM using the private IP address but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

Common tasks

This section contains common commands that are helpful when working with Site-to-Site configurations. For the full list of CLI networking commands, see Azure CLI - Networking.

To view local network gateways

To view a list of the local network gateways, use the az network local-gateway list command.

az network local-gateway list --resource-group TestRG1

To modify local network gateway IP address prefixes - no gateway connection

If you don't have a gateway connection and you want to add or remove IP address prefixes, use the same command that you used to create the local network gateway, az network local-gateway create. You can also use this command to update the gateway IP address for the VPN device. To overwrite the current settings, use the existing name of your local network gateway. If you use a different name, you create a new local network gateway instead of overwriting the existing one.

Each time you make a change, the entire list of prefixes must be specified, not just the prefixes that you want to change. Specify only the prefixes that you want to keep; in this case, 10.0.0.0/24 and 20.0.0.0/24.

az network local-gateway create --gateway-ip-address 23.99.221.164 --name Site2 -g TestRG1 --local-address-prefixes 10.0.0.0/24 20.0.0.0/24

To modify local network gateway IP address prefixes - existing gateway connection

If you have a gateway connection and want to add or remove IP address prefixes, you can update the prefixes using az network local-gateway update. This results in some downtime for your VPN connection. When modifying the IP address prefixes, you don't need to delete the VPN gateway.

Each time you make a change, the entire list of prefixes must be specified, not just the prefixes that you want to change. In this example, 10.0.0.0/24 and 20.0.0.0/24 are already present. We add the prefixes 30.0.0.0/24 and 40.0.0.0/24 and specify all four prefixes when updating. Note that --name is the name of the local network gateway (Site2 in the example values), not the name of the connection.

az network local-gateway update --local-address-prefixes 10.0.0.0/24 20.0.0.0/24 30.0.0.0/24 40.0.0.0/24 --name Site2 -g TestRG1

To modify the local network gateway 'gatewayIpAddress'

If the VPN device that you want to connect to has changed its public IP address, you need to modify the local network gateway to reflect that change. The gateway IP address can be changed without removing an existing VPN gateway connection (if you have one). To modify the gateway IP address, use the az network local-gateway update command, replacing the values 'Site2' and 'TestRG1' with your own.

az network local-gateway update --gateway-ip-address 23.99.222.170 --name Site2 --resource-group TestRG1

Verify that the IP address is correct in the output:

"gatewayIpAddress": "23.99.222.170",

To verify the shared key values

Verify that the shared key value is the same value that you used for your VPN device configuration. If it is not, either re-create the connection using the value from the device, or update the device with the value returned by Azure. The values must match. To view the shared key, use the az network vpn-connection shared-key show command.

az network vpn-connection shared-key show --connection-name VNet1toSite2 --resource-group TestRG1

To view the VPN gateway public IP address

To find the public IP address of your virtual network gateway, use the az network public-ip list command. For easy reading, the output for this example is formatted to display the list of public IPs in table format.

az network public-ip list --resource-group TestRG1 --output table

Next steps