
Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article. For more information about VPN Gateway settings in general, see About VPN Gateway Settings.

  • Virtual network name: VNet1
  • Address Space: 10.1.0.0/16
  • Subscription: The subscription you want to use
  • Resource Group: TestRG1
  • Region: East US
  • Subnet: FrontEnd: 10.1.0.0/24, BackEnd: 10.1.1.0/24 (optional for this exercise)
  • Gateway subnet address range: 10.1.255.0/27
  • Virtual network gateway name: VNet1GW
  • Public IP address name: VNet1GWIP
  • VPN type: Route-based
  • Connection type: Site-to-site (IPsec)
  • Gateway type: VPN
  • Local network gateway name: Site1
  • Connection name: VNet1toSite1
  • Shared key: For this example, we use abc123. But, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.

1. Create a virtual network

To create a VNet in the Resource Manager deployment model by using the Azure portal, follow the steps below. Use the Example values if you are using these steps as a tutorial. If you are not doing these steps as a tutorial, be sure to replace the values with your own. For more information about working with virtual networks, see the Virtual Network Overview.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.

  1. From the Azure portal menu, select Create a resource.

    Create a resource in the Azure portal

  2. In the Search the marketplace field, type 'virtual network'. Locate Virtual network from the returned list and click to open the Virtual Network page.

  3. Click Create. This opens the Create virtual network page.

  4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters entered in the field are valid. Use the following values:

    • Name: VNet1
    • Address space: 10.1.0.0/16
    • Subscription: Verify that the subscription listed is the one you want to use. You can change subscriptions by using the drop-down.
    • Resource group: TestRG1 (click Create new to create a new group)
    • Location: East US
    • Subnet: Frontend
    • Address range: 10.1.0.0/24

    Create virtual network page

  5. Leave DDoS as Basic, Service endpoints as Disabled, and Firewall as Disabled.

  6. Click Create to create the VNet.

2. Create the VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
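The address rules from the note in step 1 and from the gateway subnet paragraphs above can be checked before anything is created in the portal. The following is an added example, not part of the original article or of any Azure tooling: the function name, the severity labels and the on-premises prefixes are constructed for illustration, while the VNet, subnet and gateway subnet values are the article's example values.

```python
import ipaddress


def check_address_plan(vnet_space, subnets, gateway_subnet, onprem_prefixes):
    """Check a Site-to-Site address plan; return a list of (severity, message)."""
    # ip_network() is strict: it raises ValueError for input such as
    # 10.1.0.1/24, where host bits are set, so typos fail early.
    vnet = [ipaddress.ip_network(p) for p in vnet_space]
    named = {name: ipaddress.ip_network(p) for name, p in subnets.items()}
    gw = ipaddress.ip_network(gateway_subnet)
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    findings = []

    # The gateway subnet must be carved out of the VNet address space.
    if not any(gw.version == v.version and gw.subnet_of(v) for v in vnet):
        findings.append(
            ("error", f"gateway subnet {gw} is outside the VNet address space"))

    # It must not collide with a subnet that already exists in the VNet.
    for name, net in named.items():
        if gw.overlaps(net):
            findings.append(
                ("error", f"gateway subnet {gw} overlaps subnet {name} ({net})"))

    # Size guidance from the article: /27 or larger if possible,
    # nothing smaller than /28.
    if gw.prefixlen > 28:
        findings.append(("warning", f"gateway subnet {gw} is smaller than /28"))
    elif gw.prefixlen == 28:
        findings.append(
            ("info", f"gateway subnet {gw} is a /28; prefer /27 or larger"))

    # On-premises prefixes must not duplicate any range used by the VNet,
    # otherwise traffic does not route as expected.
    for prefix in onprem:
        for v in vnet:
            if prefix.overlaps(v):
                findings.append(
                    ("error", f"on-premises prefix {prefix} overlaps VNet range {v}"))
    return findings


# Example values from this article; the on-premises prefix is constructed.
ARTICLE_PLAN = dict(
    vnet_space=["10.1.0.0/16"],
    subnets={"FrontEnd": "10.1.0.0/24", "BackEnd": "10.1.1.0/24"},
    gateway_subnet="10.1.255.0/27",
    onprem_prefixes=["10.101.0.0/24"],
)

# Constructed failing plan: the default subnet takes the whole address range,
# the gateway subnet is too small, and the on-premises side reuses a VNet range.
BROKEN_PLAN = dict(
    vnet_space=["10.1.0.0/16"],
    subnets={"default": "10.1.0.0/16"},
    gateway_subnet="10.1.255.0/29",
    onprem_prefixes=["10.1.2.0/24"],
)

if __name__ == "__main__":
    for label, plan in (("article", ARTICLE_PLAN), ("broken", BROKEN_PLAN)):
        results = check_address_plan(**plan)
        print(label, "plan:", "no findings" if not results else "")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```
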

Example settings

  • Instance details > Region: East US
  • Virtual Network > Virtual network: VNet1
  • Instance details > Name: VNet1GW
  • Instance details > Gateway type: VPN
  • Instance details > VPN type: Route-based
  • Virtual Network > Gateway subnet address range: 10.1.255.0/27
  • Public IP address > Public IP address name: VNet1GWIP

  1. From the Azure portal menu, select Create a resource.

    Create a resource in the Azure portal

  2. In the Search the marketplace field, type 'Virtual Network Gateway'. Locate Virtual network gateway in the search return and click the entry. On the Virtual network gateway page, click Create. This opens the Create virtual network gateway page.

    Create virtual network gateway page fields

  3. On the Create virtual network gateway page, fill in the values for your virtual network gateway.

    Project details

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.

    Instance details

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.

    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.

    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.

    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.

    Virtual network: Choose the virtual network to which you want to add this gateway.

    Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25 etc.). We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Click Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.

    Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.

  4. Click Review + Create to run validation. Once validation passes, click Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

3. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Example values

  • Name: Site1
  • Resource Group: TestRG1
  • Location: East US

  1. From the Azure portal menu, select Create a resource.

    Create a resource in the Azure portal

  2. In the Search the marketplace field, type Local network gateway, then press Enter to search. This will return a list of results. Click Local network gateway, then click the Create button to open the Create local network gateway page.

    Create the local network gateway

  3. On the Create local network gateway page, specify the values for your local network gateway.

    • Name: Specify a name for your local network gateway object.
    • IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify a valid public IP address. If you don't have the IP address right now, you can use the values shown in the example, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
    • Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.
    • Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: The location is the same as Region in other settings. Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  4. When you have finished specifying the values, click the Create button at the bottom of the page to create the local network gateway.

4. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.
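One way to produce the more complex shared key recommended above is to draw it from a cryptographically secure random source and size it for a target strength. This is an added example, not part of the original article: the alphabet (ASCII letters and digits) and the 128-bit target are assumptions, so adjust them to whatever your VPN hardware accepts, and the helper names are hypothetical.

```python
import hashlib
import math
import secrets
import string

# Assumption: the on-premises VPN device accepts ASCII letters and digits in a
# pre-shared key. Check the device documentation before widening this set.
DEVICE_ALPHABET = string.ascii_letters + string.digits


def min_length(target_bits, alphabet=DEVICE_ALPHABET):
    """Shortest key length that reaches target_bits when every character is
    drawn uniformly at random from alphabet."""
    bits_per_char = math.log2(len(set(alphabet)))
    return math.ceil(target_bits / bits_per_char)


def generate_psk(target_bits=128, alphabet=DEVICE_ALPHABET):
    """Generate a random pre-shared key using the operating system CSPRNG."""
    chars = sorted(set(alphabet))
    if len(chars) < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    return "".join(secrets.choice(chars) for _ in range(min_length(target_bits, chars)))


def keyspace_bits(key):
    """Upper bound on the strength of an existing key: length times log2 of the
    combined size of the character classes it uses. Human-chosen keys are
    weaker than this bound."""
    pool = 0
    for char_class in (string.ascii_lowercase, string.ascii_uppercase,
                       string.digits, string.punctuation):
        if any(c in char_class for c in key):
            pool += len(char_class)
    return len(key) * math.log2(pool) if pool else 0.0


def fingerprint(key):
    """Short SHA-256 prefix that the two administrators can compare to confirm
    both sides hold the same value (for example, no trailing space was pasted)
    without reading the key aloud. Only share it for randomly generated keys:
    the hash of a guessable key lets anyone who sees it test guesses offline."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:8]


if __name__ == "__main__":
    print(f"article example 'abc123': at most {keyspace_bits('abc123'):.0f} bits")
    key = generate_psk()
    print(f"generated key: {len(key)} characters, fingerprint {fingerprint(key)}")
```

Enter the generated value as the shared key on the VPN device and again when creating the connection in step 5; the two values must be identical.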

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

5. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  1. Open the page for your virtual network gateway. There are multiple ways to navigate. You can navigate to the gateway by going to Name of your VNet -> Overview -> Connected devices -> Name of your gateway.

  2. On the page for the gateway, click Connections. At the top of the Connections page, click +Add to open the Add connection page.

    Create a Site-to-Site connection

  3. On the Add connection page, configure the values for your connection.

    • Name: Name your connection.
    • Connection type: Select Site-to-site (IPSec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.
    • Shared Key: The value here must match the value that you are using for your local on-premises VPN device. The example uses 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specify when configuring your VPN device.
    • The remaining values for Subscription, Resource Group, and Location are fixed.
  4. Click OK to create your connection. You'll see Creating Connection flash on the screen.

  5. You can view the connection in the Connections page of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.

6. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify a VPN gateway connection by using the Azure portal

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # Collect all VMs, and the network interfaces that are attached to a VM.
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null

      foreach($Nic in $Nics)
      {
        # Match the interface to its VM, then read the private IP address
        # and how it was allocated (Static or Dynamic).
        $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
        $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
        $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
        Write-Output "$($VM.Name): $Prv,$Alloc"
      }

  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.

How to add an additional connection to a VPN gateway

You can add additional connections, provided that none of the address spaces overlap between connections.

  1. To add an additional connection, navigate to the VPN gateway, then click Connections to open the Connections page.
  2. Click +Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another VNet gateway), or Site-to-site.
  3. If you are connecting using Site-to-site and you have not already created a local network gateway for the site you want to connect to, you can create a new one.
  4. Specify the shared key that you want to use, then click OK to create the connection.

Next steps