
Configure a VNet-to-VNet VPN gateway connection using PowerShell

This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks can be in the same or different regions, and in the same or different subscriptions. When connecting VNets from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.

The steps in this article apply to the Resource Manager deployment model and use PowerShell. You can also create this configuration using a different deployment tool or deployment model; this article covers only the PowerShell steps.

About connecting VNets

There are multiple ways to connect VNets. The sections below describe the different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a simple way to connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. The difference between the connection types is the way the local network gateway is configured. When you create a VNet-to-VNet connection, you do not see the local network gateway address space; it is created and populated automatically. If you update the address space for one VNet, the other VNet automatically learns to route to the updated address space. Creating a VNet-to-VNet connection is typically faster and easier than creating a Site-to-Site connection between VNets.

Site-to-Site (IPsec)

If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps instead of the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic. If the address space for a VNet changes, you need to update the corresponding local network gateway to reflect the change; it does not update automatically.

VNet peering

You may want to consider connecting your VNets using VNet peering. VNet peering does not use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For more information, see VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks using a VNet-to-VNet connection for the following reasons:

  • Cross-region geo-redundancy and geo-presence

    • You can set up your own geo-replication or synchronization with secure connectivity without going over Internet-facing endpoints.
    • With Azure Traffic Manager and Load Balancer, you can set up highly available workloads with geo-redundancy across multiple Azure regions. One important example is to set up SQL Always On with Availability Groups spread across multiple Azure regions.
  • Regional multi-tier applications with isolation or administrative boundaries

    • Within the same region, you can set up multi-tier applications with multiple virtual networks connected together because of isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual-network connectivity.

Which VNet-to-VNet steps should I use?

In this article, you see two different sets of steps: one set for VNets that reside in the same subscription and one for VNets that reside in different subscriptions. The key difference between the sets is that you must use separate PowerShell sessions when configuring the connections for VNets that reside in different subscriptions.

For this exercise, you can combine configurations, or just choose the one that you want to work with. All of the configurations use the VNet-to-VNet connection type. Network traffic flows only between VNets that are directly connected to each other; the connections in this exercise do not use BGP, so there is no transit routing. In this exercise, traffic from TestVNet4 does not route to TestVNet5 through TestVNet1.

How to connect VNets that are in the same subscription

Before you begin

Before beginning, you need to install the latest version of the Azure Resource Manager PowerShell cmdlets (4.0 or later). For more information about installing the PowerShell cmdlets, see How to install and configure Azure PowerShell. Note that the AzureRM module used throughout this article has since been retired in favor of the Az module; the Az module provides the same cmdlets with an Az prefix (for example, Connect-AzAccount in place of Connect-AzureRmAccount), and Enable-AzureRmAlias lets scripts written against the AzureRm names run unchanged.

Step 1 - Plan your IP address ranges

In the following steps, you create two virtual networks along with their respective gateway subnets and configurations. You then create a VPN connection between the two VNets. It's important to plan the IP address ranges for your network configuration. Keep in mind that you must make sure that none of your VNet ranges or local network ranges overlap in any way. In these examples, we do not include a DNS server. If you want name resolution for your virtual networks, see Name resolution.

We use the following values in the examples:

Values for TestVNet1:

  • VNet Name: TestVNet1
  • Resource Group: TestRG1
  • Location: East US
  • TestVNet1: 10.11.0.0/16 and 10.12.0.0/16
  • FrontEnd: 10.11.0.0/24
  • BackEnd: 10.12.0.0/24
  • GatewaySubnet: 10.12.255.0/27
  • GatewayName: VNet1GW
  • Public IP: VNet1GWIP
  • VPNType: RouteBased
  • Connection(1to4): VNet1toVNet4
  • Connection(1to5): VNet1toVNet5 (for VNets in different subscriptions)
  • ConnectionType: VNet2VNet

Values for TestVNet4:

  • VNet Name: TestVNet4
  • TestVNet4: 10.41.0.0/16 and 10.42.0.0/16
  • FrontEnd: 10.41.0.0/24
  • BackEnd: 10.42.0.0/24
  • GatewaySubnet: 10.42.255.0/27
  • Resource Group: TestRG4
  • Location: West US
  • GatewayName: VNet4GW
  • Public IP: VNet4GWIP
  • VPNType: RouteBased
  • Connection: VNet4toVNet1
  • ConnectionType: VNet2VNet
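
Step 1 says the VNet ranges and local network ranges must not overlap, but does not show how to check that before anything is created. The following PowerShell is an added example, not part of the original article: it converts each planned prefix to an integer range and reports every overlapping pair. It compares only VNet-level address spaces and local network ranges (subnets inside a VNet are part of that VNet's space by design); the 'OnPrem' entry is a constructed local network range added to show what a collision looks like.

```powershell
# Added example (not from the original article): check an address plan for overlaps
# before any VNet or local network gateway is created. The VNet prefixes are the ones
# listed above; 'OnPrem' is a constructed range that deliberately collides with TestVNet1.

function ConvertTo-PrefixRange {
    # Turn 'a.b.c.d/n' into its first and last address as 64-bit integers.
    param([Parameter(Mandatory)][string]$Cidr)
    if (-not ($Cidr -match '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$')) { throw "Not an IPv4 CIDR: '$Cidr'" }
    $len = [int]$matches[3]
    if ($len -gt 32) { throw "Prefix length out of range in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($matches[1]).GetAddressBytes()
    [Array]::Reverse($bytes)                                   # network order -> little-endian for ToUInt32
    $addr  = [long][BitConverter]::ToUInt32($bytes, 0)
    $mask  = (([long]0xFFFFFFFF) -shl (32 - $len)) -band [long]0xFFFFFFFF
    $start = $addr -band $mask
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + ([long]0xFFFFFFFF -bxor $mask) }
}

function Test-PrefixOverlap {
    # Emits one object per overlapping pair; no output means the plan is clean.
    param([Parameter(Mandatory)][hashtable]$Plan)             # label -> CIDR
    $ranges = @(foreach ($label in $Plan.Keys) {
        $r = ConvertTo-PrefixRange -Cidr $Plan[$label]
        $r | Add-Member -NotePropertyName Label -NotePropertyValue $label -PassThru
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two ranges overlap when each one starts at or before the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ First = "$($a.Label) $($a.Cidr)"; Second = "$($b.Label) $($b.Cidr)" }
            }
        }
    }
}

$plan = @{
    'TestVNet1-1' = '10.11.0.0/16'; 'TestVNet1-2' = '10.12.0.0/16'
    'TestVNet4-1' = '10.41.0.0/16'; 'TestVNet4-2' = '10.42.0.0/16'
    'TestVNet5-1' = '10.51.0.0/16'; 'TestVNet5-2' = '10.52.0.0/16'
    'OnPrem'      = '10.12.200.0/24'   # constructed: a local network range inside TestVNet1's second prefix
}
$clashes = @(Test-PrefixOverlap -Plan $plan)
if ($clashes.Count -gt 0) {
    $clashes | Format-Table -AutoSize
    throw 'Address plan has overlapping ranges; fix it before creating the VNets'
}
```

With the constructed 'OnPrem' entry in place the check reports the TestVNet1-2 / OnPrem pair and stops; remove that entry and the three VNets' prefixes pass. Run the same check again whenever a VNet address space or a local network gateway range is changed, because an overlap introduced later is just as fatal to routing as one present at creation time.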

Step 2 - Create and configure TestVNet1

  1. Declare your variables. This example declares the variables using the values for this exercise. In most cases, you should replace the values with your own. However, you can use these variables if you are running through the steps to become familiar with this type of configuration. Modify the variables if needed, then copy and paste them into your PowerShell console.

    $Sub1 = "Replace_With_Your_Subscription_Name"
    $RG1 = "TestRG1"
    $Location1 = "East US"
    $VNetName1 = "TestVNet1"
    $FESubName1 = "FrontEnd"
    $BESubName1 = "Backend"
    $GWSubName1 = "GatewaySubnet"
    $VNetPrefix11 = "10.11.0.0/16"
    $VNetPrefix12 = "10.12.0.0/16"
    $FESubPrefix1 = "10.11.0.0/24"
    $BESubPrefix1 = "10.12.0.0/24"
    $GWSubPrefix1 = "10.12.255.0/27"
    $GWName1 = "VNet1GW"
    $GWIPName1 = "VNet1GWIP"
    $GWIPconfName1 = "gwipconf1"
    $Connection14 = "VNet1toVNet4"
    $Connection15 = "VNet1toVNet5"
    
  2. Connect to your account. Use the following example to help you connect:

    Connect-AzureRmAccount
    

    Check the subscriptions for the account.

    Get-AzureRmSubscription
    

    Specify the subscription that you want to use.

    Select-AzureRmSubscription -SubscriptionName $Sub1
    
  3. Create a new resource group.

    New-AzureRmResourceGroup -Name $RG1 -Location $Location1
    
  4. Create the subnet configurations for TestVNet1. This example creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.

    The following example uses the variables that you set earlier. In this example, the gateway subnet uses a /27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at least /28 or /27. This allows enough addresses to accommodate possible additional configurations that you may want in the future.

    $fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
    $besub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
    $gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
    
  5. Create TestVNet1.

    New-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 `
    -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
    
  6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the AllocationMethod is Dynamic. You cannot specify the IP address that you want to use; it is dynamically allocated to your gateway.

    $gwpip1 = New-AzureRmPublicIpAddress -Name $GWIPName1 -ResourceGroupName $RG1 `
    -Location $Location1 -AllocationMethod Dynamic
    
  7. Create the gateway configuration. The gateway configuration defines the subnet and the public IP address to use. Use the example to create your gateway configuration.

    $vnet1 = Get-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
    $subnet1 = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
    $gwipconf1 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName1 `
    -Subnet $subnet1 -PublicIpAddress $gwpip1
    
  8. Create the gateway for TestVNet1. In this step, you create the virtual network gateway for TestVNet1. VNet-to-VNet configurations require a RouteBased VpnType. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

    New-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `
    -Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1
    

Step 3 - Create and configure TestVNet4

Once you've configured TestVNet1, create TestVNet4. Follow the steps below, replacing the values with your own when needed. This step can be done within the same PowerShell session because it is in the same subscription.

  1. Declare your variables. Be sure to replace the values with the ones that you want to use for your configuration.

    $RG4 = "TestRG4"
    $Location4 = "West US"
    $VnetName4 = "TestVNet4"
    $FESubName4 = "FrontEnd"
    $BESubName4 = "Backend"
    $GWSubName4 = "GatewaySubnet"
    $VnetPrefix41 = "10.41.0.0/16"
    $VnetPrefix42 = "10.42.0.0/16"
    $FESubPrefix4 = "10.41.0.0/24"
    $BESubPrefix4 = "10.42.0.0/24"
    $GWSubPrefix4 = "10.42.255.0/27"
    $GWName4 = "VNet4GW"
    $GWIPName4 = "VNet4GWIP"
    $GWIPconfName4 = "gwipconf4"
    $Connection41 = "VNet4toVNet1"
    
  2. Create a new resource group.

    New-AzureRmResourceGroup -Name $RG4 -Location $Location4
    
  3. Create the subnet configurations for TestVNet4.

    $fesub4 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName4 -AddressPrefix $FESubPrefix4
    $besub4 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName4 -AddressPrefix $BESubPrefix4
    $gwsub4 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName4 -AddressPrefix $GWSubPrefix4
    
  4. Create TestVNet4.

    New-AzureRmVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4 `
    -Location $Location4 -AddressPrefix $VnetPrefix41,$VnetPrefix42 -Subnet $fesub4,$besub4,$gwsub4
    
  5. Request a public IP address.

    $gwpip4 = New-AzureRmPublicIpAddress -Name $GWIPName4 -ResourceGroupName $RG4 `
    -Location $Location4 -AllocationMethod Dynamic
    
  6. Create the gateway configuration.

    $vnet4 = Get-AzureRmVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4
    $subnet4 = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet4
    $gwipconf4 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName4 -Subnet $subnet4 -PublicIpAddress $gwpip4
    
  7. Create the TestVNet4 gateway. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

    New-AzureRmVirtualNetworkGateway -Name $GWName4 -ResourceGroupName $RG4 `
    -Location $Location4 -IpConfigurations $gwipconf4 -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1
    

Step 4 - Create the connections

  1. Get both virtual network gateways. If both of the gateways are in the same subscription, as they are in the example, you can complete this step in the same PowerShell session.

    $vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
    $vnet4gw = Get-AzureRmVirtualNetworkGateway -Name $GWName4 -ResourceGroupName $RG4
    
  2. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to TestVNet4. You'll see a shared key referenced in the examples. You can use your own value for the shared key; the important thing is that the shared key must match for both connections. The example key 'AzureA1b2C3' is a placeholder for readability only: use a long, randomly generated key for any connection that will carry real traffic, because the pre-shared key is what authenticates the IKE exchange between the two gateways. Creating a connection can take a short while to complete.

    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection14 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet4gw -Location $Location1 `
    -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
    
  3. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. The connection will be established after a few minutes.

    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection41 -ResourceGroupName $RG4 `
    -VirtualNetworkGateway1 $vnet4gw -VirtualNetworkGateway2 $vnet1gw -Location $Location4 `
    -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
    
  4. Verify your connection. See the section How to verify a connection.
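
The commands in steps 2 and 3 above use a fixed example key. The following PowerShell is an added example, not part of the original article: it generates a random pre-shared key from the OS CSPRNG, applies it to both directions of the connection, and reads the stored key back from each side to confirm they agree. It assumes the variables and gateway objects from Steps 1 to 4 ($Connection14, $Connection41, $RG1, $RG4, $Location1, $Location4, $vnet1gw, $vnet4gw) are set in the current session.

```powershell
# Added example (not from the original article): generate a random pre-shared key and
# apply it to both directions of the VNet1 <-> VNet4 connection. Assumes the variables
# and gateway objects declared in Steps 1-4 ($Connection14, $Connection41, $RG1, $RG4,
# $Location1, $Location4, $vnet1gw, $vnet4gw) are set in the current session.

function New-VpnSharedKey {
    # Random alphanumeric string from the OS CSPRNG. 32 symbols from a 62-symbol
    # alphabet is about 190 bits of entropy; alphanumeric only so the key pastes
    # cleanly into scripts and on-premises device configurations.
    param([int]$Length = 32)
    $alphabet = [char[]]((65..90) + (97..122) + (48..57))    # A-Z, a-z, 0-9
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 248 = 4 * 62: rejecting bytes 248..255 keeps every symbol equally likely
        # instead of skewing the distribution with a plain modulo.
        if ($buf[0] -lt 248) { [void]$sb.Append($alphabet[$buf[0] % 62]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

$sharedKey = New-VpnSharedKey

# Both connection resources must carry the same key; a mismatch leaves the tunnel
# stuck in 'NotConnected' with no other visible error.
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection14 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet4gw -Location $Location1 `
    -ConnectionType Vnet2Vnet -SharedKey $sharedKey

New-AzureRmVirtualNetworkGatewayConnection -Name $Connection41 -ResourceGroupName $RG4 `
    -VirtualNetworkGateway1 $vnet4gw -VirtualNetworkGateway2 $vnet1gw -Location $Location4 `
    -ConnectionType Vnet2Vnet -SharedKey $sharedKey

# Read the stored key back from each side and confirm they agree.
$k14 = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name $Connection14 -ResourceGroupName $RG1
$k41 = Get-AzureRmVirtualNetworkGatewayConnectionSharedKey -Name $Connection41 -ResourceGroupName $RG4
if ($k14 -ne $k41) { throw "Shared keys differ between $Connection14 and $Connection41" }
```

In the different-subscription scenario later in this article the key has to reach the other administrator; send it over a different channel from the one that carries the gateway names and IDs, which are not secret. Anyone with permission to read the shared key on the connection resource can retrieve it with the same Get cmdlet used above, so scope role assignments on the connection resources accordingly.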

How to connect VNets that are in different subscriptions

In this scenario, you connect TestVNet1 and TestVNet5. TestVNet1 and TestVNet5 reside in different subscriptions. The subscriptions do not need to be associated with the same Active Directory tenant. The difference between these steps and the previous set is that some of the configuration steps need to be performed in a separate PowerShell session in the context of the second subscription, especially when the two subscriptions belong to different organizations.

Step 5 - Create and configure TestVNet1

You must complete Step 1 and Step 2 from the previous section to create and configure TestVNet1 and the VPN gateway for TestVNet1. For this configuration, you are not required to create TestVNet4 from the previous section, although if you do create it, it will not conflict with these steps. Once you complete Step 1 and Step 2, continue with Step 6 to create TestVNet5.

Step 6 - Verify the IP address ranges

It is important to make sure that the IP address space of the new virtual network, TestVNet5, does not overlap with any of your VNet ranges or local network gateway ranges. In this example, the virtual networks may belong to different organizations. For this exercise, you can use the following values for TestVNet5:

Values for TestVNet5:

  • VNet Name: TestVNet5
  • Resource Group: TestRG5
  • Location: Japan East
  • TestVNet5: 10.51.0.0/16 and 10.52.0.0/16
  • FrontEnd: 10.51.0.0/24
  • BackEnd: 10.52.0.0/24
  • GatewaySubnet: 10.52.255.0/27
  • GatewayName: VNet5GW
  • Public IP: VNet5GWIP
  • VPNType: RouteBased
  • Connection: VNet5toVNet1
  • ConnectionType: VNet2VNet

Step 7 - Create and configure TestVNet5

This step must be done in the context of the new subscription. This part may be performed by the administrator in a different organization that owns the subscription.

  1. Declare your variables. Be sure to replace the values with the ones that you want to use for your configuration.

    $Sub5 = "Replace_With_the_New_Subscription_Name"
    $RG5 = "TestRG5"
    $Location5 = "Japan East"
    $VnetName5 = "TestVNet5"
    $FESubName5 = "FrontEnd"
    $BESubName5 = "Backend"
    $GWSubName5 = "GatewaySubnet"
    $VnetPrefix51 = "10.51.0.0/16"
    $VnetPrefix52 = "10.52.0.0/16"
    $FESubPrefix5 = "10.51.0.0/24"
    $BESubPrefix5 = "10.52.0.0/24"
    $GWSubPrefix5 = "10.52.255.0/27"
    $GWName5 = "VNet5GW"
    $GWIPName5 = "VNet5GWIP"
    $GWIPconfName5 = "gwipconf5"
    $Connection51 = "VNet5toVNet1"
    
  2. Connect to subscription 5. Open your PowerShell console and connect to your account. Use the following sample to help you connect:

    Connect-AzureRmAccount
    

    Check the subscriptions for the account.

    Get-AzureRmSubscription
    

    Specify the subscription that you want to use.

    Select-AzureRmSubscription -SubscriptionName $Sub5
    
  3. Create a new resource group.

    New-AzureRmResourceGroup -Name $RG5 -Location $Location5
    
  4. Create the subnet configurations for TestVNet5.

    $fesub5 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName5 -AddressPrefix $FESubPrefix5
    $besub5 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName5 -AddressPrefix $BESubPrefix5
    $gwsub5 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName5 -AddressPrefix $GWSubPrefix5
    
  5. Create TestVNet5.

    New-AzureRmVirtualNetwork -Name $VnetName5 -ResourceGroupName $RG5 -Location $Location5 `
    -AddressPrefix $VnetPrefix51,$VnetPrefix52 -Subnet $fesub5,$besub5,$gwsub5
    
  6. Request a public IP address.

    $gwpip5 = New-AzureRmPublicIpAddress -Name $GWIPName5 -ResourceGroupName $RG5 `
    -Location $Location5 -AllocationMethod Dynamic
    
  7. Create the gateway configuration.

    $vnet5 = Get-AzureRmVirtualNetwork -Name $VnetName5 -ResourceGroupName $RG5
    $subnet5  = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet5
    $gwipconf5 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName5 -Subnet $subnet5 -PublicIpAddress $gwpip5
    
  8. Create the TestVNet5 gateway.

    New-AzureRmVirtualNetworkGateway -Name $GWName5 -ResourceGroupName $RG5 -Location $Location5 `
    -IpConfigurations $gwipconf5 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
    

Step 8 - Create the connections

In this example, because the gateways are in different subscriptions, we've split this step into two PowerShell sessions, marked as [Subscription 1] and [Subscription 5].

  1. [Subscription 1] Get the virtual network gateway for Subscription 1. Log in and connect to Subscription 1 before running the following example:

    $vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
    

    Copy the output of the following elements and send these to the administrator of Subscription 5 via email or another method. The gateway name and resource ID are not secrets; the shared key you choose in step 3 is, and should not travel over the same channel.

    $vnet1gw.Name
    $vnet1gw.Id
    

    These two elements will have values similar to the following example output:

    PS D:\> $vnet1gw.Name
    VNet1GW
    PS D:\> $vnet1gw.Id
    /subscriptions/b636ca99-6f88-4df4-a7c3-2f8dc4545509/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
    
  2. [Subscription 5] Get the virtual network gateway for Subscription 5. Log in and connect to Subscription 5 before running the following example:

    $vnet5gw = Get-AzureRmVirtualNetworkGateway -Name $GWName5 -ResourceGroupName $RG5
    

    Copy the output of the following elements and send these to the administrator of Subscription 1 via email or another method.

    $vnet5gw.Name
    $vnet5gw.Id
    

    These two elements will have values similar to the following example output:

    PS C:\> $vnet5gw.Name
    VNet5GW
    PS C:\> $vnet5gw.Id
    /subscriptions/66c8e4f1-ecd6-47ed-9de7-7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW
    
  3. [Subscription 1] Create the TestVNet1 to TestVNet5 connection. In this step, you create the connection from TestVNet1 to TestVNet5. The difference here is that $vnet5gw cannot be obtained directly, because it is in a different subscription. You need to create a new PowerShell object with the values communicated from Subscription 5 in the steps above. Use the example below. Replace the Name, Id, and shared key with your own values. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.

    Connect to Subscription 1 before running the following example:

    $vnet5gw = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
    $vnet5gw.Name = "VNet5GW"
    $vnet5gw.Id   = "/subscriptions/66c8e4f1-ecd6-47ed-9de7-7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW"
    $Connection15 = "VNet1toVNet5"
    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet5gw -Location $Location1 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
    
  4. [Subscription 5] Create the TestVNet5 to TestVNet1 connection. This step is similar to the one above, except you are creating the connection from TestVNet5 to TestVNet1. The same process of creating a PowerShell object based on the values obtained from Subscription 1 applies here as well. In this step, be sure that the shared keys match.

    Connect to Subscription 5 before running the following example:

    $vnet1gw = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
    $vnet1gw.Name = "VNet1GW"
    $vnet1gw.Id = "/subscriptions/b636ca99-6f88-4df4-a7c3-2f8dc4545509/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
    $Connection51 = "VNet5toVNet1"
    New-AzureRmVirtualNetworkGatewayConnection -Name $Connection51 -ResourceGroupName $RG5 -VirtualNetworkGateway1 $vnet5gw -VirtualNetworkGateway2 $vnet1gw -Location $Location5 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
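
The gateway Name and Id in steps 3 and 4 arrive by email and are pasted into a script by hand, and a stray character (a trailing space inside the quoted Id is a common one) makes the connection creation fail with an unhelpful error. The following PowerShell is an added example, not part of the original article: it validates the received values, checks that the Id belongs to the subscription and resource group the two administrators agreed on out of band, and only then builds the PSVirtualNetworkGateway stub used in step 3. The expected subscription ID, expected resource group, and the $sharedKey value are assumptions you supply; the pasted Id below deliberately carries a trailing space to show it being handled.

```powershell
# Added example (not from the original article): build the remote-gateway stub from
# values received out of band, rejecting anything that does not match what the two
# administrators agreed on. Run in the Subscription 1 session after step 1 above.

function New-RemoteGatewayRef {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Id,
        [Parameter(Mandatory)][string]$ExpectedSubscriptionId,   # assumed: agreed with the peer administrator
        [Parameter(Mandatory)][string]$ExpectedResourceGroup     # assumed: agreed with the peer administrator
    )
    # Trim first: a pasted ID with leading or trailing whitespace fails silently later.
    $Name = $Name.Trim(); $Id = $Id.Trim()

    $pattern = '^/subscriptions/(?<sub>[0-9a-fA-F-]{36})/resourceGroups/(?<rg>[^/]+)' +
               '/providers/Microsoft\.Network/virtualNetworkGateways/(?<gw>[^/]+)$'
    if (-not ($Id -match $pattern)) { throw "Not a virtual network gateway resource ID: '$Id'" }
    [void][guid]::Parse($matches.sub)   # throws if the subscription segment is not a GUID

    if ($matches.sub -ne $ExpectedSubscriptionId) {
        throw "ID belongs to subscription $($matches.sub), expected $ExpectedSubscriptionId"
    }
    if ($matches.rg -ne $ExpectedResourceGroup) {
        throw "ID is in resource group '$($matches.rg)', expected '$ExpectedResourceGroup'"
    }
    if ($matches.gw -ne $Name) {
        throw "Gateway name '$Name' does not match the name inside the ID ('$($matches.gw)')"
    }

    $gw = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
    $gw.Name = $Name
    $gw.Id   = $Id
    return $gw
}

# Values as they arrived from the Subscription 5 administrator; note the trailing space
# that the Trim() above removes.
$vnet5gw = New-RemoteGatewayRef -Name 'VNet5GW' `
    -Id '/subscriptions/66c8e4f1-ecd6-47ed-9de7-7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW ' `
    -ExpectedSubscriptionId '66c8e4f1-ecd6-47ed-9de7-7e530de23994' -ExpectedResourceGroup 'TestRG5'

$sharedKey = 'Replace_With_The_Key_Agreed_With_Subscription_5'   # assumed: received over a separate channel
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet5gw -Location $Location1 `
    -ConnectionType Vnet2Vnet -SharedKey $sharedKey
```

The Subscription 5 administrator runs the same function in the other direction with the VNet1GW values and 'b636ca99-6f88-4df4-a7c3-2f8dc4545509' / 'TestRG1' as the expected subscription and resource group. Checking the subscription segment against a value agreed beforehand is the part that matters: it prevents a connection from being pointed at a gateway in a subscription nobody intended to peer with, whether by a typo or by a tampered message.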
    

How to verify a connection

Important

When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating a network security group with this subnet may cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?

You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test (VNet1toVNet4 from Step 4 above).

    Get-AzureRmVirtualNetworkGatewayConnection -Name VNet1toVNet4 -ResourceGroupName TestRG1
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
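
A VNet-to-VNet connection is two resources, one per side, and each has to reach 'Connected' on its own. The following PowerShell is an added example, not part of the original article: it polls a connection until it reports 'Connected' or a timeout expires, returns a summary with the byte counters, and then checks both halves of the same-subscription connection from Step 4. It assumes an AzureRM session signed in to the subscription that owns the connection resources; the connection and resource group names are the ones used in this article.

```powershell
# Added example (not from the original article): poll a connection until it reports
# 'Connected' and return a summary including the byte counters. Assumes an AzureRM
# session signed in to the subscription that owns the connection resource.

function Wait-VNetConnection {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [int]$TimeoutMinutes = 10,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $c = Get-AzureRmVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        if ($c.ConnectionStatus -eq 'Connected') { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    [pscustomobject]@{
        Name         = $c.Name
        Status       = $c.ConnectionStatus           # Connected, Connecting, NotConnected or Unknown
        IngressBytes = $c.IngressBytesTransferred
        EgressBytes  = $c.EgressBytesTransferred
        PeerGateway  = $c.VirtualNetworkGateway2.Id  # which gateway this half of the tunnel points at
    }
}

# Check both halves of the same-subscription connection from Step 4.
$results = @(
    Wait-VNetConnection -Name 'VNet1toVNet4' -ResourceGroupName 'TestRG1'
    Wait-VNetConnection -Name 'VNet4toVNet1' -ResourceGroupName 'TestRG4'
)
$results | Format-Table -AutoSize

$down = @($results | Where-Object { $_.Status -ne 'Connected' })
if ($down.Count -gt 0) { throw "Not connected: $($down.Name -join ', ')" }

# 'Connected' with zero bytes in both directions means the tunnel is up but nothing has
# used it yet: send traffic between VMs in the two VNets and run the check again. Bytes
# moving in only one direction usually points at an NSG or route on the VM subnets
# rather than at the VPN connection itself.
```

For the different-subscription connection, run the function once in each subscription's session (VNet1toVNet5 in TestRG1 from Subscription 1, VNet5toVNet1 in TestRG5 from Subscription 5), since Get-AzureRmVirtualNetworkGatewayConnection can only read resources in the current subscription context.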
    

VNet-to-VNet FAQ

The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet peering, see Virtual Network Peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free in both directions when using a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged at the outbound inter-VNet data transfer rates based on the source region. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using VNet peering rather than VPN Gateway, see the Virtual Network pricing page.

Does VNet-to-VNet traffic travel across the Internet?

No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across AAD tenants?

Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it is protected by IPsec/IKE encryption. The tunnel is authenticated by the shared key configured on both connections, so that key should be long, random, and shared only with the administrator of the other side.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between public Azure and the China, Germany, or US Government Azure instances. For these scenarios, consider using a Site-to-Site VPN connection.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud services that are not in a virtual network.

Can a cloud service or a load balancing endpoint span VNets?

No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or multi-site connections?

No. VNet-to-VNet and multi-site connections require Azure VPN gateways with RouteBased (previously called Dynamic Routing) VPN types.

Can I connect a VNet with a RouteBased VPN type to another VNet with a PolicyBased VPN type?

No, both virtual networks must use route-based (previously called Dynamic Routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Next steps