About VPN Gateway configuration settings

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.

A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network created in the Resource Manager deployment model. You can find descriptions and topology diagrams for each connection solution in the About VPN Gateway article.

The values in this article apply to VPN gateways (virtual network gateways that use -GatewayType Vpn). This article does not cover all gateway types or zone-redundant gateways.

Gateway types

Each virtual network can only have one virtual network gateway of each type. When you are creating a virtual network gateway, you must make sure that the gateway type is correct for your configuration.

The available values for -GatewayType are:

  • Vpn
  • ExpressRoute

A VPN gateway requires -GatewayType Vpn.

Example:

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'West US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased

Gateway SKUs

When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For virtual network gateway SKUs in Azure Availability Zones, see Azure Availability Zones gateway SKUs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • The resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. In order to move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the table above is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN gateway is S2S + P2S combined. If you have a lot of P2S connections, they can negatively impact an S2S connection because of throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput, because of Internet traffic conditions and your application behavior.

To help customers understand the relative performance of SKUs with different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation1 VpnGw SKUs. As you can see, the best performance is obtained with GCMAES256 for both IPsec encryption and integrity. Performance is average with AES256 for IPsec encryption and SHA256 for integrity, and lowest with DES3 for IPsec encryption and SHA256 for integrity. DES3 (3DES) is also the weakest of the three ciphers and should only be kept for a legacy device that cannot negotiate AES; prefer GCMAES256 in a custom IPsec/IKE policy wherever the on-premises device supports it.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |

Note

VpnGw SKUs (VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, and VpnGw5AZ) are supported for the Resource Manager deployment model only. Classic virtual networks should continue to use the old (legacy) SKUs.

Gateway SKUs by feature set

The new VPN gateway SKUs streamline the feature sets offered on the gateways:

| SKU | Features |
|---|---|
| Basic (**) | Route-based VPN: 10 tunnels for S2S/connections; no RADIUS authentication for P2S; no IKEv2 for P2S. Policy-based VPN (IKEv1): 1 S2S/connection tunnel; no P2S |
| All Generation1 and Generation2 SKUs except Basic | Route-based VPN: up to 30 tunnels (*), P2S, BGP, active-active, custom IPsec/IKE policy, ExpressRoute/VPN coexistence |

(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices. Refer to Connect VPN gateways to multiple on-premises policy-based VPN devices using PowerShell for details.

(**) The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. You can't resize a gateway that uses a Basic SKU to one of the new gateway SKUs; you must instead change to a new SKU, which involves deleting and recreating your VPN gateway.

Gateway SKUs - Production vs. Dev-Test Workloads

Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:

| Workload | SKUs |
|---|---|
| Production, critical workloads | All Generation1 and Generation2 SKUs except Basic |
| Dev-test or proof of concept | Basic (**) |

(**) The Basic SKU is considered a legacy SKU and has feature limitations. Verify that the feature that you need is supported before you use the Basic SKU.

If you are using the old (legacy) SKUs, the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see Gateway SKUs (legacy).

Configure a gateway SKU

Azure portal

If you use the Azure portal to create a Resource Manager virtual network gateway, you can select the gateway SKU by using the dropdown. The options you are presented with correspond to the Gateway type and VPN type that you select.

PowerShell

The following PowerShell example specifies the -GatewaySku as VpnGw1. When using PowerShell to create a gateway, you have to first create the IP configuration, then use a variable to refer to it. In this example, the configuration variable is $gwipconfig.

New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewaySku VpnGw1 `
-GatewayType Vpn -VpnType RouteBased

Azure CLI

az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWPIP --resource-group TestRG1 --vnet VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
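The snippets above assume that $gwipconfig already exists. The following script, added here as an example and not taken from the original page, shows the whole sequence that produces it: resource group, virtual network with a dedicated GatewaySubnet, public IP, IP configuration, and finally the gateway with its type, VPN type, SKU and generation. Resource names, the region, the address prefixes and the VpnGw1/Generation1 choice are assumptions for illustration.

```powershell
# Added example: end-to-end creation of a RouteBased VPN gateway on the VpnGw1 SKU.
# Not part of the original page; names, region and address space are assumptions.
$rg       = 'TestRG1'
$location = 'East US'
$vnetName = 'VNet1'

# 1. Resource group and virtual network. The gateway subnet MUST be named
#    'GatewaySubnet'; nothing else is ever deployed into it. /27 leaves room for
#    later configurations such as ExpressRoute/VPN coexistence.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd'      -AddressPrefix '10.1.0.0/24'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.1.0.0/16' -Subnet $gwSubnet, $appSubnet

# 2. Public IP for the gateway. Non-AZ VpnGw SKUs take a dynamic public IP; the
#    address is only assigned once the gateway is created (and changes if the
#    gateway is ever deleted and rebuilt). AZ SKUs need a Standard static public IP instead.
$pip = New-AzPublicIpAddress -Name 'VNet1GWPIP' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Dynamic

# 3. IP configuration that binds the public IP to the GatewaySubnet. This is the
#    $gwipconfig variable the New-AzVirtualNetworkGateway examples refer to.
$subnetId   = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig1' `
                -SubnetId $subnetId -PublicIpAddressId $pip.Id

# 4. The gateway: GatewayType Vpn, RouteBased (required for P2S, BGP and IKEv2),
#    SKU VpnGw1 in Generation1. Provisioning can take up to 45 minutes.
$gw = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg -Location $location `
        -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# 5. Confirm what was built, then read the assigned address to hand to the on-premises side.
$gw | Select-Object Name, GatewayType, VpnType, @{n='Sku';e={$_.Sku.Name}},
                    VpnGatewayGeneration, ProvisioningState
(Get-AzPublicIpAddress -Name 'VNet1GWPIP' -ResourceGroupName $rg).IpAddress
```

The generation is fixed at creation time along with the VPN type; a later change across generations is a rebuild, not a resize, which is why it is chosen explicitly here rather than left to the default.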

Resizing or changing a SKU

If you have a VPN gateway and you want to use a different gateway SKU, your options are to either resize your gateway SKU or to change to another SKU. When you change to another gateway SKU, you delete the existing gateway entirely and build a new one. A gateway can take up to 45 minutes to build. In comparison, when you resize a gateway SKU, there is not much downtime because you do not have to delete and rebuild the gateway. If you have the option to resize your gateway SKU rather than change it, you will want to do that. However, there are rules regarding resizing:

  1. With the exception of the Basic SKU, you can resize a VPN gateway SKU to another VPN gateway SKU within the same generation (Generation1 or Generation2). For example, VpnGw1 of Generation1 can be resized to VpnGw2 of Generation1 but not to VpnGw2 of Generation2.
  2. When working with the old gateway SKUs, you can resize between the Basic, Standard, and HighPerformance SKUs.
  3. You cannot resize from the Basic/Standard/HighPerformance SKUs to the VpnGw SKUs. You must instead change to the new SKUs.

To resize a gateway

Azure portal

  1. Go to the Configuration page for your virtual network gateway.

  2. Select the arrows for the dropdown.

  3. Select the SKU from the dropdown.

PowerShell

You can use the Resize-AzVirtualNetworkGateway PowerShell cmdlet to upgrade or downgrade a Generation1 or Generation2 SKU (all VpnGw SKUs can be resized except the Basic SKU). If you are using the Basic gateway SKU, follow the instructions under "To change from an old (legacy) SKU to a new SKU" below instead.

The following PowerShell example shows a gateway SKU being resized to VpnGw2.

$gw = Get-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw2

To change from an old (legacy) SKU to a new SKU

If you are working with the Resource Manager deployment model, you can change to the new gateway SKUs. When you change from a legacy gateway SKU to a new SKU, you delete the existing VPN gateway and create a new VPN gateway.

Workflow:

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

Considerations:

  • To move to the new SKUs, your VPN gateway must be in the Resource Manager deployment model.
  • If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway; however, you can resize between the legacy SKUs. You cannot change to the new SKUs.
  • You will have connectivity downtime when you change from a legacy SKU to a new SKU.
  • When changing to a new gateway SKU, the public IP address for your VPN gateway will change. This happens even if you specify the same public IP address object that you used previously.
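The three resize rules and the seven-step rebuild workflow above can be scripted so that the decision is made from the gateway's actual SKU and generation rather than by hand. The script below is an added example, not from the original page: it classifies the current and target SKU, calls Resize-AzVirtualNetworkGateway when the rules allow it, and otherwise records the S2S (IPsec) connections and their shared keys, deletes and recreates the gateway on the same subnet and public IP object, and recreates the connections. Names and the target SKU are assumptions; it relies on the gateway object exposing Sku.Name and VpnGatewayGeneration, and it leaves Vnet2Vnet connections (which need the peer gateway) and P2S client packages to be handled separately.

```powershell
# Added example, not from the original page: resize in place when the rules allow it,
# otherwise rebuild. Assumes Az.Network; $gw.Sku.Name and $gw.VpnGatewayGeneration
# ('Generation1' / 'Generation2') are the properties the rules are checked against.

function Get-VpnGatewaySkuFamily {
    # Classifies a SKU name into the family it may be resized within.
    param([Parameter(Mandatory)][string]$Sku)
    switch -Regex ($Sku) {
        '^Basic$'                      { return 'Basic'  }   # legacy; Basic <-> Standard/HighPerformance only
        '^(Standard|HighPerformance)$' { return 'Legacy' }   # old SKUs; resize among the legacy set only
        '^VpnGw[1-5](AZ)?$'            { return 'VpnGw'  }   # new SKUs; resize within one generation
        default                        { throw "Unknown VPN gateway SKU '$Sku'" }
    }
}

function Test-VpnGatewayResizeAllowed {
    # $true  -> Resize-AzVirtualNetworkGateway applies (little downtime, public IP kept)
    # $false -> delete and recreate (downtime, new public IP)
    param(
        [Parameter(Mandatory)]$Gateway,
        [Parameter(Mandatory)][string]$TargetSku,
        [Parameter(Mandatory)][string]$TargetGeneration
    )
    $from = Get-VpnGatewaySkuFamily $Gateway.Sku.Name
    $to   = Get-VpnGatewaySkuFamily $TargetSku
    if ($from -eq 'VpnGw') {
        # Rule 1: VpnGw SKUs resize only to VpnGw SKUs of the same generation.
        return ($to -eq 'VpnGw') -and ($TargetGeneration -eq $Gateway.VpnGatewayGeneration)
    }
    # Rules 2 and 3: Basic/Standard/HighPerformance resize among themselves, never to VpnGw.
    return ($to -in 'Basic', 'Legacy')
}

$rg = 'TestRG1'; $name = 'VNet1GW'
$targetSku = 'VpnGw2'; $targetGen = 'Generation2'
$gw = Get-AzVirtualNetworkGateway -Name $name -ResourceGroupName $rg

if (Test-VpnGatewayResizeAllowed -Gateway $gw -TargetSku $targetSku -TargetGeneration $targetGen) {
    Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku $targetSku
    return
}

# Rebuild path. Step 1: record each S2S connection and its pre-shared key before removing it.
$conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
         Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id -and $_.ConnectionType -eq 'IPsec' }
$saved = foreach ($c in $conns) {
    [pscustomobject]@{
        Name  = $c.Name
        LngId = $c.LocalNetworkGateway2.Id
        Psk   = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $c.Name -ResourceGroupName $rg
        Bgp   = [bool]$c.EnableBgp
    }
}
$conns | ForEach-Object { Remove-AzVirtualNetworkGatewayConnection -Name $_.Name -ResourceGroupName $rg -Force }

# Step 2: delete the old gateway. Step 3: recreate it on the same subnet and public IP
# object; the dynamic address still changes, so the on-premises side must be updated.
Remove-AzVirtualNetworkGateway -Name $name -ResourceGroupName $rg -Force
$old = $gw.IpConfigurations[0]
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name $old.Name `
                -SubnetId $old.Subnet.Id -PublicIpAddressId $old.PublicIpAddress.Id
$new = New-AzVirtualNetworkGateway -Name $name -ResourceGroupName $rg -Location $gw.Location `
         -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType $gw.VpnType `
         -GatewaySku $targetSku -VpnGatewayGeneration $targetGen

# Step 7: recreate the S2S connections against the new gateway with the saved keys.
foreach ($s in $saved) {
    $lng = Get-AzLocalNetworkGateway -Name $s.LngId.Split('/')[-1] -ResourceGroupName $s.LngId.Split('/')[4]
    New-AzVirtualNetworkGatewayConnection -Name $s.Name -ResourceGroupName $rg -Location $gw.Location `
      -VirtualNetworkGateway1 $new -LocalNetworkGateway2 $lng -ConnectionType IPsec `
      -SharedKey $s.Psk -EnableBgp $s.Bgp | Out-Null
}

# Steps 4-6: the new address goes to the on-premises devices, VNet-to-VNet local network
# gateways and regenerated P2S client packages.
$pipName = $old.PublicIpAddress.Id.Split('/')[-1]
"New gateway public IP: $((Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg).IpAddress)"
```

Reading the shared keys back with Get-AzVirtualNetworkGatewayConnectionSharedKey before deletion is what makes the rebuild reversible without re-keying every device; treat that intermediate object as a secret and do not write it to disk or a transcript.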

Connection types

In the Resource Manager deployment model, each configuration requires a specific virtual network gateway connection type. The available Resource Manager PowerShell values for -ConnectionType are:

  • IPsec
  • Vnet2Vnet
  • ExpressRoute
  • VPNClient

In the following PowerShell example, we create an S2S connection, which requires the connection type IPsec. The shared key shown is a placeholder; a real deployment should use a long, randomly generated pre-shared key and deliver it to the VPN device owner out of band.

New-AzVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg `
-Location 'West US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'

VPN types

When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The VPN type that you choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you are using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.

The VPN type you select must satisfy all the connection requirements for the solution you want to create. For example, if you want to create an S2S VPN gateway connection and a P2S VPN gateway connection for the same virtual network, you would use VPN type RouteBased because P2S requires a RouteBased VPN type. You would also need to verify that your VPN device supports a RouteBased VPN connection.

Once a virtual network gateway has been created, you can't change the VPN type. You have to delete the virtual network gateway and create a new one. There are two VPN types:

  • PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies configured with the combinations of address prefixes between your on-premises network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the following limitations:

    • PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with other gateway SKUs.
    • You can have only 1 tunnel when using a PolicyBased VPN.
    • You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN Gateway configurations require a RouteBased VPN.
  • RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy (or traffic selector) for RouteBased VPNs is configured as any-to-any (or wildcards). The value for a RouteBased VPN type is RouteBased.

The following PowerShell example specifies the -VpnType as RouteBased. When you are creating a gateway, you must make sure that the -VpnType is correct for your configuration.

New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
-Location 'West US' -IpConfigurations $gwipconfig `
-GatewayType Vpn -VpnType RouteBased

Gateway requirements

The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and RouteBased gateways are the same as Dynamic gateways.

| | PolicyBased Basic VPN Gateway | RouteBased Basic VPN Gateway | RouteBased Standard VPN Gateway | RouteBased High Performance VPN Gateway |
|---|---|---|---|---|
| Site-to-Site connectivity (S2S) | PolicyBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration |
| Point-to-Site connectivity (P2S) | Not supported | Supported (can coexist with S2S) | Supported (can coexist with S2S) | Supported (can coexist with S2S) |
| Authentication method | Pre-shared key | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity | Pre-shared key for S2S connectivity, certificates for P2S connectivity |
| Maximum number of S2S connections | 1 | 10 | 10 | 30 |
| Maximum number of P2S connections | Not supported | 128 | 128 | 128 |
| Active routing support (BGP) (*) | Not supported | Not supported | Supported | Supported |

(*) BGP is not supported for the classic deployment model.

Gateway subnet

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to deploy the virtual network gateway VMs and services to.

Note

User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet are not supported. Gateways created with this configuration will be blocked from creation. Gateways require access to the management controllers in order to function properly. BGP Route Propagation should be set to "Enabled" on the GatewaySubnet to ensure availability of the gateway. If this is set to disabled, the gateway will not function.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.

When you are planning your gateway subnet size, refer to the documentation for the configuration that you are planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Additionally, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future additional configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, and so on) if you have the available address space to do so. This will accommodate most configurations.

The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27

Important

When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating a network security group with this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?
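The conditions in the note and the warning above (wrong subnet name, a subnet smaller than /29 or /27, an NSG on the subnet, a 0.0.0.0/0 user-defined route, BGP route propagation disabled) are all visible in the VNet's configuration before you try to create the gateway. The function below, added here as an example rather than taken from the original page, checks a VNet for each of them and returns a list of findings. Resource names are assumptions; it relies on the subnet object exposing AddressPrefix, NetworkSecurityGroup and RouteTable, and on the route table exposing Routes and DisableBgpRoutePropagation.

```powershell
# Added example, not from the original page: audit a VNet's GatewaySubnet for the
# configurations this article says block gateway creation or break a running gateway.
# Assumes Az.Network and the object properties named in the comments below.

function Test-GatewaySubnet {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VNetName
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $subnet = $vnet.Subnets | Where-Object Name -eq 'GatewaySubnet'

    # The name is what tells Azure where to place the gateway VMs; nothing else will do.
    if (-not $subnet) {
        $findings.Add("No subnet named 'GatewaySubnet' in $VNetName; a gateway cannot be deployed.")
        return $findings
    }

    # Size: /29 is the smallest allowed, /27 or larger is recommended.
    $prefix    = $subnet.AddressPrefix[0]
    $prefixLen = [int](($prefix -split '/')[1])
    if ($prefixLen -gt 29)     { $findings.Add("GatewaySubnet $prefix is smaller than the /29 minimum.") }
    elseif ($prefixLen -gt 27) { $findings.Add("GatewaySubnet $prefix is smaller than the recommended /27.") }

    # An NSG on the gateway subnet is unsupported and can stop the gateway from working.
    if ($subnet.NetworkSecurityGroup) {
        $nsgName = $subnet.NetworkSecurityGroup.Id.Split('/')[-1]
        $findings.Add("NSG '$nsgName' is associated with GatewaySubnet; remove the association.")
    }

    # A route table is allowed, but not a 0.0.0.0/0 UDR (cuts the gateway off from its
    # management controllers) and not with BGP route propagation disabled.
    if ($subnet.RouteTable) {
        $rtId = $subnet.RouteTable.Id
        $rt   = Get-AzRouteTable -Name $rtId.Split('/')[-1] -ResourceGroupName $rtId.Split('/')[4]
        foreach ($route in $rt.Routes) {
            if ($route.AddressPrefix -eq '0.0.0.0/0') {
                $findings.Add("Route table '$($rt.Name)' has default route '$($route.Name)' -> $($route.NextHopType); unsupported on GatewaySubnet.")
            }
        }
        if ($rt.DisableBgpRoutePropagation) {
            $findings.Add("Route table '$($rt.Name)' has BGP route propagation disabled; the gateway will not function.")
        }
    }
    return $findings
}

# Usage: run before New-AzVirtualNetworkGateway (or after an NSG/UDR change) and fail the
# deployment if anything comes back.
$issues = Test-GatewaySubnet -ResourceGroupName 'TestRG1' -VNetName 'VNet1'
if ($issues.Count -eq 0) { 'GatewaySubnet passes all checks.' } else { $issues; exit 1 }
```

Because the NSG and route-table associations can be changed on the subnet long after the gateway was created, the same check belongs in a periodic drift audit, not only in the deployment pipeline.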

Local network gateways

A local network gateway is different from a virtual network gateway. When creating a VPN gateway configuration, the local network gateway usually represents your on-premises network and the corresponding VPN device. In the classic deployment model, the local network gateway was referred to as a Local Site.

You give the local network gateway a name, the public IP address or the fully qualified domain name (FQDN) of the on-premises VPN device, and the address prefixes that are located on the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you have specified for your local network gateway, and routes packets accordingly. If you use Border Gateway Protocol (BGP) on your VPN device, you also provide the BGP peer IP address of your VPN device and the autonomous system number (ASN) of your on-premises network. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

The following PowerShell example creates a new local network gateway:

New-AzLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `
-Location 'West US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings, for example when you add or modify the address range, or if the IP address of the VPN device changes. See Modify local network gateway settings using PowerShell.
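The local network gateway above, the IPsec connection in the Connection types section and the algorithm comparison in the performance table fit together in one deployment. The script below is an added example, not code from the original page: it creates a local network gateway with BGP peering details, generates a pre-shared key from the system CSPRNG instead of a placeholder such as 'abc123', and attaches an S2S connection with BGP and a custom IPsec/IKE policy that uses GCMAES256, the combination the performance tests measured fastest. Names, addresses, the ASN and the existing gateway VNet1GW are assumptions.

```powershell
# Added example, not from the original page: BGP-enabled local network gateway plus an S2S
# connection with a random PSK and a GCMAES256 IPsec/IKE policy. Names, addresses and ASN
# are assumptions; VNet1GW is an existing RouteBased VpnGw gateway.
$rg       = 'TestRG1'
$location = 'East US'
$gateway1 = Get-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg

# 1. Local network gateway: the on-premises device's public address, the prefixes behind
#    it, and its BGP peer address and ASN so routes are learned instead of hard-coded.
$local = New-AzLocalNetworkGateway -Name 'Site1' -ResourceGroupName $rg -Location $location `
           -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.5.51.0/24' `
           -Asn 65010 -BgpPeeringAddress '10.5.51.254'

# 2. Pre-shared key: 32 bytes from the cryptographic RNG, hex encoded (64 printable
#    characters, within the 1-128 character limit and safe for most devices).
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# 3. Custom IPsec/IKE policy: GCMAES256 for ESP encryption and integrity (the fastest
#    combination in the table above), AES256/SHA256 for IKE, DH group 14 and PFS2048
#    for forward secrecy, with explicit SA lifetimes. The device must be configured to match.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
                 -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
                 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 4. The S2S connection: ConnectionType IPsec, BGP on, policy applied, route-based
#    (any-to-any) traffic selectors.
$conn = New-AzVirtualNetworkGatewayConnection -Name 'Site1-to-VNet1' -ResourceGroupName $rg `
          -Location $location -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
          -ConnectionType IPsec -SharedKey $psk -EnableBgp $true `
          -IpsecPolicies $ipsecPolicy -UsePolicyBasedTrafficSelectors $false

# 5. Verify the stored policy and status; the PSK itself goes to the device owner out of band.
Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg |
  Select-Object Name, ConnectionStatus, EnableBgp,
                @{n='Esp';e={"$($_.IpsecPolicies[0].IpsecEncryption)/$($_.IpsecPolicies[0].IpsecIntegrity)"}}
```

If the on-premises device cannot negotiate GCMAES256, fall back to AES256 with SHA256 rather than DES3; the table shows DES3 at roughly a fifth of the throughput, and it is the weakest cipher of the three.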

REST APIs, PowerShell cmdlets, and CLI

For additional technical resources and specific syntax requirements when using REST APIs, PowerShell cmdlets, or Azure CLI for VPN Gateway configurations, see the following pages:

| Classic | Resource Manager |
|---|---|
| PowerShell | PowerShell |
| REST API | REST API |
| Not supported | Azure CLI |

Next steps

For more information about available connection configurations, see About VPN Gateway.