What is VPN Gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

What is a virtual network gateway?

A virtual network gateway is composed of two or more VMs that are deployed to a specific subnet you create called the gateway subnet. Virtual network gateway VMs contain routing tables and run specific gateway services. These VMs are created when you create the virtual network gateway. You can't directly configure the VMs that are part of the virtual network gateway.

When you configure a virtual network gateway, you configure a setting that specifies the gateway type. The gateway type determines how the virtual network gateway will be used and the actions that the gateway takes. The gateway type 'Vpn' specifies that the type of virtual network gateway created is a 'VPN gateway'. This distinguishes it from an ExpressRoute gateway, which uses a different gateway type. A virtual network can have two virtual network gateways: one VPN gateway and one ExpressRoute gateway. For more information, see Gateway types.

Creating a virtual network gateway can take up to 45 minutes to complete. When you create a virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specify. After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2, or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.

Configuring a VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order.

Design

It's important to know that there are different configurations available for VPN gateway connections. You need to determine which configuration best fits your needs. For example, Point-to-Site, Site-to-Site, and coexisting ExpressRoute/Site-to-Site connections all have different instructions and configuration requirements. For information about design and to view connection topology diagrams, see Design.

Planning table

The following table can help you decide the best connectivity option for your solution.

| | Point-to-Site | Site-to-Site | ExpressRoute |
|---|---|---|---|
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Typical Bandwidths | Based on the gateway SKU | Typically < 1 Gbps aggregate | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS, ...) |
| Routing | RouteBased (dynamic) | PolicyBased (static routing) and RouteBased (dynamic routing) VPN | BGP |
| Connection resiliency | active-passive | active-passive or active-active | active-active |
| Typical use case | Prototyping, dev / test / lab scenarios for cloud services and virtual machines | Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list), enterprise-class and mission critical workloads, backup, big data, Azure as a DR site |
| SLA | SLA | SLA | SLA |
| Pricing | Pricing | Pricing | Pricing |
| Technical Documentation | VPN Gateway Documentation | VPN Gateway Documentation | ExpressRoute Documentation |
| FAQ | VPN Gateway FAQ | VPN Gateway FAQ | ExpressRoute FAQ |

Settings

The settings that you choose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. That article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.

Deployment tools

You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources, or to modify existing resources when applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.

Gateway SKUs by tunnel, connection, and throughput

| VPN Gateway Generation | SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| Generation1 | VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| Generation1 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| Generation1 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| Generation1 | VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| Generation1 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| Generation1 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No |
| Generation2 | VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No |
| Generation2 | VpnGw4 | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No |
| Generation2 | VpnGw5 | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No |
| Generation2 | VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes |
| Generation2 | VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes |
| Generation2 | VpnGw4AZ | Max. 30* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes |
| Generation2 | VpnGw5AZ | Max. 30* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Resizing of VpnGw SKUs is allowed within the same generation, except resizing of the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To move from Basic to another VpnGw SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • On a single tunnel a maximum of 1 Gbps throughput can be achieved. The Aggregate Throughput Benchmark in the table above is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN gateway is S2S + P2S combined. If you have a lot of P2S connections, they can negatively impact an S2S connection because of throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput, because of Internet traffic conditions and your application behaviors.
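As an added example (not from the Azure documentation), the following PowerShell function checks a planned load against the limits listed above: the separate SSTP and IKEv2/OpenVPN connection limits, the 30-tunnel ceiling, the 1 Gbps per-tunnel maximum and the S2S + P2S aggregate benchmark. The SKU figures are copied from the table (the AZ variants share them); the plan values at the end are constructed.

```powershell
# Added example, not from the Azure documentation: checks a planned load against the SKU
# limits in the table above. SKU figures are copied from that table (AZ variants share them);
# the planned load values at the bottom are constructed.
$VpnGwSkus = @{
    'Gen1/Basic'  = @{ Tunnels = 10; Sstp = 128; Ikev2 = 0;     Mbps = 100 }
    'Gen1/VpnGw1' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 250;   Mbps = 650 }
    'Gen1/VpnGw2' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 500;   Mbps = 1000 }
    'Gen1/VpnGw3' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 1000;  Mbps = 1250 }
    'Gen2/VpnGw2' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 500;   Mbps = 1250 }
    'Gen2/VpnGw3' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 1000;  Mbps = 2500 }
    'Gen2/VpnGw4' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 5000;  Mbps = 5000 }
    'Gen2/VpnGw5' = @{ Tunnels = 30; Sstp = 128; Ikev2 = 10000; Mbps = 10000 }
}

function Test-VpnGatewayPlan {
    param(
        [Parameter(Mandatory)][string]$Sku,   # key of $VpnGwSkus, e.g. 'Gen1/VpnGw1'
        [int[]]$S2sMbpsPerTunnel = @(),       # one entry per S2S or VNet-to-VNet tunnel
        [int]$SstpClients = 0,
        [int]$Ikev2Clients = 0,               # IKEv2 and OpenVPN clients share this limit
        [int]$P2sMbps = 0                     # expected aggregate P2S load
    )
    $limits = $VpnGwSkus[$Sku]
    if (-not $limits) { throw "Unknown SKU key '$Sku'" }
    $findings = [System.Collections.Generic.List[string]]::new()
    $tunnels = $S2sMbpsPerTunnel.Count
    if ($tunnels -gt $limits.Tunnels) {
        $findings.Add("$tunnels S2S tunnels exceed the limit of $($limits.Tunnels); use Virtual WAN above 30")
    }
    # SSTP and IKEv2/OpenVPN limits are separate, so each is checked on its own.
    if ($SstpClients -gt $limits.Sstp)   { $findings.Add("$SstpClients SSTP clients exceed $($limits.Sstp)") }
    if ($Ikev2Clients -gt $limits.Ikev2) { $findings.Add("$Ikev2Clients IKEv2/OpenVPN clients exceed $($limits.Ikev2)") }
    # A single tunnel tops out at 1 Gbps whatever the SKU.
    foreach ($mbps in $S2sMbpsPerTunnel) {
        if ($mbps -gt 1000) { $findings.Add("A tunnel planned at $mbps Mbps exceeds the 1000 Mbps per-tunnel ceiling") }
    }
    # The aggregate benchmark is S2S + P2S combined, and it is a benchmark, not a guarantee.
    $s2sTotal  = [int]($S2sMbpsPerTunnel | Measure-Object -Sum).Sum
    $aggregate = $s2sTotal + $P2sMbps
    if ($aggregate -gt $limits.Mbps) {
        $findings.Add("Planned aggregate $aggregate Mbps exceeds the $($limits.Mbps) Mbps benchmark")
    } elseif ($P2sMbps -ge $limits.Mbps / 2) {
        $findings.Add("P2S load of $P2sMbps Mbps is at least half the benchmark; S2S throughput may suffer")
    }
    [pscustomobject]@{ Sku = $Sku; Fits = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed plan: two branch tunnels plus a large remote-workforce P2S population on VpnGw1.
Test-VpnGatewayPlan -Sku 'Gen1/VpnGw1' -S2sMbpsPerTunnel 200, 150 -SstpClients 100 `
    -Ikev2Clients 300 -P2sMbps 400 | Format-List
```

For the constructed plan the function reports two findings: 300 IKEv2/OpenVPN clients exceed the 250 allowed on VpnGw1, and the 750 Mbps aggregate (350 Mbps S2S + 400 Mbps P2S) exceeds the 650 Mbps benchmark.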

To help our customers understand the relative performance of SKUs using different algorithms, we used the publicly available iPerf and CTSTraffic tools to measure performance. The table below lists the results of performance tests for Generation 1 VpnGw SKUs. As the table shows, the best performance is obtained when GCMAES256 is used for both IPsec encryption and integrity. Average performance was obtained with AES256 for IPsec encryption and SHA256 for integrity, and the lowest performance with DES3 for IPsec encryption and SHA256 for integrity.

| Generation | SKU | Algorithms used | Throughput observed | Packets per second observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1 | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1 | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2 | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2 | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2 | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3 | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3 | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3 | DES3 & SHA256 | 120 Mbps | 60,000 |
| Generation1 | VpnGw1AZ | GCMAES256 | 650 Mbps | 58,000 |
| Generation1 | VpnGw1AZ | AES256 & SHA256 | 500 Mbps | 50,000 |
| Generation1 | VpnGw1AZ | DES3 & SHA256 | 120 Mbps | 50,000 |
| Generation1 | VpnGw2AZ | GCMAES256 | 1 Gbps | 90,000 |
| Generation1 | VpnGw2AZ | AES256 & SHA256 | 500 Mbps | 80,000 |
| Generation1 | VpnGw2AZ | DES3 & SHA256 | 120 Mbps | 55,000 |
| Generation1 | VpnGw3AZ | GCMAES256 | 1.25 Gbps | 105,000 |
| Generation1 | VpnGw3AZ | AES256 & SHA256 | 550 Mbps | 90,000 |
| Generation1 | VpnGw3AZ | DES3 & SHA256 | 120 Mbps | 60,000 |
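As an added example (not from the Azure documentation), this Az PowerShell script applies the result in the table above by attaching a custom IPsec/IKE policy that uses GCMAES256 for both IPsec encryption and integrity to a Site-to-Site connection. The resource group, region, gateway and local network gateway names, the peer address and the on-premises prefix are assumed values; the pre-shared key is read from an environment variable.

```powershell
# Added example, not from the Azure documentation. Requires the Az.Network module and an
# existing RouteBased VPN gateway; all names, addresses and prefixes below are assumed.
$rg       = 'rg-hub-network'   # assumed resource group
$location = 'eastus'           # assumed region
$vnetGw   = Get-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg

# Local network gateway describing the on-premises VPN device (constructed values).
$lng = New-AzLocalNetworkGateway -Name 'lng-branch1' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '10.50.0.0/16'

# Custom policy: AES-GCM 256 for IPsec encryption and integrity (the fastest combination in
# the table), IKE with AES256/SHA256, DH group 14, PFS 2048, and the default SA lifetimes.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# The pre-shared key comes from the environment so it is never stored in the script.
$psk = $env:VPN_BRANCH1_PSK
if (-not $psk) { throw 'Set VPN_BRANCH1_PSK before running this script' }

New-AzVirtualNetworkGatewayConnection -Name 'cn-branch1' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vnetGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsecPolicy

# Confirm that the connection carries the policy we asked for rather than the defaults.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-branch1' -ResourceGroupName $rg).IpsecPolicies |
    Select-Object IpsecEncryption, IpsecIntegrity, IkeEncryption, IkeIntegrity, DhGroup, PfsGroup
```

The on-premises device must be configured with the same IPsec/IKE parameters, or IKE negotiation fails and the tunnel never comes up.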

Availability Zones

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.

Pricing

You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page. For legacy gateway SKU pricing, see the ExpressRoute pricing page and scroll to the Virtual Network Gateways section.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create the virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. The cost of an active-active setup is the same as active-passive.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

  • If you are sending traffic to your on-premises VPN device, it is charged at the Internet egress data transfer rate.
  • If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
  • If you are sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ

For frequently asked questions about VPN Gateway, see the VPN Gateway FAQ.

What's new?

Subscribe to the RSS feed and view the latest VPN Gateway feature updates on the Azure Updates page.

Next steps