What is VPN Gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.

What is a virtual network gateway?

A virtual network gateway is composed of two or more virtual machines that are deployed to a specific subnet you create, which is called the gateway subnet. The VMs that are located in the gateway subnet are created when you create the virtual network gateway. Virtual network gateway VMs are configured to contain routing tables and gateway services specific to the gateway. You can't directly configure the VMs that are part of the virtual network gateway, and you should never deploy additional resources to the gateway subnet.

VPN gateways can be deployed in Azure Availability Zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. See About zone-redundant virtual network gateways in Azure Availability Zones.

Creating a virtual network gateway can take up to 45 minutes to complete. When you create a virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the settings that you specify. One of the settings you configure is the gateway type. The gateway type 'vpn' specifies that the type of virtual network gateway created is a VPN gateway. After you create a VPN gateway, you can create an IPsec/IKE VPN tunnel connection between that VPN gateway and another VPN gateway (VNet-to-VNet), or create a cross-premises IPsec/IKE VPN tunnel connection between the VPN gateway and an on-premises VPN device (Site-to-Site). You can also create a Point-to-Site VPN connection (VPN over OpenVPN, IKEv2 or SSTP), which lets you connect to your virtual network from a remote location, such as from a conference or from home.

Configuring a VPN Gateway

A VPN gateway connection relies on multiple resources that are configured with specific settings. Most of the resources can be configured separately, although some resources must be configured in a certain order.

Settings

The settings that you choose for each resource are critical to creating a successful connection. For information about individual resources and settings for VPN Gateway, see About VPN Gateway settings. The article contains information to help you understand gateway types, gateway SKUs, VPN types, connection types, gateway subnets, local network gateways, and various other resource settings that you may want to consider.

Deployment tools

You can start out creating and configuring resources using one configuration tool, such as the Azure portal. You can later decide to switch to another tool, such as PowerShell, to configure additional resources, or modify existing resources when applicable. Currently, you can't configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Deployment model

There are currently two deployment models for Azure. When you configure a VPN gateway, the steps you take depend on the deployment model that you used to create your virtual network. For example, if you created your VNet using the classic deployment model, you use the guidelines and instructions for the classic deployment model to create and configure your VPN gateway settings. For more information about deployment models, see Understanding Resource Manager and classic deployment models.

Planning table

The following table can help you decide the best connectivity option for your solution.

|  | Point-to-Site | Site-to-Site | ExpressRoute |
| --- | --- | --- | --- |
| Azure Supported Services | Cloud Services and Virtual Machines | Cloud Services and Virtual Machines | Services list |
| Typical Bandwidths | Based on the gateway SKU | Typically < 1 Gbps aggregate | 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps |
| Protocols Supported | Secure Sockets Tunneling Protocol (SSTP), OpenVPN and IPsec | IPsec | Direct connection over VLANs, NSP's VPN technologies (MPLS, VPLS,...) |
| Routing | RouteBased (dynamic) | We support PolicyBased (static routing) and RouteBased (dynamic routing VPN) | BGP |
| Connection resiliency | active-passive | active-passive or active-active | active-active |
| Typical use case | Prototyping, dev / test / lab scenarios for cloud services and virtual machines | Dev / test / lab scenarios and small scale production workloads for cloud services and virtual machines | Access to all Azure services (validated list), Enterprise-class and mission critical workloads, Backup, Big Data, Azure as a DR site |
| SLA | SLA | SLA | SLA |
| Pricing | Pricing | Pricing | Pricing |
| Technical Documentation | VPN Gateway Documentation | VPN Gateway Documentation | ExpressRoute Documentation |
| FAQ | VPN Gateway FAQ | VPN Gateway FAQ | ExpressRoute FAQ |

Gateway SKUs

When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more information about gateway SKUs, including supported features, production and dev-test, and configuration steps, see Gateway SKUs.

Gateway SKUs by tunnel, connection, and throughput

| SKU | S2S/VNet-to-VNet Tunnels | P2S SSTP Connections | P2S IKEv2/OpenVPN Connections | Aggregate Throughput Benchmark | BGP | Zone-redundant |
| --- | --- | --- | --- | --- | --- | --- |
| Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No |
| VpnGw1 | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | No |
| VpnGw2 | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | No |
| VpnGw3 | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No |
| VpnGw1AZ | Max. 30* | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes |
| VpnGw2AZ | Max. 30* | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes |
| VpnGw3AZ | Max. 30* | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes |

(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.

  • Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a single gateway. The Aggregate Throughput Benchmark for a VPN Gateway is S2S + P2S combined. If you have a lot of P2S connections, it can negatively impact a S2S connection due to throughput limitations. The Aggregate Throughput Benchmark is not a guaranteed throughput due to Internet traffic conditions and your application behaviors.

  • These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.

  • Pricing information can be found on the Pricing page.

  • SLA (Service Level Agreement) information can be found on the SLA page.

  • VpnGw1, VpnGw2, and VpnGw3 are supported for VPN gateways using the Resource Manager deployment model only.

  • The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. You can't resize a gateway that uses a Basic SKU to one of the new gateway SKUs. Instead, you must change to a new SKU, which involves deleting and recreating your VPN gateway. Verify that the feature that you need is supported before you use the Basic SKU.

Connection topology diagrams

It's important to know that there are different configurations available for VPN gateway connections. You need to determine which configuration best fits your needs. The sections below provide information and topology diagrams for the VPN gateway connection types. They also contain tables that list:

  • Available deployment model
  • Available configuration tools
  • Links that take you directly to an article, if available

Use the diagrams and descriptions to help select the connection topology to match your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using the diagrams as a guideline.

Site-to-Site and Multi-Site (IPsec/IKE VPN tunnel)

Site-to-Site

A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. A S2S connection requires a VPN device located on-premises that has a public IP address assigned to it and is not located behind a NAT. For information about selecting a VPN device, see the VPN Gateway FAQ - VPN devices.

[Figure: Azure VPN Gateway Site-to-Site connection example]
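
The resource order this page describes for a Site-to-Site connection, as an added PowerShell example that is not part of the original article: gateway subnet, a zone-redundant VpnGw1AZ gateway with gateway type 'Vpn', a local network gateway for the on-premises device, then the IPsec connection. All resource names, the region, the address ranges and the on-premises public IP (203.0.113.10) are placeholder assumptions, and the Az PowerShell module with a signed-in session is assumed.

```powershell
# Added example, not from the original article. Requires the Az module and a
# signed-in session (Connect-AzAccount). Every name, region, address range and
# the on-premises IP below is a placeholder assumption.
$rg  = 'rg-vpn-demo'
$loc = 'westeurope'
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# 1. Virtual network with a workload subnet and the dedicated gateway subnet.
#    The gateway subnet must be named 'GatewaySubnet'; deploy nothing else into it.
$workload = New-AzVirtualNetworkSubnetConfig -Name 'workload' -AddressPrefix '10.10.1.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.10.0.0/16' -Subnet $workload, $gwSubnet

# 2. Public IP for the gateway. Zone-redundant (AZ) gateway SKUs need a
#    Standard SKU public IP with static allocation.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $loc `
    -Sku Standard -AllocationMethod Static

# 3. The virtual network gateway. GatewayType 'Vpn' makes it a VPN gateway;
#    RouteBased is the VPN type needed once there are multiple connections.
#    This step is the one that can take up to 45 minutes.
$subnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig  = New-AzVirtualNetworkGatewayIpConfig -Name 'gw-ipconfig' `
    -SubnetId $subnetRef.Id -PublicIpAddressId $pip.Id
$gateway = New-AzVirtualNetworkGateway -Name 'vpngw-demo' -ResourceGroupName $rg `
    -Location $loc -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1AZ

# 4. Local network gateway: Azure's record of the on-premises VPN device
#    (its public IP, not behind NAT) and the on-premises address space.
$onPrem = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg `
    -Location $loc -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'

# 5. The IPsec/IKE connection. The pre-shared key is prompted for at run time
#    so it never lands in the script or in source control.
$secure = Read-Host -Prompt 'Pre-shared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password
New-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg `
    -Location $loc -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $onPrem `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# 6. Check the tunnel state once the on-premises device is configured to match.
$conn = Get-AzVirtualNetworkGatewayConnection -Name 'cn-onprem' -ResourceGroupName $rg
'{0}: {1}' -f $conn.Name, $conn.ConnectionStatus
```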

Multi-Site

This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth. This type of connection is often called a "multi-site" connection.

[Figure: Azure VPN Gateway Multi-Site connection example]

Deployment models and methods for Site-to-Site and Multi-Site

| Deployment model/method | Azure portal | PowerShell | Azure CLI |
| --- | --- | --- | --- |
| Resource Manager | Tutorial, Tutorial+ | Tutorial | Tutorial |
| Classic | Tutorial** | Tutorial+ | Not Supported |

(**) denotes that this method contains steps that require PowerShell.

(+) denotes that this article is written for multi-site connections.

Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Unlike S2S connections, P2S connections do not require an on-premises public-facing IP address or a VPN device. P2S connections can be used with S2S connections through the same VPN gateway, as long as all the configuration requirements for both connections are compatible. For more information about Point-to-Site connections, see About Point-to-Site VPN.

[Figure: Azure VPN Gateway Point-to-Site connection example]

Deployment models and methods for P2S

Azure native certificate authentication

| Deployment model/method | Azure portal | PowerShell |
| --- | --- | --- |
| Resource Manager | Tutorial | Tutorial |
| Classic | Tutorial | Supported |

RADIUS authentication

| Deployment model/method | Azure portal | PowerShell |
| --- | --- | --- |
| Resource Manager | Supported | Tutorial |
| Classic | Not Supported | Not Supported |

VNet-to-VNet connections (IPsec/IKE VPN tunnel)

Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

The VNets you connect can be:

  • in the same or different regions
  • in the same or different subscriptions
  • in the same or different deployment models

[Figure: Azure VPN Gateway VNet-to-VNet connection example]

Connections between deployment models

Azure currently has two deployment models: classic and Resource Manager. If you have been using Azure for some time, you probably have Azure VMs and instance roles running in a classic VNet. Your newer VMs and role instances may be running in a VNet created in Resource Manager. You can create a connection between the VNets to allow the resources in one VNet to communicate directly with resources in another.

VNet peering

You may be able to use VNet peering to create your connection, as long as your virtual network meets certain requirements. VNet peering does not use a virtual network gateway. For more information, see VNet peering.

Deployment models and methods for VNet-to-VNet

| Deployment model/method | Azure portal | PowerShell | Azure CLI |
| --- | --- | --- | --- |
| Classic | Tutorial* | Supported | Not Supported |
| Resource Manager | Tutorial+ | Tutorial | Tutorial |
| Connections between different deployment models | Tutorial* | Tutorial | Not Supported |

(+) denotes this deployment method is available only for VNets in the same subscription.
(*) denotes that this deployment method also requires PowerShell.

ExpressRoute (private connection)

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

An ExpressRoute connection uses a virtual network gateway as part of its required configuration. In an ExpressRoute connection, the virtual network gateway is configured with the gateway type 'ExpressRoute', rather than 'Vpn'. While traffic that travels over an ExpressRoute circuit is not encrypted by default, it is possible to create a solution that allows you to send encrypted traffic over an ExpressRoute circuit. For more information about ExpressRoute, see the ExpressRoute technical overview.

Site-to-Site and ExpressRoute coexisting connections

ExpressRoute is a direct, private connection from your WAN (not over the public Internet) to Microsoft Services, including Azure. Site-to-Site VPN traffic travels encrypted over the public Internet. Being able to configure Site-to-Site VPN and ExpressRoute connections for the same virtual network has several advantages.

You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not part of your network, but that are connected through ExpressRoute. Notice that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn', and the other using the gateway type 'ExpressRoute'.

[Figure: ExpressRoute and VPN Gateway coexisting connections example]

Deployment models and methods for S2S and ExpressRoute coexisting connections

| Deployment model/method | Azure portal | PowerShell |
| --- | --- | --- |
| Resource Manager | Supported | Tutorial |
| Classic | Not Supported | Tutorial |

Pricing

You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer from the virtual network gateway. Pricing information can be found on the Pricing page.

Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data transfer that flows through the gateway. Cost of an active-active setup is the same as active-passive.

Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.

  • If you are sending traffic to your on-premises VPN device, it will be charged with the Internet egress data transfer rate.
  • If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
  • If you are sending traffic only between virtual networks that are in the same region, there are no data costs. Traffic between VNets in the same region is free.

For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.

FAQ

For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.

Next steps