Create a VNet with a Site-to-Site VPN connection using PowerShell

This article shows you how to use PowerShell to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model.

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN Gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Azure PowerShell

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into the Cloud Shell, and press Enter to run them.

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you have not installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.

#Example values

VnetName                = VNet1
ResourceGroup           = TestRG1
Location                = East US 
AddressSpace            = 10.1.0.0/16 
SubnetName              = Frontend 
Subnet                  = 10.1.0.0/24 
GatewaySubnet           = 10.1.255.0/27
LocalNetworkGatewayName = Site1
LNG Public IP           = <On-premises VPN device IP address> 
Local Address Prefixes  = 10.101.0.0/24, 10.101.1.0/24
Gateway Name            = VNet1GW
PublicIP                = VNet1GWPIP
Gateway IP Config       = gwipconfig1 
VPNType                 = RouteBased 
GatewayType             = Vpn 
ConnectionName          = VNet1toSite1

1. Create a virtual network and a gateway subnet

If you don't already have a virtual network, create one. When creating a virtual network, make sure that the address spaces you specify don't overlap any of the address spaces that you have on your on-premises network.

Note

In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Take care to plan your network configuration accordingly.

About the gateway subnet

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources. You can't specify a different subnet to deploy the gateway resources to. If you don't have a subnet named 'GatewaySubnet', when you create your VPN gateway, it will fail.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
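The overlap and containment rules above can be checked before anything is deployed. The following is an added example, not part of the original article: the function names are hypothetical, the addresses are the article's example values, and the one conflicting prefix is constructed to show a failing case. It handles IPv4 prefixes only.

```powershell
# Added example (not from the original article). Function names are
# hypothetical; addresses are the article's example values except the
# constructed conflicting prefix near the end.

function ConvertTo-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/length, got '$Cidr'" }
    $ip = [System.Net.IPAddress]::Parse($parts[0])
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 prefix: $Cidr"
    }
    $len = [int]$parts[1]
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    # Int64 throughout: mixing UInt64 with Int32 in PowerShell can yield Double
    [int64]$value = 0
    foreach ($b in $ip.GetAddressBytes()) { $value = $value * 256 + [int64]$b }
    [int64]$size  = [int64]1 -shl (32 - $len)
    [int64]$start = $value - ($value % $size)     # clear any host bits
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    param([string]$First, [string]$Second)
    $x = ConvertTo-CidrRange $First
    $y = ConvertTo-CidrRange $Second
    return ($x.Start -le $y.End) -and ($y.Start -le $x.End)
}

function Test-CidrContains {
    param([string]$Outer, [string]$Inner)
    $o = ConvertTo-CidrRange $Outer
    $i = ConvertTo-CidrRange $Inner
    return ($i.Start -ge $o.Start) -and ($i.End -le $o.End)
}

function Get-AddressPlanFinding {
    param([string[]]$VNetAddressSpace, [hashtable]$VNetSubnets, [string[]]$OnPremPrefixes)
    # Every VNet subnet (including GatewaySubnet) must sit inside the address space
    foreach ($name in $VNetSubnets.Keys) {
        $prefix = $VNetSubnets[$name]
        $inside = $VNetAddressSpace | Where-Object { Test-CidrContains $_ $prefix }
        if (-not $inside) { "Subnet '$name' ($prefix) is outside the VNet address space" }
    }
    # No on-premises prefix may overlap the VNet address space
    foreach ($onPrem in $OnPremPrefixes) {
        foreach ($space in $VNetAddressSpace) {
            if (Test-CidrOverlap $onPrem $space) {
                "On-premises prefix $onPrem overlaps VNet address space $space"
            }
        }
    }
}

# The article's example values
$plan = @{
    VNetAddressSpace = @('10.1.0.0/16')
    VNetSubnets      = @{ Frontend = '10.1.0.0/24'; GatewaySubnet = '10.1.255.0/27' }
    OnPremPrefixes   = @('10.101.0.0/24', '10.101.1.0/24')
}
Get-AddressPlanFinding @plan

# Constructed on-premises prefix that collides with the VNet address space
$plan.OnPremPrefixes += '10.1.128.0/17'
Get-AddressPlanFinding @plan
```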

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your Virtual Network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

Create a virtual network and a gateway subnet

This example creates a virtual network and a gateway subnet. If you already have a virtual network that you need to add a gateway subnet to, see To add a gateway subnet to a virtual network you have already created.

Create a resource group:

New-AzResourceGroup -Name TestRG1 -Location 'East US'

Create your virtual network.

  1. Set the variables.

    $subnet1 = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27
    $subnet2 = New-AzVirtualNetworkSubnetConfig -Name 'Frontend' -AddressPrefix 10.1.0.0/24
    
  2. Create the VNet.

    New-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1 `
    -Location 'East US' -AddressPrefix 10.1.0.0/16 -Subnet $subnet1, $subnet2
    

To add a gateway subnet to a virtual network you have already created

Use the steps in this section if you already have a virtual network, but need to add a gateway subnet.

  1. Set the variables.

    $vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
    
  2. Create the gateway subnet.

    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
    
  3. Set the configuration.

    Set-AzVirtualNetwork -VirtualNetwork $vnet
    

2. Create the local network gateway

The local network gateway (LNG) typically refers to your on-premises location. It is not the same as a virtual network gateway. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes, you can easily update the prefixes.

Use the following values:

  • The GatewayIPAddress is the IP address of your on-premises VPN device.
  • The AddressPrefix is your on-premises address space.

To add a local network gateway with a single address prefix:

New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.101.0.0/24'

To add a local network gateway with multiple address prefixes:

New-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1 `
-Location 'East US' -GatewayIpAddress '23.99.221.164' -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')

To modify IP address prefixes for your local network gateway:

Sometimes your local network gateway prefixes change. The steps you take to modify your IP address prefixes depend on whether you have created a VPN gateway connection. See the Modify IP address prefixes for a local network gateway section of this article.

3. Request a Public IP address

A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created.

VPN Gateway currently only supports Dynamic Public IP address allocation. You cannot request a Static Public IP address assignment. However, this does not mean that the IP address will change after it has been assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

Request a Public IP address that will be assigned to your virtual network VPN gateway.

$gwpip= New-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName TestRG1 -Location 'East US' -AllocationMethod Dynamic

4. Create the gateway IP addressing configuration

The gateway configuration defines the subnet (the 'GatewaySubnet') and the public IP address to use. Use the following example to create your gateway configuration:

$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

5. Create the VPN gateway

Create the virtual network VPN gateway.

Use the following values:

  • The -GatewayType for a Site-to-Site configuration is Vpn. The gateway type is always specific to the configuration that you are implementing. For example, other gateway configurations may require -GatewayType ExpressRoute.
  • The -VpnType can be RouteBased (referred to as a Dynamic Gateway in some documentation), or PolicyBased (referred to as a Static Gateway in some documentation). For more information about VPN gateway types, see About VPN Gateway.
  • Select the Gateway SKU that you want to use. There are configuration limitations for certain SKUs. For more information, see Gateway SKUs. If you get an error when creating the VPN gateway regarding the -GatewaySku, verify that you have installed the latest version of the PowerShell cmdlets.

New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location 'East US' -IpConfigurations $gwipconfig -GatewayType Vpn `
-VpnType RouteBased -GatewaySku VpnGw1

After running this command, it can take up to 45 minutes for the gateway configuration to complete.

6. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following items:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.

  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your virtual network gateway using PowerShell, use the following example. In this example, VNet1GWPIP is the name of the public IP address resource that you created in an earlier step.

    Get-AzPublicIpAddress -Name VNet1GWPIP -ResourceGroupName TestRG1
    

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

7. Create the VPN connection

Next, create the Site-to-Site VPN connection between your virtual network gateway and your VPN device. Be sure to replace the values with your own. The shared key must match the value you used for your VPN device configuration. Notice that the '-ConnectionType' for Site-to-Site is IPsec.

  1. Set the variables.

    $gateway1 = Get-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1
    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1
    
  2. Create the connection.

    New-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1 `
    -Location 'East US' -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
    -ConnectionType IPsec -RoutingWeight 10 -SharedKey 'abc123'
    

After a short while, the connection will be established.
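Step 6 recommends a more complex shared key than the 'abc123' used in the connection example. The following is an added example, not part of the original article, of one way to generate such a key from the system's cryptographic random number generator. The function names, the 32-byte default and the hex encoding are assumptions made here, and the strength figure is a rough upper bound based on key length and character classes, not a measurement.

```powershell
# Added example (not from the original article). Function names, the
# 32-byte default and hex encoding are assumptions for illustration.

function New-VpnSharedKey {
    param([ValidateRange(16, 64)][int]$ByteCount = 32)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Hex output stays within [0-9a-f], which avoids quoting and escaping
    # problems when the same value is typed into the on-premises VPN device
    -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

function Get-SharedKeyBitsUpperBound {
    # Rough upper bound: length * log2(size of the character classes used).
    # It cannot detect dictionary words or patterns, so real strength of a
    # hand-chosen key is usually far lower than this figure.
    param([string]$Key)
    $alphabet = 0
    if ($Key -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Key -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Key -match  '[0-9]')        { $alphabet += 10 }
    if ($Key -match  '[^a-zA-Z0-9]') { $alphabet += 33 }
    if ($alphabet -eq 0) { return 0 }
    [math]::Floor($Key.Length * [math]::Log($alphabet, 2))
}

$psk = New-VpnSharedKey

# Compare the article's sample key with the generated one without
# echoing the generated key to the console or a transcript
[pscustomobject]@{
    Key        = "'abc123' (article sample)"
    Length     = 6
    BitsAtMost = Get-SharedKeyBitsUpperBound 'abc123'
}
[pscustomobject]@{
    Key        = 'generated (not shown)'
    Length     = $psk.Length
    BitsAtMost = Get-SharedKeyBitsUpperBound $psk
}
```

Pass `$psk` to `-SharedKey` in the step 7 command in place of the literal, and configure the same value on the VPN device.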

8. Verify the VPN connection

There are a few different ways to verify your VPN connection.

You can verify that your connection succeeded by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
    

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      
      foreach($Nic in $Nics)
      {
      $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
      $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
      $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
      Write-Output "$($VM.Name): $Prv,$Alloc"
      }
      
  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

Troubleshoot a connection

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you are connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

To modify IP address prefixes for a local network gateway

If the IP address prefixes that you want routed to your on-premises location change, you can modify the local network gateway. When using these examples, modify the values to match your environment.

To add additional address prefixes:

  1. Set the variable for the LocalNetworkGateway.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1
    
  2. Modify the prefixes.

    Set-AzLocalNetworkGateway -LocalNetworkGateway $local `
    -AddressPrefix @('10.101.0.0/24','10.101.1.0/24','10.101.2.0/24')
    

To remove address prefixes:

Leave out the prefixes that you no longer need. In this example, we no longer need prefix 10.101.2.0/24 (from the previous example), so we update the local network gateway, excluding that prefix.

  1. Set the variable for the LocalNetworkGateway.

    $local = Get-AzLocalNetworkGateway -Name Site1 -ResourceGroupName TestRG1
    
  2. Set the gateway with the updated prefixes.

    Set-AzLocalNetworkGateway -LocalNetworkGateway $local `
    -AddressPrefix @('10.101.0.0/24','10.101.1.0/24')
    

To modify the gateway IP address for a local network gateway

If the VPN device that you want to connect to has changed its public IP address, you need to modify the local network gateway to reflect that change. When modifying this value, you can also modify the address prefixes at the same time. Be sure to use the existing name of your local network gateway in order to overwrite the current settings. If you use a different name, you create a new local network gateway, instead of overwriting the existing one.

New-AzLocalNetworkGateway -Name Site1 `
-Location "East US" -AddressPrefix @('10.101.0.0/24','10.101.1.0/24') `
-GatewayIpAddress "5.4.3.2" -ResourceGroupName TestRG1

To delete a gateway connection

If you don't know the name of your connection, you can find it by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet.

Remove-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 `
-ResourceGroupName TestRG1

Next steps