Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

This article helps you connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions and from different subscriptions. When you connect VNets from different subscriptions, the subscriptions don't need to be associated with the same Active Directory tenant.

v2v diagram

The steps in this article apply to the Azure Resource Manager deployment model and use the Azure portal. You can create this configuration with a different deployment tool or model by using options that are described in the following articles:

About connecting VNets

The following sections describe the different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection.

Site-to-Site (IPsec)

If you're working with a complicated network configuration, you may prefer to connect your VNets by using a Site-to-Site connection instead. When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. These steps allow you to specify additional address spaces for the local network gateway to route traffic. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

VNet peering

You can also connect your VNets by using VNet peering. VNet peering doesn't use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For more information, see VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks by using a VNet-to-VNet connection for the following reasons:

Cross region geo-redundancy and geo-presence

  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Traffic Manager and Azure Load Balancer, you can set up highly available workloads with geo-redundancy across multiple Azure regions. For example, you can set up SQL Server Always On availability groups across multiple Azure regions.

Regional multi-tier applications with isolation or administrative boundaries

  • Within the same region, you can set up multi-tier applications with multiple virtual networks that are connected together because of isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. These configurations let you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the following diagram:

About connections

This article shows you how to connect VNets by using the VNet-to-VNet connection type. When you follow these steps as an exercise, you can use the following example settings values. In the example, the virtual networks are in the same subscription, but in different resource groups. If your VNets are in different subscriptions, you can't create the connection in the portal. Use PowerShell or CLI instead. For more information about VNet-to-VNet connections, see VNet-to-VNet FAQ.

Example settings

Values for TestVNet1:

  • Virtual network settings

    • Name: Enter TestVNet1.
    • Address space: Enter 10.11.0.0/16.
    • Subscription: Select the subscription you want to use.
    • Resource group: Enter TestRG1.
    • Location: Select East US.
    • Subnet
      • Name: Enter FrontEnd.
      • Address range: Enter 10.11.0.0/24.
    • Gateway subnet
      • Name: GatewaySubnet is autofilled.
      • Address range: Enter 10.11.255.0/27.
    • DNS server: Select Custom and enter the IP address of your DNS server.
  • Virtual network gateway settings

    • Name: Enter TestVNet1GW.
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: Select the gateway SKU you want to use.
    • Public IP address name: Enter TestVNet1GWIP.
    • Connection
      • Name: Enter TestVNet1toTestVNet4.
      • Shared key: Enter abc123. You can create the shared key yourself. When you create the connection between the VNets, the values must match.

Values for TestVNet4:

  • Virtual network settings

    • Name: Enter TestVNet4.
    • Address space: Enter 10.41.0.0/16.
    • Subscription: Select the subscription you want to use.
    • Resource group: Enter TestRG4.
    • Location: Select West US.
    • Subnet
      • Name: Enter FrontEnd.
      • Address range: Enter 10.41.0.0/24.
    • GatewaySubnet
      • Name: GatewaySubnet is autofilled.
      • Address range: Enter 10.41.255.0/27.
    • DNS server: Select Custom and enter the IP address of your DNS server.
  • Virtual network gateway settings

    • Name: Enter TestVNet4GW.
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: Select the gateway SKU you want to use.
    • Public IP address name: Enter TestVNet4GWIP.
    • Connection
      • Name: Enter TestVNet4toTestVNet1.
      • Shared key: Enter abc123. You can create the shared key yourself. When you create the connection between the VNets, the values must match.

Create and configure TestVNet1

If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks. Your connection won't work properly if you have overlapping subnets. After your VNet is configured with the correct settings, you can begin the steps in the Specify a DNS server section.

To create a virtual network

You can create a VNet with the Resource Manager deployment model and the Azure portal by following these steps. For more information about virtual networks, see Virtual Network overview.

Note

For the VNet to connect to an on-premises location, coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with the other VNet. Plan your network configuration accordingly.

  1. Sign in to the Azure portal and select Create a resource. The New page opens.

  2. In the Search the marketplace field, enter virtual network and select Virtual network from the returned list. The Virtual network page opens.

    Locate Virtual Network resource page

  3. From the Select a deployment model list near the bottom of the page, select Resource Manager, and then select Create. The Create virtual network page opens.

    Create virtual network page

  4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red exclamation mark becomes a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Name: Enter the name for your virtual network.

    • Address space: Enter the address space. If you have multiple address spaces to add, enter your first address space here. You can add additional address spaces later, after you create the VNet.

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.

    • Resource group: Select an existing resource group, or create a new one by entering a name for your new resource group. If you're creating a new group, name the resource group according to your planned configuration values. For more information about resource groups, see Azure Resource Manager overview.

    • Location: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.

    • Subnet: Add the subnet Name and subnet Address range. You can add additional subnets later, after you create the VNet.

  5. Select Create.

Add additional address space and create subnets

You can add additional address space and create subnets once your VNet has been created.

To add additional address space

  1. To add additional address ranges to your address space, in the Settings section of your virtual network page, select Address space. The Address space page appears.

  2. Add the additional address range, and then select Save at the top of the page.

    Add address space

To create additional subnets

  1. To create subnets, in the Settings section of your virtual network page, select Subnets. The Subnets page appears.

  2. Select Subnet to open the Add subnet page. Enter the Name of your new subnet and specify the Address range.

    Subnet settings

  3. To save your changes, select OK at the bottom of the page.

Create a gateway subnet

Before creating a virtual network gateway for your virtual network, you first need to create the gateway subnet. The gateway subnet contains the IP addresses that are used by the virtual network gateway. If possible, it's best to create a gateway subnet by using a CIDR block of /28 or /27 to provide enough IP addresses to accommodate future additional configuration requirements.

If you're creating this configuration as an exercise, refer to these Example settings when creating your gateway subnet.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information about network security groups, see What is a network security group?

To create a gateway subnet

  1. In the Azure portal, select the Resource Manager virtual network for which you want to create a virtual network gateway.

  2. In the Settings section of your virtual network page, select Subnets to expand the Subnets page.

  3. On the Subnets page, select Gateway subnet to open the Add subnet page.

    Add the gateway subnet

  4. The Name for your subnet is automatically filled with the value GatewaySubnet. This value is required for Azure to recognize the subnet as the gateway subnet. Adjust the autofilled Address range values to match your configuration requirements, then select OK to create the subnet.

    Adding the subnet

Specify a DNS server (optional)

DNS isn't required for VNet-to-VNet connections. However, if you want to have name resolution for resources that are deployed to your virtual network, specify a DNS server. This setting lets you specify the DNS server that you want to use for name resolution for this virtual network. It doesn't create a DNS server.

  1. In the Settings section of your virtual network page, select DNS servers to open the DNS servers page.

  2. On the DNS servers page, fill in the following values:

    • DNS servers: Select Custom.

    • Add DNS server: Enter the IP address of the DNS server that you want to use for name resolution.

  3. When you're done adding DNS servers, select Save.

    Specify a DNS server

Create a virtual network gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. If you're creating this configuration as an exercise, see the Example settings.

To create a virtual network gateway

  1. Sign in to the Azure portal and select Create a resource. The New page opens.

  2. In the Search the marketplace field, enter virtual network gateway, and select Virtual network gateway from the search list.

  3. On the Virtual network gateway page, select Create to open the Create virtual network gateway page.

    Create virtual network gateway page fields

  4. On the Create virtual network gateway page, fill in the values for your virtual network gateway:

    • Name: Enter a name for the gateway object you're creating. This name is different than the gateway subnet name.

    • Gateway type: Select VPN for VPN gateways.

    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.

    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.

      Only select Enable active-active mode if you're creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    • Location: You may need to scroll to see Location. Set Location to the location where your virtual network is located. For example, West US. If you don't set the location to the region where your virtual network is located, it won't appear in the drop-down list when you select a virtual network.

    • Virtual network: Choose the virtual network to which you want to add this gateway. Select Virtual network to open the Choose virtual network page and select the VNet. If you don't see your VNet, make sure the Location field is set to the region in which your virtual network is located.

    • Gateway subnet address range: You'll only see this setting if you didn't previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting won't appear.

    • Public IP address: This setting specifies the public IP address object that's associated with the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The VPN gateway currently supports only Dynamic public IP address allocation. However, dynamic allocation doesn't mean that the IP address changes after it has been assigned to your VPN gateway. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

      • Leave Create new selected.

      • In the text box, enter a name for your public IP address.

    • Configure BGP ASN: Leave this setting unselected, unless your configuration specifically requires it. If you do require this setting, the default ASN is 65515, which you can change.

  5. Verify the settings and select Create to begin creating the VPN gateway. The settings are validated and you'll see the Deploying Virtual network gateway tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

  6. After you create the gateway, verify the IP address that's been assigned to it by viewing the virtual network in the portal. The gateway appears as a connected device. You can select the connected device (your virtual network gateway) to view more information.

Create and configure TestVNet4

After you've configured TestVNet1, create TestVNet4 by repeating the previous steps and replacing the values with TestVNet4 values. You don't need to wait until the virtual network gateway for TestVNet1 has finished creating before you configure TestVNet4. If you're using your own values, make sure the address spaces don't overlap with any of the VNets to which you want to connect.
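The address rules stated so far (no overlap between connected VNets, subnets inside their VNet's address space, a gateway subnet of /28 or larger) can be checked before anything is created in the portal. The following is an added example, not part of the original article or of Azure's tooling: it validates the TestVNet1/TestVNet4 example settings offline with Python's `ipaddress` module. The plan dictionary layout and the finding codes are assumptions of this example, and it assumes IPv4 ranges only.

```python
import ipaddress
from itertools import combinations

# Constructed from the example settings on this page (TestVNet1 / TestVNet4).
EXAMPLE_PLAN = {
    "TestVNet1": {
        "address_space": ["10.11.0.0/16"],
        "subnets": {"FrontEnd": "10.11.0.0/24", "GatewaySubnet": "10.11.255.0/27"},
    },
    "TestVNet4": {
        "address_space": ["10.41.0.0/16"],
        "subnets": {"FrontEnd": "10.41.0.0/24", "GatewaySubnet": "10.41.255.0/27"},
    },
}


def _parse(cidr, where, findings):
    """Parse a CIDR strictly; a range with host bits set (10.11.255.1/27) is a finding."""
    try:
        return ipaddress.ip_network(cidr)
    except ValueError as exc:
        findings.append(("bad-cidr", f"{where}: {exc}"))
        return None


def check_plan(plan):
    """Return (code, detail) findings; an empty list means the plan is consistent."""
    findings = []
    spaces_by_vnet = {}
    for vnet, cfg in plan.items():
        spaces = [_parse(c, vnet, findings) for c in cfg["address_space"]]
        spaces = [s for s in spaces if s is not None]
        spaces_by_vnet[vnet] = spaces

        subnets = {}
        for name, cidr in cfg["subnets"].items():
            net = _parse(cidr, f"{vnet}/{name}", findings)
            if net is not None:
                subnets[name] = net

        # Every subnet must sit inside one of the VNet's own address spaces.
        for name, net in subnets.items():
            if not any(net.subnet_of(space) for space in spaces):
                findings.append(("subnet-outside-space", f"{vnet}/{name} {net}"))

        # Subnets of one VNet must not overlap each other.
        for (a, net_a), (b, net_b) in combinations(subnets.items(), 2):
            if net_a.overlaps(net_b):
                findings.append(("subnet-overlap", f"{vnet}: {a} {net_a} / {b} {net_b}"))

        # The gateway subnet must exist under this exact name and be /28 or larger.
        if "GatewaySubnet" not in cfg["subnets"]:
            findings.append(("no-gateway-subnet", vnet))
        elif "GatewaySubnet" in subnets and subnets["GatewaySubnet"].prefixlen > 28:
            findings.append(("gateway-subnet-too-small", f"{vnet} {subnets['GatewaySubnet']}"))

    # Address spaces of VNets that will be connected must not overlap.
    for (a, spaces_a), (b, spaces_b) in combinations(spaces_by_vnet.items(), 2):
        for x in spaces_a:
            for y in spaces_b:
                if x.overlaps(y):
                    findings.append(("vnet-overlap", f"{a} {x} overlaps {b} {y}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_plan(EXAMPLE_PLAN):
        print(code, detail)
```

To cover on-premises sites as well, add each site's ranges to the plan as one more entry with its own address space, since the same no-overlap rule applies to them.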

Configure the TestVNet1 gateway connection

When the virtual network gateways for both TestVNet1 and TestVNet4 have completed, you can create your virtual network gateway connections. In this section, you create a connection from VNet1 to VNet4. These steps work only for VNets in the same subscription. If your VNets are in different subscriptions, you must use PowerShell to make the connection. However, if your VNets are in different resource groups in the same subscription, you can connect them by using the portal.

  1. In the Azure portal, select All resources, enter virtual network gateway in the search box, and then navigate to the virtual network gateway for your VNet. For example, TestVNet1GW. Select it to open the Virtual network gateway page.

    Connections page

  2. Under Settings, select Connections, and then select Add to open the Add connection page.

    Add connection

  3. On the Add connection page, fill in the values for your connection:

    • Name: Enter a name for your connection. For example, TestVNet1toTestVNet4.

    • Connection type: Select VNet-to-VNet from the drop-down.

    • First virtual network gateway: This field value is automatically filled in because you're creating this connection from the specified virtual network gateway.

    • Second virtual network gateway: This field is the virtual network gateway of the VNet that you want to create a connection to. Select Choose another virtual network gateway to open the Choose virtual network gateway page.

      • View the virtual network gateways that are listed on this page. Notice that only virtual network gateways that are in your subscription are listed. If you want to connect to a virtual network gateway that isn't in your subscription, use PowerShell.

      • Select the virtual network gateway to which you want to connect.

      • Shared key (PSK): In this field, enter a shared key for your connection. You can generate or create this key yourself. In a site-to-site connection, the key you use is the same for your on-premises device and your virtual network gateway connection. The concept is similar here, except that rather than connecting to a VPN device, you're connecting to another virtual network gateway.

  4. Select OK to save your changes.

Configure the TestVNet4 gateway connection

Next, create a connection from TestVNet4 to TestVNet1. In the portal, locate the virtual network gateway associated with TestVNet4. Follow the steps from the previous section, replacing the values to create a connection from TestVNet4 to TestVNet1. Make sure that you use the same shared key.
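Both connections must carry the same shared key, and the first and second gateway of one connection are the second and first gateway of the other. This added example (not from the original article) checks a pair of connection definitions for exactly that, flags low-entropy keys such as the sample value abc123, and generates a replacement from the OS random source. The dictionary fields, the finding codes, the 128-bit threshold and the alphanumeric alphabet are assumptions of the example.

```python
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: alphanumeric keys only
MIN_BITS = 128  # assumption: strength threshold chosen for this example

# Constructed from the page's example settings; both sides use the page's sample key.
EXAMPLE_PAIR = (
    {"name": "TestVNet1toTestVNet4", "type": "VNet-to-VNet",
     "first_gateway": "TestVNet1GW", "second_gateway": "TestVNet4GW",
     "shared_key": "abc123"},
    {"name": "TestVNet4toTestVNet1", "type": "VNet-to-VNet",
     "first_gateway": "TestVNet4GW", "second_gateway": "TestVNet1GW",
     "shared_key": "abc123"},
)


def generate_psk(length=64):
    """Draw a key from the OS CSPRNG (64 alphanumeric characters, about 381 bits)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimated_bits(key):
    """Rough upper bound: length * log2(size of the character classes in use)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in key))
    return len(key) * math.log2(pool) if pool else 0.0


def check_pair(a, b):
    """Return (code, detail) findings for two connection definitions.

    Findings name the connection only; key material is never echoed.
    """
    findings = []
    for conn in (a, b):
        if conn["type"] != "VNet-to-VNet":
            findings.append(("wrong-type", conn["name"]))
        if estimated_bits(conn["shared_key"]) < MIN_BITS:
            findings.append(("weak-key", conn["name"]))
    # Each side's first/second gateway must be the other side's second/first.
    if (a["first_gateway"], a["second_gateway"]) != (b["second_gateway"], b["first_gateway"]):
        findings.append(("gateways-not-mirrored", f'{a["name"]} / {b["name"]}'))
    # The tunnel only comes up when both connections hold the same key.
    if not hmac.compare_digest(a["shared_key"].encode(), b["shared_key"].encode()):
        findings.append(("key-mismatch", f'{a["name"]} / {b["name"]}'))
    return findings


def with_key(pair, key):
    """Copy of a connection pair with the same new shared key on both sides."""
    return tuple({**conn, "shared_key": key} for conn in pair)


if __name__ == "__main__":
    print(check_pair(*EXAMPLE_PAIR))                            # two weak-key findings
    print(check_pair(*with_key(EXAMPLE_PAIR, generate_psk())))  # []
```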

Verify your connections

Locate the virtual network gateway in the Azure portal. On the Virtual network gateway page, select Connections to view the Connections page for the virtual network gateway. After the connection is established, you'll see the Status values change to Succeeded and Connected. Select a connection to open the Essentials page and view more information.

Succeeded

When data begins flowing, you'll see values for Data in and Data out.

Essentials

Add additional connections

If you want to add additional connections, navigate to the virtual network gateway from which you want to create the connection, then select Connections. You can create another VNet-to-VNet connection, or create an IPsec Site-to-Site connection to an on-premises location. Be sure to adjust the Connection type to match the type of connection you want to create. Before you create additional connections, verify that the address space for your virtual network doesn't overlap with any of the address spaces you want to connect to. For steps to create a Site-to-Site connection, see Create a Site-to-Site connection.

VNet-to-VNet FAQ

View the FAQ details for additional information about VNet-to-VNet connections.

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when you use a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. For more information, see VPN Gateway pricing page. If you're connecting your VNets by using VNet peering instead of a VPN gateway, see Virtual network pricing.

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the internet.

Can I establish a VNet-to-VNet connection across Azure Active Directory (AAD) tenants?

Yes, VNet-to-VNet connections that use Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets aren't in the same subscription, do the subscriptions need to be associated with the same Active Directory tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between global Azure and Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN connection for these scenarios.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span VNets?

No. A cloud service or a load-balancing endpoint can't span across virtual networks, even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST use route-based (previously called dynamic routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Next steps

For information about how you can limit network traffic to resources in a virtual network, see Network Security.

For information about how Azure routes traffic between Azure, on-premises, and Internet resources, see Virtual network traffic routing.