Create VPN gateways for Azure Stack Hub

Before you can send network traffic between your Azure virtual network and your on-premises site, you must create a virtual network (VPN) gateway for your virtual network.

A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can use VPN gateways to send traffic securely between a virtual network in Azure Stack Hub and a virtual network in Azure. You can also send traffic securely between a virtual network and another network that is connected to a VPN device.

When you create a virtual network gateway, you specify the gateway type that you want to create. Azure Stack Hub supports one type of virtual network gateway: the Vpn type.

Each virtual network can have two virtual network gateways, but only one of each type. Depending on the settings that you choose, you can create multiple connections to a single VPN gateway. An example of this kind of setup is a multi-site connection configuration.

Before you create and configure VPN gateways for Azure Stack Hub, review the considerations for Azure Stack Hub networking to learn how configurations for Azure Stack Hub differ from Azure.

Note

In Azure, the bandwidth throughput for the VPN gateway SKU you choose must be divided across all connections that are connected to the gateway. In Azure Stack Hub, however, the bandwidth value for the VPN gateway SKU is applied to each connection resource that is connected to the gateway.

For example:

  • In Azure, the Basic VPN gateway SKU can accommodate approximately 100 Mbps of aggregate throughput. If you create two connections to that VPN gateway, and one connection is using 50 Mbps of bandwidth, then 50 Mbps is available to the other connection.
  • In Azure Stack Hub, each connection to the Basic VPN gateway SKU is allocated 100 Mbps of throughput.

Configuring a VPN gateway

A VPN gateway connection relies on several resources that are configured with specific settings. Most of these resources can be configured separately, but in some cases they must be configured in a specific order.

Settings

The settings that you choose for each resource are critical for creating a successful connection.

For information about individual resources and settings for a VPN gateway, see About VPN gateway settings for Azure Stack Hub. This article helps you understand:

  • Gateway types, VPN types, and connection types.
  • Gateway subnets, local network gateways, and other resource settings that you might want to consider.

Deployment tools

You can create and configure resources using one configuration tool, such as the Azure portal. Later, you might switch to another tool such as PowerShell to configure additional resources or modify existing resources when applicable. Currently, you cannot configure every resource and resource setting in the Azure portal. The instructions in the articles for each connection topology specify when a specific configuration tool is needed.

Connection topology diagrams

There are different configurations available for VPN gateway connections. Determine which configuration best fits your needs. In the following sections, you can view information and topology diagrams about the following VPN gateway connections:

  • Available deployment model
  • Available configuration tools
  • Links that take you directly to an article, if available

The diagrams and descriptions in the following sections can help you select a connection topology to match your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using the diagrams as a guide.

Site-to-site and multi-site (IPsec/IKE VPN tunnel)

Site-to-site

A site-to-site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv2) VPN tunnel. This type of connection requires a VPN device that is located on-premises and is assigned a public IP address. This device cannot be located behind a NAT. S2S connections can be used for cross-premises and hybrid configurations.

[Diagram: example of a site-to-site VPN connection configuration]

Multi-site

A multi-site connection is a variation of the site-to-site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a route-based VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can only have one VPN gateway, all connections through the gateway share the available bandwidth.

[Diagram: example of an Azure VPN gateway multi-site connection]

Gateway SKUs

When you create a virtual network gateway for Azure Stack Hub, you specify the gateway SKU that you want to use. The following VPN gateway SKUs are supported:

  • Basic
  • Standard
  • High Performance

When you select a higher gateway SKU, such as Standard over Basic, or High Performance over Standard or Basic, more CPUs and network bandwidth are allocated to the gateway. As a result, the gateway can support higher network throughput to the virtual network.

Azure Stack Hub does not support the Ultra Performance gateway SKU, which is used exclusively with Express Route.

Consider the following when you select the SKU:

  • Azure Stack Hub does not support policy-based gateways.
  • Border Gateway Protocol (BGP) is not supported on the Basic SKU.
  • ExpressRoute-VPN gateway coexisting configurations are not supported in Azure Stack Hub.

Gateway availability

High availability scenarios can only be configured on the High Performance Gateway connection SKU. Unlike Azure, which provides availability through both active/active and active/passive configurations, Azure Stack Hub only supports the active/passive configuration.

Failover

There are three multi-tenant gateway infrastructure VMs in Azure Stack Hub. Two of these VMs are in active mode, and the third is in redundant mode. Active VMs enable the creation of VPN connections on them, and the redundant VM only accepts VPN connections if a failover happens. If an active gateway VM becomes unavailable, the VPN connection fails over to the redundant VM after a short period (a few seconds) of connection loss.

Estimated aggregate tunnel throughput by SKU

The following table shows the gateway types and the estimated aggregate throughput for each tunnel/connection by gateway SKU:

Gateway SKU             Tunnel throughput (1)   VPN Gateway max IPsec tunnels (2)
Basic SKU (3)           100 Mbps                20
Standard SKU            100 Mbps                20
High Performance SKU    200 Mbps                10

Table notes

(1) - Tunnel throughput is not a guaranteed throughput for cross-premises connections across the internet. It is the maximum possible throughput measurement.
(2) - Max tunnels is the total per Azure Stack Hub deployment for all subscriptions.
(3) - BGP routing is not supported for the Basic SKU.

Note

Only one site-to-site VPN connection can be created between two Azure Stack Hub deployments. This is due to a limitation in the platform that only allows a single VPN connection to the same IP address. Because Azure Stack Hub uses the multi-tenant gateway, which uses a single public IP for all VPN gateways in the Azure Stack Hub system, there can be only one VPN connection between two Azure Stack Hub systems. This limitation also applies to connecting more than one site-to-site VPN connection to any VPN gateway that uses a single IP address. Azure Stack Hub does not allow more than one local network gateway resource to be created using the same IP address.
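The rules stated on this page (per-connection versus shared throughput in the earlier note, the SKU and VPN-type restrictions, active/passive availability only on High Performance, the per-deployment tunnel cap in the table, and the one-local-network-gateway-per-IP limit in the note above) can be turned into a pre-flight check that runs before any gateway resource is created. The following Python is an added example, not code from the Azure Stack Hub documentation or from Microsoft; the `GatewayPlan` and `Connection` field names, the SKU table encoding, and the 203.0.113.x sample addresses are this example's own constructions, not the Azure resource schema.

```python
"""Pre-flight check for a planned Azure Stack Hub VPN gateway topology.

Added example (not Microsoft's code). It encodes the constraints stated on
the page so a plan can be rejected before any resource is created.
"""
from dataclasses import dataclass, field

# Per-SKU figures from the page's throughput table. Throughput is the
# maximum possible per tunnel, not a guarantee across the internet, and
# the tunnel cap is the total per Azure Stack Hub deployment.
GATEWAY_SKUS = {
    "Basic":           {"tunnel_mbps": 100, "max_tunnels": 20, "bgp": False},
    "Standard":        {"tunnel_mbps": 100, "max_tunnels": 20, "bgp": True},
    "HighPerformance": {"tunnel_mbps": 200, "max_tunnels": 10, "bgp": True},
}


@dataclass
class Connection:
    """One site-to-site connection; remote_ip is the on-premises device's public IP."""
    name: str
    remote_ip: str
    enable_bgp: bool = False


@dataclass
class GatewayPlan:
    """Planned gateway. Field names are this example's own, not the ARM schema."""
    sku: str
    vpn_type: str                      # "RouteBased" or "PolicyBased"
    gateway_type: str = "Vpn"
    high_availability: bool = False    # active/passive failover wanted
    connections: list = field(default_factory=list)


def per_connection_throughput_mbps(plan, platform):
    """Bandwidth one connection can expect on the given platform.

    Azure shares the SKU figure across all connections on the gateway;
    Azure Stack Hub applies the SKU figure to each connection resource.
    """
    tunnel_mbps = GATEWAY_SKUS[plan.sku]["tunnel_mbps"]
    if platform == "AzureStackHub":
        return tunnel_mbps
    if platform == "Azure":
        return tunnel_mbps / max(len(plan.connections), 1)
    raise ValueError(f"unknown platform {platform!r}")


def validate(plan):
    """Return the list of constraint violations; an empty list means the plan passes."""
    errors = []
    if plan.gateway_type != "Vpn":
        errors.append("Azure Stack Hub supports only the Vpn gateway type")
    if plan.sku not in GATEWAY_SKUS:
        # Also covers Ultra Performance, which is ExpressRoute-only and unsupported.
        errors.append(f"unsupported gateway SKU {plan.sku!r}")
        return errors
    sku = GATEWAY_SKUS[plan.sku]

    if plan.vpn_type == "PolicyBased":
        errors.append("policy-based gateways are not supported on Azure Stack Hub")
    if len(plan.connections) > 1 and plan.vpn_type != "RouteBased":
        errors.append("multi-site connections require the RouteBased VPN type")
    if plan.high_availability and plan.sku != "HighPerformance":
        errors.append("active/passive high availability requires the HighPerformance SKU")
    if not sku["bgp"] and any(c.enable_bgp for c in plan.connections):
        errors.append(f"BGP is not supported on the {plan.sku} SKU")
    if len(plan.connections) > sku["max_tunnels"]:
        # Necessary but not sufficient: the cap applies to the whole deployment,
        # so tunnels in other subscriptions count against it as well.
        errors.append(f"{len(plan.connections)} tunnels exceeds the "
                      f"{sku['max_tunnels']} per-deployment cap")

    # Only one local network gateway may use a given IP, so a second connection
    # to the same remote address cannot be created. The same rule is why two
    # Azure Stack Hub systems, whose multi-tenant gateways each expose a single
    # public IP, can have only one S2S connection between them.
    first_user = {}
    for conn in plan.connections:
        if conn.remote_ip in first_user:
            errors.append(f"connection {conn.name!r} reuses remote IP {conn.remote_ip} "
                          f"already used by {first_user[conn.remote_ip]!r}")
        else:
            first_user[conn.remote_ip] = conn.name
    return errors


if __name__ == "__main__":
    # Constructed sample: a Basic, route-based gateway with two on-premises sites.
    plan = GatewayPlan(
        sku="Basic", vpn_type="RouteBased",
        connections=[Connection("site-a", "203.0.113.10"),
                     Connection("site-b", "203.0.113.20")],
    )
    print("violations:", validate(plan) or "none")
    for platform in ("Azure", "AzureStackHub"):
        mbps = per_connection_throughput_mbps(plan, platform)
        print(f"{platform}: {mbps:g} Mbps per connection")
```

For the sample plan the check passes, and the throughput helper reports 50 Mbps per connection on Azure but 100 Mbps per connection on Azure Stack Hub, which is the difference the note at the top of the page describes. The tunnel-cap check is deliberately labelled as necessary but not sufficient, because the page states the cap is per deployment across all subscriptions and a single plan cannot see the other subscriptions' tunnels.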

Next steps