Create a route-based VPN gateway using the Azure portal

This article helps you quickly create a route-based Azure VPN gateway using the Azure portal. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.

The steps in this article create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual network gateway). Once the gateway has been created, you can create connections. These steps require an Azure subscription. If you don't have an Azure subscription, create a Trial account before you begin.

Create a virtual network

You can create a VNet with the Resource Manager deployment model and the Azure portal by following these steps. For more information about virtual networks, see Virtual Network overview.

Note

When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that is reserved specifically for this virtual network. If the same address range exists on both sides of the VPN connection, traffic will route in unexpected ways. Likewise, if you want to connect this virtual network to another virtual network, the two address spaces must not overlap. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, services, and docs (G+/), type "virtual network".

    Locate the Virtual Network resource page

  3. Select Virtual Network from the Marketplace results.

    Select Virtual Network

  4. On the Virtual Network page, select Create.

    Virtual Network page

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure the Project details and Instance details settings for the VNet.

    Basics tab. As you fill in the fields, a green check mark appears when the value you enter has been validated. Some values are autofilled; you can replace them with your own:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes; adjust them to the settings that you require.

    IP Addresses tab

    • IPv4 address space: By default, an address space is created automatically. You can click the address space to change it to your own value, and you can add additional address spaces.
    • IPv6: If your configuration requires IPv6 address space, select the Add IPv6 address space box and enter that information.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window, configure the following settings, and then select Add:
      • Subnet name: In this example, the subnet is named "FrontEnd".
      • Subnet address range: The address range for this subnet. Don't let this subnet consume the entire VNet address space; the gateway subnet created later needs its own range inside the VNet.
  8. On the Security tab, leave the default values for now:

    • DDoS protection: Basic
    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

Configure and create the gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create; some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error stating that the address space overlaps with a subnet, or that the subnet is not contained within the address space of your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
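The two address-planning rules above (the note on non-overlapping cross-premises and VNet-to-VNet ranges, and the requirement that the gateway subnet fit inside the VNet address space without colliding with other subnets) are easy to check before you click Create. The following script is an added example written for this page; it is not code from the Azure documentation or from Microsoft. It uses only the Python standard library. The subnet name "GatewaySubnet" is the name Azure requires for the gateway subnet; all CIDR ranges in it are constructed sample values, not values from the page.

```python
"""Added example (not from the Azure documentation page): sanity-check a VNet
address plan before creating the gateway subnet and VPN gateway in the portal.

Checks performed, mirroring the warnings in the text:
  1. the VNet address space must not overlap the on-premises ranges (or a peer VNet);
  2. every subnet, including GatewaySubnet, must lie inside one VNet address space;
  3. subnets must not overlap each other;
  4. GatewaySubnet should be a /27 or /28 (the recommended sizes).
It can also propose a free /27 for GatewaySubnet when the existing subnets leave room.
All CIDR ranges below are constructed sample values.
"""
import ipaddress
from typing import Dict, List, Optional


def _nets(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    # strict=True rejects ranges with host bits set (e.g. 10.1.0.5/24), which the portal also rejects.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_plan(vnet_spaces: List[str], subnets: Dict[str, str],
               remote_ranges: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan passes every check."""
    problems: List[str] = []
    spaces = _nets(vnet_spaces)
    remotes = _nets(remote_ranges)
    named = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}

    # 1. Cross-premises / VNet-to-VNet overlap: traffic would route unexpectedly.
    for s in spaces:
        for r in remotes:
            if s.overlaps(r):
                problems.append(f"VNet space {s} overlaps remote range {r}")

    # 2. Each subnet must be contained in one of the VNet address spaces
    #    (this is the "subnet is not contained within the address space" portal error).
    for name, sub in named.items():
        if not any(sub.subnet_of(s) for s in spaces):
            problems.append(f"subnet {name} ({sub}) is not contained in the VNet address space")

    # 3. Subnets must not overlap each other (the "address space overlaps with a subnet" error).
    items = list(named.items())
    for i, (n1, s1) in enumerate(items):
        for n2, s2 in items[i + 1:]:
            if s1.overlaps(s2):
                problems.append(f"subnet {n1} ({s1}) overlaps subnet {n2} ({s2})")

    # 4. GatewaySubnet size: /27 or /28 is the recommendation on the page.
    gw = named.get("GatewaySubnet")
    if gw is None:
        problems.append("no GatewaySubnet defined")
    elif gw.prefixlen not in (27, 28):
        problems.append(f"GatewaySubnet {gw} is /{gw.prefixlen}; use a /27 or /28")
    return problems


def propose_gateway_subnet(vnet_spaces: List[str], subnets: Dict[str, str],
                           prefixlen: int = 27) -> Optional[str]:
    """Return the first free block of the requested size inside the VNet that overlaps
    no existing subnet, or None when nothing fits (e.g. the default subnet already
    spans the whole address space, the failure mode described in the text)."""
    used = _nets(list(subnets.values()))
    for space in _nets(vnet_spaces):
        if space.prefixlen > prefixlen:
            continue  # address space is smaller than the block we want
        for cand in space.subnets(new_prefix=prefixlen):
            if not any(cand.overlaps(u) for u in used):
                return str(cand)
    return None


if __name__ == "__main__":
    # Constructed sample plan: a 10.1.0.0/16 VNet with a FrontEnd subnet,
    # and an on-premises network at 192.168.0.0/16.
    vnet = ["10.1.0.0/16"]
    subs = {"FrontEnd": "10.1.0.0/24"}
    proposed = propose_gateway_subnet(vnet, subs)
    print("proposed GatewaySubnet:", proposed)
    if proposed:
        subs["GatewaySubnet"] = proposed
    print("problems:", check_plan(vnet, subs, ["192.168.0.0/16"]))
    # A default subnet that consumes the whole space leaves no room for GatewaySubnet.
    print("no room:", propose_gateway_subnet(["10.2.0.0/24"], {"default": "10.2.0.0/24"}))
```

Run `check_plan` with the VNet address spaces, every subnet you intend to create, and the on-premises (or peer VNet) ranges your network administrator gave you; any non-empty result is something the portal will either reject or silently route wrongly. `propose_gateway_subnet` only searches the address spaces you pass in, so if it returns None you must either shrink an existing subnet or add a second address space to the VNet, exactly as the text describes.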

  1. From the Azure portal menu, select Create a resource.

    Create a resource in the Azure portal

  2. In the Search the Marketplace field, type "Virtual Network Gateway". Locate Virtual network gateway in the search results and select the entry. On the Virtual network gateway page, select Create. This opens the Create virtual network gateway page.

  3. On the Basics tab, fill in the values for your virtual network gateway.

    Create virtual network gateway page fields

    • Name: Name your gateway. This is the name of the gateway object you are creating; it is not the same as the name of the gateway subnet.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Virtual network: Select the virtual network to which you want to add this gateway.

    Public IP address: This setting specifies the public IP address object that is associated with the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created; it does not change when you resize or reset the gateway, or during other internal maintenance or upgrades. This is the address your on-premises VPN device will be configured to peer with, so record it once the gateway is deployed.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Select Enable active-active mode only if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected unless your configuration specifically requires it. If you do require it, the default ASN is 65515, although this can be changed.

  4. Select Review + create to run validation. Once validation passes, select Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Note

The Basic gateway SKU does not support IKEv2 or RADIUS authentication. If you plan on having Mac clients connect to your virtual network, do not use the Basic SKU.

Important

When working with gateway subnets, avoid associating a network security group (NSG) with the gateway subnet. Associating an NSG with this subnet may cause your virtual network gateway (VPN or ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

View the VPN gateway

  1. After the gateway is created, navigate to VNet1 in the portal. The VPN gateway appears on the Overview page as a connected device.

    Connected devices

  2. In the device list, click VNet1GW to view more information.

    View the VPN gateway

Next steps

Once the gateway has finished creating, you can create a connection between your virtual network and another VNet, or a connection between your virtual network and an on-premises location.