VPN Gateway design

It's important to know that there are different configurations available for VPN gateway connections, and you need to determine which configuration best fits your needs. The sections below give design information and topology diagrams for each of the following VPN gateway connection types. Use the diagrams and descriptions to select the connection topology that matches your requirements. The diagrams show the main baseline topologies, but it's possible to build more complex configurations using them as guidelines.

Site-to-Site and Multi-Site (IPsec/IKE VPN tunnel)

Site-to-Site

A Site-to-Site (S2S) VPN gateway connection is a connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. S2S connections can be used for cross-premises and hybrid configurations. An S2S connection requires a VPN device located on-premises that has a public IP address assigned to it. For information about selecting a VPN device, see the VPN Gateway FAQ - VPN devices.

[Diagram: Azure VPN Gateway Site-to-Site connection example]

VPN Gateway can be configured in active-standby mode using one public IP, or in active-active mode using two public IPs. In active-standby mode, one IPsec tunnel is active and the other is in standby: traffic flows through the active tunnel, and if that tunnel fails, traffic switches over to the standby tunnel. Setting up VPN Gateway in active-active mode is recommended; both IPsec tunnels are then active simultaneously, with data flowing through both at the same time. An additional advantage of active-active mode is higher aggregate throughput, and the loss of either tunnel (or of the on-premises device behind it, when two devices are used) does not interrupt connectivity.

Multi-Site

This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection from your virtual network gateway, typically connecting to multiple on-premises sites. When working with multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with classic VNets). Because each virtual network can have only one VPN gateway, all connections through that gateway share its available bandwidth. This type of connection is often called a "multi-site" connection.

[Diagram: Azure VPN Gateway Multi-Site connection example]

Deployment models and methods for Site-to-Site and Multi-Site

Deployment model/method | Azure portal         | PowerShell | Azure CLI
Resource Manager        | Tutorial, Tutorial+  | Tutorial   | Tutorial
Classic                 | Tutorial**           | Tutorial+  | Not Supported

(**) denotes that this method contains steps that require PowerShell.

(+) denotes that the article is written for multi-site connections.

Point-to-Site VPN

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. A P2S connection is established by starting it from the client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful alternative to S2S VPN when you have only a few clients that need to connect to a VNet.

Unlike S2S connections, P2S connections do not require an on-premises public-facing IP address or a VPN device. P2S connections can be used alongside S2S connections on the same VPN gateway, as long as the configuration requirements of both connection types are compatible. For more information about Point-to-Site connections, see About Point-to-Site VPN.

[Diagram: Azure VPN Gateway Point-to-Site connection example]

Deployment models and methods for P2S

Azure native certificate authentication

Deployment model/method | Azure portal | PowerShell
Resource Manager        | Tutorial     | Tutorial
Classic                 | Tutorial     | Supported

RADIUS authentication

Deployment model/method | Azure portal  | PowerShell
Resource Manager        | Supported     | Tutorial
Classic                 | Not Supported | Not Supported

VNet-to-VNet connections (IPsec/IKE VPN tunnel)

Connecting a virtual network to another virtual network (VNet-to-VNet) is similar to connecting a VNet to an on-premises site. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can even combine VNet-to-VNet communication with multi-site connection configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual-network connectivity.

The VNets you connect can be:

  • in the same or different regions
  • in the same or different deployment models

[Diagram: Azure VPN Gateway VNet-to-VNet connection example]

Connections between deployment models

Azure currently has two deployment models: classic and Resource Manager. If you have been using Azure for some time, you probably have Azure VMs and instance roles running in a classic VNet, while your newer VMs and role instances may be running in a VNet created in Resource Manager. You can create a connection between the VNets to allow the resources in one VNet to communicate directly with resources in the other.

VNet peering

You may be able to use VNet peering to create your connection, as long as your virtual networks meet certain requirements. VNet peering does not use a virtual network gateway. For more information, see VNet peering.

Deployment models and methods for VNet-to-VNet

Deployment model/method                      | Azure portal | PowerShell | Azure CLI
Classic                                      | Tutorial*    | Supported  | Not Supported
Resource Manager                             | Tutorial+    | Tutorial   | Tutorial
Connections between different deployment models | Tutorial* | Tutorial   | Not Supported

(+) denotes that this deployment method is available only for VNets in the same subscription.
(*) denotes that this deployment method also requires PowerShell.

ExpressRoute (private connection)

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a colocation facility.

ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and a smaller exposure to Internet-borne threats than typical connections over the Internet. Note that a private path is not the same as an encrypted one; see the next paragraph.

An ExpressRoute connection uses a virtual network gateway as part of its required configuration. In an ExpressRoute connection, the virtual network gateway is configured with the gateway type 'ExpressRoute', rather than 'Vpn'. Traffic that travels over an ExpressRoute circuit is not encrypted by default, but it is possible to build a solution that sends encrypted traffic over an ExpressRoute circuit. For more information about ExpressRoute, see the ExpressRoute technical overview.

Site-to-Site and ExpressRoute coexisting connections

ExpressRoute is a direct, private connection from your WAN (not over the public Internet) to Microsoft services, including Azure. Site-to-Site VPN traffic travels encrypted over the public Internet. Being able to configure Site-to-Site VPN and ExpressRoute connections for the same virtual network has several advantages.

You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute, or use Site-to-Site VPNs to connect to sites that are not part of your network but that are connected through ExpressRoute. Note that this configuration requires two virtual network gateways for the same virtual network, one using the gateway type 'Vpn' and the other using the gateway type 'ExpressRoute'.
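The topology rules stated in the Site-to-Site, Multi-Site and coexistence sections above (one VPN gateway per VNet, two public IPs for active-active, a RouteBased VPN type for multi-site, and a separate 'ExpressRoute'-type gateway for S2S/ExpressRoute coexistence) can be enforced as a pre-deployment check on a template before it reaches a pipeline. The following Python is an added example, not code from the Azure documentation or the Azure SDK. It uses a simplified, ARM-like resource shape: gatewayType, vpnType, activeActive, ipConfigurations and connectionType are real ARM property names, but the nesting is flattened, and the sample template, resource names and IDs are constructed for illustration.

```python
"""Design-rule checker for the VPN Gateway topologies described above.

Added example, not Azure's own code. Walks a simplified, ARM-like resource list
(constructed below; names and IDs are illustrative) and reports violations of the
page's rules: one VPN gateway per VNet, two public IPs for active-active, RouteBased
for multi-site, and a separate 'ExpressRoute' gateway for S2S/ExpressRoute coexistence.
"""
import json

GW_TYPE = "Microsoft.Network/virtualNetworkGateways"
CONN_TYPE = "Microsoft.Network/connections"


def _gw(name, gw_type, pips, vpn_type=None, active_active=False):
    """Gateway resource in the hub VNet (constructed, simplified schema)."""
    props = {"gatewayType": gw_type, "activeActive": active_active, "vpnType": vpn_type,
             "ipConfigurations": [{"subnet": {"id": "/vnets/hub/subnets/GatewaySubnet"},
                                   "publicIPAddress": {"id": f"/pips/{p}"}} for p in pips]}
    return {"type": GW_TYPE, "name": name, "properties": props}


def _conn(name, conn_type, gw_name, peer_id):
    """Connection resource bound to gateway gw_name (constructed)."""
    return {"type": CONN_TYPE, "name": name,
            "properties": {"connectionType": conn_type, "peer": {"id": peer_id},
                           "virtualNetworkGateway1": {"id": f"/gws/{gw_name}"}}}


# Constructed sample: active-active multi-site VPN gateway (two public IPs,
# two IPsec tunnels) coexisting with an ExpressRoute gateway in the same VNet.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    _gw("vpn-gw", "Vpn", ["vpn-pip1", "vpn-pip2"], "RouteBased", True),
    _gw("er-gw", "ExpressRoute", ["er-pip"]),
    _conn("to-site-a", "IPsec", "vpn-gw", "/lngs/site-a"),
    _conn("to-site-b", "IPsec", "vpn-gw", "/lngs/site-b"),
    _conn("to-circuit", "ExpressRoute", "er-gw", "/circuits/er1"),
]})


def check_design(template_json):
    """Return (errors, warnings) for a template string."""
    res = json.loads(template_json)["resources"]
    gws = {r["name"]: r for r in res if r["type"] == GW_TYPE}
    conns = [r for r in res if r["type"] == CONN_TYPE]
    errors, warnings = [], []

    # A VNet holds at most one gateway of each type: one 'Vpn' gateway and, for
    # coexistence, a separate 'ExpressRoute' gateway. VNet comes from the GatewaySubnet id.
    seen = {}
    for name, gw in gws.items():
        p = gw["properties"]
        vnet = p["ipConfigurations"][0]["subnet"]["id"].split("/subnets/")[0]
        key = (vnet, p["gatewayType"])
        if key in seen:
            errors.append(f"{name}: VNet {vnet} already has a {key[1]} gateway ({seen[key]})")
        seen[key] = name
        if p["gatewayType"] != "Vpn":
            continue
        # Active-active needs two distinct public IPs; active-standby needs one.
        pips = {c["publicIPAddress"]["id"] for c in p["ipConfigurations"]}
        want = 2 if p.get("activeActive") else 1
        if len(pips) != want:
            errors.append(f"{name}: activeActive={p.get('activeActive')} needs {want} public IP(s), has {len(pips)}")
        # Multi-site (more than one tunnel from one gateway) requires RouteBased.
        tunnels = [c for c in conns if c["properties"]["virtualNetworkGateway1"]["id"].endswith("/" + name)]
        if len(tunnels) > 1 and p.get("vpnType") != "RouteBased":
            errors.append(f"{name}: {len(tunnels)} connections require vpnType RouteBased, found {p.get('vpnType')}")

    # Connection type must match gateway type; ExpressRoute circuit traffic is
    # not encrypted by default, so flag it for the reviewer.
    for c in conns:
        ctype = c["properties"]["connectionType"]
        gw_name = c["properties"]["virtualNetworkGateway1"]["id"].rsplit("/", 1)[-1]
        gtype = gws[gw_name]["properties"]["gatewayType"] if gw_name in gws else None
        expect = "ExpressRoute" if ctype == "ExpressRoute" else "Vpn"
        if gtype != expect:
            errors.append(f"{c['name']}: {ctype} connection needs a {expect} gateway, bound to {gw_name} ({gtype})")
        if ctype == "ExpressRoute":
            warnings.append(f"{c['name']}: ExpressRoute traffic is not encrypted by default; run IPsec over the circuit if confidentiality is required")
    return errors, warnings


def single_ip_policybased_variant(template_json):
    """Constructed negative case: active-active with one public IP, PolicyBased."""
    t = json.loads(template_json)
    gw = next(r for r in t["resources"] if r["name"] == "vpn-gw")
    gw["properties"]["ipConfigurations"].pop()
    gw["properties"]["vpnType"] = "PolicyBased"
    return json.dumps(t)


if __name__ == "__main__":
    for label, tpl in (("sample", SAMPLE_TEMPLATE), ("variant", single_ip_policybased_variant(SAMPLE_TEMPLATE))):
        errs, warns = check_design(tpl)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)", *errs, *warns, sep="\n  ")
```

Run as a script: the constructed sample passes with a single warning (the ExpressRoute circuit carries cleartext unless you add IPsec over it), and the variant with one public IP on an active-active gateway and a PolicyBased VPN type produces the two errors a reviewer would expect. The platform would reject some of these combinations at deployment time anyway; the value of a check like this is catching them in template review, and surfacing the encryption caveat, before anything is provisioned.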

[Diagram: ExpressRoute and VPN Gateway coexisting connection example]

Deployment models and methods for S2S and ExpressRoute coexistence

Deployment model/method | Azure portal  | PowerShell
Resource Manager        | Supported     | Tutorial
Classic                 | Not Supported | Tutorial

Highly available connections

For planning and design of highly available connections, see Highly available connections.

Next steps