Tutorial: Create and manage a VPN gateway using Azure portal

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You can also create a gateway using Azure CLI or Azure PowerShell.

In this tutorial, you learn how to:

  • Create a virtual network
  • Create a VPN gateway
  • View the gateway public IP address
  • Resize a VPN gateway (resize SKU)
  • Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

VNet and VPN gateway diagram

Prerequisites

An Azure account with an active subscription. If you don't have one, create a trial account.

Create a virtual network

Create a VNet using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: China East 2
  • IPv4 address space: 10.1.0.0/16
  • Subnet name: FrontEnd
  • Subnet address space: 10.1.0.0/24
  1. Sign in to the Azure portal.

  2. In Search resources, services, and docs (G+/), type virtual network.

    Locate Virtual Network resource page

  3. Select Virtual Network from the Marketplace results.

    Select virtual network

  4. On the Virtual Network page, select Create.

    Virtual network page

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure Project details and Instance details VNet settings.

    Basics tab

    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.

    IP addresses tab

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  8. On the Security tab, at this time, leave the default values:

    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

Create a VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Create a virtual network gateway using the following values:

  • Name: VNet1GW
  • Region: China East 2
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw1
  • Generation: Generation1
  • Virtual network: VNet1
  • Gateway subnet address range: 10.1.255.0/27
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip
  • Enable active-active mode: Disabled
  • Configure BGP: Disabled
  1. From the Azure portal, in Search resources, services, and docs (G+/), type virtual network gateway. Locate Virtual network gateway in the search results and select it.

    Search field

  2. On the Virtual network gateway page, select + Add. This opens the Create virtual network gateway page.

    Virtual network gateway page

  3. On the Basics tab, fill in the values for your virtual network gateway.

    Gateway fields

    Additional gateway fields

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.

    Instance details

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Generation: For information about VPN Gateway Generation, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25, etc.). We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Click Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.

    Public IP address

    This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.
    • Enable active-active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
    • Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.
  4. Select Review + create to run validation.

  5. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your Virtual Network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?
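
A preflight check for the gateway subnet range guidance and the NSG warning above, as an added example that is not part of the original tutorial. It audits a VNet description before or after deployment; the JSON field names are an assumption modeled on the virtual network object returned by Azure Resource Manager, and the sample data is constructed from the tutorial's values.

```python
import ipaddress

# Constructed sample using the tutorial's values. The field names are an
# assumption, modeled on the virtual network JSON returned by Azure Resource Manager.
SAMPLE_VNET = {
    "name": "VNet1",
    "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
    "subnets": [
        {"name": "FrontEnd", "addressPrefix": "10.1.0.0/24", "networkSecurityGroup": None},
        {"name": "GatewaySubnet", "addressPrefix": "10.1.255.0/27", "networkSecurityGroup": None},
    ],
}


def audit_gateway_subnet(vnet):
    """Return findings for the VNet's GatewaySubnet; an empty list means clean."""
    subnets = {s["name"]: s for s in vnet.get("subnets", [])}
    gw = subnets.get("GatewaySubnet")
    if gw is None:
        return ["no GatewaySubnet yet: a gateway subnet address range is still needed"]
    findings = []
    gw_net = ipaddress.ip_network(gw["addressPrefix"])
    spaces = [ipaddress.ip_network(p) for p in vnet["addressSpace"]["addressPrefixes"]]
    # Compare only within the same IP version; subnet_of() raises on mixed versions.
    if not any(sp.version == gw_net.version and gw_net.subnet_of(sp) for sp in spaces):
        findings.append(f"{gw_net} is outside the VNet address space")
    # Size guidance is applied to IPv4 ranges only (assumption: the tutorial shows IPv4).
    if gw_net.version == 4 and gw_net.prefixlen > 28:
        findings.append(f"/{gw_net.prefixlen} is smaller than /28, which is not recommended")
    elif gw_net.version == 4 and gw_net.prefixlen == 28:
        findings.append("/28 is accepted, but /27 or larger is preferred")
    for name, subnet in subnets.items():
        other = ipaddress.ip_network(subnet["addressPrefix"])
        if name != "GatewaySubnet" and other.version == gw_net.version and gw_net.overlaps(other):
            findings.append(f"{gw_net} overlaps subnet {name} ({other})")
    if gw.get("networkSecurityGroup"):
        findings.append("an NSG is associated with GatewaySubnet; the gateway may stop working")
    return findings


if __name__ == "__main__":
    for line in audit_gateway_subnet(SAMPLE_VNET) or ["GatewaySubnet layout is clean"]:
        print(line)
```
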

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.

Overview page

To see additional information about the public IP address object, click the name/IP address link next to Public IP address.

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we will resize the SKU. For more information, see Gateway settings - resizing and changing SKUs.

  1. Go to the Configuration page for your virtual network gateway.

  2. Select the arrows for the dropdown.

    Resize gateway

  3. Select the SKU from the dropdown.

    Select SKU

Reset a gateway

  1. In the portal, navigate to the virtual network gateway that you want to reset.

  2. On the page for the virtual network gateway, select Reset.

    Menu - reset gateway

  3. On the Reset page, click Reset. Once the command is issued, the current active instance of the Azure VPN gateway is rebooted immediately. Resetting the gateway will cause a gap in VPN connectivity, and may limit future root cause analysis of the issue.

    Reset gateway

Clean up resources

If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

Once you have a VPN gateway, you can configure connections. The articles below will help you create a few of the most common configurations: