About Point-to-Site VPN routing

This article helps you understand how Azure Point-to-Site (P2S) VPN routing behaves. P2S VPN routing behavior depends on the client OS, the protocol used for the VPN connection, and how the virtual networks (VNets) are connected to each other.

Azure currently supports two protocols for remote access: IKEv2 and SSTP. IKEv2 is supported on many client operating systems, including Windows, Linux, macOS, Android, and iOS. SSTP is supported only on Windows. If you change the topology of your network and have Windows VPN clients, the VPN client package for Windows must be downloaded and installed again for the changes to be applied to the client.

Note

This article applies to IKEv2 only.

About the diagrams

There are a number of different diagrams in this article. Each section shows a different topology or configuration. For the purposes of this article, Site-to-Site (S2S) and VNet-to-VNet connections behave the same way, because both are IPsec tunnels. All VPN gateways in this article are route-based.

One isolated VNet

The Point-to-Site VPN gateway connection in this example is for a VNet (VNet1) that is not connected or peered with any other virtual network. In this example, clients can access VNet1.

(Diagram: isolated VNet routing)

Address space

  • VNet1: 10.1.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1.

  • Non-Windows clients can access VNet1.

Multiple peered VNets

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is peered with VNet2. VNet2 is peered with VNet3. VNet1 is peered with VNet4. There is no direct peering between VNet1 and VNet3. VNet1 has "Allow gateway transit" enabled, and VNet2 and VNet4 have "Use remote gateways" enabled.

Windows clients can access directly peered VNets, but the VPN client package must be downloaded again if any change is made to VNet peering or the network topology. Non-Windows clients can also access directly peered VNets. Access is not transitive and is limited to directly peered VNets.

(Diagram: multiple peered VNets)

Address space

  • VNet1: 10.1.0.0/16

  • VNet2: 10.2.0.0/16

  • VNet3: 10.3.0.0/16

  • VNet4: 10.4.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1, VNet2, and VNet4, but the VPN client package must be downloaded again for any topology change to take effect.

  • Non-Windows clients can access VNet1, VNet2, and VNet4.

Multiple VNets connected using an S2S VPN

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is connected to VNet2 using a Site-to-Site VPN connection. VNet2 is connected to VNet3 using a Site-to-Site VPN connection. There is no direct peering or Site-to-Site VPN connection between VNet1 and VNet3. None of the Site-to-Site connections is running BGP for routing.

Clients using Windows, or another supported OS, can access only VNet1. Without BGP, the gateway at the far end of a Site-to-Site connection knows only VNet1's address space and has no route back to the P2S client address pool, so a client that holds a route to VNet2 still cannot complete a connection there. To access additional VNets, BGP must be used.

(Diagram: multiple VNets and S2S)

Address space

  • VNet1: 10.1.0.0/16

  • VNet2: 10.2.0.0/16

  • VNet3: 10.3.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1 only.

  • Non-Windows clients can access VNet1 only.

Multiple VNets connected using an S2S VPN (BGP)

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is connected to VNet2 using a Site-to-Site VPN connection. VNet2 is connected to VNet3 using a Site-to-Site VPN connection. There is no direct peering or Site-to-Site VPN connection between VNet1 and VNet3. All Site-to-Site connections are running BGP for routing.

Clients using Windows, or another supported OS, can access all VNets that are connected using a Site-to-Site VPN connection, but on Windows clients the routes to the connected VNets must be added manually.

(Diagram: multiple VNets and S2S with BGP)

Address space

  • VNet1: 10.1.0.0/16

  • VNet2: 10.2.0.0/16

  • VNet3: 10.3.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1, VNet2, and VNet3, but the routes to VNet2 and VNet3 must be added manually.

  • Non-Windows clients can access VNet1, VNet2, and VNet3.
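As an added example (not from this article or from Microsoft), the following Az PowerShell script applies the rules of the "Multiple peered VNets" section and the two "Multiple VNets connected using an S2S VPN" sections to an existing gateway. It prints the prefixes an IKEv2 client should receive, the ones a Windows client has to add by hand because they are BGP-learned, and the ones the topology never propagates to P2S clients (peerings without gateway transit, connections without BGP). It assumes the Az module, a signed-in session (Connect-AzAccount), and that the S2S/VNet-to-VNet connection objects live in the gateway's resource group; the resource group and gateway names are placeholders.

```powershell
# Added example, not part of the Azure documentation. Run from an admin workstation.
$ResourceGroup = 'rg-hub'      # assumption: resource group holding the gateway and its connections
$GatewayName   = 'VNet1-gw'    # assumption: the P2S gateway deployed in VNet1

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName

# The home VNet is derived from the gateway subnet's resource ID:
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/GatewaySubnet
$subnetParts  = $gw.IpConfigurations[0].Subnet.Id -split '/'
$homeVnet     = Get-AzVirtualNetwork -ResourceGroupName $subnetParts[4] -Name $subnetParts[-3]

$pushed          = [System.Collections.Generic.List[string]]::new()   # reaches non-Windows clients
$manualOnWindows = [System.Collections.Generic.List[string]]::new()   # Windows clients must add these
$notReachable    = [System.Collections.Generic.List[string]]::new()   # never propagated to P2S clients

# 1. The home VNet and the P2S client address pool are always pushed.
$homeVnet.AddressSpace.AddressPrefixes | ForEach-Object { $pushed.Add($_) }
$gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes | ForEach-Object { $pushed.Add($_) }

# 2. Directly peered VNets are pushed only when the home side allows gateway transit and the
#    remote side uses the remote gateway. Peering is not transitive: a peer of a peer is skipped.
foreach ($p in $homeVnet.VirtualNetworkPeerings) {
    $remoteParts = $p.RemoteVirtualNetwork.Id -split '/'
    $remote = Get-AzVirtualNetwork -ResourceGroupName $remoteParts[4] -Name $remoteParts[-1]
    $back   = $remote.VirtualNetworkPeerings | Where-Object { $_.RemoteVirtualNetwork.Id -eq $homeVnet.Id }
    if ($p.PeeringState -eq 'Connected' -and $p.AllowGatewayTransit -and $back.UseRemoteGateways) {
        $remote.AddressSpace.AddressPrefixes | ForEach-Object { $pushed.Add($_) }
    } else {
        $remote.AddressSpace.AddressPrefixes |
            ForEach-Object { $notReachable.Add("$_ (peering '$($p.Name)': gateway transit / use remote gateways not set on both sides)") }
    }
}

# 3. S2S and VNet-to-VNet connections: their prefixes reach clients only when the connection runs BGP.
#    Windows clients do not install BGP-learned routes automatically.
$conns = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroup |
         Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id }
foreach ($c in $conns | Where-Object { -not $_.EnableBgp }) {
    $notReachable.Add("connection '$($c.Name)' ($($c.ConnectionType)) has BGP disabled")
}
if ($conns | Where-Object EnableBgp) {
    Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $ResourceGroup -VirtualNetworkGatewayName $GatewayName |
        Where-Object { $_.Origin -ne 'Network' } |     # drop prefixes the gateway originates itself
        ForEach-Object { $_.Network } | Sort-Object -Unique |
        ForEach-Object { $pushed.Add($_); $manualOnWindows.Add($_) }
}

"Prefixes pushed to non-Windows IKEv2 clients:"
$pushed | Sort-Object -Unique
"Prefixes a Windows client must add manually (BGP-learned):"
$manualOnWindows | Sort-Object -Unique
"Not reachable from P2S clients (the topology does not propagate them):"
$notReachable
```

Run against the BGP topology of this section, the script lists 10.1.0.0/16 and 192.168.0.0/24 from step 1, nothing from step 2, and 10.2.0.0/16 and 10.3.0.0/16 from step 3 under both "pushed" and "manual on Windows", which matches the tables above. The learned-route query also surfaces prefixes you did not expect to leak toward remote-access clients, which is worth reviewing before widening BGP.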

One VNet and a branch office

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is not connected or peered with any other virtual network, but it is connected to an on-premises site (Site1) through a Site-to-Site VPN connection that is not running BGP.

Windows and non-Windows clients can access only VNet1.

(Diagram: routing with a VNet and a branch office)

Address space

  • VNet1: 10.1.0.0/16

  • Site1: 10.101.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1 only.

  • Non-Windows clients can access VNet1 only.

One VNet and a branch office (BGP)

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is not connected or peered with any other virtual network, but it is connected to an on-premises site (Site1) through a Site-to-Site VPN connection that is running BGP.

Windows clients can access the VNet and the branch office (Site1), but the routes to Site1 must be added manually on the client. Non-Windows clients can access the VNet as well as the on-premises branch office.

(Diagram: one VNet and a branch office with BGP)

Address space

  • VNet1: 10.1.0.0/16

  • Site1: 10.101.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.101.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1 and Site1, but the routes to Site1 must be added manually.

  • Non-Windows clients can access VNet1 and Site1.

Multiple VNets connected using S2S and a branch office

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is connected to VNet2 using a Site-to-Site VPN connection. VNet2 is connected to VNet3 using a Site-to-Site VPN connection. There is no direct peering or Site-to-Site VPN tunnel between VNet1 and VNet3. VNet3 is connected to a branch office (Site1) using a Site-to-Site VPN connection. None of the VPN connections is running BGP.

All clients can access VNet1 only.

(Diagram: multi-VNet S2S and branch office)

Address space

  • VNet1: 10.1.0.0/16

  • VNet2: 10.2.0.0/16

  • VNet3: 10.3.0.0/16

  • Site1: 10.101.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.101.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1 only.

  • Non-Windows clients can access VNet1 only.

Multiple VNets connected using S2S and a branch office (BGP)

In this example, the Point-to-Site VPN gateway connection is for VNet1. VNet1 is connected to VNet2 using a Site-to-Site VPN connection. VNet2 is connected to VNet3 using a Site-to-Site VPN connection. There is no direct peering or Site-to-Site VPN tunnel between VNet1 and VNet3. VNet3 is connected to a branch office (Site1) using a Site-to-Site VPN connection. All VPN connections are running BGP.

Windows clients can access the VNets and sites that are connected using Site-to-Site VPN connections, but the routes to VNet2, VNet3, and Site1 must be added manually on the client. Non-Windows clients can access those VNets and sites without any manual intervention. Access is transitive, and clients can reach resources in all connected VNets and on-premises sites.

(Diagram: multi-VNet S2S and branch office with BGP)

Address space

  • VNet1: 10.1.0.0/16

  • VNet2: 10.2.0.0/16

  • VNet3: 10.3.0.0/16

  • Site1: 10.101.0.0/16

Routes added

  • Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24

  • Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.101.0.0/16, 192.168.0.0/24

Access

  • Windows clients can access VNet1, VNet2, VNet3, and Site1, but the routes to VNet2, VNet3, and Site1 must be added manually on the client.

  • Non-Windows clients can access VNet1, VNet2, VNet3, and Site1.

Next steps

See Create a P2S VPN using the Azure portal to begin creating your P2S VPN.
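Every "(BGP)" section above makes the same point for Windows clients: the gateway learns the remote prefixes over BGP and hands them to non-Windows clients, but a Windows client has to add them itself. As an added example that is not part of this article, the following PowerShell, run in an elevated prompt on the Windows client, adds those routes to the VPN connection entry without duplicating ones already present. The connection name and the prefix list are assumptions taken from the BGP examples above; adjust them to your topology.

```powershell
# Added example, not part of the Azure documentation. Run elevated on the Windows IKEv2 client.
$ConnectionName = 'VNet1'   # assumption: name of the connection entry the Azure client package created
$BgpPrefixes    = @('10.2.0.0/16', '10.3.0.0/16', '10.101.0.0/16')   # assumption: prefixes the gateway learns via BGP

# The package may have been installed per user or for all users; look in both phonebooks.
$allUser = $false
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $conn) {
    $conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction Stop
    $allUser = $true
}

# Per-connection routes only take effect when the connection uses split tunneling,
# which is how the Azure client package configures the entry. Warn rather than change it.
if (-not $conn.SplitTunneling) {
    Write-Warning "Split tunneling is disabled on '$ConnectionName'; per-connection routes will not be installed."
}

$existing = @($conn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $BgpPrefixes) {
    if ($existing -contains $prefix) {
        "already present: $prefix"
        continue
    }
    $params = @{ ConnectionName = $ConnectionName; DestinationPrefix = $prefix; PassThru = $true }
    if ($allUser) { $params.AllUserConnection = $true }
    Add-VpnConnectionRoute @params | Select-Object DestinationPrefix
}

# Routes stored on the entry are installed in the IP routing table when the tunnel comes up.
# If the tunnel is already up, show what is in the table now; otherwise reconnect and re-run this check.
if ($conn.ConnectionStatus -eq 'Connected') {
    foreach ($prefix in $BgpPrefixes) {
        Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            Select-Object DestinationPrefix, InterfaceAlias, NextHop
    }
}
```

Adding a route on the client only steers traffic into the tunnel; the prefix is reachable only if the gateway has actually learned it over BGP (Get-AzVirtualNetworkGatewayLearnedRoute on the gateway shows what it knows) and network security groups and on-premises firewalls permit traffic from the client address pool. Because this article requires reinstalling the client package after any topology change, re-run the script afterwards to confirm the routes are still on the entry.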