Create a Site-to-Site connection using the Azure portal (classic)

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the classic deployment model and do not apply to the current deployment model, Resource Manager. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Diagram: Site-to-Site VPN gateway cross-premises connection.

Before you begin

Verify that you have met the following criteria before beginning configuration:

  • Verify that you want to work in the classic deployment model. If you want to work in the Resource Manager deployment model, see Create a Site-to-Site connection (Resource Manager). We recommend that you use the Resource Manager deployment model, as the classic model is legacy.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
  • PowerShell is required in order to specify the shared key and create the VPN gateway connection. When working with the classic deployment model, you must install the latest version of the Azure Service Management (SM) PowerShell cmdlets locally on your computer. These cmdlets are different from the AzureRM or Az cmdlets. To install the SM cmdlets, see Install Service Management cmdlets. For more information about Azure PowerShell in general, see the Azure PowerShell documentation.

Sample configuration values for this exercise

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article. Typically, when working with IP address values for Address space, you want to coordinate with your network administrator in order to avoid overlapping address spaces, which can affect routing. In this case, replace the IP address values with your own if you want to create a working connection.

  • Resource Group: TestRG1
  • VNet Name: TestVNet1
  • Address space: 10.11.0.0/16
  • Subnet name: FrontEnd
  • Subnet address range: 10.11.0.0/24
  • GatewaySubnet: 10.11.255.0/27
  • Region: China North
  • Local site name: Site2
  • Client address space: The address space that is located on your on-premises site.

Create a virtual network

When you create a virtual network to use for a S2S connection, you need to make sure that the address spaces that you specify do not overlap with any of the client address spaces for the local sites that you want to connect to. If you have overlapping subnets, your connection won't work properly.

  • If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks.

  • If you don't already have a virtual network, create one. Screenshots are provided as examples. Be sure to replace the values with your own.

To create a virtual network

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
  2. Select +Create a resource. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and select it to open the Virtual Network page.
  3. On the Virtual Network page, under the Create button, you see "Deploy with Resource Manager (change to Classic)". Resource Manager is the default for creating a VNet. You don't want to create a Resource Manager VNet. Select (change to Classic) to create a Classic VNet. Then, select the Overview tab and select Create.
  4. On the Create virtual network (classic) page, on the Basics tab, configure the VNet settings with the example values.
  5. Select Review + create to validate your VNet.
  6. Validation runs. After the VNet is validated, select Create.

DNS settings are not a required part of this configuration, but DNS is necessary if you want name resolution between your VMs. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to.

After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, select DNS servers, and add the IP address of the DNS server that you want to use for name resolution.

  1. Locate the virtual network in the portal.
  2. On the page for your virtual network, under the Settings section, select DNS servers.
  3. Add a DNS server.
  4. To save your settings, select Save at the top of the page.

Configure the site and gateway

To configure the site

The local site typically refers to your on-premises location. It contains the IP address of the VPN device to which you will create a connection, and the IP address ranges that will be routed through the VPN gateway to the VPN device.

  1. On the page for your VNet, under Settings, select Site-to-site connections.

  2. On the Site-to-site connections page, select + Add.

  3. On the Configure a VPN connection and gateway page, for Connection type, leave Site-to-site selected. For this exercise, you will need to use a combination of the example values and your own values.

    • VPN gateway IP address: This is the public IP address of the VPN device for your on-premises network. The VPN device requires an IPv4 public IP address. Specify a valid public IP address for the VPN device to which you want to connect. It must be reachable by Azure. If you don't know the IP address of your VPN device, you can always put in a placeholder value (as long as it is in the format of a valid public IP address) and then change it later.

    • Client Address space: List the IP address ranges that you want routed to the local on-premises network through this gateway. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks your virtual network connects to, or with the address ranges of the virtual network itself.

  4. At the bottom of the page, DO NOT select Review + create. Instead, select Next: Gateway>.
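The overlap rule in "Create a virtual network" and the two value rules above (a public IPv4 address for the VPN device, client address spaces that overlap neither the VNet nor each other) are easy to get wrong by hand, and a bad value only shows up later as a connection that never comes up. The following pre-flight check is an added example, not code from the original article or from the Azure cmdlets. It uses the article's sample VNet values (10.11.0.0/16, FrontEnd 10.11.0.0/24, GatewaySubnet 10.11.255.0/27); the on-premises range 192.168.1.0/24 and the device addresses fed to it are constructed. It also applies the GatewaySubnet sizing guidance from the next section (/27 or /28 recommended, /29 is the smallest that can be created).

```python
"""Pre-flight checks for the values entered on the Site-to-Site configuration page.

Added example (not part of the original article). Values: the article's sample
VNet plus a constructed on-premises client address space and device address.
"""
import ipaddress
from typing import List


def check_vpn_device_ip(addr: str) -> List[str]:
    """Return problems with the on-premises VPN device address.

    The classic gateway needs an IPv4 address that is reachable from Azure, so
    private, loopback, link-local and other reserved ranges are rejected.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IP address"]
    if ip.version != 4:
        return [f"{addr} is not IPv4; the classic gateway requires an IPv4 address"]
    if not ip.is_global:
        return [f"{addr} is not a public (globally routable) IPv4 address"]
    return []


def check_address_spaces(vnet_space: str, vnet_subnets: List[str],
                         client_spaces: List[str]) -> List[str]:
    """Return overlap problems between the VNet and the client address spaces."""
    problems = []
    vnet = ipaddress.ip_network(vnet_space)
    subnets = [ipaddress.ip_network(s) for s in vnet_subnets]
    clients = [ipaddress.ip_network(c) for c in client_spaces]

    # Every VNet subnet (FrontEnd, GatewaySubnet, ...) must lie inside the VNet.
    for s in subnets:
        if not s.subnet_of(vnet):
            problems.append(f"subnet {s} is outside the VNet address space {vnet}")
    # VNet subnets must not overlap one another.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VNet subnets {a} and {b} overlap")
    # On-premises ranges must not overlap the VNet itself ...
    for c in clients:
        if c.overlaps(vnet):
            problems.append(f"client address space {c} overlaps the VNet {vnet}")
    # ... nor each other.
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            if a.overlaps(b):
                problems.append(f"client address spaces {a} and {b} overlap")
    return problems


def check_gateway_subnet(gateway_subnet: str) -> List[str]:
    """Apply the sizing guidance: /27 or /28 recommended, /29 is the minimum."""
    net = ipaddress.ip_network(gateway_subnet)
    if net.prefixlen > 29:
        return [f"GatewaySubnet {net} is smaller than /29 and cannot be created"]
    if net.prefixlen == 29:
        return [f"GatewaySubnet {net} is /29; /27 or /28 is recommended"]
    return []


def validate_site(device_ip: str, vnet_space: str, vnet_subnets: List[str],
                  gateway_subnet: str, client_spaces: List[str]) -> List[str]:
    """Run all checks and return the combined list of problems (empty = OK)."""
    return (check_vpn_device_ip(device_ip)
            + check_address_spaces(vnet_space, vnet_subnets + [gateway_subnet], client_spaces)
            + check_gateway_subnet(gateway_subnet))


if __name__ == "__main__":
    # Constructed sample input: a private device address is used deliberately so
    # that the run shows what a rejected value looks like.
    for p in validate_site("10.11.0.5", "10.11.0.0/16", ["10.11.0.0/24"],
                           "10.11.255.0/27", ["192.168.1.0/24"]):
        print("problem:", p)
```

Note that Python's `is_global` treats the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as non-public, so a placeholder entered before the real device address is known must be in the format of a genuinely public address, as the article says.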

To configure the virtual network gateway

  1. On the Gateway page, select the following values:

    • Size: This is the gateway SKU that you use to create your virtual network gateway. Classic VPN gateways use the old (legacy) gateway SKUs. For more information about the legacy gateway SKUs, see Working with virtual network gateway SKUs (old SKUs). You can select Standard for this exercise.

    • Routing type: Select the routing type for your gateway. This is also known as the VPN type. It's important to select the correct type because you cannot convert the gateway from one type to another. Your VPN device must be compatible with the routing type you select. For more information about Routing Type, see About VPN Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic' corresponds to 'RouteBased', and 'Static' corresponds to 'PolicyBased'. Typically, you want Dynamic routing.

    • Gateway subnet: The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you use /27 or /28. This creates a larger subnet that includes more addresses. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.

  2. Select Review + create at the bottom of the page to validate your settings. Select Create to deploy. It can take up to 45 minutes to create a virtual network gateway, depending on the gateway SKU that you selected.

Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

Retrieve values

When you create classic VNets in the Azure portal, the name that you view is not the full name that you use for PowerShell. For example, a VNet that appears to be named TestVNet1 in the portal may have a much longer name in the network configuration file. For a VNet in the resource group "ClassicRG", the name might look something like: Group ClassicRG TestVNet1. When you create your connections, it's important to use the values that you see in the network configuration file.

In the following steps, you will connect to your Azure account and download and view the network configuration file to obtain the values that are required for your connections.

  1. Download and install the latest version of the Azure Service Management (SM) PowerShell cmdlets. Most people have the Resource Manager modules installed locally, but do not have Service Management modules. Service Management modules are legacy and must be installed separately. For more information, see Install Service Management cmdlets.

  2. Open your PowerShell console with elevated rights and connect to your account. You must run these commands locally using the PowerShell Service Management module. Use the following example to help you connect:

    Add-AzureAccount -Environment AzureChinaCloud

  3. Check the subscriptions for the account.

    Get-AzureSubscription

  4. If you have more than one subscription, select the subscription that you want to use.

    Select-AzureSubscription -SubscriptionId "Replace_with_your_subscription_ID"

  5. Create a directory on your computer. For example, C:\AzureVNet

  6. Export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.

    Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml

  7. Open the file with a text editor and view the names for your VNets and sites. These names will be the names you use when you create your connections.
     VNet names are listed as VirtualNetworkSite name =
     Site names are listed as LocalNetworkSiteRef name =

Create the connection

Note

For the classic deployment model, this step is not available in the Azure portal. You must use the Service Management (SM) version of the Azure PowerShell cmdlets locally from your desktop.

In this step, using the values from the previous steps, you set the shared key and create the connection. The key you set must be the same key that was used in your VPN device configuration.

  1. Set the shared key and create the connection.

    • Change the -VNetName value and the -LocalNetworkSiteName value. When specifying a name that contains spaces, use single quotation marks around the value.
    • The '-SharedKey' is a value that you generate, and then specify. In the example, we used 'abc123', but you can (and should) generate something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.

    Set-AzureVNetGatewayKey -VNetName 'Group TestRG1 TestVNet1' `
    -LocalNetworkSiteName '6C74F6E6_Site2' -SharedKey abc123

  2. When the connection is created, the result is: Status: Successful.
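The two manual parts of "Retrieve values" and "Create the connection" are reading the full VirtualNetworkSite and LocalNetworkSiteRef names out of NetworkConfig.xml and then typing them, correctly quoted, into Set-AzureVNetGatewayKey with a key that is stronger than 'abc123'. The script below is an added example, not code from the article or from the Azure SM cmdlets: it parses a constructed fragment laid out like the exported network configuration file (the namespace is the one that file uses; the names are the article's sample values, and the on-premises prefix and device address are made up), generates a random pre-shared key, and prints the command line. In practice you would read the file exported in step 6 instead of the embedded sample.

```python
"""Extract VNet and local-site names from NetworkConfig.xml and build the
Set-AzureVNetGatewayKey command with a generated shared key.

Added example (not part of the original article). SAMPLE_NETWORK_CONFIG is a
constructed fragment modelled on the file Get-AzureVNetConfig -ExportToFile writes.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by the classic network configuration file.
NS = {"nc": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

SAMPLE_NETWORK_CONFIG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="6C74F6E6_Site2">
        <AddressSpace><AddressPrefix>192.168.1.0/24</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Group TestRG1 TestVNet1" Location="China North">
        <AddressSpace><AddressPrefix>10.11.0.0/16</AddressPrefix></AddressSpace>
        <Subnets>
          <Subnet name="FrontEnd"><AddressPrefix>10.11.0.0/24</AddressPrefix></Subnet>
          <Subnet name="GatewaySubnet"><AddressPrefix>10.11.255.0/27</AddressPrefix></Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="6C74F6E6_Site2"><Connection type="IPsec" /></LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"""


def site_connections(xml_text: str) -> Dict[str, List[str]]:
    """Map each full VirtualNetworkSite name to the LocalNetworkSiteRef names it connects to."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[str]] = {}
    for vnet in root.iterfind(".//nc:VirtualNetworkSite", NS):
        refs = vnet.findall(".//nc:LocalNetworkSiteRef", NS)
        result[vnet.get("name")] = [r.get("name") for r in refs]
    return result


def ps_single_quote(value: str) -> str:
    """Quote a value for PowerShell with single quotes, doubling any embedded quote.

    The full classic names contain spaces ('Group TestRG1 TestVNet1'), so they
    must be quoted exactly as the article's step 1 says.
    """
    return "'" + value.replace("'", "''") + "'"


def new_shared_key(nbytes: int = 24) -> str:
    """Generate a random pre-shared key (URL-safe, 32 characters for 24 bytes)."""
    return secrets.token_urlsafe(nbytes)


def gateway_key_command(vnet_name: str, site_name: str, shared_key: str) -> str:
    """Build the Set-AzureVNetGatewayKey command line for one VNet/site pair."""
    return (f"Set-AzureVNetGatewayKey -VNetName {ps_single_quote(vnet_name)} "
            f"-LocalNetworkSiteName {ps_single_quote(site_name)} "
            f"-SharedKey {ps_single_quote(shared_key)}")


if __name__ == "__main__":
    # Real use: xml_text = open(r"C:\AzureNet\NetworkConfig.xml", encoding="utf-8").read()
    xml_text = SAMPLE_NETWORK_CONFIG
    for vnet_name, sites in site_connections(xml_text).items():
        for site_name in sites:
            key = new_shared_key()
            print(gateway_key_command(vnet_name, site_name, key))
            print("# configure the same key on the on-premises VPN device")
```

The generated key is the one value that must be entered identically on both ends, so keep the printed command (or the key) until the on-premises device has been configured with it.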

Verify your connection

In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your classic virtual network (VNet).

  2. On the virtual network page, select the type of connection that you want to see. For example, Site-to-site connections.

    Screenshot: Local site

  3. On the Site-to-site connections page, under Name, select the site connection you want to view.

    Screenshot: Local site name

  4. On the Properties page, view the information about the connection.

If you are having trouble connecting, see the Troubleshoot section of the table of contents in the left pane.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU

For steps to change a gateway SKU, see Resize a gateway SKU.

Next steps

  • Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines.
  • For information about Forced Tunneling, see About Forced Tunneling.