Create a Site-to-Site connection using the Azure portal (classic)

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the classic deployment model and do not apply to the current deployment model, Resource Manager. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Site-to-Site VPN gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning configuration:

  • Verify that you want to work in the classic deployment model. If you want to work in the Resource Manager deployment model, see Create a Site-to-Site connection (Resource Manager). When possible, we recommend that you use the Resource Manager deployment model.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.
  • PowerShell is required in order to specify the shared key and create the VPN gateway connection. When working with the classic deployment model, you must install the latest version of the Azure Service Management (SM) PowerShell cmdlets locally on your computer. These cmdlets are different from the AzureRM or Az cmdlets. To install the SM cmdlets, see Install Service Management cmdlets. For more information about Azure PowerShell in general, see the Azure PowerShell documentation.

Sample configuration values for this exercise

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article.

  • VNet Name: TestVNet1
  • Address Space:
    • (optional for this exercise)
  • Subnets:
    • FrontEnd:
    • BackEnd: (optional for this exercise)
  • Gateway Subnet:
  • Resource Group: TestRG1
  • Location: China North
  • DNS Server: (optional for this exercise)
  • Local site name: Site2
  • Client address space: The address space that is located on your on-premises site.

1. Create a virtual network

When you create a virtual network to use for a S2S connection, you need to make sure that the address spaces that you specify do not overlap with any of the client address spaces for the local sites that you want to connect to. If you have overlapping subnets, your connection won't work properly.

  • If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks.

  • If you don't already have a virtual network, create one. Screenshots are provided as examples. Be sure to replace the values with your own.
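The overlap rule above can be checked mechanically before anything is created in the portal. The following PowerShell is an added example, not part of this article and not an Azure-supplied tool: it converts each IPv4 prefix to an integer, compares every VNet prefix (address spaces, subnets, gateway subnet) against every on-premises client range, and reports each pair that overlaps. The address ranges in it are constructed for illustration and are not the article's sample values.

```powershell
# Added example, not from the article: detect overlap between the VNet address
# spaces and the on-premises client address ranges before creating the local site.

function ConvertTo-AddressInt64 {
    # Dotted-quad IPv4 string -> Int64 so bit operations never sign-extend.
    param([Parameter(Mandatory)][string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Ip" }
    return (([int64]$bytes[0] -shl 24) -bor ([int64]$bytes[1] -shl 16) -bor ([int64]$bytes[2] -shl 8) -bor [int64]$bytes[3])
}

function Test-CidrOverlap {
    # Two prefixes overlap exactly when they agree on the bits of the shorter prefix.
    param([Parameter(Mandatory)][string]$CidrA, [Parameter(Mandatory)][string]$CidrB)
    $partsA = $CidrA -split '/'
    $partsB = $CidrB -split '/'
    if ($partsA.Count -ne 2 -or $partsB.Count -ne 2) { throw "CIDR notation expected: '$CidrA', '$CidrB'" }
    $lenA = [int]$partsA[1]
    $lenB = [int]$partsB[1]
    if ($lenA -lt 0 -or $lenA -gt 32 -or $lenB -lt 0 -or $lenB -gt 32) { throw "Prefix length must be 0-32: '$CidrA', '$CidrB'" }
    $shorter = [math]::Min($lenA, $lenB)
    # Mask with the top $shorter bits set; computed with Pow so no hex-literal sign issues arise.
    $mask = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $shorter))
    $a = (ConvertTo-AddressInt64 $partsA[0]) -band $mask
    $b = (ConvertTo-AddressInt64 $partsB[0]) -band $mask
    return ($a -eq $b)
}

function Find-AddressSpaceConflict {
    # Compares every VNet prefix (address spaces, subnets, gateway subnet) with every client prefix.
    param([Parameter(Mandatory)][string[]]$VNetPrefixes, [Parameter(Mandatory)][string[]]$ClientPrefixes)
    foreach ($v in $VNetPrefixes) {
        foreach ($c in $ClientPrefixes) {
            if (Test-CidrOverlap -CidrA $v -CidrB $c) {
                [pscustomobject]@{ VNetPrefix = $v; ClientPrefix = $c }
            }
        }
    }
}

# Constructed sample input: a VNet with two address spaces and a local site whose
# first client range sits inside the VNet's 10.11.0.0/16. Not the article's values.
$vnetPrefixes   = @('10.11.0.0/16', '172.16.0.0/12')
$clientPrefixes = @('10.11.5.0/24', '192.168.10.0/24')

$conflicts = @(Find-AddressSpaceConflict -VNetPrefixes $vnetPrefixes -ClientPrefixes $clientPrefixes)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    Write-Warning 'Overlapping ranges found; renumber before creating the local site or traffic will not route correctly.'
} else {
    'No overlap between the VNet and the on-premises client address space.'
}
```

Run it with the real VNet prefixes (including the gateway subnet) and the client address space you intend to enter on the Local site page; with the constructed values it reports the 10.11.5.0/24 range as a conflict with 10.11.0.0/16, which is exactly the situation the article warns will stop the connection from working.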

To create a virtual network

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.

  2. Click +Create a resource. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and click to open the Virtual Network page.

  3. Click (change to Classic), and then click Create.

  4. On the Create virtual network (classic) page, configure the VNet settings. On this page, you add your first address space and a single subnet address range. After you create the VNet, you can go back and add additional subnets and address spaces.

    Create virtual network page

  5. Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.

  6. Click Resource group and either select an existing resource group, or create a new one by typing a name. For more information about resource groups, visit Azure Resource Manager Overview.

  7. Next, select the Location settings for your VNet. The location determines where the resources that you deploy to this VNet will reside.

  8. Click Create to create your VNet.

  9. After clicking 'Create', a tile appears on the dashboard that reflects the progress of your VNet. The tile changes as the VNet is being created.

2. Add additional address space

After you create your virtual network, you can add additional address space. Adding additional address space is not a required part of a S2S configuration, but if you require multiple address spaces, use the following steps:

  1. Locate the virtual network in the portal.
  2. On the page for your virtual network, under the Settings section, click Address space.
  3. On the Address space page, click +Add and enter additional address space.

3. Specify a DNS server

DNS settings are not a required part of a S2S configuration, but DNS is necessary if you want name resolution. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to. For the example settings, we used a private IP address. The IP address we use is probably not the IP address of your DNS server. Be sure to use your own values.

After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, click DNS servers, and add the IP address of the DNS server that you want to use for name resolution.

  1. Locate the virtual network in the portal.
  2. On the page for your virtual network, under the Settings section, click DNS servers.
  3. Add a DNS server.
  4. To save your settings, click Save at the top of the page.

4. Configure the local site

The local site typically refers to your on-premises location. It contains the IP address of the VPN device to which you will create a connection, and the IP address ranges that will be routed through the VPN gateway to the VPN device.

  1. On the page for your VNet, under Settings, click Diagram.

  2. On the VPN connections page, click You don't have any existing VPN connections. Click here to get started.

  3. For Connection type, leave Site-to-site selected.

  4. Click Local site - Configure required settings to open the Local site page. Configure the settings, and then click OK to save the settings.

    • Name: Create a name for your local site to make it easy for you to identify.
    • VPN gateway IP address: This is the public IP address of the VPN device for your on-premises network. The VPN device requires an IPv4 public IP address. Specify a valid public IP address for the VPN device to which you want to connect. It must be reachable by Azure. If you don't know the IP address of your VPN device, you can always put in a placeholder value (as long as it is in the format of a valid public IP address) and then change it later.
    • Client Address space: List the IP address ranges that you want routed to the local on-premises network through this gateway. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks your virtual network connects to, or with the address ranges of the virtual network itself.

    Local site

Click OK to close the Local site page. Do not click OK to close the New VPN Connection page.

5. Configure the gateway subnet

You must create a gateway subnet for your VPN gateway. The gateway subnet contains the IP addresses that the VPN gateway services use.

  1. On the New VPN Connection page, select the checkbox Create gateway immediately. The 'Optional gateway configuration' page appears. If you don't select the checkbox, you won't see the page to configure the gateway subnet.

    Gateway configuration - Subnet, size, routing type

  2. To open the Gateway configuration page, click Optional gateway configuration - Subnet, size, and routing type.

  3. On the Gateway Configuration page, click Subnet - Configure required settings to open the Add subnet page. When you are finished configuring these settings, click OK.

    Gateway configuration - gateway subnet

  4. On the Add subnet page, add the gateway subnet. The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you use /27 or /28. This creates a larger subnet that includes more addresses. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.

    Add gateway subnet

6. Specify the SKU and VPN type

  1. Select the gateway Size. This is the gateway SKU that you use to create your virtual network gateway. Classic VPN gateways use the old (legacy) gateway SKUs. For more information about the legacy gateway SKUs, see Working with virtual network gateway SKUs (old SKUs).

    Select SKU and VPN type

  2. Select the Routing Type for your gateway. This is also known as the VPN type. It's important to select the correct type because you cannot convert the gateway from one type to another. Your VPN device must be compatible with the routing type you select. For more information about Routing Type, see About VPN Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic' corresponds to 'RouteBased', and 'Static' corresponds to 'PolicyBased'.

  3. Click OK to save the settings.

  4. On the New VPN Connection page, click OK at the bottom of the page to begin deploying your virtual network gateway. Depending on the SKU you select, it can take up to 45 minutes to create a virtual network gateway.

7. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

8. Create the connection

In this step, you set the shared key and create the connection. The key you set must be the same key that was used in your VPN device configuration.

Currently, this step is not available in the Azure portal. You must use the Service Management (SM) version of the Azure PowerShell cmdlets. See Before you begin for information about installing these cmdlets.

Step 1. Connect to your Azure account

You must run these commands locally using the PowerShell service management module.

  1. Open your PowerShell console with elevated rights. To switch to service management, use this command:

    azure config mode asm
  2. Connect to your account. Use the following example to help you connect:

    Add-AzureAccount -Environment AzureChinaCloud
  3. Check the subscriptions for the account.

  4. If you have more than one subscription, select the subscription that you want to use.

    Select-AzureSubscription -SubscriptionId "Replace_with_your_subscription_ID"

Step 2. Set the shared key and create the connection

When you create a classic VNet in the portal (not using PowerShell), Azure adds the resource group name to the short name. For example, according to Azure, the name of the VNet that you created for this exercise is "Group TestRG1 TestVNet1", not "TestVNet1". PowerShell requires the full name of the virtual network, not the short name that appears in the portal. The long name is not visible in the portal. The following steps help you export the network configuration file to obtain the exact values for the virtual network name.

  1. Create a directory on your computer and then export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.

    Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
  2. Open the network configuration file with an XML editor and check the values for 'LocalNetworkSite name' and 'VirtualNetworkSite name'. Modify the example for this exercise to reflect the values in the XML. When specifying a name that contains spaces, use single quotation marks around the value.

  3. Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. In the example, we used 'abc123', but you can (and should) generate and use something more complex. The important thing is that the value you specify here must be the same value that you specified when configuring your VPN device.

    Set-AzureVNetGatewayKey -VNetName 'Group TestRG1 TestVNet1' `
    -LocalNetworkSiteName 'D1BFC9CB_Site2' -SharedKey abc123

    When the connection is created, the result is: Status: Successful.
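As an added example (not the article's own code and not an Azure-supplied script), the following PowerShell automates the part of Step 2 that is easy to get wrong: it reads the exported network configuration file, extracts the exact VirtualNetworkSite and LocalNetworkSite names, generates a random shared key instead of a guessable one such as 'abc123', and passes both to Set-AzureVNetGatewayKey. It assumes the Azure Service Management module is installed and Add-AzureAccount has already been run. The element and attribute names used to parse the XML follow the classic network configuration schema as understood by the author of this example, and the embedded sample XML (including the 203.0.113.10 device address and the 10.11.0.0/16 and 192.168.10.0/24 prefixes) is constructed and is used only when C:\AzureNet\NetworkConfig.xml is not present.

```powershell
# Added example, not from the article. Reads the exported classic network
# configuration, pulls the exact site names, generates a random shared key and
# applies it with Set-AzureVNetGatewayKey (Azure SM module, already signed in).

$configPath = 'C:\AzureNet\NetworkConfig.xml'   # path used in the article's Step 2

# Constructed sample export, used only when the real file is absent. The element
# names follow the classic network configuration schema (assumption of this example).
$sampleXml = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="D1BFC9CB_Site2">
        <AddressSpace><AddressPrefix>192.168.10.0/24</AddressPrefix></AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Group TestRG1 TestVNet1" Location="China North">
        <AddressSpace><AddressPrefix>10.11.0.0/16</AddressPrefix></AddressSpace>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

function Get-S2SSiteNames {
    # Returns the VirtualNetworkSite and LocalNetworkSite names found in the export.
    param([Parameter(Mandatory)][string]$XmlText)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    # GetElementsByTagName matches on element name regardless of the default namespace
    $vnets = @($doc.GetElementsByTagName('VirtualNetworkSite') | ForEach-Object { $_.GetAttribute('name') })
    $sites = @($doc.GetElementsByTagName('LocalNetworkSite')   | ForEach-Object { $_.GetAttribute('name') })
    [pscustomobject]@{ VirtualNetworkSites = $vnets; LocalNetworkSites = $sites }
}

function New-SharedKey {
    # 32 random bytes from the OS CSPRNG, hex-encoded so every VPN device accepts the characters.
    param([int]$ByteCount = 32)
    $buffer = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buffer) } finally { $rng.Dispose() }
    return (($buffer | ForEach-Object { $_.ToString('x2') }) -join '')
}

$xmlText = if (Test-Path $configPath) { Get-Content -Path $configPath -Raw } else { $sampleXml }
$names = Get-S2SSiteNames -XmlText $xmlText

if ($names.VirtualNetworkSites.Count -ne 1 -or $names.LocalNetworkSites.Count -ne 1) {
    throw "Expected one VNet and one local site, found $($names.VirtualNetworkSites.Count) and $($names.LocalNetworkSites.Count); pick the right names by hand."
}
$vnetName  = $names.VirtualNetworkSites[0]
$siteName  = $names.LocalNetworkSites[0]
$sharedKey = New-SharedKey

# Copy $sharedKey into the VPN device configuration; both ends must hold the same value.
if (Get-Command Set-AzureVNetGatewayKey -ErrorAction SilentlyContinue) {
    Set-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $siteName -SharedKey $sharedKey
} else {
    Write-Warning "Azure SM module not loaded; would set the key for VNet '$vnetName', local site '$siteName'."
}
```

Taking the names from the export rather than retyping them avoids the "Group TestRG1 TestVNet1" versus "TestVNet1" mismatch the article describes, and drawing the key from the OS random number generator gives a value that cannot be guessed the way a short placeholder key can. The key is kept in the $sharedKey variable rather than written to the console so that it does not end up in transcript or terminal logs.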

9. Verify your connection

In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal, click All resources and navigate to your classic virtual network.

  2. On the virtual network blade, click Overview to access the VPN connections section of the blade.

  3. On the VPN connections graphic, click the site.

    Local site

  4. On the Site-to-site VPN connections blade, view the information about your site.

    Connection status

  5. To view more information about the connection, click the name of the connection to open the Site-to-site VPN Connection blade.

    Connection status - more

If you are having trouble connecting, see the Troubleshoot section of the table of contents in the left pane.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU

For the steps to change a gateway SKU, see Resize a gateway SKU.

Next steps

  • Once your connection is complete, you can add virtual machines to your virtual networks. For more information, see Virtual Machines.
  • For information about Forced Tunneling, see About Forced Tunneling.