Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Diagram: Site-to-Site VPN gateway cross-premises connection


Verify that you have met the following criteria before beginning your configuration:

  • An Azure account with an active subscription. If you don't have one, create a trial account.
  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Create a virtual network

Create a virtual network (VNet) using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: China North
  • IPv4 address space:
  • Subnet name: FrontEnd
  • Subnet address space:


When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, services, and docs (G+/), type virtual network.

    Locate Virtual Network resource page

  3. Select Virtual Network from the Marketplace results.

    Select virtual network

  4. On the Virtual Network page, select Create.

    Virtual network page

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure the Project details and Instance details VNet settings.

    Basics tab

    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.

    IP addresses tab

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  8. On the Security tab, at this time, leave the default values:

    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

Create a VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

About the gateway subnet

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
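The two portal validation errors described above, together with the earlier requirement that no on-premises prefix overlaps the VNet, can be checked before anything is deployed. This is an added example, not code from the article or from Azure; the address ranges in it are constructed sample values, and the same overlap check applies to the address space you give the local network gateway later on.

```python
from ipaddress import ip_network

# The article recommends a /27 or /28 gateway subnet and advises against anything smaller.
MAX_GATEWAY_PREFIXLEN = 28


def check_gateway_subnet(vnet_spaces, existing_subnets, gateway_subnet):
    """Return the problems the portal would report for this gateway subnet (empty list = OK).

    Reproduces the two validation errors the article describes: the gateway subnet
    must be contained in one of the VNet address spaces, and it must not overlap a
    subnet that already exists (for example a default subnet that took the whole range).
    """
    problems = []
    gw = ip_network(gateway_subnet)          # strict by default: rejects host bits set
    spaces = [ip_network(s) for s in vnet_spaces]
    if not any(gw.subnet_of(s) for s in spaces):
        problems.append(f"gateway subnet {gw} is not contained in the VNet address space")
    for sn in (ip_network(s) for s in existing_subnets):
        if gw.overlaps(sn):
            problems.append(f"gateway subnet {gw} overlaps existing subnet {sn}")
    if gw.prefixlen > MAX_GATEWAY_PREFIXLEN:
        problems.append(f"gateway subnet {gw} is smaller than /{MAX_GATEWAY_PREFIXLEN}")
    return problems


def check_on_premises_prefixes(vnet_spaces, on_prem_prefixes):
    """Flag on-premises prefixes that overlap the VNet; Azure would route them unpredictably."""
    problems = []
    for p in (ip_network(x) for x in on_prem_prefixes):
        for s in (ip_network(x) for x in vnet_spaces):
            if p.overlaps(s):
                problems.append(f"on-premises prefix {p} overlaps VNet address space {s}")
    return problems


def free_gateway_subnets(vnet_spaces, existing_subnets, prefixlen=27):
    """List the /prefixlen blocks inside the VNet that no existing subnet touches.

    Use this to pick a GatewaySubnet range, or to see that the VNet is full and an
    extra address space is needed (the article's second remedy).
    """
    used = [ip_network(s) for s in existing_subnets]
    candidates = []
    for s in (ip_network(x) for x in vnet_spaces):
        if s.prefixlen > prefixlen:       # address space is smaller than the block we want
            continue
        for c in s.subnets(new_prefix=prefixlen):
            if not any(c.overlaps(u) for u in used):
                candidates.append(str(c))
    return candidates


if __name__ == "__main__":
    # Constructed sample plan (not the article's values): a /24 VNet whose default
    # subnet consumed the whole range, so the gateway subnet has nowhere to go.
    vnet = ["10.1.0.0/24"]
    subnets = ["10.1.0.0/24"]
    for msg in check_gateway_subnet(vnet, subnets, "10.1.0.0/27"):
        print("ERROR:", msg)
    print("free /27 blocks:", free_gateway_subnets(vnet, subnets) or "none; add an address space")
    # The same plan after applying the article's remedy of adding a second address space.
    vnet.append("10.2.0.0/27")
    print("after adding 10.2.0.0/27:", check_gateway_subnet(vnet, subnets, "10.2.0.0/27") or "OK")
    print(check_on_premises_prefixes(vnet, ["192.168.1.0/24", "10.1.0.0/16"]))
```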

Create the gateway

Create a VPN gateway using the following values:

  • Name: VNet1GW
  • Region: China North
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw1
  • Virtual network: VNet1
  • Gateway subnet address range:
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip
  • Enable active-active mode: Disabled
  • Configure BGP: Disabled
  1. From the Azure portal, in Search resources, services, and docs (G+/), type virtual network gateway. Locate Virtual network gateway in the search results and select it.

  2. On the Virtual network gateway page, select + Add. This opens the Create virtual network gateway page.

  3. On the Basics tab, fill in the values for your virtual network gateway.

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.

    Instance details

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. If possible, make the range /27 or larger (/26, /25, etc.). We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Click Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.

    Public IP address

    This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.
    • Enable active-active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
    • Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.
  4. Select Review + create to run validation.

  5. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

Create a local network gateway

The local network gateway is a specific object that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Create a local network gateway using the following values:

  • Name: Site1
  • Resource Group: TestRG1
  • Location: China North
  1. From the Azure portal, in Search resources, services, and docs (G+/), type local network gateway. Locate Local network gateway under Marketplace in the search results and select it. This opens the Create local network gateway page.

  2. On the Create local network gateway page, specify the values for your local network gateway.

    Create a local network gateway with an IP address

    • Name: Specify a name for your local network gateway object.
    • Endpoint: Select the endpoint type for the on-premises VPN device: IP address or FQDN (Fully Qualified Domain Name).
      • IP address: If you have a static public IP address allocated from your Internet service provider for your VPN device, select the IP address option and fill in the IP address as shown in the example. This is the public IP address of the VPN device that you want Azure VPN gateway to connect to. If you don't have the IP address right now, you can use the values shown in the example, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
      • FQDN: If you have a dynamic public IP address that could change after a certain period of time, usually determined by your Internet service provider, you can use a constant DNS name with a Dynamic DNS service to point to the current public IP address of your VPN device. Your Azure VPN gateway will resolve the FQDN to determine the public IP address to connect to.
    • Address Space refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.
    • Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: The location is the same as Region in other settings. Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.


    • Azure VPN supports only one IPv4 address for each FQDN. If the domain name resolves to multiple IP addresses, Azure VPN Gateway will use the first IP address returned by the DNS servers. To eliminate the uncertainty, we recommend that your FQDN always resolve to a single IPv4 address. IPv6 is not supported.
    • Azure VPN Gateway maintains a DNS cache that is refreshed every 5 minutes. The gateway tries to resolve the FQDNs for disconnected tunnels only. Resetting the gateway will also trigger FQDN resolution.
  3. When you have finished specifying the values, select the Create button at the bottom of the page to create the local network gateway.

Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following values:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then select the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

Create a VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

Create a connection using the following values:

  • Local network gateway name: Site1
  • Connection name: VNet1toSite1
  • Shared key: For this example, we use abc123. But, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.
  1. Open the page for your virtual network gateway. You can navigate to the gateway by going to Name of your VNet -> Overview -> Connected devices -> Name of your gateway, although there are multiple other ways to navigate as well.

  2. On the page for the gateway, select Connections. At the top of the Connections page, select +Add to open the Add connection page.

  3. On the Add connection page, configure the values for your connection.

    • Name: Name your connection.
    • Connection type: Select Site-to-site (IPsec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway: Select Choose a local network gateway and select the local network gateway that you want to use.
    • Shared Key: the value here must match the value that you are using for your local on-premises VPN device. The example uses 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specify when configuring your VPN device.
    • Leave Use Azure Private IP Address unchecked.
    • Leave Enable BGP unchecked.
    • Select IKEv2.
    • The remaining values for Subscription, Resource Group, and Location are fixed.
  4. Select OK to create your connection. You'll see Creating Connection flash on the screen.

  5. You can view the connection in the Connections page of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.

Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

    Verify a VPN Gateway connection using the Azure portal

How to connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM by either looking at the properties for the VM in the Azure portal, or by using PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # All VMs in the current subscription, and every NIC that is attached to a VM
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where VirtualMachine -ne $null
      foreach($Nic in $Nics)
      {
        # Match the NIC back to its VM by resource Id, then read the private IP and its allocation method
        $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
        $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
        $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
        Write-Output "$($VM.Name): $Prv,$Alloc"
      }
  2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

Troubleshoot a connection

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.

  • Verify that you are connecting to the private IP address for the VM.

  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.

How to add an additional connection to a VPN gateway

You can add additional connections, provided that none of the address spaces overlap between connections.

  1. To add an additional connection, navigate to the VPN gateway, then select Connections to open the Connections page.
  2. Select +Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another VPN gateway), or Site-to-site.
  3. If you are connecting using Site-to-site and you have not already created a local network gateway for the site you want to connect to, you can create a new one.
  4. Specify the shared key that you want to use, then select OK to create the connection.

Next steps