Create a Site-to-Site connection in the Azure portal

This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it. For more information about VPN gateways, see About VPN gateway.

Figure: Site-to-Site VPN Gateway cross-premises connection diagram

Before you begin

Verify that you have met the following criteria before beginning your configuration:

  • Make sure you have a compatible VPN device and someone who is able to configure it. For more information about compatible VPN devices and device configuration, see About VPN Devices.
  • Verify that you have an externally facing public IPv4 address for your VPN device.
  • If you are unfamiliar with the IP address ranges located in your on-premises network configuration, you need to coordinate with someone who can provide those details for you. When you create this configuration, you must specify the IP address range prefixes that Azure will route to your on-premises location. None of the subnets of your on-premises network can overlap with the virtual network subnets that you want to connect to.

Example values

The examples in this article use the following values. You can use these values to create a test environment, or refer to them to better understand the examples in this article. For more information about VPN Gateway settings in general, see About VPN Gateway Settings.

  • Virtual network name: VNet1
  • Address Space: 10.1.0.0/16
  • Subscription: The subscription you want to use
  • Resource Group: TestRG1
  • Region: China North
  • Subnet: FrontEnd: 10.1.0.0/24, BackEnd: 10.1.1.0/24 (optional for this exercise)
  • Gateway subnet address range: 10.1.255.0/27
  • Virtual network gateway name: VNet1GW
  • Public IP address name: VNet1GWpip
  • VPN type: Route-based
  • Connection type: Site-to-site (IPsec)
  • Gateway type: VPN
  • Local network gateway name: Site1
  • Connection name: VNet1toSite1
  • Shared key: For this example, we use abc123. However, you can use whatever is compatible with your VPN hardware. The important thing is that the values match on both sides of the connection.

1. Create a virtual network

You can create a VNet with the Resource Manager deployment model and the Azure portal by following these steps. For more information about virtual networks, see Virtual Network overview.

Note

When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/), type virtual network.

  3. Select Virtual Network from the Marketplace results.

  4. On the Virtual Network page, select Create.

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure Project details and Instance details VNet settings.

    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
    • IPv6: If your configuration requires IPv6 address space, select the Add IPv6 address space box to enter that information.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  8. On the Security tab, at this time, leave the default values:

    • DDoS protection: Basic
    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

2. Create the VPN gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.

Example settings

  • Instance details > Region: China North
  • Virtual Network > Virtual network: VNet1
  • Instance details > Name: VNet1GW
  • Instance details > Gateway type: VPN
  • Instance details > VPN type: Route-based
  • Virtual Network > Gateway subnet address range: 10.1.255.0/27
  • Public IP address > Public IP address name: VNet1GWpip

  1. From the Azure portal menu, select Create a resource.

  2. In the Search the Marketplace field, type 'Virtual Network Gateway'. Locate Virtual network gateway in the search return and select the entry. On the Virtual network gateway page, select Create. This opens the Create virtual network gateway page.

  3. On the Basics tab, fill in the values for your virtual network gateway.

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Virtual network: Select the virtual network to which you want to add this gateway.

    Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.

  4. Select Review + create to run validation. Once validation passes, select Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

3. Create the local network gateway

The local network gateway typically refers to your on-premises location. You give the site a name by which Azure can refer to it, then specify the IP address of the on-premises VPN device to which you will create a connection. You also specify the IP address prefixes that will be routed through the VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on your on-premises network. If your on-premises network changes or you need to change the public IP address for the VPN device, you can easily update the values later.

Example values

  • Name: Site1
  • Resource Group: TestRG1
  • Location: China North

  1. From the Azure portal menu, select Create a resource.

  2. In the Search the marketplace field, type Local network gateway, then press Enter to search. This will return a list of results. Click Local network gateway, then click the Create button to open the Create local network gateway page.

  3. On the Create local network gateway page, specify the values for your local network gateway.

    • Name: Specify a name for your local network gateway object.
    • IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify a valid public IP address. If you don't have the IP address right now, you can use the values shown in the example, but you'll need to go back and replace your placeholder IP address with the public IP address of your VPN device. Otherwise, Azure will not be able to connect.
    • Address space: This refers to the address ranges for the network that this local network represents. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks that you want to connect to. Azure will route the address range that you specify to the on-premises VPN device IP address. Use your own values here if you want to connect to your on-premises site, not the values shown in the example.
    • Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    • Subscription: Verify that the correct subscription is showing.
    • Resource Group: Select the resource group that you want to use. You can either create a new resource group, or select one that you have already created.
    • Location: The location is the same as Region in other settings. Select the location that this object will be created in. You may want to select the same location that your VNet resides in, but you are not required to do so.
  4. When you have finished specifying the values, click the Create button at the bottom of the page to create the local network gateway.
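
The address-range rules from steps 1 to 3 (subnets inside the VNet address space, a /27 or /28 gateway subnet, no overlap with on-premises prefixes) can be checked before you touch the portal. The following Python script is an added example, not part of the original article; the on-premises prefixes and the failing plan are constructed for illustration.

```python
import ipaddress


def check_address_plan(vnet_space, subnets, gateway_subnet, onprem_prefixes):
    """Return a list of problems in a Site-to-Site address plan (empty = OK)."""
    space = [ipaddress.ip_network(p) for p in vnet_space]
    onprem = [ipaddress.ip_network(p) for p in onprem_prefixes]
    nets = {name: ipaddress.ip_network(p) for name, p in subnets.items()}
    nets["GatewaySubnet"] = ipaddress.ip_network(gateway_subnet)
    problems = []

    # Every subnet, the gateway subnet included, must lie inside the VNet
    # address space; the portal reports an error otherwise.
    for name, net in nets.items():
        if not any(net.version == s.version and net.subnet_of(s) for s in space):
            problems.append(f"{name} {net} is outside the VNet address space")

    # Subnets must not overlap each other. A default subnet that covers the
    # whole address space leaves no room for the gateway subnet.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # The article recommends a /27 or /28 gateway subnet (IPv4 plan assumed).
    gw = nets["GatewaySubnet"]
    if gw.prefixlen > 28:
        problems.append(f"GatewaySubnet {gw} is smaller than the recommended /28")

    # Prefixes routed to the on-premises VPN device must not overlap the VNet,
    # or traffic routes in an unexpected way.
    for prefix in onprem:
        for s in space:
            if prefix.overlaps(s):
                problems.append(f"on-premises prefix {prefix} overlaps VNet range {s}")
    return problems


# Example values from this article; the on-premises prefix is constructed.
GOOD_PLAN = dict(
    vnet_space=["10.1.0.0/16"],
    subnets={"FrontEnd": "10.1.0.0/24", "BackEnd": "10.1.1.0/24"},
    gateway_subnet="10.1.255.0/27",
    onprem_prefixes=["192.168.0.0/24"],
)

# Constructed failure case: the default subnet fills the whole address space,
# the gateway subnet is a /29, and an on-premises prefix sits inside the VNet.
BAD_PLAN = dict(
    vnet_space=["10.1.0.0/16"],
    subnets={"default": "10.1.0.0/16"},
    gateway_subnet="10.1.255.0/29",
    onprem_prefixes=["10.1.2.0/24"],
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        found = check_address_plan(**plan)
        print(label, "plan:", "OK" if not found else "")
        for problem in found:
            print("  -", problem)
```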

4. Configure your VPN device

Site-to-Site connections to an on-premises network require a VPN device. In this step, you configure your VPN device. When configuring your VPN device, you need the following:

  • A shared key. This is the same shared key that you specify when creating your Site-to-Site VPN connection. In our examples, we use a basic shared key. We recommend that you generate a more complex key to use.
  • The Public IP address of your virtual network gateway. You can view the public IP address by using the Azure portal, PowerShell, or CLI. To find the Public IP address of your VPN gateway using the Azure portal, navigate to Virtual network gateways, then click the name of your gateway.

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

5. Create the VPN connection

Create the Site-to-Site VPN connection between your virtual network gateway and your on-premises VPN device.

  1. Open the page for your virtual network gateway. There are multiple ways to navigate. You can navigate to the gateway by going to Name of your VNet -> Overview -> Connected devices -> Name of your gateway.

  2. On the page for the gateway, click Connections. At the top of the Connections page, click +Add to open the Add connection page.

  3. On the Add connection page, configure the values for your connection.

    • Name: Name your connection.
    • Connection type: Select Site-to-site (IPsec).
    • Virtual network gateway: The value is fixed because you are connecting from this gateway.
    • Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.
    • Shared Key: The value here must match the value that you are using for your local on-premises VPN device. The example uses 'abc123', but you can (and should) use something more complex. The important thing is that the value you specify here must be the same value that you specify when configuring your VPN device.
    • The remaining values for Subscription, Resource Group, and Location are fixed.
  4. Click OK to create your connection. You'll see Creating Connection flash on the screen.

  5. You can view the connection in the Connections page of the virtual network gateway. The Status will go from Unknown to Connecting, and then to Succeeded.
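
The shared-key guidance in sections 4 and 5 (use something more complex than abc123, and make the value identical on both sides) is shown below as an added Python example that is not part of the original article. The alphanumeric alphabet, the 32-character length and the 128-bit threshold are assumptions chosen for broad device compatibility; check what your VPN hardware accepts.

```python
import hmac
import math
import secrets
import string

# Assumptions (not values from the article): letters and digits only, so the
# key survives device CLIs and config files; 128 bits as the minimum strength.
ALPHABET = string.ascii_letters + string.digits
MIN_BITS = 128


def generate_psk(length=32):
    """Generate a random pre-shared key from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimated_bits(psk):
    """Upper bound on entropy: length * log2(size of the character classes used)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in psk):
        pool += 26
    if any(c in string.ascii_uppercase for c in psk):
        pool += 26
    if any(c in string.digits for c in psk):
        pool += 10
    if any(c in string.punctuation for c in psk):
        pool += len(string.punctuation)
    return len(psk) * math.log2(pool) if pool else 0.0


def audit_psk(psk):
    """Return the reasons a key is unsuitable; an empty list means acceptable."""
    issues = []
    # A stray newline or space from copy and paste makes the two sides differ.
    if psk != psk.strip():
        issues.append("leading or trailing whitespace")
    if any(not (0x21 <= ord(c) <= 0x7E) for c in psk.strip()):
        issues.append("contains spaces, control or non-ASCII characters")
    bits = estimated_bits(psk)
    if bits < MIN_BITS:
        issues.append(f"at most {bits:.0f} bits of entropy, below {MIN_BITS}")
    return issues


def sides_match(azure_value, device_value):
    """Constant-time comparison of the key entered in Azure and on the device."""
    return hmac.compare_digest(azure_value.encode(), device_value.encode())


if __name__ == "__main__":
    print("abc123 ->", audit_psk("abc123"))
    key = generate_psk()
    print("generated key passes audit:", audit_psk(key) == [])
    # Constructed mismatch: the device-side copy picked up a trailing newline.
    print("match with trailing newline:", sides_match(key, key + "\n"))
```

The entropy figure is an upper bound, so a key built from dictionary words scores higher than it deserves; prefer generated keys over hand-written ones.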

6. Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection. The following steps show one way to navigate to your connection and verify.

  1. In the Azure portal menu, select All resources or search for and select All resources from any page.

  2. Select to go to your virtual network gateway.

  3. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.

  4. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made a successful connection.

To connect to a virtual machine

You can connect to a VM that is deployed to your VNet by creating a Remote Desktop Connection to your VM. The best way to initially verify that you can connect to your VM is to connect by using its private IP address, rather than computer name. That way, you are testing to see if you can connect, not whether name resolution is configured properly.

  1. Locate the private IP address. You can find the private IP address of a VM in multiple ways. Below, we show the steps for the Azure portal and for PowerShell.

    • Azure portal - Locate your virtual machine in the Azure portal. View the properties for the VM. The private IP address is listed.

    • PowerShell - Use the example to view a list of VMs and private IP addresses from your resource groups. You don't need to modify this example before using it.

      # List every VM that has a network interface, with its private IP
      # address and allocation method.
      $VMs = Get-AzVM
      $Nics = Get-AzNetworkInterface | Where-Object VirtualMachine -ne $null

      foreach ($Nic in $Nics)
      {
          # Match the NIC to the VM it is attached to.
          $VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
          $Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
          $Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
          Write-Output "$($VM.Name): $Prv,$Alloc"
      }

  2. Verify that you are connected to your VNet using the VPN connection.

  3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the 'mstsc' command in PowerShell.

  4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust additional settings, then connect.

To troubleshoot an RDP connection to a VM

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.
  • For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.

How to reset a VPN gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to establish IPsec tunnels with the Azure VPN gateways. For steps, see Reset a VPN gateway.

How to change a gateway SKU (resize a gateway)

For the steps to change a gateway SKU, see Gateway SKUs.

How to add an additional connection to a VPN gateway

You can add additional connections, provided that none of the address spaces overlap between connections.

  1. To add an additional connection, navigate to the VPN gateway, then click Connections to open the Connections page.
  2. Click +Add to add your connection. Adjust the connection type to reflect either VNet-to-VNet (if connecting to another VPN gateway), or Site-to-site.
  3. If you are connecting using Site-to-site and you have not already created a local network gateway for the site you want to connect to, you can create a new one.
  4. Specify the shared key that you want to use, then click OK to create the connection.

Next steps