Configure a VNet-to-VNet VPN gateway connection using Azure CLI

This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks can be in the same region.

The steps in this article apply to the Resource Manager deployment model and use Azure CLI. You can also create this configuration using a different deployment tool or deployment model.

About connecting VNets

There are multiple ways to connect VNets. The sections below describe different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. The difference between the connection types is the way the local network gateway is configured. When you create a VNet-to-VNet connection, you do not see the local network gateway address space. It is automatically created and populated. If you update the address space for one VNet, the other VNet automatically knows to route to the updated address space. Creating a VNet-to-VNet connection is typically faster and easier than creating a Site-to-Site connection between VNets.

Connecting VNets using Site-to-Site (IPsec) steps

If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps, instead of the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic. If the address space for a VNet changes, you need to manually update the corresponding local network gateway to reflect the change. It does not automatically update.

VNet peering

You may want to consider connecting your VNets using VNet peering. VNet peering does not use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For more information, see VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks using a VNet-to-VNet connection for the following reasons:

  • Cross region geo-redundancy and geo-presence

    • You can set up your own geo-replication or synchronization with secure connectivity without going over Internet-facing endpoints.
    • With Azure Traffic Manager and Load Balancer, you can set up highly available workload with geo-redundancy across multiple Azure regions. One important example is to set up SQL Always On with Availability Groups spreading across multiple Azure regions.
  • Regional multi-tier applications with isolation or administrative boundary

    • Within the same region, you can set up multi-tier applications with multiple virtual networks connected together due to isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

Which VNet-to-VNet steps should I use?

The steps for this configuration use TestVNet1 and TestVNet4.

v2v diagram

Connect VNets that are in the same subscription

Before you begin

Before beginning, install the latest version of the CLI commands (2.0 or later). For information about installing the CLI commands, see Install the Azure CLI.

Plan your IP address ranges

In the following steps, you create two virtual networks along with their respective gateway subnets and configurations. You then create a VPN connection between the two VNets. It's important to plan the IP address ranges for your network configuration. Keep in mind that you must make sure that none of your VNet ranges or local network ranges overlap in any way. In these examples, we do not include a DNS server. If you want name resolution for your virtual networks, see Name resolution.

We use the following values in the examples:

Values for TestVNet1:

  • VNet Name: TestVNet1
  • Resource Group: TestRG1
  • Location: China North
  • TestVNet1: 10.11.0.0/16 & 10.12.0.0/16
  • FrontEnd: 10.11.0.0/24
  • BackEnd: 10.12.0.0/24
  • GatewaySubnet: 10.12.255.0/27
  • GatewayName: VNet1GW
  • Public IP: VNet1GWIP
  • VPNType: RouteBased
  • Connection(1to4): VNet1toVNet4

Values for TestVNet4:

  • VNet Name: TestVNet4
  • TestVNet2: 10.41.0.0/16 & 10.42.0.0/16
  • FrontEnd: 10.41.0.0/24
  • BackEnd: 10.42.0.0/24
  • GatewaySubnet: 10.42.255.0/27
  • Resource Group: TestRG4
  • Location: China North
  • GatewayName: VNet4GW
  • Public IP: VNet4GWIP
  • VPNType: RouteBased
  • Connection: VNet4toVNet1
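
The no-overlap rule and the gateway subnet sizing can be checked before anything is deployed. The following is an added example, not part of the original article: a POSIX shell check of the address plan above. The function names are hypothetical; the prefixes are the article's example values.

```shell
#!/bin/sh
# Added example, not from the original article: offline check of the address plan.
# Function names are hypothetical; the prefixes are the article's example values.
VNET1_PREFIXES="10.11.0.0/16 10.12.0.0/16"
VNET4_PREFIXES="10.41.0.0/16 10.42.0.0/16"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_range ADDR/LEN -> "first last" (integer bounds of the prefix)
cidr_range() (
    base=$(ip_to_int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( base & ~(size - 1) ))
    echo "$first $(( first + size - 1 ))"
)

# cidr_overlap A B -> exit 0 if the two prefixes share at least one address
cidr_overlap() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
)

# cidr_within INNER OUTER -> exit 0 if INNER lies entirely inside OUTER
cidr_within() (
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
)

# find_overlaps "PREFIXES_A" "PREFIXES_B" -> one line per overlapping pair
find_overlaps() (
    for a in $1; do
        for b in $2; do
            if cidr_overlap "$a" "$b"; then echo "$a overlaps $b"; fi
        done
    done
)

# gateway_subnet_check SUBNET "VNET_PREFIXES"
#   -> ok | ok-but-minimal | too-small | outside-vnet
gateway_subnet_check() (
    len=${1#*/}
    if [ "$len" -gt 29 ]; then echo "too-small"; exit 0; fi
    for p in $2; do
        if cidr_within "$1" "$p"; then
            # /29 works; the article recommends /28 or /27 to leave room to grow
            if [ "$len" -le 28 ]; then echo "ok"; else echo "ok-but-minimal"; fi
            exit 0
        fi
    done
    echo "outside-vnet"
)

# Report for the article's plan
overlaps=$(find_overlaps "$VNET1_PREFIXES" "$VNET4_PREFIXES")
echo "VNet1/VNet4 overlaps: ${overlaps:-none}"
echo "TestVNet1 GatewaySubnet: $(gateway_subnet_check 10.12.255.0/27 "$VNET1_PREFIXES")"
echo "TestVNet4 GatewaySubnet: $(gateway_subnet_check 10.42.255.0/27 "$VNET4_PREFIXES")"
```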

Step 1 - Connect to your subscription

  1. Sign in to your Azure subscription with the az login command and follow the on-screen directions. For more information about signing in, see Get Started with Azure CLI.

    az cloud set -n AzureChinaCloud
    az login

  2. If you have more than one Azure subscription, list the subscriptions for the account.

    az account list --all

  3. Specify the subscription that you want to use.

    az account set --subscription <replace_with_your_subscription_id>


Step 2 - Create and configure TestVNet1

  1. Create a resource group.

    az group create -n TestRG1 -l chinanorth

  2. Create TestVNet1 and the subnets for TestVNet1. This example creates a virtual network named TestVNet1 and a subnet named FrontEnd.

    az network vnet create -n TestVNet1 -g TestRG1 --address-prefix 10.11.0.0/16 -l chinanorth --subnet-name FrontEnd --subnet-prefix 10.11.0.0/24

  3. Create an additional address space for the backend subnet. Notice that in this step, we specify both the address space that we created earlier, and the additional address space that we want to add. This is because the az network vnet update command overwrites the previous settings. Make sure to specify all of the address prefixes when using this command.

    az network vnet update -n TestVNet1 --address-prefixes 10.11.0.0/16 10.12.0.0/16 -g TestRG1

  4. Create the backend subnet.

    az network vnet subnet create --vnet-name TestVNet1 -n BackEnd -g TestRG1 --address-prefix 10.12.0.0/24

  5. Create the gateway subnet. Notice that the gateway subnet is named 'GatewaySubnet'. This name is required. In this example, the gateway subnet is using a /27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at least /28 or /27. This will allow for enough addresses to accommodate possible additional configurations that you may want in the future.

    az network vnet subnet create --vnet-name TestVNet1 -n GatewaySubnet -g TestRG1 --address-prefix 10.12.255.0/27

  6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.

    az network public-ip create -n VNet1GWIP -g TestRG1 --allocation-method Dynamic

  7. Create the virtual network gateway for TestVNet1. VNet-to-VNet configurations require a RouteBased VpnType. If you run this command using the '--no-wait' parameter, you don't see any feedback or output. The '--no-wait' parameter allows the gateway to create in the background. It does not mean that the VPN gateway finishes creating immediately. Creating a gateway can often take 45 minutes or more, depending on the gateway SKU that you use.

    az network vnet-gateway create -n VNet1GW -l chinanorth --public-ip-address VNet1GWIP -g TestRG1 --vnet TestVNet1 --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased --no-wait


Step 3 - Create and configure TestVNet4

  1. Create a resource group.

    az group create -n TestRG4 -l chinanorth

  2. Create TestVNet4.

    az network vnet create -n TestVNet4 -g TestRG4 --address-prefix 10.41.0.0/16 -l chinanorth --subnet-name FrontEnd --subnet-prefix 10.41.0.0/24

  3. Create additional subnets for TestVNet4.

    az network vnet update -n TestVNet4 --address-prefixes 10.41.0.0/16 10.42.0.0/16 -g TestRG4
    az network vnet subnet create --vnet-name TestVNet4 -n BackEnd -g TestRG4 --address-prefix 10.42.0.0/24

  4. Create the gateway subnet.

    az network vnet subnet create --vnet-name TestVNet4 -n GatewaySubnet -g TestRG4 --address-prefix 10.42.255.0/27

  5. Request a Public IP address.

    az network public-ip create -n VNet4GWIP -g TestRG4 --allocation-method Dynamic

  6. Create the TestVNet4 virtual network gateway.

    az network vnet-gateway create -n VNet4GW -l chinanorth --public-ip-address VNet4GWIP -g TestRG4 --vnet TestVNet4 --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased --no-wait


Step 4 - Create the connections

You now have two VNets with VPN gateways. The next step is to create VPN gateway connections between the virtual network gateways. If you used the examples above, your VPN gateways are in different resource groups. When gateways are in different resource groups, you need to identify and specify the resource IDs for each gateway when making a connection. If your VNets are in the same resource group, you can use the second set of instructions because you don't need to specify the resource IDs.

To connect VNets that reside in different resource groups

  1. Get the Resource ID of VNet1GW from the output of the following command:

    az network vnet-gateway show -n VNet1GW -g TestRG1

    In the output, find the "id:" line. The values within the quotes are needed to create the connection in the next section. Copy these values to a text editor, such as Notepad, so that you can easily paste them when creating your connection.

    Example output:

    "activeActive": false, 
    "bgpSettings": { 
     "asn": 65515, 
     "bgpPeeringAddress": "10.12.255.30", 
     "peerWeight": 0 
    }, 
    "enableBgp": false, 
    "etag": "W/\"ecb42bc5-c176-44e1-802f-b0ce2962ac04\"", 
    "gatewayDefaultSite": null, 
    "gatewayType": "Vpn", 
    "id": "/subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW", 
    "ipConfigurations":

    Copy the values after "id": within the quotes.

    "id": "/subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"

  2. Get the Resource ID of VNet4GW and copy the values to a text editor.

    az network vnet-gateway show -n VNet4GW -g TestRG4

  3. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to TestVNet4. There is a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection takes a short while to complete.

    az network vpn-connection create -n VNet1ToVNet4 -g TestRG1 --vnet-gateway1 /subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW -l chinanorth --shared-key "aabbcc" --vnet-gateway2 /subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG4/providers/Microsoft.Network/virtualNetworkGateways/VNet4GW

  4. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to establish the connection.

    az network vpn-connection create -n VNet4ToVNet1 -g TestRG4 --vnet-gateway1 /subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG4/providers/Microsoft.Network/virtualNetworkGateways/VNet4GW -l chinanorth --shared-key "aabbcc" --vnet-gateway2 /subscriptions/d6ff83d6-713d-41f6-a025-5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW

  5. Verify your connections. See Verify your connection.

To connect VNets that reside in the same resource group

  1. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to TestVNet4. Notice the resource groups are the same in the examples. You also see a shared key referenced in the examples. You can use your own values for the shared key, however, the shared key must match for both connections. Creating a connection takes a short while to complete.

    az network vpn-connection create -n VNet1ToVNet4 -g TestRG1 --vnet-gateway1 VNet1GW -l chinanorth --shared-key "eeffgg" --vnet-gateway2 VNet4GW

  2. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to establish the connection.

    az network vpn-connection create -n VNet4ToVNet1 -g TestRG1 --vnet-gateway1 VNet4GW -l chinanorth --shared-key "eeffgg" --vnet-gateway2 VNet1GW

  3. Verify your connections. See Verify your connection.

Verify the connections

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your Virtual Network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

You can verify that your connection succeeded by using the az network vpn-connection show command. In the example, '--name' refers to the name of the connection that you want to test. When the connection is in the process of being established, its connection status shows 'Connecting'. Once the connection is established, the status changes to 'Connected'.

    az network vpn-connection show --name VNet1ToVNet4 --resource-group TestRG1
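
The following is an added example, not part of the original article, covering Step 4 (gateways in different resource groups) and the verification step. It looks up each gateway's resource ID with --query instead of copying it by hand, generates one random shared key and uses it for both connections so that they match, and polls until the status is 'Connected'. The function names and the POLL_SECONDS variable are hypothetical; the resource names are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and POLL_SECONDS
# are hypothetical; gateway, connection and resource group names are the article's.
# Usage (assumes both gateways have finished provisioning): sh <this-file> apply

# gen_shared_key -> 64 hex characters (256 bits) read from the kernel CSPRNG
gen_shared_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# gateway_id NAME RESOURCE_GROUP -> the gateway's full resource ID
gateway_id() {
    az network vnet-gateway show -n "$1" -g "$2" --query id -o tsv
}

# connect_both_ways KEY -> creates both directions with the same shared key
connect_both_ways() {
    gw1=$(gateway_id VNet1GW TestRG1) || return 1
    gw4=$(gateway_id VNet4GW TestRG4) || return 1
    az network vpn-connection create -n VNet1ToVNet4 -g TestRG1 -l chinanorth \
        --vnet-gateway1 "$gw1" --vnet-gateway2 "$gw4" --shared-key "$1" || return 1
    az network vpn-connection create -n VNet4ToVNet1 -g TestRG4 -l chinanorth \
        --vnet-gateway1 "$gw4" --vnet-gateway2 "$gw1" --shared-key "$1"
}

# wait_connected NAME RESOURCE_GROUP [TRIES] -> exit 0 once the status is Connected
wait_connected() {
    tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        status=$(az network vpn-connection show --name "$1" --resource-group "$2" \
            --query connectionStatus -o tsv) || return 1
        if [ "$status" = "Connected" ]; then return 0; fi
        echo "$1: $status" >&2
        tries=$((tries - 1))
        sleep "${POLL_SECONDS:-20}"
    done
    return 1
}

# Nothing touches Azure unless the script is invoked with the "apply" argument.
if [ "${1:-}" = "apply" ]; then
    key=$(gen_shared_key)
    connect_both_ways "$key" &&
        wait_connected VNet1ToVNet4 TestRG1 &&
        wait_connected VNet4ToVNet1 TestRG4
fi
```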

VNet-to-VNet FAQ

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when you use a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. For more information, see VPN Gateway pricing page. If you're connecting your VNets by using VNet peering instead of a VPN gateway, see Virtual network pricing.

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across Azure Active Directory (AAD) tenants?

Yes, VNet-to-VNet connections that use Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

If the VNets aren't in the same subscription, do the subscriptions need to be associated with the same Active Directory tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between global Azure and Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN connection for these scenarios.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span VNets?

No. A cloud service or a load-balancing endpoint can't span across virtual networks, even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST use route-based (previously called dynamic routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Next steps