Configure a VNet-to-VNet connection (classic)

This article helps you create a VPN gateway connection between virtual networks. The virtual networks can be in the same or different regions.

Diagram showing the classic VNet-to-VNet architecture

Note

This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and offers more options and feature compatibility than the classic deployment model. For more information about the deployment models, see Understanding deployment models.

The steps in this article apply to the classic deployment model and the Azure portal.

About VNet-to-VNet connections

Connecting a virtual network to another virtual network (VNet-to-VNet) in the classic deployment model using a VPN gateway is similar to connecting a virtual network to an on-premises site location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE.

The VNets you connect can be in different regions. You can combine VNet-to-VNet communication with multi-site configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

Diagram showing the connections

Why connect virtual networks?

You may want to connect virtual networks for the following reasons:

  • Cross region geo-redundancy and geo-presence

    • You can set up your own geo-replication or synchronization with secure connectivity without going over Internet-facing endpoints.
    • With Azure Load Balancer and Microsoft or third-party clustering technology, you can set up highly available workloads with geo-redundancy across multiple Azure regions. One important example is to set up SQL Always On with Availability Groups spreading across multiple Azure regions.
  • Regional multi-tier applications with strong isolation boundary

    • Within the same region, you can set up multi-tier applications with multiple VNets connected together with strong isolation and secure inter-tier communication.

For more information about VNet-to-VNet connections, see VNet-to-VNet considerations at the end of this article.

Prerequisites

We use the portal for most of the steps, but you must use PowerShell to create the connections between the VNets. You can't create the connections using the Azure portal because there is no way to specify the shared key in the portal. When working with the classic deployment model, you must install the latest version of the Azure Service Management (SM) PowerShell cmdlets locally on your computer. These cmdlets are different from the AzureRM or Az cmdlets. To install the SM cmdlets, see Install Service Management cmdlets. For more information about Azure PowerShell in general, see the Azure PowerShell documentation.

Planning

It's important to decide the ranges that you'll use to configure your virtual networks. For this configuration, you must make sure that none of your VNet ranges overlap with each other, or with any of the local networks that they connect to.

VNets

For this exercise, we use the following example values:

Values for TestVNet1

Name: TestVNet1
Address space: 10.11.0.0/16, 10.12.0.0/16 (optional)
Subnet name: default
Subnet address range: 10.11.0.0/24
Resource group: ClassicRG
Location: China East
GatewaySubnet: 10.11.1.0/27

Values for TestVNet4

Name: TestVNet4
Address space: 10.41.0.0/16, 10.42.0.0/16 (optional)
Subnet name: default
Subnet address range: 10.41.0.0/24
Resource group: ClassicRG
Location: China North
GatewaySubnet: 10.41.1.0/27

Connections

The following table shows an example of how you will connect your VNets. Use the ranges as a guideline only. Write down the ranges for your virtual networks. You need this information for later steps.

In this example, TestVNet1 connects to a local network site that you create named 'VNet4Local'. The settings for VNet4Local contain the address prefixes for TestVNet4. The local site for each VNet is the other VNet. The following example values are used for our configuration:

Example

Virtual Network | Address Space | Location | Connects to local network site
TestVNet1 | TestVNet1 (10.11.0.0/16) (10.12.0.0/16) | China East | SiteVNet4 (10.41.0.0/16) (10.42.0.0/16)
TestVNet4 | TestVNet4 (10.41.0.0/16) (10.42.0.0/16) | China North | SiteVNet1 (10.11.0.0/16) (10.12.0.0/16)

Create virtual networks

In this step, you create two classic virtual networks, TestVNet1 and TestVNet4. If you are using this article as an exercise, use the example values.

When creating your VNets, keep in mind the following settings:

  • Virtual Network Address Spaces - On the Virtual Network Address Spaces page, specify the address range that you want to use for your virtual network. These are the dynamic IP addresses that will be assigned to the VMs and other role instances that you deploy to this virtual network.
    The address spaces you select cannot overlap with the address spaces for any of the other VNets or on-premises locations that this VNet will connect to.

  • Location - When you create a virtual network, you associate it with an Azure location (region). For example, if you want your VMs that are deployed to your virtual network to be physically located in China North, select that location. You can't change the location associated with your virtual network after you create it.

After creating your VNets, you can add the following settings:

  • Address space - Additional address space is not required for this configuration, but you can add additional address space after creating the VNet.

  • Subnets - Additional subnets are not required for this configuration, but you might want to have your VMs in a subnet that is separate from your other role instances.

  • DNS servers - Enter the DNS server name and IP address. This setting does not create a DNS server. It allows you to specify the DNS servers that you want to use for name resolution for this virtual network.

To create a classic virtual network

  1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
  2. Select +Create a resource. In the Search the marketplace field, type 'Virtual Network'. Locate Virtual Network from the returned list and select it to open the Virtual Network page.
  3. On the Virtual Network page, under the Create button, you see "Deploy with Resource Manager (change to Classic)". Resource Manager is the default for creating a VNet. You don't want to create a Resource Manager VNet. Select (change to Classic) to create a Classic VNet. Then, select the Overview tab and select Create.
  4. On the Create virtual network (classic) page, on the Basics tab, configure the VNet settings with the example values.
  5. Select Review + create to validate your VNet.
  6. Validation runs. After the VNet is validated, select Create.

DNS settings are not a required part of this configuration, but DNS is necessary if you want name resolution between your VMs. Specifying a value does not create a new DNS server. The DNS server IP address that you specify should be a DNS server that can resolve the names for the resources you are connecting to.

After you create your virtual network, you can add the IP address of a DNS server to handle name resolution. Open the settings for your virtual network, select DNS servers, and add the IP address of the DNS server that you want to use for name resolution.

  1. Locate the virtual network in the portal.
  2. On the page for your virtual network, under the Settings section, select DNS servers.
  3. Add a DNS server.
  4. To save your settings, select Save at the top of the page.

Configure sites and gateways

Azure uses the settings specified in each local network site to determine how to route traffic between the VNets. Each VNet must point to the respective local network that you want to route traffic to. You determine the name you want to use to refer to each local network site. It's best to use something descriptive.

For example, TestVNet1 connects to a local network site that you create named 'VNet4Local'. The settings for VNet4Local contain the address prefixes for TestVNet4.

Keep in mind, the local site for each VNet is the other VNet.

Virtual Network | Address Space | Location | Connects to local network site
TestVNet1 | TestVNet1 (10.11.0.0/16) (10.12.0.0/16) | China East | SiteVNet4 (10.41.0.0/16) (10.42.0.0/16)
TestVNet4 | TestVNet4 (10.41.0.0/16) (10.42.0.0/16) | China North | SiteVNet1 (10.11.0.0/16) (10.12.0.0/16)

To configure a site

The local site typically refers to your on-premises location. It contains the IP address of the VPN device to which you will create a connection, and the IP address ranges that will be routed through the VPN gateway to the VPN device.

  1. On the page for your VNet, under Settings, select Site-to-site connections.

  2. On the Site-to-site connections page, select + Add.

  3. On the Configure a VPN connection and gateway page, for Connection type, leave Site-to-site selected.

    • VPN gateway IP address: This is the public IP address of the VPN device for your on-premises network. For this exercise, you can put in a dummy address because you do not yet have the IP address for the VPN gateway for the other site. For example, 5.4.3.2. Later, once you have configured the gateway for the other VNet, you can adjust this value.

    • Client Address space: List the IP address ranges that you want routed to the other VNet through this gateway. You can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with ranges of other networks your virtual network connects to, or with the address ranges of the virtual network itself.

  4. At the bottom of the page, DO NOT select Review + create. Instead, select Next: Gateway >.

To configure a virtual network gateway

  1. On the Gateway page, select the following values:

    • Size: This is the gateway SKU that you use to create your virtual network gateway. Classic VPN gateways use the old (legacy) gateway SKUs. For more information about the legacy gateway SKUs, see Working with virtual network gateway SKUs (old SKUs). You can select Standard for this exercise.

    • Routing type: Select the routing type for your gateway. This is also known as the VPN type. It's important to select the correct type because you cannot convert the gateway from one type to another. Your VPN device must be compatible with the routing type you select. For more information about Routing Type, see About VPN Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic' corresponds to 'RouteBased', and 'Static' corresponds to 'PolicyBased'. For this configuration, select Dynamic.

    • Gateway subnet: The size of the gateway subnet that you specify depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway subnet as small as /29, we recommend that you use /27 or /28. This creates a larger subnet that includes more addresses. Using a larger gateway subnet allows for enough IP addresses to accommodate possible future configurations.

  2. Select Review + create at the bottom of the page to validate your settings. Select Create to deploy. It can take up to 45 minutes to create a virtual network gateway, depending on the gateway SKU that you selected.

  3. You can proceed to the next step while this gateway is being created.

Configure TestVNet4 settings

Repeat the steps for Create a site and gateway to configure TestVNet4, substituting the values when necessary. If you are doing this as an exercise, use the example values.

Update local sites

After your virtual network gateways have been created for both VNets, you must adjust the local site properties for VPN gateway IP address.

VNet name | Connected site | Gateway IP address
TestVNet1 | VNet4Local | VPN gateway IP address for TestVNet4
TestVNet4 | VNet1Local | VPN gateway IP address for TestVNet1

Part 1 - Get the virtual network gateway public IP address

  1. Navigate to your VNet by going to the Resource group and selecting the virtual network.
  2. On the page for your virtual network, in the Essentials pane on the right, locate the Gateway IP address and copy it to the clipboard.

Part 2 - Modify the local site properties

  1. Under Site-to-site connections, select the connection. For example, SiteVNet4.
  2. On the Properties page for the Site-to-site connection, select Edit local site.
  3. In the VPN gateway IP address field, paste the VPN gateway IP address you copied in the previous section.
  4. Select OK.
  5. The field is updated in the system. You can also use this method to add additional IP addresses that you want to route to this site.

Part 3 - Repeat steps for the other VNet

Repeat the steps for TestVNet4.

Retrieve configuration values

When you create classic VNets in the Azure portal, the name that you view is not the full name that you use for PowerShell. For example, a VNet that appears to be named TestVNet1 in the portal may have a much longer name in the network configuration file. For a VNet in the resource group "ClassicRG", the name might look something like: Group ClassicRG TestVNet1. When you create your connections, it's important to use the values that you see in the network configuration file.

In the following steps, you will connect to your Azure account and download and view the network configuration file to obtain the values that are required for your connections.

  1. Download and install the latest version of the Azure Service Management (SM) PowerShell cmdlets. Most people have the Resource Manager modules installed locally, but do not have Service Management modules. Service Management modules are legacy and must be installed separately. For more information, see Install Service Management cmdlets.

  2. Open your PowerShell console with elevated rights and connect to your account. You must run these commands locally using the PowerShell Service Management module. Use the following example to help you connect:

    Add-AzureAccount -Environment AzureChinaCloud
    
  3. Check the subscriptions for the account.

    Get-AzureSubscription
    
  4. If you have more than one subscription, select the subscription that you want to use.

    Select-AzureSubscription -SubscriptionId "Replace_with_your_subscription_ID"
    
  5. Create a directory on your computer. For example, C:\AzureNet

  6. Export the network configuration file to the directory. In this example, the network configuration file is exported to C:\AzureNet.

    Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml
    
  7. Open the file with a text editor and view the names for your VNets and sites. These names will be the names you use when you create your connections.
    VNet names are listed as VirtualNetworkSite name =
    Site names are listed as LocalNetworkSiteRef name =
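
The name lookup in step 7 and the no-overlap rule from the Planning section can be checked together against the exported file. This is an added example, not part of the original article: the function names are hypothetical, the sample XML is constructed, and its LocalNetworkSite and AddressSpace/AddressPrefix layout is an assumption about the netcfg file (only VirtualNetworkSite and LocalNetworkSiteRef are named on this page).

```powershell
# Constructed sample in the assumed netcfg layout. For a real check, replace it
# with: [xml]$config = Get-Content C:\AzureNet\NetworkConfig.xml
[xml]$config = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <LocalNetworkSites>
      <LocalNetworkSite name="VNet4Local">
        <AddressSpace><AddressPrefix>10.41.0.0/16</AddressPrefix></AddressSpace>
      </LocalNetworkSite>
      <LocalNetworkSite name="VNet1Local">
        <AddressSpace><AddressPrefix>10.11.0.0/16</AddressPrefix></AddressSpace>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="Group ClassicRG TestVNet1" Location="China East">
        <AddressSpace><AddressPrefix>10.11.0.0/16</AddressPrefix></AddressSpace>
        <Gateway><ConnectionsToLocalNetwork>
          <LocalNetworkSiteRef name="VNet4Local" />
        </ConnectionsToLocalNetwork></Gateway>
      </VirtualNetworkSite>
      <VirtualNetworkSite name="Group ClassicRG TestVNet4" Location="China North">
        <AddressSpace><AddressPrefix>10.41.0.0/16</AddressPrefix></AddressSpace>
        <Gateway><ConnectionsToLocalNetwork>
          <LocalNetworkSiteRef name="VNet1Local" />
        </ConnectionsToLocalNetwork></Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@

# Turn "10.11.0.0/16" into the first and last address of the block, as integers.
function ConvertTo-CidrRange([string]$Cidr) {
    $address, $prefixLength = $Cidr -split '/'
    [long]$value = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($address).GetAddressBytes()) { $value = $value * 256 + $octet }
    [long]$size  = [math]::Pow(2, 32 - [int]$prefixLength)
    [long]$first = $value - ($value % $size)
    [pscustomobject]@{ Cidr = $Cidr; First = $first; Last = $first + $size - 1 }
}

# Address prefixes listed directly under a site element, ignoring the XML namespace.
function Get-AddressRange($Node) {
    $xpath = "./*[local-name()='AddressSpace']/*[local-name()='AddressPrefix']"
    foreach ($p in $Node.SelectNodes($xpath)) { ConvertTo-CidrRange $p.InnerText.Trim() }
}

# One row per connection to create: the exact names to pass to PowerShell, plus
# any overlap between the VNet's address space and the local site it points at.
function Get-VNetConnectionPlan([xml]$Config) {
    $sites = @{}
    foreach ($s in $Config.SelectNodes("//*[local-name()='LocalNetworkSite']")) {
        $sites[$s.GetAttribute('name')] = @(Get-AddressRange $s)
    }
    foreach ($v in $Config.SelectNodes("//*[local-name()='VirtualNetworkSite']")) {
        $vnetRanges = @(Get-AddressRange $v)
        foreach ($ref in $v.SelectNodes(".//*[local-name()='LocalNetworkSiteRef']")) {
            $siteName = $ref.GetAttribute('name')
            $overlaps = @(foreach ($a in $vnetRanges) {
                foreach ($b in $sites[$siteName]) {
                    if ($a.First -le $b.Last -and $b.First -le $a.Last) { "$($a.Cidr) <-> $($b.Cidr)" }
                }
            })
            [pscustomobject]@{
                VNetName             = $v.GetAttribute('name')
                LocalNetworkSiteName = $siteName
                Overlaps             = $overlaps
            }
        }
    }
}

Get-VNetConnectionPlan $config | Format-Table -AutoSize
```

An empty Overlaps column means the VNet's address space and the site it connects to are disjoint; any entry there names the two clashing prefixes.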

Create connections

When all the previous steps have been completed, you can set the IPsec/IKE pre-shared keys and create the connection. This set of steps uses PowerShell. VNet-to-VNet connections for the classic deployment model cannot be configured in the Azure portal because the shared key cannot be specified in the portal.

In the examples, notice that the shared key is exactly the same. The shared key must always match. Be sure to replace the values in these examples with the exact names for your VNets and Local Network Sites.

  1. Create the TestVNet1 to TestVNet4 connection. Make sure to change the values.

    Set-AzureVNetGatewayKey -VNetName 'Group ClassicRG TestVNet1' `
    -LocalNetworkSiteName 'value for _VNet4Local' -SharedKey A1b2C3D4
    
  2. Create the TestVNet4 to TestVNet1 connection.

    Set-AzureVNetGatewayKey -VNetName 'Group ClassicRG TestVNet4' `
    -LocalNetworkSiteName 'value for _VNet1Local' -SharedKey A1b2C3D4
    
  3. Wait for the connections to initialize. Once the gateway has initialized, the Status is 'Successful'.

    Error          :
    HttpStatusCode : OK
    Id             :
    Status         : Successful
    RequestId      :
    StatusCode     : OK
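
Added example, not from the original article: instead of typing a literal key twice, generate one random value and apply it to both directions so the two sides always match. New-PreSharedKey is a hypothetical helper, and the 32-byte length and hex encoding are assumptions. The loop needs the Service Management module and a signed-in session, and checks the Status field shown in the output above.

```powershell
# Hypothetical helper: a random key from the OS CSPRNG, hex-encoded so it
# contains only 0-9 and A-F (assumed here to be acceptable key characters).
function New-PreSharedKey([int]$ByteCount = 32) {
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $_.ToString('X2') })
}

# Both directions of one VNet-to-VNet link. Replace the names with the exact
# values from your network configuration file.
$link = @(
    @{ VNetName = 'Group ClassicRG TestVNet1'; LocalNetworkSiteName = 'value for _VNet4Local' },
    @{ VNetName = 'Group ClassicRG TestVNet4'; LocalNetworkSiteName = 'value for _VNet1Local' }
)

# One key, generated once, set on both sides; stop at the first failure.
$key = New-PreSharedKey
foreach ($side in $link) {
    $result = Set-AzureVNetGatewayKey @side -SharedKey $key
    if ($result.Status -ne 'Successful') {
        throw "Setting the key for $($side.VNetName) returned status '$($result.Status)'"
    }
}

# Do not leave the key in the session once both sides are configured.
Remove-Variable key
```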
    

FAQ and considerations

These considerations apply to classic virtual networks and classic virtual network gateways.

  • The virtual networks can be in the same or different Azure regions (locations).
  • A cloud service or a load-balancing endpoint can't span across virtual networks, even if they are connected together.
  • Connecting multiple virtual networks together doesn't require any VPN devices.
  • VNet-to-VNet supports connecting Azure Virtual Networks. It does not support connecting virtual machines or cloud services that are not deployed to a virtual network.
  • VNet-to-VNet requires dynamic routing gateways. Azure static routing gateways are not supported.
  • Virtual network connectivity can be used simultaneously with multi-site VPNs. There is a maximum of 10 VPN tunnels for a virtual network VPN gateway connecting to either other virtual networks, or on-premises sites.
  • The address spaces of the virtual networks and on-premises local network sites must not overlap. Overlapping address spaces will cause the creation of virtual networks or uploading netcfg configuration files to fail.
  • Redundant tunnels between a pair of virtual networks are not supported.
  • All VPN tunnels for the VNet, including P2S VPNs, share the available bandwidth for the VPN gateway, and the same VPN gateway uptime SLA in Azure.
  • VNet-to-VNet traffic travels across the Azure backbone.

Next steps

Verify your connections. See Verify a VPN Gateway connection.