Configure a VNet-to-VNet VPN gateway connection by using the Azure portal

This article helps you connect virtual networks (VNets) by using the VNet-to-VNet connection type. Virtual networks can be in different regions.

The steps in this article apply to the Azure Resource Manager deployment model and use the Azure portal. You can create this configuration with a different deployment tool or model by using options that are described in the following articles:

About connecting VNets

The following sections describe the different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a simple way to connect VNets. When you connect a virtual network to another virtual network with a VNet-to-VNet connection type (VNet2VNet), it's similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connection types use a VPN gateway to provide a secure tunnel with IPsec/IKE and function the same way when communicating. However, they differ in the way the local network gateway is configured.

When you create a VNet-to-VNet connection, the local network gateway address space is automatically created and populated. If you update the address space for one VNet, the other VNet automatically routes to the updated address space. It's typically faster and easier to create a VNet-to-VNet connection than a Site-to-Site connection.

Site-to-Site (IPsec)

If you're working with a complicated network configuration, you may prefer to connect your VNets by using a Site-to-Site connection instead. When you follow the Site-to-Site IPsec steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. These steps allow you to specify additional address spaces for the local network gateway to route traffic. If the address space for a VNet changes, you must manually update the corresponding local network gateway.

VNet peering

You can also connect your VNets by using VNet peering. VNet peering doesn't use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For more information, see VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks by using a VNet-to-VNet connection for the following reasons:

Cross-region geo-redundancy and geo-presence

  • You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints.
  • With Azure Traffic Manager and Azure Load Balancer, you can set up highly available workloads with geo-redundancy across multiple Azure regions. For example, you can set up SQL Server Always On availability groups across multiple Azure regions.

Regional multi-tier applications with isolation or administrative boundaries

  • Within the same region, you can set up multi-tier applications with multiple virtual networks that are connected together because of isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. These configurations let you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity, as shown in the following diagram:

About connections

This article shows you how to connect VNets by using the VNet-to-VNet connection type. When you follow these steps as an exercise, you can use the following example settings values. In the example, the virtual networks are in the same subscription, but in different resource groups. For more information about VNet-to-VNet connections, see the VNet-to-VNet FAQ.

Example settings

Values for VNet1:

  • Virtual network settings

    • Name: VNet1
    • Address space: 10.1.0.0/16
    • Subscription: Select the subscription you want to use.
    • Resource group: TestRG1
    • Location: China North
    • Subnet
      • Name: FrontEnd
      • Address range: 10.1.0.0/24
    • Gateway subnet
      • Name: GatewaySubnet is autofilled
      • Address range: 10.1.255.0/27
  • Virtual network gateway settings

    • Name: VNet1GW
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: Select the gateway SKU you want to use.
    • Public IP address name: VNet1GWpip
    • Connection
      • Name: VNet1toVNet4
      • Shared key: You can create the shared key yourself. When you create the connection between the VNets, the values must match. For this exercise, use abc123.

Values for VNet4:

  • Virtual network settings

    • Name: VNet4
    • Address space: 10.41.0.0/16
    • Subscription: Select the subscription you want to use.
    • Resource group: TestRG4
    • Location: China North
    • Subnet
      • Name: FrontEnd
      • Address range: 10.41.0.0/24
    • GatewaySubnet
      • Name: GatewaySubnet is autofilled
      • Address range: 10.41.255.0/27
  • Virtual network gateway settings

    • Name: VNet4GW
    • Gateway type: Select VPN.
    • VPN type: Select Route-based.
    • SKU: Select the gateway SKU you want to use.
    • Public IP address name: VNet4GWpip
    • Connection
      • Name: VNet4toVNet1
      • Shared key: You can create the shared key yourself. When you create the connection between the VNets, the values must match. For this exercise, use abc123.

Create and configure VNet1

If you already have a VNet, verify that the settings are compatible with your VPN gateway design. Pay particular attention to any subnets that may overlap with other networks. Your connection won't work properly if you have overlapping subnets.

To create a virtual network

You can create a VNet with the Resource Manager deployment model and the Azure portal by following these steps. For more information about virtual networks, see Virtual Network overview.

Note

When using a virtual network as part of a cross-premises architecture, be sure to coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic will route in an unexpected way. Additionally, if you want to connect this virtual network to another virtual network, the address space cannot overlap with the other virtual network. Plan your network configuration accordingly.

  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/), type virtual network.

  3. Select Virtual Network from the Marketplace results.

  4. On the Virtual Network page, select Create.

  5. Once you select Create, the Create virtual network page opens.

  6. On the Basics tab, configure Project details and Instance details VNet settings.

    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are autofilled, which you can replace with your own values:

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  7. On the IP Addresses tab, configure the values. The values shown in the examples below are for demonstration purposes. Adjust these values according to the settings that you require.

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add additional address spaces.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values:
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  8. On the Security tab, at this time, leave the default values:

    • DDoS protection: Basic
    • Firewall: Disabled
  9. Select Review + create to validate the virtual network settings.

  10. After the settings have been validated, select Create.

Create the VNet1 gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. If you're creating this configuration as an exercise, see the Example settings.

The virtual network gateway uses a specific subnet called the gateway subnet. The gateway subnet is part of the virtual network IP address range that you specify when configuring your virtual network. It contains the IP addresses that the virtual network gateway resources and services use.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The number of IP addresses needed depends on the VPN gateway configuration that you want to create. Some configurations require more IP addresses than others. We recommend that you create a gateway subnet that uses a /27 or /28.

If you see an error that specifies that the address space overlaps with a subnet, or that the subnet is not contained within the address space for your virtual network, check your VNet address range. You may not have enough IP addresses available in the address range you created for your virtual network. For example, if your default subnet encompasses the entire address range, there are no IP addresses left to create additional subnets. You can either adjust your subnets within the existing address space to free up IP addresses, or specify an additional address range and create the gateway subnet there.
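
The address-range rules above (no overlap between connected networks, subnets contained in the VNet address space, a gateway subnet of /27 or /28) can be checked before anything is deployed. The following is an added example, not part of the original article: it validates the VNet1 and VNet4 example settings and a constructed failing plan. The dictionary layout, the name VNetX and the threshold constant are assumptions made for illustration.

```python
import ipaddress

# Example settings from this article (VNet1 and VNet4).
PLAN = {
    "VNet1": {
        "address_space": ["10.1.0.0/16"],
        "subnets": {"FrontEnd": "10.1.0.0/24", "GatewaySubnet": "10.1.255.0/27"},
    },
    "VNet4": {
        "address_space": ["10.41.0.0/16"],
        "subnets": {"FrontEnd": "10.41.0.0/24", "GatewaySubnet": "10.41.255.0/27"},
    },
}

# Constructed failing input: a default subnet that fills the whole address
# space, an undersized gateway subnet, and a range that collides with VNet1.
BROKEN_PLAN = {
    "VNet1": PLAN["VNet1"],
    "VNetX": {
        "address_space": ["10.1.128.0/17"],
        "subnets": {"default": "10.1.128.0/17", "GatewaySubnet": "10.1.255.0/29"},
    },
}

# Assumption: anything smaller than the recommended /27 or /28 is reported.
SMALLEST_GATEWAY_PREFIX = 28


def check_vnet(name, vnet):
    """Return problems found inside a single VNet definition."""
    problems = []
    spaces = [ipaddress.ip_network(c) for c in vnet["address_space"]]
    subnets = {n: ipaddress.ip_network(c) for n, c in vnet["subnets"].items()}

    # Every subnet must sit inside one of the VNet's address spaces.
    for sub, net in subnets.items():
        if not any(net.version == s.version and net.subnet_of(s) for s in spaces):
            problems.append(f"{name}/{sub} {net} is outside the VNet address space")

    # Subnets of one VNet must not overlap each other.
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{name}: subnet {a} overlaps subnet {b}")

    gateway = subnets.get("GatewaySubnet")
    if gateway is None:
        problems.append(f"{name} has no subnet named GatewaySubnet")
    elif gateway.prefixlen > SMALLEST_GATEWAY_PREFIX:
        problems.append(f"{name}: GatewaySubnet /{gateway.prefixlen} is smaller than /28")
    return problems


def check_plan(plan, on_premises=()):
    """Check each VNet, then every pair of networks that will be connected."""
    problems = []
    for name, vnet in plan.items():
        problems += check_vnet(name, vnet)

    ranges = [(n, ipaddress.ip_network(c)) for n, v in plan.items() for c in v["address_space"]]
    ranges += [("on-premises", ipaddress.ip_network(c)) for c in on_premises]
    for i, (name_a, a) in enumerate(ranges):
        for name_b, b in ranges[i + 1:]:
            if name_a != name_b and a.overlaps(b):
                problems.append(f"{name_a} {a} overlaps {name_b} {b}")
    return problems


if __name__ == "__main__":
    for label, plan in (("article plan", PLAN), ("broken plan", BROKEN_PLAN)):
        print(label, check_plan(plan) or "OK")
```

Pass any on-premises ranges reachable over a Site-to-Site connection through the on_premises argument so they are included in the overlap check.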

To create a virtual network gateway

  1. From the Azure portal menu, select Create a resource.

  2. In the Search the Marketplace field, type 'Virtual Network Gateway'. Locate Virtual network gateway in the search return and select the entry. On the Virtual network gateway page, select Create. This opens the Create virtual network gateway page.

  3. On the Basics tab, fill in the values for your virtual network gateway.

    • Name: Name your gateway. Naming your gateway is not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
    • Virtual network: Select the virtual network to which you want to add this gateway.

    Public IP address: This setting specifies the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.

    Active-Active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.

    Leave Configure BGP ASN deselected, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.

  4. Select Review + create to run validation. Once validation passes, select Create to deploy the VPN gateway. A gateway can take up to 45 minutes to fully create and deploy. You can see the deployment status on the Overview page for your gateway.

After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

Create and configure VNet4

After you've configured VNet1, create VNet4 and the VNet4 gateway by repeating the previous steps and replacing the values with VNet4 values. You don't need to wait until the virtual network gateway for VNet1 has finished creating before you configure VNet4. If you're using your own values, make sure the address spaces don't overlap with any of the VNets to which you want to connect.

Configure the VNet1 gateway connection

When the virtual network gateways for both VNet1 and VNet4 have completed, you can create your virtual network gateway connections. In this section, you create a connection from VNet1 to VNet4. These steps work only for VNets in the same subscription. However, if your VNets are in different resource groups in the same subscription, you can connect them by using the portal.

  1. In the Azure portal, select All resources, enter virtual network gateway in the search box, and then navigate to the virtual network gateway for your VNet. For example, VNet1GW. Select the gateway to open the Virtual network gateway page. Under Settings, select Connections.

  2. Select +Add to open the Add connection page.

  3. On the Add connection page, fill in the values for your connection:

    • Name: Enter a name for your connection. For example, VNet1toVNet4.

    • Connection type: Select VNet-to-VNet from the drop-down.

    • First virtual network gateway: This field value is automatically filled in because you're creating this connection from the specified virtual network gateway.

    • Second virtual network gateway: This field is the virtual network gateway of the VNet that you want to create a connection to. Select Choose another virtual network gateway to open the Choose virtual network gateway page.

      • View the virtual network gateways that are listed on this page. Notice that only virtual network gateways that are in your subscription are listed.

      • Select the virtual network gateway to which you want to connect.

    • Shared key (PSK): In this field, enter a shared key for your connection. You can generate or create this key yourself. In a site-to-site connection, the key you use is the same for your on-premises device and your virtual network gateway connection. The concept is similar here, except that rather than connecting to a VPN device, you're connecting to another virtual network gateway.

  4. Select OK to save your changes.

Configure the VNet4 gateway connection

Next, create a connection from VNet4 to VNet1. In the portal, locate the virtual network gateway associated with VNet4. Follow the steps from the previous section, replacing the values to create a connection from VNet4 to VNet1. Make sure that you use the same shared key.
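
Because each direction is configured separately, a missing reverse connection or a mistyped shared key only shows up later as a connection that never reaches Connected. The following is an added example, not part of the original article: it audits the two connection definitions from the example settings for a missing reverse connection, mismatched shared keys and keys that fail a strength policy, and generates a random key. The dictionary layout, MIN_KEY_LENGTH, MIN_DISTINCT_CHARS and the alphanumeric alphabet are assumptions, not limits documented on this page.

```python
import hmac
import secrets
import string

# The two connections from the example settings, with the exercise key.
# Real keys belong in a secret store, not in source files.
CONNECTIONS = [
    {"name": "VNet1toVNet4", "from": "VNet1GW", "to": "VNet4GW", "shared_key": "abc123"},
    {"name": "VNet4toVNet1", "from": "VNet4GW", "to": "VNet1GW", "shared_key": "abc123"},
]

# Assumptions: local policy thresholds, not limits enforced by Azure.
MIN_KEY_LENGTH = 32
MIN_DISTINCT_CHARS = 10
ALPHABET = string.ascii_letters + string.digits


def generate_shared_key(length=48):
    """Return a random alphanumeric key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def key_is_weak(key):
    """True when the key is short or built from very few distinct characters."""
    return len(key) < MIN_KEY_LENGTH or len(set(key)) < MIN_DISTINCT_CHARS


def audit_connections(connections):
    """Return findings; key values are never included in the messages."""
    findings = []
    by_pair = {(c["from"], c["to"]): c for c in connections}
    for (src, dst), conn in by_pair.items():
        reverse = by_pair.get((dst, src))
        if reverse is None:
            findings.append(f"{conn['name']}: no reverse connection from {dst} to {src}")
        elif src < dst and not hmac.compare_digest(
            conn["shared_key"].encode(), reverse["shared_key"].encode()
        ):
            # Reported once per pair (src < dst), not once per direction.
            findings.append(f"{conn['name']} and {reverse['name']}: shared keys differ")
        if key_is_weak(conn["shared_key"]):
            findings.append(f"{conn['name']}: shared key fails the local strength policy")
    return findings


def with_key(connections, name, key):
    """Copy of the connection list with one connection's key replaced."""
    return [dict(c, shared_key=key) if c["name"] == name else dict(c) for c in connections]


if __name__ == "__main__":
    for finding in audit_connections(CONNECTIONS):
        print(finding)
```

Run against the exercise values, the audit reports abc123 on both connections; replacing both keys with one value from generate_shared_key() clears the findings.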

Verify your connections

  1. Locate the virtual network gateway in the Azure portal.

  2. On the Virtual network gateway page, select Connections to view the Connections page for the virtual network gateway. After the connection is established, you'll see the Status values change to Connected.

  3. Under the Name column, select one of the connections to view more information. When data begins flowing, you'll see values for Data in and Data out.

Add additional connections

If you want to add additional connections, navigate to the virtual network gateway from which you want to create the connection, then select Connections. You can create another VNet-to-VNet connection, or create an IPsec Site-to-Site connection to an on-premises location. Be sure to adjust the Connection type to match the type of connection you want to create. Before you create additional connections, verify that the address space for your virtual network doesn't overlap with any of the address spaces you want to connect to. For steps to create a Site-to-Site connection, see Create a Site-to-Site connection.

VNet-to-VNet FAQ

View the FAQ details for additional information about VNet-to-VNet connections.

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when you use a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. For more information, see the VPN Gateway pricing page. If you're connecting your VNets by using VNet peering instead of a VPN gateway, see Virtual network pricing.

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Azure backbone, not the internet.

Can I establish a VNet-to-VNet connection across Azure Active Directory (AAD) tenants?

Yes, VNet-to-VNet connections that use Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

If the VNets aren't in the same subscription, do the subscriptions need to be associated with the same Active Directory tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between global Azure and Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN connection for these scenarios.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span VNets?

No. A cloud service or a load-balancing endpoint can't span across virtual networks, even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST use route-based (previously called dynamic routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Next steps

For information about how you can limit network traffic to resources in a virtual network, see Network Security.

For information about how Azure routes traffic between Azure, on-premises, and Internet resources, see Virtual network traffic routing.