Add a Site-to-Site connection to a VNet with an existing VPN gateway connection (classic)

Note

This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and offers more options and feature compatibility than the classic deployment model. For more information about the deployment models, see Understanding deployment models.

This article walks you through using PowerShell to add Site-to-Site (S2S) connections to a VPN gateway that already has a connection. This type of connection is often referred to as a "multi-site" configuration. The steps in this article apply to virtual networks created using the classic deployment model (also known as Service Management). They do not apply to ExpressRoute/Site-to-Site coexisting connection configurations.

Deployment models and methods

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

We update this table as new articles and additional tools become available for this configuration. When an article is available, we link directly to it from this table.

Deployment model/method    Azure portal     PowerShell
Resource Manager           Tutorial         Supported
Classic                    Not Supported    Tutorial

About connecting

You can connect multiple on-premises sites to a single virtual network. This is especially attractive for building hybrid cloud solutions. Creating a multi-site connection to your Azure virtual network gateway is similar to creating other Site-to-Site connections. In fact, you can use an existing Azure VPN gateway, as long as the gateway is dynamic (route-based).

If you already have a static gateway connected to your virtual network, you can change the gateway type to dynamic without rebuilding the virtual network to accommodate multi-site. Before changing the routing type, make sure that your on-premises VPN gateway supports route-based VPN configurations.

(Figure: multi-site diagram)

Points to consider

You won't be able to use the portal to make changes to this virtual network. You need to make changes to the network configuration file instead. If you make changes in the portal, they'll overwrite the multi-site reference settings for this virtual network.

You should feel comfortable using the network configuration file by the time you've completed the multi-site procedure. However, if you have multiple people working on your network configuration, make sure that everyone knows about this limitation. This doesn't mean that you can't use the portal at all: you can use it for everything else, except making configuration changes to this particular virtual network.

Before you begin

Before you begin configuration, verify that you have the following:

  • Compatible VPN hardware for each on-premises location. Check About VPN Devices for Virtual Network Connectivity to verify that the device you want to use is known to be compatible.
  • An externally facing public IPv4 address for each VPN device. The IP address cannot be located behind a NAT. This is a requirement.
  • Someone who is proficient at configuring your VPN hardware. You'll need a strong understanding of how to configure your VPN device, or work with someone who does.
  • The IP address ranges that you want to use for your virtual network (if you haven't already created one).
  • The IP address ranges for each of the local network sites that you'll be connecting to. Make sure that the IP address ranges of the local network sites you want to connect to do not overlap. Otherwise, the portal or the REST API will reject the configuration being uploaded.
    For example, if you have two local network sites that both contain the IP address range 10.2.3.0/24 and a packet arrives with the destination address 10.2.3.3, Azure can't tell which site to send the packet to, because the address ranges overlap. To prevent routing issues, Azure doesn't allow you to upload a configuration file that has overlapping ranges.
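
The overlap rule above is enforced only when you upload the file, and the rejection message is not always specific. The following PowerShell is an added example, not code from the original article, that checks the prefixes of the local network sites against each other and against the VNet's own address space before you import anything. The site list is constructed sample data (the Site1, Site2 and VNet1 prefixes mirror the configuration file shown later in this article; Site3 is made up and deliberately collides with Site2).

```powershell
# Added example, not part of the original article: detect overlapping IPv4
# prefixes across local network sites (and the VNet's own address space)
# before uploading the network configuration. Sample sites are constructed.

function ConvertTo-PrefixRange {
    # Turn "a.b.c.d/n" into the numeric first and last address of the block.
    param([Parameter(Mandatory)][string]$Cidr)
    if (-not ($Cidr -match '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$')) {
        throw "Not an IPv4 CIDR prefix: '$Cidr'"
    }
    $length = [int]$Matches[2]
    if ($length -gt 32) { throw "Prefix length out of range: '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($Matches[1]).GetAddressBytes()
    [long]$base = 0
    foreach ($b in $bytes) { $base = ($base * 256) + $b }
    $size  = [long][Math]::Pow(2, 32 - $length)
    $start = $base - ($base % $size)            # clear any host bits
    [pscustomobject]@{ Prefix = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Find-OverlappingPrefixes {
    # $Sites: objects with Name and Prefixes. Emits one record per overlapping pair.
    param([Parameter(Mandatory)][object[]]$Sites)
    $ranges = @(foreach ($site in $Sites) {
        foreach ($p in $site.Prefixes) {
            $r = ConvertTo-PrefixRange -Cidr $p
            [pscustomobject]@{ Site = $site.Name; Prefix = $p; Start = $r.Start; End = $r.End }
        }
    })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            # Two blocks overlap when each one starts no later than the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ SiteA = $a.Site; PrefixA = $a.Prefix; SiteB = $b.Site; PrefixB = $b.Prefix }
            }
        }
    }
}

# Constructed sample: VNet1, Site1 and Site2 match the article's example file;
# Site3 is invented and overlaps Site2's 10.2.0.0/16.
$sites = @(
    @{ Name = 'VNet1'; Prefixes = @('10.20.0.0/16', '10.21.0.0/16') },
    @{ Name = 'Site1'; Prefixes = @('10.0.0.0/16', '10.1.0.0/16') },
    @{ Name = 'Site2'; Prefixes = @('10.2.0.0/16', '10.3.0.0/16') },
    @{ Name = 'Site3'; Prefixes = @('10.2.3.0/24') }
)

$conflicts = @(Find-OverlappingPrefixes -Sites $sites)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    throw 'Overlapping address prefixes found; fix the configuration before importing it.'
}
'No overlapping prefixes.'
```

With the sample data the script reports Site3 10.2.3.0/24 against Site2 10.2.0.0/16 and stops. Feed it the real LocalNetworkSite and VirtualNetworkSite address spaces from your exported file to catch the conflict before Set-AzureVNetConfig does.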

Working with Azure PowerShell

When working with the classic deployment model, you must install the latest version of the Azure Service Management (SM) PowerShell cmdlets locally on your computer. These cmdlets are different from the AzureRM or Az cmdlets. To install the SM cmdlets, see Install Service Management cmdlets. For more information about Azure PowerShell in general, see the Azure PowerShell documentation.

1. Create a Site-to-Site VPN

If you already have a Site-to-Site VPN with a dynamic routing gateway, you can proceed to Export the virtual network configuration settings. If not, do the following:

If you already have a Site-to-Site virtual network, but it has a static (policy-based) routing gateway:

  1. Change your gateway type to dynamic routing. A multi-site VPN requires a dynamic (also known as route-based) routing gateway. To change your gateway type, you'll need to first delete the existing gateway, then create a new one. Deleting the gateway tears down the existing tunnel, so plan for the outage.
  2. Configure your new gateway and create your VPN tunnel. For instructions, see Specify the SKU and VPN type. Make sure you specify the Routing Type as 'Dynamic'.

If you don't have a Site-to-Site virtual network:

  1. Create your Site-to-Site virtual network using these instructions: Create a Virtual Network with a Site-to-Site VPN Connection.
  2. Configure a dynamic routing gateway using these instructions: Configure a VPN Gateway. Be sure to select dynamic routing for your gateway type.

2. Export the network configuration file

Open your PowerShell console with elevated rights. The Service Management PowerShell cmdlets used in the rest of this article do not require a mode switch. If you also use the legacy cross-platform Azure CLI (the `azure` command), switch it to Service Management mode with the following command; note that this is a CLI command, not a PowerShell cmdlet:

azure config mode asm

Connect to your account. Use the following example to help you connect:

Add-AzureAccount -Environment AzureChinaCloud

Export your Azure network configuration file by running the following command. You can change the export path if necessary.

Get-AzureVNetConfig -ExportToFile C:\AzureNet\NetworkConfig.xml

3. Open the network configuration file

Open the network configuration file that you exported in the last step, using any XML editor you like. The file should look similar to the following:

    <NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
      <VirtualNetworkConfiguration>
        <LocalNetworkSites>
          <LocalNetworkSite name="Site1">
            <AddressSpace>
              <AddressPrefix>10.0.0.0/16</AddressPrefix>
              <AddressPrefix>10.1.0.0/16</AddressPrefix>
            </AddressSpace>
            <VPNGatewayAddress>131.2.3.4</VPNGatewayAddress>
          </LocalNetworkSite>
          <LocalNetworkSite name="Site2">
            <AddressSpace>
              <AddressPrefix>10.2.0.0/16</AddressPrefix>
              <AddressPrefix>10.3.0.0/16</AddressPrefix>
            </AddressSpace>
            <VPNGatewayAddress>131.4.5.6</VPNGatewayAddress>
          </LocalNetworkSite>
        </LocalNetworkSites>
        <VirtualNetworkSites>
          <VirtualNetworkSite name="VNet1" AffinityGroup="ChinaNorth">
            <AddressSpace>
              <AddressPrefix>10.20.0.0/16</AddressPrefix>
              <AddressPrefix>10.21.0.0/16</AddressPrefix>
            </AddressSpace>
            <Subnets>
              <Subnet name="FE">
                <AddressPrefix>10.20.0.0/24</AddressPrefix>
              </Subnet>
              <Subnet name="BE">
                <AddressPrefix>10.20.1.0/24</AddressPrefix>
              </Subnet>
              <Subnet name="GatewaySubnet">
                <AddressPrefix>10.20.2.0/29</AddressPrefix>
              </Subnet>
            </Subnets>
            <Gateway>
              <ConnectionsToLocalNetwork>
                <LocalNetworkSiteRef name="Site1">
                  <Connection type="IPsec" />
                </LocalNetworkSiteRef>
              </ConnectionsToLocalNetwork>
            </Gateway>
          </VirtualNetworkSite>
        </VirtualNetworkSites>
      </VirtualNetworkConfiguration>
    </NetworkConfiguration>

4. Add multiple site references

When you add or remove site reference information, you make configuration changes to ConnectionsToLocalNetwork/LocalNetworkSiteRef. Adding a new local site reference triggers Azure to create a new tunnel. In the example below, the network configuration is for a single-site connection. Save the file once you have finished making your changes.

  <Gateway>
    <ConnectionsToLocalNetwork>
      <LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
    </ConnectionsToLocalNetwork>
  </Gateway>

To add additional site references (create a multi-site configuration), add additional "LocalNetworkSiteRef" lines, as shown in the example below. Each referenced site must already be defined under LocalNetworkSites:

  <Gateway>
    <ConnectionsToLocalNetwork>
      <LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
      <LocalNetworkSiteRef name="Site2"><Connection type="IPsec" /></LocalNetworkSiteRef>
    </ConnectionsToLocalNetwork>
  </Gateway>
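
Hand-editing the file works, but a typo in a site name or a reference to a site that was never defined is only caught at import time. The following PowerShell is an added example, not code from the original article, that makes the same change with PowerShell's built-in XML support: it refuses to reference a site that is not defined under LocalNetworkSites, will not add a duplicate reference, and creates the new elements in the file's own namespace so they serialize cleanly. The file path, VNet name and site name in the call at the bottom are assumptions taken from the example file above.

```powershell
# Added example, not part of the original article: add a LocalNetworkSiteRef
# (with an IPsec Connection) to an exported network configuration file.
# Path, VNet name and site name in the final call are assumptions.

function Add-LocalNetworkSiteRef {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$SiteName
    )
    # Both names are embedded in XPath below; refuse quote characters rather
    # than try to escape them.
    foreach ($n in $VNetName, $SiteName) {
        if ($n -match "['""]") { throw "Name '$n' contains a quote character" }
    }
    $fullPath = (Resolve-Path -Path $ConfigPath).Path   # XmlDocument.Save needs an absolute path
    [xml]$config = Get-Content -Path $fullPath -Raw

    # The file uses a default namespace, so every XPath step needs a bound prefix.
    $nsUri = 'http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration'
    $ns = New-Object System.Xml.XmlNamespaceManager($config.NameTable)
    $ns.AddNamespace('nc', $nsUri)

    if (-not $config.SelectSingleNode("//nc:LocalNetworkSites/nc:LocalNetworkSite[@name='$SiteName']", $ns)) {
        throw "Local network site '$SiteName' is not defined; add it under <LocalNetworkSites> first"
    }
    $vnet = $config.SelectSingleNode("//nc:VirtualNetworkSite[@name='$VNetName']", $ns)
    if (-not $vnet) { throw "Virtual network '$VNetName' not found in $fullPath" }
    $connections = $vnet.SelectSingleNode('nc:Gateway/nc:ConnectionsToLocalNetwork', $ns)
    if (-not $connections) {
        throw "'$VNetName' has no Gateway/ConnectionsToLocalNetwork element; create the gateway and its first connection before adding sites"
    }
    if ($connections.SelectSingleNode("nc:LocalNetworkSiteRef[@name='$SiteName']", $ns)) {
        Write-Warning "'$VNetName' already references '$SiteName'; nothing changed"
        return $false
    }

    # Build <LocalNetworkSiteRef name="..."><Connection type="IPsec" /></LocalNetworkSiteRef>
    # in the document's namespace so it is written without an xmlns="" override.
    $ref = $config.CreateElement('LocalNetworkSiteRef', $nsUri)
    $ref.SetAttribute('name', $SiteName)
    $conn = $config.CreateElement('Connection', $nsUri)
    $conn.SetAttribute('type', 'IPsec')
    [void]$ref.AppendChild($conn)
    [void]$connections.AppendChild($ref)
    $config.Save($fullPath)
    return $true
}

# Assumed path and names, matching the example file in this article.
Add-LocalNetworkSiteRef -ConfigPath 'C:\AzureNet\NetworkConfig.xml' -VNetName 'VNet1' -SiteName 'Site2'
```

The function returns $true when it changed the file and $false when the reference was already present, so it is safe to re-run. Removing a site reference is the mirror image: select the LocalNetworkSiteRef by name and call RemoveChild on its parent, which tells Azure to tear that tunnel down on the next import.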

5. Import the network configuration file

Import the network configuration file. When you import this file with the changes, the new tunnels will be added. The tunnels will use the dynamic gateway that you created earlier. You can use PowerShell to import the file.

6. Download keys

Once your new tunnels have been added, use the PowerShell cmdlet 'Get-AzureVNetGatewayKey' to get the IPsec/IKE pre-shared key for each tunnel. Treat each key as a secret: it is what authenticates the on-premises device to the gateway, so pass it to the device administrator over a secure channel and keep it out of scripts, logs and transcripts.

For example:

Get-AzureVNetGatewayKey -VNetName "VNet1" -LocalNetworkSiteName "Site1"
Get-AzureVNetGatewayKey -VNetName "VNet1" -LocalNetworkSiteName "Site2"

If you prefer, you can also use the Get Virtual Network Gateway Shared Key REST API to get the pre-shared keys.

7. Verify your connections

Check the multi-site tunnel status. After downloading the keys for each tunnel and configuring the on-premises devices with them, verify the connections. Use 'Get-AzureVNetConnection' to get a list of virtual network tunnels, as shown in the example below. VNet1 is the name of the VNet.

Get-AzureVNetConnection -VNetName VNet1

Example return:

    ConnectivityState         : Connected
    EgressBytesTransferred    : 661530
    IngressBytesTransferred   : 519207
    LastConnectionEstablished : 5/2/2014 2:51:40 PM
    LastEventID               : 23401
    LastEventMessage          : The connectivity state for the local network site 'Site1' changed from Not Connected to Connected.
    LastEventTimeStamp        : 5/2/2014 2:51:40 PM
    LocalNetworkSiteName      : Site1
    OperationDescription      : Get-AzureVNetConnection
    OperationId               : 7f68a8e6-51e9-9db4-88c2-16b8067fed7f
    OperationStatus           : Succeeded

    ConnectivityState         : Connected
    EgressBytesTransferred    : 789398
    IngressBytesTransferred   : 143908
    LastConnectionEstablished : 5/2/2014 3:20:40 PM
    LastEventID               : 23401
    LastEventMessage          : The connectivity state for the local network site 'Site2' changed from Not Connected to Connected.
    LastEventTimeStamp        : 5/2/2014 2:51:40 PM
    LocalNetworkSiteName      : Site2
    OperationDescription      : Get-AzureVNetConnection
    OperationId               : 7893b329-51e9-9db4-88c2-16b8067fed7f
    OperationStatus           : Succeeded
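
Steps 5 to 7 are one procedure, and step 5 above gives no command. The following PowerShell is an added example, not code from the original article, that runs them end to end: it imports the edited file with Set-AzureVNetConfig, fetches the pre-shared key for each referenced site without printing it, and polls Get-AzureVNetConnection until every tunnel reports Connected or a deadline passes. It needs the Service Management cmdlets and an authenticated session (Add-AzureAccount, as in step 2). The path, VNet name and site list are assumptions, as is reading the key from the Value property of the object Get-AzureVNetGatewayKey returns.

```powershell
# Added example, not part of the original article: import the configuration,
# collect the per-site pre-shared keys, and wait for the tunnels to come up.
# Path, VNet name, site list and the .Value property of the key object are
# assumptions. Requires an authenticated Service Management session.

$configPath = 'C:\AzureNet\NetworkConfig.xml'
$vnetName   = 'VNet1'
$siteNames  = @('Site1', 'Site2')

# Step 5: upload the edited file. Azure creates a tunnel for every new
# LocalNetworkSiteRef; overlapping prefixes make this call fail.
Set-AzureVNetConfig -ConfigurationPath $configPath

# Step 6: the shared key is the only secret protecting each tunnel. Keep it as
# a SecureString in memory and hand it to the device administrator over a
# secure channel; never echo it to the console or a transcript.
$keys = @{}
foreach ($site in $siteNames) {
    $shared = Get-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $site
    $keys[$site] = ConvertTo-SecureString -String $shared.Value -AsPlainText -Force
}

function Wait-VNetConnections {
    # Step 7: return $true once every listed site is Connected, $false on timeout.
    param(
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string[]]$Sites,
        [int]$TimeoutMinutes = 10,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $connections = @(Get-AzureVNetConnection -VNetName $VNetName)
        $pending = @($Sites | Where-Object {
            $site = $_
            -not ($connections | Where-Object {
                $_.LocalNetworkSiteName -eq $site -and $_.ConnectivityState -eq 'Connected'
            })
        })
        if ($pending.Count -eq 0) { return $true }
        Write-Verbose "Still waiting for: $($pending -join ', ')" -Verbose
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Wait-VNetConnections -VNetName $vnetName -Sites $siteNames)) {
    # Anything still not Connected: check the key on the device and its IKE settings.
    Get-AzureVNetConnection -VNetName $vnetName |
        Where-Object { $_.ConnectivityState -ne 'Connected' } |
        Format-List LocalNetworkSiteName, ConnectivityState, LastEventMessage
    throw "Not all tunnels to '$vnetName' came up within the timeout"
}
"All tunnels to '$vnetName' are connected."
```

A tunnel only reaches Connected after the on-premises device has been configured with its key, so in practice the wait spans the hand-off to the device administrator; raise TimeoutMinutes accordingly. The LastEventMessage field printed on failure is the same one shown in the example return above and is the first thing to read when a site stays Not Connected.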

Next steps

To learn more about VPN Gateways, see About VPN Gateways.