Configure VPN gateway transit for virtual network peering

This article helps you configure gateway transit for virtual network peering. Virtual network peering seamlessly connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

[Diagram: gateway transit]

In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks. The transit option is available for peering between the same or different deployment models. The constraint is that the VPN gateway can only be in the virtual network that uses the Resource Manager deployment model, as shown in the diagram.

In a hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub instead of deploying a VPN gateway in every spoke virtual network. Routes to the gateway-connected virtual networks or on-premises networks propagate to the routing tables of the peered virtual networks that use gateway transit. You can disable this automatic route propagation from the VPN gateway: create a route table with the "Disable BGP route propagation" option and associate it with the subnets that should not receive those routes. For more information, see Virtual network routing table.
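The following PowerShell is an added example, not part of the original article: it creates a route table with BGP route propagation disabled and attaches it to one spoke subnet, so that subnet no longer learns the routes advertised through the hub gateway. The resource group, virtual network, subnet name ("workload") and route table name are assumed placeholders.

```powershell
# Added example (not from the original article). The names below are assumptions;
# replace them with your own resource group, virtual network and subnet.
$SpokeRG        = "SpokeRG1"
$SpokeRM        = "Spoke-RM"
$SubnetName     = "workload"
$RouteTableName = "rt-no-gateway-routes"

$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG
$subnet      = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $spokermvnet -Name $SubnetName

# Route table that refuses routes propagated from the VPN gateway
# (the portal's "Disable BGP route propagation" option).
$rt = New-AzRouteTable -Name $RouteTableName -ResourceGroupName $SpokeRG `
        -Location $spokermvnet.Location -DisableBgpRoutePropagation

# Associate the route table with the subnet, keeping the subnet's existing prefix,
# then write the virtual network back to Azure.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spokermvnet -Name $SubnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$spokermvnet | Set-AzVirtualNetwork | Out-Null

# Verify: the subnet must reference the route table and propagation must be off.
$updatedSubnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG |
                 Get-AzVirtualNetworkSubnetConfig -Name $SubnetName
$rtCheck = Get-AzRouteTable -Name $RouteTableName -ResourceGroupName $SpokeRG

if ($rtCheck.DisableBgpRoutePropagation -and $updatedSubnet.RouteTable.Id -eq $rtCheck.Id) {
    "Gateway route propagation disabled on subnet $SubnetName"
} else {
    throw "Route table $RouteTableName was not applied to $SubnetName as expected"
}
```

Other subnets in the spoke that are not associated with this route table continue to receive the gateway's routes.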

There are two scenarios described in this document:

  1. Both virtual networks use the Resource Manager deployment model
  2. The spoke virtual network is classic, and the hub virtual network with the gateway is in Resource Manager

Requirements

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The example in this document requires the following resources to be created:

  1. Hub-RM virtual network with a VPN gateway
  2. Spoke-RM virtual network
  3. Spoke-Classic virtual network with the classic deployment model
  4. The account you use requires the necessary roles and permissions. See the Permissions section of this article for details.

Refer to the following documents for instructions:

  1. Create a VPN gateway in a virtual network
  2. Create virtual network peering with the same deployment model
  3. Create virtual network peering with different deployment models

Permissions

The accounts you use to create a virtual network peering must have the necessary roles or permissions. In the example below, if you were peering two virtual networks named Hub-RM and Spoke-Classic, your account must have the following roles or permissions for each virtual network:

Virtual network   Deployment model    Role                          Permissions
Hub-RM            Resource Manager    Network Contributor           Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
                  Classic             Classic Network Contributor   N/A
Spoke-Classic     Resource Manager    Network Contributor           Microsoft.Network/virtualNetworks/peer
                  Classic             Classic Network Contributor   Microsoft.ClassicNetwork/virtualNetworks/peer

Learn more about built-in roles and assigning specific permissions to custom roles (Resource Manager only).

Resource Manager to Resource Manager peering with gateway transit

Follow the instructions below to create or update the virtual network peerings so that gateway transit is enabled.

  1. Create or update the virtual network peering from Spoke-RM to Hub-RM in the Azure portal. Navigate to the Spoke-RM virtual network resource, click "Peerings", then "Add":

    • Set the "Resource Manager" option

    • Select the Hub-RM virtual network in the corresponding subscription

    • Make sure "Allow virtual network access" is "Enabled"

    • Set the "Use remote gateways" option

    • Click "OK"

      [Screenshot: spokerm-to-hubrm]

  2. If the peering already exists, navigate to the peering resource and enable the "Use remote gateways" option, as in the screenshot shown in step (1)

  3. Create or update the virtual network peering from Hub-RM to Spoke-RM in the Azure portal. Navigate to the Hub-RM virtual network resource, click "Peerings", then "Add":

    • Set the "Resource Manager" option

    • Make sure "Allow virtual network access" is "Enabled"

    • Select the "Spoke-RM" virtual network in the corresponding subscription

    • Set the "Allow gateway transit" option

    • Click "OK"

      [Screenshot: hubrm-to-spokerm]

  4. If the peering already exists, navigate to the peering resource and enable the "Allow gateway transit" option, as in the screenshot shown in step (3)

  5. Verify that the peering status is "Connected" on both virtual networks

PowerShell sample

You can also use PowerShell to create or update the peerings of the example above. Replace the variables with the names of your virtual networks and resource groups.

# Resource group and virtual network names; replace with your own values.
$SpokeRG = "SpokeRG1"
$SpokeRM = "Spoke-RM"
$HubRG   = "HubRG1"
$HubRM   = "Hub-RM"

$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG
$hubrmvnet   = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG

# Spoke side: consume the gateway of the remote (hub) virtual network.
Add-AzVirtualNetworkPeering `
  -Name SpokeRMtoHubRM `
  -VirtualNetwork $spokermvnet `
  -RemoteVirtualNetworkId $hubrmvnet.Id `
  -UseRemoteGateways

# Hub side: allow the peered (spoke) virtual network to transit through this gateway.
Add-AzVirtualNetworkPeering `
  -Name HubRMToSpokeRM `
  -VirtualNetwork $hubrmvnet `
  -RemoteVirtualNetworkId $spokermvnet.Id `
  -AllowGatewayTransit
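The check below is an added example, not part of the original article: it reads back both peerings created by the sample above and confirms that each is "Connected", that virtual network access is allowed, and that the transit flags are set on the correct side (the spoke uses the remote gateway, the hub allows gateway transit). It reuses the sample's variable and peering names.

```powershell
# Added example (not from the original article). Reuses the names from the sample above.
$SpokeRG = "SpokeRG1"; $SpokeRM = "Spoke-RM"
$HubRG   = "HubRG1";   $HubRM   = "Hub-RM"

$spokeSide = Get-AzVirtualNetworkPeering -Name SpokeRMtoHubRM `
               -VirtualNetworkName $SpokeRM -ResourceGroupName $SpokeRG
$hubSide   = Get-AzVirtualNetworkPeering -Name HubRMToSpokeRM `
               -VirtualNetworkName $HubRM -ResourceGroupName $HubRG

$problems = @()

# Both directions must be Connected, otherwise no traffic flows through the peering.
foreach ($p in @($spokeSide, $hubSide)) {
    if ($p.PeeringState -ne "Connected") {
        $problems += "$($p.Name): state is '$($p.PeeringState)', expected 'Connected'"
    }
    if (-not $p.AllowVirtualNetworkAccess) {
        $problems += "$($p.Name): 'Allow virtual network access' is disabled"
    }
}

# Transit flags belong to opposite sides: the spoke consumes, the hub offers.
if (-not $spokeSide.UseRemoteGateways) {
    $problems += "$($spokeSide.Name): 'Use remote gateways' is not set on the spoke"
}
if (-not $hubSide.AllowGatewayTransit) {
    $problems += "$($hubSide.Name): 'Allow gateway transit' is not set on the hub"
}

if ($problems.Count -eq 0) {
    "Gateway transit peering between $SpokeRM and $HubRM verified"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Peering verification failed"
}
```

For the classic scenario later in this article only the hub-side peering exists, so run just the $hubSide checks there.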

Classic to Resource Manager peering with gateway transit

The steps are similar to the Resource Manager example, except that the operations are applied on the Hub-RM virtual network only.

  1. Create or update the virtual network peering from Hub-RM to Spoke-Classic in the Azure portal. Navigate to the Hub-RM virtual network resource, click "Peerings", then "Add":

    • Set the "Classic" option for the virtual network deployment model

    • Select the "Spoke-Classic" virtual network in the corresponding subscription

    • Make sure "Allow virtual network access" is "Enabled"

    • Set the "Allow gateway transit" option

    • Click "OK"

      [Screenshot: hubrm-to-spokeclassic]

  2. If the peering already exists, navigate to the peering resource and enable the "Allow gateway transit" option, as in the screenshot shown in step (1)

  3. No operation is required on the Spoke-Classic virtual network

  4. Verify that the peering status is "Connected" on the Hub-RM virtual network

Once the status shows "Connected", the spoke virtual networks can start using VNet-to-VNet or cross-premises connectivity through the VPN gateway in the hub virtual network.

PowerShell sample

You can also use PowerShell to create or update the peering of the example above. Replace the variables and the subscription ID with the values of your virtual network, resource groups and subscription. You only need to create the virtual network peering on the hub virtual network.

# Hub resource group and virtual network names; replace with your own values.
$HubRG   = "HubRG1"
$HubRM   = "Hub-RM"

$hubrmvnet   = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG

# Hub side only: the remote virtual network is the classic Spoke-Classic VNet,
# referenced by its full resource ID (replace <subscription Id> with yours).
Add-AzVirtualNetworkPeering `
  -Name HubRMToSpokeClassic `
  -VirtualNetwork $hubrmvnet `
  -RemoteVirtualNetworkId "/subscriptions/<subscription Id>/resourceGroups/Default-Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/Spoke-Classic" `
  -AllowGatewayTransit

Next steps