Configure VPN gateway transit for virtual network peering

This article helps you configure gateway transit for virtual network peering. Virtual network peering seamlessly connects two Azure virtual networks, merging them into one for connectivity purposes. Gateway transit is a peering property that lets one virtual network use the VPN gateway in the peered virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway transit works with virtual network peering.

(Diagram: gateway transit with virtual network peering)

In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM. Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three virtual networks. The transit option is available for peering between the same or different deployment models. If you are configuring transit between different deployment models, the hub virtual network and the virtual network gateway must be in the Resource Manager deployment model, not the classic deployment model.

In a hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in the hub instead of deploying a VPN gateway in every spoke. Routes to the gateway-connected virtual networks or on-premises networks propagate into the routing tables of the peered virtual networks that use gateway transit. You can disable this automatic route propagation from the VPN gateway: create a route table with the "Disable BGP route propagation" option and associate it with the subnets that should not receive those routes. Note that this only removes the learned routes from those subnets' outbound routing; it is not an access control, so use network security groups if traffic from the gateway-connected networks must be blocked. For more information, see Virtual network routing table.
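The following is an added example, not code from the original article, showing the route-table procedure above end to end: it creates a route table with BGP route propagation disabled, associates it with one subnet of the spoke, and then reads the effective routes of a NIC in that subnet to confirm that no gateway-learned route is active. The resource group SpokeRG1 and VNet Spoke-RM are the names used elsewhere on this page; the subnet name, NIC name and region are assumptions. It requires the Az.Network module and an authenticated session (Connect-AzAccount).

```powershell
# Added example (not from the original article). Assumed names: subnet "isolated",
# NIC "isolated-vm-nic" attached to a running VM in that subnet, region "eastus".
$rg         = "SpokeRG1"
$vnetName   = "Spoke-RM"
$subnetName = "isolated"        # assumed subnet name
$nicName    = "isolated-vm-nic" # assumed NIC in that subnet
$location   = "eastus"          # assumed region; must match the VNet's region

# 1. A route table whose subnets will NOT receive routes learned from the hub's VPN gateway.
$rt = New-AzRouteTable -Name "rt-no-gateway-routes" `
        -ResourceGroupName $rg `
        -Location $location `
        -DisableBgpRoutePropagation

# 2. Associate the route table with the subnet. Setting the property on the subnet object
#    (rather than rebuilding the subnet config) leaves its NSG and other settings untouched.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Verify from the data plane: effective routes of a NIC in the subnet (the VM must be running).
#    With propagation disabled, no active route should have NextHopType "VirtualNetworkGateway".
$routes = Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg
$routes | Select-Object Source, State, AddressPrefix, NextHopType | Format-Table -AutoSize

$leaked = $routes | Where-Object { $_.NextHopType -eq "VirtualNetworkGateway" -and $_.State -eq "Active" }
if ($leaked) {
    Write-Warning "Subnet '$subnetName' still has active gateway routes: $($leaked.AddressPrefix -join ', ')"
} else {
    Write-Host "No gateway-propagated routes are active on '$nicName'."
}
```

The effective-route check is the part worth keeping in a runbook: the portal flag on the route table tells you what you configured, while Get-AzEffectiveRouteTable tells you what the NIC actually uses, which is what matters when a subnet is meant to stay off the cross-premises path.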

There are two scenarios in this article:

  • Same deployment model: Both virtual networks are created in the Resource Manager deployment model.
  • Different deployment models: The spoke virtual network is created in the classic deployment model, and the hub virtual network and gateway are in the Resource Manager deployment model.

Note

If you change the topology of your network and have Windows VPN clients, the VPN client package for Windows must be downloaded and installed again for the changes to apply to the clients.

Prerequisites

Before you begin, verify that you have the following virtual networks and permissions:

Virtual networks

VNet            Deployment model    Virtual network gateway
Hub-RM          Resource Manager    Yes
Spoke-RM        Resource Manager    No
Spoke-Classic   Classic             No

Permissions

The accounts you use to create a virtual network peering must have the necessary roles or permissions. In the example below, if you were peering the two virtual networks named Hub-RM and Spoke-Classic, your account must have the following roles or permissions for each virtual network:

VNet            Deployment model    Role                         Permissions
Hub-RM          Resource Manager    Network Contributor          Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
                Classic             Classic Network Contributor  N/A
Spoke-Classic   Resource Manager    Network Contributor          Microsoft.Network/virtualNetworks/peer
                Classic             Classic Network Contributor  Microsoft.ClassicNetwork/virtualNetworks/peer

Learn more about built-in roles and assigning specific permissions to custom roles (Resource Manager only).
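Network Contributor is broader than peering needs. As an added example (not from the original article), the following PowerShell builds a custom role that carries only the two Resource Manager actions listed in the permissions table and assigns it at the scope of the two VNets rather than the resource group. The VNet and resource group names are the ones used on this page; the role name, the principal's object ID, and the two read actions (which Get-AzVirtualNetwork and the portal blade need to list the VNets and their peerings) are assumptions. It requires the Az.Resources and Az.Network modules.

```powershell
# Added example (not from the original article): least-privilege custom role for creating peerings.
$operatorObjectId = "00000000-0000-0000-0000-000000000000"   # assumed; replace with the operator's object ID

$hub   = Get-AzVirtualNetwork -Name "Hub-RM"   -ResourceGroupName "HubRG1"
$spoke = Get-AzVirtualNetwork -Name "Spoke-RM" -ResourceGroupName "SpokeRG1"
$subscriptionId = (Get-AzContext).Subscription.Id

# Start from a built-in definition so the object has the right shape, then strip it down.
$role = Get-AzRoleDefinition -Name "Network Contributor"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "VNet Peering Operator"                 # assumed role name
$role.Description = "Create virtual network peerings only (no delete)."

$role.Actions.Clear()
# From the permissions table above: write a peering on the local VNet, be peered with on the remote VNet.
$role.Actions.Add("Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write")
$role.Actions.Add("Microsoft.Network/virtualNetworks/peer")
# Read actions are not in the table; they are assumed here so the operator can enumerate VNets and peerings.
$role.Actions.Add("Microsoft.Network/virtualNetworks/read")
$role.Actions.Add("Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read")
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()

# The role can only be assigned inside this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

$created = New-AzRoleDefinition -Role $role

# Assign at VNet scope on both ends of the peering, nothing broader. Peering the hub to the spoke
# needs .../virtualNetworkPeerings/write on Hub-RM and .../peer on Spoke-RM, and vice versa.
foreach ($vnet in @($hub, $spoke)) {
    New-AzRoleAssignment -ObjectId $operatorObjectId `
        -RoleDefinitionId $created.Id `
        -Scope $vnet.Id | Out-Null
}

# Check the result: which roles does the principal now hold on each VNet?
foreach ($vnet in @($hub, $spoke)) {
    Get-AzRoleAssignment -ObjectId $operatorObjectId -Scope $vnet.Id |
        Select-Object RoleDefinitionName, Scope
}
```

Deleting a peering (Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete) is deliberately left out of the role; add it only if the same operator is expected to tear peerings down.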

Same deployment model

In this scenario, both virtual networks are in the Resource Manager deployment model. Use the following steps to create or update the virtual network peerings to enable gateway transit. Keep two constraints in mind: a virtual network can use a remote gateway on only one of its peerings, and a virtual network that has its own virtual network gateway cannot use a remote gateway.

To add a peering and enable transit

  1. In the Azure portal, create or update the virtual network peering from Hub-RM. Navigate to the Hub-RM virtual network. Select Peerings, then + Add to open Add peering.

  2. On the Add peering page, configure the values for This virtual network.

    • Peering link name: Name the link. Example: HubRMToSpokeRM

    • Traffic to remote virtual network: Allow

    • Traffic forwarded from remote virtual network: Allow

    • Virtual network gateway: Use this virtual network's gateway

      (Screenshot: Add peering, values for this virtual network)

  3. On the same page, continue on to configure the values for the Remote virtual network.

    • Peering link name: Name the link. Example: SpokeRMtoHubRM

    • Deployment model: Resource Manager

    • Virtual network: Spoke-RM

    • Traffic to remote virtual network: Allow

    • Traffic forwarded from remote virtual network: Allow

    • Virtual network gateway: Use the remote virtual network's gateway

      (Screenshot: Add peering, values for the remote virtual network)

  4. Select Add to create the peering.

  5. Verify that the peering status shows Connected on both virtual networks.

To modify an existing peering for transit

If the peering was already created, you can modify it to enable transit.

  1. Navigate to the virtual network. Select Peerings, then select the peering that you want to modify.

    (Screenshot: select the peering to modify)

  2. Update the VNet peering. The values below are for the spoke side, the VNet that will use the hub's gateway; on the hub side, set Virtual network gateway to Use this virtual network's gateway instead.

    • Traffic to remote virtual network: Allow

    • Traffic forwarded from remote virtual network: Allow

    • Virtual network gateway: Use the remote virtual network's gateway

      (Screenshot: modify the peering's gateway setting)

  3. Save the peering settings.

PowerShell sample

You can also use PowerShell to create or update the peerings from the example above. Replace the variables with the names of your virtual networks and resource groups. The -AllowForwardedTraffic switch matches the "Traffic forwarded from remote virtual network: Allow" setting in the portal steps.

# Resource group and VNet names; replace with your own.
$SpokeRG = "SpokeRG1"
$SpokeRM = "Spoke-RM"
$HubRG   = "HubRG1"
$HubRM   = "Hub-RM"

$spokermvnet = Get-AzVirtualNetwork -Name $SpokeRM -ResourceGroupName $SpokeRG
$hubrmvnet   = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG

# Spoke side: use the hub's VPN gateway (portal: "Use the remote virtual network's gateway").
Add-AzVirtualNetworkPeering `
  -Name SpokeRMtoHubRM `
  -VirtualNetwork $spokermvnet `
  -RemoteVirtualNetworkId $hubrmvnet.Id `
  -AllowForwardedTraffic `
  -UseRemoteGateways

# Hub side: offer this VNet's gateway to the spoke (portal: "Use this virtual network's gateway").
Add-AzVirtualNetworkPeering `
  -Name HubRMToSpokeRM `
  -VirtualNetwork $hubrmvnet `
  -RemoteVirtualNetworkId $spokermvnet.Id `
  -AllowForwardedTraffic `
  -AllowGatewayTransit
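Step 5 of the portal procedure says to verify that both peerings show Connected, but for transit the flags on each side matter as well. The following is an added example, not code from the original article, that reads both peering objects and reports every condition that would prevent the spoke from using the hub's gateway: a state other than Connected, a missing AllowGatewayTransit on the hub peering, a missing UseRemoteGateways on the spoke peering, the flags set on the wrong side, or forwarded traffic not allowed. It reuses the variable names from the PowerShell sample above ($HubRG, $HubRM, $SpokeRG, $SpokeRM) and the peering names HubRMToSpokeRM and SpokeRMtoHubRM; the function name is an assumption.

```powershell
# Added example (not from the original article): verify both sides of a hub/spoke transit peering.
function Test-GatewayTransitPeering {
    param(
        [string]$HubRG,   [string]$HubVNet,   [string]$HubPeeringName,
        [string]$SpokeRG, [string]$SpokeVNet, [string]$SpokePeeringName
    )
    $hubPeering   = Get-AzVirtualNetworkPeering -ResourceGroupName $HubRG `
                        -VirtualNetworkName $HubVNet -Name $HubPeeringName
    $spokePeering = Get-AzVirtualNetworkPeering -ResourceGroupName $SpokeRG `
                        -VirtualNetworkName $SpokeVNet -Name $SpokePeeringName

    $problems = @()
    if ($hubPeering.PeeringState -ne "Connected")   { $problems += "hub peering state is $($hubPeering.PeeringState)" }
    if ($spokePeering.PeeringState -ne "Connected") { $problems += "spoke peering state is $($spokePeering.PeeringState)" }
    if (-not $hubPeering.AllowGatewayTransit)       { $problems += "hub peering does not set AllowGatewayTransit" }
    if (-not $spokePeering.UseRemoteGateways)       { $problems += "spoke peering does not set UseRemoteGateways" }
    # The flags belong on opposite sides: the hub offers its gateway, the spoke consumes it.
    if ($hubPeering.UseRemoteGateways)              { $problems += "hub peering sets UseRemoteGateways; the hub should offer its gateway, not use one" }
    if ($spokePeering.AllowGatewayTransit)          { $problems += "spoke peering sets AllowGatewayTransit, but the spoke has no gateway to offer" }
    if (-not $hubPeering.AllowForwardedTraffic -or -not $spokePeering.AllowForwardedTraffic) {
        $problems += "AllowForwardedTraffic is not set on both sides (the portal steps set it to Allow)"
    }

    [pscustomobject]@{
        HubState   = $hubPeering.PeeringState
        SpokeState = $spokePeering.PeeringState
        TransitOK  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$result = Test-GatewayTransitPeering -HubRG $HubRG -HubVNet $HubRM -HubPeeringName "HubRMToSpokeRM" `
                                     -SpokeRG $SpokeRG -SpokeVNet $SpokeRM -SpokePeeringName "SpokeRMtoHubRM"
$result | Format-List
```

For the different-deployment-models scenario later on this page there is only a hub-side peering object, so only the hub half of these checks applies there.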

Different deployment models

In this configuration, the spoke VNet Spoke-Classic is in the classic deployment model and the hub VNet Hub-RM is in the Resource Manager deployment model. When configuring transit between deployment models, the virtual network gateway must be in the Resource Manager VNet, not the classic VNet.

For this configuration, you only need to configure the Hub-RM virtual network. You don't need to configure anything on the Spoke-Classic VNet.

  1. In the Azure portal, navigate to the Hub-RM virtual network, select Peerings, then select + Add.

  2. On the Add peering page, configure the following values:

    • Peering link name: Name the link. Example: HubRMToClassic

    • Traffic to remote virtual network: Allow

    • Traffic forwarded from remote virtual network: Allow

    • Virtual network gateway: Use this virtual network's gateway

    • Remote virtual network: Classic

      (Screenshot: Add peering page for Spoke-Classic)

  3. Verify that the subscription is correct, then select the virtual network from the dropdown.

  4. Select Add to add the peering.

  5. Verify that the peering status shows Connected on the Hub-RM virtual network.

For this configuration, you do not need to configure anything on the Spoke-Classic virtual network. Once the status shows Connected, the spoke virtual network can use the connectivity through the VPN gateway in the hub virtual network.

PowerShell sample

You can also use PowerShell to create or update the peering from the example above. Replace the variables and the subscription ID with the values for your virtual network, resource groups, and subscription. You only need to create the virtual network peering on the hub virtual network; the classic VNet is referenced by its resource ID.

$HubRG   = "HubRG1"
$HubRM   = "Hub-RM"

# Resource ID of the classic spoke VNet. Replace the resource group (Default-Networking) and VNet
# name with your own; set $subscriptionId explicitly if Spoke-Classic is not in the current context's subscription.
$subscriptionId = (Get-AzContext).Subscription.Id
$classicVnetId  = "/subscriptions/$subscriptionId/resourceGroups/Default-Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/Spoke-Classic"

$hubrmvnet = Get-AzVirtualNetwork -Name $HubRM -ResourceGroupName $HubRG

# Hub side only: offer the hub's gateway to the classic spoke (portal: "Use this virtual network's gateway").
Add-AzVirtualNetworkPeering `
  -Name HubRMToClassic `
  -VirtualNetwork $hubrmvnet `
  -RemoteVirtualNetworkId $classicVnetId `
  -AllowForwardedTraffic `
  -AllowGatewayTransit

Next steps