Tutorial: Create and manage a VPN gateway using PowerShell

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You learn how to:

  • Create a VPN gateway
  • View the public IP address
  • Resize a VPN gateway
  • Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

Diagram: VNet and VPN gateway

Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Common network parameter values

Change the values below based on your environment and network setup, then copy and paste them to set the variables for this tutorial.

$RG1         = "TestRG1"
$VNet1       = "VNet1"
$Location1   = "China North"
$FESubnet1   = "FrontEnd"
$BESubnet1   = "Backend"
$GwSubnet1   = "GatewaySubnet"
$VNet1Prefix = "10.1.0.0/16"
$FEPrefix1   = "10.1.0.0/24"
$BEPrefix1   = "10.1.1.0/24"
$GwPrefix1   = "10.1.255.0/27"
$VNet1ASN    = 65010
$DNS1        = "8.8.8.8"
$Gw1         = "VNet1GW"
$GwIP1       = "VNet1GWIP"
$GwIPConf1   = "gwipconf1"
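Before any of the cmdlets below are run, it is worth checking that the address plan in these variables is one Azure will accept: the gateway subnet must be named exactly GatewaySubnet, every subnet must sit inside the VNet address space, and no subnet may overlap the gateway subnet (the tutorial's /27 matches the size Azure recommends as a minimum). The following pre-flight check is an added example, not part of the Microsoft tutorial; the function names Test-GatewayAddressPlan, Get-PrefixRange and ConvertTo-AddressNumber are ours, and it uses only the tutorial's variables and .NET's System.Net.IPAddress, so it runs without an Azure session.

```powershell
# Added example (not part of the Microsoft tutorial): validate the address-plan
# variables above before creating any Azure resources. No Az cmdlets are used.

function ConvertTo-AddressNumber {
    # IPv4 dotted-quad string -> unsigned integer in host order
    param([string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [uint64]$n = 0
    foreach ($b in $bytes) { $n = ($n * 256) + $b }
    return $n
}

function Get-PrefixRange {
    # CIDR prefix -> hashtable with the first/last address numbers and the prefix length
    param([string]$Cidr)
    $ip, $len = $Cidr -split '/'
    $len = [int]$len
    if ($len -lt 1 -or $len -gt 32) { throw "Invalid prefix length in $Cidr" }
    [uint64]$size  = [math]::Pow(2, 32 - $len)
    # Round down to the network address in case the prefix was written with a host address
    [uint64]$first = [math]::Floor((ConvertTo-AddressNumber $ip) / $size) * $size
    return @{ First = $first; Last = $first + $size - 1; Length = $len }
}

function Test-GatewayAddressPlan {
    # Returns a list of problems; an empty list means the plan is deployable.
    param(
        [string]$VNetPrefix,
        [string]$GatewaySubnetName,
        [string]$GatewayPrefix,
        [string[]]$OtherPrefixes
    )
    $problems = @()

    # 1. Azure only treats a subnet named exactly "GatewaySubnet" as the gateway subnet.
    if ($GatewaySubnetName -cne 'GatewaySubnet') {
        $problems += "Gateway subnet must be named 'GatewaySubnet', got '$GatewaySubnetName'"
    }

    $vnet = Get-PrefixRange $VNetPrefix
    $gw   = Get-PrefixRange $GatewayPrefix

    # 2. /27 or larger is the recommended minimum for GatewaySubnet (the tutorial uses /27).
    if ($gw.Length -gt 27) {
        $problems += "GatewaySubnet $GatewayPrefix is smaller than /27"
    }

    foreach ($p in (@($GatewayPrefix) + $OtherPrefixes)) {
        $r = Get-PrefixRange $p
        # 3. Every subnet must lie inside the VNet address space ...
        if ($r.First -lt $vnet.First -or $r.Last -gt $vnet.Last) {
            $problems += "$p lies outside the VNet address space $VNetPrefix"
        }
        # 4. ... and no other subnet may overlap the gateway subnet.
        if ($p -ne $GatewayPrefix -and $r.First -le $gw.Last -and $gw.First -le $r.Last) {
            $problems += "$p overlaps GatewaySubnet $GatewayPrefix"
        }
    }
    return $problems
}

$issues = Test-GatewayAddressPlan -VNetPrefix $VNet1Prefix -GatewaySubnetName $GwSubnet1 `
              -GatewayPrefix $GwPrefix1 -OtherPrefixes $FEPrefix1, $BEPrefix1
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Fix the address plan before deploying"
}
Write-Host "Address plan OK: $GwSubnet1 $GwPrefix1 inside $VNet1Prefix"
```

With the tutorial's default values the check reports no problems; changing $GwSubnet1 to "GwSubnet" or $GwPrefix1 to "10.1.1.0/27" makes it fail before any resource is created, which is cheaper than discovering the mistake after a 45-minute gateway deployment.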

Create a resource group

Create a resource group with the New-AzResourceGroup command. An Azure resource group is a logical container into which Azure resources are deployed and managed. A resource group must be created first. In the following example, a resource group named TestRG1 is created in the China North region:

New-AzResourceGroup -ResourceGroupName $RG1 -Location $Location1

Create a virtual network

Azure VPN gateway provides cross-premises connectivity and P2S VPN server functionality for your virtual network. Add the VPN gateway to an existing virtual network or create a new virtual network and the gateway. This example creates a new virtual network with three subnets, Frontend, Backend, and GatewaySubnet, using New-AzVirtualNetworkSubnetConfig and New-AzVirtualNetwork:

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GwSubnet1 -AddressPrefix $GwPrefix1
$vnet   = New-AzVirtualNetwork `
            -Name $VNet1 `
            -ResourceGroupName $RG1 `
            -Location $Location1 `
            -AddressPrefix $VNet1Prefix `
            -Subnet $fesub1,$besub1,$gwsub1

Request a public IP address for the VPN gateway

Azure VPN gateways communicate with your on-premises VPN devices over the Internet to perform IKE (Internet Key Exchange) negotiation and establish IPsec tunnels. Create and assign a public IP address to your VPN gateway with New-AzPublicIpAddress and New-AzVirtualNetworkGatewayIpConfig, as shown in the example below:

Important

Currently, you can only use a Dynamic public IP address for the gateway. Static IP addresses are not supported on Azure VPN gateways.

$gwpip    = New-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `
              -Location $Location1 -AllocationMethod Dynamic
$subnet   = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
              -VirtualNetwork $vnet
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `
              -Subnet $subnet -PublicIpAddress $gwpip

Create a VPN gateway

A VPN gateway can take 45 minutes or more to create. Once the gateway creation has completed, you can create a connection between your virtual network and another VNet, or between your virtual network and an on-premises location. Create a VPN gateway using the New-AzVirtualNetworkGateway cmdlet.

New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
  -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
  -VpnType RouteBased -GatewaySku VpnGw1

Key parameter values:

  • GatewayType: Use Vpn for site-to-site and VNet-to-VNet connections
  • VpnType: Use RouteBased to interact with a wider range of VPN devices and more routing features
  • GatewaySku: VpnGw1 is the default; change it to VpnGw2 or VpnGw3 if you need higher throughput or more connections. For more information, see Gateway SKUs.

Once the gateway creation has completed, you can create a connection between your virtual network and another VNet, or create a connection between your virtual network and an on-premises location. You can also configure a P2S connection to your VNet from a client computer.
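Because the create takes 45 minutes or more (and a resize 30 to 45 minutes), a script that goes on to create connections needs to know when the gateway is actually ready rather than assume it. The following is an added example, not part of the Microsoft tutorial: the function Wait-VpnGatewayReady is ours and polls the ProvisioningState that Get-AzVirtualNetworkGateway returns; it assumes the tutorial's variables ($Gw1, $RG1, $Location1, $gwipconf, $GwIP1) and an authenticated Az session. The same function can be called after Resize-AzVirtualNetworkGateway in the resize step below.

```powershell
# Added example (not part of the Microsoft tutorial): wait for a VPN gateway to
# finish provisioning instead of guessing when the 45-minute create is done.

function Wait-VpnGatewayReady {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [int]$TimeoutMinutes = 90,   # creation can exceed 45 minutes
        [int]$PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $state = 'NotVisibleYet'
    do {
        # Right after a background create the resource may not be visible yet, so
        # a lookup failure is treated as "still starting", not as an error.
        $gw = Get-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $ResourceGroupName `
                  -ErrorAction SilentlyContinue
        if ($gw) { $state = $gw.ProvisioningState }
        Write-Host ("{0:HH:mm:ss}  {1}  ProvisioningState={2}" -f (Get-Date), $Name, $state)

        if ($state -eq 'Succeeded') { return $gw }
        if ($state -eq 'Failed')    { throw "Gateway $Name provisioning failed" }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutMinutes minutes waiting for $Name (last state: $state)"
}

# Start the create as a background job (-AsJob) so the shell is not blocked,
# then wait on the resource itself rather than on the job.
$job = New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
  -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
  -VpnType RouteBased -GatewaySku VpnGw1 -AsJob

$gateway = Wait-VpnGatewayReady -Name $Gw1 -ResourceGroupName $RG1
$pip     = Get-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1

# Record what was deployed; the SKU and public IP are what a change ticket should carry.
"Gateway {0}: {1}, SKU {2}, public IP {3}" -f $gateway.Name, $gateway.ProvisioningState,
    $gateway.Sku.Name, $pip.IpAddress
Remove-Job $job -ErrorAction SilentlyContinue
```

The loop returns the gateway object on Succeeded, throws on Failed, and throws on timeout, so a calling script cannot accidentally proceed to create connections against a gateway that is still Updating. The public IP is read only after provisioning because a Dynamic address is assigned to the gateway during creation.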

View the gateway public IP address

If you know the name of the public IP address, use Get-AzPublicIpAddress to show the public IP address assigned to the gateway.

If your session timed out, copy the common network parameters from the beginning of this tutorial into your new session, then proceed.

$myGwIp = Get-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1
$myGwIp.IpAddress

Resize a gateway

You can change the VPN gateway SKU after the gateway is created. Different gateway SKUs support different specifications such as throughput, number of connections, and so on. The following example uses Resize-AzVirtualNetworkGateway to resize your gateway from VpnGw1 to VpnGw2. For more information, see Gateway SKUs.

$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
Resize-AzVirtualNetworkGateway -GatewaySku VpnGw2 -VirtualNetworkGateway $gateway

Resizing a VPN gateway also takes about 30 to 45 minutes, although this operation will not interrupt or remove existing connections and configurations.

Reset a gateway

As part of the troubleshooting steps, you can reset your Azure VPN gateway to force the VPN gateway to restart the IPsec/IKE tunnel configurations. Use Reset-AzVirtualNetworkGateway to reset your gateway.

$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway

For more information, see Reset a VPN gateway.
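A reset tears down and re-establishes every IPsec/IKE tunnel on the gateway, so it is worth recording which connections are actually down before issuing it, and re-checking afterwards, rather than resetting blindly. The following is an added example, not part of the Microsoft tutorial: the function Get-VpnGatewayConnectionState is ours, it reads the ConnectionStatus and byte counters that Get-AzVirtualNetworkGatewayConnection returns, and it assumes the tutorial's $Gw1 and $RG1 plus at least one S2S or VNet-to-VNet connection already attached to the gateway.

```powershell
# Added example (not part of the Microsoft tutorial): reset the gateway only when a
# tunnel is down, and capture the connection state before and after for the record.

function Get-VpnGatewayConnectionState {
    param(
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    # List every connection in the resource group and keep those bound to this gateway
    Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id } |
        Select-Object Name, ConnectionType, ConnectionStatus,
            @{ n = 'IngressBytes'; e = { $_.IngressBytesTransferred } },
            @{ n = 'EgressBytes';  e = { $_.EgressBytesTransferred } }
}

$before = @(Get-VpnGatewayConnectionState -GatewayName $Gw1 -ResourceGroupName $RG1)
Write-Host "Connection state before reset:"
$before | Format-Table -AutoSize

# Only tunnels that are not Connected justify disturbing the healthy ones.
$down = @($before | Where-Object { $_.ConnectionStatus -ne 'Connected' })
if ($down.Count -eq 0) {
    Write-Host "All $($before.Count) connection(s) report Connected; no reset issued."
} else {
    Write-Host ("{0} connection(s) not Connected: {1}" -f $down.Count, ($down.Name -join ', '))
    $gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
    Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway

    # The tunnels have to re-negotiate IKE/IPsec with the remote side after the reset,
    # so wait a few minutes before reading the state again.
    Start-Sleep -Seconds 300
    Write-Host "Connection state after reset:"
    Get-VpnGatewayConnectionState -GatewayName $Gw1 -ResourceGroupName $RG1 | Format-Table -AutoSize
}
```

If a connection is still not Connected after the reset, the fault is usually on the remote side or in the connection's own settings (shared key, IKE/IPsec policy, peer address), and a second reset will not help; the before/after tables give you the evidence to say so.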

Clean up resources

If you are advancing to the next tutorial, you will want to keep these resources because they are prerequisites.

However, if the gateway is part of a prototype, test, or proof-of-concept deployment, you can use the Remove-AzResourceGroup command to remove the resource group, the VPN gateway, and all related resources.

Remove-AzResourceGroup -Name $RG1

Next steps

In this tutorial, you learned about basic VPN gateway creation and management, such as how to:

  • Create a VPN gateway
  • View the public IP address
  • Resize a VPN gateway
  • Reset a VPN gateway

Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.