Tutorial: Create and manage a VPN gateway using PowerShell

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You learn how to:

  • Create a VPN gateway
  • View the public IP address
  • Resize a VPN gateway
  • Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

[Diagram: VNet and VPN gateway]

Working with Azure PowerShell

You can install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you have not installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Common network parameter values

Below are the parameter values used for this tutorial. In the examples, the variables translate to the following:

#$RG1         = The name of the resource group
#$VNet1       = The name of the virtual network
#$Location1   = The location region
#$FESubnet1   = The name of the first subnet
#$BESubnet1   = The name of the second subnet
#$VNet1Prefix = The address range for the virtual network
#$FEPrefix1   = Addresses for the first subnet
#$BEPrefix1   = Addresses for the second subnet
#$GwPrefix1   = Addresses for the GatewaySubnet
#$VNet1ASN    = ASN for the virtual network
#$DNS1        = The IP address of the DNS server you want to use for name resolution
#$Gw1         = The name of the virtual network gateway
#$GwIP1       = The public IP address for the virtual network gateway
#$GwIPConf1   = The name of the IP configuration

Change the values below based on your environment and network setup, then copy and paste to set the variables for this tutorial.

$RG1         = "TestRG1"
$VNet1       = "VNet1"
$Location1   = "China North"
$FESubnet1   = "FrontEnd"
$BESubnet1   = "Backend"
$VNet1Prefix = "10.1.0.0/16"
$FEPrefix1   = "10.1.0.0/24"
$BEPrefix1   = "10.1.1.0/24"
$GwPrefix1   = "10.1.255.0/27"
$VNet1ASN    = 65010
$DNS1        = "8.8.8.8"
$Gw1         = "VNet1GW"
$GwIP1       = "VNet1GWIP"
$GwIPConf1   = "gwipconf1"

Create a resource group

Create a resource group with the New-AzResourceGroup command. An Azure resource group is a logical container into which Azure resources are deployed and managed. A resource group must be created first. In the following example, a resource group named TestRG1 is created in the China North region:

New-AzResourceGroup -ResourceGroupName $RG1 -Location $Location1

Create a virtual network

Azure VPN gateway provides cross-premises connectivity and P2S VPN server functionality for your virtual network. Add the VPN gateway to an existing virtual network or create a new virtual network and the gateway. Notice that the example specifies the name of the gateway subnet explicitly. You must always name the gateway subnet "GatewaySubnet" in order for the gateway to function properly. This example creates a new virtual network with three subnets: Frontend, Backend, and GatewaySubnet, using New-AzVirtualNetworkSubnetConfig and New-AzVirtualNetwork:

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix $GwPrefix1
$vnet   = New-AzVirtualNetwork `
            -Name $VNet1 `
            -ResourceGroupName $RG1 `
            -Location $Location1 `
            -AddressPrefix $VNet1Prefix `
            -Subnet $fesub1,$besub1,$gwsub1
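Before spending 45 minutes or more on a gateway deployment, it is worth confirming that the gateway subnet is actually usable. The following check is an added example, not part of the original tutorial; it only relies on the $RG1 and $VNet1 variables defined above and on the PSSubnet properties returned by Get-AzVirtualNetwork.

```powershell
# Added example (not from the original tutorial): sanity-check the gateway subnet
# before creating the gateway. Re-fetches the VNet so it also works in a new session.
$vnet = Get-AzVirtualNetwork -Name $VNet1 -ResourceGroupName $RG1

# The subnet must be named exactly "GatewaySubnet"; -ceq makes the check case-sensitive.
$gwsub = $vnet.Subnets | Where-Object { $_.Name -ceq 'GatewaySubnet' }
if (-not $gwsub) {
    throw "VNet '$VNet1' has no subnet named exactly 'GatewaySubnet'. Found: $($vnet.Subnets.Name -join ', ')"
}

# A /27 or larger is recommended so that later SKU changes and configurations still fit.
$prefixLength = [int]($gwsub.AddressPrefix[0] -split '/')[1]
if ($prefixLength -gt 27) {
    Write-Warning "GatewaySubnet is /$prefixLength; a /27 or larger is recommended."
}

# The gateway needs the subnet to itself: an attached NSG or route table is a common
# cause of a gateway that deploys but never passes traffic.
if ($gwsub.NetworkSecurityGroup -or $gwsub.RouteTable) {
    Write-Warning "GatewaySubnet has an NSG or route table attached; remove it unless you know it is supported."
}

"GatewaySubnet OK: $($gwsub.AddressPrefix[0]) (id: $($gwsub.Id))"
```

Run this right after New-AzVirtualNetwork; a thrown error here costs seconds, whereas the same mistake discovered after New-AzVirtualNetworkGateway costs a redeploy.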

Request a public IP address for the VPN gateway

Azure VPN gateways communicate with your on-premises VPN devices over the Internet to perform IKE (Internet Key Exchange) negotiation and establish IPsec tunnels. Create and assign a public IP address to your VPN gateway as shown in the example below with New-AzPublicIpAddress and New-AzVirtualNetworkGatewayIpConfig:

Important

Currently, you can only use a Dynamic public IP address for the gateway. Static public IP addresses are not supported on Azure VPN gateways.

$gwpip    = New-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `
              -Location $Location1 -AllocationMethod Dynamic
$subnet   = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
              -VirtualNetwork $vnet
$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `
              -Subnet $subnet -PublicIpAddress $gwpip

Create a VPN gateway

A VPN gateway can take 45 minutes or more to create. Once the gateway creation has completed, you can create a connection between your virtual network and another VNet, or between your virtual network and an on-premises location. Create a VPN gateway using the New-AzVirtualNetworkGateway cmdlet.

New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
  -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
  -VpnType RouteBased -GatewaySku VpnGw1

Key parameter values:

  • GatewayType: Use Vpn for site-to-site and VNet-to-VNet connections
  • VpnType: Use RouteBased to interact with a wider range of VPN devices and more routing features
  • GatewaySku: VpnGw1 is the default; change it to another VpnGw SKU if you need higher throughput or more connections. For more information, see Gateway SKUs.

Once the gateway creation has completed, you can create a connection between your virtual network and another VNet, or create a connection between your virtual network and an on-premises location. You can also configure a P2S connection to your VNet from a client computer.
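Because the deployment runs for 45 minutes or more, a synchronous call ties up the session and is lost if the session times out. The following is an added example, not part of the original tutorial: it submits the same New-AzVirtualNetworkGateway call as a background job with -AsJob, polls the provisioning state, surfaces any deployment error, and confirms that the gateway came up with the type, VPN type and SKU that were requested. It reuses $Gw1, $RG1, $Location1 and $gwipconf from the steps above, and is meant to replace the synchronous call, not to run after it.

```powershell
# Added example (not from the original tutorial): create the gateway as a job and
# poll until it is provisioned. Uses the tutorial's own variables and $gwipconf.
$job = New-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
         -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
         -VpnType RouteBased -GatewaySku VpnGw1 -AsJob

# Poll every two minutes. The resource is not visible until ARM has accepted it,
# so the first lookups may return nothing; -ErrorAction SilentlyContinue covers that.
while ($job.State -eq 'Running') {
    $gw = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 -ErrorAction SilentlyContinue
    "$(Get-Date -Format u)  job=$($job.State)  provisioning=$($gw.ProvisioningState)"
    Start-Sleep -Seconds 120
}

# Receive-Job rethrows a failed deployment; without it a failure is silently dropped.
Receive-Job -Job $job -ErrorAction Stop | Out-Null

# Verify the result matches what was requested before building connections on it.
$gw = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
if ($gw.ProvisioningState -ne 'Succeeded') {
    throw "Gateway provisioning ended in state '$($gw.ProvisioningState)'"
}
if ($gw.GatewayType -ne 'Vpn' -or $gw.VpnType -ne 'RouteBased') {
    throw "Unexpected gateway type: $($gw.GatewayType)/$($gw.VpnType)"
}
if ($gw.Sku.Name -ne 'VpnGw1') {
    throw "Unexpected SKU: $($gw.Sku.Name)"
}

$gw | Select-Object Name, GatewayType, VpnType, ProvisioningState, @{ n = 'Sku'; e = { $_.Sku.Name } }
```

If the session does drop while the job is running, the deployment itself continues in Azure; re-run the Get-AzVirtualNetworkGateway checks from a new session after restoring the variables from the parameter section.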

View the gateway public IP address

If you know the name of the public IP address, use Get-AzPublicIpAddress to show the public IP address assigned to the gateway.

If your session timed out, copy the common network parameters from the beginning of this tutorial into your new session, then proceed.

$myGwIp = Get-AzPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1
$myGwIp.IpAddress

Resize a gateway

You can change the VPN gateway SKU after the gateway is created. Different gateway SKUs support different specifications such as throughput, number of connections, and so on. The following example uses Resize-AzVirtualNetworkGateway to resize your gateway from VpnGw1 to VpnGw2. For more information, see Gateway SKUs.

$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
Resize-AzVirtualNetworkGateway -GatewaySku VpnGw2 -VirtualNetworkGateway $gateway

Resizing a VPN gateway also takes about 30 to 45 minutes, but this operation does not interrupt or remove existing connections and configurations.

Reset a gateway

As part of the troubleshooting steps, you can reset your Azure VPN gateway to force the VPN gateway to restart the IPsec/IKE tunnel configurations. Use Reset-AzVirtualNetworkGateway to reset your gateway.

$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway

For more information, see Reset a VPN gateway.
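Both the resize and the reset sections above make a claim you will want to verify in practice: that a resize leaves existing connections in place, and that a reset brings the tunnels back after they renegotiate. The following is an added example, not part of the original tutorial, serving both sections. It defines a small helper that snapshots the status of every connection attached to the gateway, then uses it around the Resize-AzVirtualNetworkGateway call and again after Reset-AzVirtualNetworkGateway. It assumes only $Gw1 and $RG1 from the parameter section; the connection names are whatever already exists in your resource group (if you have only followed this tutorial so far there are none, and the checks pass trivially).

```powershell
# Added example (not from the original tutorial): snapshot the live status of all
# connections on the gateway, then use it to verify a resize and a reset.
function Get-GatewayConnectionState {
    param([string]$GatewayName, [string]$ResourceGroupName)
    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id } |
        ForEach-Object {
            # Fetch each connection by name so ConnectionStatus reflects the live tunnel state.
            $c = Get-AzVirtualNetworkGatewayConnection -Name $_.Name -ResourceGroupName $ResourceGroupName
            [pscustomobject]@{
                Name    = $c.Name
                Status  = $c.ConnectionStatus
                Ingress = $c.IngressBytesTransferred
                Egress  = $c.EgressBytesTransferred
            }
        }
}

# --- Resize: record connections, resize only if the SKU actually differs, compare afterwards ---
$before  = @(Get-GatewayConnectionState -GatewayName $Gw1 -ResourceGroupName $RG1)
$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
if ($gateway.Sku.Name -ne 'VpnGw2') {
    Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -GatewaySku VpnGw2 | Out-Null
}
$after   = @(Get-GatewayConnectionState -GatewayName $Gw1 -ResourceGroupName $RG1)
$missing = $before | Where-Object { $_.Name -notin $after.Name }
if ($missing) { throw "Connections missing after resize: $($missing.Name -join ', ')" }
"Resize complete; $($after.Count) connection(s) still present."

# --- Reset: the gateway restarts and tunnels renegotiate; wait (up to 15 min) for them to return ---
$gateway = Get-AzVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway | Out-Null
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 60
    $state = @(Get-GatewayConnectionState -GatewayName $Gw1 -ResourceGroupName $RG1)
    $state | Format-Table -AutoSize | Out-String | Write-Host
    $notUp = @($state | Where-Object { $_.Status -ne 'Connected' })
} until ($notUp.Count -eq 0 -or (Get-Date) -gt $deadline)
if ($notUp.Count -gt 0) { throw "Still not connected after reset: $($notUp.Name -join ', ')" }
```

The byte counters in the snapshot are useful after a reset: a connection that reports Connected but whose Ingress value stops growing usually points to a policy or routing mismatch on the on-premises device rather than at the gateway.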

Clean up resources

If you're advancing to the next tutorial, you will want to keep these resources because they are the prerequisites.

However, if the gateway is part of a prototype, test, or proof-of-concept deployment, you can use the Remove-AzResourceGroup command to remove the resource group, the VPN gateway, and all related resources.

Remove-AzResourceGroup -Name $RG1

Next steps

In this tutorial, you learned about basic VPN gateway creation and management, such as how to:

  • Create a VPN gateway
  • View the public IP address
  • Resize a VPN gateway
  • Reset a VPN gateway

Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.