Configure a VNet-to-VNet VPN gateway connection using PowerShell

This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks can be in the same or different regions.

The steps in this article apply to the Resource Manager deployment model and use PowerShell. You can also create this configuration using a different deployment tool or deployment model by selecting a different option from the following list:

About connecting VNets

There are multiple ways to connect VNets. The sections below describe different ways to connect virtual networks.

VNet-to-VNet

Configuring a VNet-to-VNet connection is a good way to easily connect VNets. Connecting a virtual network to another virtual network using the VNet-to-VNet connection type (VNet2VNet) is similar to creating a Site-to-Site IPsec connection to an on-premises location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE, and both function the same way when communicating. The difference between the connection types is the way the local network gateway is configured. When you create a VNet-to-VNet connection, you do not see the local network gateway address space. It is automatically created and populated. If you update the address space for one VNet, the other VNet automatically knows to route to the updated address space. Creating a VNet-to-VNet connection is typically faster and easier than creating a Site-to-Site connection between VNets.

Site-to-Site (IPsec)

If you are working with a complicated network configuration, you may prefer to connect your VNets using the Site-to-Site steps, instead of the VNet-to-VNet steps. When you use the Site-to-Site steps, you create and configure the local network gateways manually. The local network gateway for each VNet treats the other VNet as a local site. This lets you specify additional address space for the local network gateway in order to route traffic. If the address space for a VNet changes, you need to update the corresponding local network gateway to reflect the change. It does not automatically update.

VNet peering

You may want to consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway and has different constraints. Additionally, VNet peering pricing is calculated differently than VNet-to-VNet VPN Gateway pricing. For more information, see VNet peering.

Why create a VNet-to-VNet connection?

You may want to connect virtual networks using a VNet-to-VNet connection for the following reasons:

  • Cross region geo-redundancy and geo-presence

    • You can set up your own geo-replication or synchronization with secure connectivity without going over Internet-facing endpoints.
    • With Azure Traffic Manager and Load Balancer, you can set up highly available workloads with geo-redundancy across multiple Azure regions. One important example is to set up SQL Always On with Availability Groups spreading across multiple Azure regions.
  • Regional multi-tier applications with isolation or administrative boundary

    • Within the same region, you can set up multi-tier applications with multiple virtual networks connected together due to isolation or administrative requirements.

VNet-to-VNet communication can be combined with multi-site configurations. This lets you establish network topologies that combine cross-premises connectivity with inter-virtual network connectivity.

Which VNet-to-VNet steps should I use?

The steps for this configuration use TestVNet1 and TestVNet4.

v2v diagram

How to connect VNets that are in the same subscription

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If you would rather install the latest version of the Azure PowerShell module locally, see How to install and configure Azure PowerShell.

Step 1 - Plan your IP address ranges

In the following steps, you create two virtual networks along with their respective gateway subnets and configurations. You then create a VPN connection between the two VNets. It's important to plan the IP address ranges for your network configuration. Keep in mind that you must make sure that none of your VNet ranges or local network ranges overlap in any way. In these examples, we do not include a DNS server. If you want name resolution for your virtual networks, see Name resolution.

We use the following values in the examples:

Values for TestVNet1:

  • VNet Name: TestVNet1
  • Resource Group: TestRG1
  • Location: China North
  • TestVNet1: 10.11.0.0/16 & 10.12.0.0/16
  • FrontEnd: 10.11.0.0/24
  • BackEnd: 10.12.0.0/24
  • GatewaySubnet: 10.12.255.0/27
  • GatewayName: VNet1GW
  • Public IP: VNet1GWIP
  • VPNType: RouteBased
  • Connection(1to4): VNet1toVNet4
  • ConnectionType: VNet2VNet

Values for TestVNet4:

  • VNet Name: TestVNet4
  • TestVNet2: 10.41.0.0/16 & 10.42.0.0/16
  • FrontEnd: 10.41.0.0/24
  • BackEnd: 10.42.0.0/24
  • GatewaySubnet: 10.42.255.0/27
  • Resource Group: TestRG4
  • Location: China North
  • GatewayName: VNet4GW
  • Public IP: VNet4GWIP
  • VPNType: RouteBased
  • Connection: VNet4toVNet1
  • ConnectionType: VNet2VNet
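
The overlap rule from Step 1 can be checked before any resource is created. The following is an added example, not part of the original article: `ConvertTo-CidrRange` and `Test-CidrOverlap` are hypothetical helper names, only IPv4 is handled, and the on-premises range is constructed to show a collision with the article's TestVNet1 prefix.

```powershell
# Added example (not from the original article). ConvertTo-CidrRange and
# Test-CidrOverlap are hypothetical helper names; IPv4 only.

function ConvertTo-CidrRange {
    param([Parameter(Mandatory)][string]$Cidr)

    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }
    $length = [int]$parts[1]
    if ($length -lt 0 -or $length -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    $octets = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    if ($octets.Length -ne 4) { throw "Only IPv4 is handled here: '$Cidr'" }

    # Fold the four octets into one 64-bit integer (avoids signed 32-bit wraparound).
    [long]$ip = 0
    foreach ($o in $octets) { $ip = ($ip * 256) + $o }

    [long]$size  = [long]1 -shl (32 - $length)
    [long]$start = $ip - ($ip % $size)          # clear any host bits
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # $Plan maps a network name to one or more CIDR prefixes.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Plan)

    $ranges = @(foreach ($name in $Plan.Keys) {
        foreach ($cidr in $Plan[$name]) {
            ConvertTo-CidrRange -Cidr $cidr |
                Add-Member -NotePropertyName Owner -NotePropertyValue $name -PassThru
        }
    })

    # Two ranges overlap when each one starts before the other ends.
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{
                    First  = "$($a.Owner) $($a.Cidr)"
                    Second = "$($b.Owner) $($b.Cidr)"
                }
            }
        }
    }
}

# Address plan from Step 1, plus one constructed on-premises range that collides.
$plan = [ordered]@{
    TestVNet1              = '10.11.0.0/16', '10.12.0.0/16'
    TestVNet4              = '10.41.0.0/16', '10.42.0.0/16'
    'OnPrem (constructed)' = '10.12.128.0/17'
}

$conflicts = @(Test-CidrOverlap -Plan $plan)
foreach ($c in $conflicts) { Write-Warning "Overlap: $($c.First) <-> $($c.Second)" }
if ($conflicts.Count -eq 0) { 'No overlapping ranges in the address plan.' }
```

With the constructed on-premises entry removed, the plan from Step 1 reports no overlaps.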

Step 2 - Create and configure TestVNet1

  1. Verify your subscription settings.

    Connect to your account.

    Connect-AzAccount -Environment AzureChinaCloud
    

    Check the subscriptions for the account.

    Get-AzSubscription
    

    If you have more than one subscription, specify the subscription that you want to use.

    Select-AzSubscription -SubscriptionName nameofsubscription
    
  2. Declare your variables. This example declares the variables using the values for this exercise. In most cases, you should replace the values with your own. However, you can use these variables if you are running through the steps to become familiar with this type of configuration. Modify the variables if needed, then copy and paste them into your PowerShell console.

    $RG1 = "TestRG1"
    $Location1 = "China North"
    $VNetName1 = "TestVNet1"
    $FESubName1 = "FrontEnd"
    $BESubName1 = "Backend"
    $VNetPrefix11 = "10.11.0.0/16"
    $VNetPrefix12 = "10.12.0.0/16"
    $FESubPrefix1 = "10.11.0.0/24"
    $BESubPrefix1 = "10.12.0.0/24"
    $GWSubPrefix1 = "10.12.255.0/27"
    $GWName1 = "VNet1GW"
    $GWIPName1 = "VNet1GWIP"
    $GWIPconfName1 = "gwipconf1"
    $Connection14 = "VNet1toVNet4"
    $Connection15 = "VNet1toVNet5"
    
  3. Create a resource group.

    New-AzResourceGroup -Name $RG1 -Location $Location1
    
  4. Create the subnet configurations for TestVNet1. This example creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails. For this reason, it is not assigned via variable below.

    The following example uses the variables that you set earlier. In this example, the gateway subnet is using a /27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at least /28 or /27. This will allow for enough addresses to accommodate possible additional configurations that you may want in the future.

    $fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
    $besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
    $gwsub1 = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $GWSubPrefix1
    
  5. Create TestVNet1.

    New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 `
    -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1
    
  6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.

    $gwpip1 = New-AzPublicIpAddress -Name $GWIPName1 -ResourceGroupName $RG1 `
    -Location $Location1 -AllocationMethod Dynamic
    
  7. Create the gateway configuration. The gateway configuration defines the subnet and the public IP address to use. Use the example to create your gateway configuration.

    $vnet1 = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
    $subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
    $gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName1 `
    -Subnet $subnet1 -PublicIpAddress $gwpip1
    
  8. Create the gateway for TestVNet1. In this step, you create the virtual network gateway for your TestVNet1. VNet-to-VNet configurations require a RouteBased VpnType. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

    New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 `
    -Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1
    

After you finish the commands, it will take up to 45 minutes to create this gateway.

Step 3 - Create and configure TestVNet4

Once you've configured TestVNet1, create TestVNet4. Follow the steps below, replacing the values with your own when needed.

  1. Connect and declare your variables. Be sure to replace the values with the ones that you want to use for your configuration.

    $RG4 = "TestRG4"
    $Location4 = "China North"
    $VnetName4 = "TestVNet4"
    $FESubName4 = "FrontEnd"
    $BESubName4 = "Backend"
    $VnetPrefix41 = "10.41.0.0/16"
    $VnetPrefix42 = "10.42.0.0/16"
    $FESubPrefix4 = "10.41.0.0/24"
    $BESubPrefix4 = "10.42.0.0/24"
    $GWSubPrefix4 = "10.42.255.0/27"
    $GWName4 = "VNet4GW"
    $GWIPName4 = "VNet4GWIP"
    $GWIPconfName4 = "gwipconf4"
    $Connection41 = "VNet4toVNet1"
    
  2. Create a resource group.

    New-AzResourceGroup -Name $RG4 -Location $Location4
    
  3. Create the subnet configurations for TestVNet4.

    $fesub4 = New-AzVirtualNetworkSubnetConfig -Name $FESubName4 -AddressPrefix $FESubPrefix4
    $besub4 = New-AzVirtualNetworkSubnetConfig -Name $BESubName4 -AddressPrefix $BESubPrefix4
    $gwsub4 = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $GWSubPrefix4
    
  4. Create TestVNet4.

    New-AzVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4 `
    -Location $Location4 -AddressPrefix $VnetPrefix41,$VnetPrefix42 -Subnet $fesub4,$besub4,$gwsub4
    
  5. Request a public IP address.

    $gwpip4 = New-AzPublicIpAddress -Name $GWIPName4 -ResourceGroupName $RG4 `
    -Location $Location4 -AllocationMethod Dynamic
    
  6. Create the gateway configuration.

    $vnet4 = Get-AzVirtualNetwork -Name $VnetName4 -ResourceGroupName $RG4
    $subnet4 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet4
    $gwipconf4 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName4 -Subnet $subnet4 -PublicIpAddress $gwpip4
    
  7. Create the TestVNet4 gateway. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

    New-AzVirtualNetworkGateway -Name $GWName4 -ResourceGroupName $RG4 `
    -Location $Location4 -IpConfigurations $gwipconf4 -GatewayType Vpn `
    -VpnType RouteBased -GatewaySku VpnGw1
    

Step 4 - Create the connections

Wait until both gateways are completed.

  1. Get both virtual network gateways.

    $vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
    $vnet4gw = Get-AzVirtualNetworkGateway -Name $GWName4 -ResourceGroupName $RG4
    
  2. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to TestVNet4. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.

    New-AzVirtualNetworkGatewayConnection -Name $Connection14 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet4gw -Location $Location1 `
    -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
    
  3. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. The connection will be established after a few minutes.

    New-AzVirtualNetworkGatewayConnection -Name $Connection41 -ResourceGroupName $RG4 `
    -VirtualNetworkGateway1 $vnet4gw -VirtualNetworkGateway2 $vnet1gw -Location $Location4 `
    -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
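
The shared key in steps 2 and 3 is the IPsec/IKE pre-shared key, so in practice it should be random rather than a literal copied from documentation. The following is an added example, not part of the original article, that generates one key and uses it for both directions; it assumes the variables from Steps 2 to 4 are still in the session and that a 64-character hexadecimal string is acceptable as the shared key.

```powershell
# Added example (not from the original article).
# Assumes $vnet1gw, $vnet4gw, $Connection14, $Connection41, $RG1, $RG4,
# $Location1 and $Location4 are set as in the steps above.

# 32 bytes from the OS cryptographic RNG, hex-encoded to 64 characters.
$bytes = [byte[]]::new(32)
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try     { $rng.GetBytes($bytes) }
finally { $rng.Dispose() }
$sharedKey = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# Parameters that must be identical on both connections.
$common = @{ ConnectionType = 'Vnet2Vnet'; SharedKey = $sharedKey }

New-AzVirtualNetworkGatewayConnection -Name $Connection14 -ResourceGroupName $RG1 `
    -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet4gw `
    -Location $Location1 @common

New-AzVirtualNetworkGatewayConnection -Name $Connection41 -ResourceGroupName $RG4 `
    -VirtualNetworkGateway1 $vnet4gw -VirtualNetworkGateway2 $vnet1gw `
    -Location $Location4 @common

# Read both keys back and compare them without printing either one.
$k14 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $Connection14 -ResourceGroupName $RG1
$k41 = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $Connection41 -ResourceGroupName $RG4
if ($k14 -cne $k41) { throw 'Shared keys differ between the two connections.' }

# Drop the key material from the session once both sides are configured.
Remove-Variable sharedKey, common, k14, k41, bytes
```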
    

How to verify a connection

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your Virtual Network gateway (VPN, ExpressRoute gateway) to stop functioning as expected. For more information about network security groups, see What is a network security group?

You can verify that your connection succeeded by using the 'Get-AzVirtualNetworkGatewayConnection' cmdlet, with or without '-Debug'.

  1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.

    Get-AzVirtualNetworkGatewayConnection -Name VNet1toSite1 -ResourceGroupName TestRG1
    
  2. After the cmdlet has finished, view the values. In the example below, the connection status shows as 'Connected' and you can see ingress and egress bytes.

    "connectionStatus": "Connected",
    "ingressBytesTransferred": 33509044,
    "egressBytesTransferred": 4142431
    

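The verification above checks one connection once. The following is an added example, not part of the original article, that polls both directions until they report 'Connected' and also checks the gateway subnets for an associated NSG, as the Important note advises against; `Wait-V2VConnection` is a hypothetical helper name and the variables are assumed to be set as in Steps 2 and 3.

```powershell
# Added example (not from the original article). Wait-V2VConnection is a
# hypothetical helper name; variables come from Steps 2 and 3.

function Wait-V2VConnection {
    param(
        # Each entry: @{ Name = <connection name>; ResourceGroupName = <group> }
        [Parameter(Mandatory)][hashtable[]]$Connections,
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds    = 30
    )

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $report = foreach ($c in $Connections) {
            $conn = Get-AzVirtualNetworkGatewayConnection @c
            [pscustomobject]@{
                Name         = $conn.Name
                Status       = $conn.ConnectionStatus
                IngressBytes = $conn.IngressBytesTransferred
                EgressBytes  = $conn.EgressBytesTransferred
            }
        }
        $pending = @($report | Where-Object Status -ne 'Connected')
        if ($pending.Count -eq 0) { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    $report    # last observed state of every connection
}

$report = Wait-V2VConnection -Connections @(
    @{ Name = $Connection14; ResourceGroupName = $RG1 },
    @{ Name = $Connection41; ResourceGroupName = $RG4 }
)
$report | Format-Table -AutoSize

foreach ($r in $report | Where-Object Status -ne 'Connected') {
    Write-Warning "$($r.Name) is '$($r.Status)'; check that the shared keys match on both sides."
}

# Flag any NSG attached to a GatewaySubnet (see the Important note above).
foreach ($v in @{ Name = $VNetName1; ResourceGroupName = $RG1 },
               @{ Name = $VnetName4; ResourceGroupName = $RG4 }) {
    $vnet     = Get-AzVirtualNetwork @v
    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    if ($gwSubnet.NetworkSecurityGroup) {
        Write-Warning "$($v.Name): GatewaySubnet has NSG $($gwSubnet.NetworkSecurityGroup.Id)"
    }
}
```
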
VNet-to-VNet FAQ

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free for both directions when you use a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on the source regions. For more information, see the VPN Gateway pricing page. If you're connecting your VNets by using VNet peering instead of a VPN gateway, see Virtual network pricing.

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across Azure Active Directory (AAD) tenants?

Yes, VNet-to-VNet connections that use Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

If the VNets aren't in the same subscription, do the subscriptions need to be associated with the same Active Directory tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t create a connection between global Azure and Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN connection for these scenarios.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span VNets?

No. A cloud service or a load-balancing endpoint can't span across virtual networks, even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST use route-based (previously called dynamic routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Next steps