VPN Gateway FAQ

Connecting to virtual networks

Can I connect virtual networks in different Azure regions?

Yes. In fact, there is no region constraint. One virtual network can connect to another virtual network in the same region, or in a different Azure region.

Can I connect virtual networks in different subscriptions?

Yes.

Can I connect to multiple sites from a single virtual network?

You can connect to multiple sites by using Windows PowerShell and the Azure REST APIs. See the Multi-Site and VNet-to-VNet Connectivity FAQ section.

Is there an additional cost for setting up a VPN gateway as active-active?

No.

What are my cross-premises connection options?

The following cross-premises connections are supported:

  • Site-to-Site - VPN connection over IPsec (IKEv1 and IKEv2). This type of connection requires a VPN device or RRAS. For more information, see Site-to-Site.
  • Point-to-Site - VPN connection over SSTP (Secure Socket Tunneling Protocol) or IKEv2. This connection does not require a VPN device. For more information, see Point-to-Site.
  • VNet-to-VNet - This type of connection is the same as a Site-to-Site configuration. VNet-to-VNet is a VPN connection over IPsec (IKEv1 and IKEv2). It does not require a VPN device. For more information, see VNet-to-VNet.
  • Multi-Site - This is a variation of a Site-to-Site configuration that allows you to connect multiple on-premises sites to a virtual network. For more information, see Multi-Site.
  • ExpressRoute - ExpressRoute is a private connection to Azure from your WAN, not a VPN connection over the public Internet. For more information, see the ExpressRoute Technical Overview and the ExpressRoute FAQ.

For more information about VPN gateway connections, see About VPN Gateway.

What is the difference between a Site-to-Site connection and Point-to-Site?

Site-to-Site (IPsec/IKE VPN tunnel) configurations are between your on-premises location and Azure. This means that you can connect from any of your computers located on your premises to any virtual machine or role instance within your virtual network, depending on how you choose to configure routing and permissions. It's a great option for an always-available cross-premises connection and is well-suited for hybrid configurations. This type of connection relies on an IPsec VPN appliance (hardware device or soft appliance), which must be deployed at the edge of your network. To create this type of connection, you must have an externally facing IPv4 address.

Point-to-Site (VPN over SSTP or IKEv2) configurations let you connect from a single computer from anywhere to anything located in your virtual network. It uses the VPN client built into the operating system. As part of the Point-to-Site configuration, you install a certificate and a VPN client configuration package, which contains the settings that allow your computer to connect to any virtual machine or role instance within the virtual network. It's great when you want to connect to a virtual network, but aren't located on-premises. It's also a good option when you don't have access to VPN hardware or an externally facing IPv4 address, both of which are required for a Site-to-Site connection.

You can configure your virtual network to use both Site-to-Site and Point-to-Site concurrently, as long as you create your Site-to-Site connection using a route-based VPN type for your gateway. Route-based VPN types are called dynamic gateways in the classic deployment model.

Virtual network gateways

Is a VPN gateway a virtual network gateway?

A VPN gateway is a type of virtual network gateway. A VPN gateway sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks. When you create a VPN gateway, you use the -GatewayType value 'Vpn'. For more information, see About VPN Gateway configuration settings.

What is a policy-based (static-routing) gateway?

Policy-based gateways implement policy-based VPNs. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the combinations of address prefixes between your on-premises network and the Azure VNet. The policy (or traffic selector) is usually defined as an access list in the VPN configuration.

What is a route-based (dynamic-routing) gateway?

Route-based gateways implement route-based VPNs. Route-based VPNs use "routes" in the IP forwarding or routing table to direct packets into their corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the tunnels. The policy or traffic selector for route-based VPNs is configured as any-to-any (or wildcards).

Can I update my policy-based VPN gateway to route-based?

No. An Azure VNet gateway type cannot be changed from policy-based to route-based or the other way. The gateway must be deleted and recreated, a process taking around 60 minutes. Neither the public IP address of the gateway nor the pre-shared key (PSK) is preserved, so the on-premises VPN device has to be reconfigured with the new values afterwards.

  1. Delete any connections associated with the gateway to be deleted.
  2. Delete the gateway (Azure portal, Azure PowerShell, or Azure PowerShell - classic).
  3. Create a new gateway of the desired type and complete the VPN setup.
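The three steps above as one Az PowerShell script, added here as an example; it is not from the Azure documentation. The resource group, VNet, gateway, local network gateway and connection names (TestRG1, VNet1, VNet1GW, Site1, VNet1toSite1), the region and the VpnGw1 SKU are placeholders, and the script assumes the Az module is installed, Connect-AzAccount has already run, and the Site-to-Site connection is the only one that used the old gateway.

```powershell
# Added example: replace a policy-based VPN gateway with a route-based one.
# All names below are placeholders for this example.
$rg   = "TestRG1"
$vnet = "VNet1"
$gw   = "VNet1GW"
$loc  = "East US"

# 1. Delete every connection that still references the gateway; the gateway
#    cannot be removed while a connection points at it.
$gateway = Get-AzVirtualNetworkGateway -Name $gw -ResourceGroupName $rg
Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rg |
    Where-Object { $_.VirtualNetworkGateway1.Id -eq $gateway.Id -or
                   $_.VirtualNetworkGateway2.Id -eq $gateway.Id } |
    ForEach-Object {
        Write-Host "Removing connection $($_.Name)"
        Remove-AzVirtualNetworkGatewayConnection -Name $_.Name -ResourceGroupName $rg -Force
    }

# 2. Delete the gateway. This releases its public IP and its PSK for good.
Remove-AzVirtualNetworkGateway -Name $gw -ResourceGroupName $rg -Force

# 3. Recreate it as RouteBased on the existing subnet, which must be named
#    exactly GatewaySubnet; warn if it is smaller than the recommended /27.
$vnetObj = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
$subnet  = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnetObj
$prefixLen = [int](@($subnet.AddressPrefix)[0].Split('/')[1])
if ($prefixLen -gt 27) {
    Write-Warning "GatewaySubnet is a /$prefixLen; the FAQ recommends /27 or larger."
}
$pip    = New-AzPublicIpAddress -Name "$gw-pip" -ResourceGroupName $rg -Location $loc -AllocationMethod Dynamic
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "$gw-ipconf" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id
$gateway = New-AzVirtualNetworkGateway -Name $gw -ResourceGroupName $rg -Location $loc `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 4. Recreate the Site-to-Site connection. The old PSK is gone, so use the
#    value agreed with the on-premises administrator (never hard-code it).
$psk = Read-Host -Prompt "Pre-shared key to configure on both ends"
$lng = Get-AzLocalNetworkGateway -Name "Site1" -ResourceGroupName $rg
New-AzVirtualNetworkGatewayConnection -Name "VNet1toSite1" -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk | Out-Null

# 5. The public IP changed with the recreate; the on-premises device needs it.
$newIp = (Get-AzPublicIpAddress -Name "$gw-pip" -ResourceGroupName $rg).IpAddress
Write-Host "New gateway public IP: $newIp (update the on-premises peer address)"
```

Expect the New-AzVirtualNetworkGateway call alone to run for most of the 60 minutes the FAQ mentions; the connection will report Connected only after the on-premises device has been given both the new peer IP and the new PSK.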

Do I need a 'GatewaySubnet'?

Yes. The gateway subnet contains the IP addresses that the virtual network gateway services use. You need to create a gateway subnet for your VNet in order to configure a virtual network gateway. All gateway subnets must be named 'GatewaySubnet' to work properly. Don't name your gateway subnet something else. And don't deploy VMs or anything else to the gateway subnet.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway service. Some configurations require more IP addresses to be allocated to the gateway services than others. You want to make sure your gateway subnet contains enough IP addresses to accommodate future growth and possible additional new connection configurations. So, while you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26, /25, and so on). Look at the requirements for the configuration that you want to create and verify that the gateway subnet you have will meet those requirements.

Can I deploy Virtual Machines or role instances to my gateway subnet?

No.

Can I get my VPN gateway IP address before I create it?

No. You have to create your gateway first to get the IP address. The IP address changes if you delete and recreate your VPN gateway.

Can I request a Static Public IP address for my VPN gateway?

No. Only dynamic IP address assignment is supported. However, this does not mean that the IP address changes after it has been assigned to your VPN gateway. The only time the VPN gateway IP address changes is when the gateway is deleted and re-created. The VPN gateway public IP address doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

How does my VPN tunnel get authenticated?

Azure VPN uses PSK (pre-shared key) authentication. We generate a pre-shared key (PSK) when we create the VPN tunnel. You can change the auto-generated PSK to your own with the Set Pre-Shared Key PowerShell cmdlet or REST API.

Can I use the Set Pre-Shared Key API to configure my policy-based (static routing) gateway VPN?

Yes, the Set Pre-Shared Key API and PowerShell cmdlet can be used to configure both Azure policy-based (static routing) VPNs and route-based (dynamic routing) VPNs.

Can I use other authentication options?

We are limited to using pre-shared keys (PSK) for authentication.

How do I specify which traffic goes through the VPN gateway?

Resource Manager deployment model

  • PowerShell: use "AddressPrefix" to specify traffic for the local network gateway.
  • Azure portal: navigate to the Local network gateway > Configuration > Address space.

Classic deployment model

  • Azure portal: navigate to the classic virtual network > VPN connections > Site-to-site VPN connections > Local site name > Local site > Client address space.
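Rotating the PSK on an existing connection and changing which on-premises prefixes are sent through the tunnel, as one added Az PowerShell example covering both the PSK questions and the "AddressPrefix" bullet above; it is not from the Azure documentation. In the Az module the Set Pre-Shared Key cmdlet is Set-AzVirtualNetworkGatewayConnectionSharedKey, and as the FAQ states it works for policy-based and route-based gateways alike. The resource group, connection and local network gateway names (TestRG1, VNet1toSite1, Site1) and the added prefix 10.20.0.0/16 are placeholders; the Az module is assumed to be installed and logged in.

```powershell
# Added example: rotate the PSK and widen the on-premises address prefixes.
# TestRG1, VNet1toSite1, Site1 and 10.20.0.0/16 are placeholders.
$rg      = "TestRG1"
$conn    = "VNet1toSite1"
$lngName = "Site1"

# 1. Generate a 64-character hex PSK (256 bits from the OS CSPRNG) instead of
#    keeping the auto-generated default or a human-chosen phrase. Hex stays
#    within the printable-ASCII character set Azure accepts for a shared key.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPsk = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# 2. Apply it on the Azure side. The tunnel stays down until the on-premises
#    device carries the same value, so do this inside a maintenance window.
Set-AzVirtualNetworkGatewayConnectionSharedKey -Name $conn -ResourceGroupName $rg -Value $newPsk | Out-Null

# 3. Read it back and confirm Azure stored exactly what was sent.
$stored = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $conn -ResourceGroupName $rg
if ($stored -ne $newPsk) { throw "PSK read-back mismatch on $conn" }

# 4. Add an on-premises prefix. Only traffic destined for prefixes listed on the
#    local network gateway is steered into the tunnel; this is the "AddressPrefix"
#    the FAQ refers to, and the portal's Address space box edits the same list.
$lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg
$prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes) + "10.20.0.0/16" | Select-Object -Unique
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix $prefixes | Out-Null

# 5. Show the resulting prefix list and the connection state; ConnectionStatus
#    returns to Connected once the on-premises side has the new PSK too.
(Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg).LocalNetworkAddressSpace.AddressPrefixes
(Get-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg).ConnectionStatus
```

Hand the new key to the on-premises administrator out of band and store it in a secret manager; the script deliberately does not write it to disk or to the console.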

Can I configure Force Tunneling?

Yes. See Configure force tunneling.

Can I set up my own VPN server in Azure and use it to connect to my on-premises network?

Yes, you can deploy your own VPN gateways or servers in Azure, either from the Azure Marketplace or by creating your own VPN routers. You need to configure user-defined routes in your virtual network to ensure traffic is routed properly between your on-premises networks and your virtual network subnets.

Why are certain ports opened on my virtual network gateway?

They are required for Azure infrastructure communication. They are protected (locked down) by Azure certificates. Without proper certificates, external entities, including the customers of those gateways, will not be able to cause any effect on those endpoints.

A virtual network gateway is fundamentally a multi-homed device with one NIC tapping into the customer private network, and one NIC facing the public network. Azure infrastructure entities cannot tap into customer private networks for compliance reasons, so they need to utilize public endpoints for infrastructure communication. The public endpoints are periodically scanned by Azure security audit.

More information about gateway types, requirements, and throughput

For more information, see About VPN Gateway configuration settings.

Site-to-Site connections and VPN devices

What should I consider when selecting a VPN device?

We have validated a set of standard Site-to-Site VPN devices in partnership with device vendors. A list of known compatible VPN devices, their corresponding configuration instructions or samples, and device specs can be found in the About VPN devices article. All devices in the device families listed as known compatible should work with Virtual Network. To help configure your VPN device, refer to the device configuration sample or link that corresponds to the appropriate device family.

Where can I find VPN device configuration settings?

To download VPN device configuration scripts:

Depending on the VPN device that you have, you may be able to download a VPN device configuration script. For more information, see Download VPN device configuration scripts.

See the following links for additional configuration information:

How do I edit VPN device configuration samples?

For information about editing device configuration samples, see Editing samples.

Where do I find IPsec and IKE parameters?

For IPsec/IKE parameters, see Parameters.

Why does my policy-based VPN tunnel go down when traffic is idle?

This is expected behavior for policy-based (also known as static routing) VPN gateways. When the traffic over the tunnel is idle for more than 5 minutes, the tunnel will be torn down. When traffic starts flowing in either direction, the tunnel will be reestablished immediately.

Can I use software VPNs to connect to Azure?

We support Windows Server 2012 Routing and Remote Access (RRAS) servers for Site-to-Site cross-premises configuration.

Other software VPN solutions should work with our gateway as long as they conform to industry standard IPsec implementations. Contact the vendor of the software for configuration and support instructions.

Point-to-Site using native Azure certificate authentication

This section applies to the Resource Manager deployment model.

How many VPN client endpoints can I have in my Point-to-Site configuration?

It depends on the gateway SKU. For more information on the number of connections supported, see Gateway SKUs.

What client operating systems can I use with Point-to-Site?

The following client operating systems are supported:

  • Windows 7 (32-bit and 64-bit)
  • Windows Server 2008 R2 (64-bit only)
  • Windows 8.1 (32-bit and 64-bit)
  • Windows Server 2012 (64-bit only)
  • Windows Server 2012 R2 (64-bit only)
  • Windows Server 2016 (64-bit only)
  • Windows 10
  • Mac OS X version 10.11 or above
  • Linux (strongSwan)
  • iOS

Note

Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only TLS 1.2. To maintain support, see the updates to enable support for TLS 1.2.

Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:

  • RC4 (Rivest Cipher 4)
  • DES (Data Encryption Standard)
  • 3DES (Triple Data Encryption Standard)
  • MD5 (Message Digest 5)

How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?

  1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run as administrator.

  2. Run the following commands in the command prompt:

    REM EAP type 13 is EAP-TLS, which SSTP uses; 0xfc0 enables TLS 1.0, 1.1 and 1.2 (0xc00 would allow TLS 1.2 only)
    reg add HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 /v TlsVersion /t REG_DWORD /d 0xfc0
    REM WinHTTP default protocols; 0xaa0 also leaves SSL 3.0 enabled, 0xa80 is TLS 1.0-1.2 only and 0x800 is TLS 1.2 only
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0
    REM On 64-bit Windows the 32-bit registry view needs the same value
    if %PROCESSOR_ARCHITECTURE% EQU AMD64 reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /v DefaultSecureProtocols /t REG_DWORD /d 0xaa0

  3. Install the following updates:

  4. Reboot the computer.

  5. Connect to the VPN.

Note

You will have to set the above registry keys if you are running an older version of Windows 10 (build 10240).

Can I traverse proxies and firewalls using Point-to-Site capability?

Azure supports two types of Point-to-Site VPN options:

  • Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls, since most firewalls open TCP port 443, which SSL/TLS uses.

  • IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP ports 500 and 4500 and IP protocol number 50 (ESP). Firewalls do not always open these ports, so there is a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

If I restart a client computer configured for Point-to-Site, will the VPN automatically reconnect?

By default, the client computer will not reestablish the VPN connection automatically.

Does Point-to-Site support auto-reconnect and DDNS on the VPN clients?

Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.

Can I have Site-to-Site and Point-to-Site configurations coexist for the same virtual network?

Yes. For the Resource Manager deployment model, you must have a RouteBased VPN type for your gateway. For the classic deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN gateways or PolicyBased VPN gateways.

Can I configure a Point-to-Site client to connect to multiple virtual networks at the same time?

No. A Point-to-Site client can only connect to resources in the VNet in which the virtual network gateway resides.

How much throughput can I expect through Site-to-Site or Point-to-Site connections?

It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet. For a VPN Gateway with only IKEv2 Point-to-Site VPN connections, the total throughput that you can expect depends on the Gateway SKU. For more information on throughput, see Gateway SKUs.

Can I use any software VPN client for Point-to-Site that supports SSTP and/or IKEv2?

No. You can only use the native VPN client on Windows for SSTP, and the native VPN client on Mac for IKEv2. Refer to the list of supported client operating systems.

Does Azure support IKEv2 VPN with Windows?

IKEv2 is supported on Windows 10 and Server 2016. However, in order to use IKEv2, you must install updates and set a registry key value locally. OS versions prior to Windows 10 are not supported and can only use SSTP.

To prepare Windows 10 or Server 2016 for IKEv2:

  1. Install the update.

    OS version                                    Date              Number/Link
    Windows Server 2016, Windows 10 Version 1607  January 17, 2018  KB4057142
    Windows 10 Version 1703                       January 17, 2018  KB4057144
    Windows 10 Version 1709                       March 22, 2018    KB4089848

  2. Set the registry key value. Create or set the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2\DisableCertReqPayload" REG_DWORD value in the registry to 1.
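Both client-side procedures in this section, the TLS 1.2 registry values for Windows 7/8.1 (and Windows 10 build 10240) and the IKEv2 update check plus DisableCertReqPayload value for Windows 10/Server 2016, as one added PowerShell script; it is not from the Azure documentation. It picks the branch from the OS build number, verifies every value after writing it, and reports whether the cumulative update the table above lists for that build is installed (14393, 15063 and 16299 are the build numbers of Server 2016/1607, 1703 and 1709). The build-to-KB map comes from the table; the helper name and everything else are this example's own.

```powershell
# Added example: prepare a Windows client for Azure Point-to-Site. Run elevated.
#Requires -RunAsAdministrator

$build = [Environment]::OSVersion.Version.Build   # 7601 = Win7, 9600 = 8.1, 10240+ = Win10

# Helper (this example's own): create the key if needed, write the DWORD, read it back.
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    $actual = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($actual -ne $Value) { throw "$Path\$Name is $actual, expected $Value" }
    Write-Host ("{0}\{1} = 0x{2:x}" -f $Path, $Name, $actual)
}

if ($build -le 10240) {
    # Windows 7 / 8.1 / Server 2012 R2 and Windows 10 build 10240: the SSTP client
    # needs TLS 1.2 enabled for EAP-TLS (EAP type 13) and for WinHTTP.
    Set-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13" "TlsVersion" 0xfc0
    Set-RegDword "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" "DefaultSecureProtocols" 0xaa0
    if ([Environment]::Is64BitOperatingSystem) {
        Set-RegDword "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" "DefaultSecureProtocols" 0xaa0
    }
    Write-Host "Install the TLS 1.2 updates from the FAQ, then reboot before connecting."
}

if ($build -ge 10240) {
    # Windows 10 / Server 2016: IKEv2 needs the cumulative update for the build
    # plus the DisableCertReqPayload value.
    $kbByBuild = @{ 14393 = "KB4057142"; 15063 = "KB4057144"; 16299 = "KB4089848" }
    if ($kbByBuild.ContainsKey($build)) {
        $kb = $kbByBuild[$build]
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
            Write-Host "$kb is installed."
        } else {
            # A later cumulative update supersedes the KB and hides it from Get-HotFix,
            # so treat this as a prompt to check Windows Update, not as a hard failure.
            Write-Warning "$kb (or a later cumulative update) is required for IKEv2 on build $build."
        }
    }
    Set-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\IKEv2" "DisableCertReqPayload" 1
    Write-Host "Reboot, then connect; the Windows client tries IKEv2 first and falls back to SSTP."
}
```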

What happens when I configure both SSTP and IKEv2 for P2S VPN connections?

When you configure both SSTP and IKEv2 in a mixed environment (consisting of Windows and Mac devices), the Windows VPN client will always try the IKEv2 tunnel first, but will fall back to SSTP if the IKEv2 connection is not successful. macOS will only connect via IKEv2.

Other than Windows and Mac, which other platforms does Azure support for P2S VPN?

Azure supports Windows, Mac, and Linux for P2S VPN.

I already have an Azure VPN Gateway deployed. Can I enable RADIUS and/or IKEv2 VPN on it?

Yes, you can enable these new features on already deployed gateways using PowerShell or the Azure portal, provided that the gateway SKU that you are using supports RADIUS and/or IKEv2. For example, the VPN gateway Basic SKU does not support RADIUS or IKEv2.

Can I use my own internal PKI root CA for Point-to-Site connectivity?

Yes. Previously, only self-signed root certificates could be used. You can still upload up to 20 root certificates.

What tools can I use to create certificates?

You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.

Are there instructions for certificate settings and parameters?

  • Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.

  • Azure PowerShell: See the Azure PowerShell article for steps.

  • MakeCert: See the MakeCert article for steps.

  • OpenSSL:

    • When exporting certificates, be sure to convert the root certificate to Base64.

    • For the client certificate:

      • When creating the private key, specify the length as 4096.
      • When creating the certificate, for the -extensions parameter, specify usr_cert.
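The OpenSSL bullets above carried through end to end, as an added example that is not from the Azure documentation: a self-signed root, a 4096-bit client key, a client certificate signed with a usr_cert extension section, the Base64 export of the root that the gateway takes as PublicCertData, and the upload that registers it (this also covers the "upload up to 20 root certificates" answer). It assumes openssl is on PATH and the Az module is logged in. The certificate subjects, the gateway and resource group names (VNet1GW, TestRG1), the PFX password and the contents of the usr_cert section (written to a local file here instead of taken from the system openssl.cnf) are placeholders chosen for this example.

```powershell
# Added example: Azure P2S root and client certificates with OpenSSL, then upload the root.
$rg = "TestRG1"     # placeholder
$gw = "VNet1GW"     # placeholder

# Extension section for the client certificate. This is what "-extensions usr_cert"
# selects; the EKU must be Client Authentication for Azure to accept the client.
@"
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
"@ | Set-Content -Path ext.cnf -Encoding ascii

# 1. Self-signed root, 10 years. Keep root.key offline: anyone holding it can
#    mint client identities the gateway will trust.
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 `
    -subj "/CN=P2SRootCert" -keyout root.key -out root.pem

# 2. Client key (4096 bits, as the FAQ requires) and certificate request.
openssl req -newkey rsa:4096 -sha256 -nodes `
    -subj "/CN=P2SChildCert" -keyout client.key -out client.csr

# 3. Sign the client certificate with the usr_cert extensions, 1 year.
openssl x509 -req -sha256 -days 365 -in client.csr -CA root.pem -CAkey root.key `
    -CAcreateserial -extfile ext.cnf -extensions usr_cert -out client.pem

# 4. Check the chain locally before touching Azure.
openssl verify -CAfile root.pem client.pem
if ($LASTEXITCODE -ne 0) { throw "client certificate does not chain to root.pem" }

# 5. Bundle key + certificate + issuer into a PFX for the Windows client store.
#    Replace the password; it protects the private key on the endpoint.
openssl pkcs12 -export -in client.pem -inkey client.key -certfile root.pem `
    -out client.pfx -passout pass:ChangeMe

# 6. Export the root public certificate as DER and Base64-encode it: that string,
#    without PEM header and footer lines, is the PublicCertData Azure expects.
openssl x509 -in root.pem -outform der -out root.cer
$rootB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path root.cer).Path))

# 7. Register the root with the gateway (the gateway accepts up to 20 roots).
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "P2SRootCert" `
    -VirtualNetworkGatewayname $gw -ResourceGroupName $rg -PublicCertData $rootB64
```

Only root.pem (the public half) ever leaves the machine; client.pfx goes to the user's device and root.key stays wherever your PKI keeps signing material. Revoking a single client later means uploading its thumbprint to the gateway's revoked-certificates list, since the gateway does not consult a CRL.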

Point-to-Site using RADIUS authentication

This section applies to the Resource Manager deployment model.

The questions about the number of client endpoints, supported client operating systems, TLS 1.2, proxy and firewall traversal, reconnection, coexistence with Site-to-Site, throughput, IKEv2 on Windows, and enabling RADIUS or IKEv2 on an existing gateway are answered identically in the previous section (Point-to-Site using native Azure certificate authentication) and apply to RADIUS authentication as well.

是否所有 Azure VPN 网关 SKU 都支持 RADIUS 身份验证?Is RADIUS authentication supported on all Azure VPN Gateway SKUs?

VpnGw1、VpnGw2 和 VpnGw3 SKU 支持 RADIUS 身份验证。RADIUS authentication is supported for VpnGw1, VpnGw2, and VpnGw3 SKUs. 如果使用的是旧版 SKU,则标准和高性能 SKU 支持 RADIUS 身份验证。If you are using legacy SKUs, RADIUS authentication is supported on Standard and High Performance SKUs. 基本网关 SKU 不支持该身份验证。It is not supported on the Basic Gateway SKU. 

经典部署模型是否支持 RADIUS 身份验证?Is RADIUS authentication supported for the classic deployment model?

否。No. 经典部署模型不支持 RADIUS 身份验证。RADIUS authentication is not supported for the classic deployment model.

是否支持第三方 RADIUS 服务器?Are 3rd-party RADIUS servers supported?

是的,支持第三方 RADIUS 服务器。Yes, 3rd-party RADIUS servers are supported.

若要确保 Azure 网关能够访问本地 RADIUS 服务器,对连接有何要求?What are the connectivity requirements to ensure that the Azure gateway is able to reach an on-premises RADIUS server?

需要具有到本地站点的 VPN 站点到站点连接,并且需要配置正确的路由。A VPN Site-to-Site connection to the on-premises site, with the proper routes configured, is required.  

是否可以通过 ExpressRoute 连接来传送(从 Azure VPN 网关)流向本地 RADIUS 服务器的流量?Can traffic to an on-premises RADIUS server (from the Azure VPN gateway) be routed over an ExpressRoute connection?

否。No. 它只能通过站点到站点连接进行传送。It can only be routed over a Site-to-Site connection.

RADIUS 身份验证支持的 SSTP 连接数是否有变化?Is there a change in the number of SSTP connections supported with RADIUS authentication? 支持的最大 SSTP 和 IKEv2 连接数是多少?What is the maximum number of SSTP and IKEv2 connections supported?

RADIUS 身份验证在网关上支持的最大 SSTP 连接数没有变化。There is no change in the maximum number of SSTP connections supported on a gateway with RADIUS authentication. 对于 SSTP,仍然为 128;但对于 IKEv2,则取决于网关 SKU。It remains 128 for SSTP, but depends on the gateway SKU for IKEv2. 有关支持的连接数的详细信息,请参阅网关 SKU For more information on the number of connections supported, see Gateway SKUs.

使用 RADIUS 服务器执行证书身份验证与使用 Azure 本机证书身份验证执行身份验证(通过将受信任的证书上传到 Azure)之间有何区别?What is the difference between doing certificate authentication using a RADIUS server vs. using Azure native certificate authentication (by uploading a trusted certificate to Azure).

在 RADIUS 证书身份验证中,身份验证请求被转发到处理实际证书验证的 RADIUS 服务器。In RADIUS certificate authentication, the authentication request is forwarded to a RADIUS server that handles the actual certificate validation. 如果希望通过 RADIUS 与已有的证书身份验证基础结构进行集成,则此选项非常有用。This option is useful if you want to integrate with a certificate authentication infrastructure that you already have through RADIUS.

使用 Azure 进行证书身份验证时,由 Azure VPN 网关执行证书验证。When using Azure for certificate authentication, the Azure VPN gateway performs the validation of the certificate. 需要将证书公钥上传到网关。You need to upload your certificate public key to the gateway. 还可以指定不允许进行连接的已吊销证书的列表。You can also specify list of revoked certificates that shouldn’t be allowed to connect.

RADIUS 身份验证是否同时适用于 IKEv2 和 SSTP VPN?Does RADIUS authentication work with both IKEv2, and SSTP VPN?

是的,IKEv2 和 SSTP VPN 都支持 RADIUS 身份验证。Yes, RADIUS authentication is supported for both IKEv2, and SSTP VPN. 

VNet-to-VNet and Multi-Site connections

The VNet-to-VNet FAQ applies to VPN gateway connections. For information about VNet peering, see Virtual network peering.

Does Azure charge for traffic between VNets?

VNet-to-VNet traffic within the same region is free in both directions when you use a VPN gateway connection. Cross-region VNet-to-VNet egress traffic is charged at the outbound inter-VNet data transfer rates based on the source region. For more information, see the VPN Gateway pricing page. If you're connecting your VNets by using VNet peering instead of a VPN gateway, see Virtual network pricing.

Does VNet-to-VNet traffic travel across the internet?

No. VNet-to-VNet traffic travels across the Azure backbone, not the Internet.

Can I establish a VNet-to-VNet connection across Azure Active Directory (AAD) tenants?

Yes, VNet-to-VNet connections that use Azure VPN gateways work across AAD tenants.

Is VNet-to-VNet traffic secure?

Yes, it's protected by IPsec/IKE encryption.

Do I need a VPN device to connect VNets together?

No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises connectivity is required.

Do my VNets need to be in the same region?

No. The virtual networks can be in the same or different Azure regions (locations).

If the VNets aren't in the same subscription, do the subscriptions need to be associated with the same Active Directory tenant?

No.

Can I use VNet-to-VNet to connect virtual networks in separate Azure instances?

No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can't create a connection between global Azure and the Chinese/German/US government Azure instances. Consider using a Site-to-Site VPN connection for these scenarios.

Can I use VNet-to-VNet along with multi-site connections?

Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.

How many on-premises sites and virtual networks can one virtual network connect to?

See the Gateway requirements table.

Can I use VNet-to-VNet to connect VMs or cloud services outside of a VNet?

No. VNet-to-VNet supports connecting virtual networks. It doesn't support connecting virtual machines or cloud services that aren't in a virtual network.

Can a cloud service or a load-balancing endpoint span VNets?

No. A cloud service or a load-balancing endpoint can't span across virtual networks, even if they're connected together.

Can I use a PolicyBased VPN type for VNet-to-VNet or Multi-Site connections?

No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called dynamic routing) VPN types.

Can I connect a VNet with a RouteBased VPN type to another VNet with a PolicyBased VPN type?

No, both virtual networks MUST use route-based (previously called dynamic routing) VPNs.

Do VPN tunnels share bandwidth?

Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the same VPN gateway uptime SLA in Azure.

Are redundant tunnels supported?

Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is configured as active-active.

Can I have overlapping address spaces for VNet-to-VNet configurations?

No. You can't have overlapping IP address ranges.

Can there be overlapping address spaces among connected virtual networks and on-premises local sites?

No. You can't have overlapping IP address ranges.

Can I use Azure VPN gateway to transit traffic between my on-premises sites or to another virtual network?

Resource Manager deployment model
Yes. See the BGP section for more information.

Classic deployment model
Transit traffic via Azure VPN gateway is possible using the classic deployment model, but relies on statically defined address spaces in the network configuration file. BGP is not yet supported with Azure Virtual Networks and VPN gateways using the classic deployment model. Without BGP, manually defining transit address spaces is very error prone, and not recommended.

Does Azure generate the same IPsec/IKE pre-shared key for all my VPN connections for the same virtual network?

No, Azure by default generates different pre-shared keys for different VPN connections. However, you can use the Set VPN Gateway Key REST API or PowerShell cmdlet to set the key value you prefer. The key MUST be an alphanumerical string of length between 1 and 128 characters.

Do I get more bandwidth with more Site-to-Site VPNs than for a single virtual network?

No, all VPN tunnels, including Point-to-Site VPNs, share the same Azure VPN gateway and the available bandwidth.

Can I configure multiple tunnels between my virtual network and my on-premises site using multi-site VPN?

Yes, but you must configure BGP on both tunnels to the same location.

Can I use Point-to-Site VPNs with my virtual network with multiple VPN tunnels?

Yes, Point-to-Site (P2S) VPNs can be used with the VPN gateways connecting to multiple on-premises sites and other virtual networks.

Can I connect a virtual network with IPsec VPNs to my ExpressRoute circuit?

Yes, this is supported. For more information, see Configure ExpressRoute and Site-to-Site VPN connections that coexist.

IPsec/IKE policy

Is custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?

Custom IPsec/IKE policy is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. The Basic SKU is not supported.

How many policies can I specify on a connection?

You can only specify one policy combination for a given connection.

Can I specify a partial policy on a connection? (for example, only IKE algorithms, but not IPsec)

No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy specification is not allowed.

What are the algorithms and key strengths supported in the custom policy?

The following table lists the supported cryptographic algorithms and key strengths configurable by the customers. You must select one option for every field.

IPsec/IKEv2          Options
IKEv2 Encryption     AES256, AES192, AES128, DES3, DES
IKEv2 Integrity      SHA384, SHA256, SHA1, MD5
DH Group             DHGroup24, ECP384, ECP256, DHGroup14 (DHGroup2048), DHGroup2, DHGroup1, None
IPsec Encryption     GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128, DES3, DES, None
IPsec Integrity      GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1, MD5
PFS Group            PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
QM SA Lifetime       Seconds (integer; min. 300/default 27000 seconds)
                     KBytes (integer; min. 1024/default 102400000 KBytes)
Traffic Selector     UsePolicyBasedTrafficSelectors ($True/$False; default $False)

Important

  1. DHGroup2048 & PFS2048 are the same as Diffie-Hellman Group 14 in IKE and IPsec PFS. See Diffie-Hellman Groups for the complete mappings.
  2. For GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and Integrity.
  3. The IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways.
  4. QM SA Lifetimes are optional parameters. If none was specified, default values of 27,000 seconds (7.5 hrs) and 102400000 KBytes (102GB) are used.
  5. UsePolicyBasedTrafficSelectors is an optional parameter on the connection. See the next FAQ item for "UsePolicyBasedTrafficSelectors".

Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device configurations?

Your on-premises VPN device configuration must match or contain the following algorithms and parameters that you specify on the Azure IPsec/IKE policy:

  • IKE encryption algorithm
  • IKE integrity algorithm
  • DH Group
  • IPsec encryption algorithm
  • IPsec integrity algorithm
  • PFS Group
  • Traffic Selector (*)

The SA lifetimes are local specifications only and do not need to match.

If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are 10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to specify the following traffic selectors:

  • 10.1.0.0/16 <====> 192.168.0.0/16
  • 10.1.0.0/16 <====> 172.16.0.0/16
  • 10.2.0.0/16 <====> 192.168.0.0/16
  • 10.2.0.0/16 <====> 172.16.0.0/16

For more information, see Connect multiple on-premises policy-based VPN devices.
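The traffic-selector enumeration above, and the no-overlap rule from the VNet-to-VNet section, as an added example (not code from the Azure documentation or from Azure itself). It builds every local/remote prefix pair that the on-premises device must carry when UsePolicyBasedTrafficSelectors is enabled, and refuses prefix sets that overlap. The prefixes are the FAQ's own sample values; the function names are this example's.

```python
"""Policy-based traffic selectors for an Azure S2S connection (added example)."""
from ipaddress import ip_network
from itertools import product
from typing import Iterable, List, Tuple


def check_no_overlap(networks: list) -> None:
    """Raise ValueError if any two prefixes overlap.

    Connected virtual networks and on-premises sites may not share IP ranges,
    so an overlap here means the connection cannot be configured as given.
    """
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                raise ValueError(f"overlapping prefixes: {a} and {b}")


def build_traffic_selectors(on_prem_prefixes: Iterable[str],
                            vnet_prefixes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (on-premises prefix, VNet prefix) pair the VPN device needs.

    With policy-based traffic selectors the gateway negotiates per prefix pair
    rather than any-to-any, so each combination must be defined on the device.
    strict=True rejects prefixes with host bits set (e.g. 10.1.1.0/16).
    """
    local = [ip_network(p, strict=True) for p in on_prem_prefixes]
    remote = [ip_network(p, strict=True) for p in vnet_prefixes]
    check_no_overlap(local + remote)
    return [(str(l), str(r)) for l, r in product(local, remote)]


def render_selectors(pairs: List[Tuple[str, str]]) -> List[str]:
    """Format pairs the way the FAQ lists them."""
    return [f"{local} <====> {remote}" for local, remote in pairs]


if __name__ == "__main__":
    # Sample prefixes taken from the FAQ's example
    pairs = build_traffic_selectors(["10.1.0.0/16", "10.2.0.0/16"],
                                    ["192.168.0.0/16", "172.16.0.0/16"])
    for line in render_selectors(pairs):
        print(line)
```

Running it prints the same four selector lines as the FAQ; adding a third on-premises prefix or a third VNet prefix shows how quickly the count grows (the product of the two list lengths), which is the main operational reason to keep prefix lists short when policy-based selectors are in use.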

Which Diffie-Hellman Groups are supported?

The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):

Diffie-Hellman Group   DHGroup                  PFSGroup   Key length
1                      DHGroup1                 PFS1       768-bit MODP
2                      DHGroup2                 PFS2       1024-bit MODP
14                     DHGroup14, DHGroup2048   PFS2048    2048-bit MODP
19                     ECP256                   ECP256     256-bit ECP
20                     ECP384                   ECP384     384-bit ECP
24                     DHGroup24                PFS24      2048-bit MODP

For more information, see RFC3526 and RFC5114.
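A validator that applies the custom-policy rules from the algorithm table and the "Important" notes above, together with the Diffie-Hellman mapping just listed, as an added example (not Azure's own validation code). The option sets, lifetime limits and group numbers are transcribed from the FAQ tables; the dataclass field names are this example's own and are not the ARM or PowerShell parameter names.

```python
"""Client-side checks for an Azure VPN Gateway custom IPsec/IKE policy (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Supported options per field; one option must be chosen for every field
IKE_ENCRYPTION = {"AES256", "AES192", "AES128", "DES3", "DES"}
IKE_INTEGRITY = {"SHA384", "SHA256", "SHA1", "MD5"}
DH_GROUPS = {"DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048",
             "DHGroup2", "DHGroup1", "None"}
IPSEC_ENCRYPTION = {"GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192",
                    "AES128", "DES3", "DES", "None"}
IPSEC_INTEGRITY = {"GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1", "MD5"}
PFS_GROUPS = {"PFS24", "ECP384", "ECP256", "PFS2048", "PFS2", "PFS1", "None"}

# Quick Mode SA lifetime minimums and defaults; Main Mode lifetime is fixed by Azure
QM_SECONDS_MIN, QM_SECONDS_DEFAULT = 300, 27000
QM_KBYTES_MIN, QM_KBYTES_DEFAULT = 1024, 102400000
MM_SECONDS_FIXED = 28800

# DHGroup / PFSGroup name -> (Diffie-Hellman group number, key length)
DH_TABLE = {
    "DHGroup1": (1, "768-bit MODP"), "PFS1": (1, "768-bit MODP"),
    "DHGroup2": (2, "1024-bit MODP"), "PFS2": (2, "1024-bit MODP"),
    "DHGroup14": (14, "2048-bit MODP"), "DHGroup2048": (14, "2048-bit MODP"),
    "PFS2048": (14, "2048-bit MODP"),
    "ECP256": (19, "256-bit ECP"),
    "ECP384": (20, "384-bit ECP"),
    "DHGroup24": (24, "2048-bit MODP"), "PFS24": (24, "2048-bit MODP"),
}


@dataclass
class IpsecIkePolicy:
    ike_encryption: str
    ike_integrity: str
    dh_group: str
    ipsec_encryption: str
    ipsec_integrity: str
    pfs_group: str
    sa_lifetime_seconds: Optional[int] = None   # optional QM SA lifetime
    sa_data_size_kbytes: Optional[int] = None   # optional QM SA lifetime
    use_policy_based_traffic_selectors: bool = False


def validate_policy(p: IpsecIkePolicy) -> List[str]:
    """Return the list of problems; an empty list means the policy is acceptable."""
    problems: List[str] = []
    for field, value, allowed in (
        ("ike_encryption", p.ike_encryption, IKE_ENCRYPTION),
        ("ike_integrity", p.ike_integrity, IKE_INTEGRITY),
        ("dh_group", p.dh_group, DH_GROUPS),
        ("ipsec_encryption", p.ipsec_encryption, IPSEC_ENCRYPTION),
        ("ipsec_integrity", p.ipsec_integrity, IPSEC_INTEGRITY),
        ("pfs_group", p.pfs_group, PFS_GROUPS),
    ):
        if value not in allowed:
            problems.append(f"{field}={value!r} is not a supported option")
    # GCMAES is an AEAD mode: encryption and integrity must name the same
    # algorithm and key length
    uses_gcm = p.ipsec_encryption.startswith("GCMAES") or p.ipsec_integrity.startswith("GCMAES")
    if uses_gcm and p.ipsec_encryption != p.ipsec_integrity:
        problems.append("GCMAES requires the same algorithm for IPsec encryption and integrity")
    if p.sa_lifetime_seconds is not None and p.sa_lifetime_seconds < QM_SECONDS_MIN:
        problems.append(f"sa_lifetime_seconds must be at least {QM_SECONDS_MIN}")
    if p.sa_data_size_kbytes is not None and p.sa_data_size_kbytes < QM_KBYTES_MIN:
        problems.append(f"sa_data_size_kbytes must be at least {QM_KBYTES_MIN}")
    return problems


def effective_qm_lifetimes(p: IpsecIkePolicy) -> Tuple[int, int]:
    """QM SA lifetimes that apply: the defaults are used when none is given."""
    seconds = QM_SECONDS_DEFAULT if p.sa_lifetime_seconds is None else p.sa_lifetime_seconds
    kbytes = QM_KBYTES_DEFAULT if p.sa_data_size_kbytes is None else p.sa_data_size_kbytes
    return seconds, kbytes


def dh_group_number(name: str) -> int:
    """Diffie-Hellman group number behind a DHGroup/PFSGroup name."""
    return DH_TABLE[name][0]


def dh_key_length(name: str) -> str:
    return DH_TABLE[name][1]


if __name__ == "__main__":
    policy = IpsecIkePolicy("AES256", "SHA256", "DHGroup14", "GCMAES256", "GCMAES256", "PFS2048")
    print(validate_policy(policy), effective_qm_lifetimes(policy), dh_group_number("DHGroup2048"))
```

The check is deliberately strict about GCMAES: a policy such as GCMAES256 encryption with SHA256 integrity is rejected here before it is sent to Azure, which is cheaper than discovering the mismatch when the IKE negotiation with the on-premises device fails.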

Does the custom policy replace the default IPsec/IKE policy sets for Azure VPN gateways?

Yes, once a custom policy is specified on a connection, the Azure VPN gateway will only use the policy on the connection, both as IKE initiator and IKE responder.

If I remove a custom IPsec/IKE policy, does the connection become unprotected?

No, the connection will still be protected by IPsec/IKE. Once you remove the custom policy from a connection, the Azure VPN gateway reverts back to the default list of IPsec/IKE proposals and restarts the IKE handshake with your on-premises VPN device.

Would adding or updating an IPsec/IKE policy disrupt my VPN connection?

Yes, it could cause a small disruption (a few seconds) as the Azure VPN gateway tears down the existing connection and restarts the IKE handshake to re-establish the IPsec tunnel with the new cryptographic algorithms and parameters. Ensure your on-premises VPN device is also configured with the matching algorithms and key strengths to minimize the disruption.

Can I use different policies on different connections?

Yes. Custom policy is applied on a per-connection basis. You can create and apply different IPsec/IKE policies on different connections. You can also choose to apply custom policies on a subset of connections. The remaining ones use the Azure default IPsec/IKE policy sets.

Can I use the custom policy on VNet-to-VNet connections as well?

Yes, you can apply custom policy on both IPsec cross-premises connections and VNet-to-VNet connections.

Do I need to specify the same policy on both VNet-to-VNet connection resources?

Yes. A VNet-to-VNet tunnel consists of two connection resources in Azure, one for each direction. Make sure both connection resources have the same policy, otherwise the VNet-to-VNet connection won't establish.

Does custom IPsec/IKE policy work on ExpressRoute connections?

No. IPsec/IKE policy only works on S2S VPN and VNet-to-VNet connections via the Azure VPN gateways.

Where can I find more configuration information for IPsec?

See Configure IPsec/IKE policy for S2S or VNet-to-VNet connections.

BGP

Is BGP supported on all Azure VPN Gateway SKUs?

No, BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways. The Basic SKU is NOT supported.

Can I use BGP with Azure Policy-Based VPN gateways?

No, BGP is supported on Route-Based VPN gateways only.

Can I use private ASNs (Autonomous System Numbers)?

Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual networks.

Can I use 32-bit ASNs (Autonomous System Numbers)?

No, the Azure VPN Gateways support 16-bit ASNs today.

Are there ASNs reserved by Azure?

Yes, the following ASNs are reserved by Azure for both internal and external peerings:

  • Public ASNs: 8074, 8075, 12076
  • Private ASNs: 65515, 65517, 65518, 65519, 65520

You cannot specify these ASNs for your on-premises VPN devices when connecting to Azure VPN gateways.

Are there any other ASNs that I can't use?

Yes, the following ASNs are reserved by IANA and can't be configured on your Azure VPN Gateway:

23456, 64496-64511, 65535-65551 and 429496729

Can I use the same ASN for both on-premises VPN networks and Azure VNets?

No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are connecting them together with BGP. Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is enabled or not for your cross-premises connectivity. You can override this default by assigning a different ASN when creating the VPN gateway, or change the ASN after the gateway is created. You will need to assign your on-premises ASNs to the corresponding Azure Local Network Gateways.
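The ASN rules from the preceding answers (16-bit only, the Azure-reserved and IANA-reserved lists, and the requirement that the on-premises ASN differ from the gateway's) collected into one pre-flight check, as an added example that is not Azure's own validation. The reserved lists are exactly the ones printed in this FAQ, including the final IANA entry as it appears above (429496729); the gateway's real validation may reject further values, and a gateway override is checked here only against the constraints the FAQ states.

```python
"""ASN pre-flight checks for BGP on an Azure VPN Gateway (added example)."""
from typing import List, Optional

AZURE_RESERVED_PUBLIC = {8074, 8075, 12076}
AZURE_RESERVED_PRIVATE = {65515, 65517, 65518, 65519, 65520}
# IANA-reserved ASNs as listed in the FAQ (the last value copied as printed there)
IANA_RESERVED = {23456, 429496729} | set(range(64496, 64512)) | set(range(65535, 65552))
AZURE_DEFAULT_GATEWAY_ASN = 65515  # assigned to the gateway whether or not BGP is enabled


def is_16bit_asn(asn: int) -> bool:
    """Azure VPN Gateways accept 16-bit ASNs only; 32-bit ASNs are not supported."""
    return 1 <= asn <= 65535


def check_gateway_asn(requested: Optional[int] = None) -> int:
    """Return the ASN the gateway will use: the default, or a validated override.

    Only the constraints stated in the FAQ are applied to an override.
    """
    if requested is None:
        return AZURE_DEFAULT_GATEWAY_ASN
    if not is_16bit_asn(requested):
        raise ValueError(f"ASN {requested} is not a 16-bit ASN")
    if requested in IANA_RESERVED:
        raise ValueError(f"ASN {requested} is reserved by IANA")
    return requested


def check_on_prem_asn(asn: int, gateway_asn: int = AZURE_DEFAULT_GATEWAY_ASN) -> List[str]:
    """Problems with the ASN to configure on the Local Network Gateway for an on-prem peer."""
    problems: List[str] = []
    if not is_16bit_asn(asn):
        problems.append("not a 16-bit ASN")
    if asn in AZURE_RESERVED_PUBLIC or asn in AZURE_RESERVED_PRIVATE:
        problems.append("reserved by Azure for its own peerings")
    if asn in IANA_RESERVED:
        problems.append("reserved by IANA")
    if asn == gateway_asn:
        problems.append("same ASN as the Azure VPN gateway; BGP needs distinct ASNs")
    return problems


if __name__ == "__main__":
    gw = check_gateway_asn()            # 65515 unless overridden
    print(gw, check_on_prem_asn(65010, gw), check_on_prem_asn(65515, gw))
```

The typical mistake this catches is reusing 65515 on the on-premises side because it is "the Azure ASN": it fails twice, once as Azure-reserved and once as a collision with the gateway's own ASN.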

What address prefixes will Azure VPN gateways advertise to me?

Azure VPN gateway will advertise the following routes to your on-premises BGP devices:

  • Your VNet address prefixes
  • Address prefixes for each Local Network Gateway connected to the Azure VPN gateway
  • Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except the default route or routes that overlap with any VNet prefix.

How many prefixes can I advertise to Azure VPN gateway?

We support up to 4000 prefixes. The BGP session is dropped if the number of prefixes exceeds the limit.

Can I advertise the default route (0.0.0.0/0) to Azure VPN gateways?

Yes.

Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs from accepting public communication from the Internet directly, such as RDP or SSH from the Internet to the VMs.

Can I advertise the exact prefixes as my Virtual Network prefixes?

No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered by the Azure platform. However, you can advertise a prefix that is a superset of what you have inside your Virtual Network.

For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. But you cannot advertise 10.0.0.0/16 or 10.0.0.0/24.
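The advertisement rules from the last three answers (prefix limit, default route, and the superset-only rule) as an added example, not Azure's route filter: a prefix equal to or more specific than a VNet prefix is treated as filtered, a superset passes, a default route passes but is flagged because it pulls all VNet egress on-premises, and more than 4000 prefixes drops the session. Sample prefixes are constructed except the FAQ's 10.0.0.0/16 example.

```python
"""Evaluate prefixes an on-premises BGP peer plans to advertise to Azure (added example)."""
from ipaddress import ip_network
from typing import Dict, Iterable, List

MAX_ADVERTISED_PREFIXES = 4000


def classify_advertised_prefix(prefix: str, vnet_prefixes: Iterable[str]) -> str:
    """Return 'accepted', 'filtered' or 'default-route' for one advertised prefix."""
    net = ip_network(prefix, strict=True)
    if net.prefixlen == 0:
        return "default-route"
    for vnet in (ip_network(v, strict=True) for v in vnet_prefixes):
        # Equal to a VNet prefix, or inside one (10.0.0.0/24 vs 10.0.0.0/16),
        # is blocked by the platform; a superset such as 10.0.0.0/8 is not.
        if vnet.version == net.version and net.subnet_of(vnet):
            return "filtered"
    return "accepted"


def evaluate_advertisements(prefixes: List[str], vnet_prefixes: List[str]) -> Dict[str, object]:
    """Summarise what the gateway would do with a full advertisement set."""
    result: Dict[str, object] = {
        "accepted": [], "filtered": [],
        "session_dropped": False,        # prefix count above the 4000 limit
        "forces_egress_on_prem": False,  # a default route was advertised
    }
    if len(prefixes) > MAX_ADVERTISED_PREFIXES:
        result["session_dropped"] = True
        return result
    for p in prefixes:
        kind = classify_advertised_prefix(p, vnet_prefixes)
        if kind == "filtered":
            result["filtered"].append(p)
            continue
        result["accepted"].append(p)
        if kind == "default-route":
            result["forces_egress_on_prem"] = True
    return result


if __name__ == "__main__":
    # Constructed advertisement set against the FAQ's 10.0.0.0/16 VNet
    print(evaluate_advertisements(["10.0.0.0/8", "10.0.1.0/24", "0.0.0.0/0"], ["10.0.0.0/16"]))
```

The `forces_egress_on_prem` flag is worth surfacing in change review: once 0.0.0.0/0 is accepted, inbound RDP or SSH from the Internet to the VNet VMs stops working, which is often the intended hardening but is surprising when it arrives via a routing change.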

Can I use BGP with my VNet-to-VNet connections?

Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.

Can I mix BGP with non-BGP connections for my Azure VPN gateways?

Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.

Does Azure VPN gateway support BGP transit routing?

Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP on all intermediate VNet-to-VNet connections. For more information, see About BGP.

Can I have more than one tunnel between Azure VPN gateway and my on-premises network?

Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises network. Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN gateways and you must enable BGP on both tunnels.

For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30 for HighPerformance).

Can I have multiple tunnels between two Azure VNets with BGP?

Yes, but at least one of the virtual network gateways must be in active-active configuration.

Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co-existence configuration?

Yes.

What address does Azure VPN gateway use for BGP Peer IP?

The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual network. By default, it is the second-to-last address of the range. For example, if your GatewaySubnet is 10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway will be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.

What are the requirements for the BGP Peer IP addresses on my VPN device?

Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. Use a different IP address on the VPN device for your BGP Peer IP. It can be an address assigned to the loopback interface on the device, but please note that it cannot be an APIPA (169.254.x.x) address. Specify this address in the corresponding Local Network Gateway representing the location.

What should I specify as my address prefixes for the Local Network Gateway when I use BGP?

The Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. With BGP, you must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises network. If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. This is to ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.

What should I add to my on-premises VPN device for the BGP peering session?

You should add a host route for the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN tunnel. For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30" with a next-hop interface of the matching IPsec tunnel interface on your VPN device.
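The four BGP peering answers above (Azure peer IP from the GatewaySubnet, the on-premises peer IP restrictions, the /32 localNetworkAddressSpace, and the host route on the device) worked through in code, as an added example rather than anything from the Azure documentation or product. It uses the FAQ's own sample subnet and peer IP; the device public IP and the tunnel interface name are constructed, and `localNetworkAddressSpace` is the only real property name used.

```python
"""Derive BGP peering values for an Azure S2S VPN connection (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict

APIPA = ip_network("169.254.0.0/16")  # link-local range, not allowed as a peer IP


def azure_bgp_peer_ip(gateway_subnet: str) -> str:
    """Default BGP peer IP on the Azure VPN gateway for the given GatewaySubnet.

    Azure takes the second-to-last address of the range; with ipaddress the
    last element of the network is the broadcast address, so index -2 is it.
    """
    net = ip_network(gateway_subnet, strict=True)
    return str(net[-2])


def local_network_gateway_address_space(bgp_peer_ip: str, device_public_ip: str) -> str:
    """The /32 host prefix to set as localNetworkAddressSpace for the on-prem peer.

    Rejects the two values the FAQ rules out: the device's own public IP and
    any APIPA address.
    """
    peer = ip_address(bgp_peer_ip)
    if peer == ip_address(device_public_ip):
        raise ValueError("BGP peer IP must differ from the VPN device's public IP")
    if peer in APIPA:
        raise ValueError("BGP peer IP cannot be an APIPA (169.254.x.x) address")
    return f"{peer}/32"


def on_prem_host_route(gateway_subnet: str, tunnel_interface: str) -> Dict[str, str]:
    """Host route the on-prem device needs so the BGP session rides inside the tunnel."""
    return {
        "prefix": f"{azure_bgp_peer_ip(gateway_subnet)}/32",
        "next_hop_interface": tunnel_interface,
    }


if __name__ == "__main__":
    # Sample values: GatewaySubnet and peer IP from the FAQ; the rest constructed
    print(azure_bgp_peer_ip("10.12.255.0/27"))
    print(local_network_gateway_address_space("10.52.255.254", "203.0.113.10"))
    print(on_prem_host_route("10.12.255.0/27", "Tunnel1"))
```

A useful operational check is to compare `azure_bgp_peer_ip()` with the BGP peer address the gateway actually reports when you list its details; a mismatch usually means a custom BGP peering address was configured on the gateway and the device-side host route must follow it.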

Cross-premises connectivity and VMs

If my virtual machine is in a virtual network and I have a cross-premises connection, how should I connect to the VM?

You have a few options. If you have RDP enabled for your VM, you can connect to your virtual machine by using the private IP address. In that case, you would specify the private IP address and the port that you want to connect to (typically 3389). You'll need to configure the port on your virtual machine for the traffic.

You can also connect to your virtual machine by private IP address from another virtual machine that's located on the same virtual network. You can't RDP to your virtual machine by using the private IP address if you are connecting from a location outside of your virtual network. For example, if you have a Point-to-Site virtual network configured and you don't establish a connection from your computer, you can't connect to the virtual machine by private IP address.

If my virtual machine is in a virtual network with cross-premises connectivity, does all the traffic from my VM go through that connection?

No. Only the traffic that has a destination IP that is contained in the virtual network Local Network IP address ranges that you specified will go through the virtual network gateway. Traffic that has a destination IP located within the virtual network stays within the virtual network. Other traffic is sent through the load balancer to the public networks, or, if forced tunneling is used, sent through the Azure VPN gateway.

How do I troubleshoot an RDP connection to a VM?

If you are having trouble connecting to a virtual machine over your VPN connection, check the following:

  • Verify that your VPN connection is successful.
  • Verify that you are connecting to the private IP address for the VM.
  • If you can connect to the VM using the private IP address, but not the computer name, verify that you have configured DNS properly. For more information about how name resolution works for VMs, see Name Resolution for VMs.

When you connect over Point-to-Site, check the following additional items:

  • Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your address space overlaps in this way, the network traffic doesn't reach Azure; it stays on the local network.
  • Verify that the VPN client configuration package was generated after the DNS server IP addresses were specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client configuration package.

For more information about troubleshooting an RDP connection, see Troubleshoot Remote Desktop connections to a VM.

Virtual Network FAQ

You can view additional virtual network information in the Virtual Network FAQ.

Next steps