
Configure a Site-to-Site VPN for use with Azure Files

You can use a Site-to-Site (S2S) VPN connection to mount your Azure file shares over SMB from your on-premises network, without opening up port 445. You can set up a Site-to-Site VPN using Azure VPN Gateway, which is an Azure resource offering VPN services, and is deployed in a resource group alongside storage accounts or other Azure resources.

Topology diagram: Azure VPN Gateway connecting an Azure file share to an on-premises site over an S2S VPN.

We strongly recommend that you read the Azure Files networking overview before continuing with this how-to article, for a complete discussion of the networking options available for Azure Files.

This article details the steps to configure a Site-to-Site VPN to mount Azure file shares directly on-premises. If you're looking to route sync traffic for Azure File Sync over a Site-to-Site VPN, please see configuring Azure File Sync proxy and firewall settings.

Prerequisites

  • An Azure file share you would like to mount on-premises. Azure file shares are deployed within storage accounts, which are management constructs that represent a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues. You can learn more about how to deploy Azure file shares and storage accounts in Create an Azure file share.

  • A private endpoint for the storage account containing the Azure file share you want to mount on-premises. To learn more about how to create a private endpoint, see Configuring Azure Files network endpoints.

  • A network appliance or server in your on-premises datacenter that is compatible with Azure VPN Gateway. Azure Files is agnostic of the on-premises network appliance chosen, but Azure VPN Gateway maintains a list of tested devices. Different network appliances offer different features, performance characteristics, and management functionalities, so consider these when selecting a network appliance.

    If you do not have an existing network appliance, Windows Server contains a built-in Server Role, Routing and Remote Access (RRAS), which may be used as the on-premises network appliance. To learn more about how to configure Routing and Remote Access in Windows Server, see RAS Gateway.

Add storage account to VNet

In the Azure portal, navigate to the storage account containing the Azure file share you would like to mount on-premises. In the table of contents for the storage account, select the Firewalls and virtual networks entry. Unless you added a virtual network to your storage account when you created it, the resulting pane should have the Allow access from radio button set to All networks.

To add your storage account to the desired virtual network, select Selected networks. Under the Virtual networks subheading, click either + Add existing virtual network or + Add new virtual network, depending on the desired state. Creating a new virtual network will result in a new Azure resource being created. The new or existing VNet resource does not need to be in the same resource group or subscription as the storage account; however, it must be in the same region as the storage account, and the resource group and subscription you deploy your VNet into must match the ones you will deploy your VPN Gateway into.

Screenshot of the Azure portal showing the options to add an existing or a new virtual network to the storage account.

If you add an existing virtual network, you will be asked to select one or more subnets of that virtual network to which the storage account should be added. If you select a new virtual network, you will create a subnet as part of the creation of the virtual network, and you can add more later through the resulting Azure resource for the virtual network.

If you have not added a storage account to your subscription before, the Microsoft.Storage service endpoint will need to be added to the virtual network. This may take some time, and until this operation has completed, you will not be able to access the Azure file shares within that storage account, including via the VPN connection.

Deploy an Azure VPN Gateway

In the table of contents for the Azure portal, select Create a new resource and search for Virtual network gateway. Your virtual network gateway must be in the same subscription, Azure region, and resource group as the virtual network you deployed in the previous step (note that the resource group is automatically selected when the virtual network is picked).

For the purposes of deploying an Azure VPN Gateway, you must populate the following fields:

  • Name: The name of the Azure resource for the VPN Gateway. This name may be any name you find useful for your management.
  • Region: The region into which the VPN Gateway will be deployed.
  • Gateway type: For the purpose of deploying a Site-to-Site VPN, you must select VPN.
  • VPN type: You may choose either Route-based or Policy-based depending on your VPN device. Route-based VPNs support IKEv2, while policy-based VPNs only support IKEv1. To learn more about the two types of VPN gateways, see About policy-based and route-based VPN gateways.
  • SKU: The SKU controls the number of allowed Site-to-Site tunnels and the desired performance of the VPN. To select the appropriate SKU for your use case, consult the Gateway SKU listing. The SKU of the VPN Gateway may be changed later if necessary.
  • Virtual network: The virtual network you created in the previous step.
  • Public IP address: The IP address of the VPN Gateway that will be exposed to the internet. Most likely you will need to create a new IP address; however, you may also use an existing unused IP address if that is appropriate. If you select Create new, a new IP address Azure resource will be created in the same resource group as the VPN Gateway, and the Public IP address name will be the name of the newly created IP address. If you select Use existing, you must select the existing unused IP address.
  • Enable active-active mode: Only select Enabled if you are creating an active-active gateway configuration; otherwise leave Disabled selected. To learn more about active-active mode, see Highly available cross-premises and VNet-to-VNet connectivity.
  • Configure BGP ASN: Only select Enabled if your configuration specifically requires this setting. To learn more about this setting, see About BGP with Azure VPN Gateway.

Select Review + create to create the VPN Gateway. A VPN Gateway may take up to 45 minutes to fully create and deploy.

Create a local network gateway for your on-premises gateway

A local network gateway is an Azure resource that represents your on-premises network appliance. In the table of contents for the Azure portal, select Create a new resource and search for local network gateway. The local network gateway is an Azure resource that will be deployed alongside your storage account, virtual network, and VPN Gateway, but it does not need to be in the same resource group or subscription as the storage account.

For the purposes of deploying the local network gateway resource, you must populate the following fields:

  • Name: The name of the Azure resource for the local network gateway. This name may be any name you find useful for your management.
  • IP address: The public IP address of your local gateway on-premises.
  • Address space: The address ranges for the network this local network gateway represents. You can add multiple address space ranges, but make sure that the ranges you specify here do not overlap with the ranges of other networks that you want to connect to.
  • Configure BGP settings: Only configure BGP settings if your configuration requires them. To learn more about this setting, see About BGP with Azure VPN Gateway.
  • Subscription: The desired subscription. This does not need to match the subscription used for the VPN Gateway or the storage account.
  • Resource group: The desired resource group. This does not need to match the resource group used for the VPN Gateway or the storage account.
  • Location: The Azure region in which the local network gateway resource should be created. This should match the region you selected for the VPN Gateway and the storage account.

Select Create to create the local network gateway resource.

Configure on-premises network appliance

The specific steps to configure your on-premises network appliance depend on the network appliance your organization has selected. Depending on the device your organization has chosen, the list of tested devices may link out to your device vendor's instructions for configuring it with Azure VPN Gateway.

Create the Site-to-Site connection

To complete the deployment of an S2S VPN, you must create a connection between your on-premises network appliance (represented by the local network gateway resource) and the VPN Gateway. To do this, navigate to the VPN Gateway you created above. In the table of contents for the VPN Gateway, select Connections, and click Add. The resulting Add connection pane requires the following fields:

  • Name: The name of the connection. A VPN Gateway can host multiple connections, so pick a name helpful for your management that will distinguish this particular connection.
  • Connection type: Since this is an S2S connection, select Site-to-site (IPSec) in the drop-down list.
  • Virtual network gateway: This field is auto-selected to the VPN Gateway you're making the connection to and can't be changed.
  • Local network gateway: This is the local network gateway you want to connect to your VPN Gateway. The resulting selection pane should have the name of the local network gateway you created above.
  • Shared key (PSK): A mixture of letters and numbers, used to establish encryption for the connection. The same shared key must be used in both the virtual network and local network gateways. If your gateway device doesn't provide one, you can make one up here and provide it to your device.

Select OK to create the connection. You can verify that the connection has been made successfully through the Connections page.
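The same Azure-side steps (service endpoint and storage firewall rule, VPN Gateway, local network gateway, and the IPsec connection) scripted with the Az PowerShell module, as an added example that is not part of the original article. It assumes the VNet already contains a workload subnet named snet-files and a GatewaySubnet; every name, region and address range below is a constructed placeholder.

```powershell
# Added example (not from the article): the portal steps above, done with the Az PowerShell module.
# Names, the region, the on-premises public IP (203.0.113.10, a documentation range) and the
# address spaces are constructed placeholders; replace them with your own values.
$rg       = 'rg-files-vpn'        # resource group shared by VNet, VPN Gateway and local network gateway
$location = 'westeurope'          # must match the storage account's region
$vnetName = 'vnet-files'
$saName   = 'stfilesexample'      # storage account holding the file share

# 1. Add the storage account to the VNet: enable the Microsoft.Storage service endpoint on the
#    workload subnet, allow that subnet in the account's firewall, then deny everything else.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-files' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name 'snet-files' -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet          # commits the subnet change
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'snet-files' -VirtualNetwork $vnet
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $saName `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName -DefaultAction Deny | Out-Null

# 2. Deploy the VPN Gateway (route-based, so IKEv2) into the GatewaySubnet with a new public IP.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnet.Id `
    -PublicIpAddressId $pip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'vpngw-files' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1   # up to 45 min

# 3. Local network gateway: the appliance's public IP and the on-premises address space,
#    which must not overlap the VNet's address space.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'

# 4. Site-to-Site (IPsec) connection. The PSK is prompted for rather than stored in the script;
#    the identical key must be configured on the on-premises appliance.
$psk      = Read-Host -Prompt 'Shared key (PSK)' -AsSecureString
$pskPlain = [System.Net.NetworkCredential]::new('', $psk).Password
New-AzVirtualNetworkGatewayConnection -Name 'conn-onprem' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $pskPlain | Out-Null

# Equivalent of checking the Connections page: expect 'Connected' once the appliance side is up.
(Get-AzVirtualNetworkGatewayConnection -Name 'conn-onprem' -ResourceGroupName $rg).ConnectionStatus
```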

Mount Azure file share

The final step in configuring an S2S VPN is verifying that it works for Azure Files. You can do this by mounting your Azure file share on-premises with your preferred OS. See the instructions to mount by OS here:
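For a Windows client on-premises, the verification described above as an added example (not from the article): confirm the tunnel is up on the Azure side, confirm TCP 445 to the share is reachable through the tunnel rather than the internet, then mount. The resource group, account, share name and connection name are constructed placeholders, and the share's FQDN is assumed to resolve on-premises to the private endpoint's private IP.

```powershell
# Added example (not from the article). Placeholders: rg-files-vpn, stfilesexample, myshare, conn-onprem.
$rg     = 'rg-files-vpn'
$saName = 'stfilesexample'
$share  = 'myshare'
$fqdn   = "$saName.file.core.windows.net"   # assumed to resolve to the private endpoint IP on-premises

# 1. Azure side: the connection must report Connected before any SMB traffic can flow.
$conn = Get-AzVirtualNetworkGatewayConnection -Name 'conn-onprem' -ResourceGroupName $rg
if ($conn.ConnectionStatus -ne 'Connected') {
    throw "Tunnel status is '$($conn.ConnectionStatus)'; check the PSK and the on-premises appliance."
}

# 2. Client side: SMB uses TCP 445, which is not open to the internet for Azure Files over a
#    private endpoint. Success here means the packet went over the tunnel to the private IP.
$probe = Test-NetConnection -ComputerName $fqdn -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn ($($probe.RemoteAddress)) failed; traffic is not traversing the VPN."
}
Write-Host "445 reachable at $($probe.RemoteAddress) (expect a private address, not a public one)"

# 3. Mount with the storage account key fetched from Azure at run time (never hard-coded) and
#    persist the credential so the drive survives reboots.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
cmdkey.exe /add:$fqdn /user:"AZURE\$saName" /pass:$key | Out-Null
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fqdn\$share" -Persist
```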

See also