
Automation guidelines for Virtual WAN partners

This article helps you understand how to set up the automation environment to connect and configure a branch device (a customer on-premises VPN device or SD-WAN CPE) for Azure Virtual WAN. If you are a provider of branch devices that can accommodate VPN connectivity over IPsec/IKEv2 or IPsec/IKEv1, this article is for you.

A branch device (a customer on-premises VPN device or SD-WAN CPE) is typically provisioned through a controller or device dashboard. SD-WAN solution administrators can often use a management console to pre-provision a device before it is plugged into the network. This VPN-capable device gets its control-plane logic from a controller. The VPN device or SD-WAN controller can use Azure APIs to automate connectivity to Azure Virtual WAN. This type of connection requires the on-premises device to have an externally facing public IP address assigned to it.

Before you begin automating

  • Verify that your device supports IPsec IKEv1/IKEv2. See the default policies for IPsec connectivity below.

  • Review the REST APIs that you use to automate connectivity to Azure Virtual WAN.

  • Test the portal experience of Azure Virtual WAN.

  • Then decide which parts of the connectivity steps you want to automate. At a minimum, we recommend automating:

    • Access control
    • Upload of branch device information into Azure Virtual WAN
    • Download of the Azure configuration and setup of connectivity from the branch device into Azure Virtual WAN

Additional information

Customer experience

Understand the expected customer experience in conjunction with Azure Virtual WAN.

  1. Typically, a Virtual WAN user starts the process by creating a Virtual WAN resource.
  2. The user sets up service principal-based access to the resource group for the on-premises system (your branch controller or VPN device provisioning software), so that it can write branch information into Azure Virtual WAN.
  3. The user may decide at this point to log into your UI and enter the service principal credentials. Once that is complete, your controller should be able to upload branch information with the automation you provide. The manual equivalent of this on the Azure side is 'Create Site'.
  4. Once the site (branch device) information is available in Azure, the user connects the site to a hub. A virtual hub is a Microsoft-managed virtual network. The hub contains various service endpoints to enable connectivity from your on-premises network (vpnsite). The hub is the core of your network in a region. There can only be one hub per Azure region, and the VPN endpoint (vpngateway) inside it is created during this process. The VPN gateway is a scalable gateway that is sized according to bandwidth and connection needs. You may choose to automate virtual hub and vpngateway creation from your branch device controller dashboard.
  5. Once the virtual hub is associated with the site, a configuration file is generated for the user to download manually. This is where your automation comes in and makes the user experience seamless. Instead of the user having to download the file and configure the branch device by hand, your UI can apply the configuration with minimal click-through, which removes typical connectivity problems such as shared-key mismatches, IPsec parameter mismatches, and configuration-file readability issues.
  6. At the end of this step in your solution, the user has a seamless site-to-site connection between the branch device and the virtual hub. You can also set up additional connections to other hubs. Each connection consists of two tunnels in an active-active configuration. Your customer may choose to use a different ISP for each of the tunnel's links.
  7. Consider providing troubleshooting and monitoring capabilities in the CPE management interface. Typical scenarios include "Customer cannot reach Azure resources because of a CPE issue" and "Show the IPsec parameters on the CPE side".

Automation details

Access control

Customers must be able to set up appropriate access control for Virtual WAN in the device UI. We recommend using an Azure service principal. Service principal-based access gives the device controller the authentication it needs to upload branch information. For more information, see Create service principal. Although this functionality is outside the Azure Virtual WAN offering, the typical steps to set up access in Azure are listed below; the resulting details are then entered into the device management dashboard.

  • Create an Azure Active Directory application for your on-premises device controller.
  • Get the application ID and authentication key.
  • Get the tenant ID.
  • Assign the application the Contributor role. Scope the assignment to the resource group that holds the Virtual WAN resources rather than to the whole subscription, so that a leaked controller credential cannot modify unrelated resources.

Upload branch device information

You should design the user experience for uploading branch (on-premises site) information to Azure. You can use the REST APIs for VPNSite to create the site information in Virtual WAN. You can upload all branch SD-WAN/VPN devices, or let the user select devices and customize them as appropriate.

Device configuration download and connectivity

This step involves downloading the Azure configuration and setting up connectivity from the branch device into Azure Virtual WAN. A customer who is not using a provider would download the Azure configuration manually and apply it to their on-premises SD-WAN/VPN device. As a provider, you should automate this step. See the download REST APIs for additional information. The device controller can call the 'GetVpnConfiguration' REST API to download the Azure configuration.
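The three steps this article recommends automating (service-principal access, site upload, configuration download), as an added example written for this page; it is not Azure or vendor SDK code. All HTTP goes through an injectable `send(method, url, payload, token) -> (status, text)` callable, so the flow runs offline against the StubSender at the bottom; a production sender would form-encode `payload` for the token endpoint and JSON-encode it for Azure Resource Manager. The `API_VERSION` value, the vpnSites body and the vpnConfiguration request body are assumptions to verify against the current REST reference.

```python
"""Service-principal token, 'Create Site' upload, configuration download (added example)."""
import json
from dataclasses import dataclass

ARM = "https://management.azure.com"
API_VERSION = "2020-05-01"   # assumption: a Microsoft.Network api-version that has vpnSites
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


@dataclass
class SpCredential:
    tenant_id: str
    client_id: str
    client_secret: str   # lives in the controller's secret store, never in the site record


def get_token(cred, send):
    """OAuth 2.0 client-credentials grant for the ARM audience (access-control step)."""
    form = {"grant_type": "client_credentials", "client_id": cred.client_id,
            "client_secret": cred.client_secret, "scope": ARM + "/.default"}
    status, text = send("POST", TOKEN_URL.format(tenant=cred.tenant_id), form, None)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(text)["access_token"]


def vpn_site_body(location, wan_id, public_ip, address_prefixes, vendor, model):
    """Body for PUT .../vpnSites/{name}: the API equivalent of 'Create Site' (field names assumed)."""
    return {"location": location,
            "properties": {"virtualWan": {"id": wan_id},
                           "ipAddress": public_ip,
                           "addressSpace": {"addressPrefixes": list(address_prefixes)},
                           "deviceProperties": {"deviceVendor": vendor, "deviceModel": model}}}


def create_site(token, sub, rg, site_name, body, send):
    """Upload the branch device information. Returns the site's resource ID."""
    url = (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network"
           f"/vpnSites/{site_name}?api-version={API_VERSION}")
    status, text = send("PUT", url, body, token)
    if status not in (200, 201):
        raise RuntimeError(f"create site failed with HTTP {status}")
    return json.loads(text)["id"]


def download_configuration(token, sub, rg, wan_name, site_ids, sas_url, send):
    """Ask Azure to write the device configuration to the blob named by sas_url, then read it.
    The SAS URL is a bearer secret and the file holds PSKs: handle both as credentials."""
    url = (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Network"
           f"/virtualWans/{wan_name}/vpnConfiguration?api-version={API_VERSION}")
    status, _ = send("POST", url, {"vpnSites": list(site_ids), "outputBlobSasUrl": sas_url}, token)
    if status not in (200, 202):
        raise RuntimeError(f"configuration request failed with HTTP {status}")
    # A real client polls the async operation (Location / Azure-AsyncOperation header)
    # before reading the blob; the stub completes synchronously.
    status, text = send("GET", sas_url, None, None)
    if status != 200 or not text:
        raise RuntimeError(f"configuration blob not ready (HTTP {status})")
    return text


def onboard_site(cred, sub, rg, wan_name, site_name, site_body, sas_url, send):
    """Full flow a controller runs when a branch is added."""
    token = get_token(cred, send)
    site_id = create_site(token, sub, rg, site_name, site_body, send)
    return site_id, download_configuration(token, sub, rg, wan_name, [site_id], sas_url, send)


class StubSender:
    """Constructed offline stand-in for an HTTPS client; records calls and answers canned."""
    def __init__(self, config_text):
        self.calls, self.config_text = [], config_text

    def __call__(self, method, url, payload, token):
        self.calls.append((method, url, payload, token))
        if url.startswith("https://login.microsoftonline.com/"):
            return 200, json.dumps({"access_token": "stub-token", "expires_in": 3599})
        if url.startswith(ARM) and token != "stub-token":
            return 401, "{}"                     # ARM rejects calls without a valid bearer token
        if method == "PUT" and "/vpnSites/" in url:
            site_id = url.split("?")[0][len(ARM):]
            return 201, json.dumps({"id": site_id, "name": site_id.rsplit("/", 1)[-1]})
        if method == "POST" and url.endswith(f"/vpnConfiguration?api-version={API_VERSION}"):
            return 202, ""
        if method == "GET" and url.startswith("https://example.blob.core.windows.net/"):
            return 200, self.config_text
        return 404, "{}"
```

Keeping the transport injectable also lets you record every management-plane call the controller makes, which is the audit trail you want for a credential that holds Contributor on the Virtual WAN resource group.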

Configuration notes

  • If Azure VNets are attached to the virtual hub, they appear as ConnectedSubnets.
  • VPN connectivity uses route-based configuration and supports both the IKEv1 and IKEv2 protocols.

Device configuration file

The device configuration file contains the settings to use when configuring your on-premises VPN device. When you view this file, notice the following information:

  • vpnSiteConfiguration - This section describes the device that was set up as a site connecting to the Virtual WAN. It includes the name and public IP address of the branch device.

  • vpnSiteConnections - This section provides the following information:

    • Address space of the virtual hub VNet.
      Example:

      "AddressSpace":"10.1.0.0/24"

    • Address spaces of the VNets that are connected to the hub.
      Example:

      "ConnectedSubnets":["10.2.0.0/16","10.3.0.0/16"]

    • IP addresses of the virtual hub vpngateway. Each connection to the vpngateway consists of two tunnels in an active-active configuration, so both IP addresses are listed in this file. In this example, you see "Instance0" and "Instance1" for each site.
      Example:

      "Instance0":"104.45.18.186"
      "Instance1":"104.45.13.195"

    • Vpngateway connection configuration details such as BGP, the pre-shared key, and so on. The PSK is the pre-shared key that is generated for you automatically. You can always edit the connection on the Overview page to set a custom PSK. Because the file carries the PSK of every connection, store and transmit it as you would any other credential.

Example device configuration file

The file is a JSON array with one entry per site. In this example, three sites connect to the same hub in West Europe; only the first site's hub has VNets connected to it.

[
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "r403583d-9c82-4cb8-8570-1cbbcd9983b5"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite1",
      "IPAddress": "73.239.3.208"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe",
          "ConnectedSubnets": [
            "10.2.0.0/16",
            "10.3.0.0/16"
          ]
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.186",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "1f33f891-e1ab-42b8-8d8c-c024d337bcac"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite2",
      "IPAddress": "66.193.205.122"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
      "Version": "cd1e4a23-96bd-43a9-93b5-b51c2a945c7"
    },
    "vpnSiteConfiguration": {
      "Name": "testsite3",
      "IPAddress": "182.71.123.228"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.1.0.0/24",
          "Region": "West Europe"
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "104.45.18.187",
            "Instance1": "104.45.13.195"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "YLkSdSYd4wjjEThR3aIxaXaqNdxUwSo9",
          "IPsecParameters": {
            "SADataSizeInKilobytes": 102400000,
            "SALifeTimeInSeconds": 3600
          }
        }
      }
    ]
  }
]
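How a controller would consume the file above, as an added example written for this page (not code from the Azure documentation or from any CPE vendor): it parses the documented fields into one record per tunnel (two per connection, one per gateway instance), derives the remote prefixes each site must route into its tunnels, rejects files whose addresses are not public or that lack a gateway instance, and produces a loggable view with the PSK redacted. `SAMPLE_CONFIG` is constructed here with the same shape and field names as the article's example; the `Tunnel` record and the function names are this example's own.

```python
"""Per-tunnel settings from a Virtual WAN device configuration file (added example)."""
import ipaddress
import json
from dataclasses import asdict, dataclass

# Constructed sample with the article's field names: two sites, one hub in West Europe.
SAMPLE_CONFIG = json.dumps([
    {
        "configurationVersion": {"LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
                                 "Version": "r403583d-9c82-4cb8-8570-1cbbcd9983b5"},
        "vpnSiteConfiguration": {"Name": "testsite1", "IPAddress": "73.239.3.208"},
        "vpnSiteConnections": [{
            "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe",
                                 "ConnectedSubnets": ["10.2.0.0/16", "10.3.0.0/16"]},
            "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.186",
                                                     "Instance1": "104.45.13.195"}},
            "connectionConfiguration": {"IsBgpEnabled": False,
                                        "PSK": "bkOWe5dPPqkx0DfFE3tyuP7y3oYqAEbI",
                                        "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                            "SALifeTimeInSeconds": 3600}},
        }],
    },
    {   # second site: no VNets connected yet, and a stray space in the name (seen in real files)
        "configurationVersion": {"LastUpdatedTime": "2018-07-03T18:29:49.8405161Z",
                                 "Version": "1f33f891-e1ab-42b8-8d8c-c024d337bcac"},
        "vpnSiteConfiguration": {"Name": " testsite2", "IPAddress": "66.193.205.122"},
        "vpnSiteConnections": [{
            "hubConfiguration": {"AddressSpace": "10.1.0.0/24", "Region": "West Europe"},
            "gatewayConfiguration": {"IpAddresses": {"Instance0": "104.45.18.187",
                                                     "Instance1": "104.45.13.195"}},
            "connectionConfiguration": {"IsBgpEnabled": False,
                                        "PSK": "XzODPyAYQqFs4ai9WzrJour0qLzeg7Qg",
                                        "IPsecParameters": {"SADataSizeInKilobytes": 102400000,
                                                            "SALifeTimeInSeconds": 3600}},
        }],
    },
])


@dataclass(frozen=True)
class Tunnel:
    site: str
    local_public_ip: str
    region: str
    instance: str               # "Instance0" or "Instance1": the two active-active tunnels
    remote_gateway_ip: str
    remote_prefixes: tuple      # hub address space first, then the connected VNets
    psk: str
    bgp_enabled: bool
    sa_lifetime_seconds: int
    sa_data_kilobytes: int


def _public_ip(text, what):
    ip = ipaddress.ip_address(text)
    if not ip.is_global:        # both ends must be externally reachable addresses
        raise ValueError(f"{what} {text} is not a public address")
    return str(ip)


def parse_device_config(text):
    """Return one Tunnel per (site, connection, gateway instance)."""
    tunnels = []
    for entry in json.loads(text):
        site = entry["vpnSiteConfiguration"]
        name = site["Name"].strip()
        local_ip = _public_ip(site["IPAddress"], "site IP")
        for conn in entry["vpnSiteConnections"]:
            hub = conn["hubConfiguration"]
            prefixes = tuple(str(ipaddress.ip_network(p))
                             for p in [hub["AddressSpace"], *hub.get("ConnectedSubnets", [])])
            instances = conn["gatewayConfiguration"]["IpAddresses"]
            if set(instances) != {"Instance0", "Instance1"}:
                raise ValueError(f"{name}: expected Instance0 and Instance1, got {sorted(instances)}")
            cc = conn["connectionConfiguration"]
            ipsec = cc["IPsecParameters"]
            for instance, gw_ip in sorted(instances.items()):
                tunnels.append(Tunnel(name, local_ip, hub["Region"], instance,
                                      _public_ip(gw_ip, "gateway IP"), prefixes, cc["PSK"],
                                      bool(cc["IsBgpEnabled"]), int(ipsec["SALifeTimeInSeconds"]),
                                      int(ipsec["SADataSizeInKilobytes"])))
    return tunnels


def routes_for_site(tunnels, site):
    """Distinct remote prefixes the site must steer into its tunnels, in file order."""
    seen = []
    for t in tunnels:
        if t.site == site:
            for prefix in t.remote_prefixes:
                if prefix not in seen:
                    seen.append(prefix)
    return seen


def redact(tunnel):
    """Loggable view of a tunnel: the PSK is a credential, so only its length survives."""
    view = asdict(tunnel)
    view["psk"] = f"<redacted {len(tunnel.psk)} chars>"
    return view
```

Feed the output of `parse_device_config` to whatever renders your device's native IPsec configuration, and log only `redact(tunnel)`; a controller that logs the raw file leaks every branch's PSK into its log pipeline.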

Connectivity details

Your on-premises SD-WAN/VPN device configuration must match, or include, the following algorithms and parameters, which you specify in the Azure IPsec/IKE policy.

  • IKE encryption algorithm
  • IKE integrity algorithm
  • DH group
  • IPsec encryption algorithm
  • IPsec integrity algorithm
  • PFS group

Default policies for IPsec connectivity

Note

When working with the default policies, Azure can act as both initiator and responder during IPsec tunnel setup; there is no mode in which Azure is a responder only, so your device must be able to negotiate in both directions. All default Phase-1 combinations use DH group 2 and several use SHA1; if you need stronger parameters, use a custom policy (see below).

Initiator

The following lists give the supported policy combinations when Azure is the initiator for the tunnel.

Phase-1 (IKE encryption, IKE integrity, DH group)

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2 (IPsec encryption, IPsec integrity, PFS group)

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE

Responder

The following lists give the supported policy combinations when Azure is the responder for the tunnel.

Phase-1 (IKE encryption, IKE integrity, DH group)

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2 (IPsec encryption, IPsec integrity, PFS group)

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE
  • AES_256, SHA_1, PFS_1
  • AES_256, SHA_1, PFS_2
  • AES_256, SHA_1, PFS_14
  • AES_128, SHA_1, PFS_1
  • AES_128, SHA_1, PFS_2
  • AES_128, SHA_1, PFS_14
  • AES_256, SHA_256, PFS_1
  • AES_256, SHA_256, PFS_2
  • AES_256, SHA_256, PFS_14
  • AES_256, SHA_1, PFS_24
  • AES_256, SHA_256, PFS_24
  • AES_128, SHA_256, PFS_NONE
  • AES_128, SHA_256, PFS_1
  • AES_128, SHA_256, PFS_2
  • AES_128, SHA_256, PFS_14
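A check of a CPE's proposals against both default-policy tables, as an added example written for this page (not Azure code). The point it makes explicit is the asymmetry above: a CPE that only offers PFS in Phase-2 can bring the tunnel up when it initiates (Azure as responder accepts PFS_1/2/14/24) but not when Azure initiates (Azure only proposes PFS_NONE), and since Azure may do either, such a configuration is fragile. The tables are transcribed from the lists above with the article's own spellings (Phase-1 writes SHA1, Phase-2 writes SHA_1); the function names are this example's own.

```python
"""Default-policy compatibility in both setup directions (added example)."""

# Tuples are (encryption, integrity, DH or PFS group), as in the article's lists.
DEFAULT_P1 = frozenset({          # identical whether Azure initiates or responds
    ("AES_256", "SHA1", "DH_GROUP_2"), ("AES_256", "SHA_256", "DH_GROUP_2"),
    ("AES_128", "SHA1", "DH_GROUP_2"), ("AES_128", "SHA_256", "DH_GROUP_2"),
})
AZURE_INITIATOR_P1 = DEFAULT_P1
AZURE_RESPONDER_P1 = DEFAULT_P1

# What Azure proposes when it starts the tunnel: PFS is never requested.
AZURE_INITIATOR_P2 = frozenset({
    ("GCM_AES_256", "GCM_AES_256", "PFS_NONE"), ("AES_256", "SHA_1", "PFS_NONE"),
    ("AES_256", "SHA_256", "PFS_NONE"), ("AES_128", "SHA_1", "PFS_NONE"),
})
# What Azure accepts when the CPE starts the tunnel: the article's 19 combinations,
# i.e. every AES/SHA pair with PFS none/1/2/14, plus PFS_24 for AES_256, plus GCM.
AZURE_RESPONDER_P2 = frozenset(
    {(enc, integ, pfs) for enc in ("AES_256", "AES_128") for integ in ("SHA_1", "SHA_256")
     for pfs in ("PFS_NONE", "PFS_1", "PFS_2", "PFS_14")}
    | {("AES_256", "SHA_1", "PFS_24"), ("AES_256", "SHA_256", "PFS_24"),
       ("GCM_AES_256", "GCM_AES_256", "PFS_NONE")}
)

WEAK = ("SHA1", "SHA_1", "PFS_1", "PFS_2", "DH_GROUP_2")   # SHA-1; 768/1024-bit MODP groups


def check_default_policy(device_p1, device_p2):
    """device_p1 / device_p2: the Phase-1 and Phase-2 combinations the CPE is configured with.
    Azure may initiate or respond (there is no responder-only mode), so the CPE config is
    only robust if a common combination exists in both directions."""
    p1, p2 = set(device_p1), set(device_p2)
    result = {
        "cpe_initiates": bool(p1 & AZURE_RESPONDER_P1) and bool(p2 & AZURE_RESPONDER_P2),
        "azure_initiates": bool(p1 & AZURE_INITIATOR_P1) and bool(p2 & AZURE_INITIATOR_P2),
    }
    result["robust"] = result["cpe_initiates"] and result["azure_initiates"]
    return result


def weak_choices(device_p1, device_p2):
    """Weak parameters present in the proposals, in first-seen order. Every default Phase-1
    combination uses DH group 2, so stronger key exchange requires a custom policy."""
    found = []
    for combo in list(device_p1) + list(device_p2):
        for param in combo:
            if param in WEAK and param not in found:
                found.append(param)
    return found
```

Run `check_default_policy` over the proposal set your controller is about to push; if `robust` is false, add a PFS_NONE Phase-2 combination (or move the customer to a custom policy) before the first rekey surprises them.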

Custom policies for IPsec connectivity

When working with custom IPsec policies, keep in mind the following requirements:

  • IKE - For IKE, you can select any parameter from IKE Encryption, plus any parameter from IKE Integrity, plus any parameter from DH Group.
  • IPsec - For IPsec, you can select any parameter from IPsec Encryption, plus any parameter from IPsec Integrity, plus PFS. If the parameter for either IPsec Encryption or IPsec Integrity is GCM, then the parameters for both settings must be GCM.

Note

With custom IPsec policies, there is no concept of responder and initiator (unlike the default IPsec policies). Both sides (on-premises and the Azure VPN gateway) use the same settings for IKE Phase 1 and IKE Phase 2. Both the IKEv1 and IKEv2 protocols are supported. There is no mode in which Azure is a responder only.

Available settings and parameters

Setting             Parameters
IKE Encryption      AES256, AES192, AES128
IKE Integrity       SHA384, SHA256, SHA1
DH Group            DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2
IPsec Encryption    GCMAES256, GCMAES192, GCMAES128, AES256, AES192, AES128
IPsec Integrity     GCMAES256, GCMAES192, GCMAES128, SHA256, SHA1
PFS Group           PFS24, ECP384, ECP256, PFS2048, PFS2
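A validator for a custom policy before the controller submits it, as an added example written for this page (not Azure code). It enforces the table above and the GCM pairing rule, and it flags the parameters a security reviewer would question (SHA1, DH group 2, PFS group 2). One check goes beyond the text and is marked as such in the code: when both IPsec settings are GCM, the same GCMAES variant is required on both, because AES-GCM is a single AEAD algorithm rather than separate cipher and MAC choices. The dictionary keys and function name are this example's own.

```python
"""Custom IPsec/IKE policy validation against the article's parameter table (added example)."""

IKE_ENCRYPTION = ("AES256", "AES192", "AES128")
IKE_INTEGRITY = ("SHA384", "SHA256", "SHA1")
DH_GROUP = ("DHGroup24", "ECP384", "ECP256", "DHGroup14", "DHGroup2048", "DHGroup2")
IPSEC_ENCRYPTION = ("GCMAES256", "GCMAES192", "GCMAES128", "AES256", "AES192", "AES128")
IPSEC_INTEGRITY = ("GCMAES256", "GCMAES192", "GCMAES128", "SHA256", "SHA1")
PFS_GROUP = ("PFS24", "ECP384", "ECP256", "PFS2048", "PFS2")

ALLOWED = {
    "ike_encryption": IKE_ENCRYPTION, "ike_integrity": IKE_INTEGRITY, "dh_group": DH_GROUP,
    "ipsec_encryption": IPSEC_ENCRYPTION, "ipsec_integrity": IPSEC_INTEGRITY, "pfs_group": PFS_GROUP,
}
# Accepted by the table but weak by today's standards: worth a warning in the controller UI.
WEAK = {"SHA1": "SHA-1 integrity", "DHGroup2": "1024-bit MODP (DH group 2)",
        "PFS2": "1024-bit MODP (PFS group 2)"}


def validate_custom_policy(policy):
    """policy: dict with the six ALLOWED keys. Returns (errors, warnings); submit only if errors is empty."""
    errors, warnings = [], []
    for key, options in ALLOWED.items():
        value = policy.get(key)
        if value not in options:
            errors.append(f"{key}={value!r} is not one of: {', '.join(options)}")

    enc = policy.get("ipsec_encryption", "") or ""
    integ = policy.get("ipsec_integrity", "") or ""
    enc_gcm, integ_gcm = enc.startswith("GCM"), integ.startswith("GCM")
    if enc_gcm != integ_gcm:
        errors.append("IPsec encryption and integrity must both be GCM or both be non-GCM")
    elif enc_gcm and enc != integ:
        # Beyond the table's wording: AES-GCM is one AEAD algorithm, so the same
        # variant (key length) must be given for both IPsec settings.
        errors.append(f"GCM variants differ: ipsec_encryption={enc}, ipsec_integrity={integ}")

    for key in ("ike_integrity", "dh_group", "pfs_group"):
        value = policy.get(key)
        if value in WEAK:
            warnings.append(f"{key}={value}: {WEAK[value]} is weak; prefer a stronger option")
    return errors, warnings
```

Warnings rather than errors for SHA1 and group 2 keep legacy branches connectable while making the weakness visible to the administrator who chose the policy.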

Next steps

For more information about Virtual WAN, see About Azure Virtual WAN and the Azure Virtual WAN FAQ.

For any additional information, send an email to azurevirtualwan@microsoft.com. Include your company name in "[ ]" in the subject line.