
How to configure BGP on an Azure VPN gateway by using CLI

This article helps you enable BGP on a cross-premises Site-to-Site (S2S) VPN connection and a VNet-to-VNet connection (that is, a connection between virtual networks) by using the Azure Resource Manager deployment model and Azure CLI.

About BGP

BGP is the standard routing protocol commonly used on the internet to exchange routing and reachability information between two or more networks. BGP enables the VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange routes. The routes inform both gateways about the availability and reachability of prefixes through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating the routes that a BGP gateway learns from one BGP peer to all other BGP peers.

For more information on the benefits of BGP, and to understand the technical requirements and considerations of using BGP, see Overview of BGP with Azure VPN gateways.

This article helps you with the following tasks:

Each of these three sections forms a basic building block for enabling BGP in your network connectivity. If you complete all three sections, you build the topology shown in the following diagram:

(Diagram: BGP topology)

You can combine these sections to build a more complex multihop transit network that meets your needs.

Enable BGP for your VPN gateway

This section is required before you perform any of the steps in the other two configuration sections. The following configuration steps set up the BGP parameters of the Azure VPN gateway as shown in the following diagram:

(Diagram: BGP gateway)

Before you begin

Install the latest version of the CLI commands (2.0 or later). For information about installing the CLI commands, see Install the Azure CLI and Get Started with Azure CLI.

Step 1: Create and configure TestVNet1

1. Connect to your subscription

Sign in to your Azure subscription with the az login command and follow the on-screen directions. For more information about signing in, see Get Started with Azure CLI.

az login

If you have more than one Azure subscription, list the subscriptions for the account.

az account list --all

Specify the subscription that you want to use.

az account set --subscription <replace_with_your_subscription_id>

2. Create a resource group

The following example creates a resource group named TestRG1 in the "eastus" location. If you already have a resource group in the region where you want to create your virtual network, you can use that one instead.

az group create --name TestBGPRG1 --location eastus

3. Create TestVNet1

The following example creates a virtual network named TestVNet1 and three subnets: GatewaySubnet, FrontEnd, and BackEnd. When you're substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.

The first command creates the front-end address space and the FrontEnd subnet. The second command creates an additional address space for the BackEnd subnet. The third and fourth commands create the BackEnd subnet and GatewaySubnet.

az network vnet create -n TestVNet1 -g TestBGPRG1 --address-prefix 10.11.0.0/16 -l eastus --subnet-name FrontEnd --subnet-prefix 10.11.0.0/24

az network vnet update -n TestVNet1 --address-prefixes 10.11.0.0/16 10.12.0.0/16 -g TestBGPRG1

az network vnet subnet create --vnet-name TestVNet1 -n BackEnd -g TestBGPRG1 --address-prefix 10.12.0.0/24

az network vnet subnet create --vnet-name TestVNet1 -n GatewaySubnet -g TestBGPRG1 --address-prefix 10.12.255.0/27

Step 2: Create the VPN gateway for TestVNet1 with BGP parameters

1. Create the public IP address

Request a public IP address. The public IP address will be allocated to the VPN gateway that you create for your virtual network.

az network public-ip create -n GWPubIP -g TestBGPRG1 --allocation-method Dynamic

2. Create the VPN gateway with the AS number

Create the virtual network gateway for TestVNet1. BGP requires a Route-Based VPN gateway. You also need the additional parameter --asn to set the autonomous system number (ASN) for TestVNet1. Creating a gateway can take a while (45 minutes or more) to complete.

If you run this command by using the --no-wait parameter, you don't see any feedback or output. The --no-wait parameter allows the gateway to be created in the background. It does not mean that the VPN gateway is created immediately.

az network vnet-gateway create -n VNet1GW -l eastus --public-ip-address GWPubIP -g TestBGPRG1 --vnet TestVNet1 --gateway-type Vpn --sku HighPerformance --vpn-type RouteBased --asn 65010 --no-wait

3. Obtain the Azure BGP peer IP address

After the gateway is created, you need to obtain the BGP peer IP address on the Azure VPN gateway. This address is needed to configure the VPN gateway as a BGP peer for your on-premises VPN devices.

Run the following command and check the bgpSettings section at the top of the output:

az network vnet-gateway list -g TestBGPRG1

"bgpSettings": {
      "asn": 65010,
      "bgpPeeringAddress": "10.12.255.30",
      "peerWeight": 0
    }

After the gateway is created, you can use this gateway to establish a cross-premises connection or a VNet-to-VNet connection with BGP.

Establish a cross-premises connection with BGP

To establish a cross-premises connection, you need to create a local network gateway to represent your on-premises VPN device. Then you connect the Azure VPN gateway with the local network gateway. Although these steps are similar to creating other connections, they include the additional properties required to specify the BGP configuration parameters.

(Diagram: BGP for cross-premises)

Step 1: Create and configure the local network gateway

This exercise continues to build the configuration shown in the diagram. Be sure to replace the values with the ones that you want to use for your configuration. When you're working with local network gateways, keep in mind the following things:

  • The local network gateway can be in the same location and resource group as the VPN gateway, or it can be in a different location and resource group. This example shows the gateways in different resource groups in different locations.
  • The minimum prefix that you need to declare for the local network gateway is the host address of your BGP peer IP address on your VPN device. In this case, it's a /32 prefix of 10.51.255.254/32.
  • As a reminder, you must use different BGP ASNs between your on-premises networks and the Azure virtual network. If they are the same, you need to change your VNet ASN if your on-premises VPN devices already use the ASN to peer with other BGP neighbors.

Before you proceed, make sure that you've completed the Enable BGP for your VPN gateway section of this exercise and that you're still connected to Subscription 1. Notice that in this example, you create a new resource group. Also, notice the two additional parameters for the local network gateway: --asn and --bgp-peering-address.

az group create -n TestBGPRG5 -l eastus2

az network local-gateway create --gateway-ip-address 23.99.221.164 -n Site5 -g TestBGPRG5 --local-address-prefixes 10.51.255.254/32 --asn 65050 --bgp-peering-address 10.51.255.254
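As an added example (not part of the Microsoft docs), the following POSIX sh script checks the BGP prerequisites above before the local network gateway is created: it extracts bgpPeeringAddress from the pretty-printed az network vnet-gateway output shown in the Enable BGP section, confirms that address sits inside the GatewaySubnet from Step 1, and verifies that the on-premises ASN differs from the VNet ASN and that the declared --local-address-prefixes value covers the on-premises BGP peer IP. The sample output and the helper names (ip2int, in_cidr, check_bgp_params) are constructed for this example.

```shell
#!/bin/sh
# Added example, not Azure documentation code: pre-flight checks for the
# BGP parameters used in this article. Plain POSIX sh, no jq required.

# Convert a dotted-quad IPv4 address to a 32-bit integer (subshell keeps IFS local).
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Return 0 if IP $1 lies inside CIDR $2, e.g. in_cidr 10.12.255.30 10.12.255.0/27
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Pull bgpPeeringAddress out of `az network vnet-gateway list/show` output.
# The CLI pretty-prints one key per line, so a sed capture is enough.
bgp_peer_address() {
  sed -n 's/.*"bgpPeeringAddress": *"\([0-9.]*\)".*/\1/p' | head -n 1
}

# Checks for the cross-premises connection:
#   $1 Azure VNet ASN   $2 on-premises ASN
#   $3 on-premises BGP peer IP   $4 prefix declared on the local network gateway
check_bgp_params() {
  if [ "$1" -eq "$2" ]; then
    echo "ERROR: VNet ASN and on-premises ASN must differ (both are $1)"; return 1
  fi
  if ! in_cidr "$3" "$4"; then
    echo "ERROR: peer $3 is not covered by local prefix $4 (declare at least $3/32)"; return 1
  fi
  echo "OK: ASN $1 <-> ASN $2, peer $3 covered by $4"
}

# Constructed sample: the bgpSettings block the article shows for VNet1GW.
SAMPLE_OUTPUT='"bgpSettings": {
      "asn": 65010,
      "bgpPeeringAddress": "10.12.255.30",
      "peerWeight": 0
    }'
azure_peer=$(printf '%s\n' "$SAMPLE_OUTPUT" | bgp_peer_address)

# The Azure peer address is taken from the GatewaySubnet created in Step 1.
in_cidr "$azure_peer" 10.12.255.0/27 && echo "Azure BGP peer $azure_peer is in GatewaySubnet"

# Values from the Site5 local-gateway command in this section.
check_bgp_params 65010 65050 10.51.255.254 10.51.255.254/32
```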

Step 2: Connect the VNet gateway and local network gateway

In this step, you create the connection from TestVNet1 to Site5. You must specify the --enable-bgp parameter to enable BGP for this connection.

In this example, the virtual network gateway and local network gateway are in different resource groups. When the gateways are in different resource groups, you must specify the entire resource ID of the two gateways to set up a connection between the virtual networks.

1. Get the resource ID of VNet1GW

Use the output from the following command to get the resource ID for VNet1GW:

az network vnet-gateway show -n VNet1GW -g TestBGPRG1

In the output, find the "id": line. You need the values within the quotation marks to create the connection in the next section.

Example output:

{
  "activeActive": false,
  "bgpSettings": {
    "asn": 65010,
    "bgpPeeringAddress": "10.12.255.30",
    "peerWeight": 0
  },
  "enableBgp": true,
  "etag": "W/\"<your etag number>\"",
  "gatewayDefaultSite": null,
  "gatewayType": "Vpn",
  "id": "/subscriptions/<subscription ID>/resourceGroups/TestBGPRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",

Copy the values after "id": to a text editor, such as Notepad, so that you can easily paste them when creating your connection.

"id": "/subscriptions/<subscription ID>/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"

2. Get the resource ID of Site5

Use the following command to get the resource ID of Site5 from the output:

az network local-gateway show -n Site5 -g TestBGPRG5

3. Create the TestVNet1-to-Site5 connection

In this step, you create the connection from TestVNet1 to Site5. As discussed earlier, it is possible to have both BGP and non-BGP connections for the same Azure VPN gateway. Unless BGP is enabled in the connection property, Azure will not enable BGP for this connection, even though BGP parameters are already configured on both gateways. Replace the subscription IDs with your own.

az network vpn-connection create -n VNet1ToSite5 -g TestBGPRG1 --vnet-gateway1 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW --enable-bgp -l eastus --shared-key "abc123" --local-gateway2 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG5/providers/Microsoft.Network/localNetworkGateways/Site5 --no-wait

For this exercise, the following example lists the parameters to enter in the BGP configuration section of your on-premises VPN device:

Site5 ASN            : 65050
Site5 BGP IP         : 10.52.255.254
Prefixes to announce : (for example) 10.51.0.0/16 and 10.52.0.0/16
Azure VNet ASN       : 65010
Azure VNet BGP IP    : 10.12.255.30
Static route         : Add a route for 10.12.255.30/32, with nexthop being the VPN tunnel interface on your device
eBGP Multihop        : Ensure the "multihop" option for eBGP is enabled on your device if needed

The connection should be established after a few minutes. The BGP peering session starts after the IPsec connection is established.

Establish a VNet-to-VNet connection with BGP

This section adds a VNet-to-VNet connection with BGP, as shown in the following diagram:

(Diagram: BGP for VNet-to-VNet)

The following instructions continue from the steps in the preceding sections. To create and configure TestVNet1 and the VPN gateway with BGP, you must complete the Enable BGP for your VPN gateway section.

Step 1: Create TestVNet2 and the VPN gateway

It's important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap with any of your VNet ranges.

In this example, the virtual networks belong to the same subscription. You can set up VNet-to-VNet connections between different subscriptions. To learn more, see Configure a VNet-to-VNet connection. Make sure that you add --enable-bgp when creating the connections to enable BGP.

1. Create a new resource group

az group create -n TestBGPRG2 -l westus

2. Create TestVNet2 in the new resource group

The first command creates the front-end address space and the FrontEnd subnet. The second command creates an additional address space for the BackEnd subnet. The third and fourth commands create the BackEnd subnet and GatewaySubnet.

az network vnet create -n TestVNet2 -g TestBGPRG2 --address-prefix 10.21.0.0/16 -l westus --subnet-name FrontEnd --subnet-prefix 10.21.0.0/24

az network vnet update -n TestVNet2 --address-prefixes 10.21.0.0/16 10.22.0.0/16 -g TestBGPRG2

az network vnet subnet create --vnet-name TestVNet2 -n BackEnd -g TestBGPRG2 --address-prefix 10.22.0.0/24

az network vnet subnet create --vnet-name TestVNet2 -n GatewaySubnet -g TestBGPRG2 --address-prefix 10.22.255.0/27

3. Create the public IP address

Request a public IP address. The public IP address will be allocated to the VPN gateway that you create for your virtual network.

az network public-ip create -n GWPubIP2 -g TestBGPRG2 --allocation-method Dynamic

4. Create the VPN gateway with the AS number

Create the virtual network gateway for TestVNet2. You must override the default ASN on your Azure VPN gateways. The ASNs for the connected virtual networks must be different to enable BGP and transit routing.

az network vnet-gateway create -n VNet2GW -l westus --public-ip-address GWPubIP2 -g TestBGPRG2 --vnet TestVNet2 --gateway-type Vpn --sku Standard --vpn-type RouteBased --asn 65020 --no-wait

Step 2: Connect the TestVNet1 and TestVNet2 gateways

In this step, you create the connection from TestVNet1 to Site5. To enable BGP for this connection, you must specify the --enable-bgp parameter.

In the following example, the virtual network gateway and local network gateway are in different resource groups. When the gateways are in different resource groups, you must specify the entire resource ID of the two gateways to set up a connection between the virtual networks.

1. Get the resource ID of VNet1GW

Get the resource ID of VNet1GW from the output of the following command:

az network vnet-gateway show -n VNet1GW -g TestBGPRG1

2. Get the resource ID of VNet2GW

Get the resource ID of VNet2GW from the output of the following command:

az network vnet-gateway show -n VNet2GW -g TestBGPRG2

3. Create the connections

Create the connection from TestVNet1 to TestVNet2, and the connection from TestVNet2 to TestVNet1. Replace the subscription IDs with your own.

az network vpn-connection create -n VNet1ToVNet2 -g TestBGPRG1 --vnet-gateway1 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW --enable-bgp -l eastus --shared-key "efg456" --vnet-gateway2 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG2/providers/Microsoft.Network/virtualNetworkGateways/VNet2GW
az network vpn-connection create -n VNet2ToVNet1 -g TestBGPRG2 --vnet-gateway1 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG2/providers/Microsoft.Network/virtualNetworkGateways/VNet2GW --enable-bgp -l westus --shared-key "efg456" --vnet-gateway2 /subscriptions/<subscription ID>/resourceGroups/TestBGPRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW

Important

Enable BGP for both connections.

After you complete these steps, the connection will be established in a few minutes. The BGP peering session will be up after the VNet-to-VNet connection is completed.

Next steps

After your connection is completed, you can add virtual machines to your virtual networks. For steps, see Create a virtual machine.