
Connect Azure VPN gateways to multiple on-premises policy-based VPN devices using PowerShell

This article helps you configure an Azure route-based VPN gateway to connect to multiple on-premises policy-based VPN devices, using custom IPsec/IKE policies on S2S VPN connections.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

About policy-based and route-based VPN gateways

Policy-based and route-based VPN devices differ in how the IPsec traffic selectors are set on a connection:

  • Policy-based VPN devices use the combinations of prefixes from both networks to define how traffic is encrypted/decrypted through IPsec tunnels. They are typically built on firewall devices that perform packet filtering; IPsec tunnel encryption and decryption are added to the packet filtering and processing engine.
  • Route-based VPN devices use any-to-any (wildcard) traffic selectors and let the routing/forwarding tables direct traffic to different IPsec tunnels. They are typically built on router platforms where each IPsec tunnel is modeled as a network interface or VTI (virtual tunnel interface).

The following diagrams highlight the two models:

Policy-based VPN example

[Diagram: policy-based VPN]

Route-based VPN example

[Diagram: route-based VPN]

Azure support for policy-based VPN

Currently, Azure supports both modes of VPN gateways: route-based VPN gateways and policy-based VPN gateways. They are built on different internal platforms, which results in different specifications:

                        PolicyBased VPN Gateway   RouteBased VPN Gateway   RouteBased VPN Gateway
Azure Gateway SKU       Basic                     Basic                    Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3
IKE version             IKEv1                     IKEv2                    IKEv1 and IKEv2
Max. S2S connections    1                         10                       Standard: 10; other SKUs: 30

With a custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based traffic selectors with the "PolicyBasedTrafficSelectors" option, to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single-connection limit of the current Azure policy-based VPN gateways.

Important

  1. To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 to connect to the Azure route-based VPN gateways. Check your VPN device specifications.
  2. The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same Azure VPN gateway.
  3. The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and SA lifetimes).

The following diagram shows why transit routing via the Azure VPN gateway doesn't work with the policy-based option:

[Diagram: policy-based transit]

As shown in the diagram, the Azure VPN gateway has traffic selectors from the virtual network to each of the on-premises network prefixes, but not the cross-connection prefixes. For example, on-premises site 2, site 3, and site 4 can each communicate with VNet1, but cannot connect to each other via the Azure VPN gateway. The diagram shows the cross-connection traffic selectors that are not available in the Azure VPN gateway under this configuration.

Configure policy-based traffic selectors on a connection

The instructions in this article follow the same example as described in Configure IPsec/IKE policy for S2S or VNet-to-VNet connections to establish an S2S VPN connection. This is shown in the following diagram:

[Diagram: s2s-policy]

The workflow to enable this connectivity:

  1. Create the virtual network, VPN gateway, and local network gateway for your cross-premises connection
  2. Create an IPsec/IKE policy
  3. Apply the policy when you create an S2S or VNet-to-VNet connection, and enable the policy-based traffic selectors on the connection
  4. If the connection is already created, you can apply or update the policy on the existing connection

Before you begin

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell, an interactive shell environment hosted in Azure and used through the browser. Azure Cloud Shell comes with the Azure PowerShell cmdlets pre-installed.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run the code.

You can launch Azure Cloud Shell with:

  • Select Try It in the upper-right corner of a code block. This does not automatically copy the text to Cloud Shell.
  • Open shell.azure.com in your browser.
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

Running PowerShell locally

You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you are not running the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

If you are running PowerShell locally, be sure to run 'Connect-AzAccount' to create your connection to Azure.

Enable policy-based traffic selectors on a connection

Make sure you have completed Part 3 of the Configure IPsec/IKE policy article before this section. The following example uses the same parameters and steps:

Step 1 - Create the virtual network, VPN gateway, and local network gateway

1. Connect to your subscription and declare your variables

Open your PowerShell console with elevated privileges.

If you are running Azure PowerShell locally, connect to your Azure account. The Connect-AzAccount cmdlet prompts you for credentials. After authenticating, it downloads your account settings so that they are available to Azure PowerShell. If you are not running PowerShell locally and are instead using the Azure Cloud Shell 'Try it' in the browser, skip this first step. You will connect to your Azure account automatically.

Connect-AzAccount

If you have more than one subscription, get a list of your Azure subscriptions.

Get-AzSubscription

Specify the subscription that you want to use.

Select-AzSubscription -SubscriptionName "Name of subscription"

Declare your variables. For this exercise, we use the following variables:

$Sub1          = "<YourSubscriptionName>"
$RG1           = "TestPolicyRG1"
$Location1     = "East US 2"
$VNetName1     = "TestVNet1"
$FESubName1    = "FrontEnd"
$BESubName1    = "Backend"
$GWSubName1    = "GatewaySubnet"
$VNetPrefix11  = "10.11.0.0/16"
$VNetPrefix12  = "10.12.0.0/16"
$FESubPrefix1  = "10.11.0.0/24"
$BESubPrefix1  = "10.12.0.0/24"
$GWSubPrefix1  = "10.12.255.0/27"
$DNS1          = "8.8.8.8"
$GWName1       = "VNet1GW"
$GW1IPName1    = "VNet1GWIP1"
$GW1IPconf1    = "gw1ipconf1"
$Connection16  = "VNet1toSite6"

$LNGName6      = "Site6"
$LNGPrefix61   = "10.61.0.0/16"
$LNGPrefix62   = "10.62.0.0/16"
$LNGIP6        = "131.107.72.22"

2. Create the virtual network, VPN gateway, and local network gateway

Create a resource group.

New-AzResourceGroup -Name $RG1 -Location $Location1

Use the following example to create the virtual network TestVNet1 with three subnets, and the VPN gateway. If you want to substitute values, it's important that you always name your gateway subnet specifically 'GatewaySubnet'. If you name it something else, your gateway creation fails.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

$gw1pip1    = New-AzPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$vnet1      = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1    = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 -Subnet $subnet1 -PublicIpAddress $gw1pip1

New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku HighPerformance

New-AzLocalNetworkGateway -Name $LNGName6 -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIP6 -AddressPrefix $LNGPrefix61,$LNGPrefix62

Step 2 - Create an S2S VPN connection with an IPsec/IKE policy

1. Create an IPsec/IKE policy

Important

You need to create an IPsec/IKE policy in order to enable the "UsePolicyBasedTrafficSelectors" option on the connection.

The following example creates an IPsec/IKE policy with these algorithms and parameters:

  • IKEv2: AES256, SHA384, DHGroup24
  • IPsec: AES256, SHA256, PFS None, SA lifetime 14400 seconds and 102400000 KB

PFS None means the IPsec SA is rekeyed without a fresh Diffie-Hellman exchange; specify a PFS group here if the on-premises device supports one. Whatever you choose, the proposal configured on the on-premises device must match this policy.

$ipsecpolicy6 = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

2. Create the S2S VPN connection with policy-based traffic selectors and the IPsec/IKE policy

Create an S2S VPN connection and apply the IPsec/IKE policy created in the previous step. Note the additional parameter "-UsePolicyBasedTrafficSelectors $True", which enables policy-based traffic selectors on the connection. Replace the sample shared key below with a strong, randomly generated pre-shared key that matches the one configured on the on-premises device.

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1  -ResourceGroupName $RG1
$lng6 = Get-AzLocalNetworkGateway  -Name $LNGName6 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey 'AzureA1b2C3'

After completing these steps, the S2S VPN connection uses the IPsec/IKE policy you defined, with policy-based traffic selectors enabled on the connection. You can repeat the same steps to add more connections to additional on-premises policy-based VPN devices from the same Azure VPN gateway.
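The article's steps create one connection by hand. The following script, added here as an example and not part of the original article, repeats them for several on-premises policy-based devices from the same route-based gateway. It assumes Step 1 above has already been run, that the site list below (constructed sample data) describes your devices, and that an Azure Key Vault named in $KeyVaultName holds one pre-shared-key secret per site (names like psk-Site6); the -AsPlainText switch on Get-AzKeyVaultSecret requires Az.KeyVault 3.0 or later. It also enables PFS in the policy, which the devices must support.

```powershell
# Added example: connect one route-based Azure VPN gateway to several
# on-premises policy-based devices. Assumed (not from the article): the sites
# below, and a Key Vault holding a PSK secret named psk-<SiteName> per site.
$RG1          = "TestPolicyRG1"
$Location1    = "East US 2"
$GWName1      = "VNet1GW"
$KeyVaultName = "<YourKeyVaultName>"   # assumption: vault with secrets psk-Site6, psk-Site7, psk-Site8

# One entry per on-premises policy-based device (constructed sample data).
$sites = @(
    @{ Name = "Site6"; PublicIp = "131.107.72.22"; Prefixes = @("10.61.0.0/16", "10.62.0.0/16") }
    @{ Name = "Site7"; PublicIp = "131.107.72.23"; Prefixes = @("10.71.0.0/16") }
    @{ Name = "Site8"; PublicIp = "131.107.72.24"; Prefixes = @("10.81.0.0/16", "10.82.0.0/24") }
)

# The policy must be complete: every algorithm, key strength and SA lifetime is
# required once UsePolicyBasedTrafficSelectors is set. Same as the article's
# Step 2 except PFS is enabled; the devices must offer the identical proposal.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1

foreach ($site in $sites) {
    $lngName  = $site.Name
    $connName = "VNet1to$($site.Name)"

    # Reuse an existing local network gateway for the site, otherwise create one.
    $lng = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $RG1 -ErrorAction SilentlyContinue
    if (-not $lng) {
        $lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $RG1 -Location $Location1 `
            -GatewayIpAddress $site.PublicIp -AddressPrefix $site.Prefixes
    }

    if (Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $RG1 -ErrorAction SilentlyContinue) {
        Write-Warning "$connName already exists; skipping"
        continue
    }

    # Per-site PSK from Key Vault, so no key is hard-coded or shared between sites.
    $psk = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name "psk-$($site.Name)" -AsPlainText

    # IKEv2 is mandatory on the device side for this scenario (see the Important
    # note above); state it explicitly rather than relying on the default.
    New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $RG1 -Location $Location1 `
        -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng `
        -ConnectionType IPsec -ConnectionProtocol IKEv2 `
        -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $policy `
        -SharedKey $psk | Out-Null

    Write-Host ("{0}: {1} -> {2}" -f $connName, $site.PublicIp, ($site.Prefixes -join ", "))
}
```

Each connection gets its own local network gateway and its own pre-shared key; the IPsec/IKE policy object is shared because a policy is copied onto each connection at creation time, so changing $policy later does not affect connections already created.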

Update policy-based traffic selectors for a connection

The last section shows you how to update the policy-based traffic selectors option for an existing S2S VPN connection.

1. Get the connection

Get the connection resource.

$RG1          = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

2. Check the policy-based traffic selectors option

The following line shows whether policy-based traffic selectors are used for the connection:

$connection6.UsePolicyBasedTrafficSelectors

If the line returns "True", policy-based traffic selectors are configured on the connection; otherwise it returns "False".
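Checking a single property on a single connection is rarely enough once a gateway serves several sites. The function below is an added example, not from the original article: it reports every IPsec connection on a gateway, lists the traffic selectors the gateway will present (each VNet prefix paired with each of that site's prefixes, and never a pair between two on-premises sites, which is the transit limitation described earlier), and flags connections that break the article's rules: policy-based selectors without a complete IPsec/IKE policy, or without IKEv2. The ConnectionProtocol property is assumed to be populated, as it is in recent Az.Network versions.

```powershell
function Get-PolicyBasedConnectionReport {
    # Added example: audit all IPsec connections of one VPN gateway.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName
    )

    $gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

    # Resolve the VNet from the gateway subnet ID: .../virtualNetworks/<name>/subnets/GatewaySubnet
    $subnetParts  = $gw.IpConfigurations[0].Subnet.Id -split '/'
    $vnetName     = $subnetParts[[array]::IndexOf($subnetParts, 'virtualNetworks') + 1]
    $vnet         = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $ResourceGroupName
    $vnetPrefixes = $vnet.AddressSpace.AddressPrefixes

    Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id -and $_.ConnectionType -eq 'IPsec' } |
        ForEach-Object {
            $conn    = $_
            $lngName = ($conn.LocalNetworkGateway2.Id -split '/')[-1]
            $lng     = Get-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $ResourceGroupName
            $onPremPrefixes = $lng.LocalNetworkAddressSpace.AddressPrefixes

            # Traffic selectors this connection negotiates: VNet prefix x on-prem prefix,
            # for this site only. No selector pairs two on-prem sites, so there is no transit.
            $selectors = foreach ($v in $vnetPrefixes) { foreach ($o in $onPremPrefixes) { "$v <-> $o" } }

            $hasPolicy = ($conn.IpsecPolicies | Measure-Object).Count -gt 0
            $findings  = @()
            if ($conn.UsePolicyBasedTrafficSelectors -and -not $hasPolicy) {
                $findings += 'UsePolicyBasedTrafficSelectors is set but no custom IPsec/IKE policy is attached'
            }
            if ($conn.UsePolicyBasedTrafficSelectors -and $conn.ConnectionProtocol -ne 'IKEv2') {
                $findings += "ConnectionProtocol is '$($conn.ConnectionProtocol)'; policy-based selectors require IKEv2"
            }
            if ($hasPolicy -and $conn.IpsecPolicies[0].PfsGroup -eq 'None') {
                $findings += 'PFS is None: IPsec SA rekeys reuse IKE keying material without a fresh DH exchange'
            }

            [pscustomobject]@{
                Connection           = $conn.Name
                Status               = $conn.ConnectionStatus
                Protocol             = $conn.ConnectionProtocol
                PolicyBasedSelectors = $conn.UsePolicyBasedTrafficSelectors
                IkePolicy            = if ($hasPolicy) { $p = $conn.IpsecPolicies[0]; "$($p.IkeEncryption)/$($p.IkeIntegrity)/$($p.DhGroup)" } else { '(gateway default)' }
                IpsecPolicy          = if ($hasPolicy) { $p = $conn.IpsecPolicies[0]; "$($p.IpsecEncryption)/$($p.IpsecIntegrity)/PFS $($p.PfsGroup)" } else { '(gateway default)' }
                OnPremDevice         = $lng.GatewayIpAddress
                TrafficSelectors     = $selectors -join '; '
                Findings             = $findings -join '; '
            }
        }
}

# Usage with the names from this article:
Get-PolicyBasedConnectionReport -ResourceGroupName 'TestPolicyRG1' -GatewayName 'VNet1GW' | Format-List
```

The TrafficSelectors column is what the on-premises policy-based device must be configured with, prefix pair by prefix pair; a mismatch there is the usual reason a connection with matching crypto still shows a status other than Connected.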

3. Enable/disable the policy-based traffic selectors on a connection

Once you have the connection resource, you can enable or disable the option.

To enable UsePolicyBasedTrafficSelectors

The following example enables the policy-based traffic selectors option, but leaves the IPsec/IKE policy unchanged:

$RG1          = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $True

To disable UsePolicyBasedTrafficSelectors

The following example disables the policy-based traffic selectors option, but leaves the IPsec/IKE policy unchanged:

$RG1          = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6  = Get-AzVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -UsePolicyBasedTrafficSelectors $False
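The two calls above only flip the flag. When the on-premises device changes its proposal, you usually need to replace the IPsec/IKE policy and keep the selectors option in the same update, and then confirm the tunnel re-established, since any change to the connection renegotiates the IPsec SAs. The function below, an added example that is not part of the original article, does both: it applies a new policy and the desired flag in one Set-AzVirtualNetworkGatewayConnection call, polls ConnectionStatus until the connection is back or a timeout expires, and fails loudly if the flag did not take. The policy it rotates to (AES-GCM with PFS) is only an illustration; use whatever your device supports.

```powershell
function Set-PolicyBasedSelectorsWithPolicy {
    # Added example: update policy and selectors option together, then verify.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ConnectionName,
        [Parameter(Mandatory)] $IpsecPolicy,          # object returned by New-AzIpsecPolicy
        [bool] $Enable = $true,
        [int]  $TimeoutSeconds = 600
    )

    $conn = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName

    # Flag and complete policy in one call: enabling the flag without a policy is not allowed.
    Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $conn `
        -UsePolicyBasedTrafficSelectors $Enable -IpsecPolicies $IpsecPolicy | Out-Null

    # The update renegotiates the tunnel; wait for it to come back (or give up).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName
        Write-Verbose "$ConnectionName status: $($conn.ConnectionStatus)"
    } until ($conn.ConnectionStatus -eq 'Connected' -or (Get-Date) -gt $deadline)

    if ($conn.UsePolicyBasedTrafficSelectors -ne $Enable) {
        throw "UsePolicyBasedTrafficSelectors on $ConnectionName is $($conn.UsePolicyBasedTrafficSelectors), expected $Enable"
    }
    if ($conn.ConnectionStatus -ne 'Connected') {
        Write-Warning "$ConnectionName is '$($conn.ConnectionStatus)' after $TimeoutSeconds s; check that the on-premises device uses the same proposal, the same traffic selectors and IKEv2"
    }
    return $conn
}

# Usage: move VNet1toSite6 to an AES-GCM policy with PFS while keeping policy-based selectors on.
$newPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
    -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

Set-PolicyBasedSelectorsWithPolicy -ResourceGroupName 'TestPolicyRG1' -ConnectionName 'VNet1toSite6' `
    -IpsecPolicy $newPolicy -Verbose |
    Select-Object Name, ConnectionStatus, UsePolicyBasedTrafficSelectors
```

Change the device-side proposal first or in a coordinated window: until both ends agree, the status stays at Connecting, and the poll loop above is what tells you whether the update actually restored the tunnel.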

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.

Also review Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections for more details on custom IPsec/IKE policies.