VNet to VNet connectivity with RRAS

You can connect two Azure Stack Hub VNets to one another within the same Azure Stack Hub environment. It is not currently possible to connect Azure Stack Hub VNets using the built-in Virtual Network Gateway. You must use NVA appliances to create a VPN tunnel between two Azure Stack Hub VNets. In the template referenced in this article, two Windows Server 2016 VMs are deployed with RRAS installed. The two RRAS servers are configured to implement an S2S VPN IKEv2 tunnel between the two VNets. The appropriate NSG and UDR rules are created to allow routing between the subnets designated as internal on each VNet.
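The NSG and UDR side of this pattern, as an added example written here (it is not the template's own code and not part of the Azure Intelligent Edge Patterns repository): Azure PowerShell run against Azure Stack Hub that points VNet1's internal subnet at the local RRAS VM for traffic bound to VNet2, enables IP forwarding on that RRAS NIC, and restricts the tunnel subnet to IKEv2 from the peer. Every resource name, address range and IP below is a constructed placeholder, and the environment is assumed to have been registered with `Add-AzEnvironment` and signed in with `Connect-AzAccount -EnvironmentName` beforehand.

```powershell
# Added example, not the template's code. Assumes an Az session against Azure Stack Hub.
param(
    [string]$ResourceGroup  = 'rg-s2svpn',    # placeholder
    [string]$Location       = 'local',        # Azure Stack Hub region name, placeholder
    [string]$VNetName       = 'VNet1',
    [string]$InternalSubnet = 'Internal',     # constructed subnet name
    [string]$TunnelSubnet   = 'Tunnel',       # constructed subnet name
    [string]$RrasNicName    = 'VNet1-rras-internal-nic', # constructed NIC name
    [string]$RemoteInternal = '10.2.1.0/24',  # VNet2 internal range, constructed
    [string]$RrasInternalIp = '10.1.1.4',     # VNet1 RRAS NIC on the internal subnet, constructed
    [string]$RemoteTunnelIp = '10.2.0.4'      # VNet2 RRAS tunnel-side address, constructed
)

$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup

# --- UDR: traffic for VNet2's internal subnet goes to the local RRAS VM, not the default route ---
$route = New-AzRouteConfig -Name 'to-vnet2-internal' `
    -AddressPrefix $RemoteInternal `
    -NextHopType VirtualAppliance `
    -NextHopIpAddress $RrasInternalIp
$rt = New-AzRouteTable -Name 'rt-vnet1-internal' -ResourceGroupName $ResourceGroup `
    -Location $Location -Route $route

# A VirtualAppliance next hop only works if the platform lets the NIC forward packets
# it did not originate; without this the UDR silently blackholes traffic.
$nic = Get-AzNetworkInterface -Name $RrasNicName -ResourceGroupName $ResourceGroup
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# --- NSG on the tunnel subnet: IKEv2 (UDP 500 and NAT-T 4500) only from the peer, RDP denied ---
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-ikev2-from-peer' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Udp `
        -SourceAddressPrefix $RemoteTunnelIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 500,4500
    # Mirrors the template's RDP Deny rule. Switch Access to Allow (and narrow
    # SourceAddressPrefix to your own address) only while you need RDP over the public IP.
    New-AzNetworkSecurityRuleConfig -Name 'deny-rdp' -Priority 200 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-vnet1-tunnel' -ResourceGroupName $ResourceGroup `
    -Location $Location -SecurityRules $rules

# --- Attach: route table to the internal subnet, NSG to the tunnel subnet, then commit ---
$internal = Get-AzVirtualNetworkSubnetConfig -Name $InternalSubnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $InternalSubnet `
    -AddressPrefix $internal.AddressPrefix -RouteTable $rt | Out-Null
$tunnel = Get-AzVirtualNetworkSubnetConfig -Name $TunnelSubnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $TunnelSubnet `
    -AddressPrefix $tunnel.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

Run the mirror of this against VNet2 (swap the address ranges and the RRAS IPs) or the return path will not exist and connections will time out one way. The allow rule deliberately names the peer's tunnel address as the source rather than `*`: IKEv2 with a pre-shared key has no other way to limit who may start a negotiation with the RRAS VM.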

This deployment pattern is the foundation that will allow VPN tunnels to be created not only within an Azure Stack Hub instance but also between Azure Stack Hub instances and to other resources, such as on-premises networks, with the use of Windows RRAS S2S VPN tunnels.

You can find the templates in the Azure Intelligent Edge Patterns GitHub repository. The template is in the S2SVPNTunnel folder.

Diagram: implementation of a VPN tunnel between two VNets.

Requirements

  • A deployment with the latest updates applied.
  • Required Azure Stack Hub Marketplace items:
    • Windows Server 2016 Datacenter (latest build recommended)
    • Custom Script Extension

Things to consider

  • A Network Security Group is applied to the template's Tunnel subnet. It is recommended to secure the internal subnet in each VNet with an additional NSG.
  • An RDP Deny rule is applied to the Tunnel NSG and will need to be set to Allow if you intend to access the VMs via the public IP address.
  • This solution does not take DNS resolution into account.
  • The combination of VNet name and vmName must be fewer than 15 characters.
  • This template is designed to have the VNet names customized for VNet1 and VNet2.
  • This template uses BYOL Windows.
  • When deleting the resource group, currently on (1907) you have to manually detach the NSGs from the tunnel subnet to ensure the resource group deletion completes.
  • This template uses a DS3v2 VM. The RRAS service installs and runs Windows Internal SQL Server. This can cause memory issues if your VM size is too small. Validate performance before reducing the VM size.
  • This is not a highly available solution. If you require a more HA-style solution you can add a second VM; you would then have to manually change the route in the route table to the internal IP of the secondary interface. You would also need to configure multiple tunnels to cross-connect.

Options

  • You can use your own Blob storage account and SAS token via the _artifactsLocation and _artifactsLocationSasToken parameters.
  • There are two outputs on this template, INTERNALSUBNETREFVNET1 and INTERNALSUBNETREFVNET2, which are the resource IDs of the internal subnets, in case you want to use them in a pipeline-style deployment pattern.

The template provides default values for VNet naming and IP addressing. It requires a password for the administrator (rrasadmin) and also offers the ability to use your own storage blob with a SAS token. Be careful to keep these values within legal ranges, as deployment may otherwise fail. The PowerShell DSC package is executed on each RRAS VM and installs routing and all required dependent services and features. This DSC can be customized further if needed. The custom script extension runs the following script, and Add-Site2Site.ps1 configures the S2S VPN tunnel between the two RRAS servers with a shared key. You can view the detailed output from the custom script extension to see the results of the VPN tunnel configuration.
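What the RRAS side of that configuration amounts to, as an added example written here rather than the template's Add-Site2Site.ps1 or its DSC package: install the routing and VPN roles, enable the site-to-site VPN role, define an IKEv2 interface with a pre-shared key and a pinned IPsec policy, and then confirm the tunnel actually reaches the Connected state instead of assuming it did. The interface name, the subnet metric and the address parameters are constructed; the shared key is taken as a parameter at run time because the template passes it in rather than embedding it.

```powershell
# Added example, not the template's code. Run on one RRAS VM; run the mirror (addresses
# swapped, same key) on the other. Requires an elevated session on Windows Server 2016.
param(
    [Parameter(Mandatory)] [string]$PeerTunnelAddress,    # tunnel-side IP of the other RRAS VM
    [Parameter(Mandatory)] [string]$RemoteInternalSubnet, # e.g. '10.2.1.0/24', constructed
    [Parameter(Mandatory)] [string]$SharedKey,            # supplied at run time, never hard-coded
    [string]$InterfaceName = 'ToVNet2'                    # constructed interface name
)

# 1. Roles and management tools. The template does this step through its PowerShell DSC package.
Install-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN, RSAT-RemoteAccess-PowerShell | Out-Null
Import-Module RemoteAccess

# 2. Turn on the site-to-site VPN role once; re-running Install-RemoteAccess on a configured server fails.
if ((Get-RemoteAccess).VpnS2SStatus -ne 'Installed') {
    Install-RemoteAccess -VpnType VpnS2S
}

# 3. IKEv2 demand-dial interface. -IPv4Subnet adds the route to the remote internal range
#    (metric 100) when the interface is up. The custom policy pins AES-256/SHA-256 with
#    DH group 14 and PFS instead of relying on whatever the defaults negotiate.
Add-VpnS2SInterface -Name $InterfaceName `
    -Protocol IKEv2 `
    -Destination $PeerTunnelAddress `
    -AuthenticationMethod PSKOnly `
    -SharedSecret $SharedKey `
    -IPv4Subnet "${RemoteInternalSubnet}:100" `
    -Persistent `
    -CustomPolicy `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA256 `
    -PfsGroup PFS2048 `
    -SALifeTimeSeconds 3600

# 4. Bring the tunnel up. The first attempt fails if the peer is not configured yet, so the
#    error is reported but the state is polled afterwards; -Persistent keeps RRAS retrying.
try {
    Connect-VpnS2SInterface -Name $InterfaceName -ErrorAction Stop
} catch {
    Write-Warning "Initial connect failed: $($_.Exception.Message)"
}

$deadline = (Get-Date).AddMinutes(2)
do {
    Start-Sleep -Seconds 5
    $state = (Get-VpnS2SInterface -Name $InterfaceName).ConnectionState
} until ($state -eq 'Connected' -or (Get-Date) -gt $deadline)

if ($state -ne 'Connected') {
    throw "Tunnel '$InterfaceName' is '$state'. Check that the tunnel-subnet NSG allows UDP 500/4500 from $PeerTunnelAddress and that the shared key matches on both sides."
}

Get-VpnS2SInterface -Name $InterfaceName | Select-Object Name, Destination, ConnectionState, IPv4Subnet
```

The final `Select-Object` is the same information the custom script extension's detailed output gives you after the template runs; checking it on both VMs is the quickest way to tell a key mismatch (state stays at Connecting, then Disconnected) from a blocked NSG (no IKE traffic reaches the peer at all).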

Diagram titled S2SVPNTunnel: two VNets connected by a site-to-site VPN tunnel.

Next steps

Differences and considerations for Azure Stack Hub networking