Add a network virtualization gateway to the VMM fabric

Important

This version of Virtual Machine Manager (VMM) has reached the end of support; we recommend that you upgrade to VMM 2019.

Read this article to learn about setting up network virtualization gateways in the System Center - Virtual Machine Manager (VMM) networking fabric.

By default, if you're using isolated VM networks in your VMM fabric, VMs associated with a network can only connect to machines in the same subnet. If you want VMs to connect beyond their subnet, you'll need a gateway.

Network virtualization

You set up network virtualization so that multiple VM networks are overlaid on the VMM logical networks that model your physical network topology, which decouples the VM networks from the physical network infrastructure. Network virtualization uses NVGRE (Network Virtualization using Generic Routing Encapsulation) to virtualize IP addresses. Review the following to learn more about NVGRE.

To figure out whether you need a network virtualization gateway in your network, consider:

  • Do you need to connect from VMs in isolated VM networks to other on-premises apps?
  • Do you need to connect from isolated VMs to the internet?
  • Do you need to connect from isolated VM networks to shared services such as DNS?

You can set up your gateway in a number of ways depending on your requirements:

  • Connectivity to a public network can be achieved through NAT.
  • Connectivity to an on-premises network is over a VPN tunnel (with or without Border Gateway Protocol (BGP)).
  • Direct routing without NAT can be used for connectivity between different VM networks.

Prerequisites

  • Provider software: If you want to use a non-Windows gateway device, you'll need the vendor's provider and an account with permissions to configure the gateway. You install the provider on the VMM server. If certificates are required (for example, if the gateway is in an untrusted domain), you'll need to be able to view the thumbprints of those certificates so you can verify them during setup.
  • Windows Server gateway: If you want to configure a gateway running Windows Server, you can use a predefined template available from the Microsoft Download Center. The template supports System Center 2012 R2 or later versions.
  • Logical networks: You need logical networks (you'll need more than one if you want the gateway to connect from VM networks in one logical network to VM networks in another).
  • Remote VPN settings: If you want to connect the gateway to a remote VPN server, you'll need:
    • The remote server IP address and information about the on-premises subnets, or the BGP address if relevant.
    • A decision on how you'll authenticate with the remote VPN server. If it uses a preshared key, you can authenticate with a Run As account and specify the shared key as the password, so the key is stored by VMM rather than typed into the template. Or you can authenticate with a certificate. The certificate can be either one that the remote VPN server selects automatically or one that you have obtained and placed on your network.
    • A check of whether you need specific VPN connection settings (encryption, integrity checks, cipher transforms, authentication transforms, Perfect Forward Secrecy (PFS) group, Diffie-Hellman group, and VPN protocol) or whether you can use the default settings. Both ends of the tunnel must agree on these, so confirm them with the administrator of the remote VPN server before you deploy.

Add a Windows Server Gateway

The service template provides a highly available Windows Server Gateway deployment in active-standby mode.

  1. Download the template from the Microsoft Download Center.

Note

The downloaded templates are applicable to VMM 2012 R2, 2016, and 1801.

  2. The download is a compressed zip file; extract it. The files include a user guide, two service templates, and a custom resource folder (a folder with a .cr extension) that contains the files required by the service templates.
  3. Decide which template to use, and then follow the instructions in the Quick Start Guide. The guide includes prerequisites for the template deployment and instructions for setting up logical networks, creating a scale-out file server, preparing virtual hard disks for the gateway VM, and copying the custom resource folder to the library. After you've set up the infrastructure, it describes how to import and customize the template and how to deploy it. There's also troubleshooting information if issues arise.

Add a non-Windows gateway

Note

You'll need to obtain the vendor's provider software, install it on the VMM management server, and then add the gateway to the fabric. You can review the list of supported providers in Settings > Configuration Providers.

Use the following procedure to add a non-Windows gateway:

  1. Click Fabric > Network Service. Right-click and select Add Network Service to open the Add Network Service wizard. Alternatively, on Home, click Add Resources > Network Service. Network services include gateways, virtual switch extensions, network managers, and top-of-rack (TOR) switches.
  2. In Add Network Service Wizard > Name, specify a name and description for the gateway.
  3. In Manufacturer and Model, click the required settings.
  4. In Credentials, specify a Run As account with permissions in the domain to which the gateway is connected.
  5. In Connection String, type the string that the gateway should use. The string syntax is defined by the gateway vendor.
  6. In Certificates, if any are listed, verify that their thumbprints match those of the certificates installed on the gateway, then select them to confirm that they can be imported. Compare against a thumbprint you obtained from the gateway itself, not one read back from the wizard, so that a tampered connection can't present its own certificate. If none is listed, the gateway probably doesn't need certificate authentication. If certificates are needed, make sure they're installed correctly on the gateway.
  7. In Gather Information, click Scan Provider to run the basic validation test against the gateway.
  8. In Host Group, select one or more host groups to which the gateway will be available.
  9. In Summary, review the settings and click Finish.
  10. After the gateway is added, find its listing in Network Services and right-click > Properties > Connectivity.
  11. Select Enable front end connection, and select the gateway network adapter and network site that provide connectivity outside the enterprise datacenter or hosting provider. Select Enable back end connection, and select a gateway network adapter and network site in a logical network within the enterprise. The network must have network virtualization enabled, and the network site must have a static IP address pool.
  12. When you create a VM network, you can assign the gateway to it and select the required connectivity options.
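The same registration can be scripted with the VMM PowerShell module, which is useful when you add the gateway to several VMM servers or want the thumbprint check in step 6 to be enforced rather than eyeballed. The following is an added example, not code from the original page or from Microsoft: it covers wizard steps 1 to 9 only (the front-end and back-end connectivity in steps 10 and 11 is still set from the console as described above). The VMM server name, provider name, Run As account name, connection string, host group and the expected thumbprint are placeholders, and the `Thumbprint` property used on the certificate objects is an assumption.

```powershell
# Added example: register a non-Windows gateway as a VMM network service (wizard steps 1-9).
# Run in the VMM console's PowerShell session or with the virtualmachinemanager module loaded.
Import-Module virtualmachinemanager
Get-SCVMMServer -ComputerName "vmm01.contoso.local" | Out-Null      # placeholder VMM server

# Step 3: the vendor's configuration provider, which must already be installed on the VMM server.
$provider = Get-SCConfigurationProvider | Where-Object { $_.Name -like "*Gateway*" }   # placeholder filter
if (-not $provider) {
    throw "Gateway provider not installed on the VMM server (see Settings > Configuration Providers)."
}

# Step 4: the Run As account with rights on the gateway. The secret lives in VMM, not in this script,
# so grant the account only the gateway-configuration permissions the provider needs.
$runAs = Get-SCRunAsAccount -Name "GatewayAdmin"                    # placeholder account name
if (-not $runAs) { throw "Run As account 'GatewayAdmin' not found." }

# Step 5: vendor-defined connection string (placeholder syntax).
$connString = "https://gw01.contoso.local:443"

# Step 6: fetch the certificates the provider presents and refuse anything whose thumbprint is not
# the value you took from the gateway out of band. Blindly accepting whatever is offered would let a
# host on the path substitute its own certificate.
$expectedThumbprint = "0000000000000000000000000000000000000000"     # placeholder; use the real value
$certs = Get-SCCertificate -ConfigurationProvider $provider -ConnectionString $connString -RunAsAccount $runAs
foreach ($cert in $certs) {
    if ($cert.Thumbprint -ne $expectedThumbprint) {                  # assumption: Thumbprint property
        throw "Unexpected certificate thumbprint $($cert.Thumbprint) from $connString; aborting."
    }
}

# Step 8: host groups that will be allowed to use the gateway.
$hostGroup = Get-SCVMHostGroup -Name "All Hosts"                     # placeholder host group

# Steps 2, 7 and 9: create the network service. The provider is contacted during the add, so an
# unreachable or misconfigured gateway is expected to fail here rather than later.
$service = Add-SCNetworkService -Name "Vendor Gateway" -Description "NVGRE gateway for isolated VM networks" `
    -ConfigurationProvider $provider -RunAsAccount $runAs -ConnectionString $connString `
    -Certificate $certs -VMHostGroup $hostGroup

# Confirm what VMM recorded before moving on to Properties > Connectivity in the console.
Get-SCNetworkService -Name "Vendor Gateway" | Format-List Name, Manufacturer, Model, ConnectionString
```

Keep the expected thumbprint in a file that is version-controlled alongside the script, and change it only through the same review process as the gateway itself; the point of the check is that a new certificate on the path causes the script to fail loudly instead of being accepted.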