設定為 Virtual 子網路加密Configure Encryption for a Virtual Subnet

適用於:Windows ServerApplies To: Windows Server

本主題包含下列區段,描述,才能加密 Virtual 網路上的步驟。This topic contains the following sections which describe the steps required to enable encryption on a Virtual Network.

建立的加密憑證Creating the Encryption Certificate

使用加密的每個主機上安裝需要加密憑證。An encryption certificate is required to be installed on each host where encryption is to be used. 您可以使用相同憑證所有 tenants,或必要產生唯一憑證每一位房客。You can use the same certificate for all tenants, or generate a unique certificate per-tenant if required.

步驟 1:產生憑證Step 1: Generate the certificate

$subjectName = "EncryptedVirtualNetworks"
$cryptographicProviderName = "Microsoft Base Cryptographic Provider v1.0";
[int] $privateKeyLength = 1024;
$sslServerOidString = "1.3.6.1.5.5.7.3.1";
$sslClientOidString = "1.3.6.1.5.5.7.3.2";
[int] $validityPeriodInYear = 5;

$name = new-object -com "X509Enrollment.CX500DistinguishedName.1"
$name.Encode("CN=" + $SubjectName, 0)

#Generate Key
$key = new-object -com "X509Enrollment.CX509PrivateKey.1"
$key.ProviderName = $cryptographicProviderName
$key.KeySpec = 1 #X509KeySpec.XCN_AT_KEYEXCHANGE
$key.Length = $privateKeyLength
$key.MachineContext = 1
$key.ExportPolicy = 0x2 #X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG 
$key.Create()

#Configure Eku
$serverauthoid = new-object -com "X509Enrollment.CObjectId.1"
$serverauthoid.InitializeFromValue($sslServerOidString)
$clientauthoid = new-object -com "X509Enrollment.CObjectId.1"
$clientauthoid.InitializeFromValue($sslClientOidString)
$ekuoids = new-object -com "X509Enrollment.CObjectIds.1"
$ekuoids.add($serverauthoid)
$ekuoids.add($clientauthoid)
$ekuext = new-object -com "X509Enrollment.CX509ExtensionEnhancedKeyUsage.1"
$ekuext.InitializeEncode($ekuoids)

# Set the hash algorithm to sha512 instead of the default sha1
$hashAlgorithmObject = New-Object -ComObject X509Enrollment.CObjectId
$hashAlgorithmObject.InitializeFromAlgorithmName( $ObjectIdGroupId.XCN_CRYPT_HASH_ALG_OID_GROUP_ID, $ObjectIdPublicKeyFlags.XCN_CRYPT_OID_INFO_PUBKEY_ANY, $AlgorithmFlags.AlgorithmFlagsNone, "SHA512")


#Request Certificate
$cert = new-object -com "X509Enrollment.CX509CertificateRequestCertificate.1"

$cert.InitializeFromPrivateKey(2, $key, "")
$cert.Subject = $name
$cert.Issuer = $cert.Subject
$cert.NotBefore = (get-date).ToUniversalTime()
$cert.NotAfter = $cert.NotBefore.AddYears($validityPeriodInYear);
$cert.X509Extensions.Add($ekuext)
$cert.HashAlgorithm = $hashAlgorithmObject
$cert.Encode()

$enrollment = new-object -com "X509Enrollment.CX509Enrollment.1"
$enrollment.InitializeFromRequest($cert)
$certdata = $enrollment.CreateRequest(0)
$enrollment.InstallResponse(2, $certdata, 0, "")

執行上述之後,您將會看到新的憑證在我市集您已執行指令碼的電腦:After running the above you will see a new certificate in the My store of the machine where you ran the script:

PS D:\> dir cert:\\localmachine\my


PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
84857CBBE7A1C851A80AE22391EB2C39BF820CE7  CN=MyNetwork
5EFF2CE51EACA82408572A56AE1A9BCC7E0843C6  CN=EncryptedVirtualNetworks

步驟 2:將您將需要憑證私密金鑰的其中一個,而不需要兩份檔案匯出憑證。Step 2: Export the certificate to a file You will need two copies of the certificate, one with the private key and one without.

$subjectName = "EncryptedVirtualNetworks"
$cert = Get-ChildItem cert:\localmachine\my | ? {$_.Subject -eq "CN=$subjectName"}
[System.io.file]::WriteAllBytes("c:\$subjectName.pfx", $cert.Export("PFX", "secret"))
Export-Certificate -Type CERT -FilePath "c:\$subjectName.cer" -cert $cert

執行上述之後,您現在將會有兩個憑證檔案。After running the above you will now have two certificate files. 這需要在每個您超 hyper-v 主機上安裝。These need to be installed on each of your hyper-v hosts.

PS C:\> dir c:\$subjectname.*


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        9/22/2017   4:54 PM            543 EncryptedVirtualNetworks.cer
-a----        9/22/2017   4:54 PM           1706 EncryptedVirtualNetworks.pfx

步驟 3: HYPER-V 主機上安裝Step 3: Installing on a Hyper-V host

$server = "Server01"

$subjectname = "EncryptedVirtualNetworks"
copy c:\$SubjectName.* \\$server\c$
invoke-command -computername $server -ArgumentList $subjectname,"secret" {
    param (
        [string] $SubjectName,
        [string] $Secret
    )
    $certFullPath = "c:\$SubjectName.cer"

    # create a representation of the certificate file
    $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
    $certificate.import($certFullPath){$_}

    # import into the store
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.open("MaxAllowed")
    $store.add($certificate)
    $store.close()

    $certFullPath = "c:\$SubjectName.pfx"
    $certificate = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
    $certificate.import($certFullPath, $Secret, "MachineKeySet,PersistKeySet")

    # import into the store
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.open("MaxAllowed")
    $store.add($certificate)
    $store.close()

    # Important: Remove the certficate files when finished
    remove-item C:\$SubjectName.cer
    remove-item C:\$SubjectName.pfx
}    

重複的環境中的每個伺服器。Repeat for each server in your environment. 您現在應該會有根和我的每個 HYPER-V 主機市集安裝的憑證You should now have a certificate installed in the root and my store of each Hyper-V host

您可以藉由到驗證憑證的安裝我根憑證存放區與:You can verify the installation of the certificate by checking the contents of the My and Root certificate stores:

PS C:\> enter-pssession Server1

[Server1]: PS C:\> get-childitem cert://localmachine/my,cert://localmachine/root | ? {$_.Subject -eq "CN=EncryptedVirtualNetworks"}

PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\my

Thumbprint                                Subject
----------                                -------
5EFF2CE51EACA82408572A56AE1A9BCC7E0843C6  CN=EncryptedVirtualNetworks


PSParentPath: Microsoft.PowerShell.Security\Certificate::localmachine\root

Thumbprint                                Subject
----------                                -------
5EFF2CE51EACA82408572A56AE1A9BCC7E0843C6  CN=EncryptedVirtualNetworks

記下的指紋當您將需要的網路控制器上建立的憑證 credential 物件。Make note of the Thumbprint as you will need it for creating the certificate credential object in the network controller.

建立的憑證認證Creating the Certificate Credential

憑證已成功安裝在每個 HYPER-V 主機的網路控制器連接之後,您可以設定網路控制器來使用它。After the certficate is successfully installed on each of the Hyper-V hosts connected to the network controller, you can configure the network controller to use it.

您將需要建立包含憑證指紋的認證物件。You will need to create a credential object that contains the certificate thumbprint. 您將需要這樣的電腦上有安裝 Network Controller powershell 模組。You will need to do this from a machine where you have the Network Controller powershell modules installed.

# Replace with thumbprint from your certificate
$thumbprint = "5EFF2CE51EACA82408572A56AE1A9BCC7E0843C6"  

# Replace with your Network Controller URI
$uri = "https://nc.contoso.com"

Import-module networkcontroller

$credproperties = new-object Microsoft.Windows.NetworkController.CredentialProperties
$credproperties.Type = "X509Certificate"
$credproperties.Value = $thumbprint
New-networkcontrollercredential -connectionuri $uri -resourceid "EncryptedNetworkCertificate" -properties $credproperties -force

您可以重新使用此認證的每個加密 virtual netwokr 或部署及使用每個承租人獨特的憑證。You can reuse this credential for each encrypted virtual netwokr, or you can deploy and use a unique certificate for each tenant.

設定 Virtual 網路加密Configuring a Virtual Network for Encryption

這個步驟假設您已建立 virtual 網路的名稱「我的網路」,而且它包含至少一個 virtual 子網路。This step assumes you have already created a virtual network name "My Network" and it contains at least one virtual subnet. 建立 virtual 網路的資訊,請查看建立、Delete 或更新承租人 Virtual 網路For information on creating virtual networks, see Create, Delete, or Update Tenant Virtual Networks.

步驟 1:從網路控制器擷取 Virtual 網路和認證物件Step 1: Retrieve the Virtual Network and Credential objects from the network controller

$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "MyNetwork"
$certcred = Get-NetworkControllerCredential -ConnectionUri $uri -ResourceId "EncryptedNetworkCertificate"

步驟 2:新增憑證 credential 指向以及加密個人子網路上。Step 2: Add a reference to the certificate credential and enable encryption on individual subnets.

$vnet.properties.EncryptionCredential = $certcred

# Replace the Subnets index with the value corresponding to the subnet you want encrypted.  
# Repeat for each subnet where encryption is needed
$vnet.properties.Subnets[0].properties.EncryptionEnabled = $true

步驟 3:進入網路控制器更新 Virtual 網路物件Step 3: Put the updated Virtual Network object into the network controller

New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId $vnet.ResourceId -Properties $vnet.Properties -force

完成後,任何額外的步驟不會需要。Once this is complete, no additional steps are required. 目前連接任何 VM 和任何 VM 稍後連接到上述子網路會有其流量與相同子網路上的另一個 VM 聯繫時,會自動加密。Any VM that is currently connected and any VM that is later connected to the above subnet will have its traffic encrypted automatically when communicating with another VM on the same subnet.