Connect Azure Stack Hub to Azure using Azure ExpressRoute

This article describes how to connect an Azure Stack Hub virtual network to an Azure virtual network using an Azure ExpressRoute direct connection.

You can use this article as a tutorial and use the examples to set up the same test environment. Or, you can read the article as a walkthrough that guides you through setting up your own ExpressRoute environment.

Overview, assumptions, and prerequisites

Azure ExpressRoute lets you extend your on-premises networks into the Azure cloud over a private connection supplied by a connectivity provider. ExpressRoute is not a VPN connection over the public Internet.

For more information about Azure ExpressRoute, see the ExpressRoute overview.

Assumptions

This article assumes that:

  • You have a working knowledge of Azure.
  • You have a basic understanding of Azure Stack Hub.
  • You have a basic understanding of networking.

Prerequisites

To connect Azure Stack Hub and Azure using ExpressRoute, you must meet the following requirements:

  • A provisioned ExpressRoute circuit through a connectivity provider.
  • An Azure subscription to create an ExpressRoute circuit and VNets in Azure.
  • A router that must:
    • Support site-to-site VPN connections between its LAN interface and the Azure Stack Hub multi-tenant gateway.
    • Support creating multiple VRFs (Virtual Routing and Forwarding) if there is more than one tenant in your Azure Stack Hub deployment.
  • A router that has:
    • A WAN port connected to the ExpressRoute circuit.
    • A LAN port connected to the Azure Stack Hub multi-tenant gateway.

ExpressRoute network architecture

The following figure shows the Azure Stack Hub and Azure environments after you finish setting up ExpressRoute using the examples in this article:

[Figure: ExpressRoute network]

The following figure shows how multiple tenants connect from the Azure Stack Hub infrastructure through the ExpressRoute router to Azure:

[Figure: Multi-tenant connectivity using ExpressRoute]

The example in this article uses the same multi-tenant architecture shown in this diagram to connect Azure Stack Hub to Azure using ExpressRoute private peering. The connection is made using a site-to-site VPN connection from the virtual network gateway in Azure Stack Hub to an ExpressRoute router.

The steps in this article show you how to create an end-to-end connection between two VNets from two different tenants in Azure Stack Hub to corresponding VNets in Azure. Setting up two tenants is optional; you can also use these steps for a single tenant.

Configure Azure Stack Hub

To set up the Azure Stack Hub environment for the first tenant, use the following steps as a guide. If you're setting up more than one tenant, repeat these steps:

Note

These steps show how to create resources using the Azure Stack Hub portal, but you can also use PowerShell.

[Figure: Azure Stack Hub network setup]

Before you begin

Before you start configuring Azure Stack Hub, you need:

Create network resources in Azure Stack Hub

Use the following procedures to create the required network resources in Azure Stack Hub for a tenant.

Create the virtual network and VM subnet

  1. Sign in to the Azure Stack Hub user portal.

  2. In the portal, select + Create a resource.

  3. Under Azure Marketplace, select Networking.

  4. Under Featured, select Virtual network.

  5. Under Create virtual network, enter the values shown in the following table into the appropriate fields:

    Field                  Value
    Name                   Tenant1VNet1
    Address space          10.1.0.0/16
    Subnet name            Tenant1-Sub1
    Subnet address range   10.1.1.0/24

  6. You should see the subscription you created earlier populated in the Subscription field. For the remaining fields:

    • Under Resource group, select Create new to create a new resource group or, if you already have one, select Use existing.
    • Verify the default Location.
    • Click Create.
    • (Optional) Click Pin to dashboard.

Create the gateway subnet

  1. Under Virtual network, select Tenant1VNet1.
  2. Under SETTINGS, select Subnets.
  3. Select + Gateway subnet to add a gateway subnet to the virtual network.
  4. The name of the subnet is set to GatewaySubnet by default. Gateway subnets are a special case and must use this name to function correctly.
  5. Verify that the Address range is 10.1.0.0/24.
  6. Click OK to create the gateway subnet.

Create the virtual network gateway

  1. In the Azure Stack Hub user portal, click + Create a resource.
  2. Under Azure Marketplace, select Networking.
  3. Select Virtual network gateway from the list of network resources.
  4. In the Name field, enter GW1.
  5. Select Virtual network.
  6. Select Tenant1VNet1 from the drop-down list.
  7. Select Public IP address, then Choose public IP address, and then click Create new.
  8. In the Name field, type GW1-PiP, and then click OK.
  9. The VPN type should have Route-based selected by default. Keep this setting.
  10. Verify that Subscription and Location are correct. Click Create.

Create the local network gateway

The local network gateway resource identifies the remote gateway at the other end of the VPN connection. For this example, the remote end of the connection is the LAN sub-interface of the ExpressRoute router. For Tenant 1 in the previous diagram, the remote address is 10.60.3.255.

  1. Sign in to the Azure Stack Hub user portal and select + Create a resource.

  2. Under Azure Marketplace, select Networking.

  3. Select Local network gateway from the list of resources.

  4. In the Name field, type ER-Router-GW.

  5. For the IP address field, see the previous figure. The IP address of the ExpressRoute router LAN sub-interface for Tenant 1 is 10.60.3.255. For your own environment, enter the IP address of your router's corresponding interface.

  6. In the Address Space field, enter the address space of the VNets that you want to connect to in Azure. The subnets for Tenant 1 are as follows:

    • 192.168.2.0/24 is the hub VNet in Azure.
    • 10.100.0.0/16 is the spoke VNet in Azure.

    Important

    This example assumes that you are using static routes for the site-to-site VPN connection between the Azure Stack Hub gateway and the ExpressRoute router.

  7. Verify that your Subscription, Resource group, and Location are correct. Then select Create.

Create the connection

  1. In the Azure Stack Hub user portal, select + Create a resource.
  2. Under Azure Marketplace, select Networking.
  3. Select Connection from the list of resources.
  4. Under Basics, choose Site-to-site (IPSec) as the Connection type.
  5. Select the Subscription, Resource group, and Location. Click OK.
  6. Under Settings, select Virtual network gateway, and then select GW1.
  7. Select Local network gateway, and then select ER-Router-GW.
  8. In the Connection name field, enter ConnectToAzure.
  9. In the Shared key (PSK) field, enter abc123 and then select OK.
  10. Under Summary, select OK.
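The portal steps in the sections above, carried out with Az PowerShell instead. This is an added example and not code from the original article: it assumes an Az session already connected to the Azure Stack Hub user endpoint with the tenant subscription selected; the resource group name Tenant1-RG and the region name local are assumed placeholders, while the resource names, address ranges and router address are the article's example values. The shared key is a placeholder and must match the pre-shared key configured on the ExpressRoute router.

```powershell
# Added example (not from the original article): creates the Tenant 1 network
# resources from the portal procedure with Az PowerShell. Assumes Connect-AzAccount
# has already been run against the Azure Stack Hub user endpoint.

$rgName   = 'Tenant1-RG'     # assumed resource group name
$location = 'local'          # assumed Azure Stack Hub region name
$routerIp = '10.60.3.255'    # LAN sub-interface of the ExpressRoute router for Tenant 1
$azurePrefixes = @('192.168.2.0/24', '10.100.0.0/16')   # hub and spoke VNets in Azure
$psk = 'REPLACE-WITH-THE-ROUTER-PRE-SHARED-KEY'          # placeholder; must match the router

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Virtual network with the VM subnet and the gateway subnet. The gateway subnet
# must be named GatewaySubnet, otherwise the gateway deployment fails.
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Tenant1-Sub1' -AddressPrefix '10.1.1.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.0.0/24'
$vnet = New-AzVirtualNetwork -Name 'Tenant1VNet1' -ResourceGroupName $rgName `
    -Location $location -AddressPrefix '10.1.0.0/16' -Subnet $vmSubnet, $gwSubnet

# Public IP address and the route-based VPN gateway GW1.
$pip = New-AzPublicIpAddress -Name 'GW1-PiP' -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Dynamic
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'GW1-ipconfig' `
    -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'GW1' -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Standard

# Local network gateway: the router's LAN sub-interface address plus the Azure
# address spaces that are reached through it (static routing, as in the article).
$lng = New-AzLocalNetworkGateway -Name 'ER-Router-GW' -ResourceGroupName $rgName `
    -Location $location -GatewayIpAddress $routerIp -AddressPrefix $azurePrefixes

# Site-to-site IPsec connection from GW1 to the router.
New-AzVirtualNetworkGatewayConnection -Name 'ConnectToAzure' -ResourceGroupName $rgName `
    -Location $location -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk | Out-Null

# The gateway's public IP address is needed later as the Internal IP address of the
# NAT mapping on an ASDK host.
(Get-AzPublicIpAddress -Name 'GW1-PiP' -ResourceGroupName $rgName).IpAddress
```

Gateway creation takes a while to complete; the script blocks on New-AzVirtualNetworkGateway until the gateway is provisioned, so the public IP address printed at the end is the one you would otherwise read from the Overview blade in the portal.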

Get the virtual network gateway public IP address

After you create the virtual network gateway, you can get the gateway's public IP address. Make a note of this address in case you need it later for your deployment. Depending on your deployment, this address is used as the Internal IP address.

  1. In the Azure Stack Hub user portal, select All resources.
  2. Under All resources, select the virtual network gateway, which is GW1 in the example.
  3. Under Virtual network gateway, select Overview from the list of resources. Alternatively, you can select Properties.
  4. The IP address that you want to note is listed under Public IP address. For the example configuration, this address is 192.68.102.1.

Create a virtual machine (VM)

To test data traffic over the VPN connection, you need VMs to send and receive data in the Azure Stack Hub VNet. Create a VM and deploy it to the VM subnet for your virtual network.

  1. In the Azure Stack Hub user portal, select + Create a resource.

  2. Under Azure Marketplace, select Compute.

  3. In the list of VM images, select the Windows Server 2016 Datacenter Eval image.

    Note

    If the image used for this article is not available, ask your Azure Stack Hub operator to provide a different Windows Server image.

  4. In Create virtual machine, select Basics, then type VM01 as the Name.

  5. Enter a valid user name and password. You'll use this account to sign in to the VM after it has been created.

  6. Provide a Subscription, Resource group, and Location. Select OK.

  7. Under Choose a size, select a VM size for this instance, and then select Select.

  8. Under Settings, confirm that:

    • The virtual network is Tenant1VNet1.
    • The subnet is set to 10.1.1.0/24.

    Use the default settings and click OK.

  9. Under Summary, review the VM configuration and then click OK.

To add more tenants, repeat the steps you followed in these sections:

If you're using Tenant 2 as an example, remember to change the IP addresses to avoid overlaps.
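A quick way to catch the overlap mentioned above before any resource is deployed is to check the planned prefixes against each other. The following is an added example, not code from the original article: it uses the article's example ranges plus an assumed Tenant 2 range that was copied from Tenant 1 without renumbering, which is exactly the mistake the check is meant to flag.

```powershell
# Added example (not from the original article): detects overlapping IPv4 CIDR
# prefixes in an address plan. Works in Windows PowerShell 5.1 and PowerShell 7.

function ConvertTo-Int64Address([string]$Ip) {
    # Big-endian packing of the four octets into one 64-bit integer.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [int64]$value = 0
    foreach ($b in $bytes) { $value = ($value -shl 8) -bor $b }
    return $value
}

function Get-CidrRange([string]$Cidr) {
    # Returns the first and last address of the prefix as integers.
    $ip, $len = $Cidr.Split('/')
    $len = [int]$len
    if ($len -lt 0 -or $len -gt 32) { throw "Invalid prefix length in $Cidr" }
    $size  = [int64]1 -shl (32 - $len)
    $start = (ConvertTo-Int64Address $ip) -band (-bnot ($size - 1))
    [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Find-OverlappingPrefixes([string[]]$Prefixes) {
    # Pairwise interval test; two ranges overlap when each starts before the other ends.
    $ranges = @($Prefixes | ForEach-Object { Get-CidrRange $_ })
    $overlaps = @()
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            if ($ranges[$i].Start -le $ranges[$j].End -and $ranges[$j].Start -le $ranges[$i].End) {
                $overlaps += "$($ranges[$i].Cidr) overlaps $($ranges[$j].Cidr)"
            }
        }
    }
    return $overlaps
}

# Address plan: the article's example values plus an assumed Tenant 2 VNet that
# mistakenly reuses the Tenant 1 range.
$plan = @(
    '10.1.0.0/16',      # Tenant1VNet1 in Azure Stack Hub
    '192.168.2.0/24',   # hub VNet in Azure
    '10.100.0.0/16',    # spoke VNet in Azure
    '10.1.0.0/16'       # assumed Tenant 2 VNet copied from Tenant 1 (overlap)
)

$result = @(Find-OverlappingPrefixes $plan)
if ($result.Count -eq 0) { 'No overlapping prefixes.' } else { $result }
```

With the plan above the script reports that 10.1.0.0/16 overlaps 10.1.0.0/16; replacing the Tenant 2 entry with a distinct range such as 10.2.0.0/16 makes it report no overlaps. Run the same check again after adding the hub and spoke ranges of every additional tenant.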

Configure the NAT VM for gateway traversal

Important

This section is for ASDK deployments only. The NAT is not needed for multi-node deployments.

The ASDK is self-contained and isolated from the network where the physical host is deployed. The VIP network that the gateways are connected to is not external; it is hidden behind a router performing Network Address Translation (NAT).

The router is the ASDK host running the Routing and Remote Access Services (RRAS) role. You must configure NAT on the ASDK host to enable the site-to-site VPN connection to connect on both ends.

Configure the NAT

  1. Sign in to the Azure Stack Hub host computer with your admin account.

  2. Run the following cmdlet in an elevated PowerShell ISE. It returns your External BGPNAT address:

    Get-NetNatExternalAddress
    
  3. To configure the NAT, copy and edit the following PowerShell script. Edit the script to replace the External BGPNAT address and Internal IP address with the following example values:

    • For External BGPNAT address, use 10.10.0.62
    • For Internal IP address, use 192.168.102.1

    Run the following script from an elevated PowerShell ISE:

    # External BGPNAT address: the address returned by Get-NetNatExternalAddress (example value).
    $ExtBgpNat = '10.10.0.62'
    # Internal IP address: the public IP address of the Azure Stack Hub virtual network gateway (example value).
    $IntBgpNat = '192.168.102.1'
    # The variables are referenced directly; the $Using: scope modifier only works inside
    # Invoke-Command or job script blocks and fails in a local session.
    
    # Reserve the external NAT address for the port ranges that carry the IKE exchange
    # (UDP 500 for IKE/ISAKMP and UDP 4500 for NAT traversal).
    Add-NetNatExternalAddress `
       -NatName BGPNAT `
       -IPAddress $ExtBgpNat `
       -PortStart 499 `
       -PortEnd 501
    Add-NetNatExternalAddress `
       -NatName BGPNAT `
       -IPAddress $ExtBgpNat `
       -PortStart 4499 `
       -PortEnd 4501
    # Static NAT mapping from the external address to the gateway public IP address for
    # ISAKMP port 500, used in phase 1 of the IPsec tunnel.
    Add-NetNatStaticMapping `
       -NatName BGPNAT `
       -Protocol UDP `
       -ExternalIPAddress $ExtBgpNat `
       -InternalIPAddress $IntBgpNat `
       -ExternalPort 500 `
       -InternalPort 500
    # NAT traversal mapping: port 4500 establishes the complete IPsec tunnel across NAT devices.
    Add-NetNatStaticMapping `
       -NatName BGPNAT `
       -Protocol UDP `
       -ExternalIPAddress $ExtBgpNat `
       -InternalIPAddress $IntBgpNat `
       -ExternalPort 4500 `
       -InternalPort 4500
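After the script above has run, the mappings can be verified on the ASDK host before you start troubleshooting the tunnel from the router side. The following is an added example, not code from the original article; it assumes the NAT instance is named BGPNAT and that the article's example addresses 10.10.0.62 and 192.168.102.1 were used.

```powershell
# Added example (not from the original article): checks that the BGPNAT external
# address reservations and the UDP 500/4500 static mappings are in place.
# Run in an elevated PowerShell session on the ASDK host.

function Test-BgpNatConfig {
    param(
        [string]$NatName    = 'BGPNAT',
        [string]$ExternalIp = '10.10.0.62',      # example External BGPNAT address
        [string]$InternalIp = '192.168.102.1'    # example gateway public IP (Internal IP address)
    )
    $mappings  = Get-NetNatStaticMapping  -NatName $NatName -ErrorAction SilentlyContinue
    $externals = Get-NetNatExternalAddress -NatName $NatName -ErrorAction SilentlyContinue

    foreach ($port in 500, 4500) {
        # A usable mapping must be UDP, go from the external address to the gateway
        # address, and keep the same port on both sides.
        $mapping = $mappings | Where-Object {
            $_.Protocol -eq 'UDP' -and
            $_.ExternalIPAddress -eq $ExternalIp -and
            $_.InternalIPAddress -eq $InternalIp -and
            $_.ExternalPort -eq $port -and
            $_.InternalPort -eq $port
        }
        # The port must also fall inside an external address reservation.
        $reservation = $externals | Where-Object {
            $_.IPAddress -eq $ExternalIp -and $_.PortStart -le $port -and $_.PortEnd -ge $port
        }
        [pscustomobject]@{
            Port                = $port
            MappingPresent      = [bool]$mapping
            ReservationPresent  = [bool]$reservation
        }
    }
}

Test-BgpNatConfig | Format-Table -AutoSize
```

Both rows should show MappingPresent and ReservationPresent as True. A missing reservation with a present mapping is the typical symptom of running only the second half of the script.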
    

Configure Azure

After you finish configuring Azure Stack Hub, you can deploy the Azure resources. The following figure shows an example of a tenant virtual network in Azure. You can use any name and addressing scheme for your VNet in Azure. However, the address ranges of the VNets in Azure and Azure Stack Hub must be unique and must not overlap:

[Figure: Azure VNet]

The resources you deploy in Azure are similar to the resources you deployed in Azure Stack Hub. You deploy the following components:

  • Virtual networks and subnets
  • A gateway subnet
  • A virtual network gateway
  • A connection
  • An ExpressRoute circuit

The example Azure network infrastructure is configured as follows:

  • A standard hub (192.168.2.0/24) and spoke (10.100.0.0/16) VNet model. For more information about hub-spoke network topology, see Implement a hub-spoke network topology in Azure.
  • The workloads are deployed in the spoke VNet and the ExpressRoute circuit is connected to the hub VNet.
  • The two VNets are connected using VNet peering.

Configure the Azure VNets

  1. Sign in to the Azure portal with your Azure credentials.
  2. Create the hub VNet using the 192.168.2.0/24 address range.
  3. Create a subnet using the 192.168.2.0/25 address range, and add a gateway subnet using the 192.168.2.128/27 address range.
  4. Create the spoke VNet and subnet using the 10.100.0.0/16 address range.

For more information about creating virtual networks in Azure, see Create a virtual network.

Configure an ExpressRoute circuit

  1. Review the ExpressRoute prerequisites in ExpressRoute prerequisites & checklist.

  2. Follow the steps in Create and modify an ExpressRoute circuit to create an ExpressRoute circuit using your Azure subscription.

    Note

    Give the service key for your circuit to your service provider so they can set up your ExpressRoute circuit at their end.

  3. Follow the steps in Create and modify peering for an ExpressRoute circuit to configure private peering on the ExpressRoute circuit.

Create the virtual network gateway

Follow the steps in Configure a virtual network gateway for ExpressRoute using PowerShell to create a virtual network gateway for ExpressRoute in the hub VNet.

Create the connection

To link the ExpressRoute circuit to the hub VNet, follow the steps in Connect a virtual network to an ExpressRoute circuit.

Peer the VNets

Peer the hub and spoke VNets using the steps in Create a virtual network peering using the Azure portal. When configuring VNet peering, make sure you use the following options:

  • From the hub to the spoke, Allow gateway transit.
  • From the spoke to the hub, Use remote gateways.

Create a virtual machine

Deploy your workload VMs into the spoke VNet.

Repeat these steps for any additional tenant VNets you want to connect in Azure through their respective ExpressRoute circuits.
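The Azure-side steps above (hub and spoke VNets, ExpressRoute circuit with private peering, ExpressRoute gateway, circuit link and VNet peering) carried out with Az PowerShell for Tenant 1. This is an added example, not code from the original article or from the linked Azure documents: it assumes an Az session connected to Azure, and the resource group name, region, provider name, peering location, bandwidth and public IP SKU are assumed values; the peering address prefixes, VLAN ID and AS number come from the router configuration later in this article.

```powershell
# Added example (not from the original article): builds the Azure side for Tenant 1.
# Assumes Connect-AzAccount has been run against Azure.

$rgName   = 'Tenant1-Azure-RG'   # assumed
$location = 'westus'             # assumed
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Hub VNet 192.168.2.0/24 with a workload subnet and the gateway subnet.
$hubSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Hub-Sub1' -AddressPrefix '192.168.2.0/25'
$hubGwSub  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '192.168.2.128/27'
$hub = New-AzVirtualNetwork -Name 'Tenant1-Hub' -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '192.168.2.0/24' -Subnet $hubSubnet, $hubGwSub

# Spoke VNet 10.100.0.0/16 for the workload VMs (subnet size is an assumed value).
$spokeSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Spoke-Sub1' -AddressPrefix '10.100.0.0/24'
$spoke = New-AzVirtualNetwork -Name 'Tenant1-Spoke' -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.100.0.0/16' -Subnet $spokeSubnet

# ExpressRoute circuit. Provider, peering location and bandwidth are assumed values;
# the service key it returns is what you hand to the provider.
$ckt = New-AzExpressRouteCircuit -Name 'Tenant1-ER' -ResourceGroupName $rgName -Location $location `
    -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName 'Equinix' `
    -PeeringLocation 'Silicon Valley' -BandwidthInMbps 200
"Service key for the provider: $($ckt.ServiceKey)"

# Private peering. Azure only accepts the peering once the provider has provisioned the
# circuit, so run this part after ServiceProviderProvisioningState reports Provisioned.
# The /30s, VLAN 101 and AS 65530 match the router's Tenant 1 WAN sub-interfaces and BGP process.
Add-AzExpressRouteCircuitPeeringConfig -Name 'AzurePrivatePeering' -ExpressRouteCircuit $ckt `
    -PeeringType AzurePrivatePeering -PeerASN 65530 `
    -PrimaryPeerAddressPrefix '192.168.1.0/30' -SecondaryPeerAddressPrefix '192.168.1.4/30' `
    -VlanId 101
$ckt = Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

# ExpressRoute gateway in the hub VNet and the link to the circuit.
$pip = New-AzPublicIpAddress -Name 'Hub-ERGW-PiP' -ResourceGroupName $rgName -Location $location `
    -AllocationMethod Static -Sku Standard      # assumed public IP SKU
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'ergw-ipconfig' -SubnetId $gwSubnetId `
    -PublicIpAddressId $pip.Id
$ergw = New-AzVirtualNetworkGateway -Name 'Hub-ERGW' -ResourceGroupName $rgName -Location $location `
    -IpConfigurations $ipConfig -GatewayType ExpressRoute -GatewaySku Standard
New-AzVirtualNetworkGatewayConnection -Name 'Hub-to-ER' -ResourceGroupName $rgName -Location $location `
    -VirtualNetworkGateway1 $ergw -PeerId $ckt.Id -ConnectionType ExpressRoute | Out-Null

# Hub/spoke peering: gateway transit on the hub side, remote gateways on the spoke side,
# so the spoke reaches Azure Stack Hub through the hub's ExpressRoute gateway.
Add-AzVirtualNetworkPeering -Name 'Hub-to-Spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name 'Spoke-to-Hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -UseRemoteGateways | Out-Null
```

For Tenant 2, repeat the script with its own resource group, non-overlapping VNet ranges, the second circuit, and the router's Tenant 2 values (192.168.1.16/30, 192.168.1.20/30 and VLAN 102).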

Configure the router

You can use the following ExpressRoute router configuration diagram as a guide for configuring your ExpressRoute router. This figure shows two tenants (Tenant 1 and Tenant 2) with their respective ExpressRoute circuits. Each tenant is linked to its own VRF (Virtual Routing and Forwarding) on the LAN and WAN sides of the ExpressRoute router. This configuration ensures end-to-end isolation between the two tenants. Take note of the IP addresses used on the router interfaces as you follow the configuration example.

[Figure: ExpressRoute router configuration]

You can use any router that supports IKEv2 VPN and BGP to terminate the site-to-site VPN connection from Azure Stack Hub. The same router is used to connect to Azure using an ExpressRoute circuit.

The following Cisco ASR 1000 Series Aggregation Services Router configuration example supports the network infrastructure shown in the ExpressRoute router configuration diagram. The pre-shared key in the IKEv2 profiles (abc123 in the example) must match the shared key entered when the Azure Stack Hub connection was created.

ip vrf Tenant1
 description Routing Domain for PRIVATE peering to Azure for Tenant 1
 rd 1:1
!
ip vrf Tenant2
 description Routing Domain for PRIVATE peering to Azure for Tenant 2
 rd 1:5
!
! IKEv2 proposal for Tenant 1
crypto ikev2 proposal V2-PROPOSAL2
 encryption aes-cbc-256
 integrity sha256
 group 2
! IKEv2 proposal for Tenant 2
crypto ikev2 proposal V4-PROPOSAL2
 encryption aes-cbc-256
 integrity sha256
 group 2
!
! IKEv2 policy for Tenant 1
crypto ikev2 policy V2-POLICY2
 match fvrf Tenant1
 match address local 10.60.3.255
 proposal V2-PROPOSAL2
! IKEv2 policy for Tenant 2
crypto ikev2 policy V4-POLICY2
 match fvrf Tenant2
 match address local 10.60.3.251
 proposal V4-PROPOSAL2
!
crypto ikev2 profile V2-PROFILE
 description IKEv2 profile for Tenant 1
 match fvrf Tenant1
 match address local 10.60.3.255
 match identity remote any
 authentication remote pre-share key abc123
 authentication local pre-share key abc123
 ivrf Tenant1
!
crypto ikev2 profile V4-PROFILE
 description IKEv2 profile for Tenant 2
 match fvrf Tenant2
 match address local 10.60.3.251
 match identity remote any
 authentication remote pre-share key abc123
 authentication local pre-share key abc123
 ivrf Tenant2
!
crypto ipsec transform-set V2-TRANSFORM2 esp-gcm 256
 mode tunnel
crypto ipsec transform-set V4-TRANSFORM2 esp-gcm 256
 mode tunnel
!
crypto ipsec profile V2-PROFILE
 set transform-set V2-TRANSFORM2
 set ikev2-profile V2-PROFILE
!
crypto ipsec profile V4-PROFILE
 set transform-set V4-TRANSFORM2
 set ikev2-profile V4-PROFILE
!
interface Tunnel10
 description S2S VPN Tunnel for Tenant 1
 ip vrf forwarding Tenant1
 ip address 11.0.0.2 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source TenGigabitEthernet0/1/0.211
 tunnel mode ipsec ipv4
 tunnel destination 10.10.0.62
 tunnel vrf Tenant1
 tunnel protection ipsec profile V2-PROFILE
!
interface Tunnel20
 description S2S VPN Tunnel for Tenant 2
 ip vrf forwarding Tenant2
 ip address 11.0.0.2 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source TenGigabitEthernet0/1/0.213
 tunnel mode ipsec ipv4
 tunnel destination 10.10.0.62
 tunnel vrf Tenant2
 tunnel protection ipsec profile V4-PROFILE
!
interface GigabitEthernet0/0/1
 description PRIMARY ExpressRoute Link to AZURE over Equinix
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/1.100
 description Primary WAN interface of Tenant 1 (PRIMARY ER link to Azure)
 encapsulation dot1Q 101
 ip vrf forwarding Tenant1
 ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet0/0/1.102
 description Primary WAN interface of Tenant 2 (PRIMARY ER link to Azure)
 encapsulation dot1Q 102
 ip vrf forwarding Tenant2
 ip address 192.168.1.17 255.255.255.252
!
interface GigabitEthernet0/0/2
 description BACKUP ExpressRoute Link to AZURE over Equinix
 no ip address
 negotiation auto
!
interface GigabitEthernet0/0/2.100
 description Secondary WAN interface of Tenant 1 (BACKUP ER link to Azure)
 encapsulation dot1Q 101
 ip vrf forwarding Tenant1
 ip address 192.168.1.5 255.255.255.252
!
interface GigabitEthernet0/0/2.102
 description Secondary WAN interface of Tenant 2 (BACKUP ER link to Azure)
 encapsulation dot1Q 102
 ip vrf forwarding Tenant2
 ip address 192.168.1.21 255.255.255.252
!
interface TenGigabitEthernet0/1/0
 description Downlink to ---Port 1/47
 no ip address
!
interface TenGigabitEthernet0/1/0.211
 description LAN interface of Tenant 1 (Downlink to --- Port 1/47.211)
 encapsulation dot1Q 211
 ip vrf forwarding Tenant1
 ip address 10.60.3.255 255.255.255.254
!
interface TenGigabitEthernet0/1/0.213
 description LAN interface of Tenant 2 (Downlink to --- Port 1/47.213)
 encapsulation dot1Q 213
 ip vrf forwarding Tenant2
 ip address 10.60.3.251 255.255.255.254
!
router bgp 65530
 bgp router-id <removed>
 bgp log-neighbor-changes
 !
 ! BGP neighbor config and route advertisement for the Tenant 1 VRF
 address-family ipv4 vrf Tenant1
  network 10.1.0.0 mask 255.255.0.0
  network 10.60.3.254 mask 255.255.255.254
  network 192.168.1.0 mask 255.255.255.252
  network 192.168.1.4 mask 255.255.255.252
  neighbor 10.10.0.62 remote-as 65100
  neighbor 10.10.0.62 description VPN-BGP-PEER-for-Tenant 1
  neighbor 10.10.0.62 ebgp-multihop 5
  neighbor 10.10.0.62 activate
  neighbor 10.60.3.254 remote-as 4232570301
  neighbor 10.60.3.254 description LAN peer for CPEC:INET:2112 VRF
  neighbor 10.60.3.254 activate
  neighbor 10.60.3.254 route-map BLOCK-ALL out
  neighbor 192.168.1.2 remote-as 12076
  neighbor 192.168.1.2 description PRIMARY ER peer for Tenant 1 to Azure
  neighbor 192.168.1.2 ebgp-multihop 5
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 soft-reconfiguration inbound
  neighbor 192.168.1.2 route-map VNET-ONLY out
  neighbor 192.168.1.6 remote-as 12076
  neighbor 192.168.1.6 description BACKUP ER peer for Tenant 1 to Azure
  neighbor 192.168.1.6 ebgp-multihop 5
  neighbor 192.168.1.6 activate
  neighbor 192.168.1.6 soft-reconfiguration inbound
  neighbor 192.168.1.6 route-map VNET-ONLY out
  maximum-paths 8
 exit-address-family
 !
 ! BGP neighbor config and route advertisement for the Tenant 2 VRF
 address-family ipv4 vrf Tenant2
  network 10.1.0.0 mask 255.255.0.0
  network 10.60.3.250 mask 255.255.255.254
  network 192.168.1.16 mask 255.255.255.252
  network 192.168.1.20 mask 255.255.255.252
  neighbor 10.10.0.62 remote-as 65300
  neighbor 10.10.0.62 description VPN-BGP-PEER-for-Tenant 2
  neighbor 10.10.0.62 ebgp-multihop 5
  neighbor 10.10.0.62 activate
  neighbor 10.60.3.250 remote-as 4232570301
  neighbor 10.60.3.250 description LAN peer for CPEC:INET:2112 VRF
  neighbor 10.60.3.250 activate
  neighbor 10.60.3.250 route-map BLOCK-ALL out
  neighbor 192.168.1.18 remote-as 12076
  neighbor 192.168.1.18 description PRIMARY ER peer for Tenant 2 to Azure
  neighbor 192.168.1.18 ebgp-multihop 5
  neighbor 192.168.1.18 activate
  neighbor 192.168.1.18 soft-reconfiguration inbound
  neighbor 192.168.1.18 route-map VNET-ONLY out
  neighbor 192.168.1.22 remote-as 12076
  neighbor 192.168.1.22 description BACKUP ER peer for Tenant 2 to Azure
  neighbor 192.168.1.22 ebgp-multihop 5
  neighbor 192.168.1.22 activate
  neighbor 192.168.1.22 soft-reconfiguration inbound
  neighbor 192.168.1.22 route-map VNET-ONLY out
  maximum-paths 8
 exit-address-family
!
ip forward-protocol nd
!
! as-path list 1 matches only locally originated prefixes (empty AS path), so the
! VNET-ONLY route-map advertises the tenant's own networks to Azure and nothing
! learned from other peers.
ip as-path access-list 1 permit ^$
ip route vrf Tenant1 10.1.0.0 255.255.0.0 Tunnel10
ip route vrf Tenant2 10.1.0.0 255.255.0.0 Tunnel20
!
! BLOCK-ALL denies every prefix; applied outbound it suppresses all advertisements
! towards the LAN peer.
ip prefix-list BLOCK-ALL seq 5 deny 0.0.0.0/0 le 32
!
route-map BLOCK-ALL permit 10
 match ip address prefix-list BLOCK-ALL
!
route-map VNET-ONLY permit 10
 match as-path 1
!

Test the connection

Test your connection after you establish the site-to-site connection and the ExpressRoute circuit.

Perform the following ping tests:

  • Sign in to one of the VMs in your Azure VNet and ping the VM you created in Azure Stack Hub.
  • Sign in to one of the VMs you created in Azure Stack Hub and ping the VM you created in the Azure VNet.

Note

To make sure you are sending traffic over the site-to-site and ExpressRoute connections, you must ping the dedicated IP (DIP) address of the VM at both ends and not the VIP address of the VM.

Allow ICMP in through the firewall

By default, Windows Server 2016 does not allow incoming ICMP packets through the firewall. For every VM that you use for ping tests, you must allow incoming ICMP packets. To create a firewall rule for ICMP, run the following cmdlet in an elevated PowerShell window:

# Create an inbound firewall rule that allows ICMPv4 echo requests (ping) to reach the VM.
New-NetFirewallRule `
  -DisplayName "Allow ICMPv4-In" `
  -Direction Inbound `
  -Protocol ICMPv4 `
  -IcmpType 8 `
  -Action Allow

Ping the Azure Stack Hub VM

  1. Sign in to the Azure Stack Hub user portal.

  2. Find the VM that you created and select it.

  3. Select Connect.

  4. From an elevated Windows or PowerShell command prompt, enter ipconfig /all. Note the IPv4 address returned in the output.

  5. Ping the IPv4 address from the VM in the Azure VNet.

    In the example environment, the IPv4 address is from the 10.1.1.x/24 subnet. In your environment, the address might be different, but it should be in the subnet you created for the tenant VNet.

View data transfer statistics

If you want to know how much traffic is passing through your connection, you can find this information in the Azure Stack Hub user portal. Viewing data transfer statistics is also a good way to find out whether your ping test data went through the VPN and ExpressRoute connections:

  1. Sign in to the Azure Stack Hub user portal and select All resources.

  2. Navigate to the resource group for your VPN gateway and select the Connection object type.

  3. Select the ConnectToAzure connection from the list.

  4. Under Connections > Overview, you can see statistics for Data in and Data out. You should see some non-zero values.
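The same check can be scripted: read the connection's status and byte counters, send the pings to the remote VM's DIP, and read the counters again to confirm the test traffic went through the tunnel. This is an added example, not code from the original article. It assumes it is run from VM01 (or another host inside the Azure Stack Hub VNet that has the Az module and a session to the Azure Stack Hub user endpoint), the resource group name Tenant1-RG and the connection name ConnectToAzure from this article, and an assumed private address 10.100.0.4 for a VM in the Azure spoke VNet.

```powershell
# Added example (not from the original article): confirms ping traffic crosses the
# site-to-site connection by comparing the connection's byte counters before and after.

function Get-ConnectionCounters {
    param([string]$ResourceGroupName, [string]$ConnectionName)
    $c = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroupName
    [pscustomobject]@{
        Status  = $c.ConnectionStatus
        Ingress = $c.IngressBytesTransferred
        Egress  = $c.EgressBytesTransferred
        Time    = Get-Date
    }
}

$rgName    = 'Tenant1-RG'       # assumed resource group of the GW1 connection
$connName  = 'ConnectToAzure'
$remoteDip = '10.100.0.4'       # assumed private (DIP) address of a VM in the Azure spoke VNet

$before = Get-ConnectionCounters -ResourceGroupName $rgName -ConnectionName $connName
if ($before.Status -ne 'Connected') {
    Write-Warning "Connection status is '$($before.Status)'. Check the shared key, the local network gateway address and the router's IKEv2 profile before testing."
}

# Ping the DIP, not the VIP, so the packets actually traverse the VPN and ExpressRoute path.
# Replies only arrive if the remote VM allows inbound ICMPv4 (see the firewall rule above).
$replies  = @(Test-Connection -ComputerName $remoteDip -Count 4 -ErrorAction SilentlyContinue)
$received = $replies.Count

# The counters lag behind the data plane, so wait before re-reading them.
Start-Sleep -Seconds 30
$after = Get-ConnectionCounters -ResourceGroupName $rgName -ConnectionName $connName

[pscustomobject]@{
    PingRepliesReceived = $received
    IngressDelta        = $after.Ingress - $before.Ingress
    EgressDelta         = $after.Egress  - $before.Egress
    Status              = $after.Status
} | Format-List
```

A healthy result shows four replies and non-zero deltas on both counters. Replies with zero deltas mean the pings took another path (for example the VIP instead of the DIP); zero replies with a Connected status usually point at the remote VM's firewall rather than the tunnel.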

    [Figure: Data in and Data out]

Next steps

Deploy apps to Azure and Azure Stack Hub