Establish a VNET to VNET connection in Azure Stack Hub with Fortinet FortiGate NVA

In this article, you'll connect a VNET in one Azure Stack Hub to a VNET in another Azure Stack Hub using the Fortinet FortiGate NVA, a network virtual appliance.

This article addresses a current Azure Stack Hub limitation: tenants can set up only one VPN connection between two environments. You will learn how to set up a custom gateway on a Linux virtual machine that allows multiple VPN connections across different Azure Stack Hub environments. The procedure deploys two VNETs, each with a FortiGate NVA: one deployment per Azure Stack Hub environment. It also details the changes required to set up an IPsec VPN between the two VNETs. Repeat the steps in this article for each VNET in each Azure Stack Hub.

Prerequisites

  • Access to an Azure Stack Hub integrated system with enough available capacity to deploy the compute, network, and other resources this solution requires.

    Note

    These instructions will not work with an Azure Stack Development Kit (ASDK) because of the network limitations in the ASDK. For more information, see ASDK requirements and considerations.

  • A network virtual appliance (NVA) solution downloaded and published to the Azure Stack Hub Marketplace. An NVA controls the flow of network traffic from a perimeter network to other networks or subnets. This procedure uses the Fortinet FortiGate Next-Generation Firewall Single VM Solution.

  • At least two available FortiGate license files to activate the FortiGate NVAs. For information on how to get these licenses, see the Fortinet Document Library article Registering and downloading your license.

    This procedure uses the Single FortiGate-VM deployment. That Fortinet documentation also covers the steps for connecting the FortiGate NVA in the Azure Stack Hub VNET to your on-premises network.

    For more information on how to deploy the FortiGate solution in an active-passive (HA) setup, see the Fortinet Document Library article HA for FortiGate-VM on Azure.

Deployment parameters

The following table summarizes the parameters used in these deployments, for reference:

Deployment one: Forti1

  Parameter                            Value
  FortiGate Instance Name              Forti1
  BYOL License/Version                 6.0.3
  FortiGate administrative username    fortiadmin
  Resource Group name                  forti1-rg1
  Virtual network name                 forti1vnet1
  VNET Address Space                   172.16.0.0/16*
  Public VNET subnet name              forti1-PublicFacingSubnet
  Public VNET address prefix           172.16.0.0/24*
  Inside VNET subnet name              forti1-InsideSubnet
  Inside VNET subnet prefix            172.16.1.0/24*
  VM Size of FortiGate NVA             Standard F2s_v2
  Public IP address name               forti1-publicip1
  Public IP address type               Static

Deployment two: Forti2

  Parameter                            Value
  FortiGate Instance Name              Forti2
  BYOL License/Version                 6.0.3
  FortiGate administrative username    fortiadmin
  Resource Group name                  forti2-rg1
  Virtual network name                 forti2vnet1
  VNET Address Space                   172.17.0.0/16*
  Public VNET subnet name              forti2-PublicFacingSubnet
  Public VNET address prefix           172.17.0.0/24*
  Inside VNET subnet name              Forti2-InsideSubnet
  Inside VNET subnet prefix            172.17.1.0/24*
  VM Size of FortiGate NVA             Standard F2s_v2
  Public IP address name               Forti2-publicip1
  Public IP address type               Static

Note

* Choose a different set of address spaces and subnet prefixes if any of the above overlap with the on-premises network environment, including the VIP pool of either Azure Stack Hub. Also ensure that the two VNET address ranges do not overlap with one another: the UDRs and the IPsec Phase 2 selectors configured later in this article assume that each VNET's address space is unique.

Deploy the FortiGate NGFW Marketplace items

Repeat these steps for both Azure Stack Hub environments.

  1. Open the Azure Stack Hub user portal. Be sure to use credentials that have at least Contributor rights on a subscription.

  2. Select Create a resource and search for FortiGate.

  3. Select FortiGate NGFW, and then select Create.

  4. Complete Basics using the parameters from the Deployment parameters table.

  5. Select OK.

  6. Provide the virtual network, subnet, and VM size details from the Deployment parameters table.

    If you wish to use different names and ranges, take care not to use parameters that conflict with the VNET and FortiGate resources in the other Azure Stack Hub environment. This is especially important when setting the VNET address space and the subnet ranges within the VNET: check that they don't overlap with the IP ranges of the other VNET you create.

  7. Select OK.

  8. Configure the public IP address that the FortiGate NVA will use (forti1-publicip1 or Forti2-publicip1, static).

  9. Select OK, and then select OK again.

  10. Select Create.

The deployment takes about 10 minutes. You can now repeat the steps to create the other FortiGate NVA and VNET deployment in the other Azure Stack Hub environment.

Configure routes (UDRs) for each VNET

Perform these steps for both deployments, forti1-rg1 and forti2-rg1.

  1. Navigate to the forti1-rg1 resource group in the Azure Stack Hub portal.

  2. Select the forti1-forti1-InsideSubnet-routes-xxxx resource.

  3. Select Routes under Settings.

  4. Delete the to-Internet route.

  5. Select Yes.

  6. Select Add.

  7. Name the route after the VNET it reaches: to-forti2 in forti1-rg1, and to-forti1 in forti2-rg1.

  8. For the address prefix, enter the address space of the other VNET:

    • forti1: 172.17.0.0/16
    • forti2: 172.16.0.0/16

    Use your own IP range if you are using a different IP range.

  9. Select Virtual appliance for the Next hop type, and enter the private IP address of the NVA's port2 network interface in the InsideSubnet (with the sample prefixes, the first usable host address, .4):

    • forti1: 172.16.1.4
    • forti2: 172.17.1.4

    Use your own IP range if you are using a different IP range, and confirm the address on the NVA's InsideSubnet network interface in the portal before saving. The next hop must be the NVA interface in the same subnet as the route table, not the port1 address in the public-facing subnet; otherwise the traffic arrives on the wrong interface and the firewall policy created by the IPsec wizard (port2 to the tunnel) does not apply.

  10. Select Save.

Repeat the steps for the InsideSubnet route table in each resource group.
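The following script is an added example and is not part of the original article or of any Fortinet or Microsoft tooling. It enforces the two checks from the Deployment parameters note (each subnet sits inside its VNET, and the VNETs overlap neither each other nor the on-premises ranges or either VIP pool) and then derives the InsideSubnet route each resource group needs in the steps above. The VNET and subnet values are those from the parameter table; the on-premises range, the VIP pools and the rule that the first NIC in a subnet receives the .4 address are assumptions stated in the code.

```python
"""Validate the two-VNET address plan and derive the InsideSubnet UDRs.

Added example, not code from the original article. VNET and subnet values are
the sample values from the Deployment parameters table; on-premises and VIP
pool ranges are constructed placeholders.
"""
import ipaddress

# Assumption: Azure Stack Hub, like Azure, reserves the first four addresses of
# a subnet, so the first NIC placed in a subnet receives the .4 address. The
# NVA's port2 NIC is the first in the InsideSubnet (172.16.1.4 in the article).
RESERVED_HOSTS = 4

SITES = {
    "forti1": {
        "vnet": "172.16.0.0/16",
        "public_subnet": "172.16.0.0/24",
        "inside_subnet": "172.16.1.0/24",
        "vip_pool": "192.0.2.0/24",       # assumed VIP pool of Azure Stack Hub 1
    },
    "forti2": {
        "vnet": "172.17.0.0/16",
        "public_subnet": "172.17.0.0/24",
        "inside_subnet": "172.17.1.0/24",
        "vip_pool": "198.51.100.0/24",    # assumed VIP pool of Azure Stack Hub 2
    },
}
ON_PREMISES = ["10.0.0.0/8"]  # assumed on-premises ranges that must not be reused


def nva_inside_ip(inside_subnet: str) -> str:
    """Private IP the NVA's port2 NIC receives in the InsideSubnet (.4)."""
    net = ipaddress.ip_network(inside_subnet)
    return str(net.network_address + RESERVED_HOSTS)


def validate_plan(sites=SITES, on_premises=ON_PREMISES) -> list:
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    vnets = {}
    for name, s in sites.items():
        vnet = ipaddress.ip_network(s["vnet"])
        vnets[name] = vnet
        # Both subnets must be carved out of their own VNET address space.
        for key in ("public_subnet", "inside_subnet"):
            sub = ipaddress.ip_network(s[key])
            if not sub.subnet_of(vnet):
                problems.append(f"{name}: {key} {sub} is outside VNET {vnet}")
        if ipaddress.ip_network(s["public_subnet"]).overlaps(
                ipaddress.ip_network(s["inside_subnet"])):
            problems.append(f"{name}: public and inside subnets overlap")
    # Every VNET must be disjoint from the other VNET, both VIP pools and on-prem.
    reserved = [ipaddress.ip_network(p) for p in on_premises]
    reserved += [ipaddress.ip_network(s["vip_pool"]) for s in sites.values()]
    names = list(vnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vnets[a].overlaps(vnets[b]):
                problems.append(f"VNETs {a} and {b} overlap: {vnets[a]} / {vnets[b]}")
        for rng in reserved:
            if vnets[a].overlaps(rng):
                problems.append(f"VNET {a} {vnets[a]} overlaps reserved range {rng}")
    return problems


def derive_routes(sites=SITES) -> dict:
    """UDR to add to each InsideSubnet route table after deleting to-Internet."""
    routes = {}
    for name, s in sites.items():
        # Each InsideSubnet gets one route: the other VNET via this site's NVA.
        other_name, other = next((n, o) for n, o in sites.items() if n != name)
        routes[name] = {
            "name": f"to-{other_name}",
            "address_prefix": other["vnet"],
            "next_hop_type": "VirtualAppliance",
            "next_hop": nva_inside_ip(s["inside_subnet"]),
        }
    return routes


if __name__ == "__main__":
    for p in validate_plan():
        print("PROBLEM:", p)
    for rg, r in derive_routes().items():
        print(f"{rg}-rg1 InsideSubnet: {r['name']} {r['address_prefix']} "
              f"-> {r['next_hop_type']} {r['next_hop']}")
```

Run it before touching the portal: an empty problem list and two printed routes (to-forti2 via 172.16.1.4 and to-forti1 via 172.17.1.4 with the sample values) are what the UDR steps above should end up with. Replace the placeholder VIP pools and on-premises range with the real ones from your environments; the overlap check is only as good as that input.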

Activate the FortiGate NVAs and configure an IPsec VPN connection on each NVA

You need a valid license file from Fortinet to activate each FortiGate NVA. The NVAs will not function until each one has been activated. For more information on how to get a license file and the steps to activate the NVA, see the Fortinet Document Library article Registering and downloading your license.

Two license files are needed, one for each NVA.

Create an IPsec VPN between the two NVAs

Once the NVAs have been activated, follow these steps to create an IPsec VPN between the two NVAs.

Perform the following steps on both the forti1 NVA and the forti2 NVA:

  1. Get the assigned public IP address from the Overview page of the fortiX VM.

  2. Copy the assigned IP address, open a browser, and paste the address into the address bar. Your browser may warn you that the security certificate is not trusted; this is expected for the appliance's default self-signed certificate, so continue for the initial setup. Before leaving the management interface reachable beyond this setup, install a trusted certificate and restrict management access to known source addresses.

  3. Enter the FortiGate administrative user name and password you provided during deployment.

  4. Select System > Firmware.

  5. Select the box showing the latest firmware, for example, FortiOS v6.2.0 build0866.

  6. Select Backup config and upgrade, and select Continue when prompted.

  7. The NVA updates its firmware to the latest build and reboots. The process takes about five minutes. Log back in to the FortiGate web console.

  8. Select VPN > IPsec Wizard.

  9. In the VPN Creation Wizard, enter a name for the VPN, for example, conn1.

  10. Select This site is behind NAT. The NVA's port1 carries a private address from the PublicFacingSubnet and the Azure Stack Hub public IP is translated to it, so the tunnel needs NAT traversal.

  11. Select Next.

  12. Enter the remote IP address of the VPN device you are connecting to. For this VNET-to-VNET setup, that is the public IP address of the other FortiGate NVA: on forti1 enter forti2's public IP, and on forti2 enter forti1's public IP.

  13. Select port1 as the Outgoing Interface.

  14. Select Pre-shared Key and enter (and record) a pre-shared key. Use a long, randomly generated key that is not reused for any other tunnel.

    Note

    You will need this key to set up the connection on the other VPN device; the keys on the two sides must match exactly.

  15. Select Next.

  16. Select port2 for the Local Interface.

  17. Enter the local subnet range, that is, the address space of this NVA's own VNET:

    • forti1: 172.16.0.0/16
    • forti2: 172.17.0.0/16

    Use your own IP range if you are using a different IP range.

  18. Enter the remote subnet(s), that is, the address space of the other VNET that you will reach through the other NVA:

    • forti1: 172.17.0.0/16
    • forti2: 172.16.0.0/16

    Use your own IP range if you are using a different IP range. The local subnet on one NVA must be the remote subnet on the other; if the same range is entered on both sides, Phase 1 may still come up but no Phase 2 selector matches and the tunnel carries no traffic.

  19. Select Create.

  20. Select Network > Interfaces.

  21. Double-click port2.

  22. Choose LAN in the Role list and DHCP for the Addressing mode.

  23. Select OK.

Repeat the steps for the other NVA.
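Because the wizard runs independently on each NVA, nothing stops you from entering a remote gateway, pre-shared key or subnet pair that the other side does not mirror. The following script is an added example, not part of the original article or of FortiOS, that records what was typed into the wizard on each NVA and checks the two sides against each other. The public IPs, the pre-shared key and the 16-character minimum key length are constructed assumptions; the interface names, the NAT setting and the subnet ranges are those used in the steps above.

```python
"""Cross-check the IPsec wizard settings entered on the two FortiGate NVAs.

Added example, not code from the original article. Each dict holds what was
entered in the VPN Creation Wizard on one NVA. Public IPs and the pre-shared
key are constructed placeholders.
"""
import ipaddress

FORTI1 = {
    "public_ip": "203.0.113.10",        # constructed: forti1-publicip1
    "name": "conn1",
    "behind_nat": True,                 # "This site is behind NAT"
    "remote_gw": "203.0.113.20",        # the other NVA's public IP
    "outgoing_interface": "port1",
    "psk": "example-psk-replace-me",    # constructed placeholder
    "local_interface": "port2",
    "local_subnets": ["172.16.0.0/16"],
    "remote_subnets": ["172.17.0.0/16"],
}
FORTI2 = {
    "public_ip": "203.0.113.20",        # constructed: Forti2-publicip1
    "name": "conn1",
    "behind_nat": True,
    "remote_gw": "203.0.113.10",
    "outgoing_interface": "port1",
    "psk": "example-psk-replace-me",
    "local_interface": "port2",
    "local_subnets": ["172.17.0.0/16"],
    "remote_subnets": ["172.16.0.0/16"],
}
MIN_PSK_LEN = 16  # assumed local policy, not a FortiOS requirement


def _nets(prefixes):
    return {ipaddress.ip_network(p) for p in prefixes}


def check_pair(a: dict, b: dict) -> list:
    """Return the mismatches between the two sides; empty means consistent."""
    issues = []
    for side, me, peer in (("forti1", a, b), ("forti2", b, a)):
        # Phase 1: the remote gateway must be the peer's public IP and both
        # sides sit behind Azure Stack Hub NAT on port1.
        if me["remote_gw"] != peer["public_ip"]:
            issues.append(f"{side}: remote gateway {me['remote_gw']} is not the "
                          f"peer public IP {peer['public_ip']}")
        if not me["behind_nat"]:
            issues.append(f"{side}: 'This site is behind NAT' must be selected; "
                          f"port1 holds a private address")
        if me["outgoing_interface"] != "port1" or me["local_interface"] != "port2":
            issues.append(f"{side}: outgoing interface must be port1 and local "
                          f"interface port2")
        # Phase 2: my local selector must be exactly the peer's remote selector.
        if _nets(me["local_subnets"]) != _nets(peer["remote_subnets"]):
            issues.append(f"{side}: local subnets {me['local_subnets']} are not "
                          f"the peer's remote subnets {peer['remote_subnets']}")
        # A local range that overlaps the remote range (e.g. the same VNET
        # entered on both sides) leaves the selector with nowhere to send traffic.
        for loc in _nets(me["local_subnets"]):
            for rem in _nets(me["remote_subnets"]):
                if loc.overlaps(rem):
                    issues.append(f"{side}: local {loc} overlaps remote {rem}; "
                                  f"selectors are ambiguous")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ; Phase 1 will fail authentication")
    if len(a["psk"]) < MIN_PSK_LEN:
        issues.append(f"pre-shared key is shorter than {MIN_PSK_LEN} characters")
    return issues


if __name__ == "__main__":
    for issue in check_pair(FORTI1, FORTI2) or ["no mismatches found"]:
        print(issue)
```

The case worth trying is the one the wizard steps invite: entering your own VNET as the remote subnet on the second NVA. The check then reports the first side's local selector as unmatched and the second side's selectors as overlapping, which is what the IPsec Monitor later shows as a tunnel with no Phase 2 selector up.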

Bring up all Phase 2 selectors

Once the above has been completed for both NVAs:

  1. On the forti2 FortiGate web console, select Monitor > IPsec Monitor.

  2. Highlight conn1 and select Bring Up > All Phase 2 Selectors.

Test and validate connectivity

You should now be able to route between the two VNETs via the FortiGate NVAs. To validate the connection, create an Azure Stack Hub VM in each VNET's InsideSubnet. You can create an Azure Stack Hub VM via the portal, CLI, or PowerShell. When creating the VMs:

  • Place the Azure Stack Hub VMs on the InsideSubnet of each VNET.

  • Do not apply any NSGs to the VM upon creation (that is, remove the NSG that gets added by default if creating the VM from the portal).

  • Ensure that the VM firewall rules allow the communication you are going to use to test connectivity. For testing purposes, it is simplest to disable the firewall completely within the OS if possible. Re-enable the OS firewall and reapply NSGs once the tunnel has been validated; the FortiGate firewall policies remain the only control point between the two VNETs in the meantime.

Next steps

Differences and considerations for Azure Stack Hub networking
Offer a network solution in Azure Stack Hub with Fortinet FortiGate