如何在 Azure Stack Hub 中使用 IPSEC 创建 VPN 隧道How to create a VPN Tunnel using IPSEC in Azure Stack Hub

可以使用此解决方案中的 Azure Stack Hub 资源管理器模板来连接同一 Azure Stack Hub 环境中的两个 Azure Stack Hub VNet。You can use the Azure Stack Hub Resource Manager template in this solution to connect two Azure Stack Hub VNets within the same Azure Stack Hub environment. 使用内置虚拟网络网关无法连接 Azure Stack Hub VNetYou can't connect Azure Stack Hub VNets using the built-in Virtual Network Gateway. 目前,必须使用网络虚拟设备 (NVA) 在两个 Azure Stack Hub VNet 之间创建 VPN 隧道。For now, you must use network virtual appliances (NVA)s to create a VPN tunnel between two Azure Stack Hub VNets. 此解决方案模板会部署两个安装了 RRAS 的 Windows Server 2016 VM。The solution template deploys two Windows Server 2016 VMs with RRAS installed. 此解决方案配置两个 RRAS 服务器以使用两个 VNET 之间的 S2SVPN IKEv2 隧道。The solution configures the two RRAS servers to use a S2SVPN IKEv2 tunnel between the two VNETs. 创建适当的 NSG 和 UDR 规则以允许在指定为“内部”的每个 VNET 上的子网之间进行路由 The appropriate NSG and UDR rules are created to allow routing between the subnets on each VNET designated as internal

此解决方案是一个基础,它使得 VPN 隧道不仅可以在 Azure Stack Hub 实例内部创建,而且还可以在 Azure Stack Hub 实例之间创建,以及创建到本地网络等其他资源(通过使用 Windows RRAS S2S VPN 隧道)。This solution is the foundation that will allow VPN Tunnels to be created not only within an Azure Stack Hub instance but also between Azure Stack Hub Instances and to other resources such as on-premises networks with the use of the Windows RRAS S2S VPN Tunnels.

可以在 Azure 智能边缘模式 GitHub 存储库中找到这些模板。You can find the templates in the Azure Intelligent Edge Patterns GitHub repository. 该模板位于 rras-gre-vnet-vnet 文件夹中。The template is in the rras-gre-vnet-vnet folder.

此图显示了一个实现,该实现在两个 VNET 之间提供一个 VPN 隧道。


  • 应用了最新更新的已部署系统。A system deployed with latest updates applied.
  • 所需的 Azure Stack Hub 市场项:Required Azure Stack Hub Marketplace items:
    • Windows Server 2016 Datacenter 或 Windows Server 2019 Datacenter(建议使用最新内部版本)Windows Server 2016 Datacenter or Windows Server 2019 Datacenter (latest build recommended)
    • 自定义脚本扩展Custom Script Extension

注意事项Things to consider

  • 某个网络安全组将应用到模板隧道子网。A Network Security Group is applied to the template Tunnel Subnet. 建议使用其他 NSG 保护每个 VNet 中的内部子网。It is recommended to secure the internal subnet in each VNet with an additional NSG.
  • RDP“拒绝”规则将应用到隧道 NSG,如果你想要通过公共 IP 地址访问 VM,则需要将此规则设置为“允许”An RDP Deny rule is applied to the Tunnel NSG and will need to be set to allow if you intend to access the VMs via the Public IP address
  • 此解决方案不考虑 DNS 解析This solution does not take into account DNS resolution
  • VNet 名称和 vmName 的组合必须少于 15 个字符The combination of VNet name and vmName must be fewer than 15 characters
  • 此模板设计用于为 VNet1 和 VNet2 自定义 VNet 名称This template is designed to have the VNet names customized for VNet1 and VNet2
  • 此模板使用的是 BYOL windowsThis template is using BYOL windows
  • 删除资源组时,目前在 (1907) 上必须手动将 NSG 与隧道子网分离,以确保删除资源组完成When deleting the resource group, currently on (1907) you have to manually detach the NSGs from the tunnel subnet to ensure the delete resource group completes
  • 此模板使用的是 DS3v2 VM。This template is using a DS3v2 vm. RRAS 服务将安装并运行 Windows 内部 SQL Server。The RRAS service installs and run Windows internal SQL Server. 如果 VM 太小,则可能会导致内存问题。This can cause memory issues if your VM size is too small. 在减小 VM 大小之前,请验证性能。Validate performance before reducing the VM size.
  • 这不是一个高度可用的解决方案。This is not a highly available solution. 如果需要更高可用性样式的解决方案,可以添加第二个 VM,必须手动将路由表中的路由更改为辅助接口的内部 IP。If you require a more HA style solution you can add a second VM, you would have to manually Change the route in the route table to the internal IP of the secondary interface. 还需要配置多个隧道以建立交叉连接。You would also need to configure the multiple Tunnels to cross connect.


  • 可以通过 _artifactsLocation 和 _artifactsLocationSasToken 参数使用自己的 Blob 存储帐户和 SAS 令牌You can use your own Blob storage account and SAS token using the _artifactsLocation and _artifactsLocationSasToken parameters
  • 此模板上有两个输出 INTERNALSUBNETREFVNET1 和 INTERNALSUBNETREFVNET2,这是内部子网的资源 ID(如果要在管道样式部署模式中使用)。There are two outputs on this template INTERNALSUBNETREFVNET1 and INTERNALSUBNETREFVNET2, which is the Resource IDs for the internal subnets, if you want to use this in a pipeline style deployment pattern.

此模板为 VNet 命名和 IP 寻址提供默认值。This template provides default values for VNet naming and IP addressing. 它需要管理员 (rrasadmin) 的密码,还提供了将自己的存储 blob 与 SAS 令牌配合使用的功能。It requires a password for the administrator (rrasadmin) and also offers the ability to use your own storage blob with SAS token. 请谨慎地使这些值保持在合法的范围内,否则部署可能失败。Be careful to keep these values within legal ranges as deployment may fail. PowerShell DSC 包将在每个 RRAS VM 上执行,并安装路由和所有必需的依赖服务和功能。The powershell DSC package is executed on each RRAS VM and installing routing and all required dependent services and features. 如果需要,可以进一步自定义此 DSC。This DSC can be customized further if needed. 自定义脚本扩展运行以下脚本,Add-Site2SiteIKE.ps1 使用共享密钥在两个 RRAS 服务器之间配置 VPNS2S 隧道。The custom script extension run the following script and Add-Site2SiteIKE.ps1 configures the VPNS2S tunnel between the two RRAS servers with a shared key. 可以查看自定义脚本扩展的详细输出,以查看 VPN 隧道配置的结果You can view the detailed output from the custom script extension to see the results of the VPN tunnel configuration

该图(标题为 S2SVPNTunnel)显示了两个由站点到站点 VPN 隧道连接的 VNET。

后续步骤Next steps

Azure Stack Hub 网络的差异和注意事项Differences and considerations for Azure Stack Hub networking
如何设置多个站点到站点 VPN 隧道How to set up a multiple site-to-site VPN tunnel
如何使用 GRE 创建 VPN 隧道How to create a VPN Tunnel using GRE