Manage secure access to resources in spoke VNets for User VPN clients

This article shows you how to use Virtual WAN and Azure Firewall rules and filters to manage secure access for connections to your resources in Azure over point-to-site IKEv2 or OpenVPN connections. This configuration is helpful if you have remote users for whom you want to restrict access to Azure resources, or if you want to secure your resources in Azure.

The steps in this article help you create the architecture in the following diagram, which allows User VPN clients to access a specific resource (VM1) in a spoke VNet connected to the virtual hub, but not other resources (VM2). Use this architecture example as a basic guideline.

Diagram: secured virtual hub

Prerequisites

  • You have a virtual network that you want to connect to. Verify that none of the subnets of your on-premises networks overlap with the virtual networks that you want to connect to. To create a virtual network in the Azure portal, see the quickstart.

  • Your virtual network does not have any virtual network gateways. If your virtual network has a gateway (either VPN or ExpressRoute), you must remove all gateways. This configuration requires that virtual networks are connected to the Virtual WAN hub gateway instead.

  • Obtain an IP address range for your hub region. The hub is a virtual network that is created and used by Virtual WAN. The address range that you specify for the hub cannot overlap with any of the existing virtual networks that you connect to. It also cannot overlap with the on-premises address ranges that you connect to. If you are unfamiliar with the IP address ranges in your on-premises network configuration, coordinate with someone who can provide those details.

  • If you don't have an Azure subscription, create a trial subscription.

  • You have the values available for the authentication configuration that you want to use. For example, a RADIUS server, Azure Active Directory authentication, or Generate and export certificates.
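The two prerequisites about non-overlapping address ranges are easy to get wrong in a design with a hub, a client pool, several spokes and on-premises sites. The following check, added here as an example and not code from the article or from Azure, takes the prefixes of such a design and reports every pair that overlaps, partially or completely, before anything is deployed. The hub and client pool values are the example values this article uses later (10.0.0.0/24 and 10.5.0.0/16); the spoke prefix 10.18.0.0/16 is an assumption derived from the VM addresses 10.18.0.4 and 10.18.0.5, and the on-premises ranges are constructed sample values, one of which deliberately collides with the spoke.

```python
"""Check that the address ranges of a Virtual WAN design do not overlap.

Added example, not code from the article or from Azure. Hub and client pool
values are the article's example values; the spoke prefix is an assumption
derived from the article's VM addresses; on-premises ranges are constructed.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed sample design: label -> CIDR prefix
DESIGN = {
    "hub": "10.0.0.0/24",            # hub private address space (article value)
    "client_pool": "10.5.0.0/16",    # P2S client address pool (article value)
    "spoke": "10.18.0.0/16",         # assumed spoke VNet containing VM1 and VM2
    "onprem_a": "192.168.10.0/24",   # constructed on-premises site
    "onprem_b": "10.18.128.0/17",    # constructed, deliberately inside the spoke
}


def find_overlaps(ranges):
    """Return the sorted list of label pairs whose prefixes overlap.

    `ranges` maps a label to a CIDR string. A prefix that lies completely
    inside another is reported as well as a partial overlap, because the
    hub, client pool, spokes and on-premises ranges must all be disjoint.
    strict=True rejects prefixes with host bits set (e.g. 10.0.0.5/24), which
    usually indicates a typo in the design.
    """
    parsed = {label: ip_network(cidr, strict=True) for label, cidr in ranges.items()}
    return sorted(
        tuple(sorted((a, b)))
        for (a, net_a), (b, net_b) in combinations(parsed.items(), 2)
        if net_a.overlaps(net_b)
    )


def design_is_clean(ranges):
    """True when no two prefixes in the design overlap."""
    return not find_overlaps(ranges)


if __name__ == "__main__":
    for a, b in find_overlaps(DESIGN):
        print(f"OVERLAP: {a} ({DESIGN[a]}) <-> {b} ({DESIGN[b]})")
    print("clean" if design_is_clean(DESIGN) else "fix the design before creating the hub")
```

Run it against your own prefixes before creating the hub; Virtual WAN refuses overlapping ranges at deployment time, but catching the collision here avoids tearing down a half-built hub.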

Create a virtual WAN

From a browser, navigate to the Azure portal and sign in with your Azure account.

  1. In the portal, select + Create a resource. Type Virtual WAN into the search box and select Enter.

  2. Select Virtual WAN from the results. On the Virtual WAN page, select Create to open the Create WAN page.

  3. On the Create WAN page, on the Basics tab, fill in the following fields:

    Screenshot shows the Create WAN pane with the Basics tab selected.

    • Subscription - Select the subscription that you want to use.
    • Resource group - Create a new resource group or use an existing one.
    • Resource group location - Choose a resource location from the dropdown. A WAN is a global resource and does not live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.
    • Name - Type the name that you want to call your WAN.
    • Type - Basic or Standard. Select Standard. If you select Basic VWAN, understand that Basic VWANs can only contain Basic hubs, which limits your connection type to site-to-site.
  4. After you finish filling out the fields, select Review + Create.

  5. Once validation passes, select Create to create the virtual WAN.

Define P2S configuration parameters

The point-to-site (P2S) configuration defines the parameters for connecting remote clients. This section helps you define the P2S configuration parameters and then create the configuration that will be used for the VPN client profile. The instructions you follow depend on the authentication method you want to use.

Authentication methods

When selecting the authentication method, you have three choices. Each method has specific requirements. Select one of the following methods, and then complete the steps.

  • Azure Active Directory authentication: Obtain the following:

    • The Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
    • The Issuer. Example: https://sts.chinacloudapi.cn/your-Directory-ID.
    • The Azure AD tenant. Example: https://login.partner.microsoftonline.cn/your-Directory-ID.
  • RADIUS-based authentication: Obtain the RADIUS server IP, RADIUS server secret, and certificate information.

  • Azure certificates: For this configuration, certificates are required. You need to either generate or obtain certificates. A client certificate is required for each client. Additionally, the root certificate information (public key) needs to be uploaded. For more information about the required certificates, see Generate and export certificates.

The following example shows Azure certificate authentication.

Note

Some features and settings are in the process of rolling out to the Azure portal.

  1. Navigate to All resources, select the virtual WAN that you created, and then select User VPN configurations from the menu on the left.

  2. On the User VPN configurations page, select +Create user VPN config at the top of the page to open the Create new user VPN configuration page.

    Screenshot of the User VPN configurations page.

  3. On the Basics tab, under Instance details, enter the Name you want to assign to your VPN configuration.

  4. For Tunnel type, select the tunnel type that you want from the dropdown. The tunnel type options are: IKEv2 VPN, OpenVPN, and OpenVPN and IKEv2.

  5. Use the steps below that correspond to the tunnel type that you selected. After all the values are specified, select Review + create, then Create to create the configuration.

    IKEv2 VPN

    • Requirements: When you select the IKEv2 tunnel type, you see a message directing you to select an authentication method. For IKEv2, you may specify only one authentication method. You can choose Azure Certificate, Azure Active Directory, or RADIUS-based authentication.

    • IPsec custom parameters: To customize the parameters for IKE Phase 1 and IKE Phase 2, toggle the IPsec switch to Custom and select the parameter values.

      Screenshot of the IPsec switch toggled to Custom.

    • Authentication: Navigate to the authentication mechanism that you want to use, either by selecting Next at the bottom of the page to advance to the authentication method, or by selecting the appropriate tab at the top of the page. Toggle the switch to Yes to select the method.

      In this example, RADIUS authentication is selected. For RADIUS-based authentication, you can provide a secondary RADIUS server IP address and server secret.

      Screenshot of IKE.

    OpenVPN

    • Requirements: When you select the OpenVPN tunnel type, you see a message directing you to select an authentication mechanism. If OpenVPN is selected as the tunnel type, you may specify multiple authentication methods. You can choose any subset of Azure Certificate, Azure Active Directory, and RADIUS-based authentication. For RADIUS-based authentication, you can provide a secondary RADIUS server IP address and server secret.

    • Authentication: Navigate to the authentication method(s) that you want to use, either by selecting Next at the bottom of the page to advance to the authentication method, or by selecting the appropriate tab at the top of the page. For each method that you want to select, toggle the switch to Yes and enter the appropriate values.

      In this example, Azure Active Directory is selected.

      Screenshot of the OpenVPN page.

Create the hub and gateway

In this section, you create the virtual hub with a point-to-site gateway. When configuring, you can use the following example values:

  • Hub private IP address space: 10.0.0.0/24
  • Client address pool: 10.5.0.0/16
  • Custom DNS servers: You can list up to 5 DNS servers
  1. Under your virtual WAN, select Hubs and then select +New Hub.

    New hub

  2. On the Create virtual hub page, fill in the following fields.

    • Region - Select the region that you want to deploy the virtual hub in.
    • Name - Enter the name that you want to call your virtual hub.
    • Hub private address space - The hub's address range in CIDR notation.

    Create virtual hub

  3. On the Point-to-site tab, complete the following fields:

    • Gateway scale units - Represents the aggregate capacity of the User VPN gateway.
    • Point to site configuration - The configuration you created in the previous step.
    • Client address pool - The address pool for the remote users.
    • Custom DNS Server IP.

    Hub with point-to-site

  4. Select Review + create.

  5. On the Validation passed page, select Create.

Generate VPN client configuration files

In this section, you generate and download the configuration profile files. These files are used to configure the native VPN client on the client computer. For information about the contents of the client profile files, see Point-to-site configuration - certificates.

  1. On the page for your virtual WAN, select User VPN configurations.

  2. At the top of the page, select Download user VPN config. When you download the WAN-level configuration, you get a built-in Traffic Manager-based User VPN profile. For more information about global profiles or a hub-based profile, see Hub profiles. Failover scenarios are simplified with the global profile.

    If for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users. You can always download a hub-specific VPN configuration by navigating to the hub. Under User VPN (point to site), download the virtual hub User VPN profile.

  3. Once the file has finished creating, select the link to download it.

  4. Use the profile file to configure the VPN clients.

Configure VPN clients

Use the downloaded profile to configure the remote access clients. The procedure for each operating system is different; follow the instructions that apply to your system.

Microsoft Windows

OpenVPN
  1. Download and install the OpenVPN client from the official website.
  2. Download the VPN profile for the gateway. This can be done from the User VPN configurations tab in the Azure portal, or with New-AzureRmVpnClientConfiguration in PowerShell.
  3. Unzip the profile. Open the vpnconfig.ovpn configuration file from the OpenVPN folder in Notepad.
  4. Fill in the P2S client certificate section with the P2S client certificate public key in base64. In a PEM formatted certificate, you can open the .cer file and copy the base64 key between the certificate headers. For steps, see How to export a certificate to get the encoded public key.
  5. Fill in the private key section with the P2S client certificate private key in base64. For steps, see How to extract private key.
  6. Do not change any other fields. Use the filled-in configuration in the client input to connect to the VPN.
  7. Copy the vpnconfig.ovpn file to the C:\Program Files\OpenVPN\config folder.
  8. Right-click the OpenVPN icon in the system tray and select Connect.
IKEv2
  1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor architecture, choose the 'VpnClientSetupX86' installer package.
  2. Double-click the package to install it. If you see a SmartScreen popup, select More info, then Run anyway.
  3. On the client computer, navigate to Network Settings and select VPN. The VPN connection shows the name of the virtual network that it connects to.
  4. Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client certificate is required for authentication when using the native Azure certificate authentication type. For more information about generating certificates, see Generate Certificates. For information about how to install a client certificate, see Install a client certificate.

Connect the spoke VNet

In this section, you attach the spoke virtual network to the virtual WAN hub.

In this step, you create the connection between your hub and a VNet. Repeat these steps for each VNet that you want to connect.

  1. On the page for your virtual WAN, select Virtual network connections.

  2. On the Virtual network connections page, select +Add connection.

  3. On the Add connection page, fill in the following fields:

    • Connection name - Name your connection.
    • Hubs - Select the hub you want to associate with this connection.
    • Subscription - Verify the subscription.
    • Virtual network - Select the virtual network you want to connect to this hub. The virtual network cannot have an already existing virtual network gateway.
  4. Select OK to create the connection.

Create virtual machines

In this section, you create two VMs in your VNet, VM1 and VM2. In the network diagram, we use 10.18.0.4 and 10.18.0.5. When configuring your VMs, make sure to select the virtual network that you created (found on the Networking tab). For steps to create a VM, see Quickstart: Create a VM.

Secure the virtual hub

A standard virtual hub has no built-in security policies to protect the resources in spoke virtual networks. A secured virtual hub uses Azure Firewall or a third-party provider to manage incoming and outgoing traffic to protect your resources in Azure.

Convert the hub to a secured hub using the following article: Configure Azure Firewall in a Virtual WAN hub.

Create rules to manage and filter traffic

Create rules that dictate the behavior of Azure Firewall. By securing the hub, we ensure that all packets that enter the virtual hub are subject to firewall processing before they reach your Azure resources.

Once you complete these steps, you will have created an architecture that allows VPN users to access the VM with private IP address 10.18.0.4, but NOT the VM with private IP address 10.18.0.5.

  1. In the Azure portal, navigate to Firewall Manager.

  2. Under Security, select Azure Firewall policies.

  3. Select Create Azure Firewall Policy.

  4. Under Policy details, type in a name and select the region your virtual hub is deployed in.

  5. Select Next: DNS Settings (preview).

  6. Select Next: Rules.

  7. On the Rules tab, select Add a rule collection.

  8. Provide a name for the collection. Set the type as Network. Add a priority value of 100.

  9. Fill in the name of the rule, source type, source, protocol, destination ports, and destination type, as shown in the example below. Then select Add. This rule allows any IP address from the VPN client pool to access the VM with private IP address 10.18.0.4, but not any other resource connected to the virtual hub. Create any further rules that fit your desired architecture and permission requirements.

    Firewall rules

  10. Select Next: Threat intelligence.

  11. Select Next: Hubs.

  12. On the Hubs tab, select Associate virtual hubs.

  13. Select the virtual hub you created earlier, and then select Add.

  14. Select Review + create.

  15. Select Create.

It can take 5 minutes or more for this process to complete.
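To make the effect of the rule collection above concrete, the following added example (not Azure Firewall's code, and not part of the original article) models the decision order this section relies on in a simplified form: rule collections are walked in ascending priority value, the first matching network rule decides with its collection's action, and a flow that no rule matches is denied. The rule values are the article's own: source 10.5.0.0/16 (the client address pool), destination 10.18.0.4 (VM1), collection priority 100, action Allow. The protocol (Any) and port (*) are assumptions, since the article's screenshot of those fields is not reproduced here, and the client address 10.5.0.10 is a constructed value from the pool.

```python
"""Simplified evaluator for the Azure Firewall network rule in this section.

Added example, not Azure's code. Models: collections ordered by priority
(lower value first), first matching rule wins with its collection's action,
implicit deny otherwise. Rule values are the article's; protocol/port and the
client address are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkRule:
    name: str
    sources: list        # CIDR strings or single addresses
    destinations: list   # CIDR strings or single addresses
    protocols: list      # subset of ["TCP", "UDP", "ICMP", "Any"]
    ports: list          # port strings; "*" means any port

    def matches(self, src, dst, proto, port):
        src_ok = any(ip_address(src) in ip_network(s) for s in self.sources)
        dst_ok = any(ip_address(dst) in ip_network(d) for d in self.destinations)
        proto_ok = "Any" in self.protocols or proto in self.protocols
        port_ok = "*" in self.ports or str(port) in self.ports
        return src_ok and dst_ok and proto_ok and port_ok


@dataclass
class RuleCollection:
    name: str
    priority: int        # lower number is evaluated first
    action: str          # "Allow" or "Deny"
    rules: list = field(default_factory=list)


def evaluate(collections, src, dst, proto, port):
    """Return "Allow" or "Deny" for a single flow.

    Anything no rule matches is denied; that implicit deny is what keeps
    VM2 (10.18.0.5) unreachable even though VPN clients can reach VM1.
    """
    for coll in sorted(collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if rule.matches(src, dst, proto, port):
                return coll.action
    return "Deny"


# The article's policy: one Network rule collection, priority 100, Allow.
POLICY = [
    RuleCollection(
        name="allow-vpn-to-vm1",
        priority=100,
        action="Allow",
        rules=[
            NetworkRule(
                name="vpn-clients-to-vm1",
                sources=["10.5.0.0/16"],     # client address pool (article value)
                destinations=["10.18.0.4"],  # VM1 only (article value)
                protocols=["Any"],           # assumed
                ports=["*"],                 # assumed
            )
        ],
    )
]


def validate_article_scenario(policy=POLICY, client="10.5.0.10"):
    """Reproduce the Validate section: ping to VM1 allowed, ping to VM2 denied."""
    return {
        "vm1": evaluate(policy, client, "10.18.0.4", "ICMP", "*"),
        "vm2": evaluate(policy, client, "10.18.0.5", "ICMP", "*"),
    }


if __name__ == "__main__":
    for target, verdict in validate_article_scenario().items():
        print(f"{target}: {verdict}")
```

Because a collection with a lower priority value is consulted first, a Deny collection at priority 50 that names VM1 would override the Allow at priority 100; keep that ordering in mind when you add further collections, and re-run the Validate steps after each change.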

Route traffic through Azure Firewall

In this section, you ensure that the traffic is routed through Azure Firewall.

  1. In the portal, from Firewall Manager, select Secured virtual hubs.
  2. Select the virtual hub you created.
  3. Under Settings, select Security configuration.
  4. Under Private traffic, select Send via Azure Firewall.
  5. Verify that the VNet connection and the Branch connection private traffic are secured by Azure Firewall.
  6. Select Save.

Validate

Verify the setup of your secured hub.

  1. Connect to the secured virtual hub via VPN from your client device.
  2. Ping the IP address 10.18.0.4 from your client. You should see a response.
  3. Ping the IP address 10.18.0.5 from your client. You should not see a response.

Considerations

  • Make sure that the Effective Routes table on the secured virtual hub has the firewall as the next hop for private traffic. To access the Effective Routes table, navigate to your Virtual Hub resource. Under Connectivity, select Routing, and then select Effective Routes. From there, select the Default route table.
  • Verify that you created rules in the Create rules section. If these steps are missed, the rules you created will not actually be associated with the hub, and the route table and packet flow will not use Azure Firewall.

Next steps