ExpressRoute encryption: IPsec over ExpressRoute for Virtual WAN

This article shows you how to use Azure Virtual WAN to establish an IPsec/IKE VPN connection from your on-premises network to Azure over the private peering of an Azure ExpressRoute circuit. This technique provides an encrypted transit between the on-premises networks and Azure virtual networks over ExpressRoute, without traversing the public internet or using public IP addresses.

Topology and routing

The following diagram shows an example of VPN connectivity over ExpressRoute private peering:

[Diagram: VPN connectivity over ExpressRoute]

The diagram shows a network within the on-premises network connected to the Azure hub VPN gateway over ExpressRoute private peering. Establishing the connectivity is straightforward:

  1. Establish ExpressRoute connectivity with an ExpressRoute circuit and private peering.
  2. Establish the VPN connectivity as described in this article.

An important aspect of this configuration is routing between the on-premises networks and Azure over both the ExpressRoute and VPN paths.

Traffic from on-premises networks to Azure

For traffic from on-premises networks to Azure, the Azure prefixes (including the virtual hub and all the spoke virtual networks connected to the hub) are advertised via both the ExpressRoute private peering BGP session and the VPN BGP session. This results in two network routes (paths) toward Azure from the on-premises networks:

  • One over the IPsec-protected path
  • One directly over ExpressRoute without IPsec protection

To apply encryption to the communication, you must make sure that, for the VPN-connected network in the diagram, the Azure routes learned via the on-premises VPN gateway are preferred over the direct ExpressRoute path.

Traffic from Azure to on-premises networks

The same requirement applies to the traffic from Azure to on-premises networks. To ensure that the IPsec path is preferred over the direct ExpressRoute path (which has no IPsec protection), you have two options:

  • Advertise more specific prefixes on the VPN BGP session for the VPN-connected network. You can advertise a larger range that encompasses the VPN-connected network over ExpressRoute private peering, then more specific ranges in the VPN BGP session. For example, advertise 10.0.0.0/16 over ExpressRoute, and 10.0.1.0/24 over VPN.

  • Advertise disjoint prefixes for VPN and ExpressRoute. If the VPN-connected network ranges are disjoint from the other ExpressRoute-connected networks, you can advertise the prefixes in the VPN and ExpressRoute BGP sessions respectively. For example, advertise 10.0.0.0/24 over ExpressRoute, and 10.0.1.0/24 over VPN.

In both of these examples, Azure sends traffic to 10.0.1.0/24 over the VPN connection rather than directly over ExpressRoute without VPN protection.

Warning

If you advertise the same prefixes over both the ExpressRoute and VPN connections, Azure uses the ExpressRoute path directly, without VPN protection.
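The two layouts and the warning above can be checked before any prefix is advertised. The following Python is an added example, not code from this page or from Azure: it models only the selection rule the page states (the longest matching prefix wins, and an identical prefix on both paths falls back to ExpressRoute without IPsec), runs the two recommended layouts and the same-prefix case, and lists any ExpressRoute prefix that would pull a VPN-connected network's traffic off the encrypted path. The scenario names and the host address 10.0.1.25 are constructed.

```python
import ipaddress

# Constructed model of the route-selection rule stated on this page, not Azure's
# own implementation: the most specific (longest) matching prefix wins, and when
# ExpressRoute and VPN advertise an identical prefix the ExpressRoute path is
# used directly, without IPsec protection.


def select_path(destination, er_prefixes, vpn_prefixes):
    """Return "VPN", "ExpressRoute", or None for one destination address."""
    dst = ipaddress.ip_address(destination)
    matches = []
    for path, prefixes in (("VPN", vpn_prefixes), ("ExpressRoute", er_prefixes)):
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if dst in net:
                # sort key: longer prefix first, then ExpressRoute on a tie
                matches.append((net.prefixlen, path == "ExpressRoute", path))
    if not matches:
        return None
    return max(matches)[2]


def unencrypted_overlaps(vpn_network, er_prefixes):
    """ExpressRoute prefixes that would pull some or all of vpn_network's
    traffic off the IPsec path: same length as, or more specific than, the
    prefix advertised over VPN."""
    vpn = ipaddress.ip_network(vpn_network, strict=False)
    leaks = []
    for prefix in er_prefixes:
        er = ipaddress.ip_network(prefix, strict=False)
        if er.overlaps(vpn) and er.prefixlen >= vpn.prefixlen:
            leaks.append(str(er))
    return leaks


# The page's three scenarios as constructed (ExpressRoute, VPN) prefix lists.
SCENARIOS = {
    "more-specific over VPN": (["10.0.0.0/16"], ["10.0.1.0/24"]),
    "disjoint prefixes": (["10.0.0.0/24"], ["10.0.1.0/24"]),
    "same prefix on both": (["10.0.1.0/24"], ["10.0.1.0/24"]),
}


def audit_scenario(name):
    """Path chosen for a host in 10.0.1.0/24, plus any ExpressRoute prefixes
    that bypass encryption for that network."""
    er, vpn = SCENARIOS[name]
    return {
        "path_for_10.0.1.25": select_path("10.0.1.25", er, vpn),
        "unencrypted_overlaps": unencrypted_overlaps("10.0.1.0/24", er),
    }


if __name__ == "__main__":
    for scenario in SCENARIOS:
        print(f"{scenario}: {audit_scenario(scenario)}")
```

Run it as-is to see the three outcomes; to check your own plan, replace the prefix lists in SCENARIOS with what you intend to advertise on each session and confirm that unencrypted_overlaps is empty for every network that must stay on the IPsec path.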

Before you begin

Before you start your configuration, verify that you meet the following criteria:

  • If you already have a virtual network that you want to connect to, verify that none of the subnets of your on-premises network overlap with it. Your virtual network doesn't require a gateway subnet and can't have any virtual network gateways. If you don't have a virtual network, you can create one by using the steps in this article.
  • Obtain an IP address range for your hub region. The hub is a virtual network, and the address range that you specify for the hub region can't overlap with an existing virtual network that you connect to. It also can't overlap with the address ranges that you connect to on-premises. If you're unfamiliar with the IP address ranges in your on-premises network configuration, coordinate with someone who can provide those details for you.
  • If you don't have an Azure subscription, create a trial account before you begin.

1. Create a virtual WAN and hub with gateways

The following Azure resources and the corresponding on-premises configurations must be in place before you proceed:

For the steps to create an Azure virtual WAN and a hub with an ExpressRoute association, see Create an ExpressRoute association using Azure Virtual WAN. For the steps to create a VPN gateway in the virtual WAN, see Create a site-to-site connection using Azure Virtual WAN.

2. Create a site for the on-premises network

The site resource is the same as the non-ExpressRoute VPN sites for a virtual WAN. The IP address of the on-premises VPN device can now be either a private IP address, or a public IP address in the on-premises network that is reachable via the ExpressRoute private peering created in step 1.

Note

The IP address of the on-premises VPN device must be part of the address prefixes advertised to the virtual WAN hub via Azure ExpressRoute private peering.

  1. Go to the Azure portal in your browser.

  2. Select the WAN that you created. On the WAN page, under Connectivity, select VPN sites.

  3. On the VPN sites page, select +Create site.

  4. On the Create site page, fill in the following fields:

    • Subscription: Verify the subscription.
    • Resource Group: Select or create the resource group that you want to use.
    • Region: Enter the Azure region for the VPN site resource.
    • Name: Enter the name by which you want to refer to your on-premises site.
    • Device vendor: Enter the vendor of the on-premises VPN device.
    • Border Gateway Protocol: Select "Enable" if your on-premises network uses BGP.
    • Private address space: Enter the IP address space that's located on your on-premises site. Traffic destined for this address space is routed to the on-premises network via the VPN gateway.
    • Hubs: Select one or more hubs to connect this VPN site to. The selected hubs must already have VPN gateways created.
  5. Select Next: Links > for the VPN link settings:

    • Link Name: The name by which you want to refer to this connection.
    • Provider Name: The name of the internet service provider for this site. For an ExpressRoute on-premises network, it's the name of the ExpressRoute service provider.
    • Speed: The speed of the internet service link or ExpressRoute circuit.
    • IP address: The public IP address of the VPN device that resides on your on-premises site. Or, for ExpressRoute on-premises, it's the private IP address of the VPN device reached via ExpressRoute.

    If BGP is enabled, it applies to all connections created for this site in Azure. Configuring BGP on a virtual WAN is equivalent to configuring BGP on an Azure VPN gateway.

    Your on-premises BGP peer address must not be the same as the IP address of your VPN device, and it must not fall within the virtual network address space of the VPN site. Use a different IP address on the VPN device for your BGP peer IP. It can be an address assigned to the loopback interface on the device. However, it can't be an APIPA (169.254.x.x) address. Specify this address in the corresponding local network gateway that represents the location. For BGP prerequisites, see About BGP with Azure VPN Gateway.

  6. Select Next: Review + create > to check the setting values and create the VPN site. If you selected hubs to connect to, the connection is established between the on-premises network and the hub VPN gateway.

3. Update the VPN connection setting to use ExpressRoute

After you create the VPN site and connect it to the hub, use the following steps to configure the connection to use ExpressRoute private peering:

  1. Go back to the virtual WAN resource page, and select the hub resource. Or navigate from the VPN site to the connected hub.

  2. Under Connectivity, select VPN (Site-to-Site).

  3. Select the ellipsis (...) on the VPN site over ExpressRoute, and select Edit VPN connection to this hub.

  4. For Use Azure Private IP Address, select Yes. This setting configures the hub VPN gateway to use private IP addresses from the hub address range for this connection, instead of its public IP addresses. It ensures that traffic from the on-premises network traverses the ExpressRoute private peering path rather than the public internet for this VPN connection. The following screenshot shows the setting.

    [Screenshot: setting to use private IP addresses for the VPN connection]

  5. Select Save.

After you save your changes, the hub VPN gateway uses the private IP addresses on the VPN gateway to establish the IPsec/IKE connections with the on-premises VPN device over ExpressRoute.

4. Get the private IP addresses for the hub VPN gateway

Download the VPN device configuration to get the private IP addresses of the hub VPN gateway. You need these addresses to configure the on-premises VPN device.

  1. On the page for your hub, select VPN (Site-to-Site) under Connectivity.

  2. At the top of the Overview page, select Download VPN Config.

    Azure creates a storage account in the resource group "microsoft-network-[location]", where location is the location of the WAN. After you apply the configuration to your VPN devices, you can delete this storage account.

  3. After the file is created, select the link to download it.

  4. Apply the configuration to your VPN device.

VPN device configuration file

The device configuration file contains the settings to use when you're configuring your on-premises VPN device. When you view this file, notice the following information:

  • vpnSiteConfiguration: This section describes the device that is set up as a site connecting to the virtual WAN. It includes the name and public IP address of the branch device.

  • vpnSiteConnections: This section provides information about the following settings:

    • Address space of the virtual hub's virtual network.
      Example:
      "AddressSpace":"10.51.230.0/24"
      
    • Address space of the virtual networks that are connected to the hub.
      Example:
      "ConnectedSubnets":["10.51.231.0/24"]
      
    • IP addresses of the virtual hub's VPN gateway. Because each connection of the VPN gateway is composed of two tunnels in active-active configuration, both IP addresses are listed in this file. In this example, you see Instance0 and Instance1 for each site, and they're private IP addresses instead of public IP addresses.
      Example:
      "Instance0":"10.51.230.4"
      "Instance1":"10.51.230.5"
      
    • Configuration details for the VPN gateway connection, such as BGP and the pre-shared key. The pre-shared key is automatically generated for you. You can always edit the connection on the Overview page to set a custom pre-shared key.

Example device configuration file

[
  {
    "configurationVersion": {
      "LastUpdatedTime": "2019-10-11T05:57:35.1803187Z",
      "Version": "5b096293-edc3-42f1-8f73-68c14a7c4db3"
    },
    "vpnSiteConfiguration": {
      "Name": "VPN-over-ER-site",
      "IPAddress": "172.24.127.211",
      "LinkName": "VPN-over-ER"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.51.230.0/24",
          "Region": "China North 2",
          "ConnectedSubnets": ["10.51.231.0/24"]
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "10.51.230.4",
            "Instance1": "10.51.230.5"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "abc123",
          "IPsecParameters": { "SADataSizeInKilobytes": 102400000, "SALifeTimeInSeconds": 3600 }
        }
      }
    ]
  },
  {
    "configurationVersion": {
      "LastUpdatedTime": "2019-10-11T05:57:35.1803187Z",
      "Version": "fbdb34ea-45f8-425b-9bc2-4751c2c4fee0"
    },
    "vpnSiteConfiguration": {
      "Name": "VPN-over-INet-site",
      "IPAddress": "13.75.195.234",
      "LinkName": "VPN-over-INet"
    },
    "vpnSiteConnections": [
      {
        "hubConfiguration": {
          "AddressSpace": "10.51.230.0/24",
          "Region": "China North 2",
          "ConnectedSubnets": ["10.51.231.0/24"]
        },
        "gatewayConfiguration": {
          "IpAddresses": {
            "Instance0": "51.143.63.104",
            "Instance1": "52.137.90.89"
          }
        },
        "connectionConfiguration": {
          "IsBgpEnabled": false,
          "PSK": "abc123",
          "IPsecParameters": { "SADataSizeInKilobytes": 102400000, "SALifeTimeInSeconds": 3600 }
        }
      }
    ]
  }
]
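Before applying a downloaded file to a device, it is worth confirming that each site really ends up on the path you intended. The following Python is an added check, not part of this page or of Azure's tooling: it reads an abbreviated copy of the example file above, classifies each site by whether the gateway Instance0/Instance1 addresses sit inside the hub address space (the effect of the Use Azure Private IP Address setting from step 3) or are public, and, for the ExpressRoute path, confirms that the on-premises device IP lies inside a prefix advertised over ExpressRoute private peering, as the note in step 2 requires. ER_ADVERTISED_PREFIXES (172.24.0.0/16) is a constructed value, and the "mixed" category and the finding texts are this example's own.

```python
import ipaddress
import json

# Abbreviated copy of the page's example device configuration file: only the
# fields this check reads are kept (configurationVersion, Region and
# IPsecParameters are omitted).
SAMPLE_CONFIG = """
[{"vpnSiteConfiguration":{"Name":"VPN-over-ER-site","IPAddress":"172.24.127.211","LinkName":"VPN-over-ER"},
  "vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.51.230.0/24","ConnectedSubnets":["10.51.231.0/24"]},
    "gatewayConfiguration":{"IpAddresses":{"Instance0":"10.51.230.4","Instance1":"10.51.230.5"}},
    "connectionConfiguration":{"IsBgpEnabled":false,"PSK":"abc123"}}]},
 {"vpnSiteConfiguration":{"Name":"VPN-over-INet-site","IPAddress":"13.75.195.234","LinkName":"VPN-over-INet"},
  "vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.51.230.0/24","ConnectedSubnets":["10.51.231.0/24"]},
    "gatewayConfiguration":{"IpAddresses":{"Instance0":"51.143.63.104","Instance1":"52.137.90.89"}},
    "connectionConfiguration":{"IsBgpEnabled":false,"PSK":"abc123"}}]}]
"""

# Constructed assumption: the on-premises prefixes this tenant advertises to the
# hub over ExpressRoute private peering. Per the page's note, a VPN device that
# is reached over ExpressRoute must have its IP inside one of them.
ER_ADVERTISED_PREFIXES = ["172.24.0.0/16"]


def classify_connection(conn):
    """"ExpressRoute" when both gateway instance IPs lie in the hub address
    space (the result of Use Azure Private IP Address = Yes), "Internet" when
    both are public, otherwise "mixed" (a category this example defines)."""
    hub_space = ipaddress.ip_network(conn["hubConfiguration"]["AddressSpace"])
    ips = [ipaddress.ip_address(v)
           for v in conn["gatewayConfiguration"]["IpAddresses"].values()]
    if all(ip in hub_space for ip in ips):
        return "ExpressRoute"
    if all(ip.is_global for ip in ips):
        return "Internet"
    return "mixed"


def check_site(site, er_prefixes):
    """Classify every connection of one site and collect consistency findings."""
    name = site["vpnSiteConfiguration"]["Name"]
    device_ip = ipaddress.ip_address(site["vpnSiteConfiguration"]["IPAddress"])
    advertised = [ipaddress.ip_network(p) for p in er_prefixes]
    paths, findings = [], []
    for conn in site["vpnSiteConnections"]:
        path = classify_connection(conn)
        paths.append(path)
        if path == "ExpressRoute" and not any(device_ip in p for p in advertised):
            findings.append(f"device IP {device_ip} is not inside a prefix "
                            "advertised over ExpressRoute private peering")
        elif path == "Internet" and not device_ip.is_global:
            findings.append(f"device IP {device_ip} is not publicly routable "
                            "but the tunnel uses the gateway's public IPs")
        elif path == "mixed":
            findings.append("gateway instances mix private and public IPs; "
                            "re-check the connection setting")
    return {"name": name, "paths": paths, "findings": findings}


def audit_config(config_text, er_prefixes):
    """Run check_site over every site in a downloaded configuration file."""
    return [check_site(site, er_prefixes) for site in json.loads(config_text)]


if __name__ == "__main__":
    for result in audit_config(SAMPLE_CONFIG, ER_ADVERTISED_PREFIXES):
        print(result)
```

To use it on a real download, pass the file's contents to audit_config together with the prefixes you actually advertise over private peering; a site that is meant to run over ExpressRoute but comes back classified as "Internet" means the Use Azure Private IP Address setting was not applied to that connection.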

Configuring your VPN device

If you need instructions to configure your device, you can use the instructions on the VPN device configuration scripts page, with the following caveats:

  • The instructions on the VPN device page are not written for a virtual WAN. But you can use the virtual WAN values from the configuration file to manually configure your VPN device.
  • The downloadable device configuration scripts that are for the VPN gateway don't work for the virtual WAN, because the configuration is different.
  • A new virtual WAN can support both IKEv1 and IKEv2.
  • A virtual WAN can use only route-based VPN devices and device instructions.

5. View your virtual WAN

  1. Go to the virtual WAN.
  2. On the Overview page, each point on the map represents a hub.
  3. In the Hubs and connections section, you can view hub, site, region, and VPN connection status. You can also view bytes in and out.

7. Monitor a connection

Create a connection to monitor communication between an Azure virtual machine (VM) and a remote site. For information about how to set up a connection monitor, see Monitor network communication. The source field is the VM IP in Azure, and the destination IP is the site IP.

8. Clean up resources

When you no longer need these resources, you can use Remove-AzResourceGroup to remove the resource group and all of the resources that it contains. Run the following PowerShell command, replacing myResourceGroup with the name of your resource group:

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps

This article helps you create a VPN connection over ExpressRoute private peering by using Virtual WAN. To learn more about Virtual WAN and related features, see the Virtual WAN overview.