Configure forced tunneling using the classic deployment model

Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location through a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always leaves the Azure network infrastructure directly for the Internet, with no option for you to inspect or audit it. Unauthorized Internet access can lead to information disclosure or other types of security breaches.

Azure currently works with two deployment models: Resource Manager and classic. The two models are not completely compatible with each other. Before you begin, you need to know which model you want to work in. For information about the deployment models, see Understanding deployment models. If you are new to Azure, we recommend that you use the Resource Manager deployment model.

This article walks you through configuring forced tunneling for virtual networks created using the classic deployment model. Forced tunneling is configured by using PowerShell, not through the portal. If you want to configure forced tunneling for the Resource Manager deployment model, see the Resource Manager version of this article instead.

Requirements and considerations

Forced tunneling in Azure is configured through virtual network user-defined routes (UDR). Redirecting traffic to an on-premises site is expressed as a default route whose next hop is the Azure VPN gateway. The following list describes the current limitations of routing tables and routes for an Azure virtual network:

  • Each virtual network subnet has a built-in system routing table. The system routing table has the following three groups of routes:

    • Local VNet routes: directly to the destination VMs in the same virtual network.
    • On-premises routes: to the Azure VPN gateway.
    • Default route: directly to the Internet. Packets destined for private IP addresses not covered by the previous two routes are dropped.
  • With the release of user-defined routes, you can create a routing table that adds a default route, and then associate the routing table with your VNet subnet(s) to enable forced tunneling on those subnets.

  • You need to set a "default site" among the cross-premises local sites connected to the virtual network.

  • Forced tunneling must be associated with a VNet that has a dynamic routing VPN gateway (not a static gateway).

  • ExpressRoute forced tunneling is not configured through this mechanism; instead, it is enabled by advertising a default route over the ExpressRoute BGP peering sessions. See the ExpressRoute documentation for more information.

Configuration overview

In the following example, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets are forced tunneled. Any outbound connection from these two subnets to the Internet is forced, or redirected, back to an on-premises site through one of the S2S VPN tunnels.

This lets you restrict and inspect Internet access from your virtual machines or cloud services in Azure while continuing to support the multi-tier service architecture you require. You can also apply forced tunneling to an entire virtual network if it has no Internet-facing workloads.

[Figure: Forced tunneling]

Before you begin

Verify that you have the following items before beginning configuration:

  • An Azure subscription. If you don't already have an Azure subscription, you can sign up for a trial account.
  • A configured virtual network.
  • When working with the classic deployment model, you must install the latest version of the Azure Service Management (SM) PowerShell cmdlets locally on your computer. These cmdlets are different from the AzureRM or Az cmdlets. To install the SM cmdlets, see Install Service Management cmdlets. For more information about Azure PowerShell in general, see the Azure PowerShell documentation.

To sign in

  1. Open your PowerShell console with elevated rights. To switch to service management, use this command:

    azure config mode asm
    
  2. Connect to your account. Use the following example to help you connect:

    Add-AzureAccount -Environment AzureChinaCloud
    

Configure forced tunneling

The following procedure helps you specify forced tunneling for a virtual network. The configuration steps correspond to the VNet network configuration file shown here.

    <VirtualNetworkSite name="MultiTier-VNet" Location="China North">
      <AddressSpace>
        <AddressPrefix>10.1.0.0/16</AddressPrefix>
      </AddressSpace>
      <Subnets>
        <Subnet name="Frontend">
          <AddressPrefix>10.1.0.0/24</AddressPrefix>
        </Subnet>
        <Subnet name="Midtier">
          <AddressPrefix>10.1.1.0/24</AddressPrefix>
        </Subnet>
        <Subnet name="Backend">
          <AddressPrefix>10.1.2.0/23</AddressPrefix>
        </Subnet>
        <Subnet name="GatewaySubnet">
          <AddressPrefix>10.1.200.0/28</AddressPrefix>
        </Subnet>
      </Subnets>
      <Gateway>
        <ConnectionsToLocalNetwork>
          <LocalNetworkSiteRef name="DefaultSiteHQ">
            <Connection type="IPsec" />
          </LocalNetworkSiteRef>
          <LocalNetworkSiteRef name="Branch1">
            <Connection type="IPsec" />
          </LocalNetworkSiteRef>
          <LocalNetworkSiteRef name="Branch2">
            <Connection type="IPsec" />
          </LocalNetworkSiteRef>
          <LocalNetworkSiteRef name="Branch3">
            <Connection type="IPsec" />
          </LocalNetworkSiteRef>
        </ConnectionsToLocalNetwork>
      </Gateway>
    </VirtualNetworkSite>

In this example, the virtual network 'MultiTier-VNet' has three subnets, 'Frontend', 'Midtier', and 'Backend', and four cross-premises connections: 'DefaultSiteHQ' and three branches.

The following steps set 'DefaultSiteHQ' as the default site connection for forced tunneling and configure the Midtier and Backend subnets to use forced tunneling.

  1. Create a routing table. Use the following cmdlet to create your route table.

    New-AzureRouteTable -Name "MyRouteTable" -Label "Routing Table for Forced Tunneling" -Location "China North"
    
  2. Add a default route to the routing table.

    The following example adds a default route to the routing table created in step 1. Note that the only route supported is the destination prefix "0.0.0.0/0" with the "VPNGateway" next hop.

    Get-AzureRouteTable -Name "MyRouteTable" | Set-AzureRoute -RouteTable "MyRouteTable" -RouteName "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VPNGateway
    
  3. Associate the routing table with the subnets.

    After the routing table is created and the route added, use the following example to associate the route table with a VNet subnet. The example associates the route table "MyRouteTable" with the Midtier and Backend subnets of VNet MultiTier-VNet.

    Set-AzureSubnetRouteTable -VirtualNetworkName "MultiTier-VNet" -SubnetName "Midtier" -RouteTableName "MyRouteTable"
    Set-AzureSubnetRouteTable -VirtualNetworkName "MultiTier-VNet" -SubnetName "Backend" -RouteTableName "MyRouteTable"
    
  4. Assign a default site for forced tunneling.

    In the preceding steps, the sample cmdlets created the routing table and associated it with two of the VNet subnets. The remaining step is to select one local site among the virtual network's multi-site connections as the default site, that is, the tunnel that receives the redirected traffic.

    # Name of the local site that will receive all forced-tunneled traffic
    $DefaultSite = "DefaultSiteHQ"
    Set-AzureVNetGatewayDefaultSite -VNetName "MultiTier-VNet" -DefaultSite $DefaultSite
    
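The four steps above as one script, added here as an example and not taken from the original article. It assumes the SM cmdlets are installed, Add-AzureAccount has already succeeded, and the VNet has a dynamic routing gateway with a connection to the local site named in $DefaultSite. The script goes slightly beyond the steps: it is safe to re-run (it does not recreate an existing route table), it stops at the first failing cmdlet instead of leaving the VNet half-configured, and it reads the result back at the end. Get-AzureVNetGatewayDefaultSite is assumed to be the read counterpart of the Set/Remove cmdlets used in this article, and the output is matched as text because its property names are not documented here.

```powershell
# Added example (not from the original article): configure forced tunneling end to end.
# Assumes: Azure Service Management cmdlets loaded, Add-AzureAccount already run,
# a dynamic routing VPN gateway on the VNet, and an existing connection to $DefaultSite.
$VNetName    = "MultiTier-VNet"
$Location    = "China North"
$TableName   = "MyRouteTable"
$DefaultSite = "DefaultSiteHQ"
$Subnets     = @("Midtier", "Backend")   # Frontend is deliberately left direct-to-Internet

# Abort on the first failing cmdlet rather than continue with a partially applied configuration.
$ErrorActionPreference = "Stop"

# Step 1: create the route table only if it does not already exist, so the script can be re-run.
$rt = Get-AzureRouteTable -Name $TableName -ErrorAction SilentlyContinue
if (-not $rt) {
    New-AzureRouteTable -Name $TableName -Label "Routing Table for Forced Tunneling" -Location $Location | Out-Null
}

# Step 2: the only route forced tunneling supports: 0.0.0.0/0 with next hop VPNGateway.
Get-AzureRouteTable -Name $TableName |
    Set-AzureRoute -RouteTable $TableName -RouteName "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VPNGateway

# Step 3: associate the table with every subnet that must not reach the Internet directly.
foreach ($s in $Subnets) {
    Set-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $s -RouteTableName $TableName
}

# Step 4: pick the tunnel that receives the redirected traffic (required for multi-site VNets).
Set-AzureVNetGatewayDefaultSite -VNetName $VNetName -DefaultSite $DefaultSite

# Read the configuration back and fail loudly if anything did not take effect.
foreach ($s in $Subnets) {
    $assigned = Get-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $s
    if ($assigned.Name -ne $TableName) {
        throw "Subnet '$s' is not associated with route table '$TableName'"
    }
}
# Get-AzureVNetGatewayDefaultSite is assumed to return the default site; the object is
# compared as text so the check does not depend on an undocumented property name.
$siteText = Get-AzureVNetGatewayDefaultSite -VNetName $VNetName | Out-String
if ($siteText -notmatch [regex]::Escape($DefaultSite)) {
    throw "Default site for '$VNetName' is not '$DefaultSite'"
}
Write-Output "Forced tunneling configured on $($Subnets -join ', ') via $DefaultSite"
```

Run it from the same elevated, signed-in session used in "To sign in". Setting $ErrorActionPreference to Stop matters here: with the default Continue, a failed step 3 would still be followed by step 4, and a subnet you believe is forced tunneled would quietly keep its system default route to the Internet.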

Additional PowerShell cmdlets

To delete a route table

Remove-AzureRouteTable -Name <routeTableName>

To list a route table

Get-AzureRouteTable [-Name <routeTableName> [-DetailLevel <detailLevel>]]

To delete a route from a route table

Get-AzureRouteTable -Name <routeTableName> | Remove-AzureRoute -RouteName <routeName>

To remove a route table from a subnet

Remove-AzureSubnetRouteTable -VirtualNetworkName <virtualNetworkName> -SubnetName <subnetName>

To list the route table associated with a subnet

Get-AzureSubnetRouteTable -VirtualNetworkName <virtualNetworkName> -SubnetName <subnetName>

To remove a default site from a VNet VPN gateway

Remove-AzureVnetGatewayDefaultSite -VNetName <virtualNetworkName>
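The list cmdlets above can be combined into an audit that reports, per subnet, whether a 0.0.0.0/0 route to the VPN gateway is actually in place, which is the check to run after a change and periodically afterwards, since a subnet whose route table was removed silently falls back to the system default route straight to the Internet. The script below is an added example, not part of the original article. It assumes Get-AzureVNetSite returns the subnets in a Subnets collection with Name and AddressPrefix, that Get-AzureRouteTable with -DetailLevel Full exposes the routes as Routes with AddressPrefix and NextHop.Type, and that Get-AzureVNetGatewayDefaultSite exists as the read counterpart of the Set/Remove cmdlets; these property names are assumptions about the SM module's output.

```powershell
# Added example (not from the original article): audit which subnets of a classic VNet
# are forced tunneled. Assumes the SM cmdlets are loaded and Add-AzureAccount has been run.
# Property names (Subnets, AddressPrefix, Routes, NextHop.Type) are assumptions about the
# objects the SM module returns.
param(
    [string]$VNetName = "MultiTier-VNet"
)

$vnet = Get-AzureVNetSite -VNetName $VNetName -ErrorAction Stop
$defaultSite = Get-AzureVNetGatewayDefaultSite -VNetName $VNetName -ErrorAction SilentlyContinue

$report = foreach ($subnet in $vnet.Subnets) {
    # The gateway subnet never carries a user-defined route table.
    if ($subnet.Name -eq "GatewaySubnet") { continue }

    $tableName = $null
    $forced    = $false
    try {
        $rt = Get-AzureSubnetRouteTable -VirtualNetworkName $VNetName -SubnetName $subnet.Name -ErrorAction Stop
        $tableName = $rt.Name
        $full = Get-AzureRouteTable -Name $rt.Name -DetailLevel Full
        # Forced tunneling is present only if the table holds 0.0.0.0/0 -> VPNGateway.
        $forced = [bool]($full.Routes | Where-Object {
            $_.AddressPrefix -eq "0.0.0.0/0" -and $_.NextHop.Type -eq "VPNGateway"
        })
    }
    catch {
        # No route table associated: the subnet uses the system default route (direct to Internet).
    }

    [pscustomobject]@{
        Subnet        = $subnet.Name
        AddressPrefix = $subnet.AddressPrefix
        RouteTable    = $tableName
        ForcedTunnel  = $forced
    }
}

$report | Format-Table -AutoSize

# A default route to the VPN gateway is useless on a multi-site VNet without a default site.
if (($report | Where-Object ForcedTunnel) -and -not $defaultSite) {
    Write-Warning "Subnets carry a 0.0.0.0/0 -> VPNGateway route, but no default site is set on '$VNetName'."
}

# Name the subnets that still reach the Internet directly so the result can be reviewed
# against the intended design (in this article, only Frontend should appear here).
$direct = $report | Where-Object { -not $_.ForcedTunnel } | Select-Object -ExpandProperty Subnet
if ($direct) {
    Write-Output "Subnets with direct Internet egress: $($direct -join ', ')"
}
```

Run it with `.\Audit-ForcedTunneling.ps1 -VNetName "MultiTier-VNet"` (file name chosen for this example). For the configuration described in this article the expected output lists Midtier and Backend with ForcedTunnel set to True and names Frontend as the only subnet with direct Internet egress.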