How to configure BGP on Azure VPN Gateways using PowerShell

This article walks you through the steps to enable BGP on a cross-premises Site-to-Site (S2S) VPN connection and a VNet-to-VNet connection using the Resource Manager deployment model and PowerShell.

About BGP

BGP is the standard routing protocol commonly used on the Internet to exchange routing and reachability information between two or more networks. BGP enables the Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange "routes" that inform both gateways of the availability and reachability of the prefixes that can be reached through the gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating the routes a BGP gateway learns from one BGP peer to all of its other BGP peers.

See Overview of BGP with Azure VPN Gateways for more discussion of the benefits of BGP and to understand the technical requirements and considerations of using BGP.

Getting started with BGP on Azure VPN gateways

This article walks you through the steps to do the following tasks:

  • Part 1 - Configure BGP on the Azure VPN gateway
  • Part 2 - Establish a cross-premises connection with BGP
  • Part 3 - Establish a VNet-to-VNet connection with BGP

Each part of the instructions forms a basic building block for enabling BGP in your network connectivity. If you complete all three parts, you build the topology shown in the following diagram:

(Diagram: BGP topology)

You can combine the parts to build a more complex, multi-hop, transit network that meets your needs.

Part 1 - Configure BGP on the Azure VPN gateway

The following configuration steps set up the BGP parameters of the Azure VPN gateway, as shown in the following diagram:

(Diagram: BGP gateway)

Before you begin

Step 1 - Create and configure VNet1

1. Declare your variables

For this exercise, we start by declaring our variables. The following example declares the variables using the values for this exercise. Be sure to replace the values with your own when configuring for production. You can use these variables as they are if you are running through the steps to become familiar with this type of configuration. Modify the variables, then copy and paste them into your PowerShell console.

$Sub1 = "Replace_With_Your_Subscription_Name"
$RG1 = "TestBGPRG1"
$Location1 = "China North"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection12 = "VNet1toVNet2"
$Connection15 = "VNet1toSite5"

2. Connect to your subscription and create a new resource group

To use the Resource Manager cmdlets, make sure you switch to PowerShell mode. For more information, see Using Windows PowerShell with Resource Manager.

Open your PowerShell console and connect to your account. Use the following sample to help you connect:

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -SubscriptionName $Sub1
New-AzResourceGroup -Name $RG1 -Location $Location1

3. Create TestVNet1

The following sample creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When substituting values, it's important that you always name your gateway subnet exactly GatewaySubnet. If you name it something else, gateway creation fails.

$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

New-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

Step 2 - Create the VPN gateway for TestVNet1 with BGP parameters

1. Create the IP and subnet configurations

Request a public IP address to be allocated to the gateway you will create for your VNet. You also define the required subnet and IP configurations.

$gwpip1 = New-AzPublicIpAddress -Name $GWIPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic

$vnet1 = Get-AzVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName1 -Subnet $subnet1 -PublicIpAddress $gwpip1

2. Create the VPN gateway with the AS number

Create the virtual network gateway for TestVNet1. BGP requires a route-based VPN gateway and the additional parameter, -Asn, to set the ASN (AS number) for TestVNet1. If you do not set the ASN parameter, ASN 65515 is assigned. Creating a gateway can take a while (30 minutes or more to complete).

New-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $VNet1ASN

3. Obtain the Azure BGP peer IP address

Once the gateway is created, you need to obtain the BGP peer IP address of the Azure VPN gateway. This address is needed to configure the Azure VPN gateway as a BGP peer on your on-premises VPN devices.

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$vnet1gw.BgpSettingsText

The last command shows the corresponding BGP configuration of the Azure VPN gateway; for example:

$vnet1gw.BgpSettingsText
{
    "Asn": 65010,
    "BgpPeeringAddress": "10.12.255.30",
    "PeerWeight": 0
}

Once the gateway is created, you can use it to establish a cross-premises connection or a VNet-to-VNet connection with BGP. The following sections walk through the steps to complete the exercise.

Part 2 - Establish a cross-premises connection with BGP

To establish a cross-premises connection, you need to create a local network gateway to represent your on-premises VPN device, and a connection to connect the VPN gateway with the local network gateway. While there are articles that walk you through these steps, this article contains the additional properties required to specify the BGP configuration parameters.

(Diagram: BGP for a cross-premises connection)

Before proceeding, make sure you have completed Part 1 of this exercise.

Step 1 - Create and configure the local network gateway

1. Declare your variables

This exercise continues to build the configuration shown in the diagram. Be sure to replace the values with the ones that you want to use for your configuration.

$RG5 = "TestBGPRG5"
$Location5 = "China North"
$LNGName5 = "Site5"
$LNGPrefix50 = "10.52.255.254/32"
$LNGIP5 = "Your_VPN_Device_IP"
$LNGASN5 = 65050
$BGPPeerIP5 = "10.52.255.254"

A couple of things to note regarding the local network gateway parameters:

  • The local network gateway can be in the same or a different location and resource group as the VPN gateway. This example shows them in different resource groups in different locations.
  • The prefix you need to declare for the local network gateway is the host address of the BGP peer IP address on your VPN device. In this case, it's the /32 prefix "10.52.255.254/32".
  • As a reminder, you must use different BGP ASNs for your on-premises networks and your Azure VNet. If they are the same, you need to change your VNet ASN if your on-premises VPN device already uses that ASN to peer with other BGP neighbors.

Before you continue, make sure you are still connected to Subscription 1.

2. Create the local network gateway for Site5

Create the resource group first, if it does not exist yet, and then create the local network gateway. Notice the two additional parameters for the local network gateway: Asn and BgpPeerAddress.

New-AzResourceGroup -Name $RG5 -Location $Location5

New-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG5 -Location $Location5 -GatewayIpAddress $LNGIP5 -AddressPrefix $LNGPrefix50 -Asn $LNGASN5 -BgpPeeringAddress $BGPPeerIP5
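Before creating the connection, it is worth checking that the two gateways actually carry the BGP parameters this step and the notes above require: an ASN on the Azure side that is not the 65515 default, a different ASN on the on-premises side, and a local network gateway prefix that is the /32 host route of the peer IP. The following function is an added example, not code from the original article; it assumes the variables declared in Parts 1 and 2 and an authenticated Az session.

```powershell
# Added example: sanity-check BGP parameters on both gateways before connecting them.
# Assumes $GWName1/$RG1 (Part 1) and $LNGName5/$RG5 (Part 2) are already declared.
function Test-BgpPeerParameters {
    param(
        [Parameter(Mandatory)] [string] $VNetGatewayName,
        [Parameter(Mandatory)] [string] $VNetGatewayRG,
        [Parameter(Mandatory)] [string] $LocalGatewayName,
        [Parameter(Mandatory)] [string] $LocalGatewayRG
    )
    $vgw = Get-AzVirtualNetworkGateway -Name $VNetGatewayName -ResourceGroupName $VNetGatewayRG
    $lng = Get-AzLocalNetworkGateway   -Name $LocalGatewayName -ResourceGroupName $LocalGatewayRG
    $problems = @()

    # A VPN gateway created without -Asn gets ASN 65515 (the article's stated default).
    if (-not $vgw.BgpSettings -or -not $vgw.BgpSettings.Asn) {
        $problems += "VNet gateway '$VNetGatewayName' has no BGP settings; recreate it with -Asn."
    } elseif ($vgw.BgpSettings.Asn -eq 65515) {
        $problems += "VNet gateway '$VNetGatewayName' still uses the default ASN 65515; override it with -Asn."
    }

    # The on-premises side needs its own ASN; the two sides must not share one.
    if (-not $lng.BgpSettings -or -not $lng.BgpSettings.Asn) {
        $problems += "Local network gateway '$LocalGatewayName' was created without -Asn / -BgpPeeringAddress."
    } elseif ($vgw.BgpSettings -and $lng.BgpSettings.Asn -eq $vgw.BgpSettings.Asn) {
        $problems += "Both sides use ASN $($lng.BgpSettings.Asn); the VNet and on-premises ASNs must differ."
    }

    # The local network gateway prefix must be the /32 host route of the on-premises BGP peer IP.
    if ($lng.BgpSettings -and $lng.BgpSettings.BgpPeeringAddress) {
        $peerHost = "$($lng.BgpSettings.BgpPeeringAddress)/32"
        $prefixes = @($lng.LocalNetworkAddressSpace.AddressPrefixes)
        if ($prefixes -notcontains $peerHost) {
            $problems += "Local network gateway prefixes [$($prefixes -join ', ')] do not include $peerHost."
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host "BGP parameters are consistent: Azure ASN $($vgw.BgpSettings.Asn) <-> on-premises ASN $($lng.BgpSettings.Asn)"
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

Test-BgpPeerParameters -VNetGatewayName $GWName1 -VNetGatewayRG $RG1 -LocalGatewayName $LNGName5 -LocalGatewayRG $RG5
```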

Step 2 - Connect the VNet gateway and the local network gateway

1. Get the two gateways

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng5gw  = Get-AzLocalNetworkGateway -Name $LNGName5 -ResourceGroupName $RG5

2. Create the TestVNet1 to Site5 connection

In this step, you create the connection from TestVNet1 to Site5. You must specify "-EnableBGP $True" to enable BGP for this connection. As discussed earlier, the same Azure VPN gateway can have both BGP and non-BGP connections. Unless BGP is enabled in the connection property, Azure does not enable BGP for the connection, even though BGP parameters are already configured on both gateways.

New-AzVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True

The following example lists the parameters you enter into the BGP configuration section of your on-premises VPN device for this exercise:

- Site5 ASN            : 65050
- Site5 BGP IP         : 10.52.255.254
- Prefixes to announce : (for example) 10.51.0.0/16 and 10.52.0.0/16
- Azure VNet ASN       : 65010
- Azure VNet BGP IP    : 10.12.255.30
- Static route         : Add a route for 10.12.255.30/32, with nexthop being the VPN tunnel interface on your device
- eBGP Multihop        : Ensure the "multihop" option for eBGP is enabled on your device if needed

The connection is established after a few minutes, and the BGP peering session starts once the IPsec connection is established.

Part 3 - Establish a VNet-to-VNet connection with BGP

This section adds a VNet-to-VNet connection with BGP, as shown in the following diagram:

(Diagram: BGP for a VNet-to-VNet connection)

The following instructions continue from the previous steps. You must complete Part 1 to create and configure TestVNet1 and its VPN gateway with BGP.

Step 1 - Create TestVNet2 and the VPN gateway

It is important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap with any of your VNet ranges.

1. Declare your variables

Be sure to replace the values with the ones that you want to use for your configuration.

$RG2 = "TestBGPRG2"
$Location2 = "China North"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$VNet2ASN = 65020
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GWIPName2 = "VNet2GWIP"
$GWIPconfName2 = "gwipconf2"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"

2. Create TestVNet2 in the new resource group

New-AzResourceGroup -Name $RG2 -Location $Location2

$fesub2 = New-AzVirtualNetworkSubnetConfig -Name $FESubName2 -AddressPrefix $FESubPrefix2
$besub2 = New-AzVirtualNetworkSubnetConfig -Name $BESubName2 -AddressPrefix $BESubPrefix2
$gwsub2 = New-AzVirtualNetworkSubnetConfig -Name $GWSubName2 -AddressPrefix $GWSubPrefix2

New-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2 -Location $Location2 -AddressPrefix $VNetPrefix21,$VNetPrefix22 -Subnet $fesub2,$besub2,$gwsub2

3. Create the VPN gateway for TestVNet2 with BGP parameters

Request a public IP address to be allocated to the gateway you will create for your VNet, and define the required subnet and IP configurations.

$gwpip2    = New-AzPublicIpAddress -Name $GWIPName2 -ResourceGroupName $RG2 -Location $Location2 -AllocationMethod Dynamic

$vnet2     = Get-AzVirtualNetwork -Name $VNetName2 -ResourceGroupName $RG2
$subnet2   = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet2
$gwipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName2 -Subnet $subnet2 -PublicIpAddress $gwpip2

Create the VPN gateway with the AS number. You must override the default ASN on your Azure VPN gateways. The ASNs of the connected VNets must be different to enable BGP and transit routing.

New-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2 -Location $Location2 -IpConfigurations $gwipconf2 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 -Asn $VNet2ASN

Step 2 - Connect the TestVNet1 and TestVNet2 gateways

In this example, both gateways are in the same subscription. You can complete this step in the same PowerShell session.

1. Get both gateways

Make sure you log in and connect to Subscription 1.

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$vnet2gw = Get-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2

2. Create both connections

In this step, you create the connection from TestVNet1 to TestVNet2, and the connection from TestVNet2 to TestVNet1.

New-AzVirtualNetworkGatewayConnection -Name $Connection12 -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -VirtualNetworkGateway2 $vnet2gw -Location $Location1 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3' -EnableBgp $True

New-AzVirtualNetworkGatewayConnection -Name $Connection21 -ResourceGroupName $RG2 -VirtualNetworkGateway1 $vnet2gw -VirtualNetworkGateway2 $vnet1gw -Location $Location2 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3' -EnableBgp $True

Important

Be sure to enable BGP for BOTH connections.

After completing these steps, the connection is established after a few minutes. The BGP peering session is up once the VNet-to-VNet connection is completed.

If you completed all three parts of this exercise, you have established the following network topology:

(Diagram: BGP across the cross-premises and VNet-to-VNet connections)
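Both Part 2 and Part 3 end with the statement that the connection comes up and the BGP session follows; the check below is an added example, not code from the original article, that verifies this for the full topology: each connection has BGP enabled and is Connected, each BGP neighbor session is up, and the prefixes learned from each neighbor match what that neighbor is expected to announce. Learned prefixes outside the expected set are flagged, since a peer announcing unexpected routes can pull traffic it should not see. It assumes the variables from Parts 1 to 3, an authenticated Az session, and the Site5 prefixes 10.51.0.0/16 and 10.52.0.0/16 from the on-premises example above.

```powershell
# Added example: verify connections, BGP sessions and learned prefixes per neighbor.
function Test-BgpConnectivity {
    param(
        [Parameter(Mandatory)] [string]    $GatewayName,
        [Parameter(Mandatory)] [string]    $ResourceGroupName,
        [Parameter(Mandatory)] [string[]]  $ConnectionNames,
        [Parameter(Mandatory)] [hashtable] $ExpectedPrefixes   # neighbor BGP IP -> prefixes it should announce
    )
    $ok = $true
    foreach ($name in $ConnectionNames) {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $name -ResourceGroupName $ResourceGroupName
        if (-not $conn.EnableBgp) { Write-Warning "$name was created without -EnableBgp `$True"; $ok = $false }
        if ($conn.ConnectionStatus -ne 'Connected') { Write-Warning "$name status: $($conn.ConnectionStatus)"; $ok = $false }
    }
    # One entry per BGP neighbor; State is 'Connected' once the session is established
    $peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName
    foreach ($p in $peers) {
        if ($p.State -ne 'Connected') { Write-Warning "Neighbor $($p.Neighbor) (ASN $($p.Asn)) is $($p.State)"; $ok = $false }
    }
    # Learned routes carry the neighbor they came from in SourcePeer
    $learned = Get-AzVirtualNetworkGatewayLearnedRoute -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName
    foreach ($peerIp in $ExpectedPrefixes.Keys) {
        $expected   = @($ExpectedPrefixes[$peerIp])
        $fromPeer   = @($learned | Where-Object { $_.SourcePeer -eq $peerIp } | Select-Object -ExpandProperty Network -Unique)
        $missing    = @($expected | Where-Object { $fromPeer -notcontains $_ })
        $unexpected = @($fromPeer | Where-Object { $expected -notcontains $_ })
        if ($missing)    { Write-Warning "Neighbor ${peerIp}: expected but not learned: $($missing -join ', ')"; $ok = $false }
        if ($unexpected) { Write-Warning "Neighbor ${peerIp}: learned prefixes outside the expected set: $($unexpected -join ', ')"; $ok = $false }
    }
    return $ok
}

$vnet1gw = Get-AzVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$vnet2gw = Get-AzVirtualNetworkGateway -Name $GWName2 -ResourceGroupName $RG2
$vnet1PeerIp   = $vnet1gw.BgpSettings.BgpPeeringAddress
$vnet2PeerIp   = $vnet2gw.BgpSettings.BgpPeeringAddress
$site5Prefixes = @('10.51.0.0/16', '10.52.0.0/16')     # what Site5 announces in this exercise

# VNet1 learns Site5's prefixes from Site5 (Part 2) and VNet2's prefixes from VNet2 (Part 3)
Test-BgpConnectivity -GatewayName $GWName1 -ResourceGroupName $RG1 -ConnectionNames $Connection15, $Connection12 -ExpectedPrefixes @{
    $BGPPeerIP5  = $site5Prefixes
    $vnet2PeerIp = @($VNetPrefix21, $VNetPrefix22)
}
# VNet2 has a single neighbor, VNet1, and should learn Site5's prefixes through it (transit routing)
Test-BgpConnectivity -GatewayName $GWName2 -ResourceGroupName $RG2 -ConnectionNames $Connection21 -ExpectedPrefixes @{
    $vnet1PeerIp = @($VNetPrefix11, $VNetPrefix12) + $site5Prefixes
}
```

Run it a few minutes after creating the connections; until the IPsec tunnels are up, the connection status and peer state warnings are expected.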

Next steps

Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual Machine for the steps.