Tutorial: Create and manage S2S VPN connections using PowerShell

Azure S2S VPN connections provide secure, cross-premises connectivity between customer premises and Azure. This tutorial walks through the life cycle of an IPsec S2S VPN connection, from creating it to managing and removing it. You learn how to:

  • Create an S2S VPN connection
  • Update connection properties: pre-shared key, BGP, IPsec/IKE policy
  • Add more VPN connections
  • Delete a VPN connection

The following diagram shows the topology for this tutorial:

Diagram: Site-to-Site VPN connection

Working with Azure PowerShell

You can install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently; if you have not installed the latest version, the values specified in these instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.

Requirements

Complete the first tutorial, Create a VPN gateway with Azure PowerShell, to create the following resources:

  1. Resource group (TestRG1), virtual network (VNet1), and the GatewaySubnet
  2. VPN gateway (VNet1GW)

The virtual network parameter values are listed below. Note the additional values for the local network gateway, which represent your on-premises network. Change the values below to match your environment and network setup, then copy and paste them to set the variables for this tutorial.

Note

If you are using this to make a real connection, be sure to change the values to match your on-premises network. If you are only running these steps as a tutorial, you don't need to make changes, but the connection will not come up.

# Virtual network
$RG1         = "TestRG1"
$VNet1       = "VNet1"
$Location1   = "China North"
$VNet1Prefix = "10.1.0.0/16"
$VNet1ASN    = 65010
$Gw1         = "VNet1GW"

# On-premises network - LNGIP1 is the VPN device public IP address
$LNG1        = "VPNsite1"
$LNGprefix1  = "10.101.0.0/24"
$LNGprefix2  = "10.101.1.0/24"
$LNGIP1      = "5.4.3.2"

# Optional - on-premises BGP properties
$LNGASN1     = 65011
$BGPPeerIP1  = "10.101.1.254"

# Connection
$Connection1 = "VNet1ToSite1"

The workflow to create an S2S VPN connection is straightforward:

  1. Create a local network gateway to represent your on-premises network
  2. Create a connection between your Azure VPN gateway and the local network gateway

Create a local network gateway

A local network gateway represents your on-premises network. You specify the properties of your on-premises network in the local network gateway, including:

  • Public IP address of your VPN device
  • On-premises address space
  • (Optional) BGP attributes (BGP peer IP address and AS number)

Create a local network gateway with the New-AzLocalNetworkGateway command.

New-AzLocalNetworkGateway -Name $LNG1 -ResourceGroupName $RG1 `
  -Location $Location1 -GatewayIpAddress $LNGIP1 -AddressPrefix $LNGprefix1,$LNGprefix2

Create an S2S VPN connection

Next, create a Site-to-Site VPN connection between your virtual network gateway and your VPN device with New-AzVirtualNetworkGatewayConnection. Notice that the '-ConnectionType' for a Site-to-Site VPN is IPsec.

$vng1 = Get-AzVirtualNetworkGateway -Name $GW1  -ResourceGroupName $RG1
$lng1 = Get-AzLocalNetworkGateway   -Name $LNG1 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection1 -ResourceGroupName $RG1 `
  -Location $Location1 -VirtualNetworkGateway1 $vng1 -LocalNetworkGateway2 $lng1 `
  -ConnectionType IPsec -SharedKey "Azure@!b2C3" -ConnectionProtocol IKEv2

If you are using BGP, add the optional "-EnableBGP $True" property to enable BGP for the connection; it is disabled by default. The '-ConnectionProtocol' parameter is optional, with IKEv2 as the default. You can create the connection with the IKEv1 protocol by specifying -ConnectionProtocol IKEv1.
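The two-step workflow above, followed by a check that the connection actually comes up, as an added example that is not part of the original tutorial. It assumes the variables from the Requirements section ($RG1, $Gw1, $LNG1, $Connection1, $Location1) are set, and the helper Wait-ForS2SConnection is this example's own.

```powershell
# Poll the connection until the gateway reports it as Connected, or give up.
# ConnectionStatus is one of Unknown, Connecting, Connected, NotConnected.
function Wait-ForS2SConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $TimeoutSeconds = 600,
        [int] $PollSeconds = 30
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        $msg = '{0}: status={1} ingress={2}B egress={3}B' -f (Get-Date -Format s), `
            $conn.ConnectionStatus, $conn.IngressBytesTransferred, $conn.EgressBytesTransferred
        Write-Host $msg
        if ($conn.ConnectionStatus -eq 'Connected') { return $conn }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Connection '$Name' did not reach Connected within $TimeoutSeconds s (last status: $($conn.ConnectionStatus))"
}

$vng1 = Get-AzVirtualNetworkGateway -Name $Gw1  -ResourceGroupName $RG1
$lng1 = Get-AzLocalNetworkGateway   -Name $LNG1 -ResourceGroupName $RG1

# Prompt for the pre-shared key rather than embedding it in the script
$pskSecure = Read-Host -Prompt 'Pre-shared key configured on the VPN device' -AsSecureString
$psk = [System.Net.NetworkCredential]::new('', $pskSecure).Password

New-AzVirtualNetworkGatewayConnection -Name $Connection1 -ResourceGroupName $RG1 `
  -Location $Location1 -VirtualNetworkGateway1 $vng1 -LocalNetworkGateway2 $lng1 `
  -ConnectionType IPsec -ConnectionProtocol IKEv2 -SharedKey $psk

$conn = Wait-ForS2SConnection -Name $Connection1 -ResourceGroupName $RG1
$conn | Select-Object Name, ConnectionStatus, ConnectionProtocol, EnableBgp
```

If the status stays NotConnected, the on-premises device has not completed IKE negotiation; the pre-shared key, public IP and address prefixes on both sides are the first things to compare.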

Update the VPN connection pre-shared key, BGP, and IPsec/IKE policy

View and update your pre-shared key

An Azure S2S VPN connection uses a pre-shared key (secret) to authenticate between your on-premises VPN device and the Azure VPN gateway. You can view and update the pre-shared key for a connection with Get-AzVirtualNetworkGatewayConnectionSharedKey and Set-AzVirtualNetworkGatewayConnectionSharedKey.

Important

The pre-shared key is a string of printable ASCII characters no longer than 128 characters.

This command shows the pre-shared key for the connection:

Get-AzVirtualNetworkGatewayConnectionSharedKey `
  -Name $Connection1 -ResourceGroupName $RG1

Following the example above, the output is "Azure@!b2C3". Use the command below to change the pre-shared key value to "Azure@!_b2=C3":

Set-AzVirtualNetworkGatewayConnectionSharedKey `
  -Name $Connection1 -ResourceGroupName $RG1 `
  -Value "Azure@!_b2=C3"
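A key-rotation routine that generates a random pre-shared key within the stated constraint (printable ASCII, at most 128 characters), applies it and reads it back, as an added example that is not part of the original tutorial. It assumes $Connection1 and $RG1 are set; New-VpnPreSharedKey and Test-VpnPreSharedKey are this example's own helpers, and the restricted alphabet is a conservative choice for devices that mishandle some symbols.

```powershell
# Generate a pre-shared key from a cryptographic RNG using rejection sampling,
# so every character of the alphabet is equally likely (no modulo bias).
function New-VpnPreSharedKey {
    param([ValidateRange(16, 128)] [int] $Length = 64)
    # Subset of printable ASCII; spaces and quoting characters are deliberately left out
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%+-=_@.'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = [int]([math]::Floor(256 / $alphabet.Length) * $alphabet.Length)
    $buf   = [byte[]]::new(1)
    $sb    = [System.Text.StringBuilder]::new($Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Check the constraint the tutorial states: printable ASCII, 1 to 128 characters
# (this check excludes the space character as a conservative choice).
function Test-VpnPreSharedKey {
    param([Parameter(Mandatory)] [string] $Key)
    return ($Key.Length -ge 1 -and $Key.Length -le 128 -and $Key -match '^[\x21-\x7E]+$')
}

$newKey = New-VpnPreSharedKey -Length 64
if (-not (Test-VpnPreSharedKey $newKey)) { throw 'Generated key violates the PSK constraints' }

# Rotate the key on the Azure side; the VPN device must be updated with the same value
Set-AzVirtualNetworkGatewayConnectionSharedKey -Name $Connection1 -ResourceGroupName $RG1 -Value $newKey
$current = Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $Connection1 -ResourceGroupName $RG1
if ($current -ne $newKey) { throw 'Key read back from Azure does not match the value that was set' }
```

The tunnel drops until the VPN device is reconfigured with the same key, so schedule the change on both sides together.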

Enable BGP on the VPN connection

Azure VPN gateway supports the BGP dynamic routing protocol. You can enable BGP on each individual connection, depending on whether you use BGP in your on-premises networks and devices. Specify the following BGP properties before enabling BGP on the connection:

  • Azure VPN ASN (Autonomous System Number)
  • On-premises local network gateway ASN
  • On-premises local network gateway BGP peer IP address

If you have not configured the BGP properties yet, use Set-AzVirtualNetworkGateway and Set-AzLocalNetworkGateway to add them to your VPN gateway and local network gateway.

Use the following example to configure the BGP properties:

$vng1 = Get-AzVirtualNetworkGateway -Name $GW1  -ResourceGroupName $RG1
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng1 -Asn $VNet1ASN

$lng1 = Get-AzLocalNetworkGateway   -Name $LNG1 -ResourceGroupName $RG1
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng1 `
  -Asn $LNGASN1 -BgpPeeringAddress $BGPPeerIP1

Enable BGP with Set-AzVirtualNetworkGatewayConnection.

$connection = Get-AzVirtualNetworkGatewayConnection `
  -Name $Connection1 -ResourceGroupName $RG1

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection `
  -EnableBGP $True

You can disable BGP by changing the "-EnableBGP" property value to $False. Refer to BGP on Azure VPN gateways for a more detailed explanation of BGP on Azure VPN gateways.
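A check that the BGP session actually established with the expected peer and ASN, and a look at what it advertised, as an added example that is not part of the original tutorial. It assumes $RG1, $Gw1, $BGPPeerIP1 and $LNGASN1 from the Requirements section are set; Test-VpnBgpPeer is this example's own helper.

```powershell
# Confirm the gateway has a Connected BGP session to the on-premises peer
# and that the peer presents the ASN configured on the local network gateway.
function Test-VpnBgpPeer {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $PeerIp,
        [Parameter(Mandatory)] [int]    $PeerAsn
    )
    $peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -ResourceGroupName $ResourceGroupName `
               -VirtualNetworkGatewayName $GatewayName
    $peer = $peers | Where-Object { $_.Neighbor -eq $PeerIp }
    if (-not $peer) { throw "No BGP session to $PeerIp on gateway $GatewayName" }
    if ($peer.Asn -ne $PeerAsn) { throw "Peer $PeerIp reports ASN $($peer.Asn), expected $PeerAsn" }
    # State is one of Unknown, Stopped, Idle, Connecting, Connected
    if ($peer.State -ne 'Connected') { throw "BGP session to $PeerIp is in state $($peer.State)" }
    return $peer
}

$peer = Test-VpnBgpPeer -ResourceGroupName $RG1 -GatewayName $Gw1 -PeerIp $BGPPeerIP1 -PeerAsn $LNGASN1
$peer | Select-Object Neighbor, Asn, State, ConnectedDuration, RoutesReceived

# Prefixes learned from this peer. Anything outside the on-premises ranges you expect
# (here 10.101.0.0/24 and 10.101.1.0/24) deserves a look before traffic follows it.
$learned = Get-AzVirtualNetworkGatewayLearnedRoute -ResourceGroupName $RG1 -VirtualNetworkGatewayName $Gw1
$learned | Where-Object { $_.SourcePeer -eq $BGPPeerIP1 } |
    Select-Object Network, NextHop, AsPath, Origin | Format-Table -AutoSize
```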

Apply a custom IPsec/IKE policy on the connection

You can apply an optional IPsec/IKE policy to specify the exact combination of IPsec/IKE cryptographic algorithms and key strengths on the connection, instead of using the default proposals. The following sample script creates a different IPsec/IKE policy with the following algorithms and parameters:

  • IKEv2: AES256, SHA256, DHGroup14
  • IPsec: AES128, SHA1, PFS14, SA lifetime 14,400 seconds and 102,400,000 KB

$connection = Get-AzVirtualNetworkGatewayConnection -Name $Connection1 `
                -ResourceGroupName $RG1
# PFS14 matches the policy described above (the PFS group is the IPsec DH group)
$newpolicy  = New-AzIpsecPolicy `
                -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
                -IpsecEncryption AES128 -IpsecIntegrity SHA1 -PfsGroup PFS14 `
                -SALifeTimeSeconds 14400 -SADataSizeKilobytes 102400000

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection `
  -IpsecPolicies $newpolicy

Refer to IPsec/IKE policy for S2S or VNet-to-VNet connections for a complete list of algorithms and instructions.
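A report that reads back the IPsec/IKE policy applied to every connection in the resource group and flags legacy algorithm choices, as an added example that is not part of the original tutorial. It assumes $RG1 is set; Get-VpnConnectionPolicyReport and its "legacy" lists are this example's own judgement, and a connection with an empty IpsecPolicies list is using the Azure default proposals.

```powershell
# Enumerate connections and summarise their custom IPsec/IKE policies.
function Get-VpnConnectionPolicyReport {
    param([Parameter(Mandatory)] [string] $ResourceGroupName)
    # Legacy choices this report flags (example's own lists, not an Azure list)
    $legacyIntegrity = @('MD5', 'SHA1')
    $legacyDh        = @('None', 'DHGroup1', 'DHGroup2', 'DHGroup1024')
    $legacyPfs       = @('None', 'PFS1', 'PFS2')
    foreach ($c in Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName) {
        if (-not $c.IpsecPolicies -or $c.IpsecPolicies.Count -eq 0) {
            [pscustomobject]@{ Connection = $c.Name; Policy = 'default proposals'; Findings = '' }
            continue
        }
        foreach ($p in $c.IpsecPolicies) {
            $findings = @()
            if ($p.IkeIntegrity   -in $legacyIntegrity) { $findings += "IKE integrity $($p.IkeIntegrity)" }
            if ($p.IpsecIntegrity -in $legacyIntegrity) { $findings += "IPsec integrity $($p.IpsecIntegrity)" }
            if ($p.DhGroup  -in $legacyDh)  { $findings += "DH group $($p.DhGroup)" }
            if ($p.PfsGroup -in $legacyPfs) { $findings += "PFS group $($p.PfsGroup)" }
            [pscustomobject]@{
                Connection = $c.Name
                Policy     = "IKE $($p.IkeEncryption)/$($p.IkeIntegrity)/$($p.DhGroup); " +
                             "IPsec $($p.IpsecEncryption)/$($p.IpsecIntegrity)/$($p.PfsGroup); " +
                             "SA $($p.SALifeTimeSeconds)s / $($p.SADataSizeKilobytes)KB"
                Findings   = ($findings -join ', ')
            }
        }
    }
}

# With the policy from this section applied, the report flags "IPsec integrity SHA1"
Get-VpnConnectionPolicyReport -ResourceGroupName $RG1 | Format-Table -AutoSize -Wrap
```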

Add another S2S VPN connection

To add another S2S VPN connection to the same VPN gateway, create another local network gateway, then create a new connection between the new local network gateway and the VPN gateway. Use the following examples, making sure to modify the variables to reflect your own network configuration.

# On-premises network - LNGIP2 is the VPN device public IP address
$LNG2        = "VPNsite2"
$Location2   = "China North"
$LNGprefix21 = "10.102.0.0/24"
$LNGprefix22 = "10.102.1.0/24"
$LNGIP2      = "4.3.2.1"
$Connection2 = "VNet1ToSite2"

New-AzLocalNetworkGateway -Name $LNG2 -ResourceGroupName $RG1 `
  -Location $Location2 -GatewayIpAddress $LNGIP2 -AddressPrefix $LNGprefix21,$LNGprefix22

$vng1 = Get-AzVirtualNetworkGateway -Name $GW1  -ResourceGroupName $RG1
$lng2 = Get-AzLocalNetworkGateway   -Name $LNG2 -ResourceGroupName $RG1

New-AzVirtualNetworkGatewayConnection -Name $Connection2 -ResourceGroupName $RG1 `
  -Location $Location1 -VirtualNetworkGateway1 $vng1 -LocalNetworkGateway2 $lng2 `
  -ConnectionType IPsec -SharedKey "AzureA1%b2_C3+"

There are now two S2S VPN connections to your Azure VPN gateway.

Diagram: Multi-site VPN connections

Delete an S2S VPN connection

Delete an S2S VPN connection with Remove-AzVirtualNetworkGatewayConnection.

Remove-AzVirtualNetworkGatewayConnection -Name $Connection2 -ResourceGroupName $RG1

Delete the local network gateway with Remove-AzLocalNetworkGateway if you no longer need it. You cannot delete a local network gateway while other connections are still associated with it.

Remove-AzLocalNetworkGateway -Name $LNG2 -ResourceGroupName $RG1

Clean up resources

If this configuration is part of a prototype, test, or proof-of-concept deployment, you can use the Remove-AzResourceGroup command to remove the resource group, the VPN gateway, and all related resources.

Remove-AzResourceGroup -Name $RG1

Next steps

In this tutorial, you learned how to create and manage S2S VPN connections, including how to:

  • Create an S2S VPN connection
  • Update connection properties: pre-shared key, BGP, IPsec/IKE policy
  • Add more VPN connections
  • Delete a VPN connection

Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.