Creating a VPN tunnel to connect the AWS and Azure private networks
This article sets up connectivity between the Azure and AWS private networks by creating a site-to-site IPsec VPN and using it to reach VMs on either side. In this project Azure uses its built-in VPN gateway service, while on AWS a Windows Server 2012 R2 instance serves as the tunnel endpoint. The AWS managed VPN does not allow the IPsec settings to be customised: the pre-shared key is generated randomly by the platform, cannot be changed, and contains special characters, while Azure does not accept special characters in a pre-shared key, so a direct platform-to-platform connection cannot be established.
https://s2.运维网.com/wyfs02/M00/8E/E4/wKiom1jOkYvhtqAGAADeFtLQGCI296.png-wh_500x0-wm_3-wmp_4-s_3385840130.png
Preparing the Azure side
1. First, create a resource group
https://s1.运维网.com/wyfs02/M01/8E/E4/wKiom1jOkbvCSm44AAC0jhoMChQ387.png-wh_500x0-wm_3-wmp_4-s_924652081.png
https://s5.运维网.com/wyfs02/M01/8E/E4/wKiom1jOkbuxLTEmAACBUsUv4Vg327.png-wh_500x0-wm_3-wmp_4-s_3042782265.png
2. Add a virtual network to the resource group
https://s2.运维网.com/wyfs02/M01/8E/E2/wKioL1jOkemQjtjMAADCq_0-qTE729.png-wh_500x0-wm_3-wmp_4-s_3666419811.png
https://s2.运维网.com/wyfs02/M00/8E/E4/wKiom1jOkeqh-DjEAAFQydqayQo698.png-wh_500x0-wm_3-wmp_4-s_1513142611.png
https://s2.运维网.com/wyfs02/M02/8E/E4/wKiom1jOkeqSlei6AADJDEMItLU082.png-wh_500x0-wm_3-wmp_4-s_2743722804.png
3. Fill in the virtual network address space and the subnet range within it; this is the IP range the Azure VMs will use.
https://s4.运维网.com/wyfs02/M00/8E/E2/wKioL1jOkguDqYVUAADaTthTXok574.png-wh_500x0-wm_3-wmp_4-s_3595009164.png
4. Add the gateway subnet
https://s3.运维网.com/wyfs02/M02/8E/E2/wKioL1jOkjLz49__AADBefehbNU435.png-wh_500x0-wm_3-wmp_4-s_3626325722.png
https://s2.运维网.com/wyfs02/M01/8E/E4/wKiom1jOklSSlqx8AACJXsG72lI561.png-wh_500x0-wm_3-wmp_4-s_795245154.png
https://s2.运维网.com/wyfs02/M01/8E/E2/wKioL1jOklTx8QFVAADKo9wB-w8563.png-wh_500x0-wm_3-wmp_4-s_3606565543.png
5. Create a virtual network gateway, which will establish the connection to the AWS side
https://s1.运维网.com/wyfs02/M02/8E/E4/wKiom1jOkn6hC05rAAB_Qeq3Ft4884.png-wh_500x0-wm_3-wmp_4-s_3195729037.png
https://s5.运维网.com/wyfs02/M02/8E/E2/wKioL1jOkn-RIjBbAADVBO-rj-g413.png-wh_500x0-wm_3-wmp_4-s_2003578547.png
https://s5.运维网.com/wyfs02/M00/8E/E4/wKiom1jOkn_DpyB5AACkpTmwAOk968.png-wh_500x0-wm_3-wmp_4-s_3072409807.png
6. Select the virtual network just created and add the public IP to be used for the IPsec connection
https://s2.运维网.com/wyfs02/M00/8E/E4/wKiom1jOkqKR***cAAGmBwata6w075.png-wh_500x0-wm_3-wmp_4-s_2184768080.png
https://s5.运维网.com/wyfs02/M01/8E/E4/wKiom1jOktmjRfTVAAIJWXzp2Qc140.png-wh_500x0-wm_3-wmp_4-s_3706879479.png
Note: it takes about 45 minutes for the virtual network gateway to be created. Once it is ready, record the public IP it was assigned; the AWS side connects to that address.
7. Create a local network gateway; enter the AWS public IP that will be used to establish the IPsec connection and the AWS private address range
https://s5.运维网.com/wyfs02/M01/8E/E4/wKiom1jOkxaxqfTrAACiHpTgS8k669.png-wh_500x0-wm_3-wmp_4-s_143003689.png
https://s5.运维网.com/wyfs02/M01/8E/E2/wKioL1jOkxbyTkgzAACCHThf6XU033.png-wh_500x0-wm_3-wmp_4-s_2550120987.png
https://s4.运维网.com/wyfs02/M02/8E/E4/wKiom1jOkxfwve4nAACCFv6HPj8882.png-wh_500x0-wm_3-wmp_4-s_1888149729.png
https://s5.运维网.com/wyfs02/M01/8E/E2/wKioL1jOkxfTp3ovAADr2PGXnXs585.png-wh_500x0-wm_3-wmp_4-s_833632673.png
8. Create the IPsec connection
https://s4.运维网.com/wyfs02/M00/8E/E2/wKioL1jOkzmA7LT8AADbLRvD4mg332.png-wh_500x0-wm_3-wmp_4-s_1056272350.png
https://s5.运维网.com/wyfs02/M02/8E/E4/wKiom1jOkzrRCWu7AACdg3913No133.png-wh_500x0-wm_3-wmp_4-s_4116142264.png
9. Select the virtual network gateway and enter the IPsec shared key
https://s5.运维网.com/wyfs02/M02/8E/E2/wKioL1jOk12ja9-mAAF7stk7sq8125.png-wh_500x0-wm_3-wmp_4-s_2004773583.png
This completes the Azure-side configuration.
AWS-side configuration
1. Create a VPC
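The Azure-side steps 1 to 9 above can also be scripted instead of clicked through in the portal. The following is an added example written for this page with the Az PowerShell module; it is not part of the original post. The resource names, region, address ranges, the AWS Elastic IP and the AWS VPC range are placeholder assumptions, and a static Standard-SKU public IP is assumed for the gateway where the post used the portal default.

```powershell
# Added example: Azure side of the AWS<->Azure S2S VPN with the Az PowerShell module.
# All names, the region and every address below are placeholders; adjust to your environment.
$rg          = "aws-azure-vpn-rg"   # resource group (step 1)
$location    = "eastasia"
$vnetCidr    = "10.1.0.0/16"        # Azure VNet address space (step 3)
$vmSubnet    = "10.1.1.0/24"        # subnet for the Azure VMs (step 3)
$gwSubnet    = "10.1.255.0/27"      # gateway subnet (step 4); the name must be exactly "GatewaySubnet"
$awsPublicIp = "203.0.113.10"       # placeholder: Elastic IP of the AWS RRAS instance (step 7)
$awsCidr     = "172.16.0.0/16"      # placeholder: AWS VPC CIDR (step 7)

# Step 1: resource group
New-AzResourceGroup -Name $rg -Location $location

# Steps 2-4: virtual network with the VM subnet and the GatewaySubnet
$subnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name "vm-subnet"     -AddressPrefix $vmSubnet),
    (New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $gwSubnet)
)
$vnet = New-AzVirtualNetwork -Name "azure-vnet" -ResourceGroupName $rg -Location $location `
            -AddressPrefix $vnetCidr -Subnet $subnets

# Steps 5-6: public IP plus a route-based VPN gateway. Creation blocks for roughly 45 minutes
# (add -AsJob to run it in the background). RRAS on the AWS side only supports route-based IKEv2.
$pip = New-AzPublicIpAddress -Name "vnet-gw-pip" -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static
$gwSubnetObj = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name "gw-ipconfig" `
            -SubnetId $gwSubnetObj.Id -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name "azure-vnet-gw" -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Record the gateway's public IP; it goes into -Destination in the RRAS script on the AWS side
$azureGatewayIp = (Get-AzPublicIpAddress -Name "vnet-gw-pip" -ResourceGroupName $rg).IpAddress
"Azure gateway public IP: $azureGatewayIp"

# Step 7: local network gateway describing the AWS side (its public IP and private range)
$lng = New-AzLocalNetworkGateway -Name "aws-local-gw" -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $awsPublicIp -AddressPrefix $awsCidr

# Steps 8-9: the IPsec connection. Azure rejects special characters in the shared key, so derive a
# long alphanumeric secret from a CSPRNG (64 hex characters = 256 bits) instead of typing one by hand.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$psk   = -join ($bytes | ForEach-Object { $_.ToString("x2") })

New-AzVirtualNetworkGatewayConnection -Name "azure-to-aws" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# The same value must be passed as -SharedSecret to Add-VpnS2SInterface on the AWS instance.
"Pre-shared key (store it in a secrets manager, not in this script): $psk"
```

The order matters only in two places: the gateway subnet has to exist before the gateway is created, and the gateway's public IP is only known after the gateway finishes deploying, which is why the post tells you to wait and record it before touching the AWS side.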
https://s1.运维网.com/wyfs02/M01/8E/E4/wKiom1jOk5XxFhI9AAHco9JIHvw695.png-wh_500x0-wm_3-wmp_4-s_3358881539.png
https://s5.运维网.com/wyfs02/M01/8E/E2/wKioL1jOk5bwSjo1AAEUiAe1_bo426.png-wh_500x0-wm_3-wmp_4-s_3180296470.png
2. Set the private network range and subnet
https://s5.运维网.com/wyfs02/M02/8E/E4/wKiom1jOk7Cya8XxAACtye65aNE853.png-wh_500x0-wm_3-wmp_4-s_3345563638.png
3. Check the internet gateway that was created
https://s3.运维网.com/wyfs02/M02/8E/E2/wKioL1jOk86QZasSAAC_tLX_eHY891.png-wh_500x0-wm_3-wmp_4-s_4077319217.png
4. Create a Windows Server 2012 R2 instance, which will establish the IPsec connection with Azure
https://s2.运维网.com/wyfs02/M01/8E/E2/wKioL1jOlEmgSMyPAAExz8MO1AA195.png-wh_500x0-wm_3-wmp_4-s_3602503728.png
https://s2.运维网.com/wyfs02/M02/8E/E4/wKiom1jOlEmhFAoTAAIPIwKmUEo094.png-wh_500x0-wm_3-wmp_4-s_524910600.png
https://s3.运维网.com/wyfs02/M00/8E/E2/wKioL1jOlErgnyy2AAGZPY8HOr4224.png-wh_500x0-wm_3-wmp_4-s_3133227515.png
https://s3.运维网.com/wyfs02/M02/8E/E2/wKioL1jOlErwbR6MAAFZtNtQE98712.png-wh_500x0-wm_3-wmp_4-s_3730356625.png
https://s1.运维网.com/wyfs02/M01/8E/E4/wKiom1jOlEuAA3E4AAERxV6KxDU225.png-wh_500x0-wm_3-wmp_4-s_578835726.png
https://s1.运维网.com/wyfs02/M00/8E/E4/wKiom1jOlEyhVV7aAAFBLpa6Kto060.png-wh_500x0-wm_3-wmp_4-s_2345602187.png
https://s1.运维网.com/wyfs02/M01/8E/E2/wKioL1jOlEzi6SslAAHyNmqfUi0976.png-wh_500x0-wm_3-wmp_4-s_2374639503.png
5. Assign a public IP address to the instance
https://s3.运维网.com/wyfs02/M02/8E/E4/wKiom1jOlH3RXy9wAAFWLaZZ1Bg248.jpg-wh_500x0-wm_3-wmp_4-s_3804881933.jpg
https://s5.运维网.com/wyfs02/M00/8E/E2/wKioL1jOlH6xFqoGAADYzf-Nczk656.png-wh_500x0-wm_3-wmp_4-s_4076616662.png
6. Select the instance and disable the source/destination check
https://s5.运维网.com/wyfs02/M02/8E/E2/wKioL1jOlJXRFZSOAAFbAQJfwts904.png-wh_500x0-wm_3-wmp_4-s_1123012587.png
7. Configure the RRAS server on the Windows Server 2012 R2 instance
Copy the following script to the Windows Server 2012 R2 instance and run it in a PowerShell session started with "Run as administrator". Fill in the four variables at the top (connection name, Azure gateway public IP, Azure address range and pre-shared key) before running it.
# Windows Azure Virtual Network
# This configuration template applies to Microsoft RRAS running on Windows Server 2012 R2.
# It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
# !!! Please notice that we have the following restrictions in our support for RRAS:
# !!! 1. Only IKEv2 is currently supported
# !!! 2. Only route-based VPN configuration is supported.
# !!! 3. Admin privileges are required in order to run this script

# Values to fill in before running (placeholders)
$ConnectionName = "AzureS2S"                    # name of the S2S interface; RRAS also uses it as the section name in router.pbk
$AzureGatewayIP = "<Azure gateway public IP>"   # public IP recorded after the Azure virtual network gateway was created
$AzureSubnet    = "<Azure VNet range/prefix>"   # address space entered in Azure step 3, in CIDR form (e.g. 10.1.0.0/16)
$SharedSecret   = "<pre-shared key>"            # must match the shared key entered in Azure step 9

Function Invoke-WindowsApi(
    [string] $dllName,
    [Type] $returnType,
    [string] $methodName,
    [Type[]] $parameterTypes,
    [Object[]] $parameters
    )
{
    ## Begin to build the dynamic assembly
    $domain = [AppDomain]::CurrentDomain
    $name = New-Object Reflection.AssemblyName 'PInvokeAssembly'
    $assembly = $domain.DefineDynamicAssembly($name, 'Run')
    $module = $assembly.DefineDynamicModule('PInvokeModule')
    $type = $module.DefineType('PInvokeType', "Public,BeforeFieldInit")

    $inputParameters = @()
    for($counter = 1; $counter -le $parameterTypes.Length; $counter++)
    {
        $inputParameters += $parameters[$counter - 1]
    }

    $method = $type.DefineMethod($methodName, 'Public,HideBySig,Static,PinvokeImpl', $returnType, $parameterTypes)

    ## Apply the P/Invoke constructor ([DllImport("kernel32.dll")] on the generated method)
    $ctor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([string])
    $attr = New-Object Reflection.Emit.CustomAttributeBuilder $ctor, $dllName
    $method.SetCustomAttribute($attr)

    ## Create the temporary type, and invoke the method.
    $realType = $type.CreateType()
    $ret = $realType.InvokeMember($methodName, 'Public,Static,InvokeMethod', $null, $null, $inputParameters)
    return $ret
}

Function Set-PrivateProfileString(
    $file,
    $category,
    $key,
    $value)
{
    ## Prepare the parameter types and parameter values for the Invoke-WindowsApi script
    $parameterTypes = [string], [string], [string], [string]
    $parameters = [string] $category, [string] $key, [string] $value, [string] $file

    ## Invoke the API (WritePrivateProfileString writes one key into an INI-style section)
    [void] (Invoke-WindowsApi "kernel32.dll" ([UInt32]) "WritePrivateProfileString" $parameterTypes $parameters)
}

# Install RRAS role
Import-Module ServerManager
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Add-WindowsFeature -Name Routing -IncludeManagementTools

# !!! NOTE: A reboot of the machine might be required here, after which the script can be executed again.

# Install S2S VPN
Import-Module RemoteAccess
if ((Get-RemoteAccess).VpnS2SStatus -ne "Installed")
{
    Install-RemoteAccess -VpnType VpnS2S
}

# Add and configure S2S VPN interface (":100" is the metric of the route RRAS installs toward the Azure range)
Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name $ConnectionName -Destination $AzureGatewayIP -IPv4Subnet @("${AzureSubnet}:100") -SharedSecret $SharedSecret
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption
Set-VpnS2SInterface -Name $ConnectionName -InitiateConfigPayload $false -Force

# Set S2S VPN connection to be persistent by editing the router.pbk file (requires admin privileges).
# The section name in router.pbk is the interface name, so it must match -Name above.
Set-PrivateProfileString $env:windir\System32\ras\router.pbk $ConnectionName "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk $ConnectionName "RedialOnLinkFailure" "1"

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-VpnS2SInterface -Name $ConnectionName
8. Open Routing and Remote Access to view the connection status
https://s1.运维网.com/wyfs02/M00/8E/E2/wKioL1jOlMHRf5T4AABWflz4OHU778.png-wh_500x0-wm_3-wmp_4-s_872632273.png
9. Confirm that the route entry for the Azure private network is present
https://s1.运维网.com/wyfs02/M01/8E/E4/wKiom1jOlNnzUrUbAAA9t29lUX4145.png-wh_500x0-wm_3-wmp_4-s_2815183999.png
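Steps 8 and 9 check the tunnel through the Routing and Remote Access console. The same checks, plus a look at what IKE actually negotiated, can be done from PowerShell on the RRAS instance. This is an added example written for this page, not part of the original post; `Test-AzureS2STunnel` is a hypothetical helper name, `$ConnectionName` must equal the `-Name` given to `Add-VpnS2SInterface`, and the Azure CIDR and VM address are placeholders.

```powershell
# Added example: verify the S2S tunnel from PowerShell on the Windows Server 2012 R2 RRAS instance.
Import-Module RemoteAccess
Import-Module NetSecurity

Function Test-AzureS2STunnel {
    param(
        [string] $ConnectionName,   # same -Name used in Add-VpnS2SInterface
        [string] $AzureCidr,        # Azure VNet address space, e.g. 10.1.0.0/16 (placeholder)
        [string] $AzureVmIp         # an Azure VM to probe through the tunnel (placeholder)
    )

    # Step 8 equivalent: interface state. 'Connected' is the goal; a tunnel stuck in 'Connecting'
    # usually means IKE never completed (PSK mismatch, or UDP 500/4500 blocked toward the instance).
    $iface = Get-VpnS2SInterface -Name $ConnectionName
    $iface | Select-Object Name, Destination, ConnectionState, AdminStatus, IPv4Subnet | Format-List | Out-Host

    # Policy the server offers (MaximumEncryption was chosen by the setup script) ...
    Get-VpnServerIPsecConfiguration | Format-List EncryptionType, *Method, *Constants, DHGroup, PfsGroup | Out-Host

    # ... versus what was actually negotiated on the wire. Check cipher, integrity and DH group here
    # rather than trusting the configured policy: IKE settles on the strongest proposal both peers share.
    Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId | Out-Host
    Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, Esp* | Out-Host

    # Step 9 equivalent: the route RRAS installed toward the Azure VNet (metric 100 from -IPv4Subnet)
    $route = Get-NetRoute -DestinationPrefix $AzureCidr -ErrorAction SilentlyContinue
    $route | Select-Object DestinationPrefix, InterfaceAlias, RouteMetric | Format-Table -AutoSize | Out-Host

    # Traffic counters and an end-to-end probe. ICMP must be allowed by the Azure VM's NSG and OS firewall,
    # so a failed ping with a Connected tunnel and an installed route points at the VM side, not IPsec.
    Get-VpnS2SInterfaceStatistics -Name $ConnectionName | Format-List Bytes*, ConnectionDuration | Out-Host
    $reachable = Test-Connection -ComputerName $AzureVmIp -Count 2 -Quiet

    return [pscustomobject]@{
        ConnectionState  = $iface.ConnectionState
        RouteInstalled   = [bool] $route
        AzureVmReachable = $reachable
    }
}

# Placeholder values; replace with the connection name, Azure range and a real Azure VM address
Test-AzureS2STunnel -ConnectionName "AzureS2S" -AzureCidr "10.1.0.0/16" -AzureVmIp "10.1.1.4"
```

Reading the negotiated security associations rather than the configured policy is the check worth keeping: the setup script asks for `MaximumEncryption`, but the algorithms in use are whatever both the Azure gateway and RRAS agreed on, and that is what `Get-NetIPsecMainModeSA` and `Get-NetIPsecQuickModeSA` report.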
Note: at this point the VPN between Azure and the AWS Windows Server 2012 R2 instance is up. For other AWS VMs to communicate with Azure, a route entry for the Azure range pointing at this instance must be added to the route table of the current VPC.
https://s3.运维网.com/wyfs02/M02/8E/E4/wKiom1jOlQHB9RC2AAGJTfxtrNo512.png-wh_500x0-wm_3-wmp_4-s_1209926525.png
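The AWS-side console steps 5 and 6 and the route entry from the note above can be scripted as well. The following is an added example written for this page with the AWS Tools for PowerShell (the `AWSPowerShell` or `AWS.Tools.EC2` module); it is not part of the original post. Every identifier (instance, route table, security group, IPs and ranges) is a placeholder, and the security-group rule for IKE on UDP 500/4500 is an assumption about what the Azure gateway needs to reach on the instance.

```powershell
# Added example: AWS side of the tunnel with the AWS Tools for PowerShell. All IDs and addresses are placeholders.
$InstanceId   = "i-0123456789abcdef0"    # the Windows Server 2012 R2 RRAS instance
$RouteTableId = "rtb-0123456789abcdef0"  # route table of the VPC subnets that must reach Azure
$AzureCidr    = "10.1.0.0/16"            # Azure VNet address space
$AzureGwIp    = "198.51.100.20"          # public IP of the Azure virtual network gateway

$instance = (Get-EC2Instance -InstanceId $InstanceId).Instances[0]
$eniId    = $instance.NetworkInterfaces[0].NetworkInterfaceId
$sgId     = $instance.SecurityGroups[0].GroupId

# Step 5: allocate an Elastic IP and attach it to the instance. This is the address entered
# as the AWS public IP in the Azure local network gateway (Azure step 7).
$eip = New-EC2Address -Domain vpc
Register-EC2Address -InstanceId $InstanceId -AllocationId $eip.AllocationId
"AWS public IP for the Azure local network gateway: $($eip.PublicIp)"

# Step 6: disable the source/destination check. Without this, EC2 drops packets the instance
# forwards for other VPC hosts, so traffic from other AWS VMs never enters the tunnel.
Edit-EC2NetworkInterfaceAttribute -NetworkInterfaceId $eniId -SourceDestCheck $false

# Inbound IKE (UDP 500) and NAT-T (UDP 4500) are only needed from the Azure gateway, so scope
# the rules to its /32 instead of 0.0.0.0/0. ESP itself travels inside UDP 4500 because the
# instance sits behind the Elastic IP's NAT.
$ikePerms = foreach ($port in 500, 4500) {
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = "udp"
    $perm.FromPort   = $port
    $perm.ToPort     = $port
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp      = "$AzureGwIp/32"
    $range.Description = "Azure VPN gateway IKEv2"
    $perm.Ipv4Ranges.Add($range)
    $perm
}
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $ikePerms

# Closing note: send Azure-bound traffic from the rest of the VPC through the RRAS instance
New-EC2Route -RouteTableId $RouteTableId -DestinationCidrBlock $AzureCidr -InstanceId $InstanceId

# Verify the route landed in the table
Get-EC2RouteTable -RouteTableId $RouteTableId |
    Select-Object -ExpandProperty Routes |
    Where-Object { $_.DestinationCidrBlock -eq $AzureCidr } |
    Format-Table DestinationCidrBlock, InstanceId, State -AutoSize
```

The source/destination check and the VPC route are the two pieces people most often forget: with the check enabled the instance is a dead end for anything but its own traffic, and without the route other subnets in the VPC send Azure-bound packets to the internet gateway instead of the tunnel.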