Azure Resource Manager now supports Point-to-Site VPN. This post shows how to build a P2S VPN in ARM mode through PowerShell; the P2S VPN is deployed with an ARM Template.
- First, prepare the ARM Template. This template simply creates a VNet, a Public IP and a VPN Gateway, and assigns the Public IP to the VPN Gateway.
- Start by defining the Public IP and the VNet
{
  "apiVersion": "[variables('apiVersion')]",
  "type": "Microsoft.Network/virtualNetworks",
  "name": "[parameters('virtualNetworkName')]",
  "location": "[variables('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "[parameters('vnetAddressPrefix')]"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "[parameters('gatewaySubnetPrefix')]"
        }
      }
    ]
  }
},
{
  "apiVersion": "[variables('apiVersion')]",
  "type": "Microsoft.Network/publicIPAddresses",
  "name": "[parameters('gatewayPublicIPName')]",
  "location": "[variables('location')]",
  "properties": {
    "publicIPAllocationMethod": "Dynamic"
  }
},
- Next, define the VNet Gateway
{
  "apiVersion": "[variables('apiVersion')]",
  "type": "Microsoft.Network/virtualNetworkGateways",
  "name": "[parameters('gatewayName')]",
  "location": "[variables('location')]",
  "dependsOn": [
    "[concat('Microsoft.Network/publicIPAddresses/', parameters('gatewayPublicIPName'))]",
    "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
  ],
  "properties": {
    "ipConfigurations": [
      {
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('gatewaySubnetRef')]"
          },
          "publicIPAddress": {
            "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('gatewayPublicIPName'))]"
          }
        },
        "name": "vnetGatewayConfig"
      }
    ],
    "sku": {
      "name": "[parameters('gatewaySku')]",
      "tier": "[parameters('gatewaySku')]"
    },
    "gatewayType": "Vpn",
    "vpnType": "RouteBased",
    "enableBgp": false,
    "vpnClientConfiguration": {
      "vpnClientAddressPool": {
        "addressPrefixes": [
          "[parameters('vpnClientAddressPoolPrefix')]"
        ]
      },
      "vpnClientRootCertificates": [
        {
          "name": "[parameters('clientRootCertName')]",
          "properties": {
            "PublicCertData": "[parameters('clientRootCertData')]"
          }
        }
      ],
      "vpnClientRevokedCertificates": [
        {
          "name": "[parameters('revokedCertName')]",
          "properties": {
            "Thumbprint": "[parameters('revokedCertThumbprint')]"
          }
        }
      ]
    }
  }
}
- The tier can be Basic, Standard or HighPerformance; each corresponds to a different VPN Gateway SKU.
- PublicCertData is the content of the certificate used to authenticate the connection; below, a self-signed certificate is used as the example of how to obtain this value.
- vpnClientRevokedCertificates is optional; here you can list the client certificates whose connections should be refused. Because Azure VPN authenticates by certificate, a certificate listed as revoked can no longer be used for a Point-to-Site connection.
- Generate the self-signed certificate
- Open the Visual Studio Command Prompt, or install the Windows SDK and locate makecert.exe at the following location
- Run the following command to generate the Root certificate
- makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"
- Run the following command to generate the Client certificate
- makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1
- Open certmgr.msc
- Find the Root certificate and export it
- Do NOT export the Private Key
- Export as a Base64-encoded file
- Open the file with Notepad; the highlighted part (the Base64 text between the BEGIN and END lines) is the content of the PublicCertData field in the ARM Template (the line breaks must be removed)
- Note: vpnClientRevokedCertificates must not be the same certificate as vpnClientRootCertificates, otherwise the deployment fails with an error.
- Next, run PowerShell to deploy this ARM Template
- After the deployment completes, we still need to download the Client Package before we can connect; open PowerShell and obtain the download URL with the following command
- Get-AzureRmVpnClientPackage -ResourceGroupName $rgn -VirtualNetworkGatewayName $gwName -ProcessorArchitecture Amd64
- where $rgn and $gwName are the Resource Group name and the VNet Gateway name
- You can then connect the same way as with any ordinary VPN connection
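The export, validation and deployment steps above, as an added PowerShell example that is not from the original post; the template file name, resource group, certificate subject names and parameter values are assumptions:

```powershell
# Added example (not part of the original post). Assumptions: the template is
# saved as .\p2s-vpn.json, the resource group already exists, and the subject
# names / parameter values below are placeholders you replace with your own.
$rgn    = 'p2s-rg'            # assumed resource group name
$gwName = 'myVNetGateway'     # assumed VNet Gateway name

# Root certificate created with "makecert -r ... -ss My" lives in CurrentUser\My.
$root = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=RootCertificateName' } | Select-Object -First 1
if (-not $root) { throw 'Root certificate not found in Cert:\CurrentUser\My' }

# Export(Cert) yields only the public DER certificate (no private key); its
# Base64 without line breaks is exactly what the PublicCertData field expects.
$certType     = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$rootCertData = [Convert]::ToBase64String($root.Export($certType))

# Client certificate to revoke (assumed subject); ARM wants its SHA-1 thumbprint.
$revoked = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=RevokedClientCertificateName' } | Select-Object -First 1
if (-not $revoked) { throw 'Revoked client certificate not found' }

# Guard against the deployment error the post warns about: the revoked entry
# must never be the root certificate itself.
if ($revoked.Thumbprint -eq $root.Thumbprint) {
    throw 'vpnClientRevokedCertificates must not reference the root certificate'
}

# Parameter names match the parameters() references in the template above.
$params = @{
    virtualNetworkName         = 'p2sVNet'
    vnetAddressPrefix          = '10.1.0.0/16'
    gatewaySubnetPrefix        = '10.1.255.0/27'
    gatewayPublicIPName        = 'p2sGatewayPip'
    gatewayName                = $gwName
    gatewaySku                 = 'Standard'         # Basic | Standard | HighPerformance
    vpnClientAddressPoolPrefix = '172.16.201.0/24'  # must not overlap the VNet
    clientRootCertName         = 'RootCertificateName'
    clientRootCertData         = $rootCertData
    revokedCertName            = 'RevokedClientCertificateName'
    revokedCertThumbprint      = $revoked.Thumbprint
}

New-AzureRmResourceGroupDeployment -ResourceGroupName $rgn `
    -TemplateFile .\p2s-vpn.json -TemplateParameterObject $params -Verbose

# Gateway provisioning takes a while; when it finishes, fetch the client package URL.
Get-AzureRmVpnClientPackage -ResourceGroupName $rgn `
    -VirtualNetworkGatewayName $gwName -ProcessorArchitecture Amd64
```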