February 15, 2016

Deploying an Azure Point-to-Site VPN with an ARM Template

Azure Resource Manager now supports Point-to-Site VPN, and there is a guide on how to build a P2S VPN under ARM mode with PowerShell. Here the P2S VPN is deployed through an ARM Template instead.
  • First, prepare the ARM Template. This template simply creates a VNet, a Public IP and a VPN Gateway, and assigns the Public IP to the VPN Gateway.
  • Start by defining the Public IP and the VNet

{
   "apiVersion":"[variables('apiVersion')]",
   "type":"Microsoft.Network/virtualNetworks",
   "name":"[parameters('virtualNetworkName')]",
   "location":"[variables('location')]",
   "properties":{
      "addressSpace":{
         "addressPrefixes":[
            "[parameters('vnetAddressPrefix')]"
         ]
      },
      "subnets":[
         {
            "name":"GatewaySubnet",
            "properties":{
               "addressPrefix":"[parameters('gatewaySubnetPrefix')]"
            }
         }
      ]
   }
},

{
   "apiVersion":"[variables('apiVersion')]",
   "type":"Microsoft.Network/publicIPAddresses",
   "name":"[parameters('gatewayPublicIPName')]",
   "location":"[variables('location')]",
   "properties":{
      "publicIPAllocationMethod":"Dynamic"
   }
},
  • Next, define the VNet Gateway

{
   "apiVersion":"[variables('apiVersion')]",
   "type":"Microsoft.Network/virtualNetworkGateways",
   "name":"[parameters('gatewayName')]",
   "location":"[variables('location')]",
   "dependsOn":[
      "[concat('Microsoft.Network/publicIPAddresses/', parameters('gatewayPublicIPName'))]",
      "[concat('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
   ],
   "properties":{
      "ipConfigurations":[
         {
            "properties":{
               "privateIPAllocationMethod":"Dynamic",
               "subnet":{
                  "id":"[variables('gatewaySubnetRef')]"
               },
               "publicIPAddress":{
                  "id":"[resourceId('Microsoft.Network/publicIPAddresses',parameters('gatewayPublicIPName'))]"
               }
            },
            "name":"vnetGatewayConfig"
         }
      ],
      "sku":{
         "name":"[parameters('gatewaySku')]",
         "tier":"[parameters('gatewaySku')]"
      },
      "gatewayType":"Vpn",
      "vpnType":"RouteBased",
      "enableBgp":false,
      "vpnClientConfiguration":{
         "vpnClientAddressPool":{
            "addressPrefixes":[
               "[parameters('vpnClientAddressPoolPrefix')]"
            ]
         },
         "vpnClientRootCertificates":[
            {
               "name":"[parameters('clientRootCertName')]",
               "properties":{
                  "PublicCertData":"[parameters('clientRootCertData')]"
               }
            }
         ],
         "vpnClientRevokedCertificates":[
            {
               "name":"[parameters('revokedCertName')]",
               "properties":{
                  "Thumbprint":"[parameters('revokedCertThumbprint')]"
               }
            }
         ]
      }
   }
}
    • tier can be Basic, Standard or HighPerformance, each corresponding to a different VPN Gateway SKU (the sku name is set to the same value as the tier)
    • PublicCertData is the content of the certificate used to authenticate connections; below, a self-signed certificate is used as the example of how to produce this value
    • vpnClientRevokedCertificates is optional; it lists the client certificates whose connections should be refused. Since Azure VPN authenticates by certificate, a certificate listed as revoked can no longer establish a Point-to-Site connection.
  • Generate the Self-Signed Certificate
    • Open the Visual Studio Command Prompt, or install the Windows SDK and find makecert.exe in the following location
    • Run the following command to generate the Root certificate
      • makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"
    • Run the following command to generate the Client certificate
      • makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1
    • Open certmgr.msc
    • Locate the Root certificate and Export it
    • Do not export the Private Key
    • Export it as a Base-64 encoded file
    • Open that file in Notepad; the highlighted portion (the Base64 body between the BEGIN CERTIFICATE and END CERTIFICATE lines) is the content of the ARM Template's PublicCertData field (the line breaks must be removed)
    • Note: vpnClientRevokedCertificates must not be the same certificate as vpnClientRootCertificates, otherwise the deployment fails with an error.
  • Next, run PowerShell to deploy this ARM Template
  • After the deployment completes, we still need to download the Client Package in order to connect; open PowerShell and obtain the download URL with the following command
    • Get-AzureRmVpnClientPackage -ResourceGroupName $rgn -VirtualNetworkGatewayName $gwName -ProcessorArchitecture Amd64
    • where $rgn and $gwName are the Resource Group Name and the VNet Gateway name
    • Download and install the Client Package from the returned URL
  • You can then connect in the same way as any ordinary VPN connection
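The deployment steps above, carried through end to end as an added PowerShell example (this is not the original post's script). It assumes the template fragments shown above are saved as .\p2s-vpn.json together with the parameters and variables they reference, that the root certificate was exported to .\RootCertificateName.cer as described, and that a client certificate to revoke exists in the CurrentUser\My store. The resource group, gateway, VNet and address-range values, the subject CN=RevokedClientCertificateName and the file paths are constructed sample values. It converts the exported certificate to the single-line PublicCertData value, checks that the revoked thumbprint is not the root's, validates the template, deploys it and fetches the client package URL.

```powershell
# Added example, not the original post's code. Paths, names and address ranges
# below are constructed sample values; adjust them to your environment.

$rgn      = 'p2s-demo-rg'    # Resource Group name (constructed)
$gwName   = 'p2s-demo-gw'    # VNet Gateway name (constructed)
$location = 'East Asia'

# 1. PublicCertData: the Base64 body of the exported root certificate with no
#    BEGIN/END lines and no line breaks. Loading the .cer through X509Certificate2
#    accepts both DER and Base-64 exports; RawData is the DER encoding, so
#    re-encoding it yields exactly the one-line value the template expects.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('.\RootCertificateName.cer')
$clientRootCertData = [System.Convert]::ToBase64String($rootCert.RawData)

# 2. Revoked certificate: take the thumbprint of a client certificate from the
#    CurrentUser\My store (the store that makecert -ss My wrote to).
$revokedCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=RevokedClientCertificateName' } |
    Select-Object -First 1
if (-not $revokedCert) { throw 'Revoked client certificate not found in Cert:\CurrentUser\My' }

# Guard for the note above: a revoked entry that references the root certificate
# makes the deployment fail, so stop here instead of at deployment time.
if ($revokedCert.Thumbprint -eq $rootCert.Thumbprint) {
    throw 'vpnClientRevokedCertificates must not reference the root certificate'
}

# 3. Template parameters as a hashtable; keys match the parameters() references
#    used in the template fragments above.
$params = @{
    virtualNetworkName         = 'p2s-demo-vnet'
    vnetAddressPrefix          = '10.1.0.0/16'
    gatewaySubnetPrefix        = '10.1.255.0/27'
    gatewayPublicIPName        = 'p2s-demo-gw-pip'
    gatewayName                = $gwName
    gatewaySku                 = 'Basic'            # Basic, Standard or HighPerformance
    vpnClientAddressPoolPrefix = '172.16.201.0/24'  # must not overlap the VNet or on-premises ranges
    clientRootCertName         = 'RootCertificateName'
    clientRootCertData         = $clientRootCertData
    revokedCertName            = 'RevokedClientCertificateName'
    revokedCertThumbprint      = $revokedCert.Thumbprint
}

# 4. Validate the template against the parameters before deploying, then deploy.
Login-AzureRmAccount
New-AzureRmResourceGroup -Name $rgn -Location $location -Force | Out-Null

$validation = Test-AzureRmResourceGroupDeployment -ResourceGroupName $rgn `
    -TemplateFile '.\p2s-vpn.json' -TemplateParameterObject $params
if ($validation) { $validation | Format-List; throw 'Template validation failed' }

New-AzureRmResourceGroupDeployment -Name 'p2s-vpn' -ResourceGroupName $rgn `
    -TemplateFile '.\p2s-vpn.json' -TemplateParameterObject $params -Verbose

# 5. Once the gateway is provisioned, obtain the client package URL (the same
#    cmdlet the post uses) and download the installer from it.
$pkgUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $rgn `
    -VirtualNetworkGatewayName $gwName -ProcessorArchitecture Amd64
$pkgUrl = "$pkgUrl".Trim('"')   # strip surrounding quotes if the cmdlet returns a quoted string
Invoke-WebRequest -Uri $pkgUrl -OutFile '.\VpnClientPackage.exe'
```

Deriving PublicCertData from the certificate object rather than by hand-editing the exported file removes the most common deployment failure (leftover line breaks or BEGIN/END lines in the parameter value), and the thumbprint comparison enforces the note above before any resources are created. Gateway provisioning can take a long time, so step 5 may need to be re-run after the deployment reports success.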

