创建***隧道连通AWS和Azure内网环境

搜索泥称

本文旨实现Azure和AWS内网互联互通，创建站点到站点的IPsec ***，通过IPsec ***实现VM到VM的互通。在本次项目中Azure将利用平台自带***服务，AWS使用windows server 2012 R2服务器作为隧道的端点。因为AWS平台无法自定义IPsec配置，像预共享密钥就是平台随机生成的无法更改并且密钥中带有特殊字符，而且Azure中预共享密钥不能携带特殊符号，所以无法直接平台到平台间建立连接。



准备Azure端
1.首先我们需要创建一个资源组

2.向资源组添加虚拟网络

3.填写虚拟网络地址空间以及该地址空间中的子网范围，也就是Azure 虚机IP网段。


4.添加网关子网

5.创建虚拟网络网关用来与AWS端建立连接

　　

6.选择创建的虚拟网络并添加用于Ipsec连接的公网ip

  注：等待大约45分钟才能建立好虚拟网络网关，创建完毕后记录分配的公共IP用于互联AWS


7.创建本地网络网关，需要填入AWS用于IPsec建立连接的公网IP和AWS内网IP地址

　　

8.建立IPsec连接

　　

9.选择虚拟网络网关和IPsec共享密钥

　　

到此,Azure端配置完成
　　

AWS端配置

• 创建一个VPC
  

　　2.设置内网网段和子网
　　
3.查看创建完的internet网关

4.创建2012实例，用于和Azure建立IPsec

　　

5.给实例分配公网ip地址

　　

6.选择实例取消源/目标，检查

　　

7.配置Windows 2012 R2服务器RRAS服务器
复制下列脚本至Windows 2012 R2 以管理员身份运行PowerShell中
# Windows Azure Virtual Network
# This configuration template applies to Microsoft RRAS running on WindowsServer 2012 R2.
# It configures an IPSec *** tunnel connecting your on-premise *** device withthe Azure gateway.

# !!! Please notice that we have the following restrictions in our support forRRAS:
# !!! 1. Only IKEv2 is currently supported
# !!! 2. Only route-based *** configuration is supported.
# !!! 3. Admin priveleges are required in order to run this script

Function Invoke-WindowsApi(
   [string] $dllName,  
   [Type] $returnType,  
   [string] $methodName,
   [Type[]] $parameterTypes,
   [Object[]] $parameters
   )
{
## Begin to build the dynamic assembly
$domain = [AppDomain]::CurrentDomain
$name = New-Object Reflection.AssemblyName 'PInvokeAssembly'
$assembly = $domain.DefineDynamicAssembly($name, 'Run')
$module = $assembly.DefineDynamicModule('PInvokeModule')
$type = $module.DefineType('PInvokeType',"Public,BeforeFieldInit")

$inputParameters = @()

for($counter = 1; $counter -le $parameterTypes.Length; $counter++)
{
    $inputParameters += $parameters[$counter - 1]
}

$method = $type.DefineMethod($methodName,'Public,HideBySig,Static,PinvokeImpl',$returnType, $parameterTypes)

## Apply the P/Invoke constructor
$ctor =[Runtime.InteropServices.DllImportAttribute].GetConstructor([string])
$attr = New-Object Reflection.Emit.CustomAttributeBuilder $ctor, $dllName
$method.SetCustomAttribute($attr)

## Create the temporary type, and invoke the method.
$realType = $type.CreateType()

$ret = $realType.InvokeMember($methodName, 'Public,Static,InvokeMethod',$null, $null, $inputParameters)

return $ret
}

Function Set-PrivateProfileString(
   $file,
   $category,
   $key,
   $value)
{
## Prepare the parameter types and parameter values for theInvoke-WindowsApi script
$parameterTypes = [string], [string], [string], [string]
$parameters = [string] $category, [string] $key, [string] $value,[string] $file

## Invoke the API
[void] (Invoke-WindowsApi "kernel32.dll" ([UInt32])"WritePrivateProfileString" $parameterTypes $parameters)
}

# Install RRAS role
Import-Module ServerManager
Install-WindowsFeature RemoteAccess -IncludeManagementTools
Add-WindowsFeature -name Routing -IncludeManagementTools

# !!! NOTE: A reboot of the machine might be required here after which thescript can be executed again.

# Install S2S ***
Import-Module RemoteAccess
if ((Get-RemoteAccess).***S2SStatus -ne "Installed")
{
Install-RemoteAccess -***Type ***S2S
}

# Add and configure S2S *** interface
Add-***S2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly-NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name ***连接名称 -Destination Azure公网IP -IPv4Subnet @("Azure内网网段/掩码:100") -SharedSecret 预共享密钥

Set-***ServerIPsecConfiguration -EncryptionType MaximumEncryption

Set-***S2Sinterface -Name ***连接名称-InitiateConfigPayload $false -Force

# Set S2S *** connection to be persistent by editing the router.pbk file(required admin priveleges)
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "Azure公网IP " "IdleDisconnectSeconds" "0"
Set-PrivateProfileString $env:windir\System32\ras\router.pbk "Azure公网IP " "RedialOnLinkFailure" "1"

# Restart the RRAS service
Restart-Service RemoteAccess

# Dial-in to Azure gateway
Connect-***S2SInterface -Name ***连接名称
　　

8.打开路由远程访问查看连接状态

　　

9.查看到Azure内网路由条目

　　注：到此步骤,Azure-AWS Windows 2012 R2 间***已经联通，如需AWS其他虚机与Azure通信 则需要在当前VPC 中指定路由条目