多个 Azure VPN 网关
[英]Multiple Azure VPN Gateways
问题描述
I have been trying to tackle a problem where I need to create a second VPN tunnel to a site (SiteA), this site already has a VPN tunnel set up with our VPN Gateway.
我一直在尝试解决我需要创建第二个 VPN 隧道到站点 (SiteA) 的问题,该站点已经使用我们的 VPN 网关设置了 VPN 隧道。
SiteA is unable to create a second tunnel to our VPN gateway public IP, as a route already exists. SiteA 无法创建到我们的 VPN 网关公共 IP 的第二条隧道,因为路由已经存在。
I need to knnow can I add a second IP to the vPN gateway, which I think is a NO, but I can't find anything concrete to validate that, and if that's not possible, can we add a second VPN gateway into the same GatewaySu.net, in our hub .NET.我需要知道我是否可以向 vPN 网关添加第二个 IP,我认为这是一个 NO,但我找不到任何具体的东西来验证它,如果那不可能,我们可以添加第二个 VPN 网关到同一个GatewaySu.net,在我们的中心 .NET。
Although I think this would be problematic as how would the traffic from firewall know which tunnel to send the taffic to.尽管我认为这会有问题,因为来自防火墙的流量如何知道将流量发送到哪个隧道。
Some backgound: Hub and spoke design with hub consisting of Az firewall and Az VPN gateway.一些背景:中心辐射设计,中心由 Az 防火墙和 Az VPN 网关组成。 Peered spokes route through FW to get to VPN gateway. Peered spoke 通过 FW 路由到达 VPN 网关。 Hope that makes sense.希望这是有道理的。
Thanks in advance.提前致谢。
1 个解决方案
解决方案1
1 已采纳 2022-10-03 12:57:53
To create a second VPN tunnel to a site (SiteA), which already has a VPN tunnel set up with your VPN Gateway, you can enable your Azure VPN gateway for an active-active configuration, where both instances of the gateway VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown in the following diagram:要创建到站点 (SiteA) 的第二个 VPN 隧道,该站点已经使用您的 VPN 网关设置了 VPN 隧道,您可以启用 Azure VPN 网关进行主动-主动配置,其中网关 VM 的两个实例都将建立 S2S到本地 VPN 设备的 VPN 隧道,如下图所示:
Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways参考: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable#active-active-vpn-gateways
In the Active-active Azure VPN gateway configuration, each Azure gateway instance will have a unique public IP address, and each will establish an IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local.network gateway and connection.在 Active-active Azure VPN 网关配置中,每个 Azure 网关实例都有一个唯一的公共 IP 地址,并且每个实例都将建立一个 IPsec/IKE S2S VPN 隧道到您在 local.network 网关和连接中指定的本地 VPN 设备。 You will need to configure your on-premises VPN device to accept or establish two S2S VPN tunnels to the two Azure VPN gateway public IP addresses which are created when active-active option is enabled and because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual.network to your on-premises.network will be routed through both tunnels simultaneously, even if your on-premises VPN device may favor one tunnel over the other.您将需要配置本地 VPN 设备以接受或建立两个 S2S VPN 隧道到两个 Azure VPN 网关公共 IP 地址,这些地址是在启用主动-主动选项时创建的,因为 Azure 网关实例处于主动-主动配置,从您的 Azure virtual.network 到您的 on-premises.network 的流量将同时通过两个隧道路由,即使您的本地 VPN 设备可能更喜欢一个隧道。
To change/update an existing Azure VPN gateway from active-standby to active-active mode, refer the below doc:要将现有的 Azure VPN 网关从主动-备用模式更改/更新为主动-主动模式,请参阅以下文档:
https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal#-update-an-existing-vpn-gateway https://learn.microsoft.com/en-us/azure/vpn-gateway/active-active-portal#-update-an-existing-vpn-gateway
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.