2025-02-23 Update From: SLTechnology News&Howtos, Shulou (Shulou.com), 06/03 Report
Background
Because of business needs, it is necessary to set up an IPSec connection between the company, AWS and Azure. The main challenges are:
AWS only supports IKEv1.
Azure supports IKEv2 by default; if you use IKEv1, you can only build one policy-based connection.
The company's router is a Cisco RV340. The latest version supports IKEv2 but does not support BGP dynamic routing. The AWS connection is no problem, but the Azure connection can only be policy-based by default, which means there is a connection limit: if I want to connect more offices, I can't.
The solution is as follows. Since space is limited, I will not write out the specific steps; they can be looked up in the linked pages. What I mainly provide here is the approach.
1. The connection between AWS and the company
AWS can connect directly to the router using its own IPsec gateway. Router configuration interfaces differ, but the basic idea is the same. I have already written a blog post recording the steps:
https://blog.51cto.com/beanxyz/2177992
2. The connection between Azure and the company
Microsoft provides a solution that allows routers that do not support BGP to use a route-based IPsec connection, thus bypassing the limit of one connection. A custom IPsec/IKE policy is required. This operation is not supported in the graphical interface and can only be done through PowerShell.
https://docs.microsoft.com/en-us/azure/***-gateway/***-gateway-connect-multiple-policybased-rm-ps
# Connect to Azure
Connect-AzureRmAccount

$Sub1 = "Free Trial"
$RG1 = "MyResourceGroup"
$Location1 = "australiaeast"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$ConnectionIT = "VNet1toSiteIT"
$LNGNameIT = "SiteIT"
$LNGPrefixIT = "10.2.13.0/24"
$LNGIPIT = "19.12.127.94"
# Placeholder: the pre-shared key is not shown on this page
$SharedKeyIT = "<pre-shared-key>"

# Create subnets
$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1
$besub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1

# Create VNet
New-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNetPrefix11,$VNetPrefix12 -Subnet $fesub1,$besub1,$gwsub1

# Create a public IP and associate it to the gateway subnet
$gw1pip1 = New-AzureRmPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -AllocationMethod Dynamic
$vnet1 = Get-AzureRmVirtualNetwork -Name $VNetName1 -ResourceGroupName $RG1
$subnet1 = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gw1ipconf1 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GW1IPconf1 -Subnet $subnet1 -PublicIpAddress $gw1pip1

# Create route-based Virtual Gateway
# Assumption: the SKU argument did not survive on this page. VpnGw1 is used here
# because custom IPsec/IKE policies are not supported on the Basic SKU.
New-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1 -Location $Location1 -IpConfigurations $gw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Create the local network gateway that represents the company router
New-AzureRmLocalNetworkGateway -Name $LNGNameIT -ResourceGroupName $RG1 -Location $Location1 -GatewayIpAddress $LNGIPIT -AddressPrefix $LNGPrefixIT

# Define IPSEC/IKE policy. The router must be configured with exactly these values.
# DHGroup2 is the 1024-bit MODP group, and PfsGroup None disables PFS.
$ipsecpolicy6 = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup None
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GWName1 -ResourceGroupName $RG1
$lng6 = Get-AzureRmLocalNetworkGateway -Name $LNGNameIT -ResourceGroupName $RG1

# Create new Connection with policy-based traffic selectors on the route-based gateway
New-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionIT -ResourceGroupName $RG1 -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng6 -Location $Location1 -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy6 -SharedKey $SharedKeyIT
Just execute the above code, replacing the IP addresses with your own. Note that it takes 20 minutes to create a Virtual Network Gateway, so wait patiently. (A bit of scorn for Azure here: creating a gateway with the same function in AWS takes one minute.)
Then select and configure the corresponding IKE settings on the company router so that they match the policy you defined yourself.
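The check below is an added example, not part of the original post: it compares the IPsec/IKE policy from the script above with the values entered on the router, field by field, and notes the weaker choices in that policy. The function names, the router-side hashtable (written in Azure's naming) and its deliberate PfsGroup mismatch are constructed for illustration.

```powershell
# Added example (not from the original post): compare the IPsec/IKE policy on
# the Azure connection with what was entered on the router.
function Compare-IpsecPolicy {
    param(
        [Parameter(Mandatory)] $AzurePolicy,                # policy object or equivalent
        [Parameter(Mandatory)] [hashtable] $RouterSettings  # router values, in Azure's naming
    )
    $fields = 'IkeEncryption', 'IkeIntegrity', 'DhGroup',
              'IpsecEncryption', 'IpsecIntegrity', 'PfsGroup'
    foreach ($f in $fields) {
        $azure  = [string]$AzurePolicy.$f
        $router = [string]$RouterSettings[$f]
        [pscustomobject]@{
            Field  = $f
            Azure  = $azure
            Router = $router
            Match  = ($azure -eq $router)   # string -eq is case-insensitive
        }
    }
}

function Get-IpsecPolicyWarning {
    param([Parameter(Mandatory)] $AzurePolicy)
    if ($AzurePolicy.DhGroup -in 'DHGroup1', 'DHGroup2') {
        "DhGroup $($AzurePolicy.DhGroup): MODP group of 1024 bits or less"
    }
    if ($AzurePolicy.PfsGroup -eq 'None') {
        'PfsGroup None: IPsec SAs are rekeyed without a fresh Diffie-Hellman exchange'
    }
}

# Constructed sample mirroring the policy in the script above. Against a live
# connection, read it instead with:
#   (Get-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionIT -ResourceGroupName $RG1).IpsecPolicies[0]
$azurePolicy = [pscustomobject]@{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA256'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'None'
}
# Constructed router-side values with one deliberate mismatch (PfsGroup).
$routerSettings = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA256'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA256'; PfsGroup = 'PFS2'
}

Compare-IpsecPolicy -AzurePolicy $azurePolicy -RouterSettings $routerSettings | Format-Table -AutoSize
Get-IpsecPolicyWarning -AzurePolicy $azurePolicy
```

Any row with Match set to False is a proposal mismatch that will keep the tunnel from coming up until both ends agree.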
3. Connection between AWS and Azure
Because AWS supports IKEv1 and Azure supports IKEv2, the only solution is to build a new instance on AWS to act as a software router.
Douzi tried VyOS, but it didn't work very well, and finally found that it could be done with the routing service that comes with Windows Server. For the specific steps, see:
http://awsfeed.com/post/165181537929/connecting-clouds-aws-to-azure-site-to-site-***