- Configure a virtual network and a dynamic routing gateway
- Create your certificates
- Configure your VPN client
A point-to-site connection requires a virtual network with a dynamic routing gateway. The steps below will walk you through creating both.
- Create a virtual network
- Create a dynamic routing gateway
Create a virtual network
- Log in to the Windows Azure Management Portal.
- In the lower left-hand corner of the screen, click New. In the navigation pane, click Network Services, and then click Virtual Network. Click Custom Create to begin the configuration wizard.
- On the Virtual Network Details page, enter the following information, and then click the next arrow on the lower right. For more information about the settings on the details page, see the Virtual Network Details page.
- Name – Name your virtual network. For example “VNetEast”. This will be the name that you’ll refer to when you deploy VMs and PaaS instances to this VNet.
- Location – The location is directly related to the physical location (region) where you want your resources (VMs) to reside. For example, if you want the VMs that you deploy to this virtual network to be physically located in East US, select that location. You can’t change the region associated with your virtual network after you create it.
- On the DNS Servers and VPN Connectivity page, enter the following information, and then click the next arrow on the lower right. For more information, see the DNS Servers and VPN Connectivity page.
- DNS Servers – Enter the DNS server name and IP address, or select a previously registered DNS server from the dropdown. This setting does not create a DNS server; it lets you specify the DNS servers that you want to use for name resolution in this virtual network. If you want to use the Azure default name resolution service, leave this section blank.
- Configure Point-To-Site VPN – Select the checkbox.
- On the Point-To-Site Connectivity page, specify the IP address range from which your VPN clients will receive an IP address when connected. There are a few rules regarding the address ranges that you are able to specify. It’s very important to verify that the range you specify doesn’t overlap with any of the ranges used on your on-premises network. See the Point-To-Site Connectivity page for more information.
Enter the following information, and then click the next arrow.
- Address Space – Include the Starting IP and CIDR (Address Count).
- Add address space – Add only if required for your network design.
- On the Virtual Network Address Spaces page, specify the address range that you want to use for your virtual network. These are the dynamic IP addresses (DIPs) that will be assigned to the VMs and other role instances that you deploy to this virtual network. There are quite a few rules regarding virtual network address space, so you will want to see the Virtual Network Address Spaces page for more information. It’s especially important to select a range that does not overlap with any of the ranges that are used for your on-premises network. You’ll need to coordinate with your network administrator, who may need to carve out a range of IP addresses from your on-premises network address space for you to use for your virtual network.
Enter the following information, and then click the checkmark to begin creating your virtual network.
- Address Space – Add the internal IP address range that you want to use for this virtual network, including Starting IP and Count.
- Add subnet – Additional subnets are not required, but you may want to create a separate subnet for VMs that will have static DIPs. Or you might want to have your VMs in a subnet that’s separate from your other role instances.
- Add gateway subnet – The gateway subnet is required for a point-to-site VPN. Click to add the gateway subnet. The gateway subnet is used only for the virtual network gateway.
- When your virtual network has been created, you will see Created listed under Status on the networks page in the Management Portal. Once your virtual network has been created, you can create your dynamic routing gateway.
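The non-overlap rules above are the part of this procedure that is easiest to get wrong and hardest to fix afterwards, since the region and address ranges cannot be changed once the network exists. The following added example (not part of the original article) checks an address plan before you type it into the portal: it verifies that the VNet address space and the point-to-site client pool do not overlap any on-premises range, that the client pool does not overlap the VNet itself (a restriction Azure also enforces, though the text above states only the on-premises rule), and that the gateway subnet lies inside the VNet. All ranges are constructed sample values.

```python
import ipaddress

# Constructed sample plan; replace with your own ranges.
ON_PREMISES = ["10.0.0.0/16", "192.168.1.0/24"]   # ranges already in use on-premises
VNET_ADDRESS_SPACE = ["10.1.0.0/16"]              # Virtual Network Address Spaces page
GATEWAY_SUBNET = "10.1.255.0/29"                  # "Add gateway subnet", must sit in the VNet
VPN_CLIENT_POOL = "172.16.201.0/24"               # Point-To-Site Connectivity page


def check_plan(on_prem, vnet_spaces, gateway_subnet, client_pool):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    on_prem_nets = [ipaddress.ip_network(n) for n in on_prem]
    vnet_nets = [ipaddress.ip_network(n) for n in vnet_spaces]
    gw = ipaddress.ip_network(gateway_subnet)
    pool = ipaddress.ip_network(client_pool)

    # Rule from the Virtual Network Address Spaces page: VNet ranges must not
    # collide with anything routed on-premises, or traffic will be ambiguous.
    for v in vnet_nets:
        for o in on_prem_nets:
            if v.overlaps(o):
                problems.append(f"VNet space {v} overlaps on-premises {o}")

    # Rule from the Point-To-Site Connectivity page: the client pool must not
    # overlap on-premises ranges; it must also be distinct from the VNet itself.
    for o in on_prem_nets:
        if pool.overlaps(o):
            problems.append(f"client pool {pool} overlaps on-premises {o}")
    for v in vnet_nets:
        if pool.overlaps(v):
            problems.append(f"client pool {pool} overlaps VNet space {v}")

    # The gateway subnet is carved out of the VNet address space, so it must be
    # contained in one of the VNet ranges.
    if not any(gw.subnet_of(v) for v in vnet_nets):
        problems.append(f"gateway subnet {gw} is not inside the VNet address space")
    return problems


if __name__ == "__main__":
    issues = check_plan(ON_PREMISES, VNET_ADDRESS_SPACE, GATEWAY_SUBNET, VPN_CLIENT_POOL)
    print("plan OK" if not issues else "\n".join(issues))
```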
Create a dynamic routing gateway
- In the Management Portal, on the Networks page, click the virtual network that you just created, and navigate to the Dashboard page.
- Click Create Gateway, located at the bottom of the Dashboard page. A message will appear asking Do you want to create a gateway for virtual network ‘yournetwork’. Click Yes to begin creating the gateway. It can take around 15 minutes for the gateway to be created.
Create your certificates
Certificates are used to authenticate VPN clients for point-to-site VPNs. This procedure has multiple steps. Use the links below to complete each step, in order.
- Generate a self-signed root certificate (only self-signed root certificates are supported at this time)
- Upload the root certificate file to the Management Portal
- Generate a client certificate
- Export and install the client certificate
Generate a self-signed root certificate
- One way to create an X.509 certificate is by using the Certificate Creation Tool (makecert.exe). To use makecert, download and install Microsoft Visual Studio Express 2013 for Windows Desktop, which is free of charge.
- Navigate to the Visual Studio Tools folder and launch the command prompt as Administrator.
- The command in the example below will create and install a root certificate in the Personal certificate store on your computer and also create a corresponding .cer file that you’ll later upload to the Management Portal.
Change to the directory in which you want the .cer file to be located and run the command listed below, where RootCertificateName is the name that you want to use for the certificate. If you run the example below with no changes, the result will be a root certificate and the corresponding file RootCertificateName.cer.
Note - Because you have created a root certificate from which client certificates will be generated, you may want to export this certificate along with its private key and save it to a safe location where it may be recovered.
makecert -sky exchange -r -n "CN=RootCertificateName" -pe -a sha1 -len 2048 -ss My "RootCertificateName.cer"
Original link: http://msdn.microsoft.com/library/azure/dn133792.aspx