快速入门:创建 Azure 防火墙和防火墙策略 - ARM 模板
在本快速入门中将使用 Azure 资源管理器模板(ARM 模板)创建 Azure 防火墙和防火墙策略。 防火墙策略具有允许连接到 www.microsoft.com 的应用程序规则,还有允许使用 WindowsUpdate FQDN 标记连接到 Windows 更新的规则。 网络规则允许 UDP 连接到位于 13.86.101.172 的时间服务器。
此外,规则中的 IP 组用于定义源 IP 地址。
资源管理器模板是定义项目基础结构和配置的 JavaScript 对象表示法 (JSON) 文件。 模板使用声明性语法。 在声明性语法中,你可以在不编写创建部署的编程命令序列的情况下,描述预期部署。
有关 Azure 防火墙管理器的信息,请参阅什么是 Azure 防火墙管理器?。
有关 Azure 防火墙的信息,请参阅什么是 Azure 防火墙?。
如果你的环境满足先决条件,并且你熟悉如何使用 ARM 模板,请选择“部署到 Azure”按钮。 模板将在 Azure 门户中打开。
先决条件
- 具有活动订阅的 Azure 帐户。 创建试用版订阅。
查看模板
此模板创建一个中心虚拟网络,以及支持该方案所需的资源。
本快速入门中使用的模板来自 Azure 快速启动模板。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "[concat('vnet', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Virtual network name"
}
},
"firewallName": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "Azure Firewall name"
}
},
"numberOfPublicIPAddresses": {
"type": "int",
"defaultValue": 2,
"minValue": 1,
"maxValue": 100,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"availabilityZones": {
"type": "array",
"defaultValue": [
],
"metadata": {
"description": "Zone numbers e.g. 1,2,3."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"infraipgroup": {
"defaultValue": "[concat(parameters('location'),'-infra-ipgroup','-',uniqueString(resourceGroup().id))]",
"type": "String"
},
"workloadipgroup": {
"defaultValue": "[concat(parameters('location'),'-workload-ipgroup','-',uniqueString(resourceGroup().id))]",
"type": "String"
},
"firewallPolicyName": {
"defaultValue": "[concat(parameters('firewallName'),'-','firewallPolicy')]",
"type": "String"
}
},
"variables": {
"vnetAddressPrefix": "10.10.0.0/24",
"azureFirewallSubnetPrefix": "10.10.0.0/25",
"publicIPNamePrefix": "publicIP",
"azurepublicIpname": "[variables('publicIPNamePrefix')]",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets',parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"azureFirewallPublicIpId": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPNamePrefix'))]",
"azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[parameters('numberOfPublicIPAddresses')]",
"input": {
"name": "[concat('IpConf', copyIndex('azureFirewallIpConfigurations'))]",
"properties": {
"subnet": "[if(equals(copyIndex('azureFirewallIpConfigurations'), 0), variables('azureFirewallSubnetJSON'), json('null'))]",
"publicIPAddress": {
"id": "[concat(variables('azureFirewallPublicIpId'), add(copyIndex('azureFirewallIpConfigurations'), 1))]"
}
}
}
}
]
},
"resources": [
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2019-12-01",
"name": "[parameters('workloadipgroup')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.20.0.0/24",
"10.30.0.0/24"
]
}
},
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2019-12-01",
"name": "[parameters('infraipgroup')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.40.0.0/24",
"10.50.0.0/24"
]
}
},
{
"name": "[parameters('virtualNetworkName')]",
"apiVersion": "2019-04-01",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
}
],
"enableDdosProtection": false
}
},
{
"name": "[concat(variables('azurepublicIpname'), add(copyIndex(), 1))]",
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2019-04-01",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
},
"copy": {
"name": "publicIpCopy",
"count": "[parameters('numberOfPublicIPAddresses')]"
}
},
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/firewallPolicies",
"name": "[parameters('firewallPolicyName')]",
"location": "[parameters('location')]",
"properties": {
"threatIntelMode": "Alert"
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2020-05-01",
"name": "[concat(parameters('firewallPolicyName'), '/DefaultNetworkRuleCollectionGroup')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]",
"[resourceId('Microsoft.Network/firewallPolicies',parameters('firewallPolicyName'))]"
],
"properties": {
"priority": 200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "azure-global-services-nrc",
"priority": 1250,
"rules": [
{
"ruleType": "NetworkRule",
"name": "time-windows",
"ipProtocols": [
"UDP"
],
"destinationAddresses": [
"13.86.101.172"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]"
],
"destinationPorts": [
"123"
]
}
]
}
]
}
},
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"name": "[concat(parameters('firewallPolicyName'), '/DefaultApplicationRuleCollectionGroup')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups',parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]"
],
"properties": {
"priority": 300,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "global-rule-url-arc",
"priority": 1000,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "winupdate-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [ "WindowsUpdate" ],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups',parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "Global-rules-arc",
"priority": 1202,
"rules": [
{
"ruleType": "ApplicationRule",
"name": "global-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.microsoft.com"
],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups',parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]"
]
}
]
}
]
}
},
{
"apiVersion": "2019-04-01",
"type": "Microsoft.Network/azureFirewalls",
"name": "[parameters('firewallName')]",
"location": "[parameters('location')]",
"zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"publicIpCopy",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadipgroup'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraipgroup'))]",
"[resourceId('Microsoft.Network/firewallPolicies',parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups',parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups',parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]"
],
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"firewallPolicy": {
"id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
}
}
}
]
}
模板中定义了多个 Azure 资源:
- Microsoft.Network/ipGroups
- Microsoft.Network/firewallPolicies
- Microsoft.Network/firewallPolicies/ruleCollectionGroups
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
部署模板
将 ARM 模板部署到 Azure:
选择“部署到 Azure”,登录到 Azure 并打开模板。 此模板会创建 Azure 防火墙、虚拟 WAN 和虚拟中心、网络基础结构和两个虚拟机。
在门户中的“创建使用规则和 Ipgroups 的防火墙和防火墙策略”页上,键入或选择以下值:
- 订阅:从现有订阅中选择。
- 资源组:从现有资源组中选择,或者选择“新建”,然后选择“确定”。
- 区域:选择区域。
- 防火墙名称:键入防火墙的名称。
选择“查看 + 创建”,然后选择“创建” 。 部署可能需要 10 分钟或更长时间才能完成。
查看已部署的资源
部署完成后,将看到以下类似资源。
清理资源
如果不再需要为防火墙创建的资源,请删除资源组。 这会删除该防火墙和所有相关资源。
若要删除资源组,请调用 Remove-AzResourceGroup cmdlet:
Remove-AzResourceGroup -Name "<your resource group name>"