In this quickstart, you use an Azure Resource Manager template (ARM template) to create an Azure Firewall and a firewall policy. The firewall policy has an application rule that allows connections to www.microsoft.com, and a rule that allows connections to Windows Update using the WindowsUpdate FQDN tag. A network rule allows UDP connections to a time server at 13.86.101.172 on port 123.
IP groups are also used in the rules to define the source IP addresses, so the allow rules apply only to the workload and infrastructure address ranges rather than to any source.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
For information about Azure Firewall Manager, see What is Azure Firewall Manager?
For information about Azure Firewall, see What is Azure Firewall?
For information about IP groups, see IP groups in Azure Firewall.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.
Prerequisites
- An Azure account with an active subscription. Create a free account.
Review the template
This template creates a virtual network containing the AzureFirewallSubnet, the Standard static public IP addresses the firewall needs, two IP groups, a firewall policy with a network rule collection group and an application rule collection group, and the firewall itself, which is attached to that policy.
The template used in this quickstart is from Azure Quickstart Templates.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.8.9.13224",
"templateHash": "2614956787969031174"
}
},
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "[format('vnet{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Virtual network name"
}
},
"firewallName": {
"type": "string",
"defaultValue": "[format('fw{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Azure Firewall name"
}
},
"numberOfPublicIPAddresses": {
"type": "int",
"defaultValue": 2,
"maxValue": 100,
"minValue": 1,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"availabilityZones": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Zone numbers e.g. 1,2,3."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"infraIpGroupName": {
"type": "string",
"defaultValue": "[format('{0}-infra-ipgroup-{1}', parameters('location'), uniqueString(resourceGroup().id))]"
},
"workloadIpGroupName": {
"type": "string",
"defaultValue": "[format('{0}-workload-ipgroup-{1}', parameters('location'), uniqueString(resourceGroup().id))]"
},
"firewallPolicyName": {
"type": "string",
"defaultValue": "[format('{0}-firewallPolicy', parameters('firewallName'))]"
}
},
"variables": {
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[length(range(0, parameters('numberOfPublicIPAddresses')))]",
"input": {
"name": "[format('IpConf{0}', range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')])]",
"properties": {
"subnet": "[if(equals(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 0), json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId'))), json('null'))]",
"publicIPAddress": {
"id": "[format('{0}{1}', variables('azureFirewallPublicIpId'), add(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 1))]"
}
}
}
}
],
"vnetAddressPrefix": "10.10.0.0/24",
"azureFirewallSubnetPrefix": "10.10.0.0/25",
"publicIPNamePrefix": "publicIP",
"azurepublicIpname": "[variables('publicIPNamePrefix')]",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"azureFirewallPublicIpId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPNamePrefix'))]"
},
"resources": [
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2022-01-01",
"name": "[parameters('workloadIpGroupName')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.20.0.0/24",
"10.30.0.0/24"
]
}
},
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2022-01-01",
"name": "[parameters('infraIpGroupName')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.40.0.0/24",
"10.50.0.0/24"
]
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2022-01-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
}
],
"enableDdosProtection": false
}
},
{
"copy": {
"name": "publicIpAddress",
"count": "[length(range(0, parameters('numberOfPublicIPAddresses')))]"
},
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2022-01-01",
"name": "[format('{0}{1}', variables('azurepublicIpname'), add(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex()], 1))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
}
},
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2022-01-01",
"name": "[parameters('firewallPolicyName')]",
"location": "[parameters('location')]",
"properties": {
"threatIntelMode": "Alert"
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2022-01-01",
"name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"properties": {
"priority": 200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "azure-global-services-nrc",
"priority": 1250,
"rules": [
{
"ruleType": "NetworkRule",
"name": "time-windows",
"ipProtocols": [
"UDP"
],
"destinationAddresses": [
"13.86.101.172"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
],
"destinationPorts": [
"123"
]
}
]
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2022-01-01",
"name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]",
"properties": {
"priority": 300,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "global-rule-url-arc",
"priority": 1000,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "winupdate-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"WindowsUpdate"
],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "Global-rules-arc",
"priority": 1202,
"rules": [
{
"ruleType": "ApplicationRule",
"name": "global-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.microsoft.com"
],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
]
}
]
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2021-03-01",
"name": "[parameters('firewallName')]",
"location": "[parameters('location')]",
"zones": "[if(equals(length(parameters('availabilityZones')), 0), null(), parameters('availabilityZones'))]",
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"firewallPolicy": {
"id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]",
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"publicIpAddress",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
}
]
}
Multiple Azure resources are defined in the template:
- Microsoft.Network/ipGroups
- Microsoft.Network/firewallPolicies
- Microsoft.Network/firewallPolicies/ruleCollectionGroups
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
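A check a practitioner would run before deploying: the following Python script, added here as an example and not part of the quickstart or of the Azure Quickstart Templates repository, parses the firewall policy resources in the template and reports any rule that is broader than the page describes (a wildcard or empty source, the Any protocol, a wildcard port or destination, a sourceIpGroups reference that no ipGroups resource in the same template defines) and a threatIntelMode other than Alert or Deny. The embedded TEMPLATE is a constructed excerpt of the template above with the same values; the file name check_fw_policy.py and the command-line usage are assumptions.

```python
"""Offline least-privilege check for an Azure Firewall policy ARM template.

Added example, not part of the quickstart. Flags rules broader than the page
describes (wildcard or empty sources, 'Any' protocol, wildcard ports/destinations),
sourceIpGroups that no ipGroups resource in the same template defines, and a
threatIntelMode other than Alert/Deny. Usage: python check_fw_policy.py [file.json]
"""
import copy, json, re, sys

IPGROUP_REF = re.compile(r"resourceId\('Microsoft\.Network/ipGroups',\s*parameters\('(\w+)'\)\)")
IPGROUP_NAME = re.compile(r"^\[parameters\('(\w+)'\)\]$")
SRC = ["[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
       "[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"]

# Constructed excerpt of the page's template: the ipGroups, the policy and its two
# rule collection groups, reduced to the fields this check reads (values unchanged).
TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/ipGroups", "name": "[parameters('workloadIpGroupName')]"},
    {"type": "Microsoft.Network/ipGroups", "name": "[parameters('infraIpGroupName')]"},
    {"type": "Microsoft.Network/firewallPolicies", "name": "[parameters('firewallPolicyName')]",
     "properties": {"threatIntelMode": "Alert"}},
    {"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", "name": "DefaultNetworkRuleCollectionGroup",
     "properties": {"priority": 200, "ruleCollections": [
         {"name": "azure-global-services-nrc", "priority": 1250, "action": {"type": "Allow"},
          "rules": [{"ruleType": "NetworkRule", "name": "time-windows", "ipProtocols": ["UDP"],
                     "destinationAddresses": ["13.86.101.172"], "destinationPorts": ["123"],
                     "sourceIpGroups": SRC}]}]}},
    {"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", "name": "DefaultApplicationRuleCollectionGroup",
     "properties": {"priority": 300, "ruleCollections": [
         {"name": "global-rule-url-arc", "priority": 1000, "action": {"type": "Allow"},
          "rules": [{"ruleType": "ApplicationRule", "name": "winupdate-rule-01",
                     "fqdnTags": ["WindowsUpdate"], "sourceIpGroups": SRC}]},
         {"name": "Global-rules-arc", "priority": 1202, "action": {"type": "Allow"},
          "rules": [{"ruleType": "ApplicationRule", "name": "global-rule-01",
                     "targetFqdns": ["www.microsoft.com"], "sourceIpGroups": SRC}]}]}}]}

def defined_ip_groups(template):
    """Parameter names whose ipGroups resources exist in this template."""
    names = set()
    for res in template["resources"]:
        m = IPGROUP_NAME.match(res["name"]) if res["type"] == "Microsoft.Network/ipGroups" else None
        if m:
            names.add(m.group(1))
    return names

def iter_rules(template):
    """Yield (ruleCollection, rule) for every rule in every rule collection group."""
    for res in template["resources"]:
        if res["type"] == "Microsoft.Network/firewallPolicies/ruleCollectionGroups":
            for coll in res["properties"]["ruleCollections"]:
                for rule in coll["rules"]:
                    yield coll, rule

def check_rule(coll, rule, ip_groups):
    where, out = f"{coll['name']}/{rule['name']}", []
    srcs, groups = rule.get("sourceAddresses", []), rule.get("sourceIpGroups", [])
    if "*" in srcs or not (srcs or groups):
        out.append(f"{where}: source is unrestricted")
    for ref in groups:  # every IP-group reference must resolve to a resource in this template
        m = IPGROUP_REF.search(ref)
        if not m or m.group(1) not in ip_groups:
            out.append(f"{where}: sourceIpGroups refers to an IP group this template does not define: {ref}")
    if rule["ruleType"] == "NetworkRule":
        if "Any" in rule.get("ipProtocols", []):
            out.append(f"{where}: ipProtocols allows Any")
        if "*" in rule.get("destinationPorts", []):
            out.append(f"{where}: destinationPorts allows *")
        dests = rule.get("destinationAddresses", []) + rule.get("destinationFqdns", []) + rule.get("destinationIpGroups", [])
        if "*" in dests or not dests:
            out.append(f"{where}: destination is unrestricted")
    elif rule["ruleType"] == "ApplicationRule":
        targets = rule.get("targetFqdns", []) + rule.get("fqdnTags", []) + rule.get("webCategories", [])
        if "*" in targets or not targets:
            out.append(f"{where}: application target is wildcard or empty")
    return out

def check_template(template):
    """All findings for the template; an empty list means every check passed."""
    ip_groups, out = defined_ip_groups(template), []
    for res in template["resources"]:
        if res["type"] == "Microsoft.Network/firewallPolicies":
            mode = res.get("properties", {}).get("threatIntelMode", "Off")
            if mode not in ("Alert", "Deny"):
                out.append(f"{res['name']}: threatIntelMode is {mode}, expected Alert or Deny")
    for coll, rule in iter_rules(template):
        out.extend(check_rule(coll, rule, ip_groups))
    return out

def loosened_copy(template):
    """Constructed negative case: open the first rule to any source and any port."""
    bad = copy.deepcopy(template)
    _, rule = next(iter_rules(bad))
    rule["sourceIpGroups"], rule["sourceAddresses"], rule["destinationPorts"] = [], ["*"], ["*"]
    return bad

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") if len(sys.argv) > 1 else None or open(__file__) as _:
        pass
    template = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else TEMPLATE
    print("template:", check_template(template) or "no findings")
    for finding in check_template(loosened_copy(TEMPLATE)):
        print("loosened copy:", finding)
```

Run it against the azuredeploy.json you actually deploy rather than trusting the listing above; the constructed loosened copy shows what a finding looks like, and a finding on the downloaded file would mean the template you fetched differs from the one shown on this page.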
Deploy the template
Deploy the ARM template to Azure:
Select Deploy to Azure to sign in to Azure and open the template. The template creates the Azure Firewall, its firewall policy and rule collection groups, the two IP groups, the virtual network and the public IP addresses; it does not create a virtual WAN, a virtual hub or any virtual machines.
On the Create a Firewall and FirewallPolicy with Rules and Ipgroups page in the portal, type or select the following values:
- Subscription: select from existing subscriptions.
- Resource group: select from existing resource groups, or select Create new, and then select OK.
- Region: select a region.
- Firewall Name: type a name for the firewall.
Select Review + create and then select Create. The deployment can take 10 minutes or longer to complete.
Review deployed resources
When the deployment completes, you see resources similar to the following.
Clean up resources
When you no longer need the resources that you created for the firewall, delete the resource group. This removes the firewall and all the related resources.
To delete the resource group, call the Remove-AzResourceGroup cmdlet:
Remove-AzResourceGroup -Name "<your resource group name>"