使用 PowerShell 在 Azure Stack HCI 上配置网络安全组。
适用范围:Azure Stack HCI 版本 22H2、Windows Server 2022、Windows Server 2019、Windows Server 2016
本文件介绍了如何通过 Windows PowerShell 将数据中心防火墙用于 Azure Stack HCI 中软件定义的网络 (SDN),以便配置网络安全组 (NSG) 来管理数据流量流。 可以通过创建应用于子网或网络接口的网络安全组来启用和配置数据中心防火墙。
本文中的示例脚本使用从 NetworkController 模块导出的 Windows PowerShell 命令。 你还可以使用 Windows Admin Center 来配置和管理网络安全组。
配置数据中心防火墙以允许所有流量
部署 SDN 后,应在新环境中针对基本网络连接性进行测试。 为实现此目的,请为数据中心防火墙创建一个规则,以允许所有网络流量,不设限制。
使用下表中的条目创建一组规则,以允许所有入站和出站网络流量。
| 源 IP | 目标 IP | 协议 | Source Port | Destination Port | 方向 | 操作 | 优先级 |
|---|---|---|---|---|---|---|---|
| * | * | All | * | * | 入站 | Allow | 100 |
| * | * | All | * | * | 出站 | Allow | 110 |
在此示例中,将创建一个包含两条规则的网络安全组:
- AllowAll_Inbound - 允许所有网络流量进入配置了此网络安全组的网络接口。
- AllowAllOutbound - 允许所有流量从网络接口传出。 由资源 ID“AllowAll-1”标识的此网络安全组现已就绪,可在虚拟子网和网络接口中使用。
可以从有权访问网络控制器 REST 终结点的任何计算机运行此命令。 首先,打开 PowerShell 会话。 在此示例中,使用 Enter-PSSession cmdlet 并将 <computer-name> 替换为具有网络控制器 REST 终结点的计算机的名称。
Enter-PSSession <computer-name>
然后,运行以下脚本以创建网络安全组:
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule1 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule1.Properties = $ruleproperties
$aclrule1.ResourceId = "AllowAll_Inbound"
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "110"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule2 = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule2.Properties = $ruleproperties
$aclrule2.ResourceId = "AllowAll_Outbound"
$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = @($aclrule1, $aclrule2)
New-NetworkControllerAccessControlList -ResourceId "AllowAll" -Properties $acllistproperties -ConnectionUri <NC REST FQDN>
注意
适用于网络控制器的 Windows PowerShell 命令参考在网络控制器 cmdlet 中。
使用网络安全组来限制子网上的流量
在此示例中,你将创建一个网络安全组,用于阻止 192.168.0.0/24 子网中的虚拟机 (VM) 相互通信。 此类型的网络安全组可用于限制攻击者在子网内横向攻击的能力,同时仍允许 VM 接收来自子网外部的请求,以及与其他子网上的其他服务进行通信。
| 源 IP | 目标 IP | 协议 | Source Port | Destination Port | 方向 | 操作 | 优先级 |
|---|---|---|---|---|---|---|---|
| 192.168.0.1 | * | All | * | * | 入站 | Allow | 100 |
| * | 192.168.0.1 | All | * | * | 出站 | Allow | 101 |
| 192.168.0.0/24 | * | All | * | * | 入站 | 阻止 | 102 |
| * | 192.168.0.0/24 | All | * | * | 出站 | 阻止 | 103 |
| * | * | All | * | * | 入站 | Allow | 104 |
| * | * | All | * | * | 出站 | Allow | 105 |
由以下示例脚本创建的网络安全组(由资源 ID Subnet-192-168-0-0 标识)现在可以应用于使用“192.168.0.0/24”子网地址的虚拟网络子网。 附加到该虚拟网络子网的任何网络接口都会自动应用上述网络安全组规则。
以下是一个示例脚本,用于通过网络控制器 REST API 创建此网络安全组:
import-module networkcontroller
$ncURI = "https://mync.contoso.local"
$aclrules = @()
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "192.168.0.1"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "100"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Inbound"
$aclrules += $aclrule
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.1"
$ruleproperties.Priority = "101"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowRouter_Outbound"
$aclrules += $aclrule
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "192.168.0.0/24"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "102"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Inbound"
$aclrules += $aclrule
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Deny"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "192.168.0.0/24"
$ruleproperties.Priority = "103"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "DenySubnet_Outbound"
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "104"
$ruleproperties.Type = "Inbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Inbound"
$aclrules += $aclrule
$ruleproperties = new-object Microsoft.Windows.NetworkController.AclRuleProperties
$ruleproperties.Protocol = "All"
$ruleproperties.SourcePortRange = "0-65535"
$ruleproperties.DestinationPortRange = "0-65535"
$ruleproperties.Action = "Allow"
$ruleproperties.SourceAddressPrefix = "*"
$ruleproperties.DestinationAddressPrefix = "*"
$ruleproperties.Priority = "105"
$ruleproperties.Type = "Outbound"
$ruleproperties.Logging = "Enabled"
$aclrule = new-object Microsoft.Windows.NetworkController.AclRule
$aclrule.Properties = $ruleproperties
$aclrule.ResourceId = "AllowAll_Outbound"
$aclrules += $aclrule
$acllistproperties = new-object Microsoft.Windows.NetworkController.AccessControlListProperties
$acllistproperties.AclRules = $aclrules
New-NetworkControllerAccessControlList -ResourceId "Subnet-192-168-0-0" -Properties $acllistproperties -ConnectionUri $ncURI
将网络安全组添加到网络接口
创建网络安全组并将其分配给虚拟子网后,可能需要使用单个网络接口的特定网络安全组替代虚拟子网上的默认网络安全组。 从 Windows Server 2019 Datacenter 开始,除了 SDN 虚拟网络之外,还可以将特定网络安全组直接应用于附加到 SDN 逻辑网络的网络接口。 如果在连接到网络接口的虚拟子网上设置了网络安全组,就会应用这两个网络安全组,且网络接口网络安全组的优先级高于虚拟子网网络安全组。
在此示例中,我们演示如何将网络安全组添加到虚拟网络。
提示
还可以在创建网络接口的同时添加网络安全组。
获取或创建要将网络安全组添加到其中的网络接口。
$nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"获取或创建要添加到网络接口的网络安全组。
$acl = get-networkcontrolleraccesscontrollist -ConnectionUri $uri -ResourceId "AllowAllACL"将网络安全组分配到网络接口的 AccessControlList 属性。
$nic.properties.ipconfigurations[0].properties.AccessControlList = $acl在网络控制器中添加网络接口。
new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
从网络接口中删除网络安全组
在此示例中,我们演示如何从网络接口中删除网络安全组。 删除网络安全组会将默认的规则集应用于网络接口。 默认规则集允许所有出站流量,但阻止所有入站流量。 如果要允许所有入站流量,必须按照前面的示例添加允许所有入站和出站流量的网络安全组。
获取将从中删除网络安全组的网络接口。
$nic = get-networkcontrollernetworkinterface -ConnectionUri $uri -ResourceId "MyVM_Ethernet1"将 $null 分配到 ipConfiguration 的 AccessControlList 属性。
$nic.properties.ipconfigurations[0].properties.AccessControlList = $null在网络控制器中添加网络接口对象。
new-networkcontrollernetworkinterface -ConnectionUri $uri -Properties $nic.properties -ResourceId $nic.resourceid
防火墙审核
数据中心防火墙的防火墙审核功能可记录由 SDN 防火墙规则处理的任何流。 系统将记录已启用日志记录的所有网络安全组。 日志文件必须采用与 Azure 网络观察程序流日志一致的语法。 可以使用这些日志进行诊断,也可以将其存档供以后分析。
下面是一个示例脚本,用于在主机服务器上启用防火墙审核。 请更新开头的变量,并在部署了网络控制器的 Azure Stack HCI 群集上运行此操作:
$logpath = "C:\test\log1"
$servers = @("sa18n22-2", "sa18n22-3", "sa18n22-4")
$uri = "https://sa18n22sdn.sa18.nttest.microsoft.com"
# Create log directories on the hosts
invoke-command -Computername $servers {
param(
$Path
)
mkdir $path -force
} -argumentlist $LogPath
# Set firewall auditing settings on Network Controller
$AuditProperties = new-object Microsoft.Windows.NetworkController.AuditingSettingsProperties
$AuditProperties.OutputDirectory = $logpath
set-networkcontrollerauditingsettingsconfiguration -connectionuri $uri -properties $AuditProperties -force | out-null
# Enable logging on each server
$servers = get-networkcontrollerserver -connectionuri $uri
foreach ($s in $servers) {
$s.properties.AuditingEnabled = @("Firewall")
new-networkcontrollerserver -connectionuri $uri -resourceid $s.resourceid -properties $s.properties -force | out-null
}
启用后,每台主机上的指定目录中大约一小时会出现一个新文件。 应定期处理这些文件并将它们从主机中删除。 当前文件的长度为零。该文件处于锁定状态,一直锁定到在下一个小时标记处进行刷新为止:
PS C:\test\log1> dir
Directory: C:\test\log1
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/19/2018 6:28 AM 17055 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL122803093.json
-a---- 7/19/2018 7:28 AM 7880 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL132803173.json
-a---- 7/19/2018 8:28 AM 7867 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL142803264.json
-a---- 7/19/2018 9:28 AM 10949 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL152803360.json
-a---- 7/19/2018 9:28 AM 0 SdnFirewallAuditing.d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a.20180719TL162803464.json
这些文件包含一个流事件序列,例如:
{
"records": [
{
"properties":{
"Version":"1.0",
"flows":[
{
"flows":[
{
"flowTuples":["1531963580,192.122.0.22,192.122.255.255,138,138,U,I,A"],
"portId":"9",
"portName":"7290436D-0422-498A-8EB8-C6CF5115DACE"
}
],
"rule":"Allow_Inbound"
}
]
},
"operationName":"NetworkSecurityGroupFlowEvents",
"resourceId":"394f647d-2ed0-4c31-87c5-389b8c0c8132",
"time":"20180719:L012620622",
"category":"NetworkSecurityGroupFlowEvent",
"systemId":"d8b3b697-5355-40e2-84d2-1bf2f0e0dc4a"
},
请注意,只有“日志记录”设置为“启用”的规则才会进行日志记录 ,例如:
{
"Tags": null,
"ResourceRef": "/accessControlLists/AllowAll",
"InstanceId": "4a63e1a5-3264-4986-9a59-4e77a8b107fa",
"Etag": "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
"ResourceMetadata": null,
"ResourceId": "AllowAll",
"Properties": {
"ConfigurationState": null,
"ProvisioningState": "Succeeded",
"AclRules": [
{
"ResourceMetadata": null,
"ResourceRef": "/accessControlLists/AllowAll/aclRules/AllowAll_Inbound",
"InstanceId": "ba8710a8-0f01-422b-9038-d1f2390645d7",
"Etag": "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
"ResourceId": "AllowAll_Inbound",
"Properties": {
"Protocol": "All",
"SourcePortRange": "0-65535",
"DestinationPortRange": "0-65535",
"Action": "Allow",
"SourceAddressPrefix": "*",
"DestinationAddressPrefix": "*",
"Priority": "101",
"Description": null,
"Type": "Inbound",
"Logging": "Enabled",
"ProvisioningState": "Succeeded"
}
},
{
"ResourceMetadata": null,
"ResourceRef": "/accessControlLists/AllowAll/aclRules/AllowAll_Outbound",
"InstanceId": "068264c6-2186-4dbc-bbe7-f504c6f47fa8",
"Etag": "W/\"1535a780-0fc8-4bba-a15a-093ecac9b88b\"",
"ResourceId": "AllowAll_Outbound",
"Properties": {
"Protocol": "All",
"SourcePortRange": "0-65535",
"DestinationPortRange": "0-65535",
"Action": "Allow",
"SourceAddressPrefix": "*",
"DestinationAddressPrefix": "*",
"Priority": "110",
"Description": null,
"Type": "Outbound",
"Logging": "Enabled",
"ProvisioningState": "Succeeded"
}
}
],
"IpConfigurations": [
],
"Subnets": [
{
"ResourceMetadata": null,
"ResourceRef": "/virtualNetworks/10_0_1_0/subnets/Subnet1",
"InstanceId": "00000000-0000-0000-0000-000000000000",
"Etag": null,
"ResourceId": null,
"Properties": null
}
]
}
}
后续步骤
如需相关信息,请参阅: