Tutorial: Configure Bastion and connect to a Windows VM through a browser

This tutorial shows you how to connect to a virtual machine through your browser using Azure Bastion and the Azure portal. In the Azure portal, you deploy Bastion to your virtual network. After deploying Bastion, you connect to a VM via its private IP address using the Azure portal. Your VM does not need a public IP address or special software. Once the service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network. For more information about Azure Bastion, see What is Azure Bastion?

In this tutorial, you'll learn how to:

  • Create a bastion host for your VNet
  • Connect to a Windows virtual machine

If you don't have an Azure subscription, create a Trial Subscription before you begin.

Prerequisites

  • A virtual network.

  • A Windows virtual machine in the virtual network.

  • The following required roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with the private IP of the virtual machine.
    • Reader role on the Azure Bastion resource.
  • Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:

    • Inbound ports: RDP (3389)

Sign in to the Azure portal

Sign in to the Azure portal.

Create a bastion host

This section helps you create the bastion object in your VNet. This is required in order to create a secure connection to a VM in the VNet.

  1. From the Home page, select + Create a resource.

  2. On the New page, in the Search box, type Bastion, then select Enter to get to the search results. On the result for Bastion, verify that the publisher is Microsoft.

  3. Select Create.

  4. On the Create a Bastion page, configure a new Bastion resource.

    [Screenshot: Create a bastion host]

    • Subscription: The Azure subscription you want to use to create a new Bastion resource.

    • Resource Group: The Azure resource group in which the new Bastion resource will be created. If you don't have an existing resource group, you can create a new one.

    • Name: The name of the new Bastion resource.

    • Region: The Azure public region that the resource will be created in.

    • Virtual network: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure it has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network in the dropdown, make sure you have selected the correct Resource Group.

    • Subnet: Once you create or select a virtual network, the Subnet field will appear. This is the subnet in your virtual network where the new Bastion host will be deployed. The subnet will be dedicated to the Bastion host. Select Manage subnet configuration and create the Azure Bastion subnet. Select +Subnet and create a subnet using the following guidelines:

      • The subnet must be named AzureBastionSubnet.
      • The subnet must be /27 or larger.

      You don't need to fill out additional fields. Select OK and then, at the top of the page, select Create a Bastion to return to the Bastion configuration page.

    • Public IP address: The public IP of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP. The public IP address must be in the same region as the Bastion resource you are creating. This IP address has nothing to do with any of the VMs that you want to connect to; it is the public IP for the Bastion host resource.

    • Public IP address name: The name of the public IP address resource. For this tutorial, you can leave the default.

    • Public IP address SKU: This setting is prepopulated by default to Standard. Azure Bastion supports only the Standard Public IP SKU.

    • Assignment: This setting is prepopulated by default to Static.

  5. When you have finished specifying the settings, select Review + Create. This validates the values. Once validation passes, you can create the Bastion resource.

  6. Select Create.

  7. You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.
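The same deployment can be scripted instead of clicked through. The following Azure CLI script is an added example, not part of the original tutorial: it first checks the two subnet rules the steps above state (the name must be exactly AzureBastionSubnet and the prefix must be /27 or larger), then creates the dedicated subnet, a Standard-SKU static public IP, and the Bastion host. The resource group, VNet name, region and address prefix in the usage line are assumed placeholders.

```shell
#!/bin/sh
# Added example: CLI equivalent of the portal steps, with a pre-flight check
# of the Bastion subnet requirements. Names and prefixes are placeholders.
set -eu

# Returns 0 when NAME and PREFIX satisfy the Bastion subnet rules, 1 otherwise.
check_bastion_subnet() {
  name="$1"
  prefix="$2"
  if [ "$name" != "AzureBastionSubnet" ]; then
    echo "subnet must be named AzureBastionSubnet (got '$name')" >&2
    return 1
  fi
  case "$prefix" in
    */[0-9]|*/[0-9][0-9]) bits="${prefix##*/}" ;;
    *) echo "prefix must be CIDR notation, e.g. 10.1.1.0/27" >&2; return 1 ;;
  esac
  # A smaller prefix length means a larger subnet; /27 is the minimum size.
  if [ "$bits" -gt 27 ]; then
    echo "subnet must be /27 or larger (got /$bits)" >&2
    return 1
  fi
  return 0
}

# Creates the subnet, the public IP and the Bastion host in an existing VNet.
create_bastion() {
  rg="$1"; vnet="$2"; location="$3"; prefix="$4"
  check_bastion_subnet "AzureBastionSubnet" "$prefix"
  # Dedicated subnet for the Bastion host.
  az network vnet subnet create --resource-group "$rg" --vnet-name "$vnet" \
    --name AzureBastionSubnet --address-prefixes "$prefix"
  # Bastion supports only the Standard SKU with static allocation; the IP
  # belongs to the Bastion resource, not to any VM you connect to.
  az network public-ip create --resource-group "$rg" --name bastion-pip \
    --sku Standard --allocation-method Static --location "$location"
  # The Bastion host itself; RDP/SSH is then reached over port 443 on this IP.
  az network bastion create --resource-group "$rg" --name vnet-bastion \
    --public-ip-address bastion-pip --vnet-name "$vnet" --location "$location"
}

# Usage (placeholder values):
# create_bastion myResourceGroup myVNet eastus 10.1.1.0/27
```

Run the usage line after `az login`; the VNet must already exist and have free address space for the new prefix.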

Connect to a VM

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then select Connect. Select Bastion from the dropdown.

    [Screenshot: Select Bastion]

  2. After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.

    [Screenshot: Select Use Bastion]

  3. On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.

    [Screenshot: Connect]

  4. The RDP connection to this virtual machine via Bastion opens directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    [Screenshot: Connection over port 443]

Clean up resources

If you're not going to continue to use this application, delete your resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
  2. Select Delete resource group.
  3. Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a Bastion host and associated it to a virtual network, then connected to a Windows VM. You may choose to use Network Security Groups with your Azure Bastion subnet. To do so, see: