快速入门:创建 Azure 防火墙和防火墙策略 - Bicep
在本快速入门中,将使用 Bicep 来创建 Azure 防火墙和防火墙策略。 防火墙策略具有允许连接到 www.microsoft.com 的应用程序规则,还有允许使用 WindowsUpdate FQDN 标记连接到 Windows 更新的规则。 网络规则允许 UDP 连接到位于 13.86.101.172 的时间服务器。
此外,规则中的 IP 组用于定义源 IP 地址。
Bicep 是一种特定于域的语言 (DSL),使用声明性语法来部署 Azure 资源。 它提供简明的语法、可靠的类型安全性以及对代码重用的支持。 Bicep 会针对你的 Azure 基础结构即代码解决方案提供最佳创作体验。
有关 Azure 防火墙管理器的信息,请参阅什么是 Azure 防火墙管理器?。
有关 Azure 防火墙的信息,请参阅什么是 Azure 防火墙?。
先决条件
- 具有活动订阅的 Azure 帐户。 创建试用版订阅。
查阅 Bicep 文件
此 Bicep 文件创建一个中心虚拟网络,以及支持该方案所需的资源。
本快速入门中使用的 Bicep 文件来自 Azure 快速入门模板。
@description('Virtual network name')
param virtualNetworkName string = 'vnet${uniqueString(resourceGroup().id)}'
@description('Azure Firewall name')
param firewallName string = 'fw${uniqueString(resourceGroup().id)}'
@description('Number of public IP addresses for the Azure Firewall')
@minValue(1)
@maxValue(100)
param numberOfPublicIPAddresses int = 2
@description('Zone numbers e.g. 1,2,3.')
param availabilityZones array = []
@description('Location for all resources.')
param location string = resourceGroup().location
param infraIpGroupName string = '${location}-infra-ipgroup-${uniqueString(resourceGroup().id)}'
param workloadIpGroupName string = '${location}-workload-ipgroup-${uniqueString(resourceGroup().id)}'
param firewallPolicyName string = '${firewallName}-firewallPolicy'
var vnetAddressPrefix = '10.10.0.0/24'
var azureFirewallSubnetPrefix = '10.10.0.0/25'
var publicIPNamePrefix = 'publicIP'
var azurepublicIpname = publicIPNamePrefix
var azureFirewallSubnetName = 'AzureFirewallSubnet'
var azureFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, azureFirewallSubnetName)
var azureFirewallPublicIpId = resourceId('Microsoft.Network/publicIPAddresses', publicIPNamePrefix)
var azureFirewallIpConfigurations = [for i in range(0, numberOfPublicIPAddresses): {
name: 'IpConf${i}'
properties: {
subnet: ((i == 0) ? json('{"id": "${azureFirewallSubnetId}"}') : json('null'))
publicIPAddress: {
id: '${azureFirewallPublicIpId}${i + 1}'
}
}
}]
resource workloadIpGroup 'Microsoft.Network/ipGroups@2022-01-01' = {
name: workloadIpGroupName
location: location
properties: {
ipAddresses: [
'10.20.0.0/24'
'10.30.0.0/24'
]
}
}
resource infraIpGroup 'Microsoft.Network/ipGroups@2022-01-01' = {
name: infraIpGroupName
location: location
properties: {
ipAddresses: [
'10.40.0.0/24'
'10.50.0.0/24'
]
}
}
resource vnet 'Microsoft.Network/virtualNetworks@2022-01-01' = {
name: virtualNetworkName
location: location
tags: {
displayName: virtualNetworkName
}
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: azureFirewallSubnetName
properties: {
addressPrefix: azureFirewallSubnetPrefix
}
}
]
enableDdosProtection: false
}
}
resource publicIpAddress 'Microsoft.Network/publicIPAddresses@2022-01-01' = [for i in range(0, numberOfPublicIPAddresses): {
name: '${azurepublicIpname}${i + 1}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
publicIPAddressVersion: 'IPv4'
}
}]
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2022-01-01'= {
name: firewallPolicyName
location: location
properties: {
threatIntelMode: 'Alert'
}
}
resource networkRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-01-01' = {
parent: firewallPolicy
name: 'DefaultNetworkRuleCollectionGroup'
properties: {
priority: 200
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
name: 'azure-global-services-nrc'
priority: 1250
rules: [
{
ruleType: 'NetworkRule'
name: 'time-windows'
ipProtocols: [
'UDP'
]
destinationAddresses: [
'13.86.101.172'
]
sourceIpGroups: [
workloadIpGroup.id
infraIpGroup.id
]
destinationPorts: [
'123'
]
}
]
}
]
}
}
resource applicationRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-01-01' = {
parent: firewallPolicy
name: 'DefaultApplicationRuleCollectionGroup'
dependsOn: [
networkRuleCollectionGroup
]
properties: {
priority: 300
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
name: 'global-rule-url-arc'
priority: 1000
action: {
type: 'Allow'
}
rules: [
{
ruleType: 'ApplicationRule'
name: 'winupdate-rule-01'
protocols: [
{
protocolType: 'Https'
port: 443
}
{
protocolType: 'Http'
port: 80
}
]
fqdnTags: [
'WindowsUpdate'
]
terminateTLS: false
sourceIpGroups: [
workloadIpGroup.id
infraIpGroup.id
]
}
]
}
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
name: 'Global-rules-arc'
priority: 1202
rules: [
{
ruleType: 'ApplicationRule'
name: 'global-rule-01'
protocols: [
{
protocolType: 'Https'
port: 443
}
]
targetFqdns: [
'www.microsoft.com'
]
terminateTLS: false
sourceIpGroups: [
workloadIpGroup.id
infraIpGroup.id
]
}
]
}
]
}
}
resource firewall 'Microsoft.Network/azureFirewalls@2021-03-01' = {
name: firewallName
location: location
zones: ((length(availabilityZones) == 0) ? null : availabilityZones)
dependsOn: [
vnet
publicIpAddress
workloadIpGroup
infraIpGroup
networkRuleCollectionGroup
applicationRuleCollectionGroup
]
properties: {
ipConfigurations: azureFirewallIpConfigurations
firewallPolicy: {
id: firewallPolicy.id
}
}
}
该 Bicep 文件中定义了多个 Azure 资源:
- Microsoft.Network/ipGroups
- Microsoft.Network/firewallPolicies
- Microsoft.Network/firewallPolicies/ruleCollectionGroups
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
部署 Bicep 文件
将该 Bicep 文件在本地计算机上另存为
main.bicep。使用 Azure CLI 或 Azure PowerShell 来部署该 Bicep 文件。
az group create --name exampleRG --location chinaeast az deployment group create --resource-group exampleRG --template-file main.bicep --parameters firewallName=<firewall-name>注意
将 <firewall-name> 替换为 Azure 防火墙的名称。
部署完成后,应会看到一条指出部署成功的消息。
查看已部署的资源
使用 Azure CLI 或 Azure PowerShell 来查看部署的资源。
az resource list --resource-group exampleRG
清理资源
如果不再需要为防火墙创建的资源,请删除资源组。 删除了防火墙和所有相关资源。
az group delete --name exampleRG