Quickstart: Secure your virtual hub using Azure Firewall Manager - ARM template

In this quickstart, you use an Azure Resource Manager template (ARM template) to secure your virtual hub using Azure Firewall Manager. The deployed firewall has an application rule that allows connections to www.microsoft.com. Two Windows Server 2019 virtual machines are deployed to test the firewall. One jump server is used to connect to the workload server. From the workload server, you can only connect to www.microsoft.com.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

For more information about Azure Firewall Manager, see What is Azure Firewall Manager?.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Deploy to Azure

Prerequisites

Review the template

This template creates a secured virtual hub using Azure Firewall Manager, along with the necessary resources to support the scenario.

The template used in this quickstart is from Azure Quickstart Templates.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
       "adminUsername": {
           "type": "String",
           "metadata": {
               "description": "Admin username for the servers"
           }
       },
       "adminPassword": {
           "type": "SecureString",
           "metadata": {
               "description": "Password for the admin account on the servers"
           }
       },
        "location": {
            "defaultValue": "[resourceGroup().location]",
            "type": "String",
            "metadata": {
                "description": "Location for all resources."
            }
        },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_D2_v3",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
    },
    "resources": [
        {
            "type": "Microsoft.Network/virtualWans",
            "apiVersion": "2019-08-01",
            "name": "VWan-01",
            "location": "[parameters('location')]",
            "properties": {
                "disableVpnEncryption": false,
                "allowBranchToBranchTraffic": true,
                "allowVnetToVnetTraffic": false,
                "office365LocalBreakoutCategory": "None",
                "type": "Standard"
            }
        },
        {
            "type": "Microsoft.Network/virtualHubs",
            "apiVersion": "2020-04-01",
            "name": "Hub-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
            ],
            "properties": {
                "virtualNetworkConnections": [
                    {
                        "name": "hub-spoke",
                        "properties": {
                            "remoteVirtualNetwork": {
                                "id": "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
                            },
                            "allowHubToRemoteVnetTransit": true,
                            "allowRemoteVnetToUseHubVnetGateways": false,
                            "enableInternetSecurity": true
                        }
                    }
                ],
                "addressPrefix": "10.1.0.0/16",
                "virtualWan": {
                    "id": "[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
                },
                "azureFirewall": {
                    "id": "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
                }
            }
        },
        {
            "type": "Microsoft.Network/firewallPolicies",
            "apiVersion": "2019-08-01",
            "name": "Policy-01",
            "location": "[parameters('location')]",
            "properties": {
                "threatIntelMode": "Alert"
            }
        },
        {
            "type": "Microsoft.Network/firewallPolicies/ruleGroups",
            "apiVersion": "2019-08-01",
            "name": "Policy-01/DefaultApplicationRuleCollectionGroup",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/firewallPolicies','Policy-01')]"
            ],
            "properties": {
                "priority": 300,
                "rules": [
                    {
                        "name": "RC-01",
                        "priority": 100,
                        "ruleType": "FirewallPolicyFilterRule",
                        "action": {
                            "type": "Allow"
                        },
                        "ruleConditions": [
                            {
                                "name": "Allow-msft",
                                "protocols": [
                                    {
                                        "protocolType": "http",
                                        "port": 80
                                    },
                                    {
                                        "protocolType": "https",
                                        "port": 443
                                    }
                                ],
                                "sourceAddresses": [
                                    "*"
                                ],
                                "targetFqdns": [
                                    "*.microsoft.com"
                                ],
                                "ruleConditionType": "ApplicationRuleCondition"
                            }
                        ]
                    }
                ]
            }
        },
        {
            "type": "Microsoft.Network/azureFirewalls",
            "apiVersion": "2020-05-01",
            "name": "AzfwTest",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]",
                "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
            ],
            "properties": {
                "sku": {
                    "name": "AZFW_Hub",
                    "tier": "Standard"
                },
                "hubIPAddresses": {
                    "publicIPs": {
                        "count": 1
                    }
                },
                "virtualHub": {
                    "id": "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
                },
                "firewallPolicy": {
                    "id": "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
                }
            }
        },
        {
            "type": "Microsoft.Network/virtualNetworks",
            "apiVersion": "2019-11-01",
            "name": "Spoke-01",
            "location": "[parameters('location')]",
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
                        "10.0.0.0/16"
                    ]
                },
                "enableDdosProtection": false,
                "enableVmProtection": false
            }
        },
        {
           "type": "Microsoft.Network/virtualNetworks/subnets",
           "apiVersion": "2019-11-01",
           "name": "Spoke-01/Workload-SN",
           "dependsOn": [
               "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
           ],
           "properties": {
               "addressPrefix": "10.0.1.0/24",
               "privateEndpointNetworkPolicies": "Enabled",
               "privateLinkServiceNetworkPolicies": "Enabled"
           }
       },
        {
           "type": "Microsoft.Network/virtualNetworks/subnets",
           "apiVersion": "2019-11-01",
           "name": "Spoke-01/Jump-SN",
           "dependsOn": [
               "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]",
               "[resourceId('Microsoft.Network/routeTables', 'RT-01')]"
           ],
           "properties": {
               "addressPrefix": "10.0.2.0/24",
                "routeTable": {
                    "id": "[resourceId('Microsoft.Network/routeTables','RT-01')]"
                },
               "privateEndpointNetworkPolicies": "Enabled",
               "privateLinkServiceNetworkPolicies": "Enabled"
           }
       },
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2019-07-01",
            "name": "Jump-Srv",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
            ],
            "properties": {
                "hardwareProfile": {
                    "vmSize": "[parameters('vmSize')]"
                },
                "storageProfile": {
                    "imageReference": {
                        "publisher": "MicrosoftWindowsServer",
                        "offer": "WindowsServer",
                        "sku": "2019-Datacenter",
                        "version": "latest"
                    },
                    "osDisk": {
                        "osType": "Windows",
                        "createOption": "FromImage",
                        "caching": "ReadWrite",
                        "managedDisk": {
                            "storageAccountType": "StandardSSD_LRS"
                        },
                        "diskSizeGB": 127
                    }
                },
                "osProfile": {
                    "computerName": "Jump-Srv",
                    "adminUsername": "[parameters('adminUsername')]",
                    "adminPassword": "[parameters('adminPassword')]",
                    "windowsConfiguration": {
                        "provisionVMAgent": true,
                        "enableAutomaticUpdates": true
                    },
                    "allowExtensionOperations": true
                },
                "networkProfile": {
                    "networkInterfaces": [
                        {
                            "id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
                        }
                    ]
                }
            }
        },
        {
            "type": "Microsoft.Compute/virtualMachines",
            "apiVersion": "2019-07-01",
            "name": "Workload-Srv",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
            ],
            "properties": {
                "hardwareProfile": {
                    "vmSize": "[parameters('vmSize')]"
                },
                "storageProfile": {
                    "imageReference": {
                        "publisher": "MicrosoftWindowsServer",
                        "offer": "WindowsServer",
                        "sku": "2019-Datacenter",
                        "version": "latest"
                    },
                    "osDisk": {
                        "osType": "Windows",
                        "createOption": "FromImage",
                        "caching": "ReadWrite",
                        "managedDisk": {
                            "storageAccountType": "StandardSSD_LRS"
                        },
                        "diskSizeGB": 127
                    }
                },
                "osProfile": {
                    "computerName": "Workload-Srv",
                    "adminUsername": "[parameters('adminUsername')]",
                    "adminPassword": "[parameters('adminPassword')]",
                    "windowsConfiguration": {
                        "provisionVMAgent": true,
                        "enableAutomaticUpdates": true
                    },
                    "allowExtensionOperations": true
                },
                "networkProfile": {
                    "networkInterfaces": [
                        {
                            "id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
                        }
                    ]
                }
            }
        },
        {
            "type": "Microsoft.Network/networkInterfaces",
            "apiVersion": "2020-03-01",
            "name": "netInterface-workload-srv",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01','Workload-SN')]",
                "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]"
            ],
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "ipconfig1",
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": {
                                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]"
                            },
                            "primary": true,
                            "privateIPAddressVersion": "IPv4"
                        }
                    }
                ],
                "enableAcceleratedNetworking": false,
                "enableIPForwarding": false,
                "networkSecurityGroup": {
                    "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]"
                }
            }
        },
        {
            "type": "Microsoft.Network/networkInterfaces",
            "apiVersion": "2020-03-01",
            "name": "netInterface-jump-srv",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]",
                "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01','Jump-SN')]",
                "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]"
            ],
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "ipconfig1",
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "publicIPAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]"
                            },
                            "subnet": {
                                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Jump-SN')]"
                            },
                            "primary": true,
                            "privateIPAddressVersion": "IPv4"
                        }
                    }
                ],
                "enableAcceleratedNetworking": false,
                "enableIPForwarding": false,
                "networkSecurityGroup": {
                    "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]"
                }
            }
        },
       {
           "type": "Microsoft.Network/networkSecurityGroups",
           "apiVersion": "2020-03-01",
           "name": "nsg-jump-srv",
           "location": "[parameters('location')]",
           "properties": {
               "securityRules": [
                   {
                       "name": "RDP",
                       "properties": {
                           "protocol": "TCP",
                           "sourcePortRange": "*",
                           "destinationPortRange": "3389",
                           "sourceAddressPrefix": "*",
                           "destinationAddressPrefix": "*",
                           "access": "Allow",
                           "priority": 300,
                           "direction": "Inbound"
                       }
                   }
               ]
           }
       },
       {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2020-03-01",
            "name": "nsg-workload-srv",
            "location": "[parameters('location')]",
            "properties": {
            }
        },
       {
           "type": "Microsoft.Network/publicIPAddresses",
           "apiVersion": "2019-11-01",
           "name": "publicIP-jump-srv",
           "location": "[parameters('location')]",
           "sku": {
               "name": "Standard"
           },
           "properties": {
               "publicIPAddressVersion": "IPv4",
               "publicIPAllocationMethod": "Static",
               "idleTimeoutInMinutes": 4
           }
       },
        {
            "type": "Microsoft.Network/routeTables",
            "apiVersion": "2020-03-01",
            "name": "RT-01",
            "location": "[parameters('location')]",
            "properties": {
                "disableBgpRoutePropagation": false,
                "routes": [
                    {
                        "name": "jump-to-inet",
                        "properties": {
                            "addressPrefix": "0.0.0.0/0",
                            "nextHopType": "Internet"
                        }
                    }
                ]
            }
        },
        {
            "type": "Microsoft.Network/virtualHubs/routeTables",
            "apiVersion": "2019-07-01",
            "name": "Hub-01/VirtualNetworkRouteTable",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]",
                "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
            ],
            "properties": {
                "routes": [
                    {
                        "destinationType": "CIDR",
                        "destinations": [
                            "10.0.1.0/24",
                            "0.0.0.0/0"
                        ],
                        "nextHopType": "IPAddress",
                        "nextHops": [
                            "10.1.64.4"
                        ]
                    }
                ],
                "attachedConnections": [
                    "All_Vnets"
                ]
            }
        },
        {
            "type": "Microsoft.Network/virtualHubs/routeTables",
            "apiVersion": "2019-07-01",
            "name": "Hub-01/BranchRouteTable",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]",
                "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]",
                "[resourceId('Microsoft.Network/virtualHubs/routeTables', 'Hub-01','VirtualNetworkRouteTable')]"
            ],
            "properties": {
                "routes": [
                    {
                        "destinationType": "CIDR",
                        "destinations": [
                            "10.0.1.0/24"
                        ],
                        "nextHopType": "IPAddress",
                        "nextHops": [
                            "10.1.64.4"
                        ]
                    }
                ],
                "attachedConnections": [
                    "All_Branches"
                ]
            }
        }
    ]
}

Multiple Azure resources are defined in the template:

  • Microsoft.Network/virtualWans (VWan-01)
  • Microsoft.Network/virtualHubs (Hub-01)
  • Microsoft.Network/firewallPolicies (Policy-01)
  • Microsoft.Network/firewallPolicies/ruleGroups (the application rule that allows *.microsoft.com)
  • Microsoft.Network/azureFirewalls (AzfwTest, the AZFW_Hub SKU attached to the hub)
  • Microsoft.Network/virtualNetworks (Spoke-01)
  • Microsoft.Network/virtualNetworks/subnets (Workload-SN and Jump-SN)
  • Microsoft.Compute/virtualMachines (Jump-Srv and Workload-Srv)
  • Microsoft.Network/networkInterfaces
  • Microsoft.Network/networkSecurityGroups
  • Microsoft.Network/publicIPAddresses (for the jump server only)
  • Microsoft.Network/routeTables (RT-01, sending the jump subnet straight to the Internet)
  • Microsoft.Network/virtualHubs/routeTables (hub routes that send spoke and default traffic to the firewall)
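Added example (not part of the quickstart or the template): a Python static check that reads the template's JSON and reports the settings a reviewer would want to confirm before deploying it: which FQDNs the application rule allows and from which sources, which NSG rules allow inbound traffic from any source (the jump server's RDP rule does), and where each hub route table sends 0.0.0.0/0 (expected: the firewall's hub IP). The embedded JSON is a constructed excerpt of the template above, trimmed to the fields the checks read; pass the full template file's text to `review()` to run it for real.

```python
"""Static review of the security-relevant settings in the quickstart ARM template."""
import json

# Constructed excerpt of the quickstart template (not the full file): only the
# resources and fields the checks below read, with the values the page shows.
TEMPLATE_JSON = """
{
  "resources": [
    {"type": "Microsoft.Network/firewallPolicies/ruleGroups",
     "name": "Policy-01/DefaultApplicationRuleCollectionGroup",
     "properties": {"priority": 300, "rules": [
       {"name": "RC-01", "ruleType": "FirewallPolicyFilterRule",
        "action": {"type": "Allow"},
        "ruleConditions": [
          {"name": "Allow-msft", "ruleConditionType": "ApplicationRuleCondition",
           "sourceAddresses": ["*"], "targetFqdns": ["*.microsoft.com"],
           "protocols": [{"protocolType": "http", "port": 80},
                         {"protocolType": "https", "port": 443}]}]}]}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-jump-srv",
     "properties": {"securityRules": [
       {"name": "RDP", "properties": {"protocol": "TCP", "destinationPortRange": "3389",
        "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}}]}},
    {"type": "Microsoft.Network/virtualHubs/routeTables",
     "name": "Hub-01/VirtualNetworkRouteTable",
     "properties": {"routes": [{"destinationType": "CIDR",
       "destinations": ["10.0.1.0/24", "0.0.0.0/0"],
       "nextHopType": "IPAddress", "nextHops": ["10.1.64.4"]}]}}
  ]
}
"""


def resources_of(template, rtype):
    """All resources in the template of the given ARM resource type."""
    return [r for r in template["resources"] if r["type"] == rtype]


def allowed_fqdns(template):
    """(fqdn, source addresses) for every Allow application rule condition."""
    out = []
    for group in resources_of(template, "Microsoft.Network/firewallPolicies/ruleGroups"):
        for rule in group["properties"].get("rules", []):
            if rule.get("action", {}).get("type") != "Allow":
                continue
            for cond in rule.get("ruleConditions", []):
                if cond.get("ruleConditionType") == "ApplicationRuleCondition":
                    for fqdn in cond.get("targetFqdns", []):
                        out.append((fqdn, tuple(cond.get("sourceAddresses", []))))
    return out


def inbound_rules_open_to_any(template):
    """(nsg, rule, port) for inbound Allow rules whose source is unrestricted."""
    hits = []
    for nsg in resources_of(template, "Microsoft.Network/networkSecurityGroups"):
        for rule in nsg["properties"].get("securityRules", []):
            p = rule["properties"]
            if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
                    and p.get("sourceAddressPrefix") in ("*", "Internet", "0.0.0.0/0")):
                hits.append((nsg["name"], rule["name"], p.get("destinationPortRange")))
    return hits


def default_route_next_hops(template):
    """Where each hub route table sends 0.0.0.0/0; expect the firewall's hub IP."""
    hops = {}
    for rt in resources_of(template, "Microsoft.Network/virtualHubs/routeTables"):
        for route in rt["properties"].get("routes", []):
            if "0.0.0.0/0" in route.get("destinations", []):
                hops[rt["name"]] = (route.get("nextHopType"), tuple(route.get("nextHops", [])))
    return hops


def review(template_text):
    """Parse template JSON text and collect the three findings above."""
    t = json.loads(template_text)
    return {"allowed_fqdns": allowed_fqdns(t),
            "open_inbound": inbound_rules_open_to_any(t),
            "default_routes": default_route_next_hops(t)}


if __name__ == "__main__":
    for name, finding in review(TEMPLATE_JSON).items():
        print(name, finding)
```

The template's next hop 10.1.64.4 is hard-coded rather than derived from the firewall resource, so the default-route check is also worth rerunning after any change to the hub address prefix.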

Deploy the template

Deploy the ARM template to Azure:

  1. Select Deploy to Azure to sign in to Azure and open the template. The template creates an Azure Firewall, a virtual WAN and virtual hub, the network infrastructure, and two virtual machines.

    Deploy to Azure

  2. In the portal, on the Secured virtual hubs page, type or select the following values:

    • Subscription: Select from existing subscriptions
    • Resource group: Select from existing resource groups or select Create new, and select OK.
    • Location: Select a location
    • Admin Username: Type a username for the administrator user account
    • Admin Password: Type an administrator password or key
  3. Select Review + create and then select Create. The deployment can take 10 minutes or longer to complete.

Validate the deployment

Now, test the firewall rules to confirm that they work as expected.

  1. From the Azure portal, review the network settings for the Workload-Srv virtual machine and note the private IP address.

  2. Connect a remote desktop to the Jump-Srv virtual machine, and sign in. From there, open a remote desktop connection to the Workload-Srv private IP address.

  3. Open Internet Explorer and browse to www.microsoft.com.

  4. Select OK > Close on the Internet Explorer security alerts.

    You should see the Azure home page.

  5. Browse to www.baidu.com.

    You should be blocked by the firewall.

So now you've verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.

Clean up resources

When you no longer need the resources that you created with the firewall, delete the resource group. This removes the firewall and all the related resources.

To delete the resource group, call the Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name "<your resource group name>"

Next steps