Tutorial: Secure your virtual hub using Azure Firewall Manager

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).

Figure: Secure your cloud network

Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?

In this tutorial, you learn how to:

  • Create the spoke virtual networks
  • Create a secured virtual hub
  • Connect the hub and spoke virtual networks
  • Route traffic to your hub
  • Deploy the servers
  • Create a firewall policy and secure your hub
  • Test the firewall

Prerequisites

If you don't have an Azure subscription, create a trial account before you begin.

Create a hub and spoke architecture

First, create the spoke virtual networks where you can place your servers.

Create two spoke virtual networks and subnets

The two virtual networks will each have a workload server in them and will be protected by the firewall.

  1. From the Azure portal home page, select Create a resource.
  2. Under Networking, select Virtual network.
  3. For Subscription, select your subscription.
  4. For Resource group, select Create new, type fw-manager for the name, and select OK.
  5. For Name, type Spoke-01.
  6. For Region, select China East 2.
  7. Select Next: IP Addresses.
  8. For Address space, type 10.1.0.0/16.
  9. Select Add subnet.
  10. For Subnet name, type Workload-01-SN.
  11. For Subnet address range, type 10.1.1.0/24.
  12. Select Add.
  13. Select Review + create.
  14. Select Create.

Repeat this procedure to create another similar virtual network:

Name: Spoke-02
Address space: 10.2.0.0/16
Subnet name: Workload-02-SN
Subnet address range: 10.2.1.0/24

Create the secured virtual hub

Create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select All services.
  2. In the search box, type Firewall Manager and select Firewall Manager.
  3. On the Firewall Manager page, select View secured virtual hubs.
  4. On the Firewall Manager | Secured virtual hubs page, select Create new secured virtual hub.
  5. For Resource group, select fw-manager.
  6. For Region, select China East 2.
  7. For the Secured virtual hub name, type Hub-01.
  8. For Hub address space, type 10.0.0.0/16.
  9. For the new vWAN name, type Vwan-01.
  10. Leave the Include VPN gateway to enable Trusted Security Partners check box cleared.
  11. Select Next: Azure Firewall.
  12. Accept the default Azure Firewall Enabled setting, and then select Next: Trusted Security Partner.
  13. Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.
  14. Select Create. It will take about 30 minutes to deploy.

Now you can get the firewall public IP address.

  1. After the deployment is complete, in the Azure portal select All services.
  2. Type firewall manager and then select Firewall Manager.
  3. Select Secured virtual hubs.
  4. Select hub-01.
  5. Select Public IP configuration.
  6. Note the public IP address to use later.

Connect the hub and spoke virtual networks

Now you can peer the hub and spoke virtual networks.

  1. Select the fw-manager resource group, then select the Vwan-01 virtual WAN.
  2. Under Connectivity, select Virtual network connections.
  3. Select Add connection.
  4. For Connection name, type hub-spoke-01.
  5. For Hubs, select Hub-01.
  6. For Resource group, select fw-manager.
  7. For Virtual network, select Spoke-01.
  8. Select Create.

Repeat this procedure to connect the Spoke-02 virtual network, using hub-spoke-02 as the connection name.

Deploy the servers

  1. In the Azure portal, select Create a resource.

  2. Select Windows Server 2016 Datacenter in the Popular list.

  3. Enter these values for the virtual machine:

    Resource group: fw-manager
    Virtual machine name: Srv-workload-01
    Region: China East 2
    Administrator user name: type a user name
    Password: type a password

  4. Under Inbound port rules, for Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.

  11. Review the settings on the summary page, and then select Create.

Use the information in the following list to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-workload-01 virtual machine.

Virtual network: Spoke-02
Subnet: Workload-02-SN

After the servers are deployed, select each server resource, and under Networking note the private IP address of each server.

Create a firewall policy and secure your hub

A firewall policy defines collections of rules to direct traffic on one or more secured virtual hubs. You'll create your firewall policy and then secure your hub.

  1. From Firewall Manager, select View Azure Firewall policies.
  2. Select Create Azure Firewall Policy.
  3. Under Policy details, for Name type Policy-01, and for Region select China East 2.
  4. Select Next: DNS Settings (preview).
  5. Select Next: Rules.
  6. On the Rules tab, select Add a rule collection.
  7. On the Add a rule collection page, type App-RC-01 for the Name.
  8. For Rule collection type, select Application.
  9. For Priority, type 100.
  10. Ensure Rule collection action is Allow.
  11. For the rule Name, type Allow-msft.
  12. For Source type, select IP address.
  13. For Source, type *.
  14. For Protocol, type http,https.
  15. Ensure Destination type is FQDN.
  16. For Destination, type *.microsoft.com.
  17. Select Add.

Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine.

  1. Select Add a rule collection.
  2. For Name, type DNAT-rdp.
  3. For Rule collection type, select DNAT.
  4. For Priority, type 100.
  5. For the rule Name, type Allow-rdp.
  6. For Source type, select IP address.
  7. For Source, type *.
  8. For Protocol, select TCP.
  9. For Destination Ports, type 3389.
  10. For Destination Type, select IP Address.
  11. For Destination, type the firewall public IP address that you noted previously.
  12. For Translated address, type the private IP address of Srv-Workload-01 that you noted previously.
  13. For Translated port, type 3389.
  14. Select Add.

Add a network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02.

  1. Select Add a rule collection.
  2. For Name, type vnet-rdp.
  3. For Rule collection type, select Network.
  4. For Priority, type 100.
  5. For the rule Name, type Allow-vnet.
  6. For Source type, select IP address.
  7. For Source, type *.
  8. For Protocol, select TCP.
  9. For Destination Ports, type 3389.
  10. For Destination Type, select IP Address.
  11. For Destination, type the Srv-Workload-02 private IP address that you noted previously.
  12. Select Add.
  13. Select Next: Threat intelligence.
  14. Select Next: Hubs.
  15. On the Hubs tab, select Associate virtual hubs.
  16. Select Hub-01 and then select Add.
  17. Select Review + create.
  18. Select Create.

This can take about five minutes or more to complete.
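The same Policy-01, with its three rule collections, can be built with the Az.Network PowerShell module instead of the portal. The following script is an added example and is not part of the tutorial or of Azure's own documentation; it assumes you have already run Connect-AzAccount with -Environment AzureChinaCloud, that the fw-manager resource group exists, and that the three IP address placeholders are replaced with the values you noted earlier. Note that the portal tutorial can give all three collections priority 100 because the portal places each rule type in its own default rule collection group; rule collection priorities must be unique within a group, so the script mirrors that layout with three groups.

```powershell
# Added example (not the tutorial's own code): recreate Policy-01 with Az.Network cmdlets.
# Assumes Connect-AzAccount -Environment AzureChinaCloud has been run and that the
# fw-manager resource group already exists.
$rg          = 'fw-manager'
$location    = 'chinaeast2'
$firewallPip = '<firewall-public-ip>'          # placeholder: Hub-01 public IP noted earlier
$workload01  = '<srv-workload-01-private-ip>'  # placeholder: Srv-Workload-01 private IP
$workload02  = '<srv-workload-02-private-ip>'  # placeholder: Srv-Workload-02 private IP

$policy = New-AzFirewallPolicy -Name 'Policy-01' -ResourceGroupName $rg -Location $location

# Application rule collection App-RC-01: allow HTTP/HTTPS to *.microsoft.com only.
$appRule = New-AzFirewallPolicyApplicationRule -Name 'Allow-msft' `
    -SourceAddress '*' -Protocol 'http:80', 'https:443' -TargetFqdn '*.microsoft.com'
$appRc = New-AzFirewallPolicyFilterRuleCollection -Name 'App-RC-01' -Priority 100 `
    -Rule $appRule -ActionType Allow

# DNAT rule collection DNAT-rdp: publish RDP on the firewall public IP and translate it
# to Srv-Workload-01. The VM itself keeps no public IP and no public inbound port rules.
$natRule = New-AzFirewallPolicyNatRule -Name 'Allow-rdp' -SourceAddress '*' -Protocol 'TCP' `
    -DestinationAddress $firewallPip -DestinationPort '3389' `
    -TranslatedAddress $workload01 -TranslatedPort '3389'
$natRc = New-AzFirewallPolicyNatRuleCollection -Name 'DNAT-rdp' -Priority 100 `
    -Rule $natRule -ActionType Dnat

# Network rule collection vnet-rdp: allow RDP to Srv-Workload-02 across the hub.
$netRule = New-AzFirewallPolicyNetworkRule -Name 'Allow-vnet' -SourceAddress '*' `
    -DestinationAddress $workload02 -DestinationPort '3389' -Protocol 'TCP'
$netRc = New-AzFirewallPolicyFilterRuleCollection -Name 'vnet-rdp' -Priority 100 `
    -Rule $netRule -ActionType Allow

# One rule collection group per rule type, matching the portal's default groups.
# Azure Firewall evaluates DNAT rules first, then network rules, then application rules.
New-AzFirewallPolicyRuleCollectionGroup -Name 'DnatRules' -Priority 100 `
    -RuleCollection $natRc -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'NetworkRules' -Priority 200 `
    -RuleCollection $netRc -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'ApplicationRules' -Priority 300 `
    -RuleCollection $appRc -FirewallPolicyObject $policy
```

The script only creates the policy; associating it with Hub-01 and switching the hub's security configuration to send Internet and private traffic through Azure Firewall are still the portal steps described in this tutorial. Because the application rule is the only rule that allows outbound web traffic, any FQDN other than *.microsoft.com falls through to the implicit deny, which is exactly what the test section later checks.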

Route traffic to your hub

Now you must ensure that network traffic gets routed through your firewall.

  1. From Firewall Manager, select Secured virtual hubs.
  2. Select Hub-01.
  3. Under Settings, select Security configuration.
  4. Under Internet traffic, select Azure Firewall.
  5. Under Private traffic, select Send via Azure Firewall.
  6. Verify that the hub-spoke connections show Internet Traffic as Secured.
  7. Select Save.

Test your firewall

To test your firewall rules, you'll connect a remote desktop using the firewall public IP address, which is NATed to Srv-Workload-01. From there you'll use a browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.

Test the application rule

Now, test the firewall rules to confirm that they work as expected.

  1. Connect a remote desktop to the firewall public IP address, and sign in.

  2. Open Internet Explorer and browse to https://www.microsoft.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Microsoft home page.

  4. Browse to https://www.baidu.com.

    You should be blocked by the firewall.

So now you've verified that the firewall application rule is working:

  • You can browse to the one allowed FQDN, but not to any others.

Test the network rule

Now test the network rule.

  • Open a remote desktop to the Srv-Workload-02 private IP address.

    A remote desktop should connect to Srv-Workload-02.

So now you've verified that the firewall network rule is working:

  • You can connect a remote desktop to a server located in another virtual network.
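The three manual checks above (the allowed FQDN loads, any other FQDN is blocked, and TCP 3389 to Srv-Workload-02 succeeds) can also be run as a script from the remote desktop session on Srv-Workload-01, which makes the result easy to repeat after a policy change. This is an added example, not part of the tutorial; the Srv-Workload-02 address is a placeholder for the private IP you noted earlier, and the function name Test-HttpsReachable is this example's own.

```powershell
# Added example (not the tutorial's own code): run inside the RDP session on Srv-Workload-01.
$workload02 = '<srv-workload-02-private-ip>'   # placeholder: Srv-Workload-02 private IP

# Returns $true when an HTTPS page loads through the firewall. Without TLS inspection the
# firewall does not answer a denied FQDN with an HTTP status; it drops the TLS session,
# which surfaces here as a connection error, so a caught exception means "blocked".
function Test-HttpsReachable {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        return $true
    } catch {
        return $false
    }
}

# Application rule App-RC-01: only *.microsoft.com is allowed outbound over HTTP/HTTPS.
$results = [ordered]@{
    'Allowed FQDN reachable (www.microsoft.com)' = Test-HttpsReachable 'https://www.microsoft.com'
    'Other FQDN blocked (www.baidu.com)'         = -not (Test-HttpsReachable 'https://www.baidu.com')
}

# Network rule vnet-rdp: TCP 3389 from Spoke-01 to Srv-Workload-02 in Spoke-02 via the hub.
$rdp = Test-NetConnection -ComputerName $workload02 -Port 3389 -WarningAction SilentlyContinue
$results['RDP port open on Srv-Workload-02'] = $rdp.TcpTestSucceeded

# One line per check; every value should read True if the policy and routing are correct.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

If the FQDN checks both come back False, the usual cause is that the hub's security configuration has not yet been saved with Internet traffic sent via Azure Firewall, so the spoke has no route to the Internet at all; if the RDP check is False while the FQDN checks pass, re-check that Private traffic is set to Send via Azure Firewall and that the vnet-rdp collection is associated with Hub-01.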

Clean up resources

When you're done testing your firewall resources, delete the fw-manager resource group to delete all firewall-related resources.

Next steps