快速入门:部署具有可用性区域的 Azure 防火墙 - ARM 模板
在本快速入门中,使用 Azure 资源管理器模板(ARM 模板)在三个可用性区域中部署 Azure 防火墙。
资源管理器模板是定义项目基础结构和配置的 JavaScript 对象表示法 (JSON) 文件。 模板使用声明性语法。 在声明性语法中,你可以在不编写创建部署的编程命令序列的情况下,描述预期部署。
此模板创建带防火墙的测试网络环境。 网络具有一个虚拟网络 (VNet),其中包含三个子网:AzureFirewallSubnet、ServersSubnet 和 JumpboxSubnet。 ServersSubnet 和 JumpboxSubnet 子网均包含一个单个、双核 Windows Server 虚拟机。
防火墙在 AzureFirewallSubnet 子网中,并配置有一个应用程序规则集合,其中包含允许访问 www.microsoft.com 的单个规则。
用户定义的一个路由,它引导来自 ServersSubnet 子网的网络流量穿过应用了防火墙规则的防火墙。
有关 Azure 防火墙的详细信息,请参阅使用 Azure 门户部署和配置 Azure 防火墙。
如果你的环境满足先决条件,并且你熟悉如何使用 ARM 模板,请选择“部署到 Azure”按钮。 Azure 门户中会打开模板。
先决条件
- 具有活动订阅的 Azure 帐户。 创建试用版订阅。
查看模板
此模板创建具有可用性区域的 Azure 防火墙,以及用于支持 Azure 防火墙的必要资源。
本快速入门中使用的模板来自 Azure 快速启动模板。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "test-vnet",
"metadata": {
"description": "virtual network name"
}
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"availabilityZones": {
"type": "array",
"defaultValue": [
"1",
"2",
"3"
],
"metadata": {
"description": "Zone numbers e.g. 1,2,3."
}
},
"numberOfFirewallPublicIPAddresses": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 100,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"jumpBoxSize": {
"type": "string",
"defaultValue": "Standard_A2_v2",
"metadata": {
"description": "Size of the virtual machine."
}
},
"serverSize": {
"type": "string",
"defaultValue": "Standard_A2_v2",
"metadata": {
"description": "Size of the virtual machine."
}
}
},
"variables": {
"vnetAddressPrefix": "10.0.0.0/16",
"serversSubnetPrefix": "10.0.2.0/24",
"azureFirewallSubnetPrefix": "10.0.1.0/24",
"jumpboxSubnetPrefix": "10.0.0.0/24",
"nextHopIP": "10.0.1.4",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"jumpBoxSubnetName": "JumpboxSubnet",
"serversSubnetName": "ServersSubnet",
"jumpBoxPublicIPAddressName": "JumpHostPublicIP",
"jumpBoxNsgName": "JumpHostNSG",
"jumpBoxNicName": "JumpHostNic",
"jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
"serverNicName": "ServerNic",
"serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
"storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sajumpbox')]",
"azfwRouteTableName": "AzfwRouteTable",
"firewallName": "firewall1",
"publicIPNamePrefix": "publicIP",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets',parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[parameters('numberOfFirewallPublicIPAddresses')]",
"input": {
"name": "[concat('IpConf', copyIndex('azureFirewallIpConfigurations'))]",
"properties": {
"subnet": "[if(equals(copyIndex('azureFirewallIpConfigurations'), 0), variables('azureFirewallSubnetJSON'), json('null'))]",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPNamePrefix'), add(copyIndex('azureFirewallIpConfigurations'), 1)))]"
}
}
}
}
],
"networkSecurityGroupName": "[concat(variables('serversSubnetName'), '-nsg')]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {}
},
{
"type": "Microsoft.Network/routeTables",
"apiVersion": "2020-06-01",
"name": "[variables('azfwRouteTableName')]",
"location": "[parameters('location')]",
"properties": {
"disableBgpRoutePropagation": false,
"routes": [
{
"name": "AzfwDefaultRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[variables('nextHopIP')]"
}
}
]
}
},
{
"comments": "Simple Network Security Group for subnet [variables('serversSubnetName')]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-06-01",
"name": "[variables('networkSecurityGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2020-06-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
],
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('jumpBoxSubnetName')]",
"properties": {
"addressPrefix": "[variables('jumpboxSubnetPrefix')]"
}
},
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
},
{
"name": "[variables('serversSubnetName')]",
"properties": {
"addressPrefix": "[variables('serversSubnetPrefix')]",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
},
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
}
}
}
]
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-06-01",
"name": "[concat(variables('publicIPNamePrefix'), add(copyIndex(), 1))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"copy": {
"name": "publicIpCopy",
"count": "[parameters('numberOfFirewallPublicIPAddresses')]"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2020-06-01",
"name": "[variables('jumpBoxPublicIPAddressName')]",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic"
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-06-01",
"name": "[variables('jumpBoxNsgName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "myNetworkSecurityGroupRuleRDP",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1000,
"direction": "Inbound"
}
}
]
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-06-01",
"name": "[variables('JumpBoxNicName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses/', variables('jumpBoxPublicIPAddressName'))]",
"[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('jumpBoxPublicIPAddressName'))]"
},
"subnet": {
"id": "[variables('jumpBoxSubnetId')]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
}
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2020-06-01",
"name": "[variables('ServerNicName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('serverSubnetId')]"
}
}
}
]
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-06-01",
"name": "JumpBox",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
"[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('jumpBoxSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"createOption": "FromImage",
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "JumpBox",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
}
}
}
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2020-06-01",
"name": "Server",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
"[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
],
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('serverSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"createOption": "FromImage",
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "Server",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
}
}
}
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2020-06-01",
"name": "[variables('firewallName')]",
"location": "[parameters('location')]",
"zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"publicIpCopy"
],
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"applicationRuleCollections": [
{
"name": "appRc1",
"properties": {
"priority": 101,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "appRule1",
"protocols": [
{
"port": 80,
"protocolType": "http"
},
{
"port": 443,
"protocolType": "https"
}
],
"targetFqdns": [
"www.microsoft.com"
],
"sourceAddresses": [
"10.0.2.0/24"
]
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netRc1",
"properties": {
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "netRule1",
"protocols": [
"TCP"
],
"sourceAddresses": [
"10.0.2.0/24"
],
"destinationAddresses": [
"*"
],
"destinationPorts": [
"8000-8999"
]
}
]
}
}
]
}
}
]
}
模板中定义了多个 Azure 资源:
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
部署模板
将 ARM 模板部署到 Azure:
选择“部署到 Azure”,登录到 Azure 并打开模板。 该模板将创建 Azure 防火墙、网络基础结构和两个虚拟机。
在门户中的“创建具有区域的 Azure 防火墙的沙盒设置”页上,键入或选择以下值:
- 资源组:选择“新建”,键入资源组的名称,然后选择“确定”。
- 虚拟网络名称:键入新 VNet 的名称。
- 管理员用户名:键入管理员用户帐户的用户名。
- 管理员密码:键入管理员密码。
阅读条款和条件,选择“我同意上述条款和条件”,然后选择“购买”。 部署可能需要 10 分钟或更长时间才能完成。
查看已部署的资源
浏览使用防火墙创建的资源。
若要了解模板中防火墙的 JSON 语法和属性,请参阅 Microsoft.Network/azureFirewalls。
清理资源
当不再需要这些资源时,可以通过运行 PowerShell 命令 Remove-AzResourceGroup 来删除资源组、防火墙和所有相关的资源。 若要删除名为 MyResourceGroup 的资源组,请运行:
Remove-AzResourceGroup -Name MyResourceGroup
如果计划继续学习防火墙监视教程,请不要删除资源组和防火墙。
后续步骤
接下来,可以监视 Azure 防火墙日志。