在本快速入门中,你将使用 Bicep 文件部署 Azure 防火墙,其中包含在网络规则和应用程序规则中使用的示例 IP 组。 IP 组是顶级资源,可用于定义 IP 地址、范围与子网并将其组合到单个对象中。 IP 组对于管理 Azure 防火墙规则中的 IP 地址很有用。 可以手动输入 IP 地址,或者从文件导入。
Bicep 是一种特定于域的语言 (DSL),使用声明性语法来部署 Azure 资源。 它提供简明的语法、可靠的类型安全性以及对代码重用的支持。 Bicep 会针对你的 Azure 基础结构即代码解决方案提供最佳创作体验。
- 具有活动订阅的 Azure 帐户。 创建试用版订阅。
此 Bicep 文件将创建 Azure 防火墙和 IP 组,以及为 Azure 防火墙提供支持所需的资源(虚拟网络、路由表、网络安全组、跳转机 VM 和服务器 VM 等)。 请注意:模板中跳转机 NSG 的规则允许来自任意源地址(`*`)的 SSH(TCP 22)入站流量,这仅适用于快速入门演示;在任何生产环境中,请将该规则的 `sourceAddressPrefix` 限制为管理员的 IP 范围,或者移除跳转机的公共 IP 并改用 Azure Bastion 等方式访问。
本快速入门中使用的 Bicep 文件来自 Azure 快速入门模板。
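@description('Virtual network name.')
param virtualNetworkName string = 'vnet${uniqueString(resourceGroup().id)}'

@description('Name of the first IP group (used as a source in the firewall rules).')
param ipgroups_name1 string = 'ipgroup1${uniqueString(resourceGroup().id)}'

@description('Name of the second IP group (used as a source and as a destination in the firewall rules).')
param ipgroups_name2 string = 'ipgroup2${uniqueString(resourceGroup().id)}'

@description('Username for the Virtual Machine.')
param adminUsername string

@description('Location for all resources.')
param location string = resourceGroup().location

// The original description ('Zone numbers e.g. 1,2,3.') did not describe this parameter.
@description('Size of the jump box and server virtual machines.')
param vmSize string = 'Standard_D2s_v3'

@description('Number of public IP addresses for the Azure Firewall')
@minValue(1)
@maxValue(100)
param numberOfFirewallPublicIPAddresses int = 1

@description('Type of authentication to use on the Virtual Machine. SSH key is recommended.')
@allowed([
  'sshPublicKey'
  'password'
])
param authenticationType string = 'sshPublicKey'

// @secure() keeps the value out of the deployment history and deployment logs.
@description('SSH Key or password for the Virtual Machine. SSH key is recommended.')
@secure()
param adminPasswordOrKey string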
// Address plan: one /16 VNet split into three /24 subnets.
var vnetAddressPrefix = '10.0.0.0/16'
var serversSubnetPrefix = '10.0.2.0/24'
var azureFirewallSubnetPrefix = '10.0.1.0/24'
var jumpboxSubnetPrefix = '10.0.0.0/24'
// Next hop for the servers' default route (see azfwRouteTable). Hard-coded to
// the first assignable address of AzureFirewallSubnet (10.0.1.0/24), where the
// firewall's private IP is expected to land. It cannot be read from the
// firewall resource: the route table is referenced by the VNet's subnet and
// the firewall depends on the VNet, so that would be a circular dependency.
var nextHopIP = '10.0.1.4'
// Azure Firewall requires its subnet to carry exactly this name.
var azureFirewallSubnetName = 'AzureFirewallSubnet'
var jumpBoxSubnetName = 'JumpboxSubnet'
var serversSubnetName = 'ServersSubnet'
var jumpBoxPublicIPAddressName = 'JumpHostPublicIP'
var jumpBoxNsgName = 'JumpHostNSG'
var jumpBoxNicName = 'JumpHostNic'
var jumpBoxSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, jumpBoxSubnetName)
var serverNicName = 'ServerNic'
var serverSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, serversSubnetName)
// Boot-diagnostics storage; account names must be globally unique, hence uniqueString().
var storageAccountName = '${uniqueString(resourceGroup().id)}sajumpbox'
var azfwRouteTableName = 'AzfwRouteTable'
var firewallName = 'firewall1'
var publicIPNamePrefix = 'publicIP'
var azureFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, azureFirewallSubnetName)
// OS profile applied when authenticationType is not 'password' (see the VM
// resources): password logins are disabled and adminPasswordOrKey is installed
// as the admin user's authorized SSH key. OS patching is delegated to the platform.
var linuxConfiguration = {
disablePasswordAuthentication: true
ssh: {
publicKeys: [
{
path: '/home/${adminUsername}/.ssh/authorized_keys'
keyData: adminPasswordOrKey
}
]
}
patchSettings: {
patchMode: 'AutomaticByPlatform'
}
}
var networkSecurityGroupName = '${serversSubnetName}-nsg'
// One firewall ipConfiguration per public IP. Only the first (i == 0) binds the
// AzureFirewallSubnet; the additional ones must carry just their public IP.
// publicIP[i] is the publicIPAddresses resource loop declared further down.
var azureFirewallIpConfigurations = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: 'IpConf${i}'
properties: {
subnet: {
id: (i == 0) ? azureFirewallSubnetId : null
}
publicIPAddress: {
id: publicIP[i].id
}
}
}]
// Sample IP group referenced as a *source* by both application rules and the
// network rule of the firewall below. The prefixes are placeholder sample data
// from the quickstart template; replace them with the real client ranges.
resource ipgroup1 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name1
location: location
properties: {
ipAddresses: [
'13.73.64.64/26'
'13.73.208.128/25'
'52.126.194.0/23'
]
}
}
// Sample IP group used as a *source* in the second application rule and as the
// *destination* of the network rule. Placeholder sample prefixes; replace before use.
resource ipgroup2 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name2
location: location
properties: {
ipAddresses: [
'12.0.0.0/24'
'13.9.0.0/24'
]
}
}
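// Storage account that receives the boot diagnostics of both VMs
// (see diagnosticsProfile.bootDiagnostics.storageUri on JumpBoxVm and ServerVm).
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    // Hardening over the original empty properties block. Boot diagnostics only
    // needs the blob endpoint, so nothing here requires anonymous access or
    // legacy TLS; make the secure settings explicit rather than relying on
    // platform defaults.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}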
// Route table attached to ServersSubnet (see the virtualNetwork resource):
// forces all Internet-bound traffic from the servers through the firewall by
// sending the default route to the firewall's private IP (nextHopIP).
// disableBgpRoutePropagation is left false, so routes learned via a virtual
// network gateway (if one were added) would still be propagated to this subnet.
resource azfwRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
name: azfwRouteTableName
location: location
properties: {
disableBgpRoutePropagation: false
routes: [
{
name: 'AzfwDefaultRoute'
properties: {
addressPrefix: '0.0.0.0/0'
nextHopType: 'VirtualAppliance'
nextHopIpAddress: nextHopIP
}
}
]
}
}
// NSG for ServersSubnet (attached in the virtualNetwork resource). It declares
// no custom rules, so only the platform default rules apply (VNet-internal
// traffic allowed, inbound from the Internet denied). The server VM has no
// public IP, so the jump box is the only intended path to it.
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: networkSecurityGroupName
location: location
properties: {}
}
// Hub-style VNet with three subnets:
//   - JumpboxSubnet: no subnet-level NSG or route table; the jump box's NSG is
//     attached at the NIC instead (see JumpBoxNic).
//   - AzureFirewallSubnet: reserved for the firewall (name is mandated by Azure).
//   - ServersSubnet: default route forced through the firewall (azfwRouteTable)
//     and protected by networkSecurityGroup.
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
name: virtualNetworkName
location: location
tags: {
displayName: virtualNetworkName
}
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: jumpBoxSubnetName
properties: {
addressPrefix: jumpboxSubnetPrefix
}
}
{
name: azureFirewallSubnetName
properties: {
addressPrefix: azureFirewallSubnetPrefix
}
}
{
name: serversSubnetName
properties: {
addressPrefix: serversSubnetPrefix
routeTable: {
id: azfwRouteTable.id
}
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
]
}
}
// Public IPs for the firewall, one per requested address (publicIP1, publicIP2, ...).
// Azure Firewall requires Standard-SKU, statically allocated addresses; they are
// consumed by azureFirewallIpConfigurations via publicIP[i].id.
resource publicIP 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: '${publicIPNamePrefix}${i + 1}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
publicIPAddressVersion: 'IPv4'
}
}]
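// Public IP of the jump box (the only VM in this template reachable from the
// Internet). Uses the Standard SKU for consistency with the firewall public IPs
// above: Standard addresses are closed to inbound traffic until an NSG rule
// allows it (here jumpBoxNsg on the NIC), and the Basic SKU the original
// implied (no sku block, Dynamic allocation) is scheduled for retirement.
// Standard SKU requires Static allocation.
resource jumpBoxPublicIPAddress 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: jumpBoxPublicIPAddressName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
  }
}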
// NSG attached to the jump box NIC (see JumpBoxNic.networkSecurityGroup).
// SECURITY (review): the single rule below allows TCP/22 from ANY source ('*')
// to the jump box's public address, i.e. SSH is reachable from the entire
// Internet. That is tolerable only for a throw-away quickstart. Before any real
// use, set sourceAddressPrefix to the administrators' CIDR (or use
// sourceAddressPrefixes for a list), or drop the public IP altogether and reach
// the jump box through Azure Bastion / just-in-time access. Password logins are
// disabled by linuxConfiguration when the default 'sshPublicKey' mode is used,
// which limits but does not remove the exposure.
resource jumpBoxNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: jumpBoxNsgName
location: location
properties: {
securityRules: [
{
name: 'myNetworkSecurityGroupRuleSSH'
properties: {
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '22'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
access: 'Allow'
priority: 1000
direction: 'Inbound'
}
}
]
}
}
// NIC of the jump box: dynamic private IP in JumpboxSubnet, the jump box public
// IP, and jumpBoxNsg bound at the NIC level (the subnet itself has no NSG).
// jumpBoxSubnetId is built with resourceId(), so the dependency on the VNet is
// declared explicitly via dependsOn.
resource JumpBoxNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: jumpBoxNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: jumpBoxPublicIPAddress.id
}
subnet: {
id: jumpBoxSubnetId
}
}
}
]
networkSecurityGroup: {
id: jumpBoxNsg.id
}
}
dependsOn: [
virtualNetwork
]
}
// NIC of the workload server: private IP only (no public address) in
// ServersSubnet, whose default route goes to the firewall. Explicit dependsOn
// because serverSubnetId is a resourceId() string, not a symbolic reference.
resource ServerNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: serverNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: serverSubnetId
}
}
}
]
}
dependsOn: [
virtualNetwork
]
}
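// Jump box VM: the administrative entry point into the VNet.
// adminPasswordOrKey is passed as adminPassword in both authentication modes
// (the pattern of the upstream quickstart template); in the default
// 'sshPublicKey' mode linuxConfiguration disables password authentication and
// installs the same value as the authorized SSH key, so the password path is
// unusable. Boot diagnostics are written to storageAccount.
// NOTE(review): the 18.04-LTS Ubuntu image is past Canonical's standard support
// window; move to a currently supported LTS image before any real use.
resource JumpBoxVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: 'JumpBox'
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'Canonical'
        offer: 'UbuntuServer'
        sku: '18.04-LTS'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
      }
    }
    osProfile: {
      computerName: 'JumpBox'
      adminUsername: adminUsername
      adminPassword: adminPasswordOrKey
      // Use the Bicep null literal, consistent with ServerVm, instead of the
      // ARM-style json('null') workaround.
      linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: JumpBoxNic.id
        }
      ]
    }
    diagnosticsProfile: {
      bootDiagnostics: {
        enabled: true
        storageUri: storageAccount.properties.primaryEndpoints.blob
      }
    }
  }
}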
// Workload server VM. Same image, size and credentials as the jump box, but it
// has no public IP: inbound access is only via the jump box, and all outbound
// Internet traffic leaves through the firewall (ServersSubnet default route).
// adminPasswordOrKey doubles as adminPassword and, in 'sshPublicKey' mode, as the
// authorized key with password logins disabled (upstream quickstart pattern).
// NOTE(review): the 18.04-LTS Ubuntu image is past Canonical's standard support
// window; move to a currently supported LTS image before any real use.
resource ServerVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
name: 'Server'
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'Canonical'
offer: 'UbuntuServer'
sku: '18.04-LTS'
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
}
}
osProfile: {
computerName: 'Server'
adminUsername: adminUsername
adminPassword: adminPasswordOrKey
linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
}
networkProfile: {
networkInterfaces: [
{
id: ServerNic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
}
}
// Azure Firewall with classic (firewall-scoped) rule collections that
// demonstrate IP groups as rule sources and destinations.
// Review notes:
//   - No sku or threatIntelMode is set, so platform defaults apply; consider
//     pinning them explicitly (e.g. threat-intel 'Deny') for anything beyond a demo.
//   - Rule collections are inline; for reuse across firewalls a Firewall Policy
//     is the recommended vehicle.
//   - The dependsOn on publicIP is redundant: azureFirewallIpConfigurations
//     already references publicIP[i].id, which creates the dependency implicitly.
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
name: firewallName
location: location
dependsOn: [
virtualNetwork
publicIP
]
properties: {
ipConfigurations: azureFirewallIpConfigurations
// Application (L7/FQDN) rules, evaluated after network rules.
applicationRuleCollections: [
{
name: 'appRc1'
properties: {
priority: 101
action: {
type: 'Allow'
}
rules: [
{
// Sample rule. NOTE(review): the FQDN pattern has no dot after the
// wildcard, so it is broader than '*.bing.com' — confirm it matches only
// the intended hosts before reusing it.
name: 'someAppRule'
protocols: [
{
protocolType: 'Http'
port: 8080
}
]
targetFqdns: [
'*bing.com'
]
sourceIpGroups: [
ipgroup1.id
]
}
{
// Allows SQL traffic from both IP groups to one logical SQL server;
// environment().suffixes keeps the hostname correct per Azure cloud.
name: 'someOtherAppRule'
protocols: [
{
protocolType: 'Mssql'
port: 1433
}
]
targetFqdns: [
'sql1${environment().suffixes.sqlServerHostname}'
]
sourceIpGroups: [
ipgroup1.id
ipgroup2.id
]
}
]
}
}
]
// Network (L3/L4) rules. Sources combine literal addresses with ipgroup1;
// the destination is ipgroup2.
networkRuleCollections: [
{
name: 'netRc1'
properties: {
priority: 200
action: {
type: 'Allow'
}
rules: [
{
// Sample values throughout. NOTE(review): '10.0.0.0' without a prefix
// length is a single host, which looks unintended — presumably a range
// such as the jump box subnet was meant; confirm before reuse.
name: 'networkRule'
description: 'desc1'
protocols: [
'UDP'
'TCP'
'ICMP'
]
sourceAddresses: [
'10.0.0.0'
'111.1.0.0/23'
]
sourceIpGroups: [
ipgroup1.id
]
destinationIpGroups: [
ipgroup2.id
]
destinationPorts: [
'90'
]
}
]
}
}
]
}
}
// Deployment outputs: where the firewall landed and how to reference it.
// No secrets are emitted; adminPasswordOrKey stays @secure() and is never output.
output location string = location
output name string = firewall.name
output resourceGroupName string = resourceGroup().name
output resourceId string = firewall.id
该 Bicep 文件中定义了多个 Azure 资源:
- Microsoft.Network/ipGroups
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
将该 Bicep 文件另存为本地计算机上的 main.bicep。
使用 Azure CLI 或 Azure PowerShell 来部署该 Bicep 文件。
az group create --name exampleRG --location chinaeast
az deployment group create --resource-group exampleRG --template-file main.bicep
系统将提示你输入以下值:
- 管理员用户名:键入管理员用户帐户的用户名
- 管理员密码或密钥 (adminPasswordOrKey):authenticationType 默认为 sshPublicKey,此时请粘贴 SSH 公钥;仅当显式将 authenticationType 设为 password 时才键入管理员密码。 该参数已标记为 @secure(),不会记录在部署历史记录中。
部署完成后,应会看到一条指出部署成功的消息。
使用 Azure 门户、Azure CLI 或 Azure PowerShell 验证部署并查看已部署的资源。
az resource list --resource-group exampleRG
若要了解 Bicep 文件中防火墙的 Bicep 语法和属性,请参阅 Microsoft.Network azureFirewalls 模板参考。
如果不再需要资源,请使用 Azure 门户、Azure CLI 或 Azure PowerShell 删除资源组、防火墙和所有相关资源。
az group delete --name exampleRG