快速入门:创建具有多个公共 IP 地址的 Azure 防火墙 - Bicep
在本快速入门中,你将使用 Bicep 文件部署具有来自公共 IP 前缀的多个公共 IP 地址的 Azure 防火墙。 部署的防火墙具有 NAT 规则收集规则,这些规则允许通过 RDP 连接与两个 Windows Server 2019 虚拟机进行连接。
Bicep 是一种特定于域的语言 (DSL),使用声明性语法来部署 Azure 资源。 它提供简明的语法、可靠的类型安全性以及对代码重用的支持。 Bicep 会针对你的 Azure 基础结构即代码解决方案提供最佳创作体验。
若要详细了解具有多个公共 IP 地址的 Azure 防火墙,请参阅使用 Azure PowerShell 部署具有多个公共 IP 地址的 Azure 防火墙。
先决条件
- 具有活动订阅的 Azure 帐户。 创建试用版订阅。
查阅 Bicep 文件
此 Bicep 文件创建具有两个公共 IP 地址的 Azure 防火墙,以及用于支持 Azure 防火墙的必要资源。
本快速入门中使用的 Bicep 文件来自 Azure 快速入门模板。
@description('Admin username for the backend servers')
param adminUsername string
@description('Password for the admin account on the backend servers')
@secure()
param adminPassword string
@description('Location for all resources.')
param location string = resourceGroup().location
@description('Size of the virtual machine.')
param vmSize string = 'Standard_B2ms'
var virtualMachineName = 'myVM'
var virtualNetworkName = 'myVNet'
var networkInterfaceName = 'net-int'
var ipConfigName = 'ipconfig'
var ipPrefixName = 'public_ip_prefix'
var ipPrefixSize = 31
var publicIpAddressName = 'public_ip'
var nsgName = 'vm-nsg'
var firewallName = 'FW-01'
var vnetPrefix = '10.0.0.0/16'
var fwSubnetPrefix = '10.0.0.0/24'
var backendSubnetPrefix = '10.0.1.0/24'
var azureFirewallSubnetId = subnet.id
var azureFirewallIpConfigurations = [for i in range(0, 2): {
name: 'IpConf${(i + 1)}'
properties: {
subnet: ((i == 0) ? json('{"id": "${azureFirewallSubnetId}"}') : null)
publicIPAddress: {
id: publicIPAddress[i].id
}
}
}]
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = [for i in range(0, 2): {
name: '${nsgName}${i + 1}'
location: location
properties: {
securityRules: [
{
name: 'RDP'
properties: {
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '3389'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
access: 'Allow'
priority: 300
direction: 'Inbound'
}
}
]
}
}]
resource ipprefix 'Microsoft.Network/publicIPPrefixes@2023-09-01' = {
name: ipPrefixName
location: location
properties: {
prefixLength: ipPrefixSize
publicIPAddressVersion: 'IPv4'
}
sku: {
name: 'Standard'
}
}
resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, 2): {
name: '${publicIpAddressName}${i + 1}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAddressVersion: 'IPv4'
publicIPAllocationMethod: 'Static'
publicIPPrefix: {
id: ipprefix.id
}
idleTimeoutInMinutes: 4
}
}]
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
name: virtualNetworkName
location: location
properties: {
addressSpace: {
addressPrefixes: [
vnetPrefix
]
}
subnets: [
{
name: 'myBackendSubnet'
properties: {
addressPrefix: backendSubnetPrefix
routeTable: {
id: routeTable.id
}
privateEndpointNetworkPolicies: 'Enabled'
privateLinkServiceNetworkPolicies: 'Enabled'
}
}
]
enableDdosProtection: false
enableVmProtection: false
}
}
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
parent: virtualNetwork
name: 'AzureFirewallSubnet'
properties: {
addressPrefix: fwSubnetPrefix
privateEndpointNetworkPolicies: 'Enabled'
privateLinkServiceNetworkPolicies: 'Enabled'
}
}
resource virtualMachine 'Microsoft.Compute/virtualMachines@2023-09-01' = [for i in range(0, 2): {
name: '${virtualMachineName}${i+1}'
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'MicrosoftWindowsServer'
offer: 'WindowsServer'
sku: '2019-Datacenter'
version: 'latest'
}
osDisk: {
osType: 'Windows'
createOption: 'FromImage'
caching: 'ReadWrite'
managedDisk: {
storageAccountType: 'StandardSSD_LRS'
}
diskSizeGB: 127
}
}
osProfile: {
computerName: '${virtualMachineName}${i+1}'
adminUsername: adminUsername
adminPassword: adminPassword
windowsConfiguration: {
provisionVMAgent: true
enableAutomaticUpdates: true
}
allowExtensionOperations: true
}
networkProfile: {
networkInterfaces: [
{
id: netInterface[i].id
}
]
}
}
}]
resource netInterface 'Microsoft.Network/networkInterfaces@2023-09-01' = [for i in range(0, 2): {
name: '${networkInterfaceName}${i + 1}'
location: location
properties: {
ipConfigurations: [
{
name: '${ipConfigName}${i + 1}'
properties: {
subnet: {
id: virtualNetwork.properties.subnets[0].id
}
primary: true
}
}
]
enableAcceleratedNetworking: false
enableIPForwarding: false
networkSecurityGroup: {
id: nsg[i].id
}
}
}]
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
name: firewallName
location: location
properties: {
sku: {
name: 'AZFW_VNet'
tier: 'Standard'
}
threatIntelMode: 'Deny'
ipConfigurations: azureFirewallIpConfigurations
applicationRuleCollections: [
{
name: 'web'
properties: {
priority: 100
action: {
type: 'Allow'
}
rules: [
{
name: 'wan-address'
protocols: [
{
protocolType: 'Http'
port: 80
}
{
protocolType: 'Https'
port: 443
}
]
targetFqdns: [
'getmywanip.com'
]
sourceAddresses: [
'*'
]
}
{
name: 'qq'
protocols: [
{
protocolType: 'Http'
port: 80
}
{
protocolType: 'Https'
port: 443
}
]
targetFqdns: [
'www.baidu.com'
]
sourceAddresses: [
'10.0.1.0/24'
]
}
{
name: 'wupdate'
protocols: [
{
protocolType: 'Http'
port: 80
}
{
protocolType: 'Https'
port: 443
}
]
fqdnTags: [
'WindowsUpdate'
]
sourceAddresses: [
'*'
]
}
]
}
}
]
natRuleCollections: [
{
name: 'Coll-01'
properties: {
priority: 100
action: {
type: 'Dnat'
}
rules: [
{
name: 'rdp-01'
protocols: [
'TCP'
]
translatedAddress: '10.0.1.4'
translatedPort: '3389'
sourceAddresses: [
'*'
]
destinationAddresses: [
publicIPAddress[0].properties.ipAddress
]
destinationPorts: [
'3389'
]
}
{
name: 'rdp-02'
protocols: [
'TCP'
]
translatedAddress: '10.0.1.5'
translatedPort: '3389'
sourceAddresses: [
'*'
]
destinationAddresses: [
publicIPAddress[1].properties.ipAddress
]
destinationPorts: [
'3389'
]
}
]
}
}
]
}
}
resource routeTable 'Microsoft.Network/routeTables@2023-09-01' = {
name: 'rt-01'
location: location
properties: {
disableBgpRoutePropagation: false
routes: [
{
name: 'fw'
properties: {
addressPrefix: '0.0.0.0/0'
nextHopType: 'VirtualAppliance'
nextHopIpAddress: '10.0.0.4'
}
}
]
}
}
output name string = firewall.name
output resourceId string = firewall.id
output location string = location
output resourceGroupName string = resourceGroup().name
模板中定义了多个 Azure 资源:
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/publicIPPrefix
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/virtualNetworks
- Microsoft.Compute/virtualMachines
- Microsoft.Storage/storageAccounts
- Microsoft.Network/networkInterfaces
- Microsoft.Network/azureFirewalls
- Microsoft.Network/routeTables
部署 Bicep 文件
将该 Bicep 文件另存为本地计算机上的 main.bicep。
使用 Azure CLI 或 Azure PowerShell 来部署该 Bicep 文件。
az group create --name exampleRG --location chinaeast az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-username>
注意
将 <admin-username> 替换为后端服务器的管理员用户名。
系统将提示你输入管理员密码。
部署完成后,应会看到一条指出部署成功的消息。
验证部署
在 Azure 门户中,查看已部署的资源。 记下防火墙公共 IP 地址。
使用“远程桌面连接”连接到防火墙公共 IP 地址。 成功的连接演示了允许连接到后端服务器的防火墙 NAT 规则。
清理资源
如果不再需要为防火墙创建的资源,请删除资源组。 这会删除该防火墙和所有相关资源。
若要删除资源组,请调用 Remove-AzResourceGroup
cmdlet:
Remove-AzResourceGroup -Name "exampleRG"