Quickstart: Create an Azure Firewall with multiple public IP addresses - ARM template

This quickstart uses an Azure Resource Manager template (ARM template) to deploy an Azure Firewall with multiple public IP addresses from a public IP prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.

A Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

To learn more about Azure Firewall with multiple public IP addresses, see Deploy an Azure Firewall with multiple public IP addresses using Azure PowerShell.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.

Deploy to Azure

Prerequisites

Review the template

This template creates an Azure Firewall with two public IP addresses, along with the resources needed to support the Azure Firewall.

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": {
      "type": "String",
      "metadata": {
        "description": "Admin username for the backend servers"
      }
    },
    "adminPassword": {
      "type": "SecureString",
      "metadata": {
        "description": "Password for the admin account on the backend servers"
      }
    },
    "location": {
      "defaultValue": "[resourceGroup().location]",
      "type": "String",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "vmSize": {
      "defaultValue": "Standard_B2ms",
      "type": "String",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "virtualMachines_myVM_name": "myVM",
    "virtualNetworks_myVNet_name": "myVNet",
    "net_interface": "net-int",
    "ipconfig_name": "ipconfig",
    "ipprefix_name": "public_ip_prefix",
    "ipprefix_size": 31,
    "publicIPAddress": "public_ip",
    "nsg_name": "vm-nsg",
    "firewall_name": "FW-01",
    "vnet_prefix": "10.0.0.0/16",
    "fw_subnet_prefix": "10.0.0.0/24",
    "backend_subnet_prefix": "10.0.1.0/24",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets',variables('virtualNetworks_myVNet_name'), 'AzureFirewallSubnet')]",
    "azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": 2,
        "input": {
          "name": "[concat('IpConf', copyIndex('azureFirewallIpConfigurations',1))]",
          "properties": {
            "subnet": "[if(equals(copyIndex('azureFirewallIpConfigurations',1), 1), variables('azureFirewallSubnetJSON'), json('null'))]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPAddress'), copyIndex('azureFirewallIpConfigurations',1)))]"
            }
          }
        }
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('nsg_name'), copyIndex(1))]",
      "location": "[parameters('location')]",
      "copy": {
        "name": "nsg-loop",
        "count": 2
      },
      "properties": {
        "securityRules": [
          {
            "name": "RDP",
            "properties": {
              "protocol": "TCP",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 300,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2020-06-01",
      "type": "Microsoft.Network/publicIPPrefixes",
      "name": "[variables('ipprefix_name')]",
      "location": "[parameters('location')]",
      "properties": {
        "prefixLength": "[variables('ipprefix_size')]",
        "publicIPAddressVersion": "IPv4"
      },
      "sku": {
        "name": "Standard",
        "tier": "Regional"
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('publicIPAddress'), copyIndex(1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "copy": {
        "name": "publicip-loop",
        "count": 2
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPPrefixes', variables('ipprefix_name'))]"
      ],
      "properties": {
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Static",
        "publicIPPrefix": {
          "id": "[resourceId('Microsoft.Network/publicIPPrefixes',variables('ipprefix_name'))]"
        },
        "idleTimeoutInMinutes": 4
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "[variables('virtualNetworks_myVNet_name')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
      ],
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnet_prefix')]"
          ]
        },
        "subnets": [
          {
            "name": "myBackendSubnet",
            "properties": {
              "addressPrefix": "[variables('backend_subnet_prefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
              },
              "privateEndpointNetworkPolicies": "Enabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            }
          }
        ],
        "enableDdosProtection": false,
        "enableVmProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('virtualNetworks_myVNet_name'), '/AzureFirewallSubnet')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]"
      ],
      "properties": {
        "addressPrefix": "[variables('fw_subnet_prefix')]",
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('virtualMachines_myVM_name'), copyIndex(1))]",
      "location": "[parameters('location')]",
      "copy": {
        "name": "vm-loop",
        "count": 2
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('net_interface'), copyIndex(1)))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "StandardSSD_LRS"
            },
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "[concat(variables('virtualMachines_myVM_name'), copyIndex(1))]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true
          },
          "allowExtensionOperations": true
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('net_interface'), copyIndex(1)))]"
            }
          ]
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('net_interface'), copyIndex(1))]",
      "location": "[parameters('location')]",
      "copy": {
        "name": "int-loop",
        "count": 2
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworks_myVNet_name'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('nsg_name'), copyIndex(1)))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "[concat(variables('ipconfig_name'), copyIndex(1))]",
            "properties": {
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'myBackendSubnet')]"
              },
              "primary": true
            }
          }
        ],
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(variables('nsg_name'), copyIndex(1)))]"
        }
      }
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2020-06-01",
      "name": "[variables('firewall_name')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPAddress'), 1))]",
        "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPAddress'), 2))]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworks_myVNet_name'), 'AzureFirewallSubnet')]"
      ],
      "properties": {
        "sku": {
          "name": "AZFW_VNet",
          "tier": "Standard"
        },
        "threatIntelMode": "Alert",
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "web",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "wan-address",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "getmywanip.com"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                },
                {
                  "name": "qq",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "www.qq.com"
                  ],
                  "sourceAddresses": [
                    "10.0.1.0/24"
                  ]
                },
                {
                  "name": "wupdate",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "fqdnTags": [
                    "WindowsUpdate"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                }
              ]
            }
          }
        ],
        "natRuleCollections": [
          {
            "name": "Coll-01",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Dnat"
              },
              "rules": [
                {
                  "name": "rdp-01",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.4",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [ "[reference(resourceId('Microsoft.Network/publicIPAddresses/', concat(variables('publicIPAddress'), 1))).ipAddress]" ],
                  "destinationPorts": [
                    "3389"
                  ]
                },
                {
                  "name": "rdp-02",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.5",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [ "[reference(resourceId('Microsoft.Network/publicIPAddresses/', concat(variables('publicIPAddress'), 2))).ipAddress]" ],
                  "destinationPorts": [
                    "3389"
                  ]
                }
              ]
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-06-01",
      "name": "rt-01",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "fw",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.0.4"
            }
          }
        ]
      }
    }
  ]
}

Multiple Azure resources are defined in the template:

    • Microsoft.Network/networkSecurityGroups: one NSG per backend VM, each with an inbound rule allowing TCP 3389 (RDP)
    • Microsoft.Network/publicIPPrefixes: a /31 Standard SKU public IP prefix
    • Microsoft.Network/publicIPAddresses: two static Standard SKU public IP addresses allocated from the prefix
    • Microsoft.Network/virtualNetworks: the virtual network with the backend subnet
    • Microsoft.Network/virtualNetworks/subnets: the AzureFirewallSubnet
    • Microsoft.Compute/virtualMachines: two Windows Server 2019 virtual machines
    • Microsoft.Network/networkInterfaces: one network interface per VM
    • Microsoft.Network/azureFirewalls: the firewall, with its application rule collection and DNAT rule collection
    • Microsoft.Network/routeTables: a route table that sends 0.0.0.0/0 from the backend subnet to the firewall's private IP address

Deploy the template

Deploy the ARM template to Azure:

  1. Select Deploy to Azure to sign in to Azure and open the template. The template creates an Azure Firewall, the network infrastructure, and two virtual machines.

    Deploy to Azure

  2. In the portal, on the Create an Azure Firewall with multiple public IP addresses page, type or select the following values:

    • Subscription: Select from existing subscriptions
    • Resource group: Select from existing resource groups, or select Create new, and then select OK.
    • Location: Select a location
    • Admin Username: Type the username for the administrator user account
    • Admin Password: Type the administrator password or key
  3. Select I agree to the terms and conditions stated above, and then select Purchase. The deployment can take 10 minutes or longer to complete.
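The same deployment can be scripted with Azure PowerShell instead of the portal button, which is how you would run it from a pipeline or repeat it in several environments. The following script is an added example and is not part of the original quickstart or the Azure Quickstart Templates repository. It assumes the Az module is installed, Connect-AzAccount has already been run, the template above is saved locally as .\azuredeploy.json (placeholder path), and the resource group name and location are placeholders you replace. The password is prompted for as a SecureString rather than written into the script, and the template is validated before anything is created.

```powershell
# Added example (not part of the original quickstart): deploy the ARM template
# with Azure PowerShell. Assumes Az is installed and you are already signed in.
$rgName       = "<your resource group name>"   # placeholder
$location     = "eastus"                       # constructed sample value
$templateFile = ".\azuredeploy.json"           # placeholder path to the template above

# Prompt for the credentials instead of hard-coding them; adminPassword is a
# SecureString parameter in the template, so Read-Host -AsSecureString fits it.
$adminUser = Read-Host -Prompt "Admin username"
$adminPass = Read-Host -Prompt "Admin password" -AsSecureString

# Create (or reuse) the resource group that will hold everything the template creates.
New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# Template parameters; vmSize keeps the template default (Standard_B2ms).
$params = @{
    adminUsername = $adminUser
    adminPassword = $adminPass
    location      = $location
}

# Validate first: returns error objects if the template or parameters are invalid.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
    -TemplateFile $templateFile -TemplateParameterObject $params
if ($validation) {
    $validation | Format-List
    throw "Template validation failed; nothing was deployed."
}

# Deploy. This takes roughly as long as the portal deployment (10 minutes or more).
$deployment = New-AzResourceGroupDeployment -Name "fw-multi-pip" -ResourceGroupName $rgName `
    -TemplateFile $templateFile -TemplateParameterObject $params -Verbose

"Provisioning state: $($deployment.ProvisioningState)"
```

Test-AzResourceGroupDeployment catches schema and parameter mistakes (for example a missing adminUsername) before any billable resource is created; the deployment object returned at the end carries the ProvisioningState you would check in a script before continuing.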

Validate the deployment

In the Azure portal, review the deployed resources. Note the firewall public IP addresses.

Use Remote Desktop Connection to connect to the firewall public IP addresses. A successful connection demonstrates that the firewall NAT rules allow the connection to the backend servers.
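Before opening an RDP session, it is worth confirming from the deployed objects that each public IP really came from the prefix and that each DNAT rule maps the expected public IP to the expected backend VM. The following script is an added example, not part of the original quickstart; it uses the template's own resource names (FW-01, public_ip_prefix, public_ip1, public_ip2) and a placeholder resource group name, and it assumes the Az.Network module and an existing sign-in. It also flags DNAT rules whose source is "*", which is what the template deploys, so that you can narrow them to your management range after you have verified connectivity.

```powershell
# Added example (not part of the original quickstart): inspect the deployed
# firewall and check that its public IPs and DNAT rules match the template.
$rgName = "<your resource group name>"   # placeholder

# 1. The prefix the two public IPs were allocated from (template variable ipprefix_size = 31).
$prefix = Get-AzPublicIpPrefix -Name "public_ip_prefix" -ResourceGroupName $rgName
"Public IP prefix: $($prefix.IPPrefix)"

# 2. The two public IPs (template names public_ip1 and public_ip2) and their addresses.
$pips = @{}
foreach ($i in 1..2) {
    $pip = Get-AzPublicIpAddress -Name "public_ip$i" -ResourceGroupName $rgName
    $pips[$pip.Id] = $pip.IpAddress
    "{0,-12} {1,-16} from prefix: {2}" -f $pip.Name, $pip.IpAddress,
        ($null -ne $pip.PublicIpPrefix)
}

# 3. The firewall's IP configurations should reference exactly those public IPs.
$fw = Get-AzFirewall -Name "FW-01" -ResourceGroupName $rgName
foreach ($ipconf in $fw.IpConfigurations) {
    $addr = $pips[$ipconf.PublicIpAddress.Id]
    "{0,-10} private {1,-12} public {2}" -f $ipconf.Name, $ipconf.PrivateIPAddress, $addr
}

# 4. The DNAT rules: public IP:port -> backend VM:port, and who may use them.
foreach ($coll in $fw.NatRuleCollections) {
    foreach ($rule in $coll.Rules) {
        $dst = $rule.DestinationAddresses -join ','
        $src = $rule.SourceAddresses -join ','
        "{0}: {1}:{2} -> {3}:{4}  sources={5}" -f $rule.Name, $dst,
            ($rule.DestinationPorts -join ','), $rule.TranslatedAddress,
            $rule.TranslatedPort, $src
        if ($rule.SourceAddresses -contains '*') {
            Write-Warning "$($rule.Name) accepts connections from any source; restrict SourceAddresses to your management IP range once connectivity is verified."
        }
    }
}

# 5. Optional TCP-level reachability check of the first public IP on 3389 from this workstation.
$firstIp = (Get-AzPublicIpAddress -Name "public_ip1" -ResourceGroupName $rgName).IpAddress
Test-NetConnection -ComputerName $firstIp -Port 3389 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

The output should show the two firewall IP configurations bound to public_ip1 and public_ip2, and the rules rdp-01 and rdp-02 translating to 10.0.1.4 and 10.0.1.5 respectively; if the VMs received different private addresses, the DNAT translatedAddress values in the template are the first thing to correct.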

Clean up resources

When you no longer need the resources that you created with the firewall, delete the resource group. This removes the firewall and all the related resources.

To delete the resource group, call the Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name "<your resource group name>"

Next steps