快速入门:创建具有多个公共 IP 地址的 Azure 防火墙 - ARM 模板

本快速入门使用 Azure 资源管理器模板(ARM 模板)从公共 IP 前缀部署具有多个公共 IP 地址的 Azure 防火墙。 部署的防火墙具有 NAT 规则收集规则,这些规则允许通过 RDP 连接与两个 Windows Server 2019 虚拟机进行连接。

Azure 资源管理器模板是定义项目基础结构和配置的 JavaScript 对象表示法 (JSON) 文件。 模板使用声明性语法。 你可以在不编写用于创建部署的编程命令序列的情况下,描述预期部署。

若要详细了解具有多个公共 IP 地址的 Azure 防火墙,请参阅使用 Azure PowerShell 部署具有多个公共 IP 地址的 Azure 防火墙

如果你的环境满足先决条件,并且你熟悉如何使用 ARM 模板,请选择“部署到 Azure”按钮。 Azure 门户中会打开模板。

部署到 Azure

先决条件

查看模板

此模板创建具有两个公共 IP 地址的 Azure 防火墙,以及用于支持 Azure 防火墙的必要资源。

本快速入门中使用的模板来自 Azure 快速启动模板

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.26.54.24096",
      "templateHash": "8395247770070350203"
    }
  },
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Admin username for the backend servers"
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the admin account on the backend servers"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_B2ms",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": "[length(range(0, 2))]",
        "input": {
          "name": "[format('IpConf{0}', add(range(0, 2)[copyIndex('azureFirewallIpConfigurations')], 1))]",
          "properties": {
            "subnet": "[if(equals(range(0, 2)[copyIndex('azureFirewallIpConfigurations')], 0), json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId'))), null())]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[range(0, 2)[copyIndex('azureFirewallIpConfigurations')]], 1)))]"
            }
          }
        }
      }
    ],
    "virtualMachineName": "myVM",
    "virtualNetworkName": "myVNet",
    "networkInterfaceName": "net-int",
    "ipConfigName": "ipconfig",
    "ipPrefixName": "public_ip_prefix",
    "ipPrefixSize": 31,
    "publicIpAddressName": "public_ip",
    "nsgName": "vm-nsg",
    "firewallName": "FW-01",
    "vnetPrefix": "10.0.0.0/16",
    "fwSubnetPrefix": "10.0.0.0/24",
    "backendSubnetPrefix": "10.0.1.0/24",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), 'AzureFirewallSubnet')]"
  },
  "resources": [
    {
      "copy": {
        "name": "nsg",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('nsgName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "RDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 300,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPPrefixes",
      "apiVersion": "2023-09-01",
      "name": "[variables('ipPrefixName')]",
      "location": "[parameters('location')]",
      "properties": {
        "prefixLength": "[variables('ipPrefixSize')]",
        "publicIPAddressVersion": "IPv4"
      },
      "sku": {
        "name": "Standard"
      }
    },
    {
      "copy": {
        "name": "publicIPAddress",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Static",
        "publicIPPrefix": {
          "id": "[resourceId('Microsoft.Network/publicIPPrefixes', variables('ipPrefixName'))]"
        },
        "idleTimeoutInMinutes": 4
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPPrefixes', variables('ipPrefixName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-09-01",
      "name": "[variables('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "myBackendSubnet",
            "properties": {
              "addressPrefix": "[variables('backendSubnetPrefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
              },
              "privateEndpointNetworkPolicies": "Enabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            }
          }
        ],
        "enableDdosProtection": false,
        "enableVmProtection": false
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}/{1}', variables('virtualNetworkName'), 'AzureFirewallSubnet')]",
      "properties": {
        "addressPrefix": "[variables('fwSubnetPrefix')]",
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
      ]
    },
    {
      "copy": {
        "name": "virtualMachine",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('virtualMachineName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "StandardSSD_LRS"
            },
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "[format('{0}{1}', variables('virtualMachineName'), add(range(0, 2)[copyIndex()], 1))]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true
          },
          "allowExtensionOperations": true
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
      ]
    },
    {
      "copy": {
        "name": "netInterface",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "[format('{0}{1}', variables('ipConfigName'), add(range(0, 2)[copyIndex()], 1))]",
            "properties": {
              "subnet": {
                "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), '2023-09-01').subnets[0].id]"
              },
              "primary": true
            }
          }
        ],
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsgName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsgName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2023-09-01",
      "name": "[variables('firewallName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "AZFW_VNet",
          "tier": "Standard"
        },
        "threatIntelMode": "Deny",
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "web",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "wan-address",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "getmywanip.com"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                },
                {
                  "name": "qq",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "www.qq.com"
                  ],
                  "sourceAddresses": [
                    "10.0.1.0/24"
                  ]
                },
                {
                  "name": "wupdate",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "fqdnTags": [
                    "WindowsUpdate"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                }
              ]
            }
          }
        ],
        "natRuleCollections": [
          {
            "name": "Coll-01",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Dnat"
              },
              "rules": [
                {
                  "name": "rdp-01",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.4",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [
                    "[reference(resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[0], 1))), '2023-09-01').ipAddress]"
                  ],
                  "destinationPorts": [
                    "3389"
                  ]
                },
                {
                  "name": "rdp-02",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.5",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [
                    "[reference(resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[1], 1))), '2023-09-01').ipAddress]"
                  ],
                  "destinationPorts": [
                    "3389"
                  ]
                }
              ]
            }
          }
        ]
      },
      "dependsOn": [
        "publicIPAddress",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), 'AzureFirewallSubnet')]"
      ]
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2023-09-01",
      "name": "rt-01",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "fw",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.0.4"
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    "name": {
      "type": "string",
      "value": "[variables('firewallName')]"
    },
    "resourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Network/azureFirewalls', variables('firewallName'))]"
    },
    "location": {
      "type": "string",
      "value": "[parameters('location')]"
    },
    "resourceGroupName": {
      "type": "string",
      "value": "[resourceGroup().name]"
    }
  }
}

模板中定义了多个 Azure 资源:

部署模板

将 ARM 模板部署到 Azure:

  1. 选择“部署到 Azure”,登录到 Azure 并打开模板。 该模板将创建 Azure 防火墙、网络基础结构和两个虚拟机。

    部署到 Azure

  2. 在门户中的“创建具有多个公共 IP 地址的 Azure 防火墙”页上,键入或选择以下值:

    • 订阅:从现有订阅中选择
    • 资源组:从现有资源组中选择,或者选择“新建”,然后选择“确定”。
    • 位置:选择一个位置
    • 管理员用户名:键入管理员用户帐户的用户名
    • 管理员密码:键入管理员密码或密钥
  3. 选择“我同意上述条款和条件”,然后选择“购买” 。 部署可能需要 10 分钟或更长时间才能完成。

验证部署

在 Azure 门户中,查看已部署的资源。 记下防火墙公共 IP 地址。

使用“远程桌面连接”连接到防火墙公共 IP 地址。 成功的连接演示了允许连接到后端服务器的防火墙 NAT 规则。

清理资源

如果不再需要为防火墙创建的资源,请删除资源组。 删除资源组会删除防火墙和所有相关资源。

若要删除资源组,请调用 Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name "<your resource group name>"

后续步骤