Create an Azure Firewall test environment

This script sample creates a firewall and a test network environment. The network has one VNet with three subnets: AzureFirewallSubnet, ServersSubnet, and JumpboxSubnet. The ServersSubnet and JumpboxSubnet each contain one 2-core Windows Server.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The firewall is in the AzureFirewallSubnet and is configured with an Application Rule Collection containing a single rule that allows access to www.microsoft.com.

A user-defined route is created that sends the network traffic from the ServersSubnet through the firewall, where the firewall rules are applied.

You can run the script from a local PowerShell installation.

If you run PowerShell locally, this script requires Azure PowerShell. To find the installed version, run Get-Module -ListAvailable Az.

If you need to upgrade, you can use PowerShellGet, which is built into Windows 10 and Windows Server 2016.

Note

Other Windows versions require you to install PowerShellGet before you can use it. You can run Get-Module -Name PowerShellGet -ListAvailable | Select-Object -Property Name,Version,Path to determine whether it is installed on your system. If the output is blank, you need to install the latest Windows Management Framework.

For more information, see Install Azure PowerShell.

Any existing Azure PowerShell installation done with the Web Platform Installer will conflict with the PowerShellGet installation and needs to be removed.

Remember that if you run PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

If you don't have an Azure subscription, create a Trial Subscription before you begin.
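The prerequisite checks described above (installed Az version, presence of PowerShellGet, the AzureRM conflict, and the Azure China sign-in) can be scripted so they run before the sample. The following is an added example, not part of the original article; the minimum Az version in $RequiredAzVersion is an assumption, and the environment name AzureChinaCloud is the one the article itself uses.

```powershell
# Added example (not from the original article): check local prerequisites
# before running the sample script.
$RequiredAzVersion = [version]"2.0.0"   # assumed minimum; raise to what your scripts need

function Test-AzPrerequisites {
    # PowerShellGet is needed to install or upgrade Az from the PowerShell Gallery.
    $psGet = Get-Module -Name PowerShellGet -ListAvailable |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $psGet) {
        Write-Warning "PowerShellGet is not installed; install the latest Windows Management Framework first."
        return $false
    }

    # Pick the newest installed Az module, if any, and install or update as needed.
    $az = Get-Module -ListAvailable Az | Sort-Object Version -Descending | Select-Object -First 1
    if (-not $az) {
        Write-Host "Az module not found; installing for the current user."
        Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -AllowClobber -Force
    } elseif ($az.Version -lt $RequiredAzVersion) {
        Write-Host "Az $($az.Version) is older than $RequiredAzVersion; updating."
        Update-Module -Name Az
    } else {
        Write-Host "Az $($az.Version) is installed."
    }

    # The legacy AzureRM module conflicts with Az when both are loaded in one session.
    if (Get-Module -Name AzureRM -ListAvailable) {
        Write-Warning "AzureRM is also installed; do not import it in the same session as Az."
    }
    return $true
}

if (Test-AzPrerequisites) {
    # Sign in to the Azure China cloud, as the article requires for local runs.
    if (-not (Get-AzContext)) {
        Connect-AzAccount -Environment AzureChinaCloud
    }
}
```

Running this once per session leaves you with a signed-in Az context; the sample script below can then be pasted in unchanged.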

Sample script


#ResourceGroup name and location
$RG="AzfwSampleScriptChinaEast"
$Location="China East"

#User credentials for JumpBox and Server VMs
$securePassword = ConvertTo-SecureString 'P@$$W0rd010203' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("AzfwUser", $securePassword)

#Create new RG
New-AzResourceGroup -Name $RG -Location $Location

#Create Vnet
$VnetName=$RG+"Vnet"
New-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName -AddressPrefix 192.168.0.0/16 -Location $Location

#Configure subnets
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
Add-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.1.0/24
Add-AzVirtualNetworkSubnetConfig -Name JumpBoxSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.0.0/24
Add-AzVirtualNetworkSubnetConfig -Name ServersSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.2.0/24
Set-AzVirtualNetwork -VirtualNetwork $vnet

#create Public IP for jumpbox and LB
$LBPipName = $RG + "PublicIP"
$LBPip = New-AzPublicIpAddress -Name $LBPipName  -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Standard
$JumpBoxpip = New-AzPublicIpAddress -Name "JumpHostPublicIP"  -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Basic

# Create an inbound network security group rule for port 3389
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP  -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

# Create a network security group
$NsgName = $RG+"NSG"
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RG -Location $Location -Name $NsgName -SecurityRules $nsgRuleRDP

#Create jumpbox
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
$JumpBoxSubnetId = $vnet.Subnets[1].Id
# Create a virtual network card and associate with jumpbox public IP address
$JumpBoxNic = New-AzNetworkInterface -Name JumpBoxNic -ResourceGroupName $RG -Location $Location -SubnetId $JumpBoxSubnetId -PublicIpAddressId $JumpBoxpip.Id -NetworkSecurityGroupId $nsg.Id
$JumpBoxConfig = New-AzVMConfig -VMName JumpBox -VMSize Standard_DS1_v2 | Set-AzVMOperatingSystem -Windows -ComputerName JumpBox -Credential $cred | Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzVMNetworkInterface -Id $JumpBoxNic.Id
New-AzVM -ResourceGroupName $RG -Location $Location -VM $JumpBoxConfig

#Create Server VM
$ServersSubnetId = $vnet.Subnets[2].Id
$ServerVmNic = New-AzNetworkInterface -Name ServerVmNic -ResourceGroupName $RG -Location $Location -SubnetId $ServersSubnetId
$ServerVmConfig = New-AzVMConfig -VMName ServerVm -VMSize Standard_DS1_v2 | Set-AzVMOperatingSystem -Windows -ComputerName ServerVm -Credential $cred | Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzVMNetworkInterface -Id $ServerVmNic.Id
New-AzVM -ResourceGroupName $RG -Location $Location -VM $ServerVmConfig

#Create AZFW
$GatewayName = $RG + "Azfw"
$Azfw = New-AzFirewall -Name $GatewayName -ResourceGroupName $RG -Location $Location -VirtualNetworkName $vnet.Name -PublicIpName $LBPip.Name

#Add a rule to allow *microsoft.com
$Azfw = Get-AzFirewall -ResourceGroupName $RG
$Rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:80","https:443" -TargetFqdn "*microsoft.com"
$RuleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $Rule -ActionType "Allow"
$Azfw.ApplicationRuleCollections = $RuleCollection
Set-AzFirewall -AzureFirewall $Azfw

#Create UDR rule
$Azfw = Get-AzFirewall -ResourceGroupName $RG
$AzfwRouteName = $RG + "AzfwRoute"
$AzfwRouteTableName = $RG + "AzfwRouteTable"
$IlbCA = $Azfw.IpConfigurations[0].PrivateIPAddress
$AzfwRoute = New-AzRouteConfig -Name $AzfwRouteName -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress $IlbCA
$AzfwRouteTable = New-AzRouteTable -Name $AzfwRouteTableName -ResourceGroupName $RG -location $Location -Route $AzfwRoute

#associate to Servers Subnet
$vnet.Subnets[2].RouteTable = $AzfwRouteTable
Set-AzVirtualNetwork -VirtualNetwork $vnet
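Once the script has run, it is worth confirming that the pieces fit together: the firewall has a private IP, the ServersSubnet default route points at that IP (otherwise traffic bypasses the application rules), the rule collection contains only the expected allow, and the jumpbox NSG does not expose RDP to every source address. The following is an added example, not part of the original sample; it assumes the variables $RG, $VnetName, $NsgName and $AzfwRouteTableName from the sample script are still set in the session, and $AdminSourcePrefix is a placeholder you replace with the range your administrators connect from.

```powershell
# Added example (not part of the original sample): verify the deployed test
# environment and narrow the jumpbox RDP rule. Assumes $RG, $VnetName,
# $NsgName and $AzfwRouteTableName from the sample are still in scope.
$AdminSourcePrefix = "203.0.113.10/32"   # placeholder (TEST-NET-3 range); replace with the real admin source

function Test-AzfwSampleDeployment {
    $ok = $true

    # 1. The firewall needs a private IP in AzureFirewallSubnet; the UDR next hop depends on it.
    $Azfw = Get-AzFirewall -ResourceGroupName $RG
    $FwPrivateIp = $Azfw.IpConfigurations[0].PrivateIPAddress
    if (-not $FwPrivateIp) { Write-Warning "Firewall has no private IP"; $ok = $false }

    # 2. ServersSubnet must send 0.0.0.0/0 to the firewall, or traffic never hits the rules.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
    $Servers = Get-AzVirtualNetworkSubnetConfig -Name ServersSubnet -VirtualNetwork $vnet
    $Table = Get-AzRouteTable -ResourceGroupName $RG -Name $AzfwRouteTableName
    if ($Servers.RouteTable.Id -ne $Table.Id) {
        Write-Warning "ServersSubnet is not associated with $AzfwRouteTableName"; $ok = $false
    }
    $Default = $Table.Routes | Where-Object { $_.AddressPrefix -eq "0.0.0.0/0" }
    if (-not $Default -or $Default.NextHopType -ne "VirtualAppliance" -or $Default.NextHopIpAddress -ne $FwPrivateIp) {
        Write-Warning "Default route does not point at the firewall ($FwPrivateIp)"; $ok = $false
    }

    # 3. List every application rule so an unexpected allow is visible at a glance.
    foreach ($rc in $Azfw.ApplicationRuleCollections) {
        foreach ($r in $rc.Rules) {
            Write-Host ("{0}/{1} ({2}): {3}" -f $rc.Name, $r.Name, $rc.Action.Type, ($r.TargetFqdns -join ","))
        }
    }

    # 4. Flag any inbound allow rule that exposes a port to every source address.
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $RG -Name $NsgName
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -eq "Inbound" -and $rule.Access -eq "Allow" -and $rule.SourceAddressPrefix -contains "*") {
            Write-Warning "Rule $($rule.Name) allows port(s) $($rule.DestinationPortRange -join ',') from any source"
            $ok = $false
        }
    }
    return $ok
}

function Update-JumpBoxRdpRule {
    # Rewrite the inbound port-3389 allow rule so only the admin prefix can reach the jumpbox.
    $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $RG -Name $NsgName
    $rdp = $nsg.SecurityRules | Where-Object { $_.Direction -eq "Inbound" -and $_.DestinationPortRange -contains "3389" }
    foreach ($rule in $rdp) {
        Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name -Protocol Tcp -Direction Inbound `
            -Priority $rule.Priority -SourceAddressPrefix $AdminSourcePrefix -SourcePortRange * `
            -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow | Out-Null
    }
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
}

Update-JumpBoxRdpRule
Test-AzfwSampleDeployment
```

Run Update-JumpBoxRdpRule first so that the subsequent check no longer warns about the wide-open RDP rule; Test-AzfwSampleDeployment returns $true only when the route, next hop and NSG checks all pass, which makes it easy to gate further steps on the result.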

Clean up deployment

Run the following command to remove the resource group, VMs, and all related resources:

Remove-AzResourceGroup -Name AzfwSampleScriptChinaEast -Force

Script explanation

This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the following table links to command-specific documentation:

Command                            Notes
New-AzResourceGroup                Creates a resource group in which all resources are stored.
New-AzVirtualNetworkSubnetConfig   Creates a subnet configuration object.
New-AzVirtualNetwork               Creates an Azure virtual network and front-end subnet.
New-AzNetworkSecurityRuleConfig    Creates security rules to be assigned to a network security group.
New-AzNetworkSecurityGroup         Creates NSG rules that allow or block specific ports to specific subnets.
Set-AzVirtualNetworkSubnetConfig   Associates NSGs to subnets.
New-AzPublicIpAddress              Creates a public IP address to access the VM from the internet.
New-AzNetworkInterface             Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
New-AzVMConfig                     Creates a VM configuration. This configuration includes information such as VM name, operating system, and administrative credentials. The configuration is used during VM creation.
New-AzVM                           Creates a virtual machine.
Remove-AzResourceGroup             Removes a resource group and all resources contained within.
New-AzFirewall                     Creates a new Azure Firewall.
Get-AzFirewall                     Gets an Azure Firewall object.
New-AzFirewallApplicationRule      Creates a new Azure Firewall application rule.
Set-AzFirewall                     Commits changes to the Azure Firewall object.

Next steps

For more information on Azure PowerShell, see the Azure PowerShell documentation.