Tutorial: Deploy and configure Azure Firewall using the Azure portal

Controlling outbound network access is an important part of an overall network security plan. For example, you may want to limit access to web sites, or limit the outbound IP addresses and ports that can be accessed.

One way you can control outbound network access from an Azure subnet is with Azure Firewall. With Azure Firewall, you can configure:

  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules that define source address, protocol, destination port, and destination address.

Network traffic is subjected to the configured firewall rules when you route your network traffic to the firewall as the subnet default gateway.

For this tutorial, you create a simplified single VNet with two subnets for easy deployment.

For production deployments, a hub and spoke model is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.

  • AzureFirewallSubnet - the firewall is in this subnet.
  • Workload-SN - the workload server is in this subnet. This subnet's network traffic goes through the firewall.

Figure: Tutorial network infrastructure

In this tutorial, you learn how to:

  • Set up a test network environment
  • Deploy a firewall
  • Create a default route
  • Configure an application rule to allow access to www.qq.com
  • Configure a network rule to allow access to external DNS servers
  • Test the firewall

If you prefer, you can complete this tutorial using Azure PowerShell.

If you don't have an Azure subscription, create a trial account before you begin.

Set up the network

First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and test servers.

Create a resource group

The resource group contains all the resources for the tutorial.

  1. Sign in to the Azure portal at https://portal.azure.cn.
  2. On the Azure portal menu, select Resource groups, or search for and select Resource groups from any page. Then select Add.
  3. For Resource group name, enter Test-FW-RG.
  4. For Subscription, select your subscription.
  5. For Resource group location, select a location. All other resources that you create must be in the same location.
  6. Select Create.

Create a VNet

This VNet will contain three subnets.

Note

The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see the Azure Firewall FAQ.

  1. On the Azure portal menu or from the Home page, select Create a resource.
  2. Select Networking > Virtual network.
  3. For Subscription, select your subscription.
  4. For Resource group, select Test-FW-RG.
  5. For Name, type Test-FW-VN.
  6. For Region, select the same location that you used previously.
  7. Select Next: IP addresses.
  8. For IPv4 Address space, type 10.0.0.0/16.
  9. Under Subnet, select default.
  10. For Subnet name, type AzureFirewallSubnet. The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
  11. For Address range, type 10.0.1.0/26.
  12. Select Save.

Next, create a subnet for the workload server.

  1. Select Add subnet.
  2. For Subnet name, type Workload-SN.
  3. For Subnet address range, type 10.0.2.0/24.
  4. Select Add.
  5. Select Review + create.
  6. Select Create.

Create a virtual machine

Now create the workload virtual machine, and place it in the Workload-SN subnet.

  1. On the Azure portal menu or from the Home page, select Create a resource.
  2. Select Virtual machine.
  3. Select Windows Server 2016 Datacenter in the Featured list.
  4. Enter these values for the virtual machine:

     Setting                  Value
     Resource group           Test-FW-RG
     Virtual machine name     Srv-Work
     Region                   Same as previous
     Image                    Windows Server 2019 Datacenter
     Administrator user name  Type a user name
     Password                 Type a password

  5. Under Inbound port rules, Public inbound ports, select None.
  6. Accept the other defaults and select Next: Disks.
  7. Accept the disk defaults and select Next: Networking.
  8. Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.
  9. For Public IP, select None.
  10. Accept the other defaults and select Next: Management.
  11. Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.
  12. Review the settings on the summary page, and then select Create.

Deploy the firewall

Deploy the firewall into the VNet.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Type firewall in the search box and press Enter.

  3. Select Firewall and then select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

     Setting                   Value
     Subscription              <your subscription>
     Resource group            Test-FW-RG
     Name                      Test-FW01
     Location                  Select the same location that you used previously
     Choose a virtual network  Use existing: Test-FW-VN
     Public IP address         Add new. Name: fw-pip

  5. Select Review + create.

  6. Review the summary, and then select Create to create the firewall.

    This will take a few minutes to deploy.

  7. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.

  8. Note the firewall private and public IP addresses. You'll use these addresses later.

Create a default route

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

  1. On the Azure portal menu, select All services, or search for and select All services from any page.

  2. Under Networking, select Route tables.

  3. Select Add.

  4. For Name, type Firewall-route.

  5. For Subscription, select your subscription.

  6. For Resource group, select Test-FW-RG.

  7. For Location, select the same location that you used previously.

  8. Select Create.

  9. Select Refresh, and then select the Firewall-route route table.

  10. Select Subnets and then select Associate.

  11. Select Virtual network > Test-FW-VN.

  12. For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route; otherwise your firewall won't work correctly.

  13. Select OK.

  14. Select Routes and then select Add.

  15. For Route name, type fw-dg.

  16. For Address prefix, type 0.0.0.0/0.

  17. For Next hop type, select Virtual appliance.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  18. For Next hop address, type the private IP address for the firewall that you noted previously.

  19. Select OK.

Configure an application rule

This is the application rule that allows outbound access to www.qq.com.

  1. Open the Test-FW-RG resource group, and select the Test-FW01 firewall.
  2. On the Test-FW01 page, under Settings, select Rules.
  3. Select the Application rule collection tab.
  4. Select Add application rule collection.
  5. For Name, type App-Coll01.
  6. For Priority, type 200.
  7. For Action, select Allow.
  8. Under Rules, Target FQDNs, for Name, type Allow-QQ.
  9. For Source type, select IP address.
  10. For Source, type 10.0.2.0/24.
  11. For Protocol:port, type http, https.
  12. For Target FQDNs, type www.qq.com.
  13. Select Add.

Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific to the platform and can't be used for other purposes. For more information, see Infrastructure FQDNs.

Configure a network rule

This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

  1. Select the Network rule collection tab.

  2. Select Add network rule collection.

  3. For Name, type Net-Coll01.

  4. For Priority, type 200.

  5. For Action, select Allow.

  6. Under Rules, IP addresses, for Name, type Allow-DNS.

  7. For Protocol, select UDP.

  8. For Source type, select IP address.

  9. For Source, type 10.0.2.0/24.

  10. For Destination type, select IP address.

  11. For Destination address, type 209.244.0.3,209.244.0.4.

    These are public DNS servers operated by CenturyLink.

  12. For Destination Ports, type 53.

  13. Select Add.

Configure a DNAT rule

This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.

  1. Select the NAT rule collection tab.
  2. Select Add NAT rule collection.
  3. For Name, type rdp.
  4. For Priority, type 200.
  5. Under Rules, for Name, type rdp-nat.
  6. For Protocol, select TCP.
  7. For Source type, select IP address.
  8. For Source, type *.
  9. For Destination address, type the firewall public IP address.
  10. For Destination Ports, type 3389.
  11. For Translated address, type the Srv-Work private IP address.
  12. For Translated port, type 3389.
  13. Select Add.
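The default route and the three rule collections from the preceding sections, expressed with Az PowerShell cmdlets, as an added example that is not part of the original tutorial. It assumes the Az module is installed and signed in, that Test-FW-RG, Test-FW-VN, the Test-FW01 firewall and the fw-pip public IP already exist from the earlier steps, and that $srvWorkIp is a placeholder you replace with the Srv-Work private IP.

```powershell
# Added example (not from the original page): the same route and rule
# configuration as the portal steps, using Az PowerShell cmdlets.
# Assumes Test-FW-RG, Test-FW-VN, Test-FW01 and fw-pip already exist.
$rg   = 'Test-FW-RG'
$azfw = Get-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress
$fwPublicIp  = (Get-AzPublicIpAddress -Name 'fw-pip' -ResourceGroupName $rg).IpAddress
$srvWorkIp   = '<Srv-Work private IP>'   # placeholder: read it from the VM's NIC

# Default route: send all Workload-SN traffic to the firewall's private IP.
$vnet = Get-AzVirtualNetwork -Name 'Test-FW-VN' -ResourceGroupName $rg
$rt = New-AzRouteTable -Name 'Firewall-route' -ResourceGroupName $rg -Location $vnet.Location
Add-AzRouteConfig -Name 'fw-dg' -RouteTable $rt -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable
# Associate only Workload-SN; the route must not be attached to AzureFirewallSubnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Set-AzVirtualNetwork

# Application rule: only www.qq.com over HTTP/HTTPS from the workload subnet.
$appRule = New-AzFirewallApplicationRule -Name 'Allow-QQ' -SourceAddress '10.0.2.0/24' `
    -Protocol 'http', 'https' -TargetFqdn 'www.qq.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'App-Coll01' -Priority 200 `
    -ActionType Allow -Rule $appRule

# Network rule: UDP 53 only to the two CenturyLink resolvers.
$netRule = New-AzFirewallNetworkRule -Name 'Allow-DNS' -Protocol UDP -SourceAddress '10.0.2.0/24' `
    -DestinationAddress '209.244.0.3', '209.244.0.4' -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'Net-Coll01' -Priority 200 `
    -ActionType Allow -Rule $netRule

# DNAT rule: RDP to the firewall's public IP is translated to Srv-Work.
$natRule = New-AzFirewallNatRule -Name 'rdp-nat' -Protocol TCP -SourceAddress '*' `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $srvWorkIp -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name 'rdp' -Priority 200 -Rule $natRule

# Attach the collections and push the configuration to the firewall.
$azfw.ApplicationRuleCollections = $appColl
$azfw.NetworkRuleCollections     = $netColl
$azfw.NatRuleCollections         = $natColl
Set-AzFirewall -AzureFirewall $azfw
```

Set-AzFirewall replaces the firewall's rule collections with the objects assigned here, so run it once with all three collections attached rather than once per collection.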

Change the primary and secondary DNS address for the Srv-Work network interface

For testing purposes in this tutorial, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.

  1. On the Azure portal menu, select Resource groups, or search for and select Resource groups from any page. Select the Test-FW-RG resource group.
  2. Select the network interface for the Srv-Work virtual machine.
  3. Under Settings, select DNS servers.
  4. Under DNS servers, select Custom.
  5. Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
  6. Select Save.
  7. Restart the Srv-Work virtual machine.

Test the firewall

Now, test the firewall to confirm that it works as expected.

  1. Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.

  2. Open Internet Explorer and browse to https://www.qq.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the QQ home page.

  4. Browse to https://www.microsoft.com.

    You should be blocked by the firewall.

So now you've verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS servers.

Clean up resources

You can keep your firewall resources for the next tutorial, or, if they are no longer needed, delete the Test-FW-RG resource group to delete all firewall-related resources.

Next steps