Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell

When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.

You can use Azure Firewall to control network access in a hybrid network using rules that define allowed and denied network traffic.

For this article, you create three virtual networks:

  • VNet-Hub - the firewall is in this virtual network.
  • VNet-Spoke - the spoke virtual network represents the workload located on Azure.
  • VNet-Onprem - the on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected by either a VPN or ExpressRoute connection. For simplicity, this article uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.

Figure: Firewall in a hybrid network

In this article, you learn how to:

  • Declare the variables
  • Create the firewall hub virtual network
  • Create the spoke virtual network
  • Create the on-premises virtual network
  • Configure and deploy the firewall
  • Create and connect the VPN gateways
  • Peer the hub and spoke virtual networks
  • Create the routes
  • Create the virtual machines
  • Test the firewall

If you want to use the Azure portal instead to complete this tutorial, see Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

This article requires that you run PowerShell locally. You must have the Azure PowerShell module installed. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. After you verify the PowerShell version, run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

There are three key requirements for this scenario to work correctly:

  • A User Defined Route (UDR) on the spoke subnet that points to the Azure Firewall IP address as the default gateway. Virtual network gateway route propagation must be Disabled on this route table.

  • A UDR on the hub gateway subnet must point to the firewall IP address as the next hop to the spoke networks.

    No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.

  • Make sure to set AllowGatewayTransit when peering VNet-Hub to VNet-Spoke and UseRemoteGateways when peering VNet-Spoke to VNet-Hub.

See the Create the routes section in this article to see how these routes are created.

Note

Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity.

Azure Firewall can be configured to support forced tunneling. For more information, see Azure Firewall forced tunneling.

Note

Traffic between directly peered VNets is routed directly even if a UDR points to Azure Firewall as the default gateway. To send subnet to subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.

To review the related Azure PowerShell reference documentation, see Azure PowerShell Reference.

If you don't have an Azure subscription, create a trial account before you begin.

Declare the variables

The following example declares the variables using the values for this article. In some cases, you might need to replace some values with your own to work in your subscription. Modify the variables if needed, then copy and paste them into your PowerShell console.

$RG1 = "FW-Hybrid-Test"
$Location1 = "China East"

# Variables for the firewall hub VNet

$VNetnameHub = "VNet-hub"
$SNnameHub = "AzureFirewallSubnet"
$VNetHubPrefix = "10.5.0.0/16"
$SNHubPrefix = "10.5.0.0/24"
$SNGWHubPrefix = "10.5.1.0/24"
$GWHubName = "GW-hub"
$GWHubpipName = "VNet-hub-GW-pip"
$GWIPconfNameHub = "GW-ipconf-hub"
$ConnectionNameHub = "hub-to-Onprem"

# Variables for the spoke virtual network

$VnetNameSpoke = "VNet-Spoke"
$SNnameSpoke = "SN-Workload"
$VNetSpokePrefix = "10.6.0.0/16"
$SNSpokePrefix = "10.6.0.0/24"
$SNSpokeGWPrefix = "10.6.1.0/24"

# Variables for the on-premises virtual network

$VNetnameOnprem = "Vnet-Onprem"
$SNNameOnprem = "SN-Corp"
$VNetOnpremPrefix = "192.168.0.0/16"
$SNOnpremPrefix = "192.168.1.0/24"
$SNGWOnpremPrefix = "192.168.2.0/24"
$GWOnpremName = "GW-Onprem"
$GWIPconfNameOnprem = "GW-ipconf-Onprem"
$ConnectionNameOnprem = "Onprem-to-hub"
$GWOnprempipName = "VNet-Onprem-GW-pip"

$SNnameGW = "GatewaySubnet"

Create the firewall hub virtual network

First, create the resource group to contain the resources for this article:

  New-AzResourceGroup -Name $RG1 -Location $Location1

Define the subnets to be included in the virtual network:

$FWsub = New-AzVirtualNetworkSubnetConfig -Name $SNnameHub -AddressPrefix $SNHubPrefix
$GWsub = New-AzVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNGWHubPrefix

Now, create the firewall hub virtual network:

$VNetHub = New-AzVirtualNetwork -Name $VNetnameHub -ResourceGroupName $RG1 `
-Location $Location1 -AddressPrefix $VNetHubPrefix -Subnet $FWsub,$GWsub

Request a public IP address to be allocated to the VPN gateway you'll create for your virtual network. Notice that the AllocationMethod is Dynamic. You can't specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.

  $gwpip1 = New-AzPublicIpAddress -Name $GWHubpipName -ResourceGroupName $RG1 `
  -Location $Location1 -AllocationMethod Dynamic

Create the spoke virtual network

Define the subnets to be included in the spoke virtual network:

$Spokesub = New-AzVirtualNetworkSubnetConfig -Name $SNnameSpoke -AddressPrefix $SNSpokePrefix
$GWsubSpoke = New-AzVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNSpokeGWPrefix

Create the spoke virtual network:

$VNetSpoke = New-AzVirtualNetwork -Name $VnetNameSpoke -ResourceGroupName $RG1 `
-Location $Location1 -AddressPrefix $VNetSpokePrefix -Subnet $Spokesub,$GWsubSpoke

Create the on-premises virtual network

Define the subnets to be included in the virtual network:

$Onpremsub = New-AzVirtualNetworkSubnetConfig -Name $SNNameOnprem -AddressPrefix $SNOnpremPrefix
$GWOnpremsub = New-AzVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNGWOnpremPrefix

Now, create the on-premises virtual network:

$VNetOnprem = New-AzVirtualNetwork -Name $VNetnameOnprem -ResourceGroupName $RG1 `
-Location $Location1 -AddressPrefix $VNetOnpremPrefix -Subnet $Onpremsub,$GWOnpremsub

Request a public IP address to be allocated to the gateway you'll create for the virtual network. Notice that the AllocationMethod is Dynamic. You can't specify the IP address that you want to use. It's dynamically allocated to your gateway.

$gwOnprempip = New-AzPublicIpAddress -Name $GWOnprempipName -ResourceGroupName $RG1 `
-Location $Location1 -AllocationMethod Dynamic

Configure and deploy the firewall

Now deploy the firewall into the hub virtual network.

# Get a Public IP for the firewall
$FWpip = New-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $RG1 `
  -Location $Location1 -AllocationMethod Static -Sku Standard
# Create the firewall
$Azfw = New-AzFirewall -Name AzFW01 -ResourceGroupName $RG1 -Location $Location1 -VirtualNetworkName $VNetnameHub -PublicIpName fw-pip

#Save the firewall private IP address for future use

$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress
$AzfwPrivateIP

Configure network rules

$Rule1 = New-AzFirewallNetworkRule -Name "AllowWeb" -Protocol TCP -SourceAddress $SNOnpremPrefix `
   -DestinationAddress $VNetSpokePrefix -DestinationPort 80

$Rule2 = New-AzFirewallNetworkRule -Name "AllowRDP" -Protocol TCP -SourceAddress $SNOnpremPrefix `
   -DestinationAddress $VNetSpokePrefix -DestinationPort 3389

$NetRuleCollection = New-AzFirewallNetworkRuleCollection -Name RCNet01 -Priority 100 `
   -Rule $Rule1,$Rule2 -ActionType "Allow"
$Azfw.NetworkRuleCollections = $NetRuleCollection
Set-AzFirewall -AzureFirewall $Azfw

Create and connect the VPN gateways

The hub and on-premises virtual networks are connected via VPN gateways.

Create a VPN gateway for the hub virtual network

Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.

$vnet1 = Get-AzVirtualNetwork -Name $VNetnameHub -ResourceGroupName $RG1
$subnet1 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet1
$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfNameHub `
-Subnet $subnet1 -PublicIpAddress $gwpip1

Now create the VPN gateway for the hub virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.

New-AzVirtualNetworkGateway -Name $GWHubName -ResourceGroupName $RG1 `
-Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku basic

Create a VPN gateway for the on-premises virtual network

Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.

$vnet2 = Get-AzVirtualNetwork -Name $VNetnameOnprem -ResourceGroupName $RG1
$subnet2 = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet2
$gwipconf2 = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfNameOnprem `
  -Subnet $subnet2 -PublicIpAddress $gwOnprempip

Now create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.

New-AzVirtualNetworkGateway -Name $GWOnpremName -ResourceGroupName $RG1 `
-Location $Location1 -IpConfigurations $gwipconf2 -GatewayType Vpn `
-VpnType RouteBased -GatewaySku basic

Create the VPN connections

Now you can create the VPN connections between the hub and on-premises gateways.

Get the VPN gateways

$vnetHubgw = Get-AzVirtualNetworkGateway -Name $GWHubName -ResourceGroupName $RG1
$vnetOnpremgw = Get-AzVirtualNetworkGateway -Name $GWOnpremName -ResourceGroupName $RG1

Create the connections

In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.

New-AzVirtualNetworkGatewayConnection -Name $ConnectionNameHub -ResourceGroupName $RG1 `
-VirtualNetworkGateway1 $vnetHubgw -VirtualNetworkGateway2 $vnetOnpremgw -Location $Location1 `
-ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'

Create the on-premises to hub virtual network connection. This step is similar to the previous one, except you create the connection from VNet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.

New-AzVirtualNetworkGatewayConnection -Name $ConnectionNameOnprem -ResourceGroupName $RG1 `
-VirtualNetworkGateway1 $vnetOnpremgw -VirtualNetworkGateway2 $vnetHubgw -Location $Location1 `
-ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'

Verify the connection

You can verify a successful connection by using the Get-AzVirtualNetworkGatewayConnection cmdlet, with or without -Debug. Use the following cmdlet example, configuring the values to match your own. If prompted, select A to run All. In the example, -Name refers to the name of the connection that you want to test.

Get-AzVirtualNetworkGatewayConnection -Name $ConnectionNameHub -ResourceGroupName $RG1

After the cmdlet finishes, view the values. In the following example, the connection status shows as Connected and you can see ingress and egress bytes.

"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
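Because a Vnet2Vnet connection takes a few minutes to come up, repeatedly running Get-AzVirtualNetworkGatewayConnection by hand is tedious. The following function, an added example that is not part of the original article, polls the connection until its status reaches Connected or a timeout expires, printing the same status and byte counters shown above on every iteration. It assumes the $RG1, $ConnectionNameHub and $ConnectionNameOnprem variables from the "Declare the variables" section and an already-signed-in Az session.

```powershell
# Added example (not from the original article): poll a gateway connection until it reports Connected.
# Assumes $RG1, $ConnectionNameHub and $ConnectionNameOnprem from "Declare the variables".
function Wait-AzVpnConnection {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $TimeoutMinutes = 15,   # total time to wait before giving up
        [int] $PollSeconds = 30       # interval between status checks
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $status = 'Unknown'
    do {
        $conn = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        $status = $conn.ConnectionStatus
        Write-Host ("{0} {1}: {2} (ingress {3} B, egress {4} B)" -f (Get-Date -Format 'HH:mm:ss'), `
            $Name, $status, $conn.IngressBytesTransferred, $conn.EgressBytesTransferred)

        # Connected is the only state in which the tunnel is actually usable.
        if ($status -eq 'Connected') { return $conn }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # Fail loudly so that a scripted deployment does not continue with a dead tunnel.
    throw "Connection '$Name' did not reach Connected within $TimeoutMinutes minutes (last status: $status)."
}

# Both directions must be up for the hub and on-premises networks to talk.
$hubConn    = Wait-AzVpnConnection -Name $ConnectionNameHub    -ResourceGroupName $RG1
$onpremConn = Wait-AzVpnConnection -Name $ConnectionNameOnprem -ResourceGroupName $RG1
```

The function throws on timeout rather than returning $null so that a larger deployment script stops at this step instead of going on to create routes and VMs over a tunnel that never established.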

Peer the hub and spoke virtual networks

Now peer the hub and spoke virtual networks.

# Peer hub to spoke
Add-AzVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -RemoteVirtualNetworkId $VNetSpoke.Id -AllowGatewayTransit

# Peer spoke to hub
Add-AzVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId $VNetHub.Id -AllowForwardedTraffic -UseRemoteGateways

Create the routes

Next, create a couple of routes:

  • A route from the hub gateway subnet to the spoke subnet through the firewall IP address
  • A default route from the spoke subnet through the firewall IP address

#Create a route table
$routeTableHubSpoke = New-AzRouteTable `
  -Name 'UDR-Hub-Spoke' `
  -ResourceGroupName $RG1 `
  -location $Location1

#Create a route
Get-AzRouteTable `
  -ResourceGroupName $RG1 `
  -Name UDR-Hub-Spoke `
  | Add-AzRouteConfig `
  -Name "ToSpoke" `
  -AddressPrefix $VNetSpokePrefix `
  -NextHopType "VirtualAppliance" `
  -NextHopIpAddress $AzfwPrivateIP `
 | Set-AzRouteTable

#Associate the route table to the subnet

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $VNetHub `
  -Name $SNnameGW `
  -AddressPrefix $SNGWHubPrefix `
  -RouteTable $routeTableHubSpoke | `
Set-AzVirtualNetwork

#Now create the default route

#Create a table, with BGP route propagation disabled. The property is now called "Virtual network gateway route propagation," but the API still refers to the parameter as "DisableBgpRoutePropagation."
$routeTableSpokeDG = New-AzRouteTable `
  -Name 'UDR-DG' `
  -ResourceGroupName $RG1 `
  -location $Location1 `
  -DisableBgpRoutePropagation

#Create a route
Get-AzRouteTable `
  -ResourceGroupName $RG1 `
  -Name UDR-DG `
  | Add-AzRouteConfig `
  -Name "ToFirewall" `
  -AddressPrefix 0.0.0.0/0 `
  -NextHopType "VirtualAppliance" `
  -NextHopIpAddress $AzfwPrivateIP `
 | Set-AzRouteTable

#Associate the route table to the subnet

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $VNetSpoke `
  -Name $SNnameSpoke `
  -AddressPrefix $SNSpokePrefix `
  -RouteTable $routeTableSpokeDG | `
Set-AzVirtualNetwork
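The three key requirements listed under Prerequisites (default route on the spoke subnet with gateway route propagation disabled, a route to the spoke prefix on the hub GatewaySubnet, and the AllowGatewayTransit/UseRemoteGateways peering flags) are easy to get subtly wrong, and a missing one silently bypasses the firewall rather than failing. The following script, an added example that is not part of the original article, reads the deployed route tables, subnet associations and peerings back from Azure and reports any requirement that is not met. It assumes the variable names from the "Declare the variables" section and the resource names used in the peering and routes steps ('UDR-Hub-Spoke', 'UDR-DG', 'HubtoSpoke', 'SpoketoHub').

```powershell
# Added example (not from the original article): verify the hybrid routing prerequisites.
# Assumes $RG1, $VNetnameHub, $VnetNameSpoke, $SNnameGW, $SNnameSpoke, $VNetSpokePrefix and
# $AzfwPrivateIP from this article, and the route table / peering names created above.
$problems = @()

# Requirement 1: spoke workload subnet has 0.0.0.0/0 -> firewall, and gateway route propagation is disabled.
$spokeRt = Get-AzRouteTable -ResourceGroupName $RG1 -Name 'UDR-DG'
$dg = $spokeRt.Routes | Where-Object { $_.AddressPrefix -eq '0.0.0.0/0' }
if (-not $dg -or $dg.NextHopType -ne 'VirtualAppliance' -or $dg.NextHopIpAddress -ne $AzfwPrivateIP) {
    $problems += "UDR-DG: no 0.0.0.0/0 route with next hop VirtualAppliance $AzfwPrivateIP"
}
if (-not $spokeRt.DisableBgpRoutePropagation) {
    # With propagation enabled, the BGP routes learned from the gateway would win over the UDR.
    $problems += "UDR-DG: virtual network gateway route propagation is still enabled"
}
$spokeVnet   = Get-AzVirtualNetwork -Name $VnetNameSpoke -ResourceGroupName $RG1
$spokeSubnet = Get-AzVirtualNetworkSubnetConfig -Name $SNnameSpoke -VirtualNetwork $spokeVnet
if ($spokeSubnet.RouteTable.Id -ne $spokeRt.Id) {
    $problems += "$SNnameSpoke is not associated with UDR-DG"
}

# Requirement 2: hub GatewaySubnet routes the spoke prefix through the firewall.
$hubRt = Get-AzRouteTable -ResourceGroupName $RG1 -Name 'UDR-Hub-Spoke'
$toSpoke = $hubRt.Routes | Where-Object { $_.AddressPrefix -eq $VNetSpokePrefix }
if (-not $toSpoke -or $toSpoke.NextHopType -ne 'VirtualAppliance' -or $toSpoke.NextHopIpAddress -ne $AzfwPrivateIP) {
    $problems += "UDR-Hub-Spoke: no route for $VNetSpokePrefix via $AzfwPrivateIP"
}
$hubVnet     = Get-AzVirtualNetwork -Name $VNetnameHub -ResourceGroupName $RG1
$hubGwSubnet = Get-AzVirtualNetworkSubnetConfig -Name $SNnameGW -VirtualNetwork $hubVnet
if ($hubGwSubnet.RouteTable.Id -ne $hubRt.Id) {
    $problems += "Hub $SNnameGW is not associated with UDR-Hub-Spoke"
}

# Requirement 3: gateway transit on hub->spoke, remote gateways on spoke->hub, both peerings Connected.
$hubPeer   = Get-AzVirtualNetworkPeering -ResourceGroupName $RG1 -VirtualNetworkName $VNetnameHub  -Name 'HubtoSpoke'
$spokePeer = Get-AzVirtualNetworkPeering -ResourceGroupName $RG1 -VirtualNetworkName $VnetNameSpoke -Name 'SpoketoHub'
if (-not $hubPeer.AllowGatewayTransit) { $problems += "HubtoSpoke: AllowGatewayTransit is not set" }
if (-not $spokePeer.UseRemoteGateways)  { $problems += "SpoketoHub: UseRemoteGateways is not set" }
if ($hubPeer.PeeringState -ne 'Connected' -or $spokePeer.PeeringState -ne 'Connected') {
    $problems += "Peering state is not Connected on both sides"
}

if ($problems.Count -eq 0) {
    Write-Host "All hybrid routing prerequisites are satisfied."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after the peering and route steps have completed; it is read-only, so it is also safe to keep as a periodic drift check once the environment is in use.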

Create virtual machines

Now create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.

Create the workload virtual machine

Create a virtual machine in the spoke virtual network, running IIS, with no public IP address, that allows pings in. When prompted, type a user name and password for the virtual machine.

# Create an inbound network security group rule for ports 3389 and 80
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name Allow-RDP  -Protocol Tcp `
  -Direction Inbound -Priority 200 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix $SNSpokePrefix -DestinationPortRange 3389 -Access Allow
$nsgRuleWeb = New-AzNetworkSecurityRuleConfig -Name Allow-web  -Protocol Tcp `
  -Direction Inbound -Priority 202 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix $SNSpokePrefix -DestinationPortRange 80 -Access Allow

# Create a network security group
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RG1 -Location $Location1 -Name NSG-Spoke02 -SecurityRules $nsgRuleRDP,$nsgRuleWeb

#Create the NIC
$NIC = New-AzNetworkInterface -Name spoke-01 -ResourceGroupName $RG1 -Location $Location1 -SubnetId $VnetSpoke.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id

#Define the virtual machine
$VirtualMachine = New-AzVMConfig -VMName VM-Spoke-01 -VMSize "Standard_DS2"
$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName Spoke-01 -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC.Id
$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2016-Datacenter' -Version latest

#Create the virtual machine
New-AzVM -ResourceGroupName $RG1 -Location $Location1 -VM $VirtualMachine -Verbose

#Install IIS on the VM
Set-AzVMExtension `
    -ResourceGroupName $RG1 `
    -ExtensionName IIS `
    -VMName VM-Spoke-01 `
    -Publisher Microsoft.Compute `
    -ExtensionType CustomScriptExtension `
    -TypeHandlerVersion 1.4 `
    -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server"}' `
    -Location $Location1

Create the on-premises virtual machine

This is a simple virtual machine that you use to connect using Remote Desktop to the public IP address. From there, you then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.

New-AzVm `
    -ResourceGroupName $RG1 `
    -Name "VM-Onprem" `
    -Location $Location1 `
    -VirtualNetworkName $VNetnameOnprem `
    -SubnetName $SNNameOnprem `
    -OpenPorts 3389 `
    -Size "Standard_DS2"

Test the firewall

First, get and then note the private IP address for the VM-spoke-01 virtual machine.

$NIC.IpConfigurations.privateipaddress

From the Azure portal, connect to the VM-Onprem virtual machine.

Open a web browser on VM-Onprem, and browse to http://<VM-spoke-01 private IP>.

You should see the Internet Information Services default page.

VM-Onprem 中,打开远程桌面并连接到 VM-spoke-01 的专用 IP 地址。From VM-Onprem, open a remote desktop to VM-spoke-01 at the private IP address.

Your connection should succeed, and you should be able to sign in using your chosen username and password.

So now you've verified that the firewall rules are working:

  • You can browse the web server on the spoke virtual network.
  • You can connect to the server on the spoke virtual network using RDP.

Next, change the firewall network rule collection action to Deny to verify that the firewall rules work as expected. Run the following script to change the rule collection action to Deny.

$rcNet = $azfw.GetNetworkRuleCollectionByName("RCNet01")
$rcNet.action.type = "Deny"

Set-AzFirewall -AzureFirewall $azfw

Now run the tests again. They should all fail this time. Close any existing remote desktops before testing the changed rules.
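The manual browser and Remote Desktop checks above can be repeated as a script on VM-Onprem, which makes the Allow and Deny test runs comparable. The following function, an added example that is not part of the original article, probes the two TCP ports that the AllowWeb and AllowRDP rules cover and compares the outcome with what the current rule collection action should produce. It assumes you run it on VM-Onprem (Windows Server, where Test-NetConnection is available) and pass the VM-spoke-01 private IP noted from $NIC.IpConfigurations.privateipaddress; the -ExpectDeny switch is for the run after RCNet01 has been switched to Deny.

```powershell
# Added example (not from the original article): run on VM-Onprem to test the firewall rules end to end.
# Assumes $SpokeIp is the VM-spoke-01 private IP noted earlier in "Test the firewall".
function Test-FirewallRules {
    param(
        [Parameter(Mandatory)] [string] $SpokeIp,
        [switch] $ExpectDeny   # set after changing RCNet01 to Deny; every probe should then fail
    )

    # One probe per network rule defined in RCNet01 (rule name, destination port).
    $checks = @(
        @{ Rule = 'AllowWeb'; Port = 80 },
        @{ Rule = 'AllowRDP'; Port = 3389 }
    )

    $failures = 0
    foreach ($c in $checks) {
        # Azure Firewall drops denied traffic, so a denied probe ends in a TCP timeout rather than a reset.
        $result = Test-NetConnection -ComputerName $SpokeIp -Port $c.Port -WarningAction SilentlyContinue
        $open   = [bool]$result.TcpTestSucceeded
        $ok     = if ($ExpectDeny) { -not $open } else { $open }

        $state = if ($open) { 'reachable' } else { 'blocked' }
        $verdict = if ($ok) { 'OK' } else { 'UNEXPECTED' }
        Write-Host ("{0,-9} tcp/{1,-5} {2,-10} {3}" -f $c.Rule, $c.Port, $state, $verdict)
        if (-not $ok) { $failures++ }
    }

    # Return a boolean so the caller (or a scheduled check) can act on the outcome.
    return ($failures -eq 0)
}

# First run, while RCNet01 is set to Allow: both ports should be reachable.
Test-FirewallRules -SpokeIp '<VM-spoke-01 private IP>'

# Second run, after RCNet01 has been changed to Deny: both ports should be blocked.
Test-FirewallRules -SpokeIp '<VM-spoke-01 private IP>' -ExpectDeny
```

Each denied probe waits for the Test-NetConnection TCP timeout before moving on, so the -ExpectDeny run is noticeably slower than the Allow run. When you are done, set $rcNet.action.type back to "Allow" and call Set-AzFirewall again if you intend to keep the resources for the next tutorial.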

Clean up resources

You can keep your firewall resources for the next tutorial, or if no longer needed, delete the FW-Hybrid-Test resource group to delete all firewall-related resources.

Next steps

Next, you can monitor the Azure Firewall logs.

Tutorial: Monitor Azure Firewall logs