Configure NSG Flow Logs from an Azure Resource Manager template

Azure Resource Manager is Azure's native and powerful way to manage your infrastructure as code.

This article shows how to enable NSG Flow Logs programmatically using an Azure Resource Manager template and Azure PowerShell. We start with an overview of the properties of the NSG Flow Log object, followed by a few sample templates. Then we deploy the template using a local PowerShell instance.

NSG Flow Logs object

The NSG Flow Logs object with all of its parameters is shown below.

{
  "name": "string",
  "type": "Microsoft.Network/networkWatchers/flowLogs",
  "location": "string",
  "apiVersion": "2019-09-01",
  "properties": {
    "targetResourceId": "string",
    "storageId": "string",
    "enabled": "boolean",
    "flowAnalyticsConfiguration": {
      "networkWatcherFlowAnalyticsConfiguration": {
        "enabled": "boolean",
        "workspaceResourceId": "string",
        "trafficAnalyticsInterval": "integer"
      }
    },
    "retentionPolicy": {
      "days": "integer",
      "enabled": "boolean"
    },
    "format": {
      "type": "string",
      "version": "integer"
    }
  }
}

To create a Microsoft.Network/networkWatchers/flowLogs resource, add the above JSON to the resources section of your template. Note that retentionPolicy and format are siblings of flowAnalyticsConfiguration directly under properties, as the complete examples below show.

Creating your template

If you are using Azure Resource Manager templates for the first time, you can learn more about them through the links below.

Below are two examples of complete templates that set up NSG Flow Logs.

Example 1: The simplest version of the above, with the minimum parameters passed. The template below enables NSG Flow Logs on a target NSG and stores them in the given storage account.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "NetworkWatcher_chinaeasteuap/Microsoft.NetworkDalanDemoPerimeterNSG",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "location": "chinaeasteuap",
      "apiVersion": "2019-09-01",
      "properties": {
        "targetResourceId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
        "storageId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
        "enabled": true,
        "flowAnalyticsConfiguration": {},
        "retentionPolicy": {},
        "format": {}
      }
    }
  ]
}

Note

  • The resource name has the format "Parent Resource_Child resource". Here, the parent resource is the regional Network Watcher instance (format: NetworkWatcher_RegionName; example: NetworkWatcher_chinaeasteuap).
  • targetResourceId is the resource ID of the target NSG.
  • storageId is the resource ID of the destination storage account.

Example 2: The following template enables NSG Flow Logs (version 2) with a retention period of 5 days, and enables Traffic Analytics with a processing interval of 10 minutes.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2019-09-01",
  "resources": [
    {
      "name": "NetworkWatcher_chinaeasteuap/Microsoft.NetworkDalanDemoPerimeterNSG",
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "location": "chinaeasteuap",
      "apiVersion": "2019-09-01",
      "properties": {
        "targetResourceId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/DalanDemo/providers/Microsoft.Network/networkSecurityGroups/PerimeterNSG",
        "storageId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/MyCanaryFlowLog/providers/Microsoft.Storage/storageAccounts/storagev2ira",
        "enabled": true,
        "flowAnalyticsConfiguration": {
          "networkWatcherFlowAnalyticsConfiguration": {
            "enabled": true,
            "workspaceResourceId": "/subscriptions/56abfbd6-ec72-4ce9-831f-bc2b6f2c5505/resourceGroups/defaultresourcegroup-wcus/providers/Microsoft.OperationalInsights/workspaces/1c4f42e5-3a02-4146-ac9b-3051d8501db0",
            "trafficAnalyticsInterval": 10
          }
        },
        "retentionPolicy": {
          "days": 5,
          "enabled": true
        },
        "format": {
          "type": "JSON",
          "version": 2
        }
      }
    }
  ]
}

Deploying your Azure Resource Manager template

This tutorial assumes you have an existing resource group and an NSG you can enable flow logging on. You can save any of the above example templates locally as azuredeploy.json. Update the property values so that they point to valid resources in your subscription.

To deploy the template, run the following commands in PowerShell.

# Select the subscription that contains the Network Watcher resource group
$context = Get-AzSubscription -SubscriptionId 56acfbd6-vc72-43e9-831f-bcdb6f2c5505
Set-AzContext $context
# Deploy the saved template into the resource group that holds the Network Watcher
New-AzResourceGroupDeployment -Name EnableFlowLog -ResourceGroupName NetworkWatcherRG `
    -TemplateFile "C:\MyTemplates\azuredeploy.json"

Note

The above commands deploy the resource to the NetworkWatcherRG resource group, not to the resource group containing the NSG.

Verifying your deployment

There are a couple of ways to check whether your deployment has succeeded. Your PowerShell console should show "ProvisioningState" as "Succeeded". Additionally, you can visit the NSG Flow Logs portal page to confirm your changes. If there were issues with the deployment, take a look at Troubleshoot common Azure deployment errors with Azure Resource Manager.
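The following script is an added example that is not part of the original article: it takes the Example 2 template above, replaces the hard-coded resource IDs and retention period with template parameters, validates the template before deploying, and then reads the flow log back to confirm that logging and retention are actually in effect rather than relying on the deployment status alone. It assumes the Az.Accounts, Az.Resources and Az.Network modules (Get-AzNetworkWatcherFlowLog and the Enabled, RetentionPolicy and Format properties on its result are assumed to be available in a current Az.Network), and every value in angle brackets is a placeholder for an ID from your own subscription.

```powershell
# Added example, not from the original article. Placeholders in <...> must be replaced.
$subscriptionId = "<your-subscription-id>"
$resourceGroup  = "NetworkWatcherRG"   # the group that holds the Network Watcher, not the NSG
$deployParams = @{
    location            = "chinaeasteuap"          # region of the NSG and its Network Watcher
    flowLogName         = "PerimeterNSG-flowlog"   # constructed child resource name
    targetNsgId         = "<resource ID of the target NSG>"
    storageAccountId    = "<resource ID of the destination storage account>"
    workspaceResourceId = "<resource ID of the Log Analytics workspace>"
    retentionDays       = 90
}

# Parameterized version of the article's Example 2. The parent name is derived from the
# region to match the NetworkWatcher_<region> convention described in the article.
# minValue/maxValue and allowedValues are this example's own guard rails.
$template = @'
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location":                 { "type": "string" },
    "flowLogName":              { "type": "string" },
    "targetNsgId":              { "type": "string" },
    "storageAccountId":         { "type": "string" },
    "workspaceResourceId":      { "type": "string" },
    "retentionDays":            { "type": "int", "minValue": 1, "maxValue": 365 },
    "trafficAnalyticsInterval": { "type": "int", "defaultValue": 10, "allowedValues": [ 10, 60 ] }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkWatchers/flowLogs",
      "apiVersion": "2019-09-01",
      "name": "[concat('NetworkWatcher_', parameters('location'), '/', parameters('flowLogName'))]",
      "location": "[parameters('location')]",
      "properties": {
        "targetResourceId": "[parameters('targetNsgId')]",
        "storageId": "[parameters('storageAccountId')]",
        "enabled": true,
        "retentionPolicy": { "days": "[parameters('retentionDays')]", "enabled": true },
        "format": { "type": "JSON", "version": 2 },
        "flowAnalyticsConfiguration": {
          "networkWatcherFlowAnalyticsConfiguration": {
            "enabled": true,
            "workspaceResourceId": "[parameters('workspaceResourceId')]",
            "trafficAnalyticsInterval": "[parameters('trafficAnalyticsInterval')]"
          }
        }
      }
    }
  ]
}
'@
$templateFile = Join-Path $env:TEMP "azuredeploy.json"
Set-Content -Path $templateFile -Value $template

Get-AzSubscription -SubscriptionId $subscriptionId | Set-AzContext | Out-Null

# Validate first: Test-AzResourceGroupDeployment returns error objects when the template is bad
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateFile $templateFile -TemplateParameterObject $deployParams
if ($problems) { $problems | Format-List; throw "Template validation failed" }

$deployment = New-AzResourceGroupDeployment -Name "EnableFlowLog" -ResourceGroupName $resourceGroup `
    -TemplateFile $templateFile -TemplateParameterObject $deployParams -ErrorAction Stop
if ($deployment.ProvisioningState -ne "Succeeded") {
    throw "Deployment ended in state $($deployment.ProvisioningState)"
}

# Read the resource back and check the settings that matter for log coverage
$flowLog = Get-AzNetworkWatcherFlowLog -ResourceGroupName $resourceGroup `
    -NetworkWatcherName "NetworkWatcher_$($deployParams.location)" -Name $deployParams.flowLogName
if (-not $flowLog.Enabled) { throw "Flow log is deployed but not enabled" }
if (-not $flowLog.RetentionPolicy.Enabled -or $flowLog.RetentionPolicy.Days -lt $deployParams.retentionDays) {
    throw "Retention policy does not match the requested $($deployParams.retentionDays) days"
}
"Flow log $($flowLog.Name): enabled=$($flowLog.Enabled), retention=$($flowLog.RetentionPolicy.Days) days, format v$($flowLog.Format.Version)"
```

Reading the resource back after the deployment catches the case where an earlier deployment, a portal change or a policy has left the flow log disabled or with a shorter retention than intended, which a "Succeeded" ProvisioningState on its own would not reveal.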

Deleting your resource

Azure enables resource deletion through the "Complete" deployment mode. To delete a Flow Logs resource, run a deployment in Complete mode without including the resource you wish to delete. Read more about the Complete deployment mode.
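The script below is an added example, not from the original article, of the Complete-mode deletion just described. Complete mode removes every resource in the target resource group that the template does not declare, so in NetworkWatcherRG that includes the Network Watcher itself and every other flow log unless the template still lists them; the example therefore re-declares the watcher and each flow log to keep from their current settings, and previews the result with -WhatIf before anything is changed. It assumes Get-AzNetworkWatcherFlowLog and the property names on its result (TargetResourceId, StorageId, Enabled, RetentionPolicy, Format, FlowAnalyticsConfiguration) as exposed by a current Az.Network; the watcher and flow log names are placeholders.

```powershell
# Added example, not from the original article. Names in <...> are placeholders.
$resourceGroup  = "NetworkWatcherRG"
$location       = "chinaeasteuap"
$watcherName    = "NetworkWatcher_$location"
$flowLogsToKeep = @("<flow log to keep>", "<another flow log to keep>")   # omit the one to delete

# Complete mode deletes whatever the template does not mention, so the Network Watcher
# parent must be declared or it would be removed along with the unwanted flow log.
$resources = @(
    @{
        type       = "Microsoft.Network/networkWatchers"
        apiVersion = "2019-09-01"
        name       = $watcherName
        location   = $location
        properties = @{}
    }
)

foreach ($name in $flowLogsToKeep) {
    # Re-declare each surviving flow log from its live settings so redeploying it is a no-op
    $existing = Get-AzNetworkWatcherFlowLog -ResourceGroupName $resourceGroup `
        -NetworkWatcherName $watcherName -Name $name
    $props = @{
        targetResourceId = $existing.TargetResourceId
        storageId        = $existing.StorageId
        enabled          = $existing.Enabled
        retentionPolicy  = @{ days = $existing.RetentionPolicy.Days; enabled = $existing.RetentionPolicy.Enabled }
        format           = @{ type = $existing.Format.Type; version = $existing.Format.Version }
    }
    # Traffic Analytics settings must be carried over too, or redeploying would switch them off
    $ta = $existing.FlowAnalyticsConfiguration.NetworkWatcherFlowAnalyticsConfiguration
    if ($ta -and $ta.Enabled) {
        $props.flowAnalyticsConfiguration = @{
            networkWatcherFlowAnalyticsConfiguration = @{
                enabled                  = $true
                workspaceResourceId      = $ta.WorkspaceResourceId
                trafficAnalyticsInterval = $ta.TrafficAnalyticsInterval
            }
        }
    }
    $resources += @{
        type       = "Microsoft.Network/networkWatchers/flowLogs"
        apiVersion = "2019-09-01"
        name       = "$watcherName/$name"
        location   = $location
        dependsOn  = @("[resourceId('Microsoft.Network/networkWatchers', '$watcherName')]")
        properties = $props
    }
}

# Built as a hashtable so it can be passed with -TemplateObject without writing a file
$template = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
    contentVersion = "1.0.0.0"
    resources      = $resources
}

# Preview: the -WhatIf output lists every resource Complete mode would delete
New-AzResourceGroupDeployment -Name "RemoveFlowLog" -ResourceGroupName $resourceGroup `
    -Mode Complete -TemplateObject $template -WhatIf

# Run the deletion only once the preview lists nothing but the flow log you intend to remove
# New-AzResourceGroupDeployment -Name "RemoveFlowLog" -ResourceGroupName $resourceGroup `
#     -Mode Complete -TemplateObject $template
```

Review the -WhatIf output before removing the comment on the final command: if it lists the Network Watcher or a flow log that should survive, the template is incomplete and running it would delete them. Where only a single flow log has to go and no infrastructure-as-code record is needed, Remove-AzNetworkWatcherFlowLog from Az.Network deletes just that resource without Complete mode's side effects.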

Next steps

Learn how to visualize your NSG Flow data using: