Quickstart: Create an Azure Private Endpoint using Azure PowerShell

Get started with Azure Private Link by using a Private Endpoint to connect securely to an Azure web app.

In this quickstart, you'll create a private endpoint for an Azure web app and deploy a virtual machine to test the private connection.

Private endpoints can be created for different kinds of Azure services, such as Azure SQL and Azure Storage.

Prerequisites

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a resource group

An Azure resource group is a logical container into which Azure resources are deployed and managed.

Create a resource group with New-AzResourceGroup:

New-AzResourceGroup -Name 'CreatePrivateEndpointQS-rg' -Location 'chinaeast2'

Create a virtual network and bastion host

In this section, you'll create a virtual network, subnet, and bastion host.

The bastion host will be used to connect securely to the virtual machine for testing the private endpoint.

Create a virtual network and bastion host with:

## Create backend subnet config. ##
$subnetConfig = New-AzVirtualNetworkSubnetConfig -Name myBackendSubnet -AddressPrefix 10.0.0.0/24

## Create Azure Bastion subnet. ##
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix 10.0.1.0/24

## Create the virtual network. ##
$parameters1 = @{
    Name = 'myVNet'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'chinaeast2'
    AddressPrefix = '10.0.0.0/16'
    Subnet = $subnetConfig, $bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @parameters1

## Create public IP address for bastion host. ##
$parameters2 = @{
    Name = 'myBastionIP'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'chinaeast2'
    Sku = 'Standard'
    AllocationMethod = 'Static'
}
$publicip = New-AzPublicIpAddress @parameters2

## Create bastion host ##
$parameters3 = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myBastion'
    PublicIpAddress = $publicip
    VirtualNetwork = $vnet
}
New-AzBastion @parameters3

It can take a few minutes for the Azure Bastion host to deploy.

Create test virtual machine

In this section, you'll create a virtual machine that will be used to test the private endpoint.

Create the virtual machine with:

## Set credentials for server admin and password. ##
$cred = Get-Credential

## Command to get virtual network configuration. ##
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName CreatePrivateEndpointQS-rg

## Command to create network interface for VM ##
$parameters1 = @{
    Name = 'myNicVM'
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Location = 'chinaeast2'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @parameters1

## Create a virtual machine configuration.##
$parameters2 = @{
    VMName = 'myVM'
    VMSize = 'Standard_DS1_v2'
}
$parameters3 = @{
    ComputerName = 'myVM'
    Credential = $cred
}
$parameters4 = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'WindowsServer'
    Skus = '2019-Datacenter'
    Version = 'latest'
}
$vmConfig = New-AzVMConfig @parameters2 |
    Set-AzVMOperatingSystem -Windows @parameters3 |
    Set-AzVMSourceImage @parameters4 |
    Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine ##
New-AzVM -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Location 'chinaeast2' -VM $vmConfig

Note

Azure provides an ephemeral IP for Azure Virtual Machines which aren't assigned a public IP address, or are in the backend pool of an internal Basic Azure Load Balancer. The ephemeral IP mechanism provides an outbound IP address that isn't configurable.

The ephemeral IP is disabled when a public IP address is assigned to the virtual machine or the virtual machine is placed in the backend pool of a Standard Load Balancer with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the ephemeral IP is disabled.

For more information on outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

Create private endpoint

In this section, you'll create the private endpoint and connection using:

## Place web app into variable. Replace <webapp-resource-group-name> with the resource group of your webapp. ##
## Replace <your-webapp-name> with your webapp name ##
$webapp = Get-AzWebApp -ResourceGroupName <webapp-resource-group-name> -Name <your-webapp-name>

## Create private endpoint connection. ##
$parameters1 = @{
    Name = 'myConnection'
    PrivateLinkServiceId = $webapp.ID
    GroupID = 'sites'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @parameters1

## Place virtual network into variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Disable private endpoint network policy ##
$vnet.Subnets[0].PrivateEndpointNetworkPolicies = "Disabled"
$vnet | Set-AzVirtualNetwork

## Create private endpoint
$parameters2 = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'myPrivateEndpoint'
    Location = 'chinaeast2'
    Subnet = $vnet.Subnets[0]
    PrivateLinkServiceConnection = $privateEndpointConnection
}
New-AzPrivateEndpoint @parameters2

Configure the private DNS zone

In this section, you'll create and configure the private DNS zone using:

## Place virtual network into variable. ##
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'CreatePrivateEndpointQS-rg' -Name 'myVNet'

## Create private dns zone. ##
$parameters1 = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    Name = 'privatelink.chinacloudsites.cn'
}
$zone = New-AzPrivateDnsZone @parameters1

## Create dns network link. ##
$parameters2 = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    ZoneName = 'privatelink.chinacloudsites.cn'
    Name = 'myLink'
    VirtualNetworkId = $vnet.Id
}
$link = New-AzPrivateDnsVirtualNetworkLink @parameters2

## Create DNS configuration ##
$parameters3 = @{
    Name = 'privatelink.chinacloudsites.cn'
    PrivateDnsZoneId = $zone.ResourceId
}
$config = New-AzPrivateDnsZoneConfig @parameters3

## Create DNS zone group. ##
$parameters4 = @{
    ResourceGroupName = 'CreatePrivateEndpointQS-rg'
    PrivateEndpointName = 'myPrivateEndpoint'
    Name = 'myZoneGroup'
    PrivateDnsZoneConfig = $config
}
New-AzPrivateDnsZoneGroup @parameters4
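The private endpoint only carries traffic once its connection is Approved, and clients in the virtual network only reach it if the zone group wrote an A record for the web app and the zone is linked to myVNet. The following control-plane check is an added example, not part of the quickstart; it assumes the resource names used above and a <your-webapp-name> placeholder you replace with your web app name:

```powershell
## Added verification script (not from the quickstart). Assumes the names used above.
$rg       = 'CreatePrivateEndpointQS-rg'
$peName   = 'myPrivateEndpoint'
$zoneName = 'privatelink.chinacloudsites.cn'
$webApp   = '<your-webapp-name>'   # placeholder: your web app name

## 1. The private link connection must be Approved; otherwise no traffic is forwarded.
$pe    = Get-AzPrivateEndpoint -Name $peName -ResourceGroupName $rg
$state = $pe.PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
if ($state -ne 'Approved') { Write-Warning "Connection state is '$state', expected 'Approved'" }

## 2. Read the private IP the endpoint NIC received in myBackendSubnet (10.0.0.0/24).
$nic  = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$peIp = $nic.IpConfigurations[0].PrivateIpAddress
if ($peIp -notlike '10.0.0.*') { Write-Warning "Endpoint IP $peIp is outside 10.0.0.0/24" }

## 3. The zone group must have written an A record for the web app pointing at that IP.
$aRecords = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -RecordType A
$match = $aRecords | Where-Object { $_.Name -eq $webApp -and $_.Records.Ipv4Address -contains $peIp }
if (-not $match) { Write-Warning "No A record '$webApp' -> $peIp found in $zoneName" }

## 4. The zone must be linked to myVNet, or VMs in it keep resolving the public address.
$links = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName
$vnetLink = $links | Where-Object { $_.VirtualNetworkId -like '*/virtualNetworks/myVNet' }
if (-not $vnetLink) { Write-Warning "$zoneName is not linked to myVNet" }

## Summary of what the checks found.
[pscustomobject]@{
    ConnectionState = $state
    PrivateIp       = $peIp
    DnsRecordOk     = [bool]$match
    VNetLinkOk      = [bool]$vnetLink
    LinkState       = if ($vnetLink) { $vnetLink.ProvisioningState } else { $null }
}
```

Any warning printed here explains a later nslookup on myVM that still returns the public address instead of 10.0.0.x.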

Test connectivity to private endpoint

In this section, you'll use the virtual machine you created in the previous step to connect to the web app across the private endpoint.

  1. Sign in to the Azure portal.

  2. Select Resource groups in the left-hand navigation pane.

  3. Select CreatePrivateEndpointQS-rg.

  4. Select myVM.

  5. On the overview page for myVM, select Connect, then Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password that you entered during the virtual machine creation.

  8. Open Windows PowerShell on the server after you connect.

  9. Enter nslookup <your-webapp-name>.chinacloudsites.cn. Replace <your-webapp-name> with the name of the web app you created in the previous steps. You'll receive a message similar to what is displayed below:

    Server:  UnKnown
    Address:  168.63.129.16
    
    Non-authoritative answer:
    Name:    mywebapp8675.privatelink.chinacloudsites.cn
    Address:  10.0.0.5
    Aliases:  mywebapp8675.chinacloudsites.cn
    

    A private IP address of 10.0.0.5 is returned for the web app name. This address is in the subnet of the virtual network you created previously.

  10. In the bastion connection to myVM, open Internet Explorer.

  11. Enter the URL of your web app, https://<your-webapp-name>.chinacloudsites.cn.

  12. You'll receive the default web app page if your application hasn't been deployed:

    Default web app page.

  13. Close the connection to myVM.
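The nslookup in step 9 is the key security check: a public address in the answer means the VM is bypassing the private endpoint. The following script is an added example, not part of the quickstart, that runs the same check inside the Bastion session on myVM and also confirms TCP 443 reaches the resolved address; it assumes the <your-webapp-name> placeholder and the 10.0.0.0/24 backend subnet used above:

```powershell
## Added check, run on myVM inside the Bastion session (not from the quickstart).
$fqdn = '<your-webapp-name>.chinacloudsites.cn'   # placeholder: your web app name

## Resolve through the VNet DNS server only (skip hosts file and client cache).
$records = Resolve-DnsName -Name $fqdn -Type A -DnsOnly
$cnames  = $records | Where-Object Type -eq 'CNAME' | Select-Object -ExpandProperty NameHost
$aRecs   = $records | Where-Object Type -eq 'A'     | Select-Object -ExpandProperty IPAddress

## The public name must alias into the privatelink zone, as in the nslookup output above.
$viaPrivateLink = [bool]($cnames -like '*.privatelink.chinacloudsites.cn')
if (-not $viaPrivateLink) { Write-Warning "$fqdn does not alias into privatelink.chinacloudsites.cn" }

## The final A record must be in myBackendSubnet (10.0.0.0/24), not a public address.
$privateIps = $aRecs | Where-Object { $_ -like '10.0.0.*' }
if (-not $privateIps) {
    Write-Warning "$fqdn resolved to $($aRecs -join ', '): traffic would leave the VNet"
}

## Confirm the endpoint answers on 443, which is what the browser test in step 11 uses.
$tcpOk = Test-NetConnection -ComputerName $fqdn -Port 443 -InformationLevel Quiet

[pscustomobject]@{
    Fqdn            = $fqdn
    ResolvedTo      = ($aRecs -join ', ')
    ViaPrivateLink  = $viaPrivateLink
    PrivateAddress  = [bool]$privateIps
    Tcp443Reachable = $tcpOk
}
```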

Clean up resources

When you're done using the private endpoint and the VM, use Remove-AzResourceGroup to remove the resource group and all the resources it contains:

Remove-AzResourceGroup -Name CreatePrivateEndpointQS-rg -Force

Next steps

In this quickstart, you created a:

  • Virtual network and bastion host.
  • Virtual machine.
  • Private endpoint for an Azure Web App.

You used the virtual machine to test connectivity securely to the web app across the private endpoint.

For more information on the services that support a private endpoint, see: