Create virtual network interface cards and use internal DNS for VM name resolution on Azure

This article shows you how to set static internal DNS names for Linux VMs using virtual network interface cards (vNics) and DNS label names with the Azure CLI. Static DNS names are used for permanent infrastructure services such as a Jenkins build server, which is the example used in this document, or a Git server.

The requirements are:

Quick commands

If you need to accomplish the task quickly, the following section details the commands needed. More detailed information and context for each step can be found in the rest of the document, starting here. To perform these steps, you need the latest Azure CLI installed and to be logged in to an Azure account using az login.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Global Azure, run az cloud set -n AzureCloud again.

Prerequisites: a resource group, a virtual network and subnet, and a Network Security Group with an inbound SSH rule.

Create a virtual network interface card with a static internal DNS name

Create the vNic with az network nic create. The --internal-dns-name CLI flag sets the DNS label, which provides the static DNS name for the virtual network interface card (vNic). The following example creates a vNic named myNic, connects it to the myVnet virtual network, and creates an internal DNS name record called jenkins:

az network nic create \
    --resource-group myResourceGroup \
    --name myNic \
    --vnet-name myVnet \
    --subnet mySubnet \
    --internal-dns-name jenkins

Deploy a VM and connect the vNic

Create a VM with az vm create. The --nics flag connects the vNic to the VM during the deployment to Azure. The following example creates a VM named myVM with Azure Managed Disks and attaches the vNic named myNic from the preceding step:

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --nics myNic \
    --image UbuntuLTS \
    --admin-username azureuser \
    --ssh-key-value ~/.ssh/id_rsa.pub

Detailed walkthrough

A full continuous integration and continuous deployment (CI/CD) infrastructure on Azure requires certain servers to be static or long-lived. It is recommended that Azure assets like virtual networks and Network Security Groups are static, long-lived resources that are rarely redeployed. Once a virtual network has been deployed, it can be reused by new deployments without any adverse effects on the infrastructure. You can later add a Git repository server or a Jenkins automation server that delivers CI/CD to this virtual network for your development or test environments.

Internal DNS names are only resolvable inside an Azure virtual network. Because the DNS names are internal, they are not resolvable from the outside internet, which provides additional security for the infrastructure.

In the following examples, replace the example parameter names with your own values. Example parameter names include myResourceGroup, myNic, and myVM.

Create the resource group

First, create the resource group with az group create. The following example creates a resource group named myResourceGroup in the chinanorth location:

az group create --name myResourceGroup --location chinanorth

Create the virtual network

The next step is to build a virtual network to launch the VMs into. The virtual network contains one subnet for this walkthrough. For more information on Azure virtual networks, see Create a virtual network.

Create the virtual network with az network vnet create. The following example creates a virtual network named myVnet and a subnet named mySubnet:

az network vnet create \
    --resource-group myResourceGroup \
    --name myVnet \
    --address-prefix 192.168.0.0/16 \
    --subnet-name mySubnet \
    --subnet-prefix 192.168.1.0/24

Create the Network Security Group

Azure Network Security Groups are equivalent to a firewall at the network layer. For more information about Network Security Groups, see How to create NSGs in the Azure CLI.

Create the network security group with az network nsg create. The following example creates a network security group named myNetworkSecurityGroup:

az network nsg create \
    --resource-group myResourceGroup \
    --name myNetworkSecurityGroup

Add an inbound rule to allow SSH

Add an inbound rule to the network security group with az network nsg rule create. The following example creates a rule named myRuleAllowSSH:

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myNetworkSecurityGroup \
    --name myRuleAllowSSH \
    --protocol tcp \
    --direction inbound \
    --priority 1000 \
    --source-address-prefix '*' \
    --source-port-range '*' \
    --destination-address-prefix '*' \
    --destination-port-range 22 \
    --access allow

Associate the subnet with the Network Security Group

To associate the subnet with the Network Security Group, use az network vnet subnet update. The following example associates the subnet named mySubnet with the Network Security Group named myNetworkSecurityGroup:

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnet \
    --network-security-group myNetworkSecurityGroup

Create the virtual network interface card and static DNS names

Azure is very flexible, but to use DNS names for VM name resolution, you need to create virtual network interface cards (vNics) that include a DNS label. vNics are important because you can reuse them by connecting them to different VMs over the lifecycle of the infrastructure. This approach keeps the vNic as a static resource while the VMs can be temporary. By adding a DNS label to the vNic, you enable simple name resolution from other VMs in the VNet. Resolvable names let other VMs reach the automation server by the DNS name jenkins, or the Git server by the name gitrepo.

Create the vNic with az network nic create. The following example creates a vNic named myNic, connects it to the virtual network named myVnet, and creates an internal DNS name record called jenkins:

az network nic create \
    --resource-group myResourceGroup \
    --name myNic \
    --vnet-name myVnet \
    --subnet mySubnet \
    --internal-dns-name jenkins

Deploy the VM into the virtual network infrastructure

We now have a virtual network and subnet, a Network Security Group acting as a firewall that protects the subnet by blocking all inbound traffic except port 22 for SSH, and a vNic. You can now deploy a VM inside this existing network infrastructure.

Create a VM with az vm create. The following example creates a VM named myVM with Azure Managed Disks and attaches the vNic named myNic from the preceding step:

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --nics myNic \
    --image UbuntuLTS \
    --admin-username azureuser \
    --ssh-key-value ~/.ssh/id_rsa.pub

By using the CLI flags to call out existing resources, we instruct Azure to deploy the VM inside the existing network. To reiterate, once a VNet and subnet have been deployed, they can be left as static or permanent resources inside your Azure region.
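The walkthrough above runs the same commands in a fixed order with hard-coded names. The script below is an added example, not part of this document or of the Azure CLI, that wraps those steps in a single POSIX shell function with every name taken from an environment variable (the defaults are the page's own example values, and the variable names, the valid_dns_label and valid_source_prefix checks and the AZ override are this example's assumptions). It validates the DNS label and the SSH source range before any API call, warns when port 22 is opened to every source address (the page's rule uses '*'), and with AZ=echo prints the commands instead of running them so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): a parameterised,
# dry-run-capable version of the walkthrough. All names below are assumed
# defaults that mirror the page; override them through the environment.
# Setting AZ=echo prints each command instead of executing it.

RG="${RG:-myResourceGroup}"
LOCATION="${LOCATION:-chinanorth}"
VNET="${VNET:-myVnet}"
VNET_PREFIX="${VNET_PREFIX:-192.168.0.0/16}"
SUBNET="${SUBNET:-mySubnet}"
SUBNET_PREFIX="${SUBNET_PREFIX:-192.168.1.0/24}"
NSG="${NSG:-myNetworkSecurityGroup}"
NIC="${NIC:-myNic}"
DNS_LABEL="${DNS_LABEL:-jenkins}"
VM="${VM:-myVM}"
ADMIN_USER="${ADMIN_USER:-azureuser}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_rsa.pub}"
# Source range allowed to reach tcp/22. The page uses '*' (any address);
# narrowing this to a management range is the usual hardening step.
SSH_SOURCE="${SSH_SOURCE:-*}"
AZ="${AZ:-az}"

# Conservative hostname-label check in the RFC 1123 style: lowercase letters,
# digits and hyphens, 1-63 characters, starts with a letter, does not end with
# a hyphen. This is the example's own rule, meant to catch obvious mistakes
# locally; the Azure service applies its own validation on top of it.
valid_dns_label() {
    printf '%s' "$1" | grep -Eq '^[a-z]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Accept '*', a single IPv4 address, or an IPv4 CIDR block (prefix 0-32)
# as the NSG source address prefix.
valid_source_prefix() {
    [ "$1" = '*' ] && return 0
    printf '%s' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Run (or print, when AZ=echo) the walkthrough's commands in dependency order:
# resource group, VNet and subnet, NSG, SSH rule, subnet association,
# vNic with its internal DNS label, and finally the VM attached to that vNic.
deploy_internal_dns_vm() {
    valid_dns_label "$DNS_LABEL" ||
        { echo "invalid DNS label: $DNS_LABEL" >&2; return 2; }
    valid_source_prefix "$SSH_SOURCE" ||
        { echo "invalid SSH source prefix: $SSH_SOURCE" >&2; return 2; }
    if [ "$SSH_SOURCE" = '*' ]; then
        echo "WARNING: tcp/22 will be reachable from any address; set SSH_SOURCE to a management range" >&2
    fi
    "$AZ" group create --name "$RG" --location "$LOCATION" &&
    "$AZ" network vnet create --resource-group "$RG" --name "$VNET" \
        --address-prefix "$VNET_PREFIX" --subnet-name "$SUBNET" \
        --subnet-prefix "$SUBNET_PREFIX" &&
    "$AZ" network nsg create --resource-group "$RG" --name "$NSG" &&
    "$AZ" network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
        --name myRuleAllowSSH --protocol tcp --direction inbound --priority 1000 \
        --source-address-prefix "$SSH_SOURCE" --source-port-range '*' \
        --destination-address-prefix '*' --destination-port-range 22 --access allow &&
    "$AZ" network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
        --name "$SUBNET" --network-security-group "$NSG" &&
    "$AZ" network nic create --resource-group "$RG" --name "$NIC" \
        --vnet-name "$VNET" --subnet "$SUBNET" --internal-dns-name "$DNS_LABEL" &&
    "$AZ" vm create --resource-group "$RG" --name "$VM" --nics "$NIC" \
        --image UbuntuLTS --admin-username "$ADMIN_USER" --ssh-key-value "$SSH_KEY"
}

# Deploy only when invoked directly with --run, so sourcing the file to reuse
# the checks has no side effects.
if [ "${1:-}" = "--run" ]; then
    deploy_internal_dns_vm
fi
```

Review the plan first with AZ=echo sh deploy.sh --run, then run SSH_SOURCE=203.0.113.0/24 sh deploy.sh --run (the range is a constructed placeholder; use your own management network) after az login. Once the VM is up, the page's point about internal DNS can be checked from a second VM in the same VNet: getent hosts jenkins returns the vNic's private address there, while the same lookup from outside the VNet does not resolve.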

Next steps