Secure network traffic between virtual machines

This script creates two virtual machines and secures incoming traffic to both. One virtual machine is accessible from the internet and has a network security group (NSG) configured to allow traffic on port 3389 and port 80. The second virtual machine is not accessible from the internet and has an NSG configured to allow traffic only from the first virtual machine.

To run this sample, install the latest version of the Azure CLI. To start, run az login to create a connection with Azure.

Samples for the Azure CLI are written for the bash shell. To run this sample in Windows PowerShell or Command Prompt, you may need to change elements of the script.

If you don't have an Azure trial subscription, create a trial subscription before you begin.

Sample script

#!/bin/bash

# Sign in to the Azure China Cloud.
az cloud set -n AzureChinaCloud
az login

# Update for your admin password (it must satisfy Azure's password complexity rules).
AdminPassword=ChangeYourAdminPassword1

# Create a resource group.
az group create --name myResourceGroup --location chinanorth

# Create a virtual network and front-end subnet.
az network vnet create --resource-group myResourceGroup --name myVnet --address-prefix 10.0.0.0/16 \
  --subnet-name mySubnetFrontEnd --subnet-prefix 10.0.1.0/24

# Create a back-end subnet and associate it with the virtual network.
az network vnet subnet create --resource-group myResourceGroup --vnet-name myVnet \
  --name mySubnetBackEnd --address-prefix 10.0.2.0/24

# Create a front-end virtual machine. The NSG named here does not exist yet, so az vm create
# creates it with a default rule that allows RDP (port 3389) inbound for a Windows image.
az vm create --resource-group myResourceGroup --name myVMFrontEnd --image win2016datacenter \
  --admin-username azureuser --admin-password "$AdminPassword" --vnet-name myVnet --subnet mySubnetFrontEnd \
  --nsg myNetworkSecurityGroupFrontEnd --no-wait

# Create a back-end virtual machine without a public IP address.
az vm create --resource-group myResourceGroup --name myVMBackEnd --image win2016datacenter \
  --admin-username azureuser --admin-password "$AdminPassword" --public-ip-address "" --vnet-name myVnet \
  --subnet mySubnetBackEnd --nsg myNetworkSecurityGroupBackEnd

# Create a front-end NSG rule to allow traffic on port 80.
az network nsg rule create --resource-group myResourceGroup --nsg-name myNetworkSecurityGroupFrontEnd \
  --name http --access Allow --protocol Tcp --direction Inbound --priority 200 \
  --source-address-prefix "*" --source-port-range "*" --destination-address-prefix "*" --destination-port-range 80

# Get the name of the default rule that az vm create added to the back-end NSG.
# The JMESPath expression is quoted so the shell does not treat [0] as a glob pattern.
nsgrule=$(az network nsg rule list --resource-group myResourceGroup --nsg-name myNetworkSecurityGroupBackEnd \
  --query '[0].name' -o tsv)

# Update the back-end NSG rule to limit SSH to the front-end subnet (priority 100).
# Note: win2016datacenter images do not run an SSH server; use 3389 instead of 22 if the
# back-end VM should accept RDP from the front-end subnet.
az network nsg rule update --resource-group myResourceGroup --nsg-name myNetworkSecurityGroupBackEnd \
  --name "$nsgrule" --protocol Tcp --direction Inbound --priority 100 \
  --source-address-prefix 10.0.1.0/24 --source-port-range '*' --destination-address-prefix '*' \
  --destination-port-range 22 --access Allow

# Create a back-end NSG rule to block all other incoming traffic (priority 200).
# Protocol '*' covers UDP and ICMP as well as TCP; with Tcp only, non-TCP traffic from the rest of
# the virtual network would still be admitted by the default AllowVnetInBound rule (priority 65000).
az network nsg rule create --resource-group myResourceGroup --nsg-name myNetworkSecurityGroupBackEnd \
  --name denyAll --access Deny --protocol '*' --direction Inbound --priority 200 \
  --source-address-prefix "*" --source-port-range "*" --destination-address-prefix "*" --destination-port-range "*"
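The rule set the script leaves on the back-end NSG is easiest to reason about by replaying it. The following is an added example, not part of the Azure sample and not Azure's rule engine: a simplified offline model of NSG inbound evaluation (lowest priority number that matches wins) run over a constructed table of the script's two rules plus Azure's three default inbound rules. It assumes IPv4 only, ignores source ports, maps the VirtualNetwork tag to the sample's 10.0.0.0/16 and the AzureLoadBalancer tag to the Azure platform address 168.63.129.16, and includes a second table in which denyAll is restricted to TCP, to show what the default AllowVnetInBound rule (priority 65000) would otherwise admit.

```bash
#!/bin/bash
# Added example (not part of the Azure sample): an offline, simplified model of how an NSG
# evaluates inbound rules, first match in ascending priority order wins.
# Assumptions: IPv4 only, source port ignored, a single destination port per rule, and the
# service tags VirtualNetwork / AzureLoadBalancer mapped to the sample's VNet prefix and to the
# Azure platform address 168.63.129.16.

# Dotted IPv4 -> 32-bit integer.
ip2int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $1 falls inside prefix $2 ("*", CIDR or service tag).
in_prefix() {
  local ip=$1 prefix=$2
  case "$prefix" in
    '*') return 0 ;;
    VirtualNetwork) prefix=10.0.0.0/16 ;;          # the sample's VNet (assumption)
    AzureLoadBalancer) prefix=168.63.129.16/32 ;;  # Azure platform probe address
  esac
  local net=${prefix%/*} bits=${prefix#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Constructed inbound rule table for the back-end NSG after the script has run: the two rules
# the script creates plus Azure's three default inbound rules.
# Columns: priority name protocol source-prefix destination-port access
BACKEND_RULES='
100 allow-from-frontend tcp 10.0.1.0/24 22 Allow
200 denyAll * * * Deny
65000 AllowVnetInBound * VirtualNetwork * Allow
65001 AllowAzureLoadBalancerInBound * AzureLoadBalancer * Allow
65500 DenyAllInBound * * * Deny
'

# The same table with denyAll limited to TCP, to show the gap that leaves.
BACKEND_RULES_TCP_ONLY_DENY='
100 allow-from-frontend tcp 10.0.1.0/24 22 Allow
200 denyAll tcp * * Deny
65000 AllowVnetInBound * VirtualNetwork * Allow
65001 AllowAzureLoadBalancerInBound * AzureLoadBalancer * Allow
65500 DenyAllInBound * * * Deny
'

# evaluate RULES SRC_IP PROTOCOL DST_PORT -> prints "<Allow|Deny> <rule name>"
evaluate() {
  local rules=$1 src=$2 port=$4
  local proto
  proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  local prio name rproto rsrc rport access
  while read -r prio name rproto rsrc rport access; do
    [ -n "$prio" ] || continue
    [ "$rproto" = '*' ] || [ "$rproto" = "$proto" ] || continue
    [ "$rport" = '*' ] || [ "$rport" = "$port" ] || continue
    in_prefix "$src" "$rsrc" || continue
    echo "$access $name"
    return 0
  done <<< "$(printf '%s\n' "$rules" | sort -n)"
  echo "Deny implicit"   # unreachable while DenyAllInBound is present; kept for completeness
}

# Demonstration: which constructed probes reach the back-end VM under each table?
for probe in "10.0.1.4 tcp 22" "10.0.1.4 tcp 3389" "10.0.2.5 tcp 22" "203.0.113.9 tcp 22" "10.0.2.5 udp 53"; do
  # shellcheck disable=SC2086
  printf '%-20s -> %-26s | tcp-only denyAll: %s\n' "$probe" \
    "$(evaluate "$BACKEND_RULES" $probe)" "$(evaluate "$BACKEND_RULES_TCP_ONLY_DENY" $probe)"
done
```

The last probe is the one that matters: with denyAll on protocol `*`, UDP from another subnet in the VNet is dropped by the script's own rule, whereas with denyAll on TCP only it falls through to AllowVnetInBound and is admitted. The explicit deny at priority 200 is what overrides the permissive default rule, so it has to cover every protocol.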

Clean up deployment

Run the following command to remove the resource group, the VMs, and all related resources.

az group delete --name myResourceGroup --yes

Script explanation

This script uses the following commands to create a resource group, virtual machines, and all related resources. Each command in the table links to command-specific documentation.

Command                        Notes
az group create                Creates a resource group in which all resources are stored.
az network vnet create         Creates an Azure virtual network and subnet.
az network vnet subnet create  Creates a subnet.
az vm create                   Creates the virtual machine and connects it to the network interface, virtual network, subnet, and NSG. This command also specifies the virtual machine image to use and the administrative credentials.
az network nsg rule update     Updates an NSG rule. In this sample, the back-end rule is updated to allow traffic only from the front-end subnet.
az network nsg rule list       Returns information about the rules of a network security group. In this sample, the rule name is stored in a variable for use later in the script.
az group delete                Deletes a resource group, including all nested resources.

Next steps

For more information on the Azure CLI, see the Azure CLI documentation.

Additional virtual machine CLI script samples can be found in the Azure Windows VM documentation.