How to open ports and endpoints to a VM using PowerShell

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or on a VM network interface. These filters, which control both inbound and outbound traffic, live in a network security group (NSG) that is attached to the resource receiving the traffic.

The example in this article creates a network filter for the standard HTTP port, TCP 80. It assumes that the web service is already running on the VM and that any OS-level firewall on the VM already allows port 80: an NSG rule only controls what the Azure fabric lets through and does not open the guest firewall.

After you've created a VM that is configured to serve web requests on TCP port 80, you:

  1. Create a network security group.

  2. Create an inbound security rule that allows the traffic, with the following settings:

    • Destination port ranges: 80

    • Source port ranges: * (allows any source port; clients use ephemeral source ports, so this is normally a wildcard)

    • Priority value: a number between 100 and 4096. Lower numbers are evaluated first, and any custom rule in that range takes precedence over the default catch-all DenyAllInBound rule, which sits at priority 65500.

  3. Associate the network security group with the VM network interface or with the subnet. If an NSG is attached at both levels, traffic must be allowed by both before it reaches the VM.

    Although this example uses a single rule to allow HTTP traffic, you can use network security groups and rules to build more complex network configurations.

Quick commands

To create a network security group and ACL rules you need the latest version of Azure PowerShell installed. You can also perform these steps in the Azure portal.

Log in to your Azure account:

Connect-AzAccount -Environment AzureChinaCloud

In the following examples, replace the parameter values with your own. The example values used are myResourceGroup, myNetworkSecurityGroup, myVnet, and mySubnet.

Create a rule with New-AzNetworkSecurityRuleConfig. The following example creates a rule named myNetworkSecurityGroupRule that allows TCP traffic on port 80. Note that the source prefix "Internet" matches every public source address; if only a known set of clients needs to reach the VM, use their CIDR range instead:

$httprule = New-AzNetworkSecurityRuleConfig `
    -Name "myNetworkSecurityGroupRule" `
    -Description "Allow HTTP" `
    -Access "Allow" `
    -Protocol "Tcp" `
    -Direction "Inbound" `
    -Priority "100" `
    -SourceAddressPrefix "Internet" `
    -SourcePortRange * `
    -DestinationAddressPrefix * `
    -DestinationPortRange 80

Next, create the network security group with New-AzNetworkSecurityGroup and pass in the HTTP rule you just created. The following example creates a network security group named myNetworkSecurityGroup:

$nsg = New-AzNetworkSecurityGroup `
    -ResourceGroupName "myResourceGroup" `
    -Location "ChinaEast" `
    -Name "myNetworkSecurityGroup" `
    -SecurityRules $httprule

Now assign the network security group to a subnet. The following example loads the existing virtual network named myVnet into the variable $vnet with Get-AzVirtualNetwork:

$vnet = Get-AzVirtualNetwork `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVnet"

Associate the network security group with the subnet using Set-AzVirtualNetworkSubnetConfig. The following example associates the subnet named mySubnet with the network security group; the subnet's existing address prefix is read first because the cmdlet requires it:

# Look up the existing subnet so its address prefix can be passed back unchanged
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'mySubnet' }

Set-AzVirtualNetworkSubnetConfig `
    -VirtualNetwork $vnet `
    -Name "mySubnet" `
    -AddressPrefix $subnet.AddressPrefix `
    -NetworkSecurityGroup $nsg

Finally, update the virtual network with Set-AzVirtualNetwork so that the change takes effect:

Set-AzVirtualNetwork -VirtualNetwork $vnet
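The quick commands above attach the NSG at the subnet level. The following added example (not part of the original article) shows the other association from step 3, attaching the NSG to the VM's network interface, and then checks what the platform actually enforces. It also narrows the rule from "Internet" to a single source range, because the original rule admits every public address. It assumes the resource group, NSG and rule names from the examples above, a VM named myVM, and the documentation range 203.0.113.0/24 as the allowed source; all of these are placeholders to replace.

```powershell
# Added example, not from the original article. Assumed names: myResourceGroup,
# myNetworkSecurityGroup, myNetworkSecurityGroupRule, myVM; 203.0.113.0/24 is a
# placeholder source range (RFC 5737 documentation address space).
$rgName        = "myResourceGroup"
$nsgName       = "myNetworkSecurityGroup"
$ruleName      = "myNetworkSecurityGroupRule"
$vmName        = "myVM"
$allowedSource = "203.0.113.0/24"   # replace with the range that should reach port 80

# Load the NSG created earlier and tighten the HTTP rule: "Internet" matches
# every public source address, so replace it with the specific range.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name $ruleName `
    -Description "Allow HTTP from $allowedSource" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $allowedSource -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80 | Out-Null
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Find the VM's primary NIC (Primary is $null on single-NIC VMs) and attach the NSG.
$vm    = Get-AzVM -ResourceGroupName $rgName -Name $vmName
$nicId = ($vm.NetworkProfile.NetworkInterfaces |
          Where-Object { $_.Primary -ne $false } |
          Select-Object -First 1).Id
$nic = Get-AzNetworkInterface -ResourceId $nicId
$nic.NetworkSecurityGroup = $nsg
$nic = Set-AzNetworkInterface -NetworkInterface $nic

# Verify. The effective rules merge the subnet NSG and the NIC NSG, which is the
# view that matters: traffic has to pass both before it reaches the VM.
$effective = Get-AzEffectiveNetworkSecurityGroup `
    -NetworkInterfaceName $nic.Name -ResourceGroupName $rgName
$effective.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Get-AzEffectiveNetworkSecurityGroup only works while the VM is running, and the listing should show the port 80 allow at priority 100 ahead of the platform's DenyAllInBound at 65500. If a subnet-level NSG is also attached, a deny there still blocks the traffic even though the NIC rule allows it.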

More information on network security groups

The quick commands here get traffic flowing to your VM. Network security groups offer considerably more granularity for controlling access to your resources. You can read more about creating a network security group and ACL rules here.

For highly available web applications, place your VMs behind an Azure Load Balancer. The load balancer distributes traffic across the VMs, and a network security group still filters that traffic. For more information, see How to load balance Linux virtual machines in Azure to create a highly available application.

Next steps

In this example, you created a single rule to allow HTTP traffic. The following articles describe how to build more detailed environments: