Move Azure network security group (NSG) to another region using the Azure portal

There are various scenarios in which you'd want to move your existing NSGs from one region to another. For example, you may want to create an NSG with the same configuration and security rules for testing. You may also want to move an NSG to another region as part of disaster recovery planning.

Azure security groups can't be moved from one region to another. You can, however, use an Azure Resource Manager template to export the existing configuration and security rules of an NSG. You can then stage the resource in another region by exporting the NSG to a template, modifying the parameters to match the destination region, and then deploying the template to the new region. For more information on Resource Manager and templates, see Quickstart: Create and deploy Azure Resource Manager templates by using the Azure portal.

Prerequisites

  • Make sure that the Azure network security group is in the Azure region from which you want to move.

  • Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.

  • To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the Network Contributor role or higher.

  • Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, public IPs, and virtual networks.

  • Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact support to enable the required quota.

  • Make sure that your subscription has enough resources to support the addition of NSGs for this process. See Azure subscription and service limits, quotas, and constraints.

Prepare and move

The following steps show how to prepare the network security group for the configuration and security rule move using a Resource Manager template, and move the NSG configuration and security rules to the target region using the portal.

Export the template and deploy from the portal

  1. Log in to the Azure portal > Resource Groups.

  2. Locate the Resource Group that contains the source NSG and click on it.

  3. Select Settings > Export template.

  4. Choose Deploy in the Export template blade.

  5. Click TEMPLATE > Edit parameters to open the parameters.json file in the online editor.

  6. To edit the parameter of the NSG name, change the value property under parameters:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "networkSecurityGroups_myVM1_nsg_name": {
                "value": "<target-nsg-name>"
            }
        }
    }
    
  7. Change the source NSG value in the editor to a name of your choice for the target NSG. Ensure you enclose the name in quotes.

  8. Click Save in the editor.

  9. Click TEMPLATE > Edit template to open the template.json file in the online editor.

  10. To edit the target region where the NSG configuration and security rules will be moved, change the location property under resources in the online editor:

    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-06-01",
            "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
            "location": "<target-region>",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78"
            }
        }
    ]
    
    
  11. To obtain region location codes, see Azure Locations. The code for a region is the region name with no spaces; for example, China North = chinanorth.

  12. You can also change other parameters in the template; these changes are optional, depending on your requirements:

    • Security rules - You can edit which rules are deployed into the target NSG by adding rules to or removing rules from the securityRules section in the template.json file:

      "resources": [
          {
              "type": "Microsoft.Network/networkSecurityGroups",
              "apiVersion": "2019-06-01",
              "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
              "location": "<target-region>",
              "properties": {
                  "provisioningState": "Succeeded",
                  "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
                  "securityRules": [
                      {
                          "name": "RDP",
                          "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",
                          "properties": {
                              "provisioningState": "Succeeded",
                              "protocol": "TCP",
                              "sourcePortRange": "*",
                              "destinationPortRange": "3389",
                              "sourceAddressPrefix": "*",
                              "destinationAddressPrefix": "*",
                              "access": "Allow",
                              "priority": 300,
                              "direction": "Inbound",
                              "sourcePortRanges": [],
                              "destinationPortRanges": [],
                              "sourceAddressPrefixes": [],
                              "destinationAddressPrefixes": []
                          }
                      }
                  ]
              }
          }
      ]
      

      To complete the addition or the removal of the rules in the target NSG, you must also edit the custom rule types at the end of the template.json file in the format of the example below:

      {
          "type": "Microsoft.Network/networkSecurityGroups/securityRules",
          "apiVersion": "2019-06-01",
          "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
          "dependsOn": [
              "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"
          ],
          "properties": {
              "provisioningState": "Succeeded",
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "80",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 310,
              "direction": "Inbound",
              "sourcePortRanges": [],
              "destinationPortRanges": [],
              "sourceAddressPrefixes": [],
              "destinationAddressPrefixes": []
          }
      }
      
  13. Click Save in the online editor.

  14. Click BASICS > Subscription to choose the subscription where the target NSG will be deployed.

  15. Click BASICS > Resource group to choose the resource group where the target NSG will be deployed. You can click Create new to create a new resource group for the target NSG. Ensure the name isn't the same as the source resource group of the existing NSG.

  16. Verify that BASICS > Location is set to the target location where you want the NSG to be deployed.

  17. Verify under SETTINGS that the name matches the name that you entered in the parameters editor above.

  18. Check the box under TERMS AND CONDITIONS.

  19. Click the Purchase button to deploy the target network security group.
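A pre-deployment check for the edits in steps 10 and 12, as an added example that is not part of the original article: it retargets the exported template, reports rules that were edited in only one of the two places step 12 requires, and flags inbound Allow rules open to any source. The function names, the choice to drop provisioningState, resourceGuid and etag, the definition of "any source", and the sample template are assumptions of this example.

```python
NSG = "Microsoft.Network/networkSecurityGroups"
RULE = NSG + "/securityRules"
READ_ONLY = {"provisioningState", "resourceGuid", "etag"}  # assumption: source-specific, dropped
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}  # this example's definition of "any source"

def strip_read_only(node):
    """Return a copy of the template without the READ_ONLY keys, at any depth."""
    if isinstance(node, dict):
        return {k: strip_read_only(v) for k, v in node.items() if k not in READ_ONLY}
    if isinstance(node, list):
        return [strip_read_only(v) for v in node]
    return node

def prepare(template, target_region):
    """Retarget the NSG to target_region; return (clean_template, findings)."""
    out = strip_read_only(template)
    inline, child, findings = {}, {}, []
    for res in out["resources"]:
        if res["type"] == NSG:
            res["location"] = target_region
            for rule in res["properties"].get("securityRules", []):
                inline[rule["name"]] = rule["properties"]
        elif res["type"] == RULE:
            # Child names look like "[concat(parameters('...'), '/Port_80')]".
            child[res["name"].rsplit("/", 1)[-1].rstrip("')]")] = res["properties"]
    for name in sorted(set(inline) ^ set(child)):
        findings.append(f"{name}: not present in both securityRules and the child resources")
    for name, p in sorted({**child, **inline}.items()):
        sources = {p.get("sourceAddressPrefix")} | set(p.get("sourceAddressPrefixes", []))
        if p["access"] == "Allow" and p["direction"] == "Inbound" and sources & ANY_SOURCE:
            findings.append(f"{name}: inbound Allow from any source, port {p.get('destinationPortRange')}")
    return out, findings

def _props(port, priority):  # constructed rule body using fields from the exported template
    return {"provisioningState": "Succeeded", "protocol": "TCP", "destinationPortRange": port,
            "sourceAddressPrefix": "*", "access": "Allow", "priority": priority,
            "direction": "Inbound", "sourceAddressPrefixes": []}

_N = "parameters('networkSecurityGroups_myVM1_nsg_name')"
SAMPLE = {"resources": [  # constructed input shaped like the exported template.json
    {"type": NSG, "name": f"[{_N}]", "location": "<source-region>",
     "properties": {"provisioningState": "Succeeded", "resourceGuid": "<guid>", "securityRules": [
         {"name": "RDP", "etag": "<etag>", "properties": _props("3389", 300)}]}},
    {"type": RULE, "name": f"[concat({_N}, '/RDP')]", "properties": _props("3389", 300)},
    {"type": RULE, "name": f"[concat({_N}, '/Port_80')]", "properties": _props("80", 310)},
]}

if __name__ == "__main__":
    print("\n".join(prepare(SAMPLE, "chinanorth")[1]))
```

Run it against the exported template.json before clicking Purchase; an empty findings list means both rule sections agree and no inbound Allow rule is open to any source.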

Discard

If you wish to discard the target NSG, delete the resource group that contains the target NSG. To do so, select the resource group from your dashboard in the portal and select Delete at the top of the overview page.

Clean up

To commit the changes and complete the move of the NSG, delete the source NSG or resource group. To do so, select the network security group or resource group from your dashboard in the portal and select Delete at the top of each page.

Next steps

In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to: