Move Azure network security group (NSG) to another region using Azure PowerShell

There are various scenarios in which you'd want to move your existing NSGs from one region to another. For example, you may want to create an NSG with the same configuration and security rules for testing. You may also want to move an NSG to another region as part of disaster recovery planning.

Azure security groups can't be moved from one region to another. You can, however, use an Azure Resource Manager template to export the existing configuration and security rules of an NSG. You can then stage the resource in another region by exporting the NSG to a template, modifying the parameters to match the destination region, and then deploying the template to the new region. For more information on Resource Manager and templates, see Export resource groups to templates.

Prerequisites

  • Make sure that the Azure network security group is in the Azure region from which you want to move.

  • Azure network security groups can't be moved between regions. You'll have to associate the new NSG to resources in the target region.

  • To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the Network Contributor role or higher.

  • Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, public IPs, and virtual networks.

  • Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact support to enable the required quota.

  • Make sure that your subscription has enough resources to support the addition of NSGs for this process. See Azure subscription and service limits, quotas, and constraints.

Prepare and move

The following steps show how to prepare the network security group for the configuration and security rule move using a Resource Manager template, and how to move the NSG configuration and security rules to the target region using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Export the template and deploy from a script

  1. Sign in to your Azure subscription with the Connect-AzAccount -Environment AzureChinaCloud command and follow the on-screen directions:

    Connect-AzAccount -Environment AzureChinaCloud

  2. Obtain the resource ID of the NSG you want to move to the target region and place it in a variable using Get-AzNetworkSecurityGroup:

    $sourceNSGID = (Get-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>).Id

  3. Export the source NSG to a .json file in the directory where you execute the Export-AzResourceGroup command:

    Export-AzResourceGroup -ResourceGroupName <source-resource-group-name> -Resource $sourceNSGID -IncludeParameterDefaultValue

  4. The downloaded file is named after the resource group the resource was exported from. Locate the file exported by the command, named <resource-group-name>.json, and open it in an editor of your choice:

    notepad <source-resource-group-name>.json

  5. To edit the parameter for the NSG name, change the defaultValue property of the source NSG name to the name of your target NSG, making sure the name is in quotes:

    {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "networkSecurityGroups_myVM1_nsg_name": {
                "defaultValue": "<target-nsg-name>",
                "type": "String"
            }
        }

  6. To edit the target region where the NSG configuration and security rules will be moved, change the location property under resources:

    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-06-01",
            "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
            "location": "<target-region>",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78"
            }
        }
    ]

  7. To obtain region location codes, you can use the Azure PowerShell cmdlet Get-AzLocation by running the following command:

    Get-AzLocation | Format-Table

  8. You can also change other parameters in <resource-group-name>.json if you choose; these are optional depending on your requirements:

    • Security rules - You can edit which rules are deployed into the target NSG by adding or removing rules in the securityRules section of the <resource-group-name>.json file:

    "resources": [
        {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-06-01",
            "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
            "location": "TARGET REGION",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
                "securityRules": [
                    {
                        "name": "RDP",
                        "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "3389",
                            "sourceAddressPrefix": "*",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 300,
                            "direction": "Inbound",
                            "sourcePortRanges": [],
                            "destinationPortRanges": [],
                            "sourceAddressPrefixes": [],
                            "destinationAddressPrefixes": []
                        }
                    }
                ]
            }
        }
    ]


      To complete the addition or removal of rules in the target NSG, you must also edit the custom rule resources at the end of the <resource-group-name>.json file, which have the format of the example below:

    {
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "apiVersion": "2019-06-01",
        "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
        "dependsOn": [
            "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"
        ],
        "properties": {
            "provisioningState": "Succeeded",
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "80",
            "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*",
            "access": "Allow",
            "priority": 310,
            "direction": "Inbound",
            "sourcePortRanges": [],
            "destinationPortRanges": [],
            "sourceAddressPrefixes": [],
            "destinationAddressPrefixes": []
        }
    }

  9. Save the <resource-group-name>.json file.

  10. Create a resource group in the target region for the target NSG to be deployed into, using New-AzResourceGroup:

    New-AzResourceGroup -Name <target-resource-group-name> -Location <target-region>

  11. Deploy the edited <resource-group-name>.json file to the resource group created in the previous step, using New-AzResourceGroupDeployment:

    New-AzResourceGroupDeployment -ResourceGroupName <target-resource-group-name> -TemplateFile <source-resource-group-name>.json

  12. To verify that the resources were created in the target region, use Get-AzResourceGroup and Get-AzNetworkSecurityGroup:

    Get-AzResourceGroup -Name <target-resource-group-name>

    Get-AzNetworkSecurityGroup -Name <target-nsg-name> -ResourceGroupName <target-resource-group-name>

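The same procedure as a single script, added here as an example and not part of the original article: it exports the source NSG, patches the name parameter and location in the template with ConvertFrom-Json instead of editing the file by hand, and deploys it. All <...> values are placeholders you must replace.

```powershell
# Added example (not from the original article): automates steps 2 to 12 above by
# exporting the source NSG to a template, patching the name parameter and location
# in the JSON instead of editing it by hand, and deploying to the target region.
# All <...> values are placeholders (assumptions) to be replaced before running.
$sourceRg  = '<source-resource-group-name>'
$sourceNsg = '<source-nsg-name>'
$targetRg  = '<target-resource-group-name>'
$targetNsg = '<target-nsg-name>'
$targetLoc = '<target-region>'   # use a Location value listed by Get-AzLocation

Connect-AzAccount -Environment AzureChinaCloud

# Steps 2-3: export the NSG (and its securityRules child resources) to a template file
$sourceNsgId  = (Get-AzNetworkSecurityGroup -Name $sourceNsg -ResourceGroupName $sourceRg).Id
$templatePath = Join-Path (Get-Location) "$sourceRg.json"
Export-AzResourceGroup -ResourceGroupName $sourceRg -Resource $sourceNsgId `
    -IncludeParameterDefaultValue -Path $templatePath -Force

# Steps 5-6: set the NSG name parameter's defaultValue and the resource location
$template  = Get-Content -Path $templatePath -Raw | ConvertFrom-Json
$nameParam = $template.parameters.PSObject.Properties |
    Where-Object { $_.Name -like 'networkSecurityGroups_*_name' } | Select-Object -First 1
$nameParam.Value.defaultValue = $targetNsg
foreach ($res in $template.resources) {
    # only the NSG itself carries a location; securityRules child resources do not
    if ($res.type -eq 'Microsoft.Network/networkSecurityGroups') { $res.location = $targetLoc }
}
$template | ConvertTo-Json -Depth 20 | Set-Content -Path $templatePath

# Steps 10-12: create the target resource group, deploy, and verify the result
New-AzResourceGroup -Name $targetRg -Location $targetLoc
New-AzResourceGroupDeployment -ResourceGroupName $targetRg -TemplateFile $templatePath
Get-AzNetworkSecurityGroup -Name $targetNsg -ResourceGroupName $targetRg |
    Select-Object Name, Location, ResourceGroupName
```

Read-only properties such as provisioningState, etag and resourceGuid survive the export, as in the hand-edited template above; the deployment ignores them.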

Discard

After the deployment, if you wish to start over or discard the NSG in the target, delete the resource group that was created in the target and the moved NSG will be deleted with it. To remove the resource group, use Remove-AzResourceGroup:

Remove-AzResourceGroup -Name <target-resource-group-name>

Clean up

To commit the changes and complete the move of the NSG, delete the source NSG or resource group using Remove-AzResourceGroup or Remove-AzNetworkSecurityGroup:

Remove-AzResourceGroup -Name <source-resource-group-name>

Remove-AzNetworkSecurityGroup -Name <source-nsg-name> -ResourceGroupName <source-resource-group-name>
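Before committing the move, a practitioner will want to confirm that the target NSG carries exactly the custom rules of the source and to review any inbound rule that allows every source, since the exported sample rules above include such an RDP rule. The following check is an added example, not part of the original article; the NSG and resource group names are placeholders.

```powershell
# Added example (not from the original article): compare the custom security rules of the
# source and target NSGs before removing the source, and list broad inbound Allow rules that
# were copied along so they can be reviewed. Names in <...> are placeholders (assumptions).
$source = Get-AzNetworkSecurityGroup -Name '<source-nsg-name>' -ResourceGroupName '<source-resource-group-name>'
$target = Get-AzNetworkSecurityGroup -Name '<target-nsg-name>' -ResourceGroupName '<target-resource-group-name>'

function Get-RuleKeys($Nsg) {
    # SecurityRules holds only custom rules; DefaultSecurityRules are recreated by the platform.
    # etag, resourceGuid and provisioningState are deliberately left out of the comparison.
    foreach ($r in $Nsg.SecurityRules) {
        '{0}|{1}|{2}|{3}|{4}|{5}|{6}|{7}|{8}' -f $r.Name, $r.Direction, $r.Access, $r.Priority, $r.Protocol,
            ($r.SourceAddressPrefix -join ','), ($r.SourcePortRange -join ','),
            ($r.DestinationAddressPrefix -join ','), ($r.DestinationPortRange -join ',')
    }
}

$diff = Compare-Object @(Get-RuleKeys $source) @(Get-RuleKeys $target)
if ($diff) {
    Write-Warning 'Rule sets differ; keep the source NSG until the template has been corrected:'
    $diff | Format-Table -AutoSize
    return
}

# Rules match. Surface inbound Allow rules open to any source (the exported RDP rule above is
# one) so they are reviewed before the target NSG is attached to production resources.
$target.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                   ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') } |
    Select-Object Name, Priority, Protocol, DestinationPortRange |
    Format-Table -AutoSize

# Only now commit the move by removing the source NSG, as in the Clean up step
Remove-AzNetworkSecurityGroup -Name $source.Name -ResourceGroupName $source.ResourceGroupName
```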

Next steps

In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to: