Create a virtual network for multi-tier applications using an Azure CLI script sample

This script sample creates a virtual network with front-end and back-end subnets. Traffic to the front-end subnet is limited to HTTP and SSH, while traffic to the back-end subnet is limited to MySQL, port 3306. After running the script, you have two virtual machines, one in each subnet, that you can deploy web server and MySQL software to.

You can execute the script from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run az --version. If you need to install or upgrade, see Install the Azure CLI. If you are running the CLI locally, you also need to run az login to create a connection with Azure.

If you don't have an Azure trial subscription, create a trial subscription before you begin.

Note

Before you can use the Azure CLI in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Azure Public Cloud, run az cloud set -n AzureCloud again.

Sample script

#!/bin/bash

RgName="MyResourceGroup"
Location="chinaeast"

# Create a resource group.
az group create \
  --name $RgName \
  --location $Location

# Create a virtual network with a front-end subnet.
az network vnet create \
  --name MyVnet \
  --resource-group $RgName \
  --location $Location \
  --address-prefix 10.0.0.0/16 \
  --subnet-name MySubnet-FrontEnd \
  --subnet-prefix 10.0.1.0/24

# Create a back-end subnet.
az network vnet subnet create \
  --address-prefix 10.0.2.0/24 \
  --name MySubnet-BackEnd \
  --resource-group $RgName \
  --vnet-name MyVnet

# Create a network security group for the front-end subnet.
az network nsg create \
  --resource-group $RgName \
  --name MyNsg-FrontEnd \
  --location $Location

# Create an NSG rule to allow HTTP traffic in from the Internet to the front-end subnet.
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-FrontEnd \
  --name Allow-HTTP-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 80

# Create an NSG rule to allow SSH traffic in from the Internet to the front-end subnet.
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-FrontEnd \
  --name Allow-SSH-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 300 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 22

# Associate the front-end NSG to the front-end subnet.
az network vnet subnet update \
  --vnet-name MyVnet \
  --name MySubnet-FrontEnd \
  --resource-group $RgName \
  --network-security-group MyNsg-FrontEnd

# Create a network security group for back-end subnet.
az network nsg create \
  --resource-group $RgName \
  --name MyNsg-BackEnd \
  --location $Location

# Create an NSG rule to allow MySQL traffic from the front-end subnet to the back-end subnet.
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-BackEnd \
  --name Allow-MySql-FrontEnd \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix 10.0.1.0/24 \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 3306

# Create an NSG rule to allow SSH traffic from the Internet to the back-end subnet.
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-BackEnd \
  --name Allow-SSH-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 22

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (NOTE: If you run the MySQL installation below this rule will be disabled and then re-enabled).
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-BackEnd \
  --name Deny-Internet-All \
  --access Deny \
  --protocol Tcp \
  --direction Outbound \
  --priority 300 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "*"

# Associate the back-end NSG to the back-end subnet.
az network vnet subnet update \
  --vnet-name MyVnet \
  --name MySubnet-BackEnd \
  --resource-group $RgName \
  --network-security-group MyNsg-BackEnd

# Create a public IP address for the web server VM.
az network public-ip create \
  --resource-group $RgName \
  --name MyPublicIP-Web

# Create a NIC for the web server VM.
az network nic create \
  --resource-group $RgName \
  --name MyNic-Web \
  --vnet-name MyVnet \
  --subnet MySubnet-FrontEnd \
  --network-security-group MyNsg-FrontEnd \
  --public-ip-address MyPublicIP-Web

# Create a Web Server VM in the front-end subnet.
az vm create \
  --resource-group $RgName \
  --name MyVm-Web \
  --nics MyNic-Web \
  --image UbuntuLTS \
  --admin-username azureadmin \
  --generate-ssh-keys

# Create a public IP address for the MySQL VM.
az network public-ip create \
  --resource-group $RgName \
  --name MyPublicIP-Sql

# Create a NIC for the MySQL VM.
az network nic create \
  --resource-group $RgName \
  --name MyNic-Sql \
  --vnet-name MyVnet \
  --subnet MySubnet-BackEnd \
  --network-security-group MyNsg-BackEnd \
  --public-ip-address MyPublicIP-Sql

# Create a MySQL VM in the back-end subnet.
az vm create \
  --resource-group $RgName \
  --name MyVm-Sql \
  --nics MyNic-Sql \
  --image UbuntuLTS \
  --admin-username azureadmin \
  --generate-ssh-keys
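The back-end rules above are easier to judge when you can evaluate a concrete flow against them together with the default rules Azure places in every NSG. The following is an added example, not part of the Azure sample, that models MyNsg-BackEnd's three rules plus those defaults; it simplifies the Internet service tag to "any address outside the VNet" and omits the AllowAzureLoadBalancerInBound default. It shows two effects worth knowing: the default AllowVnetInBound rule still admits any port from the front-end subnet, and the outbound deny rule only covers TCP.

```python
# Added example, not the Azure sample's own code: an offline model of how the script's rules on
# MyNsg-BackEnd compose with the default rules Azure puts in every NSG. Simplifications (assumptions):
# the 'Internet' tag means any address outside the VNet, and AllowAzureLoadBalancerInBound is omitted.
import ipaddress
VNET = ipaddress.ip_network("10.0.0.0/16")   # the script's --address-prefix

def match_prefix(prefix, ip):
    """Match one NSG address field: '*', a CIDR, or a (simplified) service tag."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":                  # assumption: everything outside the VNet
        return ip not in VNET
    return ip in ipaddress.ip_network(prefix)

def evaluate(rules, direction, proto, src, dst, dport):
    """Azure semantics: rules are checked from the lowest priority number up; the first match decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, name, d, access, p, s_pfx, d_pfx, port in sorted(rules, key=lambda r: r[0]):
        if d != direction or p not in ("*", proto) or port not in ("*", dport):
            continue
        if match_prefix(s_pfx, src) and match_prefix(d_pfx, dst):
            return access, name
    return "Deny", "<no match>"               # not reached: the 65500 defaults match everything

# Fields: (priority, name, direction, access, protocol, source, destination, destination port)
DEFAULT_RULES = [                             # built-in rules; they cannot be removed, only overridden
    (65000, "AllowVnetInBound",      "Inbound",  "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    (65500, "DenyAllInBound",        "Inbound",  "Deny",  "*", "*",              "*",              "*"),
    (65000, "AllowVnetOutBound",     "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    (65001, "AllowInternetOutBound", "Outbound", "Allow", "*", "*",              "Internet",       "*"),
    (65500, "DenyAllOutBound",       "Outbound", "Deny",  "*", "*",              "*",              "*"),
]
BACKEND_NSG = [                               # the three rules the script adds to MyNsg-BackEnd
    (100, "Allow-MySql-FrontEnd", "Inbound",  "Allow", "Tcp", "10.0.1.0/24", "*", 3306),
    (200, "Allow-SSH-All",        "Inbound",  "Allow", "Tcp", "Internet",    "*", 22),
    (300, "Deny-Internet-All",    "Outbound", "Deny",  "Tcp", "*",           "*", "*"),
] + DEFAULT_RULES

FLOWS = {  # constructed flows involving MyVm-Sql (10.0.2.4); all addresses are sample values
    "mysql from front-end":     ("Inbound",  "Tcp", "10.0.1.4",    "10.0.2.4",    3306),
    "mysql from internet":      ("Inbound",  "Tcp", "203.0.113.7", "10.0.2.4",    3306),
    "port 8080 from front-end": ("Inbound",  "Tcp", "10.0.1.4",    "10.0.2.4",    8080),  # AllowVnetInBound wins
    "tcp 443 to internet":      ("Outbound", "Tcp", "10.0.2.4",    "203.0.113.7", 443),
    "udp 53 to internet":       ("Outbound", "Udp", "10.0.2.4",    "203.0.113.7", 53),    # deny rule is TCP only
}

def check_backend():
    return {label: evaluate(BACKEND_NSG, *flow) for label, flow in FLOWS.items()}
```

Because NSGs are stateful, replies to the allowed inbound MySQL connections are not affected by the outbound deny rule, but connections the MySQL VM initiates to the front-end subnet over TCP are blocked by it, since its destination is "*".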

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources:

az group delete --name MyResourceGroup --yes

Script explanation

This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the following table links to command-specific documentation:

Command                        Notes
az group create                Creates a resource group in which all resources are stored.
az network vnet create         Creates an Azure virtual network and front-end subnet.
az network vnet subnet create  Creates a back-end subnet.
az network public-ip create    Creates a public IP address to access the VM from the internet.
az network nic create          Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
az network nsg create          Creates network security groups (NSGs) that are associated to the front-end and back-end subnets.
az network nsg rule create     Creates NSG rules that allow or block specific ports to specific subnets.
az vm create                   Creates virtual machines and attaches a NIC to each VM. This command also specifies the virtual machine image to use and administrative credentials.
az group delete                Deletes a resource group and all resources it contains.

Next steps

For more information on the Azure CLI, see Azure CLI documentation.

Additional virtual network CLI script samples can be found in Virtual network CLI samples.