Route traffic through a network virtual appliance script sample

This script sample creates a virtual network with front-end, back-end and DMZ subnets. It places a VM in the DMZ subnet with IP forwarding enabled on its NIC, and adds user-defined routes so that traffic between the front-end and back-end subnets, and from either of them to the Internet, is sent to that VM as the next hop. The script configures nothing inside the VM: after running it you still need to deploy network software, such as a firewall application, on the VM, because until the guest operating system forwards and filters packets the traffic these routes send to it is not delivered.

You can execute the script from a local Azure CLI installation. If you use the CLI locally, this script requires version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see Install the Azure CLI. When running the CLI locally, you also need to run `az login` to create a connection with Azure.

If you don't have an Azure subscription, create a trial account before you begin.

Note

Before you can use Azure CLI 2.0 in Azure China, run `az cloud set -n AzureChinaCloud` first to change the cloud environment. To switch back to global Azure, run `az cloud set -n AzureCloud` again.

Sample script

#!/bin/bash

RgName="MyResourceGroup"
Location="chinaeast"

# Create a resource group.
az group create \
  --name $RgName \
  --location $Location

# Create a virtual network with a front-end subnet.
az network vnet create \
  --name MyVnet \
  --resource-group $RgName \
  --location $Location \
  --address-prefix 10.0.0.0/16 \
  --subnet-name MySubnet-FrontEnd \
  --subnet-prefix 10.0.1.0/24

# Create a network security group for the front-end subnet allowing HTTP and HTTPS inbound.
az network nsg create \
  --resource-group $RgName \
  --name MyNsg-FrontEnd \
  --location $Location

# Create NSG rules to allow HTTP & HTTPS traffic inbound.
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-FrontEnd \
  --name Allow-HTTP-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 80
az network nsg rule create \
  --resource-group $RgName \
  --nsg-name MyNsg-FrontEnd \
  --name Allow-HTTPS-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 443

# Associate the front-end NSG to the front-end subnet.
az network vnet subnet update \
  --vnet-name MyVnet \
  --name MySubnet-FrontEnd \
  --resource-group $RgName \
  --network-security-group MyNsg-FrontEnd

# Create the back-end subnet.
az network vnet subnet create \
  --address-prefix 10.0.2.0/24 \
  --name MySubnet-BackEnd \
  --resource-group $RgName \
  --vnet-name MyVnet

# Create the DMZ subnet that will host the firewall VM. No route table is attached to it,
# so the VM's own outbound packets are not routed back to itself.
az network vnet subnet create \
  --address-prefix 10.0.0.0/24 \
  --name MySubnet-Dmz \
  --resource-group $RgName \
  --vnet-name MyVnet

# Create a public IP address for the firewall VM.
az network public-ip create \
  --resource-group $RgName \
  --name MyPublicIP-Firewall

# Create a NIC for the firewall VM in the DMZ subnet and enable IP forwarding, so the Azure
# fabric delivers packets whose destination is not the NIC's own address. The guest OS must
# still be configured to forward them.
az network nic create \
  --resource-group $RgName \
  --name MyNic-Firewall \
  --vnet-name MyVnet \
  --subnet MySubnet-Dmz \
  --public-ip-address MyPublicIP-Firewall \
  --ip-forwarding

# Create the firewall VM that will receive all traffic between the front-end and back-end
# subnets and from both of them to the Internet. Neither the NIC nor the DMZ subnet has an NSG.
az vm create \
  --resource-group $RgName \
  --name MyVm-Firewall \
  --nics MyNic-Firewall \
  --image UbuntuLTS \
  --admin-username azureadmin \
  --generate-ssh-keys

# Get the private IP address of the firewall VM to use as the next hop in the user-defined routes.
# The JMESPath query is quoted so the shell does not treat the brackets as a glob pattern.
Fw1Ip=$(az vm list-ip-addresses \
  --resource-group $RgName \
  --name MyVm-Firewall \
  --query "[].virtualMachine.network.privateIpAddresses[0]" --out tsv)

# Create route table for the FrontEnd subnet.
az network route-table create \
  --name MyRouteTable-FrontEnd \
  --resource-group $RgName

# Create a route for traffic from the front-end to the back-end subnet through the firewall VM.
az network route-table route create \
  --name RouteToBackEnd \
  --resource-group $RgName \
  --route-table-name MyRouteTable-FrontEnd \
  --address-prefix 10.0.2.0/24 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $Fw1Ip

# Create a route for traffic from the front-end subnet to the Internet through the firewall VM.
az network route-table route create \
  --name RouteToInternet \
  --resource-group $RgName \
  --route-table-name MyRouteTable-FrontEnd \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $Fw1Ip

# Associate the route table to the FrontEnd subnet.
az network vnet subnet update \
  --name MySubnet-FrontEnd \
  --vnet-name MyVnet \
  --resource-group $RgName \
  --route-table MyRouteTable-FrontEnd

# Create route table for the BackEnd subnet.
az network route-table create \
  --name MyRouteTable-BackEnd \
  --resource-group $RgName

# Create a route for traffic from the back-end subnet to the front-end subnet through the firewall VM.
az network route-table route create \
  --name RouteToFrontEnd \
  --resource-group $RgName \
  --route-table-name MyRouteTable-BackEnd \
  --address-prefix 10.0.1.0/24 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $Fw1Ip

# Create a route for traffic from the back-end subnet to the Internet through the firewall VM.
az network route-table route create \
  --name RouteToInternet \
  --resource-group $RgName \
  --route-table-name MyRouteTable-BackEnd \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $Fw1Ip

# Associate the route table to the BackEnd subnet.
az network vnet subnet update \
  --name MySubnet-BackEnd \
  --vnet-name MyVnet \
  --resource-group $RgName \
  --route-table MyRouteTable-BackEnd
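The script stops at the Azure side of the design. Below is an added example of the guest-side configuration the firewall VM needs before the routes above do anything useful: the kernel forwarding switch that the NIC-level `--ip-forwarding` flag does not set, a default-drop forward policy limited to the flows the user-defined routes were created for, and source NAT for Internet-bound traffic so replies come back to the firewall. This is example code, not part of the original page or of any Azure tooling. It assumes the VM runs Ubuntu with the nftables package installed, that its single NIC appears as `eth0` inside the guest, and that the back-end application listens on TCP 8080; those three values are assumptions, the subnet prefixes are the ones the script uses.

```bash
#!/usr/bin/env bash
# Guest-side policy for MyVm-Firewall (added example, not from the original page).
# Assumptions not in the page: guest interface eth0, back-end app on TCP 8080, Ubuntu + nftables.
set -euo pipefail

FRONTEND="10.0.1.0/24"   # MySubnet-FrontEnd, from the script
BACKEND="10.0.2.0/24"    # MySubnet-BackEnd, from the script
VNET="10.0.0.0/16"       # MyVnet address space, from the script
APP_PORT="8080"          # assumed back-end application port
WAN_IF="eth0"            # assumed guest interface name of MyNic-Firewall

# --ip-forwarding on the NIC only makes the Azure fabric deliver packets whose destination
# is not the NIC's own address; the kernel still drops them unless net.ipv4.ip_forward is set.
nva_sysctl_conf() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
# Forwarding between hosts on one interface would otherwise emit ICMP redirects to clients.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Default-drop forward chain: only the flows the UDRs exist for, plus conntrack replies.
# Internet-bound traffic from the two subnets is masqueraded to the firewall's own address
# so that return packets are routed back to the firewall rather than to an address the
# fabric does not associate with this NIC.
nva_nft_ruleset() {
  cat <<EOF
flush ruleset

table inet nva {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # front-end -> back-end: application port only
    ip saddr $FRONTEND ip daddr $BACKEND tcp dport $APP_PORT accept
    # either subnet -> Internet (anything outside the VNet): web only
    ip saddr { $FRONTEND, $BACKEND } ip daddr != $VNET tcp dport { 80, 443 } accept
    # everything else, including back-end -> front-end initiations, is logged and dropped
    log prefix "nva-drop " drop
  }
}

table ip nva_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr { $FRONTEND, $BACKEND } ip daddr != $VNET oifname "$WAN_IF" masquerade
  }
}
EOF
}

# Apply on the firewall VM as root: writes both configs, loads them and enables nftables at boot.
# Only runs when the script is invoked as:  sudo ./nva-policy.sh --apply
nva_apply() {
  nva_sysctl_conf > /etc/sysctl.d/99-nva-forward.conf
  sysctl --system > /dev/null
  nva_nft_ruleset > /etc/nftables.conf
  nft -f /etc/nftables.conf
  systemctl enable --now nftables
}

if [ "${1:-}" = "--apply" ]; then
  nva_apply
fi
```

Run `./nva-policy.sh` with no arguments to review the generated sysctl and nftables text, and `sudo ./nva-policy.sh --apply` on the VM to install it. Because the DMZ subnet has no NSG, a host policy like this (or an NSG on MyNic-Firewall) is also what keeps the firewall's public IP from exposing SSH to the whole Internet; the forward chain above does not cover the VM's own input path, so add an input chain or an NSG for that.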

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources:

az group delete --name MyResourceGroup --yes

Script explanation

This script uses the following commands to create a resource group, virtual network, network security group, route tables and the firewall VM. Each command in the following table links to command-specific documentation. Note that the NSG is associated only with the front-end subnet; the firewall VM's NIC and the DMZ subnet have none, so every port on the VM's public IP, including SSH, is reachable from the Internet until you add an NSG or a host firewall.

| Command | Notes |
|---|---|
| az group create | Creates a resource group in which all resources are stored. |
| az network vnet create | Creates an Azure virtual network and the front-end subnet. |
| az network vnet subnet create | Creates the back-end and DMZ subnets. |
| az network public-ip create | Creates a public IP address to access the firewall VM from the Internet. |
| az network nic create | Creates a virtual network interface in the DMZ subnet and enables IP forwarding on it. |
| az network nsg create | Creates a network security group (NSG). |
| az network nsg rule create | Creates NSG rules that allow HTTP and HTTPS inbound from the Internet to the front-end subnet. |
| az network vnet subnet update | Associates the NSG and the route tables with their subnets. |
| az network route-table create | Creates one route table for the front-end subnet and one for the back-end subnet. |
| az network route-table route create | Creates routes of type VirtualAppliance that send traffic between the subnets, and from each subnet to the Internet, through the firewall VM. |
| az vm create | Creates the firewall VM and attaches the NIC to it. This command also specifies the virtual machine image to use and the administrative credentials. |
| az group delete | Deletes a resource group and all resources it contains. |
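A practitioner will want to confirm that the routes actually take effect and that none of them can loop. The following added example, which is not part of the original page, does two things: an offline sanity check that a VirtualAppliance route's next hop lies inside the NVA's own subnet and not inside the subnet the route table is attached to (attaching MyRouteTable-FrontEnd to MySubnet-Dmz, for instance, would send the firewall's own outbound packets back to itself), and live checks using `az network nic show-effective-route-table` and `az network watcher show-next-hop`. The live part assumes Network Watcher is enabled in the region and that you have deployed a front-end VM named MyVm-FrontEnd with NIC MyNic-FrontEnd at 10.0.1.4 and a back-end host at 10.0.2.4; the script on this page creates none of those, so they are assumptions.

```bash
#!/usr/bin/env bash
# Route verification for the NVA sample (added example, not from the original page).
# Assumptions not in the page: Network Watcher enabled, MyVm-FrontEnd / MyNic-FrontEnd at
# 10.0.1.4 and a back-end host at 10.0.2.4 exist.
set -euo pipefail

RgName="MyResourceGroup"

# Dotted quad -> 32-bit integer, e.g. 10.0.1.4 -> 167772420.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP PREFIX -> exit status 0 when IP lies inside PREFIX (e.g. 10.0.0.0/24).
ip_in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  fi
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_udr NEXT_HOP_IP NVA_SUBNET ATTACHED_SUBNET
# A VirtualAppliance route is sound only if the next hop sits in the NVA's subnet and the
# route table is not attached to that same subnet (which would route the NVA's own traffic
# back to itself).
check_udr() {
  local hop=$1 nva_subnet=$2 attached=$3
  if ! ip_in_cidr "$hop" "$nva_subnet"; then
    echo "next hop $hop is not inside the NVA subnet $nva_subnet" >&2
    return 1
  fi
  if ip_in_cidr "$hop" "$attached"; then
    echo "a route table with next hop $hop must not be attached to $attached (loop)" >&2
    return 1
  fi
  return 0
}

# Live checks (need az login). The effective route table of a front-end NIC should list
# 10.0.2.0/24 and 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's IP, and
# the Network Watcher next-hop lookup for a back-end destination should return that IP.
show_effective_routes() {   # show_effective_routes NIC_NAME
  az network nic show-effective-route-table \
    --resource-group "$RgName" --name "$1" --output table
}

next_hop_for() {            # next_hop_for VM_NAME SOURCE_IP DEST_IP
  az network watcher show-next-hop \
    --resource-group "$RgName" --vm "$1" \
    --source-ip "$2" --dest-ip "$3" --output table
}

if [ "${1:-}" = "--live" ]; then
  Fw1Ip=$(az vm list-ip-addresses --resource-group "$RgName" --name MyVm-Firewall \
    --query "[].virtualMachine.network.privateIpAddresses[0]" --output tsv)
  # The firewall lives in MySubnet-Dmz (10.0.0.0/24); its tables attach to the other two subnets.
  check_udr "$Fw1Ip" 10.0.0.0/24 10.0.1.0/24
  check_udr "$Fw1Ip" 10.0.0.0/24 10.0.2.0/24
  show_effective_routes MyNic-FrontEnd        # assumed NIC name
  next_hop_for MyVm-FrontEnd 10.0.1.4 10.0.2.4 # assumed VM name and addresses
fi
```

Run `./verify-nva.sh --live` after the sample script has finished. If the effective route table shows the 0.0.0.0/0 route but Internet access from the front-end VM still fails, the cause is on the firewall VM (forwarding or SNAT not configured), not in the route table.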

Next steps

For more information on the Azure CLI, see the Azure CLI documentation.

Additional virtual network CLI script samples can be found in Virtual network CLI samples.