筛选入站和出站 VM 网络流量脚本示例Filter inbound and outbound VM network traffic script sample

该脚本示例创建了包含前端和后端子网的虚拟网络。This script sample creates a virtual network with front-end and back-end subnets. 前端子网的入站网络流量仅限于 HTTP 和 HTTPS,不允许从后端子网到 Internet 的出站流量。Inbound network traffic to the front-end subnet is limited to HTTP, and HTTPS, while outbound traffic to the internet from the back-end subnet is not permitted. 运行该脚本后,将具有一个包含两个 NIC 的虚拟机。After running the script, you have one virtual machine with two NICs. 每个 NIC 连接到不同的子网。Each NIC is connected to a different subnet.

可以通过本地 PowerShell 安装来执行脚本。You can execute the script from a local PowerShell installation. 如果在本地使用 PowerShell,则此脚本需要 Azure PowerShell 模块 1.0.0 版或更高版本。If you use PowerShell locally, this script requires the Azure PowerShell module version 1.0.0 or later. 要查找已安装的版本,请运行 Get-Module -ListAvailable AzTo find the installed version, run Get-Module -ListAvailable Az. 如果需要进行升级,请参阅 Install Azure PowerShell module(安装 Azure PowerShell 模块)。If you need to upgrade, see Install Azure PowerShell module. 如果在本地运行 PowerShell,则还需运行 Connect-AzAccount -Environment AzureChinaCloud 来创建与 Azure 的连接。If you are running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

如果没有 Azure 订阅,可在开始前创建一个试用帐户If you don't have an Azure subscription, create a trial account before you begin.

示例脚本Sample script

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

# Variables for common values
$rgName='MyResourceGroup'
$location='chinaeast'

# Create user object
$cred = Get-Credential -Message 'Enter a username and password for the virtual machine.'

# Create a resource group.
New-AzResourceGroup -Name $rgName -Location $location

# Create a virtual network, a front-end subnet, and a back-end subnet.
$fesubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'

$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create NSG rules to allow HTTP & HTTPS traffic inbound.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-ALL' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-All' -Description 'Allow HTTPS' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 443

# Create an NSG rule to allow RDP traffic in from the Internet to the front-end subnet.
$rule3 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description 'Allow RDP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group (NSG) for the front-end subnet.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-FrontEnd" -SecurityRules $rule1,$rule2,$rule3

# Associate the front-end NSG to the front-end subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix 10.0.1.0/24 -NetworkSecurityGroup $nsg

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (inbound blocked by default).
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description "Deny all Internet" `
  -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Create a network security group for the back-end subnet.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-BackEnd" -SecurityRules $rule1

# Associate the back-end NSG to the back-end subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-backEnd' `
  -AddressPrefix 10.0.2.0/24 -NetworkSecurityGroup $nsg

# Create a public IP address for the VM front-end network interface.
$publicipvm = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-FrontEnd' `
  -location $location -AllocationMethod Dynamic

# Create a network interface for the VM attached to the front-end subnet.
$nicVMfe = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-FrontEnd -PublicIpAddress $publicipvm -Subnet $vnet.Subnets[0]

# Create a network interface for the VM attached to the back-end subnet.
$nicVMbe = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-BackEnd -Subnet $vnet.Subnets[1]

# Create the VM with both the FrontEnd and BackEnd NICs.
$vmConfig = New-AzVMConfig -VMName 'myVM' -VMSize Standard_DS2 | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'myVM' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version 'latest'

$vmconfig = Add-AzVMNetworkInterface -VM $vmConfig -id $nicVMfe.Id -Primary
$vmconfig = Add-AzVMNetworkInterface -VM $vmConfig -id $nicVMbe.Id

# Create a virtual machine
$vm = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

清理部署Clean up deployment

运行以下命令来删除资源组、VM 和所有相关资源:Run the following command to remove the resource group, VM, and all related resources:

Remove-AzResourceGroup -Name myResourceGroup -Force

脚本说明Script explanation

此脚本使用以下命令创建资源组、虚拟网络和网络安全组。This script uses the following commands to create a resource group, virtual network, and network security groups. 下表中的每条命令均链接到特定于命令的文档:Each command in the following table links to command-specific documentation:

命令Command 注释Notes
New-AzResourceGroupNew-AzResourceGroup 创建用于存储所有资源的资源组。Creates a resource group in which all resources are stored.
New-AzVirtualNetworkSubnetConfigNew-AzVirtualNetworkSubnetConfig 创建子网配置对象Creates a subnet configuration object
New-AzVirtualNetworkNew-AzVirtualNetwork 创建 Azure 虚拟网络和前端子网。Creates an Azure virtual network and front-end subnet.
New-AzNetworkSecurityRuleConfigNew-AzNetworkSecurityRuleConfig 创建要分配到网络安全组的安全规则。Creates security rules to be assigned to a network security group.
New-AzNetworkSecurityGroupNew-AzNetworkSecurityGroup 创建 NSG 规则,允许或阻止特定子网的特定端口。Creates NSG rules that allow or block specific ports to specific subnets.
Set-AzVirtualNetworkSubnetConfigSet-AzVirtualNetworkSubnetConfig 将 NSG 关联到子网。Associates NSGs to subnets.
New-AzPublicIpAddressNew-AzPublicIpAddress 创建用于从 Internet 访问 VM 的公共 IP 地址。Creates a public IP address to access the VM from the internet.
New-AzNetworkInterfaceNew-AzNetworkInterface 创建虚拟网络接口,并将其附加到虚拟网络的前端和后端子网。Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
New-AzVMConfigNew-AzVMConfig 创建 VM 配置。Creates a VM configuration. 此配置包括 VM 名称、操作系统和管理凭据等信息。This configuration includes information such as VM name, operating system, and administrative credentials. 在创建 VM 期间使用此配置。The configuration is used during VM creation.
New-AzVMNew-AzVM 创建虚拟机。Create a virtual machine.
Remove-AzResourceGroupRemove-AzResourceGroup 删除资源组及其中包含的所有资源。Removes a resource group and all resources contained within.

后续步骤Next steps

有关 Azure PowerShell 的详细信息,请参阅 Azure PowerShell 文档For more information on the Azure PowerShell, see Azure PowerShell documentation.

可在虚拟网络 PowerShell 示例中查找其他虚拟网络 PowerShell 脚本示例。Additional virtual network PowerShell script samples can be found in Virtual network PowerShell samples.