为多层应用程序创建网络脚本示例Create a network for multi-tier applications script sample

该脚本示例创建了包含前端和后端子网的虚拟网络。This script sample creates a virtual network with front-end and back-end subnets. 传入前端子网的流量仅限 HTTP 和 SSH,而传入后端子网的流量限于 MySQL、端口 3306。Traffic to the front-end subnet is limited to HTTP and SSH, while traffic to the back-end subnet is limited to MySQL, port 3306. 运行该脚本后,将具有两个虚拟机(在可向其中部署 Web 服务器和 MySQL 软件的每个子网中各具有一个虚拟机)。After running the script, you will have two virtual machines, one in each subnet that you can deploy web server and MySQL software to.

可以通过本地 PowerShell 安装来执行脚本。You can execute the script from a local PowerShell installation. 如果在本地使用 PowerShell,则此脚本需要 Azure PowerShell 模块 1.0.0 版或更高版本。If you use PowerShell locally, this script requires the Azure PowerShell module version 1.0.0 or later. 要查找已安装的版本,请运行 Get-Module -ListAvailable AzTo find the installed version, run Get-Module -ListAvailable Az. 如果需要进行升级,请参阅 Install Azure PowerShell module(安装 Azure PowerShell 模块)。If you need to upgrade, see Install Azure PowerShell module. 如果在本地运行 PowerShell,则还需运行 Connect-AzAccount -Environment AzureChinaCloud 来创建与 Azure 的连接。If you are running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

如果没有 Azure 订阅,可在开始前创建一个试用帐户If you don't have an Azure subscription, create a trial account before you begin.

示例脚本Sample script

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块。This article has been updated to use the new Azure PowerShell Az module. 你仍然可以使用 AzureRM 模块,至少在 2020 年 12 月之前,它将继续接收 bug 修补程序。You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. 若要详细了解新的 Az 模块和 AzureRM 兼容性,请参阅新 Azure Powershell Az 模块简介To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. 有关 Az 模块安装说明,请参阅安装 Azure PowerShellFor Az module installation instructions, see Install Azure PowerShell.

创建虚拟网络之后,将分配子网 ID;具体来说,使用带有 -Subnet 选项的 New-AzVirtualNetwork。A subnet ID is assigned after you have created a virtual network; specifically, using the New-AzVirtualNetwork cmdlet with the -Subnet option. 如果在调用 New-AzVirtualNetwork 之前使用 New-AzVirtualNetworkSubnetConfig cmdlet 配置了子网,则在调用 New-AzVirtualNetwork 之前,将看不到子网 ID。If you configure the subnet using the New-AzVirtualNetworkSubnetConfig cmdlet before the call to New-AzVirtualNetwork, you won't see the subnet ID until after you call New-AzVirtualNetwork.

# Variables for common values
$rgName='MyResourceGroup'
$location='chinaeast'

# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Create a resource group.
New-AzResourceGroup -Name $rgName -Location $location

# Create a virtual network with a front-end subnet and back-end subnet.
$fesubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create an NSG rule to allow HTTP traffic in from the Internet to the front-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-All' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

# Create an NSG rule to allow RDP traffic from the Internet to the front-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for the front-end subnet.
$nsgfe = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name 'MyNsg-FrontEnd' -SecurityRules $rule1,$rule2

# Associate the front-end NSG to the front-end subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsgfe

# Create an NSG rule to allow SQL traffic from the front-end subnet to the back-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-FrontEnd' -Description "Allow SQL" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 1433

# Create an NSG rule to allow RDP traffic from the Internet to the back-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for back-end subnet.
$nsgbe = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-BackEnd" -SecurityRules $rule1,$rule2

# Associate the back-end NSG to the back-end subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
  -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $nsgbe

# Create a public IP address for the web server VM.
$publicipvm1 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-Web' `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the web server VM.
$nicVMweb = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name 'MyNic-Web' -PublicIpAddress $publicipvm1 -NetworkSecurityGroup $nsgfe -Subnet $vnet.Subnets[0]

# Create a Web Server VM in the front-end subnet
$vmConfig = New-AzVMConfig -VMName 'MyVm-Web' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Web' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version latest | Add-AzVMNetworkInterface -Id $nicVMweb.Id

$vmweb = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create a public IP address for the SQL VM.
$publicipvm2 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name MyPublicIP-Sql `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the SQL VM.
$nicVMsql = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-Sql -PublicIpAddress $publicipvm2 -NetworkSecurityGroup $nsgbe -Subnet $vnet.Subnets[1] 

# Create a SQL VM in the back-end subnet.
$vmConfig = New-AzVMConfig -VMName 'MyVm-Sql' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Sql' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftSQLServer' -Offer 'SQL2016-WS2016' `
  -Skus 'Web' -Version latest | Add-AzVMNetworkInterface -Id $nicVMsql.Id

$vmsql = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (must be done after VM creation)
$rule3 = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description "Deny Internet All" `
  -Access Deny -Protocol Tcp -Direction Outbound -Priority 300 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Add NSG rule to Back-end NSG
$nsgbe.SecurityRules.add($rule3)

Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsgbe

清理部署Clean up deployment

运行以下命令来删除资源组、VM 和所有相关资源:Run the following command to remove the resource group, VM, and all related resources:

Remove-AzResourceGroup -Name myResourceGroup -Force

脚本说明Script explanation

此脚本使用以下命令创建资源组、虚拟网络和网络安全组。This script uses the following commands to create a resource group, virtual network, and network security groups. 下表中的每条命令均链接到特定于命令的文档:Each command in the following table links to command-specific documentation:

命令Command 注释Notes
New-AzResourceGroupNew-AzResourceGroup 创建用于存储所有资源的资源组。Creates a resource group in which all resources are stored.
New-AzVirtualNetworkNew-AzVirtualNetwork 创建 Azure 虚拟网络和前端子网。Creates an Azure virtual network and front-end subnet.
New-AzVirtualNetworkSubnetConfigNew-AzVirtualNetworkSubnetConfig 创建后端子网。Creates a back-end subnet.
New-AzPublicIpAddressNew-AzPublicIpAddress 创建用于从 Internet 访问 VM 的公共 IP 地址。Creates a public IP address to access the VM from the internet.
New-AzNetworkInterfaceNew-AzNetworkInterface 创建虚拟网络接口,并将其附加到虚拟网络的前端和后端子网。Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
New-AzNetworkSecurityGroupNew-AzNetworkSecurityGroup 创建关联到前端和后端子网的网络安全组 (NSG)。Creates network security groups (NSG) that are associated to the front-end and back-end subnets.
New-AzNetworkSecurityRuleConfigNew-AzNetworkSecurityRuleConfig 创建 NSG 规则,允许或阻止特定子网的特定端口。Creates NSG rules that allow or block specific ports to specific subnets.
New-AzVMNew-AzVM 创建虚拟机,并将 NIC 附加到每个 VM。Creates virtual machines and attaches a NIC to each VM. 此命令还指定要使用的虚拟机映像和管理凭据。This command also specifies the virtual machine image to use and administrative credentials.
Remove-AzResourceGroupRemove-AzResourceGroup 删除资源组及其包含的所有资源。Deletes a resource group and all resources it contains.

后续步骤Next steps

有关 Azure PowerShell 的详细信息,请参阅 Azure PowerShell 文档For more information on the Azure PowerShell, see Azure PowerShell documentation.

可在虚拟网络 PowerShell 示例中查找其他虚拟网络 PowerShell 脚本示例。Additional virtual network PowerShell script samples can be found in Virtual network PowerShell samples.