Tutorial: Create a NAT gateway using Azure PowerShell

This tutorial shows you how to use the Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

In this tutorial, you learn how to:

  • Create a virtual network.
  • Create a virtual machine.
  • Create a NAT gateway and associate it with the virtual network.
  • Connect to the virtual machine and verify the NAT IP address.

Prerequisites

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 5.4.1 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a resource group

Create a resource group with New-AzResourceGroup. An Azure resource group is a logical container into which Azure resources are deployed and managed.

The following example creates a resource group named myResourceGroupNAT in the chinaeast2 location:

$rsg = @{
    Name = 'myResourceGroupNAT'
    Location = 'chinaeast2'
}
New-AzResourceGroup @rsg

Create the NAT gateway

In this section we create the NAT gateway and supporting resources.

  • To access the Internet, you need one or more public IP addresses for the NAT gateway. Use New-AzPublicIpAddress to create a public IP address resource named myPublicIP in myResourceGroupNAT.

  • Create a global Azure NAT gateway with New-AzNatGateway. This command creates a gateway resource named myNATgateway that uses the public IP address myPublicIP. The idle timeout is set to 10 minutes.

  • Use New-AzVirtualNetwork to create a virtual network named myVnet in the myResourceGroup, with a subnet named mySubnet defined using New-AzVirtualNetworkSubnetConfig. The IP address space for the virtual network is 10.1.0.0/16. The subnet within the virtual network is 10.1.0.0/24.

  • Create an Azure Bastion host named myBastionHost to access the virtual machine. Use New-AzBastion to create the bastion host. Create a public IP address for the bastion host with New-AzPublicIpAddress.

## Create public IP address for NAT gateway ##
$ip = @{
    Name = 'myPublicIP'
    ResourceGroupName = 'myResourceGroupNAT'
    Location = 'chinaeast2'
    Sku = 'Standard'
    AllocationMethod = 'Static'
}
$publicIP = New-AzPublicIpAddress @ip

## Create NAT gateway resource ##
$nat = @{
    ResourceGroupName = 'myResourceGroupNAT'
    Name = 'myNATgateway'
    IdleTimeoutInMinutes = '10'
    Sku = 'Standard'
    Location = 'chinaeast2'
    PublicIpAddress = $publicIP
}
$natGateway = New-AzNatGateway @nat

## Create subnet config and associate NAT gateway to subnet ##
$subnet = @{
    Name = 'mySubnet'
    AddressPrefix = '10.1.0.0/24'
    NatGateway = $natGateway
}
$subnetConfig = New-AzVirtualNetworkSubnetConfig @subnet 

## Create Azure Bastion subnet. ##
$bastsubnet = @{
    Name = 'AzureBastionSubnet' 
    AddressPrefix = '10.1.1.0/24'
}
$bastsubnetConfig = New-AzVirtualNetworkSubnetConfig @bastsubnet

## Create the virtual network ##
$net = @{
    Name = 'myVNet'
    ResourceGroupName = 'myResourceGroupNAT'
    Location = 'chinaeast2'
    AddressPrefix = '10.1.0.0/16'
    Subnet = $subnetConfig,$bastsubnetConfig
}
$vnet = New-AzVirtualNetwork @net

## Create public IP address for bastion host. ##
$ip = @{
    Name = 'myBastionIP'
    ResourceGroupName = 'myResourceGroupNAT'
    Location = 'chinaeast2'
    Sku = 'Standard'
    AllocationMethod = 'Static'
}
$publicip = New-AzPublicIpAddress @ip

## Create bastion host ##
$bastion = @{
    ResourceGroupName = 'myResourceGroupNAT'
    Name = 'myBastion'
    PublicIpAddress = $publicip
    VirtualNetwork = $vnet
}
New-AzBastion @bastion -AsJob

Virtual machine

In this section, you'll create a virtual machine to test the NAT gateway and verify the public IP address of the outbound connection.

## Set the administrator and password for the VMs. ##
$cred = Get-Credential

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName 'myResourceGroupNAT'

## Create network interface for virtual machine. ##
$nic = @{
    Name = "myNicVM"
    ResourceGroupName = 'myResourceGroupNAT'
    Location = 'chinaeast2'
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create a virtual machine configuration for VMs ##
$vmsz = @{
    VMName = "myVM"
    VMSize = 'Standard_DS1_v2'  
}
$vmos = @{
    ComputerName = "myVM"
    Credential = $cred
}
$vmimage = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'WindowsServer'
    Skus = '2019-Datacenter'
    Version = 'latest'    
}
$vmConfig = New-AzVMConfig @vmsz `
    | Set-AzVMOperatingSystem @vmos -Windows `
    | Set-AzVMSourceImage @vmimage `
    | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the virtual machine for VMs ##
$vm = @{
    ResourceGroupName = 'myResourceGroupNAT'
    Location = 'chinaeast2'
    VM = $vmConfig
}
New-AzVM @vm

Wait for the virtual machine creation to complete before moving on to the next section.

Test NAT gateway

In this section, we'll test the NAT gateway. We'll first discover the public IP of the NAT gateway. We'll then connect to the test virtual machine and verify the outbound connection through the NAT gateway.

  1. Sign in to the Azure portal.

  2. Find the public IP address for the NAT gateway on the Overview screen. Select All services in the left-hand menu, select All resources, and then select myPublicIP.

  3. Make note of the public IP address:

    Screenshot: Discover public IP address of NAT gateway

  4. Select All services in the left-hand menu, select All resources, and then from the resources list, select myVM that is located in the myResourceGroupNAT resource group.

  5. On the Overview page, select Connect, then Bastion.

  6. Select the blue Use Bastion button.

  7. Enter the username and password entered during VM creation.

  8. Open Internet Explorer on myTestVM.

  9. Enter https://whatsmyip.com in the address bar.

  10. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

    Screenshot: Internet Explorer showing external outbound IP
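
The portal checks above can also be run from PowerShell. The following is an added example, not part of the original tutorial: the function name Get-NatEgressReport is hypothetical, the resource names are the ones used in the tutorial's commands, and it assumes a signed-in Az session.

```powershell
# Added example (not from the original tutorial). Requires a prior Connect-AzAccount.
function Get-NatEgressReport {
    param(
        [string]$ResourceGroupName,
        [string]$NatGatewayName,
        [string]$VNetName,
        [string]$SubnetName
    )
    $natGw = Get-AzNatGateway -ResourceGroupName $ResourceGroupName -Name $NatGatewayName

    # Resolve every public IP resource attached to the gateway to its address.
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../<name>
    $egressIps = foreach ($ref in $natGw.PublicIpAddresses) {
        $parts = $ref.Id -split '/'
        (Get-AzPublicIpAddress -ResourceGroupName $parts[4] -Name $parts[-1]).IpAddress
    }

    # Look the subnet up by name rather than by index, then confirm it points at this gateway.
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }

    [pscustomobject]@{
        EgressIps            = @($egressIps)
        SubnetAssociated     = ($null -ne $subnet.NatGateway) -and ($subnet.NatGateway.Id -eq $natGw.Id)
        IdleTimeoutInMinutes = $natGw.IdleTimeoutInMinutes
    }
}

$check = @{
    ResourceGroupName = 'myResourceGroupNAT'
    NatGatewayName    = 'myNATgateway'
    VNetName          = 'myVNet'
    SubnetName        = 'mySubnet'
}
$report = Get-NatEgressReport @check
$report | Format-List

# Compare against the address the browser on the VM displayed in step 10.
$observed = (Read-Host 'IP address displayed on the VM').Trim()
if ($report.SubnetAssociated -and ($report.EgressIps -contains $observed)) {
    "PASS: outbound traffic leaves through the NAT gateway ($observed)."
} else {
    "FAIL: $observed is not a NAT gateway address, or mySubnet is not associated with the gateway."
}
```

A FAIL with SubnetAssociated set to False means the VM's subnet is not using the gateway for outbound traffic, so any allow-list built on the NAT address would not match what the VM actually presents.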

Clean up resources

If you're not going to continue to use this application, delete the virtual network, virtual machine, and NAT gateway with the following steps:

Remove-AzResourceGroup -Name 'myResourceGroupNAT' -Force

Next steps

For more information on Azure Virtual Network NAT, see: