Route network traffic with a route table using PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Azure automatically routes traffic between all subnets within a virtual network, by default. You can create your own routes to override Azure's default routing. The ability to create custom routes is helpful if, for example, you want to route traffic between subnets through a network virtual appliance (NVA). In this article, you learn how to:

  • Create a route table
  • Create a route
  • Create a virtual network with multiple subnets
  • Associate a route table to a subnet
  • Create an NVA that routes traffic
  • Deploy virtual machines (VM) into different subnets
  • Route traffic from one subnet to another through an NVA

If you don't have an Azure subscription, create a trial account before you begin.

If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a route table

Before you can create a route table, create a resource group with New-AzResourceGroup. The following example creates a resource group named myResourceGroup for all resources created in this article.

Connect-AzAccount -Environment AzureChinaCloud
New-AzResourceGroup -ResourceGroupName myResourceGroup -Location ChinaEast

Create a route table with New-AzRouteTable. The following example creates a route table named myRouteTablePublic.

$routeTablePublic = New-AzRouteTable `
  -Name 'myRouteTablePublic' `
  -ResourceGroupName myResourceGroup `
  -Location ChinaEast

Create a route

Create a route by retrieving the route table object with Get-AzRouteTable, create a route with Add-AzRouteConfig, then write the route configuration to the route table with Set-AzRouteTable.

Get-AzRouteTable `
  -ResourceGroupName "myResourceGroup" `
  -Name "myRouteTablePublic" `
  | Add-AzRouteConfig `
  -Name "ToPrivateSubnet" `
  -AddressPrefix 10.0.1.0/24 `
  -NextHopType "VirtualAppliance" `
  -NextHopIpAddress 10.0.2.4 `
  | Set-AzRouteTable
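Add-AzRouteConfig fails if a route with the same name already exists, so re-running the step above as part of a script needs an update path as well. The following helper, an added example that is not part of the original article, chooses between Add-AzRouteConfig and Set-AzRouteConfig based on whether the route is already in the table, writes the table back with Set-AzRouteTable, and checks that the stored route points at the NVA address. The function name Set-RouteIdempotent is an assumption; the resource names and addresses are the ones used in this article.

```powershell
# Added example (not from the original article). Adds the route if it is missing,
# otherwise updates it in place, then writes the table back to Azure and returns
# the stored route. The function name is an assumption.
function Set-RouteIdempotent {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $RouteTableName,
        [Parameter(Mandatory)] [string] $RouteName,
        [Parameter(Mandatory)] [string] $AddressPrefix,
        [Parameter(Mandatory)] [string] $NextHopIpAddress
    )

    $routeTable = Get-AzRouteTable -ResourceGroupName $ResourceGroupName -Name $RouteTableName

    $existing = $routeTable.Routes | Where-Object { $_.Name -eq $RouteName }
    if ($existing) {
        # Update in place; this also corrects drift if the next hop was changed by hand.
        $routeTable = Set-AzRouteConfig -RouteTable $routeTable -Name $RouteName `
            -AddressPrefix $AddressPrefix -NextHopType VirtualAppliance `
            -NextHopIpAddress $NextHopIpAddress
    } else {
        $routeTable = Add-AzRouteConfig -RouteTable $routeTable -Name $RouteName `
            -AddressPrefix $AddressPrefix -NextHopType VirtualAppliance `
            -NextHopIpAddress $NextHopIpAddress
    }

    # Nothing reaches Azure until the modified table object is written back.
    $saved = Set-AzRouteTable -RouteTable $routeTable
    return $saved.Routes | Where-Object { $_.Name -eq $RouteName }
}

$route = Set-RouteIdempotent -ResourceGroupName myResourceGroup `
    -RouteTableName myRouteTablePublic -RouteName ToPrivateSubnet `
    -AddressPrefix 10.0.1.0/24 -NextHopIpAddress 10.0.2.4

# Check the route as stored before associating the table to a subnet: a wrong next hop
# would silently send Public subnet traffic for 10.0.1.0/24 somewhere other than the NVA.
if ($route.NextHopType -ne 'VirtualAppliance' -or $route.NextHopIpAddress -ne '10.0.2.4') {
    throw "Route '$($route.Name)' does not point at the NVA (10.0.2.4)."
}
$route | Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Running the helper a second time leaves the table unchanged, which makes it safe to use in a deployment script that is re-applied.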

Associate a route table to a subnet

Before you can associate a route table to a subnet, you have to create a virtual network and subnet. Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named myVirtualNetwork with the address prefix 10.0.0.0/16.

$virtualNetwork = New-AzVirtualNetwork `
  -ResourceGroupName myResourceGroup `
  -Location ChinaEast `
  -Name myVirtualNetwork `
  -AddressPrefix 10.0.0.0/16

Create three subnets by creating three subnet configurations with Add-AzVirtualNetworkSubnetConfig. The following example creates three subnet configurations for Public, Private, and DMZ subnets:

$subnetConfigPublic = Add-AzVirtualNetworkSubnetConfig `
  -Name Public `
  -AddressPrefix 10.0.0.0/24 `
  -VirtualNetwork $virtualNetwork

$subnetConfigPrivate = Add-AzVirtualNetworkSubnetConfig `
  -Name Private `
  -AddressPrefix 10.0.1.0/24 `
  -VirtualNetwork $virtualNetwork

$subnetConfigDmz = Add-AzVirtualNetworkSubnetConfig `
  -Name DMZ `
  -AddressPrefix 10.0.2.0/24 `
  -VirtualNetwork $virtualNetwork

Write the subnet configurations to the virtual network with Set-AzVirtualNetwork, which creates the subnets in the virtual network:

$virtualNetwork | Set-AzVirtualNetwork

Associate the myRouteTablePublic route table to the Public subnet with Set-AzVirtualNetworkSubnetConfig and then write the subnet configuration to the virtual network with Set-AzVirtualNetwork.

Set-AzVirtualNetworkSubnetConfig `
  -VirtualNetwork $virtualNetwork `
  -Name 'Public' `
  -AddressPrefix 10.0.0.0/24 `
  -RouteTable $routeTablePublic | `
Set-AzVirtualNetwork

Create an NVA

An NVA is a VM that performs a network function, such as routing, firewalling, or WAN optimization.

Before creating a VM, create a network interface.

Create a network interface

Before creating a network interface, you have to retrieve the virtual network Id with Get-AzVirtualNetwork, then the subnet Id with Get-AzVirtualNetworkSubnetConfig. Create a network interface with New-AzNetworkInterface in the DMZ subnet with IP forwarding enabled:

# Retrieve the virtual network object into a variable.
$virtualNetwork = Get-AzVirtualNetwork `
  -Name myVirtualNetwork `
  -ResourceGroupName myResourceGroup

# Retrieve the subnet configuration into a variable.
$subnetConfigDmz = Get-AzVirtualNetworkSubnetConfig `
  -Name DMZ `
  -VirtualNetwork $virtualNetwork

# Create the network interface.
$nic = New-AzNetworkInterface `
  -ResourceGroupName myResourceGroup `
  -Location ChinaEast `
  -Name 'myVmNva' `
  -SubnetId $subnetConfigDmz.Id `
  -EnableIPForwarding

Create a VM

To create a VM and attach an existing network interface to it, you must first create a VM configuration with New-AzVMConfig. The configuration includes the network interface created in the previous step. When prompted for a username and password, select the user name and password you want to log into the VM with.

# Create a credential object.
$cred = Get-Credential -Message "Enter a username and password for the VM."

# Create a VM configuration.
$vmConfig = New-AzVMConfig `
  -VMName 'myVmNva' `
  -VMSize Standard_DS2 | `
  Set-AzVMOperatingSystem -Windows `
    -ComputerName 'myVmNva' `
    -Credential $cred | `
  Set-AzVMSourceImage `
    -PublisherName MicrosoftWindowsServer `
    -Offer WindowsServer `
    -Skus 2016-Datacenter `
    -Version latest | `
  Add-AzVMNetworkInterface -Id $nic.Id

Create the VM using the VM configuration with New-AzVM. The following example creates a VM named myVmNva.

$vmNva = New-AzVM `
  -ResourceGroupName myResourceGroup `
  -Location ChinaEast `
  -VM $vmConfig `
  -AsJob

The -AsJob option creates the VM in the background, so you can continue to the next step.

Create virtual machines

Create two VMs in the virtual network so you can validate that traffic from the Public subnet is routed to the Private subnet through the network virtual appliance in a later step.

Create a VM in the Public subnet with New-AzVM. The following example creates a VM named myVmPublic in the Public subnet of the myVirtualNetwork virtual network.

New-AzVm `
  -ResourceGroupName "myResourceGroup" `
  -Location "China East" `
  -VirtualNetworkName "myVirtualNetwork" `
  -SubnetName "Public" `
  -ImageName "Win2016Datacenter" `
  -Name "myVmPublic" `
  -AsJob

Create a VM in the Private subnet.

New-AzVm `
  -ResourceGroupName "myResourceGroup" `
  -Location "China East" `
  -VirtualNetworkName "myVirtualNetwork" `
  -SubnetName "Private" `
  -ImageName "Win2016Datacenter" `
  -Name "myVmPrivate"

The VM takes a few minutes to create. Don't continue with the next step until the VM is created and Azure returns output to PowerShell.

Route traffic through an NVA

Use Get-AzPublicIpAddress to return the public IP address of the myVmPrivate VM. The following example returns the public IP address of the myVmPrivate VM:

Get-AzPublicIpAddress `
  -Name myVmPrivate `
  -ResourceGroupName myResourceGroup `
  | Select IpAddress

Use the following command to create a remote desktop session with the myVmPrivate VM from your local computer. Replace <publicIpAddress> with the IP address returned from the previous command.

mstsc /v:<publicIpAddress>

Open the downloaded RDP file. If prompted, select Connect.

Enter the user name and password you specified when creating the VM (you may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM), then select OK. You may receive a certificate warning during the sign-in process. Select Yes to proceed with the connection.

In a later step, the tracert.exe command is used to test routing. Tracert uses the Internet Control Message Protocol (ICMP), which is denied through the Windows Firewall. Enable ICMP through the Windows firewall by entering the following command from PowerShell on the myVmPrivate VM:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

Though trace route is used to test routing in this article, allowing ICMP through the Windows Firewall for production deployments is not recommended.
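If the test has to be done on a VM that will stay in service, a narrower rule limits the exposure the note above warns about. The following is an added example, not part of the original article: it allows only ICMPv4 echo requests (type 8) from the virtual network's own range (10.0.0.0/16 in this article) rather than all ICMPv4 from anywhere, reads the rule back so you can confirm its scope, and provides a matching removal function to run once tracert is done. It runs in PowerShell inside the VM; the rule display name and the function names are assumptions.

```powershell
# Added example (not from the original article). Scoped, temporary ICMP allow rule
# for the tracert test, plus its removal. Run inside the Windows VM being tested.
# The rule name and function names are assumptions.
$script:TestIcmpRuleName = 'Allow ICMPv4 Echo from VNet (temporary)'

function Add-TemporaryIcmpRule {
    param(
        # Only hosts in this range may send echo requests; the article's VNet is 10.0.0.0/16.
        [string] $RemoteAddress = '10.0.0.0/16'
    )

    if (Get-NetFirewallRule -DisplayName $script:TestIcmpRuleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule already present, not creating a duplicate."
    } else {
        New-NetFirewallRule -DisplayName $script:TestIcmpRuleName `
            -Direction Inbound `
            -Protocol ICMPv4 `
            -IcmpType 8 `
            -RemoteAddress $RemoteAddress `
            -Action Allow | Out-Null
    }

    # Read the rule back together with its address filter so the scope can be verified
    # before the test, rather than assumed.
    $rule  = Get-NetFirewallRule -DisplayName $script:TestIcmpRuleName
    $scope = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        RemoteAddress = $scope.RemoteAddress
    }
}

function Remove-TemporaryIcmpRule {
    # Leaves no ICMP allow rule behind once routing has been verified.
    Remove-NetFirewallRule -DisplayName $script:TestIcmpRuleName -ErrorAction SilentlyContinue
}

Add-TemporaryIcmpRule
```

Run Add-TemporaryIcmpRule on myVmPrivate (and later on myVmPublic) instead of the broad rule above, perform the tracert steps, then run Remove-TemporaryIcmpRule on both VMs.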

You enabled IP forwarding within Azure for the VM's network interface in Create a network interface. Within the VM, the operating system, or an application running within the VM, must also be able to forward network traffic. Enable IP forwarding within the operating system of the myVmNva.

myVmPrivate VM 中的命令提示符下,通过远程桌面连接到 myVmNvaFrom a command prompt on the myVmPrivate VM, remote desktop to the myVmNva:

mstsc /v:myvmnva

To enable IP forwarding within the operating system, enter the following command in PowerShell from the myVmNva VM:

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IpEnableRouter -Value 1

Restart the myVmNva VM, which also disconnects the remote desktop session.

While still connected to the myVmPrivate VM, create a remote desktop session to the myVmPublic VM, after the myVmNva VM restarts:

mstsc /v:myVmPublic

myVmPublic VM 上,通过 PowerShell 输入以下命令来允许 ICMP 通过 Windows 防火墙:Enable ICMP through the Windows firewall by entering the following command from PowerShell on the myVmPublic VM:

New-NetFirewallRule -DisplayName "Allow ICMPv4-In" -Protocol ICMPv4

To test routing of network traffic to the myVmPrivate VM from the myVmPublic VM, enter the following command from PowerShell on the myVmPublic VM:

tracert myVmPrivate

The response is similar to the following example:

Tracing route to myVmPrivate.vpgub4nqnocezhjgurw44dnxrc.bx.internal.chinacloudapp.cn [10.0.1.4]
over a maximum of 30 hops:

1    <1 ms     *        1 ms  10.0.2.4
2     1 ms     1 ms     1 ms  10.0.1.4

Trace complete.

You can see that the first hop is 10.0.2.4, which is the NVA's private IP address. The second hop is 10.0.1.4, the private IP address of the myVmPrivate VM. The route added to the myRouteTablePublic route table and associated to the Public subnet caused Azure to route the traffic through the NVA, rather than directly to the Private subnet.
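The same conclusion can be reached from the Azure control plane without opening ICMP on any VM. The following function is an added example, not part of the original article: it uses Get-AzEffectiveRouteTable to list the routes the platform actually applies to the myVmPublic network interface, checks that an active user-defined route for 10.0.1.0/24 points at the NVA, and also confirms that the NVA's network interface (myVmNva, created in Create a network interface) still has IP forwarding enabled. It assumes New-AzVm named the myVmPublic network interface after the VM, and that the VM is running, which Get-AzEffectiveRouteTable requires; the function name is an assumption.

```powershell
# Added example (not from the original article). Verifies the user-defined route and
# the NVA's IP forwarding setting from the Azure side. Assumes the network interface
# of myVmPublic is named 'myVmPublic' and that the VM is running. The function name
# is an assumption.
function Test-NvaRoute {
    param(
        [string] $ResourceGroupName = 'myResourceGroup',
        [string] $SourceNicName    = 'myVmPublic',
        [string] $NvaNicName       = 'myVmNva',
        [string] $Prefix           = '10.0.1.0/24',
        [string] $ExpectedNextHop  = '10.0.2.4'
    )

    $ok = $true

    # 1. The NVA must be allowed to forward packets that are not addressed to it.
    $nvaNic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NvaNicName
    if (-not $nvaNic.EnableIPForwarding) {
        Write-Warning "IP forwarding is disabled on $NvaNicName; forwarded packets will be dropped."
        $ok = $false
    }
    $nvaIp = $nvaNic.IpConfigurations[0].PrivateIpAddress
    if ($nvaIp -ne $ExpectedNextHop) {
        Write-Warning "NVA private IP is $nvaIp but the route expects $ExpectedNextHop."
        $ok = $false
    }

    # 2. The effective routes show what the platform applies, including the user route.
    $effective = Get-AzEffectiveRouteTable -ResourceGroupName $ResourceGroupName `
        -NetworkInterfaceName $SourceNicName

    # AddressPrefix and NextHopIpAddress are lists on effective route objects.
    $userRoute = $effective | Where-Object {
        $_.Source -eq 'User' -and $_.AddressPrefix -contains $Prefix
    }

    if (-not $userRoute) {
        Write-Warning "No user-defined route for $Prefix is in effect on $SourceNicName (is the table associated to the subnet?)."
        $ok = $false
    } elseif ($userRoute.State -ne 'Active') {
        Write-Warning "Route for $Prefix exists but its state is $($userRoute.State)."
        $ok = $false
    } elseif ($userRoute.NextHopType -ne 'VirtualAppliance' -or
              $userRoute.NextHopIpAddress -notcontains $ExpectedNextHop) {
        Write-Warning "Route for $Prefix has next hop $($userRoute.NextHopType) $($userRoute.NextHopIpAddress) instead of VirtualAppliance $ExpectedNextHop."
        $ok = $false
    }

    # Show the full effective table so the default system routes can be compared.
    $effective | Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress

    return $ok
}

Test-NvaRoute
```

The check is useful after any later change to the route table or NVA, since a route that still exists in the table but is shown as Invalid, or an NVA whose forwarding flag was reset, both break the path without any error at deployment time.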

Close the remote desktop session to the myVmPublic VM, which leaves you still connected to the myVmPrivate VM.

To test routing of network traffic to the myVmPublic VM from the myVmPrivate VM, enter the following command from a command prompt on the myVmPrivate VM:

tracert myVmPublic

The response is similar to the following example:

Tracing route to myVmPublic.vpgub4nqnocezhjgurw44dnxrc.bx.internal.chinacloudapp.cn [10.0.0.4]
over a maximum of 30 hops:

1     1 ms     1 ms     1 ms  10.0.0.4

Trace complete.

You can see that traffic is routed directly from the myVmPrivate VM to the myVmPublic VM. By default, Azure routes traffic directly between subnets.

Close the remote desktop session to the myVmPrivate VM.

Clean up resources

When no longer needed, use Remove-AzResourceGroup to remove the resource group and all of the resources it contains.

Remove-AzResourceGroup -Name myResourceGroup -Force

Next steps

In this article, you created a route table and associated it to a subnet. You created a simple network virtual appliance that routed traffic from a public subnet to a private subnet. Deploy a variety of pre-configured network virtual appliances that perform network functions such as firewall and WAN optimization from the Azure Marketplace. To learn more about routing, see Routing overview and Manage a route table.

While you can deploy many Azure resources within a virtual network, resources for some Azure PaaS services cannot be deployed into a virtual network. You can still restrict access to the resources of some Azure PaaS services to traffic only from a virtual network subnet though. To learn how, see Restrict network access to PaaS resources.