使用模板创建用户定义的路由 (UDR)

Important

在使用 Azure 资源之前,请务必了解 Azure 当前使用两种部署模型:Azure 资源管理器部署模型和经典部署模型。 在使用任何 Azure 资源之前,请确保了解 部署模型和工具 。 可以通过单击本文顶部的选项卡来查看不同工具的文档。 本文介绍 Resource Manager 部署模型。

方案

为了更好地说明如何创建 UDR,本文档将使用以下方案。

图像说明

此方案需为前端子网创建一个 UDR,并为后端子网创建另一个 UDR,如下所述:

  • UDR-FrontEnd。 前端 UDR 将应用于 FrontEnd 子网,并且包含一个路由:
    • RouteToBackend。 此路由将目标至后端子网的所有流量发送到 FW1 虚拟机。
  • UDR-BackEnd。 后端 UDR 将应用于 BackEnd 子网,并且包含一个路由:
    • RouteToFrontend。 此路由将目标至前端子网的所有流量发送到 FW1 虚拟机。

这些路由的组合将确保从一个子网发送到另一个子网的所有流量都将路由到正用作虚拟设备的 FW1 虚拟机。 你还需要打开该 VM 的 IP 转发,以确保它可以接收发送到其他虚拟机的流量。

模板文件中的 UDR 资源

可查看和下载 示例模板

以下部分说明如何针对方案在 azuredeploy-vnet-nsg-udr.json 文件中定义前端 UDR:

"apiVersion": "2015-06-15",
"type": "Microsoft.Network/routeTables",
"name": "[parameters('frontEndRouteTableName')]",
"location": "[resourceGroup().location]",
"tags": {
  "displayName": "UDR - FrontEnd"   
},
"properties": {
  "routes": [
    {
      "name": "RouteToBackEnd",
      "properties": {
        "addressPrefix": "[parameters('backEndSubnetPrefix')]",
        "nextHopType": "VirtualAppliance",
        "nextHopIpAddress": "[parameters('vmaIpAddress')]"
      }
    }
  ]

要将 UDR 与前端子网关联,需要更改模板中的子网定义,并使用 UDR 的引用 ID。

"subnets": [
    "name": "[parameters('frontEndSubnetName')]",
    "properties": {
      "addressPrefix": "[parameters('frontEndSubnetPrefix')]",
      "networkSecurityGroup": {
        "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('frontEndNSGName'))]"
      },
      "routeTable": {
          "id": "[resourceId('Microsoft.Network/routeTables', parameters('frontEndRouteTableName'))]"
      }
    },

请注意,需要在模板中对后端 NSG 和后端子网执行相同的操作。

还需要确保 FW1 VM 在用于接收和转发数据包的 NIC 上启用了 IP 转发属性。 以下部分说明基于该方案的 azuredeploy-nsg-udr.json 文件中 FW1 的 NIC 定义。

"apiVersion": "2015-06-15",
"type": "Microsoft.Network/networkInterfaces",
"location": "[variables('location')]",
"tags": {
  "displayName": "NetworkInterfaces - DMZ"
},
"name": "[concat(variables('fwVMSettings').nicName, copyindex(1))]",
"dependsOn": [
  "[concat('Microsoft.Network/publicIPAddresses/', variables('fwVMSettings').pipName, copyindex(1))]",
  "[concat('Microsoft.Resources/deployments/', 'vnetTemplate')]"
],
"properties": {
  "ipConfigurations": [
    {
      "name": "ipconfig1",
      "properties": {
        "enableIPForwarding": true,
        "privateIPAllocationMethod": "Static",
        "privateIPAddress": "[concat('192.168.0.',copyindex(4))]",
        "publicIPAddress": {
          "id": "[resourceId('Microsoft.Network/publicIPAddresses',concat(variables('fwVMSettings').pipName, copyindex(1)))]"
        },
        "subnet": {
          "id": "[variables('dmzSubnetRef')]"
        }
      }
    }
  ]
},
"copy": {
  "name": "fwniccount",
  "count": "[parameters('fwCount')]"
}

通过单击部署方式部署模板

公共存储库中提供的示例模板采用参数文件,该参数文件包含用于生成上述方案的默认值。 如果要通过单击部署的方式来部署此模板,请访问此链接,单击“部署至 Azure”,如有必要,请替换默认参数值,并按照门户中的说明进行操作。

  1. 如果从未使用过 Azure PowerShell,请参阅 How to Install and Configure Azure PowerShell(如何安装和配置 Azure PowerShell),并始终按照说明进行操作,以登录到 Azure 并选择订阅。
  2. 运行以下命令创建资源组:

    New-AzureRmResourceGroup -Name TestRG -Location chinanorth
    
  3. 运行以下命令,部署模板:

    New-AzureRmResourceGroupDeployment -Name DeployUDR -ResourceGroupName TestRG `
        -TemplateUri https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-UDR/azuredeploy.json `
        -TemplateParameterUri https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-UDR/azuredeploy.parameters.json
    

    预期输出:

     ResourceGroupName : TestRG
     Location          : chinanorth
     ProvisioningState : Succeeded
     Tags              : 
     Permissions       : 
                         Actions  NotActions
                         =======  ==========
                         *                  
    
     Resources         : 
                         Name                Type                                     Location
                         ==================  =======================================  ========
                         ASFW                Microsoft.Compute/availabilitySets       chinanorth  
                         ASSQL               Microsoft.Compute/availabilitySets       chinanorth  
                         ASWEB               Microsoft.Compute/availabilitySets       chinanorth  
                         FW1                 Microsoft.Compute/virtualMachines        chinanorth  
                         SQL1                Microsoft.Compute/virtualMachines        chinanorth  
                         SQL2                Microsoft.Compute/virtualMachines        chinanorth  
                         WEB1                Microsoft.Compute/virtualMachines        chinanorth  
                         WEB2                Microsoft.Compute/virtualMachines        chinanorth  
                         NICFW1              Microsoft.Network/networkInterfaces      chinanorth  
                         NICSQL1             Microsoft.Network/networkInterfaces      chinanorth  
                         NICSQL2             Microsoft.Network/networkInterfaces      chinanorth  
                         NICWEB1             Microsoft.Network/networkInterfaces      chinanorth  
                         NICWEB2             Microsoft.Network/networkInterfaces      chinanorth  
                         NSG-BackEnd         Microsoft.Network/networkSecurityGroups  chinanorth  
                         NSG-FrontEnd        Microsoft.Network/networkSecurityGroups  chinanorth  
                         PIPFW1              Microsoft.Network/publicIPAddresses      chinanorth  
                         PIPSQL1             Microsoft.Network/publicIPAddresses      chinanorth  
                         PIPSQL2             Microsoft.Network/publicIPAddresses      chinanorth  
                         PIPWEB1             Microsoft.Network/publicIPAddresses      chinanorth  
                         PIPWEB2             Microsoft.Network/publicIPAddresses      chinanorth  
                         UDR-BackEnd         Microsoft.Network/routeTables            chinanorth  
                         UDR-FrontEnd        Microsoft.Network/routeTables            chinanorth  
                         TestVNet            Microsoft.Network/virtualNetworks        chinanorth  
                         testvnetstorageprm  Microsoft.Storage/storageAccounts        chinanorth  
                         testvnetstoragestd  Microsoft.Storage/storageAccounts        chinanorth
    
     ResourceId        : /subscriptions/[Subscription Id]/resourceGroups/TestRG
    

使用 Azure CLI 部署模板

若要使用 Azure CLI 部署 Azure 资源管理器模板,请完成以下步骤:

  1. 如果从未使用过 Azure CLI,请参阅 Install and Configure the Azure CLI(安装和配置 Azure CLI),并按照说明进行操作,直到选择 Azure 帐户和订阅。
  2. 运行以下命令,切换到 Resource Manager 模式:

    azure config mode arm
    

    下面是上述命令的预期输出:

     info:    New mode is arm
    
  3. 在浏览器中导航到 https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-UDR/azuredeploy.parameters.json,复制 json 文件的内容并将其粘贴到计算机中的一个新文件。 对于此方案,请将下面的值复制到名为“c:\udr\azuredeploy.parameters.json”的文件。

        {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "fwCount": {
              "value": 1
            },
            "webCount": {
              "value": 2
            },
            "sqlCount": {
              "value": 2
            }
          }
        }
    
  4. 运行以下命令,使用前面下载并修改的模板和参数文件部署新 VNet:

    azure group create -n TestRG -l chinanorth --template-uri 'https://raw.githubusercontent.com/telmosampaio/azure-templates/master/IaaS-NSG-UDR/azuredeploy.json' -e 'c:\udr\azuredeploy.parameters.json'
    

    预期输出:

     info:    Executing command group create
     info:    Getting resource group TestRG
     info:    Updating resource group TestRG
     info:    Updated resource group TestRG
     info:    Initializing template configurations and parameters
     info:    Creating a deployment
     info:    Created template deployment "azuredeploy"
     data:    Id:                  /subscriptions/[Subscription Id]/resourceGroups/TestRG
     data:    Name:                TestRG
     data:    Location:            chinanorth
     data:    Provisioning State:  Succeeded
     data:    Tags: null
     data:    
     info:    group create command OK
    
  5. 运行以下命令,查看在新资源组中创建的资源:

    azure group show TestRG
    

    预期结果:

         info:    Executing command group show
         info:    Listing resource groups
         info:    Listing resources for the group
         data:    Id:                  /subscriptions/[Subscription Id]/resourceGroups/TestRG
         data:    Name:                TestRG
         data:    Location:            chinanorth
         data:    Provisioning State:  Succeeded
         data:    Tags: null
         data:    Resources:
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASFW
         data:      Name    : ASFW
         data:      Type    : availabilitySets
         data:      Location: chinanorth
         data:      Tags    : displayName=AvailabilitySet - DMZ
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASSQL
         data:      Name    : ASSQL
         data:      Type    : availabilitySets
         data:      Location: chinanorth
         data:      Tags    : displayName=AvailabilitySet - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/availabilitySets/ASWEB
         data:      Name    : ASWEB
         data:      Type    : availabilitySets
         data:      Location: chinanorth
         data:      Tags    : displayName=AvailabilitySet - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/FW1
         data:      Name    : FW1
         data:      Type    : virtualMachines
         data:      Location: chinanorth
         data:      Tags    : displayName=VMs - DMZ
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/SQL1
         data:      Name    : SQL1
         data:      Type    : virtualMachines
         data:      Location: chinanorth
         data:      Tags    : displayName=VMs - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/SQL2
         data:      Name    : SQL2
         data:      Type    : virtualMachines
         data:      Location: chinanorth
         data:      Tags    : displayName=VMs - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/WEB1
         data:      Name    : WEB1
         data:      Type    : virtualMachines
         data:      Location: chinanorth
         data:      Tags    : displayName=VMs - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Compute/virtualMachines/WEB2
         data:      Name    : WEB2
         data:      Type    : virtualMachines
         data:      Location: chinanorth
         data:      Tags    : displayName=VMs - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICFW1
         data:      Name    : NICFW1
         data:      Type    : networkInterfaces
         data:      Location: chinanorth
         data:      Tags    : displayName=NetworkInterfaces - DMZ
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL1
         data:      Name    : NICSQL1
         data:      Type    : networkInterfaces
         data:      Location: chinanorth
         data:      Tags    : displayName=NetworkInterfaces - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICSQL2
         data:      Name    : NICSQL2
         data:      Type    : networkInterfaces
         data:      Location: chinanorth
         data:      Tags    : displayName=NetworkInterfaces - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB1
         data:      Name    : NICWEB1
         data:      Type    : networkInterfaces
         data:      Location: chinanorth
         data:      Tags    : displayName=NetworkInterfaces - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/NICWEB2
         data:      Name    : NICWEB2
         data:      Type    : networkInterfaces
         data:      Location: chinanorth
         data:      Tags    : displayName=NetworkInterfaces - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd
         data:      Name    : NSG-BackEnd
         data:      Type    : networkSecurityGroups
         data:      Location: chinanorth
         data:      Tags    : displayName=NSG - Front End
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd
         data:      Name    : NSG-FrontEnd
         data:      Type    : networkSecurityGroups
         data:      Location: chinanorth
         data:      Tags    : displayName=NSG - Remote Access
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPFW1
         data:      Name    : PIPFW1
         data:      Type    : publicIPAddresses
         data:      Location: chinanorth
         data:      Tags    : displayName=PublicIPAddresses - DMZ
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPSQL1
         data:      Name    : PIPSQL1
         data:      Type    : publicIPAddresses
         data:      Location: chinanorth
         data:      Tags    : displayName=PublicIPAddresses - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPSQL2
         data:      Name    : PIPSQL2
         data:      Type    : publicIPAddresses
         data:      Location: chinanorth
         data:      Tags    : displayName=PublicIPAddresses - SQL
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPWEB1
         data:      Name    : PIPWEB1
         data:      Type    : publicIPAddresses
         data:      Location: chinanorth
         data:      Tags    : displayName=PublicIPAddresses - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/publicIPAddresses/PIPWEB2
         data:      Name    : PIPWEB2
         data:      Type    : publicIPAddresses
         data:      Location: chinanorth
         data:      Tags    : displayName=PublicIPAddresses - Web
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-BackEnd
         data:      Name    : UDR-BackEnd
         data:      Type    : routeTables
         data:      Location: chinanorth
         data:      Tags    : displayName=Route Table - Back End
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/routeTables/UDR-FrontEnd
         data:      Name    : UDR-FrontEnd
         data:      Type    : routeTables
         data:      Location: chinanorth
         data:      Tags    : displayName=UDR - FrontEnd
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet
         data:      Name    : TestVNet
         data:      Type    : virtualNetworks
         data:      Location: chinanorth
         data:      Tags    : displayName=VNet
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/testvnetstorageprm
         data:      Name    : testvnetstorageprm
         data:      Type    : storageAccounts
         data:      Location: chinanorth
         data:      Tags    : displayName=Storage Account - Premium
         data:    
         data:      Id      : /subscriptions/[Subscription Id]/resourceGroups/TestRG/providers/Microsoft.Storage/storageAccounts/testvnetstoragestd
         data:      Name    : testvnetstoragestd
         data:      Type    : storageAccounts
         data:      Location: chinanorth
         data:      Tags    : displayName=Storage Account - Simple
         data:    
         data:    Permissions:
         data:      Actions: *
         data:      NotActions: 
         data:
         info:    group show command OK
    

Tip

如果看不到所有资源,可运行 azure group deployment show 命令以确保部署的预配状态为“成功”。