Create a network security group (classic) using the Azure classic CLI

You can use an NSG to control traffic to one or more virtual machines (VMs), role instances, network interfaces (NICs), or subnets in your virtual network. An NSG contains access control rules that allow or deny traffic based on traffic direction, protocol, source address and port, and destination address and port. The rules of an NSG can be changed at any time, and changes are applied to all associated instances.

For more information about NSGs, see What is an NSG.

Important

Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Azure Resource Manager and classic. Make sure you understand deployment models and tools before you work with any Azure resource.

This article covers the classic deployment model. You can also create NSGs in the Resource Manager deployment model.

Scenario

To better illustrate how to create NSGs, this document uses the following scenario:

[Figure: VNet scenario]

In this scenario, you create an NSG for each subnet in the TestVNet virtual network, as follows:

  • NSG-FrontEnd. The front-end NSG is applied to the FrontEnd subnet and contains two rules:
    • rdp-rule. Allows RDP traffic to the FrontEnd subnet.
    • web-rule. Allows HTTP traffic to the FrontEnd subnet.
  • NSG-BackEnd. The back-end NSG is applied to the BackEnd subnet and contains two rules:
    • sql-rule. Allows SQL traffic only from the FrontEnd subnet.
    • web-rule. Denies Internet-bound traffic from the BackEnd subnet.

The combination of these rules creates a DMZ-like scenario, where the back-end subnet can only receive incoming SQL traffic from the front-end subnet and has no access to the Internet, while the front-end subnet can communicate with the Internet and receives incoming HTTP requests only.

The following sample Azure CLI commands expect a simple environment already created based on the scenario. If you want to run the commands as they are displayed in this document, first build the test environment by creating a VNet.

Create an NSG for the front-end subnet

  1. If you have never used the Azure CLI, see Install and Configure the Azure CLI.

  2. Switch to classic mode:

    azure config mode asm
    
  3. Create the NSG:

    azure network nsg create -l chinanorth -n NSG-FrontEnd
    
  4. Create a security rule that allows access to port 3389 (RDP) from the Internet. Opening RDP to the whole Internet is done here only to keep the scenario simple; in practice, narrow the source address prefix (-f) to your management address range:

    azure network nsg rule create -a NSG-FrontEnd -n rdp-rule -c Allow -p Tcp -r Inbound -y 100 -f Internet -o * -e * -u 3389
    
  5. Create a rule that allows access to port 80 (HTTP) from the Internet:

    azure network nsg rule create -a NSG-FrontEnd -n web-rule -c Allow -p Tcp -r Inbound -y 200 -f Internet -o * -e * -u 80
    
  6. Associate the NSG with the front-end subnet:

    azure network nsg subnet add -a NSG-FrontEnd --vnet-name TestVNet --subnet-name FrontEnd
    

Create the NSG for the back-end subnet

  1. Create the NSG:

    azure network nsg create -l chinanorth -n NSG-BackEnd
    
  2. Create a rule that allows access to port 1433 (SQL) from the front-end subnet. The source prefix 192.168.1.0/24 is assumed to be the address range of the FrontEnd subnet in the test VNet; adjust it if your subnet uses a different range:

    azure network nsg rule create -a NSG-BackEnd -n sql-rule -c Allow -p Tcp -r Inbound -y 100 -f 192.168.1.0/24 -o * -e * -u 1433
    
  3. Create a rule that denies outbound access to the Internet. As written, this rule denies only outbound TCP port 80; the NSG default rules still allow all other outbound traffic to the Internet. To deny all Internet-bound traffic as the scenario describes, use -p * and -u * in place of -p Tcp and -u 80. Either way, the rule's priority number (200) is lower than that of the default allow-Internet-outbound rule, so it is evaluated first:

    azure network nsg rule create -a NSG-BackEnd -n web-rule -c Deny -p Tcp -r Outbound -y 200 -f * -o * -e Internet -u 80
    
  4. Associate the NSG with the back-end subnet:

    azure network nsg subnet add -a NSG-BackEnd --vnet-name TestVNet --subnet-name BackEnd
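The two NSGs above can be reasoned about before anything is deployed. The following is an added example, not Azure code or part of the original article: a small offline evaluator that applies the documented NSG semantics (rules are evaluated per direction in priority order, lowest number first, first match wins, with the default rules at priorities 65000 to 65500) to the exact rules the commands above create. The VNet address space 192.168.0.0/16, the BackEnd range 192.168.2.0/24, the VM addresses, the Internet host 203.0.113.10 and the load-balancer probe address are assumptions made for the example; the "Internet" tag is simplified to "any address outside the VNet".

```python
"""Offline evaluator for the NSG-FrontEnd and NSG-BackEnd rules built on this page.

Added example (not Azure code). It models NSG evaluation order and the default
rules so the scenario can be checked without deploying. Address ranges other
than the 192.168.1.0/24 used by sql-rule are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass

VNET_SPACE = "192.168.0.0/16"      # assumed TestVNet address space
AZURE_LB_PROBE = "168.63.129.16"   # assumed source of Azure load balancer health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    src: str         # CIDR or tag: "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    src_port: str    # "*", a single port such as "80", or a range such as "1024-65535"
    dst: str
    dst_port: str


# Default rules present in every NSG; user rules must use a lower priority number to override them.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVNetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# User rules exactly as the `azure network nsg rule create` commands above define them.
NSG_FRONTEND = [
    Rule("rdp-rule", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "3389"),
    Rule("web-rule", 200, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "80"),
] + DEFAULT_RULES

NSG_BACKEND = [
    Rule("sql-rule", 100, "Inbound", "Allow", "Tcp", "192.168.1.0/24", "*", "*", "1433"),
    Rule("web-rule", 200, "Outbound", "Deny", "Tcp", "*", "*", "Internet", "80"),
] + DEFAULT_RULES

# What the scenario text actually asks for: deny every protocol and port towards the Internet.
DENY_ALL_INTERNET = Rule("deny-internet", 200, "Outbound", "Deny", "*", "*", "*", "Internet", "*")
NSG_BACKEND_HARDENED = [r for r in NSG_BACKEND if r.name != "web-rule"] + [DENY_ALL_INTERNET]


def _addr_match(prefix, ip):
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in ipaddress.ip_network(VNET_SPACE)
    if prefix == "Internet":  # simplified: anything outside the VNet address space
        return ip not in ipaddress.ip_network(VNET_SPACE)
    if prefix == "AzureLoadBalancer":
        return ip == ipaddress.ip_address(AZURE_LB_PROBE)
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, protocol, src, sport, dst, dport):
    """Return (access, rule name) of the first rule that matches, in priority order.

    NSGs are stateful: reply traffic of an allowed flow is not evaluated, so only
    the packet that initiates a flow is modelled here.
    """
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if not (_addr_match(r.src, src) and _addr_match(r.dst, dst)):
            continue
        if not (_port_match(r.src_port, sport) and _port_match(r.dst_port, dport)):
            continue
        return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while the default rules are present


def scenario_checks():
    """Probe the flows the scenario describes. All addresses are constructed for the example."""
    front, back, inet = "192.168.1.4", "192.168.2.4", "203.0.113.10"
    return {
        "http_in_front": evaluate(NSG_FRONTEND, "Inbound", "Tcp", inet, 51000, front, 80),
        "rdp_in_front": evaluate(NSG_FRONTEND, "Inbound", "Tcp", inet, 51000, front, 3389),
        "https_in_front": evaluate(NSG_FRONTEND, "Inbound", "Tcp", inet, 51000, front, 443),
        "sql_from_front": evaluate(NSG_BACKEND, "Inbound", "Tcp", front, 51000, back, 1433),
        "sql_from_inet": evaluate(NSG_BACKEND, "Inbound", "Tcp", inet, 51000, back, 1433),
        "http_out_back": evaluate(NSG_BACKEND, "Outbound", "Tcp", back, 51000, inet, 80),
        "https_out_back": evaluate(NSG_BACKEND, "Outbound", "Tcp", back, 51000, inet, 443),
        "https_out_back_hardened": evaluate(NSG_BACKEND_HARDENED, "Outbound", "Tcp", back, 51000, inet, 443),
    }


if __name__ == "__main__":
    for flow, (access, rule) in scenario_checks().items():
        print(f"{flow:24} {access:5} ({rule})")
```

Running the script shows the inbound side behaving as the scenario intends (HTTP and RDP reach the front end, anything else is stopped by DenyAllInBound; SQL reaches the back end only from 192.168.1.0/24). On the outbound side, the page's web-rule denies TCP port 80 but HTTPS from the back end to 203.0.113.10 is still allowed by the default AllowInternetOutBound rule; only the deny-all variant (protocol * and port *) closes that path.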