Route traffic through a network virtual appliance
This script sample creates a virtual network with front-end and back-end subnets. It also creates a VM with IP forwarding enabled to route traffic between the two subnets. After running the script you can deploy network software, such as a firewall application, to the VM.
If needed, install Azure PowerShell using the instructions found in the Azure PowerShell guide, and then run Connect-AzAccount to create a connection with Azure.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
# Variables for common values
$rgName='MyResourceGroup'
$location='eastus'
# Create user object
$cred = Get-Credential -Message 'Enter a username and password for the virtual machine.'
# Create a resource group.
New-AzResourceGroup -Name $rgName -Location $location
# Create a virtual network, a front-end subnet, a back-end subnet, and a DMZ subnet.
$fesubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix 10.0.1.0/24
$besubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix 10.0.2.0/24
$dmzsubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-Dmz' -AddressPrefix 10.0.0.0/24
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix 10.0.0.0/16 `
-Location $location -Subnet $fesubnet, $besubnet, $dmzsubnet
# Create NSG rules to allow HTTP & HTTPS traffic inbound.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-ALL' -Description 'Allow HTTP' `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
-SourceAddressPrefix Internet -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange 80
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-All' -Description 'Allow HTTPS' `
-Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
-SourceAddressPrefix Internet -SourcePortRange * `
-DestinationAddressPrefix * -DestinationPortRange 443
# Create a network security group (NSG) for the front-end subnet.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
-Name 'MyNsg-FrontEnd' -SecurityRules $rule1,$rule2
# Associate the front-end NSG to the front-end subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
-AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
# Create a public IP address for the firewall VM.
$publicip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIP-Firewall' `
-location $location -AllocationMethod Dynamic
# Create a NIC for the firewall VM and enable IP forwarding.
$nicVMFW = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location -Name 'MyNic-Firewall' `
-PublicIpAddress $publicip -Subnet $vnet.Subnets[2] -EnableIPForwarding
# Create a firewall VM to accept all traffic between the front-end and back-end subnets.
$vmConfig = New-AzVMConfig -VMName 'MyVm-Firewall' -VMSize Standard_DS2 | `
Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Firewall' -Credential $cred | `
Set-AzVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer `
-Skus 2016-Datacenter -Version latest | Add-AzVMNetworkInterface -Id $nicVMFW.Id
$vm = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig
# Create a route for traffic from the front-end to the back-end subnet through the firewall VM.
$route = New-AzRouteConfig -Name 'RouteToBackEnd' -AddressPrefix 10.0.2.0/24 `
-NextHopType VirtualAppliance -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress
# Create a route for traffic from the front-end subnet to the Internet through the firewall VM.
$route2 = New-AzRouteConfig -Name 'RouteToInternet' -AddressPrefix 0.0.0.0/0 `
-NextHopType VirtualAppliance -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress
# Create route table for the FrontEnd subnet.
$routeTableFEtoBE = New-AzRouteTable -Name 'MyRouteTable-FrontEnd' -ResourceGroupName $rgName `
-location $location -Route $route, $route2
# Associate the route table to the FrontEnd subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' -AddressPrefix 10.0.1.0/24 `
-NetworkSecurityGroup $nsg -RouteTable $routeTableFEtoBE
# Create a route for traffic from the back-end subnet to the front-end subnet through the firewall VM.
$route = New-AzRouteConfig -Name 'RouteToFrontEnd' -AddressPrefix '10.0.1.0/24' -NextHopType VirtualAppliance `
-NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress
# Create a route for traffic from the back-end subnet to the Internet through the firewall VM.
$route2 = New-AzRouteConfig -Name 'RouteToInternet' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance `
-NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress
# Create route table for the BackEnd subnet.
$routeTableBE = New-AzRouteTable -Name 'MyRouteTable-BackEnd' -ResourceGroupName $rgName `
-location $location -Route $route, $route2
# Associate the route table to the BackEnd subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
-AddressPrefix '10.0.2.0/24' -RouteTable $routeTableBE
# Commit the subnet changes (NSG and route table associations) to Azure.
# Set-AzVirtualNetworkSubnetConfig only updates the local $vnet object; without this step the routes are never applied.
$vnet | Set-AzVirtualNetwork
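As an added check (not part of the original sample), the following PowerShell audits what the script is meant to produce: IP forwarding enabled on the NVA NIC, a route table on each protected subnet whose routes all point at the NVA and include a default route, and no route on the DMZ subnet that sends the NVA's own traffic back to itself. It reuses the resource names from the script above; the function name Test-NvaRouting is hypothetical.

```powershell
# Added check, not from the original sample; resource names are the sample's, Test-NvaRouting is hypothetical.
function Test-NvaRouting {
    param(
        [string]$ResourceGroupName  = 'MyResourceGroup',
        [string]$VnetName           = 'MyVnet',
        [string]$NvaNicName         = 'MyNic-Firewall',
        [string[]]$ProtectedSubnets = @('MySubnet-FrontEnd', 'MySubnet-BackEnd'),
        [string]$NvaSubnet          = 'MySubnet-Dmz'
    )
    $nic   = Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NvaNicName
    $vnet  = Get-AzVirtualNetwork   -ResourceGroupName $ResourceGroupName -Name $VnetName
    $nvaIp = $nic.IpConfigurations[0].PrivateIpAddress
    $findings = [System.Collections.Generic.List[string]]::new()
    # Azure drops packets forwarded by a NIC without this flag, whatever the guest OS does.
    # (The guest OS must also forward packets; that is not visible from the control plane.)
    if (-not $nic.EnableIPForwarding) {
        $findings.Add("NIC '$NvaNicName' does not have IP forwarding enabled")
    }
    foreach ($subnet in $vnet.Subnets) {
        $rt = $null
        if ($subnet.RouteTable) {
            $rtName = ($subnet.RouteTable.Id -split '/')[-1]
            $rt = Get-AzRouteTable -ResourceGroupName $ResourceGroupName -Name $rtName
        }
        if ($ProtectedSubnets -contains $subnet.Name) {
            # A protected subnet needs a route table, a default route, and every route must use the NVA.
            if (-not $rt) {
                $findings.Add("Subnet '$($subnet.Name)' has no route table; its traffic bypasses the NVA")
                continue
            }
            foreach ($route in $rt.Routes) {
                if ($route.NextHopType -ne 'VirtualAppliance' -or $route.NextHopIpAddress -ne $nvaIp) {
                    $findings.Add("Route '$($route.Name)' ($($route.AddressPrefix)) in '$rtName' does not use NVA $nvaIp")
                }
            }
            if (-not ($rt.Routes | Where-Object AddressPrefix -eq '0.0.0.0/0')) {
                $findings.Add("Route table '$rtName' has no 0.0.0.0/0 route; Internet-bound traffic takes the system default")
            }
        }
        elseif ($subnet.Name -eq $NvaSubnet -and $rt) {
            # The NVA's own subnet must not send traffic back to the NVA, or forwarded packets loop.
            if ($rt.Routes | Where-Object NextHopIpAddress -eq $nvaIp) {
                $findings.Add("Subnet '$NvaSubnet' routes through the NVA it hosts (routing loop)")
            }
        }
    }
    [pscustomobject]@{ Passed = ($findings.Count -eq 0); NvaIp = $nvaIp; Findings = $findings }
}

Test-NvaRouting | Format-List
```

Run it after the script (and after Connect-AzAccount); a Passed value of False with an empty Findings list cannot occur, so any finding names the exact association or route that would let traffic bypass the appliance.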
Clean up deployment
Run the following command to remove the resource group, VM, and all related resources.
Remove-AzResourceGroup -Name MyResourceGroup
Script explanation
This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the table links to command-specific documentation.
| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzVirtualNetwork | Creates an Azure virtual network and front-end subnet. |
| New-AzVirtualNetworkSubnetConfig | Creates back-end and DMZ subnets. |
| New-AzPublicIpAddress | Creates a public IP address to access the VM from the Internet. |
| New-AzNetworkInterface | Creates a virtual network interface and enables IP forwarding for it. |
| New-AzNetworkSecurityGroup | Creates a network security group (NSG). |
| New-AzNetworkSecurityRuleConfig | Creates NSG rules that allow HTTP and HTTPS ports inbound to the VM. |
| Set-AzVirtualNetworkSubnetConfig | Associates the NSGs and route tables to subnets. |
| New-AzRouteTable | Creates a route table for all routes. |
| New-AzRouteConfig | Creates routes to route traffic between subnets and the Internet through the VM. |
| New-AzVM | Creates a virtual machine and attaches the NIC to it. This command also specifies the virtual machine image to use and administrative credentials. |
| Remove-AzResourceGroup | Deletes a resource group and all resources it contains. |
Next steps
For more information on the Azure PowerShell, see Azure PowerShell documentation.
Additional networking PowerShell script samples can be found in the Azure Networking Overview documentation.