Mulai cepat: Membuat Azure Firewall dan kebijakan {i>firewall
Dalam panduan mulai cepat ini, gunakan templat Azure Resource Manager (templat ARM) untuk membuat Azure Firewall dan kebijakan {i>firewall.www.microsoft.com dan aturan yang memungkinkan koneksi ke Windows Update menggunakan tag WindowsUpdate FQDN. Aturan jaringan memungkinkan koneksi UDP ke server waktu di 13.86.101.172.
Selain itu, Grup IP digunakan dalam aturan untuk menentukan alamat IP Sumber.
Templat Azure Resource Manager adalah file JavaScript Object Notation (JSON) yang menentukan infrastruktur dan konfigurasi untuk proyek Anda. Template tersebut menggunakan sintaksis deklaratif. Anda menjelaskan penyebaran yang Dimaksudkan tanpa menulis urutan perintah pemrograman untuk membuat penyebaran.
Untuk informasi tentang Azure Firewall Manager, lihat Apa itu Azure Firewall Manager?.
Untuk informasi tentang Azure Firewall, lihat Apa itu Azure Firewall?.
Untuk informasi tentang Grup IP, lihat Grup IP di Azure Firewall.
Jika lingkungan Anda telah memenuhi prasyarat dan Anda terbiasa menggunakan templat ARM, pilih tombol Sebarkan ke Azure. Templat terbuka di portal Azure.
Prasyarat
- Akun Azure dengan langganan aktif. Buat akun secara gratis.
Meninjau templat
Templat ini membuat jaringan virtual hub, bersama dengan sumber daya yang diperlukan untuk mendukung skenario.
Templat yang digunakan di mulai cepat ini berasal dari Templat Mulai Cepat Azure.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.8.9.13224",
"templateHash": "2614956787969031174"
}
},
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "[format('vnet{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Virtual network name"
}
},
"firewallName": {
"type": "string",
"defaultValue": "[format('fw{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "Azure Firewall name"
}
},
"numberOfPublicIPAddresses": {
"type": "int",
"defaultValue": 2,
"maxValue": 100,
"minValue": 1,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"availabilityZones": {
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Zone numbers e.g. 1,2,3."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"infraIpGroupName": {
"type": "string",
"defaultValue": "[format('{0}-infra-ipgroup-{1}', parameters('location'), uniqueString(resourceGroup().id))]"
},
"workloadIpGroupName": {
"type": "string",
"defaultValue": "[format('{0}-workload-ipgroup-{1}', parameters('location'), uniqueString(resourceGroup().id))]"
},
"firewallPolicyName": {
"type": "string",
"defaultValue": "[format('{0}-firewallPolicy', parameters('firewallName'))]"
}
},
"variables": {
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[length(range(0, parameters('numberOfPublicIPAddresses')))]",
"input": {
"name": "[format('IpConf{0}', range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')])]",
"properties": {
"subnet": "[if(equals(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 0), json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId'))), json('null'))]",
"publicIPAddress": {
"id": "[format('{0}{1}', variables('azureFirewallPublicIpId'), add(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 1))]"
}
}
}
}
],
"vnetAddressPrefix": "10.10.0.0/24",
"azureFirewallSubnetPrefix": "10.10.0.0/25",
"publicIPNamePrefix": "publicIP",
"azurepublicIpname": "[variables('publicIPNamePrefix')]",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"azureFirewallPublicIpId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('publicIPNamePrefix'))]"
},
"resources": [
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2022-01-01",
"name": "[parameters('workloadIpGroupName')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.20.0.0/24",
"10.30.0.0/24"
]
}
},
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2022-01-01",
"name": "[parameters('infraIpGroupName')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"10.40.0.0/24",
"10.50.0.0/24"
]
}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2022-01-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
}
],
"enableDdosProtection": false
}
},
{
"copy": {
"name": "publicIpAddress",
"count": "[length(range(0, parameters('numberOfPublicIPAddresses')))]"
},
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2022-01-01",
"name": "[format('{0}{1}', variables('azurepublicIpname'), add(range(0, parameters('numberOfPublicIPAddresses'))[copyIndex()], 1))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
}
},
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2022-01-01",
"name": "[parameters('firewallPolicyName')]",
"location": "[parameters('location')]",
"properties": {
"threatIntelMode": "Alert"
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2022-01-01",
"name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"properties": {
"priority": 200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "azure-global-services-nrc",
"priority": 1250,
"rules": [
{
"ruleType": "NetworkRule",
"name": "time-windows",
"ipProtocols": [
"UDP"
],
"destinationAddresses": [
"13.86.101.172"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
],
"destinationPorts": [
"123"
]
}
]
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2022-01-01",
"name": "[format('{0}/{1}', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]",
"properties": {
"priority": 300,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "global-rule-url-arc",
"priority": 1000,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "winupdate-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
},
{
"protocolType": "Http",
"port": 80
}
],
"fqdnTags": [
"WindowsUpdate"
],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
]
}
]
},
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"name": "Global-rules-arc",
"priority": 1202,
"rules": [
{
"ruleType": "ApplicationRule",
"name": "global-rule-01",
"protocols": [
{
"protocolType": "Https",
"port": 443
}
],
"targetFqdns": [
"www.microsoft.com"
],
"terminateTLS": false,
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]"
]
}
]
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2021-03-01",
"name": "[parameters('firewallName')]",
"location": "[parameters('location')]",
"zones": "[if(equals(length(parameters('availabilityZones')), 0), null(), parameters('availabilityZones'))]",
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"firewallPolicy": {
"id": "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultApplicationRuleCollectionGroup')]",
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('infraIpGroupName'))]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), 'DefaultNetworkRuleCollectionGroup')]",
"publicIpAddress",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('workloadIpGroupName'))]"
]
}
]
}
Beberapa sumber daya Azure yang ditentukan dalam templat:
- Microsoft.Network/ipGroups
- Microsoft.Network/firewallPolicies
- Microsoft.Network/firewallPolicies/ruleCollectionGroups
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
Menyebarkan templat
Menyebarkan templat ARM ke Azure:
Pilih Sebarkan ke Azure untuk masuk ke Azure dan membuka templat. Templat membuat Azure Firewall, WAN virtual dan hub virtual, infrastruktur jaringan, dan dua komputer virtual.
Di portal, pada halaman Buat Firewall dan FirewallPolicy dengan Aturan dan Ipgroups, ketik atau pilih nilai berikut ini:
- Langganan: Memilih dari langganan yang sudah ada.
- Grup sumber daya: Pilih dari grup sumber daya yang ada atau pilih Buat baru, lalu pilih OK.
- Wilayah: Pilih wilayah.
- Nama Firewall: ketik nama untuk {i>firewall
Pilih Tinjauan + buat kemudian pilih Buat. Penyebaran dapat memakan waktu 10 menit atau lebih lama sampai selesai.
Meninjau sumber daya yang disebarkan
Setelah penyebaran selesai, Anda akan melihat sumber daya yang serupa seperti berikut ini.
Membersihkan sumber daya
Jika Anda tidak lagi membutuhkan sumber daya yang Anda buat dengan {i>firewallfirewall
Untuk menghapus grup sumber daya tersebut, hubungi Remove-AzResourceGroup
cmdlet:
Remove-AzResourceGroup -Name "<your resource group name>"