Bagikan melalui


Mulai cepat: Sebarkan Azure Firewall dengan Zona Ketersediaan - templat ARM

Dalam mulai cepat ini, Anda menggunakan templat Azure Resource Manager (templat ARM) untuk menggunakan Azure Firewall di tiga Zona ketersediaan.

Templat Azure Resource Manager adalah file JavaScript Object Notation (JSON) yang menentukan infrastruktur dan konfigurasi untuk proyek Anda. Template tersebut menggunakan sintaksis deklaratif. Anda menjelaskan penyebaran yang Dimaksudkan tanpa menulis urutan perintah pemrograman untuk membuat penyebaran.

Templat membuat lingkungan jaringan uji dengan firewall. Jaringan ini memiliki satu jaringan virtual (VNet) dengan tiga subnet: AzureFirewallSubnet, ServersSubnet, dan JumpboxSubnet. Subnet ServerSubnet dan JumpboxSubnet masing-masing memiliki dua inti komputer virtual Windows Server.

Firewall berada di subnet AzureFirewallSubnet dan dikonfigurasi dengan koleksi aturan aplikasi dengan satu aturan yang memungkinkan akses ke www.microsoft.com.

Rute yang ditentukan pengguna mengarahkan lalu lintas jaringan dari subnet ServerSubnet melalui firewall, tempat aturan firewall diterapkan.

Untuk informasi selengkapnya tentang Azure Firewall, lihat Menyebarkan dan mengonfigurasi Azure Firewall menggunakan portal Microsoft Azure.

Jika lingkungan Anda telah memenuhi prasyarat dan Anda terbiasa menggunakan templat ARM, pilih tombol Sebarkan ke Azure. Templat akan terbuka di portal Microsoft Azure.

Tombol untuk menyebarkan templat Resource Manager ke Azure.

Prasyarat

Meninjau templat

Templat ini membuat Azure Firewall dengan Zona Ketersediaan, bersama dengan sumber daya yang diperlukan untuk mendukung Azure Firewall.

Templat yang digunakan di mulai cepat ini berasal dari Templat Mulai Cepat Azure.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.7.4.23292",
      "templateHash": "1131141795323801257"
    }
  },
  "parameters": {
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "test-vnet",
      "metadata": {
        "description": "virtual network name"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Username for the Virtual Machine."
      }
    },
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Password for the Virtual Machine."
      }
    },
    "availabilityZones": {
      "type": "array",
      "defaultValue": [
        "1",
        "2",
        "3"
      ],
      "metadata": {
        "description": "Availability zone numbers e.g. 1,2,3."
      }
    },
    "numberOfFirewallPublicIPAddresses": {
      "type": "int",
      "defaultValue": 1,
      "maxValue": 100,
      "minValue": 1,
      "metadata": {
        "description": "Number of public IP addresses for the Azure Firewall"
      }
    },
    "jumpBoxSize": {
      "type": "string",
      "defaultValue": "Standard_D2s_v3",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    },
    "serverSize": {
      "type": "string",
      "defaultValue": "Standard_D2s_v3",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]",
        "input": {
          "name": "[format('IpConf{0}', range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')])]",
          "properties": {
            "subnet": "[if(equals(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 0), variables('azureFirewallSubnetJSON'), json('null'))]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')]], 1)))]"
            }
          }
        }
      }
    ],
    "vnetAddressPrefix": "10.0.0.0/16",
    "serversSubnetPrefix": "10.0.2.0/24",
    "azureFirewallSubnetPrefix": "10.0.1.0/24",
    "jumpboxSubnetPrefix": "10.0.0.0/24",
    "nextHopIP": "10.0.1.4",
    "azureFirewallSubnetName": "AzureFirewallSubnet",
    "jumpBoxSubnetName": "JumpboxSubnet",
    "serversSubnetName": "ServersSubnet",
    "jumpBoxPublicIPAddressName": "JumpHostPublicIP",
    "jumpBoxNsgName": "JumpHostNSG",
    "jumpBoxNicName": "JumpHostNic",
    "jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
    "serverNicName": "ServerNic",
    "serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
    "storageAccountName": "[format('{0}sajumpbox', uniqueString(resourceGroup().id))]",
    "azfwRouteTableName": "AzfwRouteTable",
    "firewallName": "firewall1",
    "publicIPNamePrefix": "publicIP",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
    "azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
    "networkSecurityGroupName": "[format('{0}-nsg', variables('serversSubnetName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2021-08-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2021-03-01",
      "name": "[variables('azfwRouteTableName')]",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "AzfwDefaultRoute",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[variables('nextHopIP')]"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-03-01",
      "name": "[variables('networkSecurityGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-05-01",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "tags": {
        "displayName": "[parameters('virtualNetworkName')]"
      },
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetAddressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[variables('jumpBoxSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('jumpboxSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('azureFirewallSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('serversSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('serversSubnetPrefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
              },
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
              }
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
      ]
    },
    {
      "copy": {
        "name": "publicIPAddress",
        "count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]"
      },
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-03-01",
      "name": "[format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAllocationMethod": "Static",
        "publicIPAddressVersion": "IPv4"
      },
      "zones": "[parameters('availabilityZones')]"
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-03-01",
      "name": "[variables('jumpBoxPublicIPAddressName')]",
      "location": "[parameters('location')]",
      "properties": {
        "publicIPAllocationMethod": "Dynamic"
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-05-01",
      "name": "[variables('jumpBoxNsgName')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "myNetworkSecurityGroupRuleRDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 1000,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-05-01",
      "name": "[variables('jumpBoxNicName')]",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]"
              },
              "subnet": {
                "id": "[variables('jumpBoxSubnetId')]"
              }
            }
          }
        ],
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]",
        "[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-05-01",
      "name": "[variables('serverNicName')]",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[variables('serverSubnetId')]"
              }
            }
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-11-01",
      "name": "JumpBox",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('jumpBoxSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "JumpBox",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2021-11-01",
      "name": "Server",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('serverSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "Server",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]",
        "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2021-05-01",
      "name": "[variables('firewallName')]",
      "location": "[parameters('location')]",
      "zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
      "properties": {
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "appRc1",
            "properties": {
              "priority": 101,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "appRule1",
                  "protocols": [
                    {
                      "port": 80,
                      "protocolType": "Http"
                    },
                    {
                      "port": 443,
                      "protocolType": "Https"
                    }
                  ],
                  "targetFqdns": [
                    "www.microsoft.com"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ]
                }
              ]
            }
          }
        ],
        "networkRuleCollections": [
          {
            "name": "netRc1",
            "properties": {
              "priority": 200,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "netRule1",
                  "protocols": [
                    "TCP"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ],
                  "destinationAddresses": [
                    "*"
                  ],
                  "destinationPorts": [
                    "8000-8999"
                  ]
                }
              ]
            }
          }
        ]
      },
      "dependsOn": [
        "publicIPAddress",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
      ]
    }
  ]
}

Beberapa sumber daya Azure yang ditentukan dalam templat:

Menyebarkan templat

Menyebarkan templat ARM ke Azure:

  1. Pilih Sebarkan ke Azure untuk masuk ke Azure dan membuka templat. Templat tersebut membuat Azure Firewall, infrastruktur jaringan, dan dua komputer virtual.

    Tombol untuk menyebarkan templat Resource Manager ke Azure.

  2. Dalam portal,di Buat set kotak pasir Azure Firewall dengan Zona halaman, ketik atau pilih nilai berikut ini:

    • Grup sumber daya: Pilih Buat baru, ketik nama untuk grup sumber daya, dan pilih OK.
    • Nama Virtual Network: Ketik nama untuk Vnet baru.
    • Nama Pengguna Admin: Ketik nama pengguna untuk akun pengguna admin.
    • Kata Sandi Admin: Ketik kata sandi admin.
  3. Baca syarat dan ketentuan, lalu pilih Saya setuju dengan syarat dan ketentuan yang tercantum di atas lalu pilih Beli. Penyebaran dapat memakan waktu 10 menit atau lebih lama sampai selesai.

Meninjau sumber daya yang disebarkan

Jelajahi sumber daya yang sudah dibuat dengan firewall.

Untuk mempelajari tentang sintaks dan properti JSON untuk firewall dalam templat, lihat tMicrosoft.Network azureFirewalls.

Membersihkan sumber daya

Ketika Anda tidak lagi membutuhkannya, Anda bisa menghapus grup sumber daya, firewall, dan semua sumber daya terkait dengan menjalankan Remove-AzResourceGroup perintah PowerShell. Hapus grup sumber daya bernama myResourceGroup, jalankan:

Remove-AzResourceGroup -Name MyResourceGroup

Jangan hapus grup sumber daya dan firewall jika Anda berencana untuk melanjutkan ke tutorial pemantauan firewall.

Langkah berikutnya

Selanjutnya, Anda dapat memantau log Azure Firewall.