Avvio rapido: Creare un Firewall di Azure e gruppi IP - Bicep
In questa guida introduttiva si usa un file Bicep per distribuire un Firewall di Azure con gruppi IP di esempio usati in una regola di rete e in una regola dell'applicazione. Un gruppo IP è una risorsa di primo livello che consente di definire e raggruppare indirizzi IP, intervalli e subnet in un singolo oggetto. Il gruppo IP è utile per la gestione degli indirizzi IP nelle regole di Firewall di Azure. È possibile immettere manualmente gli indirizzi IP o importarli da un file.
Bicep è un linguaggio specifico di dominio (DSL) che usa la sintassi dichiarativa per distribuire le risorse di Azure. Offre sintassi concisa, indipendenza dai tipi affidabile e supporto per il riutilizzo del codice. Bicep offre la migliore esperienza di creazione per le soluzioni in base al codice dell'infrastruttura in Azure.
Prerequisiti
- Un account Azure con una sottoscrizione attiva. Creare un account gratuitamente.
Esaminare il file Bicep
Questo file Bicep crea un Firewall di Azure e gruppi IP, insieme alle risorse necessarie per supportare la Firewall di Azure.
Il file Bicep usato in questo avvio rapido proviene dai modelli di avvio rapido di Azure.
@description('virtual network name')
param virtualNetworkName string = 'vnet${uniqueString(resourceGroup().id)}'
param ipgroups_name1 string = 'ipgroup1${uniqueString(resourceGroup().id)}'
param ipgroups_name2 string = 'ipgroup2${uniqueString(resourceGroup().id)}'
@description('Username for the Virtual Machine.')
param adminUsername string
@description('Location for all resources.')
param location string = resourceGroup().location
@description('Zone numbers e.g. 1,2,3.')
param vmSize string = 'Standard_D2s_v3'
@description('Number of public IP addresses for the Azure Firewall')
@minValue(1)
@maxValue(100)
param numberOfFirewallPublicIPAddresses int = 1
@description('Type of authentication to use on the Virtual Machine. SSH key is recommended.')
@allowed([
'sshPublicKey'
'password'
])
param authenticationType string = 'sshPublicKey'
@description('SSH Key or password for the Virtual Machine. SSH key is recommended.')
@secure()
param adminPasswordOrKey string
var vnetAddressPrefix = '10.0.0.0/16'
var serversSubnetPrefix = '10.0.2.0/24'
var azureFirewallSubnetPrefix = '10.0.1.0/24'
var jumpboxSubnetPrefix = '10.0.0.0/24'
var nextHopIP = '10.0.1.4'
var azureFirewallSubnetName = 'AzureFirewallSubnet'
var jumpBoxSubnetName = 'JumpboxSubnet'
var serversSubnetName = 'ServersSubnet'
var jumpBoxPublicIPAddressName = 'JumpHostPublicIP'
var jumpBoxNsgName = 'JumpHostNSG'
var jumpBoxNicName = 'JumpHostNic'
var jumpBoxSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, jumpBoxSubnetName)
var serverNicName = 'ServerNic'
var serverSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, serversSubnetName)
var storageAccountName = '${uniqueString(resourceGroup().id)}sajumpbox'
var azfwRouteTableName = 'AzfwRouteTable'
var firewallName = 'firewall1'
var publicIPNamePrefix = 'publicIP'
var azureFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, azureFirewallSubnetName)
var linuxConfiguration = {
disablePasswordAuthentication: true
ssh: {
publicKeys: [
{
path: '/home/${adminUsername}/.ssh/authorized_keys'
keyData: adminPasswordOrKey
}
]
}
}
var networkSecurityGroupName = '${serversSubnetName}-nsg'
var azureFirewallIpConfigurations = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: 'IpConf${i}'
properties: {
subnet: {
id: (i == 0) ? azureFirewallSubnetId : null
}
publicIPAddress: {
id: publicIP[i].id
}
}
}]
resource ipgroup1 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name1
location: location
properties: {
ipAddresses: [
'13.73.64.64/26'
'13.73.208.128/25'
'52.126.194.0/23'
]
}
}
resource ipgroup2 'Microsoft.Network/ipGroups@2023-09-01' = {
name: ipgroups_name2
location: location
properties: {
ipAddresses: [
'12.0.0.0/24'
'13.9.0.0/24'
]
}
}
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
name: storageAccountName
location: location
sku: {
name: 'Standard_LRS'
}
kind: 'StorageV2'
properties: {}
}
resource azfwRouteTable 'Microsoft.Network/routeTables@2023-09-01' = {
name: azfwRouteTableName
location: location
properties: {
disableBgpRoutePropagation: false
routes: [
{
name: 'AzfwDefaultRoute'
properties: {
addressPrefix: '0.0.0.0/0'
nextHopType: 'VirtualAppliance'
nextHopIpAddress: nextHopIP
}
}
]
}
}
resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: networkSecurityGroupName
location: location
properties: {}
}
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-09-01' = {
name: virtualNetworkName
location: location
tags: {
displayName: virtualNetworkName
}
properties: {
addressSpace: {
addressPrefixes: [
vnetAddressPrefix
]
}
subnets: [
{
name: jumpBoxSubnetName
properties: {
addressPrefix: jumpboxSubnetPrefix
}
}
{
name: azureFirewallSubnetName
properties: {
addressPrefix: azureFirewallSubnetPrefix
}
}
{
name: serversSubnetName
properties: {
addressPrefix: serversSubnetPrefix
routeTable: {
id: azfwRouteTable.id
}
networkSecurityGroup: {
id: networkSecurityGroup.id
}
}
}
]
}
}
resource publicIP 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, numberOfFirewallPublicIPAddresses): {
name: '${publicIPNamePrefix}${i + 1}'
location: location
sku: {
name: 'Standard'
}
properties: {
publicIPAllocationMethod: 'Static'
publicIPAddressVersion: 'IPv4'
}
}]
resource jumpBoxPublicIPAddress 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
name: jumpBoxPublicIPAddressName
location: location
properties: {
publicIPAllocationMethod: 'Dynamic'
}
}
resource jumpBoxNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
name: jumpBoxNsgName
location: location
properties: {
securityRules: [
{
name: 'myNetworkSecurityGroupRuleSSH'
properties: {
protocol: 'Tcp'
sourcePortRange: '*'
destinationPortRange: '22'
sourceAddressPrefix: '*'
destinationAddressPrefix: '*'
access: 'Allow'
priority: 1000
direction: 'Inbound'
}
}
]
}
}
resource JumpBoxNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: jumpBoxNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
publicIPAddress: {
id: jumpBoxPublicIPAddress.id
}
subnet: {
id: jumpBoxSubnetId
}
}
}
]
networkSecurityGroup: {
id: jumpBoxNsg.id
}
}
dependsOn: [
virtualNetwork
]
}
resource ServerNic 'Microsoft.Network/networkInterfaces@2023-09-01' = {
name: serverNicName
location: location
properties: {
ipConfigurations: [
{
name: 'ipconfig1'
properties: {
privateIPAllocationMethod: 'Dynamic'
subnet: {
id: serverSubnetId
}
}
}
]
}
dependsOn: [
virtualNetwork
]
}
resource JumpBoxVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
name: 'JumpBox'
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'Canonical'
offer: 'UbuntuServer'
sku: '18.04-LTS'
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
}
}
osProfile: {
computerName: 'JumpBox'
adminUsername: adminUsername
adminPassword: adminPasswordOrKey
linuxConfiguration: ((authenticationType == 'password') ? json('null') : linuxConfiguration)
}
networkProfile: {
networkInterfaces: [
{
id: JumpBoxNic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
}
}
resource ServerVm 'Microsoft.Compute/virtualMachines@2023-09-01' = {
name: 'Server'
location: location
properties: {
hardwareProfile: {
vmSize: vmSize
}
storageProfile: {
imageReference: {
publisher: 'Canonical'
offer: 'UbuntuServer'
sku: '18.04-LTS'
version: 'latest'
}
osDisk: {
createOption: 'FromImage'
}
}
osProfile: {
computerName: 'Server'
adminUsername: adminUsername
adminPassword: adminPasswordOrKey
linuxConfiguration: ((authenticationType == 'password') ? null : linuxConfiguration)
}
networkProfile: {
networkInterfaces: [
{
id: ServerNic.id
}
]
}
diagnosticsProfile: {
bootDiagnostics: {
enabled: true
storageUri: storageAccount.properties.primaryEndpoints.blob
}
}
}
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
name: firewallName
location: location
dependsOn: [
virtualNetwork
publicIP
]
properties: {
ipConfigurations: azureFirewallIpConfigurations
applicationRuleCollections: [
{
name: 'appRc1'
properties: {
priority: 101
action: {
type: 'Allow'
}
rules: [
{
name: 'someAppRule'
protocols: [
{
protocolType: 'Http'
port: 8080
}
]
targetFqdns: [
'*bing.com'
]
sourceIpGroups: [
ipgroup1.id
]
}
{
name: 'someOtherAppRule'
protocols: [
{
protocolType: 'Mssql'
port: 1433
}
]
targetFqdns: [
'sql1${environment().suffixes.sqlServerHostname}'
]
sourceIpGroups: [
ipgroup1.id
ipgroup2.id
]
}
]
}
}
]
networkRuleCollections: [
{
name: 'netRc1'
properties: {
priority: 200
action: {
type: 'Allow'
}
rules: [
{
name: 'networkRule'
description: 'desc1'
protocols: [
'UDP'
'TCP'
'ICMP'
]
sourceAddresses: [
'10.0.0.0'
'111.1.0.0/23'
]
sourceIpGroups: [
ipgroup1.id
]
destinationIpGroups: [
ipgroup2.id
]
destinationPorts: [
'90'
]
}
]
}
}
]
}
}
output location string = location
output name string = firewall.name
output resourceGroupName string = resourceGroup().name
output resourceId string = firewall.id
Più risorse di Azure sono definite nel file Bicep:
- Microsoft.Network/ipGroups
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
Distribuire il file Bicep
Salvare il file Bicep come main.bicep nel computer locale.
Distribuire il file Bicep usando l'interfaccia della riga di comando di Azure o Azure PowerShell.
az group create --name exampleRG --location eastus az deployment group create --resource-group exampleRG --template-file main.bicep
Verrà richiesto di immettere i valori seguenti:
- Amministrazione Nome utente: digitare nome utente per l'account utente amministratore
- Amministrazione password: digitare una password o una chiave di amministratore
Al termine della distribuzione, verrà visualizzato un messaggio che indica che la distribuzione ha avuto esito positivo.
Esaminare le risorse distribuite
Usare la portale di Azure, l'interfaccia della riga di comando di Azure o Azure PowerShell per convalidare la distribuzione e esaminare le risorse distribuite.
az resource list --resource-group exampleRG
Per informazioni sulla sintassi e le proprietà bicep per un firewall in un file Bicep, vedere Informazioni di riferimento sul modello di AzureFirewalls di Microsoft.Network.
Pulire le risorse
Quando non sono più necessari, usare la portale di Azure, l'interfaccia della riga di comando di Azure o Azure PowerShell per rimuovere il gruppo di risorse, il firewall e tutte le risorse correlate.
az group delete --name exampleRG