Notitie
Voor toegang tot deze pagina is autorisatie vereist. U kunt proberen u aan te melden of de directory te wijzigen.
Voor toegang tot deze pagina is autorisatie vereist. U kunt proberen de mappen te wijzigen.
In deze quickstart gebruikt u een Azure Resource Manager-sjabloon (ARM-sjabloon) om een Azure Firewall in drie beschikbaarheidszones te implementeren.
Een Azure Resource Manager-sjabloon is een JSON-bestand (JavaScript Object Notation) dat de infrastructuur en configuratie voor uw project definieert. Voor de sjabloon is declaratieve syntaxis vereist. U beschrijft de beoogde implementatie zonder de reeks programmeeropdrachten te schrijven om de implementatie te maken.
Met de sjabloon wordt een testnetwerkomgeving gemaakt met een firewall. Het netwerk heeft één virtueel netwerk (VNet) met drie subnetten: AzureFirewallSubnet, ServersSubnet en JumpboxSubnet. De subnetten ServersSubnet en JumpboxSubnet hebben elk een enkele virtuele Windows Server-machine met twee kernen.
De firewall bevindt zich in het subnet AzureFirewallSubnet en heeft een toepassingsregelverzameling met één regel die toegang geeft tot www.microsoft.com.
Een door de gebruiker gedefinieerde route leidt het netwerkverkeer vanuit het subnet ServersSubnet door de firewall, waar de firewallregels worden toegepast.
Raadpleeg voor meer informatie over Azure Firewall Azure Firewall implementeren en configureren met Azure Portal.
Als uw omgeving voldoet aan de vereisten en u benkend bent met het gebruik van ARM-sjablonen, selecteert u de knop Implementeren naar Azure. De sjabloon wordt in Azure Portal geopend.
Vereisten
- Een Azure-account met een actief abonnement. Gratis een account maken
De sjabloon controleren
Met deze sjabloon maakt u een Azure-firewall met beschikbaarheidszones, samen met de benodigde resources die ondersteuning bieden voor de Azure-firewall.
De sjabloon die in deze quickstart wordt gebruikt, komt uit Azure-snelstartsjablonen.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.28.1.47646",
"templateHash": "1943314503988412451"
}
},
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "test-vnet",
"metadata": {
"description": "virtual network name"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"adminPassword": {
"type": "securestring",
"metadata": {
"description": "Password for the Virtual Machine."
}
},
"availabilityZones": {
"type": "array",
"defaultValue": [
"1",
"2",
"3"
],
"metadata": {
"description": "Availability zone numbers e.g. 1,2,3."
}
},
"numberOfFirewallPublicIPAddresses": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 100,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"jumpBoxSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "Size of the virtual machine."
}
},
"serverSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "Size of the virtual machine."
}
}
},
"variables": {
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]",
"input": {
"name": "[format('IpConf{0}', range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')])]",
"properties": {
"subnet": "[if(equals(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 0), variables('azureFirewallSubnetJSON'), json('null'))]",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')]], 1)))]"
}
}
}
}
],
"vnetAddressPrefix": "10.0.0.0/16",
"serversSubnetPrefix": "10.0.2.0/24",
"azureFirewallSubnetPrefix": "10.0.1.0/24",
"jumpboxSubnetPrefix": "10.0.0.0/24",
"nextHopIP": "10.0.1.4",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"jumpBoxSubnetName": "JumpboxSubnet",
"serversSubnetName": "ServersSubnet",
"jumpBoxPublicIPAddressName": "JumpHostPublicIP",
"jumpBoxNsgName": "JumpHostNSG",
"jumpBoxNicName": "JumpHostNic",
"jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
"serverNicName": "ServerNic",
"serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
"storageAccountName": "[format('{0}sajumpbox', uniqueString(resourceGroup().id))]",
"azfwRouteTableName": "AzfwRouteTable",
"firewallName": "firewall1",
"publicIPNamePrefix": "publicIP",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
"networkSecurityGroupName": "[format('{0}-nsg', variables('serversSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-08-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "Storage",
"properties": {}
},
{
"type": "Microsoft.Network/routeTables",
"apiVersion": "2021-03-01",
"name": "[variables('azfwRouteTableName')]",
"location": "[parameters('location')]",
"properties": {
"disableBgpRoutePropagation": false,
"routes": [
{
"name": "AzfwDefaultRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[variables('nextHopIP')]"
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-03-01",
"name": "[variables('networkSecurityGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-05-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('jumpBoxSubnetName')]",
"properties": {
"addressPrefix": "[variables('jumpboxSubnetPrefix')]"
}
},
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
},
{
"name": "[variables('serversSubnetName')]",
"properties": {
"addressPrefix": "[variables('serversSubnetPrefix')]",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
},
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
]
},
{
"copy": {
"name": "publicIPAddress",
"count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]"
},
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-03-01",
"name": "[format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex()], 1))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
},
"zones": "[parameters('availabilityZones')]"
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-03-01",
"name": "[variables('jumpBoxPublicIPAddressName')]",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic"
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-05-01",
"name": "[variables('jumpBoxNsgName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "myNetworkSecurityGroupRuleRDP",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1000,
"direction": "Inbound"
}
}
]
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-05-01",
"name": "[variables('jumpBoxNicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]"
},
"subnet": {
"id": "[variables('jumpBoxSubnetId')]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]",
"[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-05-01",
"name": "[variables('serverNicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('serverSubnetId')]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-11-01",
"name": "JumpBox",
"location": "[parameters('location')]",
"tags": {
"AzSecPackAutoConfigReady": true
},
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('jumpBoxSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftCBLMariner",
"offer": "cbl-mariner",
"sku": "cbl-mariner-2-gen2",
"version": "latest"
},
"osDisk": {
"osType": "Linux",
"createOption": "FromImage",
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "JumpBox",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"linuxConfiguration": {
"patchSettings": {
"patchMode": "AutomaticByPlatform"
}
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2021-08-01').primaryEndpoints.blob]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2021-11-01",
"name": "Server",
"location": "[parameters('location')]",
"tags": {
"AzSecPackAutoConfigReady": true
},
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('serverSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftCBLMariner",
"offer": "cbl-mariner",
"sku": "cbl-mariner-2-gen2",
"version": "latest"
},
"osDisk": {
"osType": "Linux",
"createOption": "FromImage",
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "Server",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"linuxConfiguration": {
"patchSettings": {
"patchMode": "AutomaticByPlatform"
}
}
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2021-08-01').primaryEndpoints.blob]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2021-05-01",
"name": "[variables('firewallName')]",
"location": "[parameters('location')]",
"zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"applicationRuleCollections": [
{
"name": "appRc1",
"properties": {
"priority": 101,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "appRule1",
"protocols": [
{
"port": 80,
"protocolType": "Http"
},
{
"port": 443,
"protocolType": "Https"
}
],
"targetFqdns": [
"www.microsoft.com"
],
"sourceAddresses": [
"10.0.2.0/24"
]
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netRc1",
"properties": {
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "netRule1",
"protocols": [
"TCP"
],
"sourceAddresses": [
"10.0.2.0/24"
],
"destinationAddresses": [
"*"
],
"destinationPorts": [
"8000-8999"
]
}
]
}
}
]
},
"dependsOn": [
"publicIPAddress",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
}
]
}
Er worden meerdere Azure-resources gedefinieerd in de sjabloon:
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
De sjabloon implementeren
Het ARM-sjabloon implementeren in Azure:
Selecteer Implementeren in Azure om u aan te melden bij Azure en de sjabloon te openen. Met de sjabloon maakt u een Azure-firewall, de netwerkinfrastructuur en twee virtuele machines.
Typ of selecteer de volgende waarden in de portal, op de pagina Een sandbox-instelling maken met Azure-firewall met zones:
- Resourcegroep: Selecteer Nieuwe maken, typ een naam voor de resourcegroep en selecteer OK.
- Naam van virtueel netwerk: typ een naam voor het nieuwe VNet.
- Gebruikersnaam van beheerder: typ een gebruikersnaam voor het gebruikersaccount van de beheerder.
- Beheerderswachtwoord: typ een beheerderswachtwoord.
Lees de voorwaarden en schakel vervolgens het selectievakje Ik ga akkoord met de bovenstaande voorwaarden in en selecteer Aankoop. De implementatie kan 10 minuten of langer duren.
Ingezette middelen bekijken
Verken de resources die naast de firewall zijn gecreëerd.
Raadpleeg Microsoft.Network/azureFirewalls voor meer informatie over de syntaxis en eigenschappen van JSON voor een firewall in een sjabloon.
Middelen opschonen
Wanneer u ze niet meer nodig hebt, kunt u de resourcegroep, de firewall en alle gerelateerde resources verwijderen door de PowerShell-opdracht Remove-AzResourceGroup uit te voeren. Wanneer u een resourcegroep met de naam myResourceGroup wilt verwijderen, voert u het volgende uit:
Remove-AzResourceGroup -Name MyResourceGroup
Verwijder de resourcegroep en de firewall niet als u van plan bent om door te gaan met de zelfstudie over firewallbewaking.
Volgende stappen
Als volgende kunt u de Azure Firewall-logboeken bewaken.