Szybki start: tworzenie usługi Azure Firewall i grup adresów IP — szablon usługi ARM
W tym przewodniku Szybki start użyjesz szablonu usługi Azure Resource Manager (szablonu usługi ARM), aby wdrożyć usługę Azure Firewall z przykładowymi grupami adresów IP używanymi w regule sieciowej i regule aplikacji. Grupa adresów IP to zasób najwyższego poziomu, który umożliwia definiowanie i grupowanie adresów IP, zakresów i podsieci w pojedynczy obiekt. Jest to przydatne w przypadku zarządzania adresami IP w regułach usługi Azure Firewall. Możesz ręcznie wprowadzić adresy IP lub zaimportować je z pliku.
Szablon usługi Azure Resource Manager to plik JavaScript Object Notation (JSON), który definiuje infrastrukturę i konfigurację projektu. W szablonie używana jest składnia deklaratywna. Możesz opisać zamierzone wdrożenie bez konieczności pisania sekwencji poleceń programowania w celu utworzenia wdrożenia.
Jeśli Twoje środowisko spełnia wymagania wstępne i masz doświadczenie w korzystaniu z szablonów ARM, wybierz przycisk Wdróż na platformie Azure. Szablon zostanie otwarty w witrynie Azure Portal.
- Konto platformy Azure z aktywną subskrypcją. Utwórz konto bezpłatnie.
Ten szablon tworzy usługę Azure Firewall i grupy adresów IP wraz z niezbędnymi zasobami do obsługi usługi Azure Firewall.
Szablon używany w tym przewodniku Szybki start jest jednym z szablonów szybkiego startu platformy Azure.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.25.53.49325",
"templateHash": "9380698035208685611"
}
},
"parameters": {
"virtualNetworkName": {
"type": "string",
"defaultValue": "[format('vnet{0}', uniqueString(resourceGroup().id))]",
"metadata": {
"description": "virtual network name"
}
},
"ipgroups_name1": {
"type": "string",
"defaultValue": "[format('ipgroup1{0}', uniqueString(resourceGroup().id))]"
},
"ipgroups_name2": {
"type": "string",
"defaultValue": "[format('ipgroup2{0}', uniqueString(resourceGroup().id))]"
},
"adminUsername": {
"type": "string",
"metadata": {
"description": "Username for the Virtual Machine."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_D2s_v3",
"metadata": {
"description": "Zone numbers e.g. 1,2,3."
}
},
"numberOfFirewallPublicIPAddresses": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 100,
"metadata": {
"description": "Number of public IP addresses for the Azure Firewall"
}
},
"authenticationType": {
"type": "string",
"defaultValue": "sshPublicKey",
"allowedValues": [
"sshPublicKey",
"password"
],
"metadata": {
"description": "Type of authentication to use on the Virtual Machine. SSH key is recommended."
}
},
"adminPasswordOrKey": {
"type": "securestring",
"metadata": {
"description": "SSH Key or password for the Virtual Machine. SSH key is recommended."
}
}
},
"variables": {
"copy": [
{
"name": "azureFirewallIpConfigurations",
"count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]",
"input": {
"name": "[format('IpConf{0}', range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')])]",
"properties": {
"subnet": {
"id": "[if(equals(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')], 0), variables('azureFirewallSubnetId'), null())]"
},
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex('azureFirewallIpConfigurations')]], 1)))]"
}
}
}
}
],
"vnetAddressPrefix": "10.0.0.0/16",
"serversSubnetPrefix": "10.0.2.0/24",
"azureFirewallSubnetPrefix": "10.0.1.0/24",
"jumpboxSubnetPrefix": "10.0.0.0/24",
"nextHopIP": "10.0.1.4",
"azureFirewallSubnetName": "AzureFirewallSubnet",
"jumpBoxSubnetName": "JumpboxSubnet",
"serversSubnetName": "ServersSubnet",
"jumpBoxPublicIPAddressName": "JumpHostPublicIP",
"jumpBoxNsgName": "JumpHostNSG",
"jumpBoxNicName": "JumpHostNic",
"jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
"serverNicName": "ServerNic",
"serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
"storageAccountName": "[format('{0}sajumpbox', uniqueString(resourceGroup().id))]",
"azfwRouteTableName": "AzfwRouteTable",
"firewallName": "firewall1",
"publicIPNamePrefix": "publicIP",
"azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
"linuxConfiguration": {
"disablePasswordAuthentication": true,
"ssh": {
"publicKeys": [
{
"path": "[format('/home/{0}/.ssh/authorized_keys', parameters('adminUsername'))]",
"keyData": "[parameters('adminPasswordOrKey')]"
}
]
}
},
"networkSecurityGroupName": "[format('{0}-nsg', variables('serversSubnetName'))]"
},
"resources": [
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2023-09-01",
"name": "[parameters('ipgroups_name1')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"13.73.64.64/26",
"13.73.208.128/25",
"52.126.194.0/23"
]
}
},
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2023-09-01",
"name": "[parameters('ipgroups_name2')]",
"location": "[parameters('location')]",
"properties": {
"ipAddresses": [
"12.0.0.0/24",
"13.9.0.0/24"
]
}
},
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {}
},
{
"type": "Microsoft.Network/routeTables",
"apiVersion": "2023-09-01",
"name": "[variables('azfwRouteTableName')]",
"location": "[parameters('location')]",
"properties": {
"disableBgpRoutePropagation": false,
"routes": [
{
"name": "AzfwDefaultRoute",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "VirtualAppliance",
"nextHopIpAddress": "[variables('nextHopIP')]"
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2023-09-01",
"name": "[variables('networkSecurityGroupName')]",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2023-09-01",
"name": "[parameters('virtualNetworkName')]",
"location": "[parameters('location')]",
"tags": {
"displayName": "[parameters('virtualNetworkName')]"
},
"properties": {
"addressSpace": {
"addressPrefixes": [
"[variables('vnetAddressPrefix')]"
]
},
"subnets": [
{
"name": "[variables('jumpBoxSubnetName')]",
"properties": {
"addressPrefix": "[variables('jumpboxSubnetPrefix')]"
}
},
{
"name": "[variables('azureFirewallSubnetName')]",
"properties": {
"addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
}
},
{
"name": "[variables('serversSubnetName')]",
"properties": {
"addressPrefix": "[variables('serversSubnetPrefix')]",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
},
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
]
},
{
"copy": {
"name": "publicIP",
"count": "[length(range(0, parameters('numberOfFirewallPublicIPAddresses')))]"
},
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2023-09-01",
"name": "[format('{0}{1}', variables('publicIPNamePrefix'), add(range(0, parameters('numberOfFirewallPublicIPAddresses'))[copyIndex()], 1))]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAllocationMethod": "Static",
"publicIPAddressVersion": "IPv4"
}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2023-09-01",
"name": "[variables('jumpBoxPublicIPAddressName')]",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic"
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2023-09-01",
"name": "[variables('jumpBoxNsgName')]",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "myNetworkSecurityGroupRuleSSH",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 1000,
"direction": "Inbound"
}
}
]
}
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2023-09-01",
"name": "[variables('jumpBoxNicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]"
},
"subnet": {
"id": "[variables('jumpBoxSubnetId')]"
}
}
}
],
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]",
"[resourceId('Microsoft.Network/publicIPAddresses', variables('jumpBoxPublicIPAddressName'))]",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2023-09-01",
"name": "[variables('serverNicName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('serverSubnetId')]"
}
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-09-01",
"name": "JumpBox",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "18.04-LTS",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage"
}
},
"osProfile": {
"computerName": "JumpBox",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPasswordOrKey')]",
"linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), json('null'), variables('linuxConfiguration'))]"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('jumpBoxNicName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2023-09-01",
"name": "Server",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "Canonical",
"offer": "UbuntuServer",
"sku": "18.04-LTS",
"version": "latest"
},
"osDisk": {
"createOption": "FromImage"
}
},
"osProfile": {
"computerName": "Server",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPasswordOrKey')]",
"linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]"
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]"
}
]
},
"diagnosticsProfile": {
"bootDiagnostics": {
"enabled": true,
"storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-01-01').primaryEndpoints.blob]"
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', variables('serverNicName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2023-09-01",
"name": "[variables('firewallName')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
"applicationRuleCollections": [
{
"name": "appRc1",
"properties": {
"priority": 101,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "someAppRule",
"protocols": [
{
"protocolType": "Http",
"port": 8080
}
],
"targetFqdns": [
"*bing.com"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name1'))]"
]
},
{
"name": "someOtherAppRule",
"protocols": [
{
"protocolType": "Mssql",
"port": 1433
}
],
"targetFqdns": [
"[format('sql1{0}', environment().suffixes.sqlServerHostname)]"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name1'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name2'))]"
]
}
]
}
}
],
"networkRuleCollections": [
{
"name": "netRc1",
"properties": {
"priority": 200,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "networkRule",
"description": "desc1",
"protocols": [
"UDP",
"TCP",
"ICMP"
],
"sourceAddresses": [
"10.0.0.0",
"111.1.0.0/23"
],
"sourceIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name1'))]"
],
"destinationIpGroups": [
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name2'))]"
],
"destinationPorts": [
"90"
]
}
]
}
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name1'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('ipgroups_name2'))]",
"publicIP",
"[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
]
}
],
"outputs": {
"location": {
"type": "string",
"value": "[parameters('location')]"
},
"name": {
"type": "string",
"value": "[variables('firewallName')]"
},
"resourceGroupName": {
"type": "string",
"value": "[resourceGroup().name]"
},
"resourceId": {
"type": "string",
"value": "[resourceId('Microsoft.Network/azureFirewalls', variables('firewallName'))]"
}
}
}
W szablonie zdefiniowano wiele zasobów platformy Azure:
- Microsoft.Network/ipGroups
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
Wdróż szablon usługi ARM na platformie Azure:
Wybierz pozycję Wdróż na platformie Azure, aby zalogować się na platformie Azure i otworzyć szablon. Szablon tworzy usługę Azure Firewall, infrastrukturę sieci i dwie maszyny wirtualne.
W portalu na stronie Tworzenie usługi Azure Firewall z grupami ip wpisz lub wybierz następujące wartości:
- Subskrypcja: wybierz z istniejących subskrypcji
- Grupa zasobów: wybierz z istniejących grup zasobów lub wybierz pozycję Utwórz nową, a następnie wybierz przycisk OK.
- Lokalizacja: wybierz lokalizację
- Nazwa sieci wirtualnej: wpisz nazwę nowej sieci wirtualnej
- Nazwa grupy adresów IP 1: nazwa typu grupy adresów IP 1
- Nazwa grupy adresów IP 2: nazwa typu grupy adresów IP 2
- Nazwa użytkownika administratora: wpisz nazwę użytkownika konta użytkownika administratora
- Uwierzytelnianie: wybierz pozycję sshPublicKey lub hasło
- Hasło administratora: wpisz hasło lub klucz administratora
Wybierz pozycję Zgadzam się na powyższe warunki i postanowienia, a następnie wybierz pozycję Kup. Ukończenie wdrożenia może potrwać 10 minut lub dłużej.
W witrynie Azure Portal przejrzyj wdrożone zasoby, zwłaszcza reguły zapory korzystające z grup adresów IP.
Aby dowiedzieć się więcej o składni i właściwościach JSON zapory w szablonie, zobacz Microsoft.Network azureFirewalls template reference (Dokumentacja szablonu usługi Microsoft.Network azureFirewalls).
Jeśli nie potrzebujesz już zasobów utworzonych za pomocą zapory, usuń grupę zasobów. Spowoduje to usunięcie zapory i wszystkich powiązanych zasobów.
Aby usunąć grupę zasobów, wywołaj Remove-AzResourceGroup
polecenie cmdlet:
Remove-AzResourceGroup -Name "<your resource group name>"