Quickstart: Secure your virtual hub using Azure Firewall Manager - ARM template
In this quickstart, you use an Azure Resource Manager template (ARM template) to secure your virtual hub using Azure Firewall Manager. The deployed firewall has an application rule that allows connections to www.microsoft.com. Two Windows Server 2019 virtual machines are deployed to test the firewall. One jump server is used to connect to the workload server. From the workload server, you can only connect to www.microsoft.com.
An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.
For more information about Azure Firewall Manager, see What is Azure Firewall Manager?.
If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template opens in the Azure portal.
Prerequisites
- An Azure account with an active subscription. Create an account for free.
Review the template
This template creates a secured virtual hub using Azure Firewall Manager, along with the resources needed to support the scenario.
The template used in this quickstart is from Azure Quickstart Templates.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.9.1.41621",
      "templateHash": "1093777410793723808"
    }
  },
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Admin username for the servers"
      }
    },
    "adminPassword": {
      "type": "secureString",
      "metadata": {
        "description": "Password for the admin account on the servers"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_D2_v3",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/virtualWans",
      "apiVersion": "2021-08-01",
      "name": "VWan-01",
      "location": "[parameters('location')]",
      "properties": {
        "disableVpnEncryption": false,
        "allowBranchToBranchTraffic": true,
        "type": "Standard"
      }
    },
    {
      "type": "Microsoft.Network/virtualHubs",
      "apiVersion": "2021-08-01",
      "name": "Hub-01",
      "location": "[parameters('location')]",
      "properties": {
        "addressPrefix": "10.1.0.0/16",
        "virtualWan": {
          "id": "[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', 'Hub-01', 'hub-spoke')]",
      "properties": {
        "remoteVirtualNetwork": {
          "id": "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
        },
        "allowHubToRemoteVnetTransit": true,
        "allowRemoteVnetToUseHubVnetGateways": false,
        "enableInternetSecurity": true,
        "routingConfiguration": {
          "associatedRouteTable": {
            "id": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]"
          },
          "propagatedRouteTables": {
            "labels": [
              "VNet"
            ],
            "ids": [
              {
                "id": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]"
              }
            ]
          }
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]",
        "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]",
        "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]",
        "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/firewallPolicies",
      "apiVersion": "2021-08-01",
      "name": "Policy-01",
      "location": "[parameters('location')]",
      "properties": {
        "threatIntelMode": "Alert"
      }
    },
    {
      "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', 'Policy-01', 'DefaultApplicationRuleCollectionGroup')]",
      "properties": {
        "priority": 300,
        "ruleCollections": [
          {
            "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": "RC-01",
            "priority": 100,
            "action": {
              "type": "Allow"
            },
            "rules": [
              {
                "ruleType": "ApplicationRule",
                "name": "Allow-msft",
                "sourceAddresses": [
                  "*"
                ],
                "protocols": [
                  {
                    "port": 80,
                    "protocolType": "Http"
                  },
                  {
                    "port": 443,
                    "protocolType": "Https"
                  }
                ],
                "targetFqdns": [
                  "*.microsoft.com"
                ]
              }
            ]
          }
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2021-08-01",
      "name": "AzfwTest",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "AZFW_Hub",
          "tier": "Standard"
        },
        "hubIPAddresses": {
          "publicIPs": {
            "count": 1
          }
        },
        "virtualHub": {
          "id": "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
        },
        "firewallPolicy": {
          "id": "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]",
        "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-08-01",
      "name": "Spoke-01",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "enableDdosProtection": false,
        "enableVmProtection": false
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', 'Spoke-01', 'Workload-SN')]",
      "properties": {
        "addressPrefix": "10.0.1.0/24",
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', 'Spoke-01', 'Jump-SN')]",
      "properties": {
        "addressPrefix": "10.0.2.0/24",
        "routeTable": {
          "id": "[resourceId('Microsoft.Network/routeTables', 'RT-01')]"
        },
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'RT-01')]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]",
        "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "name": "Jump-Srv",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "StandardSSD_LRS"
            },
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "Jump-Srv",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true
          },
          "allowExtensionOperations": true
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
      ]
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2022-03-01",
      "name": "Workload-Srv",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "StandardSSD_LRS"
            },
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "Workload-Srv",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true
          },
          "allowExtensionOperations": true
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
      ]
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-08-01",
      "name": "netInterface-workload-srv",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]"
      ]
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2021-08-01",
      "name": "netInterface-jump-srv",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]"
              },
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Jump-SN')]"
              },
              "primary": true,
              "privateIPAddressVersion": "IPv4"
            }
          }
        ],
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]",
        "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Jump-SN')]"
      ]
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-08-01",
      "name": "nsg-jump-srv",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "RDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 300,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-08-01",
      "name": "nsg-workload-srv",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-08-01",
      "name": "publicIP-jump-srv",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Static",
        "idleTimeoutInMinutes": 4
      }
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2021-08-01",
      "name": "RT-01",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "jump-to-inet",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "Internet"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualHubs/hubRouteTables",
      "apiVersion": "2021-08-01",
      "name": "[format('{0}/{1}', 'Hub-01', 'RT_VNet')]",
      "properties": {
        "routes": [
          {
            "name": "Workload-SNToFirewall",
            "destinationType": "CIDR",
            "destinations": [
              "10.0.1.0/24"
            ],
            "nextHopType": "ResourceId",
            "nextHop": "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
          },
          {
            "name": "InternetToFirewall",
            "destinationType": "CIDR",
            "destinations": [
              "0.0.0.0/0"
            ],
            "nextHopType": "ResourceId",
            "nextHop": "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
          }
        ],
        "labels": [
          "VNet"
        ]
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]",
        "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
      ]
    }
  ]
}
```
Multiple Azure resources are defined in the template:
- Microsoft.Network/virtualWans
- Microsoft.Network/virtualHubs
- Microsoft.Network/firewallPolicies
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Compute/virtualMachines
- Microsoft.Storage/storageAccounts
- Microsoft.Network/networkInterfaces
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/routeTables
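Before deploying a template like this one, it is worth checking in code the settings that actually make the hub "secured": that the hub route table sends the workload subnet and 0.0.0.0/0 to the firewall, that the spoke connection has Internet security enabled and is associated with that route table, that the firewall policy's Allow rules only target the expected FQDNs, and that no NSG admits RDP from any source. The following Python script is an added example, not code from the Microsoft docs page or the Azure Quickstart Templates project. The TEMPLATE dict is a constructed excerpt that reuses the page's resource names and values; the function names (review_template, resource_name, firewall_ref, without_route) are this example's own, and review_template() also accepts the full template loaded with json.load().

```python
"""Static review of the quickstart's ARM template (added example, not the page's code).

Checks: hub routes next-hop to the firewall and a default route exists; the spoke
connection has Internet security on and a hub route table associated; Allow rules
only target expected FQDNs; no NSG allows inbound RDP from any source.
"""
import json
import re

FW = "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
RT = "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]"

# Constructed excerpt of the template (same resource names and values as the page).
TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections",
     "name": "[format('{0}/{1}', 'Hub-01', 'hub-spoke')]",
     "properties": {"enableInternetSecurity": True,
                    "routingConfiguration": {"associatedRouteTable": {"id": RT}}}},
    {"type": "Microsoft.Network/virtualHubs/hubRouteTables",
     "name": "[format('{0}/{1}', 'Hub-01', 'RT_VNet')]",
     "properties": {"routes": [
         {"name": "Workload-SNToFirewall", "destinationType": "CIDR",
          "destinations": ["10.0.1.0/24"], "nextHopType": "ResourceId", "nextHop": FW},
         {"name": "InternetToFirewall", "destinationType": "CIDR",
          "destinations": ["0.0.0.0/0"], "nextHopType": "ResourceId", "nextHop": FW}]}},
    {"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
     "name": "[format('{0}/{1}', 'Policy-01', 'DefaultApplicationRuleCollectionGroup')]",
     "properties": {"ruleCollections": [{"action": {"type": "Allow"}, "rules": [
         {"ruleType": "ApplicationRule", "name": "Allow-msft",
          "sourceAddresses": ["*"], "targetFqdns": ["*.microsoft.com"]}]}]}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-jump-srv",
     "properties": {"securityRules": [{"name": "RDP", "properties": {
         "protocol": "Tcp", "destinationPortRange": "3389", "sourceAddressPrefix": "*",
         "access": "Allow", "direction": "Inbound"}}]}},
]}


def resource_name(resource):
    """Plain 'parent/child' name from a literal or a [format('{0}/{1}', ...)] expression."""
    m = re.match(r"\[format\('\{0\}/\{1\}',\s*'([^']+)',\s*'([^']+)'\)\]", resource["name"])
    return f"{m.group(1)}/{m.group(2)}" if m else resource["name"]


def of_type(template, rtype):
    return [r for r in template["resources"] if r["type"] == rtype]


def firewall_ref(expr):
    """Firewall name inside a [resourceId('Microsoft.Network/azureFirewalls', 'X')] expression."""
    m = re.search(r"azureFirewalls',\s*'([^']+)'", expr or "")
    return m.group(1) if m else None


def review_template(template, firewall="AzfwTest", allowed_fqdns=("*.microsoft.com",)):
    """Return 'FAIL ...' / 'WARN ...' findings; an empty list means the template passes."""
    findings = []
    # 1. Hub route table: every route next-hops to the firewall and a default route exists.
    default_to_fw = False
    for rt in of_type(template, "Microsoft.Network/virtualHubs/hubRouteTables"):
        for route in rt["properties"].get("routes", []):
            if route.get("nextHopType") != "ResourceId" or firewall_ref(route.get("nextHop")) != firewall:
                findings.append(f"FAIL route {route['name']} in {resource_name(rt)} does not next-hop to {firewall}")
            elif "0.0.0.0/0" in route.get("destinations", []):
                default_to_fw = True
    if not default_to_fw:
        findings.append("FAIL no 0.0.0.0/0 route to the firewall in any hub route table")
    # 2. Spoke connection: Internet security on and a hub route table associated.
    for conn in of_type(template, "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections"):
        props = conn["properties"]
        if not props.get("enableInternetSecurity"):
            findings.append(f"FAIL {resource_name(conn)} has enableInternetSecurity off")
        assoc = props.get("routingConfiguration", {}).get("associatedRouteTable", {}).get("id", "")
        if "hubRouteTables" not in assoc:
            findings.append(f"FAIL {resource_name(conn)} is not associated with a hub route table")
    # 3. Firewall policy: Allow collections may only target the expected FQDNs.
    for group in of_type(template, "Microsoft.Network/firewallPolicies/ruleCollectionGroups"):
        for coll in group["properties"].get("ruleCollections", []):
            if coll.get("action", {}).get("type") != "Allow":
                continue
            for rule in coll.get("rules", []):
                extra = [f for f in rule.get("targetFqdns", []) if f not in allowed_fqdns]
                if extra:
                    findings.append(f"FAIL rule {rule['name']} allows unexpected FQDNs {extra}")
    # 4. NSG: flag inbound RDP allowed from any source (the page's jump host NSG does this).
    for nsg in of_type(template, "Microsoft.Network/networkSecurityGroups"):
        for rule in nsg["properties"].get("securityRules", []):
            p = rule["properties"]
            if (p.get("direction") == "Inbound" and p.get("access") == "Allow"
                    and p.get("sourceAddressPrefix") in ("*", "Internet", "0.0.0.0/0")
                    and p.get("destinationPortRange") in ("3389", "*")):
                findings.append(f"WARN {nsg['name']}/{rule['name']} allows RDP (3389) inbound from any source")
    return findings


def without_route(template, route_name):
    """Deep copy of the template with one hub route removed (to show a failing review)."""
    clone = json.loads(json.dumps(template))
    for rt in of_type(clone, "Microsoft.Network/virtualHubs/hubRouteTables"):
        rt["properties"]["routes"] = [r for r in rt["properties"]["routes"] if r["name"] != route_name]
    return clone


if __name__ == "__main__":
    for line in review_template(TEMPLATE) or ["PASS no findings"]:
        print(line)
```

Run against the page's template, the only finding is the warning that nsg-jump-srv accepts RDP from any source. The quickstart needs that rule for its test path (you reach Jump-Srv over its public IP), but in a deployment that outlives the test you would narrow sourceAddressPrefix to the addresses you manage from, or front the jump host with Azure Bastion. Removing the InternetToFirewall route turns the review into a FAIL, which is exactly the misconfiguration that would let the workload subnet bypass the firewall.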
Deploy the template
Deploy the ARM template to Azure:
Select Deploy to Azure to sign in to Azure and open the template. The template creates an Azure Firewall, a virtual WAN and virtual hub, the network infrastructure, and two virtual machines.
In the portal, on the Secured virtual hubs page, type or select the following values:
- Subscription: Select from existing subscriptions
- Resource group: Select from existing resource groups, or select Create new, and then select OK.
- Location: Select a location
- Admin Username: Type the username for the administrator user account
- Admin Password: Type an administrator password or key
Select Review + create, and then select Create. The deployment can take 10 minutes or longer to complete.
Validate the deployment
Now, test the firewall to confirm that it works as expected.
In the Azure portal, review the network settings for the Workload-Srv virtual machine and note the private IP address.
Connect a remote desktop to the Jump-Srv virtual machine, and sign in. From there, open a remote desktop connection to the Workload-Srv private IP address.
Open Internet Explorer and browse to www.microsoft.com. Select OK > Close on the Internet Explorer security alerts.
You should see the Microsoft home page.
Browse to www.google.com. The firewall should block you.
So now you've verified that the firewall rules are working:
- You can browse to the one allowed FQDN, but not to any others.
Clean up resources
When you no longer need the resources that you created for the firewall, delete the resource group. This removes the firewall and all the related resources.
To delete the resource group, call the Remove-AzResourceGroup cmdlet:
```powershell
Remove-AzResourceGroup -Name "<your resource group name>"
```