快速入门:部署具有可用性区域的 Azure 防火墙 - Bicep
本快速入门使用 Bicep 在三个可用性区域中部署 Azure 防火墙。
Bicep 是一种特定于域的语言 (DSL),使用声明性语法来部署 Azure 资源。 它提供简明的语法、可靠的类型安全性以及对代码重用的支持。 Bicep 会针对你的 Azure 基础结构即代码解决方案提供最佳创作体验。
此 Bicep 文件创建带防火墙的测试网络环境。 网络具有一个虚拟网络 (VNet),其中包含三个子网:AzureFirewallSubnet、ServersSubnet 和 JumpboxSubnet。 ServersSubnet 和 JumpboxSubnet 子网各包含一个 Linux (CBL-Mariner 2) 虚拟机(默认大小为 Standard_D2s_v3,可通过 jumpBoxSize 和 serverSize 参数调整);两台虚拟机共用同一组 adminUsername/adminPassword。
防火墙位于 AzureFirewallSubnet 子网中,并配置有两个规则集合:一个应用程序规则集合,其中包含允许 ServersSubnet 通过 HTTP/HTTPS 访问 www.microsoft.com 的单个规则;以及一个网络规则集合,允许 ServersSubnet 通过 TCP 访问任意目标地址 (*) 的 8000-8999 端口。 在沙盒以外的环境中重用此模板前,应收窄该网络规则的目标地址范围。
一个用户定义的路由 (UDR) 将来自 ServersSubnet 子网的全部出站流量 (0.0.0.0/0) 引导至防火墙的专用 IP,使其受防火墙规则的约束。 JumpboxSubnet 未关联此路由表,跳转主机通过自身的公共 IP 直接与 Internet 通信。
有关 Azure 防火墙的详细信息,请参阅使用 Azure 门户部署和配置 Azure 防火墙。
- 具有活动订阅的 Azure 帐户。 免费创建帐户。
此 Bicep 文件创建具有可用性区域的 Azure 防火墙,以及用于支持 Azure 防火墙的必要资源。
本快速入门中使用的 Bicep 文件来自 Azure 快速入门模板。
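// ---- Deployment parameters ----------------------------------------------
// Values a caller may override at deployment time. Everything else in the
// file is derived from these or fixed in the var block below.

@description('Virtual network name.')
param virtualNetworkName string = 'test-vnet'

@description('Location for all resources.')
param location string = resourceGroup().location

// One credential pair is reused for BOTH virtual machines (JumpBox and Server).
@description('Admin username for both virtual machines (JumpBox and Server).')
param adminUsername string

// @secure() keeps the value out of deployment history, outputs and logs.
// The VMs are Linux and do not disable password authentication, so this
// password is a login credential on an Internet-facing jump box: use a
// strong, unique value, and prefer SSH keys for anything beyond a test.
@description('Admin password for both virtual machines.')
@secure()
param adminPassword string

// Zones the firewall and its public IPs are spread across. An empty array
// produces a non-zonal firewall (see the `zones` expression on the firewall).
@description('Availability zone numbers e.g. 1,2,3.')
param availabilityZones array = [
  '1'
  '2'
  '3'
]

@description('Number of public IP addresses for the Azure Firewall')
@minValue(1)
@maxValue(100)
param numberOfFirewallPublicIPAddresses int = 1

// The two size parameters previously carried identical descriptions; they
// size different VMs.
@description('Size of the jump box virtual machine (JumpboxSubnet).')
param jumpBoxSize string = 'Standard_D2s_v3'

@description('Size of the server virtual machine (ServersSubnet).')
param serverSize string = 'Standard_D2s_v3'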
// ---- Address plan, derived names and firewall IP configurations ----------

// One /16 VNet carved into three /24 subnets.
var vnetAddressPrefix = '10.0.0.0/16'
var jumpboxSubnetPrefix = '10.0.0.0/24'
var azureFirewallSubnetPrefix = '10.0.1.0/24'
var serversSubnetPrefix = '10.0.2.0/24'

// Next hop for the ServersSubnet default route. Hard-coded to the first
// usable host of azureFirewallSubnetPrefix (Azure reserves .0-.3 of each
// subnet, so the firewall is expected to land on .4); it cannot be read
// from the firewall resource because that would create a route table ->
// firewall -> VNet -> route table dependency cycle. Keep it in sync with
// azureFirewallSubnetPrefix.
var nextHopIP = '10.0.1.4'

// Subnet names. 'AzureFirewallSubnet' is the name the service requires.
var azureFirewallSubnetName = 'AzureFirewallSubnet'
var jumpBoxSubnetName = 'JumpboxSubnet'
var serversSubnetName = 'ServersSubnet'

// Jump box networking.
var jumpBoxPublicIPAddressName = 'JumpHostPublicIP'
var jumpBoxNsgName = 'JumpHostNSG'
var jumpBoxNicName = 'JumpHostNic'
var jumpBoxSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, jumpBoxSubnetName)

// Server networking.
var serverNicName = 'ServerNic'
var serverSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, serversSubnetName)
var networkSecurityGroupName = '${serversSubnetName}-nsg'

// Boot-diagnostics storage; uniqueString() keeps the name unique per resource group.
var storageAccountName = '${uniqueString(resourceGroup().id)}sajumpbox'

// Firewall, its route table and its public IPs.
var azfwRouteTableName = 'AzfwRouteTable'
var firewallName = 'firewall1'
var publicIPNamePrefix = 'publicIP'
var azureFirewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkName, azureFirewallSubnetName)
var azureFirewallSubnetJSON = {
  id: azureFirewallSubnetId
}

// One IP configuration per firewall public IP. Only the first configuration
// carries the subnet reference; every further one attaches a public IP only.
var azureFirewallIpConfigurations = [for i in range(0, numberOfFirewallPublicIPAddresses): {
  name: 'IpConf${i}'
  properties: {
    subnet: i == 0 ? azureFirewallSubnetJSON : null
    publicIPAddress: {
      id: publicIPAddress[i].id
    }
  }
}]
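// Storage account that receives boot-diagnostics output for both VMs
// (storageUri on JumpBoxVM and ServerVM). Serial-console output can carry
// hostnames, user names and error detail, so the account is hardened:
// HTTPS-only, TLS 1.2 minimum, no anonymous blob access. The original
// declared an empty properties block and inherited service defaults.
// NOTE(review): kind 'Storage' (general-purpose v1) is kept for
// compatibility; 'StorageV2' is the recommended kind for new accounts.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'Storage'
  properties: {
    // The VMs reference the https primary blob endpoint, so refusing
    // plain HTTP and pre-1.2 TLS clients costs nothing here.
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    // Nothing written by boot diagnostics should be anonymously readable.
    allowBlobPublicAccess: false
  }
}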
// Route table attached to ServersSubnet: a single default route sends
// every destination (0.0.0.0/0) to the firewall's private IP, so all
// egress from the servers is subject to the firewall rule collections.
resource azfwRouteTable 'Microsoft.Network/routeTables@2021-03-01' = {
  name: azfwRouteTableName
  location: location
  properties: {
    // Routes learned by a virtual network gateway are still propagated.
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'AzfwDefaultRoute'
        properties: {
          addressPrefix: '0.0.0.0/0'
          // nextHopIP is the firewall's expected private address in AzureFirewallSubnet.
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nextHopIP
        }
      }
    ]
  }
}
// NSG attached to ServersSubnet. No custom rules are declared, so only the
// platform default rules apply; egress control for this subnet comes from
// the firewall (via azfwRouteTable), not from this NSG.
resource nsg 'Microsoft.Network/networkSecurityGroups@2021-03-01' = {
  name: networkSecurityGroupName
  location: location
  properties: {}
}
// The test VNet and its three subnets. Only ServersSubnet is wired to the
// firewall route table and an NSG at subnet level; the jump box subnet
// relies on the NSG attached to its NIC, and AzureFirewallSubnet has
// neither attached.
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
  name: virtualNetworkName
  location: location
  tags: {
    displayName: virtualNetworkName
  }
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetAddressPrefix
      ]
    }
    subnets: [
      {
        // Jump box subnet: no UDR, so the jump box talks to the Internet
        // directly through its own public IP.
        name: jumpBoxSubnetName
        properties: {
          addressPrefix: jumpboxSubnetPrefix
        }
      }
      {
        // Firewall subnet; nextHopIP must fall inside this prefix.
        name: azureFirewallSubnetName
        properties: {
          addressPrefix: azureFirewallSubnetPrefix
        }
      }
      {
        // Server subnet: default route forced through the firewall.
        name: serversSubnetName
        properties: {
          addressPrefix: serversSubnetPrefix
          routeTable: {
            id: azfwRouteTable.id
          }
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}
// Public IPs for the firewall, numbered publicIP1..publicIPn. Standard SKU
// with static allocation, pinned to the same zones as the firewall so a
// zonal firewall does not depend on a non-zonal address.
resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-03-01' = [for i in range(0, numberOfFirewallPublicIPAddresses): {
  name: '${publicIPNamePrefix}${i + 1}'
  location: location
  sku: {
    name: 'Standard'
  }
  zones: availabilityZones
  properties: {
    publicIPAddressVersion: 'IPv4'
    publicIPAllocationMethod: 'Static'
  }
}]
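// Public IP for the jump box. The original used the (default) Basic SKU
// with dynamic allocation; Basic SKU public IPs are on Microsoft's
// retirement path, so this is now Standard SKU, which requires a static
// address. Standard SKU addresses also deny inbound traffic unless an NSG
// explicitly allows it -- jumpBoxNsg on the jump box NIC is that NSG.
resource jumpBoxPublicIPAddress 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
  name: jumpBoxPublicIPAddressName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
  }
}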
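// NSG on the jump box NIC. The single inbound allowance is the SSH port,
// because the jump box image is Linux (CBL-Mariner 2, see JumpBoxVM); the
// original opened 3389/RDP instead, which a default Linux image does not
// serve, so the jump box was not actually reachable for management.
//
// SECURITY: sourceAddressPrefix '*' exposes the management port to every
// Internet address. Outside a throwaway sandbox, replace '*' with the
// operator's address range, or drop the public IP and front the VM with
// Azure Bastion.
resource jumpBoxNsg 'Microsoft.Network/networkSecurityGroups@2021-05-01' = {
  name: jumpBoxNsgName
  location: location
  properties: {
    securityRules: [
      {
        name: 'myNetworkSecurityGroupRuleSSH'
        properties: {
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '22'
          sourceAddressPrefix: '*'
          destinationAddressPrefix: '*'
          access: 'Allow'
          priority: 1000
          direction: 'Inbound'
        }
      }
    ]
  }
}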
// NIC for the jump box: one dynamic private address in JumpboxSubnet, the
// jump box public IP, and jumpBoxNsg applied at NIC level (the subnet
// itself has no NSG).
resource JumpBoxNic 'Microsoft.Network/networkInterfaces@2021-05-01' = {
  name: jumpBoxNicName
  location: location
  properties: {
    networkSecurityGroup: {
      id: jumpBoxNsg.id
    }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: jumpBoxSubnetId
          }
          privateIPAllocationMethod: 'Dynamic'
          publicIPAddress: {
            id: jumpBoxPublicIPAddress.id
          }
        }
      }
    ]
  }
  // The subnet is referenced by resourceId(), which gives no implicit
  // dependency on the VNet, hence the explicit one.
  dependsOn: [
    virtualNetwork
  ]
}
// NIC for the server: private address only in ServersSubnet, no public IP.
// Its outbound path is the subnet's default route to the firewall.
resource ServerNic 'Microsoft.Network/networkInterfaces@2021-05-01' = {
  name: serverNicName
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: {
            id: serverSubnetId
          }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
  }
  // resourceId() on the subnet gives no implicit dependency on the VNet.
  dependsOn: [
    virtualNetwork
  ]
}
// Internet-facing jump box: a Linux (CBL-Mariner 2, gen2) VM whose only NIC
// carries the public IP and jumpBoxNsg.
resource JumpBoxVM 'Microsoft.Compute/virtualMachines@2021-11-01' = {
  name: 'JumpBox'
  location: location
  tags: {
    // Tag carried over from the upstream quickstart template; its meaning
    // is not defined in this file.
    AzSecPackAutoConfigReady: true
  }
  properties: {
    hardwareProfile: {
      vmSize: jumpBoxSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftCBLMariner'
        offer: 'cbl-mariner'
        sku: 'cbl-mariner-2-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        osType: 'Linux'
        diskSizeGB: 127
      }
    }
    osProfile: {
      computerName: 'JumpBox'
      // Same credential pair as ServerVM.
      adminUsername: adminUsername
      adminPassword: adminPassword
      // NOTE(review): no ssh block and disablePasswordAuthentication is not
      // set, so password logins remain enabled on a host exposed through a
      // public IP. SSH keys (linuxConfiguration.ssh.publicKeys) are the safer
      // default -- confirm against the intended use.
      linuxConfiguration: {
        patchSettings: {
          patchMode: 'AutomaticByPlatform'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: JumpBoxNic.id
        }
      ]
    }
    // Serial-console output and screenshots go to the shared storage account.
    diagnosticsProfile: {
      bootDiagnostics: {
        enabled: true
        storageUri: storageAccount.properties.primaryEndpoints.blob
      }
    }
  }
}
// Workload VM in ServersSubnet: same Linux image and credentials as the
// jump box, but no public IP; all egress goes through the firewall.
resource ServerVM 'Microsoft.Compute/virtualMachines@2021-11-01' = {
  name: 'Server'
  location: location
  tags: {
    // Tag carried over from the upstream quickstart template; its meaning
    // is not defined in this file.
    AzSecPackAutoConfigReady: true
  }
  properties: {
    hardwareProfile: {
      vmSize: serverSize
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftCBLMariner'
        offer: 'cbl-mariner'
        sku: 'cbl-mariner-2-gen2'
        version: 'latest'
      }
      osDisk: {
        createOption: 'FromImage'
        osType: 'Linux'
        diskSizeGB: 127
      }
    }
    osProfile: {
      computerName: 'Server'
      // Same credential pair as JumpBoxVM: compromising the jump box
      // password also yields this host.
      adminUsername: adminUsername
      adminPassword: adminPassword
      linuxConfiguration: {
        patchSettings: {
          patchMode: 'AutomaticByPlatform'
        }
      }
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: ServerNic.id
        }
      ]
    }
    // Serial-console output and screenshots go to the shared storage account.
    diagnosticsProfile: {
      bootDiagnostics: {
        enabled: true
        storageUri: storageAccount.properties.primaryEndpoints.blob
      }
    }
  }
}
// Azure Firewall using classic rule collections (no firewall policy), spread
// across availabilityZones together with its public IPs; an empty zone list
// yields a non-zonal firewall. threatIntelMode is not set, so the service
// default applies -- set it explicitly if you want threat-intel blocking.
resource firewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: firewallName
  location: location
  zones: empty(availabilityZones) ? null : availabilityZones
  properties: {
    ipConfigurations: azureFirewallIpConfigurations
    // Application rule: ServersSubnet may reach www.microsoft.com over HTTP
    // and HTTPS, and nothing else at L7.
    applicationRuleCollections: [
      {
        name: 'appRc1'
        properties: {
          priority: 101
          action: {
            type: 'Allow'
          }
          rules: [
            {
              name: 'appRule1'
              sourceAddresses: [
                serversSubnetPrefix
              ]
              targetFqdns: [
                'www.microsoft.com'
              ]
              protocols: [
                {
                  protocolType: 'Http'
                  port: 80
                }
                {
                  protocolType: 'Https'
                  port: 443
                }
              ]
            }
          ]
        }
      }
    ]
    // Network rule: ServersSubnet may open TCP 8000-8999 to ANY destination.
    // This is a broad egress allowance that the page's "single rule"
    // description does not cover; narrow destinationAddresses before
    // reusing the template outside a sandbox.
    networkRuleCollections: [
      {
        name: 'netRc1'
        properties: {
          priority: 200
          action: {
            type: 'Allow'
          }
          rules: [
            {
              name: 'netRule1'
              sourceAddresses: [
                serversSubnetPrefix
              ]
              destinationAddresses: [
                '*'
              ]
              destinationPorts: [
                '8000-8999'
              ]
              protocols: [
                'TCP'
              ]
            }
          ]
        }
      }
    ]
  }
  // The public IPs are already an implicit dependency through
  // azureFirewallIpConfigurations; the VNet is only referenced by
  // resourceId(), so it needs the explicit entry.
  dependsOn: [
    virtualNetwork
    publicIPAddress
  ]
}
该 Bicep 文件中定义了多个 Azure 资源:
- Microsoft.Storage/storageAccounts
- Microsoft.Network/routeTables
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/virtualNetworks
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/networkInterfaces
- Microsoft.Compute/virtualMachines
- Microsoft.Network/azureFirewalls
将该 Bicep 文件在本地计算机上另存为 main.bicep。 使用 Azure CLI 或 Azure PowerShell 来部署该 Bicep 文件。
az group create --name exampleRG --location eastus
az deployment group create --resource-group exampleRG --template-file main.bicep --parameters adminUsername=<admin-user>
备注
将 <admin-user> 替换为虚拟机的管理员登录用户名。 系统会提示输入 adminPassword;该用户名和密码同时用于跳转主机和服务器两台虚拟机。 注意:模板中跳转主机 NSG 的入站规则使用 sourceAddressPrefix '*',即允许任意 Internet 地址访问管理端口;若并非一次性测试环境,请在部署前将其限制为你自己的 IP 范围。
部署完成后,应会看到一条指出部署成功的消息。
使用 Azure 门户、Azure CLI 或 Azure PowerShell 验证部署并查看已部署的资源。
az resource list --resource-group exampleRG
若要了解 Bicep 文件中防火墙的语法和属性,请参阅 Microsoft.Network/azureFirewalls。
如果不再需要资源,请使用 Azure 门户、Azure CLI 或 Azure PowerShell 删除资源组、防火墙和所有相关资源。
az group delete --name exampleRG
接下来,可以监视 Azure 防火墙日志。