Inicio rápido: Protección de un centro virtual mediante Azure Firewall Manager: plantilla de Resource Manager
En este inicio rápido, usará una plantilla de Azure Resource Manager para proteger el centro virtual mediante Azure Firewall Manager. El firewall implementado tiene una regla de aplicación que permite conexiones a www.microsoft.com. Para probar el firewall, se implementan dos máquinas virtuales con Windows Server 2019. Para realizar la conexión al servidor de cargas de trabajo, se usa un servidor de saltos. Desde el servidor de cargas de trabajo, solo puede conectarse a www.microsoft.com.
Una plantilla de Resource Manager es un archivo de notación de objetos JavaScript (JSON) que define la infraestructura y la configuración del proyecto. La plantilla usa sintaxis declarativa. En la sintaxis declarativa, se describe la implementación deseada sin escribir la secuencia de comandos de programación para crearla.
Para más información sobre Azure Firewall Manager, consulte ¿Qué es Azure Firewall Manager?
Si su entorno cumple los requisitos previos y está familiarizado con el uso de plantillas de Resource Manager, seleccione el botón Implementar en Azure. La plantilla se abrirá en Azure Portal.
Requisitos previos
- Una cuenta de Azure con una suscripción activa. Cree una cuenta gratuita.
Revisión de la plantilla
Esta plantilla crea un centro virtual protegido mediante Azure Firewall Manager, junto con los recursos necesarios para admitir el escenario.
La plantilla usada en este inicio rápido forma parte de las plantillas de inicio rápido de Azure.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.7.4.23292",
"templateHash": "15419145689866476339"
}
},
"parameters": {
"adminUsername": {
"type": "string",
"metadata": {
"description": "Admin username for the servers"
}
},
"adminPassword": {
"type": "secureString",
"metadata": {
"description": "Password for the admin account on the servers"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"vmSize": {
"type": "string",
"defaultValue": "Standard_D2_v3",
"metadata": {
"description": "Size of the virtual machine."
}
}
},
"resources": [
{
"type": "Microsoft.Network/virtualWans",
"apiVersion": "2021-08-01",
"name": "VWan-01",
"location": "[parameters('location')]",
"properties": {
"disableVpnEncryption": false,
"allowBranchToBranchTraffic": true,
"type": "Standard"
}
},
{
"type": "Microsoft.Network/virtualHubs",
"apiVersion": "2021-08-01",
"name": "Hub-01",
"location": "[parameters('location')]",
"properties": {
"addressPrefix": "10.1.0.0/16",
"virtualWan": {
"id": "[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualWans', 'VWan-01')]"
]
},
{
"type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections",
"apiVersion": "2021-08-01",
"name": "[format('{0}/{1}', 'Hub-01', 'hub-spoke')]",
"properties": {
"remoteVirtualNetwork": {
"id": "[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
},
"allowHubToRemoteVnetTransit": true,
"allowRemoteVnetToUseHubVnetGateways": false,
"enableInternetSecurity": true,
"routingConfiguration": {
"associatedRouteTable": {
"id": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]"
},
"propagatedRouteTables": {
"labels": [
"VNet"
],
"ids": [
{
"id": "[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]"
}
]
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]",
"[resourceId('Microsoft.Network/virtualHubs/hubRouteTables', 'Hub-01', 'RT_VNet')]",
"[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]",
"[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
]
},
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2021-08-01",
"name": "Policy-01",
"location": "[parameters('location')]",
"properties": {
"threatIntelMode": "Alert"
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2021-08-01",
"name": "[format('{0}/{1}', 'Policy-01', 'DefaultApplicationRuleCollectionGroup')]",
"properties": {
"priority": 300,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"name": "RC-01",
"priority": 100,
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "ApplicationRule",
"name": "Allow-msft",
"sourceAddresses": [
"*"
],
"protocols": [
{
"port": 80,
"protocolType": "Http"
},
{
"port": 443,
"protocolType": "Https"
}
],
"targetFqdns": [
"*.microsoft.com"
]
}
]
}
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
]
},
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2021-08-01",
"name": "AzfwTest",
"location": "[parameters('location')]",
"properties": {
"sku": {
"name": "AZFW_Hub",
"tier": "Standard"
},
"hubIPAddresses": {
"publicIPs": {
"count": 1
}
},
"virtualHub": {
"id": "[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
},
"firewallPolicy": {
"id": "[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', 'Policy-01')]",
"[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
]
},
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2021-08-01",
"name": "Spoke-01",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"enableDdosProtection": false,
"enableVmProtection": false
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2021-08-01",
"name": "[format('{0}/{1}', 'Spoke-01', 'Workload-SN')]",
"properties": {
"addressPrefix": "10.0.1.0/24",
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
]
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2021-08-01",
"name": "[format('{0}/{1}', 'Spoke-01', 'Jump-SN')]",
"properties": {
"addressPrefix": "10.0.2.0/24",
"routeTable": {
"id": "[resourceId('Microsoft.Network/routeTables', 'RT-01')]"
},
"privateEndpointNetworkPolicies": "Enabled",
"privateLinkServiceNetworkPolicies": "Enabled"
},
"dependsOn": [
"[resourceId('Microsoft.Network/routeTables', 'RT-01')]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]",
"[resourceId('Microsoft.Network/virtualNetworks', 'Spoke-01')]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-03-01",
"name": "Jump-Srv",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"createOption": "FromImage",
"caching": "ReadWrite",
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
},
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "Jump-Srv",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true
},
"allowExtensionOperations": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-jump-srv')]"
]
},
{
"type": "Microsoft.Compute/virtualMachines",
"apiVersion": "2022-03-01",
"name": "Workload-Srv",
"location": "[parameters('location')]",
"properties": {
"hardwareProfile": {
"vmSize": "[parameters('vmSize')]"
},
"storageProfile": {
"imageReference": {
"publisher": "MicrosoftWindowsServer",
"offer": "WindowsServer",
"sku": "2019-Datacenter",
"version": "latest"
},
"osDisk": {
"osType": "Windows",
"createOption": "FromImage",
"caching": "ReadWrite",
"managedDisk": {
"storageAccountType": "StandardSSD_LRS"
},
"diskSizeGB": 127
}
},
"osProfile": {
"computerName": "Workload-Srv",
"adminUsername": "[parameters('adminUsername')]",
"adminPassword": "[parameters('adminPassword')]",
"windowsConfiguration": {
"provisionVMAgent": true,
"enableAutomaticUpdates": true
},
"allowExtensionOperations": true
},
"networkProfile": {
"networkInterfaces": [
{
"id": "[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
}
]
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkInterfaces', 'netInterface-workload-srv')]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-08-01",
"name": "netInterface-workload-srv",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-workload-srv')]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Workload-SN')]"
]
},
{
"type": "Microsoft.Network/networkInterfaces",
"apiVersion": "2021-08-01",
"name": "netInterface-jump-srv",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]"
},
"subnet": {
"id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Jump-SN')]"
},
"primary": true,
"privateIPAddressVersion": "IPv4"
}
}
],
"enableAcceleratedNetworking": false,
"enableIPForwarding": false,
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-jump-srv')]",
"[resourceId('Microsoft.Network/publicIPAddresses', 'publicIP-jump-srv')]",
"[resourceId('Microsoft.Network/virtualNetworks/subnets', 'Spoke-01', 'Jump-SN')]"
]
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-08-01",
"name": "nsg-jump-srv",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "RDP",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 300,
"direction": "Inbound"
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-08-01",
"name": "nsg-workload-srv",
"location": "[parameters('location')]",
"properties": {}
},
{
"type": "Microsoft.Network/publicIPAddresses",
"apiVersion": "2021-08-01",
"name": "publicIP-jump-srv",
"location": "[parameters('location')]",
"sku": {
"name": "Standard"
},
"properties": {
"publicIPAddressVersion": "IPv4",
"publicIPAllocationMethod": "Static",
"idleTimeoutInMinutes": 4
}
},
{
"type": "Microsoft.Network/routeTables",
"apiVersion": "2021-08-01",
"name": "RT-01",
"location": "[parameters('location')]",
"properties": {
"disableBgpRoutePropagation": false,
"routes": [
{
"name": "jump-to-inet",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopType": "Internet"
}
}
]
}
},
{
"type": "Microsoft.Network/virtualHubs/hubRouteTables",
"apiVersion": "2021-08-01",
"name": "[format('{0}/{1}', 'Hub-01', 'RT_VNet')]",
"properties": {
"routes": [
{
"name": "Workload-SNToFirewall",
"destinationType": "CIDR",
"destinations": [
"10.0.1.0/24"
],
"nextHopType": "ResourceId",
"nextHop": "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
},
{
"name": "InternetToFirewall",
"destinationType": "CIDR",
"destinations": [
"0.0.0.0/0"
],
"nextHopType": "ResourceId",
"nextHop": "[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]"
}
],
"labels": [
"VNet"
]
},
"dependsOn": [
"[resourceId('Microsoft.Network/azureFirewalls', 'AzfwTest')]",
"[resourceId('Microsoft.Network/virtualHubs', 'Hub-01')]"
]
}
]
}
En la plantilla se definen varios recursos de Azure:
- Microsoft.Network/virtualWans
- Microsoft.Network/virtualHubs
- Microsoft.Network/firewallPolicies
- Microsoft.Network/azureFirewalls
- Microsoft.Network/virtualNetworks
- Microsoft.Compute/virtualMachines:
- Microsoft.Storage/storageAccounts
- Microsoft.Network/networkInterfaces
- Microsoft.Network/networkSecurityGroups
- Microsoft.Network/publicIPAddresses
- Microsoft.Network/routeTables
Implementación de la plantilla
Implementación de la plantilla de Resource Manager en Azure:
Seleccione Implementar en Azure para iniciar sesión en Azure y abrir la plantilla. La plantilla crea una instancia de Azure Firewall, una WAN virtual y un centro virtual, la infraestructura de red y dos máquinas virtuales.
En el portal, en la página Centros virtuales protegidos, escriba o seleccione los valores siguientes:
- Suscripción: seleccione una de las suscripciones existentes.
- Grupo de recursos: seleccione uno de los grupos de recursos existentes o elija Crear nuevo y, luego, Aceptar.
- Ubicación: Seleccionar una ubicación
- Nombre de usuario de administrador: escriba un nombre de usuario para la cuenta de usuario de administrador.
- Contraseña de administrador: escriba una contraseña o clave de administrador.
Seleccione Revisar y crear y, luego, Crear. La implementación puede tardar 10 minutos o más en completarse.
Validación de la implementación
Ahora, pruebe las reglas de firewall para confirmar que funcionan según lo previsto.
En Azure Portal, revise la configuración de red de la máquina virtual Workload-Srv y anote la dirección IP privada.
Conecte un escritorio remoto a la máquina virtual Jump-Srv e inicie sesión. Desde ahí, abra una conexión del escritorio remoto a la dirección IP privada de Workload-Srv.
Abra Internet Explorer y vaya a
www.microsoft.com.Seleccione Aceptar>Cerrar en las alertas de seguridad de Internet Explorer.
Debería ver la página principal de Microsoft.
Vaya a
www.google.com.El firewall debería bloquearle.
Con ello, ha comprobado que las reglas de firewall funcionan:
- Puede navegar al FQDN permitido pero no a ningún otro.
Limpieza de recursos
Cuando ya no necesite los recursos que ha creado con el firewall, elimine el grupo de recursos. Esta acción quita el firewall y todos los recursos relacionados.
Para eliminar el grupo de recursos, llame al cmdlet Remove-AzResourceGroup:
Remove-AzResourceGroup -Name "<your resource group name>"