Filtrare il traffico della VM in ingresso e in uscitaFilter inbound and outbound VM network traffic

Questo script di esempio crea una rete virtuale con subnet front-end e back-end.This script sample creates a virtual network with front-end and back-end subnets. Il traffico di rete in ingresso alla subnet front-end è limitato a HTTP e HTTPS, mentre il traffico in uscita verso Internet dalla subnet back-end non è consentito.Inbound network traffic to the front-end subnet is limited to HTTP, and HTTPS, while outbound traffic to the Internet from the back-end subnet is not permitted. Dopo aver eseguito lo script sarà presente una macchina virtuale con due NIC.After running the script, you will have one virtual machine with two NICs. Ogni NIC è collegata a una subnet diversa.Each NIC is connected to a different subnet.

Se necessario, installare Azure PowerShell usando l'istruzione presente nella Guida di Azure PowerShell e quindi eseguire Connect-AzureRmAccount per creare una connessione con Azure.If needed, install the Azure PowerShell using the instruction found in the Azure PowerShell guide, and then run Connect-AzureRmAccount to create a connection with Azure.

Se non si ha una sottoscrizione di Azure, creare un account gratuito prima di iniziare.If you don't have an Azure subscription, create a free account before you begin.

Script di esempioSample script

# Variables for common values
$rgName='MyResourceGroup'
$location='eastus'

# Create user object
$cred = Get-Credential -Message 'Enter a username and password for the virtual machine.'

# Create a resource group.
New-AzureRmResourceGroup -Name $rgName -Location $location

# Create a virtual network, a front-end subnet, and a back-end subnet.
$fesubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'

$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create NSG rules to allow HTTP & HTTPS traffic inbound.
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTP-ALL' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTPS-All' -Description 'Allow HTTPS' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 443

# Create an NSG rule to allow RDP traffic in from the Internet to the front-end subnet.
$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description 'Allow RDP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group (NSG) for the front-end subnet.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-FrontEnd" -SecurityRules $rule1,$rule2,$rule3

# Associate the front-end NSG to the front-end subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix 10.0.1.0/24 -NetworkSecurityGroup $nsg

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (inbound blocked by default).
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description "Deny all Internet" `
  -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Create a network security group for the back-end subnet.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-BackEnd" -SecurityRules $rule1

# Associate the back-end NSG to the back-end subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-backEnd' `
  -AddressPrefix 10.0.2.0/24 -NetworkSecurityGroup $nsg

# Create a public IP address for the VM front-end network interface.
$publicipvm = New-AzureRmPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-FrontEnd' `
  -location $location -AllocationMethod Dynamic

# Create a network interface for the VM attached to the front-end subnet.
$nicVMfe = New-AzureRmNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-FrontEnd -PublicIpAddress $publicipvm -Subnet $vnet.Subnets[0]

# Create a network interface for the VM attached to the back-end subnet.
$nicVMbe = New-AzureRmNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-BackEnd -Subnet $vnet.Subnets[1]

# Create the VM with both the FrontEnd and BackEnd NICs.
$vmConfig = New-AzureRmVMConfig -VMName 'myVM' -VMSize Standard_DS2 | `
  Set-AzureRmVMOperatingSystem -Windows -ComputerName 'myVM' -Credential $cred | `
  Set-AzureRmVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version 'latest'
    
$vmconfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -id $nicVMfe.Id -Primary
$vmconfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -id $nicVMbe.Id

# Create a virtual machine
$vm = New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

Pulire la distribuzioneClean up deployment

Eseguire questo comando per rimuovere il gruppo di risorse, la macchina virtuale e tutte le risorse correlate.Run the following command to remove the resource group, VM, and all related resources.

Remove-AzureRmResourceGroup -Name myResourceGroup

Spiegazione dello scriptScript explanation

Questo script usa i comandi seguenti per creare un gruppo di risorse, una rete virtuale e i gruppi di sicurezza di rete.This script uses the following commands to create a resource group, virtual network, and network security groups. Ogni comando della tabella include collegamenti alla documentazione specifica del comando.Each command in the table links to command-specific documentation.

ComandoCommand NoteNotes
New-AzureRmResourceGroupNew-AzureRmResourceGroup Consente di creare un gruppo di risorse in cui sono archiviate tutte le risorse.Creates a resource group in which all resources are stored.
New-AzureRmVirtualNetworkSubnetConfigNew-AzureRmVirtualNetworkSubnetConfig Crea un oggetto di configurazione di subnetCreates a subnet configuration object
New-AzureRmVirtualNetworkNew-AzureRmVirtualNetwork Consente di creare una rete virtuale e una subnet front-end di Azure.Creates an Azure virtual network and front-end subnet.
New-AzureRmNetworkSecurityRuleConfigNew-AzureRmNetworkSecurityRuleConfig Crea regole di sicurezza da assegnare a un gruppo di sicurezza di rete.Creates security rules to be assigned to a network security group.
New-AzureRmNetworkSecurityGroupNew-AzureRmNetworkSecurityGroup Consente di creare regole del gruppo di sicurezza di rete che consentono o bloccano porte specifiche su subnet specifiche.Creates NSG rules that allow or block specific ports to specific subnets.
Set-AzureRmVirtualNetworkSubnetConfigSet-AzureRmVirtualNetworkSubnetConfig Consente di associare i gruppi di risorse di rete alla subnet.Associates NSGs to subnets.
New-AzureRmPublicIpAddressNew-AzureRmPublicIpAddress Consente di creare un indirizzo IP pubblico per accedere alla VM da Internet.Creates a public IP address to access the VM from the Internet.
New-AzureRmNetworkInterfaceNew-AzureRmNetworkInterface Consente di creare interfacce di rete virtuale e di associarle alle subnet front-end e back-end della rete virtuale.Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
New-AzureRmVMConfigNew-AzureRmVMConfig Crea una configurazione di VM.Creates a VM configuration. Questa configurazione include informazioni quali il nome della VM, il sistema operativo e le credenziali amministrative.This configuration includes information such as VM name, operating system, and administrative credentials. La configurazione viene usata durante la creazione della VM.The configuration is used during VM creation.
New-AzureRmVMNew-AzureRmVM Creare una macchina virtuale.Create a virtual machine.
Remove-AzureRmResourceGroupRemove-AzureRmResourceGroup Rimuove un gruppo di risorse e tutte le risorse contenute al suo interno.Removes a resource group and all resources contained within.

Passaggi successiviNext steps

Per altre informazioni su Azure PowerShell, vedere la documentazione di Azure PowerShell.For more information on the Azure PowerShell, see Azure PowerShell documentation.

Altri esempi di script di PowerShell per la rete sono disponibili nella documentazione con la panoramica delle reti di Azure.Additional networking PowerShell script samples can be found in the Azure Networking Overview documentation.