Creare una rete per applicazioni multilivelloCreate a network for multi-tier applications

Questo script di esempio crea una rete virtuale con subnet front-end e back-end.This script sample creates a virtual network with front-end and back-end subnets. Il traffico verso la subnet front-end è limitato a HTTP e SSH, mentre il traffico verso la subnet back-end è limitato a MySQL sulla porta 3306.Traffic to the front-end subnet is limited to HTTP and SSH, while traffic to the back-end subnet is limited to MySQL, port 3306. Dopo aver eseguito lo script saranno presenti due macchine virtuali, una in ogni subnet in cui è possibile distribuire server Web e software MySQL.After running the script, you will have two virtual machines, one in each subnet that you can deploy web server and MySQL software to.

Se necessario, installare Azure PowerShell usando l'istruzione presente nella Guida di Azure PowerShell e quindi eseguire Login-AzureRmAccount per creare una connessione con Azure.If needed, install the Azure PowerShell using the instruction found in the Azure PowerShell guide, and then run Login-AzureRmAccount to create a connection with Azure.

Se non si ha una sottoscrizione di Azure, creare un account gratuito prima di iniziare.If you don't have an Azure subscription, create a free account before you begin.

Script di esempioSample script

# Variables for common values
$rgName='MyResourceGroup'
$location='eastus'

# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Create a resource group.
New-AzureRmResourceGroup -Name $rgName -Location $location

# Create a virtual network with a front-end subnet and back-end subnet.
$fesubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create an NSG rule to allow HTTP traffic in from the Internet to the front-end subnet.
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTP-All' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

# Create an NSG rule to allow RDP traffic from the Internet to the front-end subnet.
$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389


# Create a network security group for the front-end subnet.
$nsgfe = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name 'MyNsg-FrontEnd' -SecurityRules $rule1,$rule2

# Associate the front-end NSG to the front-end subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsgfe

# Create an NSG rule to allow SQL traffic from the front-end subnet to the back-end subnet.
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-SQL-FrontEnd' -Description "Allow SQL" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 1433

# Create an NSG rule to allow RDP traffic from the Internet to the back-end subnet.
$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for back-end subnet.
$nsgbe = New-AzureRmNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-BackEnd" -SecurityRules $rule1,$rule2

# Associate the back-end NSG to the back-end subnet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
  -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $nsgbe

# Create a public IP address for the web server VM.
$publicipvm1 = New-AzureRmPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-Web' `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the web server VM.
$nicVMweb = New-AzureRmNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name 'MyNic-Web' -PublicIpAddress $publicipvm1 -NetworkSecurityGroup $nsgfe -Subnet $vnet.Subnets[0]

# Create a Web Server VM in the front-end subnet
$vmConfig = New-AzureRmVMConfig -VMName 'MyVm-Web' -VMSize 'Standard_DS2' | `
  Set-AzureRmVMOperatingSystem -Windows -ComputerName 'MyVm-Web' -Credential $cred | `
  Set-AzureRmVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version latest | Add-AzureRmVMNetworkInterface -Id $nicVMweb.Id

$vmweb = New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create a public IP address for the SQL VM.
$publicipvm2 = New-AzureRmPublicIpAddress -ResourceGroupName $rgName -Name MyPublicIP-Sql `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the SQL VM.
$nicVMsql = New-AzureRmNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-Sql -PublicIpAddress $publicipvm2 -NetworkSecurityGroup $nsgbe -Subnet $vnet.Subnets[1] 

# Create a SQL VM in the back-end subnet.
$vmConfig = New-AzureRmVMConfig -VMName 'MyVm-Sql' -VMSize 'Standard_DS2' | `
  Set-AzureRmVMOperatingSystem -Windows -ComputerName 'MyVm-Sql' -Credential $cred | `
  Set-AzureRmVMSourceImage -PublisherName 'MicrosoftSQLServer' -Offer 'SQL2016-WS2016' `
  -Skus 'Web' -Version latest | Add-AzureRmVMNetworkInterface -Id $nicVMsql.Id

$vmsql = New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (must be done after VM creation)
$rule3 = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description "Deny Internet All" `
  -Access Deny -Protocol Tcp -Direction Outbound -Priority 300 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Add NSG rule to Back-end NSG
$nsgbe.SecurityRules.add($rule3)

Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsgbe

Pulire la distribuzioneClean up deployment

Eseguire questo comando per rimuovere il gruppo di risorse, la macchina virtuale e tutte le risorse correlate.Run the following command to remove the resource group, VM, and all related resources.

Remove-AzureRmResourceGroup -Name myResourceGroup

Spiegazione dello scriptScript explanation

Questo script usa i comandi seguenti per creare un gruppo di risorse, una rete virtuale e i gruppi di sicurezza di rete.This script uses the following commands to create a resource group, virtual network, and network security groups. Ogni comando della tabella include collegamenti alla documentazione specifica del comando.Each command in the table links to command-specific documentation.

ComandoCommand NoteNotes
New-AzureRmResourceGroupNew-AzureRmResourceGroup Consente di creare un gruppo di risorse in cui sono archiviate tutte le risorse.Creates a resource group in which all resources are stored.
New-AzureRmVirtualNetworkNew-AzureRmVirtualNetwork Consente di creare una rete virtuale e una subnet front-end di Azure.Creates an Azure virtual network and front-end subnet.
New-AzureRmVirtualNetworkSubnetConfigNew-AzureRmVirtualNetworkSubnetConfig Consente di creare una subnet back-end.Creates a back-end subnet.
New-AzureRmPublicIpAddressNew-AzureRmPublicIpAddress Consente di creare un indirizzo IP pubblico per accedere alla VM da Internet.Creates a public IP address to access the VM from the Internet.
New-AzureRmNetworkInterfaceNew-AzureRmNetworkInterface Consente di creare interfacce di rete virtuale e di associarle alle subnet front-end e back-end della rete virtuale.Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets.
New-AzureRmNetworkSecurityGroupNew-AzureRmNetworkSecurityGroup Consente di creare gruppi di sicurezza di rete associati alle subnet front-end e back-end.Creates network security groups (NSG) that are associated to the front-end and back-end subnets.
New-AzureRmNetworkSecurityRuleConfigNew-AzureRmNetworkSecurityRuleConfig Consente di creare regole del gruppo di sicurezza di rete che consentono o bloccano porte specifiche su subnet specifiche.Creates NSG rules that allow or block specific ports to specific subnets.
New-AzureRmVMNew-AzureRmVM Consente di creare macchine virtuali e associa una NIC a ogni VM.Creates virtual machines and attaches a NIC to each VM. Questo comando specifica anche l'immagine della macchina virtuale da usare e le credenziali di amministrazione.This command also specifies the virtual machine image to use and administrative credentials.
Remove-AzureRmResourceGroupRemove-AzureRmResourceGroup Consente di eliminare un gruppo di risorse e tutte le risorse in esso contenute.Deletes a resource group and all resources it contains.

Passaggi successiviNext steps

Per altre informazioni su Azure PowerShell, vedere la documentazione di Azure PowerShell.For more information on the Azure PowerShell, see Azure PowerShell documentation.

Altri esempi di script di PowerShell per la rete sono disponibili nella documentazione con la panoramica delle reti di Azure.Additional networking PowerShell script samples can be found in the Azure Networking Overview documentation.