Route traffic through a network virtual appliance

This script sample creates a virtual network with front-end and back-end subnets, plus a DMZ subnet. It also creates a VM in the DMZ subnet with IP forwarding enabled to route traffic between the front-end and back-end subnets. After running the script you can deploy network software, such as a firewall application, to the VM.

If needed, install Azure PowerShell using the instructions found in the Azure PowerShell guide, and then run Login-AzureRmAccount to create a connection with Azure.

If you don't have an Azure subscription, create a free account before you begin.

Sample script

# Variables for common values
$rgName='MyResourceGroup'
$location='eastus'

# Create user object
$cred = Get-Credential -Message 'Enter a username and password for the virtual machine.'

# Create a resource group.
New-AzureRmResourceGroup -Name $rgName -Location $location

# Create a virtual network, a front-end subnet, a back-end subnet, and a DMZ subnet.
$fesubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix 10.0.1.0/24
$besubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix 10.0.2.0/24
$dmzsubnet = New-AzureRmVirtualNetworkSubnetConfig -Name 'MySubnet-Dmz' -AddressPrefix 10.0.0.0/24

$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix 10.0.0.0/16 `
  -Location $location -Subnet $fesubnet, $besubnet, $dmzsubnet

# Create NSG rules to allow HTTP & HTTPS traffic inbound.
$rule1 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTP-ALL' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

$rule2 = New-AzureRmNetworkSecurityRuleConfig -Name 'Allow-HTTPS-All' -Description 'Allow HTTPS' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 443

# Create a network security group (NSG) for the front-end subnet.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
  -Name 'MyNsg-FrontEnd' -SecurityRules $rule1,$rule2

# Associate the front-end NSG to the front-end subnet.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg

# Create a public IP address for the firewall VM.
$publicip = New-AzureRmPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIP-Firewall' `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the firewall VM and enable IP forwarding.
$nicVMFW = New-AzureRmNetworkInterface -ResourceGroupName $rgName -Location $location -Name 'MyNic-Firewall' `
  -PublicIpAddress $publicip -Subnet $vnet.Subnets[2] -EnableIPForwarding

# Create a firewall VM to accept all traffic between the front and back-end subnets.
$vmConfig = New-AzureRmVMConfig -VMName 'MyVm-Firewall' -VMSize Standard_DS2 | `
    Set-AzureRmVMOperatingSystem -Windows -ComputerName 'MyVm-Firewall' -Credential $cred | `
    Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer `
    -Skus 2016-Datacenter -Version latest | Add-AzureRmVMNetworkInterface -Id $nicVMFW.Id
    
$vm = New-AzureRmVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create a route for traffic from the front-end to the back-end subnet through the firewall VM.
$route = New-AzureRmRouteConfig -Name 'RouteToBackEnd' -AddressPrefix 10.0.2.0/24 `
  -NextHopType VirtualAppliance -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress

# Create a route for traffic from the front-end subnet to the Internet through the firewall VM.
$route2 = New-AzureRmRouteConfig -Name 'RouteToInternet' -AddressPrefix 0.0.0.0/0 `
  -NextHopType VirtualAppliance -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIpAddress

# Create route table for the FrontEnd subnet.
$routeTableFEtoBE = New-AzureRmRouteTable -Name 'MyRouteTable-FrontEnd' -ResourceGroupName $rgName `
  -location $location -Route $route, $route2

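# Associate the route table to the FrontEnd subnet.
# Set-AzureRmVirtualNetworkSubnetConfig only changes the in-memory $vnet object;
# piping to Set-AzureRmVirtualNetwork writes the NSG and route table association to Azure.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' -AddressPrefix 10.0.1.0/24 `
  -NetworkSecurityGroup $nsg -RouteTable $routeTableFEtoBE | Set-AzureRmVirtualNetwork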
  
# Create a route for traffic from the back-end subnet to the front-end subnet through the firewall VM.
$route = New-AzureRmRouteConfig -Name 'RouteToFrontEnd' -AddressPrefix '10.0.1.0/24' -NextHopType VirtualAppliance `
  -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIPAddress

# Create a route for traffic from the back-end subnet to the Internet through the firewall VM.
$route2 = New-AzureRmRouteConfig -Name 'RouteToInternet' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance `
  -NextHopIpAddress $nicVMFW.IpConfigurations[0].PrivateIPAddress

# Create route table for the BackEnd subnet.
$routeTableBE = New-AzureRmRouteTable -Name 'MyRouteTable-BackEnd' -ResourceGroupName $rgName `
  -location $location -Route $route, $route2

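# Associate the route table to the BackEnd subnet.
# Piping to Set-AzureRmVirtualNetwork commits the pending subnet changes to Azure.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
  -AddressPrefix '10.0.2.0/24' -RouteTable $routeTableBE | Set-AzureRmVirtualNetwork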
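
A read-only check to run after the script, added here as an example and not part of the original sample: it confirms that the firewall NIC has IP forwarding enabled, that both routed subnets carry a route table whose routes point at the firewall's private IP, and that the front-end subnet carries the NSG. Resource names are the ones the script uses; the `$findings` list and its message strings are illustrative.

```powershell
# Added verification example; resource names match the sample script above.
$rgName = 'MyResourceGroup'

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet'
$nic  = Get-AzureRmNetworkInterface -ResourceGroupName $rgName -Name 'MyNic-Firewall'
$fwIp = $nic.IpConfigurations[0].PrivateIpAddress

$findings = @()

# IP forwarding lets the NIC receive traffic that is not addressed to its own IP.
if (-not $nic.EnableIPForwarding) {
    $findings += 'MyNic-Firewall: IP forwarding is disabled'
}

# Each routed subnet and the route table the script associates with it.
$expected = @{
    'MySubnet-FrontEnd' = 'MyRouteTable-FrontEnd'
    'MySubnet-BackEnd'  = 'MyRouteTable-BackEnd'
}

foreach ($subnetName in $expected.Keys) {
    $subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

    # An association that was never committed shows up as an empty RouteTable here.
    if (-not $subnet.RouteTable) {
        $findings += "${subnetName}: no route table associated"
        continue
    }

    $rt = Get-AzureRmRouteTable -ResourceGroupName $rgName -Name $expected[$subnetName]
    if ($subnet.RouteTable.Id -ne $rt.Id) {
        $findings += "${subnetName}: unexpected route table $($subnet.RouteTable.Id)"
    }

    # Every route must use the firewall NIC's current private IP as next hop.
    foreach ($r in $rt.Routes) {
        if ($r.NextHopType -ne 'VirtualAppliance' -or $r.NextHopIpAddress -ne $fwIp) {
            $findings += "${subnetName}: route $($r.Name) does not point at the firewall ($fwIp)"
        }
    }
}

# The front-end subnet must also carry the NSG.
$fe = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd'
if (-not $fe.NetworkSecurityGroup) { $findings += 'MySubnet-FrontEnd: no NSG associated' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Routing and NSG associations are in place.' }
```

The check covers the Azure side only; the operating system on the VM must also be configured to forward packets before traffic actually flows between the subnets.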

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources.

Remove-AzureRmResourceGroup -Name myResourceGroup

Script explanation

This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the table links to command-specific documentation.

| Command | Notes |
| --- | --- |
| New-AzureRmResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzureRmVirtualNetwork | Creates an Azure virtual network and front-end subnet. |
| New-AzureRmVirtualNetworkSubnetConfig | Creates back-end and DMZ subnets. |
| New-AzureRmPublicIpAddress | Creates a public IP address to access the VM from the Internet. |
| New-AzureRmNetworkInterface | Creates a virtual network interface and enables IP forwarding for it. |
| New-AzureRmNetworkSecurityGroup | Creates a network security group (NSG). |
| New-AzureRmNetworkSecurityRuleConfig | Creates NSG rules that allow HTTP and HTTPS ports inbound to the VM. |
| Set-AzureRmVirtualNetworkSubnetConfig | Associates the NSGs and route tables to subnets. |
| New-AzureRmRouteTable | Creates a route table for all routes. |
| New-AzureRmRouteConfig | Creates routes to route traffic between subnets and the Internet through the VM. |
| New-AzureRmVM | Creates a virtual machine and attaches the NIC to it. This command also specifies the virtual machine image to use and administrative credentials. |
| Remove-AzureRmResourceGroup | Deletes a resource group and all resources it contains. |

Next steps

For more information on Azure PowerShell, see the Azure PowerShell documentation.

Additional networking PowerShell script samples can be found in the Azure Networking Overview documentation.