Create a network for multi-tier applications script sample

This script sample creates a virtual network with front-end and back-end subnets. Traffic to the front-end subnet is limited to HTTP and SSH, while traffic to the back-end subnet is limited to MySQL, port 3306. After running the script, you will have two virtual machines, one in each subnet, to which you can deploy web server and MySQL software.

You can execute the script from the Azure Cloud Shell, or from a local PowerShell installation. If you use PowerShell locally, this script requires the Azure PowerShell module version 1.0.0 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

If you don't have an Azure subscription, create a free account before you begin.

Sample script

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

A subnet ID is assigned after you have created a virtual network; specifically, using the New-AzVirtualNetwork cmdlet with the -Subnet option. If you configure the subnet using the New-AzVirtualNetworkSubnetConfig cmdlet before the call to New-AzVirtualNetwork, you won't see the subnet ID until after you call New-AzVirtualNetwork.

# Variables for common values
$rgName='MyResourceGroup'
$location='eastus'

# Create user object
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Create a resource group.
New-AzResourceGroup -Name $rgName -Location $location

# Create a virtual network with a front-end subnet and back-end subnet.
$fesubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create an NSG rule to allow HTTP traffic in from the Internet to the front-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-All' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

# Create an NSG rule to allow RDP traffic from the Internet to the front-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389


# Create a network security group for the front-end subnet.
$nsgfe = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name 'MyNsg-FrontEnd' -SecurityRules $rule1,$rule2

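# Associate the front-end NSG to the front-end subnet and commit the change to Azure.
# Set-AzVirtualNetworkSubnetConfig only updates the in-memory object; Set-AzVirtualNetwork persists it.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsgfe | Set-AzVirtualNetwork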

# Create an NSG rule to allow SQL traffic from the front-end subnet to the back-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-FrontEnd' -Description "Allow SQL" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 1433

# Create an NSG rule to allow RDP traffic from the Internet to the back-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description "Allow RDP" `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for back-end subnet.
$nsgbe = New-AzNetworkSecurityGroup -ResourceGroupName $RgName -Location $location `
  -Name "MyNsg-BackEnd" -SecurityRules $rule1,$rule2

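# Associate the back-end NSG to the back-end subnet and commit the change to Azure.
# Set-AzVirtualNetworkSubnetConfig only updates the in-memory object; Set-AzVirtualNetwork persists it.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
  -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $nsgbe | Set-AzVirtualNetwork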

# Create a public IP address for the web server VM.
$publicipvm1 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-Web' `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the web server VM.
$nicVMweb = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name 'MyNic-Web' -PublicIpAddress $publicipvm1 -NetworkSecurityGroup $nsgfe -Subnet $vnet.Subnets[0]

# Create a Web Server VM in the front-end subnet
$vmConfig = New-AzVMConfig -VMName 'MyVm-Web' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Web' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version latest | Add-AzVMNetworkInterface -Id $nicVMweb.Id

$vmweb = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create a public IP address for the SQL VM.
$publicipvm2 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name MyPublicIP-Sql `
  -location $location -AllocationMethod Dynamic

# Create a NIC for the SQL VM.
$nicVMsql = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name MyNic-Sql -PublicIpAddress $publicipvm2 -NetworkSecurityGroup $nsgbe -Subnet $vnet.Subnets[1] 

# Create a SQL VM in the back-end subnet.
$vmConfig = New-AzVMConfig -VMName 'MyVm-Sql' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Sql' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftSQLServer' -Offer 'SQL2016-WS2016' `
  -Skus 'Web' -Version latest | Add-AzVMNetworkInterface -Id $nicVMsql.Id

$vmsql = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet (must be done after VM creation)
# -Protocol * covers every protocol, not only TCP, so the rule matches its stated intent.
$rule3 = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description "Deny Internet All" `
  -Access Deny -Protocol * -Direction Outbound -Priority 300 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Add NSG rule to Back-end NSG
$nsgbe.SecurityRules.add($rule3)

Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsgbe
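
The following audit is an added example, not part of the original sample: it lists inbound Allow rules in the resource group's NSGs that accept Internet-wide sources on management or database ports, and run against this script's output it reports the Allow-RDP-All rule on both MyNsg-FrontEnd and MyNsg-BackEnd. The function names Test-PortInRange and Get-ExposedNsgRule and the $sensitivePorts list are assumptions chosen for illustration.

```powershell
# Added example: audit the NSGs that the sample script creates.
# Assumption: $sensitivePorts is an illustrative list; adjust it to your policy.
$rgName = 'MyResourceGroup'
$sensitivePorts = 22, 3389, 1433, 3306
$openSources = '*', 'Internet', '0.0.0.0/0'

# True when $Port falls inside any entry such as '80', '1000-2000' or '*'.
function Test-PortInRange {
  param([string[]]$Ranges, [int]$Port)
  foreach ($r in $Ranges) {
    if ($r -eq '*') { return $true }
    $lo, $hi = $r -split '-'
    if (-not $hi) { $hi = $lo }
    if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
  }
  return $false
}

# Lists inbound Allow rules that accept Internet-wide sources on sensitive ports.
# Limitation: does not evaluate whether a higher-priority Deny rule overrides a match.
function Get-ExposedNsgRule {
  param([Parameter(Mandatory)][string]$ResourceGroupName)
  foreach ($nsg in (Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName)) {
    $inboundAllow = $nsg.SecurityRules |
      Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' }
    foreach ($rule in $inboundAllow) {
      $open = @($rule.SourceAddressPrefix | Where-Object { $_ -in $openSources })
      if ($open.Count -eq 0) { continue }
      foreach ($port in $sensitivePorts) {
        if (Test-PortInRange -Ranges $rule.DestinationPortRange -Port $port) {
          [pscustomobject]@{
            Nsg             = $nsg.Name
            Rule            = $rule.Name
            Priority        = $rule.Priority
            Source          = $open -join ','
            Port            = $port
            AttachedSubnets = @($nsg.Subnets).Count
            AttachedNics    = @($nsg.NetworkInterfaces).Count
          }
        }
      }
    }
  }
}

Get-ExposedNsgRule -ResourceGroupName $rgName | Format-Table -AutoSize
```

The AttachedSubnets and AttachedNics columns show where each NSG is actually enforced; an AttachedSubnets value of 0 means the subnet association was never committed with Set-AzVirtualNetwork.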

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources:

Remove-AzResourceGroup -Name myResourceGroup -Force

Script explanation

This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the following table links to command-specific documentation:

| Command | Notes |
| --- | --- |
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzVirtualNetwork | Creates an Azure virtual network and front-end subnet. |
| New-AzVirtualNetworkSubnetConfig | Creates a back-end subnet. |
| New-AzPublicIpAddress | Creates a public IP address to access the VM from the internet. |
| New-AzNetworkInterface | Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets. |
| New-AzNetworkSecurityGroup | Creates network security groups (NSG) that are associated to the front-end and back-end subnets. |
| New-AzNetworkSecurityRuleConfig | Creates NSG rules that allow or block specific ports to specific subnets. |
| New-AzVM | Creates virtual machines and attaches a NIC to each VM. This command also specifies the virtual machine image to use and administrative credentials. |
| Remove-AzResourceGroup | Deletes a resource group and all resources it contains. |

Next steps

For more information on Azure PowerShell, see Azure PowerShell documentation.

Additional virtual network PowerShell script samples can be found in Virtual network PowerShell samples.