Quickstart: Deploy Azure Firewall with Availability Zones - ARM template

In this quickstart, you use an Azure Resource Manager template (ARM template) to deploy an Azure Firewall in three Availability Zones.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

The template creates a test network environment with a firewall. The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, ServersSubnet, and JumpboxSubnet. The ServersSubnet and JumpboxSubnet subnets each have a single, two-core Windows Server virtual machine.

The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com.

A user-defined route points network traffic from the ServersSubnet subnet through the firewall, where the firewall rules are applied.

For more information about Azure Firewall, see Deploy and configure Azure Firewall using the Azure portal.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Prerequisites

Review the template

This template creates an Azure Firewall with Availability Zones, along with the necessary resources to support the Azure Firewall.

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "test-vnet",
      "metadata": {
        "description": "virtual network name"
      }
    },
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Username for the Virtual Machine."
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the Virtual Machine."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "availabilityZones": {
      "type": "array",
      "defaultValue": [
        "1",
        "2",
        "3"
      ],
      "metadata": {
        "description": "Zone numbers e.g. 1,2,3."
      }
    },
    "numberOfFirewallPublicIPAddresses": {
      "type": "int",
      "defaultValue": 1,
      "minValue": 1,
      "maxValue": 100,
      "metadata": {
        "description": "Number of public IP addresses for the Azure Firewall"
      }
    },
    "jumpBoxSize": {
      "type": "string",
      "defaultValue": "Standard_DS1_v2",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    },
    "serverSize": {
      "type": "string",
      "defaultValue": "Standard_DS1_v2",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "vnetAddressPrefix": "10.0.0.0/16",
    "serversSubnetPrefix": "10.0.2.0/24",
    "azureFirewallSubnetPrefix": "10.0.1.0/24",
    "jumpboxSubnetPrefix": "10.0.0.0/24",
    "nextHopIP": "10.0.1.4",
    "azureFirewallSubnetName": "AzureFirewallSubnet",
    "jumpBoxSubnetName": "JumpboxSubnet",
    "serversSubnetName": "ServersSubnet",
    "jumpBoxPublicIPAddressName": "JumpHostPublicIP",
    "jumpBoxNsgName": "JumpHostNSG",
    "jumpBoxNicName": "JumpHostNic",
    "jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
    "serverNicName": "ServerNic",
    "serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
    "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sajumpbox')]",
    "azfwRouteTableName": "AzfwRouteTable",
    "firewallName": "firewall1",
    "publicIPNamePrefix": "publicIP",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets',parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
    "azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": "[parameters('numberOfFirewallPublicIPAddresses')]",
        "input": {
          "name": "[concat('IpConf', copyIndex('azureFirewallIpConfigurations'))]",
          "properties": {
            "subnet": "[if(equals(copyIndex('azureFirewallIpConfigurations'), 0), variables('azureFirewallSubnetJSON'), json('null'))]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPNamePrefix'), add(copyIndex('azureFirewallIpConfigurations'), 1)))]"
            }
          }
        }
      }
    ],
    "networkSecurityGroupName": "[concat(variables('serversSubnetName'), '-nsg')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-06-01",
      "name": "[variables('azfwRouteTableName')]",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "AzfwDefaultRoute",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[variables('nextHopIP')]"
            }
          }
        ]
      }
    },
    {
      "comments": "Simple Network Security Group for subnet [variables('serversSubnetName')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "[variables('networkSecurityGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
      ],
      "tags": {
        "displayName": "[parameters('virtualNetworkName')]"
      },
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetAddressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[variables('jumpBoxSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('jumpboxSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('azureFirewallSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('serversSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('serversSubnetPrefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
              },
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('publicIPNamePrefix'), add(copyIndex(), 1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "copy": {
        "name": "publicIpCopy",
        "count": "[parameters('numberOfFirewallPublicIPAddresses')]"
      },
      "properties": {
        "publicIPAllocationMethod": "Static",
        "publicIPAddressVersion": "IPv4"
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-06-01",
      "name": "[variables('jumpBoxPublicIPAddressName')]",
      "location": "[parameters('location')]",
      "properties": {
        "publicIPAllocationMethod": "Dynamic"
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "[variables('jumpBoxNsgName')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "myNetworkSecurityGroupRuleRDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 1000,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-06-01",
      "name": "[variables('JumpBoxNicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses/', variables('jumpBoxPublicIPAddressName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('jumpBoxPublicIPAddressName'))]"
              },
              "subnet": {
                "id": "[variables('jumpBoxSubnetId')]"
              }
            }
          }
        ],
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-06-01",
      "name": "[variables('ServerNicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[variables('serverSubnetId')]"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "JumpBox",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('jumpBoxSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "JumpBox",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "Server",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('serverSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "Server",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      }
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2020-06-01",
      "name": "[variables('firewallName')]",
      "location": "[parameters('location')]",
      "zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
        "publicIpCopy"
      ],
      "properties": {
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "appRc1",
            "properties": {
              "priority": 101,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "appRule1",
                  "protocols": [
                    {
                      "port": 80,
                      "protocolType": "http"
                    },
                    {
                      "port": 443,
                      "protocolType": "https"
                    }
                  ],
                  "targetFqdns": [
                    "www.microsoft.com"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ]
                }
              ]
            }
          }
        ],
        "networkRuleCollections": [
          {
            "name": "netRc1",
            "properties": {
              "priority": 200,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "netRule1",
                  "protocols": [
                    "TCP"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ],
                  "destinationAddresses": [
                    "*"
                  ],
                  "destinationPorts": [
                    "8000-8999"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  ]
}

Multiple Azure resources are defined in the template:

    • Microsoft.Storage/storageAccounts
    • Microsoft.Network/routeTables
    • Microsoft.Network/networkSecurityGroups
    • Microsoft.Network/virtualNetworks
    • Microsoft.Network/publicIPAddresses
    • Microsoft.Network/networkInterfaces
    • Microsoft.Compute/virtualMachines
    • Microsoft.Network/azureFirewalls
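Two properties of this template decide whether the ServersSubnet traffic actually reaches the firewall and how exposed the jump box is: the default route's next hop must be the firewall's private IP (the first usable address of AzureFirewallSubnet, since Azure reserves the first four addresses of a subnet), and the JumpHostNSG rule allows RDP from any source. The following offline checks are an added example, not part of the quickstart or the Azure Quickstart Templates project; they run over a constructed excerpt of the template in which the ARM variable expressions are already resolved to the literal values the template uses.

```python
"""Offline sanity checks for the quickstart's ARM template (added example)."""
import ipaddress
import json

# Constructed excerpt: the route table and jump-box NSG from the template,
# with variables('...') references resolved to their literal values.
TEMPLATE_EXCERPT = json.loads("""
{
  "variables": {
    "azureFirewallSubnetPrefix": "10.0.1.0/24",
    "serversSubnetPrefix": "10.0.2.0/24",
    "nextHopIP": "10.0.1.4"
  },
  "resources": [
    {"type": "Microsoft.Network/routeTables", "name": "AzfwRouteTable",
     "properties": {"routes": [{"name": "AzfwDefaultRoute", "properties": {
       "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
       "nextHopIpAddress": "10.0.1.4"}}]}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "JumpHostNSG",
     "properties": {"securityRules": [{"name": "myNetworkSecurityGroupRuleRDP",
       "properties": {"protocol": "Tcp", "destinationPortRange": "3389",
         "sourceAddressPrefix": "*", "access": "Allow", "direction": "Inbound"}}]}}
  ]
}
""")


def resources_of(template, rtype):
    """Resources of one type; ARM resource types are case-insensitive."""
    return [r for r in template["resources"] if r["type"].lower() == rtype.lower()]


def firewall_next_hop_ok(template):
    """True if every 0.0.0.0/0 route is a VirtualAppliance hop to the firewall.

    Azure reserves the first four addresses of a subnet, so the firewall's
    private IP is the subnet address + 4 (10.0.1.4 for 10.0.1.0/24). A default
    route with any other next hop silently bypasses the firewall.
    """
    subnet = ipaddress.ip_network(template["variables"]["azureFirewallSubnetPrefix"])
    expected = subnet.network_address + 4
    for rt in resources_of(template, "Microsoft.Network/routeTables"):
        for route in rt["properties"]["routes"]:
            p = route["properties"]
            if p["addressPrefix"] != "0.0.0.0/0":
                continue
            if p["nextHopType"] != "VirtualAppliance":
                return False
            if ipaddress.ip_address(p["nextHopIpAddress"]) != expected:
                return False
    return True


def open_inbound_rules(template, port="3389"):
    """Names of NSG rules that allow inbound `port` from any source."""
    found = []
    for nsg in resources_of(template, "Microsoft.Network/networkSecurityGroups"):
        for rule in nsg["properties"].get("securityRules", []):
            p = rule["properties"]
            if (p["direction"] == "Inbound" and p["access"] == "Allow"
                    and p["destinationPortRange"] == port
                    and p["sourceAddressPrefix"] in ("*", "Internet")):
                found.append(f"{nsg['name']}/{rule['name']}")
    return found
```

Running the checks against the excerpt confirms the default route targets 10.0.1.4 and reports the jump-box RDP rule, which is the rule to narrow to your own management address range before using this layout beyond a sandbox.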

Deploy the template

Deploy the ARM template to Azure:

  1. Select Deploy to Azure to sign in to Azure and open the template. The template creates an Azure Firewall, the network infrastructure, and two virtual machines.

  2. In the portal, on the Create a sandbox setup of Azure Firewall with Zones page, type or select the following values:

    • Resource group: Select Create new, type a name for the resource group, and select OK.
    • Virtual Network Name: Type a name for the new VNet.
    • Admin Username: Type a username for the administrator user account.
    • Admin Password: Type an administrator password.
  3. Read the terms and conditions, select I agree to the terms and conditions stated above, and then select Purchase. The deployment can take 10 minutes or longer to complete.

Review deployed resources

Explore the resources that were created with the firewall.

To learn about the JSON syntax and properties for a firewall in a template, see Microsoft.Network/azureFirewalls.

Clean up resources

When you no longer need them, you can remove the resource group, firewall, and all related resources by running the Remove-AzResourceGroup PowerShell command. To remove a resource group named MyResourceGroup, run:

Remove-AzResourceGroup -Name MyResourceGroup

Don't remove the resource group and firewall if you plan to continue on to the firewall monitoring tutorial.

Next steps

Next, you can monitor the Azure Firewall logs.