Manage resources with Azure PowerShell

When deploying resources to Azure, you have tremendous flexibility when deciding what types of resources to deploy, where they are located, and how to set them up. However, that flexibility may open more options than you would like to allow in your organization. As you consider deploying resources to Azure, you might be wondering:

  • How do I meet legal requirements for data sovereignty in certain countries?
  • How do I control costs?
  • How do I ensure that someone does not inadvertently change a critical system?
  • How do I track resource costs and bill them accurately?

This article addresses those questions. Specifically, you:

  • Assign users to roles and assign the roles to a scope so users have permission to perform expected actions but not more actions.
  • Apply policies that prescribe conventions for resources in your subscription.
  • Lock resources that are critical to your system.
  • Tag resources so you can track them by values that make sense to your organization.

This article focuses on the tasks you take to implement governance. For a broader discussion of the concepts, see Governance in Azure.

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Click Copy to copy the code, paste it into the Cloud Shell, and then press Enter to run it. There are a few ways to launch the Cloud Shell:

  • Click Try It in the upper right corner of a code block.
  • Open Cloud Shell in your browser: https://shell.azure.com/powershell
  • Click the Cloud Shell button on the menu in the upper right of the Azure portal.

If you choose to install and use PowerShell locally, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzureRmAccount to create a connection with Azure.

Understand scope

Before creating any items, let's review the concept of scope. Azure provides four levels of management: management groups, subscription, resource group, and resource. Management groups are in a preview release. The following image shows an example of these layers.

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. When you apply a setting to the subscription, that setting is applied to all resource groups and resources in your subscription. When you apply a setting on the resource group, that setting is applied to the resource group and all its resources. However, another resource group does not have that setting.

Usually, it makes sense to apply critical settings at higher levels and project-specific requirements at lower levels. For example, you might want to make sure all resources for your organization are deployed to certain regions. To accomplish this requirement, apply a policy to the subscription that specifies the allowed locations. As other users in your organization add new resource groups and resources, the allowed locations are automatically enforced.

In this article, you apply all management settings to a resource group so you can easily remove those settings when done.

Let's create the resource group.

Set-AzureRmContext -Subscription <subscription-name>
New-AzureRmResourceGroup -Name myResourceGroup -Location EastUS

Currently, the resource group is empty.

Role-based access control

You want to make sure users in your organization have the right level of access to these resources. You don't want to grant unlimited access to users, but you also need to make sure they can do their work. Role-based access control (RBAC) enables you to manage which users have permission to complete specific actions at a scope. A role defines a set of permitted actions. You assign the role to a scope, and specify which users belong to that role for the scope.

When planning your access control strategy, grant users the least privilege to get their work done. The following image shows a suggested pattern for assigning RBAC.

There are three roles that apply to all resources - Owner, Contributor, and Reader. Any accounts assigned to the Owner role should be tightly controlled and rarely used. Users that only need to observe the state of solutions should be granted the Reader role.

Most users are granted resource-specific roles or custom roles at either the subscription or resource group level. These roles tightly define the permitted actions. By assigning users to these roles, you grant the required access for users without permitting too much control. You can assign an account to more than one role, and that user gets the combined permissions of the roles. Granting access at the resource level is often too restrictive for users, but may work for an automated process designed for a specific task.

Who can assign roles

To create and remove role assignments, users must have Microsoft.Authorization/roleAssignments/* access. This access is granted through the Owner or User Access Administrator roles.

Assign a role

In this article, you deploy a virtual machine and its related virtual network. For managing virtual machine solutions, there are three resource-specific roles that provide commonly needed access:

  • Virtual Machine Contributor
  • Network Contributor
  • Storage Account Contributor

Instead of assigning roles to individual users, it's often easier to create an Azure Active Directory group for users who need to take similar actions. Then, assign that group to the appropriate role. To simplify this article, you create an Azure Active Directory group without members. You can still assign this group to a role for a scope.

The following example creates a group and assigns it to the Virtual Machine Contributor role for the resource group. To run the New-AzureADGroup command, you must either use the Azure Cloud Shell or download the Azure AD PowerShell module.

$adgroup = New-AzureADGroup -DisplayName VMDemoContributors `
  -MailNickName vmDemoGroup `
  -MailEnabled $false `
  -SecurityEnabled $true
New-AzureRmRoleAssignment -ObjectId $adgroup.ObjectId `
  -ResourceGroupName myResourceGroup `
  -RoleDefinitionName "Virtual Machine Contributor"

Typically, you repeat the process for Network Contributor and Storage Account Contributor to make sure users are assigned to manage the deployed resources. In this article, you can skip those steps.

Azure Policy

Azure Policy helps you make sure all resources in your subscription meet corporate standards. Your subscription already has several policy definitions. To see the available policy definitions, use:

(Get-AzureRmPolicyDefinition).Properties | Format-Table displayName, policyType

You see the existing policy definitions. The policy type is either BuiltIn or Custom. Look through the definitions for ones that describe a condition you want to assign. In this article, you assign policies that:

  • limit the locations for all resources
  • limit the SKUs for virtual machines
  • audit virtual machines that do not use managed disks

$locations = "eastus", "eastus2"
$skus = "Standard_DS1_v2", "Standard_E2s_v2"

$rg = Get-AzureRmResourceGroup -Name myResourceGroup

$locationDefinition = Get-AzureRmPolicyDefinition | where-object {$_.properties.displayname -eq "Allowed locations"}
$skuDefinition = Get-AzureRmPolicyDefinition | where-object {$_.properties.displayname -eq "Allowed virtual machine SKUs"}
$auditDefinition = Get-AzureRmPolicyDefinition | where-object {$_.properties.displayname -eq "Audit VMs that do not use managed disks"}

New-AzureRMPolicyAssignment -Name "Set permitted locations" `
  -Scope $rg.ResourceId `
  -PolicyDefinition $locationDefinition `
  -listOfAllowedLocations $locations
New-AzureRMPolicyAssignment -Name "Set permitted VM SKUs" `
  -Scope $rg.ResourceId `
  -PolicyDefinition $skuDefinition `
  -listOfAllowedSKUs $skus
New-AzureRMPolicyAssignment -Name "Audit unmanaged disks" `
  -Scope $rg.ResourceId `
  -PolicyDefinition $auditDefinition

Deploy the virtual machine

You have assigned roles and policies, so you're ready to deploy your solution. The default size is Standard_DS1_v2, which is one of your allowed SKUs. When running this step, you are prompted for credentials. The values that you enter are configured as the user name and password for the virtual machine.

New-AzureRmVm -ResourceGroupName "myResourceGroup" `
     -Name "myVM" `
     -Location "East US" `
     -VirtualNetworkName "myVnet" `
     -SubnetName "mySubnet" `
     -SecurityGroupName "myNetworkSecurityGroup" `
     -PublicIpAddressName "myPublicIpAddress" `
     -OpenPorts 80,3389

After your deployment finishes, you can apply more management settings to the solution.

Lock resources

Resource locks prevent users in your organization from accidentally deleting or modifying critical resources. Unlike role-based access control, resource locks apply a restriction across all users and roles.

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the lock levels are displayed as Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Be careful when applying a ReadOnly lock. Some operations that seem like read operations actually require additional actions. For example, a ReadOnly lock on a storage account prevents all users from listing the keys. The list keys operation is handled through a POST request because the returned keys are available for write operations. A ReadOnly lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
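The inheritance rule above, worked through as an added example that is not part of the original article: the function returns the lock that is effective on a resource when locks exist at several scopes. The Scope and Level property names, the subscription ID, and the sample locks are assumptions constructed for the illustration.

```powershell
# Added example: resolve the effective lock for a resource from locks set at
# the resource itself and at parent scopes. ReadOnly is more restrictive than
# CanNotDelete, so it wins when both apply.
function Get-EffectiveLock {
    param(
        [string] $ResourceId,
        # Objects with Scope and Level properties (assumed shape for this example).
        [object[]] $Locks
    )

    $rank = @{ CanNotDelete = 1; ReadOnly = 2 }
    $effective = $null

    foreach ($lock in $Locks) {
        $scope = $lock.Scope.TrimEnd('/')

        # A lock applies when it is set on the resource or on any parent scope.
        $onResource = ($ResourceId -eq $scope)
        $onParent   = $ResourceId.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)

        if ($onResource -or $onParent) {
            if (-not $effective -or $rank[$lock.Level] -gt $rank[$effective.Level]) {
                $effective = $lock
            }
        }
    }

    # $null means no lock applies to the resource.
    $effective
}

# Constructed sample data; the subscription ID is a placeholder.
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'
$rg  = "$sub/resourceGroups/myResourceGroup"
$vm  = "$rg/providers/Microsoft.Compute/virtualMachines/myVM"

$locks = @(
    [pscustomobject]@{ Name = 'LockGroup'; Scope = $rg; Level = 'ReadOnly' }
    [pscustomobject]@{ Name = 'LockVM';    Scope = $vm; Level = 'CanNotDelete' }
)

# The VM has its own CanNotDelete lock, but the inherited ReadOnly lock wins.
Get-EffectiveLock -ResourceId $vm -Locks $locks

# A resource in a different resource group is not covered by either lock.
Get-EffectiveLock -ResourceId "$sub/resourceGroups/otherGroup/providers/Microsoft.Compute/virtualMachines/vm2" -Locks $locks
```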

Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks don't restrict how resources process their own functions. Resource changes are restricted, but resource operations aren't restricted. For example, a ReadOnly lock on a SQL Database prevents you from deleting or modifying the database. It doesn't prevent you from creating, updating, or deleting data in the database. Data transactions are allowed because those operations are not sent to https://management.azure.com.

Who can create or delete locks in your organization

To create or delete management locks, you must have access to Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.
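Because the same two built-in roles can both create role assignments (see "Who can assign roles") and create or delete locks, it is worth reviewing who holds them on the resource group. The following is an added example, not code from the original article: the function name and the sample assignments are constructed, and custom roles that grant the same actions are not covered.

```powershell
# Added example: list the principals that hold Owner or User Access
# Administrator, the built-in roles that can manage role assignments and locks.
function Get-PrivilegedAssignment {
    param(
        # Role assignment objects, such as those returned by Get-AzureRmRoleAssignment.
        [Parameter(ValueFromPipeline = $true)] $Assignment,
        # Scope under review; assignments made at a higher scope are flagged as inherited.
        [string] $TargetScope
    )
    begin {
        $privilegedRoles = 'Owner', 'User Access Administrator'
    }
    process {
        if ($privilegedRoles -contains $Assignment.RoleDefinitionName) {
            [pscustomobject]@{
                DisplayName = $Assignment.DisplayName
                ObjectType  = $Assignment.ObjectType
                Role        = $Assignment.RoleDefinitionName
                Scope       = $Assignment.Scope
                Inherited   = ($Assignment.Scope.TrimEnd('/') -ne $TargetScope.TrimEnd('/'))
            }
        }
    }
}

# Constructed sample data; the subscription ID and names are placeholders.
$sub   = '/subscriptions/00000000-0000-0000-0000-000000000000'
$scope = "$sub/resourceGroups/myResourceGroup"

$sample = @(
    [pscustomobject]@{ DisplayName = 'Subscription Admins'; ObjectType = 'Group'
                       RoleDefinitionName = 'Owner'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'VMDemoContributors'; ObjectType = 'Group'
                       RoleDefinitionName = 'Virtual Machine Contributor'; Scope = $scope }
    [pscustomobject]@{ DisplayName = 'Deployment Automation'; ObjectType = 'ServicePrincipal'
                       RoleDefinitionName = 'User Access Administrator'; Scope = $scope }
)

# Returns the Owner group (inherited from the subscription) and the service
# principal assigned directly on the resource group; the contributor group is skipped.
$sample | Get-PrivilegedAssignment -TargetScope $scope | Format-Table -AutoSize

# Against a live subscription, feed the real assignments in instead:
# Get-AzureRmRoleAssignment -ResourceGroupName myResourceGroup |
#     Get-PrivilegedAssignment -TargetScope (Get-AzureRmResourceGroup -Name myResourceGroup).ResourceId
```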

Lock a resource

To lock the virtual machine and network security group, use:

New-AzureRmResourceLock -LockLevel CanNotDelete `
  -LockName LockVM `
  -ResourceName myVM `
  -ResourceType Microsoft.Compute/virtualMachines `
  -ResourceGroupName myResourceGroup
New-AzureRmResourceLock -LockLevel CanNotDelete `
  -LockName LockNSG `
  -ResourceName myNetworkSecurityGroup `
  -ResourceType Microsoft.Network/networkSecurityGroups `
  -ResourceGroupName myResourceGroup

The virtual machine can only be deleted if you specifically remove the lock. That step is shown in Clean up resources.

Tag resources

You apply tags to your Azure resources giving metadata to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.

After you apply tags, you can retrieve all the resources in your subscription with that tag name and value. Tags enable you to retrieve related resources from different resource groups. This approach is helpful when you need to organize resources for billing or management.

Your taxonomy should consider a self-service metadata tagging strategy in addition to an auto-tagging strategy to reduce the burden on users and increase accuracy.

The following limitations apply to tags:

  • Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
  • Each resource or resource group can have a maximum of 15 tag name/value pairs. This limitation applies only to tags directly applied to the resource group or resource. A resource group can contain many resources that each have 15 tag name/value pairs. If you have more than 15 values that you need to associate with a resource, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name. This article shows an example of assigning a JSON string to the tag.
  • The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
  • Virtual Machines are limited to a total of 2048 characters for all tag names and values.
  • Tags applied to the resource group are not inherited by the resources in that resource group.
  • Tags can't be applied to classic resources such as Cloud Services.
  • Tag names can't contain these characters: <, >, %, &, \, ?, /
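A tag set can be checked against these limits locally before it is sent to Azure. The following is an added example, not code from the original article; the function name Test-TagSet and the sample hashtable are constructed for the illustration.

```powershell
# Added example: check a tag hashtable against the limits listed above
# before calling Set-AzureRmResource or Set-AzureRmResourceGroup.
function Test-TagSet {
    param(
        [hashtable] $Tags,
        # Resource type the tags are intended for (selects type-specific limits).
        [string] $ResourceType = ''
    )

    # Storage accounts have a shorter tag-name limit than other resources.
    $maxName = 512
    if ($ResourceType -eq 'Microsoft.Storage/storageAccounts') { $maxName = 128 }
    $maxValue = 256

    $problems = @()
    $totalChars = 0

    if ($Tags.Count -gt 15) {
        $problems += "$($Tags.Count) tags supplied; the maximum is 15"
    }

    foreach ($entry in $Tags.GetEnumerator()) {
        $name  = [string] $entry.Key
        $value = [string] $entry.Value
        $totalChars += $name.Length + $value.Length

        if ($name.Length -gt $maxName) {
            $problems += "tag name of $($name.Length) characters exceeds $maxName"
        }
        if ($value.Length -gt $maxValue) {
            $problems += "value of tag '$name' is $($value.Length) characters; the maximum is $maxValue"
        }
        if ($name -match '[<>%&\\?/]') {
            $problems += "tag name '$name' contains one of < > % & \ ? /"
        }
    }

    # Virtual machines also have a combined limit across all names and values.
    if ($ResourceType -eq 'Microsoft.Compute/virtualMachines' -and $totalChars -gt 2048) {
        $problems += "names and values total $totalChars characters; the maximum for a VM is 2048"
    }

    # An empty result means the tag set is within the listed limits.
    $problems
}

# Constructed sample input: one forbidden character and one over-long value.
$candidate = @{
    Dept          = 'IT'
    'Cost/Center' = '42'
    Notes         = 'x' * 300
}
Test-TagSet -Tags $candidate -ResourceType 'Microsoft.Compute/virtualMachines'
```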

Tag resources

To add two tags to a resource group, use the Set-AzureRmResourceGroup command:

Set-AzureRmResourceGroup -Name myResourceGroup -Tag @{ Dept="IT"; Environment="Test" }

Let's suppose you want to add a third tag. Every time you apply tags to a resource or a resource group, you overwrite the existing tags on that resource or resource group. To add a new tag without losing the existing tags, you must retrieve the existing tags, add a new tag, and reapply the collection of tags:

# Get existing tags and add a new tag
$tags = (Get-AzureRmResourceGroup -Name myResourceGroup).Tags
$tags.Add("Project", "Documentation")

# Reapply the updated set of tags 
Set-AzureRmResourceGroup -Tag $tags -Name myResourceGroup

Resources don't inherit tags from the resource group. Currently, your resource group has three tags but the resources do not have any tags. To apply all tags from a resource group to its resources, and retain existing tags on resources that are not duplicates, use the following script:

# Get the resource group
$group = Get-AzureRmResourceGroup myResourceGroup

if ($group.Tags -ne $null) {
    # Get the resources in the resource group
    $resources = Get-AzureRmResource -ResourceGroupName $group.ResourceGroupName

    # Loop through each resource
    foreach ($r in $resources) {
        # Get the tags for this resource
        $resourcetags = (Get-AzureRmResource -ResourceId $r.ResourceId).Tags

        # If the resource has existing tags, add only the group tags it lacks
        if ($resourcetags) {
            foreach ($key in $group.Tags.Keys) {
                if (-not($resourcetags.ContainsKey($key))) {
                    $resourcetags.Add($key, $group.Tags[$key])
                }
            }

            # Reapply the updated tags to the resource
            Set-AzureRmResource -Tag $resourcetags -ResourceId $r.ResourceId -Force
        }
        else {
            # The resource has no tags yet, so apply the group tags as they are
            Set-AzureRmResource -Tag $group.Tags -ResourceId $r.ResourceId -Force
        }
    }
}

Alternatively, you can apply tags from the resource group to the resources without keeping the existing tags:

# Get the resource group
$g = Get-AzureRmResourceGroup -Name myResourceGroup

# Find all the resources in the resource group, and for each resource apply the tags from the resource group
Get-AzureRmResource -ResourceGroupName $g.ResourceGroupName | ForEach-Object {Set-AzureRmResource -ResourceId $_.ResourceId -Tag $g.Tags -Force }

To combine several values in a single tag, use a JSON string.

Set-AzureRmResourceGroup -Name myResourceGroup -Tag @{ CostCenter="{`"Dept`":`"IT`",`"Environment`":`"Test`"}" }

To add a new tag with several values without losing the existing tags, you must retrieve the existing tags, use a JSON string for the new tag, and reapply the collection of tags:

# Get existing tags and add a new tag
$ResourceGroup = Get-AzureRmResourceGroup -Name myResourceGroup
$Tags = $ResourceGroup.Tags
$Tags.Add("CostCenter", "{`"Dept`":`"IT`",`"Environment`":`"Test`"}")

# Reapply the updated set of tags
$ResourceGroup | Set-AzureRmResourceGroup -Tag $Tags

To remove all tags, you pass an empty hash table.

Set-AzureRmResourceGroup -Name myResourceGroup -Tag @{ }

To apply tags to a virtual machine, use:

$r = Get-AzureRmResource -ResourceName myVM `
  -ResourceGroupName myResourceGroup `
  -ResourceType Microsoft.Compute/virtualMachines
Set-AzureRmResource -Tag @{ Dept="IT"; Environment="Test"; Project="Documentation" } -ResourceId $r.ResourceId -Force

Find resources by tag

To find resources with a tag name and value, use:

(Find-AzureRmResource -TagName Environment -TagValue Test).Name

You can use the returned values for management tasks like stopping all virtual machines with a tag value.

Find-AzureRmResource -TagName Environment -TagValue Test | Where-Object {$_.ResourceType -eq "Microsoft.Compute/virtualMachines"} | Stop-AzureRmVM

View costs by tag values

After applying tags to resources, you can view costs for resources with those tags. It takes a while for cost analysis to show the latest usage, so you may not see the costs yet. When the costs are available, you can view costs for resources across resource groups in your subscription. Users must have subscription level access to billing information to see the costs.

To view costs by tag in the portal, select your subscription and select Cost Analysis.

Then, filter by the tag value, and select Apply.

You can also use the Azure Billing APIs to programmatically view costs.

Clean up resources

The locked network security group can't be deleted until the lock is removed. To remove the lock, use:

Remove-AzureRmResourceLock -LockName LockVM `
  -ResourceName myVM `
  -ResourceType Microsoft.Compute/virtualMachines `
  -ResourceGroupName myResourceGroup
Remove-AzureRmResourceLock -LockName LockNSG `
  -ResourceName myNetworkSecurityGroup `
  -ResourceType Microsoft.Network/networkSecurityGroups `
  -ResourceGroupName myResourceGroup

When no longer needed, you can use the Remove-AzureRmResourceGroup command to remove the resource group, VM, and all related resources.

Remove-AzureRmResourceGroup -Name myResourceGroup

Next steps