您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

快速入门:部署具有可用性区域的 Azure 防火墙 - ARM 模板Quickstart: Deploy Azure Firewall with Availability Zones - ARM template

在本快速入门中,使用 Azure 资源管理器模板(ARM 模板)在三个可用性区域中部署 Azure 防火墙。In this quickstart, you use an Azure Resource Manager template (ARM template) to deploy an Azure Firewall in three Availability Zones.

ARM 模板是定义项目基础结构和配置的 JavaScript 对象表示法 (JSON) 文件。An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. 模板使用声明性语法。The template uses declarative syntax. 在声明性语法中,你可以在不编写创建部署的编程命令序列的情况下,描述预期部署。In declarative syntax, you describe your intended deployment without writing the sequence of programming commands to create the deployment.

此模板创建带防火墙的测试网络环境。The template creates a test network environment with a firewall. 网络具有一个虚拟网络 (VNet),其中包含三个子网:AzureFirewallSubnet、ServersSubnet 和 JumpboxSubnet。The network has one virtual network (VNet) with three subnets: AzureFirewallSubnet, ServersSubnet, and JumpboxSubnet. ServersSubnet 和 JumpboxSubnet 子网均包含一个单个、双核 Windows Server 虚拟机。The ServersSubnet and JumpboxSubnet subnet each have a single, two-core Windows Server virtual machine.

防火墙在 AzureFirewallSubnet 子网中,并配置有一个应用程序规则集合,其中包含允许访问 www.microsoft.com 的单个规则。The firewall is in the AzureFirewallSubnet subnet, and has an application rule collection with a single rule that allows access to www.microsoft.com.

用户定义的一个路由,它引导来自 ServersSubnet 子网的网络流量穿过应用了防火墙规则的防火墙。A user-defined route points network traffic from the ServersSubnet subnet through the firewall, where the firewall rules are applied.

有关 Azure 防火墙的详细信息,请参阅使用 Azure 门户部署和配置 Azure 防火墙For more information about Azure Firewall, see Deploy and configure Azure Firewall using the Azure portal.

如果你的环境满足先决条件,并且你熟悉如何使用 ARM 模板,请选择“部署到 Azure”按钮。If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. Azure 门户中会打开模板。The template will open in the Azure portal.

部署到 AzureDeploy to Azure

先决条件Prerequisites

查看模板Review the template

此模板创建具有可用性区域的 Azure 防火墙,以及用于支持 Azure 防火墙的必要资源。This template creates an Azure Firewall with Availability Zones, along with the necessary resources to support the Azure Firewall.

本快速入门中使用的模板来自 Azure 快速启动模板The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "test-vnet",
      "metadata": {
        "description": "virtual network name"
      }
    },
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Username for the Virtual Machine."
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the Virtual Machine."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "availabilityZones": {
      "type": "array",
      "defaultValue": [
        "1",
        "2",
        "3"
      ],
      "metadata": {
        "description": "Zone numbers e.g. 1,2,3."
      }
    },
    "numberOfFirewallPublicIPAddresses": {
      "type": "int",
      "defaultValue": 1,
      "minValue": 1,
      "maxValue": 100,
      "metadata": {
        "description": "Number of public IP addresses for the Azure Firewall"
      }
    },
    "jumpBoxSize": {
      "type": "string",
      "defaultValue": "Standard_DS1_v2",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    },
    "serverSize": {
      "type": "string",
      "defaultValue": "Standard_DS1_v2",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "vnetAddressPrefix": "10.0.0.0/16",
    "serversSubnetPrefix": "10.0.2.0/24",
    "azureFirewallSubnetPrefix": "10.0.1.0/24",
    "jumpboxSubnetPrefix": "10.0.0.0/24",
    "nextHopIP": "10.0.1.4",
    "azureFirewallSubnetName": "AzureFirewallSubnet",
    "jumpBoxSubnetName": "JumpboxSubnet",
    "serversSubnetName": "ServersSubnet",
    "jumpBoxPublicIPAddressName": "JumpHostPublicIP",
    "jumpBoxNsgName": "JumpHostNSG",
    "jumpBoxNicName": "JumpHostNic",
    "jumpBoxSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('jumpBoxSubnetName'))]",
    "serverNicName": "ServerNic",
    "serverSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('serversSubnetName'))]",
    "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'sajumpbox')]",
    "azfwRouteTableName": "AzfwRouteTable",
    "firewallName": "firewall1",
    "publicIPNamePrefix": "publicIP",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets',parameters('virtualNetworkName'), variables('azureFirewallSubnetName'))]",
    "azureFirewallSubnetJSON": "[json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId')))]",
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": "[parameters('numberOfFirewallPublicIPAddresses')]",
        "input": {
          "name": "[concat('IpConf', copyIndex('azureFirewallIpConfigurations'))]",
          "properties": {
            "subnet": "[if(equals(copyIndex('azureFirewallIpConfigurations'), 0), variables('azureFirewallSubnetJSON'), json('null'))]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('publicIPNamePrefix'), add(copyIndex('azureFirewallIpConfigurations'), 1)))]"
            }
          }
        }
      }
    ],
    "networkSecurityGroupName": "[concat(variables('serversSubnetName'), '-nsg')]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2019-06-01",
      "name": "[variables('storageAccountName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard_LRS"
      },
      "kind": "Storage",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2020-06-01",
      "name": "[variables('azfwRouteTableName')]",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "AzfwDefaultRoute",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[variables('nextHopIP')]"
            }
          }
        ]
      }
    },
    {
      "comments": "Simple Network Security Group for subnet [variables('serversSubnetName')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "[variables('networkSecurityGroupName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2020-06-01",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
      ],
      "tags": {
        "displayName": "[parameters('virtualNetworkName')]"
      },
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetAddressPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "[variables('jumpBoxSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('jumpboxSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('azureFirewallSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('azureFirewallSubnetPrefix')]"
            }
          },
          {
            "name": "[variables('serversSubnetName')]",
            "properties": {
              "addressPrefix": "[variables('serversSubnetPrefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', variables('azfwRouteTableName'))]"
              },
              "networkSecurityGroup": {
                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('networkSecurityGroupName'))]"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-06-01",
      "name": "[concat(variables('publicIPNamePrefix'), add(copyIndex(), 1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "copy": {
        "name": "publicIpCopy",
        "count": "[parameters('numberOfFirewallPublicIPAddresses')]"
      },
      "properties": {
        "publicIPAllocationMethod": "Static",
        "publicIPAddressVersion": "IPv4"
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2020-06-01",
      "name": "[variables('jumpBoxPublicIPAddressName')]",
      "location": "[parameters('location')]",
      "properties": {
        "publicIPAllocationMethod": "Dynamic"
      }
    },
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-06-01",
      "name": "[variables('jumpBoxNsgName')]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "myNetworkSecurityGroupRuleRDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 1000,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-06-01",
      "name": "[variables('JumpBoxNicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses/', variables('jumpBoxPublicIPAddressName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]",
        "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('jumpBoxPublicIPAddressName'))]"
              },
              "subnet": {
                "id": "[variables('jumpBoxSubnetId')]"
              }
            }
          }
        ],
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('jumpBoxNsgName'))]"
        }
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-06-01",
      "name": "[variables('ServerNicName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks/', parameters('virtualNetworkName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": {
                "id": "[variables('serverSubnetId')]"
              }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "JumpBox",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('jumpBoxSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "JumpBox",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('JumpBoxNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      }
    },
    {
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2020-06-01",
      "name": "Server",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
        "[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
      ],
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('serverSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "Server",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]"
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('ServerNicName'))]"
            }
          ]
        },
        "diagnosticsProfile": {
          "bootDiagnostics": {
            "enabled": true,
            "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))).primaryEndpoints.blob]"
          }
        }
      }
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2020-06-01",
      "name": "[variables('firewallName')]",
      "location": "[parameters('location')]",
      "zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
        "publicIpCopy"
      ],
      "properties": {
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "appRc1",
            "properties": {
              "priority": 101,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "appRule1",
                  "protocols": [
                    {
                      "port": 80,
                      "protocolType": "http"
                    },
                    {
                      "port": 443,
                      "protocolType": "https"
                    }
                  ],
                  "targetFqdns": [
                    "www.microsoft.com"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ]
                }
              ]
            }
          }
        ],
        "networkRuleCollections": [
          {
            "name": "netRc1",
            "properties": {
              "priority": 200,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "netRule1",
                  "protocols": [
                    "TCP"
                  ],
                  "sourceAddresses": [
                    "10.0.2.0/24"
                  ],
                  "destinationAddresses": [
                    "*"
                  ],
                  "destinationPorts": [
                    "8000-8999"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  ]
}

模板中定义了多个 Azure 资源:Multiple Azure resources are defined in the template:

部署模板Deploy the template

将 ARM 模板部署到 Azure:Deploy the ARM template to Azure:

  1. 选择“部署到 Azure”,登录到 Azure 并打开模板。Select Deploy to Azure to sign in to Azure and open the template. 该模板将创建 Azure 防火墙、网络基础结构和两个虚拟机。The template creates an Azure Firewall, the network infrastructure, and two virtual machines.

    部署到 AzureDeploy to Azure

  2. 在门户中的“创建具有区域的 Azure 防火墙的沙盒设置”页上,键入或选择以下值:In the portal, on the Create a sandbox setup of Azure Firewall with Zones page, type or select the following values:

    • 资源组:选择“新建”,键入资源组的名称,然后选择“确定”。Resource group: Select Create new, type a name for the resource group, and select OK.
    • 虚拟网络名称:键入新 VNet 的名称。Virtual Network Name: Type a name for the new VNet.
    • 管理员用户名:键入管理员用户帐户的用户名。Admin Username: Type a username for the administrator user account.
    • 管理员密码:键入管理员密码。Admin Password: Type an administrator password.
  3. 阅读条款和条件,选择“我同意上述条款和条件”,然后选择“购买”。 Read the terms and conditions, and then select I agree to the terms and conditions stated above and then select Purchase. 部署可能需要 10 分钟或更长时间才能完成。The deployment can take 10 minutes or longer to complete.

查看已部署的资源Review deployed resources

浏览使用防火墙创建的资源。Explore the resources that were created with the firewall.

若要了解模板中防火墙的 JSON 语法和属性,请参阅 Microsoft.Network/azureFirewallsTo learn about the JSON syntax and properties for a firewall in a template, see Microsoft.Network/azureFirewalls.

清理资源Clean up resources

当不再需要这些资源时,可以通过运行 PowerShell 命令 Remove-AzResourceGroup 来删除资源组、防火墙和所有相关的资源。When you no longer need them, you can remove the resource group, firewall, and all related resources by running the Remove-AzResourceGroup PowerShell command. 若要删除名为 MyResourceGroup 的资源组,请运行:To remove a resource group named MyResourceGroup, run:

Remove-AzResourceGroup -Name MyResourceGroup

如果计划继续学习防火墙监视教程,请不要删除资源组和防火墙。Don't remove the resource group and firewall if you plan to continue on to the firewall monitoring tutorial.

后续步骤Next steps

接下来,可以监视 Azure 防火墙日志。Next, you can monitor the Azure Firewall logs.