
Tutorial: Create and manage Azure virtual networks for Linux virtual machines with the Azure CLI 2.0

Azure virtual machines use Azure networking for internal and external network communication. This tutorial walks through deploying two virtual machines and configuring Azure networking for these VMs. The examples in this tutorial assume that the VMs are hosting a web application with a database back-end; however, no application is deployed in the tutorial. In this tutorial, you learn how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

Open Azure Cloud Shell

Azure Cloud Shell is a free, interactive shell that you can use to run the steps in this article. Common Azure tools are preinstalled and configured in Cloud Shell for you to use with your account. Just select the Copy button to copy the code, paste it in Cloud Shell, and then press Enter to run it. There are a few ways to open Cloud Shell:

  • Select Try It in the upper-right corner of a code block.
  • Open Cloud Shell in your browser: https://shell.azure.com/bash
  • Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal.

If you choose to install and use the CLI locally, this tutorial requires that you are running the Azure CLI version 2.0.30 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI 2.0.

VM networking overview

Azure virtual networks enable secure network connections between virtual machines, the internet, and other Azure services such as Azure SQL Database. Virtual networks are broken down into logical segments called subnets. Subnets are used to control network flow and act as a security boundary. When a VM is deployed, it generally includes a virtual network interface, which is attached to a subnet.

As you complete the tutorial, the following virtual network resources are created:

Diagram: virtual network with two subnets

  • myVNet - The virtual network that the VMs use to communicate with each other and the internet.
  • myFrontendSubnet - The subnet in myVNet used by the front-end resources.
  • myPublicIPAddress - The public IP address used to access myFrontendVM from the internet.
  • myFrontendNic - The network interface used by myFrontendVM to communicate with myBackendVM.
  • myFrontendVM - The VM used to communicate between the internet and myBackendVM.
  • myBackendNSG - The network security group that controls communication between myFrontendVM and myBackendVM.
  • myBackendSubnet - The subnet associated with myBackendNSG and used by the back-end resources.
  • myBackendNic - The network interface used by myBackendVM to communicate with myFrontendVM.
  • myBackendVM - The VM that uses ports 22 and 3306 to communicate with myFrontendVM.

Create a virtual network and subnet

For this tutorial, a single virtual network is created with two subnets: a front-end subnet for hosting a web application, and a back-end subnet for hosting a database server.

Before you can create a virtual network, create a resource group with az group create. The following example creates a resource group named myRGNetwork in the eastus location.

az group create --name myRGNetwork --location eastus

Create virtual network

Use the az network vnet create command to create a virtual network. In this example, the network is named myVNet and is given an address prefix of 10.0.0.0/16. A subnet is also created with the name myFrontendSubnet and a prefix of 10.0.1.0/24. Later in this tutorial a front-end VM is connected to this subnet.

az network vnet create \
  --resource-group myRGNetwork \
  --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myFrontendSubnet \
  --subnet-prefix 10.0.1.0/24

Create subnet

A new subnet is added to the virtual network using the az network vnet subnet create command. In this example, the subnet is named myBackendSubnet and is given an address prefix of 10.0.2.0/24. This subnet is used for all back-end services.

az network vnet subnet create \
  --resource-group myRGNetwork \
  --vnet-name myVNet \
  --name myBackendSubnet \
  --address-prefix 10.0.2.0/24

At this point, a network has been created and segmented into two subnets, one for front-end services and another for back-end services. In the next section, virtual machines are created and connected to these subnets.
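Azure rejects a subnet whose prefix falls outside the VNet address space or overlaps another subnet in the same VNet, and it reserves five addresses in every subnet (network address, default gateway, two for Azure DNS, broadcast). The following Python script is an added example, not part of the Azure tutorial, that applies those checks to the tutorial's address plan offline before any az network vnet command is run; the function names are this example's own, not Azure CLI names.

```python
"""Added example, not part of the Azure tutorial: validate a VNet address plan offline.

Azure rejects a subnet whose prefix lies outside the VNet's address space or
overlaps another subnet in the same VNet, and it reserves five addresses in
every subnet (network, default gateway, two for Azure DNS, broadcast). These
checks reproduce those constraints so a plan can be verified before any
`az network vnet ...` command runs. Function names are this example's own.
"""
import ipaddress

# The tutorial's address plan, taken from its az commands.
VNET_PREFIX = "10.0.0.0/16"
SUBNETS = {
    "myFrontendSubnet": "10.0.1.0/24",
    "myBackendSubnet": "10.0.2.0/24",
}


def validate_subnet_plan(vnet_prefix, subnets):
    """Return a list of problems found in the plan; an empty list means it is valid."""
    vnet = ipaddress.ip_network(vnet_prefix, strict=True)
    problems = []
    parsed = {}
    for name, prefix in subnets.items():
        try:
            # strict=True rejects prefixes with host bits set, e.g. 10.0.1.5/24
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {prefix} is not a valid prefix ({exc})")
            continue
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {prefix} is outside the VNet space {vnet}")
        parsed[name] = net
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


def azure_usable_addresses(prefix):
    """Number of addresses a VM can actually take in an Azure subnet of this size."""
    return ipaddress.ip_network(prefix, strict=True).num_addresses - 5


if __name__ == "__main__":
    issues = validate_subnet_plan(VNET_PREFIX, SUBNETS)
    print("plan OK" if not issues else "\n".join(issues))
    for name, prefix in SUBNETS.items():
        print(f"{name}: {azure_usable_addresses(prefix)} usable addresses")
```

Running the script against the tutorial's plan reports no problems and 251 usable addresses per /24; feeding it an overlapping or out-of-range subnet returns the problem text instead of failing later at the az command.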

Create a public IP address

A public IP address allows Azure resources to be accessible on the internet. The allocation method of the public IP address can be configured as dynamic or static. By default, a public IP address is dynamically allocated. Dynamic IP addresses are released when a VM is deallocated, so the IP address changes during any operation that includes a VM deallocation.

The allocation method can be set to static, which ensures that the IP address remains assigned to a VM, even while it is deallocated. When using a statically allocated IP address, the IP address itself cannot be specified. Instead, it is allocated from a pool of available addresses.

az network public-ip create --resource-group myRGNetwork --name myPublicIPAddress

When creating a VM with the az vm create command, the default public IP address allocation method is dynamic. To assign a static public IP address at creation time, include the --public-ip-address-allocation static argument with az vm create. This operation is not demonstrated in this tutorial; however, in the next section a dynamically allocated IP address is changed to a statically allocated address.

Change allocation method

The IP address allocation method can be changed using the az network public-ip update command. In this example, the IP address allocation method of the front-end VM is changed to static.

First, deallocate the VM.

az vm deallocate --resource-group myRGNetwork --name myFrontendVM

Use the az network public-ip update command to update the allocation method. In this case, --allocation-method is set to static.

az network public-ip update --resource-group myRGNetwork --name myPublicIPAddress --allocation-method static

Start the VM.

az vm start --resource-group myRGNetwork --name myFrontendVM --no-wait

No public IP address

Often, a VM does not need to be accessible over the internet. To create a VM without a public IP address, use the --public-ip-address "" argument with an empty set of double quotes. This configuration is demonstrated later in this tutorial.

Create a front-end VM

Use the az vm create command to create the VM named myFrontendVM using myPublicIPAddress.

az vm create \
  --resource-group myRGNetwork \
  --name myFrontendVM \
  --vnet-name myVNet \
  --subnet myFrontendSubnet \
  --nsg myFrontendNSG \
  --public-ip-address myPublicIPAddress \
  --image UbuntuLTS \
  --generate-ssh-keys

Secure network traffic

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNets). NSGs can be associated with subnets or with individual network interfaces. When an NSG is associated with a network interface, it applies only to the associated VM. When an NSG is associated with a subnet, the rules apply to all resources connected to the subnet.

Network security group rules

NSG rules define the network ports over which traffic is allowed or denied. The rules can include source and destination IP address ranges so that traffic is controlled between specific systems or subnets. NSG rules also include a priority between 1 and 4096. Rules are evaluated in priority order: a rule with a priority of 100 is evaluated before a rule with priority 200.

All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest priority, they can be overridden by the rules that you create.

The default rules for NSGs are:

  • Virtual network - Traffic originating and ending in a virtual network is allowed in both the inbound and outbound directions.
  • Internet - Outbound traffic is allowed, but inbound traffic is blocked.
  • Load balancer - Allows Azure's load balancer to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule.

Create network security groups

A network security group can be created at the same time as a VM using the az vm create command. When doing so, the NSG is associated with the VM's network interface and an NSG rule is automatically created to allow traffic on port 22 from any source. Earlier in this tutorial, the front-end NSG was auto-created with the front-end VM, and an NSG rule for port 22 was auto-created with it.

In some cases, it may be helpful to pre-create an NSG, such as when the default SSH rule should not be created, or when the NSG should be attached to a subnet.

Use the az network nsg create command to create a network security group.

az network nsg create --resource-group myRGNetwork --name myBackendNSG

Instead of associating the NSG with a network interface, it is associated with a subnet. In this configuration, any VM that is attached to the subnet inherits the NSG rules.

Update the existing subnet named myBackendSubnet with the new NSG.

az network vnet subnet update \
  --resource-group myRGNetwork \
  --vnet-name myVNet \
  --name myBackendSubnet \
  --network-security-group myBackendNSG

Secure incoming traffic

When the front-end VM was created, an NSG rule was created to allow incoming traffic on port 22. This rule allows SSH connections to the VM. For this example, traffic should also be allowed on port 80. This configuration allows a web application on the VM to be accessed.

Use the az network nsg rule create command to create a rule for port 80.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myFrontendNSG \
  --name http \
  --access allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 80

The front-end VM is only accessible on port 22 and port 80. All other incoming traffic is blocked at the network security group. It may be helpful to visualize the NSG rule configuration. Return the NSG rule configuration with the az network nsg rule list command.

az network nsg rule list --resource-group myRGNetwork --nsg-name myFrontendNSG --output table

Secure VM to VM traffic

Network security group rules can also apply between VMs. For this example, the front-end VM needs to communicate with the back-end VM on ports 22 and 3306. This configuration allows SSH connections from the front-end VM, and also allows an application on the front-end VM to communicate with a back-end MySQL database. All other traffic between the front-end and back-end virtual machines should be blocked.

Use the az network nsg rule create command to create a rule for port 22. Notice that the --source-address-prefix argument specifies a value of 10.0.1.0/24. This configuration ensures that only traffic from the front-end subnet is allowed through the NSG.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name SSH \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix 10.0.1.0/24 \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "22"

Now add a rule for MySQL traffic on port 3306.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name MySQL \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix 10.0.1.0/24 \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "3306"

Finally, because NSGs have a default rule allowing all traffic between VMs in the same VNet, a rule can be created for the back-end NSG to block all traffic. Notice that --priority is given a value of 300, which is a lower priority than both the SSH and MySQL rules (a higher number is evaluated later). This configuration ensures that SSH and MySQL traffic is still allowed through the NSG.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name denyAll \
  --access Deny \
  --protocol Tcp \
  --direction Inbound \
  --priority 300 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "*"
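The NSG semantics described under "Network security group rules" and the three back-end rules above can be checked without deploying anything. The following Python script is an added example, not part of the Azure tutorial, that models inbound rule evaluation (lowest priority number first, first match wins, default rules at 65000-65500) and runs the tutorial's myBackendNSG rules over constructed sample flows. The VirtualNetwork and AzureLoadBalancer service tags are approximated as the tutorial's 10.0.0.0/16 and the health-probe source 168.63.129.16, which ignores peered and on-premises ranges; function names are this example's own.

```python
"""Added example, not part of the Azure tutorial: simulate NSG inbound rule evaluation.

An NSG evaluates rules from the lowest priority number upward and the first
matching rule decides; the three default inbound rules sit at 65000-65500.
Service tags are approximated for this offline model: VirtualNetwork is the
tutorial's 10.0.0.0/16 (the real tag also covers peered and on-premises
ranges) and AzureLoadBalancer is the health-probe source 168.63.129.16.
Rule data below comes from the tutorial's az commands; function names are
this example's own.
"""
import ipaddress

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")
LOAD_BALANCER_PROBE_IP = ipaddress.ip_address("168.63.129.16")

# Each rule: (name, priority, access, protocol, source prefix, destination port range)
DEFAULT_INBOUND_RULES = [
    ("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    ("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    ("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# The rules the tutorial adds to myBackendNSG.
BACKEND_NSG_RULES = [
    ("SSH", 100, "Allow", "Tcp", "10.0.1.0/24", "22"),
    ("MySQL", 200, "Allow", "Tcp", "10.0.1.0/24", "3306"),
    ("denyAll", 300, "Deny", "Tcp", "*", "*"),
]


def _source_matches(source, src_ip):
    """Match a source CIDR, '*' or an (approximated) service tag against an address."""
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return src_ip in VNET_PREFIX
    if source == "AzureLoadBalancer":
        return src_ip == LOAD_BALANCER_PROBE_IP
    if source == "Internet":
        return src_ip not in VNET_PREFIX
    return src_ip in ipaddress.ip_network(source)


def _port_matches(port_range, dst_port):
    """Match '*', a single port ('22') or a range ('1024-65535')."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= dst_port <= int(high or low)


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol):
    """Return (access, rule_name) of the first rule that matches the flow."""
    src = ipaddress.ip_address(src_ip)
    for name, _priority, access, proto, source, ports in sorted(
        custom_rules + DEFAULT_INBOUND_RULES, key=lambda rule: rule[1]
    ):
        if proto != "*" and proto.lower() != protocol.lower():
            continue
        if _source_matches(source, src) and _port_matches(ports, dst_port):
            return access, name
    raise RuntimeError("DenyAllInBound should always match")


if __name__ == "__main__":
    # Constructed sample flows against the back-end NSG.
    flows = [
        ("10.0.1.4", 22, "Tcp"),        # front-end VM -> SSH: allowed by SSH rule
        ("10.0.1.4", 3306, "Tcp"),      # front-end VM -> MySQL: allowed
        ("10.0.1.4", 80, "Tcp"),        # front-end VM -> HTTP: denied by denyAll
        ("10.0.2.5", 22, "Tcp"),        # another back-end VM: denied, not front-end subnet
        ("203.0.113.7", 3306, "Tcp"),   # internet source: denied
        ("10.0.2.5", 53, "Udp"),        # UDP inside the VNet: denyAll is TCP-only
        ("168.63.129.16", 22, "Tcp"),   # TCP health probe: denyAll precedes 65001
    ]
    for src, port, proto in flows:
        access, rule = evaluate_inbound(BACKEND_NSG_RULES, src, port, proto)
        print(f"{src:>15} -> {proto}/{port:<5} {access:<5} ({rule})")
```

Two of the sample flows are worth noting. Because the tutorial's denyAll rule is created with --protocol Tcp, UDP or ICMP traffic from elsewhere in the VNet still reaches the back-end subnet through the default AllowVnetInBound rule; to block every protocol, create the deny rule with --protocol "*". Conversely, a TCP deny-all at priority 300 is evaluated before the default AllowAzureLoadBalancerInBound rule at 65001, so if a load balancer is later placed in front of these VMs its TCP health probes need an explicit allow rule with a lower priority number.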

Create back-end VM

Now create a virtual machine that is attached to myBackendSubnet. Notice that the --nsg argument has a value of empty double quotes: an NSG does not need to be created with the VM, because the VM is attached to the back-end subnet, which is protected by the pre-created back-end NSG, and that NSG applies to the VM. Also notice that the --public-ip-address argument has a value of empty double quotes. This configuration creates a VM without a public IP address.

az vm create \
  --resource-group myRGNetwork \
  --name myBackendVM \
  --vnet-name myVNet \
  --subnet myBackendSubnet \
  --public-ip-address "" \
  --nsg "" \
  --image UbuntuLTS \
  --generate-ssh-keys

The back-end VM is only accessible on port 22 and port 3306 from the front-end subnet. All other incoming traffic is blocked at the network security group. It may be helpful to visualize the NSG rule configuration. Return the NSG rule configuration with the az network nsg rule list command.

az network nsg rule list --resource-group myRGNetwork --nsg-name myBackendNSG --output table

Next steps

In this tutorial, you created and secured Azure networks as related to virtual machines. You learned how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

Advance to the next tutorial to learn about securing data on virtual machines using Azure Backup.