
Manage Azure Virtual Networks and Windows Virtual Machines with Azure PowerShell

Azure virtual machines use Azure networking for internal and external network communication. This tutorial walks through deploying two virtual machines and configuring Azure networking for these VMs. The examples in this tutorial assume that the VMs host a web application with a database back end; the application itself is not deployed in the tutorial. In this tutorial, you learn how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

While completing this tutorial, you can see these resources created:

Virtual network with two subnets

  • myVNet - The virtual network that the VMs use to communicate with each other and the internet.
  • myFrontendSubnet - The subnet in myVNet used by the front-end resources.
  • myPublicIPAddress - The public IP address used to access myFrontendVM from the internet.
  • myFrontendNic - The network interface used by myFrontendVM to communicate with myBackendVM.
  • myFrontendVM - The VM used to communicate between the internet and myBackendVM.
  • myBackendNSG - The network security group that controls communication between myFrontendVM and myBackendVM.
  • myBackendSubnet - The subnet associated with myBackendNSG and used by the back-end resources.
  • myBackendNic - The network interface used by myBackendVM to communicate with myFrontendVM.
  • myBackendVM - The VM that uses port 1433 to communicate with myFrontendVM.

This tutorial requires the Azure PowerShell module version 3.6 or later. To find the version, run Get-Module -ListAvailable AzureRM. If you need to upgrade, see Install Azure PowerShell module.

VM networking overview

Azure virtual networks enable secure network connections between virtual machines, the internet, and other Azure services such as Azure SQL Database. Virtual networks are broken down into logical segments called subnets. Subnets are used to control network flow and serve as a security boundary. When a VM is deployed, it generally includes a virtual network interface, which is attached to a subnet.

Create a virtual network and subnet

For this tutorial, a single virtual network is created with two subnets: a front-end subnet for hosting a web application, and a back-end subnet for hosting a database server.

Before you can create a virtual network, create a resource group using New-AzureRmResourceGroup. The following example creates a resource group named myRGNetwork in the EastUS location:

New-AzureRmResourceGroup -ResourceGroupName myRGNetwork -Location EastUS

Create subnet configurations

Create a subnet configuration named myFrontendSubnet using New-AzureRmVirtualNetworkSubnetConfig:

$frontendSubnet = New-AzureRmVirtualNetworkSubnetConfig `
  -Name myFrontendSubnet `
  -AddressPrefix 10.0.0.0/24

Then create a subnet configuration named myBackendSubnet:

$backendSubnet = New-AzureRmVirtualNetworkSubnetConfig `
  -Name myBackendSubnet `
  -AddressPrefix 10.0.1.0/24

Create virtual network

Create a virtual network named myVNet containing myFrontendSubnet and myBackendSubnet using New-AzureRmVirtualNetwork:

$vnet = New-AzureRmVirtualNetwork `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -Name myVNet `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $frontendSubnet, $backendSubnet

At this point, a network has been created and segmented into two subnets, one for front-end services and another for back-end services. In the next section, virtual machines are created and connected to these subnets.

Create a public IP address

A public IP address allows Azure resources to be reachable from the internet. The allocation method of the public IP address can be configured as dynamic or static. By default, a public IP address is dynamically allocated. Dynamic IP addresses are released when a VM is deallocated, so the IP address changes during any operation that includes a VM deallocation.

The allocation method can be set to static, which ensures that the IP address remains assigned to a VM even while the VM is deallocated. When using a statically allocated IP address, the IP address itself cannot be specified. Instead, it is allocated from a pool of available addresses.

Create a public IP address named myPublicIPAddress using New-AzureRmPublicIpAddress:

$pip = New-AzureRmPublicIpAddress `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -AllocationMethod Dynamic `
  -Name myPublicIPAddress

You could change the -AllocationMethod parameter to Static to assign a static public IP address.

Create a front-end VM

For a VM to communicate in a virtual network, it needs a virtual network interface (NIC). Create a NIC using New-AzureRmNetworkInterface:

$frontendNic = New-AzureRmNetworkInterface `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -Name myFrontendNic `
  -SubnetId $vnet.Subnets[0].Id `
  -PublicIpAddressId $pip.Id

Set the username and password needed for the administrator account on the VM using Get-Credential. You use these credentials to connect to the VM in later steps:

$cred = Get-Credential

Create the VM using New-AzureRmVMConfig, Set-AzureRmVMOperatingSystem, Set-AzureRmVMSourceImage, Set-AzureRmVMOSDisk, Add-AzureRmVMNetworkInterface, and New-AzureRmVM:

$frontendVM = New-AzureRmVMConfig `
    -VMName myFrontendVM `
    -VMSize Standard_D1
$frontendVM = Set-AzureRmVMOperatingSystem `
    -VM $frontendVM `
    -Windows `
    -ComputerName myFrontendVM `
    -Credential $cred `
    -ProvisionVMAgent `
    -EnableAutoUpdate
$frontendVM = Set-AzureRmVMSourceImage `
    -VM $frontendVM `
    -PublisherName MicrosoftWindowsServer `
    -Offer WindowsServer `
    -Skus 2016-Datacenter `
    -Version latest
$frontendVM = Set-AzureRmVMOSDisk `
    -VM $frontendVM `
    -Name myFrontendOSDisk `
    -DiskSizeInGB 128 `
    -CreateOption FromImage `
    -Caching ReadWrite
$frontendVM = Add-AzureRmVMNetworkInterface `
    -VM $frontendVM `
    -Id $frontendNic.Id
New-AzureRmVM `
    -ResourceGroupName myRGNetwork `
    -Location EastUS `
    -VM $frontendVM

Secure network traffic

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated with subnets or with individual network interfaces. When an NSG is associated with a network interface, it applies only to the associated VM. When an NSG is associated with a subnet, the rules apply to all resources connected to the subnet.

Network security group rules

NSG rules define the network ports over which traffic is allowed or denied. The rules can include source and destination IP address ranges so that traffic is controlled between specific systems or subnets. NSG rules also include a priority (between 1 and 4096). Rules are evaluated in order of priority: a rule with a priority of 100 is evaluated before a rule with priority 200.

All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest priority, they can be overridden by the rules that you create.

  • Virtual network - Traffic originating and ending in a virtual network is allowed in both the inbound and outbound directions.
  • Internet - Outbound traffic is allowed, but inbound traffic is blocked.
  • Load balancer - Allows Azure's load balancer to probe the health of your VMs and role instances. If you are not using a load-balanced set, you can override this rule.

Create network security groups

Create an inbound rule named myFrontendNSGRule to allow incoming web traffic to myFrontendVM using New-AzureRmNetworkSecurityRuleConfig:

$nsgFrontendRule = New-AzureRmNetworkSecurityRuleConfig `
  -Name myFrontendNSGRule `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 200 `
  -SourceAddressPrefix * `
  -SourcePortRange * `
  -DestinationAddressPrefix * `
  -DestinationPortRange 80 `
  -Access Allow

You can limit internal traffic to myBackendVM so that it comes only from myFrontendVM by creating an NSG for the back-end subnet. The following example creates an NSG rule named myBackendNSGRule:

$nsgBackendRule = New-AzureRmNetworkSecurityRuleConfig `
  -Name myBackendNSGRule `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 100 `
  -SourceAddressPrefix 10.0.0.0/24 `
  -SourcePortRange * `
  -DestinationAddressPrefix * `
  -DestinationPortRange 1433 `
  -Access Allow

Add a network security group named myFrontendNSG using New-AzureRmNetworkSecurityGroup:

$nsgFrontend = New-AzureRmNetworkSecurityGroup `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -Name myFrontendNSG `
  -SecurityRules $nsgFrontendRule

Now add a network security group named myBackendNSG using New-AzureRmNetworkSecurityGroup:

$nsgBackend = New-AzureRmNetworkSecurityGroup `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -Name myBackendNSG `
  -SecurityRules $nsgBackendRule

Add the network security groups to the subnets:

$vnet = Get-AzureRmVirtualNetwork `
  -ResourceGroupName myRGNetwork `
  -Name myVNet
$frontendSubnet = $vnet.Subnets[0]
$backendSubnet = $vnet.Subnets[1]
$frontendSubnetConfig = Set-AzureRmVirtualNetworkSubnetConfig `
  -VirtualNetwork $vnet `
  -Name myFrontendSubnet `
  -AddressPrefix $frontendSubnet.AddressPrefix `
  -NetworkSecurityGroup $nsgFrontend
$backendSubnetConfig = Set-AzureRmVirtualNetworkSubnetConfig `
  -VirtualNetwork $vnet `
  -Name myBackendSubnet `
  -AddressPrefix $backendSubnet.AddressPrefix `
  -NetworkSecurityGroup $nsgBackend
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
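The back-end allow rule above admits port 1433 from the front-end subnet, but the default AllowVnetInBound rule still admits 1433 from any other address in myVNet. The following added example (not part of the original tutorial) uses the priority ordering described above to close that gap with an explicit deny rule placed between the custom allow rule and the default rules, then audits the NSG and the effective rules on myBackendNic. The resource names come from the tutorial; the rule name DenyOtherSqlInBound is an assumption.

```powershell
# Added example, not part of the original tutorial. Assumes the tutorial's
# resources exist; DenyOtherSqlInBound is an assumed rule name.
$nsgBackend = Get-AzureRmNetworkSecurityGroup `
  -ResourceGroupName myRGNetwork `
  -Name myBackendNSG

# Rules are evaluated lowest priority number first and the first match wins.
# Priority 110 sits after the allow rule (100) but before the default
# AllowVnetInBound rule (65000), so 1433 from anywhere other than
# 10.0.0.0/24 is now denied instead of falling through to the default allow.
$nsgBackend = Add-AzureRmNetworkSecurityRuleConfig `
  -NetworkSecurityGroup $nsgBackend `
  -Name DenyOtherSqlInBound `
  -Protocol Tcp `
  -Direction Inbound `
  -Priority 110 `
  -SourceAddressPrefix * `
  -SourcePortRange * `
  -DestinationAddressPrefix * `
  -DestinationPortRange 1433 `
  -Access Deny
$nsgBackend = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsgBackend

# Audit: warn about any custom inbound Allow rule that accepts traffic from
# any source. On the back-end NSG this list should be empty.
$nsgBackend.SecurityRules |
  Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                 $_.SourceAddressPrefix -contains '*' } |
  ForEach-Object {
    Write-Warning "Rule $($_.Name) allows inbound from any source on port(s) $($_.DestinationPortRange)"
  }

# Confirm what actually reaches the back-end NIC: the effective view merges
# the default rules with the custom ones. Requires myBackendVM to be running.
Get-AzureRmEffectiveNetworkSecurityGroup `
  -NetworkInterfaceName myBackendNic `
  -ResourceGroupName myRGNetwork |
  Select-Object -ExpandProperty EffectiveSecurityRules |
  Where-Object { $_.Direction -eq 'Inbound' } |
  Sort-Object Priority |
  Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

In the effective-rule table, DenyOtherSqlInBound should appear directly after myBackendNSGRule and before the three default rules.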

Create a back-end VM

The easiest way to create the back-end VM for this tutorial is by using a SQL Server image. This tutorial only creates the VM with the database server; it doesn't cover accessing the database.

Create myBackendNic:

$backendNic = New-AzureRmNetworkInterface `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -Name myBackendNic `
  -SubnetId $vnet.Subnets[1].Id

Set the username and password needed for the administrator account on the VM with Get-Credential:

$cred = Get-Credential

Create myBackendVM:

$backendVM = New-AzureRmVMConfig `
  -VMName myBackendVM `
  -VMSize Standard_D1
$backendVM = Set-AzureRmVMOperatingSystem `
  -VM $backendVM `
  -Windows `
  -ComputerName myBackendVM `
  -Credential $cred `
  -ProvisionVMAgent `
  -EnableAutoUpdate
$backendVM = Set-AzureRmVMSourceImage `
  -VM $backendVM `
  -PublisherName MicrosoftSQLServer `
  -Offer SQL2016SP1-WS2016 `
  -Skus Enterprise `
  -Version latest
$backendVM = Set-AzureRmVMOSDisk `
  -VM $backendVM `
  -Name myBackendOSDisk `
  -DiskSizeInGB 128 `
  -CreateOption FromImage `
  -Caching ReadWrite
$backendVM = Add-AzureRmVMNetworkInterface `
  -VM $backendVM `
  -Id $backendNic.Id
New-AzureRmVM `
  -ResourceGroupName myRGNetwork `
  -Location EastUS `
  -VM $backendVM

The image that is used has SQL Server installed, but SQL Server itself is not used in this tutorial. It is included to show how you can configure one VM to handle web traffic and another VM to handle database management.

Next steps

In this tutorial, you created and secured Azure networks as related to virtual machines. You learned how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

Advance to the next tutorial to learn about monitoring and securing data on virtual machines using Azure Backup.