Tutorial: Create and manage Azure virtual networks for Linux virtual machines with the Azure CLI

Azure virtual machines use Azure networking for internal and external network communication. This tutorial walks through deploying two virtual machines (VMs) and configuring Azure networking for these VMs. The examples in this tutorial assume that the VMs host a web application with a database back-end; however, no application is deployed in the tutorial. In this tutorial, you learn how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

Open Azure Cloud Shell

Azure Cloud Shell is an interactive shell environment hosted in Azure and used through your browser. Azure Cloud Shell allows you to use either the bash or PowerShell shell to run a variety of tools that work with Azure services. Azure Cloud Shell comes pre-installed with the commands needed to run the content of this article without installing anything on your local environment.

To run any code contained in this article on Azure Cloud Shell, open a Cloud Shell session, use the Copy button on a code block to copy the code, and paste it into the Cloud Shell session with Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS. Pasted text is not automatically executed, so press Enter to run the code.

You can launch Azure Cloud Shell with:

Option | Example/Link
Select Try It in the upper-right corner of a code block. This does not automatically copy text to Cloud Shell. | (image: Try It example for Azure Cloud Shell)
Open Azure Cloud Shell in your browser. | https://shell.azure.com
Select the Cloud Shell button on the menu in the upper-right corner of the Azure portal. | (image: Cloud Shell button in the Azure portal)

If you choose to install and use the CLI locally, this tutorial requires that you are running Azure CLI version 2.0.30 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

VM networking overview

Azure virtual networks enable secure network connections between virtual machines, the internet, and other Azure services such as Azure SQL Database. Virtual networks are broken down into logical segments called subnets. Subnets are used to control network flow and act as a security boundary. When a VM is deployed, it generally includes a virtual network interface, which is attached to a subnet.

As you complete the tutorial, the following virtual network resources are created:

Virtual network with two subnets

  • myVNet - The virtual network that the VMs use to communicate with each other and with the internet.
  • myFrontendSubnet - The subnet in myVNet used by the front-end resources.
  • myPublicIPAddress - The public IP address used to access myFrontendVM from the internet.
  • myFrontendNic - The network interface used by myFrontendVM to communicate with myBackendVM.
  • myFrontendVM - The VM used to communicate between the internet and myBackendVM.
  • myBackendNSG - The network security group that controls communication between myFrontendVM and myBackendVM.
  • myBackendSubnet - The subnet associated with myBackendNSG and used by the back-end resources.
  • myBackendNic - The network interface used by myBackendVM to communicate with myFrontendVM.
  • myBackendVM - The VM that uses ports 22 and 3306 to communicate with myFrontendVM.

Create a virtual network and subnet

For this tutorial, a single virtual network is created with two subnets: a front-end subnet for hosting a web application, and a back-end subnet for hosting a database server.

Before you can create a virtual network, create a resource group with az group create. The following example creates a resource group named myRGNetwork in the eastus location.

az group create --name myRGNetwork --location eastus

Create virtual network

Use the az network vnet create command to create a virtual network. In this example, the network is named myVNet and is given an address prefix of 10.0.0.0/16. A subnet is also created with the name myFrontendSubnet and a prefix of 10.0.1.0/24. Later in this tutorial, a front-end VM is connected to this subnet.

az network vnet create \
  --resource-group myRGNetwork \
  --name myVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name myFrontendSubnet \
  --subnet-prefix 10.0.1.0/24

Create subnet

A new subnet is added to the virtual network using the az network vnet subnet create command. In this example, the subnet is named myBackendSubnet and is given an address prefix of 10.0.2.0/24. This subnet is used by all back-end services.

az network vnet subnet create \
  --resource-group myRGNetwork \
  --vnet-name myVNet \
  --name myBackendSubnet \
  --address-prefix 10.0.2.0/24

At this point, a network has been created and segmented into two subnets, one for front-end services and another for back-end services. In the next section, virtual machines are created and connected to these subnets.

Create a public IP address

A public IP address allows Azure resources to be accessible on the internet. The allocation method of the public IP address can be configured as dynamic or static. By default, a public IP address is dynamically allocated. Dynamic IP addresses are released when a VM is deallocated. This behavior causes the IP address to change during any operation that includes a VM deallocation.

The allocation method can be set to static, which ensures that the IP address remains assigned to a VM, even while it is deallocated. When using a statically allocated IP address, the IP address itself cannot be specified. Instead, it is allocated from a pool of available addresses.

az network public-ip create --resource-group myRGNetwork --name myPublicIPAddress

When creating a VM with the az vm create command, the default public IP address allocation method is dynamic. When creating a virtual machine using the az vm create command, include the --public-ip-address-allocation static argument to assign a static public IP address. This operation is not demonstrated in this tutorial; instead, in the next section a dynamically allocated IP address is changed to a statically allocated address.

Change allocation method

The IP address allocation method can be changed using the az network public-ip update command. In this example, the IP address allocation method of the front-end VM is changed to static.

First, deallocate the VM.

az vm deallocate --resource-group myRGNetwork --name myFrontendVM

Use the az network public-ip update command to update the allocation method. In this case, --allocation-method is set to static.

az network public-ip update --resource-group myRGNetwork --name myPublicIPAddress --allocation-method static

Start the VM.

az vm start --resource-group myRGNetwork --name myFrontendVM --no-wait

No public IP address

Often, a VM does not need to be accessible over the internet. To create a VM without a public IP address, use the --public-ip-address "" argument with an empty set of double quotes. This configuration is demonstrated later in this tutorial.

Create a front-end VM

Use the az vm create command to create the VM named myFrontendVM using myPublicIPAddress.

az vm create \
  --resource-group myRGNetwork \
  --name myFrontendVM \
  --vnet-name myVNet \
  --subnet myFrontendSubnet \
  --nsg myFrontendNSG \
  --public-ip-address myPublicIPAddress \
  --image UbuntuLTS \
  --generate-ssh-keys

Secure network traffic

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNets). NSGs can be associated with subnets or with individual network interfaces. When an NSG is associated with a network interface, it applies only to the associated VM. When an NSG is associated with a subnet, the rules apply to all resources connected to the subnet.

Network security group rules

NSG rules define the network ports over which traffic is allowed or denied. The rules can include source and destination IP address ranges so that traffic is controlled between specific systems or subnets. NSG rules also include a priority (between 1 and 4096). Rules are evaluated in order of priority: a rule with a priority of 100 is evaluated before a rule with priority 200.

All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest priority, they can be overridden by the rules that you create.

The default rules for NSGs are:

  • Virtual network - Traffic originating and ending in a virtual network is allowed in both the inbound and outbound directions.
  • Internet - Outbound traffic is allowed, but inbound traffic is blocked.
  • Load balancer - Allows Azure's load balancer to probe the health of your VMs and role instances. If you are not using a load-balanced set, you can override this rule.

Create network security groups

A network security group can be created at the same time as a VM using the az vm create command. When doing so, the NSG is associated with the VM's network interface, and an NSG rule is auto-created to allow traffic on port 22 from any source. Earlier in this tutorial, the front-end NSG was auto-created with the front-end VM, and an NSG rule was also auto-created for port 22.

In some cases, it may be helpful to pre-create an NSG, such as when the default SSH rule should not be created, or when the NSG should be attached to a subnet.

Use the az network nsg create command to create a network security group.

az network nsg create --resource-group myRGNetwork --name myBackendNSG

Instead of associating the NSG with a network interface, it is associated with a subnet. In this configuration, any VM that is attached to the subnet inherits the NSG rules.

Update the existing subnet named myBackendSubnet with the new NSG.

az network vnet subnet update \
  --resource-group myRGNetwork \
  --vnet-name myVNet \
  --name myBackendSubnet \
  --network-security-group myBackendNSG

Secure incoming traffic

When the front-end VM was created, an NSG rule was created to allow incoming traffic on port 22. This rule allows SSH connections to the VM. For this example, traffic should also be allowed on port 80. This configuration allows a web application on the VM to be accessed.

Use the az network nsg rule create command to create a rule for port 80.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myFrontendNSG \
  --name http \
  --access allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range 80

The front-end VM is only accessible on port 22 and port 80. All other incoming traffic is blocked at the network security group. It may be helpful to visualize the NSG rule configuration. Return the NSG rule configuration with the az network nsg rule list command.

az network nsg rule list --resource-group myRGNetwork --nsg-name myFrontendNSG --output table

Secure VM to VM traffic

Network security group rules can also apply between VMs. For this example, the front-end VM needs to communicate with the back-end VM on ports 22 and 3306. This configuration allows SSH connections from the front-end VM, and also allows an application on the front-end VM to communicate with a back-end MySQL database. All other traffic between the front-end and back-end virtual machines should be blocked.

Use the az network nsg rule create command to create a rule for port 22. Notice that the --source-address-prefix argument specifies a value of 10.0.1.0/24. This configuration ensures that only traffic from the front-end subnet is allowed through the NSG.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name SSH \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix 10.0.1.0/24 \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "22"

Now add a rule for MySQL traffic on port 3306.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name MySQL \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 200 \
  --source-address-prefix 10.0.1.0/24 \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "3306"

Finally, because NSGs have a default rule allowing all traffic between VMs in the same VNet, a rule can be created for the back-end NSG to block all traffic. Notice here that --priority is given a value of 300, which gives this rule a lower priority than both the SSH and MySQL rules (priorities 100 and 200 are evaluated first). This configuration ensures that SSH and MySQL traffic is still allowed through the NSG.

az network nsg rule create \
  --resource-group myRGNetwork \
  --nsg-name myBackendNSG \
  --name denyAll \
  --access Deny \
  --protocol Tcp \
  --direction Inbound \
  --priority 300 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "*" \
  --destination-port-range "*"
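The first-match-by-priority evaluation described above (the tutorial's three myBackendNSG rules ahead of Azure's default VirtualNetwork and deny-all rules) can be modelled offline. The following bash evaluator is an added example, not part of the tutorial or of the Azure CLI; it assumes the VirtualNetwork tag means the tutorial's 10.0.0.0/16 address space, models only the AllowVnetInBound (65000) and DenyAllInBound (65500) defaults, and treats every rule's destination prefix as "*" as the tutorial's rules do.

```shell
#!/usr/bin/env bash
# Added example: approximate inbound rule evaluation for myBackendNSG as built
# in the tutorial. Rules are checked lowest priority number first; the first
# match decides. Rule table is constructed to mirror the tutorial's commands
# plus two of Azure's default rules (assumption: VirtualNetwork = 10.0.0.0/16).
# priority access protocol source-prefix dest-port
BACKEND_NSG_RULES="
100 Allow Tcp 10.0.1.0/24 22
200 Allow Tcp 10.0.1.0/24 3306
300 Deny Tcp * *
65000 Allow * VirtualNetwork *
65500 Deny * * *
"

# Convert a dotted IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP PREFIX: succeeds when IP lies inside PREFIX ("*", the
# VirtualNetwork tag, or a CIDR block).
in_prefix() {
  local ip=$1 prefix=$2
  case "$prefix" in
    '*') return 0 ;;
    VirtualNetwork) prefix=10.0.0.0/16 ;;   # assumption: the tutorial's myVNet
  esac
  local net=${prefix%/*} bits=${prefix#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# nsg_eval SRC_IP DST_PORT [PROTOCOL]: prints "<Allow|Deny> <priority>" of the
# first matching rule (protocol defaults to Tcp).
nsg_eval() {
  local src=$1 port=$2 proto=${3:-Tcp}
  local prio access rproto rsrc rport
  printf '%s\n' "$BACKEND_NSG_RULES" | sort -n |
  while read -r prio access rproto rsrc rport; do
    [ -z "$prio" ] && continue
    [ "$rproto" = '*' ] || [ "$rproto" = "$proto" ] || continue
    [ "$rport" = '*' ] || [ "$rport" = "$port" ] || continue
    in_prefix "$src" "$rsrc" || continue
    echo "$access $prio"
    break
  done
}

# Sample evaluations (constructed addresses from the tutorial's subnets).
echo "front-end -> 22/tcp:   $(nsg_eval 10.0.1.4 22)"
echo "front-end -> 3306/tcp: $(nsg_eval 10.0.1.4 3306)"
echo "front-end -> 80/tcp:   $(nsg_eval 10.0.1.4 80)"
echo "back-end  -> 22/tcp:   $(nsg_eval 10.0.2.5 22)"
echo "front-end -> 53/udp:   $(nsg_eval 10.0.1.4 53 Udp)"
```

The last case shows the caveat a reviewer would raise: the tutorial's denyAll rule is --protocol Tcp only, so non-TCP traffic from the VNet still falls through to the default AllowVnetInBound rule unless the deny rule is widened to "*".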

Create back-end VM

Now create a virtual machine that is attached to myBackendSubnet. Notice that the --nsg argument has a value of empty double quotes: an NSG does not need to be created with the VM. The VM is attached to the back-end subnet, which is protected by the pre-created back-end NSG, so that NSG applies to the VM. Also notice that the --public-ip-address argument has a value of empty double quotes. This configuration creates a VM without a public IP address.

az vm create \
  --resource-group myRGNetwork \
  --name myBackendVM \
  --vnet-name myVNet \
  --subnet myBackendSubnet \
  --public-ip-address "" \
  --nsg "" \
  --image UbuntuLTS \
  --generate-ssh-keys

The back-end VM is only accessible on port 22 and port 3306 from the front-end subnet. All other incoming traffic is blocked at the network security group. It may be helpful to visualize the NSG rule configuration. Return the NSG rule configuration with the az network nsg rule list command.

az network nsg rule list --resource-group myRGNetwork --nsg-name myBackendNSG --output table

Next steps

In this tutorial, you created and secured Azure networks as related to virtual machines. You learned how to:

  • Create a virtual network and subnet
  • Create a public IP address
  • Create a front-end VM
  • Secure network traffic
  • Create a back-end VM

Advance to the next tutorial to learn about securing data on virtual machines using Azure Backup.