Create a network for multi-tier applications script sample

This script sample creates a virtual network with front-end and back-end subnets. Traffic to the front-end subnet is limited to HTTP and SSH, while traffic to the back-end subnet is limited to MySQL, port 3306. After running the script, you will have two virtual machines, one in each subnet, that you can deploy web server and MySQL software to.

You can execute the script from the Azure Cloud Shell, or from a local PowerShell installation. If you use PowerShell locally, this script requires the Azure PowerShell module version 1.0.0 or later. To find the installed version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.

If you don't have an Azure subscription, create a free account before you begin.

Sample script

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

A subnet ID is assigned after you have created a virtual network; specifically, when you call the New-AzVirtualNetwork cmdlet with the -Subnet option. If you configure the subnet with the New-AzVirtualNetworkSubnetConfig cmdlet before calling New-AzVirtualNetwork, the subnet object has no ID until New-AzVirtualNetwork has returned; read it from the returned virtual network object (for example $vnet.Subnets[0].Id) rather than from the subnet configuration object.

```powershell
# Variables for common values
$rgName = 'MyResourceGroup'
$location = 'eastus'

# Create user object (local administrator credentials used for both VMs)
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Create a resource group.
New-AzResourceGroup -Name $rgName -Location $location

# Create a virtual network with a front-end subnet and back-end subnet.
$fesubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-FrontEnd' -AddressPrefix '10.0.1.0/24'
$besubnet = New-AzVirtualNetworkSubnetConfig -Name 'MySubnet-BackEnd' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name 'MyVnet' -AddressPrefix '10.0.0.0/16' `
  -Location $location -Subnet $fesubnet, $besubnet

# Create an NSG rule to allow HTTP traffic in from the Internet to the front-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTP-All' -Description 'Allow HTTP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 80

# Create an NSG rule to allow RDP traffic from the Internet to the front-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description 'Allow RDP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for the front-end subnet.
$nsgfe = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
  -Name 'MyNsg-FrontEnd' -SecurityRules $rule1, $rule2

# Associate the front-end NSG to the front-end subnet. Set-AzVirtualNetworkSubnetConfig only
# updates the in-memory $vnet object; piping it to Set-AzVirtualNetwork writes the change to Azure.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-FrontEnd' `
  -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsgfe | Set-AzVirtualNetwork

# Create an NSG rule to allow SQL traffic from the front-end subnet to the back-end subnet.
$rule1 = New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-FrontEnd' -Description 'Allow SQL' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
  -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 1433

# Create an NSG rule to allow RDP traffic from the Internet to the back-end subnet.
$rule2 = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description 'Allow RDP' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix Internet -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389

# Create a network security group for the back-end subnet.
$nsgbe = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
  -Name 'MyNsg-BackEnd' -SecurityRules $rule1, $rule2

# Associate the back-end NSG to the back-end subnet and persist it, as above.
$vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'MySubnet-BackEnd' `
  -AddressPrefix '10.0.2.0/24' -NetworkSecurityGroup $nsgbe | Set-AzVirtualNetwork

# Create a public IP address for the web server VM.
$publicipvm1 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-Web' `
  -Location $location -AllocationMethod Dynamic

# Create a NIC for the web server VM (subnet 0 is the front-end subnet; its ID now exists).
$nicVMweb = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name 'MyNic-Web' -PublicIpAddress $publicipvm1 -NetworkSecurityGroup $nsgfe -Subnet $vnet.Subnets[0]

# Create a Web Server VM in the front-end subnet.
$vmConfig = New-AzVMConfig -VMName 'MyVm-Web' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Web' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
  -Skus '2016-Datacenter' -Version latest | Add-AzVMNetworkInterface -Id $nicVMweb.Id

$vmweb = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create a public IP address for the SQL VM.
$publicipvm2 = New-AzPublicIpAddress -ResourceGroupName $rgName -Name 'MyPublicIp-Sql' `
  -Location $location -AllocationMethod Dynamic

# Create a NIC for the SQL VM (subnet 1 is the back-end subnet).
$nicVMsql = New-AzNetworkInterface -ResourceGroupName $rgName -Location $location `
  -Name 'MyNic-Sql' -PublicIpAddress $publicipvm2 -NetworkSecurityGroup $nsgbe -Subnet $vnet.Subnets[1]

# Create a SQL VM in the back-end subnet.
$vmConfig = New-AzVMConfig -VMName 'MyVm-Sql' -VMSize 'Standard_DS2' | `
  Set-AzVMOperatingSystem -Windows -ComputerName 'MyVm-Sql' -Credential $cred | `
  Set-AzVMSourceImage -PublisherName 'MicrosoftSQLServer' -Offer 'SQL2016-WS2016' `
  -Skus 'Web' -Version latest | Add-AzVMNetworkInterface -Id $nicVMsql.Id

$vmsql = New-AzVM -ResourceGroupName $rgName -Location $location -VM $vmConfig

# Create an NSG rule to block all outbound traffic from the back-end subnet to the Internet
# (must be done after VM creation). Protocol * covers both TCP and UDP; Tcp alone would not block all traffic.
$rule3 = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-All' -Description 'Deny Internet All' `
  -Access Deny -Protocol * -Direction Outbound -Priority 300 `
  -SourceAddressPrefix * -SourcePortRange * `
  -DestinationAddressPrefix Internet -DestinationPortRange *

# Add the rule to the back-end NSG and write the updated NSG to Azure.
$nsgbe.SecurityRules.Add($rule3)
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsgbe
```
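The script as printed deploys Windows Server and SQL Server images and opens TCP 80 and 3389 on the front end and TCP 1433 (from the front-end subnet) and 3389 on the back end; both 'Allow-RDP-All' rules accept RDP from the whole Internet. The following is an added hardening step, not part of the original sample, that narrows those two rules after the script has run. It assumes the variables from the script are still in the session and that $adminCidr is a placeholder for your own administrative address range (203.0.113.0/24 is documentation address space, not a real range):

```powershell
# Added example (not from the original sample): restrict the RDP rules created by the script.
# Assumption: $rgName is set as in the script; $adminCidr is a placeholder for your admin range.
$rgName = 'MyResourceGroup'
$adminCidr = '203.0.113.0/24'   # placeholder, documentation address space

# Front-end NSG: keep RDP, but only from the administrative range instead of the Internet tag.
$nsgfe = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'MyNsg-FrontEnd'
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgfe -Name 'Allow-RDP-All' `
  -Description 'Allow RDP from admin range' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix $adminCidr -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389 | Set-AzNetworkSecurityGroup | Out-Null

# Back-end NSG: the SQL tier needs no RDP from the Internet at all. Accept it only from the
# front-end subnet, so an administrator reaches the SQL VM through a front-end host.
$nsgbe = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'MyNsg-BackEnd'
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsgbe -Name 'Allow-RDP-All' `
  -Description 'Allow RDP from front-end subnet' `
  -Access Allow -Protocol Tcp -Direction Inbound -Priority 200 `
  -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * `
  -DestinationAddressPrefix * -DestinationPortRange 3389 | Set-AzNetworkSecurityGroup | Out-Null

# Show the resulting inbound rules of both NSGs for review.
foreach ($nsg in @($nsgfe, $nsgbe)) {
    Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsg.Name |
        Select-Object -ExpandProperty SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Select-Object @{n='Nsg';e={$nsg.Name}}, Name, Priority, Access, `
            @{n='Source';e={$_.SourceAddressPrefix -join ','}}, `
            @{n='Ports';e={$_.DestinationPortRange -join ','}} |
        Format-Table -AutoSize
}
```

Once the back-end rule only admits RDP from the front-end subnet, the public IP attached to MyNic-Sql serves no inbound purpose and can be left off the SQL VM. Note that the sample relies on the default NSG rules (priorities 65000 and above) to deny whatever the explicit rules do not allow; if you add your own catch-all inbound deny, place it below the AllowVnetInBound and AllowAzureLoadBalancerInBound defaults only after confirming you do not depend on them.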

Clean up deployment

Run the following command to remove the resource group, VM, and all related resources:

```powershell
Remove-AzResourceGroup -Name myResourceGroup -Force
```

Script explanation

This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the following table links to command-specific documentation:

| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzVirtualNetwork | Creates an Azure virtual network and front-end subnet. |
| New-AzVirtualNetworkSubnetConfig | Creates a back-end subnet. |
| New-AzPublicIpAddress | Creates a public IP address to access the VM from the internet. |
| New-AzNetworkInterface | Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets. |
| New-AzNetworkSecurityGroup | Creates network security groups (NSG) that are associated to the front-end and back-end subnets. |
| New-AzNetworkSecurityRuleConfig | Creates NSG rules that allow or block specific ports to specific subnets. |
| New-AzVM | Creates virtual machines and attaches a NIC to each VM. This command also specifies the virtual machine image to use and administrative credentials. |
| Remove-AzResourceGroup | Deletes a resource group and all resources it contains. |
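NSG rules decide what the Internet can reach, so after running a script like this one it is worth enumerating which inbound allow rules use the Internet (or any-source) prefix and whether they cover management or database ports. The following audit function is an added example, not code from the original sample; it assumes an authenticated Az session (Connect-AzAccount) with the Az.Network module, and the port list and the 'MyResourceGroup' default are assumptions you can change:

```powershell
# Added example (not from the original sample): find NSG rules in a resource group that allow
# inbound traffic from the Internet and flag sensitive destination ports.
function Test-PortInRange {
    # Returns $true when $Port falls inside one NSG port entry ('*', '80' or '1000-2000').
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Get-InternetExposedRule {
    param(
        [string]$ResourceGroupName = 'MyResourceGroup',
        # Ports that should rarely be reachable from the Internet: SSH, RDP, SQL Server, MySQL, WinRM.
        [int[]]$SensitivePorts = @(22, 3389, 1433, 3306, 5985, 5986)
    )
    # Source prefixes that mean "anyone"; the 'Internet' service tag is what the sample script uses.
    $anySource = @('Internet', '*', '0.0.0.0/0', 'Any')

    foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        # Where the NSG is attached: subnet-level and NIC-level associations both count.
        $attachedTo = @($nsg.Subnets.Id) + @($nsg.NetworkInterfaces.Id) |
            Where-Object { $_ } | ForEach-Object { $_.Split('/')[-1] }

        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            # In Az.Network the prefix and port properties are lists, so check every entry.
            $openToAll = @($rule.SourceAddressPrefix | Where-Object { $anySource -contains $_ }).Count -gt 0
            if (-not $openToAll) { continue }

            $hits = @($SensitivePorts | Where-Object {
                $p = $_
                @($rule.DestinationPortRange | Where-Object { Test-PortInRange -Range $_ -Port $p }).Count -gt 0
            })

            [pscustomobject]@{
                Nsg            = $nsg.Name
                Rule           = $rule.Name
                Priority       = $rule.Priority
                Protocol       = $rule.Protocol
                Ports          = ($rule.DestinationPortRange -join ',')
                SensitivePorts = ($hits -join ',')
                AttachedTo     = ($attachedTo -join ',')
            }
        }
    }
}

# Usage: rows with a non-empty SensitivePorts column are the rules to restrict first.
Get-InternetExposedRule -ResourceGroupName 'MyResourceGroup' | Format-Table -AutoSize
```

Run against the unmodified sample this reports the two 'Allow-RDP-All' rules (port 3389 from Internet) on both NSGs and the 'Allow-HTTP-All' rule on the front end; 'Allow-SQL-FrontEnd' is not listed because its source is the front-end subnet prefix. Because the sample attaches each NSG both to a subnet and to a NIC, the combined effect on a running VM can be confirmed with Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'MyNic-Sql' -ResourceGroupName 'MyResourceGroup'.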

Next steps

For more information on Azure PowerShell, see the Azure PowerShell documentation.

Additional virtual network PowerShell script samples can be found in Virtual network PowerShell samples.