[AZURE.INCLUDE virtual-networks-create-nsg-selectors-arm-include]
[AZURE.INCLUDE virtual-networks-create-nsg-intro-include]
[AZURE.IMPORTANT] Before you work with Azure resources, it's important to understand that Azure currently has two deployment models: Resource Manager and classic. Make sure you understand the deployment models and tools before you work with any Azure resource. You can view the documentation for the different tools by clicking the tabs at the top of this article. This article covers the Resource Manager deployment model. You can also create NSGs in the classic deployment model.
[AZURE.INCLUDE virtual-networks-create-nsg-scenario-include]
The sample PowerShell commands below expect a simple environment that has already been created based on the scenario above. If you want to run the commands as they are shown in this document, first build the test environment by deploying this template: click "Deploy to Azure", replace the default parameter values if necessary, and follow the instructions in the portal.
To create an NSG named NSG-FrontEnd based on the scenario above, follow the steps below:
[AZURE.INCLUDE powershell-preview-include.md]
1. If you have never used Azure PowerShell, see How to Install and Configure Azure PowerShell and follow the instructions all the way to the end to sign in to Azure and select your subscription.

2. Create a security rule that allows access from the Internet to port 3389.

   ```powershell
   $rule1 = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
       -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
       -SourceAddressPrefix Internet -SourcePortRange * `
       -DestinationAddressPrefix * -DestinationPortRange 3389
   ```

3. Create a security rule that allows access from the Internet to port 80.

   ```powershell
   $rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule -Description "Allow HTTP" `
       -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
       -SourceAddressPrefix Internet -SourcePortRange * `
       -DestinationAddressPrefix * -DestinationPortRange 80
   ```

4. Add the rules created above to a new NSG named NSG-FrontEnd.

   ```powershell
   $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestRG -Location chinanorth `
       -Name "NSG-FrontEnd" -SecurityRules $rule1,$rule2
   ```

5. Check the rules created in the NSG.

   ```powershell
   $nsg
   ```

   Output showing only the security rules:

   ```
   SecurityRules : [
       {
           "Name": "rdp-rule",
           "Etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
           "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/rdp-rule",
           "Description": "Allow RDP",
           "Protocol": "Tcp",
           "SourcePortRange": "*",
           "DestinationPortRange": "3389",
           "SourceAddressPrefix": "Internet",
           "DestinationAddressPrefix": "*",
           "Access": "Allow",
           "Priority": 100,
           "Direction": "Inbound",
           "ProvisioningState": "Succeeded"
       },
       {
           "Name": "web-rule",
           "Etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
           "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd/securityRules/web-rule",
           "Description": "Allow HTTP",
           "Protocol": "Tcp",
           "SourcePortRange": "*",
           "DestinationPortRange": "80",
           "SourceAddressPrefix": "Internet",
           "DestinationAddressPrefix": "*",
           "Access": "Allow",
           "Priority": 101,
           "Direction": "Inbound",
           "ProvisioningState": "Succeeded"
       }
   ]
   ```

6. Associate the NSG created above with the FrontEnd subnet.

   ```powershell
   $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet
   Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd `
       -AddressPrefix 192.168.1.0/24 -NetworkSecurityGroup $nsg
   ```

   Output showing only the *FrontEnd* subnet settings; notice the value of the **NetworkSecurityGroup** property:

   ```
   Subnets : [
       {
           "Name": "FrontEnd",
           "Etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
           "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/FrontEnd",
           "AddressPrefix": "192.168.1.0/24",
           "IpConfigurations": [
               {
                   "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb2/ipConfigurations/ipconfig1"
               },
               {
                   "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkInterfaces/TestNICWeb1/ipConfigurations/ipconfig1"
               }
           ],
           "NetworkSecurityGroup": {
               "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
           },
           "RouteTable": null,
           "ProvisioningState": "Succeeded"
       }
   ]
   ```

   [AZURE.WARNING] The output of the command above shows the content of the virtual network configuration object, which exists only on the computer where you are running PowerShell. To save these settings to Azure, you need to run the `Set-AzureRmVirtualNetwork` cmdlet.

7. Save the new VNet settings to Azure.

   ```powershell
   Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
   ```

   Output showing only the NSG portion:

   ```
   "NetworkSecurityGroup": {
       "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-FrontEnd"
   }
   ```
To create an NSG named NSG-BackEnd based on the scenario above, follow the steps below:

1. Create a security rule that allows access from the front-end subnet to port 1433 (the default port used by SQL Server).

   ```powershell
   $rule1 = New-AzureRmNetworkSecurityRuleConfig -Name frontend-rule -Description "Allow FE subnet" `
       -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
       -SourceAddressPrefix 192.168.1.0/24 -SourcePortRange * `
       -DestinationAddressPrefix * -DestinationPortRange 1433
   ```

2. Create a security rule that blocks access to the Internet.

   ```powershell
   $rule2 = New-AzureRmNetworkSecurityRuleConfig -Name web-rule -Description "Block Internet" `
       -Access Deny -Protocol * -Direction Outbound -Priority 200 `
       -SourceAddressPrefix * -SourcePortRange * `
       -DestinationAddressPrefix Internet -DestinationPortRange *
   ```

3. Add the rules created above to a new NSG named NSG-BackEnd.

   ```powershell
   $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestRG -Location chinanorth `
       -Name "NSG-BackEnd" -SecurityRules $rule1,$rule2
   ```

4. Associate the NSG created above with the BackEnd subnet.

   ```powershell
   Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name BackEnd `
       -AddressPrefix 192.168.2.0/24 -NetworkSecurityGroup $nsg
   ```

   Output showing only the BackEnd subnet settings; notice the value of the NetworkSecurityGroup property:

   ```
   Subnets : [
       {
           "Name": "BackEnd",
           "Etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
           "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/virtualNetworks/TestVNet/subnets/BackEnd",
           "AddressPrefix": "192.168.2.0/24",
           "IpConfigurations": [...],
           "NetworkSecurityGroup": {
               "Id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/TestRG/providers/Microsoft.Network/networkSecurityGroups/NSG-BackEnd"
           },
           "RouteTable": null,
           "ProvisioningState": "Succeeded"
       }
   ]
   ```

5. Save the new VNet settings to Azure.

   ```powershell
   Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
   ```
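The two procedures above build the front-end and back-end NSGs one cmdlet at a time and rely on the operator to eyeball the output. The script below is an added example, not code from the original article or from Azure itself: it creates both NSGs with the same rules, binds them to the FrontEnd and BackEnd subnets, saves the VNet once, and then reads the VNet back from Azure to confirm that each subnet really is bound to the expected NSG, instead of trusting the local configuration object that the warning above describes. It assumes the names from the article (TestRG, TestVNet, chinanorth, the 192.168.1.0/24 and 192.168.2.0/24 prefixes) and assumes that `Get-AzureRmNetworkSecurityGroup -ErrorAction SilentlyContinue` returns nothing, rather than throwing, when the NSG does not yet exist, which is what makes the script safe to re-run.

```powershell
# Added example (not part of the original article): create NSG-FrontEnd and NSG-BackEnd,
# associate them with their subnets, save the VNet and verify the result from Azure.
# Assumed names: resource group TestRG, VNet TestVNet, location chinanorth.
param(
    [string]$ResourceGroup = "TestRG",
    [string]$Location      = "chinanorth",
    [string]$VNetName      = "TestVNet"
)

$ErrorActionPreference = "Stop"

# Front-end rule set, identical to the article: RDP and HTTP from the Internet tag.
$feRules = @(
    New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389
    New-AzureRmNetworkSecurityRuleConfig -Name web-rule -Description "Allow HTTP" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 101 `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 80
)

# Back-end rule set: SQL only from the front-end prefix, and no outbound Internet.
$beRules = @(
    New-AzureRmNetworkSecurityRuleConfig -Name frontend-rule -Description "Allow FE subnet" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix 192.168.1.0/24 -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 1433
    New-AzureRmNetworkSecurityRuleConfig -Name web-rule -Description "Block Internet" `
        -Access Deny -Protocol * -Direction Outbound -Priority 200 `
        -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix Internet -DestinationPortRange *
)

# Create the NSG, or reuse it if it already exists. Assumption: with
# -ErrorAction SilentlyContinue the Get cmdlet returns $null for a missing NSG.
function Get-OrCreateNsg {
    param([string]$Name, [object[]]$Rules)
    $existing = Get-AzureRmNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroup `
        -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Reusing existing NSG $Name"
        return $existing
    }
    return New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $Location `
        -Name $Name -SecurityRules $Rules
}

$nsgFe = Get-OrCreateNsg -Name "NSG-FrontEnd" -Rules $feRules
$nsgBe = Get-OrCreateNsg -Name "NSG-BackEnd"  -Rules $beRules

# Bind both NSGs on the local VNet object, then push the whole object to Azure once.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd `
    -AddressPrefix 192.168.1.0/24 -NetworkSecurityGroup $nsgFe | Out-Null
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name BackEnd `
    -AddressPrefix 192.168.2.0/24 -NetworkSecurityGroup $nsgBe | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Verification: re-read the VNet from Azure rather than trusting the local object.
$saved    = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$expected = @{ FrontEnd = $nsgFe.Id; BackEnd = $nsgBe.Id }
foreach ($subnetName in $expected.Keys) {
    $subnet  = $saved.Subnets | Where-Object { $_.Name -eq $subnetName }
    $boundId = $subnet.NetworkSecurityGroup.Id
    # Resource ids are compared case-insensitively, which is PowerShell's default for -ne.
    if ($boundId -ne $expected[$subnetName]) {
        throw "Subnet $subnetName is bound to '$boundId', expected '$($expected[$subnetName])'"
    }
    Write-Host "Subnet $subnetName -> $($boundId.Split('/')[-1])"
}
```

Run it from a session that is already signed in and scoped to the right subscription (step 1 of the first procedure). The read-back at the end is the part worth keeping in any automation: `Set-AzureRmVirtualNetworkSubnetConfig` only edits the in-memory object, so a script that stops before `Set-AzureRmVirtualNetwork` leaves the subnet with no NSG at all, and only a fresh `Get-AzureRmVirtualNetwork` proves that the association was actually saved.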
To delete an existing NSG (named NSG-FrontEnd in this example), follow the steps below:

Run `Remove-AzureRmNetworkSecurityGroup` as shown below, making sure to include the resource group that the NSG is in.

```powershell
Remove-AzureRmNetworkSecurityGroup -Name "NSG-FrontEnd" -ResourceGroupName "TestRG"
```
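Azure will not delete an NSG that is still associated with a subnet or a network interface, and the error it returns does not tell you which resource is holding the reference. The script below is an added example, not code from the original article or from Azure: before calling `Remove-AzureRmNetworkSecurityGroup`, it lists every subnet and NIC in the resource group whose `NetworkSecurityGroup.Id` points at the NSG, and refuses to delete while any remain. It assumes the names from the article (NSG-FrontEnd, TestRG) and, as a simplification, only looks in the NSG's own resource group, so an association from a VNet or NIC in another resource group of the same region would not be reported.

```powershell
# Added example (not part of the original article): report every subnet and NIC in the
# resource group that still references the NSG, and only remove the NSG when none do.
# Assumed names: NSG-FrontEnd in resource group TestRG. Scope is this resource group only.
param(
    [string]$NsgName       = "NSG-FrontEnd",
    [string]$ResourceGroup = "TestRG",
    [switch]$Force
)

$ErrorActionPreference = "Stop"

$nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# Subnets of every VNet in the resource group whose NetworkSecurityGroup.Id is this NSG.
$subnetRefs = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup |
    ForEach-Object {
        $vnetName = $_.Name
        $_.Subnets |
            Where-Object { $_.NetworkSecurityGroup -and $_.NetworkSecurityGroup.Id -eq $nsg.Id } |
            ForEach-Object { "subnet $vnetName/$($_.Name)" }
    }

# NICs in the resource group bound directly to this NSG (NIC-level association).
$nicRefs = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroup |
    Where-Object { $_.NetworkSecurityGroup -and $_.NetworkSecurityGroup.Id -eq $nsg.Id } |
    ForEach-Object { "NIC $($_.Name)" }

# @() wrapping keeps .Count correct when a pipeline yields zero or one item.
$refs = @($subnetRefs) + @($nicRefs)
if ($refs.Count -gt 0) {
    Write-Host "NSG $NsgName is still associated with the following resources; not deleting:"
    $refs | ForEach-Object { Write-Host "  $_" }
    Write-Host "Dissociate the NSG from these resources and save the change to Azure, then re-run."
    exit 1
}

Write-Host "No associations found in $ResourceGroup; removing NSG $NsgName"
Remove-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup -Force:$Force
```

Without `-Force` the cmdlet still prompts for confirmation, which is the right default for a deletion that removes every allow and deny rule at once; pass `-Force` only from automation that has already performed the check above.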