Is it possible to create different NSGs with a single template for 2 different Azure VMs using an ARM template

Posted: 2018-12-24 02:03:13

Question:

I want to create 2 Azure VMs with different NSGs using a single template JSON file.

vm-template.json

  "resources": [
    {
        "name": "[parameters('vmName')]",
        "type": "Microsoft.Compute/virtualMachines",
        "apiVersion": "[variables('computeApiVersion')]",
        "location": "[variables('location')]",
        "tags": {
            "Created By": "PAMC"
        },
        "dependsOn": [
            "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
        ],
        "properties": {
            "osProfile": {
                "computerName": "[parameters('vmName')]",
                "adminUsername": "[parameters('vmUsername')]",
                "adminPassword": "[parameters('vmPassword')]"
            },
            "hardwareProfile": {
                "vmSize": "[parameters('vmSize')]"
            },
            "storageProfile": {
                "imageReference": {
                    "publisher": "[variables('imagePublisher')]",
                    "offer": "[variables('imageOffer')]",
                    "sku": "[variables('imageSku')]",
                    "version": "latest"
                }
            },
            "networkProfile": {
                "networkInterfaces": [
                    {
                        "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
                    }
                ]
            }
        }
    },
    {
        "name": "[parameters('networkInterfaceName')]",
        "type": "Microsoft.Network/networkInterfaces",
        "apiVersion": "[variables('networkApiVersion')]",
        "location": "[variables('location')]",
        "dependsOn": [
            "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIPAddressName'))]",
            "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]"
        ],
        "properties": {
            "ipConfigurations": [
                {
                    "name": "ipconfig1",
                    "properties": {
                        "subnet": {
                            "id": "[variables('subnetRef')]"
                        },
                        "privateIPAllocationMethod": "Dynamic",
                        "publicIpAddress": {
                            "id": "[resourceId(variables('resourceGroupName'),'Microsoft.Network/publicIpAddresses', parameters('publicIPAddressName'))]"
                        }
                    }
                }
            ],
            "networkSecurityGroup": {
                "id": "[resourceId(variables('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]"
            }
        }
    },
    {
        "name": "[parameters('publicIPAddressName')]",
        "type": "Microsoft.Network/publicIpAddresses",
        "apiVersion": "[variables('networkApiVersion')]",
        "location": "[variables('location')]",
        "properties": {
            "publicIpAllocationMethod": "[variables('publicIPAddressType')]"
        }
    },
    {
        "name": "nsg1",
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "[variables('networkApiVersion')]",
        "location": "[variables('location')]",
        "properties": {
            "securityRules": [
                {
                    "name": "default-allow-ssh",
                    "properties": {
                        "priority": 1000,
                        "sourceAddressPrefix": "*",
                        "protocol": "TCP",
                        "destinationPortRange": "22",
                        "access": "Allow",
                        "direction": "Inbound",
                        "sourcePortRange": "*",
                        "destinationAddressPrefix": "*"
                    }
                },
                {
                    "name": "port1",
                    "properties": {
                        "priority": 1010,
                        "sourceAddressPrefix": "*",
                        "protocol": "TCP",
                        "destinationPortRange": "[parameters('port1')]",
                        "access": "Allow",
                        "direction": "Inbound",
                        "sourcePortRange": "*",
                        "destinationAddressPrefix": "*"
                    }
                }
            ]
        }
    },
    {
        "name": "nsg2",
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": "[variables('networkApiVersion')]",
        "location": "[variables('location')]",
        "properties": {
            "securityRules": [
                {
                    "name": "default-allow-ssh",
                    "properties": {
                        "priority": 1000,
                        "sourceAddressPrefix": "*",
                        "protocol": "TCP",
                        "destinationPortRange": "22",
                        "access": "Allow",
                        "direction": "Inbound",
                        "sourcePortRange": "*",
                        "destinationAddressPrefix": "*"
                    }
                },
                {
                    "name": "port2",
                    "properties": {
                        "priority": 1010,
                        "sourceAddressPrefix": "*",
                        "protocol": "TCP",
                        "destinationPortRange": "[parameters('port2')]",
                        "access": "Allow",
                        "direction": "Inbound",
                        "sourcePortRange": "*",
                        "destinationAddressPrefix": "*"
                    }
                },
                {
                    "name": "port3",
                    "properties": {
                        "priority": 1020,
                        "sourceAddressPrefix": "*",
                        "protocol": "TCP",
                        "destinationPortRange": "[parameters('port3')]",
                        "access": "Allow",
                        "direction": "Inbound",
                        "sourcePortRange": "*",
                        "destinationAddressPrefix": "*"
                    }
                }
            ]
        }
    }
  ]

I will call the above vm-template.json twice from another template with different parameters.

    {
        "apiVersion": "[variables('resourceDeploymentApiVersion')]",
        "name": "template1",
        "type": "Microsoft.Resources/deployments",
        "properties": {
            "mode": "Incremental",
            "templateLink": {
                "uri": "[variables('vmTemplateURL')]"
            },
            "parameters": {
                ....
            }
        }
    },
    {
        "apiVersion": "[variables('resourceDeploymentApiVersion')]",
        "name": "template2",
        "type": "Microsoft.Resources/deployments",
        "properties": {
            "mode": "Incremental",
            "templateLink": {
                "uri": "[variables('vmTemplateURL')]"
            },
            "parameters": {
                ....
            }
        }
    },

How can I use nsg1 for template1 and nsg2 for template2 in vm-template.json?

Answer 1:

I don't see a problem; just create a new parameter for the NSG name and use it to create the NSG and link it to the VM. Also, it looks like you should use copy for this, which makes more sense (at least to me).

If they have different rules, you can use variables to create the appropriate rules:

"baseRule": [
    {
        "name": "default-allow-ssh",
        "properties": {
            "priority": 1000,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "22",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
        }
    },
    {
        "name": "port2",
        "properties": {
            "priority": 1010,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "[parameters('port2')]",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
        }
    }
],
"extendedRule": [
    {
        "name": "port3",
        "properties": {
            "priority": 1020,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "[parameters('port3')]",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
        }
    }
]

and use that to build the appropriate rules:

"securityRules": "[if(equals(nsgname, firstnsg), variables('baseRule'), concat(variables('baseRule'), variables('extendedRule')))]"

Discussion:

It will create 2 NSGs for the first and second VM. How do I link a specific NSG to a specific VM?

Just like you would normally run the same template twice with different inputs to get 2 VMs, just do the same thing here, only in your case with nested deployments. Like in this template: github.com/Azure/azure-quickstart-templates/blob/…

Each NSG has different security rules, so I don't know how to link it for each VM. If they had the same security rules, I could pass different NSG names for the 2 VMs and make it work.
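A complete inner template that puts the answer's approach together, added here as an example; it is not the asker's vm-template.json and not the answerer's code. It assumes a parameter named nsgName (the "new parameter for the NSG name" from the answer) limited to the values nsg1 and nsg2, an adminSourcePrefix parameter for the SSH rule, a Microsoft.Network API version of 2018-08-01, and constructed default port values; none of these come from the question. The outer template passes "nsgName": { "value": "nsg1" } in template1 and "nsg2" in template2, and the NIC in the same inner template references the NSG with resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName')) plus a matching dependsOn, exactly as the question's NIC already does with networkSecurityGroupName.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "nsgName": {
      "type": "string",
      "allowedValues": [ "nsg1", "nsg2" ],
      "metadata": { "description": "Assumed parameter: selects which rule set this nested deployment gets." }
    },
    "adminSourcePrefix": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: CIDR allowed to reach port 22, e.g. 203.0.113.0/24 (constructed example range)." }
    },
    "port1": { "type": "string", "defaultValue": "8080" },
    "port2": { "type": "string", "defaultValue": "8443" },
    "port3": { "type": "string", "defaultValue": "9000" }
  },
  "variables": {
    "networkApiVersion": "2018-08-01",
    "location": "[resourceGroup().location]",
    "sshRule": [
      {
        "name": "default-allow-ssh",
        "properties": {
          "priority": 1000,
          "direction": "Inbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "[parameters('adminSourcePrefix')]",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "*",
          "destinationPortRange": "22"
        }
      }
    ],
    "nsg1Rules": [
      {
        "name": "port1",
        "properties": { "priority": 1010, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "[parameters('port1')]" }
      }
    ],
    "nsg2Rules": [
      {
        "name": "port2",
        "properties": { "priority": 1010, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "[parameters('port2')]" }
      },
      {
        "name": "port3",
        "properties": { "priority": 1020, "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*", "destinationPortRange": "[parameters('port3')]" }
      }
    ],
    "securityRules": "[concat(variables('sshRule'), if(equals(parameters('nsgName'), 'nsg1'), variables('nsg1Rules'), variables('nsg2Rules')))]"
  },
  "resources": [
    {
      "name": "[parameters('nsgName')]",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "[variables('networkApiVersion')]",
      "location": "[variables('location')]",
      "properties": {
        "securityRules": "[variables('securityRules')]"
      }
    }
  ],
  "outputs": {
    "nsgId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
    }
  }
}
```

Two details are worth keeping when adapting this. The allowedValues list on nsgName makes a misspelled name fail at template validation instead of silently falling into the else branch of if() and giving a VM the wrong rule set. The shared SSH rule takes its sourceAddressPrefix from adminSourcePrefix rather than "*", so both NSGs expose port 22 only to the management range you pass in; the application ports keep the "*" prefix the question used.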
