Is it possible to create different NSGs with a single template for 2 different Azure VMs using an ARM template

Posted: 2018-12-24 02:03:13

I want to create 2 Azure VMs with different NSGs using a single template JSON file.
vm-template.json
"resources": [
  {
    "name": "[parameters('vmName')]",
    "type": "Microsoft.Compute/virtualMachines",
    "apiVersion": "[variables('computeApiVersion')]",
    "location": "[variables('location')]",
    "tags": {
      "Created By": "PAMC"
    },
    "dependsOn": [
      "[concat('Microsoft.Network/networkInterfaces/', parameters('networkInterfaceName'))]"
    ],
    "properties": {
      "osProfile": {
        "computerName": "[parameters('vmName')]",
        "adminUsername": "[parameters('vmUsername')]",
        "adminPassword": "[parameters('vmPassword')]"
      },
      "hardwareProfile": {
        "vmSize": "[parameters('vmSize')]"
      },
      "storageProfile": {
        "imageReference": {
          "publisher": "[variables('imagePublisher')]",
          "offer": "[variables('imageOffer')]",
          "sku": "[variables('imageSku')]",
          "version": "latest"
        }
      },
      "networkProfile": {
        "networkInterfaces": [
          {
            "id": "[resourceId('Microsoft.Network/networkInterfaces', parameters('networkInterfaceName'))]"
          }
        ]
      }
    }
  },
  {
    "name": "[parameters('networkInterfaceName')]",
    "type": "Microsoft.Network/networkInterfaces",
    "apiVersion": "[variables('networkApiVersion')]",
    "location": "[variables('location')]",
    "dependsOn": [
      "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIPAddressName'))]",
      "[concat('Microsoft.Network/networkSecurityGroups/', parameters('networkSecurityGroupName'))]"
    ],
    "properties": {
      "ipConfigurations": [
        {
          "name": "ipconfig1",
          "properties": {
            "subnet": {
              "id": "[variables('subnetRef')]"
            },
            "privateIPAllocationMethod": "Dynamic",
            "publicIpAddress": {
              "id": "[resourceId(variables('resourceGroupName'),'Microsoft.Network/publicIpAddresses', parameters('publicIPAddressName'))]"
            }
          }
        }
      ],
      "networkSecurityGroup": {
        "id": "[resourceId(variables('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]"
      }
    }
  },
  {
    "name": "[parameters('publicIPAddressName')]",
    "type": "Microsoft.Network/publicIpAddresses",
    "apiVersion": "[variables('networkApiVersion')]",
    "location": "[variables('location')]",
    "properties": {
      "publicIpAllocationMethod": "[variables('publicIPAddressType')]"
    }
  },
  {
    "name": "nsg1",
    "type": "Microsoft.Network/networkSecurityGroups",
    "apiVersion": "[variables('networkApiVersion')]",
    "location": "[variables('location')]",
    "properties": {
      "securityRules": [
        {
          "name": "default-allow-ssh",
          "properties": {
            "priority": 1000,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "22",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
          }
        },
        {
          "name": "port1",
          "properties": {
            "priority": 1010,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "[parameters('port1')]",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
          }
        }
      ]
    }
  },
  {
    "name": "nsg2",
    "type": "Microsoft.Network/networkSecurityGroups",
    "apiVersion": "[variables('networkApiVersion')]",
    "location": "[variables('location')]",
    "properties": {
      "securityRules": [
        {
          "name": "default-allow-ssh",
          "properties": {
            "priority": 1000,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "22",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
          }
        },
        {
          "name": "port2",
          "properties": {
            "priority": 1010,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "[parameters('port2')]",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
          }
        },
        {
          "name": "port3",
          "properties": {
            "priority": 1020,
            "sourceAddressPrefix": "*",
            "protocol": "TCP",
            "destinationPortRange": "[parameters('port3')]",
            "access": "Allow",
            "direction": "Inbound",
            "sourcePortRange": "*",
            "destinationAddressPrefix": "*"
          }
        }
      ]
    }
  }
]
I will call the above vm-template.json twice from another template, with different parameters.
{
  "apiVersion": "[variables('resourceDeploymentApiVersion')]",
  "name": "template1",
  "type": "Microsoft.Resources/deployments",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('vmTemplateURL')]"
    },
    "parameters": {
      ....
    }
  }
},
{
  "apiVersion": "[variables('resourceDeploymentApiVersion')]",
  "name": "template2",
  "type": "Microsoft.Resources/deployments",
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[variables('vmTemplateURL')]"
    },
    "parameters": {
      ....
    }
  }
},
How can I make vm-template.json use nsg1 for template1 and nsg2 for template2?
Answer 1:

I don't see the problem; just create a new parameter for the NSG name and use it to create the NSG and link it to the VM. Also, it looks like you should use copy for this, which makes more sense (at least to me).

If they have different rules, you can use variables to create the appropriate rules:
"baseRule": [
  {
    "name": "default-allow-ssh",
    "properties": {
      "priority": 1000,
      "sourceAddressPrefix": "*",
      "protocol": "TCP",
      "destinationPortRange": "22",
      "access": "Allow",
      "direction": "Inbound",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "*"
    }
  },
  {
    "name": "port2",
    "properties": {
      "priority": 1010,
      "sourceAddressPrefix": "*",
      "protocol": "TCP",
      "destinationPortRange": "[parameters('port2')]",
      "access": "Allow",
      "direction": "Inbound",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "*"
    }
  }
],
"extendedRule": [
  {
    "name": "port3",
    "properties": {
      "priority": 1020,
      "sourceAddressPrefix": "*",
      "protocol": "TCP",
      "destinationPortRange": "[parameters('port3')]",
      "access": "Allow",
      "direction": "Inbound",
      "sourcePortRange": "*",
      "destinationAddressPrefix": "*"
    }
  }
]
and use them to build the appropriate rules (here the NSG-name parameter is compared against the first NSG's name; the rule list is then `baseRule` alone, or `baseRule` followed by `extendedRule`):

"securityRules": "[if(equals(parameters('networkSecurityGroupName'), 'nsg1'), variables('baseRule'), concat(variables('baseRule'), variables('extendedRule')))]"
Comments:

It will create 2 NSGs, one for the first VM and one for the second. How do I link a specific NSG to a specific VM?

Just like you would normally run the same template twice with different inputs to get 2 VMs, do the same here, only in your case with nested deployments. Like in this template: github.com/Azure/azure-quickstart-templates/blob/…

Each NSG has different security rules, so I don't know how to link it for each VM. If they had the same security rules, I could pass different NSG names for the 2 VMs and make it work.
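Worked example, added here as an illustration of the answer; it is not code from the question, the answer, or any Microsoft sample. It builds one NSG and one NIC per VM in a single template with a copy loop, and selects each NSG's rule set by copy index with the same `if()`/`concat()` shape the answer uses, so the first VM gets its own port rule and the second gets the two others. Everything named below is an assumption made for the example: the `vmNames`, `subnetId`, `adminSourceAddressPrefix` and `port1`..`port3` parameters, the `nsg-`/`nic-` name prefixes, the default port numbers and `apiVersion` 2020-11-01. One thing is changed on purpose: the original template's SSH rule has `sourceAddressPrefix: "*"`, which opens port 22 to the whole internet on both VMs, so the SSH rule here takes its source from a parameter that should be a bastion or VPN range.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmNames": {
      "type": "array",
      "defaultValue": [ "vm1", "vm2" ],
      "metadata": { "description": "Assumed names for the example. One NSG and one NIC per entry; index 0 gets vm1Rules, every other index gets vm2Rules." }
    },
    "subnetId": {
      "type": "string",
      "metadata": { "description": "Assumed to exist already: resource ID of the subnet the NICs join." }
    },
    "adminSourceAddressPrefix": {
      "type": "string",
      "metadata": { "description": "CIDR or single IP allowed to reach port 22 (bastion or VPN range). Do not pass '*'." }
    },
    "port1": { "type": "int", "defaultValue": 8080 },
    "port2": { "type": "int", "defaultValue": 8081 },
    "port3": { "type": "int", "defaultValue": 8082 }
  },
  "variables": {
    "location": "[resourceGroup().location]",
    "sshRule": [
      {
        "name": "allow-ssh-from-admin",
        "properties": {
          "priority": 1000, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "[parameters('adminSourceAddressPrefix')]", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "22"
        }
      }
    ],
    "vm1Rules": [
      {
        "name": "port1",
        "properties": {
          "priority": 1010, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "*", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "[string(parameters('port1'))]"
        }
      }
    ],
    "vm2Rules": [
      {
        "name": "port2",
        "properties": {
          "priority": 1010, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "*", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "[string(parameters('port2'))]"
        }
      },
      {
        "name": "port3",
        "properties": {
          "priority": 1020, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
          "sourceAddressPrefix": "*", "sourcePortRange": "*",
          "destinationAddressPrefix": "*", "destinationPortRange": "[string(parameters('port3'))]"
        }
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2020-11-01",
      "name": "[concat('nsg-', parameters('vmNames')[copyIndex()])]",
      "location": "[variables('location')]",
      "copy": { "name": "nsgCopy", "count": "[length(parameters('vmNames'))]" },
      "properties": {
        "securityRules": "[concat(variables('sshRule'), if(equals(copyIndex(), 0), variables('vm1Rules'), variables('vm2Rules')))]"
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2020-11-01",
      "name": "[concat('nic-', parameters('vmNames')[copyIndex()])]",
      "location": "[variables('location')]",
      "copy": { "name": "nicCopy", "count": "[length(parameters('vmNames'))]" },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', concat('nsg-', parameters('vmNames')[copyIndex()]))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": { "subnet": { "id": "[parameters('subnetId')]" }, "privateIPAllocationMethod": "Dynamic" }
          }
        ],
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat('nsg-', parameters('vmNames')[copyIndex()]))]"
        }
      }
    }
  ]
}
```

Deploy it once, e.g. `az deployment group create --resource-group <rg> --template-file nsg-per-vm.json --parameters subnetId=<subnet resource id> adminSourceAddressPrefix=203.0.113.0/24`; the VM resources would reference `nic-vm1` and `nic-vm2` in their `networkProfile` the same way the question's template references its NIC. Each copy iteration evaluates `copyIndex()` independently, so `nsg-vm1` ends up with the SSH rule plus `port1` and `nsg-vm2` with the SSH rule plus `port2` and `port3`; with more than two entries in `vmNames`, every VM after the first would get `vm2Rules`, so a per-VM lookup would be needed instead of the two-way `if()`. Nothing else needs to be denied explicitly: an NSG's built-in `DenyAllInbound` rule at priority 65500 blocks whatever the explicit `Allow` rules above it do not open.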