Standard disclaimer: I am very new to PowerShell and to Azure remote machines. This is my PowerShell script. It fails when it executes this command:
$setupSession = New-PSSession -ComputerName $pip -Port 5986 -Credential $serviceCreds -UseSSL
Here is my script.
# Variables for common values
$resourceGroup = "rgTest"
$location = "East US"
$vmName = "vmTest"
$SubscriptionName = "subscription test"
$StorageAccountName = "sanTest"
$NetworkSecurityGroupName = "nsgTest"
$myNic = 'nicTest'
$MYvNET = 'vnetTest'
$myNetworkSecurityGroupRuleHTTP = 'nsgruleHTTPTest'
$myNetworkSecurityGroupRuleRDP = 'nsgruleRDPTest'
$myNetworkSecurityGroupRuleWWW = 'nsgruleWWWTest'
$myNetworkSecurityGroupRulePS = 'nsgrulePSTest'
$myNetworkSecurityGroup = 'nsgTest'
$rcgTest = 'rcgTest'
$secpasswd = ConvertTo-SecureString "password1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("[email protected]", $secpasswd)
Add-AzureRmAccount -Credential $cred
Login-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
Get-AzureRmResourceGroup -Name $resourceGroup -ev notPresent -ea 0
if ($notPresent)
{
New-AzureRmResourceGroup -Name $resourceGroup -Location $location
}
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name mySubnet `
-AddressPrefix 192.168.1.0/24
New-AzureRmStorageAccount `
-Location $Location `
-ResourceGroupName $ResourceGroup `
-StorageAccountName $StorageAccountName `
-SkuName Standard_GRS `
-SubscriptionName $SubscriptionName
$vnet = New-AzureRmVirtualNetwork `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name $MYvNET `
-AddressPrefix 192.168.0.0/16 `
-Subnet $subnetConfig
$pip = New-AzureRmPublicIpAddress `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name "mypublicdns$(Get-Random)" `
-AllocationMethod Static `
-IdleTimeoutInMinutes 4
$nsgRuleHTTP = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRuleHTTP `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80 `
-Access Allow
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRuleRDP `
-Protocol Tcp `
-Direction Inbound `
-Priority 1100 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389 `
-Access Allow
$nsgRulePS = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRulePS `
-Protocol Tcp `
-Direction Inbound `
-Priority 1200 -SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 5986 `
-Access Allow
$nsg = New-AzureRmNetworkSecurityGroup `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name $myNetworkSecurityGroup `
-SecurityRules $nsgRuleHTTP,$nsgRuleRDP
$nic = New-AzureRmNetworkInterface `
-Name $myNic `
-ResourceGroupName $resourceGroup `
-Location $location `
-SubnetId $vnet.Subnets[0].Id `
-PublicIpAddressId $pip.Id `
-NetworkSecurityGroupId $nsg.Id
$VMLocalAdminUser = "LocalAdminUser"
$VMLocalAdminSecurePassword = ConvertTo-SecureString "password1!" `
-AsPlainText `
-Force
$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize Standard_DS1_v2 | `
Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $Credential | `
Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version latest | `
Add-AzureRmVMNetworkInterface -Id $nic.Id
New-AzureRmVM `
-ResourceGroupName $resourceGroup `
-Location $location `
-VM $vmConfig
Get-AzureRmPublicIpAddress `
-ResourceGroupName $resourceGroup | Select IpAddress
$PublicSettings = '{"commandToExecute":"powershell Add-WindowsFeature Web-Server"}'
Set-Item WSMan:\localhost\Client\TrustedHosts `
-Value * #$pip.ToString()
Enable-PSRemoting -Force
$serviceCreds = New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $VMLocalAdminUser, $VMLocalAdminSecurePassword
$setupSession = New-PSSession `
-ComputerName $pip `
-Port 5986 `
-Credential $serviceCreds `
-UseSSL
Remove-PSSession $setupSession
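As an added example (not part of the original question), here is the client-side connection step rewritten the way I would run it against the VM the script above creates. It assumes the script's own variables ($pip, $vmName, $VMLocalAdminUser, $VMLocalAdminSecurePassword) are still in scope, and that TCP/5986 is allowed by the NSG and by the VM's firewall with a WinRM HTTPS listener behind it. Two details matter: $pip is the object returned by New-AzureRmPublicIpAddress, so the address has to be read from its IpAddress property, and TrustedHosts should name that one address rather than '*'.

```powershell
# Added example, not from the original post. Assumes $pip, $vmName,
# $VMLocalAdminUser and $VMLocalAdminSecurePassword from the question script.

# New-AzureRmPublicIpAddress returns a PSPublicIpAddress object, not a string;
# the dotted-quad address is in its IpAddress property.
$vmAddress = $pip.IpAddress

# Check that TCP/5986 is reachable before trying WinRM. A failure here means the
# NSG has no rule for the port, the Windows firewall on the VM blocks it, or no
# HTTPS listener exists on the VM yet.
$probe = Test-NetConnection -ComputerName $vmAddress -Port 5986
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 5986 to $vmAddress is closed: check the NSG rule, the VM firewall and the WinRM HTTPS listener"
}

# Trust only this host, not '*'. TrustedHosts governs non-Kerberos (local account)
# authentication; a wildcard lets the client hand credentials to any host that answers.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $vmAddress -Concatenate -Force

# A self-signed certificate on the VM will neither chain to a CA this client trusts
# nor carry the public IP as a subject name. Skipping both checks keeps the channel
# encrypted but drops server authentication, so this is acceptable only for a
# throwaway lab VM; with a CA-issued certificate and a DNS name, remove these.
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck

# Local account on a workgroup machine: prefix with the computer name so the
# client does not try to resolve a domain.
$serviceCreds = New-Object System.Management.Automation.PSCredential(
    "$vmName\$VMLocalAdminUser", $VMLocalAdminSecurePassword)

$setupSession = New-PSSession -ComputerName $vmAddress -Port 5986 `
    -Credential $serviceCreds -UseSSL -SessionOption $sessionOption

# Prove the session works before doing real work in it.
Invoke-Command -Session $setupSession -ScriptBlock {
    hostname
    Get-Service WinRM | Select-Object Status
}
Remove-PSSession $setupSession
```

If Test-NetConnection fails, nothing further will help: the question's NSG is created with only the HTTP and RDP rules, and a fresh Windows Server 2016 image has no WinRM HTTPS listener and no firewall opening for 5986, so both sides have to be fixed before New-PSSession -UseSSL can succeed.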
Answer 1
As far as I can tell, you never associated the NSG with the subnet. You need to run something like the following
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName TestRG -Name TestVNet
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name FrontEnd `
-AddressPrefix 192.168.1.0/24 -NetworkSecurityGroup $nsg
Also, if you want to take a look at ARM templates, they make all of this much simpler.
Answer 2
I tested this in my lab, and there are a few errors in your script. You did not add the $nsgRulePS
rule to your NSG. You need to modify your script as follows:
$nsg = New-AzureRmNetworkSecurityGroup `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name $myNetworkSecurityGroup `
-SecurityRules $nsgRuleHTTP,$nsgRuleRDP,$nsgRulePS
I modified your script as follows, and it works for me.
# Variables for common values
$resourceGroup = "rgTest"
$location = "East US"
$vmName = "vmTest"
$SubscriptionName = "subscription test"
##storage account name is wrong New-AzureRmStorageAccount : sanTest is not a valid storage account name. Storage account name must be between 3 and 24 characters in length and use numbers and lower-case letters only.
#$StorageAccountName = "sanTest"
$StorageAccountName = "shuitest12"
$NetworkSecurityGroupName = "nsgTest"
$myNic = 'nicTest'
$MYvNET = 'vnetTest'
$myNetworkSecurityGroupRuleHTTP = 'nsgruleHTTPTest'
$myNetworkSecurityGroupRuleRDP = 'nsgruleRDPTest'
$myNetworkSecurityGroupRuleWWW = 'nsgruleWWWTest'
$myNetworkSecurityGroupRulePS = 'nsgrulePSTest'
$myNetworkSecurityGroup = 'nsgTest'
$rcgTest = 'rcgTest'
$secpasswd = ConvertTo-SecureString "password1" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("[email protected]", $secpasswd)
Add-AzureRmAccount -Credential $cred
Login-AzureRmAccount -Credential $cred
Select-AzureRmSubscription -SubscriptionName $SubscriptionName
Get-AzureRmResourceGroup -Name $resourceGroup -ev notPresent -ea 0
if ($notPresent)
{
New-AzureRmResourceGroup -Name $resourceGroup -Location $location
}
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig `
-Name mySubnet `
-AddressPrefix 192.168.1.0/24
New-AzureRmStorageAccount `
-Location $Location `
-ResourceGroupName $ResourceGroup `
-StorageAccountName $StorageAccountName `
-SkuName Standard_GRS
$vnet = New-AzureRmVirtualNetwork `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name $MYvNET `
-AddressPrefix 192.168.0.0/16 `
-Subnet $subnetConfig
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $resourceGroup `
-Location $location `
-Name "mypublicdns$(Get-Random)" `
-AllocationMethod Static `
-IdleTimeoutInMinutes 4
$nsgRuleHTTP = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRuleHTTP `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 80 `
-Access Allow
$nsgRuleRDP = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRuleRDP `
-Protocol Tcp `
-Direction Inbound `
-Priority 1100 `
-SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389 `
-Access Allow
$nsgRulePS = New-AzureRmNetworkSecurityRuleConfig `
-Name $myNetworkSecurityGroupRulePS `
-Protocol Tcp `
-Direction Inbound `
-Priority 1200 -SourceAddressPrefix * `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 5986 `
-Access Allow
$nsg = New-AzureRmNetworkSecurityGroup `
-ResourceGroupName $resourceGroup `
-Location $location `
-Name $myNetworkSecurityGroup `
-SecurityRules $nsgRuleHTTP,$nsgRuleRDP,$nsgRulePS
$nic = New-AzureRmNetworkInterface `
-Name $myNic `
-ResourceGroupName $resourceGroup `
-Location $location `
-SubnetId $vnet.Subnets[0].Id `
-PublicIpAddressId $pip.Id `
-NetworkSecurityGroupId $nsg.Id
## the user name cannot be 'admin' (Azure rejects reserved admin user names)
$VMLocalAdminUser = "<your user name>"
$VMLocalAdminSecurePassword = ConvertTo-SecureString "<your password>" `
-AsPlainText `
-Force
$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword);
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize Standard_DS1_v2 | `
Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $Credential | `
Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version latest | `
Add-AzureRmVMNetworkInterface -Id $nic.Id
New-AzureRmVM `
-ResourceGroupName $resourceGroup `
-Location $location `
-VM $vmConfig
Get-AzureRmPublicIpAddress `
-ResourceGroupName $resourceGroup | Select IpAddress
But after the VM has been created successfully, you still cannot connect to the server
with WinRM directly; you need to do the following:
1. Open port 5986 on the Windows VM. You need to RDP to the VM and set this up; Azure PowerShell cannot do it.
2. Configure WinRM to listen on 5986; by default it listens on 5985. You also need to add a certificate on the VM. Please refer to this link.
Update:
If you want to use WinRM over HTTP instead of HTTPS, you do not need to configure a certificate on the VM; you only need to open port 5985 in the Windows firewall.
Note: you should open port 5985 on the Azure NSG.
You can do this with the Custom Script Extension, which runs when the VM is created. Just provide your script as a .ps1 file.
New-NetFirewallRule -DisplayName "WinRM-HTTP- Allow Port 5985" -Direction Inbound -LocalPort 5985 -Protocol TCP -Action Allow
You can upload the script to an Azure storage account or to GitHub.
For more information about it, see this link.
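As an added example (not from the answer above or from Microsoft), this is a script that performs the two VM-side steps the answer lists for HTTPS, written to be pushed with the Custom Script Extension (for example Set-AzureRmVMCustomScriptExtension -ResourceGroupName $resourceGroup -VMName $vmName -Location $location -FileUri <blob or raw GitHub URL> -Run ConfigureWinRM.ps1 -Name ConfigureWinRM) or pasted into an RDP session. The file name ConfigureWinRM.ps1 and the firewall rule name are assumptions. It creates a self-signed certificate for the machine name, binds a WinRM HTTPS listener to it, opens TCP/5986 in the Windows firewall, and turns off unencrypted and Basic authentication so credentials cannot be sent in clear text over 5985.

```powershell
# ConfigureWinRM.ps1 (assumed name). Added example, not the answer's own code.
# Runs ON the VM as SYSTEM (Custom Script Extension) or as a local admin (RDP).
$ErrorActionPreference = 'Stop'

# WinRM on a fresh image only exposes the HTTP listener on 5985.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Remove any stale HTTPS listener so the script is safe to rerun.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' } |
    Remove-Item -Recurse -Force

# Self-signed server certificate for the machine name. Enough for a lab; a
# CA-issued certificate with the VM's DNS name lets clients keep CA and CN checks.
$cert = New-SelfSignedCertificate -DnsName $env:COMPUTERNAME `
    -CertStoreLocation Cert:\LocalMachine\My

# HTTPS listener on all addresses, bound to that certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Windows firewall: allow 5986 inbound. The NSG in front of the VM still needs
# its own rule for 5986 (the $nsgRulePS rule in the corrected script).
$ruleName = 'WinRM-HTTPS Allow Port 5986'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -LocalPort 5986 -Protocol TCP -Action Allow | Out-Null
}

# Hardening: with HTTPS in place, refuse unencrypted sessions and Basic auth so a
# client that mistakenly targets 5985 cannot leak the local admin password.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

Restart-Service WinRM

# Record what a client needs to verify the server: the listeners and the thumbprint.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Keys
"Certificate thumbprint: $($cert.Thumbprint)"
```

Keep the thumbprint the script prints (the extension's stdout is visible in the VM's extension status); it is the only way a client that must use -SkipCACheck against a self-signed certificate can later confirm it reached the right machine. For anything beyond a throwaway lab, also replace -SourceAddressPrefix * in the NSG rules for 3389 and 5986 with your own public IP, so the management ports are not open to the whole Internet.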