Azure App Service Access Restrictions

Access Restrictions enable you to define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit "deny all" exists at the end of the list.

The Access Restrictions capability works with all App Service hosted workloads, including web apps, API apps, Linux apps, Linux container apps, and Functions.

When a request is made to your app, the FROM (source) address is evaluated against the IP address rules in your access restrictions list. If the FROM address is in a subnet that is configured with service endpoints to Microsoft.Web, then the source subnet is compared against the virtual network rules in your access restrictions list. If the address is not allowed access based on the rules in the list, the service replies with an HTTP 403 status code.

The access restrictions capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network ACLs.

The ability to restrict access to your web app from an Azure Virtual Network (VNet) is called service endpoints. Service endpoints enable you to restrict access to a multi-tenant service from selected subnets. The feature must be enabled on both the networking side and on the service it is being enabled with.

(Figure: Access restrictions flow)

Adding and editing Access Restriction rules in the portal

To add an access restriction rule to your app, use the menu to open Network > Access Restrictions and click Configure Access Restrictions.

(Figure: App Service networking options)

From the Access Restrictions UI, you can review the list of access restriction rules defined for your app.

(Figure: List of access restrictions)

The list shows all of the current restrictions on your app. If you have a VNet restriction on your app, the table shows whether service endpoints are enabled for Microsoft.Web. When there are no defined restrictions on your app, your app is accessible from anywhere.

Adding IP address rules

You can click [+] Add to add a new access restriction rule. Once you add a rule, it becomes effective immediately. Rules are enforced in priority order, starting from the lowest number and going up. An implicit deny all is in effect once you add even a single rule.

When creating a rule, you must select allow/deny and also the type of rule. You are also required to provide the priority value and what you are restricting access to. You can optionally add a name and description to the rule.

(Figure: Add an IP access restriction rule)

To set an IP address based rule, select a type of IPv4 or IPv6. IP addresses must be specified in CIDR notation for both IPv4 and IPv6. To specify an exact address, you can use something like 1.2.3.4/32, where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, you can read Classless Inter-Domain Routing.

Service endpoints

Service endpoints enable you to restrict access to selected Azure virtual network subnets. To restrict access to a specific subnet, create a restriction rule with a type of Virtual Network. You can pick the subscription, VNet, and subnet you wish to allow or deny access to. If service endpoints are not already enabled with Microsoft.Web for the subnet that you selected, they are enabled for you automatically unless you check the box asking not to do that. The situation where you would want to enable it on the app but not the subnet is largely related to whether you have the permissions to enable service endpoints on the subnet. If you need somebody else to enable service endpoints on the subnet, you can check the box and have your app configured for service endpoints in anticipation of it being enabled later on the subnet.

(Figure: Add a VNet access restriction rule)

Managing access restriction rules

You can click any row to edit an existing access restriction rule. Edits are effective immediately, including changes in priority ordering.

(Figure: Edit an access restriction rule)

When you edit a rule, you cannot change the type between an IP address rule and a Virtual Network rule.

(Figure: Edit an access restriction rule)

To delete a rule, click the ... on your rule and then click Remove.

(Figure: Delete an access restriction rule)

Blocking a single IP address

When adding your first IP Restriction rule, the service adds an explicit deny all rule with a priority of 2147483647. In practice, the explicit deny all rule is the last rule executed and blocks access from any IP address that is not explicitly allowed using an Allow rule.

For the scenario where you want to explicitly block a single IP address or IP address block but allow everything else, it is necessary to add an explicit Allow All rule with a lower priority number (evaluated later) than the Deny rule.

(Figure: Blocking a single IP address)

SCM site

In addition to controlling access to your app, you can also restrict access to the scm site used by your app. The scm site is the web deploy endpoint and also the Kudu console. You can assign access restrictions to the scm site separately from the app, or use the same set for both the app and the scm site. When you check the box to use the same restrictions as your app, the scm settings are blanked out. If you uncheck the box, whatever settings you had earlier on the scm site are applied again.

(Figure: List of access restrictions for the scm site)

Programmatic manipulation of access restriction rules

There is currently no CLI or PowerShell support for the new Access Restrictions capability, but the values can be set manually with a PUT operation on the app configuration in Resource Manager. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON.

The location for this information in Resource Manager is:

management.azure.com/subscriptions/{subscription ID}/resourceGroups/{resource group}/providers/Microsoft.Web/sites/{web app name}/config/web?api-version=2018-02-01

The JSON syntax for the earlier example is:

"ipSecurityRestrictions": [
  {
    "ipAddress": "131.107.159.0/24",
    "action": "Allow",
    "tag": "Default",
    "priority": 100,
    "name": "allowed access"
  }
],
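The following added example (not Microsoft's code) models how the front end evaluates a FROM address against rules in the ipSecurityRestrictions format above: ascending priority, first match wins, implicit deny all once any rule exists, and the "block one address but allow everything else" case, which only works when an explicit Allow All rule is present. The rule list and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample in the ipSecurityRestrictions format. Priority 100 denies one
# host; priority 200 is the explicit Allow All that must accompany it, otherwise
# the implicit deny all would block every other caller too.
SAMPLE_RULES = [
    {"ipAddress": "203.0.113.7/32", "action": "Deny", "tag": "Default",
     "priority": 100, "name": "block one host"},
    {"ipAddress": "0.0.0.0/0", "action": "Allow", "tag": "Default",
     "priority": 200, "name": "allow all"},
]

# Priority the portal assigns to the explicit deny-all rule it adds for you.
EXPLICIT_DENY_ALL_PRIORITY = 2147483647


def evaluate(from_ip, rules):
    """Return (action, rule_name) for from_ip.

    Rules are tried in ascending priority and the first CIDR match wins. If no
    rule matches and at least one rule exists, the implicit deny all applies;
    with no rules at all the app is reachable from anywhere.
    """
    if not rules:
        return ("Allow", "no rules configured")
    addr = ipaddress.ip_address(from_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        # Rules must be CIDR; strict=False tolerates host bits set (e.g. 1.2.3.4/24).
        net = ipaddress.ip_network(rule["ipAddress"], strict=False)
        # An IPv4 rule never matches an IPv6 caller and vice versa.
        if addr.version == net.version and addr in net:
            return (rule["action"], rule["name"])
    return ("Deny", "implicit deny all")


def http_status(from_ip, rules):
    """Map the decision to the status the service replies with (403 when denied)."""
    return 200 if evaluate(from_ip, rules)[0] == "Allow" else 403
```

Dropping the Allow All entry from SAMPLE_RULES is the common mistake: the single Deny rule still matches its host, but every other address then falls through to the implicit deny all.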

Function App IP Restrictions

IP restrictions are available for Function Apps with the same functionality as App Service plans. Enabling IP restrictions disables the portal code editor for any disallowed IPs.