Set up Azure App Service access restrictions

By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list.

The access-restriction capability works with all Azure App Service-hosted workloads. The workloads can include web apps, API apps, Linux apps, Linux container apps, and functions.

When a request is made to your app, the FROM address is evaluated against the IP address rules in your access-restriction list. If the FROM address is in a subnet that's configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access-restriction list. If the address isn't allowed access based on the rules in the list, the service replies with an HTTP 403 status code.

The access-restriction capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network access-control lists (ACLs).

The ability to restrict access to your web app from an Azure virtual network is enabled by service endpoints. With service endpoints, you can restrict access to a multitenant service from selected subnets. Service endpoints can't be used to restrict traffic to apps that are hosted in an App Service Environment. If you're in an App Service Environment, you can control access to your app by applying IP address rules.

Note

The service endpoints must be enabled both on the networking side and for the Azure service that they're being enabled with. For a list of Azure services that support service endpoints, see Virtual Network service endpoints.

Access restrictions flowchart.

Add or edit access-restriction rules in the portal

To add an access-restriction rule to your app, do the following:

  1. Sign in to the Azure portal.

  2. On the left pane, select Networking.

  3. On the Networking pane, under Access Restrictions, select Configure Access Restrictions.

    Screenshot of the App Service networking options pane in the Azure portal.

  4. On the Access Restrictions page, review the list of access-restriction rules that are defined for your app.

    Screenshot of the Access Restrictions page in the Azure portal, showing the list of access-restriction rules defined for the selected app.

    The list displays all the current restrictions that are applied to the app. If you have a virtual-network restriction on your app, the table shows whether the service endpoints are enabled for Microsoft.Web. If no restrictions are defined on your app, the app is accessible from anywhere.

Add an access-restriction rule

To add an access-restriction rule to your app, on the Access Restrictions pane, select Add rule. After you add a rule, it becomes effective immediately.

Rules are enforced in priority order, starting from the lowest number in the Priority column. An implicit deny all is in effect after you add even a single rule.

On the Add Access Restriction pane, when you create a rule, do the following:

  1. Under Action, select either Allow or Deny.

    Screenshot of the Add Access Restriction pane.

  2. Optionally, enter a name and description of the rule.

  3. In the Type drop-down list, select the type of rule.

  4. In the Priority box, enter a priority value.

  5. In the Subscription, Virtual Network, and Subnet drop-down lists, select what you want to restrict access to.

Set an IP address-based rule

Follow the procedure as outlined in the preceding section, but with the following variation:

  • For step 3, in the Type drop-down list, select IPv4 or IPv6.

Specify the IP address in Classless Inter-Domain Routing (CIDR) notation for both IPv4 and IPv6 addresses. To specify a single address, use something like 1.2.3.4/32, where the first four octets represent your IP address and /32 is the mask (a single host). The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, see Classless Inter-Domain Routing.

Manage access-restriction rules

You can edit or delete an existing access-restriction rule.

Edit a rule

  1. To begin editing an existing access-restriction rule, on the Access Restrictions page, double-click the rule you want to edit.

  2. On the Edit Access Restriction pane, make your changes, and then select Update rule. Edits are effective immediately, including changes in priority ordering.

    Screenshot of the Edit Access Restriction pane in the Azure portal, showing the fields of an existing access-restriction rule.

Delete a rule

To delete a rule, on the Access Restrictions page, select the ellipsis (...) next to the rule you want to delete, and then select Remove.

Screenshot of the Access Restrictions page, showing the Remove ellipsis next to the access-restriction rule to be deleted.

Block a single IP address

When you add your first access-restriction rule, the service adds an explicit Deny all rule with a priority of 2147483647. In practice, the explicit Deny all rule is the final rule to be executed, and it blocks access from any IP address that's not explicitly allowed by an Allow rule.

For a scenario where you want to explicitly block a single IP address or a block of IP addresses but allow access from everywhere else, add an explicit Allow All rule in addition to the Deny rule; give the Deny rule the lower priority number so that it's evaluated before the Allow All rule.

Screenshot of the Access Restrictions page in the Azure portal, showing a single blocked IP address.
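The following is an added Python model of the rule evaluation described above (priority order, first match wins, implicit deny all) and of the "block a single IP address" pitfall; it is my own illustration, not Azure code, and the addresses and rule names are constructed. The ARM rendering uses only the ipSecurityRestrictions fields shown on this page.

```python
import ipaddress
import json


def add_rule(rules, name, action, cidr, priority):
    """Append a rule using the same field names as the ipSecurityRestrictions JSON."""
    rules.append({"name": name, "action": action,
                  "ipAddress": cidr, "priority": priority})
    return rules


def evaluate(rules, from_addr):
    """Model the front-end decision for one request.

    Rules are checked from the lowest priority number upward; the first rule
    whose CIDR contains the FROM address decides. If nothing matches and at
    least one rule exists, the implicit Deny all applies. With no rules at
    all, the app is reachable from anywhere.
    """
    src = ipaddress.ip_address(from_addr)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        net = ipaddress.ip_network(rule["ipAddress"], strict=False)
        if src.version == net.version and src in net:
            return rule["action"]
    return "Deny" if rules else "Allow"


def to_arm(rules):
    """Render the rules as the ARM app-config fragment shown later on this page."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    return {"properties": {"ipSecurityRestrictions": ordered}}


# Constructed scenario: block one host (203.0.113.7) but admit everyone else.
# Wrong attempt: a lone Deny rule. The implicit deny all now blocks everyone,
# including addresses that were never mentioned.
wrong = add_rule([], "Block single host", "Deny", "203.0.113.7/32", 100)

# Correct: add an explicit Allow All with a higher priority number, so the
# Deny rule is evaluated first and the catch-all admits the rest.
correct = add_rule(list(wrong), "Allow all", "Allow", "0.0.0.0/0", 200)

if __name__ == "__main__":
    for addr in ("203.0.113.7", "198.51.100.20"):
        print(addr, "wrong:", evaluate(wrong, addr),
              "correct:", evaluate(correct, addr))
    print(json.dumps(to_arm(correct), indent=2))
```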

Restrict access to an SCM site

In addition to being able to control access to your app, you can restrict access to the SCM site that's used by your app. The SCM site is both the web deploy endpoint and the Kudu console. You can assign access restrictions to the SCM site separately from the app, or use the same set of restrictions for both the app and the SCM site. When you select the Same restrictions as <app name> check box, everything is blanked out. If you clear the check box, your SCM site settings are reapplied.

Screenshot of the Access Restrictions page in the Azure portal, showing that no access restrictions are set for the SCM site or the app.

Manage access-restriction rules programmatically

You can add access restrictions programmatically by doing either of the following:

  • Use the Azure CLI:

    az webapp config access-restriction add --resource-group ResourceGroup --name AppName \
        --rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100

  • Use Azure PowerShell (the trailing backtick continues the command on the next line):

    Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" `
        -Name "Ip example rule" -Priority 100 -Action Allow -IpAddress 122.133.144.0/24

You can also set values manually by doing either of the following:

  • Use an Azure REST API PUT operation on the app configuration in Azure Resource Manager. The location for this information in Azure Resource Manager is:

    management.chinacloudapi.cn/subscriptions/subscription ID/resourceGroups/resource groups/providers/Microsoft.Web/sites/web app name/config/web?api-version=2018-02-01

  • Use an ARM template. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON.

The JSON syntax for the earlier example is:

{
  "properties": {
    "ipSecurityRestrictions": [
      {
        "ipAddress": "122.133.144.0/24",
        "action": "Allow",
        "priority": 100,
        "name": "IP example rule"
      }
    ]
  }
}

Set up Azure Functions access restrictions

Access restrictions are also available for function apps, with the same functionality as for apps in App Service plans. When you enable access restrictions, you also disable the Azure portal code editor for any disallowed IPs.

Next steps

Access restrictions for Azure Functions
Application Gateway integration with service endpoints