Locking down an App Service Environment

The App Service Environment (ASE) has a number of external dependencies that it requires access to in order to function properly. The ASE lives in the customer's Azure Virtual Network (VNet). Customers must allow the ASE dependency traffic, which is a problem for customers who want to lock down all egress from their VNet.

There are a number of inbound endpoints that are used to manage an ASE. The inbound management traffic cannot be sent through a firewall device. The source addresses for this traffic are known and are published in the App Service Environment management addresses document. There is also a Service Tag named AppServiceManagement that can be used with Network Security Groups (NSGs) to secure inbound traffic.

The ASE outbound dependencies are almost entirely defined with FQDNs, which do not have static addresses behind them. The lack of static addresses means that Network Security Groups cannot be used to lock down the outbound traffic from an ASE. The addresses change often enough that you cannot set up rules based on the current resolution and use those to create NSGs.

The solution to securing outbound addresses lies in the use of a firewall device that can control outbound traffic based on domain names. Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination.

System architecture

Deploying an ASE with outbound traffic going through a firewall device requires changing routes on the ASE subnet. Routes operate at the IP level. If you are not careful in defining your routes, you can force TCP reply traffic to be sourced from another address. When the reply address differs from the address the traffic was sent to, the problem is called asymmetric routing, and it breaks TCP.

There must be routes defined so that inbound traffic to the ASE can reply back the same way the traffic came in. Routes must be defined for inbound management requests and for inbound application requests.

The traffic to and from an ASE must abide by the following conventions:

  • Traffic to Azure SQL, Storage, and Event Hub is not supported through a firewall device. This traffic must be sent directly to those services. The way to make that happen is to configure service endpoints for those three services.
  • Route table rules must be defined that send inbound management traffic back the way it came.
  • Route table rules must be defined that send inbound application traffic back the way it came.
  • All other traffic leaving the ASE can be sent to your firewall device with a route table rule.

(Figure: ASE connection flow with Azure Firewall)

Locking down inbound management traffic

If your ASE subnet does not already have an NSG assigned to it, create one. Within the NSG, set the first rule to allow traffic from the Service Tag named AppServiceManagement on ports 454 and 455. The rule allowing access from the AppServiceManagement tag is the only thing required from public IPs to manage your ASE. The addresses behind that Service Tag are only used to administer the Azure App Service. The management traffic that flows through these connections is encrypted and secured with authentication certificates. Typical traffic on this channel includes things like customer-initiated commands and health probes.

ASEs that are created through the portal with a new subnet are made with an NSG that contains the allow rule for the AppServiceManagement tag.

Your ASE must also allow inbound requests from the Load Balancer tag on port 16001. The requests from the Load Balancer on port 16001 are keep-alive checks between the Load Balancer and the ASE front ends. If port 16001 is blocked, your ASE will go unhealthy.
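The two inbound NSG rules described above, expressed with Az PowerShell as an added example (not code from the original page). The resource group, location, VNet and subnet names are placeholders; AppServiceManagement and AzureLoadBalancer are the service tags behind the "AppServiceManagement" and "Load Balancer" tags named in the text.

```powershell
# Added example: create the ASE subnet NSG with the two inbound allow rules
# the page requires. Names and location below are assumed placeholders.
$rg       = "ase-rg"
$location = "chinaeast2"
$vnetName = "ase-vnet"
$subnet   = "ase-subnet"

# Rule 1 (first rule in the NSG): management traffic from the
# AppServiceManagement service tag on ports 454-455.
$mgmt = New-AzNetworkSecurityRuleConfig -Name "AllowAseManagement" `
    -Description "Inbound App Service management on ports 454-455" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix "AppServiceManagement" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "454-455"

# Rule 2: keep-alive checks from the Azure load balancer on port 16001.
# Without this the ASE front ends are reported unhealthy.
$lb = New-AzNetworkSecurityRuleConfig -Name "AllowLoadBalancerKeepAlive" `
    -Description "Load balancer keep-alive checks on port 16001" `
    -Direction Inbound -Access Allow -Priority 110 -Protocol Tcp `
    -SourceAddressPrefix "AzureLoadBalancer" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "16001"

$nsg = New-AzNetworkSecurityGroup -Name "ase-nsg" -ResourceGroupName $rg `
    -Location $location -SecurityRules $mgmt, $lb

# Attach the NSG to the ASE subnet, keeping the subnet's existing prefix.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

Any inbound application traffic (for example ports 80 and 443 from your clients) still needs its own allow rules; these two are only what the platform itself requires.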

Configuring Azure Firewall with your ASE

The steps to lock down egress from your existing ASE with Azure Firewall are:

  1. Enable service endpoints to SQL, Storage, and Event Hub on your ASE subnet. To enable service endpoints, go into the networking portal > subnets and select Microsoft.EventHub, Microsoft.SQL and Microsoft.Storage from the Service endpoints dropdown. When you have service endpoints enabled to Azure SQL, any Azure SQL dependencies that your apps have must be configured with service endpoints as well.

    (Figure: Select service endpoints)

  2. Create a subnet named AzureFirewallSubnet in the VNet where your ASE exists. Follow the directions in the Azure Firewall documentation to create your Azure Firewall.

  3. From the Azure Firewall UI > Rules > Application rule collection, select Add application rule collection. Provide a name and priority, and set Allow. In the FQDN tags section, provide a name, set the source addresses to *, and select the App Service Environment FQDN Tag and the Windows Update FQDN Tag.

    (Figure: Add application rule)

  4. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name and priority, and set Allow. In the Rules section under IP addresses, provide a name, select a protocol of Any, set Source and Destination addresses to *, and set the ports to 123. This rule allows the system to perform clock sync using NTP. Create another rule the same way for port 12000 to help triage any system issues.

    (Figure: Add NTP network rule)

  5. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name and priority, and set Allow. In the Rules section under Service Tags, provide a name, select a protocol of Any, set Source addresses to *, select a service tag of AzureMonitor, and set the ports to 80, 443. This rule allows the system to supply Azure Monitor with health and metrics information.

    (Figure: Add NTP service tag network rule)

  6. Create a route table with the management addresses from the App Service Environment management addresses document, with a next hop of Internet. The route table entries are required to avoid asymmetric routing problems. Add routes for the IP address dependencies noted below under IP Address dependencies, with a next hop of Internet. Add a Virtual Appliance route to your route table for 0.0.0.0/0 with the next hop being your Azure Firewall private IP address.

    (Figure: Create route table)

  7. Assign the route table you created to your ASE subnet.
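Steps 1 and 3 to 7 of the procedure above as one Az PowerShell script, added here as an example and not taken from the original page. It assumes the Azure Firewall from step 2 already exists; resource names and location are placeholders, and the management address prefixes are marked placeholders to be replaced with the list from the App Service Environment management addresses document (the four IP dependencies are the ones listed later on this page).

```powershell
# Added example: firewall rule collections plus the ASE subnet route table.
# Names, location and the management prefixes are assumed placeholders.
$rg = "ase-rg"; $location = "chinaeast2"
$vnetName = "ase-vnet"; $subnet = "ase-subnet"; $fwName = "ase-fw"

# Step 3: application rule collection with the two FQDN tags.
$appRule = New-AzFirewallApplicationRule -Name "ase-fqdn-tags" `
    -SourceAddress "*" -FqdnTag "AppServiceEnvironment", "WindowsUpdate"
$appColl = New-AzFirewallApplicationRuleCollection -Name "ase-app-rules" `
    -Priority 100 -ActionType Allow -Rule $appRule

# Steps 4 and 5: NTP (123), diagnostics (12000) and Azure Monitor (80, 443).
$ntp  = New-AzFirewallNetworkRule -Name "ntp" -Protocol Any -SourceAddress "*" `
    -DestinationAddress "*" -DestinationPort 123
$diag = New-AzFirewallNetworkRule -Name "diag" -Protocol Any -SourceAddress "*" `
    -DestinationAddress "*" -DestinationPort 12000
$mon  = New-AzFirewallNetworkRule -Name "azure-monitor" -Protocol Any `
    -SourceAddress "*" -DestinationAddress "AzureMonitor" -DestinationPort 80, 443
$netColl = New-AzFirewallNetworkRuleCollection -Name "ase-net-rules" `
    -Priority 200 -ActionType Allow -Rule $ntp, $diag, $mon

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
$fw = Set-AzFirewall -AzureFirewall $fw

# Step 6: management and IP-dependency traffic goes straight to Internet so
# replies are not pulled through the firewall (asymmetric routing breaks TCP);
# everything else goes to the firewall's private IP.
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress
$mgmtPrefixes = @("<mgmt-address-1>/32", "<mgmt-address-2>/32")   # placeholders
$ipDeps = @("40.77.24.27", "13.90.249.229", "104.45.230.69", "13.82.184.151")
$routes = @()
$i = 0
foreach ($p in $mgmtPrefixes + ($ipDeps | ForEach-Object { "$_/32" })) {
    $routes += New-AzRouteConfig -Name "direct-$i" -AddressPrefix $p -NextHopType Internet
    $i++
}
$routes += New-AzRouteConfig -Name "default-to-firewall" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -Name "ase-rt" -ResourceGroupName $rg -Location $location -Route $routes

# Steps 1 and 7: service endpoints and the route table on the ASE subnet.
# The existing NSG is passed back explicitly so the update does not drop it.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$cfg  = Get-AzVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
$params = @{
    VirtualNetwork  = $vnet
    Name            = $subnet
    AddressPrefix   = $cfg.AddressPrefix
    ServiceEndpoint = @("Microsoft.Sql", "Microsoft.Storage", "Microsoft.EventHub")
    RouteTable      = $rt
}
if ($cfg.NetworkSecurityGroup) { $params.NetworkSecurityGroupId = $cfg.NetworkSecurityGroup.Id }
Set-AzVirtualNetworkSubnetConfig @params | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```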

Deploying your ASE behind a firewall

The steps to deploy your ASE behind a firewall are the same as configuring your existing ASE with an Azure Firewall, except that you need to create your ASE subnet first and then follow the previous steps. To create your ASE in a pre-existing subnet, you need to use a Resource Manager template, as described in the document on creating your ASE with a Resource Manager template.

Application traffic

The above steps will allow your ASE to operate without problems. You still need to configure things to accommodate your application's needs. There are two problems for applications in an ASE that is configured with Azure Firewall:

  • Application dependencies must be added to the Azure Firewall or the route table.
  • Routes must be created for the application traffic to avoid asymmetric routing issues.

If your applications have dependencies, they need to be added to your Azure Firewall. Create Application rules to allow HTTP/HTTPS traffic and Network rules for everything else.

If you know the address range that your application request traffic will come from, you can add that to the route table that is assigned to your ASE subnet. If the address range is large or unspecified, then you can use a network appliance like the Application Gateway to give you one address to add to your route table. For details on configuring an Application Gateway with your ILB ASE, read Integrating your ILB ASE with an Application Gateway.

This use of the Application Gateway is just one example of how to configure your system. If you follow this path, then you need to add a route to the ASE subnet route table so that the reply traffic sent to the Application Gateway goes there directly.

Logging

Azure Firewall can send logs to Azure Storage, Event Hub, or Azure Monitor logs. To integrate your app with any supported destination, go to the Azure Firewall portal > Diagnostic Logs and enable the logs for your desired destination. If you integrate with Azure Monitor logs, then you can see logging for any traffic sent to Azure Firewall. To see the traffic that is being denied, open your Log Analytics workspace portal > Logs and enter a query like:

```kusto
AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h)
```

Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working and you are not yet aware of all of the application dependencies. You can learn more about Azure Monitor logs from Analyze log data in Azure Monitor.
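An added example (not from the original page) that runs an extended form of the query above from Az PowerShell and groups the denied traffic by destination, which is the quickest way to find the application dependencies still missing from the firewall. The workspace id is a placeholder, and the extraction of the host:port assumes the usual Azure Firewall log message shape "... request from <src> to <host>:<port>. Action: Deny ...".

```powershell
# Added example: summarize what Azure Firewall denied in the last hour so each
# missing dependency shows up once with a hit count. Workspace id is a placeholder.
$workspaceId = "<log-analytics-workspace-id>"

$query = @"
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
| where TimeGenerated >= ago(1h)
| where msg_s contains "Deny"
| extend Destination = extract(@" to ([^\s]+:\d+)", 1, msg_s)
| summarize Denied = count(), Sample = any(msg_s) by Category, Destination
| order by Denied desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query

# Category tells you which rule type to add: AzureFirewallApplicationRule rows
# (HTTP/S hosts) become application rules, AzureFirewallNetworkRule rows
# (IP:port, non-HTTP/S) become network rules or route table entries.
$result.Results | Format-Table Category, Destination, Denied, Sample -AutoSize
```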

Dependencies

The following information is only required if you wish to configure a firewall appliance other than Azure Firewall.

  • Service Endpoint capable services should be configured with service endpoints.
  • IP Address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
  • FQDN HTTP/HTTPS endpoints can be placed in your firewall device.
  • Wildcard HTTP/HTTPS endpoints are dependencies that can vary with your ASE based on a number of qualifiers.
  • Linux dependencies are only a concern if you are deploying Linux apps into your ASE. If you are not deploying Linux apps into your ASE, then these addresses do not need to be added to your firewall.

Service Endpoint capable dependencies

| Endpoint |
| --- |
| Azure SQL |
| Azure Storage |
| Azure Event Hub |

IP Address dependencies

| Endpoint | Details |
| --- | --- |
| *:123 | NTP clock check. Traffic is checked at multiple endpoints on port 123. |
| *:12000 | This port is used for some system monitoring. If blocked, some issues will be harder to triage, but your ASE will continue to operate. |
| 40.77.24.27:80 | Needed to monitor and alert on ASE problems |
| 40.77.24.27:443 | Needed to monitor and alert on ASE problems |
| 13.90.249.229:80 | Needed to monitor and alert on ASE problems |
| 13.90.249.229:443 | Needed to monitor and alert on ASE problems |
| 104.45.230.69:80 | Needed to monitor and alert on ASE problems |
| 104.45.230.69:443 | Needed to monitor and alert on ASE problems |
| 13.82.184.151:80 | Needed to monitor and alert on ASE problems |
| 13.82.184.151:443 | Needed to monitor and alert on ASE problems |

With an Azure Firewall, everything below is configured automatically by the FQDN tags.

FQDN HTTP/HTTPS dependencies

| Endpoint |
| --- |
| graph.chinacloudapi.cn:443 |
| login.live.com:443 |
| login.windows.com:443 |
| login.chinacloudapi.cn:443 |
| login.partner.microsoftonline.cn:443 |
| client.wns.windows.com:443 |
| definitionupdates.microsoft.com:443 |
| go.microsoft.com:80 |
| go.microsoft.com:443 |
| www.microsoft.com:80 |
| www.microsoft.com:443 |
| wdcpalt.microsoft.com:443 |
| wdcp.microsoft.com:443 |
| ocsp.msocsp.com:443 |
| mscrl.microsoft.com:443 |
| mscrl.microsoft.com:80 |
| crl.microsoft.com:443 |
| crl.microsoft.com:80 |
| www.thawte.com:443 |
| crl3.digicert.com:80 |
| ocsp.digicert.com:80 |
| csc3-2009-2.crl.verisign.com:80 |
| crl.verisign.com:80 |
| ocsp.verisign.com:80 |
| cacerts.digicert.com:80 |
| azperfcounters1.blob.core.chinacloudapi.cn:443 |
| azurewatsonanalysis-prod.core.chinacloudapi.cn:443 |
| global.metrics.nsatc.net:80 |
| global.metrics.nsatc.net:443 |
| az-prod.metrics.nsatc.net:443 |
| antares.metrics.nsatc.net:443 |
| azglobal-black.azglobal.metrics.nsatc.net:443 |
| azglobal-red.azglobal.metrics.nsatc.net:443 |
| antares-black.antares.metrics.nsatc.net:443 |
| antares-red.antares.metrics.nsatc.net:443 |
| prod.microsoftmetrics.com:443 |
| maupdateaccount.blob.core.chinacloudapi.cn:443 |
| clientconfig.passport.net:443 |
| packages.microsoft.com:443 |
| schemas.microsoft.com:80 |
| schemas.microsoft.com:443 |
| management.core.chinacloudapi.cn:443 |
| management.core.chinacloudapi.cn:80 |
| management.chinacloudapi.cn:443 |
| www.msftconnecttest.com:80 |
| shavamanifestcdnprod1.azureedge.net:443 |
| validation-v2.sls.microsoft.com:443 |
| flighting.cp.wd.microsoft.com:443 |
| dmd.metaservices.microsoft.com:80 |
| admin.core.chinacloudapi.cn:443 |
| prod.warmpath.msftcloudes.com:443 |
| prod.warmpath.msftcloudes.com:80 |
| gcs.prod.monitoring.core.chinacloudapi.cn:80 |
| gcs.prod.monitoring.core.chinacloudapi.cn:443 |
| azureprofileruploads.blob.core.chinacloudapi.cn:443 |
| azureprofileruploads2.blob.core.chinacloudapi.cn:443 |
| azureprofileruploads3.blob.core.chinacloudapi.cn:443 |
| azureprofileruploads4.blob.core.chinacloudapi.cn:443 |
| azureprofileruploads5.blob.core.chinacloudapi.cn:443 |
| azperfmerges.blob.core.chinacloudapi.cn:443 |
| azprofileruploads1.blob.core.chinacloudapi.cn:443 |
| azprofileruploads10.blob.core.chinacloudapi.cn:443 |
| azprofileruploads2.blob.core.chinacloudapi.cn:443 |
| azprofileruploads3.blob.core.chinacloudapi.cn:443 |
| azprofileruploads4.blob.core.chinacloudapi.cn:443 |
| azprofileruploads6.blob.core.chinacloudapi.cn:443 |
| azprofileruploads7.blob.core.chinacloudapi.cn:443 |
| azprofileruploads8.blob.core.chinacloudapi.cn:443 |
| azprofileruploads9.blob.core.chinacloudapi.cn:443 |
| azureprofilerfrontdoor.cloudapp.cn:443 |
| settings-win.data.microsoft.com:443 |
| maupdateaccount2.blob.core.chinacloudapi.cn:443 |
| maupdateaccount3.blob.core.chinacloudapi.cn:443 |
| dc.services.visualstudio.com:443 |
| gmstorageprodsn1.blob.core.chinacloudapi.cn:443 |
| gmstorageprodsn1.file.core.chinacloudapi.cn:443 |
| gmstorageprodsn1.queue.core.chinacloudapi.cn:443 |
| gmstorageprodsn1.table.core.chinacloudapi.cn:443 |
| rteventservice.trafficmanager.cn:443 |
| ctldl.windowsupdate.com:80 |
| ctldl.windowsupdate.com:443 |

Wildcard HTTP/HTTPS dependencies

| Endpoint |
| --- |
| gr-Prod-*.cloudapp.cn:443 |
| *.management.chinacloudapi.cn:443 |
| *.update.microsoft.com:443 |
| *.windowsupdate.microsoft.com:443 |
| *.identity.azure.cn:443 |
| *.ctldl.windowsupdate.com:80 |
| *.ctldl.windowsupdate.com:443 |

Linux dependencies

| Endpoint |
| --- |
| wawsinfraprodbay063.blob.core.chinacloudapi.cn:443 |
| registry-1.docker.io:443 |
| auth.docker.io:443 |
| production.cloudflare.docker.com:443 |
| download.docker.com:443 |
| us.archive.ubuntu.com:80 |
| download.mono-project.com:80 |
| packages.treasuredata.com:80 |
| security.ubuntu.com:80 |
| oryx-cdn.microsoft.io:443 |
| *.cdn.mscr.io:443 |
| mcr.microsoft.com:443 |
| *.data.mcr.microsoft.com:443 |
| packages.fluentbit.io:80 |
| packages.fluentbit.io:443 |
| apt-mo.trafficmanager.net:80 |
| apt-mo.trafficmanager.net:443 |
| azure.archive.ubuntu.com:80 |
| azure.archive.ubuntu.com:443 |
| changelogs.ubuntu.com:80 |
| 13.74.252.37:11371 |
| 13.75.127.55:11371 |
| 13.76.190.189:11371 |
| 13.80.10.205:11371 |
| 13.91.48.226:11371 |
| 40.76.35.62:11371 |
| 104.215.95.108:11371 |