Azure 中继的网络安全性Network security for Azure Relay

本文介绍如何将以下安全功能与 Azure 中继配合使用:This article describes how to use the following security features with Azure Relay:

  • IP 防火墙规则IP firewall rules


Azure 中继不支持网络服务终结点。Azure Relay doesn't support network service endpoints.

IP 防火墙IP firewall

默认情况下,只要请求附带有效的身份验证和授权,就可以从 Internet 访问中继命名空间。By default, Relay namespaces are accessible from internet as long as the request comes with valid authentication and authorization. 使用 IP 防火墙,可以将其进一步限制为采用 CIDR(无类域间路由)表示法的一组 IPv4 地址或一个 IPv4 地址。With IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation.

在仅应从某些知名站点访问 Azure 中继的情况下,此功能很有用。This feature is helpful in scenarios in which Azure Relay should be only accessible from certain well-known sites. 可以通过防火墙规则来配置规则,以便接受来自特定 IPv4 地址的流量。Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 addresses. 例如,如果将中继与 Azure Express Route 配合使用,则可创建防火墙规则,仅允许来自本地基础结构 IP 地址的流量。For example, if you use Relay with Azure Express Route, you can create a firewall rule to allow traffic from only your on-premises infrastructure IP addresses.

IP 防火墙规则应用于中继命名空间级别。The IP firewall rules are applied at the Relay namespace level. 因此,这些规则适用于通过任何受支持协议从客户端发出的所有连接。Therefore, the rules apply to all connections from clients using any supported protocol. 如果某 IP 地址与中继命名空间的允许 IP 规则不匹配,系统会拒绝来自该地址的任何连接尝试并将其标记为“未经授权”。Any connection attempt from an IP address that does not match an allowed IP rule on the Relay namespace is rejected as unauthorized. 响应不会提及 IP 规则。The response does not mention the IP rule. IP 筛选器规则将按顺序应用,与 IP 地址匹配的第一个规则决定了将执行接受操作还是执行拒绝操作。IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

有关详细信息,请参阅如何为中继命名空间配置 IP 防火墙For more information, see How to configure IP firewall for a Relay namespace

后续步骤Next steps

请参阅以下文章:See the following articles: