Configure network access control

Azure SignalR Service lets you secure and control the level of access to your service endpoint based on the request type and on the subset of networks the request arrives over. When network rules are configured, only applications that request data over the specified set of networks can access your Azure SignalR Service.

Azure SignalR Service has a public endpoint that is accessible through the internet. You can also create Private Endpoints for your Azure SignalR Service. A Private Endpoint assigns a private IP address from your VNet to the Azure SignalR Service and carries all traffic between your VNet and the Azure SignalR Service over a private link. Azure SignalR Service network access control provides access control for both the public endpoint and private endpoints.

Optionally, you can allow or deny certain types of requests for the public endpoint and for each private endpoint separately. For example, you can block all Server Connections from the public endpoint and make sure they originate only from a specific VNet.

Network rules narrow where a request may come from; they do not authenticate it. An application that accesses an Azure SignalR Service while network access control rules are in effect still requires proper authorization for the request.

Scenario A - No public traffic

To deny all public traffic completely, first configure the public network rule to allow no request type. Then configure rules that grant access to traffic from specific VNets. This configuration builds a secure network boundary around your applications.

Scenario B - Only client connections from public network

In this scenario, configure the public network rule to allow only Client Connections from the public network. Then configure the private endpoint rules to allow the other types of requests originating from a specific VNet. This configuration hides your app servers from the public network and establishes secure connections between your app servers and Azure SignalR Service.

Managing network access control

You can manage network access control for Azure SignalR Service through the Azure portal.

Azure portal

  1. Go to the Azure SignalR Service you want to secure.

  2. Click the settings menu called Network access control.

    Network ACL on portal

  3. To edit the default action, toggle the Allow/Deny button.

    Tip

    The default action is the action taken when no ACL rule matches. For example, if the default action is Deny, request types that are not explicitly allowed below will be denied. Conversely, a default action of Allow means that any request type you left unselected is still accepted, so check the default action before relying on an empty public network rule.

  4. To edit the public network rule, select the allowed request types under Public network.

    Edit public network ACL on portal

  5. To edit the private endpoint network rules, select the allowed request types in each row under Private endpoint connections.

    Edit private endpoint ACL on portal

  6. Click Save to apply your changes.
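The following is an added example, not code from this page or from Microsoft. It models Scenario A, Scenario B and the default-action rule from the tip above as a small rule evaluator, so you can see which request types each endpoint ends up accepting before you click Save, and emit the same rules in the shape of the resource's `networkACLs` property (defaultAction, publicNetwork.allow/deny, and one allow/deny pair per private endpoint connection). The request type names ClientConnection, ServerConnection, RESTAPI and Trace are the ones the service uses. Two assumptions fill gaps the page leaves open: a type listed in both allow and deny is denied, and a private endpoint with no rule of its own falls back to the default action. The private endpoint connection name `pe-app-servers` is made up.

```python
"""Evaluate Azure SignalR network access control rules offline.

Added example, not code from the Azure documentation or from Microsoft.
Assumptions (not stated on the page): a type in both allow and deny is
denied; a private endpoint without a rule falls back to the default action.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Request types the service distinguishes in its network ACLs.
REQUEST_TYPES = ("ClientConnection", "ServerConnection", "RESTAPI", "Trace")


@dataclass
class NetworkAcl:
    """Allow / deny lists for one network: the public endpoint or one private endpoint."""
    allow: tuple[str, ...] = ()
    deny: tuple[str, ...] = ()

    def __post_init__(self) -> None:
        for t in (*self.allow, *self.deny):
            if t not in REQUEST_TYPES:
                raise ValueError(f"unknown request type {t!r}")


@dataclass
class SignalRNetworkAcls:
    default_action: str = "Deny"  # action taken when no rule matches (the Tip above)
    public_network: NetworkAcl = field(default_factory=NetworkAcl)
    private_endpoints: dict[str, NetworkAcl] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.default_action not in ("Allow", "Deny"):
            raise ValueError("defaultAction must be 'Allow' or 'Deny'")

    def decide(self, request_type: str, source: str = "public") -> str:
        """Return 'Allow' or 'Deny' for `request_type` arriving over `source`,
        which is "public" for the public endpoint or a private endpoint name."""
        if request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type {request_type!r}")
        acl = self.public_network if source == "public" else self.private_endpoints.get(source)
        if acl is None:                 # assumption: endpoint without a rule -> default
            return self.default_action
        if request_type in acl.deny:    # assumption: an explicit deny wins
            return "Deny"
        if request_type in acl.allow:
            return "Allow"
        return self.default_action      # no rule matched -> default action

    def to_arm(self) -> dict:
        """The same rules in the shape of the resource's `networkACLs` property."""
        return {
            "defaultAction": self.default_action,
            "publicNetwork": {"allow": list(self.public_network.allow),
                              "deny": list(self.public_network.deny)},
            "privateEndpoints": [
                {"name": name, "allow": list(acl.allow), "deny": list(acl.deny)}
                for name, acl in self.private_endpoints.items()
            ],
        }


def public_exposure(acls: SignalRNetworkAcls) -> list[str]:
    """Request types the public endpoint accepts: the check to run after editing,
    because a default action of Allow quietly undoes an empty public rule."""
    return [t for t in REQUEST_TYPES if acls.decide(t, "public") == "Allow"]


def scenario_a(pe_name: str = "pe-app-servers") -> SignalRNetworkAcls:
    """Scenario A: no public traffic; everything arrives through the private endpoint."""
    return SignalRNetworkAcls(
        default_action="Deny",
        public_network=NetworkAcl(allow=()),
        private_endpoints={pe_name: NetworkAcl(allow=REQUEST_TYPES)},
    )


def scenario_b(pe_name: str = "pe-app-servers") -> SignalRNetworkAcls:
    """Scenario B: browsers connect publicly; app servers and REST callers only privately."""
    return SignalRNetworkAcls(
        default_action="Deny",
        public_network=NetworkAcl(allow=("ClientConnection",)),
        private_endpoints={pe_name: NetworkAcl(allow=("ServerConnection", "RESTAPI", "Trace"))},
    )


if __name__ == "__main__":
    for label, acls in (("A", scenario_a()), ("B", scenario_b())):
        print(f"Scenario {label}: public endpoint accepts {public_exposure(acls)}")
    # Same rules with the default action flipped: every unselected type leaks out.
    loose = scenario_a()
    loose.default_action = "Allow"
    print("Scenario A with defaultAction=Allow:", public_exposure(loose))
```

Run `public_exposure` on the rule set you intend to save: for Scenario A it must return an empty list, for Scenario B exactly `["ClientConnection"]`. The `loose` case at the end shows why the tip about the default action matters: with an empty public rule and a default action of Allow, all four request types are reachable from the internet.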