Configure firewalls for Azure Stack HCI

Applies to: Azure Stack HCI, version 20H2

This topic provides guidance on how to configure firewalls for the Azure Stack HCI operating system. It covers the connectivity requirements and explains how service tags group the Azure IP addresses that the operating system needs to reach. It also provides steps to update Microsoft Defender Firewall.

Connectivity requirements

Azure Stack HCI needs to periodically connect to Azure. Access is limited to only:

  • Well-known Azure IPs
  • Outbound direction
  • Port 443 (HTTPS)

For more information, see the "Azure Stack HCI connectivity" section of the Azure Stack HCI FAQ.

This topic describes how to optionally use a highly locked-down firewall configuration that blocks all traffic to all destinations except those included on your allow list.

Important

If outbound connectivity is restricted by your external corporate firewall or proxy server, ensure that the URLs listed in the table below are not blocked.

As shown below, Azure Stack HCI may reach Azure through more than one firewall.

[Diagram: Azure Stack HCI accessing service tag endpoints through port 443 (HTTPS) on a firewall.]

Working with service tags

A service tag represents a group of IP addresses from a given Azure service. Azure manages the IP addresses included in the service tag and automatically updates the service tag as IP addresses change, which keeps updates on your side to a minimum. To learn more, see Virtual network service tags.

Required endpoint daily access (after Azure registration)

Azure maintains well-known IP addresses for Azure services, organized using service tags. Azure publishes a weekly JSON file of all the IP addresses for every service. The IP addresses don't change often, but they do change a few times per year. The following table shows the service tag endpoints that the operating system needs to access.

Description: Azure Active Directory
  Service tag for IP range: AzureActiveDirectory
  URL: https://login.partner.microsoftonline.cn
       https://microsoftgraph.chinacloudapi.cn
       https://graph.chinacloudapi.cn

Description: Azure Resource Manager
  Service tag for IP range: AzureResourceManager
  URL: https://management.chinacloudapi.cn

Description: Azure Stack HCI Cloud Service
  Service tag for IP range: AzureFrontDoor.Frontend
                            AzureCloud.ChinaEast2 (for Azure China)
  URL: https://dp.stackhci.azure.cn

Description: Azure Arc
  Service tag for IP range: AzureArcInfrastructure
                            AzureTrafficManager
  URL: Coming soon.

Update Microsoft Defender Firewall

This section shows how to configure Microsoft Defender Firewall to allow the IP addresses associated with a service tag to connect with the operating system:

  1. Download the JSON file from the following resource to the target computer running the operating system: Azure IP Ranges and Service Tags – China Cloud.

  2. Use the following PowerShell command to open the JSON file (-Raw passes the whole file to ConvertFrom-Json as a single string):

    $json = Get-Content -Path .\ServiceTags_China_20210308.json -Raw | ConvertFrom-Json
    
  3. Get the list of IP address ranges for a given service tag, such as the "AzureResourceManager" service tag:

    $IpList = ($json.values | where Name -Eq "AzureResourceManager").properties.addressPrefixes
    
  4. Import the list of IP addresses into your external corporate firewall, if you're using an allow list with it.

  5. Create a firewall rule on each server in the cluster to allow outbound 443 (HTTPS) traffic to the list of IP address ranges. Because the connection is outbound to the service, the port to match is the remote port 443 (the local port is ephemeral):

    New-NetFirewallRule -DisplayName "Allow Azure Resource Manager" -RemoteAddress $IpList -Direction Outbound -RemotePort 443 -Protocol TCP -Action Allow -Profile Any -Enabled True
    
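The steps above carried through for every service tag in the table, as an added example that is not part of the original page: it loads the weekly JSON, creates one outbound allow rule per tag, replaces any earlier rule with the same name so the weekly refresh can be re-applied without stale prefixes lingering, and reads the resulting rule back to confirm what was applied. The file name, the rule-name prefix and the function name are assumptions.

```powershell
# Added example (not from the original page). Run as administrator on each
# server in the cluster after downloading the China-cloud service-tag JSON.
function Update-ServiceTagFirewallRules {
    param(
        [Parameter(Mandatory)] [string] $JsonPath,
        # Service tags from the endpoint table on this page.
        [string[]] $ServiceTags = @(
            'AzureActiveDirectory', 'AzureResourceManager',
            'AzureFrontDoor.Frontend', 'AzureCloud.ChinaEast2',
            'AzureArcInfrastructure', 'AzureTrafficManager'
        ),
        [string] $RulePrefix = 'Azure Stack HCI - '   # assumed naming convention
    )

    # -Raw hands ConvertFrom-Json the whole file as one string.
    $json = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json

    foreach ($tag in $ServiceTags) {
        $entry = $json.values | Where-Object Name -eq $tag
        if (-not $entry) {
            Write-Warning "Service tag '$tag' not found in $JsonPath; skipping."
            continue
        }
        $prefixes = $entry.properties.addressPrefixes   # IPv4 and IPv6 CIDRs
        $name = "$RulePrefix$tag"

        # Replace rather than append, so prefixes dropped from a newer JSON file
        # stop being allowed once the update is re-run.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule

        # Outbound HTTPS: match the remote port 443, not the local port.
        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Allow -Enabled True -Profile Any `
            -Protocol TCP -RemotePort 443 -RemoteAddress $prefixes | Out-Null

        # Read the remote addresses back from the rule to confirm what was applied.
        $applied = (Get-NetFirewallRule -DisplayName $name |
            Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ ServiceTag = $tag; Rule = $name; Prefixes = @($applied).Count }
    }
}

# Example invocation (file name is an example):
Update-ServiceTagFirewallRules -JsonPath .\ServiceTags_China_20210308.json
```

The rules only restrict anything if the Outbound default action of the Defender Firewall profile is set to Block; with the default Allow action they are harmless but redundant.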

Additional endpoint for one-time Azure registration

During the Azure registration process, whether you run Register-AzStackHCI or use Windows Admin Center, the cmdlet tries to contact the PowerShell Gallery to verify that you have the latest version of the required PowerShell modules, such as Az and AzureAD.

Although the PowerShell Gallery is hosted on Azure, there is currently no service tag for it. If you can't run the Register-AzStackHCI cmdlet from a server node because it has no internet access, we recommend downloading the modules to your management computer and then manually transferring them to the server node where you want to run the cmdlet.

Set up a proxy server

To set up a proxy server for Azure Stack HCI, run the following PowerShell command as an administrator on each server in the cluster:

Set-WinInetProxy -ProxySettingsPerUser 0 -ProxyServer webproxy1.com:9090

Use the ProxySettingsPerUser 0 flag to make the proxy configuration server-wide instead of per user, which is the default.

To remove the proxy configuration, run the PowerShell command Set-WinInetProxy without arguments.

Download the WinInetProxy.psm1 script at: PowerShell Gallery | WinInetProxy.psm1 0.1.0.

Note

Using the Proxy setting in Windows Admin Center redirects all Windows Admin Center outbound traffic (for example, downloading extensions, connecting to Azure, and so on).

Network port requirements

Ensure that the proper network ports are open between all server nodes, both within a site and between sites (for stretched clusters). You'll need appropriate firewall and router rules to allow bi-directional ICMP, SMB (port 445, plus port 5445 for SMB Direct), and WS-MAN (port 5985) traffic between all servers in the cluster.

When you use the Cluster Creation wizard in Windows Admin Center to create the cluster, the wizard automatically opens the appropriate firewall ports on each server in the cluster for Failover Clustering, Hyper-V, and Storage Replica. If you're using a different firewall on each server, open the following ports:

Failover Clustering ports

  • ICMPv4 and ICMPv6
  • TCP port 445
  • RPC Dynamic Ports
  • TCP port 135
  • TCP port 137
  • TCP port 3343
  • UDP port 3343

Hyper-V ports

  • TCP port 135
  • TCP port 80 (HTTP connectivity)
  • TCP port 443 (HTTPS connectivity)
  • TCP port 6600
  • TCP port 2179
  • RPC Dynamic Ports
  • RPC Endpoint Mapper
  • TCP port 445

Storage Replica ports (stretched cluster)

  • TCP port 445
  • TCP port 5445 (if using iWARP RDMA)
  • TCP port 5985
  • ICMPv4 and ICMPv6 (if using the Test-SRTopology PowerShell cmdlet)

Next steps

For more information, see also: