Azure Stack datacenter integration - Publish Azure Stack Services

Azure Stack sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that was specified at deployment time. For example, the user portal is assigned the DNS host entry portal.<region>.<fqdn>.

The following architectural diagram shows the different network layers and ACLs:


Ports and URLs

To make Azure Stack services (such as the portals, Azure Resource Manager, DNS, etc.) available to external networks, you must allow inbound traffic to these endpoints for specific URLs, ports, and protocols.

In a deployment where a transparent proxy uplinks to a traditional proxy server, or where a firewall is protecting the solution, you must allow specific ports and URLs for both inbound and outbound communication. These include ports and URLs for identity, the marketplace, patch and update, registration, and usage data.

Ports and protocols (inbound)

A set of infrastructure VIPs is required for publishing Azure Stack endpoints to external networks. The Endpoint (VIP) table shows each endpoint, the required port, and the protocol. Refer to the specific resource provider deployment documentation for endpoints that require additional resource providers, such as the SQL resource provider.

Internal infrastructure VIPs aren't listed because they're not required for publishing Azure Stack. User VIPs are dynamic, defined by the users themselves, with no control by the Azure Stack operator.

IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP ports 500 and 4500 and TCP port 50. Firewalls do not always open these ports, so an IKEv2 VPN might not be able to traverse proxies and firewalls.

With the addition of the Extension Host, ports in the range 12495-30015 are not required.

Endpoint (VIP) | DNS host A record | Protocol | Ports
AD FS | Adfs.<region>.<fqdn> | HTTPS | 443
Portal (administrator) | Adminportal.<region>.<fqdn> | HTTPS | 443
Adminhosting | *.adminhosting.<region>.<fqdn> | HTTPS | 443
Azure Resource Manager (administrator) | Adminmanagement.<region>.<fqdn> | HTTPS | 443
Portal (user) | Portal.<region>.<fqdn> | HTTPS | 443
Azure Resource Manager (user) | Management.<region>.<fqdn> | HTTPS | 443
Graph | Graph.<region>.<fqdn> | HTTPS | 443
Certificate revocation list | Crl.<region>.<fqdn> | HTTP | 80
DNS | *.<region>.<fqdn> | TCP & UDP | 53
Hosting | *.hosting.<region>.<fqdn> | HTTPS | 443
Key Vault (user) | *.vault.<region>.<fqdn> | HTTPS | 443
Key Vault (administrator) | *.adminvault.<region>.<fqdn> | HTTPS | 443
Storage Queue | *.queue.<region>.<fqdn> | HTTP |
Storage Table | *.table.<region>.<fqdn> | HTTP |
Storage Blob | *.blob.<region>.<fqdn> | HTTP |
SQL Resource Provider | sqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304
MySQL Resource Provider | mysqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304
App Service | *.appservice.<region>.<fqdn> | TCP | 80 (HTTP), 443 (HTTPS), 8172 (MSDeploy)
App Service | *.scm.appservice.<region>.<fqdn> | TCP | 443 (HTTPS)
App Service | api.appservice.<region>.<fqdn> | TCP | 443 (HTTPS), 44300 (Azure Resource Manager)
App Service | ftp.appservice.<region>.<fqdn> | TCP, UDP | 21, 1021, 10001-10100 (FTP), 990 (FTPS)
VPN Gateways | See the VPN gateway FAQ.
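As an added example (not part of the Azure Stack documentation), the following Python script expands a subset of the inbound endpoint table above for a concrete region and FQDN and then probes each TCP endpoint from the network it runs on, so an operator can confirm that the published VIPs are actually reachable through the firewall and ACLs. The region name `east`, the FQDN `contoso.example`, the lowercased host names and the sample name used for the DNS wildcard are assumptions.

```python
import socket

# Inbound endpoint table from this page (a subset; hosts lowercased).
# The region, FQDN and "any-name" sample below are assumptions, not doc values.
INBOUND = [
    ("AD FS", "adfs.<region>.<fqdn>", "tcp", "443"),
    ("Portal (administrator)", "adminportal.<region>.<fqdn>", "tcp", "443"),
    ("Azure Resource Manager (administrator)", "adminmanagement.<region>.<fqdn>", "tcp", "443"),
    ("Portal (user)", "portal.<region>.<fqdn>", "tcp", "443"),
    ("Azure Resource Manager (user)", "management.<region>.<fqdn>", "tcp", "443"),
    ("Graph", "graph.<region>.<fqdn>", "tcp", "443"),
    ("Certificate revocation list", "crl.<region>.<fqdn>", "tcp", "80"),
    ("DNS", "any-name.<region>.<fqdn>", "tcp,udp", "53"),  # wildcard *.<region>.<fqdn>
    ("SQL Resource Provider", "sqladapter.dbadapter.<region>.<fqdn>", "tcp", "44300-44304"),
    ("App Service FTP", "ftp.appservice.<region>.<fqdn>", "tcp,udp", "21,1021,10001-10100"),
]

def expand_ports(spec):
    """Turn a port spec like '21,1021,10001-10100' into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)

def build_rules(region, fqdn, table=INBOUND):
    """Expand the table into concrete (name, host, proto, port) allow entries."""
    rules = []
    for name, host, protos, spec in table:
        host = host.replace("<region>", region).replace("<fqdn>", fqdn)
        for proto in protos.split(","):
            for port in expand_ports(spec):
                rules.append((name, host, proto, port))
    return rules

def probe_tcp(host, port, timeout=3.0):
    """True only if the name resolves and a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # DNS failure, connection refused, or filtered/timed out
        return False

def check_published(region, fqdn):
    """Probe every TCP rule from the current network; returns {(host, port): bool}."""
    return {(h, p): probe_tcp(h, p) for _, h, proto, p in build_rules(region, fqdn) if proto == "tcp"}

if __name__ == "__main__":
    for (host, port), ok in check_published("east", "contoso.example").items():
        print("open   " if ok else "BLOCKED", host, port)
```

Run it from a host on the external network that should be allowed in; a BLOCKED line for an endpoint in the table points at a missing DNS record, firewall rule, or ACL entry rather than at Azure Stack itself.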

Ports and URLs (outbound)

Azure Stack supports only transparent proxy servers. In a deployment with a transparent proxy uplink to a traditional proxy server, you must allow the ports and URLs in the following table for outbound communication.

Azure Stack does not support using ExpressRoute to reach the Azure services listed in the following table, because ExpressRoute may not be able to route traffic to all of the endpoints.

Purpose | Destination URL | Protocol | Ports | Source Network
Identity | Azure China 21Vianet | | | Public VIP - /27, Public infrastructure network
Marketplace syndication | Azure China 21Vianet | HTTPS | 443 | Public VIP - /27
Patch & Update | https://*.azureedge.net | HTTPS | 443 | Public VIP - /27
Registration | Azure China 21Vianet | HTTPS | 443 | Public VIP - /27
Usage | Azure China 21Vianet | HTTPS | 443 | Public VIP - /27
Windows Defender | * | | | Public VIP - /27, Public infrastructure network
NTP | (IP of NTP server provided for deployment) | UDP | 123 | Public VIP - /27
DNS | (IP of DNS server provided for deployment) | TCP | 53 | Public VIP - /27
CRL | (URL under CRL Distribution Points on your certificate) | HTTP | 80 | Public VIP - /27
LDAP | Active Directory forest provided for Graph integration | TCP | 389 | Public VIP - /27
LDAP SSL | Active Directory forest provided for Graph integration | TCP | 636 | Public VIP - /27
LDAP GC | Active Directory forest provided for Graph integration | TCP | 3268 | Public VIP - /27
LDAP GC SSL | Active Directory forest provided for Graph integration | TCP | 3269 | Public VIP - /27
AD FS | AD FS metadata endpoint provided for AD FS integration | TCP | 443 | Public VIP - /27
Diagnostic Log collection service | Azure Storage provided Blob SAS URL | HTTPS | 443 | Public VIP - /27

Outbound URLs are load balanced using Azure Traffic Manager to provide the best possible connectivity based on geographical location. With load balanced URLs, Azure can update and change backend endpoints without impacting customers. Azure does not share the list of IP addresses for the load balanced URLs. You should use a device that supports filtering by URL rather than by IP.

Outbound DNS is required at all times; what varies is the source querying the external DNS and which kind of identity integration was chosen. During deployment for a connected scenario, the DVM that sits on the BMC network needs outbound access. After deployment, the DNS service moves to an internal component that sends queries through a Public VIP. At that point, the outbound DNS access through the BMC network can be removed, but the Public VIP access to that DNS server must remain, or authentication will fail.

Next steps

Azure Stack PKI requirements