Configure or disable remote access to compute nodes in an Azure Batch pool

By default, Batch allows a node user with network connectivity to connect externally to a compute node in a Batch pool. For example, a user can connect by Remote Desktop (RDP) on port 3389 to a compute node in a Windows pool. Similarly, by default, a user can connect by Secure Shell (SSH) on port 22 to a compute node in a Linux pool.

In your environment, you might need to restrict or disable these default external access settings. You can modify these settings by using the Batch APIs to set the PoolEndpointConfiguration property on the pool's network configuration.

About the pool endpoint configuration

The endpoint configuration consists of one or more network address translation (NAT) pools of frontend ports. (Do not confuse a NAT pool with the Batch pool of compute nodes.) You set up each NAT pool to override the default connection settings on the pool's compute nodes: each NAT pool maps a backend port on the node (for example 3389 or 22) to a range of frontend ports.

Each NAT pool configuration includes one or more network security group (NSG) rules. Each NSG rule allows or denies certain network traffic to the endpoint. You can choose to allow or deny all traffic, traffic identified by a service tag (such as "Internet"), or traffic from specific IP addresses or subnets.

Considerations

  • The pool endpoint configuration is part of the pool's network configuration. The network configuration can optionally include settings to join the pool to an Azure virtual network. If you set up the pool in a virtual network, you can create NSG rules that use address settings in the virtual network.
  • You can configure multiple NSG rules when you configure a NAT pool. The rules are checked in order of priority, lowest number first. Once a rule matches, no further rules are tested, so an allow rule followed by a catch-all deny rule is the pattern for restricting access to a specific source.

Example: Deny all RDP traffic

The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to deny all network traffic. The endpoint uses a frontend pool of ports in the range 60000 - 60099.

// Requires the Microsoft.Azure.Batch NuGet package. pool is a CloudPool obtained from
// batchClient.PoolOperations.CreatePool(...); call pool.Commit() after setting this.
using Microsoft.Azure.Batch;
using Microsoft.Azure.Batch.Common;

pool.NetworkConfiguration = new NetworkConfiguration
{
    EndpointConfiguration = new PoolEndpointConfiguration(new InboundNatPool[]
    {
        // Backend port 3389 (RDP) is exposed on frontend ports 60000-60099.
        new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 60000, 60099, new NetworkSecurityGroupRule[]
        {
            // Priority 162, Deny, source "*": no source can reach the endpoint.
            new NetworkSecurityGroupRule(162, NetworkSecurityGroupRuleAccess.Deny, "*"),
        })
    })
};

Example: Deny all SSH traffic from the internet

The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to deny all traffic that matches the "Internet" service tag. The endpoint uses a frontend pool of ports in the range 4000 - 4100.

# Requires the azure-batch package. pool is a batchmodels.PoolAddParameter that
# has not yet been submitted with batch_client.pool.add(pool).
import azure.batch.models as batchmodels

pool.network_configuration = batchmodels.NetworkConfiguration(
    endpoint_configuration=batchmodels.PoolEndpointConfiguration(
        inbound_nat_pools=[batchmodels.InboundNATPool(
            name='SSH',
            protocol='tcp',
            backend_port=22,                  # SSH on the node
            frontend_port_range_start=4000,   # exposed on frontend ports 4000-4100
            frontend_port_range_end=4100,
            network_security_group_rules=[
                # Priority 170, deny, source "Internet": traffic matching the
                # Internet service tag is dropped; no rule is defined for other sources.
                batchmodels.NetworkSecurityGroupRule(
                    priority=170,
                    access=batchmodels.NetworkSecurityGroupRuleAccess.deny,
                    source_address_prefix='Internet'
                )
            ]
        )]
    )
)

Example: Allow RDP traffic from a specific IP address

The following C# snippet shows how to configure the RDP endpoint on compute nodes in a Windows pool to allow RDP access only from IP address 198.51.100.7. The endpoint uses a frontend pool of ports in the range 7500 - 8000. Because rules are evaluated in priority order and the first match wins, the allow rule at priority 179 is tested first; the second NSG rule, at priority 180, denies all traffic that did not match the IP address.

// Requires the Microsoft.Azure.Batch NuGet package. pool is a CloudPool obtained from
// batchClient.PoolOperations.CreatePool(...); call pool.Commit() after setting this.
using Microsoft.Azure.Batch;
using Microsoft.Azure.Batch.Common;

pool.NetworkConfiguration = new NetworkConfiguration
{
    EndpointConfiguration = new PoolEndpointConfiguration(new InboundNatPool[]
    {
        // Backend port 3389 (RDP) is exposed on frontend ports 7500-8000.
        new InboundNatPool("RDP", InboundEndpointProtocol.Tcp, 3389, 7500, 8000, new NetworkSecurityGroupRule[]
        {
            // Priority 179: allow the single management host.
            new NetworkSecurityGroupRule(179, NetworkSecurityGroupRuleAccess.Allow, "198.51.100.7"),
            // Priority 180: catch-all deny for every other source.
            new NetworkSecurityGroupRule(180, NetworkSecurityGroupRuleAccess.Deny, "*")
        })
    })
};

Example: Allow SSH traffic from a specific subnet

The following Python snippet shows how to configure the SSH endpoint on compute nodes in a Linux pool to allow access only from the subnet 192.168.1.0/24. The endpoint uses a frontend pool of ports in the range 4000 - 4100. The allow rule at priority 170 is tested first; the second NSG rule, at priority 175, denies all traffic that did not match the subnet.

# Requires the azure-batch package. pool is a batchmodels.PoolAddParameter that
# has not yet been submitted with batch_client.pool.add(pool).
import azure.batch.models as batchmodels

pool.network_configuration = batchmodels.NetworkConfiguration(
    endpoint_configuration=batchmodels.PoolEndpointConfiguration(
        inbound_nat_pools=[batchmodels.InboundNATPool(
            name='SSH',
            protocol='tcp',
            backend_port=22,                  # SSH on the node
            frontend_port_range_start=4000,   # exposed on frontend ports 4000-4100
            frontend_port_range_end=4100,
            network_security_group_rules=[
                # Priority 170: allow the management subnet.
                batchmodels.NetworkSecurityGroupRule(
                    priority=170,
                    access='allow',
                    source_address_prefix='192.168.1.0/24'
                ),
                # Priority 175: catch-all deny for every other source.
                batchmodels.NetworkSecurityGroupRule(
                    priority=175,
                    access='deny',
                    source_address_prefix='*'
                )
            ]
        )]
    )
)
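The four examples above all rely on the rule-ordering behaviour listed under Considerations: rules are tested lowest priority number first, and the first match decides. The following is an added example, not code from the Azure Batch documentation or SDK: a small offline checker that applies that first-match evaluation to a proposed rule set and lints it for the mistakes that matter in practice (duplicate priorities, an allow rule for "*" or "Internet", rules shadowed by an earlier catch-all, and a missing terminal deny). It never calls Azure; the rule sets are constructed from this page's examples. The priority range 150-4096 is taken from the Batch REST API reference and should be verified against the API version you target, and the "Internet" service tag is modelled as any IPv4 address outside RFC 1918 and loopback space, a simplification of Azure's maintained prefix list. The default used when no rule matches is likewise an assumption, which is exactly why the linter insists on an explicit catch-all.

```python
"""Added example (not from the Azure Batch docs or SDK): an offline checker that
applies first-match, priority-ordered NSG rule evaluation to a pool endpoint
configuration before the pool is created. Nothing here calls Azure."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: allowed priority range per the Batch REST API reference; verify
# against the API version you target.
PRIORITY_MIN, PRIORITY_MAX = 150, 4096

# Assumption: the "Internet" service tag is modelled as any IPv4 address outside
# RFC 1918 and loopback space. Azure's real tag is a maintained prefix list.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NsgRule:
    priority: int
    access: str   # "allow" or "deny"
    source: str   # "*", a service tag such as "Internet", a single IP, or a CIDR


def _matches(source: str, ip) -> bool:
    """True if the rule's sourceAddressPrefix covers this source IP."""
    if source == "*":
        return True
    if source.lower() == "internet":
        return not ip.is_loopback and not any(ip in net for net in _RFC1918)
    return ip in ipaddress.ip_network(source, strict=False)


def evaluate(rules: List[NsgRule], source_ip: str,
             default_access: str = "allow") -> Tuple[str, Optional[NsgRule]]:
    """First-match evaluation in priority order. Returns (access, matched rule).

    default_access is used when no rule matches. The page does not state what
    Batch does in that case, so treat this value as an assumption and add an
    explicit catch-all rule instead of relying on it (see lint()).
    """
    ip = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.source, ip):
            return rule.access, rule
    return default_access, None


def lint(rules: List[NsgRule]) -> List[str]:
    """Findings a reviewer would raise before committing the pool."""
    findings = []
    priorities = [r.priority for r in rules]
    if len(set(priorities)) != len(priorities):
        findings.append("duplicate priorities: Batch requires unique priorities within a pool")
    for r in rules:
        if not PRIORITY_MIN <= r.priority <= PRIORITY_MAX:
            findings.append(f"priority {r.priority} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if r.access not in ("allow", "deny"):
            findings.append(f"priority {r.priority}: access must be allow or deny")
        if r.access == "allow" and r.source in ("*", "Internet"):
            findings.append(f"priority {r.priority} allows {r.source}: endpoint is open to the internet")
    ordered = sorted(rules, key=lambda r: r.priority)
    for i, r in enumerate(ordered):
        if r.source == "*" and i < len(ordered) - 1:
            findings.append(f"rules after priority {r.priority} ('*') are unreachable: first match wins")
            break
    if not ordered or ordered[-1].source != "*" or ordered[-1].access != "deny":
        findings.append("no terminal deny '*' rule: unmatched sources fall through to the platform default")
    return findings


# Constructed from the four examples on this page.
DENY_ALL_RDP = [NsgRule(162, "deny", "*")]
DENY_INTERNET_SSH = [NsgRule(170, "deny", "Internet")]
RDP_ONE_HOST = [NsgRule(179, "allow", "198.51.100.7"), NsgRule(180, "deny", "*")]
SSH_ONE_SUBNET = [NsgRule(170, "allow", "192.168.1.0/24"), NsgRule(175, "deny", "*")]

if __name__ == "__main__":
    for name, rules, probe in (("deny all RDP", DENY_ALL_RDP, "198.51.100.7"),
                               ("deny Internet SSH", DENY_INTERNET_SSH, "10.0.0.4"),
                               ("RDP one host", RDP_ONE_HOST, "198.51.100.8"),
                               ("SSH one subnet", SSH_ONE_SUBNET, "192.168.1.77")):
        access, rule = evaluate(rules, probe)
        print(f"{name}: {probe} -> {access} (rule {rule.priority if rule else 'none'}); lint: {lint(rules)}")
```

Run it against the rule list you are about to put into a NAT pool before calling pool.Commit() or batch_client.pool.add(). The "deny Internet" example deliberately produces a fall-through finding: it blocks the Internet tag but defines no rule for other sources, which is fine only if you have decided what should happen to traffic from the virtual network.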

Next steps