Configure Azure Cognitive Services virtual networks

Azure Cognitive Services provides a layered security model. This model enables you to secure your Cognitive Services accounts to a specific subset of networks. When network rules are configured, only applications requesting data over the specified set of networks can access the account. You can limit access to your resources with request filtering, allowing only requests that originate from specified IP addresses, IP ranges, or from a list of subnets in Azure Virtual Networks.

An application that accesses a Cognitive Services resource while network rules are in effect still requires authorization. Authorization is supported with Azure Active Directory (Azure AD) credentials or with a valid API key.

Important

Turning on firewall rules for your Cognitive Services account blocks incoming requests for data by default. For a request to be allowed through, one of the following conditions must be met:

  • The request originates from a service running within an Azure Virtual Network (VNet) on the allowed subnet list of the target Cognitive Services account. The endpoint in requests originating from the VNet must be set to the custom subdomain of your Cognitive Services account.
  • Or the request originates from an allowed list of IP addresses.

Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Scenarios

To secure your Cognitive Services resource, you should first configure a rule to deny access to traffic from all networks (including internet traffic) by default. Then, you should configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients.

Network rules are enforced on all network protocols to Azure Cognitive Services, including REST and WebSocket. To access data using tools such as the Azure test consoles, explicit network rules must be configured. You can apply network rules to existing Cognitive Services resources, or when you create new Cognitive Services resources. Once network rules are applied, they're enforced for all requests.

Supported regions and service offerings

Virtual networks (VNETs) are supported in the regions where Cognitive Services are available. Cognitive Services supports service tags for network rule configuration. The services listed below are included in the CognitiveServicesManagement service tag.

  • Anomaly Detector
  • Computer Vision
  • Content Moderator
  • Custom Vision
  • Face
  • Form Recognizer
  • Language Understanding (LUIS)
  • Personalizer
  • Text Analytics
  • QnA Maker
  • Translator Text
  • Immersive Reader

Note

If you're using LUIS, the CognitiveServicesManagement tag only enables you to use the service through the SDK or REST API. To access and use the LUIS portal from a virtual network, you will need to use the following tags:

  • AzureResourceManager
  • CognitiveServicesManagement
  • AzureActiveDirectory
  • AzureFrontDoor.Frontend

Change the default network access rule

By default, Cognitive Services resources accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Warning

Making changes to network rules can affect your applications' ability to connect to Azure Cognitive Services. Setting the default network rule to Deny blocks all access to the data unless specific network rules that grant access are also applied. Be sure to grant access to every allowed network using network rules before you change the default rule to deny access. If you are allow-listing IP addresses for your on-premises network, be sure to add all possible outgoing public IP addresses of your on-premises network.

Managing default network access rules

You can manage the default network access rules for Cognitive Services resources through the Azure portal, PowerShell, or the Azure CLI.

  1. Go to the Cognitive Services resource you want to secure.

  2. Select the RESOURCE MANAGEMENT menu called Virtual network.

    Screenshot: Virtual network option

  3. To deny access by default, choose to allow access from Selected networks. With the Selected networks setting alone, unaccompanied by configured Virtual networks or Address ranges, all access is effectively denied. When all access is denied, requests attempting to consume the Cognitive Services resource aren't permitted. The Azure portal, Azure PowerShell, or Azure CLI can still be used to configure the Cognitive Services resource.

  4. To allow traffic from all networks, choose to allow access from All networks.

    Screenshot: Virtual network deny

  5. Select Save to apply your changes.
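The same lock-down done with the Az module instead of the portal, in the order the Warning above requires (grant access first, then set the default to Deny), and covering the custom-subdomain and service-endpoint prerequisites from the Scenarios section. This is an added example, not code from the article; it assumes the Az.CognitiveServices and Az.Network modules are installed and you are signed in, and every resource name and IP range below is a placeholder.

```powershell
# Added example: restrict a Cognitive Services account to one VNet subnet plus one
# public IP range. All names and the IP range are placeholders (not from the article).
$rg            = "myResourceGroup"      # placeholder
$account       = "myCognitiveAccount"   # placeholder
$vnetName      = "myVnet"               # placeholder
$subnetName    = "backendSubnet"        # placeholder
$officeIpRange = "203.0.113.0/24"       # placeholder (documentation range TEST-NET-3)

# 1. Callers inside the VNet must address the account by its custom subdomain,
#    so make sure one exists before any VNet rule is added.
$acct = Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $account
if (-not $acct.CustomSubDomainName) {
    Set-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $account `
        -CustomSubdomainName $account | Out-Null
}

# 2. The subnet needs the Microsoft.CognitiveServices service endpoint before the
#    account will accept a rule that references it. Existing endpoints are preserved.
$vn = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sn = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vn
if (@($sn.ServiceEndpoints.Service) -notcontains "Microsoft.CognitiveServices") {
    $endpoints = @($sn.ServiceEndpoints.Service) + "Microsoft.CognitiveServices"
    $vn | Set-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $sn.AddressPrefix `
        -ServiceEndpoint $endpoints | Set-AzVirtualNetwork | Out-Null
    $vn = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
    $sn = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vn
}

# 3. Grant access while the default action is still Allow, so nothing breaks in between.
Add-AzCognitiveServicesAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $sn.Id | Out-Null
Add-AzCognitiveServicesAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -IpAddressOrRange $officeIpRange | Out-Null

# 4. Only now deny everything that is not explicitly allowed.
Update-AzCognitiveServicesAccountNetworkRuleSet -ResourceGroupName $rg -Name $account `
    -DefaultAction Deny | Out-Null

# 5. Verify the effective rule set: DefaultAction must be Deny and both rules present.
Get-AzCognitiveServicesAccountNetworkRuleSet -ResourceGroupName $rg -Name $account |
    Select-Object DefaultAction,
        @{ n = "VNetRules"; e = { $_.VirtualNetworkRules.Id } },
        @{ n = "IpRules";   e = { $_.IpRules.IpAddress } }
```

Remember that with DefaultAction set to Deny, the Azure portal's test consoles and other Azure services are blocked too unless their addresses are added as rules, as the Important box above notes.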