Configure a single public IP address for outbound and inbound traffic to a container group

Setting up a container group with an external-facing IP address allows external clients to use that IP address to reach a container in the group. For example, a browser can access a web app running in a container. However, currently a container group uses a different IP address for outbound traffic. This egress IP address isn't exposed programmatically, which makes container group monitoring and the configuration of client firewall rules more complex.

This article provides steps to configure a container group in a virtual network integrated with Azure Firewall. By setting up a user-defined route to the container group and firewall rules, you can route and identify traffic to and from the container group. Container group ingress and egress then use the public IP address of the firewall. A single egress IP address can be shared by multiple container groups deployed in the virtual network's subnet delegated to Azure Container Instances.

In this article you use the Azure CLI to create the resources for this scenario:

  • Container groups deployed on a delegated subnet in the virtual network
  • An Azure firewall deployed in the network with a static public IP address
  • A user-defined route on the container groups' subnet
  • A NAT rule for firewall ingress and an application rule for egress

You then validate ingress and egress from example container groups through the firewall.

Deploy ACI in a virtual network

In a typical case, you might already have an Azure virtual network in which to deploy a container group. For demonstration purposes, the following commands create a virtual network and subnet when the container group is created. The subnet is delegated to Azure Container Instances.

The container group runs a small web app from the aci-helloworld image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page.

If you need one, first create an Azure resource group with the az group create command. For example:

az group create --name myResourceGroup --location chinaeast2

To simplify the following command examples, use an environment variable for the resource group's name:

export RESOURCE_GROUP_NAME=myResourceGroup

Create the container group with the az container create command:

az container create \
  --name appcontainer \
  --resource-group $RESOURCE_GROUP_NAME \
  --image mcr.microsoft.com/azuredocs/aci-helloworld \
  --vnet aci-vnet \
  --vnet-address-prefix 10.0.0.0/16 \
  --subnet aci-subnet \
  --subnet-address-prefix 10.0.0.0/24

Tip

Adjust the value of --subnet-address-prefix for the IP address space you need in your subnet. The smallest supported subnet is /29, which provides eight IP addresses. Some IP addresses in each subnet are reserved for use by Azure, so fewer than eight are available to container groups.

For use in a later step, get the private IP address of the container group by running the az container show command:

ACI_PRIVATE_IP="$(az container show --name appcontainer \
  --resource-group $RESOURCE_GROUP_NAME \
  --query ipAddress.ip --output tsv)"

Deploy Azure Firewall in the network

In the following sections, use the Azure CLI to deploy an Azure firewall in the virtual network. For background, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.

First, use az network vnet subnet create to add a subnet named AzureFirewallSubnet for the firewall. AzureFirewallSubnet is the required name for this subnet.

az network vnet subnet create \
  --name AzureFirewallSubnet \
  --resource-group $RESOURCE_GROUP_NAME \
  --vnet-name aci-vnet   \
  --address-prefix 10.0.1.0/26

Use the following Azure CLI commands to create a firewall in the subnet.

If it isn't already installed, add the firewall extension to the Azure CLI with the az extension add command:

az extension add --name azure-firewall

Create the firewall resources:

az network firewall create \
  --name myFirewall \
  --resource-group $RESOURCE_GROUP_NAME \
  --location chinaeast2

az network public-ip create \
  --name fw-pip \
  --resource-group $RESOURCE_GROUP_NAME \
  --location chinaeast2 \
  --allocation-method static \
  --sku standard

az network firewall ip-config create \
  --firewall-name myFirewall \
  --name FW-config \
  --public-ip-address fw-pip \
  --resource-group $RESOURCE_GROUP_NAME \
  --vnet-name aci-vnet

Update the firewall configuration using the az network firewall update command:

az network firewall update \
  --name myFirewall \
  --resource-group $RESOURCE_GROUP_NAME

Get the firewall's private IP address using the az network firewall ip-config list command. This private IP address is used as the next hop of the user-defined route in a later step.

FW_PRIVATE_IP="$(az network firewall ip-config list \
  --resource-group $RESOURCE_GROUP_NAME \
  --firewall-name myFirewall \
  --query "[].privateIpAddress" --output tsv)"

Get the firewall's public IP address using the az network public-ip show command. This public IP address is used in a later command.

FW_PUBLIC_IP="$(az network public-ip show \
  --name fw-pip \
  --resource-group $RESOURCE_GROUP_NAME \
  --query ipAddress --output tsv)"
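Before the route and the NAT rule are pointed at these addresses, it is worth confirming that they sit where the design expects: the DNAT target must be inside the subnet delegated to Azure Container Instances, the route's next hop must be inside AzureFirewallSubnet, and the two subnets must not overlap. The script below is an added example, not part of the original article or of the Azure CLI; it is pure POSIX shell with no az calls, and it assumes the subnet prefixes used in this article (10.0.0.0/24 and 10.0.1.0/26). The addresses in the final line are constructed values so that the script runs stand-alone; in practice pass $ACI_PRIVATE_IP and $FW_PRIVATE_IP.

```shell
#!/bin/sh
# Added example: sanity-check the addresses gathered above before creating
# the user-defined route and the DNAT rule. No az calls; pure shell.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  IFS=. read -r _a _b _c _d <<EOF
$1
EOF
  echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# in_cidr IP CIDR: succeed when IP lies inside CIDR.
in_cidr() {
  _net=${2%/*}
  _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "$_net") & _mask )) ]
}

# check_layout ACI_IP FW_IP ACI_SUBNET FW_SUBNET
# Confirms the DNAT target is in the delegated subnet, the route's next hop
# is in AzureFirewallSubnet, and the two subnets do not overlap. Two CIDRs
# overlap exactly when one network address lies inside the other.
check_layout() {
  _aci_ip=$1; _fw_ip=$2; _aci_subnet=$3; _fw_subnet=$4
  if ! in_cidr "$_aci_ip" "$_aci_subnet"; then
    echo "ACI private IP $_aci_ip is not in $_aci_subnet" >&2
    return 1
  fi
  if ! in_cidr "$_fw_ip" "$_fw_subnet"; then
    echo "firewall private IP $_fw_ip is not in $_fw_subnet" >&2
    return 1
  fi
  if in_cidr "${_aci_subnet%/*}" "$_fw_subnet" || in_cidr "${_fw_subnet%/*}" "$_aci_subnet"; then
    echo "subnets $_aci_subnet and $_fw_subnet overlap" >&2
    return 1
  fi
  echo "layout OK: DNAT target $_aci_ip, route next hop $_fw_ip"
}

# With the variables collected earlier in this article:
#   check_layout "$ACI_PRIVATE_IP" "$FW_PRIVATE_IP" 10.0.0.0/24 10.0.1.0/26
# Constructed values (not real output) so the script also runs stand-alone:
check_layout 10.0.0.4 10.0.1.4 10.0.0.0/24 10.0.1.0/26
```

If the check fails on the ACI address, the container group was not created in aci-subnet; if it fails on the firewall address, the ip-config was not placed in AzureFirewallSubnet. Either way, stop before creating the route, since a route whose next hop is outside the virtual network silently blackholes all egress from the subnet.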

Define a user-defined route on the ACI subnet

Define a user-defined route on the ACI subnet to divert traffic to the Azure firewall. For more information, see Route network traffic.

Create route table

First, run the following az network route-table create command to create the route table. Create the route table in the same region as the virtual network.

az network route-table create \
  --name Firewall-rt-table \
  --resource-group $RESOURCE_GROUP_NAME \
  --location chinaeast2 \
  --disable-bgp-route-propagation true

Create route

Run az network route-table route create to create a route in the route table. To route traffic to the firewall, set the next hop type to VirtualAppliance, and pass the firewall's private IP address as the next hop address.

az network route-table route create \
  --resource-group $RESOURCE_GROUP_NAME \
  --name DG-Route \
  --route-table-name Firewall-rt-table \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address $FW_PRIVATE_IP

Associate the route table with the ACI subnet

Run the az network vnet subnet update command to associate the route table with the subnet delegated to Azure Container Instances.

az network vnet subnet update \
  --name aci-subnet \
  --resource-group $RESOURCE_GROUP_NAME \
  --vnet-name aci-vnet \
  --address-prefixes 10.0.0.0/24 \
  --route-table Firewall-rt-table

Configure rules on the firewall

By default, Azure Firewall denies (blocks) inbound and outbound traffic.

Configure a NAT rule on the firewall to the ACI subnet

Create a NAT rule on the firewall to translate and filter inbound internet traffic to the application container you started previously in the network. For details, see Filter inbound Internet traffic with Azure Firewall DNAT.

Create a NAT rule and collection by using the az network firewall nat-rule create command:

az network firewall nat-rule create \
  --firewall-name myFirewall \
  --collection-name myNATCollection \
  --action dnat \
  --name myRule \
  --protocols TCP \
  --source-addresses '*' \
  --destination-addresses $FW_PUBLIC_IP \
  --destination-ports 80 \
  --resource-group $RESOURCE_GROUP_NAME \
  --translated-address $ACI_PRIVATE_IP \
  --translated-port 80 \
  --priority 200

Add NAT rules as needed to filter traffic to other IP addresses in the subnet. For example, other container groups in the subnet could expose IP addresses for inbound traffic, or a different internal IP address could be assigned to the container group after a restart, in which case the rule's translated address must be updated to match.

Create an outbound application rule on the firewall

Run the following az network firewall application-rule create command to create an outbound rule on the firewall. This sample rule allows access from the subnet delegated to Azure Container Instances to the FQDN checkip.dyndns.org. HTTP access to that site is used in a later step to confirm the egress IP address from Azure Container Instances.

az network firewall application-rule create \
  --collection-name myAppCollection \
  --firewall-name myFirewall \
  --name Allow-CheckIP \
  --protocols Http=80 Https=443 \
  --resource-group $RESOURCE_GROUP_NAME \
  --target-fqdns checkip.dyndns.org \
  --source-addresses 10.0.0.0/24 \
  --priority 200 \
  --action Allow

Test container group access through the firewall

The following sections verify that the subnet delegated to Azure Container Instances is properly configured behind the Azure firewall. The previous steps routed both incoming traffic to the subnet and outgoing traffic from the subnet through the firewall.

Test ingress to a container group

Test inbound access to the appcontainer running in the virtual network by browsing to the firewall's public IP address. Previously, you stored the public IP address in the variable $FW_PUBLIC_IP:

echo $FW_PUBLIC_IP

Output is similar to:

52.142.18.133

If the NAT rule on the firewall is configured properly, you see the following when you enter the firewall's public IP address in your browser:

(Screenshot: browsing to the firewall's public IP address)

Test egress from a container group

Deploy the following sample container into the virtual network. When it runs, it sends a single HTTP request to http://checkip.dyndns.org, which displays the IP address of the sender (the egress IP address). If the application rule on the firewall is configured properly, the firewall's public IP address is returned.

az container create \
  --resource-group $RESOURCE_GROUP_NAME \
  --name testegress \
  --image mcr.microsoft.com/azuredocs/aci-tutorial-sidecar \
  --command-line "curl -s http://checkip.dyndns.org" \
  --restart-policy OnFailure \
  --vnet aci-vnet \
  --subnet aci-subnet

View the container logs to confirm the IP address is the same as the public IP address of the firewall.

az container logs \
  --resource-group $RESOURCE_GROUP_NAME \
  --name testegress

Output is similar to:

<html><head><title>Current IP Check</title></head><body>Current IP Address: 52.142.18.133</body></html>
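Reading the address out of the HTML by eye works once; for a repeatable check it helps to script the comparison and to distinguish the two ways the test can fail. The script below is an added example, not part of the original article or of the Azure CLI. It assumes the response body format shown above; the sample log at the end is constructed, not captured from a real run, so that the script runs stand-alone. In practice feed it the output of az container logs and $FW_PUBLIC_IP, as shown in the comment.

```shell
#!/bin/sh
# Added example: verify the egress test result programmatically.
set -eu

# Pull the first dotted-quad IPv4 address out of the checkip.dyndns.org body.
extract_ip() {
  printf '%s\n' "$1" | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# verify_egress LOGS EXPECTED_IP
# Returns 0 when the container reached checkip.dyndns.org and reported
# EXPECTED_IP; 1 when an address was reported but it is not the firewall's
# (traffic left by another path: check that Firewall-rt-table is associated
# with aci-subnet and that the route's next hop is $FW_PRIVATE_IP); 2 when
# no address appears at all (the request was denied or never completed:
# check the application rule for checkip.dyndns.org).
verify_egress() {
  observed=$(extract_ip "$1" || true)
  if [ -z "$observed" ]; then
    echo "no IP address in container output; egress appears blocked" >&2
    return 2
  fi
  if [ "$observed" != "$2" ]; then
    echo "egress IP $observed differs from firewall public IP $2" >&2
    return 1
  fi
  echo "egress via firewall confirmed: $observed"
}

# Real usage, with the variables from the earlier steps:
#   verify_egress "$(az container logs --resource-group "$RESOURCE_GROUP_NAME" --name testegress)" "$FW_PUBLIC_IP"

# Constructed sample output (not captured from a real run) so this file runs stand-alone:
SAMPLE_LOG='<html><head><title>Current IP Check</title></head><body>Current IP Address: 52.142.18.133</body></html>'
verify_egress "$SAMPLE_LOG" 52.142.18.133
```

A mismatch (exit status 1) means the container group reached the internet without passing through the firewall, which is the condition this whole configuration exists to prevent, so treat it as a misconfigured route rather than as a cosmetic difference.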

Next steps

In this article, you set up container groups in a virtual network behind an Azure firewall. You configured a user-defined route, and NAT and application rules on the firewall. With this configuration, you set up a single, static IP address for ingress and egress from Azure Container Instances.

For more information about managing traffic and protecting Azure resources, see the Azure Firewall documentation.