Configure IP firewall rules for an Azure Event Hubs namespace

By default, Event Hubs namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can restrict access further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation.

This feature is helpful in scenarios in which Azure Event Hubs should be accessible only from certain well-known sites. Firewall rules enable you to configure rules that accept traffic originating from specific IPv4 addresses. For example, if you use Event Hubs with Azure ExpressRoute, you can create a firewall rule to allow traffic only from your on-premises infrastructure IP addresses.

Warning

Enabling IP filtering can prevent other Azure services from interacting with Event Hubs.

Trusted Microsoft services are not supported when Virtual Networks are implemented.

Common Azure scenarios that don't work with Virtual Networks (note that the list is NOT exhaustive):

  • Azure Monitor (diagnostic setting)
  • Azure Stream Analytics
  • Integration with Azure Event Grid
  • Azure IoT Hub Routes
  • Azure IoT Device Explorer

The following Microsoft services are required to be on a virtual network:

  • Azure Web Apps
  • Azure Functions

IP firewall rules

IP firewall rules are applied at the Event Hubs namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that does not match an allowed IP rule on the Event Hubs namespace is rejected as unauthorized. The response does not mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

Use Azure portal

This section shows you how to use the Azure portal to create IP firewall rules for an Event Hubs namespace.

  1. Navigate to your Event Hubs namespace in the Azure portal.

  2. On the left menu, select the Networking option. If you select the All networks option, the event hub accepts connections from any IP address. This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

    [Screenshot: Firewall - All networks option selected]

  3. To restrict access to specific networks and IP addresses, select the Selected networks option. In the Firewall section, follow these steps:

    1. Select the Add your client IP address option to give your current client IP access to the namespace.

    2. For Address range, enter a specific IPv4 address or a range of IPv4 addresses in CIDR notation.

    3. Specify whether you want to allow trusted Microsoft services to bypass this firewall.

      Warning

      If you choose the Selected networks option and don't specify an IP address or address range, the service will allow traffic from all networks.

      [Screenshot: Firewall - All networks option selected]

  4. Select Save on the toolbar to save the settings. Wait a few minutes for the confirmation to show up in the portal notifications.

Use Resource Manager template

Important

Firewall rules are supported in the standard and dedicated tiers of Event Hubs. They are not supported in the basic tier.

The following Resource Manager template adds an IP filter rule to an existing Event Hubs namespace.

Template parameters:

  • ipMask is a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 70.37.104.0/24 represents the 256 IPv4 addresses from 70.37.104.0 to 70.37.104.255, with 24 indicating the number of significant prefix bits for the range.

Note

While there are no deny rules possible, the Azure Resource Manager template has the default action set to "Allow", which doesn't restrict connections. When making Virtual Network or firewall rules, you must change the "defaultAction"

from

"defaultAction": "Allow"

to

"defaultAction": "Deny"
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "eventhubNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Event Hubs namespace"
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for Namespace"
      }
    }
  },
  "variables": {
    "namespaceNetworkRuleSetName": "[concat(parameters('eventhubNamespaceName'), concat('/', 'default'))]"
  },
  "resources": [
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[parameters('eventhubNamespaceName')]",
      "type": "Microsoft.EventHub/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard",
        "tier": "Standard"
      },
      "properties": { }
    },
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[variables('namespaceNetworkRuleSetName')]",
      "type": "Microsoft.EventHub/namespaces/networkruleset",
      "dependsOn": [
        "[concat('Microsoft.EventHub/namespaces/', parameters('eventhubNamespaceName'))]"
      ],
      "properties": {
        "virtualNetworkRules": [<YOUR EXISTING VIRTUAL NETWORK RULES>],
        "ipRules": [
          {
            "ipMask": "10.1.1.1",
            "action": "Allow"
          },
          {
            "ipMask": "11.0.0.0/24",
            "action": "Allow"
          }
        ],
        "trustedServiceAccessEnabled": false,
        "defaultAction": "Deny"
      }
    }
  ],
  "outputs": { }
}

To deploy the template, follow the instructions for Azure Resource Manager.
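To make the rule semantics described under "IP firewall rules" and the defaultAction note concrete, here is an added example (not from the original page or from Azure) that replays the networkruleset "properties" of the template above against sample client addresses: first matching ipMask wins, otherwise defaultAction applies. The audit helper flags the two misconfigurations this page warns about (defaultAction left at "Allow", or a rule set with no rules at all). The ruleset JSON is a constructed sample copied from the template.

```python
import ipaddress
import json

# Constructed sample: the "properties" object of the networkruleset resource
# in the template above, with defaultAction already switched to Deny.
NETWORK_RULESET_JSON = """
{
  "ipRules": [
    {"ipMask": "10.1.1.1", "action": "Allow"},
    {"ipMask": "11.0.0.0/24", "action": "Allow"}
  ],
  "trustedServiceAccessEnabled": false,
  "defaultAction": "Deny"
}
"""


def load_sample_ruleset() -> dict:
    """Parse the constructed sample ruleset into a dict."""
    return json.loads(NETWORK_RULESET_JSON)


def evaluate_client_ip(ruleset: dict, client_ip: str) -> str:
    """Decide 'Allow' or 'Deny' the way the namespace-level IP firewall does:
    rules are checked in order and the first ipMask containing the client
    address determines the action; if none matches, defaultAction applies.
    A missing defaultAction is treated as "Allow", the ARM template default."""
    addr = ipaddress.ip_address(client_ip)
    for rule in ruleset.get("ipRules", []):
        # ipMask is a single IPv4 address or a CIDR block; strict=False
        # tolerates host bits set in the mask (e.g. 70.37.104.5/24).
        if addr in ipaddress.ip_network(rule["ipMask"], strict=False):
            return rule["action"]
    return ruleset.get("defaultAction", "Allow")


def audit_ruleset(ruleset: dict) -> list:
    """Flag rule sets that leave the namespace open to all networks."""
    findings = []
    if ruleset.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: unmatched IPs are accepted")
    if not ruleset.get("ipRules") and not ruleset.get("virtualNetworkRules"):
        findings.append("no ipRules or virtualNetworkRules: no source is restricted")
    return findings


if __name__ == "__main__":
    rs = load_sample_ruleset()
    for ip in ("10.1.1.1", "11.0.0.77", "11.0.1.1"):
        print(ip, evaluate_client_ip(rs, ip))
    print(audit_ruleset(rs))
```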