Allow access to Azure Event Hubs namespaces from specific IP addresses or ranges

By default, Event Hubs namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can restrict access further to a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation. The firewall is an additional network-layer control; a client that passes the IP check still needs a valid credential.

This feature is helpful in scenarios in which Azure Event Hubs should only be accessible from certain well-known sites. Firewall rules let you accept traffic originating from specific IPv4 addresses. For example, if you use Event Hubs with Azure Express Route, you can create a firewall rule that allows traffic only from your on-premises infrastructure IP addresses.

Important

Turning on firewall rules for your Event Hubs namespace blocks incoming requests by default unless they originate from a service operating from an allowed public IP address. Blocked requests include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

Here are some of the services that can't access Event Hubs resources when IP filtering is enabled. Note that the list is NOT exhaustive.

  • Azure Stream Analytics
  • Azure IoT Hub Routes
  • Azure IoT Device Explorer
  • Azure Event Grid
  • Azure Monitor (Diagnostic Settings)

As an exception, you can allow access to Event Hubs resources from certain trusted services even when IP filtering is enabled. For the list of trusted services, see Trusted Microsoft services.

IP firewall rules

IP firewall rules are applied at the Event Hubs namespace level, so they apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that doesn't match an allowed IP rule on the Event Hubs namespace is rejected as unauthorized. The response doesn't mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action; because only Allow rules can be defined, an address that matches no rule falls through to the rule set's default action.

Use Azure portal

This section shows you how to use the Azure portal to create IP firewall rules for an Event Hubs namespace.

  1. Navigate to your Event Hubs namespace in the Azure portal.

  2. Select Networking under Settings on the left menu. The Networking tab is shown only for standard or dedicated namespaces.

    Note

    By default, the Selected networks option is selected, as shown in the following image. If you don't specify an IP firewall rule or add a virtual network on this page, the namespace can be accessed over the public internet (using the access key).

    Networking tab - Selected networks option

    If you select the All networks option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

    Firewall - All networks option selected

  3. To restrict access to specific IP addresses, confirm that the Selected networks option is selected. In the Firewall section, follow these steps:

    1. Select the Add your client IP address option to give your current client IP access to the namespace.
    2. For Address range, enter a specific IPv4 address or a range of IPv4 addresses in CIDR notation.
  4. Specify whether you want to allow trusted Microsoft services to bypass this firewall. See Trusted Microsoft services for details.

    Firewall - All networks option selected

  5. Select Save on the toolbar to save the settings. Wait a few minutes for the confirmation to show up in the portal notifications.

Trusted Microsoft services

When you enable the Allow trusted Microsoft services to bypass this firewall setting, the following services are granted access to your Event Hubs resources. This setting corresponds to the trustedServiceAccessEnabled property of the namespace network rule set in the Resource Manager template.

Trusted service                      Supported usage scenarios
Azure Event Grid                     Allows Azure Event Grid to send events to event hubs in your Event Hubs namespace.
Azure Monitor (Diagnostic Settings)  Allows Azure Monitor to send diagnostic information to event hubs in your Event Hubs namespace.

Use Resource Manager template

Important

Firewall rules are supported in the standard and dedicated tiers of Event Hubs. They aren't supported in the basic tier.

The following Resource Manager template adds IP filter rules to an existing Event Hubs namespace. The template also declares the namespace resource itself; in the default incremental deployment mode that declaration updates an existing namespace in place (or creates it if it doesn't exist), and the network rule set resource named "default" under it carries the IP rules.

Template parameters:

  • ipMask is a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 70.37.104.0/24 represents the 256 IPv4 addresses from 70.37.104.0 through 70.37.104.255, with 24 indicating the number of significant prefix bits for the range. A single address without a prefix length, such as 10.1.1.1, matches only that one host.

Note

While no deny rules are possible, a namespace's network rule set has its default action set to "Allow" unless you change it, and with "Allow" the IP rules don't restrict anything: clients that match no rule are still admitted. When you add virtual network or firewall rules in a template, you must change "defaultAction"

from

"defaultAction": "Allow"

to

"defaultAction": "Deny"

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "eventhubNamespaceName": {
        "type": "string",
        "metadata": {
          "description": "Name of the Event Hubs namespace"
        }
      },
      "location": {
        "type": "string",
        "metadata": {
          "description": "Location for Namespace"
        }
      }
    },
    "variables": {
      "namespaceNetworkRuleSetName": "[concat(parameters('eventhubNamespaceName'), concat('/', 'default'))]"
    },
    "resources": [
      {
        "apiVersion": "2018-01-01-preview",
        "name": "[parameters('eventhubNamespaceName')]",
        "type": "Microsoft.EventHub/namespaces",
        "location": "[parameters('location')]",
        "sku": {
          "name": "Standard",
          "tier": "Standard"
        },
        "properties": { }
      },
      {
        "apiVersion": "2018-01-01-preview",
        "name": "[variables('namespaceNetworkRuleSetName')]",
        "type": "Microsoft.EventHub/namespaces/networkruleset",
        "dependsOn": [
          "[concat('Microsoft.EventHub/namespaces/', parameters('eventhubNamespaceName'))]"
        ],
        "properties": {
          "virtualNetworkRules": [<YOUR EXISTING VIRTUAL NETWORK RULES>],
          "ipRules": 
          [
            {
                "ipMask":"10.1.1.1",
                "action":"Allow"
            },
            {
                "ipMask":"11.0.0.0/24",
                "action":"Allow"
            }
          ],
          "trustedServiceAccessEnabled": false,
          "defaultAction": "Deny"
        }
      }
    ],
    "outputs": { }
  }
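The following is an added example, not part of this page and not Azure's own code: an offline model of the rule set semantics described under "IP firewall rules" (rules walked in order, a bare ipMask is one host, an unmatched client falls through to defaultAction) together with a check for the pitfall in the note above (ipRules defined while defaultAction is still "Allow"). It takes the networkruleset properties from the template above as a constructed sample, with the virtualNetworkRules placeholder replaced by an empty list so the JSON parses. The audit_ruleset, is_allowed and parse_ip_mask names are this example's own. One behaviour is an assumption of the model rather than something the page states: an IPv6 client can never match an IPv4 rule, so it is treated like any other unmatched address.

```python
"""Offline model of an Event Hubs namespace network rule set (added example)."""
import ipaddress
import json

# Constructed sample: the networkruleset "properties" object from the template
# above, with the virtualNetworkRules placeholder replaced by an empty list so it
# parses as plain JSON.
SAMPLE_RULESET_JSON = """
{
  "virtualNetworkRules": [],
  "ipRules": [
    {"ipMask": "10.1.1.1",    "action": "Allow"},
    {"ipMask": "11.0.0.0/24", "action": "Allow"}
  ],
  "trustedServiceAccessEnabled": false,
  "defaultAction": "Deny"
}
"""


def load_ruleset(text: str) -> dict:
    """Parse the networkruleset properties exactly as a template would carry them."""
    return json.loads(text)


def parse_ip_mask(ip_mask: str) -> ipaddress.IPv4Network:
    """Turn an ipMask into an IPv4 network; a bare address such as 10.1.1.1 is a /32."""
    net = ipaddress.ip_network(ip_mask, strict=False)
    if net.version != 4:
        raise ValueError(f"ipMask {ip_mask!r} is not IPv4; the firewall accepts IPv4 only")
    return net


def audit_ruleset(props: dict) -> list:
    """Return findings for the mistakes this page warns about; empty means sane.

    The checks mirror the page: Allow is the only action, masks must be IPv4,
    0.0.0.0/0 is the same as All networks, and with defaultAction "Allow" the
    ipRules restrict nothing.
    """
    findings = []
    if props.get("defaultAction") != "Deny":
        findings.append('defaultAction is not "Deny": the ipRules do not restrict anything')
    for rule in props.get("ipRules", []):
        if rule.get("action") != "Allow":
            findings.append(f"rule {rule!r}: only the Allow action is supported")
        try:
            net = parse_ip_mask(rule["ipMask"])
        except (KeyError, ValueError) as exc:
            findings.append(f"rule {rule!r}: {exc}")
            continue
        if net.prefixlen == 0:
            findings.append(f"rule {rule!r}: 0.0.0.0/0 is equivalent to All networks")
    return findings


def is_allowed(props: dict, client_ip: str) -> bool:
    """Evaluate one client address the way the page describes the rule set.

    Rules are walked in order and the first match decides; an address that
    matches no rule falls through to defaultAction. Assumption of this model:
    an IPv6 client can never match an IPv4 rule, so it also falls through.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        for rule in props.get("ipRules", []):
            if addr in parse_ip_mask(rule["ipMask"]):
                return rule.get("action") == "Allow"
    return props.get("defaultAction", "Allow") == "Allow"


if __name__ == "__main__":
    ruleset = load_ruleset(SAMPLE_RULESET_JSON)
    print("findings:", audit_ruleset(ruleset) or "none")
    # Constructed client addresses: one per rule, one inside the /24, one outside.
    for ip in ("10.1.1.1", "10.1.1.2", "11.0.0.200", "203.0.113.5"):
        print(f"{ip:>12} -> {'allowed' if is_allowed(ruleset, ip) else 'denied'}")
    # The pitfall from the note: same rules, defaultAction left at "Allow".
    open_ruleset = dict(ruleset, defaultAction="Allow")
    print("with defaultAction Allow, 203.0.113.5 ->",
          "allowed" if is_allowed(open_ruleset, "203.0.113.5") else "denied")
```

Run the audit against the networkruleset properties of any template before deploying it; a finding on defaultAction means the rules you listed are decorative, which is exactly the failure the note describes and one that no error message from the service will point out.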

To deploy the template, follow the instructions for Azure Resource Manager.