Azure Firewall forced tunneling

When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. However, you can't configure an existing firewall for forced tunneling.

By default, forced tunneling isn't allowed on Azure Firewall to ensure all its outbound Azure dependencies are met. User Defined Route (UDR) configurations on the AzureFirewallSubnet that have a default route not going directly to the Internet are disabled.

Forced tunneling configuration

To support forced tunneling, Service Management traffic is separated from customer traffic. An additional dedicated subnet named AzureFirewallManagementSubnet (minimum subnet size /26) is required with its own associated public IP address. The only route allowed on this subnet is a default route to the Internet, and BGP route propagation must be disabled.

If you have a default route advertised via BGP to force traffic to on-premises, you must create the AzureFirewallSubnet and AzureFirewallManagementSubnet before deploying your firewall and have a UDR with a default route to the Internet, and Propagate gateway routes disabled.

Within this configuration, the AzureFirewallSubnet can now include routes to any on-premises firewall or NVA to process traffic before it's passed to the Internet. You can also publish these routes via BGP to AzureFirewallSubnet if Propagate gateway routes is enabled on this subnet.

For example, you can create a default route on the AzureFirewallSubnet with your VPN gateway as the next hop to get to your on-premises device. Or you can enable Propagate gateway routes to get the appropriate routes to the on-premises network.
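The subnet and route-table layout described in this section, written out as a Bicep template. This is an added example, not code from the original article or from Microsoft: the resource names, address ranges and API version are assumptions, the VPN gateway itself is assumed to already exist in GatewaySubnet (its deployment is out of scope), and the firewall is deployed with the management IP configuration from the start because the article states it can't be added to an existing firewall.

```bicep
// Added example (not from the original article). Names, prefixes and API
// version are assumptions chosen for illustration.
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'                 // assumed name
param vnetAddressSpace string = '10.0.0.0/16'      // assumed range
param firewallSubnetPrefix string = '10.0.0.0/26'  // AzureFirewallSubnet (assumed)
param mgmtSubnetPrefix string = '10.0.1.0/26'      // AzureFirewallManagementSubnet, /26 is the minimum
param gatewaySubnetPrefix string = '10.0.2.0/27'   // assumed; VPN gateway already deployed here

// AzureFirewallManagementSubnet: the only allowed route is 0.0.0.0/0 -> Internet,
// and BGP propagation is disabled so an on-premises default route never lands here.
resource mgmtRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-firewall-management'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-internet'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'Internet' }
      }
    ]
  }
}

// AzureFirewallSubnet: Internet-bound traffic is sent to the VPN gateway so the
// on-premises device sees it first; "Propagate gateway routes" stays enabled.
resource fwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-firewall-data'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'default-to-onprem'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualNetworkGateway' }
      }
    ]
  }
}

// Both firewall subnets exist, with their route tables attached, before the firewall is created.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetAddressSpace ] }
    subnets: [
      {
        name: 'AzureFirewallSubnet'
        properties: { addressPrefix: firewallSubnetPrefix, routeTable: { id: fwRouteTable.id } }
      }
      {
        name: 'AzureFirewallManagementSubnet'
        properties: { addressPrefix: mgmtSubnetPrefix, routeTable: { id: mgmtRouteTable.id } }
      }
      {
        name: 'GatewaySubnet'
        properties: { addressPrefix: gatewaySubnetPrefix }
      }
    ]
  }
}

// One public IP for customer traffic and a separate one dedicated to management traffic.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-firewall'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource mgmtPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-firewall-management'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// managementIpConfiguration is set at creation time; it cannot be added to an
// existing firewall, and once set it cannot be undone.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    managementIpConfiguration: {
      name: 'fw-management-ipconfig'
      properties: {
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'AzureFirewallManagementSubnet') }
        publicIPAddress: { id: mgmtPip.id }
      }
    }
  }
}
```

The two route tables are the part worth checking after deployment: the management subnet's effective routes should show exactly one user-defined 0.0.0.0/0 to Internet and no BGP-learned default, while the data subnet's effective routes should show the default route pointing at the gateway. If an on-premises 0.0.0.0/0 shows up on the management subnet, its route table has propagation enabled and the firewall will lose its management path.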

Virtual network gateway route propagation

If you enable forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall.

If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to not SNAT your public IP address range. For more information, see Azure Firewall SNAT private IP address ranges.

Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration. If you remove all other IP configurations on your firewall, the management IP configuration is removed as well and the firewall is deallocated. The public IP address assigned to the management IP configuration can't be removed, but you can assign a different public IP address.

Next steps