Use FQDN filtering in network rules

A fully qualified domain name (FQDN) represents the domain name of a host or of one or more IP addresses. You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability lets you filter outbound traffic for any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules, so that the firewall and the clients behind it resolve the same names to the same addresses. For more information, see Azure Firewall DNS settings.

Note

By design, FQDN filtering doesn't support wildcards. Each host name that a network rule should match must be listed explicitly.

How it works

Once you define which DNS server your organization needs (Azure DNS or your own custom DNS), Azure Firewall translates the FQDN to one or more IP addresses using the selected DNS server. This translation happens for both application and network rule processing.

When a new DNS resolution takes place, the new IP addresses are added to the firewall rules. Old IP addresses that the DNS server no longer returns expire after 15 minutes. Azure Firewall updates its rules every 15 seconds from the DNS resolution of the FQDNs in network rules. In practice, an address that a name used to resolve to stays allowed for up to 15 minutes after the DNS record changes, while a newly published address is allowed within seconds. The rule only ever follows what the configured DNS server returns, which is why clients behind the firewall must resolve through the same DNS proxy rather than a DNS server of their own.

Differences in application rules vs. network rules

  • FQDN filtering in application rules for HTTP/S and MSSQL is based on an application-level transparent proxy and the SNI header. As such, it can discern between two FQDNs that resolve to the same IP address. This is not the case with FQDN filtering in network rules: a network rule matches on the resolved IP addresses only, so allowing one FQDN implicitly allows any other FQDN that resolves to the same address (a common situation behind CDNs and shared hosting).

    Always use application rules when possible:

    • If the protocol is HTTP/S or MSSQL, use application rules for FQDN filtering.
    • For any other protocol besides HTTP/S or MSSQL, you can use application or network rules for FQDN filtering.
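The following Bicep template is an added example, not part of the original page or of Microsoft's own samples. It ties together the prerequisite from the introduction (DNS Proxy enabled on the Firewall Policy), the network-rule FQDN filtering described under "How it works" (NTP and SSH allowed by name), and the guidance above to keep HTTP/S on an application rule. The policy and rule names, the source CIDR, the DNS server list and the target FQDNs are assumptions chosen for illustration; replace them with your own.

```bicep
// Added example: Firewall Policy with DNS Proxy enabled, a network rule collection
// that filters NTP and SSH by FQDN, and an application rule collection for HTTPS.
// Names, CIDRs, DNS servers and FQDNs below are assumptions for illustration.
param location string = resourceGroup().location
// Assumed: leave empty to resolve through Azure DNS, or list your own DNS servers,
// for example ['10.0.0.4'].
param dnsServers array = []
// Assumed: the subnet whose outbound traffic the firewall inspects.
param workloadSubnet string = '10.1.0.0/24'

resource policy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'fw-policy-fqdn'
  location: location
  properties: {
    dnsSettings: {
      servers: dnsServers
      // Required for FQDNs in network rules: the firewall resolves names itself and
      // proxies the clients' DNS queries, so both sides see the same answers.
      enableProxy: true
    }
  }
}

resource networkRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: policy
  name: 'DefaultNetworkRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-by-fqdn-network'
        priority: 100
        action: { type: 'Allow' }
        // One rule per protocol/port pair keeps the allow-list tight: a single rule
        // with ipProtocols [TCP, UDP] and ports [123, 22] would also allow TCP/123 and UDP/22.
        rules: [
          {
            // Non-HTTP protocol: matching is purely on the resolved IP addresses.
            // Any other name resolving to the same address is allowed as well.
            ruleType: 'NetworkRule'
            name: 'allow-ntp'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ workloadSubnet ]
            destinationFqdns: [ 'time.windows.com' ]   // no wildcards are accepted here
            destinationPorts: [ '123' ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'allow-ssh'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ workloadSubnet ]
            destinationFqdns: [ 'git.example.com' ]    // assumed target host
            destinationPorts: [ '22' ]
          }
        ]
      }
    ]
  }
}

resource applicationRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-by-fqdn-application'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            // HTTP/S belongs in an application rule: the transparent proxy matches on
            // the SNI header and can tell apart FQDNs that share an IP address.
            ruleType: 'ApplicationRule'
            name: 'allow-https-downloads'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ workloadSubnet ]
            targetFqdns: [ 'download.example.com' ]    // assumed target host
          }
        ]
      }
    ]
  }
  // Rule collection groups on the same policy must be written one at a time.
  dependsOn: [ networkRules ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep` and then associate the policy with the firewall. Clients in `workloadSubnet` must use the firewall's private IP as their DNS server so their lookups go through the proxy; if they query another resolver, they may receive an address the firewall has not yet learned (or one that expired), and the network rule will not match.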

Next steps

Azure Firewall DNS settings