Use FQDN filtering in network rules (preview)

Important

FQDN filtering in network rules is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Azure Previews.

A fully qualified domain name (FQDN) represents a domain name of a host or IP address(es). You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall policy. This capability allows you to filter outbound traffic with any TCP/UDP protocol (including NTP, SSH, RDP, and more). You must enable DNS Proxy to use FQDNs in your network rules. For more information, see Azure Firewall DNS settings (preview).

Note

By design, FQDN filtering doesn't support wildcards.

How it works

Once you define which DNS server your organization needs (Azure DNS or your own custom DNS), Azure Firewall translates the FQDN to an IP address(es) based on the selected DNS server. This translation happens for both application and network rule processing.

What's the difference between using domain names in application rules compared to using them in network rules?

  • FQDN filtering in application rules for HTTP/S and MSSQL is based on an application-level transparent proxy and the SNI header. As such, it can discern between two FQDNs that resolve to the same IP address. This is not the case with FQDN filtering in network rules, which only sees the resolved destination IP. Always use application rules when possible.
  • In application rules, you can use HTTP/S and MSSQL as your selected protocols. In network rules, you can use any TCP/UDP protocol with your destination FQDNs.
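The following is an added example, not code from the Azure documentation, that models the difference described above: a network rule resolves its destination FQDNs to IP addresses through the DNS proxy and matches only on the packet's destination IP, while an application rule matches on the SNI name. The DNS table, rule shapes and flow records are constructed for illustration.

```python
# Added example (not Azure's code): how FQDN matching differs between rule types.
# DNS_TABLE is a constructed stand-in for what the DNS proxy would return.
DNS_TABLE = {
    "time.example.com": {"203.0.113.10"},
    "allowed.example.com": {"198.51.100.5"},
    "other.example.com": {"198.51.100.5"},  # shares an IP with allowed.example.com
}

def resolve(fqdn):
    """DNS proxy step: translate an FQDN into its IP address(es). No wildcards, by design."""
    if "*" in fqdn:
        raise ValueError("FQDN filtering in network rules does not support wildcards")
    return DNS_TABLE.get(fqdn, set())

def network_rule_allows(rule, flow):
    """Network rule: protocol/port plus the IP(s) each destination FQDN resolved to.
    Only the packet's destination IP is compared; the hostname the client wanted is unknown."""
    if flow["protocol"] not in rule["protocols"] or flow["port"] not in rule["ports"]:
        return False
    resolved = set()
    for fqdn in rule["destination_fqdns"]:
        resolved |= resolve(fqdn)
    return flow["dst_ip"] in resolved

def application_rule_allows(rule, flow):
    """Application rule (HTTP/S): the transparent proxy matches on the SNI name,
    so two FQDNs that resolve to the same IP are told apart."""
    return (flow["protocol"] == "TCP" and flow["port"] in (80, 443)
            and flow.get("sni") in rule["target_fqdns"])

NTP_RULE = {"protocols": {"UDP"}, "ports": {123}, "destination_fqdns": ["time.example.com"]}
HTTPS_NET_RULE = {"protocols": {"TCP"}, "ports": {443}, "destination_fqdns": ["allowed.example.com"]}
HTTPS_APP_RULE = {"target_fqdns": ["allowed.example.com"]}

def demo():
    """Returns (ntp_allowed, network_rule_admits_other_fqdn, app_rule_admits_other_fqdn)."""
    ntp = {"protocol": "UDP", "port": 123, "dst_ip": "203.0.113.10"}
    # Client connects to other.example.com, which resolves to the same IP as allowed.example.com.
    other = {"protocol": "TCP", "port": 443, "dst_ip": "198.51.100.5", "sni": "other.example.com"}
    return (network_rule_allows(NTP_RULE, ntp),
            network_rule_allows(HTTPS_NET_RULE, other),
            application_rule_allows(HTTPS_APP_RULE, other))

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The middle value is the point of the note above: the network rule admits the connection to other.example.com because it shares an IP with the allowed FQDN, whereas the application rule does not.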

Next steps

Azure Firewall DNS settings