FQDN tags overview

An FQDN tag represents a group of fully qualified domain names (FQDNs) associated with well-known Azure services. You can use an FQDN tag in application rules to allow the required outbound network traffic through your firewall.

For example, to manually allow Windows Update network traffic through your firewall, you need to create multiple application rules per the Azure documentation. Using FQDN tags, you can create a single application rule that includes the Windows Update tag, and network traffic to Microsoft Windows Update endpoints can then flow through your firewall.

You can't create your own FQDN tags, nor can you specify which FQDNs are included within a tag. Azure manages the FQDNs encompassed by each FQDN tag and updates the tag as those FQDNs change.

The following table shows the current FQDN tags you can use. Azure maintains these tags, and you can expect additional tags to be added periodically.

Current FQDN tags

FQDN tag: Description

Windows Update: Allow outbound access to Microsoft Update as described in How to Configure a Firewall for Software Updates.

Windows Diagnostics: Allow outbound access to all Windows Diagnostics endpoints.

Microsoft Active Protection Service (MAPS): Allow outbound access to MAPS.

App Service Environment (ASE): Allows outbound access to ASE platform traffic. This tag doesn't cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via Service Endpoints or added manually. For more information about integrating Azure Firewall with ASE, see Locking down an App Service Environment.

Azure Backup: Allows outbound access to the Azure Backup services.

Azure HDInsight: Allows outbound access for HDInsight platform traffic. This tag doesn't cover customer-specific Storage or SQL traffic from HDInsight. Enable these using Service Endpoints or add them manually.

Azure Kubernetes Service (AKS): Allows outbound access to AKS. For more information, see Use Azure Firewall to protect Azure Kubernetes Service (AKS) Deployments.


When selecting an FQDN tag in an application rule, the protocol:port field must be set to https.
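The following Azure PowerShell script is an added example, not part of the original page, showing the Windows Update case described above as a single tag-based application rule with the required https protocol. It assumes a firewall named fw-hub in resource group rg-hub, a workload subnet of 10.0.1.0/24, and that Get-AzFirewallFqdnTag exposes the tag identifier through a FqdnTagName property (assumed; check the output of that cmdlet in your environment).

```powershell
# Added example (not from the original page): replace the hand-maintained
# list of Windows Update FQDNs with one application rule that references
# the Azure-managed FQDN tag.
# Assumptions: firewall "fw-hub" in resource group "rg-hub"; protected
# workload subnet 10.0.1.0/24. Adjust these to your own environment.

$rgName       = 'rg-hub'
$fwName       = 'fw-hub'
$sourceSubnet = '10.0.1.0/24'
$tagName      = 'WindowsUpdate'   # assumed identifier for the "Windows Update" tag

# Azure owns the tag list and adds tags over time, so confirm the tag
# exists instead of hard-coding an identifier that may not match.
$availableTags = Get-AzFirewallFqdnTag | Select-Object -ExpandProperty FqdnTagName
if ($availableTags -notcontains $tagName) {
    throw "FQDN tag '$tagName' not found. Available tags: $($availableTags -join ', ')"
}

# FQDN-tag rules must use https (the protocol:port requirement from the page).
# Scope the source to the workload subnet rather than "*" so only the
# machines that need Windows Update egress get it.
$rule = New-AzFirewallApplicationRule -Name 'allow-windows-update' `
    -SourceAddress $sourceSubnet `
    -FqdnTag $tagName `
    -Protocol 'https:443'

$collection = New-AzFirewallApplicationRuleCollection -Name 'platform-egress' `
    -Priority 200 `
    -Rule $rule `
    -ActionType Allow

# Attach the collection to the existing firewall and push the change.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName
$fw.AddApplicationRuleCollection($collection)
Set-AzFirewall -AzureFirewall $fw
```

Because the tag's member FQDNs are managed by Azure, traffic allowed by this rule changes as Microsoft updates the tag; review the firewall's application rule logs periodically to confirm the allowed egress still matches what you intended.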

Next steps

To learn how to deploy an Azure Firewall, see Tutorial: Deploy and configure Azure Firewall using the Azure portal.