Configure Azure Firewall rules

You can configure NAT rules, network rules, and application rules on Azure Firewall. Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000. A rule collection name can contain only letters, numbers, underscores, periods, or hyphens. It must begin with a letter or number, and end with a letter, number, or underscore. The maximum name length is 80 characters.

It's best to initially space your rule collection priority numbers in increments of 100 (100, 200, 300, and so on) so that you have room to add more rule collections later if needed.

Note

If you enable threat intelligence-based filtering, those rules have the highest priority and are always processed first. Threat-intelligence filtering may deny traffic before any configured rules are processed. For more information, see Azure Firewall threat intelligence-based filtering.

Outbound connectivity

Network rules and application rules

If you configure both network rules and application rules, network rules are applied in priority order before application rules. The rules are terminating: if a match is found in a network rule, no other rules are processed. If there's no network rule match, and the protocol is HTTP, HTTPS, or MSSQL, the packet is then evaluated by the application rules in priority order. If still no match is found, the packet is evaluated against the infrastructure rule collection. If there's still no match, the packet is denied by default.

Network rule protocol

Network rules can be configured for TCP, UDP, ICMP, or Any IP protocol. Any IP protocol includes all the IP protocols defined in the Internet Assigned Numbers Authority (IANA) Protocol Numbers document. If a destination port is explicitly configured, the rule is translated to a TCP+UDP rule.

Before November 9, 2020, Any meant TCP, UDP, or ICMP. So you might have configured a rule before that date with Protocol = Any and destination ports = '*'. If you don't actually intend to allow any IP protocol as currently defined, modify the rule to explicitly configure the protocol(s) you want (TCP, UDP, or ICMP).

Inbound connectivity

NAT rules

Inbound Internet connectivity can be enabled by configuring Destination Network Address Translation (DNAT), as described in Tutorial: Filter inbound traffic with Azure Firewall DNAT using the Azure portal. NAT rules are applied in priority order before network rules. If a match is found, an implicit corresponding network rule that allows the translated traffic is added. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic.

Examples

The following examples show the results of some of these rule combinations.

Example 1

The connection to qq.com is allowed because of a matching network rule.

Network rule

  • Action: Allow

| Name | Protocol | Source type | Source | Destination type | Destination address | Destination ports |
|---|---|---|---|---|---|---|
| Allow-web | TCP | IP address | * | IP address | * | 80,443 |

Application rule

  • Action: Deny

| Name | Source type | Source | Protocol:Port | Target FQDNs |
|---|---|---|---|---|
| Deny-qq | IP address | * | http:80,https:443 | qq.com |

Result

The connection to qq.com is allowed because the packet matches the Allow-web network rule. Rule processing stops at this point.

Example 2

SSH traffic is denied because a higher priority Deny network rule collection blocks it.

Network rule collection 1

  • Name: Allow-collection
  • Priority: 200
  • Action: Allow

| Name | Protocol | Source type | Source | Destination type | Destination address | Destination ports |
|---|---|---|---|---|---|---|
| Allow-SSH | TCP | IP address | * | IP address | * | 22 |

Network rule collection 2

  • Name: Deny-collection
  • Priority: 100
  • Action: Deny

| Name | Protocol | Source type | Source | Destination type | Destination address | Destination ports |
|---|---|---|---|---|---|---|
| Deny-SSH | TCP | IP address | * | IP address | * | 22 |

Result

SSH connections are denied because a higher priority network rule collection blocks them. Rule processing stops at this point.
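The processing order this page describes (NAT before network before application rules, collections in ascending priority number, terminating rules, default deny, the implicit allow a DNAT match adds and the network-rule deny that can override it, and the translation of an "Any" rule with an explicit port to TCP+UDP) can be checked against the two examples above with a small model. The following is an added example written for this page, not Microsoft's code and not a call into Azure: the rule and packet classes, the stage names and the collection priorities for Example 1 are assumptions of the model, and the packets are constructed. It reproduces both examples and goes slightly beyond them by also covering an application-rule decision, a DNAT override, and the "Any" protocol case.

```python
"""Toy model of the Azure Firewall rule-processing order described on this page.
Added example, not Microsoft's code; nothing here talks to Azure. Not modelled:
the infrastructure rule collection and threat-intelligence filtering."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                       # "TCP", "UDP" or "ICMP"
    dst_port: Optional[int]             # None for ICMP
    app_protocol: Optional[str] = None  # "http"/"https"/"mssql" when known
    fqdn: Optional[str] = None          # host name seen by application rules
@dataclass
class NetworkRule:                      # NAT rules also set the translated_* fields
    name: str
    protocols: set                      # subset of {"TCP", "UDP", "ICMP"}, or {"Any"}
    sources: list
    destinations: list
    dest_ports: list                    # "22", "80", "1000-2000" or "*"
    translated_address: Optional[str] = None
    translated_port: Optional[int] = None
@dataclass
class AppRule:
    name: str
    sources: list
    protocol_ports: dict                # e.g. {"http": 80, "https": 443}
    target_fqdns: list
@dataclass
class RuleCollection:
    priority: int                       # 100..65000, lower is processed first
    action: str                         # "Allow", "Deny" or "Dnat"
    kind: str                           # "nat", "network" or "application"
    rules: list

def _addr_match(patterns, addr):
    return any(p in ("*", addr) for p in patterns)

def _port_match(ports, port):
    for p in ports:
        lo, _, hi = p.partition("-")
        if p == "*" or (port is not None and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def _protocol_match(rule, pkt):
    if "Any" in rule.protocols:
        # Since 9 Nov 2020 "Any" is every IANA IP protocol, but an explicit port makes it TCP+UDP.
        if any(p != "*" for p in rule.dest_ports):
            return pkt.protocol in ("TCP", "UDP")
        return True
    return pkt.protocol in rule.protocols

def network_rule_matches(rule, pkt):
    return (_protocol_match(rule, pkt) and _addr_match(rule.sources, pkt.src)
            and _addr_match(rule.destinations, pkt.dst)
            and _port_match(rule.dest_ports, pkt.dst_port))

def app_rule_matches(rule, pkt):
    return (rule.protocol_ports.get(pkt.app_protocol) == pkt.dst_port
            and _addr_match(rule.sources, pkt.src) and pkt.fqdn in rule.target_fqdns)

def _first_match(collections, kind, matcher, pkt):
    """First (collection, rule) of the given kind that matches, in priority order."""
    for coll in sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority):
        for rule in coll.rules:
            if matcher(rule, pkt):
                return coll, rule
    return None

def evaluate(collections, pkt):
    """Return (action, name of the deciding rule or None, stage that decided)."""
    hit = _first_match(collections, "nat", network_rule_matches, pkt)
    if hit:
        # A DNAT match implicitly allows the translated traffic unless a network rule collection denies it.
        rule = hit[1]
        translated = Packet(pkt.src, rule.translated_address, pkt.protocol, rule.translated_port)
        deny = _first_match([c for c in collections if c.action == "Deny"],
                            "network", network_rule_matches, translated)
        return ("Deny", deny[1].name, "network") if deny else ("Allow", rule.name, "nat")
    hit = _first_match(collections, "network", network_rule_matches, pkt)
    if hit:
        return (hit[0].action, hit[1].name, "network")
    if pkt.app_protocol in ("http", "https", "mssql"):
        hit = _first_match(collections, "application", app_rule_matches, pkt)
        if hit:
            return (hit[0].action, hit[1].name, "application")
    return ("Deny", None, "default")

# Constructed data reproducing the page's two examples (Example 1 priorities are assumed).
EXAMPLE_1 = [
    RuleCollection(100, "Allow", "network", [NetworkRule("Allow-web", {"TCP"}, ["*"], ["*"], ["80", "443"])]),
    RuleCollection(100, "Deny", "application", [AppRule("Deny-qq", ["*"], {"http": 80, "https": 443}, ["qq.com"])]),
]
EXAMPLE_2 = [  # Deny-collection (100) is processed before Allow-collection (200)
    RuleCollection(200, "Allow", "network", [NetworkRule("Allow-SSH", {"TCP"}, ["*"], ["*"], ["22"])]),
    RuleCollection(100, "Deny", "network", [NetworkRule("Deny-SSH", {"TCP"}, ["*"], ["*"], ["22"])]),
]
```

Evaluating a constructed HTTPS packet for qq.com against EXAMPLE_1 returns the Allow-web network rule, and the Deny-qq application rule is only reached if the network collection is removed; evaluating a TCP/22 packet against EXAMPLE_2 returns Deny-SSH because the collection with priority 100 runs before the one with priority 200. The model is a reasoning aid for reviewing a rule set, not a substitute for testing against the deployed firewall.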

Rule changes

If you change a rule to deny previously allowed traffic, any relevant existing sessions are dropped.

Next steps