Azure Firewall SNAT private IP address ranges

Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. By default, Azure Firewall doesn't SNAT with network rules when the destination IP address is in a private IP address range per IANA RFC 1918 or in the shared address space per IANA RFC 6598. Application rules are always applied using a transparent proxy, whatever the destination IP address.

This logic works well when you route traffic directly to the Internet. However, if you've enabled forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall.

If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to not SNAT your public IP address range. For example, to specify an individual IP address, specify it like this: 192.168.1.10. To specify a range of IP addresses, specify it like this: 192.168.1.0/24.

  • To configure Azure Firewall to never SNAT regardless of the destination IP address, use 0.0.0.0/0 as your private IP address range. With this configuration, Azure Firewall can never route traffic directly to the Internet.

  • To configure the firewall to always SNAT regardless of the destination address, use 255.255.255.255/32 as your private IP address range.

Important

The private address range that you specify only applies to network rules. Currently, application rules always SNAT.

Important

If you want to specify your own private IP address ranges and keep the default IANA RFC 1918 address ranges, make sure your custom list still includes the IANA RFC 1918 range.
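The following added example (not code from the page or from Microsoft) models the network-rule SNAT decision described above so the two special values and the "keep IANAPrivateRanges in your list" caveat can be checked offline. It assumes that the IANAPrivateRanges keyword expands to the three RFC 1918 prefixes plus the RFC 6598 shared address space, as the page describes; the destination addresses and range lists are constructed samples, and the function names are the example's own.

```python
import ipaddress

# What the IANAPrivateRanges keyword stands for, per the page: the RFC 1918
# private ranges plus the RFC 6598 shared address space. Assumption: the
# firewall's real default list is modelled from that description.
IANA_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
RFC1918_RANGES = IANA_PRIVATE_RANGES[:3]
KEYWORD = "IANAPrivateRanges"


def expand_private_ranges(spec):
    """Turn a PrivateRange / --private-ranges style list into IPv4 networks.

    Accepts the IANAPrivateRanges keyword, single hosts (192.168.1.10) and
    CIDR prefixes (192.168.1.0/24), the forms the page's cmdlets use.
    """
    networks = []
    for item in spec:
        item = item.strip()
        if item == KEYWORD:
            networks.extend(ipaddress.IPv4Network(r) for r in IANA_PRIVATE_RANGES)
        else:
            # strict=False lets a host address such as 192.168.1.10 become a /32
            networks.append(ipaddress.IPv4Network(item, strict=False))
    return networks


def is_snat_applied(destination, spec):
    """Model the network-rule decision: SNAT unless the destination falls inside
    a configured private range. 0.0.0.0/0 therefore means 'never SNAT' and
    255.255.255.255/32 means 'always SNAT' (no real destination matches it)."""
    dst = ipaddress.IPv4Address(destination)
    return not any(dst in net for net in expand_private_ranges(spec))


def uncovered_rfc1918(spec):
    """RFC 1918 ranges a custom list no longer exempts from SNAT: the mistake
    the page's 'keep IANAPrivateRanges in your list' note warns about."""
    configured = expand_private_ranges(spec)
    return [r for r in RFC1918_RANGES
            if not any(ipaddress.IPv4Network(r).subnet_of(net) for net in configured)]


def snat_table(destinations, spec):
    """Map each destination to True (SNATed) or False (sent with original source)."""
    return {d: is_snat_applied(d, spec) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: an RFC 1918 host, an RFC 6598 host, a host
    # in a documentation prefix standing in for 'public range used privately',
    # and an address standing in for a genuine Internet destination.
    sample = ["10.1.2.3", "100.64.1.1", "203.0.113.5", "198.51.100.7"]
    for label, spec in [
        ("default", [KEYWORD]),
        ("default + own public range", [KEYWORD, "203.0.113.0/24"]),
        ("own range only (defaults lost)", ["203.0.113.0/24"]),
        ("never SNAT", ["0.0.0.0/0"]),
        ("always SNAT", ["255.255.255.255/32"]),
    ]:
        print(f"{label:32} {snat_table(sample, spec)}  "
              f"RFC 1918 no longer exempt: {uncovered_rfc1918(spec)}")
```

The third case is the one to watch for in change reviews: a list that names only your own public prefix silently re-enables SNAT for every RFC 1918 destination, which is exactly what the Important note above is warning about.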

You can configure the SNAT private IP addresses using the following methods. You must configure the SNAT private addresses using the method appropriate for your configuration. Firewalls associated with a firewall policy must specify the range in the policy and not use AdditionalProperties.

Method              Using classic rules                                    Using firewall policy
Azure portal        supported                                              supported
Azure PowerShell    configure PrivateRange                                 currently unsupported
Azure CLI           configure --private-ranges                             currently unsupported
ARM template        configure AdditionalProperties in firewall property    configure snat/privateRanges in firewall policy

Configure SNAT private IP address ranges - Azure PowerShell

Classic rules

You can use Azure PowerShell to specify private IP address ranges for the firewall.

Note

The firewall PrivateRange property is ignored for firewalls associated with a firewall policy. You must use the SNAT property in firewallPolicies as described in Configure SNAT private IP address ranges - ARM template.

New firewall

For a new firewall using classic rules, the Azure PowerShell cmdlet is:

$azFw = @{
    Name               = '<fw-name>'
    ResourceGroupName  = '<resourcegroup-name>'
    Location           = '<location>'
    VirtualNetworkName = '<vnet-name>'
    PublicIpName       = '<public-ip-name>'
    PrivateRange       = @("IANAPrivateRanges", "192.168.1.0/24", "192.168.1.10")
}

New-AzFirewall @azFw

Note

Deploying Azure Firewall using New-AzFirewall requires an existing VNet and public IP address. See Deploy and configure Azure Firewall using Azure PowerShell for a full deployment guide.

Note

IANAPrivateRanges is expanded to the current defaults on Azure Firewall while the other ranges are added to it. To keep the IANAPrivateRanges default in your private range specification, it must remain in your PrivateRange specification, as shown in the following examples.

For more information, see New-AzFirewall.

Existing firewall

To configure an existing firewall using classic rules, use the following Azure PowerShell cmdlets:

$azfw = Get-AzFirewall -Name '<fw-name>' -ResourceGroupName '<resourcegroup-name>'
$azfw.PrivateRange = @("IANAPrivateRanges","192.168.1.0/24", "192.168.1.10")
Set-AzFirewall -AzureFirewall $azfw

Configure SNAT private IP address ranges - Azure CLI

Classic rules

You can use Azure CLI to specify private IP address ranges for a firewall using classic rules.

New firewall

For a new firewall using classic rules, the Azure CLI command is:

az network firewall create \
-n <fw-name> \
-g <resourcegroup-name> \
--private-ranges 192.168.1.0/24 192.168.1.10 IANAPrivateRanges

Note

Deploying Azure Firewall using the Azure CLI command az network firewall create requires additional configuration steps to create public IP addresses and an IP configuration. See Deploy and configure Azure Firewall using Azure CLI for a full deployment guide.

Note

IANAPrivateRanges is expanded to the current defaults on Azure Firewall while the other ranges are added to it. To keep the IANAPrivateRanges default in your private range specification, it must remain in your private-ranges specification, as shown in the following examples.

Existing firewall

To configure an existing firewall using classic rules, the Azure CLI command is:

az network firewall update \
-n <fw-name> \
-g <resourcegroup-name> \
--private-ranges 192.168.1.0/24 192.168.1.10 IANAPrivateRanges

Configure SNAT private IP address ranges - ARM template

Classic rules

To configure SNAT during ARM template deployment, add the following to the additionalProperties property (IPRange1 and IPRange2 stand for your own ranges):

"additionalProperties": {
   "Network.SNAT.PrivateRanges": "IANAPrivateRanges, IPRange1, IPRange2"
},

Firewall policy

Azure Firewalls associated with a firewall policy have supported SNAT private ranges since the 2020-11-01 API version. Currently, you can use a template to update the SNAT private range on the firewall policy. The following sample configures the firewall to always SNAT network traffic (note that the range entries must be quoted JSON strings):

{
    "type": "Microsoft.Network/firewallPolicies",
    "apiVersion": "2020-11-01",
    "name": "[parameters('firewallPolicies_DatabasePolicy_name')]",
    "location": "chinanorth",
    "properties": {
        "sku": {
            "tier": "Standard"
        },
        "snat": {
            "privateRanges": ["255.255.255.255/32"]
        }
    }
}
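Because the two ARM forms differ (a single comma-separated string under Network.SNAT.PrivateRanges for classic rules, a JSON array of strings under snat.privateRanges for a firewall policy), a pre-deployment check catches the usual mistakes: unquoted values that are not valid JSON, placeholder or malformed range tokens, and a custom list that drops IANAPrivateRanges. The following linter is an added example, not code from the page or from Microsoft; the property names come from the page, while the sample inputs (the page's policy fragment with and without the quoting fix, and a few additionalProperties strings) are constructed for the demonstration and the function names are the example's own.

```python
import ipaddress
import json

KEYWORD = "IANAPrivateRanges"
# Lists built from these values are the deliberate 'never' / 'always' SNAT
# settings the page describes, so the missing-defaults warning is skipped for them.
SPECIAL = {"0.0.0.0/0", "255.255.255.255/32"}


def check_entry(entry):
    """Return None if entry is a legal SNAT range token, otherwise an error string."""
    if entry == KEYWORD:
        return None
    try:
        ipaddress.IPv4Network(entry, strict=False)
    except ValueError:
        return f"invalid range entry {entry!r}"
    return None


def lint_entries(entries, where):
    entries = [e.strip() for e in entries]
    problems = [f"{where}: {err}" for err in map(check_entry, entries) if err]
    if KEYWORD not in entries and not (set(entries) & SPECIAL):
        problems.append(f"{where}: {KEYWORD} missing; RFC 1918 destinations will now be SNATed")
    return problems


def lint_additional_properties(additional_properties):
    """Classic-rules form: one comma-separated string under Network.SNAT.PrivateRanges."""
    value = additional_properties.get("Network.SNAT.PrivateRanges")
    if value is None:
        return []  # property absent: the firewall defaults apply
    if not isinstance(value, str):
        return ["additionalProperties: Network.SNAT.PrivateRanges must be a comma-separated string"]
    return lint_entries(value.split(","), "additionalProperties")


def lint_policy_resource(resource_text):
    """Firewall-policy form: properties.snat.privateRanges must be a JSON array of strings."""
    try:
        resource = json.loads(resource_text)
    except json.JSONDecodeError as exc:
        return [f"firewallPolicies: not valid JSON at line {exc.lineno}: {exc.msg} "
                "(range entries must be quoted strings)"]
    props = resource.get("properties") or {}
    ranges = (props.get("snat") or {}).get("privateRanges")
    if ranges is None:
        return []  # no snat block: the policy defaults apply
    if not isinstance(ranges, list) or not all(isinstance(r, str) for r in ranges):
        return ["firewallPolicies: snat.privateRanges must be a JSON array of strings"]
    return lint_entries(ranges, "firewallPolicies")


# Constructed sample inputs: the policy fragment with an unquoted array
# (which is not valid JSON) and the same fragment corrected.
BROKEN_POLICY = """{
  "type": "Microsoft.Network/firewallPolicies",
  "apiVersion": "2020-11-01",
  "name": "[parameters('firewallPolicies_DatabasePolicy_name')]",
  "location": "chinanorth",
  "properties": { "sku": { "tier": "Standard" },
                  "snat": { "privateRanges": [255.255.255.255/32] } }
}"""
FIXED_POLICY = BROKEN_POLICY.replace("[255.255.255.255/32]", '["255.255.255.255/32"]')

if __name__ == "__main__":
    for text in (BROKEN_POLICY, FIXED_POLICY):
        print(lint_policy_resource(text) or "policy OK")
    for value in ("IANAPrivateRanges, 192.168.1.0/24, 192.168.1.10",
                  "IANAPrivateRanges , IPRange1, IPRange2",
                  "203.0.113.0/24"):
        print(lint_additional_properties({"Network.SNAT.PrivateRanges": value})
              or "additionalProperties OK")
```

Run it against the template's resource before az deployment; the "IANAPrivateRanges missing" finding is a warning rather than an error because a list consisting of 0.0.0.0/0 or 255.255.255.255/32 omits it on purpose.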

Configure SNAT private IP address ranges - Azure portal

Classic rules

You can use the Azure portal to specify private IP address ranges for the firewall.

  1. Select your resource group, and then select your firewall.

  2. On the Overview page, under Private IP Ranges, select the default value IANA RFC 1918.

    The Edit Private IP Prefixes page opens:

    (Screenshot: Edit Private IP Prefixes page)

  3. By default, IANAPrivateRanges is configured.

  4. Edit the private IP address ranges for your environment, and then select Save.

Firewall policy

  1. Select your resource group, and then select your firewall policy.

  2. Select Private IP ranges (SNAT) in the Settings column.

    By default, Use the default Azure Firewall Policy SNAT behavior is selected.

  3. To customize the SNAT configuration, clear the check box, and under Perform SNAT select the conditions under which SNAT is performed for your environment.

    (Screenshot: Private IP ranges (SNAT) page)

  4. Select Apply.

Next steps