Azure Firewall SNAT private IP address ranges

Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. By default, Azure Firewall doesn't SNAT with Network rules when the destination IP address is in a private IP address range per IANA RFC 1918. Application rules are always applied using a transparent proxy regardless of the destination IP address.

This logic works well when you route traffic directly to the Internet. However, if you've enabled forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall.

If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to not SNAT your public IP address range. For example, to specify an individual IP address, you can specify it like this: 192.168.1.10. To specify a range of IP addresses, you can specify it like this: 192.168.1.0/24.

  • To configure Azure Firewall to never SNAT regardless of the destination IP address, use 0.0.0.0/0 as your private IP address range. With this configuration, Azure Firewall can never route traffic directly to the Internet.

  • To configure the firewall to always SNAT regardless of the destination address, use 255.255.255.255/32 as your private IP address range.

Important

If you want to specify your own private IP address ranges and keep the default IANA RFC 1918 address ranges, make sure your custom list still includes the IANA RFC 1918 ranges.
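The SNAT decision described above (RFC 1918 defaults, the IANAPrivateRanges keyword, the 0.0.0.0/0 and 255.255.255.255/32 special cases, and the caveat about dropping the default), modeled as an added example that is not part of the original page or of Azure Firewall's own code. It assumes IANAPrivateRanges expands to the three RFC 1918 blocks and covers only the Network-rule path; the helper names are hypothetical.

```python
import ipaddress

# Assumption: the IANAPrivateRanges keyword expands to the RFC 1918 blocks.
IANA_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def expand_private_ranges(spec):
    """Turn a PrivateRange spec (CIDRs, single IPs, or the IANAPrivateRanges
    keyword) into ip_network objects, as the firewall expands the keyword."""
    nets = []
    for item in spec:
        item = item.strip()
        if item == "IANAPrivateRanges":
            nets.extend(ipaddress.ip_network(r) for r in IANA_PRIVATE_RANGES)
        else:
            # A bare address such as 192.168.1.10 is treated as a /32.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def will_snat(spec, destination):
    """True if Network-rule traffic to `destination` would be SNATed under
    `spec`: SNAT happens only when the destination is outside every range.
    0.0.0.0/0 therefore matches everything (never SNAT) and
    255.255.255.255/32 matches nothing real (always SNAT)."""
    dst = ipaddress.ip_address(destination)
    return not any(dst in net for net in expand_private_ranges(spec))


def missing_rfc1918(spec):
    """Return the RFC 1918 blocks that are no longer wholly inside one
    configured range, i.e. private destinations that would now be SNATed
    because the custom list left out IANAPrivateRanges."""
    nets = expand_private_ranges(spec)
    return [
        r for r in IANA_PRIVATE_RANGES
        if not any(ipaddress.ip_network(r).subnet_of(n) for n in nets)
    ]


if __name__ == "__main__":
    # Constructed sample specs mirroring the page's 192.168.1.0/24 example.
    custom_only = ["192.168.1.0/24", "192.168.1.10"]
    with_default = ["IANAPrivateRanges"] + custom_only
    print("10.1.2.3 SNATed with custom list only:", will_snat(custom_only, "10.1.2.3"))
    print("10.1.2.3 SNATed with default kept:   ", will_snat(with_default, "10.1.2.3"))
    print("RFC 1918 blocks lost by custom list:  ", missing_rfc1918(custom_only))
```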

Configure SNAT private IP address ranges - Azure PowerShell

You can use Azure PowerShell to specify private IP address ranges for the firewall.

New firewall

For a new firewall, the Azure PowerShell cmdlet is:

$azFw = @{
    Name               = '<fw-name>'
    ResourceGroupName  = '<resourcegroup-name>'
    Location           = '<location>'
    VirtualNetworkName = '<vnet-name>'
    PublicIpName       = '<public-ip-name>'
    PrivateRange       = @("IANAPrivateRanges", "192.168.1.0/24", "192.168.1.10")
}

New-AzFirewall @azFw

Note

Deploying Azure Firewall using New-AzFirewall requires an existing VNet and Public IP address. See Deploy and configure Azure Firewall using Azure PowerShell for a full deployment guide.

Note

IANAPrivateRanges is expanded to the current defaults on Azure Firewall while the other ranges are added to it. To keep the IANAPrivateRanges default in your private range specification, it must remain in your PrivateRange specification as shown in the following examples.

For more information, see New-AzFirewall.

Existing firewall

To configure an existing firewall, use the following Azure PowerShell cmdlets:

$azfw = Get-AzFirewall -Name '<fw-name>' -ResourceGroupName '<resourcegroup-name>'
$azfw.PrivateRange = @("IANAPrivateRanges","192.168.1.0/24", "192.168.1.10")
Set-AzFirewall -AzureFirewall $azfw

Configure SNAT private IP address ranges - Azure CLI

You can use Azure CLI to specify private IP address ranges for the firewall.

New firewall

For a new firewall, the Azure CLI command is:

az network firewall create \
-n <fw-name> \
-g <resourcegroup-name> \
--private-ranges 192.168.1.0/24 192.168.1.10 IANAPrivateRanges

Note

Deploying Azure Firewall using the Azure CLI command az network firewall create requires additional configuration steps to create public IP addresses and IP configuration. See Deploy and configure Azure Firewall using Azure CLI for a full deployment guide.

Note

IANAPrivateRanges is expanded to the current defaults on Azure Firewall while the other ranges are added to it. To keep the IANAPrivateRanges default in your private range specification, it must remain in your --private-ranges specification as shown in the following examples.

Existing firewall

To configure an existing firewall, the Azure CLI command is:

az network firewall update \
-n <fw-name> \
-g <resourcegroup-name> \
--private-ranges 192.168.1.0/24 192.168.1.10 IANAPrivateRanges

Configure SNAT private IP address ranges - ARM Template

To configure SNAT during ARM Template deployment, you can add the following to the additionalProperties property (IPRange1 and IPRange2 are placeholders for your own ranges):

"additionalProperties": {
   "Network.SNAT.PrivateRanges": "IANAPrivateRanges, IPRange1, IPRange2"
},

Configure SNAT private IP address ranges - Azure portal

You can use the Azure portal to specify private IP address ranges for the firewall.

  1. Select your resource group, and then select your firewall.

  2. On the Overview page, under Private IP Ranges, select the default value IANA RFC 1918.

    The Edit Private IP Prefixes page opens:

    [Screenshot: Edit Private IP Prefixes]

  3. By default, IANAPrivateRanges is configured.

  4. Edit the private IP address ranges for your environment and then select Save.

Next steps