IoT Hub classic IP filter and how to upgrade

The upgraded IP filter for IoT Hub protects the built-in endpoint and is secure by default. While we strive to never make breaking changes, the enhanced security model of the upgraded IP filter is incompatible with classic IP filter, so we announce its retirement. To learn more about the new upgraded IP filter, see What's new and IoT hub IP filters.

To avoid service disruption, you must perform the guided upgrade before the migration deadline, at which point the upgrade will be performed automatically. To learn more about the migration timeline, see Azure update.

How to upgrade

  1. Visit the Azure portal.
  2. Navigate to your IoT hub.
  3. Select Networking from the left-side menu.
  4. You should see a banner prompting you to upgrade your IP filter to the new model. Select Yes to continue. Image: banner prompting you to upgrade from classic IP filter.
  5. Since the new IP filter blocks all IP addresses by default, the upgrade removes your individual deny rules but gives you a chance to review them before saving. Carefully review the rules to make sure they work for you.
  6. Follow the prompts to finish upgrading.

What's new

Secure by default

Classic IP filter implicitly allows all IP addresses to connect to IoT Hub by default, which doesn't align well with the most common network security scenarios. Typically, you want only trusted IP addresses to be able to connect to your IoT hub and reject everything else. Achieving this goal with classic IP filter is a multi-step process. For example, if you want to accept traffic only from 192.168.100.0/22, you must:

  1. Configure a single allow rule for 192.168.100.0/22.
  2. Configure a separate block rule for 0.0.0.0/0 (the "block all" rule).
  3. Make sure the rules are ordered correctly, with the allow rule ordered above the block rule.

In practice, this multi-step process causes confusion. Users didn't configure the "block all" rule or didn't order the rules correctly, resulting in unintended exposure.

The new IP filter blocks all IP addresses by default. Only the IP ranges that you explicitly add are allowed to connect to IoT Hub. In the above example, steps 2 and 3 aren't needed anymore. This new behavior simplifies configuration and abides by the secure by default principle.

Protect the built-in Event Hub compatible endpoint

Classic IP filter cannot be applied to the built-in endpoint. This limitation means that, even with a block all rule (block 0.0.0.0/0) configured, the built-in endpoint is still accessible from any IP address.

The new IP filter provides an option to apply rules to the built-in endpoint, which reduces exposure to network security threats.

Image: toggle showing whether to apply the rules to the built-in endpoint.

Note

This option isn't available to free (F1) IoT hubs. To apply IP filter rules to the built-in endpoint, use a paid IoT hub.

API impact

The upgraded IP filter is available in the IoT Hub resource API from 2020-08-31 (as well as 2020-08-31-preview) onwards. Classic IP filter is still available in all API versions, but will be removed in a future API version near the migration deadline. To learn more about the migration timeline, see Azure update.

Tip: try the changes before they apply

Since the new IP filter blocks all IP addresses by default, individual block rules are no longer compatible. So, the guided upgrade process removes these individual block rules.

To try out the change with classic IP filter:

  1. Visit the Networking tab in your IoT hub
  2. Note down your existing IP filter (classic) configuration, in case you want to roll back
  3. Next to rules with Block, select the trash icon to remove them
  4. Add another rule at the bottom with 0.0.0.0/0, and choose Block
  5. Select Save

This configuration mimics how the new IP filter behaves after upgrading from classic. One exception is the built-in endpoint protection, which cannot be tried out using classic IP filter. However, that feature is optional, so you don't have to use it if you think it might break something.

Tip: check diagnostic logs for all IP connections to your IoT hub

To ensure a smooth transition, check your diagnostic logs under the Connections category. Look for the maskedIpAddress property to see if the ranges are as you expect. Remember: the new IP filter will block all IP addresses that haven't been explicitly added.
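A pre-migration check along the lines of this tip, added here and not part of the original page: it reads Connections-category records, takes the maskedIpAddress value and reports whether each source would still be allowed once only the explicitly added ranges may connect. The records are constructed, the properties field is assumed to be a JSON string carrying deviceId and maskedIpAddress, and the last octet is assumed to be masked as XXX, which is why a source can come out as "ambiguous" when an allow rule is narrower than the mask.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed Connections-category records. Real exports carry more fields; the properties
# value is assumed to be a JSON string holding deviceId and maskedIpAddress (last octet as XXX).
SAMPLE_RECORDS = [
    {"category": "Connections", "operationName": "deviceConnect",
     "properties": json.dumps({"deviceId": "dev-01", "maskedIpAddress": "192.168.101.XXX"})},
    {"category": "Connections", "operationName": "deviceConnect",
     "properties": json.dumps({"deviceId": "dev-02", "maskedIpAddress": "10.0.0.XXX"})},
    {"category": "Connections", "operationName": "deviceConnect",
     "properties": json.dumps({"deviceId": "backend-01", "maskedIpAddress": "131.107.160.XXX"})},
    {"category": "Routes", "operationName": "endpointHealth", "properties": "{}"},
]

def masked_to_network(masked: str) -> ipaddress.IPv4Network:
    """'a.b.c.XXX' (last octet masked) is every address in a.b.c.0/24; unmasked becomes /32."""
    octets = masked.split(".")
    if octets[-1] == "XXX":
        return ipaddress.ip_network(".".join(octets[:3]) + ".0/24")
    return ipaddress.ip_network(masked)

def verdict(masked: str, allow_ranges) -> str:
    """Outcome under the upgraded filter, where only the listed ranges are allowed."""
    net = masked_to_network(masked)
    allowed = [ipaddress.ip_network(r, strict=False) for r in allow_ranges]
    if any(net.subnet_of(a) for a in allowed):
        return "allowed"    # every address the mask could hide lies inside an allow rule
    if any(net.overlaps(a) for a in allowed):
        return "ambiguous"  # allow rule narrower than the mask: confirm the real address
    return "blocked"        # no allow rule touches this source; it will be rejected

def audit(records, allow_ranges) -> dict:
    """Map each masked source address to its verdict and the client ids seen from it."""
    result = defaultdict(lambda: {"verdict": None, "clients": set()})
    for rec in records:
        if rec.get("category") != "Connections":
            continue
        props = json.loads(rec["properties"])
        ip = props.get("maskedIpAddress")
        if ip:
            result[ip]["verdict"] = verdict(ip, allow_ranges)
            result[ip]["clients"].add(props.get("deviceId", "?"))
    return dict(result)

if __name__ == "__main__":
    for ip, info in audit(SAMPLE_RECORDS, ["192.168.100.0/22", "131.107.160.200"]).items():
        print(f"{ip:<18} {info['verdict']:<10} {sorted(info['clients'])}")
```

Any source reported as "blocked" or "ambiguous" is worth resolving before the upgrade, since after it those clients receive the same unauthorized response as any other rejected address.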

IoT Hub classic IP filter documentation (retired)

Important

Below is the original documentation for classic IP filter, which is being retired.

Security is an important aspect of any IoT solution based on Azure IoT Hub. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The IP filter feature enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses.

When to use

There are two specific use cases when it is useful to block the IoT Hub endpoints for certain IP addresses:

  • Your IoT hub should receive traffic only from a specified range of IP addresses and reject everything else. For example, you are using your IoT hub with Azure Express Route to create private connections between an IoT hub and your on-premises infrastructure.

  • You need to reject traffic from IP addresses that have been identified as suspicious by the IoT hub administrator.

How filter rules are applied

The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. However, clients reading directly from the built-in Event Hub compatible endpoint (not via the IoT Hub connection string) are not bound to the IP filter rules.

Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule. Rejecting IP addresses can prevent other Azure services such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in the Azure portal from interacting with the IoT hub.

Note

If you must use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filter enabled, use the event hub-compatible name and endpoint of your IoT hub to manually add an Event Hubs stream input in ASA.

Default setting

By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

To get to the IP Filter settings page, select Networking, Public access, then choose Selected IP Ranges:

Image: IoT Hub default IP filter settings.

Add or edit an IP filter rule

To add an IP filter rule, select + Add IP Filter Rule.

Image: adding an IP filter rule to an IoT hub.

After selecting Add IP Filter Rule, fill in the fields.

Image: the form shown after selecting Add IP Filter Rule.

  • Provide a name for the IP Filter rule. This must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus {'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''} are accepted.

  • Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

  • Select Allow or Block as the action for the IP filter rule.

After filling in the fields, select Save to save the rule. You see an alert notifying you that the update is in progress.

Image: notification about saving an IP filter rule.

The Add option is disabled when you reach the maximum of 10 IP filter rules.

To edit an existing rule, select the data you want to change, make the change, then select Save to save your edit.

Delete an IP filter rule

To delete an IP filter rule, select the trash can icon on that row and then select Save. The rule is removed and the change is saved.

Image: deleting an IoT Hub IP filter rule.

Retrieve and update IP filters using Azure CLI

Your IoT Hub's IP filters can be retrieved and updated through Azure CLI.

To retrieve the current IP filters of your IoT Hub, run:

az resource show -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs

This returns a JSON object in which your existing IP filters are listed under the properties.ipFilterRules key:

{
...
    "properties": {
        "ipFilterRules": [
        {
            "action": "Reject",
            "filterName": "MaliciousIP",
            "ipMask": "6.6.6.6/6"
        },
        {
            "action": "Allow",
            "filterName": "GoodIP",
            "ipMask": "131.107.160.200"
        },
        ...
        ],
    },
...
}

To add a new IP filter for your IoT Hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --add properties.ipFilterRules "{\"action\":\"Reject\",\"filterName\":\"MaliciousIP\",\"ipMask\":\"6.6.6.6/6\"}"

To remove an existing IP filter from your IoT Hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --remove properties.ipFilterRules <ipFilterIndexToRemove>

Note that <ipFilterIndexToRemove> must correspond to the ordering of IP filters in your IoT Hub's properties.ipFilterRules.

Retrieve and update IP filters using Azure PowerShell

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Your IoT Hub's IP filters can be retrieved and set through Azure PowerShell.

# Get your IoT Hub resource using its name and its resource group name
$iothubResource = Get-AzResource -ResourceGroupName <resourceGroupName> -ResourceName <iotHubName> -ExpandProperties

# Access existing IP filter rules
$iothubResource.Properties.ipFilterRules |% { Write-host $_ }

# Construct a new IP filter
$filter = @{'filterName'='MaliciousIP'; 'action'='Reject'; 'ipMask'='6.6.6.6/6'}

# Add your new IP filter rule
$iothubResource.Properties.ipFilterRules += $filter

# Remove an existing IP filter rule using its name, e.g., 'GoodIP'
$iothubResource.Properties.ipFilterRules = @($iothubResource.Properties.ipFilterRules | Where 'filterName' -ne 'GoodIP')

# Update your IoT Hub resource with your updated IP filters
$iothubResource | Set-AzResource -Force

Update IP filter rules using REST

You may also retrieve and modify your IoT Hub's IP filter using the Azure resource provider's REST endpoint. See properties.ipFilterRules in the createorupdate method.

IP filter rule evaluation

IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, the first rule in the grid should accept the address range 192.168.100.0/22. The next rule should reject all addresses by using the range 0.0.0.0/0.
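The ordered, first-match evaluation described here, with the classic implicit-allow default placed beside the upgraded block-by-default model from the Secure by default section, as an added example that is not part of the original page. The rule names, the three constructed classic configurations and the shadowed_rules check are assumptions for illustration; the rule fields follow the JSON shape shown in the Azure CLI section.

```python
import ipaddress
from typing import Iterable, Optional

# Rules use the page's JSON shape: {"action": "Allow"|"Reject", "filterName": ..., "ipMask": ...}.
# ipMask is a single IPv4 address or a CIDR block; strict=False tolerates host bits in the mask.
def _net(mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(mask, strict=False)

def first_match(rules: Iterable[dict], ip: str) -> Optional[dict]:
    """Ordered evaluation: the first rule whose ipMask contains ip decides the outcome."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if addr in _net(rule["ipMask"]):
            return rule
    return None

def classic_allows(rules: list, ip: str) -> bool:
    """Classic filter: no matching rule means the connection is implicitly allowed."""
    match = first_match(rules, ip)
    return True if match is None else match["action"] == "Allow"

def upgraded_allows(allow_ranges: list, ip: str) -> bool:
    """Upgraded filter: only explicitly added ranges may connect; anything else is blocked."""
    addr = ipaddress.ip_address(ip)
    return any(addr in _net(r) for r in allow_ranges)

def shadowed_rules(rules: list) -> list:
    """Names of rules that can never fire because an earlier rule already covers their range."""
    shadowed = []
    for i, rule in enumerate(rules):
        if any(_net(rule["ipMask"]).subnet_of(_net(e["ipMask"])) for e in rules[:i]):
            shadowed.append(rule["filterName"])
    return shadowed

# Constructed classic configurations for the page's "accept only 192.168.100.0/22" goal.
ALLOW_ONPREM = {"action": "Allow", "filterName": "OnPrem", "ipMask": "192.168.100.0/22"}
BLOCK_ALL = {"action": "Reject", "filterName": "BlockAll", "ipMask": "0.0.0.0/0"}
CORRECT = [ALLOW_ONPREM, BLOCK_ALL]     # steps 1-3 done right
MISSING_BLOCK_ALL = [ALLOW_ONPREM]      # step 2 forgotten: unmatched IPs still get in
MISORDERED = [BLOCK_ALL, ALLOW_ONPREM]  # step 3 wrong: the allow rule is shadowed

if __name__ == "__main__":
    for name, rules in [("correct", CORRECT), ("missing block-all", MISSING_BLOCK_ALL),
                        ("misordered", MISORDERED)]:
        print(f"{name:<18} 10.0.0.1 allowed={classic_allows(rules, '10.0.0.1')} "
              f"192.168.101.7 allowed={classic_allows(rules, '192.168.101.7')} "
              f"shadowed={shadowed_rules(rules)}")
    print("upgraded [192.168.100.0/22] 10.0.0.1 allowed =", upgraded_allows(["192.168.100.0/22"], "10.0.0.1"))
```

Running shadowed_rules over an exported classic rule set before the guided upgrade surfaces the misordering case, which is otherwise invisible in the grid until a trusted client is rejected.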

You can change the order of your IP filter rules in the grid by clicking the three vertical dots at the start of a row and using drag and drop.

To save your new IP filter rule order, click Save.

Image: changing the order of IoT Hub IP filter rules.

Next steps

To further explore the capabilities of IoT Hub, see: