Use IP filters

Security is an important aspect of any IoT solution based on Azure IoT Hub. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The IP filter feature enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses.

When to use

There are two specific use cases where it is useful to block the IoT Hub endpoints for certain IP addresses:

  • Your IoT hub should receive traffic only from a specified range of IP addresses and reject everything else. For example, you are using your IoT hub with Azure Express Route to create private connections between an IoT hub and your on-premises infrastructure.
  • You need to reject traffic from IP addresses that have been identified as suspicious by the IoT hub administrator.

How filter rules are applied

The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. However, clients reading directly from the built-in Event Hub-compatible endpoint (not via the IoT Hub connection string) are not bound by the IP filter rules.

Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule. Rejecting IP addresses can prevent other Azure services such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in the Azure portal from interacting with the IoT hub.

Note

If you must use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filter enabled, use the Event Hub-compatible name and endpoint of your IoT hub to manually add an Event Hubs stream input in ASA.

Default setting

By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub accepts connections from any IP address. It is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

To get to the IP Filter settings page, select Networking, then Public access, then choose Selected IP Ranges:

IoT Hub default IP filter settings

Add or edit an IP filter rule

To add an IP filter rule, select + Add IP Filter Rule.

Add an IP filter rule to an IoT hub

After selecting Add IP Filter Rule, fill in the fields.

After selecting Add IP Filter Rule

  • Provide a name for the IP filter rule. This must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus {'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''} are accepted.

  • Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

  • Select Allow or Block as the action for the IP filter rule.

After filling in the fields, select Save to save the rule. You see an alert notifying you that the update is in progress.

Notification about saving an IP filter rule

The Add option is disabled when you reach the maximum of 10 IP filter rules.
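The field constraints above (name length and character set, case-insensitive uniqueness, IPv4 address or CIDR block, Allow/Block action, at most 10 rules) are easy to get wrong when rules are generated by a script rather than typed into the portal. The following is an added example, not code from the page or from Azure, that checks a proposed rule against exactly those constraints before it is submitted, and works out the address range a CIDR block covers. The sample rule list and the function names are this example's own; how the portal itself validates host bits in a CIDR mask is not stated on the page, so the example simply masks them off.

```python
import ipaddress
import re

# Limits stated on the page: up to 10 rules per hub; names are unique (case-insensitive),
# ASCII 7-bit alphanumeric plus the listed punctuation, at most 128 characters.
MAX_RULES = 10
MAX_NAME_LEN = 128
# Allowed name characters: A-Z a-z 0-9 and - : / \ . + % _ # * ? ! ( ) , = @ ; '
NAME_PATTERN = re.compile(r"^[A-Za-z0-9\-:/\\.+%_#*?!(),=@;']+$")
ACTIONS = {"Allow", "Block"}  # the portal's two actions (the CLI JSON spells Block as "Reject")


def validate_name(name, existing_names=()):
    """Return (ok, reason) for a proposed rule name."""
    if not name or len(name) > MAX_NAME_LEN:
        return False, "name must be 1-128 characters"
    if not NAME_PATTERN.fullmatch(name):
        return False, "name contains a character outside the accepted set"
    if name.lower() in {n.lower() for n in existing_names}:
        return False, "name must be unique (compared case-insensitively)"
    return True, ""


def parse_ip_mask(ip_mask):
    """Accept a single IPv4 address or an IPv4 block in CIDR notation.

    Host bits are masked off here (strict=False); that leniency is this example's
    choice, not something the page states about the portal's own validation.
    """
    net = ipaddress.ip_network(ip_mask, strict=False)
    if net.version != 4:
        raise ValueError("IP filter rules accept IPv4 only")
    return net


def address_range(ip_mask):
    """First address, last address and size of the block, e.g. for 192.168.100.0/22."""
    net = parse_ip_mask(ip_mask)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def validate_rule(name, ip_mask, action, existing_rules):
    """Check one new rule against the page's constraints and the rules already present."""
    if len(existing_rules) >= MAX_RULES:
        return False, f"a hub holds at most {MAX_RULES} IP filter rules"
    ok, reason = validate_name(name, [r["filterName"] for r in existing_rules])
    if not ok:
        return False, reason
    if action not in ACTIONS:
        return False, "action must be Allow or Block"
    try:
        parse_ip_mask(ip_mask)
    except ValueError as exc:
        return False, f"invalid IPv4 address or CIDR block: {exc}"
    return True, ""


if __name__ == "__main__":
    # Constructed sample rule, modelled on the shape `az resource show` returns.
    existing = [{"filterName": "GoodIP", "action": "Allow", "ipMask": "131.107.160.200"}]
    print(address_range("192.168.100.0/22"))  # ('192.168.100.0', '192.168.103.255', 1024)
    print(validate_rule("OnPremRange", "192.168.100.0/22", "Allow", existing))
    print(validate_rule("goodip", "10.0.0.1", "Block", existing))  # rejected: duplicate name
```

Running the script prints the range for the page's /22 example and shows that a name differing only in case from an existing rule is rejected, which matches the case-insensitive uniqueness rule.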

To edit an existing rule, select the data you want to change, make the change, then select Save to save your edit.

Delete an IP filter rule

To delete an IP filter rule, select the trash can icon on that row and then select Save. The rule is removed and the change is saved.

Delete an IoT Hub IP filter rule

Retrieve and update IP filters using Azure CLI

Your IoT hub's IP filters can be retrieved and updated through Azure CLI.

To retrieve the current IP filters of your IoT hub, run:

az resource show -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs

This returns a JSON object in which your existing IP filters are listed under the properties.ipFilterRules key:

{
...
    "properties": {
        "ipFilterRules": [
        {
            "action": "Reject",
            "filterName": "MaliciousIP",
            "ipMask": "6.6.6.6/6"
        },
        {
            "action": "Allow",
            "filterName": "GoodIP",
            "ipMask": "131.107.160.200"
        },
        ...
        ],
    },
...
}

To add a new IP filter to your IoT hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --add properties.ipFilterRules "{\"action\":\"Reject\",\"filterName\":\"MaliciousIP\",\"ipMask\":\"6.6.6.6/6\"}"

To remove an existing IP filter from your IoT hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --remove properties.ipFilterRules <ipFilterIndexToRemove>

Note that <ipFilterIndexToRemove> must correspond to the position of the IP filter in your IoT hub's properties.ipFilterRules list.

Retrieve and update IP filters using Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Your IoT hub's IP filters can be retrieved and set through Azure PowerShell.

# Get your IoT Hub resource using its name and its resource group name
$iothubResource = Get-AzResource -ResourceGroupName <resourceGroupName> -ResourceName <iotHubName> -ExpandProperties

# Access existing IP filter rules
$iothubResource.Properties.ipFilterRules | ForEach-Object { Write-Host $_ }

# Construct a new IP filter (same keys as the JSON returned by the resource provider)
$filter = @{'filterName'='MaliciousIP'; 'action'='Reject'; 'ipMask'='6.6.6.6/6'}

# Add your new IP filter rule
$iothubResource.Properties.ipFilterRules += $filter

# Remove an existing IP filter rule using its name, e.g., 'GoodIP'
$iothubResource.Properties.ipFilterRules = @($iothubResource.Properties.ipFilterRules | Where-Object { $_.filterName -ne 'GoodIP' })

# Update your IoT Hub resource with your updated IP filters
$iothubResource | Set-AzResource -Force

Update IP filter rules using REST

You may also retrieve and modify your IoT hub's IP filters using the Azure Resource Provider's REST endpoint. See properties.ipFilterRules in the createorupdate method.

IP filter rule evaluation

IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, the first rule in the grid should accept the address range 192.168.100.0/22. The next rule should reject all addresses by using the range 0.0.0.0/0.
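Because the first matching rule wins, the same two rules in the opposite order silently reject the on-premises range. The following added example (not code from the page or from Azure) models that evaluation over a rule list in the shape `az resource show` returns under properties.ipFilterRules, flags rules that an earlier rule already shadows, and looks up the list position a rule name occupies, which is the <ipFilterIndexToRemove> value the CLI section above needs. The rule names and addresses are constructed for the example; the function names are this example's own.

```python
import ipaddress

# Constructed sample rules in the shape `az resource show` returns under properties.ipFilterRules,
# ordered as the page's example requires: allow the on-premises block first, then reject all else.
SAMPLE_RULES = [
    {"action": "Allow", "filterName": "OnPremRange", "ipMask": "192.168.100.0/22"},
    {"action": "Reject", "filterName": "DenyAll", "ipMask": "0.0.0.0/0"},
]
# The same two rules in the wrong order: the deny-all rule now matches first and shadows the allow.
SHADOWED_RULES = list(reversed(SAMPLE_RULES))


def normalize_action(action):
    """Map the portal's Allow/Block and the CLI JSON's Allow/Reject onto one vocabulary."""
    a = action.strip().lower()
    if a == "allow":
        return "Allow"
    if a in ("reject", "block"):
        return "Reject"
    raise ValueError(f"unknown action {action!r}")


def evaluate(rules, client_ip):
    """First rule whose ipMask contains the client address decides; no match means Allow,
    mirroring the empty grid being equivalent to an accept rule for 0.0.0.0/0."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("IP filter rules are IPv4 only")
    for rule in rules:
        if ip in ipaddress.ip_network(rule["ipMask"], strict=False):
            return normalize_action(rule["action"])
    return "Allow"


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule already covers their whole block.
    A lint for the ordering mistake described above."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        for earlier in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier["ipMask"], strict=False)):
                shadowed.append(rule["filterName"])
                break
    return shadowed


def index_of_rule(rules, filter_name):
    """Position of a rule in properties.ipFilterRules, i.e. the value to pass as
    <ipFilterIndexToRemove> to `az resource update --remove`."""
    for i, rule in enumerate(rules):
        if rule["filterName"].lower() == filter_name.lower():
            return i
    raise KeyError(filter_name)


if __name__ == "__main__":
    for ip in ("192.168.101.7", "192.168.104.1"):
        print(ip, evaluate(SAMPLE_RULES, ip), evaluate(SHADOWED_RULES, ip))
    print("shadowed:", shadowed_rules(SHADOWED_RULES))
    print("index of DenyAll:", index_of_rule(SAMPLE_RULES, "DenyAll"))
```

The shadow check is the useful part for review: a rule list that contains a 0.0.0.0/0 reject anywhere but last, or an allow placed after a broader reject, shows up as a named shadowed rule before the change is saved, instead of as unexplained 401 responses from devices.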

You can change the order of your IP filter rules in the grid by clicking the three vertical dots at the start of a row and using drag and drop.

To save your new IP filter rule order, click Save.

Change the order of IoT Hub IP filter rules

Next steps

To further explore the capabilities of IoT Hub, see: