Use IP filters

Security is an important aspect of any IoT solution based on Azure IoT Hub. Sometimes you need to explicitly specify the IP addresses from which devices can connect as part of your security configuration. The IP filter feature enables you to configure rules for rejecting or accepting traffic from specific IPv4 addresses.

When to use

Use IP filters to receive traffic only from a specified range of IP addresses and reject everything else. For example, you are using your IoT hub with Azure Express Route to create private connections between an IoT hub and your on-premises infrastructure.

Default setting

To get to the IP Filter settings page, select Networking, Public access, then choose Selected IP Ranges:

[Image: IoT Hub default IP filter settings]

By default, the IP Filter grid in the portal for an IoT hub is empty. This default setting means that your hub blocks connections from all IP addresses. It is equivalent to a rule that blocks the 0.0.0.0/0 IP address range.

Add or edit an IP filter rule

To add an IP filter rule, select + Add IP Filter Rule.

[Image: Add an IP filter rule to an IoT hub]

After selecting Add IP Filter Rule, fill in the fields.

[Image: After selecting Add IP Filter Rule]

  • Provide a name for the IP filter rule. This name must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus {'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''} are accepted.

  • Provide a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

After filling in the fields, select Save to save the rule. You see an alert notifying you that the update is in progress.

[Image: Notification about saving an IP filter rule]

The Add option is disabled when you reach the maximum of 10 IP filter rules.

To edit an existing rule, select the data you want to change, make the change, then select Save to save your edit.

Delete an IP filter rule

To delete an IP filter rule, select the trash can icon on that row and then select Save. The rule is removed and the change is saved.

[Image: Delete an IoT Hub IP filter rule]

Apply IP filter rules to the built-in Event Hub compatible endpoint

To apply the IP filter rules to the built-in Event Hub compatible endpoint, check the box next to Apply IP filters to the built-in endpoint?, then select Save.

[Image: The built-in endpoint toggle and Save]

Note

This option isn't available to free (F1) IoT hubs. To apply IP filter rules to the built-in endpoint, use a paid IoT hub.

By enabling this option, your IP filter rules are replicated to the built-in endpoint, so only trusted IP ranges can access it.

If you disable this option, the built-in endpoint is accessible to all IP addresses. This behavior may be useful if you want to read from the endpoint with services whose IP addresses change, such as Azure Stream Analytics.

How filter rules are applied

The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. You can also choose whether the built-in Event Hub compatible endpoint (accessed directly, not via the IoT Hub connection string) is bound to these rules.

Any connection attempt from an IP address that isn't explicitly allowed receives an unauthorized 401 status code and description. The response message does not mention the IP rule. Rejecting IP addresses can prevent other Azure services such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in the Azure portal from interacting with the IoT hub.

Note

If you must use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filters enabled, disable the Apply IP filters to the built-in endpoint option, and then use the Event Hub-compatible name and endpoint of your IoT hub to manually add an Event Hubs stream input in ASA.

Ordering

IP filter rules are allow rules and are applied without ordering. Only IP addresses that you add are allowed to connect to IoT Hub.

For example, if you want to accept addresses in the range 192.168.100.0/22 and reject everything else, you only need to add one rule in the grid with the address range 192.168.100.0/22.
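The rule constraints and the allow-list semantics described above (Allow rules only, no ordering, default deny, at most 10 rules, the filter-name character set, IPv4 addresses or CIDR blocks) as an added Python example; this is not code from the article or from the IoT Hub service. It works on a constructed rule set in the shape `az resource show` returns so you can check, before saving, that a rule set is valid and that a known device address would be admitted.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of properties.networkRuleSets; not a real hub.
SAMPLE_RULESET = json.loads("""{
  "defaultAction": "Deny",
  "applyToBuiltInEventHubEndpoint": true,
  "ipRules": [
    {"filterName": "TrustedFactories", "action": "Allow", "ipMask": "192.168.100.0/22"},
    {"filterName": "TrustedDevices",   "action": "Allow", "ipMask": "203.0.113.10"}
  ]
}""")

# Filter-name rule from the article: ASCII alphanumerics plus the listed
# punctuation, 1 to 128 characters.
_NAME_RE = re.compile(r"[A-Za-z0-9\-:/\\.+%_#*?!(),=@;']{1,128}")
MAX_RULES = 10


def validate_ruleset(ruleset):
    """Return a list of problems; an empty list means the rule set is acceptable."""
    problems = []
    rules = ruleset.get("ipRules", [])
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the maximum of {MAX_RULES}")
    seen = set()
    for rule in rules:
        name = rule.get("filterName", "")
        if not _NAME_RE.fullmatch(name):
            problems.append(f"invalid filter name {name!r}")
        if name.lower() in seen:  # names must be unique, case-insensitively
            problems.append(f"duplicate filter name {name!r}")
        seen.add(name.lower())
        try:
            net = ipaddress.ip_network(rule.get("ipMask", ""), strict=False)
            if net.version != 4:
                problems.append(f"{rule['ipMask']} is not an IPv4 range")
        except ValueError:
            problems.append(f"bad ipMask {rule.get('ipMask')!r} in rule {name!r}")
    return problems


def is_allowed(ruleset, client_ip, built_in_endpoint=False):
    """Allow rules, no ordering, default deny: admitted iff some rule contains the IP.
    The built-in endpoint stays open unless applyToBuiltInEventHubEndpoint is true."""
    if built_in_endpoint and not ruleset.get("applyToBuiltInEventHubEndpoint", False):
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["ipMask"], strict=False)
               for r in ruleset["ipRules"] if r.get("action") == "Allow")
```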

Retrieve and update IP filters using Azure CLI

Your IoT hub's IP filters can be retrieved and updated through Azure CLI.

To retrieve the current IP filters of your IoT hub, run:

az resource show -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs

This returns a JSON object in which your existing IP filters are listed under the properties.networkRuleSets key:

{
...
    "properties": {
        "networkRuleSets": {
            "defaultAction": "Deny",
            "applyToBuiltInEventHubEndpoint": true,
            "ipRules": [{
                    "filterName": "TrustedFactories",
                    "action": "Allow",
                    "ipMask": "1.2.3.4/5"
                },
                {
                    "filterName": "TrustedDevices",
                    "action": "Allow",
                    "ipMask": "1.1.1.1/1"
                }
            ]
        }
    }
}

To add a new IP filter to your IoT hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --add properties.networkRuleSets.ipRules "{\"action\":\"Allow\",\"filterName\":\"TrustedIP\",\"ipMask\":\"192.168.0.1\"}"

To remove an existing IP filter from your IoT hub, run:

az resource update -n <iothubName> -g <resourceGroupName> --resource-type Microsoft.Devices/IotHubs --remove properties.networkRuleSets.ipRules <ipFilterIndexToRemove>

Here, <ipFilterIndexToRemove> must correspond to the position of the IP filter in your IoT hub's properties.networkRuleSets.ipRules array.

Retrieve and update IP filters using Azure PowerShell

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Your IoT hub's IP filters can be retrieved and set through Azure PowerShell.

# Get your IoT Hub resource using its name and its resource group name
$iothubResource = Get-AzResource -ResourceGroupName <resourceGroupName> -ResourceName <iotHubName> -ExpandProperties

# Print the existing IP filter rules
$iothubResource.Properties.networkRuleSets.ipRules | ForEach-Object { Write-Host $_ }

# Construct a new IP filter rule (a single IPv4 address or a CIDR block)
$filter = @{'filterName'='TrustedIP'; 'action'='Allow'; 'ipMask'='192.168.0.1'}

# Append the new rule to the existing rules
$iothubResource.Properties.networkRuleSets.ipRules += $filter

# Remove an existing IP filter rule by its name, e.g., 'GoodIP'
$iothubResource.Properties.networkRuleSets.ipRules = @($iothubResource.Properties.networkRuleSets.ipRules | Where-Object filterName -ne 'GoodIP')

# Write the updated IP filters back to the IoT Hub resource
$iothubResource | Set-AzResource -Force

Update IP filter rules using REST

You can also retrieve and modify your IoT hub's IP filters using the Azure Resource Provider REST endpoint. See properties.networkRuleSets in the createorupdate method.

IP filter (classic) retirement

The classic IP filter has been retired. To learn more, see IoT Hub classic IP filter and how to upgrade.

Next steps

To further explore the capabilities of IoT Hub, see: