IoT Hub IP addresses

The IP address prefixes of IoT Hub public endpoints are published periodically under the AzureIoTHub service tag.

You may use these IP address prefixes to control connectivity between IoT Hub and your devices or network assets in order to implement a variety of network isolation goals:

| Goal | Applicable scenarios | Approach |
| --- | --- | --- |
| Ensure your devices and services communicate with IoT Hub endpoints only | Device-to-cloud and cloud-to-device messaging, direct methods, device and module twins | Use the AzureIoTHub and EventHub service tags to discover the IoT Hub and Event Hub IP address prefixes, and configure ALLOW rules for those prefixes in your devices' and services' firewall settings accordingly; drop traffic to any other destination IP addresses you do not want the devices or services to communicate with. |
| Ensure your IoT Hub device endpoint receives connections only from your devices and network assets | Device-to-cloud and cloud-to-device messaging, direct methods, device and module twins | Use the IoT Hub IP filter feature to allow connections from the IP addresses of your devices and network assets (see the limitations section). |
| Ensure your routes' custom endpoint resources (storage accounts, service bus and event hubs) are reachable from your network assets only | Message routing | Follow your resource's guidance on restricting connectivity (for example via firewall rules or service endpoints); use the AzureIoTHub service tag to discover the IoT Hub IP address prefixes and add ALLOW rules for those prefixes in your resource's firewall configuration (see the limitations section). |

Best practices

  • When adding ALLOW rules in your devices' firewall configuration, it is best to restrict them to the specific ports used by the applicable protocols.

  • The IP address prefixes of IoT Hub are subject to change. These changes are published periodically via service tags before taking effect. It is therefore important that you develop processes to regularly retrieve and use the latest service tags. This process can be automated via the service tags discovery API. Note that the service tags discovery API is still in preview and in some cases may not produce the full list of tags and IP addresses. Until the discovery API is generally available, consider using the service tags in downloadable JSON format.

  • Use the AzureIoTHub.[region name] tag to identify the IP prefixes used by IoT Hub endpoints in a specific region. To account for datacenter disaster recovery or regional failover, ensure that connectivity to the IP prefixes of your IoT Hub's geo-pair region is also enabled.

  • Setting up firewall rules in IoT Hub may block connectivity needed to run Azure CLI and PowerShell commands against your IoT Hub. To avoid this, you can add ALLOW rules for your clients' IP address prefixes to re-enable CLI or PowerShell clients to communicate with your IoT Hub.
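The following is an added example, not part of this page or of any Microsoft tooling. It shows how the first table row and the best practices above fit together: read the downloadable service-tag JSON (a constructed sample in the `values[].name` / `properties.addressPrefixes` layout, with RFC 5737 documentation prefixes), build per-port ALLOW rules for a hub's region tag plus its geo-pair region tag (EastUS/WestUS assumed as the pair), keep only IPv4 prefixes, and diff two publications so a scheduled job can tell when rules need refreshing. The ports are the standard IoT Hub device-facing ports, assumed here rather than taken from the page.

```python
import ipaddress
import json

# Constructed sample in the layout of the downloadable service-tag JSON
# (values[].name and properties.addressPrefixes). The prefixes are RFC 5737
# documentation ranges, not real IoT Hub addresses.
SERVICE_TAGS_V1 = json.loads("""
{"changeNumber": 1, "cloud": "Public", "values": [
  {"name": "AzureIoTHub", "properties": {"region": "",
   "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32"]}},
  {"name": "AzureIoTHub.EastUS", "properties": {"region": "eastus",
   "addressPrefixes": ["192.0.2.0/24"]}},
  {"name": "AzureIoTHub.WestUS", "properties": {"region": "westus",
   "addressPrefixes": ["198.51.100.0/25"]}}
]}""")

# Constructed later publication: the global tag gains one prefix.
SERVICE_TAGS_V2 = json.loads(json.dumps(SERVICE_TAGS_V1))
SERVICE_TAGS_V2["changeNumber"] = 2
SERVICE_TAGS_V2["values"][0]["properties"]["addressPrefixes"].append("203.0.113.0/24")

# Assumed standard IoT Hub device-facing ports: MQTT, AMQP, HTTPS/WebSockets.
IOT_HUB_PORTS = (8883, 5671, 443)


def prefixes_for(doc, tag):
    """IPv4 prefixes published under one service tag (IoT Hub has no IPv6)."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return sorted(p for p in entry["properties"]["addressPrefixes"]
                          if ipaddress.ip_network(p).version == 4)
    raise KeyError(f"service tag {tag!r} not in this service-tag document")


def allow_rules(doc, tags, ports=IOT_HUB_PORTS):
    """Outbound ALLOW (prefix, port) pairs for a device firewall, covering the
    hub's region tag and its geo-pair tag; everything else should be dropped."""
    rules = set()
    for tag in tags:
        for prefix in prefixes_for(doc, tag):
            rules.update((prefix, port) for port in ports)
    return sorted(rules)


def prefix_changes(old_doc, new_doc, tag):
    """(added, removed) prefixes between two publications of the same tag."""
    old, new = set(prefixes_for(old_doc, tag)), set(prefixes_for(new_doc, tag))
    return sorted(new - old), sorted(old - new)
```

A non-empty result from `prefix_changes` is the signal to regenerate and push the device firewall rules before the new prefixes take effect.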

Limitations and workarounds

  • The IoT Hub IP filter feature has a limit of 10 rules. This limit can be raised via a request through Azure Customer Support.

  • Your configured IP filtering rules are applied only on your IoT Hub IP endpoints and not on your IoT Hub's built-in Event Hub endpoint. If you also require IP filtering on the Event Hub where your messages are stored, you can do so by bringing your own Event Hub resource, where you can configure the desired IP filtering rules directly. To do so, provision your own Event Hub resource and set up message routing to send your messages to that resource instead of your IoT Hub's built-in Event Hub. Finally, as discussed in the table above, to enable message routing you also need to allow connectivity from IoT Hub's IP address prefixes to your provisioned Event Hub resource.

  • When routing to a storage account, allowing traffic from IoT Hub's IP address prefixes is only possible when the storage account is in a different region from your IoT Hub.

Support for IPv6

IPv6 is currently not supported on IoT Hub.