Quickstart: Diagnose a virtual machine network traffic filter problem using the Azure portal

In this quickstart, you deploy a virtual machine (VM), and then check communications to an IP address and URL and from an IP address. You determine the cause of a communication failure and how you can resolve it.

If you don't have an Azure subscription, create a trial account before you begin.

Log in to Azure

Log in to the Azure portal at https://portal.azure.cn.

Create a VM

  1. Select + Create a resource found on the upper, left corner of the Azure portal.

  2. Select Compute, and then select Windows Server 2016 Datacenter or Ubuntu Server 17.10 VM.

  3. Enter, or select, the following information, accept the defaults for the remaining settings, and then select OK:

    Setting          Value
    Name             myVm
    User name        Enter a user name of your choosing.
    Password         Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Subscription     Select your subscription.
    Resource group   Select Create new and enter myResourceGroup.
    Location         Select China East
  4. Select a size for the VM and then select Select.

  5. Under Settings, accept all the defaults, and select OK.

  6. Under Create of the Summary, select Create to start VM deployment. The VM takes a few minutes to deploy. Wait for the VM to finish deploying before continuing with the remaining steps.

Test network communication

To test network communication with Network Watcher, first enable a network watcher in at least one Azure region, and then use Network Watcher's IP flow verify capability.

Enable network watcher

If you already have a network watcher enabled in at least one region, skip to Use IP flow verify.

  1. In the portal, select All services. In the Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.

  2. Enable a network watcher in the China East region, because that's the region the VM was deployed to in a previous step. Select Regions, to expand it, and then select ... to the right of China East, as shown in the following picture:

    (Figure: Enable network watcher)

  3. Select Enable Network Watcher.

Use IP flow verify

When you create a VM, Azure allows and denies network traffic to and from the VM, by default. You might later override Azure's defaults, allowing or denying additional types of traffic.

  1. In the portal, select All services. In the All services Filter box, enter Network Watcher. When Network Watcher appears in the results, select it.

  2. Select IP flow verify, under NETWORK DIAGNOSTIC TOOLS.

  3. Select your subscription, enter or select the following values, and then select Check, as shown in the picture that follows:

    Setting             Value
    Resource group      Select myResourceGroup
    Virtual machine     Select myVm
    Network interface   myvm - The network interface the portal created when you created the VM has a different name.
    Protocol            TCP
    Direction           Outbound
    Local IP address    10.0.0.4
    Local port          60000
    Remote IP address   13.107.21.200 - One of the addresses for www.bing.com.
    Remote port         80

    (Figure: IP flow verify)

    After a few seconds, the result returned informs you that access is allowed because of a security rule named AllowInternetOutbound. When you ran the check, Network Watcher automatically created a network watcher in the China East region, if you had an existing network watcher in a region other than the China East region before you ran the check.

  4. Complete step 3 again, but change the Remote IP address to 172.31.0.100. The result returned informs you that access is denied because of a security rule named DefaultOutboundDenyAll.

  5. Complete step 3 again, but change the Direction to Inbound, the Local port to 80 and the Remote port to 60000. The result returned informs you that access is denied because of a security rule named DefaultInboundDenyAll.

Now that you know which security rules are allowing or denying traffic to or from a VM, you can determine how to resolve the problems.

View details of a security rule

  1. To determine why the rules in steps 3-5 of Use IP flow verify allow or deny communication, review the effective security rules for the network interface in the VM. In the search box at the top of the portal, enter myvm. When the myvm (or whatever the name of your network interface is) network interface appears in the search results, select it.

  2. Select Effective security rules under SUPPORT + TROUBLESHOOTING, as shown in the following picture:

    (Figure: Effective security rules)

    In step 3 of Use IP flow verify, you learned that the communication was allowed because of the AllowInternetOutbound rule. You can see in the previous picture that the DESTINATION for the rule is Internet. It's not yet clear, though, how 13.107.21.200, the address you tested in step 3 of Use IP flow verify, relates to Internet.

  3. Select the AllowInternetOutBound rule, and then select Destination, as shown in the following picture:

    (Figure: Security rule prefixes)

    One of the prefixes in the list is 12.0.0.0/6, which encompasses the 12.0.0.1-15.255.255.254 range of IP addresses. Since 13.107.21.200 is within that address range, the AllowInternetOutBound rule allows the outbound traffic. Additionally, no higher priority (lower number) rule shown in the picture in step 2 overrides this rule. Close the Address prefixes box. To deny outbound communication to 13.107.21.200, you could add a security rule with a higher priority that denies port 80 outbound to that IP address.

  4. When you ran the outbound check to 172.31.0.100 in step 4 of Use IP flow verify, you learned that the DefaultOutboundDenyAll rule denied communication. That rule equates to the DenyAllOutBound rule shown in the picture in step 2, which specifies 0.0.0.0/0 as the DESTINATION. This rule denies the outbound communication to 172.31.0.100, because the address is not within the DESTINATION of any of the other Outbound rules shown in the picture. To allow the outbound communication, you could add a security rule with a higher priority that allows outbound traffic to port 80 for the 172.31.0.100 address.

  5. When you ran the inbound check from 172.31.0.100 in step 5 of Use IP flow verify, you learned that the DefaultInboundDenyAll rule denied communication. That rule equates to the DenyAllInBound rule shown in the picture in step 2. The DenyAllInBound rule is enforced because no other higher priority rule exists that allows port 80 inbound to the VM from 172.31.0.100. To allow the inbound communication, you could add a security rule with a higher priority that allows port 80 inbound from 172.31.0.100.
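The evaluation that IP flow verify performs in steps 3-5, and that the effective rules in this section explain, can be reproduced offline. The following is an added example, not code from the original page or from Azure: a constructed, simplified model of the effective security rules (only the three rules the page discusses, with Azure's default priorities; the "Internet" destination is reduced to the single 12.0.0.0/6 prefix walked through above), plus the hypothetical higher-priority remediation rules DenyBingOutBound and AllowWebInBound suggested in steps 3 and 5.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed model of the effective rules shown on this page. Priorities are
# Azure's defaults for these three rules; the AllowVnet* and AzureLoadBalancer
# defaults are omitted because none of the flows checked here match them.
# The "Internet" destination is modelled by 12.0.0.0/6 alone (assumption).
INTERNET_PREFIXES = ("12.0.0.0/6",)

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # lower number is evaluated first
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str           # "TCP", "UDP" or "*"
    remote_prefixes: tuple  # destination prefixes (Outbound) or source prefixes (Inbound)
    dest_port: str          # port on the receiving side of the flow, or "*"

DEFAULT_RULES = (
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", INTERNET_PREFIXES, "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", ("0.0.0.0/0",), "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("0.0.0.0/0",), "*"),
)

def ip_flow_verify(rules, direction, protocol, local_port, remote_ip, remote_port):
    """Emulate IP flow verify: walk the rules in ascending priority and return
    (access, rule_name) for the first one that matches. First match wins."""
    addr = ip_address(remote_ip)
    # An NSG port field refers to the destination of the flow: the remote port
    # for outbound traffic, the VM's own local port for inbound traffic.
    dest_port = remote_port if direction == "Outbound" else local_port
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction or rule.protocol not in ("*", protocol):
            continue
        if rule.dest_port != "*" and int(rule.dest_port) != dest_port:
            continue
        if any(addr in ip_network(p) for p in rule.remote_prefixes):
            return rule.access, rule.name
    return "Deny", None  # unreachable while the 0.0.0.0/0 deny rules are present

# Hypothetical remediation rules from steps 3 and 5: a lower number than the
# defaults, so they are evaluated first and override the default outcome.
DENY_BING_80 = Rule("DenyBingOutBound", 100, "Outbound", "Deny", "TCP", ("13.107.21.200/32",), "80")
ALLOW_172_IN_80 = Rule("AllowWebInBound", 100, "Inbound", "Allow", "TCP", ("172.31.0.100/32",), "80")

if __name__ == "__main__":
    print(ip_flow_verify(DEFAULT_RULES, "Outbound", "TCP", 60000, "13.107.21.200", 80))
    print(ip_flow_verify((DENY_BING_80,) + DEFAULT_RULES, "Outbound", "TCP", 60000, "13.107.21.200", 80))
```

The rule names returned are the effective-rule names from step 2 (AllowInternetOutBound, DenyAllOutBound, DenyAllInBound), which the IP flow verify results report as AllowInternetOutbound, DefaultOutboundDenyAll and DefaultInboundDenyAll.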

The checks in this quickstart tested Azure configuration. If the checks return expected results and you still have network problems, ensure that you don't have a firewall between your VM and the endpoint you're communicating with, and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this quickstart, you created a VM and diagnosed inbound and outbound network traffic filters. You learned how network security group rules allow or deny traffic to and from a VM.

Even with the proper network traffic filters in place, communication to a VM can still fail because of routing configuration. To learn how to diagnose VM network routing problems, see Diagnose VM routing problems or, to diagnose outbound routing, latency, and traffic filtering problems with one tool, see Connection troubleshoot.