Quickstart: Diagnose a virtual machine network traffic filter problem - Azure CLI

In this quickstart you deploy a virtual machine (VM), and then check communications to an IP address and URL and from an IP address. You determine the cause of a communication failure and how you can resolve it.

If you don't have an Azure subscription, create a trial account before you begin.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Global Azure, run az cloud set -n AzureCloud again.

If you choose to install and use the CLI locally, this quickstart requires that you are running the Azure CLI version 2.0.28 or later. To find the installed version, run az --version. If you need to install or upgrade, see Install Azure CLI 2.0. After you verify the CLI version, run az login to create a connection with Azure. The CLI commands in this quickstart are formatted to run in a Bash shell.

Create a VM

Before you can create a VM, you must create a resource group to contain the VM. Create a resource group with az group create. The following example creates a resource group named myResourceGroup in the chinaeast location:

az group create --name myResourceGroup --location chinaeast

Create a VM with az vm create. If SSH keys do not already exist in a default key location, the command creates them. To use a specific set of keys, use the --ssh-key-value option. The following example creates a VM named myVm:

az vm create \
  --resource-group myResourceGroup \
  --name myVm \
  --image UbuntuLTS \
  --generate-ssh-keys

The VM takes a few minutes to create. Don't continue with the remaining steps until the VM is created and the CLI returns output.

Test network communication

To test network communication with Network Watcher, you must first enable a network watcher in the region that contains the VM you want to test, and then use Network Watcher's IP flow verify capability to test communication.

Enable network watcher

If you already have a network watcher enabled in the China East region, skip to Use IP flow verify. Use the az network watcher configure command to create a network watcher in the China East region:

az network watcher configure \
  --resource-group NetworkWatcherRG \
  --locations chinaeast \
  --enabled

Use IP flow verify

When you create a VM, Azure allows and denies network traffic to and from the VM by default. You might later override Azure's defaults, allowing or denying additional types of traffic. To test whether traffic is allowed or denied to different destinations and from a source IP address, use the az network watcher test-ip-flow command.

Test outbound communication from the VM to one of the IP addresses for www.bing.com:

az network watcher test-ip-flow \
  --direction outbound \
  --local 10.0.0.4:60000 \
  --protocol TCP \
  --remote 13.107.21.200:80 \
  --vm myVm \
  --nic myVmVMNic \
  --resource-group myResourceGroup \
  --out table

After several seconds, the result returned informs you that access is allowed by a security rule named AllowInternetOutbound.

Test outbound communication from the VM to 172.31.0.100:

az network watcher test-ip-flow \
  --direction outbound \
  --local 10.0.0.4:60000 \
  --protocol TCP \
  --remote 172.31.0.100:80 \
  --vm myVm \
  --nic myVmVMNic \
  --resource-group myResourceGroup \
  --out table

The result returned informs you that access is denied by a security rule named DefaultOutboundDenyAll.

Test inbound communication to the VM from 172.31.0.100:

az network watcher test-ip-flow \
  --direction inbound \
  --local 10.0.0.4:80 \
  --protocol TCP \
  --remote 172.31.0.100:60000 \
  --vm myVm \
  --nic myVmVMNic \
  --resource-group myResourceGroup \
  --out table

The result returned informs you that access is denied because of a security rule named DefaultInboundDenyAll. Now that you know which security rules are allowing or denying traffic to or from a VM, you can determine how to resolve the problems.

View details of a security rule

To determine why the rules in Use IP flow verify are allowing or preventing communication, review the effective security rules for the network interface with the az network nic list-effective-nsg command:

az network nic list-effective-nsg \
  --resource-group myResourceGroup \
  --name myVmVMNic

The returned output includes the following text for the AllowInternetOutbound rule that allowed outbound access to www.bing.com in a previous step under Use IP flow verify:

{
 "access": "Allow",
 "additionalProperties": {},
 "destinationAddressPrefix": "Internet",
 "destinationAddressPrefixes": [
  "Internet"
 ],
 "destinationPortRange": "0-65535",
 "destinationPortRanges": [
  "0-65535"
 ],
 "direction": "Outbound",
 "expandedDestinationAddressPrefix": [
  "1.0.0.0/8",
  "2.0.0.0/7",
  "4.0.0.0/6",
  "8.0.0.0/7",
  "11.0.0.0/8",
  "12.0.0.0/6",
  ...
 ],
 "expandedSourceAddressPrefix": null,
 "name": "defaultSecurityRules/AllowInternetOutBound",
 "priority": 65001,
 "protocol": "All",
 "sourceAddressPrefix": "0.0.0.0/0",
 "sourceAddressPrefixes": [
  "0.0.0.0/0"
 ],
 "sourcePortRange": "0-65535",
 "sourcePortRanges": [
  "0-65535"
 ]
},

You can see in the previous output that destinationAddressPrefix is Internet. It's not clear how 13.107.21.200 relates to Internet though. You see several address prefixes listed under expandedDestinationAddressPrefix. One of the prefixes in the list is 12.0.0.0/6, which encompasses the 12.0.0.1-15.255.255.254 range of IP addresses. Since 13.107.21.200 is within that address range, the AllowInternetOutBound rule allows the outbound traffic. Additionally, there are no higher priority (lower number) rules shown in the previous output that override this rule. To deny outbound communication to an IP address, you could add a security rule with a higher priority that denies port 80 outbound to the IP address.

When you ran the az network watcher test-ip-flow command to test outbound communication to 172.131.0.100 in Use IP flow verify, the output informed you that the DefaultOutboundDenyAll rule denied the communication. The DefaultOutboundDenyAll rule equates to the DenyAllOutBound rule listed in the following output from the az network nic list-effective-nsg command:

{
 "access": "Deny",
 "additionalProperties": {},
 "destinationAddressPrefix": "0.0.0.0/0",
 "destinationAddressPrefixes": [
  "0.0.0.0/0"
 ],
 "destinationPortRange": "0-65535",
 "destinationPortRanges": [
  "0-65535"
 ],
 "direction": "Outbound",
 "expandedDestinationAddressPrefix": null,
 "expandedSourceAddressPrefix": null,
 "name": "defaultSecurityRules/DenyAllOutBound",
 "priority": 65500,
 "protocol": "All",
 "sourceAddressPrefix": "0.0.0.0/0",
 "sourceAddressPrefixes": [
  "0.0.0.0/0"
 ],
 "sourcePortRange": "0-65535",
 "sourcePortRanges": [
  "0-65535"
 ]
}

The rule lists 0.0.0.0/0 as the destinationAddressPrefix. The rule denies the outbound communication to 172.131.0.100, because the address is not within the destinationAddressPrefix of any of the other outbound rules in the output from the az network nic list-effective-nsg command. To allow the outbound communication, you could add a security rule with a higher priority that allows outbound traffic to port 80 at 172.131.0.100.

When you ran the az network watcher test-ip-flow command in Use IP flow verify to test inbound communication from 172.131.0.100, the output informed you that the DefaultInboundDenyAll rule denied the communication. The DefaultInboundDenyAll rule equates to the DenyAllInBound rule listed in the following output from the az network nic list-effective-nsg command:

{
 "access": "Deny",
 "additionalProperties": {},
 "destinationAddressPrefix": "0.0.0.0/0",
 "destinationAddressPrefixes": [
  "0.0.0.0/0"
 ],
 "destinationPortRange": "0-65535",
 "destinationPortRanges": [
  "0-65535"
 ],
 "direction": "Inbound",
 "expandedDestinationAddressPrefix": null,
 "expandedSourceAddressPrefix": null,
 "name": "defaultSecurityRules/DenyAllInBound",
 "priority": 65500,
 "protocol": "All",
 "sourceAddressPrefix": "0.0.0.0/0",
 "sourceAddressPrefixes": [
  "0.0.0.0/0"
 ],
 "sourcePortRange": "0-65535",
 "sourcePortRanges": [
  "0-65535"
 ]
},

The DenyAllInBound rule is applied because, as shown in the output from the az network nic list-effective-nsg command, no other higher priority rule exists that allows port 80 inbound to the VM from 172.131.0.100. To allow the inbound communication, you could add a security rule with a higher priority that allows port 80 inbound from 172.131.0.100.
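The three IP flow verify results above all follow from one evaluation model: the effective rules are walked in priority order (lowest number first) and the first rule whose direction, protocol, expanded address prefixes and port ranges all match decides the flow. The following added example, which is not Microsoft's code or the service's implementation, reproduces that model offline over a constructed subset of the rules shown on this page (the Internet prefix is cut down to the expanded entries listed before the "..."), then shows how the remedy described in the text, a higher-priority rule allowing TCP 80 inbound from 172.31.0.100, changes the verdict; the fix rule's name and its /32 source prefix are assumptions.

```python
import ipaddress
from collections import namedtuple

# One effective rule as list-effective-nsg reports it: prefixes are CIDR strings
# (the expanded form), ports are "lo-hi" ranges or a single port, lower priority wins.
Rule = namedtuple("Rule", "name priority direction access protocol src_prefixes dst_prefixes src_ports dst_ports")

def _in_prefixes(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def _in_port_range(port, rng):
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, local, remote):
    """Return (access, rule name) of the first matching rule in priority order.
    local/remote are "ip:port" strings in the sense used by test-ip-flow."""
    lip, lport = local.split(":")
    rip, rport = remote.split(":")
    # Outbound: the VM is the source. Inbound: the VM is the destination.
    if direction == "Outbound":
        src, sport, dst, dport = lip, int(lport), rip, int(rport)
    else:
        src, sport, dst, dport = rip, int(rport), lip, int(lport)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("All", protocol):
            continue
        if (_in_prefixes(src, r.src_prefixes) and _in_prefixes(dst, r.dst_prefixes)
                and _in_port_range(sport, r.src_ports) and _in_port_range(dport, r.dst_ports)):
            return r.access, r.name
    return "Deny", "(no matching rule)"

# Constructed from the effective rules shown on this page; "Internet" is cut down to
# the expanded prefixes the output above lists before the "...".
INTERNET = ["1.0.0.0/8", "2.0.0.0/7", "4.0.0.0/6", "8.0.0.0/7", "11.0.0.0/8", "12.0.0.0/6"]
ANY = ["0.0.0.0/0"]
DEFAULT_RULES = [
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "All", ANY, INTERNET, "0-65535", "0-65535"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "All", ANY, ANY, "0-65535", "0-65535"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "All", ANY, ANY, "0-65535", "0-65535"),
]

def with_inbound_allow(rules):
    # The remedy the text describes: a higher-priority (lower number) rule that
    # allows TCP 80 inbound from 172.31.0.100 only; the rule name is made up here.
    fix = Rule("AllowTcp80From172-31-0-100", 100, "Inbound", "Allow", "TCP",
               ["172.31.0.100/32"], ANY, "0-65535", "80")
    return rules + [fix]
```

Running evaluate with the three flows from Use IP flow verify returns the same allowing and denying rule names as the command did; scoping the fix to a single source address and port keeps the default deny in place for everything else.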

The checks in this quickstart tested Azure configuration. If the checks return expected results and you still have network problems, ensure that you don't have a firewall between your VM and the endpoint you're communicating with and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.

Clean up resources

When no longer needed, you can use az group delete to remove the resource group and all of the resources it contains:

az group delete --name myResourceGroup --yes

Next steps

In this quickstart, you created a VM and diagnosed inbound and outbound network traffic filters. You learned that network security group rules allow or deny traffic to and from a VM. Learn more about security rules and how to create security rules.

Even with the proper network traffic filters in place, communication to a VM can still fail due to routing configuration. To learn how to diagnose VM network routing problems, see Diagnose VM routing problems or, to diagnose outbound routing, latency, and traffic filtering problems with one tool, see Connection troubleshoot.