Quickstart: Diagnose a virtual machine network traffic filter problem - Azure PowerShell

In this quickstart, you deploy a virtual machine (VM), and then check communication to an IP address and a URL, and communication from an IP address. You determine the cause of a communication failure and how you can resolve it.

If you don't have an Azure subscription, create a trial account before you begin.

If you choose to install and use PowerShell locally, this quickstart requires the AzureRM PowerShell module version 5.4.1 or later. To find the installed version, run Get-Module -ListAvailable AzureRM. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount -EnvironmentName AzureChinaCloud to create a connection with Azure.

Create a VM

Before you can create a VM, you must create a resource group to contain the VM. Create a resource group with New-AzureRmResourceGroup. The following example creates a resource group named myResourceGroup in the chinaeast location.

New-AzureRmResourceGroup -Name myResourceGroup -Location ChinaEast

Create the VM with New-AzureRmVM. When you run this step, you are prompted for credentials. The values that you enter are configured as the user name and password for the VM.

$vM = New-AzureRmVm `
    -ResourceGroupName "myResourceGroup" `
    -Name "myVm" `
    -Location "China East"

The VM takes a few minutes to create. Don't continue with the remaining steps until the VM is created and PowerShell returns output.

Test network communication

To test network communication with Network Watcher, you must first enable a network watcher in the region that contains the VM you want to test, and then use Network Watcher's IP flow verify capability to test communication.

Enable network watcher

If you already have a network watcher enabled in the China East region, use Get-AzureRmNetworkWatcher to retrieve it. The following example retrieves an existing network watcher named NetworkWatcher_chinaeast in the NetworkWatcherRG resource group:

$networkWatcher = Get-AzureRmNetworkWatcher `
  -Name NetworkWatcher_chinaeast `
  -ResourceGroupName NetworkWatcherRG

If you don't already have a network watcher enabled in the China East region, use New-AzureRmNetworkWatcher to create one there:

$networkWatcher = New-AzureRmNetworkWatcher `
  -Name "NetworkWatcher_chinaeast" `
  -ResourceGroupName "NetworkWatcherRG" `
  -Location "China East"

Use IP flow verify

When you create a VM, Azure applies default security rules that allow some network traffic to and from the VM and deny the rest. You might later override Azure's defaults, allowing or denying additional types of traffic. To test whether traffic from a source IP address to different destinations is allowed or denied, use the Test-AzureRmNetworkWatcherIPFlow command.

Test outbound communication from the VM to one of the IP addresses for www.bing.com:

Test-AzureRmNetworkWatcherIPFlow `
  -NetworkWatcher $networkWatcher `
  -TargetVirtualMachineId $vM.Id `
  -Direction Outbound `
  -Protocol TCP `
  -LocalIPAddress 192.168.1.4 `
  -LocalPort 60000 `
  -RemoteIPAddress 13.107.21.200 `
  -RemotePort 80

After several seconds, the result informs you that access is allowed by a security rule named AllowInternetOutbound.

Test outbound communication from the VM to 172.31.0.100:

Test-AzureRmNetworkWatcherIPFlow `
  -NetworkWatcher $networkWatcher `
  -TargetVirtualMachineId $vM.Id `
  -Direction Outbound `
  -Protocol TCP `
  -LocalIPAddress 192.168.1.4 `
  -LocalPort 60000 `
  -RemoteIPAddress 172.31.0.100 `
  -RemotePort 80

The result informs you that access is denied by a security rule named DefaultOutboundDenyAll.

Test inbound communication to the VM from 172.31.0.100:

Test-AzureRmNetworkWatcherIPFlow `
  -NetworkWatcher $networkWatcher `
  -TargetVirtualMachineId $vM.Id `
  -Direction Inbound `
  -Protocol TCP `
  -LocalIPAddress 192.168.1.4 `
  -LocalPort 80 `
  -RemoteIPAddress 172.31.0.100 `
  -RemotePort 60000

The result informs you that access is denied by a security rule named DefaultInboundDenyAll. Now that you know which security rules are allowing or denying traffic to or from the VM, you can determine how to resolve the problems.

View details of a security rule

To determine why the rules in Test network communication allow or prevent communication, review the effective security rules for the network interface with Get-AzureRmEffectiveNetworkSecurityGroup:

Get-AzureRmEffectiveNetworkSecurityGroup `
  -NetworkInterfaceName myVm `
  -ResourceGroupName myResourceGroup

The returned output includes the following text for the AllowInternetOutbound rule that allowed outbound access to www.bing.com in Use IP flow verify:

{
  "Name": "defaultSecurityRules/AllowInternetOutBound",
  "Protocol": "All",
  "SourcePortRange": [
    "0-65535"
  ],
  "DestinationPortRange": [
    "0-65535"
  ],
  "SourceAddressPrefix": [
    "0.0.0.0/0"
  ],
  "DestinationAddressPrefix": [
    "Internet"
  ],
  "ExpandedSourceAddressPrefix": [],
  "ExpandedDestinationAddressPrefix": [
    "1.0.0.0/8",
    "2.0.0.0/7",
    "4.0.0.0/6",
    "8.0.0.0/7",
    "11.0.0.0/8",
    "12.0.0.0/6",
    ...
  ],
  "Access": "Allow",
  "Priority": 65001,
  "Direction": "Outbound"
},

You can see in the output that DestinationAddressPrefix is Internet. It's not immediately clear how 13.107.21.200, the address you tested in Use IP flow verify, relates to Internet. Several address prefixes are listed under ExpandedDestinationAddressPrefix. One of them is 12.0.0.0/6, which encompasses the 12.0.0.1-15.255.255.254 range of IP addresses. Since 13.107.21.200 is within that range, the AllowInternetOutBound rule allows the outbound traffic. Additionally, no higher-priority (lower-numbered) rule that overrides this rule appears in the output returned by Get-AzureRmEffectiveNetworkSecurityGroup. To deny outbound communication to 13.107.21.200, you could add a higher-priority security rule that denies port 80 outbound to that IP address.
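To make the prefix and priority reasoning above concrete, here is an added PowerShell example (not part of the original article) that re-creates the decision IP flow verify makes, over rule entries constructed to mirror the effective-rule output shown above; only the six expanded prefixes visible on the page are included, so an address outside them falls through to DenyAllOutBound.

```powershell
# Constructed example: evaluate a flow against NSG-style rules the way IP flow verify does.
function Test-IPInPrefix {
    param([string]$IPAddress, [string]$Prefix)          # e.g. 13.107.21.200, 12.0.0.0/6
    $network, $bits = $Prefix -split '/'
    if ([int]$bits -eq 0) { return $true }              # 0.0.0.0/0 matches everything
    $toUInt32 = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                            # network order -> host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32](([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((& $toUInt32 $IPAddress) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Test-PortInRange {
    param([int]$Port, [string]$Range)                   # "80", "0-65535" or "*"
    if ($Range -eq '*') { return $true }
    $parts = $Range -split '-'
    $lo = [int]$parts[0]
    $hi = if ($parts.Count -gt 1) { [int]$parts[1] } else { $lo }
    $Port -ge $lo -and $Port -le $hi
}

# Rules are tried in ascending Priority; the first match decides Allow or Deny.
function Find-MatchingRule {
    param($Rules, [string]$Direction, [string]$RemoteIP, [int]$RemotePort)
    foreach ($rule in ($Rules | Where-Object Direction -eq $Direction | Sort-Object Priority)) {
        # A service tag such as Internet is only testable through its expanded prefixes.
        $prefixes = if ($rule.ExpandedDestinationAddressPrefix) { $rule.ExpandedDestinationAddressPrefix }
                    else { $rule.DestinationAddressPrefix }
        $ipOk   = @($prefixes | Where-Object { Test-IPInPrefix $RemoteIP $_ }).Count -gt 0
        $portOk = @($rule.DestinationPortRange | Where-Object { Test-PortInRange $RemotePort $_ }).Count -gt 0
        if ($ipOk -and $portOk) { return $rule }
    }
}

# Constructed rule objects mirroring the two default outbound rules quoted in this article.
$rules = @(
    [pscustomobject]@{ Name = 'defaultSecurityRules/AllowInternetOutBound'; Direction = 'Outbound'
        Access = 'Allow'; Priority = 65001; DestinationPortRange = @('0-65535')
        DestinationAddressPrefix = @('Internet')
        ExpandedDestinationAddressPrefix = @('1.0.0.0/8','2.0.0.0/7','4.0.0.0/6','8.0.0.0/7','11.0.0.0/8','12.0.0.0/6') }
    [pscustomobject]@{ Name = 'defaultSecurityRules/DenyAllOutBound'; Direction = 'Outbound'
        Access = 'Deny'; Priority = 65500; DestinationPortRange = @('0-65535')
        DestinationAddressPrefix = @('0.0.0.0/0'); ExpandedDestinationAddressPrefix = @() }
)
Find-MatchingRule $rules Outbound 13.107.21.200 80 | Select-Object Name, Access  # AllowInternetOutBound / Allow
Find-MatchingRule $rules Outbound 172.31.0.100 80 | Select-Object Name, Access   # DenyAllOutBound / Deny
```

The same matching loop explains the inbound result: with no higher-priority inbound rule covering the flow, DenyAllInBound at priority 65500 is the first and only match.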

When you ran the Test-AzureRmNetworkWatcherIPFlow command to test outbound communication to 172.131.0.100 in Use IP flow verify, the output informed you that the DefaultOutboundDenyAll rule denied the communication. The DefaultOutboundDenyAll rule equates to the DenyAllOutBound rule listed in the following output from the Get-AzureRmEffectiveNetworkSecurityGroup command:

{
"Name": "defaultSecurityRules/DenyAllOutBound",
"Protocol": "All",
"SourcePortRange": [
  "0-65535"
],
"DestinationPortRange": [
  "0-65535"
],
"SourceAddressPrefix": [
  "0.0.0.0/0"
],
"DestinationAddressPrefix": [
  "0.0.0.0/0"
],
"ExpandedSourceAddressPrefix": [],
"ExpandedDestinationAddressPrefix": [],
"Access": "Deny",
"Priority": 65500,
"Direction": "Outbound"
}

The rule lists 0.0.0.0/0 as the DestinationAddressPrefix. The rule denies the outbound communication to 172.131.0.100 because the address is not within the DestinationAddressPrefix of any other outbound rule in the output from the Get-AzureRmEffectiveNetworkSecurityGroup command. To allow the outbound communication, you could add a higher-priority security rule that allows outbound traffic to port 80 at 172.131.0.100.

When you ran the Test-AzureRmNetworkWatcherIPFlow command to test inbound communication from 172.131.0.100 in Use IP flow verify, the output informed you that the DefaultInboundDenyAll rule denied the communication. The DefaultInboundDenyAll rule equates to the DenyAllInBound rule listed in the following output from the Get-AzureRmEffectiveNetworkSecurityGroup command:

{
"Name": "defaultSecurityRules/DenyAllInBound",
"Protocol": "All",
"SourcePortRange": [
  "0-65535"
],
"DestinationPortRange": [
  "0-65535"
],
"SourceAddressPrefix": [
  "0.0.0.0/0"
],
"DestinationAddressPrefix": [
  "0.0.0.0/0"
],
"ExpandedSourceAddressPrefix": [],
"ExpandedDestinationAddressPrefix": [],
"Access": "Deny",
"Priority": 65500,
"Direction": "Inbound"
},

The DenyAllInBound rule is applied because, as the output from the Get-AzureRmEffectiveNetworkSecurityGroup command shows, no higher-priority rule allows port 80 inbound to the VM from 172.131.0.100. To allow the inbound communication, you could add a higher-priority security rule that allows port 80 inbound from 172.131.0.100.
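The following added example (not part of the original article) shows how the two remediations described above are applied with the AzureRM cmdlets and then confirmed with IP flow verify. It assumes $networkWatcher and $vM from the earlier steps, that the NSG is attached to the VM's network interface named myVm (as in the Get-AzureRmEffectiveNetworkSecurityGroup step), and that the NSG lives in myResourceGroup; the rule names are chosen here.

```powershell
# Added example: tighten/allow exactly one flow each with narrowly scoped, higher-priority rules.
# Resolve the NSG from the NIC rather than assuming its name (assumes same resource group).
$nic     = Get-AzureRmNetworkInterface -Name myVm -ResourceGroupName myResourceGroup
$nsgName = ($nic.NetworkSecurityGroup.Id -split '/')[-1]
$nsg     = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName myResourceGroup

# Priority 100 is evaluated before the default rules (65001 and 65500), so it wins.
# Deny outbound TCP 80 to 13.107.21.200 only, overriding AllowInternetOutBound for that flow.
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name DenyHttpTo-13-107-21-200 `
    -Direction Outbound -Access Deny -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix 13.107.21.200 -DestinationPortRange 80 | Out-Null

# Allow inbound TCP 80 from 172.131.0.100 only; anything else still hits DenyAllInBound.
$nsg | Add-AzureRmNetworkSecurityRuleConfig -Name AllowHttpFrom-172-131-0-100 `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix 172.131.0.100 -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80 | Out-Null

# Rule configs are local until the NSG is written back.
$nsg | Set-AzureRmNetworkSecurityGroup | Out-Null

# Re-run the same checks as before; RuleName should now report the new rules.
$outbound = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $networkWatcher `
    -TargetVirtualMachineId $vM.Id -Direction Outbound -Protocol TCP `
    -LocalIPAddress 192.168.1.4 -LocalPort 60000 -RemoteIPAddress 13.107.21.200 -RemotePort 80
$inbound  = Test-AzureRmNetworkWatcherIPFlow -NetworkWatcher $networkWatcher `
    -TargetVirtualMachineId $vM.Id -Direction Inbound -Protocol TCP `
    -LocalIPAddress 192.168.1.4 -LocalPort 80 -RemoteIPAddress 172.131.0.100 -RemotePort 60000
$outbound, $inbound | Format-Table Access, RuleName
```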

The checks in this quickstart tested Azure configuration. If the checks return the expected results and you still have network problems, ensure that there is no firewall between your VM and the endpoint you're communicating with, and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.

Clean up resources

When the resource group and all of the resources it contains are no longer needed, remove them with Remove-AzureRmResourceGroup:

Remove-AzureRmResourceGroup -Name myResourceGroup -Force

Next steps

In this quickstart, you created a VM and diagnosed inbound and outbound network traffic filters. You learned that network security group rules allow or deny traffic to and from a VM. Learn more about security rules and how to create security rules.

Even with the proper network traffic filters in place, communication to a VM can still fail because of routing configuration. To learn how to diagnose VM network routing problems, see Diagnose VM routing problems, or, to diagnose outbound routing, latency, and traffic filtering problems with one tool, see Connection troubleshoot.