Frequently asked questions (FAQ) about Azure Network Watcher

The Azure Network Watcher service provides a suite of tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. This article answers common questions about the service.

General

What is Network Watcher?

Network Watcher is designed to monitor and repair the network health of IaaS (Infrastructure-as-a-Service) components, which include Virtual Machines, Virtual Networks, Application Gateways, Load Balancers, and other resources in an Azure virtual network. It is not a solution for monitoring PaaS (Platform-as-a-Service) infrastructure or for getting web/mobile analytics.

What tools does Network Watcher provide?

Network Watcher provides three major sets of capabilities:

  • Monitoring
    • Topology view shows you the resources in your virtual network and the relationships between them.
    • Connection Monitor allows you to monitor connectivity and latency between a VM and another network resource.
    • Network Performance Monitor allows you to monitor connectivity and latency across hybrid network architectures, ExpressRoute circuits, and service/application endpoints.
  • Diagnostics
    • IP Flow Verify allows you to detect traffic filtering issues at the VM level.
    • Next Hop helps you verify traffic routes and detect routing issues.
    • Connection Troubleshoot enables a one-time connectivity and latency check between a VM and another network resource.
    • Packet Capture enables you to capture all traffic on a VM in your virtual network.
    • VPN Troubleshoot runs multiple diagnostic checks on your VPN gateways and connections to help debug issues.
  • Logging

For more detailed information, see the Network Watcher overview page.

How does Network Watcher pricing work?

Visit the Pricing page for Network Watcher components and their pricing.

Which regions is Network Watcher supported/available in?

You can view the latest regional availability on the Azure Service availability page.

Which permissions are needed to use Network Watcher?

See the list of Azure RBAC permissions required to use Network Watcher. To deploy resources, you need Contributor permissions on the NetworkWatcherRG resource group (see below).

How do I enable Network Watcher?

The Network Watcher service is enabled automatically for every subscription.

What is the Network Watcher deployment model?

The Network Watcher parent resource is deployed as a unique instance in every region. Naming format: NetworkWatcher_RegionName. Example: NetworkWatcher_chinaeast is the Network Watcher resource for the "China North" region.

What is the NetworkWatcherRG?

Network Watcher resources are located in the hidden NetworkWatcherRG resource group, which is created automatically. For example, the NSG Flow Logs resource is a child resource of Network Watcher and is enabled in the NetworkWatcherRG.

Why do I need to install the Network Watcher extension?

The Network Watcher extension is required for any feature that needs to generate or intercept traffic from a VM.

Which features require the Network Watcher extension?

The Packet Capture, Connection Troubleshoot, and Connection Monitor features need the Network Watcher extension to be present on the VM.

What are the resource limits on Network Watcher?

See the Service limits page for all limits.

Why is only one instance of Network Watcher allowed per region?

Network Watcher only needs to be enabled once per subscription for its features to work; this is not a service limit.

How can I manage the Network Watcher resource?

The Network Watcher resource represents the backend service for Network Watcher and is fully managed by Azure. Customers do not need to manage it. Operations such as move are not supported on the resource. However, the resource can be deleted.

Service availability and redundancy

Is the Network Watcher service zone resilient?

Yes. The Network Watcher service is zone-resilient by default.

How do I configure the Network Watcher service to be zone-resilient?

No customer configuration is necessary to enable zone resiliency. Zone resiliency for Network Watcher resources is available by default and managed by the service itself.

NSG Flow Logs

What does NSG Flow Logs do?

Azure network resources can be combined and managed through Network Security Groups (NSGs). NSG Flow Logs enable you to log 5-tuple flow information about all traffic through your NSGs. The raw flow logs are written to an Azure Storage account, from where they can be further processed, analyzed, queried, or exported as needed.

How do I use NSG Flow Logs with a Storage account behind a firewall?

To use a Storage account behind a firewall, you have to provide an exception so that Trusted Azure Services can access your storage account:

  • Navigate to the storage account by typing the storage account's name in the global search on the portal, or from the Storage Accounts page.
  • Under the SETTINGS section, select Firewalls and virtual networks.
  • In "Allow access from", select Selected networks. Then, under Exceptions, tick the box next to "Allow trusted Azure services to access this storage account".
  • If it is already selected, no change is needed.
  • Locate your target NSG on the NSG Flow Logs overview page and enable NSG Flow Logs with the above storage account selected.

You can check the storage logs after a few minutes; you should see an updated TimeStamp or a new JSON file created.

How do I use NSG Flow Logs with a Storage account behind a Service Endpoint?

NSG Flow Logs are compatible with Service Endpoints without requiring any extra configuration. See the tutorial on enabling Service Endpoints in your virtual network.

What is the difference between flow log versions 1 and 2?

Flow Logs version 2 introduces the concept of Flow State and stores information about the bytes and packets transmitted. Read more.
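The FAQ says the raw flow logs land in a storage account as JSON for further processing, and that version 2 tuples add a flow state and byte/packet counters on top of the version 1 5-tuple and decision. The following Python is an added example, not code from the Network Watcher documentation or the Azure SDK: it parses records of both versions from one blob, tolerates the empty counters that version 2 writes on a "B" (begin) record, and produces two defender-side views, a count of denied flows per destination and outbound bytes per destination from version 2 counters. The JSON records and the tuples inside them are constructed sample data (the MAC, IPs and timestamps are made up); the field order follows the documented tuple layouts for each version.

```python
"""Parse NSG flow log JSON (version 1 and 2) into structured flows.

Added example, not code from the Network Watcher docs. Sample records below
are constructed; only the tuple field order mirrors the documented layout:
  v1: time,src,dst,sport,dport,proto,dir,decision
  v2: v1 fields + flowState,pktsS2D,bytesS2D,pktsD2S,bytesD2S
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOCOLS = {"T": "TCP", "U": "UDP"}
DIRECTIONS = {"I": "inbound", "O": "outbound"}
DECISIONS = {"A": "allow", "D": "deny"}
FLOW_STATES = {"B": "begin", "C": "continuing", "E": "end"}


@dataclass
class Flow:
    version: int
    rule: str
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    # Version 2 only; counters are None on "begin" records, which carry empty fields.
    flow_state: Optional[str] = None
    packets_s2d: Optional[int] = None
    bytes_s2d: Optional[int] = None
    packets_d2s: Optional[int] = None
    bytes_d2s: Optional[int] = None


def _opt_int(field: str) -> Optional[int]:
    return int(field) if field != "" else None


def parse_tuple(version: int, rule: str, raw: str) -> Flow:
    """Split one comma-separated flow tuple; reject tuples with the wrong arity."""
    f = raw.split(",")
    expected = 8 if version == 1 else 13
    if len(f) != expected:
        raise ValueError(f"version {version} tuple needs {expected} fields, got {len(f)}: {raw!r}")
    flow = Flow(version, rule, int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                PROTOCOLS.get(f[5], f[5]), DIRECTIONS.get(f[6], f[6]), DECISIONS.get(f[7], f[7]))
    if version == 2:
        flow.flow_state = FLOW_STATES.get(f[8], f[8])
        flow.packets_s2d, flow.bytes_s2d = _opt_int(f[9]), _opt_int(f[10])
        flow.packets_d2s, flow.bytes_d2s = _opt_int(f[11]), _opt_int(f[12])
    return flow


def parse_blob(blob_text: str) -> List[Flow]:
    """Walk records -> properties.flows[] (per rule) -> flows[] (per MAC) -> flowTuples[]."""
    flows: List[Flow] = []
    for record in json.loads(blob_text)["records"]:
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule_block in props["flows"]:
            for mac_block in rule_block["flows"]:
                for raw in mac_block["flowTuples"]:
                    flows.append(parse_tuple(version, rule_block["rule"], raw))
    return flows


def denied_by_destination(flows: List[Flow]) -> Dict[Tuple[str, int], int]:
    """Triage view: how many denied flows hit each (destination IP, port)."""
    counts: Dict[Tuple[str, int], int] = {}
    for fl in flows:
        if fl.decision == "deny":
            key = (fl.dst_ip, fl.dst_port)
            counts[key] = counts.get(key, 0) + 1
    return counts


def outbound_bytes_by_destination(flows: List[Flow]) -> Dict[str, int]:
    """Version 2 only: sum source->destination bytes per destination IP (begin records add 0)."""
    totals: Dict[str, int] = {}
    for fl in flows:
        if fl.version == 2 and fl.direction == "outbound" and fl.bytes_s2d is not None:
            totals[fl.dst_ip] = totals.get(fl.dst_ip, 0) + fl.bytes_s2d
    return totals


# Constructed sample blob: one version 2 record and one version 1 record.
SAMPLE_BLOB = json.dumps({"records": [
    {"time": "2018-11-13T12:00:35Z", "category": "NetworkSecurityGroupFlowEvent",
     "properties": {"Version": 2, "flows": [
         {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "0A1B2C3D4E5F", "flowTuples": [
             "1542110377,10.0.0.4,203.0.113.50,44931,443,T,O,A,B,,,,",
             "1542110379,10.0.0.4,203.0.113.50,44931,443,T,O,A,C,30,16978,24,14008",
             "1542110381,10.0.0.4,203.0.113.50,44931,443,T,O,A,E,3,420,2,204"]}]},
         {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "0A1B2C3D4E5F", "flowTuples": [
             "1542110402,198.51.100.23,10.0.0.4,51344,22,T,I,D,B,,,,",
             "1542110405,198.51.100.23,10.0.0.4,51345,22,T,I,D,B,,,,"]}]}]}},
    {"time": "2018-11-13T12:01:35Z", "category": "NetworkSecurityGroupFlowEvent",
     "properties": {"Version": 1, "flows": [
         {"rule": "UserRule_AllowSSH", "flows": [{"mac": "0A1B2C3D4E5F", "flowTuples": [
             "1542110410,192.0.2.7,10.0.0.4,60122,22,T,I,A"]}]}]}}]})

if __name__ == "__main__":
    parsed = parse_blob(SAMPLE_BLOB)
    print(f"{len(parsed)} flows parsed")
    print("denied per destination:", denied_by_destination(parsed))
    print("outbound bytes per destination:", outbound_bytes_by_destination(parsed))
```

Point `parse_blob` at the contents of a downloaded `PT1H.json` blob to run it on real data. The arity check in `parse_tuple` is deliberate: a parser that silently accepts a truncated tuple will mis-assign the decision or counter fields, which is exactly the kind of error that makes a denied flow look allowed in a report.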

Next Steps