Introduction to IP flow verify in Azure Network Watcher

IP flow verify checks whether a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow is then verified based on the configured settings to or from that network interface. IP flow verify is useful in confirming whether a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
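To make the evaluation described above concrete, the following is an added example (not code from the Azure documentation or from Network Watcher itself) that models how a flow is matched against NSG rules: rules are evaluated in ascending priority order, the first matching rule decides, and the name of the deciding rule is reported. The NSG contents, the 10.0.0.0/16 address space standing in for the VirtualNetwork service tag, and the sample flows are all constructed for the example; the default rule names and priorities (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) are the standard Azure defaults.

```python
"""Simulated IP flow verify: evaluate an NSG's inbound rules for one flow.

Added example, not Azure's implementation. The rule table, the CIDR
used in place of the VirtualNetwork service tag, and the flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # lower number wins; rules are evaluated in ascending order
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "TCP", "UDP", or "*"
    source: str          # CIDR or "*"
    source_port: str     # single port, "low-high" range, or "*"
    destination: str
    destination_port: str


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= port <= high
    return int(pattern) == port


def ip_flow_verify(rules: Iterable[NsgRule], direction: str, protocol: str,
                   local_ip: str, local_port: int,
                   remote_ip: str, remote_port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches the flow.

    Inbound: the remote side is the source and the VM (local) is the destination.
    Outbound: the VM (local) is the source and the remote side is the destination.
    """
    if direction == "Inbound":
        src, sport, dst, dport = remote_ip, remote_port, local_ip, local_port
    elif direction == "Outbound":
        src, sport, dst, dport = local_ip, local_port, remote_ip, remote_port
    else:
        raise ValueError(f"unknown direction {direction!r}")

    candidates = sorted((r for r in rules if r.direction == direction),
                        key=lambda r: r.priority)
    for rule in candidates:
        if rule.protocol not in ("*", protocol):
            continue
        if not (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)):
            continue
        if not (_port_matches(rule.source_port, sport) and _port_matches(rule.destination_port, dport)):
            continue
        return rule.access, rule.name
    # Azure's default DenyAll rule normally catches everything; this is a safety net.
    return "Deny", "<no matching rule>"


# Constructed NSG: two custom rules plus the standard inbound defaults.
SAMPLE_NSG = [
    NsgRule("AllowSSHFromAdmin", 100, "Inbound", "Allow", "TCP", "203.0.113.0/24", "*", "*", "22"),
    NsgRule("DenyWebFromInternet", 200, "Inbound", "Deny", "TCP", "*", "*", "*", "80"),
    # 10.0.0.0/16 stands in for the VirtualNetwork service tag in this constructed example.
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "10.0.0.0/16", "*", "10.0.0.0/16", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "168.63.129.16/32", "*", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]


if __name__ == "__main__":
    flows = [
        ("Inbound", "TCP", "10.0.0.4", 22, "203.0.113.10", 50000),   # admin SSH
        ("Inbound", "TCP", "10.0.0.4", 80, "198.51.100.7", 44444),   # web from internet
        ("Inbound", "TCP", "10.0.0.4", 22, "198.51.100.7", 44444),   # SSH from internet
        ("Inbound", "TCP", "10.0.0.4", 3389, "10.0.1.5", 1234),      # RDP from the VNet
    ]
    for flow in flows:
        access, rule = ip_flow_verify(SAMPLE_NSG, *flow)
        print(f"{flow}: {access} by {rule}")
```

The simulation evaluates a single NSG. Where both a subnet NSG and a NIC NSG apply, run the function once per NSG; the flow passes only when every NSG allows it, and the first Deny encountered is the rule you would expect IP flow verify to report.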

An instance of Network Watcher needs to be created in every region in which you plan to run IP flow verify. Network Watcher is a regional service and can only be run against resources in the same region. The instance used does not affect the results of IP flow verify, as any route associated with the NIC or subnet is still returned.


Next steps

Visit the following article to learn whether a packet is allowed or denied for a specific virtual machine through the portal: Check if traffic is allowed on a VM with IP Flow Verify using the portal