Configuring Network Security Group flow logs using REST API

Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis, the NIC the flow applies to, 5-tuple information about the flow (source/destination IP, source/destination port, protocol), and whether the traffic was allowed or denied.

Before you begin

ARMClient is used to call the REST API from PowerShell. ARMClient can be installed from Chocolatey (see ARMClient on Chocolatey).

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher.

Important

For Network Watcher REST API calls, the resource group name in the request URI is the resource group that contains the Network Watcher, not the resource group of the resources you are performing the diagnostic actions on.

Scenario

The scenario covered in this article shows you how to enable, disable, and query flow logs using the REST API. To learn more about Network Security Group flow logging, see Network Security Group flow logging - Overview.

In this scenario, you will:

  • Enable flow logs (Version 2)
  • Disable flow logs
  • Query flow log status

Log in with ARMClient

Log in to ARMClient with your Azure credentials. The ARMCLIENT_ENV variable points ARMClient at the Azure China (Mooncake) endpoints.

$env:ARMCLIENT_ENV="MOONCAKE"
armclient login

Register Insights provider

In order for flow logging to work successfully, the Microsoft.Insights provider must be registered. If you are not sure whether the Microsoft.Insights provider is registered, run the following script.

$subscriptionId = "00000000-0000-0000-0000-000000000000"
armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/providers/Microsoft.Insights/register?api-version=2016-09-01"

Enable Network Security Group flow logs

The command to enable flow logs version 2 is shown in the following example. For version 1, set the 'version' field to 1:

$subscriptionId = "00000000-0000-0000-0000-000000000000"
# Example: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}
$targetUri = ""
$storageId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$requestBody = @"
{
    "targetResourceId": "${targetUri}",
    "properties": {
        "storageId": "${storageId}",
        "enabled": true,
        "retentionPolicy": {
            "days": 5,
            "enabled": true
        },
        "format": {
            "type": "JSON",
            "version": 2
        }
    }
}
"@

armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/configureFlowLog?api-version=2016-12-01" $requestBody

The response returned from the preceding example is as follows:

{
  "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",
  "properties": {
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",
    "enabled": true,
    "retentionPolicy": {
      "days": 5,
      "enabled": true
    },
    "format": {
      "type": "JSON",
      "version": 2
    }
  }
}

Disable Network Security Group flow logs

Use the following example to disable flow logs. The call is the same as the one that enables flow logs, except that the enabled property is set to false.

$subscriptionId = "00000000-0000-0000-0000-000000000000"
# Example: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}
$targetUri = ""
$storageId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}"
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$requestBody = @"
{
    "targetResourceId": "${targetUri}",
    "properties": {
        "storageId": "${storageId}",
        "enabled": false,
        "retentionPolicy": {
            "days": 5,
            "enabled": true
        },
        "format": {
            "type": "JSON",
            "version": 2
        }
    }
}
"@

armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/configureFlowLog?api-version=2016-12-01" $requestBody

The response returned from the preceding example is as follows:

{
  "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",
  "properties": {
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",
    "enabled": false,
    "retentionPolicy": {
      "days": 5,
      "enabled": true
    },
    "format": {
      "type": "JSON",
      "version": 2
    }
  }
}

Query flow logs

The following REST call queries the status of flow logs on a Network Security Group.

$subscriptionId = "00000000-0000-0000-0000-000000000000"
# Example: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}
$targetUri = ""
$resourceGroupName = "NetworkWatcherRG"
$networkWatcherName = "NetworkWatcher_chinaeast"
$requestBody = @"
{
    "targetResourceId": "${targetUri}"
}
"@

armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/queryFlowLogStatus?api-version=2016-12-01" $requestBody

The following is an example of the response returned:

{
  "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}",
  "properties": {
    "storageId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{saName}",
    "enabled": true,
    "retentionPolicy": {
      "days": 5,
      "enabled": true
    },
    "format": {
      "type": "JSON",
      "version": 2
    }
  }
}

Download a flow log

The storage location of a flow log is defined when the flow log is created. A convenient tool for accessing flow logs saved to a storage account is Azure Storage Explorer, which can be downloaded from https://storageexplorer.com/

When a storage account is specified, the flow log files are saved to the storage account at the following location (one PT1H.json blob per NSG, hour and NIC MAC address):

https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
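As an added example (not part of the original article), the following Python parses one downloaded PT1H.json blob and counts denied inbound flows per rule, NIC MAC address and destination port, which is the first thing a defender usually wants from these logs. It assumes the Version 2 record layout (records → properties.flows → flows → flowTuples, each tuple being 13 comma-separated fields); the sample blob is constructed.

```python
import json
from collections import Counter

# Constructed sample PT1H.json blob in the (assumed) Version 2 layout:
# one allowed HTTPS flow and two denied inbound flows on the same NIC.
SAMPLE_PT1H = json.dumps({"records": [{
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                  "/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/MICROSOFT.NETWORK"
                  "/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3A000001",
         "flowTuples": ["1577880000,203.0.113.10,10.0.0.4,51000,443,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001",
         "flowTuples": ["1577880001,198.51.100.7,10.0.0.4,40000,22,T,I,D,B,,,,",
                        "1577880002,198.51.100.7,10.0.0.4,40001,3389,T,I,D,B,,,,"]}]},
    ]},
}]})

# Field order of one Version 2 tuple (assumed): the 5-tuple, then T/U protocol,
# I/O direction, A/D decision, B/C/E flow state and four traffic counters.
TUPLE_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
                "direction", "decision", "state", "pkts_out", "bytes_out",
                "pkts_in", "bytes_in")


def parse_tuple(raw):
    """Split one comma-separated flow tuple into a dict; reject malformed ones."""
    parts = raw.split(",")
    if len(parts) != len(TUPLE_FIELDS):
        raise ValueError("unexpected tuple width: %r" % raw)
    return dict(zip(TUPLE_FIELDS, parts))


def iter_flows(blob_text):
    """Yield (rule, mac, tuple_dict) for every flow tuple in a PT1H.json blob."""
    for rec in json.loads(blob_text)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            continue  # only the Version 2 tuple width is handled here
        for by_rule in props["flows"]:
            for by_nic in by_rule["flows"]:
                for raw in by_nic["flowTuples"]:
                    yield by_rule["rule"], by_nic["mac"], parse_tuple(raw)


def denied_inbound_summary(blob_text):
    """Count denied inbound flows per (rule, NIC MAC, destination port)."""
    counts = Counter()
    for rule, mac, t in iter_flows(blob_text):
        if t["direction"] == "I" and t["decision"] == "D":
            counts[(rule, mac, t["dst_port"])] += 1
    return counts
```

Point the same functions at the text of a real PT1H.json blob downloaded with Azure Storage Explorer to get the per-rule breakdown for that hour.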

Next steps

Learn how to visualize your NSG flow logs with Power BI

Learn how to visualize your NSG flow logs with open source tools