Analyze your Virtual Machine security with Security Group View using Azure CLI

Note

The Security Group View API is no longer being maintained and will be deprecated soon. Please use the Effective Security Rules feature, which provides the same functionality.

Security group view returns the configured and effective network security rules that are applied to a virtual machine. This capability is useful for auditing and diagnosing the Network Security Groups and rules configured on a VM, to ensure that traffic is being correctly allowed or denied. In this article, we show you how to retrieve the configured and effective security rules for a virtual machine using Azure CLI.

To perform the steps in this article, you need to install the Azure command-line interface (CLI) for Mac, Linux, and Windows.

Before you begin

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher.

Scenario

The scenario covered in this article retrieves the configured and effective security rules for a given virtual machine.

Get a VM

A virtual machine is required to run the vm list command. The following command lists the virtual machines in a resource group:

az vm list --resource-group resourceGroupName

Once you know the virtual machine, you can use the vm show command to get its resource Id:

az vm show --resource-group resourceGroupName --name virtualMachineName

Retrieve security group view

The next step is to retrieve the security group view result:

az network watcher show-security-group-view --resource-group resourceGroupName --vm vmName

Viewing the results

The following example is a shortened response of the results returned. The results show all the effective and applied security rules on the virtual machine, broken down into the groups NetworkInterfaceSecurityRules, DefaultSecurityRules, and EffectiveSecurityRules.

{
  "networkInterfaces": [
    {
      "id": "/subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}",
      "resourceGroup": "{resourceGroupName}",
      "securityRuleAssociations": {
        "defaultSecurityRules": [
          {
            "access": "Allow",
            "description": "Allow inbound traffic from all VMs in VNET",
            "destinationAddressPrefix": "VirtualNetwork",
            "destinationPortRange": "*",
            "direction": "Inbound",
            "etag": null,
            "id": "/subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups//providers/Microsoft.Network/networkSecurityGroups/{nsgName}/defaultSecurityRules/AllowVnetInBound",
            "name": "AllowVnetInBound",
            "priority": 65000,
            "protocol": "*",
            "provisioningState": "Succeeded",
            "resourceGroup": "",
            "sourceAddressPrefix": "VirtualNetwork",
            "sourcePortRange": "*"
          }...
        ],
        "effectiveSecurityRules": [
          {
            "access": "Deny",
            "destinationAddressPrefix": "*",
            "destinationPortRange": "0-65535",
            "direction": "Outbound",
            "expandedDestinationAddressPrefix": null,
            "expandedSourceAddressPrefix": null,
            "name": "DefaultOutboundDenyAll",
            "priority": 65500,
            "protocol": "All",
            "sourceAddressPrefix": "*",
            "sourcePortRange": "0-65535"
          },
          {
            "access": "Allow",
            "destinationAddressPrefix": "VirtualNetwork",
            "destinationPortRange": "0-65535",
            "direction": "Outbound",
            "expandedDestinationAddressPrefix": [
              "10.1.0.0/24",
              "168.63.129.16/32"
            ],
            "expandedSourceAddressPrefix": [
              "10.1.0.0/24",
              "168.63.129.16/32"
            ],
            "name": "DefaultRule_AllowVnetOutBound",
            "priority": 65000,
            "protocol": "All",
            "sourceAddressPrefix": "VirtualNetwork",
            "sourcePortRange": "0-65535"
          },...
        ],
        "networkInterfaceAssociation": {
          "id": "/subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}",
          "resourceGroup": "{resourceGroupName}",
          "securityRules": [
            {
              "access": "Allow",
              "description": null,
              "destinationAddressPrefix": "*",
              "destinationPortRange": "3389",
              "direction": "Inbound",
              "etag": "W/\"efb606c1-2d54-475a-ab20-da3f80393577\"",
              "id": "/subscriptions/00000000-0000-0000-0000-0000000000000/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}/securityRules/default-allow-rdp",
              "name": "default-allow-rdp",
              "priority": 1000,
              "protocol": "TCP",
              "provisioningState": "Succeeded",
              "resourceGroup": "{resourceGroupName}",
              "sourceAddressPrefix": "*",
              "sourcePortRange": "*"
            }
          ]
        },
        "subnetAssociation": null
      }
    }
  ]
}
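To make the response above actionable in an audit, here is an added example (not code from this page or from Azure) that loads a security group view JSON, constructed inline in the same shape as the shortened response, and replays NSG evaluation order over its effectiveSecurityRules: the lowest priority number wins, a source of "*" matches anything, and for service tags the expandedSourceAddressPrefix CIDR list decides. It also lists inbound Allow rules open to any source, the first candidates to review. The inbound deny rule name and the test source address 203.0.113.5 are constructed assumptions; the VNet prefixes are those shown in the response above.

```python
import ipaddress
import json

# Constructed sample in the shape of the page's shortened response; not real output.
SAMPLE = json.loads("""{"networkInterfaces": [{"id": "/subscriptions/PLACEHOLDER/nic0",
 "securityRuleAssociations": {"effectiveSecurityRules": [
  {"access": "Deny", "direction": "Inbound", "priority": 65500, "protocol": "All",
   "sourceAddressPrefix": "*", "expandedSourceAddressPrefix": null,
   "destinationPortRange": "0-65535", "name": "DefaultInboundDenyAll"},
  {"access": "Allow", "direction": "Inbound", "priority": 65000, "protocol": "All",
   "sourceAddressPrefix": "VirtualNetwork",
   "expandedSourceAddressPrefix": ["10.1.0.0/24", "168.63.129.16/32"],
   "destinationPortRange": "0-65535", "name": "DefaultRule_AllowVnetInBound"},
  {"access": "Allow", "direction": "Inbound", "priority": 1000, "protocol": "TCP",
   "sourceAddressPrefix": "*", "expandedSourceAddressPrefix": null,
   "destinationPortRange": "3389", "name": "default-allow-rdp"}]}}]}""")

def effective_rules(view):
    """Flatten effectiveSecurityRules across every NIC in the security group view."""
    return [r for nic in view["networkInterfaces"]
            for r in nic["securityRuleAssociations"]["effectiveSecurityRules"]]

def port_matches(rng, port):
    """Accept '*', a single port ('3389') or a range ('0-65535')."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)

def source_matches(rule, src_ip):
    """'*' matches any source; otherwise the expanded CIDR list for the tag decides."""
    if rule["sourceAddressPrefix"] == "*":
        return True
    prefixes = rule.get("expandedSourceAddressPrefix") or []
    return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(p) for p in prefixes)

def first_match(view, direction, protocol, port, src_ip):
    """Return the rule that decides a flow: lowest priority number wins, as in NSG evaluation."""
    hits = [r for r in sorted(effective_rules(view), key=lambda r: r["priority"])
            if r["direction"] == direction
            and r["protocol"].upper() in ("ALL", "*", protocol.upper())
            and port_matches(r["destinationPortRange"], port)
            and source_matches(r, src_ip)]
    return hits[0] if hits else None

def broad_inbound_allows(view):
    """Names of inbound Allow rules reachable from any source: review these first."""
    return [r["name"] for r in effective_rules(view) if r["direction"] == "Inbound"
            and r["access"] == "Allow" and r["sourceAddressPrefix"] == "*"]
```

Run it against the saved output of `az network watcher show-security-group-view` by replacing SAMPLE with `json.load(open("view.json"))`.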

Next steps

Visit Auditing Network Security Groups (NSG) with Network Watcher to learn how to automate validation of Network Security Groups.

Learn more about the security rules that are applied to your network resources by visiting Security group view overview.