Analyze your Virtual Machine security with Security Group View using PowerShell

Note

The Security Group View API is no longer being maintained and will be deprecated soon. Please use the Effective Security Rules feature, which provides the same functionality.

Security group view returns the configured and effective network security rules that are applied to a virtual machine. This capability is useful for auditing and diagnosing the Network Security Groups and rules configured on a VM, to ensure traffic is being correctly allowed or denied. In this article, we show you how to retrieve the configured and effective security rules for a virtual machine using PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Before you begin

In this scenario, you run the Get-AzNetworkWatcherSecurityGroupView cmdlet to retrieve the security rule information.

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher.

Scenario

The scenario covered in this article retrieves the configured and effective security rules for a given virtual machine.

Retrieve Network Watcher

The first step is to retrieve the Network Watcher instance. This variable is passed to the Get-AzNetworkWatcherSecurityGroupView cmdlet.

$networkWatcher = Get-AzResource | Where {$_.ResourceType -eq "Microsoft.Network/networkWatchers" -and $_.Location -eq "chinanorth" }

Get a VM

A virtual machine is required to run the Get-AzNetworkWatcherSecurityGroupView cmdlet against. The following example gets a VM object.

$VM = Get-AzVM -ResourceGroupName testrg -Name testvm1

Retrieve security group view

The next step is to retrieve the security group view result.

$secgroup = Get-AzNetworkWatcherSecurityGroupView -NetworkWatcher $networkWatcher -TargetVirtualMachineId $VM.Id

Viewing the results

The following example is a shortened response of the results returned. The results show all the effective and applied security rules on the virtual machine, broken down into the groups NetworkInterfaceSecurityRules, DefaultSecurityRules, and EffectiveSecurityRules.

NetworkInterfaces : [
                      {
                        "NetworkInterfaceSecurityRules": [
                          {
                            "Name": "default-allow-rdp",
                            "Etag": "W/\"d4c411d4-0d62-49dc-8092-3d4b57825740\"",
                            "Id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testrg2/providers/Microsoft.Network/networkSecurityGroups/testvm2-nsg/securityRules/default-allow-rdp",
                            "Protocol": "TCP",
                            "SourcePortRange": "*",
                            "DestinationPortRange": "3389",
                            "SourceAddressPrefix": "*",
                            "DestinationAddressPrefix": "*",
                            "Access": "Allow",
                            "Priority": 1000,
                            "Direction": "Inbound",
                            "ProvisioningState": "Succeeded"
                          }
                          ...
                        ],
                        "DefaultSecurityRules": [
                          {
                            "Name": "AllowVnetInBound",
                            "Id": "/subscriptions00000000-0000-0000-0000-000000000000/resourceGroups/testrg2/providers/Microsoft.Network/networkSecurityGroups/testvm2-nsg/defaultSecurityRules/",
                            "Description": "Allow inbound traffic from all VMs in VNET",
                            "Protocol": "*",
                            "SourcePortRange": "*",
                            "DestinationPortRange": "*",
                            "SourceAddressPrefix": "VirtualNetwork",
                            "DestinationAddressPrefix": "VirtualNetwork",
                            "Access": "Allow",
                            "Priority": 65000,
                            "Direction": "Inbound",
                            "ProvisioningState": "Succeeded"
                          }
                          ...
                        ],
                        "EffectiveSecurityRules": [
                          {
                            "Name": "DefaultOutboundDenyAll",
                            "Protocol": "All",
                            "SourcePortRange": "0-65535",
                            "DestinationPortRange": "0-65535",
                            "SourceAddressPrefix": "*",
                            "DestinationAddressPrefix": "*",
                            "ExpandedSourceAddressPrefix": [],
                            "ExpandedDestinationAddressPrefix": [],
                            "Access": "Deny",
                            "Priority": 65500,
                            "Direction": "Outbound"
                          },
                          ...
                        ]
                      }
                    ]
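The point of the view is to audit what is actually reachable, so a natural follow-up is to walk the EffectiveSecurityRules and flag inbound Allow rules that expose a management port (RDP 3389, SSH 22) to any source. The script below is an added example, not part of the original article; it assumes the flattened object shape shown in the shortened output above and uses a constructed sample built from that output so it runs offline. Replace $secgroup with the real Get-AzNetworkWatcherSecurityGroupView result to audit a live VM.

```powershell
# Constructed sample input, copied from the shortened output above (not a live result).
$sampleJson = @'
{ "NetworkInterfaces": [ { "EffectiveSecurityRules": [
  { "Name": "default-allow-rdp", "Protocol": "TCP", "SourcePortRange": "*",
    "DestinationPortRange": "3389", "SourceAddressPrefix": "*",
    "DestinationAddressPrefix": "*", "Access": "Allow", "Priority": 1000, "Direction": "Inbound" },
  { "Name": "DefaultOutboundDenyAll", "Protocol": "All", "SourcePortRange": "0-65535",
    "DestinationPortRange": "0-65535", "SourceAddressPrefix": "*",
    "DestinationAddressPrefix": "*", "Access": "Deny", "Priority": 65500, "Direction": "Outbound" }
] } ] }
'@
# Assumption: $secgroup has the shape shown above. On a live VM use:
# $secgroup = Get-AzNetworkWatcherSecurityGroupView -NetworkWatcher $networkWatcher -TargetVirtualMachineId $VM.Id
$secgroup = $sampleJson | ConvertFrom-Json

# Returns $true when $Port falls inside an NSG port range such as "*", "3389", "0-65535" or "22,3389".
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    foreach ($part in ($Range -split ',')) {
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ([int]$part -eq $Port) { return $true }
    }
    return $false
}

$managementPorts = @(22, 3389)
$anySource = @('*', 'Internet', '0.0.0.0/0')   # prefixes that mean "any source"

foreach ($nic in $secgroup.NetworkInterfaces) {
    # Lower priority numbers are evaluated first, so sort to read rules in evaluation order.
    foreach ($rule in ($nic.EffectiveSecurityRules | Sort-Object Priority)) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.SourceAddressPrefix -notin $anySource) { continue }
        $exposed = $managementPorts | Where-Object { Test-PortInRange -Range $rule.DestinationPortRange -Port $_ }
        if ($exposed) {
            Write-Warning ("Rule '{0}' (priority {1}) allows {2} from {3} to port(s) {4}" -f `
                $rule.Name, $rule.Priority, $rule.Protocol, $rule.SourceAddressPrefix, ($exposed -join ','))
        }
    }
}
```

With the sample input the script warns about default-allow-rdp (TCP 3389 from *) and ignores the outbound deny rule; the same logic can be extended to any port list or source prefix your policy treats as sensitive.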

Next steps

Visit Auditing Network Security Groups (NSG) with Network Watcher to learn how to automate validation of Network Security Groups.