Analyze your Virtual Machine security with Security Group View using REST API

Note

The Security Group View API is no longer being maintained and will be deprecated soon. Please use the Effective Security Rules feature, which provides the same functionality.

Security group view returns the configured and effective network security rules that are applied to a virtual machine. This capability is useful to audit and diagnose the Network Security Groups and rules configured on a VM, to ensure traffic is being correctly allowed or denied. In this article, we show you how to retrieve the effective and applied security rules for a virtual machine using the REST API.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Before you begin

In this scenario, you call the Network Watcher REST API to get the security group view for a virtual machine. ARMClient is used to call the REST API from PowerShell. ARMClient is available on Chocolatey; see ARMClient on Chocolatey.

This scenario assumes you have already followed the steps in Create a Network Watcher to create a Network Watcher. The scenario also assumes that a resource group containing a valid virtual machine exists to be used.

Scenario

The scenario covered in this article retrieves the effective and applied security rules for a given virtual machine.

Log in with ARMClient

$env:ARMCLIENT_ENV="MOONCAKE"
armclient login

Retrieve a virtual machine

Run the following script to return a virtual machine. The following code needs these variables:

  • subscriptionId - The subscription ID; it can also be retrieved with the Get-AzSubscription cmdlet.
  • resourceGroupName - The name of a resource group that contains virtual machines.
$subscriptionId = '<subscription id>'
$resourceGroupName = '<resource group name>'

armclient get https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Compute/virtualMachines?api-version=2015-05-01-preview

The information that is needed is the id under the type Microsoft.Compute/virtualMachines in the response, as seen in the following example:

...,
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}"
            }
          ]
        },
        "provisioningState": "Succeeded"
      },
      "resources": [
        {
          "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}/extensions/CustomScriptExtension"
        }
      ],
      "type": "Microsoft.Compute/virtualMachines",
      "location": "chinaeast",
      "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}",
      "name": "{vmName}"
    }
  ]
}

Get security group view for virtual machine

The following example requests the security group view of a targeted virtual machine. The results from this example can be compared against the rules and security defined at the source (for example, your deployment templates) to look for configuration drift.

$subscriptionId = "<subscription id>"
$resourceGroupName = "<resource group name>"
$networkWatcherName = "<network watcher name>"
# The full resource ID of the VM, as returned in the "id" field of the previous response.
$targetUri = "<uri of target resource>" # Example: /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Compute/virtualMachines/$vmName

# Request body: JSON requires double-quoted keys and values.
$requestBody = @"
{
    "targetResourceId": "${targetUri}"
}
"@
armclient post "https://management.chinacloudapi.cn/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/securityGroupView?api-version=2016-12-01" $requestBody -verbose

View the response

The following sample is the response returned from the preceding command. The results show all the effective and applied security rules on the virtual machine, broken down into the groups NetworkInterfaceSecurityRules, DefaultSecurityRules, and EffectiveSecurityRules.

{
  "networkInterfaces": [
    {
      "securityRuleAssociations": {
        "networkInterfaceAssociation": {
          "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}",
          "securityRules": [
            {
              "name": "default-allow-rdp",
              "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}/securityRules/default-allow-rdp",
              "etag": "W/\"d4c411d4-0d62-49dc-8092-3d4b57825740\"",
              "properties": {
                "provisioningState": "Succeeded",
                "protocol": "TCP",
                "sourcePortRange": "*",
                "destinationPortRange": "3389",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 1000,
                "direction": "Inbound"
              }
            }
          ]
        },
        "defaultSecurityRules": [
          {
            "name": "AllowVnetInBound",
            "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{nsgName}/defaultSecurityRules/",
            "properties": {
              "provisioningState": "Succeeded",
              "description": "Allow inbound traffic from all VMs in VNET",
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork",
              "destinationAddressPrefix": "VirtualNetwork",
              "access": "Allow",
              "priority": 65000,
              "direction": "Inbound"
            }
          },
          ...
        ],
        "effectiveSecurityRules": [
          {
            "name": "DefaultOutboundDenyAll",
            "protocol": "All",
            "sourcePortRange": "0-65535",
            "destinationPortRange": "0-65535",
            "sourceAddressPrefix": "*",
            "destinationAddressPrefix": "*",
            "access": "Deny",
            "priority": 65500,
            "direction": "Outbound"
          },
          ...
        ]
      }
    }
  ]
}
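As an added example (not part of the original article), the following PowerShell audits a securityGroupView response of the shape shown above for configuration drift against a baseline and for inbound Allow rules reachable from any source. The response JSON and the baseline are constructed here so it runs offline; in practice, $response would hold the output of the armclient post call.

```powershell
# Added example: audit a securityGroupView response for drift and exposure. In practice
# $response holds the JSON returned by armclient; here a constructed sample is used.
$response = @"
{ "networkInterfaces": [ { "securityRuleAssociations": {
    "networkInterfaceAssociation": {
      "id": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkInterfaces/{nicName}",
      "securityRules": [] },
    "defaultSecurityRules": [],
    "effectiveSecurityRules": [
      { "name": "default-allow-rdp", "protocol": "Tcp", "sourcePortRange": "0-65535",
        "destinationPortRange": "3389-3389", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*", "access": "Allow", "priority": 1000, "direction": "Inbound" },
      { "name": "DefaultOutboundDenyAll", "protocol": "All", "sourcePortRange": "0-65535",
        "destinationPortRange": "0-65535", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*", "access": "Deny", "priority": 65500, "direction": "Outbound" }
    ] } } ] }
"@

# Constructed baseline: the effective rules this VM is expected to have, keyed by name.
$baseline = @{
    'DefaultOutboundDenyAll' = @{ access = 'Deny'; direction = 'Outbound' }
}
# Source prefixes that mean "any source" in an effective rule.
$anySource = @('*', 'Internet', '0.0.0.0/0')

$view = $response | ConvertFrom-Json
foreach ($nic in $view.networkInterfaces) {
    $assoc = $nic.securityRuleAssociations
    Write-Host "Auditing NIC $($assoc.networkInterfaceAssociation.id)"
    $effective = @($assoc.effectiveSecurityRules)
    foreach ($rule in $effective) {
        $expected = $baseline[$rule.name]
        if (-not $expected) {
            # Drift: a rule is in effect that the baseline does not define.
            Write-Warning "Unexpected effective rule '$($rule.name)' ($($rule.direction) $($rule.access))"
        } elseif ($expected.access -ne $rule.access -or $expected.direction -ne $rule.direction) {
            # Drift: the rule exists but its action or direction changed.
            Write-Warning "Rule '$($rule.name)' differs from baseline: $($rule.direction) $($rule.access)"
        }
        # Exposure: an inbound Allow reachable from any source; review whether it is intended.
        if ($rule.direction -eq 'Inbound' -and $rule.access -eq 'Allow' -and $rule.sourceAddressPrefix -in $anySource) {
            Write-Warning "Rule '$($rule.name)' allows inbound $($rule.protocol) to $($rule.destinationPortRange) from any source"
        }
    }
    # Drift: a baseline rule that is no longer in effect (for example, a removed deny).
    foreach ($name in $baseline.Keys) {
        if ($name -notin $effective.name) { Write-Warning "Baseline rule '$name' is not in effect" }
    }
}
```

With the constructed sample, the script warns that default-allow-rdp is both absent from the baseline and allows inbound TCP 3389 from any source, while DefaultOutboundDenyAll matches the baseline.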

Next steps

Visit Auditing Network Security Groups (NSG) with Network Watcher to learn how to automate validation of Network Security Groups.