QuickStart: Deploy and manage NSG Flow Logs using Azure Policy

Overview

Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, we will use two built-in policies available for NSG Flow Logs to manage your flow logs setup. The first policy flags any NSGs without flow logs enabled. The second policy automatically deploys Flow logs for NSGs without Flow logs enabled.

If you are creating an Azure policy for the first time, you can read through:

Locate the policies

  1. Go to the Azure portal - portal.azure.cn

    Navigate to the Azure Policy page by searching for "Policy" in the top search bar

    Screenshot: Policy Home Page

  2. Head over to the Assignments tab in the left pane

    Screenshot: Assignments tab

  3. Click on the Assign Policy button

    Screenshot: Assign Policy button

  4. Click the three-dot menu under "Policy Definitions" to see the available policies

  5. Use the Type filter and choose "Built-in", then search for "Flow log"

    You should see the two built-in policies for Flow logs

    Screenshot: Policy List

  6. Choose the policy you want to assign

    • "Flow log should be configured for every network security group" is the audit policy that flags non-compliant NSGs, that is, NSGs without Flow logging enabled
    • "Deploy a flow log resource with target network security group" is the policy with a deployment action; it enables Flow logs on all NSGs without Flow logs

There are separate instructions for each policy below.

Audit Policy

How the policy works

The policy checks all existing ARM objects of type "Microsoft.Network/networkSecurityGroups", that is, all NSGs in the given scope, and checks for the existence of linked Flow logs via the Flow Logs property of the NSG. If the property does not exist, the NSG is flagged.

If you want to see the full definition of the policy, you can visit the Definitions tab and search for "Flow logs" to find the policy.

Assignment

  1. Fill in your policy details

    • Scope: A subscription is the common choice; you can also choose a management group or resource group as relevant to you.
    • Policy Definition: Should be chosen as shown in the "Locate the policies" section.
    • Assignment Name: Choose a descriptive name
  2. Click on "Review + Create" to review your assignment

    The policy does not require any parameters. As you are assigning an audit policy, you do not need to fill in the details in the "Remediation" tab.

    Screenshot: Audit policy review

Results

To check the results, open the Compliance tab and search for the name of your Assignment. You should see something similar to the following screenshot once your policy runs. In case your policy hasn't run yet, wait for some time.

Screenshot: Audit policy results

Deploy-If-not-exists Policy

Policy Structure

The policy checks all existing ARM objects of type "Microsoft.Network/networkSecurityGroups", that is, all NSGs in the given scope, and checks for the existence of linked Flow logs via the Flow Logs property of the NSG. If the property does not exist, the policy deploys a Flow log.

If you want to see the full definition of the policy, you can visit the Definitions tab and search for "Flow logs" to find the policy.

Assignment

  1. Fill in your policy details

    • Scope: A subscription is the common choice; you can also choose a management group or resource group as relevant to you.
    • Policy Definition: Should be chosen as shown in the "Locate the policies" section.
    • Assignment Name: Choose a descriptive name

  2. Add policy parameters

    The Network Watcher service is a regional service. These parameters allow the policy action of deploying flow logs to be executed.

    • NSG Region: Azure regions at which the policy is targeted
    • Storage ID: Full resource ID of the storage account. Note: This storage account should be in the same region as the NSG.
    • Network Watchers RG: Name of the resource group containing your Network Watcher resource. If you have not renamed it, you can enter 'NetworkWatcherRG', which is the default.
    • Network Watcher name: Name of the regional network watcher service. Format: NetworkWatcher_RegionName. Example: NetworkWatcher_chinaeast. See the full list.

    Screenshot: DINE policy parameters

  3. Add Remediation details

    • Check "Create Remediation task" if you want the policy to affect existing resources
    • "Create a Managed Identity" should already be checked
    • Select the same location as before for your Managed Identity
    • You will need Contributor or Owner permissions to use this policy. If you have these permissions, you should not see any errors.

    Screenshot: DINE policy remediation

  4. Click on "Review + Create" to review your assignment. You should see something similar to the following screenshot.

    Screenshot: DINE policy review
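Added example, not part of this article and not Microsoft's policy engine or the exact JSON of the two built-in definitions: a short offline Python simulation of what the two policies do, as described in the "How the policy works" and "Policy Structure" sections, parameterized the way the "Add policy parameters" step above lists. The ARM resource shape, the `properties.flowLogs` field used for the existence check, the placeholder subscription and resource IDs, and every function and class name are assumptions. The audit function flags NSGs with no linked flow log; the deploy-if-not-exists planner only acts in the targeted regions, only touches existing NSGs when a remediation task is created, and refuses a storage account outside the NSG's region, which is the same-region note given for the Storage ID parameter.

```python
"""Offline simulation of the two built-in NSG flow log policies on this page.
Added example: not the Azure Policy engine and not the built-in definitions.
Resource shapes, the 'properties.flowLogs' field and all names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NSG_TYPE = "Microsoft.Network/networkSecurityGroups"
FLOW_LOG_TYPE = "Microsoft.Network/networkWatchers/flowLogs"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder

# Constructed storage accounts (placeholder IDs) and the region each lives in.
STORAGE_EAST = f"{SUB}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/flowlogseast"
STORAGE_NORTH = f"{SUB}/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/flowlogsnorth"
SAMPLE_STORAGE_REGIONS: Dict[str, str] = {STORAGE_EAST: "chinaeast", STORAGE_NORTH: "chinanorth"}


def nsg(name: str, region: str, flow_logs: Optional[list]) -> dict:
    """Build a constructed NSG record; flow_logs=None means the property is absent."""
    props = {} if flow_logs is None else {"flowLogs": flow_logs}
    return {"name": name, "type": NSG_TYPE, "location": region,
            "id": f"{SUB}/resourceGroups/rg-app/providers/{NSG_TYPE}/{name}",
            "properties": props}


# Constructed inventory standing in for "all ARM objects in the scope".
SAMPLE_RESOURCES = [
    nsg("nsg-web", "chinaeast", [{"id": f"{SUB}/resourceGroups/NetworkWatcherRG/providers/"
                                        f"Microsoft.Network/networkWatchers/NetworkWatcher_chinaeast"
                                        f"/flowLogs/nsg-web-flowlog"}]),  # compliant
    nsg("nsg-db", "chinaeast", None),       # property missing -> non-compliant
    nsg("nsg-legacy", "chinanorth", []),    # empty list -> treated as not configured
    {"name": "vnet-app", "type": "Microsoft.Network/virtualNetworks", "location": "chinaeast",
     "id": f"{SUB}/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app",
     "properties": {}},                     # not an NSG -> out of scope for both policies
]


def has_flow_log(resource: dict) -> bool:
    """The existence check the page describes: is a flow log linked to this NSG?"""
    return bool(resource.get("properties", {}).get("flowLogs"))


def audit_flow_logs(resources: List[dict]) -> List[str]:
    """Audit policy: names of NSGs in scope that have no linked flow log."""
    return [r["name"] for r in resources
            if r.get("type") == NSG_TYPE and not has_flow_log(r)]


@dataclass
class DineParameters:
    """The four assignment parameters listed on this page (names are assumptions)."""
    nsg_regions: List[str]                        # NSG Region
    storage_id: str                               # Storage ID
    network_watcher_rg: str = "NetworkWatcherRG"  # Network Watchers RG, page's default
    network_watcher_name: Optional[str] = None    # Network Watcher name; None -> NetworkWatcher_<region>


def plan_deploy_if_not_exists(resources: List[dict], params: DineParameters,
                              storage_regions: Dict[str, str],
                              create_remediation_task: bool) -> List[dict]:
    """Deploy-if-not-exists policy: for each non-compliant NSG in a targeted region,
    describe the flow log that would be deployed, or why the deployment would fail.
    Without a remediation task, existing non-compliant NSGs are only flagged."""
    by_name = {r["name"]: r for r in resources}
    plan = []
    for name in audit_flow_logs(resources):
        target = by_name[name]
        region = target["location"]
        if region not in params.nsg_regions:
            continue  # outside the regions the assignment targets
        if not create_remediation_task:
            plan.append({"nsg": name, "action": "flag-only"})
            continue
        storage_region = storage_regions.get(params.storage_id)
        if storage_region != region:  # the same-region note on the Storage ID parameter
            plan.append({"nsg": name, "action": "error",
                         "reason": f"storage account is in {storage_region}, NSG is in {region}"})
            continue
        watcher = params.network_watcher_name or f"NetworkWatcher_{region}"
        plan.append({"nsg": name, "action": "deploy", "resource": {
            "type": FLOW_LOG_TYPE,
            "name": f"{watcher}/{name}-flowlog",
            "resourceGroup": params.network_watcher_rg,
            "location": region,
            "properties": {"targetResourceId": target["id"],
                           "storageId": params.storage_id, "enabled": True},
        }})
    return plan


if __name__ == "__main__":
    print("audit (non-compliant):", audit_flow_logs(SAMPLE_RESOURCES))
    p = DineParameters(nsg_regions=["chinaeast", "chinanorth"], storage_id=STORAGE_EAST)
    for step in plan_deploy_if_not_exists(SAMPLE_RESOURCES, p, SAMPLE_STORAGE_REGIONS, True):
        print(step)
```

Running it prints the two non-compliant NSGs, a deploy entry for nsg-db under NetworkWatcher_chinaeast, and an error for nsg-legacy because the chosen storage account is in chinaeast while that NSG is in chinanorth; re-running with create_remediation_task=False shows both NSGs flagged but nothing deployed, which is what the "Create Remediation task" checkbox controls for resources that already exist.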

Results

To check the results, open the Compliance tab and search for the name of your Assignment. You should see something like the following screenshot once your policy runs. In case your policy hasn't run yet, wait for some time.

Screenshot: DINE policy results

Next steps

  • Use this tutorial to go deeper by using ARM templates to deploy Flow Logs and Traffic Analytics.
  • Learn more about Network Watcher