Traffic Analytics

Traffic Analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. Traffic Analytics analyzes Network Watcher network security group (NSG) flow logs to provide insights into traffic flow in your Azure cloud. With Traffic Analytics, you can:

  • Visualize network activity across your Azure subscriptions and identify hot spots.
  • Identify security threats to your network, and secure it, using information such as open ports, applications attempting internet access, and virtual machines (VMs) connecting to rogue networks.
  • Understand traffic flow patterns across Azure regions and the internet to optimize your network deployment for performance and capacity.
  • Pinpoint network misconfigurations that lead to failed connections in your network.

Note

Traffic Analytics now supports collecting NSG flow log data at a higher frequency of every 10 minutes.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Why traffic analytics?

It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance. Knowing your own environment is of paramount importance to protect and optimize it. You often need to know the current state of the network: who is connecting, where they're connecting from, which ports are open to the internet, what the expected network behavior is, what irregular behavior looks like, and when traffic rises suddenly.

Cloud networks differ from on-premises enterprise networks, where you have routers and switches that support NetFlow or an equivalent protocol and can collect IP network traffic as it enters or exits a network interface. By analyzing traffic flow data, you can build an analysis of network traffic flow and volume.

Azure virtual networks have NSG flow logs, which provide information about ingress and egress IP traffic through a network security group associated with individual network interfaces, VMs, or subnets. By analyzing raw NSG flow logs and adding security, topology, and geography intelligence, Traffic Analytics can provide insights into traffic flow in your environment. Traffic Analytics provides information such as the most communicating hosts, the most communicating application protocols, the most conversing host pairs, allowed/blocked traffic, inbound/outbound traffic, open internet ports, the most blocking rules, and traffic distribution per Azure datacenter, virtual network, subnet, or rogue network.

Key components

  • Network security group (NSG): Contains a list of security rules that allow or deny network traffic to resources connected to an Azure virtual network. NSGs can be associated with subnets, individual VMs (classic), or individual network interfaces (NICs) attached to VMs (Resource Manager). For more information, see Network security group overview.
  • Network security group (NSG) flow logs: Allow you to view information about ingress and egress IP traffic through a network security group. NSG flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis, the NIC the flow applies to, five-tuple information about the flow (source/destination IP address, source/destination port, and protocol), and whether the traffic was allowed or denied. For more information about NSG flow logs, see NSG flow logs.
  • Log Analytics: An Azure service that collects monitoring data and stores it in a central repository. This data can include events, performance data, or custom data provided through the Azure API. Once collected, the data is available for alerting, analysis, and export. Monitoring applications such as Network Performance Monitor and Traffic Analytics are built using Azure Monitor logs as a foundation. For more information, see Azure Monitor logs.
  • Log Analytics workspace: An instance of Azure Monitor logs, where the data pertaining to an Azure account is stored. For more information about Log Analytics workspaces, see Create a Log Analytics workspace.
  • Network Watcher: A regional service that enables you to monitor and diagnose conditions at a network scenario level in Azure. You can turn NSG flow logs on and off with Network Watcher. For more information, see Network Watcher.

How traffic analytics works

Traffic Analytics examines the raw NSG flow logs and captures reduced logs by aggregating common flows that share the same source IP address, destination IP address, destination port, and protocol. For example, Host 1 (IP address 10.10.10.10) communicates with Host 2 (IP address 10.10.20.10) 100 times over a period of 1 hour using a port (for example, 80) and a protocol (for example, HTTP). Instead of 100 entries, the reduced log has one entry stating that Host 1 and Host 2 communicated 100 times over a period of 1 hour using port 80 and protocol HTTP. Reduced logs are enhanced with geography, security, and topology information, and then stored in a Log Analytics workspace. The following picture shows the data flow:
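The reduction step described above, as an added example that is not code from this article or from Azure: it collapses the flow tuples of a constructed version 2 NSG flow log record into one entry per source, destination, destination port, protocol, direction, decision and rule, and then derives the "top talkers" and "denied inbound" views that the dashboards in later sections present. The record layout (the public NSG flow log v2 tuple format), the rule names and all addresses and counters are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample NSG flow log record (not real data). The layout assumed here
# follows the public NSG flow log version 2 format, where each flowTuple is:
# "unixtime,srcIP,dstIP,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),
#  state(B/C/E),packets src->dst,bytes src->dst,packets dst->src,bytes dst->src"
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2020-05-01T10:00:00.0000000Z",
        "resourceId": "/SUBSCRIPTIONS/PLACEHOLDER-SUB/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
        "category": "NetworkSecurityGroupFlowEvent",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_allow-web", "flows": [{"mac": "000D3AF87856", "flowTuples": [
                    "1588327200,10.10.10.10,10.10.20.10,50001,80,T,O,A,B,3,180,2,140",
                    "1588327260,10.10.10.10,10.10.20.10,50002,80,T,O,A,B,3,180,2,140",
                    "1588327320,10.10.10.10,10.10.20.10,50003,80,T,O,A,E,5,400,4,2000",
                ]}]},
                {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
                    "1588327300,203.0.113.7,10.10.10.10,44000,22,T,I,D,B,1,40,0,0",
                    "1588327310,203.0.113.7,10.10.10.10,44001,3389,T,I,D,B,1,40,0,0",
                    "1588327320,203.0.113.7,10.10.10.10,44002,22,T,I,D,B,1,40,0,0",
                ]}]},
            ],
        },
    }]
})


def reduce_flow_log(raw_json):
    """Collapse raw flow tuples into one entry per
    (src IP, dst IP, dst port, protocol, direction, decision, NSG rule).

    The source port is deliberately dropped: it is ephemeral, so every new TCP
    connection would otherwise remain a separate entry. Each reduced entry keeps
    a flow count and, for version 2 logs, the summed packet and byte counters.
    """
    reduced = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for record in json.loads(raw_json)["records"]:
        version = record["properties"].get("Version", 1)
        for rule_block in record["properties"]["flows"]:
            rule = rule_block["rule"]
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    key = (f[1], f[2], int(f[4]), f[5], f[6], f[7], rule)
                    entry = reduced[key]
                    entry["flows"] += 1
                    if version >= 2 and len(f) >= 13:  # v2 adds the four counters
                        entry["packets"] += int(f[9]) + int(f[11])
                        entry["bytes"] += int(f[10]) + int(f[12])
    return dict(reduced)


def top_talkers(reduced, n=5):
    """Rank hosts by total bytes seen as either source or destination (hotspot view)."""
    per_host = defaultdict(int)
    for (src, dst, _port, _proto, _dir, _dec, _rule), stats in reduced.items():
        per_host[src] += stats["bytes"]
        per_host[dst] += stats["bytes"]
    return sorted(per_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_denied_inbound(reduced, n=5):
    """Rank (source IP, destination port, rule) by denied inbound flow count,
    the NSG-hit view a defender uses to see which exposed ports are being probed."""
    per_probe = defaultdict(int)
    for (src, _dst, port, _proto, direction, decision, rule), stats in reduced.items():
        if direction == "I" and decision == "D":
            per_probe[(src, port, rule)] += stats["flows"]
    return sorted(per_probe.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    summary = reduce_flow_log(SAMPLE_FLOW_LOG)
    for key, stats in summary.items():
        print(key, stats)
    print("top talkers:", top_talkers(summary))
    print("denied inbound:", top_denied_inbound(summary))
```

The three web tuples collapse to a single entry with 3 flows and 3040 bytes, which is the same reduction the article describes for its 100-connection example.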

Figure: data flow for NSG flow log processing

Supported regions: NSG

You can use Traffic Analytics for NSGs in any of the following supported regions:

  • China East 2

Supported regions: Log Analytics workspaces

The Log Analytics workspace must exist in one of the following regions:

  • China East 2

Prerequisites

User access requirements

Your account must be a member of one of the following Azure built-in roles:

Deployment model    Role
Resource Manager    Owner
                    Contributor
                    Reader
                    Network Contributor

If your account is not assigned to one of the built-in roles, it must be assigned to a custom role that is assigned the following actions, at the subscription level:

  • "Microsoft.Network/applicationGateways/read"
  • "Microsoft.Network/connections/read"
  • "Microsoft.Network/loadBalancers/read"
  • "Microsoft.Network/localNetworkGateways/read"
  • "Microsoft.Network/networkInterfaces/read"
  • "Microsoft.Network/networkSecurityGroups/read"
  • "Microsoft.Network/publicIPAddresses/read"
  • "Microsoft.Network/routeTables/read"
  • "Microsoft.Network/virtualNetworkGateways/read"
  • "Microsoft.Network/virtualNetworks/read"
  • "Microsoft.Network/expressRouteCircuits/read"

For information on how to check user access permissions, see Traffic analytics FAQ.

Enable Network Watcher

To analyze traffic, you need an existing network watcher, or you must enable a network watcher in each region where you have NSGs whose traffic you want to analyze. Traffic Analytics can be enabled for NSGs hosted in any of the supported regions.

Select a network security group

Before enabling NSG flow logging, you must have a network security group to log flows for. If you don't have a network security group, see Create a network security group to create one.

In the Azure portal, go to Network Watcher, and then select NSG flow logs. Select the network security group that you want to enable an NSG flow log for, as shown in the following picture:

Figure: selecting the NSG for which to enable NSG flow logs

If you try to enable Traffic Analytics for an NSG that is hosted in any region other than the supported regions, you receive a "Not found" error.

Enable flow log settings

Before enabling flow log settings, you must complete the following tasks:

Register the Azure Insights provider, if it's not already registered for your subscription:

Register-AzResourceProvider -ProviderNamespace Microsoft.Insights

If you don't already have an Azure Storage account to store NSG flow logs in, you must create one. You can create a storage account with the command that follows. Before running the command, replace <replace-with-your-unique-storage-account-name> with a name that is unique across all Azure locations, between 3 and 24 characters in length, using only numbers and lower-case letters. You can also change the resource group name, if necessary.

New-AzStorageAccount `
  -Location chinaeast `
  -Name <replace-with-your-unique-storage-account-name> `
  -ResourceGroupName myResourceGroup `
  -SkuName Standard_LRS `
  -Kind StorageV2

Select the following options, as shown in the picture:

  1. Select On for Status.

  2. Select Version 2 for Flow Logs version. Version 2 contains flow-session statistics (bytes and packets).

  3. Select an existing storage account to store the flow logs in. Ensure that your storage account does not have "Data Lake Storage Gen2 Hierarchical Namespace Enabled" set to true.

  4. Set Retention to the number of days you want to store data for. If you want to store the data forever, set the value to 0. You incur Azure Storage fees for the storage account.

  5. Select On for Traffic Analytics Status.

  6. Select a processing interval. Based on your choice, flow logs are collected from the storage account and processed by Traffic Analytics at that interval. You can choose a processing interval of every 1 hour or every 10 minutes.

  7. Select an existing Log Analytics (OMS) workspace, or select Create New Workspace to create a new one. Traffic Analytics uses the Log Analytics workspace to store the aggregated and indexed data that is then used to generate the analytics. If you select an existing workspace, it must exist in one of the supported regions and must have been upgraded to the new query language. If you do not wish to upgrade an existing workspace, or do not have a workspace in a supported region, create a new one.

    Note

    The Log Analytics workspace hosting the Traffic Analytics solution and the NSGs do not have to be in the same region. For example, you may have Traffic Analytics in a workspace in the China East 2 region while you have NSGs in China East and China North. Multiple NSGs can be configured in the same workspace.

  8. Select Save.

    Figure: selecting the storage account and Log Analytics workspace and enabling Traffic Analytics

Repeat the previous steps for any other NSGs for which you wish to enable Traffic Analytics. Data from flow logs is sent to the workspace, so ensure that the local laws and regulations in your country/region permit data storage in the region where the workspace exists. If you have set different processing intervals for different NSGs, data is collected at different intervals. For example, you can choose a processing interval of 10 minutes for critical VNets and 1 hour for noncritical VNets.

You can also configure Traffic Analytics using the Set-AzNetworkWatcherConfigFlowLog PowerShell cmdlet in Azure PowerShell. Run Get-Module -ListAvailable Az to find your installed version. If you need to upgrade, see Install Azure PowerShell module.

View traffic analytics

To view Traffic Analytics, search for Network Watcher in the portal search bar. Once inside Network Watcher, to explore Traffic Analytics and its capabilities, select Traffic Analytics from the left menu.

Figure: accessing the Traffic Analytics dashboard

The dashboard may take up to 30 minutes to appear the first time, because Traffic Analytics must first aggregate enough data to derive meaningful insights before it can generate any reports.

Usage scenarios

Some of the insights you might want to gain after Traffic Analytics is fully configured are as follows:

Find traffic hotspots

Look for

  • Which hosts, subnets, and virtual networks are sending or receiving the most traffic, traversing the most malicious traffic, and blocking significant flows?

    • Check the comparative chart for hosts, subnets, and virtual networks. Understanding which hosts, subnets, and virtual networks are sending or receiving the most traffic can help you identify the hosts that are processing the most traffic, and whether the traffic distribution is done properly.
    • You can then evaluate whether the volume of traffic is appropriate for a host. Is the volume of traffic normal behavior, or does it merit further investigation?
  • How much inbound/outbound traffic is there?

    • Is the host expected to receive more inbound traffic than outbound, or vice versa?
  • Statistics of blocked traffic.

    • Why is a host blocking a significant volume of benign traffic? This behavior requires further investigation and probably optimization of the configuration.
  • Statistics of malicious allowed/blocked traffic.

    • Why is a host receiving malicious traffic, and why are flows from a malicious source allowed? This behavior requires further investigation and probably optimization of the configuration.

      Select See all under Host, as shown in the following picture:

      Figure: dashboard showing details of the hosts processing the most traffic

  • The following picture shows time trending for the top five talking hosts and the flow-related details (allowed inbound/outbound and denied inbound/outbound flows) for a host:

    Figure: trends for the top five talking hosts

Look for

  • Which are the most conversing host pairs?

    • Expected behavior, such as front-end to back-end communication, or irregular behavior, such as back-end internet traffic.
  • Statistics of allowed/blocked traffic.

    • Why is a host allowing or blocking a significant traffic volume?
  • The most frequently used application protocols among the most conversing host pairs:

    • Are these applications allowed on this network?

    • Are the applications configured properly? Are they using the appropriate protocol for communication? Select See all under Frequent conversation, as shown in the following picture:

      Figure: dashboard showing the most frequent conversations

  • The following picture shows time trending for the top five conversations and the flow-related details, such as allowed and denied inbound and outbound flows, for a conversation pair:

    Figure: details and trends for the top five conversations

Look for

  • Which application protocol is most used in your environment, and which conversing host pairs are using that application protocol the most?

    • Are these applications allowed on this network?

    • Are the applications configured properly? Are they using the appropriate protocol for communication? Expected behavior is common ports such as 80 and 443. If any unusual ports are displayed for standard communication, they might require a configuration change. Select See all under Application port, as shown in the following picture:

      Figure: dashboard showing the most used application protocols

  • The following pictures show time trending for the top five L7 protocols and the flow-related details (for example, allowed and denied flows) for an L7 protocol:

    Figure: details and trends for the top five layer 7 protocols

    Figure: flow details for an application protocol in log search

Look for

  • Capacity utilization trends of a VPN gateway in your environment.

    • Each VPN SKU allows a certain amount of bandwidth. Are the VPN gateways underutilized?
    • Are your gateways reaching capacity? Should you upgrade to the next higher SKU?
  • Which are the most conversing hosts, via which VPN gateway, over which port?

    • Is this pattern normal? Select See all under VPN gateway, as shown in the following picture:

      Figure: dashboard showing the most active VPN connections

  • The following picture shows time trending for capacity utilization of an Azure VPN gateway and the flow-related details (such as allowed flows and ports):

    Figure: VPN gateway utilization trend and flow details

Visualize traffic distribution by geography

Look for

  • Traffic distribution per data center, such as the top sources of traffic to a data center, the top rogue networks conversing with the data center, and the top conversing application protocols.

    • If you observe more load on a data center, you can plan for efficient traffic distribution.

    • If rogue networks are conversing with the data center, correct the NSG rules to block them.

      Select View map under Your environment, as shown in the following picture:

      Figure: dashboard showing traffic distribution

  • The geo-map shows a top ribbon for selecting parameters such as data centers (Deployed/No-deployment/Active/Inactive/Traffic Analytics Enabled/Traffic Analytics Not Enabled) and countries/regions contributing benign/malicious traffic to the active deployment:

    Figure: geo-map view showing active deployments

  • The geo-map shows the traffic distribution to a data center from the countries/regions and continents communicating with it, with blue lines for benign traffic and red lines for malicious traffic:

    Figure: geo-map view showing traffic distribution across countries/regions and continents

    Figure: flow details for traffic distribution in log search

Visualize traffic distribution by virtual networks

Look for

  • Traffic distribution per virtual network, topology, top sources of traffic to the virtual network, top rogue networks conversing with the virtual network, and top conversing application protocols.

    • Knowing which virtual network is conversing with which virtual network. If the conversation is not expected, it can be corrected.

    • If rogue networks are conversing with a virtual network, you can correct the NSG rules to block the rogue networks.

      Select View VNets under Your environment, as shown in the following picture:

      Figure: dashboard showing virtual network distribution

  • The virtual network topology shows a top ribbon for selecting parameters such as a virtual network's connections (inter-virtual-network connections/Active/Inactive), external connections, active flows, and malicious flows of the virtual network.

  • You can filter the virtual network topology based on subscriptions, workspaces, resource groups, and time interval. Additional filters that help you understand the flows are: Flow Type (InterVNet, IntraVNET, and so on), Flow Direction (Inbound, Outbound), Flow Status (Allowed, Blocked), VNETs (Targeted and Connected), Connection Type (Peering or Gateway - P2S and S2S), and NSG. Use these filters to focus on the VNets that you want to examine in detail.

  • The virtual network topology shows the traffic distribution to a virtual network with regard to flows (Allowed/Blocked/Inbound/Outbound/Benign/Malicious), application protocol, and network security groups, for example:

    Figure: virtual network topology showing traffic distribution and flow details

    Figure: virtual network topology showing the top level and more filters

    Figure: flow details for virtual network traffic distribution in log search

Look for

  • Traffic distribution per subnet, topology, top sources of traffic to the subnet, top rogue networks conversing with the subnet, and top conversing application protocols.

    • Knowing which subnet is conversing with which subnet. If you see unexpected conversations, you can correct your configuration.
    • If rogue networks are conversing with a subnet, you can correct it by configuring NSG rules to block the rogue networks.
  • The subnet topology shows a top ribbon for selecting parameters such as Active/Inactive subnets, external connections, active flows, and malicious flows of the subnet.

  • The subnet topology shows the traffic distribution to a virtual network with regard to flows (Allowed/Blocked/Inbound/Outbound/Benign/Malicious), application protocol, and NSGs, for example:

    Figure: subnet topology showing flow-related traffic distribution for a virtual network's subnets

Look for

Traffic distribution per application gateway and load balancer, topology, top sources of traffic, top rogue networks conversing with the application gateway and load balancer, and top conversing application protocols.

  • Knowing which subnet is conversing with which application gateway or load balancer. If you observe unexpected conversations, you can correct your configuration.

  • If rogue networks are conversing with an application gateway or load balancer, you can correct it by configuring NSG rules to block the rogue networks.

    Figure: subnet topology showing flow-related traffic distribution for an application gateway subnet

View ports and virtual machines receiving traffic from the internet

Look for

  • Which open ports are conversing over the internet?
    • If unexpected ports are found open, you can correct your configuration:

      Figure: dashboard showing ports receiving and sending traffic to the internet

      Figure: details of Azure destination ports and hosts

Look for

Do you have malicious traffic in your environment? Where is it originating from? Where is it destined to?

Figure: malicious traffic flow details in log search

Look for

  • Which NSGs/NSG rules have the most hits in the comparative chart with flow distribution?

  • What are the top source and destination conversation pairs per NSG/NSG rule?

    Figure: dashboard showing NSG hit statistics

  • The following pictures show time trending for hits of NSG rules and source-destination flow details for a network security group:

    • Quickly detect which NSGs and NSG rules are traversing malicious flows and which are the top malicious IP addresses accessing your cloud environment.

    • Identify which NSGs/NSG rules are allowing/blocking significant network traffic.

    • Select the top filters for granular inspection of an NSG or NSG rules.

      Figure: time trends of NSG rule hits and the most-hit NSG rules

      Figure: detailed statistics for the most-hit NSG rules in log search

Frequently asked questions

To get answers to frequently asked questions, see Traffic analytics FAQ.

Next steps