Allow access to Azure Service Bus namespace from specific IP addresses or ranges

By default, Service Bus namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With the IP firewall, you can restrict access further to a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation.

This feature is helpful in scenarios in which Azure Service Bus should be accessible only from certain well-known sites. Firewall rules enable you to accept traffic originating from specific IPv4 addresses. For example, if you use Service Bus with Azure ExpressRoute, you can create a firewall rule to allow traffic only from your on-premises infrastructure IP addresses or from the addresses of a corporate NAT gateway.

Important

Firewalls and virtual networks are supported only in the premium tier of Service Bus. If upgrading to the premium tier isn't an option, we recommend that you keep the Shared Access Signature (SAS) token secure and share it only with authorized users. For information about SAS authentication, see Authentication and authorization.

IP firewall rules

IP firewall rules are applied at the Service Bus namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that doesn't match an allowed IP rule on the Service Bus namespace is rejected as unauthorized. The response doesn't mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.

Warning

Implementing firewall rules can prevent other Azure services from interacting with Service Bus.

Trusted Azure services are not supported when IP filtering (firewall rules) is implemented; support will be made available soon.

Common Azure scenarios that don't work with IP filtering (note that the list is not exhaustive):

  • Integration with Azure Event Grid
  • Azure IoT Hub Routes
  • Azure IoT Device Explorer

The following Azure services are required to be on a virtual network:

  • Azure App Service
  • Azure Functions
  • Azure Monitor (diagnostic setting)

Use Azure portal

This section shows you how to use the Azure portal to create IP firewall rules for a Service Bus namespace.

  1. Navigate to your Service Bus namespace in the Azure portal.

  2. On the left menu, select the Networking option under Settings.

    Note

    You see the Networking tab only for premium namespaces.

    By default, the Selected networks option is selected. If you don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over the public internet (using the access key).

    Networking page - default

    If you select the All networks option, your Service Bus namespace accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

    Firewall - All networks option selected

  3. To allow access only from specified IP addresses, select the Selected networks option if it isn't already selected. In the Firewall section, follow these steps:

    1. Select the Add your client IP address option to give your current client IP access to the namespace.

    2. For Address range, enter a specific IPv4 address or a range of IPv4 addresses in CIDR notation.

    3. Specify whether you want to allow trusted Microsoft services to bypass this firewall.

      Warning

      If you choose the Selected networks option and don't specify an IP address or address range, the service allows traffic from all networks.

      Firewall - All networks option selected

  4. Select Save on the toolbar to save the settings. Wait a few minutes for the confirmation to show up in the portal notifications.

    Note

    To restrict access to specific virtual networks, see Allow access from specific networks.

Use Resource Manager template

This section has a sample Azure Resource Manager template that creates a virtual network and a firewall rule.

The following Resource Manager template enables adding a virtual network rule to an existing Service Bus namespace.

Template parameters:

  • ipMask is a single IPv4 address or a block of IP addresses in CIDR notation. For example, in CIDR notation 70.37.104.0/24 represents the 256 IPv4 addresses from 70.37.104.0 to 70.37.104.255, with 24 indicating the number of significant prefix bits for the range.

Note

While no deny rules are possible, the Azure Resource Manager template has the default action set to "Allow", which doesn't restrict connections. When making virtual network or firewall rules, you must change the "defaultAction" from

"defaultAction": "Allow"

to

"defaultAction": "Deny"

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "servicebusNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Service Bus namespace"
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for Namespace"
      }
    }
  },
  "variables": {
    "namespaceNetworkRuleSetName": "[concat(parameters('servicebusNamespaceName'), concat('/', 'default'))]"
  },
  "resources": [
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[parameters('servicebusNamespaceName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Premium",
        "tier": "Premium"
      },
      "properties": { }
    },
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[variables('namespaceNetworkRuleSetName')]",
      "type": "Microsoft.ServiceBus/namespaces/networkruleset",
      "dependsOn": [
        "[concat('Microsoft.ServiceBus/namespaces/', parameters('servicebusNamespaceName'))]"
      ],
      "properties": {
        "virtualNetworkRules": [<YOUR EXISTING VIRTUAL NETWORK RULES>],
        "ipRules": [
          {
            "ipMask": "10.1.1.1",
            "action": "Allow"
          },
          {
            "ipMask": "11.0.0.0/24",
            "action": "Allow"
          }
        ],
        "trustedServiceAccessEnabled": false,
        "defaultAction": "Deny"
      }
    }
  ],
  "outputs": { }
}

To deploy the template, follow the instructions for Azure Resource Manager.

Next steps

For constraining access to Service Bus to Azure virtual networks, see the following link:
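The following Python snippet is an added example, not code from this article or from Microsoft. It takes a network rule set in the shape of the template's "properties" object (the sample rule set is constructed), evaluates a client IP the way the page describes (rules in order, first match wins, otherwise defaultAction), and audits the settings this page warns about: defaultAction left at "Allow", no IP or virtual network rules at all, or an allow rule equivalent to 0.0.0.0/0.

```python
import ipaddress
import json

# Constructed sample: the "properties" object of a Service Bus namespace
# network rule set, in the shape used by the Resource Manager template above.
SAMPLE_RULESET = json.loads("""
{
  "virtualNetworkRules": [],
  "ipRules": [
    {"ipMask": "10.1.1.1", "action": "Allow"},
    {"ipMask": "11.0.0.0/24", "action": "Allow"}
  ],
  "trustedServiceAccessEnabled": false,
  "defaultAction": "Deny"
}
""")


def evaluate_client(ruleset, client_ip):
    """Return the action ('Allow' or 'Deny') for client_ip.

    Rules are checked in list order and the first matching ipMask decides;
    if nothing matches, defaultAction applies (Allow when absent)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in ruleset.get("ipRules", []):
        # A bare IPv4 address such as "10.1.1.1" is treated as a /32.
        if ip in ipaddress.ip_network(rule["ipMask"], strict=False):
            return rule["action"]
    return ruleset.get("defaultAction", "Allow")


def audit_ruleset(ruleset):
    """Return findings for settings that leave the namespace reachable from
    the public internet; an empty list means the rule set restricts access."""
    findings = []
    ip_rules = ruleset.get("ipRules", [])
    vnet_rules = ruleset.get("virtualNetworkRules", [])
    if ruleset.get("defaultAction", "Allow") != "Deny":
        findings.append("defaultAction is not Deny: rules do not restrict anything")
    if not ip_rules and not vnet_rules:
        findings.append("no ipRules or virtualNetworkRules: open to all networks")
    for rule in ip_rules:
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        if rule["action"] == "Allow" and net.num_addresses == 2 ** 32:
            findings.append("ipRule %s allows every IPv4 address" % rule["ipMask"])
    return findings
```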