Allow access to Azure Service Bus namespace from specific virtual networks

The integration of Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabilities from workloads like virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

Once configured to be bound to at least one virtual network subnet service endpoint, the respective Service Bus namespace will no longer accept traffic from anywhere but authorized virtual network(s) and, optionally, specific internet IP addresses. From the virtual network perspective, binding a Service Bus namespace to a service endpoint configures an isolated networking tunnel from the virtual network subnet to the messaging service.

The result is a private and isolated relationship between the workloads bound to the subnet and the respective Service Bus namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range.

Warning

Implementing virtual network integration can prevent other Azure services from interacting with Service Bus.

Trusted Azure services are not supported when virtual networks are implemented.

Common Azure scenarios that don't work with virtual networks (note that the list is NOT exhaustive):

  • Integration with Azure Event Grid
  • Azure IoT Hub Routes
  • Azure IoT Device Explorer

The following Azure services must be on a virtual network:

  • Azure App Service
  • Azure Functions
  • Azure Monitor (diagnostic setting)

Important

Virtual networks are supported only in Premium tier Service Bus namespaces.

When using VNet service endpoints with Service Bus, you should not enable these endpoints in applications that mix Standard and Premium tier Service Bus namespaces, because the Standard tier does not support VNets; the endpoint is restricted to Premium tier namespaces only.

Advanced security scenarios enabled by VNet integration

Solutions that require tight and compartmentalized security, where virtual network subnets provide the segmentation between the compartmentalized services, generally still need communication paths between the services residing in those compartments.

Any immediate IP route between the compartments, including those carrying HTTPS over TCP/IP, carries the risk of exploitation of vulnerabilities from the network layer on up. Messaging services provide completely insulated communication paths, where messages are even written to disk as they transition between parties. Workloads in two distinct virtual networks that are both bound to the same Service Bus instance can communicate efficiently and reliably via messages, while the integrity of each network isolation boundary is preserved.

That means your security-sensitive cloud solutions not only gain access to Azure's industry-leading reliable and scalable asynchronous messaging capabilities, but can now use messaging to create communication paths between secure solution compartments that are inherently more secure than what is achievable with any peer-to-peer communication mode, including HTTPS and other TLS-secured socket protocols.

Binding Service Bus to Virtual Networks

Virtual network rules are the firewall security feature that controls whether your Azure Service Bus server accepts connections from a particular virtual network subnet.

Binding a Service Bus namespace to a virtual network is a two-step process. You first need to create a virtual network service endpoint on a virtual network subnet and enable it for Microsoft.ServiceBus, as explained in the service endpoint overview. Once you have added the service endpoint, you bind the Service Bus namespace to it with a virtual network rule.

The virtual network rule is an association of the Service Bus namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Service Bus namespace. Service Bus itself never establishes outbound connections, does not need to gain access, and is therefore never granted access to your subnet by enabling this rule.

Use Azure portal

This section shows you how to use the Azure portal to add a virtual network service endpoint. To limit access, you need to integrate the virtual network service endpoint for this Service Bus namespace.

  1. Navigate to your Service Bus namespace in the Azure portal.

  2. On the left menu, select the Networking option under Settings.

    Note

    You see the Networking tab only for Premium namespaces.

    By default, the Selected networks option is selected. If you don't add at least one IP firewall rule or a virtual network on this page, the namespace can be accessed over the public internet (using the access key).

    (Image: Networking page, default)

    If you select the All networks option, your Service Bus namespace accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

    (Image: Firewall, All networks option selected)

  3. To restrict access to specific virtual networks, select the Selected networks option if it isn't already selected.

  4. In the Virtual Network section of the page, select +Add existing virtual network.

    (Image: Add existing virtual network)

  5. Select the virtual network from the list of virtual networks, and then pick the subnet. You have to enable the service endpoint before adding the virtual network to the list. If the service endpoint isn't enabled, the portal will prompt you to enable it.

    (Image: Select subnet)

  6. You should see the following success message after the service endpoint for the subnet is enabled for Microsoft.ServiceBus. Select Add at the bottom of the page to add the network.

    (Image: Select subnet and enable endpoint)

    Note

    If you are unable to enable the service endpoint, you may ignore the missing virtual network service endpoint using the Resource Manager template. This functionality is not available in the portal.

  7. Select Save on the toolbar to save the settings. Wait for a few minutes for the confirmation to show up in the portal notifications. The Save button should be disabled.

    (Image: Save network)

    Note

    For instructions on allowing access from specific IP addresses or ranges, see Allow access from specific IP addresses or ranges.

Use Resource Manager template

The following Resource Manager template enables adding a virtual network rule to an existing Service Bus namespace.

Template parameters:

  • namespaceName: Service Bus namespace.
  • virtualNetworkingSubnetId: Fully qualified Resource Manager path for the virtual network subnet; for example, /subscriptions/{id}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/default for the default subnet of a virtual network.

Note

While there are no deny rules possible, the Azure Resource Manager template has the default action set to "Allow", which doesn't restrict connections. When making virtual network or firewall rules, you must change the "defaultAction"

from

"defaultAction": "Allow"

to

"defaultAction": "Deny"

Template:

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "servicebusNamespaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Service Bus namespace"
      }
    },
    "virtualNetworkName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Virtual Network Rule"
      }
    },
    "subnetName": {
      "type": "string",
      "metadata": {
        "description": "Name of the Virtual Network Sub Net"
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Location for Namespace"
      }
    }
  },
  "variables": {
    "namespaceNetworkRuleSetName": "[concat(parameters('servicebusNamespaceName'), concat('/', 'default'))]",
    "subNetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets/', parameters('virtualNetworkName'), parameters('subnetName'))]"
  },
  "resources": [
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[parameters('servicebusNamespaceName')]",
      "type": "Microsoft.ServiceBus/namespaces",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Premium",
        "tier": "Premium"
      },
      "properties": { }
    },
    {
      "apiVersion": "2017-09-01",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "type": "Microsoft.Network/virtualNetworks",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/23"
          ]
        },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "10.0.0.0/23",
              "serviceEndpoints": [
                {
                  "service": "Microsoft.ServiceBus"
                }
              ]
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2018-01-01-preview",
      "name": "[variables('namespaceNetworkRuleSetName')]",
      "type": "Microsoft.ServiceBus/namespaces/networkruleset",
      "dependsOn": [
        "[concat('Microsoft.ServiceBus/namespaces/', parameters('servicebusNamespaceName'))]"
      ],
      "properties": {
        "virtualNetworkRules": [
          {
            "subnet": {
              "id": "[variables('subNetId')]"
            },
            "ignoreMissingVnetServiceEndpoint": false
          }
        ],
        "ipRules": [<YOUR EXISTING IP RULES>],
        "trustedServiceAccessEnabled": false,
        "defaultAction": "Deny"
      }
    }
  ],
  "outputs": { }
}

To deploy the template, follow the instructions for Azure Resource Manager.

Next steps

For more information about virtual networks, see the following links:
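The note above warns that a networkruleset left at the Resource Manager default of "Allow" restricts nothing, and the portal section notes that an all-networks setting is the same as an ipRule for 0.0.0.0/0. The following added audit (example code, not from the page or from Azure) reads an ARM template as JSON and reports those weak settings, a non-Premium tier, and rules that ignore a missing Microsoft.ServiceBus endpoint; the two sample templates are constructed for the demo.

```python
import json

# Constructed samples, not the page's template: the "Allow" default the note
# warns about, on a Standard namespace, and the hardened equivalent.
WEAK = json.loads("""{"resources": [
 {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-demo",
  "sku": {"name": "Standard", "tier": "Standard"}},
 {"type": "Microsoft.ServiceBus/namespaces/networkruleset", "name": "sb-demo/default",
  "properties": {"virtualNetworkRules": [],
                 "ipRules": [{"ipMask": "0.0.0.0/0", "action": "Allow"}],
                 "defaultAction": "Allow"}}]}""")
HARDENED = json.loads("""{"resources": [
 {"type": "Microsoft.ServiceBus/namespaces", "name": "sb-demo",
  "sku": {"name": "Premium", "tier": "Premium"}},
 {"type": "Microsoft.ServiceBus/namespaces/networkruleset", "name": "sb-demo/default",
  "properties": {"virtualNetworkRules": [{"subnet": {"id": "<subnet-resource-id>"},
                                          "ignoreMissingVnetServiceEndpoint": false}],
                 "ipRules": [], "trustedServiceAccessEnabled": false,
                 "defaultAction": "Deny"}}]}""")

def audit_service_bus_network(template):
    """Return findings for the namespace and networkruleset resources of an ARM template."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type", "").lower(), res.get("name", "?")
        if rtype == "microsoft.servicebus/namespaces":
            tier = res.get("sku", {}).get("tier", "")
            if tier.lower() != "premium":  # VNet rules exist only on Premium
                findings.append(f"{name}: tier '{tier}' does not support virtual network rules")
        elif rtype == "microsoft.servicebus/namespaces/networkruleset":
            props = res.get("properties", {})
            vnet_rules = props.get("virtualNetworkRules", [])
            ip_rules = props.get("ipRules", [])
            if props.get("defaultAction", "Allow") != "Deny":  # ARM default is Allow
                findings.append(f"{name}: defaultAction is not Deny, so the rules restrict nothing")
            if not vnet_rules and not ip_rules:
                findings.append(f"{name}: no virtual network or IP rules; defaultAction decides all access")
            for rule in ip_rules:
                if rule.get("ipMask") == "0.0.0.0/0":  # same as accepting all networks
                    findings.append(f"{name}: ipRule 0.0.0.0/0 admits every address")
            for rule in vnet_rules:
                if rule.get("ignoreMissingVnetServiceEndpoint"):
                    findings.append(f"{name}: a rule ignores a missing Microsoft.ServiceBus endpoint")
    return findings

if __name__ == "__main__":
    print("weak:", audit_service_bus_network(WEAK))
    print("hardened:", audit_service_bus_network(HARDENED))
```

Run it over the template on this page (with the ipRules placeholder filled in) before deploying; an empty findings list means the Deny default and Premium tier the page requires are both in place.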