Configure Azure Storage firewalls and virtual networks

Azure Storage provides a layered security model. This model enables you to secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks used. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges, or from a list of subnets in an Azure Virtual Network (VNet).

Storage accounts have a public endpoint that is accessible through the internet. You can also create Private Endpoints for your storage account, which assigns a private IP address from your VNet to the storage account and secures all traffic between your VNet and the storage account over a private link. The Azure Storage firewall provides access control for the public endpoint of your storage account. You can also use the firewall to block all access through the public endpoint when using private endpoints. Your storage firewall configuration also enables select trusted Azure platform services to access the storage account securely.

An application that accesses a storage account when network rules are in effect still requires proper authorization for the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.

Important

Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

You can grant access to Azure services that operate from within a VNet by allowing traffic from the subnet hosting the service instance. You can also enable a limited number of scenarios through the Exceptions mechanism described below. To access data from the storage account through the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Scenarios

To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific VNets. You can also configure rules to grant access to traffic from select public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration enables you to build a secure network boundary for your applications.

You can combine firewall rules that allow access from specific virtual networks and from public IP address ranges on the same storage account. Storage firewall rules can be applied to existing storage accounts, or when creating new storage accounts.

Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.

Network rules are enforced on all network protocols to Azure Storage, including REST and SMB. To access data using tools such as the Azure portal, Storage Explorer, and AzCopy, explicit network rules must be configured.

Once network rules are applied, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but don't grant new access beyond configured network rules.

Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules.

Classic storage accounts do not support firewalls and virtual networks.

You can use unmanaged disks in storage accounts with network rules applied to back up and restore VMs by creating an exception. This process is documented in the Exceptions section of this article. Firewall exceptions aren't applicable to managed disks, as they're already managed by Azure.
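The evaluation order this section describes (default action first, then the exceptions, the virtual network rules and the IP rules, with IP rules never matching same-region traffic) can be rehearsed locally before a rule set is applied. The following is an added example written for this page, not Azure's implementation and not Azure SDK code: it is a simplified model of the decision using constructed rule sets and requests, and the subscription ID and subnet resource ID in it are placeholders.

```python
"""Simplified local model of the Azure Storage firewall decision for requests
arriving at a storage account's public endpoint. Added illustration of the rules
described in the article, not Azure's implementation."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import ipaddress


@dataclass
class NetworkRuleSet:
    """Mirrors the settings the article manages: DefaultAction, IP rules, VNet rules, Bypass."""
    default_action: str = "Allow"                        # "Allow" or "Deny"
    ip_rules: List[str] = field(default_factory=list)    # public IPv4 addresses or CIDR ranges
    vnet_rules: List[str] = field(default_factory=list)  # fully qualified subnet resource IDs
    bypass: Set[str] = field(default_factory=set)        # subset of {"AzureServices", "Logging", "Metrics"}


@dataclass
class Request:
    source_ip: Optional[str] = None   # public source address, if the request comes over the internet
    subnet_id: Optional[str] = None   # subnet identity carried by a service endpoint, if any
    same_region: bool = False         # caller runs in the same Azure region as the account
    kind: str = "data"                # "data", "trusted-service", "logging" or "metrics"


# Which Bypass value admits which kind of traffic (the "Exceptions" in the portal).
BYPASS_FOR_KIND = {"trusted-service": "AzureServices", "logging": "Logging", "metrics": "Metrics"}


def evaluate(rules: NetworkRuleSet, req: Request) -> str:
    """Return 'allowed:<reason>' or 'denied:<reason>' for one request.

    Network-level admission only: an admitted request still needs Azure AD,
    account key or SAS authorization, exactly as the article states."""
    # 1. With the default action left at Allow, rules and exceptions have no effect.
    if rules.default_action != "Deny":
        return "allowed:default-allow"
    # 2. Exceptions admit trusted services, logging and metrics traffic from any network.
    needed = BYPASS_FOR_KIND.get(req.kind)
    if needed and needed in rules.bypass:
        return f"allowed:bypass-{needed}"
    # 3. Virtual network rules match the subnet identity transmitted with the request.
    if req.subnet_id and req.subnet_id.lower() in {r.lower() for r in rules.vnet_rules}:
        return "allowed:vnet-rule"
    # 4. IP rules apply to public internet addresses only; same-region traffic reaches the
    #    account over private Azure addresses, so IP rules never match it.
    if req.source_ip and not req.same_region:
        src = ipaddress.ip_address(req.source_ip)
        for rule in rules.ip_rules:
            if src in ipaddress.ip_network(rule, strict=False):
                return f"allowed:ip-rule-{rule}"
    return "denied:default-deny"


# Constructed rule set: placeholder subscription and resource names, not real identifiers.
SUBNET_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup"
             "/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet")
LOCKED_DOWN = NetworkRuleSet(default_action="Deny", ip_rules=["16.17.18.0/24"],
                             vnet_rules=[SUBNET_ID], bypass={"Logging", "Metrics"})


def demo() -> dict:
    """Run representative requests against the constructed rule set and against the defaults."""
    cases = {
        "internet client inside the IP range": Request(source_ip="16.17.18.19"),
        "internet client outside the range": Request(source_ip="16.17.19.1"),
        "service endpoint from the allowed subnet": Request(subnet_id=SUBNET_ID),
        "same-region caller matching the IP range": Request(source_ip="16.17.18.19", same_region=True),
        "Azure Monitor writing logs": Request(source_ip="203.0.113.5", kind="logging"),
        "trusted service without AzureServices bypass": Request(kind="trusted-service"),
    }
    results = {name: evaluate(LOCKED_DOWN, req) for name, req in cases.items()}
    # Same IP rule, but the default action was never changed: the rule is inert.
    results["rules with default action Allow"] = evaluate(
        NetworkRuleSet(ip_rules=["16.17.18.0/24"]), Request(source_ip="16.17.19.1"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:48s} -> {outcome}")
```

The last case in `demo()` is the one the "Important" notes later in this article warn about: an IP rule on an account whose default action is still Allow admits everything, so the rule changes nothing.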

Change the default network access rule

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Warning

Making changes to network rules can impact your applications' ability to connect to Azure Storage. Setting the default network rule to deny blocks all access to the data unless specific network rules that grant access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

Managing default network access rules

You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.

  4. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. Display the status of the default rule for the storage account.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").DefaultAction
    
  3. Set the default rule to deny network access by default.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny
    
  4. Set the default rule to allow network access by default.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow
    

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the status of the default rule for the storage account.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.defaultAction
    
  3. Set the default rule to deny network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny
    
  4. Set the default rule to allow network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
    

Grant access from a virtual network

You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription, or to one in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

Enable a service endpoint for Azure Storage within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data.

Each storage account supports up to 200 virtual network rules, which may be combined with IP network rules.

Available virtual network regions

In general, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, this scope grows to include the paired region. Service endpoints allow continuity during a regional failover and access to read-access geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.

Note

Service endpoints don't apply to traffic outside the region of the virtual network and the designated region pair. You can only apply network rules granting access from virtual networks to storage accounts in the primary region of a storage account or in the designated paired region.

Required permissions

To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets being added. The permission needed is Join Service to a Subnet and is included in the Storage Account Contributor built-in role. It can also be added to custom role definitions.

The storage account and the virtual networks granted access may be in different subscriptions, including subscriptions that are part of a different Azure AD tenant.

Note

Configuration of rules that grant access to subnets in virtual networks that are part of a different Azure Active Directory tenant is currently only supported through PowerShell, CLI and REST APIs. Such rules cannot be configured through the Azure portal, though they may be viewed in the portal.

Managing virtual network rules

You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select the Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access, click Add new virtual network. Provide the information necessary to create the new virtual network, and then click Create.

    Note

    If a service endpoint for Azure Storage wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation.

    Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, please use PowerShell, CLI or REST APIs.

  5. To remove a virtual network or subnet rule, click ... to open the context menu for the virtual network or subnet, and click Remove.

  6. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. List virtual network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").VirtualNetworkRules
    
  3. Enable the service endpoint for Azure Storage on an existing virtual network and subnet.

    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage" | Set-AzVirtualNetwork
    
  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
    

    Tip

    To add a network rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully qualified VirtualNetworkResourceId parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".

  5. Remove a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List virtual network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query virtualNetworkRules
    
  3. Enable the service endpoint for Azure Storage on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage"
    
  4. Add a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet "$subnetid"
    

    Tip

    To add a rule for a subnet in a VNet belonging to another Azure AD tenant, use a fully qualified subnet ID in the form "/subscriptions/<subscription-ID>/resourceGroups/<resourceGroup-Name>/providers/Microsoft.Network/virtualNetworks/<vNet-name>/subnets/<subnet-name>".

    You can use the --subscription parameter to retrieve the subnet ID for a VNet belonging to another Azure AD tenant.

  5. Remove a network rule for a virtual network and subnet.

    subnetid=$(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet "$subnetid"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

Grant access from an internet IP range

You can configure storage accounts to allow access from specific public internet IP address ranges. This configuration grants access to specific internet-based services and on-premises networks and blocks general internet traffic.

Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.

Note

Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules.

IP network rules are only allowed for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules. Private networks include addresses that start with 10.*, 172.16.* - 172.31.*, and 192.168.*.

Note

IP network rules have no effect on requests originating from the same Azure region as the storage account. Use virtual network rules to allow same-region requests.

Note

Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range.

Only IPv4 addresses are supported for configuration of storage firewall rules.

Each storage account supports up to 200 IP network rules.
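The constraints listed above (IPv4 only, CIDR ranges or single addresses, no /31 or /32 ranges, no RFC 1918 space, at most 200 rules per account) are easy to check before a rule list is submitted with Add-AzStorageAccountNetworkRule or `az storage account network-rule add`. The validator below is an added example written for this page, not part of Azure PowerShell or the Azure CLI; the candidate addresses in it are constructed.

```python
"""Pre-flight validation of IP network rules for an Azure Storage firewall.
Added example, not part of Azure PowerShell or the Azure CLI: it applies the
constraints the article states (IPv4 only, CIDR or single address, no /31 or /32
ranges, no RFC 1918 space, at most 200 rules) before the rules are submitted."""
import ipaddress
from typing import List

MAX_IP_RULES = 200
# RFC 1918 space, which the storage firewall rejects in IP rules.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_ip_rule(rule: str) -> List[str]:
    """Return the problems with one rule; an empty list means it is acceptable."""
    try:
        # strict=True rejects ranges with host bits set, such as 16.17.18.19/24.
        net = ipaddress.ip_network(rule, strict=True)
    except ValueError:
        return [f"{rule}: not a valid IP address or CIDR range (host bits must be zero)"]
    if net.version != 4:
        return [f"{rule}: only IPv4 addresses are supported"]
    problems = []
    # A bare address such as 16.17.18.19 is an individual IP rule and is fine;
    # writing the same thing as 16.17.18.19/32 (or a /31) is rejected by the service.
    if "/" in rule and net.prefixlen >= 31:
        problems.append(f"{rule}: /31 and /32 ranges are not supported; "
                        "configure the address as an individual IP rule instead")
    if any(net.overlaps(private) for private in RFC1918):
        problems.append(f"{rule}: RFC 1918 private address space is not allowed in IP rules")
    return problems


def validate_ip_rules(rules: List[str]) -> List[str]:
    """Validate a whole rule list: per-rule checks, duplicates and the per-account limit."""
    problems: List[str] = []
    seen = set()
    for rule in rules:
        problems.extend(check_ip_rule(rule))
        if rule in seen:
            problems.append(f"{rule}: duplicate rule")
        seen.add(rule)
    if len(seen) > MAX_IP_RULES:
        problems.append(f"{len(seen)} distinct rules exceed the limit of "
                        f"{MAX_IP_RULES} IP rules per storage account")
    return problems


if __name__ == "__main__":
    # Constructed candidate list mixing acceptable and rejected entries.
    candidates = ["16.17.18.0/24", "16.17.18.19", "16.17.18.19/32", "192.168.1.0/24",
                  "2001:db8::1", "16.17.18.19/24", "16.17.18.19"]
    for problem in validate_ip_rules(candidates):
        print(problem)
```

The RFC 1918 test uses `overlaps` rather than `subnet_of` so that a range wider than the private block (for example 10.0.0.0/7) is also rejected, and `is_private` from the standard library is deliberately not used because it covers more than the three RFC 1918 blocks the article names.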

Configuring access from on-premises networks

To grant access from your on-premises networks to your storage account with an IP network rule, you must identify the internet-facing IP addresses used by your network. Contact your network administrator for help.

If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you will need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses, applied to Azure service traffic when the traffic enters the Azure network backbone. For Microsoft peering, the NAT IP addresses used are either customer provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. Learn more about NAT for ExpressRoute public and Microsoft peering.

Managing IP network rules

You can manage IP network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.

  5. To remove an IP network rule, click the trash can icon next to the address range.

  6. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. List IP network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules
    
  3. Add a network rule for an individual IP address.

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
    
  4. Add a network rule for an IP address range.

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
    
  5. Remove a network rule for an individual IP address.

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"
    
  6. Remove a network rule for an IP address range.

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List IP network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules
    
  3. Add a network rule for an individual IP address.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
    
  4. Add a network rule for an IP address range.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
    
  5. Remove a network rule for an individual IP address.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"
    
  6. Remove a network rule for an IP address range.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"
    

Important

Be sure to set the default rule to deny, or network rules have no effect.

Exceptions

Network rules help to create a secure environment for connections between your applications and your data for most scenarios. However, some applications depend on Azure services that cannot be uniquely isolated through virtual network or IP address rules. Such services must still be granted access to storage to enable full application functionality. In such situations, you can use the Allow trusted Microsoft services... setting to enable such services to access your data, logs, or analytics.

Trusted Microsoft services

Some Microsoft services operate from networks that can't be included in your network rules. You can grant a subset of such trusted Microsoft services access to the storage account, while maintaining network rules for other apps. These trusted services will then use strong authentication to connect to your storage account securely. We've enabled two modes of trusted access for Microsoft services.

  • Resources of some services, when registered in your subscription, can access your storage account in the same subscription for select operations, such as writing logs or backup.
  • Resources of some services can be granted explicit access to your storage account by assigning an Azure role to their system-assigned managed identity.

When you enable the Allow trusted Microsoft services... setting, resources of the following services that are registered in the same subscription as your storage account are granted access for a limited set of operations as described:

Service | Resource Provider Name | Operations allowed
--- | --- | ---
Azure Backup | Microsoft.RecoveryServices | Run backups and restores of unmanaged disks in IaaS virtual machines (not required for managed disks).
Azure Data Box | Microsoft.DataBox | Enables import of data to Azure using Data Box.
Azure Event Grid | Microsoft.EventGrid | Enable Blob Storage event publishing and allow Event Grid to publish to storage queues.
Azure Event Hubs | Microsoft.EventHub | Archive data with Event Hubs Capture.
Azure HDInsight | Microsoft.HDInsight | Provision the initial contents of the default file system for a new HDInsight cluster.
Azure Import Export | Microsoft.ImportExport | Enables import of data to Azure Storage or export of data from Azure Storage using the Azure Storage Import/Export service.
Azure Monitor | Microsoft.Insights | Allows writing of monitoring data to a secured storage account, including resource logs, Azure Active Directory sign-in and audit logs, and Microsoft Intune logs.
Azure Networking | Microsoft.Network | Store and analyze network traffic logs, including through the Network Watcher and Traffic Analytics services.
Azure Site Recovery | Microsoft.SiteRecovery | Enable replication for disaster recovery of Azure IaaS virtual machines when using firewall-enabled cache, source, or target storage accounts.

The Allow trusted Microsoft services... setting also allows a particular instance of the services below to access the storage account, if you explicitly assign an Azure role to the system-assigned managed identity for that resource instance. In this case, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.

Service | Resource Provider Name | Purpose
--- | --- | ---
Azure API Management | Microsoft.ApiManagement/service | Enables API Management service access to storage accounts behind the firewall using policies.
Azure Cognitive Search | Microsoft.Search/searchServices | Enables Cognitive Search services to access storage accounts for indexing, processing and querying.
Azure Container Registry Tasks | Microsoft.ContainerRegistry/registries | ACR Tasks can access storage accounts when building container images.
Azure Data Factory | Microsoft.DataFactory/factories | Allows access to storage accounts through the ADF runtime.
Azure Logic Apps | Microsoft.Logic/workflows | Enables logic apps to access storage accounts.
Azure Machine Learning Service | Microsoft.MachineLearningServices | Authorized Azure Machine Learning workspaces write experiment output, models, and logs to Blob storage and read the data.
Azure Synapse Analytics (formerly SQL Data Warehouse) | Microsoft.Sql | Allows import and export of data from specific SQL databases using the COPY statement or PolyBase.
Azure SQL Database | Microsoft.Sql | Allows import of data from storage accounts and writing of audit data to storage accounts behind the firewall.
Azure Synapse Analytics | Microsoft.Synapse/workspaces | Enables access to data in Azure Storage from Synapse Analytics.

Storage analytics data access

In some cases, access to read resource logs and metrics is required from outside the network boundary. When configuring trusted services access to the storage account, you can allow read access for the log files, metrics tables, or both. Learn more about working with storage analytics.

Managing exceptions

You can manage network rule exceptions through the Azure portal, PowerShell, or Azure CLI v2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. Under Exceptions, select the exceptions you wish to grant.

  5. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. Display the exceptions for the storage account network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount").Bypass
    
  3. Configure the exceptions to the storage account network rules.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass AzureServices,Metrics,Logging
    
  4. Remove the exceptions to the storage account network rules.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass None
    

Important

Be sure to set the default rule to deny, or removing exceptions has no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the exceptions for the storage account network rules.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.bypass
    
  3. Configure the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass Logging Metrics AzureServices
    
  4. Remove the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass None
    

Important

Be sure to set the default rule to deny, or removing exceptions has no effect.
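Once the rule set has been configured, the settings the PowerShell and CLI steps above read back (DefaultAction, Bypass, the IP rules and the virtual network rules) are what an audit should review: a default action still at Allow makes every rule and exception inert, the AzureServices exception admits every trusted service registered in the subscription, and virtual network rules may point at subnets in other subscriptions or tenants. The audit below is an added example written for this page, not Azure tooling. The JSON document it parses is a constructed sample; its field layout (defaultAction, bypass, ipRules, virtualNetworkRules) is assumed to match what `az storage account show --query networkRuleSet` returns, and every subscription ID and resource name in it is a placeholder.

```python
"""Audit of a storage account's network rule set as returned by
`az storage account show --query networkRuleSet` (or Get-AzStorageAccountNetworkRuleSet).
Added example, not Azure tooling. The sample document below is constructed; its
field layout (defaultAction, bypass, ipRules, virtualNetworkRules) is assumed to
match the CLI's JSON output, and every identifier in it is a placeholder."""
import json
from typing import Dict, List, Set

# Constructed sample: a common misconfiguration, rules added but default action never changed.
SAMPLE_RULE_SET = json.loads("""
{
  "bypass": "Logging, Metrics, AzureServices",
  "defaultAction": "Allow",
  "ipRules": [{"action": "Allow", "ipAddressOrRange": "16.17.18.19"}],
  "virtualNetworkRules": [
    {"action": "Allow",
     "id": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/myresourcegroup/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"}
  ]
}
""")


def parse_bypass(value: str) -> Set[str]:
    """The CLI reports Bypass as a comma-separated string; 'None' means no exceptions."""
    return {item.strip() for item in value.split(",")} - {"None", ""}


def audit_rule_set(rule_set: Dict, account_subscription: str) -> List[str]:
    """Return findings a reviewer would raise about the rule set; empty means nothing to flag."""
    findings: List[str] = []
    ip_rules = rule_set.get("ipRules") or []
    vnet_rules = rule_set.get("virtualNetworkRules") or []
    bypass = parse_bypass(rule_set.get("bypass", "None"))

    # The article's repeated warning: rules and exceptions only take effect under default Deny.
    if rule_set.get("defaultAction") != "Deny":
        if ip_rules or vnet_rules or bypass:
            findings.append("defaultAction is Allow: the configured network rules and exceptions have no effect")
        else:
            findings.append("defaultAction is Allow: the public endpoint accepts connections from any network")
    # AzureServices is the broad exception; Logging and Metrics only admit the analytics services.
    if "AzureServices" in bypass:
        findings.append("bypass includes AzureServices: every trusted Microsoft service registered in the "
                        "subscription can reach the account; confirm that this exception is needed")
    for rule in vnet_rules:
        # Resource IDs have the form /subscriptions/<id>/resourceGroups/...; element 2 is the subscription.
        rule_subscription = rule["id"].split("/")[2]
        if rule_subscription.lower() != account_subscription.lower():
            findings.append(f"virtual network rule admits a subnet from another subscription "
                            f"({rule_subscription}); confirm the owning tenant is trusted")
    return findings


if __name__ == "__main__":
    for finding in audit_rule_set(SAMPLE_RULE_SET, "00000000-0000-0000-0000-000000000000"):
        print(finding)
```

To run it against a real account, pipe the output of `az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet` into `json.loads` in place of the constructed sample and pass the account's own subscription ID.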

Next steps

Learn more about Azure network service endpoints in Service endpoints.

Dig deeper into Azure Storage security in the Azure Storage security guide.