Open ports and endpoints to a VM with the Azure CLI

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or on a VM network interface. You place these filters, which control both inbound and outbound traffic, in a Network Security Group (NSG) attached to the resource that receives the traffic. Let's use the common example of web traffic on port 80. This article shows you how to open a port to a VM with the Azure CLI.

To create a Network Security Group and rules you need the latest Azure CLI installed and an Azure account you have logged in to with az login.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. To switch back to global Azure, run az cloud set -n AzureCloud again.

In the following examples, replace the example parameter names with your own values. Example parameter names include myResourceGroup, myNetworkSecurityGroup, and myVnet.

Quickly open a port for a VM

If you need to quickly open a port for a VM in a dev/test scenario, you can use the az vm open-port command. This command creates a Network Security Group, adds a rule, and applies it to a VM or subnet. The rule it creates allows the port from any source address, which is acceptable for a throwaway test VM but not for anything reachable from the Internet that you intend to keep. The following example opens port 80 on the VM named myVM in the resource group named myResourceGroup.

az vm open-port --resource-group myResourceGroup --name myVM --port 80

For more control over the rules, such as restricting the rule to a source IP address range, continue with the additional steps in this article.

Create a Network Security Group and rules

Create the Network Security Group with az network nsg create. The following example creates a Network Security Group named myNetworkSecurityGroup in the chinaeast location:

az network nsg create \
    --resource-group myResourceGroup \
    --location chinaeast \
    --name myNetworkSecurityGroup

Add a rule with az network nsg rule create to allow HTTP traffic to your web server (or adjust it for your own scenario, such as SSH access or database connectivity). The following example creates a rule named myNetworkSecurityGroupRule that allows TCP traffic on port 80. Because no direction, access or source is given, the rule takes the defaults: inbound, Allow, and any source address; add --source-address-prefixes with a CIDR range to limit who can reach the port. The priority is an integer from 100 to 4096; rules are evaluated from the lowest number upward and the first match applies, so leave gaps between priorities for rules you add later:

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myNetworkSecurityGroup \
    --name myNetworkSecurityGroupRule \
    --protocol tcp \
    --priority 1000 \
    --destination-port-range 80

Apply the Network Security Group to a VM

Associate the Network Security Group with your VM's network interface (NIC) with az network nic update. The following example associates an existing NIC named myNic with the Network Security Group named myNetworkSecurityGroup:

az network nic update \
    --resource-group myResourceGroup \
    --name myNic \
    --network-security-group myNetworkSecurityGroup

Alternatively, you can associate the Network Security Group with a virtual network subnet with az network vnet subnet update rather than with the network interface of a single VM. The following example associates an existing subnet named mySubnet in the myVnet virtual network with the Network Security Group named myNetworkSecurityGroup:

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnet \
    --network-security-group myNetworkSecurityGroup
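The following script is an added example and is not part of the original article. It carries out the procedure above (create the NSG, add rules, attach the NSG to the NIC) as a POSIX shell script, but with the source restriction the article mentions and never shows: each rule is created with --source-address-prefixes, and a guard function refuses the any-source values (*, 0.0.0.0/0, Internet) that a plain az vm open-port or a rule without a source would produce. It finishes with an az --query (JMESPath) audit that lists any inbound Allow rule on the NSG that is still open to the whole Internet. Resource names (myResourceGroup, myNetworkSecurityGroup, myNic, chinaeast) come from the article; 203.0.113.0/24 and 198.51.100.0/24 are constructed RFC 5737 documentation ranges standing in for your office or bastion range. With DRY_RUN=1 the az commands are printed instead of executed, so the script can be checked without an Azure login.

```shell
#!/bin/sh
# Added example (not from the original article): open VM ports only from a
# named source range, refusing any-source rules on the way.
# Resource names follow the article (myResourceGroup, myNetworkSecurityGroup,
# myNic, chinaeast). 203.0.113.0/24 and 198.51.100.0/24 are constructed
# documentation ranges (RFC 5737), not real addresses.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

RG="${RG:-myResourceGroup}"
NSG="${NSG:-myNetworkSecurityGroup}"
NIC="${NIC:-myNic}"
LOCATION="${LOCATION:-chinaeast}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it on one line when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n with n <= 32).
is_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1;; esac
  mask="${1#*/}"
  case "$mask" in ''|*[!0-9]*|???*) return 1;; esac
  [ "$mask" -le 32 ] || return 1
  n=0
  saved_ifs="$IFS"; IFS=.
  for octet in ${1%/*}; do
    n=$((n + 1))
    case "$octet" in ''|*[!0-9]*|????*) IFS="$saved_ifs"; return 1;; esac
    [ "$octet" -le 255 ] || { IFS="$saved_ifs"; return 1; }
  done
  IFS="$saved_ifs"
  [ "$n" -eq 4 ]
}

# Return 0 only for a real source range; reject the values that mean
# "anyone on the Internet" (the NSG default when no source is given).
is_restricted_source() {
  case "$1" in
    '*'|0.0.0.0/0|Internet) return 1;;
  esac
  is_ipv4_cidr "$1"
}

# Add an inbound TCP Allow rule on $NSG for one port from one source range.
# Usage: allow_tcp_from <port> <source-cidr> <priority>
allow_tcp_from() {
  port="$1"; src="$2"; prio="$3"
  if ! is_restricted_source "$src"; then
    echo "refusing any-source or malformed source '$src' for port $port" >&2
    return 1
  fi
  # Rule names allow letters, digits, dots and hyphens; encode the CIDR in the name.
  name="allow-tcp-${port}-from-$(printf '%s' "$src" | tr './' '--')"
  run az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" --name "$name" \
    --direction Inbound --access Allow --protocol Tcp --priority "$prio" \
    --source-address-prefixes "$src" --destination-port-ranges "$port"
}

# The article's procedure, with restricted sources and a closing audit.
main() {
  run az network nsg create --resource-group "$RG" --location "$LOCATION" --name "$NSG"
  allow_tcp_from 80 "${WEB_SOURCE:-203.0.113.0/24}" 1000
  allow_tcp_from 22 "${ADMIN_SOURCE:-198.51.100.0/24}" 1010
  run az network nic update --resource-group "$RG" --name "$NIC" --network-security-group "$NSG"
  # Audit: any inbound Allow rule on this NSG that is still open to the Internet.
  run az network nsg rule list --resource-group "$RG" --nsg-name "$NSG" \
    --query "[?direction=='Inbound' && access=='Allow' && (sourceAddressPrefix=='*' || sourceAddressPrefix=='Internet')].[name,priority,destinationPortRange]" \
    -o table
}

# Run the procedure only when asked, so the functions can also be sourced.
if [ "${RUN_PROCEDURE:-0}" = "1" ]; then main; fi
```

Run it as `RUN_PROCEDURE=1 DRY_RUN=1 sh open-ports.sh` to review the exact commands, then drop DRY_RUN once they look right. The audit query is worth keeping on its own: run it after any change, including after a quick az vm open-port, and treat every row it returns as a rule that needs a source range or a justification.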

More information on Network Security Groups

The quick commands here get you up and running with traffic flowing to your VM. Network Security Groups provide many more features and finer granularity for controlling access to your resources. You can read more about creating a Network Security Group and ACL rules here.

For highly available web applications, you should place your VMs behind an Azure Load Balancer. The load balancer distributes traffic to the VMs, while a Network Security Group provides the traffic filtering. For more information, see How to load balance Linux virtual machines in Azure to create a highly available application.

Next steps

In this example, you created a simple rule to allow HTTP traffic. You can find information on creating more detailed environments in the following articles: