Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example:

[Diagram: Application security groups]

In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the Azure limits. None of the network interfaces have an associated network security group. NSG1 is associated to both subnets and contains the following rules:

Allow-HTTP-Inbound-Internet

This rule is needed to allow traffic from the internet to the web servers. Because inbound traffic from the internet is denied by the DenyAllInbound default security rule, no additional rule is needed for the AsgLogic or AsgDb application security groups.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 100 | Internet | * | AsgWeb | 80 | TCP | Allow |

Deny-Database-All

Because the AllowVNetInBound default security rule allows all communication between resources in the same virtual network, this rule is needed to deny traffic from all resources.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 120 | * | * | AsgDb | 1433 | Any | Deny |

Allow-Database-BusinessLogic

This rule allows traffic from the AsgLogic application security group to the AsgDb application security group. The priority for this rule is higher than the priority for the Deny-Database-All rule. As a result, this rule is processed before the Deny-Database-All rule, so traffic from the AsgLogic application security group is allowed, whereas all other traffic is blocked.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 110 | AsgLogic | * | AsgDb | 1433 | TCP | Allow |

The rules that specify an application security group as the source or destination are only applied to the network interfaces that are members of the application security group. If the network interface is not a member of an application security group, the rule is not applied to the network interface, even though the network security group is associated to the subnet.
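As an added example (not from the Azure documentation), the following Python models how NSG1's three rules, together with the default AllowVNetInBound and DenyAllInbound rules, are evaluated in priority order against the NIC-to-ASG membership shown in the diagram. The names Rule, ASG_MEMBERS, VNET_NICS and evaluate_inbound are chosen here, and the membership and rule tables are constructed from the article; it shows why NIC3 can reach NIC4 on 1433 while NIC1 cannot, and why an ASG rule never touches a NIC that is not a member.

```python
from dataclasses import dataclass

# Constructed ASG membership, taken from the article's diagram.
ASG_MEMBERS = {
    "AsgWeb": {"NIC1", "NIC2"},
    "AsgLogic": {"NIC3"},
    "AsgDb": {"NIC4"},
}
VNET_NICS = {"NIC1", "NIC2", "NIC3", "NIC4"}  # all NICs sit in the same VNet

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = processed first
    source: str     # "*", "Internet", "VirtualNetwork" or an ASG name
    dest: str       # "*", "VirtualNetwork" or an ASG name
    port: str       # "*" or a destination port
    protocol: str   # "TCP", "UDP" or "Any"
    access: str     # "Allow" or "Deny"

# NSG1's custom inbound rules exactly as listed in the article.
CUSTOM_RULES = [
    Rule("Allow-HTTP-Inbound-Internet", 100, "Internet", "AsgWeb", "80", "TCP", "Allow"),
    Rule("Allow-Database-BusinessLogic", 110, "AsgLogic", "AsgDb", "1433", "TCP", "Allow"),
    Rule("Deny-Database-All", 120, "*", "AsgDb", "1433", "Any", "Deny"),
]
# Azure's default inbound rules (AllowAzureLoadBalancerInBound omitted for brevity).
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("DenyAllInbound", 65500, "*", "*", "*", "Any", "Deny"),
]

def _matches(selector, endpoint):
    """endpoint is a NIC name inside the VNet, or 'Internet' for an external source."""
    if selector == "*":
        return True
    if selector == "Internet":
        return endpoint == "Internet"
    if selector == "VirtualNetwork":
        return endpoint in VNET_NICS
    # An ASG selector matches only NICs that are members of that ASG.
    return endpoint in ASG_MEMBERS.get(selector, set())

def evaluate_inbound(src, dst_nic, port, protocol="TCP"):
    """Return (access, rule_name) for the first rule that matches, in priority order."""
    for rule in sorted(CUSTOM_RULES + DEFAULT_RULES, key=lambda r: r.priority):
        if (_matches(rule.source, src) and _matches(rule.dest, dst_nic)
                and rule.port in ("*", str(port)) and rule.protocol in ("Any", protocol)):
            return rule.access, rule.name
```

Because DenyAllInbound matches everything, evaluate_inbound always returns a decision; reordering the priorities of Allow-Database-BusinessLogic and Deny-Database-All in CUSTOM_RULES shows how the deny would then win.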

Application security groups have the following constraints:

  • There are limits to the number of application security groups you can have in a subscription, as well as other limits related to application security groups. For details, see Azure limits.
  • You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
  • All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to AsgWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
  • If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.

Tip

To minimize the number of security rules you need, and the need to change the rules, plan out the application security groups you need and create rules using service tags or application security groups, rather than individual IP addresses, or ranges of IP addresses, whenever possible.

Next steps