Diagnose a virtual machine network traffic filter problem

In this article, you learn how to diagnose a network traffic filter problem by viewing the network security group (NSG) security rules that are effective for a virtual machine (VM).

NSGs enable you to control the types of traffic that flow in and out of a VM. You can associate an NSG to a subnet in an Azure virtual network, to a network interface attached to a VM, or to both. The effective security rules applied to a network interface are an aggregation of the rules in the NSG associated to the network interface and the rules in the NSG associated to the subnet the network interface is in. Rules in different NSGs can conflict with each other and impact a VM's network connectivity. You can view all the effective security rules from the NSGs that are applied to your VM's network interfaces. If you're not familiar with virtual network, network interface, or NSG concepts, see Virtual network overview, Network interface, and Network security groups overview.

Scenario

You attempt to connect to a VM over port 80 from the internet, but the connection fails. To determine why you can't access port 80 from the internet, you can view the effective security rules for a network interface using the Azure portal, PowerShell, or the Azure CLI.

The steps that follow assume you have an existing VM to view the effective security rules for. If you don't have an existing VM, first deploy a Linux or Windows VM to complete the tasks in this article. The examples in this article are for a VM named myVM with a network interface named myVMVMNic. The VM and network interface are in a resource group named myResourceGroup, in the China East region. Change the values in the steps, as appropriate, for the VM you are diagnosing the problem for.

Diagnose using Azure portal

  1. Log into the Azure portal with an Azure account that has the necessary permissions.

  2. At the top of the Azure portal, enter the name of the VM in the search box. When the name of the VM appears in the search results, select it.

  3. Under SETTINGS, select Networking, as shown in the following picture:

    (Image: View security rules)

    The rules you see listed in the previous picture are for a network interface named myVMVMNic. You see that there are INBOUND PORT RULES for the network interface from two different network security groups:

    • mySubnetNSG: Associated to the subnet that the network interface is in.
    • myVMNSG: Associated to the network interface in the VM named myVMVMNic.

    The rule named DenyAllInBound is what's preventing inbound communication to the VM over port 80 from the internet, as described in the scenario. The rule lists 0.0.0.0/0 for SOURCE, which includes the internet. No other rule with a higher priority (lower number) allows port 80 inbound. To allow port 80 inbound to the VM from the internet, see Resolve a problem. To learn more about security rules and how Azure applies them, see Network security groups.

    At the bottom of the picture, you also see OUTBOUND PORT RULES. Under that are the outbound port rules for the network interface. Though the picture only shows four inbound rules for each NSG, your NSGs may have many more than four rules. In the picture, you see VirtualNetwork under SOURCE and DESTINATION and AzureLoadBalancer under SOURCE. VirtualNetwork and AzureLoadBalancer are service tags. Service tags represent a group of IP address prefixes to help minimize complexity for security rule creation.

  4. Ensure that the VM is in the running state, and then select Effective security rules, as shown in the previous picture, to see the effective security rules, shown in the following picture:

    (Image: View effective security rules)

    The rules listed are the same as you saw in step 3, though there are different tabs for the NSG associated to the network interface and the NSG associated to the subnet. As you can see in the picture, only the first 50 rules are shown. To download a .csv file that contains all of the rules, select Download.

    To see which prefixes each service tag represents, select a rule, such as the rule named AllowAzureLoadBalancerInbound. The following picture shows the prefixes for the AzureLoadBalancer service tag:

    (Image: View effective security rules)

    Though the AzureLoadBalancer service tag only represents one prefix, other service tags represent several prefixes.

  5. The previous steps showed the security rules for a network interface named myVMVMNic, but you've also seen a network interface named myVMVMNic2 in some of the previous pictures. The VM in this example has two network interfaces attached to it. The effective security rules can be different for each network interface.

    To see the rules for the myVMVMNic2 network interface, select it. As shown in the picture that follows, the network interface has the same rules associated to its subnet as the myVMVMNic network interface, because both network interfaces are in the same subnet. When you associate an NSG to a subnet, its rules are applied to all network interfaces in the subnet.

    (Image: View security rules)

    Unlike the myVMVMNic network interface, the myVMVMNic2 network interface does not have a network security group associated to it. Each network interface and subnet can have zero or one NSG associated to it. The NSG associated to each network interface or subnet can be the same or different. You can associate the same network security group to as many network interfaces and subnets as you choose.

Though effective security rules were viewed through the VM, you can also view effective security rules through an individual:

Diagnose using PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can run the commands by running PowerShell from your computer. If you run PowerShell from your computer, you need the Azure PowerShell module, version 1.0.0 or later. Run Get-Module -ListAvailable Az on your computer to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to log into Azure with an account that has the necessary permissions.

Get the effective security rules for a network interface with Get-AzEffectiveNetworkSecurityGroup. The following example gets the effective security rules for a network interface named myVMVMNic that is in a resource group named myResourceGroup:

Get-AzEffectiveNetworkSecurityGroup `
  -NetworkInterfaceName myVMVMNic `
  -ResourceGroupName myResourceGroup

Output is returned in JSON format. To understand the output, see Interpret command output. Output is only returned if an NSG is associated with the network interface, with the subnet the network interface is in, or with both. The VM must be in the running state. A VM may have multiple network interfaces with different NSGs applied. When troubleshooting, run the command for each network interface.

If you're still having a connectivity problem, see Additional diagnosis and Considerations.

If you don't know the name of a network interface, but do know the name of the VM the network interface is attached to, the following commands return the IDs of all network interfaces attached to the VM:

$VM = Get-AzVM -Name myVM -ResourceGroupName myResourceGroup
$VM.NetworkProfile

You receive output similar to the following example:

NetworkInterfaces
-----------------
{/subscriptions/<ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myVMVMNic

In the previous output, the network interface name is myVMVMNic.

Diagnose using Azure CLI

If you use Azure command-line interface (CLI) commands to complete the tasks in this article, run the CLI from your computer. This article requires the Azure CLI version 2.0.32 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login and log into Azure with an account that has the necessary permissions.

Get the effective security rules for a network interface with az network nic list-effective-nsg. The following example gets the effective security rules for a network interface named myVMVMNic that is in a resource group named myResourceGroup:

az network nic list-effective-nsg \
  --name myVMVMNic \
  --resource-group myResourceGroup

Output is returned in JSON format. To understand the output, see Interpret command output. Output is only returned if an NSG is associated with the network interface, with the subnet the network interface is in, or with both. The VM must be in the running state. A VM may have multiple network interfaces with different NSGs applied. When troubleshooting, run the command for each network interface.

If you're still having a connectivity problem, see Additional diagnosis and Considerations.

If you don't know the name of a network interface, but do know the name of the VM the network interface is attached to, the following command returns the IDs of all network interfaces attached to the VM:

az vm show \
  --name myVM \
  --resource-group myResourceGroup

Within the returned output, you see information similar to the following example:

"networkProfile": {
    "additionalProperties": {},
    "networkInterfaces": [
      {
        "additionalProperties": {},
        "id": "/subscriptions/<ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myVMVMNic",
        "primary": true,
        "resourceGroup": "myResourceGroup"
      },

In the previous output, the network interface name is myVMVMNic.

Interpret command output

Regardless of whether you used PowerShell or the Azure CLI to diagnose the problem, you receive output that contains the following information:

  • NetworkSecurityGroup: The ID of the network security group.
  • Association: Whether the network security group is associated to a NetworkInterface or a Subnet. If an NSG is associated to both, output is returned with NetworkSecurityGroup, Association, and EffectiveSecurityRules for each NSG. If an NSG was associated or disassociated immediately before running the command to view the effective security rules, you may need to wait a few seconds for the change to be reflected in the command output.
  • EffectiveSecurityRules: An explanation of each property is detailed in Create a security rule. Rule names prefixed with defaultSecurityRules/ are default security rules that exist in every NSG. Rule names prefixed with securityRules/ are rules that you've created. Rules that specify a service tag, such as Internet, VirtualNetwork, or AzureLoadBalancer, for the destinationAddressPrefix or sourceAddressPrefix property also have values for the expandedDestinationAddressPrefix property. The expandedDestinationAddressPrefix property lists all address prefixes represented by the service tag.

If you see duplicate rules listed in the output, it's because an NSG is associated to both the network interface and the subnet. Both NSGs have the same default rules, and may have additional duplicate rules if you've created your own rules that are the same in both NSGs.

The rule named defaultSecurityRules/DenyAllInBound is what's preventing inbound communication to the VM over port 80 from the internet, as described in the scenario. No other rule with a higher priority (lower number) allows port 80 inbound from the internet.

Resolve a problem

Whether you use the Azure portal, PowerShell, or the Azure CLI to diagnose the problem presented in the scenario in this article, the solution is to create a network security rule with the following properties:

Property                 Value
-----------------------  -----------------------------------------------------------------------------------
Source                   Any
Source port ranges       Any
Destination              The IP address of the VM, a range of IP addresses, or all addresses in the subnet.
Destination port ranges  80
Protocol                 TCP
Action                   Allow
Priority                 100
Name                     Allow-HTTP-All

After you create the rule, port 80 is allowed inbound from the internet, because the priority of the rule is higher than that of the default security rule named DenyAllInBound, which denies the traffic. Learn how to create a security rule. If different NSGs are associated to the network interface and to the subnet, you must create the same rule in both NSGs.

When Azure processes inbound traffic, it first processes the rules in the NSG associated to the subnet (if there is an associated NSG), and then it processes the rules in the NSG associated to the network interface. If there is an NSG associated to the network interface and one associated to the subnet, the port must be open in both NSGs for the traffic to reach the VM. To ease administration and reduce communication problems, we recommend that you associate an NSG to a subnet rather than to individual network interfaces. If VMs within a subnet need different security rules, you can make the network interfaces members of an application security group (ASG), and specify an ASG as the source and destination of a security rule. Learn more about application security groups.

If you're still having communication problems, see Considerations and Additional diagnosis.
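The evaluation described above (lowest priority number wins within an NSG, and both the subnet NSG and the network interface NSG must allow the flow) as an added Python example; this is not code from the article or from Azure. It walks a constructed sample shaped like the az network nic list-effective-nsg output for myVMVMNic, reports which rule decides TCP port 80 from an internet source in each NSG, and shows that the Allow-HTTP-All rule from the table only opens the port once it exists in both NSGs. The function names, the sample IDs and the sample prefixes are assumptions.

```python
import ipaddress
# Constructed sample shaped like `az network nic list-effective-nsg` output for myVMVMNic: mySubnetNSG on the
# subnet, myVMNSG on the NIC, each with only the default inbound rules. IDs and prefixes are illustrative.
def _rule(name, priority, access, source, expanded=None, protocol="All", port="0-65535"):
    # A service tag carries its resolved prefixes in expandedSourceAddressPrefix (None for a plain prefix).
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": port, "expandedSourceAddressPrefix": expanded}

def _default_inbound_rules():
    return [_rule("defaultSecurityRules/AllowVnetInBound", 65000, "Allow", "VirtualNetwork", ["10.0.0.0/16"]),
            _rule("defaultSecurityRules/AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer",
                  ["168.63.129.16/32"]),
            _rule("defaultSecurityRules/DenyAllInBound", 65500, "Deny", "0.0.0.0/0")]

def sample_output():
    return {"value": [
        {"networkSecurityGroup": {"id": "/subscriptions/<ID>/.../networkSecurityGroups/mySubnetNSG"},
         "association": {"subnet": {"id": "/subscriptions/<ID>/.../subnets/default"}},
         "effectiveSecurityRules": _default_inbound_rules()},
        {"networkSecurityGroup": {"id": "/subscriptions/<ID>/.../networkSecurityGroups/myVMNSG"},
         "association": {"networkInterface": {"id": "/subscriptions/<ID>/.../networkInterfaces/myVMVMNic"}},
         "effectiveSecurityRules": _default_inbound_rules()}]}

def _nsg_name(group):
    return group["networkSecurityGroup"]["id"].rsplit("/", 1)[-1]

def _port_matches(port_range, port):
    # destinationPortRange is "*", a single port ("80") or a range ("0-65535").
    low, _, high = port_range.replace("*", "0-65535").partition("-")
    return int(low) <= port <= int(high or low)

def _source_matches(rule, src_ip):
    # A service tag is matched through its expanded prefix list; "*" and 0.0.0.0/0 match any source.
    prefixes = rule.get("expandedSourceAddressPrefix") or [rule["sourceAddressPrefix"]]
    return any(p == "*" or src_ip in ipaddress.ip_network(p, strict=False) for p in prefixes)

def first_match(rules, direction, protocol, src_ip, dst_port):
    """Lowest priority number wins: return the first rule that matches the flow, or None."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"].lower() not in ("all", "*", protocol.lower()):
            continue
        if _port_matches(rule["destinationPortRange"], dst_port) and _source_matches(rule, src):
            return rule
    return None

def evaluate(effective, direction, protocol, src_ip, dst_port):
    """Per-NSG verdict, subnet NSG first then NIC NSG: {nsg name: (deciding rule name, "Allow" or "Deny")}."""
    groups = sorted(effective["value"], key=lambda g: "subnet" not in g["association"])
    verdict = {}
    for group in groups:
        rule = first_match(group["effectiveSecurityRules"], direction, protocol, src_ip, dst_port)
        verdict[_nsg_name(group)] = (rule["name"], rule["access"]) if rule else (None, "Deny")
    return verdict

def flow_allowed(effective, direction, protocol, src_ip, dst_port):
    # Traffic reaches the VM only if every NSG in the path (subnet and NIC) allows it.
    return all(a == "Allow" for _, a in evaluate(effective, direction, protocol, src_ip, dst_port).values())

def add_allow_http_all(effective, nsg_names):
    """Add the Allow-HTTP-All rule from the table above (source Any, TCP 80, priority 100) to the named NSGs."""
    for group in effective["value"]:
        if _nsg_name(group) in nsg_names:
            group["effectiveSecurityRules"].append(_rule("securityRules/Allow-HTTP-All", 100, "Allow", "*", protocol="Tcp", port="80"))
    return effective
```

Running evaluate on the unmodified sample names defaultSecurityRules/DenyAllInBound as the deciding rule in both NSGs for an internet source on port 80; adding Allow-HTTP-All to only the NIC NSG still leaves the flow denied by the subnet NSG.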

Considerations

Consider the following points when troubleshooting connectivity problems:

  • Default security rules block inbound access from the internet, and only permit inbound traffic from the virtual network. To allow inbound traffic from the internet, add security rules with a higher priority than the default rules. Learn more about default security rules, or how to add a security rule.
  • If you have peered virtual networks, by default, the VIRTUAL_NETWORK service tag automatically expands to include prefixes for peered virtual networks. To troubleshoot any issues related to virtual network peering, you can view the prefixes in the ExpandedAddressPrefix list. Learn more about virtual network peering and service tags.
  • Effective security rules are only shown for a network interface if there is an NSG associated with the VM's network interface, with its subnet, or with both, and if the VM is in the running state.
  • If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere. If the VM has a public IP address, we recommend applying an NSG to the subnet, to the network interface, or to both.

Additional diagnosis

  • To run a quick test to determine if traffic is allowed to or from a VM, use the IP flow verify capability of Azure Network Watcher. IP flow verify tells you if traffic is allowed or denied. If denied, IP flow verify tells you which security rule is denying the traffic.
  • If there are no security rules causing a VM's network connectivity to fail, the problem may be due to:
    • Firewall software running within the VM's operating system
    • Routes configured for virtual appliances or on-premises traffic. Internet traffic can be redirected to your on-premises network via forced tunneling. If you force-tunnel internet traffic to a virtual appliance or on-premises, you may not be able to connect to the VM from the internet. To learn how to diagnose route problems that may impede the flow of traffic out of the VM, see Diagnose a virtual machine network traffic routing problem.

Next steps