Create, change, or delete a network security group

Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. If you're not familiar with network security groups, see Network security group overview to learn more about them, and complete the Filter network traffic tutorial to gain some experience with them.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Complete the following tasks before completing the steps in any section of this article:

  • If you don't already have an Azure account, sign up for a trial account.
  • If you're using the portal, open https://portal.azure.cn and log in with your Azure account.
  • If you're using PowerShell commands to complete the tasks in this article, run PowerShell from your computer. This article requires the Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you're running PowerShell locally, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.
  • If you're using Azure Command-Line Interface (CLI) commands to complete the tasks in this article, run the CLI from your computer. This article requires Azure CLI version 2.0.28 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you're running the Azure CLI locally, you also need to run az login to create a connection with Azure.

The account you log in to, or connect to Azure with, must be assigned the Network Contributor role or a custom role that is assigned the appropriate actions listed in Permissions.

Work with network security groups

You can create, view all, view details of, change, and delete a network security group. You can also associate a network security group to, or dissociate it from, a network interface or subnet.

Create a network security group

There is a limit to how many network security groups you can create per Azure location and subscription. For details, see Azure limits.

  1. In the top-left corner of the portal, select + Create a resource.
  2. Select Networking, then select Network security group.
  3. Enter a Name for the network security group, select your Subscription, create a new Resource group or select an existing one, select a Location, and then select Create.

View all network security groups

In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it. The network security groups that exist in your subscription are listed.

View details of a network security group

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group in the list that you want to view details for. Under SETTINGS you can view the Inbound security rules and Outbound security rules, and the Network interfaces and Subnets the network security group is associated to. You can also enable or disable Diagnostic logs and view Effective security rules. To learn more, see View effective security rules.
  3. To learn more about the common Azure settings listed, see the following articles:

Change a network security group

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group you want to change. The most common changes are adding or removing security rules and associating a network security group to, or dissociating it from, a subnet or network interface.

Associate or dissociate a network security group to or from a subnet or network interface

To associate a network security group to, or dissociate it from, a network interface, see Associate a network security group to, or dissociate a network security group from a network interface. To associate a network security group to, or dissociate it from, a subnet, see Change subnet settings.

Delete a network security group

If a network security group is associated to any subnets or network interfaces, it cannot be deleted. Dissociate the network security group from all subnets and network interfaces before attempting to delete it.

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group you want to delete from the list.
  3. Select Delete, and then select Yes.

Work with security rules

A network security group contains zero or more security rules. You can create, view all, view details of, change, and delete a security rule.

Create a security rule

There is a limit to how many rules you can create per network security group, per Azure location and subscription. For details, see Azure limits.

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group from the list that you want to add a security rule to.
  3. Select Inbound security rules under SETTINGS. Several existing rules are listed, some of which you may not have added: when a network security group is created, several default security rules are created in it. To learn more, see Default security rules. You can't delete default security rules, but you can override them with rules that have a higher priority.
  4. Select + Add. Select or add values for the following settings, and then select OK:

    Source
      Select Any, Application security group, IP Addresses, or Service Tag for inbound security rules. If you're creating an outbound security rule, the options are the same as those listed for Destination. If you select Application security group, then select one or more existing application security groups that exist in the same region as the network interface. Learn how to create an application security group. If you select Application security group for both the Source and Destination, the network interfaces within both application security groups must be in the same virtual network. If you select IP Addresses, then specify Source IP addresses/CIDR ranges. You can specify a single value or a comma-separated list of multiple values. An example of multiple values is 10.0.0.0/16, 192.188.1.1. There are limits to the number of values you can specify; see Azure limits for details. If you select Service Tag, then select one service tag. A service tag is a predefined identifier for a category of IP addresses. To learn more about the available service tags, and what each tag represents, see Service tags. If the IP address you specify is assigned to an Azure virtual machine, ensure that you specify the private IP address, not the public IP address assigned to the virtual machine. Security rules are processed after Azure translates the public IP address to a private IP address for inbound security rules, and before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.
    Source port ranges
      Specify a single port, such as 80, a range of ports, such as 1024-65535, or a comma-separated list of single ports and/or port ranges, such as 80, 1024-65535. Enter an asterisk to allow traffic on any port. The ports and ranges specify which ports traffic is allowed or denied on by the rule. There are limits to the number of ports you can specify; see Azure limits for details.
    Destination
      Select Any, Application security group, IP addresses, or Virtual Network for inbound security rules. If you're creating an outbound security rule, the options are the same as those listed for Source. If you select Application security group, you must then select one or more existing application security groups that exist in the same region as the network interface. Learn how to create an application security group. If you select IP addresses, then specify Destination IP addresses/CIDR ranges. As with Source IP addresses/CIDR ranges, you can specify a single address or range or multiple ones, and there are limits to the number you can specify. Selecting Virtual network, which is a service tag, means that traffic is allowed to all IP addresses within the address space of the virtual network. If the IP address you specify is assigned to an Azure virtual machine, ensure that you specify the private IP address, not the public IP address assigned to the virtual machine. Security rules are processed after Azure translates the public IP address to a private IP address for inbound security rules, and before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.
    Destination port ranges
      Specify a single value, or a comma-separated list of values. As with Source port ranges, you can specify a single port or range or multiple ones, and there are limits to the number you can specify.
    Protocol
      Select Any, TCP, or UDP.
    Action
      Select Allow or Deny.
    Priority
      Enter a value between 100 and 4096 that is unique among all security rules within the network security group. Rules are processed in priority order: the lower the number, the higher the priority. It's recommended that you leave a gap between priority numbers when creating rules, such as 100, 200, 300. Leaving gaps makes it easier to add rules in the future that you may need to rank higher or lower than existing rules.
    Name
      A unique name for the rule within the network security group. The name can be up to 80 characters. It must begin with a letter or number, end with a letter, number, or underscore, and may contain only letters, numbers, underscores, periods, or hyphens.
    Description
      An optional description.
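As an added example that is not part of this article, the rule constraints and the priority semantics from the table above modelled in Python: it validates custom rule names and priorities and evaluates an inbound flow against a constructed rule set plus two of Azure's built-in inbound default rules (known platform defaults, not listed on this page). It goes slightly beyond the page by showing the full evaluation order, including a custom rule overriding a default rule; the rule names, addresses and VNet range are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass

# Name constraints from the table above: up to 80 chars, starts with a letter or
# digit, ends with a letter, digit or underscore, only [A-Za-z0-9_.-] inside.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?$")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str       # "Allow" or "Deny"
    protocol: str     # "Any", "TCP" or "UDP"
    source: str       # "*", a comma-separated CIDR list, or "VirtualNetwork"
    destination: str  # same forms as source
    dest_ports: str   # "*", "22", "1024-65535" or "80, 1024-65535"

def parse_ports(spec):
    """'80, 1024-65535' -> [range(80, 81), range(1024, 65536)]; '*' -> all ports."""
    if spec.strip() == "*":
        return [range(0, 65536)]
    pairs = [p.strip().partition("-") for p in spec.split(",")]
    return [range(int(lo), int(hi or lo) + 1) for lo, _, hi in pairs]

def address_matches(spec, ip, vnet):
    """'*'/'Any' match all; VirtualNetwork is the VNet space; else a CIDR list."""
    spec = spec.strip()
    if spec in ("*", "Any"):
        return True
    nets = [vnet] if spec == "VirtualNetwork" else spec.split(",")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False) for n in nets)

def validate(rules):
    """Return the violations the portal rejects for custom rules (empty = valid)."""
    problems, seen = [], set()
    for r in rules:
        if not NAME_RE.match(r.name):
            problems.append(f"{r.name!r}: invalid name")
        if not 100 <= r.priority <= 4096:
            problems.append(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            problems.append(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)
    return problems

# Two of Azure's built-in inbound default rules (known platform defaults, not
# listed on this page); at priority 65000+ every custom rule outranks them.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "Any", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "Any", "*", "*", "*"),
]

def evaluate(rules, src_ip, dst_ip, dst_port, proto, vnet="10.0.0.0/16"):
    """First matching rule in priority order decides; a lower number wins."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("Any", proto)
                and address_matches(r.source, src_ip, vnet)
                and address_matches(r.destination, dst_ip, vnet)
                and any(dst_port in pr for pr in parse_ports(r.dest_ports))):
            return r.name, r.access  # DenyAllInBound guarantees a match

# Constructed sample rule set (hypothetical names, documentation addresses).
RULES = [
    Rule("allow-ssh-admin", 100, "Allow", "TCP", "203.0.113.0/24", "*", "22"),
    Rule("deny-ssh", 200, "Deny", "TCP", "*", "*", "22"),
    Rule("allow-web", 300, "Allow", "TCP", "*", "*", "80, 443"),
    Rule("deny-rdp-from-vnet", 4000, "Deny", "TCP", "VirtualNetwork", "VirtualNetwork", "3389"),
]
```

The deny-rdp-from-vnet rule at priority 4000 overrides the AllowVnetInBound default for port 3389 only, while other VNet-internal traffic still falls through to the default allow.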

View all security rules

A network security group contains zero or more rules. To learn more about the information listed when viewing rules, see Network security group overview.

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group from the list that you want to view rules for.
  3. Select Inbound security rules or Outbound security rules under SETTINGS.

The list contains any rules you have created and the network security group default security rules.

View details of a security rule

  1. In the search box at the top of the portal, enter network security groups. When Network security groups appears in the search results, select it.
  2. Select the network security group you want to view details of a security rule for.
  3. Select Inbound security rules or Outbound security rules under SETTINGS.
  4. Select the rule you want to view details for. For a detailed explanation of all settings, see Security rule settings.

Change a security rule

  1. Complete the steps in View details of a security rule.
  2. Change the settings as desired, and then select Save. For a detailed explanation of all settings, see Security rule settings.

Delete a security rule

  1. Complete the steps in View details of a security rule.
  2. Select Delete, and then select Yes.

Work with application security groups

An application security group contains zero or more network interfaces. To learn more, see Application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.

Create an application security group

  1. Select + Create a resource in the upper-left corner of the Azure portal.
  2. In the Search the Marketplace box, enter Application security group. When Application security group appears in the search results, select it, select Application security group again under Everything, and then select Create.
  3. Enter or select the following information, and then select Create:

    Setting         Value
    Name            The name must be unique within a resource group.
    Subscription    Select your subscription.
    Resource group  Select an existing resource group, or create a new one.
    Location        Select a location.

View all application security groups

  1. Select All services in the upper-left corner of the Azure portal.
  2. Enter application security groups in the All services Filter box, and then select Application security groups when it appears in the search results.

View details of a specific application security group

  1. Select All services in the upper-left corner of the Azure portal.
  2. Enter application security groups in the All services Filter box, and then select Application security groups when it appears in the search results.
  3. Select the application security group that you want to view the details of.

Change an application security group

  1. Select All services in the upper-left corner of the Azure portal.
  2. Enter application security groups in the All services Filter box, and then select Application security groups when it appears in the search results.
  3. Select the application security group that you want to change settings for. You can add or remove tags, or assign or remove permissions, for the application security group.

Delete an application security group

You cannot delete an application security group if it has any network interfaces in it. Remove all network interfaces from the application security group by either changing the network interface settings or deleting the network interfaces. For details, see Add to or remove a network interface from application security groups or Delete a network interface.

  1. Select All services in the upper-left corner of the Azure portal.
  2. Enter application security groups in the All services Filter box, and then select Application security groups when it appears in the search results.
  3. Select the application security group that you want to delete.
  4. Select Delete, and then select Yes to delete the application security group.

Permissions

To perform tasks on network security groups, security rules, and application security groups, your account must be assigned the Network Contributor role or a custom role that is assigned the appropriate permissions listed in the following tables:

Network security group

  Action                                                    Name
  Microsoft.Network/networkSecurityGroups/read              Get network security group
  Microsoft.Network/networkSecurityGroups/write             Create or update network security group
  Microsoft.Network/networkSecurityGroups/delete            Delete network security group
  Microsoft.Network/networkSecurityGroups/join/action       Associate a network security group to a subnet or network interface

Network security group rule

  Action                                                    Name
  Microsoft.Network/networkSecurityGroups/rules/read        Get rule
  Microsoft.Network/networkSecurityGroups/rules/write       Create or update rule
  Microsoft.Network/networkSecurityGroups/rules/delete      Delete rule

Application security group

  Action                                                                       Name
  Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action       Join an IP configuration to an application security group
  Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action   Join a security rule to an application security group
  Microsoft.Network/applicationSecurityGroups/read                             Get an application security group
  Microsoft.Network/applicationSecurityGroups/write                            Create or update an application security group
  Microsoft.Network/applicationSecurityGroups/delete                           Delete an application security group

Next steps