Create, change, or delete a network security group

Security rules in network security groups let you filter the types of network traffic that can flow in and out of virtual network subnets and network interfaces. To learn more about network security groups, see Network security group overview. Next, complete the Filter network traffic tutorial to get some hands-on experience with network security groups.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

If you don't have an Azure account, set one up with an active subscription. Create a trial account. Complete one of these tasks before starting the remainder of this article:

  • Portal users: Sign in to the Azure portal with your Azure account.

  • PowerShell users: Run PowerShell from your computer.

    When you run PowerShell locally, use Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az.Network to find the installed version. If you need to upgrade, see Install Azure PowerShell module. Run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

  • Azure command-line interface (CLI) users: Run the CLI from your computer.

    When you run the Azure CLI locally, use Azure CLI version 2.0.28 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. Run az login to create a connection with Azure.

The account you sign in with, or connect to Azure with, must be assigned the Network Contributor role, or a custom role that is assigned the appropriate actions listed in Permissions.

Work with network security groups

You can create, view all, view details of, change, and delete a network security group. You can also associate a network security group with, or dissociate it from, a network interface or subnet.

Create a network security group

There's a limit to how many network security groups you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Select Networking, then select Network security group.

  3. In the Create network security group page, under the Basics tab, set values for the following settings:

    Setting | Action
    Subscription | Choose your subscription.
    Resource group | Choose an existing resource group, or select Create new to create a new one.
    Name | Enter a text string that is unique within the resource group.
    Region | Choose the location you want.

  4. Select Review + create.

  5. After you see the Validation passed message, select Create.

Commands

Tool | Command
Azure CLI | az network nsg create
PowerShell | New-AzNetworkSecurityGroup

View all network security groups

Go to the Azure portal to view your network security groups. Search for and select Network security groups. The list of network security groups in your subscription appears.

Commands

Tool | Command
Azure CLI | az network nsg list
PowerShell | Get-AzNetworkSecurityGroup

View details of a network security group

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of your network security group.

In the network security group's menu bar, under Settings, you can view the Inbound security rules and Outbound security rules, and the Network interfaces and Subnets that the network security group is associated with.

Under Monitoring, you can enable or disable Diagnostic settings. Under Support + troubleshooting, you can view Effective security rules. To learn more, see Diagnose a VM network traffic filter problem.

To learn more about the common Azure settings listed, see the following articles:

Commands

Tool | Command
Azure CLI | az network nsg show
PowerShell | Get-AzNetworkSecurityGroup

Change a network security group

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to change.

The most common changes are to add a security rule, remove a rule, and associate a network security group with, or dissociate it from, a subnet or network interface.

Commands

Tool | Command
Azure CLI | az network nsg update
PowerShell | Set-AzNetworkSecurityGroup

Associate or dissociate a network security group to or from a subnet or network interface

To associate a network security group with, or dissociate it from, a network interface, see Associate a network security group to, or dissociate a network security group from a network interface. To associate a network security group with, or dissociate it from, a subnet, see Change subnet settings.

Delete a network security group

A network security group that is associated with any subnet or network interface can't be deleted. Dissociate the network security group from all subnets and network interfaces before you try to delete it.

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to delete.

  3. In the network security group's toolbar, select Delete. Then select Yes in the confirmation dialog box.

Commands

Tool | Command
Azure CLI | az network nsg delete
PowerShell | Remove-AzNetworkSecurityGroup

Work with security rules

A network security group contains zero or more security rules. You can create, view all, view details of, change, and delete a security rule.

Create a security rule

There's a limit to how many rules per network security group you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to add a security rule to.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

    Several existing rules are listed, including some you didn't add. When you create a network security group, Azure creates several default security rules in it. To learn more, see Default security rules. You can't delete the default security rules, but you can override them with rules that have a higher priority (a lower priority number).

  4. Select Add. Select or add values for the following settings, and then select OK:

    Source
      Value: One of:
        • Any
        • IP Addresses
        • Service Tag (inbound security rule) or VirtualNetwork (outbound security rule)
        • Application security group
      Details: If you choose IP Addresses, you must also specify Source IP addresses/CIDR ranges. If you choose Service Tag, you may also pick a Source service tag. If you choose Application security group, you must also pick an existing application security group. If you choose Application security group for both Source and Destination, the network interfaces in both application security groups must be in the same virtual network.

    Source IP addresses/CIDR ranges
      Value: A comma-delimited list of IP addresses and Classless Interdomain Routing (CIDR) ranges
      Details: This setting appears if you set Source to IP Addresses. Specify a single value or a comma-separated list of values, for example 10.0.0.0/16, 192.188.1.1. There are limits to the number of values you can specify; see Azure limits. If an IP address you specify is assigned to an Azure VM, specify the VM's private IP address, not its public IP address: Azure processes inbound security rules after it has translated the public IP address to the private IP address, and outbound rules before it translates the private IP address to a public IP address. To learn more about public and private IP addresses in Azure, see IP address types.

    Source service tag
      Value: A service tag from the dropdown list
      Details: This optional setting appears if you set Source to Service Tag for an inbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about the available service tags and what each one represents, see Service tags.

    Source application security group
      Value: An existing application security group
      Details: This setting appears if you set Source to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group.

    Source port ranges
      Value: One of:
        • A single port, such as 80
        • A range of ports, such as 1024-65535
        • A comma-separated list of single ports and/or port ranges, such as 80, 1024-65535
        • An asterisk (*) to match traffic on any port
      Details: This setting specifies the source ports on which the rule allows or denies traffic. There are limits to the number of ports you can specify; see Azure limits.

    Destination
      Value: One of:
        • Any
        • IP Addresses
        • Service Tag (outbound security rule) or VirtualNetwork (inbound security rule)
        • Application security group
      Details: If you choose IP Addresses, also specify Destination IP addresses/CIDR ranges. If you choose VirtualNetwork, the rule applies to all IP addresses within the virtual network's address space; VirtualNetwork is a service tag. If you choose Application security group, you must then select an existing application security group. Learn how to create an application security group.

    Destination IP addresses/CIDR ranges
      Value: A comma-delimited list of IP addresses and CIDR ranges
      Details: This setting appears if you set Destination to IP Addresses. As with Source IP addresses/CIDR ranges, you can specify single or multiple addresses or ranges, subject to the limits in Azure limits. If an IP address you specify is assigned to an Azure VM, specify the VM's private IP address, not its public IP address; Azure processes inbound rules after translating a public IP address to the private one, and outbound rules before translating the private IP address to a public one. To learn more about public and private IP addresses in Azure, see IP address types.

    Destination service tag
      Value: A service tag from the dropdown list
      Details: This optional setting appears if you set Destination to Service Tag for an outbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about the available service tags and what each one represents, see Service tags.

    Destination application security group
      Value: An existing application security group
      Details: This setting appears if you set Destination to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group.

    Destination port ranges
      Value: One of:
        • A single port, such as 80
        • A range of ports, such as 1024-65535
        • A comma-separated list of single ports and/or port ranges, such as 80, 1024-65535
        • An asterisk (*) to match traffic on any port
      Details: As with Source port ranges, you can specify single or multiple ports and ranges. There are limits to the number you can specify; see Azure limits.

    Protocol
      Value: Any, TCP, UDP, or ICMP
      Details: You can restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). By default the rule applies to all protocols.

    Action
      Value: Allow or Deny
      Details: Specifies whether the rule allows or denies traffic that matches the supplied source and destination configuration.

    Priority
      Value: A number between 100 and 4096 that is unique among the rules in the same direction (inbound or outbound) within the network security group
      Details: Azure processes security rules in priority order: the lower the number, the higher the priority, and the first rule that matches the traffic decides. Leave gaps between priority numbers when you create rules, such as 100, 200, and 300, so that rules you add later can be given a higher or lower priority than the existing ones.

    Name
      Value: A unique name for the rule within the network security group
      Details: The name can be up to 80 characters. It must begin with a letter or number and end with a letter, number, or underscore, and it may contain only letters, numbers, underscores, periods, and hyphens.

    Description
      Value: A text description
      Details: You can optionally specify a text description for the security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule create
PowerShell | New-AzNetworkSecurityRuleConfig

New-AzNetworkSecurityRuleConfig only builds a rule object in memory: pass it to New-AzNetworkSecurityGroup -SecurityRules, or add it to an existing group with Add-AzNetworkSecurityRuleConfig and commit with Set-AzNetworkSecurityGroup.
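The rule settings above, and the priority-ordered, first-match evaluation they describe, as an added example that is not code from this page or from Azure. The block validates custom rules against the portal's constraints (name syntax, priority 100-4096, per-direction priority uniqueness, port and address syntax), seeds the six default rules Azure creates in every NSG, and evaluates constructed flows against a constructed rule set. Assumptions to note: service tags are reduced to VirtualNetwork, AzureLoadBalancer (the probe address 168.63.129.16) and Internet (modelled simply as "outside the VNet"); the VNet address space is supplied as an input; the rules, addresses and flows are invented for the example.

```python
"""Added example, not code from the Azure documentation page: validates custom NSG
rules against the constraints listed above and evaluates constructed flows the way
Azure does (default plus custom rules, priority order, first match wins)."""
import ipaddress
import re
from collections import namedtuple

# Ports and addresses are the portal's strings, e.g. "80, 1024-65535", "10.0.0.0/16, 192.188.1.1".
Rule = namedtuple("Rule", "name priority direction access protocol source "
                  "source_ports destination destination_ports is_default", defaults=[False])
# 1-80 chars, starts with a letter/digit, ends with a letter/digit/underscore, . - _ allowed inside.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]{0,78}[A-Za-z0-9_])?$")
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # what the AzureLoadBalancer tag resolves to
TAGS = ("*", "VirtualNetwork", "AzureLoadBalancer", "Internet")  # the only tags modelled here

def parse_ports(spec):
    # '*' -> [(0, 65535)]; '80, 1024-65535' -> [(80, 80), (1024, 65535)]
    if spec.strip() == "*":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {part.strip()!r}")
        ranges.append((lo_i, hi_i))
    return ranges

def parse_addresses(spec):
    # '*' and service tags come back unchanged; anything else becomes a list of networks
    spec = spec.strip()
    return spec if spec in TAGS else [ipaddress.ip_network(p.strip(), strict=False) for p in spec.split(",")]

def validate_rules(rules):
    """Return the list of validation errors (empty when every rule is valid)."""
    errors, seen = [], set()
    for r in rules:
        if not NAME_RE.match(r.name):
            errors.append(f"{r.name!r}: invalid name")
        if not r.is_default and not 100 <= r.priority <= 4096:
            errors.append(f"{r.name!r}: priority {r.priority} not in 100-4096")
        if (r.direction, r.priority) in seen:  # priorities must be unique per direction
            errors.append(f"{r.name!r}: duplicate {r.direction} priority {r.priority}")
        seen.add((r.direction, r.priority))
        for label, parser, spec in (("source ports", parse_ports, r.source_ports),
                                    ("destination ports", parse_ports, r.destination_ports),
                                    ("source", parse_addresses, r.source),
                                    ("destination", parse_addresses, r.destination)):
            try:
                parser(spec)
            except ValueError as e:
                errors.append(f"{r.name!r}: {label}: {e}")
    return errors

def default_rules():
    # The six rules Azure creates in every NSG; they cannot be edited or deleted.
    d = dict(protocol="*", source_ports="*", destination_ports="*", is_default=True)
    return [Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork", **d),
            Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer", destination="*", **d),
            Rule("DenyAllInBound", 65500, "Inbound", "Deny", source="*", destination="*", **d),
            Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork", **d),
            Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", source="*", destination="Internet", **d),
            Rule("DenyAllOutBound", 65500, "Outbound", "Deny", source="*", destination="*", **d)]

def _addr_matches(spec, addr, vnet):
    target = parse_addresses(spec)
    if isinstance(target, list):
        return any(addr in n for n in target)
    if target == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    in_vnet = any(addr in n for n in vnet)  # Internet is simplified to "outside the VNet"
    return {"*": True, "VirtualNetwork": in_vnet, "Internet": not in_vnet}[target]

def evaluate(rules, vnet_prefixes, direction, protocol, src, src_port, dst, dst_port):
    """First match in priority order decides. Pass the VM's private IP, since inbound
    rules are evaluated after a public IP has been translated to it."""
    vnet = [ipaddress.ip_network(p) for p in vnet_prefixes]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted((x for x in rules if x.direction == direction), key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_addr_matches(r.source, src_ip, vnet) and _addr_matches(r.destination, dst_ip, vnet)):
            continue
        if not (any(lo <= src_port <= hi for lo, hi in parse_ports(r.source_ports))
                and any(lo <= dst_port <= hi for lo, hi in parse_ports(r.destination_ports))):
            continue
        return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while the default rules are present

# Constructed sample: a /16 VNet with a bastion subnet; three custom inbound rules protect 10.0.1.4.
VNET = ["10.0.0.0/16"]
CUSTOM = [Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.254.0/24", "*", "*", "22"),
          Rule("DenySshFromAnywhere", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "22"),
          Rule("AllowHttpsFromInternet", 300, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443")]
ALL_RULES = CUSTOM + default_rules()

def demo():
    # Verdicts for constructed TCP flows given as (direction, source, destination, destination port).
    flows = {"ssh_from_bastion": ("Inbound", "10.0.254.10", "10.0.1.4", 22),
             "ssh_from_internet": ("Inbound", "203.0.113.5", "10.0.1.4", 22),
             "https_from_internet": ("Inbound", "203.0.113.5", "10.0.1.4", 443),
             "intra_vnet_8080": ("Inbound", "10.0.2.8", "10.0.1.4", 8080),
             "internet_8080": ("Inbound", "203.0.113.5", "10.0.1.4", 8080),
             "vm_to_internet_443": ("Outbound", "10.0.1.4", "203.0.113.5", 443)}
    return {k: evaluate(ALL_RULES, VNET, d, "Tcp", s, 51000, t, p) for k, (d, s, t, p) in flows.items()}
```

Running demo() shows the ordering rules in action: SSH from the bastion subnet is allowed by the priority-100 rule before the priority-200 deny is considered, SSH from anywhere else hits the deny, unmatched traffic from inside the VNet falls through to AllowVnetInBound, and unmatched traffic from the internet falls through to DenyAllInBound. Feeding validate_rules() a rule with priority 50, a name containing a space, or a port of 70000 returns one error per defect, which is the same set of constraints the portal enforces before it lets you select OK.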

View all security rules

A network security group contains zero or more rules. To learn more about the information shown when you view rules, see Network security group overview.

  1. Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.

  2. Select the name of the network security group whose rules you want to view.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

The list contains any rules you've created as well as the network security group's default security rules.

Commands

Tool | Command
Azure CLI | az network nsg rule list
PowerShell | Get-AzNetworkSecurityRuleConfig

View details of a security rule

  1. Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.

  2. Select the name of the network security group whose rule details you want to view.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

  4. Select the rule you want to view details for. For an explanation of all settings, see Security rule settings.

    Note

    This procedure applies only to custom security rules. It doesn't work if you choose a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule show
PowerShell | Get-AzNetworkSecurityRuleConfig

Change a security rule

  1. Complete the steps in View details of a security rule.

  2. Change the settings as needed, and then select Save. For an explanation of all settings, see Security rule settings.

    Note

    This procedure applies only to custom security rules. You aren't allowed to change a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule update
PowerShell | Set-AzNetworkSecurityRuleConfig

Set-AzNetworkSecurityRuleConfig changes the rule on the in-memory network security group object only; the change is saved to Azure when you pipe that object to Set-AzNetworkSecurityGroup.

Delete a security rule

  1. Complete the steps in View details of a security rule.

  2. Select Delete, and then select Yes.

    Note

    This procedure applies only to custom security rules. You aren't allowed to delete a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule delete
PowerShell | Remove-AzNetworkSecurityRuleConfig

As with Set-AzNetworkSecurityRuleConfig, Remove-AzNetworkSecurityRuleConfig edits the in-memory object; commit the deletion with Set-AzNetworkSecurityGroup.

Work with application security groups

An application security group contains zero or more network interfaces. To learn more, see Application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.

Create an application security group

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. In the search box, enter Application security group.

  3. In the Application security group page, select Create.

  4. In the Create an application security group page, under the Basics tab, set values for the following settings:

    Setting | Action
    Subscription | Choose your subscription.
    Resource group | Choose an existing resource group, or select Create new to create a new one.
    Name | Enter a text string that is unique within the resource group.
    Region | Choose the location you want.

  5. Select Review + create.

  6. Under the Review + create tab, after you see the Validation passed message, select Create.

Commands

Tool | Command
Azure CLI | az network asg create
PowerShell | New-AzApplicationSecurityGroup

View all application security groups

Go to the Azure portal to view your application security groups. Search for and select Application security groups. The Azure portal displays a list of your application security groups.

Commands

Tool | Command
Azure CLI | az network asg list
PowerShell | Get-AzApplicationSecurityGroup

View details of a specific application security group

  1. Go to the Azure portal to view an application security group. Search for and select Application security groups.

  2. Select the name of the application security group whose details you want to view.

Commands

Tool | Command
Azure CLI | az network asg show
PowerShell | Get-AzApplicationSecurityGroup

Change an application security group

  1. Go to the Azure portal to view an application security group. Search for and select Application security groups.

  2. Select the name of the application security group you want to change.

  3. Select change next to the setting you want to modify. For example, you can add or remove Tags, or you can change the Resource group or Subscription.

    Note

    You can't change the location.

    In the menu bar, you can also select Access control (IAM). In the Access control (IAM) page, you can assign or remove permissions to the application security group.

Commands

Tool | Command
Azure CLI | az network asg update
PowerShell | No PowerShell cmdlet

Delete an application security group

You can't delete an application security group that contains any network interfaces. To remove all network interfaces from the application security group, either change the network interface settings or delete the network interfaces. To learn more, see Add to or remove from application security groups or Delete a network interface.

  1. Go to the Azure portal to manage your application security groups. Search for and select Application security groups.

  2. Select the name of the application security group you want to delete.

  3. Select Delete, and then select Yes to delete the application security group.

Commands

Tool | Command
Azure CLI | az network asg delete
PowerShell | Remove-AzApplicationSecurityGroup

Permissions

To do tasks on network security groups, security rules, and application security groups, your account must be assigned the Network Contributor role, or a custom role that is assigned the appropriate permissions listed in the following tables:

Network security group

Action | Name
Microsoft.Network/networkSecurityGroups/read | Get network security group
Microsoft.Network/networkSecurityGroups/write | Create or update network security group
Microsoft.Network/networkSecurityGroups/delete | Delete network security group
Microsoft.Network/networkSecurityGroups/join/action | Associate a network security group to a subnet or network interface

Network security group rule

Action | Name
Microsoft.Network/networkSecurityGroups/rules/read | Get rule
Microsoft.Network/networkSecurityGroups/rules/write | Create or update rule
Microsoft.Network/networkSecurityGroups/rules/delete | Delete rule

Application security group

Action | Name
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Join an IP configuration to an application security group
Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Join a security rule to an application security group
Microsoft.Network/applicationSecurityGroups/read | Get an application security group
Microsoft.Network/applicationSecurityGroups/write | Create or update an application security group
Microsoft.Network/applicationSecurityGroups/delete | Delete an application security group
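When you author a custom role instead of handing out Network Contributor, the useful check is whether the role's effective actions cover each task in the tables above. The following is an added example, not code from this page or from Azure. It applies the Azure RBAC evaluation rule that an action is granted when it matches an entry in the role's Actions (where * is a wildcard that also spans / segments, and matching is case-insensitive) and matches no entry in NotActions; NotActions only carve out of Actions, they never deny. The role definitions are constructed for the example; the first one mirrors the Microsoft.Network/* grant that the built-in Network Contributor role carries. The subnet write action listed for the association task is not in the tables above but is needed in practice, because associating a network security group with a subnet writes the subnet.

```python
"""Added example, not code from the Azure documentation page: checks whether a
role definition grants the actions the Permissions tables list for each task."""
import fnmatch

# Actions per task, taken from the Permissions tables. The subnet write on the
# association task is not on the page; it is required because the subnet itself is updated.
TASKS = {
    "create or update NSG": ["Microsoft.Network/networkSecurityGroups/write"],
    "delete NSG": ["Microsoft.Network/networkSecurityGroups/delete"],
    "associate NSG to subnet": ["Microsoft.Network/networkSecurityGroups/join/action",
                                "Microsoft.Network/virtualNetworks/subnets/write"],
    "create or update rule": ["Microsoft.Network/networkSecurityGroups/rules/write"],
    "rule that references an ASG": ["Microsoft.Network/networkSecurityGroups/rules/write",
                                    "Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action"],
    "add NIC to ASG": ["Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action"],
    "delete ASG": ["Microsoft.Network/applicationSecurityGroups/delete"],
}


def _matches(pattern, action):
    # Azure RBAC wildcards: '*' matches any text, including '/' separators; case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """Effective permission = Actions minus NotActions (NotActions never deny on their own)."""
    allowed = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not excluded


def missing_actions(role, task):
    return [a for a in TASKS[task] if not is_granted(role, a)]


def report(role):
    """Map each task to the actions the role still lacks (an empty list means permitted)."""
    return {task: missing_actions(role, task) for task in TASKS}


# Constructed role definitions for the example.
NETWORK_CONTRIBUTOR_LIKE = {"Actions": ["Microsoft.Network/*"], "NotActions": []}
NSG_OPERATOR = {  # a least-privilege custom role: manage NSGs and rules, never delete an NSG
    "Actions": ["Microsoft.Network/networkSecurityGroups/*",
                "Microsoft.Network/applicationSecurityGroups/read"],
    "NotActions": ["Microsoft.Network/networkSecurityGroups/delete"],
}

if __name__ == "__main__":
    for name, role in (("contributor-like", NETWORK_CONTRIBUTOR_LIKE), ("nsg-operator", NSG_OPERATOR)):
        print(name, {task: gap for task, gap in report(role).items() if gap})
```

For the contributor-like role every task comes back with an empty gap list. For the NSG operator role the report shows exactly where the carve-outs bite: deleting an NSG is excluded by NotActions even though networkSecurityGroups/* would otherwise cover it, associating with a subnet fails only on the subnet write, and any rule that references an application security group fails on joinNetworkSecurityRule/action because the role only has read on application security groups.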

Next steps