Network security groups

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

This article describes the properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify to create an augmented security rule.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

Property: Explanation

Name: A unique name within the network security group.

Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.

Source or destination: Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Specifying a range, a service tag, or an application security group enables you to create fewer security rules. The ability to specify multiple individual IP addresses and ranges (you cannot specify multiple service tags or application groups) in a rule is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model.

Protocol: TCP, UDP, ICMP, or Any.

Direction: Whether the rule applies to inbound or outbound traffic.

Port range: You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model.

Action: Allow or deny.

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. You may not create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

AllowVNetInBound
Priority  Source          Source ports  Destination     Destination ports  Protocol  Access
65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535            Any       Allow

AllowAzureLoadBalancerInBound
Priority  Source             Source ports  Destination  Destination ports  Protocol  Access
65001     AzureLoadBalancer  0-65535       0.0.0.0/0    0-65535            Any       Allow

DenyAllInbound
Priority  Source     Source ports  Destination  Destination ports  Protocol  Access
65500     0.0.0.0/0  0-65535       0.0.0.0/0    0-65535            Any       Deny

Outbound

AllowVnetOutBound
Priority  Source          Source ports  Destination     Destination ports  Protocol  Access
65000     VirtualNetwork  0-65535       VirtualNetwork  0-65535            Any       Allow

AllowInternetOutBound
Priority  Source     Source ports  Destination  Destination ports  Protocol  Access
65001     0.0.0.0/0  0-65535       Internet     0-65535            Any       Allow

DenyAllOutBound
Priority  Source     Source ports  Destination  Destination ports  Protocol  Access
65500     0.0.0.0/0  0-65535       0.0.0.0/0    0-65535            Any       Deny

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. In the Protocol column, Any encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP, or Any. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients like the Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

You cannot remove the default rules, but you can override them by creating rules with higher priorities.

Augmented security rules

Augmented security rules simplify security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.
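The following model of the evaluation described above (priority order, first 5-tuple match wins, default rules as the fallback) and of an augmented rule carrying several addresses and ports is an added example, not Azure's implementation or code from this page; the service tag prefixes, IP addresses and rule names in it are constructed assumptions.

```python
import ipaddress

# Constructed: service tags resolved to assumed prefixes (real tags cover many more).
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "Internet": ["0.0.0.0/0"],
                "AzureLoadBalancer": ["168.63.129.16/32"]}

def rule(name, priority, src, dst, dports, access, protocol="Any",
         sports=("0-65535",), direction="Inbound"):
    # src, dst and dports are lists: an augmented rule carries several entries.
    return dict(name=name, priority=priority, src=src, dst=dst, dports=dports,
                sports=list(sports), access=access, protocol=protocol, direction=direction)

# The default inbound rules from the page; Azure adds these to every NSG.
DEFAULT_INBOUND = [
    rule("AllowVNetInBound", 65000, ["VirtualNetwork"], ["VirtualNetwork"], ["0-65535"], "Allow"),
    rule("AllowAzureLoadBalancerInBound", 65001, ["AzureLoadBalancer"], ["0.0.0.0/0"], ["0-65535"], "Allow"),
    rule("DenyAllInbound", 65500, ["0.0.0.0/0"], ["0.0.0.0/0"], ["0-65535"], "Deny"),
]

def ip_match(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    nets = [ipaddress.ip_network(c) for p in prefixes for c in SERVICE_TAGS.get(p, [p])]
    return any(ip in n for n in nets)

def port_match(port, ranges):
    # A range entry is a single port ("80") or a span ("10000-10005").
    for r in ranges:
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(custom_rules, protocol, src, sport, dst, dport, direction="Inbound"):
    """Process rules lowest number first; the first matching rule decides and processing stops."""
    for r in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["direction"] != direction or r["protocol"] not in ("Any", protocol):
            continue
        if (ip_match(src, r["src"]) and ip_match(dst, r["dst"])
                and port_match(sport, r["sports"]) and port_match(dport, r["dports"])):
            return r["name"], r["access"]
    return "DenyAllInbound", "Deny"

# Constructed custom rules: an augmented allow (two sources, two ports), a deny that
# overrides the default VNet allow for SMB, and a lower-priority rule it shadows.
CUSTOM = [
    rule("AllowWebFromCorp", 100, ["203.0.113.0/24", "198.51.100.7"], ["10.0.1.0/24"], ["80", "443"], "Allow", "TCP"),
    rule("DenySmbInVnet", 110, ["VirtualNetwork"], ["10.0.1.0/24"], ["445"], "Deny", "TCP"),
    rule("AllowSmbInVnet", 200, ["VirtualNetwork"], ["10.0.1.0/24"], ["445"], "Allow", "TCP"),  # never reached
]

if __name__ == "__main__":
    print(evaluate(CUSTOM, "TCP", "198.51.100.7", 51000, "10.0.1.4", 443))
    print(evaluate(CUSTOM, "TCP", "10.0.2.9", 51000, "10.0.1.4", 445))
    print(evaluate(CUSTOM, "TCP", "10.0.2.9", 51000, "10.0.1.4", 22))
```

The third call shows traffic inside the VNet on port 22 falling through to the default AllowVNetInBound rule, which is why a deny like DenySmbInVnet must carry a lower number than 65000 to take effect.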

Service tags

A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates to network security rules.

For more information, see Azure service tags. For an example of how to use the Storage service tag to restrict network access, see Restrict network access to PaaS resources.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. To learn more, see Application security groups.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Azure and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes will not include these platform rules. To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your network security group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. Learn how to diagnose network traffic filtering and diagnose network routing.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using the default route 0.0.0.0/0 configuration, this platform rule will be disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets, are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service doesn't function properly.

  • Sending outbound email: Azure recommends that you use authenticated SMTP relay services (typically connected via TCP port 587, though other ports are often used as well) to send email from Azure virtual machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.

    • Standard Pay-in-Advance Offer: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at Azure's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.

    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.

    • Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    Even if Azure allows you to send email over port 25, Azure cannot guarantee that email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps