Security groups

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. To learn which Azure resources can be deployed into a virtual network and have network security groups associated with them, see Virtual network integration for Azure services. For each rule, you can specify source and destination, port, and protocol.

This article explains network security group concepts to help you use them effectively. If you have never created a network security group, you can complete a quick tutorial to get some experience creating one. If you are familiar with network security groups and need to manage them, see Manage a network security group. If you are having communication problems and need to troubleshoot network security groups, see Diagnose a virtual machine network traffic filter problem. You can enable network security group flow logs to analyze network traffic to and from resources that have an associated network security group.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

| Property | Explanation |
|---|---|
| Name | A unique name within the network security group. |
| Priority | A number between 100 and 4096. Rules are processed in priority order: lower numbers are processed before higher numbers, because a lower number means a higher priority. Once traffic matches a rule, processing stops. As a result, a rule with a lower priority (higher number) whose attributes are the same as a higher-priority rule is never processed. |
| Source or destination | Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Learn more about Azure IP addresses. Specifying a range, a service tag, or an application security group lets you create fewer security rules. The ability to specify multiple individual IP addresses and ranges in one rule (you cannot specify multiple service tags or application security groups) is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model. Learn more about Azure deployment models. |
| Protocol | TCP, UDP, ICMP, or Any. |
| Direction | Whether the rule applies to inbound or outbound traffic. |
| Port range | You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges lets you create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model. |
| Action | Allow or deny |

Network security group rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections, and communication is allowed or denied based on the connection state of the flow record. The flow record is what makes a network security group stateful. For example, if you specify an outbound security rule to any address over port 80, it is not necessary to specify an inbound security rule for the response to the outbound traffic; you only need to specify an inbound security rule if communication is initiated externally. The opposite is also true: if inbound traffic is allowed over a port, it is not necessary to specify an outbound security rule to respond to traffic over that port. Existing connections may not be interrupted when you remove a security rule that enabled the flow; traffic flows are interrupted only when connections are stopped and no traffic is flowing in either direction for at least a few minutes. In practice this means that removing an allow rule is not a reliable way to cut off a connection that is already established: the flow can persist until it goes idle.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Augmented security rules

Augmented security rules simplify security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.

Service tags

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. You can use service tags in place of specific IP addresses when creating security rules.

The following service tags are available for use in network security group rules.

  • **ApiManagement*** (Resource Manager only): This tag denotes the address prefixes of the management traffic for dedicated Azure API Management (APIM) deployments. If you specify ApiManagement for the value, traffic is allowed or denied to ApiManagement. This tag is recommended for inbound/outbound security rules.

  • **AppService*** (Resource Manager only): This tag denotes the address prefixes of the Azure App Service service. If you specify AppService for the value, traffic is allowed or denied to AppService. This tag is recommended for outbound security rules to Web Apps front ends.

  • **AppServiceManagement*** (Resource Manager only): This tag denotes the address prefixes of the management traffic for App Service Environment dedicated deployments. If you specify AppServiceManagement for the value, traffic is allowed or denied to AppServiceManagement. This tag is recommended for inbound/outbound security rules.

  • **AzureActiveDirectory*** (Resource Manager only): This tag denotes the address prefixes of the Azure Active Directory service. If you specify AzureActiveDirectory for the value, traffic is allowed or denied to AzureActiveDirectory. This tag is recommended for outbound security rules.

  • **AzureBackup*** (Resource Manager only): This tag denotes the address prefixes of the Azure Backup service. If you specify AzureBackup for the value, traffic is allowed or denied to AzureBackup. This tag has a dependency on the Storage and AzureActiveDirectory tags. This tag is recommended for outbound security rules.

  • **AzureCloud*** (Resource Manager only): This tag denotes the IP address space for Azure, including all datacenter public IP addresses. If you specify AzureCloud for the value, traffic is allowed or denied to Azure public IP addresses. This tag is recommended for outbound security rules.

  • **AzureConnectors*** (Resource Manager only): This tag denotes the address prefixes of the Logic Apps connectors for probe/back-end connections. If you specify AzureConnectors for the value, traffic is allowed or denied to AzureConnectors. This tag is recommended for inbound security rules.

  • **AzureContainerRegistry*** (Resource Manager only): This tag denotes the address prefixes of the Azure Container Registry service. If you specify AzureContainerRegistry for the value, traffic is allowed or denied to AzureContainerRegistry. This tag is recommended for outbound security rules.

  • **AzureCosmosDB*** (Resource Manager only): This tag denotes the address prefixes of the Azure Cosmos DB service. If you specify AzureCosmosDB for the value, traffic is allowed or denied to AzureCosmosDB. This tag is recommended for outbound security rules.

  • **AzureKeyVault*** (Resource Manager only): This tag denotes the address prefixes of the Azure Key Vault service. If you specify AzureKeyVault for the value, traffic is allowed or denied to AzureKeyVault. This tag has a dependency on the AzureActiveDirectory tag. This tag is recommended for outbound security rules.

  • **AzureLoadBalancer** (Resource Manager) (AZURE_LOADBALANCER for classic): This tag denotes Azure's infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) from which Azure's health probes originate. If you are not using the Azure load balancer, you can override this rule.

  • **AzureMonitor*** (Resource Manager only): This tag denotes the address prefixes of Log Analytics, Application Insights, Azure Monitor, and custom metrics (GiG endpoints). If you specify AzureMonitor for the value, traffic is allowed or denied to AzureMonitor. For Log Analytics, this tag has a dependency on the Storage tag. This tag is recommended for outbound security rules.

  • **AzurePlatformDNS** (Resource Manager only): This tag denotes DNS, which is a basic infrastructure service. If you specify AzurePlatformDNS for the value, you can disable the default Azure platform consideration for DNS. Use this tag with caution, and test before relying on it: a deny rule that uses it can cut a virtual machine off from the platform resolver.

  • **AzurePlatformLKM** (Resource Manager only): This tag denotes the Windows licensing or key management service. If you specify AzurePlatformLKM for the value, you can disable the default Azure platform consideration for licensing. Use this tag with caution, and test before relying on it.

  • **AzureTrafficManager*** (Resource Manager only): This tag denotes the IP address space for the Azure Traffic Manager probe IP addresses. More information on Traffic Manager probe IP addresses can be found in the Azure Traffic Manager FAQ. This tag is recommended for inbound security rules.

  • **BatchNodeManagement*** (Resource Manager only): This tag denotes the address prefixes of the management traffic for Azure Batch dedicated deployments. If you specify BatchNodeManagement for the value, traffic is allowed or denied from the Batch service to compute nodes. This tag is recommended for inbound/outbound security rules.

  • **CognitiveServicesManagement** (Resource Manager only): This tag denotes the address prefixes of traffic for Cognitive Services. If you specify CognitiveServicesManagement for the value, traffic is allowed or denied to CognitiveServicesManagement. This tag is recommended for outbound security rules.

  • **EventHub*** (Resource Manager only): This tag denotes the address prefixes of the Azure Event Hubs service. If you specify EventHub for the value, traffic is allowed or denied to EventHub. This tag is recommended for outbound security rules.

  • **GatewayManager** (Resource Manager only): This tag denotes the address prefixes of the management traffic for VPN Gateway and Application Gateway dedicated deployments. If you specify GatewayManager for the value, traffic is allowed or denied to GatewayManager. This tag is recommended for inbound security rules.

  • **Internet** (Resource Manager) (INTERNET for classic): This tag denotes the IP address space that is outside the virtual network and reachable by the public Internet. The address range includes the Azure-owned public IP address space.

  • **MicrosoftContainerRegistry*** (Resource Manager only): This tag denotes the address prefixes of the Microsoft Container Registry, the registry from which Microsoft publishes its own container images, as distinct from the AzureContainerRegistry tag above. If you specify MicrosoftContainerRegistry for the value, traffic is allowed or denied to MicrosoftContainerRegistry. This tag is recommended for outbound security rules.

  • **ServiceBus*** (Resource Manager only): This tag denotes the address prefixes of the Azure Service Bus service using the Premium service tier. If you specify ServiceBus for the value, traffic is allowed or denied to ServiceBus. This tag is recommended for outbound security rules.

  • **ServiceFabric*** (Resource Manager only): This tag denotes the address prefixes of the Service Fabric service. If you specify ServiceFabric for the value, traffic is allowed or denied to ServiceFabric. This tag is recommended for outbound security rules.

  • **Sql*** (Resource Manager only): This tag denotes the address prefixes of the Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services. If you specify Sql for the value, traffic is allowed or denied to Sql. The tag represents the service, not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server. This tag is recommended for outbound security rules.

  • **SqlManagement*** (Resource Manager only): This tag denotes the address prefixes of the management traffic for SQL dedicated deployments. If you specify SqlManagement for the value, traffic is allowed or denied to SqlManagement. This tag is recommended for inbound/outbound security rules.

  • **Storage*** (Resource Manager only): This tag denotes the IP address space for the Azure Storage service. If you specify Storage for the value, traffic is allowed or denied to storage. The tag represents the service, not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account. This tag is recommended for outbound security rules.

  • **VirtualNetwork** (Resource Manager) (VIRTUAL_NETWORK for classic): This tag includes the virtual network address space (all CIDR ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks or virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. Be aware that, because the tag includes user-defined route prefixes, a user-defined route for 0.0.0.0/0 makes the VirtualNetwork tag include the default route, so a rule written for VirtualNetwork then matches any address.

Note

Service tags of Azure services denote the address prefixes from the specific cloud being used.

Note

If you implement a virtual network service endpoint for a service, such as Azure Storage or Azure SQL Database, Azure adds a route to the virtual network subnet for the service. The address prefixes in the route are the same address prefixes, or CIDR ranges, as the corresponding service tag.

Service tags in on-premises

You can download the list of service tags, with prefix details, from the following weekly publications for Azure China clouds and integrate it with an on-premises firewall.

You can also programmatically retrieve this information using the Service Tag Discovery API (Public Preview) - REST, Azure PowerShell, and Azure CLI.

Note

The following weekly publications (old version) for Azure China clouds will be deprecated by June 30, 2020. Start using the updated publications described above.
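The downloadable service tag publication is a JSON document that lists each tag with its address prefixes. What follows is an added example, not code from this article or from Microsoft: a small Python tool that loads such a document, reports which tag(s) a given IP address belongs to (most specific prefix first), and diffs two publications so that an on-premises firewall rule set can be updated with exactly the prefixes that changed. The JSON field names (`values[].name`, `properties.addressPrefixes`) mirror the published file's layout as understood here and should be checked against the file you download; the prefixes in the sample are RFC 5737/RFC 3849 documentation ranges constructed for the example, not real Azure address space.

```python
"""Work with a service tag publication offline (added example, not Azure code).

Assumed layout, mirroring the downloadable service tag JSON:
{"changeNumber": N, "cloud": "...", "values": [{"name": ..., "id": ...,
  "properties": {"region": ..., "systemService": ..., "addressPrefixes": [...]}}]}
"""
import ipaddress
import json

# Constructed sample. Prefixes are RFC 5737 / RFC 3849 documentation ranges,
# NOT real Azure address space; a real publication holds thousands of prefixes.
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "changeNumber": 1,
    "cloud": "AzureChinaCloud",
    "values": [
        {"name": "Storage", "id": "Storage", "properties": {
            "region": "", "systemService": "AzureStorage",
            "addressPrefixes": ["192.0.2.0/24", "2001:db8:1::/48"]}},
        {"name": "Storage.ChinaEast2", "id": "Storage.ChinaEast2", "properties": {
            "region": "chinaeast2", "systemService": "AzureStorage",
            "addressPrefixes": ["192.0.2.128/25"]}},
        {"name": "Sql", "id": "Sql", "properties": {
            "region": "", "systemService": "AzureSQL",
            "addressPrefixes": ["198.51.100.0/24"]}},
    ],
})


def load_service_tags(text):
    """Parse a publication into {tag name: [ip_network, ...]}.

    strict=True makes a malformed prefix (host bits set) raise instead of being
    silently widened, which is what you want before it reaches a firewall.
    """
    doc = json.loads(text)
    tags = {}
    for entry in doc["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        tags[entry["name"]] = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return tags


def tags_containing(tags, ip):
    """Names of all tags whose prefixes cover `ip`, most specific prefix first.

    Regional tags (Storage.ChinaEast2) are subsets of the global tag (Storage),
    so an address normally matches both; the longest covering prefix sorts first.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, nets in tags.items():
        covering = [n for n in nets if n.version == addr.version and addr in n]
        if covering:
            hits.append((max(n.prefixlen for n in covering), name))
    return [name for _, name in sorted(hits, reverse=True)]


def diff_prefixes(old, new):
    """Per-tag prefixes added/removed between two publications.

    Azure updates the tags inside NSGs automatically; a firewall outside Azure
    does not, so this is the weekly change set it must absorb.
    """
    changes = {}
    for name in sorted(set(old) | set(new)):
        before, after = set(old.get(name, [])), set(new.get(name, []))
        if before != after:
            changes[name] = {
                "added": sorted(str(n) for n in after - before),
                "removed": sorted(str(n) for n in before - after),
            }
    return changes


def next_week_sample():
    """Constructed follow-up publication: the Sql tag gains one prefix."""
    doc = json.loads(SAMPLE_SERVICE_TAGS_JSON)
    doc["changeNumber"] = 2
    doc["values"][2]["properties"]["addressPrefixes"].append("203.0.113.0/24")
    return json.dumps(doc)


if __name__ == "__main__":
    tags = load_service_tags(SAMPLE_SERVICE_TAGS_JSON)
    print(tags_containing(tags, "192.0.2.200"))  # regional tag first, then the global one
    print(diff_prefixes(tags, load_service_tags(next_week_sample())))
```

Point the loader at the file you downloaded instead of the constructed string, and compare consecutive weeks with `diff_prefixes` before pushing the result to the firewall; a tag whose `removed` list is non-empty is the case to look at first, since a stale allow rule for a prefix Azure no longer owns is an exposure, not just a break.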

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |
| DenyAllInbound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

| Name | Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |
| AllowInternetOutBound | 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |
| DenyAllOutBound | 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags rather than IP addresses. In the Protocol column, Any encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP, or Any. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients like the Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

You cannot remove the default rules, but you can override them by creating rules with higher priorities (lower numbers). Note in particular that AllowVNetInBound and AllowInternetOutBound mean that, out of the box, every resource in the virtual network can reach every other resource on any port and can reach the internet; restricting lateral movement or egress requires explicit deny rules with numbers below 65000, as the application security group example below shows.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example:

Figure: Application security groups

In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the Azure limits. None of the network interfaces have an associated network security group. NSG1 is associated to both subnets and contains the following rules:

Allow-HTTP-Inbound-Internet

This rule is needed to allow traffic from the internet to the web servers. Because inbound traffic from the internet is denied by the DenyAllInbound default security rule, no additional rule is needed for the AsgLogic or AsgDb application security groups.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 100 | Internet | * | AsgWeb | 80 | TCP | Allow |

Deny-Database-All

Because the AllowVNetInBound default security rule allows all communication between resources in the same virtual network, this rule is needed to deny traffic from all resources.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 120 | * | * | AsgDb | 1433 | Any | Deny |

Allow-Database-BusinessLogic

This rule allows traffic from the AsgLogic application security group to the AsgDb application security group. The priority for this rule is higher than the priority for the Deny-Database-All rule. As a result, this rule is processed before the Deny-Database-All rule, so traffic from the AsgLogic application security group is allowed, whereas all other traffic is blocked.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 110 | AsgLogic | * | AsgDb | 1433 | TCP | Allow |

The rules that specify an application security group as the source or destination are applied only to the network interfaces that are members of the application security group. If the network interface is not a member of an application security group, the rule is not applied to the network interface, even though the network security group is associated to the subnet.

Application security groups have the following constraints:

  • There are limits to the number of application security groups you can have in a subscription, as well as other limits related to application security groups. For details, see Azure limits.
  • You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
  • All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to AsgWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
  • If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.

Tip

To minimize the number of security rules you need, and the need to change the rules, plan out the application security groups you need and create rules using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses, whenever possible.

如何评估流量How traffic is evaluated

可以将资源从多个 Azure 服务部署到一个 Azure 虚拟网络中。You can deploy resources from several Azure services into an Azure virtual network. 如需完整列表,请参阅可部署到虚拟网络中的服务For a complete list, see Services that can be deployed into a virtual network. 可将零个或一个网络安全组与虚拟机中的每个虚拟网络子网网络接口相关联。You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. 可将同一网络安全组关联到选定的任意数量的子网和网络接口。The same network security group can be associated to as many subnets and network interfaces as you choose.

下图描述了如何使用不同的方案来部署网络安全组,以便网络流量通过 TCP 端口 80 出入 Internet:The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

NSG 处理

请参阅上图和以下文本,了解 Azure 如何处理网络安全组的入站和出站规则:Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

入站流量Inbound traffic

对于入站流量,Azure 先处理与某个子网相关联的网络安全组(如果有)中的规则,然后处理与网络接口相关联的网络安全组(如果有)中的规则。For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
  • VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or to the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either one or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.
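The inbound and outbound evaluation order above, together with priority-ordered first-match processing and the default rules, can be modelled in a few dozen lines. The following is an added example, not Azure's code or anything from this documentation: it reproduces the VM1 to VM4 topology from the picture (NSG1 on Subnet1, NSG2 on the network interfaces of VM1 and VM3) and returns a trace showing which NSG and which rule decided a flow. The simplified rule model (one port, one peer tag per rule) and the helper names are assumptions of the example; the default rule names and their priorities (65000 to 65500) follow Azure's documented defaults.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One NSG security rule (simplified: a single port and a single peer tag)."""
    name: str
    priority: int   # lower number = processed first (user rules: 100-4096)
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    port: str       # destination port or "*"
    peer: str       # source tag (inbound) / destination tag (outbound), or "*"

    def matches(self, protocol: str, port: int, peer: str) -> bool:
        return (self.protocol in ("*", protocol)
                and self.port in ("*", str(port))
                and self.peer in ("*", peer))


# Azure's default rules sit at priorities 65000-65500, so any user rule wins.
DEFAULT_RULES: List[Rule] = [
    Rule("AllowVnetInbound", 65000, "Inbound", "Allow", "*", "*", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInbound", 65001, "Inbound", "Allow", "*", "*", "AzureLoadBalancer"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutbound", 65000, "Outbound", "Allow", "*", "*", "VirtualNetwork"),
    Rule("AllowInternetOutbound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutbound", 65500, "Outbound", "Deny", "*", "*", "*"),
]


@dataclass
class Nsg:
    name: str
    rules: List[Rule]

    def first_match(self, direction: str, protocol: str, port: int, peer: str) -> Rule:
        # Rules are processed in priority order; evaluation stops at the first match.
        for rule in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if rule.direction == direction and rule.matches(protocol, port, peer):
                return rule
        raise AssertionError("unreachable: a DenyAll default rule always matches")


def evaluate(direction: str, subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg],
             protocol: str, port: int, peer: str) -> Tuple[bool, List[str]]:
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.

    A missing NSG passes traffic unfiltered; a Deny in the first NSG ends
    processing, so the second NSG is never evaluated (the VM1 cases above).
    """
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        order.reverse()
    trace: List[str] = []
    for scope, nsg in order:
        if nsg is None:
            trace.append(f"{scope}: no NSG associated, traffic passes")
            continue
        rule = nsg.first_match(direction, protocol, port, peer)
        trace.append(f"{scope}: {nsg.name} {rule.name} -> {rule.access}")
        if rule.access == "Deny":
            return False, trace
    return True, trace


def topology(nsg1_rules: Iterable[Rule] = (), nsg2_rules: Iterable[Rule] = ()
             ) -> Dict[str, Tuple[Optional[Nsg], Optional[Nsg]]]:
    """The page's scenario: NSG1 on Subnet1; NSG2 on the NICs of VM1 and VM3 (constructed)."""
    nsg1 = Nsg("NSG1", list(nsg1_rules))
    nsg2 = Nsg("NSG2", list(nsg2_rules))
    return {
        "VM1": (nsg1, nsg2),   # Subnet1, NIC carries NSG2
        "VM2": (nsg1, None),   # Subnet1, no NIC NSG
        "VM3": (None, nsg2),   # Subnet2 has no NSG, NIC carries NSG2
        "VM4": (None, None),   # Subnet3, no NSG anywhere
    }


# Sample user rules (constructed) used in the scenarios.
ALLOW_HTTP_IN = Rule("AllowHttpIn", 100, "Inbound", "Allow", "Tcp", "80", "Internet")
DENY_HTTP_OUT = Rule("DenyHttpOut", 100, "Outbound", "Deny", "Tcp", "80", "Internet")

if __name__ == "__main__":
    for name, (subnet_nsg, nic_nsg) in topology(nsg1_rules=[ALLOW_HTTP_IN]).items():
        allowed, trace = evaluate("Inbound", subnet_nsg, nic_nsg, "Tcp", 80, "Internet")
        print(f"{name} inbound TCP/80 from Internet: {'ALLOW' if allowed else 'DENY'} {trace}")
```

Running the script with only NSG1 allowing port 80 shows why the text says both NSGs need a rule for VM1: NSG1 lets the flow through, but NSG2's DenyAllInbound default then stops it, while VM2 (no NIC NSG) is reachable with the same NSG1 rule. The trace is the same information the effective security rules view and IP flow verify give you for a real network interface.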

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for that network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets, or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or to a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Azure and are the only virtualized IP addresses used in all regions for this purpose.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using a default route 0.0.0.0/0 configuration, this platform rule is disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are those of the originating computer, not the load balancer. The destination port and address range are those of the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets, are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service doesn't function properly.

  • Sending outbound email: Azure recommends that you use authenticated SMTP relay services (typically reached over TCP port 587, though other ports are often used as well) to send email from Azure Virtual Machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.

    • Standard Pay-in-Advance Offer: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at 21Vianet's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers, instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.

    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.

    • Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider, and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    Even if Azure allows you to send email over port 25, Azure cannot guarantee that email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps