Network security groups

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. This article describes the properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify to create an augmented security rule.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

| Property | Explanation |
| --- | --- |
| Name | A unique name within the network security group. |
| Priority | A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed. |
| Source or destination | Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Learn more about Azure IP addresses. Specifying a range, a service tag, or an application security group enables you to create fewer security rules. The ability to specify multiple individual IP addresses and ranges (you cannot specify multiple service tags or application security groups) in a rule is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model. Learn more about Azure deployment models. |
| Protocol | TCP, UDP, ICMP, or Any. |
| Direction | Whether the rule applies to inbound or outbound traffic. |
| Port range | You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model. |
| Action | Allow or deny. |

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true: if inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

AllowVNetInBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |

AllowAzureLoadBalancerInBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |

DenyAllInbound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

AllowVnetOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |

AllowInternetOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |

DenyAllOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
| --- | --- | --- | --- | --- | --- | --- |
| 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. In the Protocol column, Any encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP, or Any. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients like the Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

You cannot remove the default rules, but you can override them by creating rules with higher priorities.
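The following Python script is an added example, not Microsoft's code and not Azure's actual implementation. It models the evaluation described in the Security rules section and the default rules above: rules are checked in ascending priority order against the 5-tuple, the first match decides, the six default rules sit behind anything you add (so a rule at priority 100 overrides DenyAllInbound at 65500), and a flow record lets the reply to an allowed flow pass without a rule in the reverse direction. The service-tag prefixes, the sample rules and flows, and the `StatefulNsg` wrapper are constructed for this example; real service tags resolve to many prefixes that Azure maintains, and Internet is simplified here to all addresses.

```python
"""Added example: a toy model of NSG rule evaluation (not Azure's implementation).
Rules are evaluated in ascending priority order against the 5-tuple; the first
match decides; the default rules always sit behind user rules. Service tag
prefixes and all sample flows are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed toy service-tag contents. Real tags resolve to many prefixes that
# Azure maintains; "Internet" is simplified here to "all addresses".
SERVICE_TAGS = {
    "VirtualNetwork": [ip_network("10.0.0.0/16")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "Internet": [ip_network("0.0.0.0/0")],
}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # 100-4096 for your rules; 65000-65500 for defaults
    direction: str          # "Inbound" or "Outbound"
    source: str             # "*", a CIDR block, or a service tag
    source_ports: str       # "*", "80", or a range such as "10000-10005"
    destination: str
    destination_ports: str
    protocol: str           # "Tcp", "Udp", "Icmp", or "*" (Any)
    access: str             # "Allow" or "Deny"

def _addr_match(spec, addr):
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return any(ip_address(addr) in net for net in SERVICE_TAGS[spec])
    return ip_address(addr) in ip_network(spec, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, flow):
    src, sport, dst, dport, proto = flow
    return (_addr_match(rule.source, src) and _port_match(rule.source_ports, sport)
            and _addr_match(rule.destination, dst) and _port_match(rule.destination_ports, dport)
            and rule.protocol in ("*", proto))

def evaluate(rules, direction, flow):
    """First matching rule in ascending priority wins; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "(no rule)"   # not reachable while the default rules are present

# The six default rules from the tables above, expressed in this model.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "VirtualNetwork", "0-65535", "VirtualNetwork", "0-65535", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "0-65535", "0.0.0.0/0", "0-65535", "*", "Allow"),
    Rule("DenyAllInbound", 65500, "Inbound", "0.0.0.0/0", "0-65535", "0.0.0.0/0", "0-65535", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "0-65535", "VirtualNetwork", "0-65535", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "0.0.0.0/0", "0-65535", "Internet", "0-65535", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "0.0.0.0/0", "0-65535", "0.0.0.0/0", "0-65535", "*", "Deny"),
]

class StatefulNsg:
    """Flow records make the NSG stateful: the reply to an allowed flow is passed
    even when no rule in the reverse direction would allow it (toy model)."""
    def __init__(self, user_rules):
        self.rules = list(user_rules) + DEFAULT_RULES
        self.flows = set()

    def check(self, direction, flow):
        src, sport, dst, dport, proto = flow
        if (dst, dport, src, sport, proto) in self.flows:
            return "Allow", "(existing flow)"
        access, name = evaluate(self.rules, direction, flow)
        if access == "Allow":
            self.flows.add(flow)
        return access, name

def demo():
    """Constructed rules and flows: the rule at 200 is shadowed by the one at 100."""
    nsg = StatefulNsg([
        Rule("AllowHttpIn", 100, "Inbound", "*", "*", "*", "80", "Tcp", "Allow"),
        Rule("DenyHttpIn_shadowed", 200, "Inbound", "*", "*", "*", "80", "Tcp", "Deny"),
    ])
    vm = "10.0.1.4"   # constructed private IP of the VM behind this NSG
    results = {
        "http_from_internet": nsg.check("Inbound", ("203.0.113.7", 51000, vm, 80, "Tcp")),
        "ssh_from_internet": nsg.check("Inbound", ("203.0.113.7", 51001, vm, 22, "Tcp")),
        "ssh_from_vnet": nsg.check("Inbound", ("10.0.2.5", 40000, vm, 22, "Tcp")),
        "https_to_internet": nsg.check("Outbound", (vm, 40001, "198.51.100.9", 443, "Tcp")),
    }
    # The reply to the allowed outbound flow needs no inbound rule of its own.
    results["reply_to_https"] = nsg.check("Inbound", ("198.51.100.9", 443, vm, 40001, "Tcp"))
    return results
```

Calling `demo()` shows the three behaviours the text describes: the deny rule at priority 200 is never reached because the allow rule at 100 matches the same traffic first; SSH from the internet falls through to DenyAllInbound while SSH from inside the VNet is admitted by AllowVNetInBound; and the reply to the allowed outbound HTTPS flow is passed by the flow record rather than by any inbound rule.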

Augmented security rules

Augmented security rules simplify security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.

Service tags

A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates to network security rules.

For more information, see Azure service tags. For an example of how to use the Storage service tag to restrict network access, see Restrict network access to PaaS resources.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. To learn more, see Application security groups.

How traffic is evaluated

You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero or one network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

(Figure: NSG processing)

Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

Inbound traffic

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
  • VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3 or to the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutBound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied and never evaluated by NSG1. To deny port 80 from the virtual machine, either or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.

Intra-subnet traffic

It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. For example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.
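As an added example that is not part of the original article, the following Python model applies the evaluation order from the inbound, outbound and intra-subnet sections to the layout in the picture: NSG1 on Subnet1, NSG2 on the network interfaces of VM1 and VM3, and nothing on Subnet2, Subnet3 or the network interfaces of VM2 and VM4. Rules are simplified to a priority, a direction, the remote endpoint's service tag and a port, with the default rules reduced to the same shape; the specific rule contents, the hop names and the port-22 intra-subnet flow are constructed for this example, and `evaluate_path` is not an Azure API.

```python
"""Added example (not Microsoft's code): evaluation order across a subnet NSG
and a NIC NSG, reproducing the VM1..VM4 scenarios from the text.
A rule is (priority, direction, peer, port, access), where peer is the remote
endpoint's service tag: the source for inbound, the destination for outbound."""

ALLOW, DENY = "Allow", "Deny"

# The default rules, reduced to this example's (priority, direction, peer, port, access) shape.
DEFAULT_RULES = [
    (65000, "Inbound", "VirtualNetwork", "*", ALLOW),   # AllowVNetInBound
    (65500, "Inbound", "*", "*", DENY),                 # DenyAllInbound
    (65000, "Outbound", "VirtualNetwork", "*", ALLOW),  # AllowVnetOutBound
    (65001, "Outbound", "Internet", "*", ALLOW),        # AllowInternetOutBound
    (65500, "Outbound", "*", "*", DENY),                # DenyAllOutBound
]

def nsg_decision(user_rules, direction, peer, port):
    """One NSG: first match in ascending priority order; defaults sit behind user rules."""
    for prio, d, p, prt, access in sorted(list(user_rules) + DEFAULT_RULES, key=lambda r: r[0]):
        if d == direction and p in ("*", peer) and prt in ("*", port):
            return access
    return DENY   # unreachable: the DenyAll defaults always match

def evaluate_path(subnet_nsg, nic_nsg, direction, peer, port):
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet.
    None means no NSG is associated at that hop, which passes everything.
    Returns (access, hop that denied or None)."""
    hops = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        hops.reverse()
    for hop, rules in hops:
        if rules is not None and nsg_decision(rules, direction, peer, port) == DENY:
            return DENY, hop
    return ALLOW, None

def intra_subnet(subnet_nsg, sender_nic_nsg, receiver_nic_nsg=None, port=22):
    """VM-to-VM traffic inside one subnet: the sender's outbound path, then the
    receiver's inbound path, both through the same subnet NSG with peer VirtualNetwork."""
    out = evaluate_path(subnet_nsg, sender_nic_nsg, "Outbound", "VirtualNetwork", port)
    if out[0] == DENY:
        return out
    return evaluate_path(subnet_nsg, receiver_nic_nsg, "Inbound", "VirtualNetwork", port)

def scenarios():
    """The four VMs from the picture, with constructed rule sets for NSG1 and NSG2."""
    nsg1_empty, nsg2_empty = [], []                       # default rules only
    nsg1_allow80 = [(100, "Inbound", "Internet", 80, ALLOW)]
    nsg2_allow80 = [(100, "Inbound", "Internet", 80, ALLOW)]
    nsg2_deny80 = [(100, "Outbound", "Internet", 80, DENY)]
    nsg1_deny_all = [(100, "Inbound", "*", "*", DENY), (100, "Outbound", "*", "*", DENY)]

    def inbound(subnet, nic):
        return evaluate_path(subnet, nic, "Inbound", "Internet", 80)

    def outbound(subnet, nic):
        return evaluate_path(subnet, nic, "Outbound", "Internet", 80)

    return {
        # Inbound TCP 80 from the internet
        "vm1_in_defaults": inbound(nsg1_empty, nsg2_empty),       # denied at the subnet NSG
        "vm1_in_nsg1_only": inbound(nsg1_allow80, nsg2_empty),    # passes NSG1, denied by NSG2
        "vm1_in_both": inbound(nsg1_allow80, nsg2_allow80),       # both allow
        "vm2_in_nsg1_allows": inbound(nsg1_allow80, None),        # no NIC NSG on VM2
        "vm3_in_nsg2_allows": inbound(None, nsg2_allow80),        # no subnet NSG on Subnet2
        "vm4_in": inbound(None, None),                            # nothing associated
        # Outbound TCP 80 to the internet
        "vm1_out_defaults": outbound(nsg1_empty, nsg2_empty),     # AllowInternetOutBound twice
        "vm1_out_nsg2_denies": outbound(nsg1_empty, nsg2_deny80), # denied at the NIC, NSG1 never consulted
        "vm2_out": outbound(nsg1_empty, None),
        "vm3_out_nsg2_denies": outbound(None, nsg2_deny80),
        "vm4_out": outbound(None, None),
        # VM1 -> VM2 inside Subnet1 behind NSG1
        "vm1_to_vm2_defaults": intra_subnet(nsg1_empty, nsg2_empty),
        "vm1_to_vm2_nsg1_deny_all": intra_subnet(nsg1_deny_all, nsg2_empty),
    }
```

The returned tuple names the hop that denied the traffic, which mirrors what IP flow verify reports: for VM1 with only NSG1 opened, the denial comes from the NIC hop, and adding a deny-all rule to NSG1 stops VM1 reaching VM2 at the subnet hop on the sender's outbound path, before VM2's inbound path is even evaluated.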

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for the network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets, or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Azure and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes will not include these platform rules. To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your network security group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. Learn how to diagnose network traffic filtering and diagnose network routing.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using the default route 0.0.0.0/0 configuration, this platform rule will be disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets, are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service doesn't function properly.

  • Sending outbound email: Azure recommends that you use authenticated SMTP relay services (typically connected via TCP port 587, but often others as well) to send email from Azure virtual machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.

    • Standard Pay-in-Advance Offer: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at Azure's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.

    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.

    • Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider, and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    Even if Azure allows you to send email over port 25, Azure cannot guarantee that email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps