Virtual network service tags

A service tag represents a group of IP address prefixes from a given Azure service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules.

You can use service tags to define network access controls on network security groups or Azure Firewall. Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name, such as ApiManagement, in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service.

You can use service tags to achieve network isolation and protect your Azure resources from the general Internet while still reaching Azure services that have public endpoints. Create inbound/outbound network security group rules that deny traffic to/from Internet and allow traffic to/from AzureCloud or the other available service tags of the specific Azure services you need.
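The isolation pattern above depends on rule priority: the Internet tag also covers Azure-owned public ranges, so the Allow for a service tag must sit at a lower priority number than the Deny for Internet. The following is an added example (not code from the Azure documentation) that models NSG rule evaluation with constructed, made-up prefixes per tag; only the default rule names and priorities are Azure's documented values.

```python
import ipaddress
from collections import namedtuple

# Constructed prefix sets standing in for the ranges Azure publishes per tag
# (made-up values; only their nesting matters here). The Internet tag is handled
# in matches(): it is everything outside the VNet, Azure-owned space included.
TAG_PREFIXES = {
    "VirtualNetwork": ["10.1.0.0/16"],
    "AzureCloud": ["40.72.0.0/14", "52.130.0.0/16"],
    "Storage.ChinaNorth": ["40.72.0.0/16"],
}
Rule = namedtuple("Rule", "name priority direction access destination")

# Azure's default outbound NSG rules, at their documented priorities.
DEFAULTS = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "0.0.0.0/0"),
]

def matches(destination, ip):
    """True if ip is covered by the rule's service tag or literal CIDR."""
    if destination == "Internet":
        return not matches("VirtualNetwork", ip)
    addr = ipaddress.ip_address(ip)
    prefixes = TAG_PREFIXES.get(destination, [destination])
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def evaluate(custom_rules, ip, direction="Outbound"):
    """Lowest priority number wins: the first matching rule decides."""
    for rule in sorted(custom_rules + DEFAULTS, key=lambda r: r.priority):
        if rule.direction == direction and matches(rule.destination, ip):
            return rule.access
    return "Deny"

# The isolation pattern from the text: allow one service tag, deny Internet.
ISOLATED = [
    Rule("allow-storage", 100, "Outbound", "Allow", "Storage.ChinaNorth"),
    Rule("deny-internet", 200, "Outbound", "Deny", "Internet"),
]
# Same rules with priorities swapped: the Deny now shadows the Allow, because
# the storage prefixes are also inside the Internet tag.
SHADOWED = [
    Rule("deny-internet", 100, "Outbound", "Deny", "Internet"),
    Rule("allow-storage", 200, "Outbound", "Allow", "Storage.ChinaNorth"),
]
```

With no custom rules at all, the default AllowInternetOutBound rule still permits outbound traffic to the public Internet, which is why the explicit Deny is needed.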

Available service tags

The following table includes all the service tags available for use in network security group rules.

The columns indicate whether the tag:

  • Is suitable for rules that cover inbound or outbound traffic.
  • Supports regional scope.
  • Is usable in Azure Firewall rules.

By default, service tags reflect the ranges for the entire cloud. Some service tags also allow more granular control by restricting the corresponding IP ranges to a specified region. For example, the service tag Storage represents Azure Storage for the entire cloud, but Storage.ChinaNorth narrows the range to only the storage IP address ranges from the ChinaNorth region. The following table indicates whether each service tag supports such regional scope.

Tag | Purpose | Can use inbound or outbound? | Can be regional? | Can use with Azure Firewall?
ActionGroup | Action Group. | Inbound | No | No
ApiManagement | Management traffic for Azure API Management-dedicated deployments. Note: This tag represents the Azure API Management service endpoint for the control plane per region. This enables customers to perform management operations on the APIs, Operations, Policies, and NamedValues configured on the API Management service. | Inbound | Yes | Yes
ApplicationInsightsAvailability | Application Insights Availability. | Inbound | No | No
AppConfiguration | App Configuration. | Outbound | No | No
AppService | Azure App Service. This tag is recommended for outbound security rules to web apps and Function apps. | Outbound | Yes | Yes
AppServiceManagement | Management traffic for deployments dedicated to App Service Environment. | Both | No | Yes
AzureActiveDirectory | Azure Active Directory. | Outbound | No | Yes
AzureActiveDirectoryDomainServices | Management traffic for deployments dedicated to Azure Active Directory Domain Services. | Both | No | Yes
AzureBackup | Azure Backup. Note: This tag has a dependency on the Storage and AzureActiveDirectory tags. | Outbound | No | Yes
AzureBotService | Azure Bot Service. | Outbound | No | No
AzureCloud | All datacenter public IP addresses. | Outbound | Yes | Yes
AzureCognitiveSearch | Azure Cognitive Search. This tag or the IP addresses covered by this tag can be used to grant indexers secure access to data sources. Refer to the indexer connection documentation for more details. Note: The IP of the search service is not included in the list of IP ranges for this service tag and also needs to be added to the IP firewall of data sources. | Inbound | No | No
AzureConnectors | Azure Logic Apps connectors for probe/back-end connections. | Inbound | Yes | Yes
AzureContainerRegistry | Azure Container Registry. | Outbound | Yes | Yes
AzureCosmosDB | Azure Cosmos DB. | Outbound | Yes | Yes
AzureDatabricks | Azure Databricks. | Both | No | No
AzureDataExplorerManagement | Azure Data Explorer Management. | Inbound | No | No
AzureEventGrid | Azure Event Grid. | Both | No | No
AzureIoTHub | Azure IoT Hub. | Outbound | No | No
AzureKeyVault | Azure Key Vault. Note: This tag has a dependency on the AzureActiveDirectory tag. | Outbound | Yes | Yes
AzureLoadBalancer | The Azure infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) where the Azure health probes originate. This only includes probe traffic, not real traffic to your backend resource. If you're not using Azure Load Balancer, you can override this rule. | Both | No | No
AzureMachineLearning | Azure Machine Learning. | Both | No | Yes
AzureMonitor | Log Analytics, Application Insights, AzMon, and custom metrics (GiG endpoints). Note: For Log Analytics, this tag has a dependency on the Storage tag. | Outbound | No | Yes
AzurePlatformDNS | The basic infrastructure (default) DNS service. You can use this tag to disable the default DNS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | Outbound | No | No
AzurePlatformIMDS | Azure Instance Metadata Service (IMDS), which is a basic infrastructure service. You can use this tag to disable the default IMDS. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | Outbound | No | No
AzurePlatformLKM | Windows licensing or key management service. You can use this tag to disable the defaults for licensing. Be cautious when you use this tag. We recommend that you read Azure platform considerations. We also recommend that you perform testing before you use this tag. | Outbound | No | No
AzureResourceManager | Azure Resource Manager. | Outbound | No | No
AzureSignalR | Azure SignalR. | Outbound | No | No
AzureSiteRecovery | Azure Site Recovery. Note: This tag has a dependency on the AzureActiveDirectory, AzureKeyVault, EventHub, GuestAndHybridManagement and Storage tags. | Outbound | No | No
AzureTrafficManager | Azure Traffic Manager probe IP addresses. For more information on Traffic Manager probe IP addresses, see the Azure Traffic Manager FAQ. | Inbound | No | Yes
BatchNodeManagement | Management traffic for deployments dedicated to Azure Batch. | Both | No | Yes
CognitiveServicesManagement | The address ranges for traffic for Azure Cognitive Services. | Both | No | No
DataFactory | Azure Data Factory. | Both | No | No
DataFactoryManagement | Management traffic for Azure Data Factory. | Outbound | No | No
Dynamics365ForMarketingEmail | The address ranges for the marketing email service of Dynamics 365. | Outbound | Yes | No
EventHub | Azure Event Hubs. | Outbound | Yes | Yes
GatewayManager | Management traffic for deployments dedicated to Azure VPN Gateway and Application Gateway. | Inbound | No | No
GuestAndHybridManagement | Azure Automation and Guest Configuration. | Outbound | No | Yes
HDInsight | Azure HDInsight. | Inbound | Yes | No
Internet | The IP address space that's outside the virtual network and reachable by the public internet. The address range includes the Azure-owned public IP address space. | Both | No | No
LogicApps | Logic Apps. | Both | No | No
LogicAppsManagement | Management traffic for Logic Apps. | Inbound | No | No
MicrosoftCloudAppSecurity | Azure Cloud App Security. | Outbound | No | No
MicrosoftContainerRegistry | Container registry for Azure container images. Note: This tag has a dependency on the AzureFrontDoor.FirstParty tag. | Outbound | Yes | Yes
PowerQueryOnline | Power Query Online. | Both | No | No
ServiceBus | Azure Service Bus traffic that uses the Premium service tier. | Outbound | Yes | Yes
ServiceFabric | Azure Service Fabric. Note: This tag represents the Service Fabric service endpoint for the control plane per region. This enables customers to perform management operations for their Service Fabric clusters from their VNET (endpoint e.g. https://chinanorth.servicefabric.azure.com). | Both | No | No
Sql | Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure Synapse Analytics. Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server. This tag does not apply to SQL managed instance. | Outbound | Yes | Yes
SqlManagement | Management traffic for SQL-dedicated deployments. | Both | No | Yes
Storage | Azure Storage. Note: This tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account. | Outbound | Yes | Yes
VirtualNetwork | The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes. | Both | No | No

Note

In the classic deployment model (before Azure Resource Manager), a subset of the tags listed in the previous table is supported. These tags are spelled differently:

Classic spelling | Equivalent Resource Manager tag
AZURE_LOADBALANCER | AzureLoadBalancer
INTERNET | Internet
VIRTUAL_NETWORK | VirtualNetwork

Note

Service tags of Azure services denote the address prefixes from the specific cloud being used. For example, the underlying IP ranges that correspond to the Sql tag value on the Azure Public cloud will be different from the underlying ranges on the Azure China cloud.

Note

If you implement a virtual network service endpoint for a service, such as Azure Storage or Azure SQL Database, Azure adds a route to the virtual network subnet for the service. The address prefixes in the route are the same address prefixes, or CIDR ranges, as those of the corresponding service tag.

Service tags on-premises

You can obtain the current service tag and range information to include as part of your on-premises firewall configurations. This information is the current point-in-time list of the IP ranges that correspond to each service tag. You can obtain the information programmatically or via a JSON file download, as described in the following sections.

Use the Service Tag Discovery API (public preview)

You can programmatically retrieve the current list of service tags together with IP address range details:

Note

While it's in public preview, the Discovery API might return information that's less current than the information returned by the JSON downloads. (See the next section.)

Discover service tags by using downloadable JSON files

You can download JSON files that contain the current list of service tags together with IP address range details. These lists are updated and published weekly. Locations for each cloud are:

The IP address ranges in these files are in CIDR notation.

Note

A subset of this information has been published in XML files for Azure Public, Azure China and Azure Germany. These XML downloads will be deprecated by June 30, 2020 and will no longer be available after that date. You should migrate to using the Discovery API or JSON file downloads as described in the previous sections.

Tips

  • You can detect updates from one publication to the next by noting increased changeNumber values in the JSON file. Each subsection (for example, Storage.ChinaNorth) has its own changeNumber that's incremented as changes occur. The file's top-level changeNumber is incremented when any of the subsections is changed.
  • For examples of how to parse the service tag information (for example, get all address ranges for Storage in ChinaNorth), see the Service Tag Discovery API PowerShell documentation.
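Both tips above, worked through as an added example (not from the Azure documentation or its PowerShell samples): it reads two constructed excerpts in the shape of the weekly JSON download (top-level changeNumber, then one entry per tag with its own changeNumber and addressPrefixes), pulls the ranges for Storage.ChinaNorth, and reports only the tags whose changeNumber rose so an on-premises firewall object is updated only when its tag actually changed. The prefixes and change numbers are made up.

```python
import json

# Constructed excerpts (made-up prefixes and change numbers) in the layout of
# the published ServiceTags JSON: "values" holds one entry per tag or tag.region.
OLD_DOC = json.loads("""{
  "changeNumber": 90, "cloud": "AzureChinaCloud",
  "values": [
    {"name": "Storage.ChinaNorth", "id": "Storage.ChinaNorth",
     "properties": {"changeNumber": 12, "region": "chinanorth",
                    "addressPrefixes": ["40.72.0.0/16", "42.159.0.0/17"]}},
    {"name": "Sql.ChinaNorth", "id": "Sql.ChinaNorth",
     "properties": {"changeNumber": 5, "region": "chinanorth",
                    "addressPrefixes": ["40.73.0.0/18"]}}
  ]}""")
NEW_DOC = json.loads("""{
  "changeNumber": 91, "cloud": "AzureChinaCloud",
  "values": [
    {"name": "Storage.ChinaNorth", "id": "Storage.ChinaNorth",
     "properties": {"changeNumber": 13, "region": "chinanorth",
                    "addressPrefixes": ["40.72.0.0/16", "42.159.0.0/17", "52.130.0.0/19"]}},
    {"name": "Sql.ChinaNorth", "id": "Sql.ChinaNorth",
     "properties": {"changeNumber": 5, "region": "chinanorth",
                    "addressPrefixes": ["40.73.0.0/18"]}}
  ]}""")

def prefixes_for(doc, tag):
    """Return the CIDR list published for one tag, e.g. Storage.ChinaNorth."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            return list(entry["properties"]["addressPrefixes"])
    raise KeyError(tag)

def changed_tags(old, new):
    """Map each tag whose per-tag changeNumber rose between two publications to
    the prefixes added and removed; empty when the top-level number did not rise."""
    if new["changeNumber"] <= old["changeNumber"]:
        return {}
    old_by_name = {e["name"]: e for e in old["values"]}
    diff = {}
    for entry in new["values"]:
        prev = old_by_name.get(entry["name"])
        if prev and prev["properties"]["changeNumber"] >= entry["properties"]["changeNumber"]:
            continue  # this subsection did not change; skip the firewall update
        before = set(prev["properties"]["addressPrefixes"]) if prev else set()
        after = set(entry["properties"]["addressPrefixes"])
        diff[entry["name"]] = {"added": sorted(after - before), "removed": sorted(before - after)}
    return diff
```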

Next steps