Tutorial: Filter network traffic with a network security group using the Azure portal

You can use a network security group to filter network traffic inbound to and outbound from a virtual network subnet.

Network security groups contain security rules that filter network traffic by IP address, port, and protocol. Security rules are applied to resources deployed in a subnet.

In this tutorial, you learn how to:

  • Create a network security group and security rules
  • Create a virtual network and associate a network security group to a subnet
  • Deploy virtual machines (VMs) into a subnet
  • Test traffic filters

If you don't have an Azure subscription, create a trial subscription before you begin.

Prerequisites

  • An Azure subscription.

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.cn.

Create a virtual network

  1. Select Create a resource in the upper left-hand corner of the portal.

  2. In the search box, enter Virtual Network. Select Virtual Network in the search results.

  3. In the Virtual Network page, select Create.

  4. In Create virtual network, enter or select this information in the Basics tab:

    Project details
      Subscription: Select your subscription.
      Resource group: Select Create new. Enter myResourceGroup. Select OK.
    Instance details
      Name: Enter myVNet.
      Region: Select China East.

  5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  6. Select Create.

Create application security groups

An application security group enables you to group together servers with similar functions, such as web servers.

  1. Select Create a resource in the upper left-hand corner of the portal.

  2. In the search box, enter Application security group. Select Application security group in the search results.

  3. In the Application security group page, select Create.

  4. In Create an application security group, enter or select this information in the Basics tab:

    Project details
      Subscription: Select your subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Name: Enter myAsgWebServers.
      Region: Select China East.

  5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  6. Select Create.

  7. Repeat step 4, specifying the following values:

    Project details
      Subscription: Select your subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Name: Enter myAsgMgmtServers.
      Region: Select China East.

  8. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  9. Select Create.

Create a network security group

A network security group secures network traffic in your virtual network.

  1. Select Create a resource in the upper left-hand corner of the portal.

  2. In the search box, enter Network security group. Select Network security group in the search results.

  3. In the Network security group page, select Create.

  4. In Create network security group, enter or select this information in the Basics tab:

    Project details
      Subscription: Select your subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Name: Enter myNSG.
      Location: Select China East.

  5. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  6. Select Create.

Associate network security group to subnet

In this section, we'll associate the network security group with the subnet of the virtual network we created earlier.

  1. In the Search resources, services, and docs box at the top of the portal, begin typing myNSG. When myNSG appears in the search results, select it.

  2. In the overview page of myNSG, select Subnets in Settings.

  3. In the Settings page, select Associate:

    (Screenshot: Associate NSG to subnet.)

  4. Under Associate subnet, select Virtual network and then select myVNet.

  5. Select Subnet, select default, and then select OK.

Create security rules

  1. In Settings of myNSG, select Inbound security rules.

  2. In Inbound security rules, select + Add:

    (Screenshot: Add inbound security rule.)

  3. Create a security rule that allows ports 80 and 443 to the myAsgWebServers application security group. In Add inbound security rule, enter or select the following information:

    Source: Leave the default of Any.
    Source port ranges: Leave the default of (*).
    Destination: Select Application security group.
    Destination application security group: Select myAsgWebServers.
    Destination port ranges: Enter 80,443.
    Protocol: Select TCP.
    Action: Leave the default of Allow.
    Priority: Leave the default of 100.
    Name: Enter Allow-Web-All.

    (Screenshot: Inbound security rule.)

  4. Complete step 2 again, using the following values:

    Source: Leave the default of Any.
    Source port ranges: Leave the default of (*).
    Destination: Select Application security group.
    Destination application security group: Select myAsgMgmtServers.
    Destination port ranges: Enter 3389.
    Protocol: Select TCP.
    Action: Leave the default of Allow.
    Priority: Leave the default of 110.
    Name: Enter Allow-RDP-All.

    Note

    In this article, RDP (port 3389) is exposed to the internet for the VM that is assigned to the myAsgMgmtServers application security group.

    For production environments, instead of exposing port 3389 to the internet, it's recommended that you connect to the Azure resources you want to manage using a VPN, a private network connection, or Azure Bastion.

    For more information on Azure Bastion, see What is Azure Bastion?

Once you've completed steps 1-3, review the rules you created. Your list should look like the list in the following example:

(Screenshot: Security rules.)

Create virtual machines

Create two VMs in the virtual network.

Create the first VM

  1. Select Create a resource in the upper left-hand corner of the portal.

  2. In the New page, type Windows Server 2019 Datacenter in the search filter, select the Windows Server 2019 Datacenter item in the search results, and then select Create.

  3. In Create a virtual machine, enter or select this information in the Basics tab:

    Project details
      Subscription: Select your subscription.
      Resource group: Select myResourceGroup.
    Instance details
      Virtual machine name: Enter myVMWeb.
      Region: Select China East.
      Availability options: Leave the default of no redundancy required.
      Image: Select Windows Server 2019 Datacenter - Gen1.
      Size: Select Standard_D2s_V3.
    Administrator account
      Username: Enter a username.
      Password: Enter a password.
      Confirm password: Reenter the password.
    Inbound port rules
      Public inbound ports: Select None.

  4. Select the Networking tab.

  5. In the Networking tab, enter or select the following information:

    Network interface
      Virtual network: Select myVNet.
      Subnet: Select default (10.0.0.0/24).
      Public IP: Leave the default of a new public IP.
      NIC network security group: Select None.

  6. Select the Review + create tab, or select the blue Review + create button at the bottom of the page.

  7. Select Create.

Create the second VM

Complete steps 1-7 again, but in step 3, name the VM myVMMgmt. The VM takes a few minutes to deploy.

Don't continue to the next step until the VM is deployed.

Associate network interfaces to an ASG

When the portal created the VMs, it created a network interface for each VM and attached the network interface to the VM.

Add the network interface for each VM to one of the application security groups you created previously:

  1. In the Search resources, services, and docs box at the top of the portal, begin typing myVMWeb. When the myVMWeb virtual machine appears in the search results, select it.

  2. In Settings, select Networking.

  3. Select the Application security groups tab, then select Configure the application security groups.

    (Screenshot: Configure the application security groups.)

  4. In Configure the application security groups, select myAsgWebServers. Select Save.

    (Screenshot: Select application security groups.)

  5. Complete steps 1 and 2 again, searching for the myVMMgmt virtual machine and selecting the myAsgMgmtServers ASG.

Test traffic filters

  1. Connect to the myVMMgmt VM. Enter myVMMgmt in the search box at the top of the portal. When myVMMgmt appears in the search results, select it. Select the Connect button.

  2. Select Download RDP file.

  3. Open the downloaded rdp file and select Connect. Enter the user name and password you specified when creating the VM.

  4. Select OK.

  5. You may receive a certificate warning during the connection process. If you receive the warning, select Yes or Continue to continue with the connection.

    The connection succeeds, because port 3389 is allowed inbound from the internet to the myAsgMgmtServers application security group.

    The network interface for myVMMgmt is associated with the myAsgMgmtServers application security group and allows the connection.

  6. Open a PowerShell session on myVMMgmt. Connect to myVMWeb using the following example:

    mstsc /v:myVmWeb

    The RDP connection from myVMMgmt to myVMWeb succeeds because virtual machines in the same network can communicate with each other over any port by default.

    You can't create an RDP connection to the myVMWeb virtual machine from the internet. The security rule for myAsgWebServers prevents inbound connections to port 3389 from the internet. Inbound traffic from the internet is denied to all resources by default.

  7. To install Microsoft IIS on the myVMWeb virtual machine, enter the following command from a PowerShell session on the myVMWeb virtual machine:

    Install-WindowsFeature -name Web-Server -IncludeManagementTools

  8. After the IIS installation is complete, disconnect from the myVMWeb virtual machine, which leaves you in the myVMMgmt virtual machine remote desktop connection.

  9. Disconnect from the myVMMgmt VM.

  10. From your computer, in the Search resources, services, and docs box at the top of the Azure portal, begin typing myVMWeb. When myVMWeb appears in the search results, select it. Note the Public IP address for your VM. The address shown in the following example is 23.96.39.113, but your address is different:

    (Screenshot: Public IP address.)

  11. To confirm that you can access the myVMWeb web server from the internet, open an internet browser on your computer and browse to http://<public-ip-address-from-previous-step>.

You see the IIS welcome screen, because port 80 is allowed inbound from the internet to the myAsgWebServers application security group.

The network interface attached to myVMWeb is associated with the myAsgWebServers application security group and allows the connection.
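The outcomes observed in this section follow from how a network security group evaluates its rules: rules are tried in ascending priority order, the first match decides, and the built-in default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) sit behind the ones you create. The following Python simulates that evaluation for the rule set built in Create security rules and the flows tested here. It is an added example, not Azure's implementation and not part of this tutorial; the private addresses 10.0.0.4 (myVMWeb) and 10.0.0.5 (myVMMgmt), the internet client address 203.0.113.10, and the helper names are constructed assumptions. The evaluation order and default rules are Azure's documented behaviour; port ranges such as 1000-2000 are accepted as a generalization beyond the tutorial's own values.

```python
"""Simulate inbound NSG rule evaluation for the tutorial's rule set.

Added example, not Azure code. Addresses and helper names are constructed
assumptions; the rule set mirrors the tutorial plus the NSG default rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/24")          # the tutorial's default subnet
AZURE_LB_PROBE_IP = "168.63.129.16"       # Azure's documented platform/health-probe address

# Constructed: which NIC (by private IP) sits in which application security group.
ASG_MEMBERS = {
    "myAsgWebServers": {"10.0.0.4"},      # myVMWeb  (assumed address)
    "myAsgMgmtServers": {"10.0.0.5"},     # myVMMgmt (assumed address)
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str             # "Any", "VirtualNetwork", "AzureLoadBalancer" or "Internet"
    dest: str               # "Any", "VirtualNetwork" or an ASG name
    dest_ports: frozenset   # port numbers; empty set means any port
    protocol: str           # "TCP", "UDP" or "Any"
    action: str             # "Allow" or "Deny"


def ports(spec: str) -> frozenset:
    """Parse a destination-port field such as '80,443', '3389', '1000-2000' or '*'."""
    if spec.strip() == "*":
        return frozenset()
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            out.update(range(lo, hi + 1))
        else:
            out.add(int(part))
    return frozenset(out)


# The two rules created in the tutorial, followed by the NSG's built-in default
# inbound rules, which cannot be removed and always evaluate last.
INBOUND_RULES = sorted([
    Rule("Allow-Web-All", 100, "Any", "myAsgWebServers", ports("80,443"), "TCP", "Allow"),
    Rule("Allow-RDP-All", 110, "Any", "myAsgMgmtServers", ports("3389"), "TCP", "Allow"),
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", ports("*"), "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Any", ports("*"), "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Any", "Any", ports("*"), "Any", "Deny"),
], key=lambda r: r.priority)


def source_matches(rule_source: str, src_ip: str) -> bool:
    """Resolve the service tags used by the default rules against a source address."""
    if rule_source == "Any":
        return True
    in_vnet = ip_address(src_ip) in VNET
    if rule_source == "VirtualNetwork":
        return in_vnet
    if rule_source == "Internet":
        return not in_vnet
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    return False


def dest_matches(rule_dest: str, dst_ip: str) -> bool:
    """An ASG destination matches only NICs that are members of that ASG."""
    if rule_dest == "Any":
        return True
    if rule_dest == "VirtualNetwork":
        return ip_address(dst_ip) in VNET
    return dst_ip in ASG_MEMBERS.get(rule_dest, set())


def evaluate_inbound(src_ip: str, dst_ip: str, dst_port: int, protocol: str = "TCP"):
    """Return (action, rule name) for the first rule, in priority order, that matches the flow."""
    for rule in INBOUND_RULES:
        if not source_matches(rule.source, src_ip):
            continue
        if not dest_matches(rule.dest, dst_ip):
            continue
        if rule.dest_ports and dst_port not in rule.dest_ports:
            continue
        if rule.protocol != "Any" and rule.protocol != protocol:
            continue
        return rule.action, rule.name
    return "Deny", "<no rule matched>"   # unreachable: DenyAllInBound matches every flow


if __name__ == "__main__":
    internet, web, mgmt = "203.0.113.10", "10.0.0.4", "10.0.0.5"   # constructed addresses
    for label, flow in [
        ("Internet -> myVMMgmt RDP", (internet, mgmt, 3389)),
        ("Internet -> myVMWeb RDP", (internet, web, 3389)),
        ("myVMMgmt -> myVMWeb RDP", (mgmt, web, 3389)),
        ("Internet -> myVMWeb HTTP", (internet, web, 80)),
        ("Internet -> myVMWeb UDP/80", (internet, web, 80, "UDP")),
    ]:
        print(f"{label:28} {evaluate_inbound(*flow)}")
```

Running the block reproduces each observation above: RDP from the internet reaches myVMMgmt via Allow-RDP-All, is denied to myVMWeb by DenyAllInBound (no lower-priority rule matches), and succeeds from myVMMgmt to myVMWeb only because of the default AllowVnetInBound rule, which is why tightening east-west traffic requires an explicit higher-priority deny rather than relying on the ASG rules alone.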

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you:

  • Created a network security group and associated it to a virtual network subnet.
  • Created application security groups for web and management.
  • Created two virtual machines.
  • Tested the application security group network filtering.

To learn more about network security groups, see Network security group overview and Manage a network security group.

Azure routes traffic between subnets by default. You may instead choose to route traffic between subnets through a VM serving as a firewall, for example.

To learn how to create a route table, advance to the next tutorial.