Tutorial: Filter network traffic with a network security group using the Azure portal

You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group (NSG). An NSG contains security rules that filter traffic by source and destination (IP address, service tag or application security group), port, and protocol. Rules on a subnet NSG are evaluated for every resource deployed in that subnet. In this tutorial, you learn how to:

  • Create a network security group and security rules
  • Create a virtual network and associate the network security group to a subnet
  • Deploy virtual machines (VMs) into the subnet
  • Test the traffic filters

If you prefer, you can complete this tutorial using the Azure CLI or PowerShell.

If you don't have an Azure subscription, create a trial account before you begin.

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.cn.

Create a virtual network

  1. On the Azure portal menu, select + Create a resource.

  2. Select Networking, and then select Virtual network.

  3. Enter or select the following information, accept the defaults for the remaining settings, and then select Create:

    Setting                  Value
    Name                     myVirtualNetwork
    Address space            10.0.0.0/16
    Subscription             Select your subscription.
    Resource group           Select Create new and enter myResourceGroup.
    Location                 Select China East.
    Subnet - Name            mySubnet
    Subnet - Address range   10.0.0.0/24

Create application security groups

An application security group (ASG) lets you group servers with similar functions, such as web servers, and write security rules against the group rather than against individual IP addresses. A network interface you later add to the ASG inherits those rules without any change to the NSG.

  1. On the Azure portal menu, select + Create a resource.

  2. In the Search the Marketplace box, enter Application security group. When Application security group appears in the search results, select it, select Application security group again under Everything, and then select Create.

  3. Enter or select the following information, and then select Create:

    Setting          Value
    Name             myAsgWebServers
    Subscription     Select your subscription.
    Resource group   Select Use existing, and then select myResourceGroup.
    Location         China East

  4. Complete step 3 again, specifying the following values:

    Setting          Value
    Name             myAsgMgmtServers
    Subscription     Select your subscription.
    Resource group   Select Use existing, and then select myResourceGroup.
    Location         China East

Create a network security group

  1. On the Azure portal menu, select + Create a resource.

  2. Select Networking, and then select Network security group.

  3. Enter or select the following information, and then select Create:

    Setting          Value
    Name             myNsg
    Subscription     Select your subscription.
    Resource group   Select Use existing, and then select myResourceGroup.
    Location         China East

Associate the network security group to the subnet

  1. In the Search resources box at the top of the portal, begin typing myNsg. When myNsg appears in the search results, select it.

  2. Under SETTINGS, select Subnets, and then select + Associate, as shown in the following picture:

    (Image: Associate NSG to subnet)

  3. Under Associate subnet, select Virtual network, and then select myVirtualNetwork. Select Subnet, select mySubnet, and then select OK.

Create security rules

  1. Under SETTINGS, select Inbound security rules, and then select + Add, as shown in the following picture:

    (Image: Add inbound security rule)

  2. Create a security rule that allows TCP ports 80 and 443 to the myAsgWebServers application security group. Under Add inbound security rule, enter or select the following values, accept the remaining defaults (Source: Any, Action: Allow, and the default priority, 100), and then select Add:

    Setting                   Value
    Destination               Select Application security group, and then select myAsgWebServers for Application security group.
    Destination port ranges   Enter 80,443
    Protocol                  Select TCP
    Name                      Allow-Web-All

  3. Complete step 2 again, using the following values:

    Setting                   Value
    Destination               Select Application security group, and then select myAsgMgmtServers for Application security group.
    Destination port ranges   Enter 3389
    Protocol                  Select TCP
    Priority                  Enter 110
    Name                      Allow-RDP-All

    In this tutorial, RDP (port 3389) is exposed to the internet for the VM that is assigned to the myAsgMgmtServers application security group. For production environments, instead of exposing port 3389 to the internet, connect to the Azure resources you manage over a VPN or private network connection. Even for a lab, setting Source in the Allow-RDP-All rule to your own public IP address instead of Any limits who can reach the management VM.

Once you've completed steps 1-3, review the rules you created. Your list should look like the list in the following picture:

    (Image: Security rules, including the default rules AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound)
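The same virtual network, application security groups, NSG, rules and subnet association, built with the Az PowerShell module instead of the portal. This is an added example, not part of the original tutorial. It assumes you have already run Connect-AzAccount -Environment AzureChinaCloud, that "chinaeast" is the region the portal shows as China East, and it uses the RFC 5737 documentation prefix 203.0.113.0/24 only as a stand-in for a real management address range.

```powershell
# Added example (not from the tutorial): same layout as the portal steps, via Az PowerShell.
# Assumes: Connect-AzAccount -Environment AzureChinaCloud has been run.
$rgName   = 'myResourceGroup'
$location = 'chinaeast'   # "China East" in the portal

New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# Virtual network 10.0.0.0/16 with one /24 subnet.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'mySubnet' -AddressPrefix '10.0.0.0/24'
$vnet = New-AzVirtualNetwork -Name 'myVirtualNetwork' -ResourceGroupName $rgName `
    -Location $location -AddressPrefix '10.0.0.0/16' -Subnet $subnet

# Application security groups: rules target the group, not an IP address,
# so a NIC added to the ASG later inherits the rules with no NSG change.
$webAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rgName -Name 'myAsgWebServers'  -Location $location
$mgmtAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rgName -Name 'myAsgMgmtServers' -Location $location

# Rule 1 (priority 100): TCP 80 and 443 from any source to the web ASG.
$webRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-All' -Description 'HTTP/HTTPS to web tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $webAsg.Id -DestinationPortRange 80,443

# Rule 2 (priority 110): TCP 3389 to the management ASG. The portal steps use
# Source = Any ('*'). Replacing it with your own management prefix keeps RDP
# off the open internet; 203.0.113.0/24 below is a placeholder (assumption).
$rdpSource = '*'   # e.g. '203.0.113.0/24'
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' -Description 'RDP to management tier' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $rdpSource -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $mgmtAsg.Id -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name 'myNsg' -SecurityRules $webRule, $rdpRule

# Attach the NSG to the subnet; Set-AzVirtualNetwork pushes the change to Azure.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'mySubnet' `
    -AddressPrefix '10.0.0.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Review: the two custom rules plus the platform defaults the portal list also
# shows (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound).
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name 'myNsg'
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

The final Format-Table is the scripted equivalent of the "review the rules you created" step: any traffic not matched by Allow-Web-All, Allow-RDP-All or AllowVnetInBound falls through to DenyAllInBound at priority 65500, which is why the web VM is not reachable on 3389 from the internet in the test section later.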

Create virtual machines

Create two VMs in the virtual network.

Create the first VM

  1. On the Azure portal menu, select + Create a resource.

  2. Select Virtual machines, and then select Windows Server 2016 Datacenter.

  3. Enter or select the following information, and accept the defaults for the remaining settings:

    Setting          Value
    Subscription     Select your subscription.
    Resource group   Select Use existing, and then select myResourceGroup.
    Name             myVmWeb
    Location         Select China East.
    User name        Enter a user name of your choosing.
    Password         Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.

  4. Select a size for the VM, and then select Select.

  5. Under Networking, select the following values, and accept the remaining defaults:

    Setting                      Value
    Virtual network              Select myVirtualNetwork.
    NIC network security group   Select None. The NSG you associated to mySubnet already applies to this VM; an NSG on the NIC would be evaluated as well, and both would have to allow the traffic.

  6. Select Review + create in the bottom-left corner, and then select Create to start the VM deployment.

Create the second VM

Complete steps 1-6 again, but in step 3, name the VM myVmMgmt. The VM takes a few minutes to deploy. Do not continue to the next step until the VM is deployed.

Associate network interfaces to an ASG

When the portal created the VMs, it created a network interface for each VM and attached it to the VM. Add the network interface of each VM to one of the application security groups you created previously:

  1. In the Search resources, services, and docs box at the top of the portal, begin typing myVmWeb. When the myVmWeb VM appears in the search results, select it.

  2. Under SETTINGS, select Networking. Select Configure the application security groups, select myAsgWebServers for Application security groups, and then select Save, as shown in the following picture:

    (Image: Associate to ASG)

  3. Complete steps 1 and 2 again, searching for the myVmMgmt VM and selecting the myAsgMgmtServers ASG.

Test traffic filters

  1. Connect to the myVmMgmt VM. Enter myVmMgmt in the search box at the top of the portal. When myVmMgmt appears in the search results, select it. Select the Connect button.

  2. Select Download RDP file.

  3. Open the downloaded .rdp file and select Connect. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM.

  4. Select OK.

  5. You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue to proceed with the connection.

    The connection succeeds because the Allow-RDP-All rule allows port 3389 inbound from the internet to the myAsgMgmtServers application security group, which contains the network interface attached to the myVmMgmt VM.

  6. Connect to the myVmWeb VM from the myVmMgmt VM by entering the following command in a PowerShell session:

    mstsc /v:myVmWeb
    

    You can connect to the myVmWeb VM from the myVmMgmt VM because, by default, VMs in the same virtual network can communicate with each other over any port: the default AllowVnetInBound rule (priority 65000) permits it. You cannot, however, open a remote desktop connection to the myVmWeb VM from the internet, because no rule for myAsgWebServers allows port 3389 inbound from the internet, and the default DenyAllInBound rule (priority 65500) denies all other inbound traffic.

  7. To install Microsoft IIS on the myVmWeb VM, enter the following command in a PowerShell session on the myVmWeb VM:

    Install-WindowsFeature -name Web-Server -IncludeManagementTools
    
  8. After the IIS installation is complete, disconnect from the myVmWeb VM, which leaves you in the myVmMgmt VM remote desktop connection.

  9. Disconnect from the myVmMgmt VM.

  10. From your computer, in the Search resources, services, and docs box at the top of the Azure portal, begin typing myVmWeb. When myVmWeb appears in the search results, select it. Note the Public IP address of the VM. The address shown in the following picture is 137.135.84.74, but your address is different:

    (Image: Public IP address)

  11. To confirm that you can reach the myVmWeb web server from the internet, open a browser on your computer and browse to http://<public-ip-address-from-previous-step>. You see the IIS welcome page because the Allow-Web-All rule allows port 80 inbound from the internet to the myAsgWebServers application security group, which contains the network interface attached to the myVmWeb VM.
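The manual checks in steps 5, 6 and 11 can be run from your own computer as a single script that looks up each VM's public IP, confirms which rules are actually effective on its NIC, and probes the four port/VM combinations the tutorial reasons about. This is an added example, not part of the original tutorial. It assumes the Az PowerShell module with an active Connect-AzAccount -Environment AzureChinaCloud session, a Windows client (Test-NetConnection ships with Windows), that each VM has exactly one NIC with a public IP (true for VMs created as above), and that the Windows firewall inside the VMs already allows 3389 and, after the IIS install, 80.

```powershell
# Added example (not from the tutorial): verify the NSG/ASG filtering from outside Azure.
# Assumes an Az session in AzureChinaCloud and that each VM has one NIC with a public IP.
$rgName = 'myResourceGroup'

function Get-VmNic {
    param([string]$ResourceGroup, [string]$VmName)
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    # Resolve the NIC by resource ID so we never have to guess the portal-generated NIC name.
    Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
}

function Get-VmPublicIp {
    param([string]$ResourceGroup, [string]$VmName)
    $nic   = Get-VmNic -ResourceGroup $ResourceGroup -VmName $VmName
    $pipId = $nic.IpConfigurations[0].PublicIpAddress.Id
    # The public IP resource name is the last segment of its resource ID.
    (Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name ($pipId.Split('/')[-1])).IpAddress
}

# 1. Effective rules: proves the ASG membership (step "Associate network interfaces to an ASG")
#    actually made Allow-Web-All / Allow-RDP-All apply to the right NIC.
foreach ($vmName in 'myVmWeb', 'myVmMgmt') {
    $nic = Get-VmNic -ResourceGroup $rgName -VmName $vmName
    "--- effective inbound rules on $vmName ($($nic.Name)) ---"
    (Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nic.Name -ResourceGroupName $rgName).EffectiveSecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Sort-Object Priority |
        Format-Table Name, Priority, Access, Protocol, DestinationPortRange
}

# 2. Black-box probes from this machine. Expected results follow directly from the
#    rule set: only 80/443 reach the web ASG, only 3389 reaches the management ASG,
#    everything else hits DenyAllInBound.
$checks = @(
    @{ Vm = 'myVmWeb';  Port = 80;   Expect = $true  }   # Allow-Web-All
    @{ Vm = 'myVmWeb';  Port = 3389; Expect = $false }   # no rule -> DenyAllInBound
    @{ Vm = 'myVmMgmt'; Port = 3389; Expect = $true  }   # Allow-RDP-All
    @{ Vm = 'myVmMgmt'; Port = 80;   Expect = $false }   # no rule -> DenyAllInBound
)

foreach ($c in $checks) {
    $ip = Get-VmPublicIp -ResourceGroup $rgName -VmName $c.Vm
    # A denied port simply times out; Test-NetConnection reports that as TcpTestSucceeded = False.
    $ok = (Test-NetConnection -ComputerName $ip -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
    $verdict = if ($ok -eq $c.Expect) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1,-9} {2}:{3,-5} reachable={4,-5} expected={5}' -f $verdict, $c.Vm, $ip, $c.Port, $ok, $c.Expect
}
```

A FAIL on the myVmWeb:3389 line would mean RDP to the web tier is reachable from the internet, which is exactly the exposure the rule set is meant to prevent; a FAIL on myVmWeb:80 after the IIS install usually points at the guest firewall rather than the NSG, and the effective-rules listing above is how you tell the two apart.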

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME:, and then select Delete.

Next steps

In this tutorial, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see Network security group overview and Manage a network security group.

Azure routes traffic between subnets by default. You may instead choose to route traffic between subnets through a VM, serving as a firewall, for example. To learn how to create a route table, advance to the next tutorial.