Filter network traffic with a network security group using the Azure CLI

You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group. Network security groups contain security rules that filter network traffic by IP address, port, and protocol. Security rules are applied to resources deployed in a subnet. In this article, you learn how to:

  • Create a network security group and security rules
  • Create a virtual network and associate a network security group to a subnet
  • Deploy virtual machines (VMs) into a subnet
  • Test traffic filters

If you don't have an Azure subscription, create a trial account before you begin.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to global Azure, run az cloud set -n AzureCloud again.

If you choose to install and use the CLI locally, this article requires that you are running Azure CLI version 2.0.28 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a network security group

A network security group contains security rules. Security rules specify a source and destination. Sources and destinations can be application security groups.

Create application security groups

First create a resource group for all the resources created in this article with az group create. The following example creates a resource group in the chinaeast location:

az group create \
  --name myResourceGroup \
  --location chinaeast

Create an application security group with az network asg create. An application security group enables you to group servers with similar port filtering requirements. The following example creates two application security groups.

az network asg create \
  --resource-group myResourceGroup \
  --name myAsgWebServers \
  --location chinaeast

az network asg create \
  --resource-group myResourceGroup \
  --name myAsgMgmtServers \
  --location chinaeast

Create a network security group

Create a network security group with az network nsg create. The following example creates a network security group named myNsg:

# Create a network security group
az network nsg create \
  --resource-group myResourceGroup \
  --name myNsg

Create security rules

Create a security rule with az network nsg rule create. The following example creates a rule that allows traffic inbound from the internet to the myAsgWebServers application security group over ports 80 and 443:

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNsg \
  --name Allow-Web-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-asgs "myAsgWebServers" \
  --destination-port-range 80 443

The following example creates a rule that allows traffic inbound from the internet to the myAsgMgmtServers application security group over port 22:

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNsg \
  --name Allow-SSH-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 110 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-asgs "myAsgMgmtServers" \
  --destination-port-range 22

In this article, SSH (port 22) is exposed to the internet for the myAsgMgmtServers VM. For production environments, instead of exposing port 22 to the internet, it's recommended that you connect to the Azure resources you want to manage over a VPN or private network connection.

Create a virtual network

Create a virtual network with az network vnet create. The following example creates a virtual network named myVirtualNetwork:

az network vnet create \
  --name myVirtualNetwork \
  --resource-group myResourceGroup \
  --address-prefixes 10.0.0.0/16

Add a subnet to a virtual network with az network vnet subnet create. The following example adds a subnet named mySubnet to the virtual network and associates the myNsg network security group to it:

az network vnet subnet create \
  --vnet-name myVirtualNetwork \
  --resource-group myResourceGroup \
  --name mySubnet \
  --address-prefix 10.0.0.0/24 \
  --network-security-group myNsg

Create virtual machines

Create two VMs in the virtual network so you can validate traffic filtering in a later step.

Create a VM with az vm create. The following example creates a VM that will serve as a web server. The --asgs myAsgWebServers option causes Azure to make the network interface it creates for the VM a member of the myAsgWebServers application security group.

The --nsg "" option is specified to prevent Azure from creating a default network security group for the network interface it creates along with the VM. To streamline this article, a password is used. Keys are typically used in production deployments. If you use keys, you must also configure SSH agent forwarding for the remaining steps. For more information, see the documentation for your SSH client. Replace <replace-with-your-password> in the following command with a password of your choosing.

adminPassword="<replace-with-your-password>"

az vm create \
  --resource-group myResourceGroup \
  --name myVmWeb \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork \
  --subnet mySubnet \
  --nsg "" \
  --asgs myAsgWebServers \
  --admin-username azureuser \
  --admin-password $adminPassword

The VM takes a few minutes to create. After the VM is created, output similar to the following example is returned:

{
  "fqdns": "",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVmWeb",
  "location": "chinaeast",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "13.90.242.231",
  "resourceGroup": "myResourceGroup"
}

Take note of the publicIpAddress. This address is used to access the VM from the internet in a later step. Create a VM to serve as a management server:

az vm create \
  --resource-group myResourceGroup \
  --name myVmMgmt \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork \
  --subnet mySubnet \
  --nsg "" \
  --asgs myAsgMgmtServers \
  --admin-username azureuser \
  --admin-password $adminPassword

The VM takes a few minutes to create. After the VM is created, note the publicIpAddress in the returned output. This address is used to access the VM in the next step. Don't continue with the next step until Azure finishes creating the VM.

Test traffic filters

Use the following command to create an SSH session with the myVmMgmt VM. Replace <publicIpAddress> with the public IP address of your VM. In the example above, the IP address is 13.90.242.231.

ssh azureuser@<publicIpAddress>

When prompted for a password, enter the password you chose in Create virtual machines.

The connection succeeds because port 22 is allowed inbound from the internet to the myAsgMgmtServers application security group, which the network interface attached to the myVmMgmt VM is a member of.

Use the following command to SSH to the myVmWeb VM from the myVmMgmt VM:

ssh azureuser@myVmWeb

The connection succeeds because a default security rule within each network security group allows traffic over all ports between all IP addresses within a virtual network. You can't SSH to the myVmWeb VM from the internet because the security rule for myAsgWebServers doesn't allow port 22 inbound from the internet.

Use the following commands to install the nginx web server on the myVmWeb VM:

# Update package source
sudo apt-get -y update

# Install NGINX
sudo apt-get -y install nginx

The myVmWeb VM is allowed outbound to the internet to retrieve nginx because a default security rule allows all outbound traffic to the internet. Exit the myVmWeb SSH session, which leaves you at the username@myVmMgmt:~$ prompt of the myVmMgmt VM. To retrieve the nginx welcome screen from the myVmWeb VM, enter the following command:

curl myVmWeb

myVmMgmt VM 注销。Logout of the myVmMgmt VM. 若要确认是否可以从 Azure 外部访问 myVmWeb Web 服务器,请在自己的计算机上输入 curl <publicIpAddress>To confirm that you can access the myVmWeb web server from outside of Azure, enter curl <publicIpAddress> from your own computer. 连接将会成功,因为允许通过端口 80 将入站流量从 Internet 发往已附加到 myVmWeb VM 的网络接口所在的 myAsgWebServers 应用程序安全组。The connection succeeds, because port 80 is allowed inbound from the Internet to the myAsgWebServers application security group that the network interface attached to the myVmWeb VM is in.

Clean up resources

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

az group delete --name myResourceGroup --yes

Next steps

In this article, you created a network security group and associated it with a virtual network subnet. To learn more about network security groups, see Network security group overview and Manage a network security group.

Azure routes traffic between subnets by default. You may instead choose to route traffic between subnets through a VM, for example one serving as a firewall. To learn how, see Create a route table.