Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal

Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Azure backbone network. In this tutorial, you learn how to:

  • Create a virtual network with one subnet
  • Add a subnet and enable a service endpoint
  • Create an Azure resource and allow network access to it from only a subnet
  • Deploy a virtual machine (VM) to each subnet
  • Confirm access to a resource from a subnet
  • Confirm access is denied to a resource from a subnet and the internet

If you prefer, you can complete this tutorial using the Azure CLI or Azure PowerShell.

If you don't have an Azure subscription, create a trial account before you begin.

Log in to Azure

Log in to the Azure portal at https://portal.azure.cn.

Create a virtual network

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Select Networking, and then select Virtual network.

  3. Enter, or select, the following information, and then select Create:

    Setting               Value
    Name                  myVirtualNetwork
    Address space         10.0.0.0/16
    Subscription          Select your subscription
    Resource group        Select Create new and enter myResourceGroup.
    Location              Select China East
    Subnet Name           Public
    Subnet Address range  10.0.0.0/24
    Service endpoints     Disabled
    Firewall              Disabled

    [Image: Enter basic information for the virtual network]

Enable a service endpoint

Service endpoints are enabled per service, per subnet. Create a subnet and enable a service endpoint for the subnet.

  1. In the Search resources, services, and docs box at the top of the portal, enter myVirtualNetwork. When myVirtualNetwork appears in the search results, select it.

  2. Add a subnet to the virtual network. Under SETTINGS, select Subnets, and then select + Subnet, as shown in the following picture:

    [Image: Add subnet]

  3. Under Add subnet, select or enter the following information, and then select OK:

    Setting            Value
    Name               Private
    Address range      10.0.1.0/24
    Service endpoints  Select Microsoft.Storage under Services

    Note

    Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.

Restrict network access for a subnet

By default, all VMs in a subnet can communicate with all resources. You can limit communication to and from all resources in a subnet by creating a network security group, and associating it to the subnet.

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Select Networking, and then select Network security group.

  3. Under Create a network security group, enter, or select, the following information, and then select Create:

    Setting         Value
    Name            myNsgPrivate
    Subscription    Select your subscription
    Resource group  Select Use existing and select myResourceGroup.
    Location        Select China East

  4. After the network security group is created, enter myNsgPrivate in the Search resources, services, and docs box at the top of the portal. When myNsgPrivate appears in the search results, select it.

  5. Under SETTINGS, select Outbound security rules.

  6. Select + Add.

  7. Create a rule that allows outbound communication to the Azure Storage service. Enter, or select, the following information, and then select Add:

    Setting                  Value
    Source                   Select VirtualNetwork
    Source port ranges       *
    Destination              Select Service Tag
    Destination service tag  Select Storage
    Destination port ranges  *
    Protocol                 Any
    Action                   Allow
    Priority                 100
    Name                     Allow-Storage-All

  8. Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Complete steps 5-7 again, using the following values:

    Setting                  Value
    Source                   Select VirtualNetwork
    Source port ranges       *
    Destination              Select Service Tag
    Destination service tag  Select Internet
    Destination port ranges  *
    Protocol                 Any
    Action                   Deny
    Priority                 110
    Name                     Deny-Internet-All

  9. Under SETTINGS, select Inbound security rules.

  10. Select + Add.

  11. Create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote desktop connections are allowed to the subnet so that connectivity can be tested in a later step. Under SETTINGS, select Inbound security rules, select + Add, enter the following values, and then select Add:

    Setting                  Value
    Source                   Any
    Source port ranges       *
    Destination              Select VirtualNetwork
    Destination port ranges  3389
    Protocol                 Any
    Action                   Allow
    Priority                 120
    Name                     Allow-RDP-All

  12. Under SETTINGS, select Subnets.

  13. Select + Associate.

  14. Under Associate subnet, select Virtual network and then select myVirtualNetwork under Choose a virtual network.

  15. Under Choose subnet, select Private, and then select OK.
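The three rules above only behave as intended because of how a network security group evaluates them: rules are tried in ascending priority order, the first match decides, and the built-in default rules (priority 65000 and above) are consulted last. The following Python model is an added example, not code from the tutorial or from Azure; it evaluates the myNsgPrivate rule set against a few constructed flows from a VM in the Private subnet. The service tags are modelled with constructed prefixes (the real Storage tag resolves to Microsoft-published ranges that change over time), and the Internet tag is modelled as "any address outside the virtual network", which is what lets the Deny-Internet-All rule leave intra-VNet traffic alone.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed prefix model for the service tags used on this page (assumption: the real
# tags resolve to Microsoft-published prefix lists; 52.239.0.0/16 is a stand-in for Storage).
VNET_PREFIXES = [ip_network("10.0.0.0/16")]  # myVirtualNetwork address space
TAG_PREFIXES = {
    "VirtualNetwork": VNET_PREFIXES,
    "Storage": [ip_network("52.239.0.0/16")],
    "AzureLoadBalancer": [ip_network("168.63.129.16/32")],
    "Any": [ip_network("0.0.0.0/0")],
}


class Rule(NamedTuple):
    name: str
    priority: int
    direction: str   # "Inbound" or "Outbound"
    source: str      # service tag
    dest: str        # service tag
    dest_ports: str  # "*", "3389" or "1000-2000"
    protocol: str    # "Any", "Tcp" or "Udp"
    action: str      # "Allow" or "Deny"


def tag_matches(tag, ip):
    """True if the address falls inside the modelled service tag."""
    ip = ip_address(ip)
    if tag == "Internet":
        # Azure's Internet tag means "outside the virtual network"; model that explicitly.
        return not any(ip in net for net in VNET_PREFIXES)
    return any(ip in net for net in TAG_PREFIXES[tag])


def port_matches(spec, port):
    """Match a port against '*', a single port, or a 'lo-hi' range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, src, dst, port, protocol="Tcp"):
    """Return (action, rule_name): the first matching rule in priority order wins."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if r.direction != direction:
            continue
        if not (tag_matches(r.source, src) and tag_matches(r.dest, dst)):
            continue
        if not port_matches(r.dest_ports, port):
            continue
        if r.protocol != "Any" and r.protocol != protocol:
            continue
        return r.action, r.name
    raise ValueError("no rule matched; the default rules should always match")


# The rules the tutorial adds to myNsgPrivate (priorities 100-120), followed by the
# default rules every network security group carries (priorities 65000 and above).
MYNSGPRIVATE = [
    Rule("Allow-Storage-All", 100, "Outbound", "VirtualNetwork", "Storage", "*", "Any", "Allow"),
    Rule("Deny-Internet-All", 110, "Outbound", "VirtualNetwork", "Internet", "*", "Any", "Deny"),
    Rule("Allow-RDP-All", 120, "Inbound", "Any", "VirtualNetwork", "3389", "Any", "Allow"),
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "Any", "*", "Any", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "Any", "Any", "*", "Any", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "Any", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Any", "Internet", "*", "Any", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Any", "Any", "*", "Any", "Deny"),
]


def private_subnet_checks():
    """Constructed flows for a VM at 10.0.1.4 in the Private subnet."""
    return {
        "smb_to_storage": evaluate(MYNSGPRIVATE, "Outbound", "10.0.1.4", "52.239.1.1", 445),
        "https_to_internet": evaluate(MYNSGPRIVATE, "Outbound", "10.0.1.4", "203.0.113.10", 443),
        "http_to_public_subnet": evaluate(MYNSGPRIVATE, "Outbound", "10.0.1.4", "10.0.0.4", 80),
        "rdp_from_internet": evaluate(MYNSGPRIVATE, "Inbound", "203.0.113.10", "10.0.1.4", 3389),
        "ssh_from_internet": evaluate(MYNSGPRIVATE, "Inbound", "203.0.113.10", "10.0.1.4", 22),
    }


if __name__ == "__main__":
    for flow, (action, rule) in private_subnet_checks().items():
        print(f"{flow:22} -> {action:5} by {rule}")
```

Two results are worth noticing. Storage traffic is allowed by the priority-100 rule even though a Storage address is also "Internet" from the NSG's point of view, so swapping the two priorities would silently break the file-share mapping later in the tutorial. And the Private VM can still reach the Public subnet through the default AllowVnetOutBound rule, because Deny-Internet-All never matches addresses inside the virtual network.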

Restrict network access to a resource

The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints vary across services. See the documentation for individual services for specific steps for each service. The remainder of this tutorial includes steps to restrict network access for an Azure Storage account, as an example.

Create a storage account

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Select Storage, and then select Storage account.

  3. Enter, or select, the following information, accept the remaining defaults, and then select Create:

    Setting         Value
    Name            Enter a name that is unique across all Azure locations, between 3-24 characters in length, using only numbers and lower-case letters.
    Account kind    StorageV2 (general purpose v2)
    Location        Select China East
    Replication     Locally-redundant storage (LRS)
    Subscription    Select your subscription
    Resource group  Select Use existing and select myResourceGroup.

Create a file share in the storage account

  1. After the storage account is created, enter the name of the storage account in the Search resources, services, and docs box at the top of the portal. When the name of your storage account appears in the search results, select it.

  2. Select Files, as shown in the following picture:

    [Image: Storage account]

  3. Select + File share.

  4. Enter my-file-share under Name, and then select OK.

  5. Close the File service box.

Restrict network access to a subnet

By default, storage accounts accept network connections from clients in any network, including the internet. Deny network access from the internet, and from all other subnets in all virtual networks, except for the Private subnet in the myVirtualNetwork virtual network.

  1. Under SETTINGS for the storage account, select Firewalls and virtual networks.

  2. Select Selected networks.

  3. Select + Add existing virtual network.

  4. Under Add networks, select the following values, and then select Add:

    Setting           Value
    Subscription      Select your subscription.
    Virtual networks  Select myVirtualNetwork, under Virtual networks
    Subnets           Select Private, under Subnets

    [Image: Firewalls and virtual networks]

  5. Select Save.

  6. Close the Firewalls and virtual networks box.

  7. Under SETTINGS for the storage account, select Access keys, as shown in the following picture:

    [Image: Firewalls and virtual networks]

  8. Note the Key value, as you'll have to manually enter it in a later step when mapping the file share to a drive letter in a VM.
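The restriction configured above depends on two settings agreeing with each other: the storage account's default action must be Deny (selecting Selected networks does this), and every subnet listed in its virtual network rules must have the Microsoft.Storage service endpoint enabled (the Enable a service endpoint section above). The following Python audit is an added example, not code from the tutorial or from Azure; it checks both conditions over constructed data. The inputs are assumed to have the shape of the `az storage account show --query networkRuleSet` output (keys defaultAction, bypass, ipRules, virtualNetworkRules[].virtualNetworkResourceId) and of `az network vnet subnet list` (serviceEndpoints[].service); the subscription id is a placeholder, and the "wider than a /24" threshold for IP rules is this example's own assumption.

```python
from ipaddress import ip_network

# Placeholder subscription id (the page gives none) and the tutorial's resource names.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "myResourceGroup"
VNET = "myVirtualNetwork"
BROAD_PREFIX_LEN = 24  # assumption: an IP rule wider than a /24 is treated as effectively public


def subnet_id(name):
    """ARM resource id of a subnet in myVirtualNetwork."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}/providers/"
            f"Microsoft.Network/virtualNetworks/{VNET}/subnets/{name}")


# Constructed subnet records mirroring the tutorial: Public has no endpoint, Private has Microsoft.Storage.
SUBNETS = [
    {"name": "Public", "addressPrefix": "10.0.0.0/24", "serviceEndpoints": []},
    {"name": "Private", "addressPrefix": "10.0.1.0/24",
     "serviceEndpoints": [{"service": "Microsoft.Storage", "locations": ["chinaeast"]}]},
]

# Constructed rule set as the tutorial leaves it: default Deny, only the Private subnet allowed.
RULE_SET_OK = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": [{"virtualNetworkResourceId": subnet_id("Private"), "action": "Allow"}],
}

# Constructed rule set showing a common misconfiguration: a rule was added for the wrong
# subnet, a broad IP rule exists, and the default action was left at Allow, so nothing is restricted.
RULE_SET_BAD = {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.0.0/8", "action": "Allow"}],
    "virtualNetworkRules": [{"virtualNetworkResourceId": subnet_id("Public"), "action": "Allow"}],
}


def audit(rule_set, subnets, expected_subnets):
    """Return a list of findings; an empty list means the account is locked down as intended."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny: all networks, including the internet, can connect")
    for ip_rule in rule_set.get("ipRules", []):
        if ip_network(ip_rule["value"]).prefixlen < BROAD_PREFIX_LEN:
            findings.append(f"broad IP rule {ip_rule['value']} re-opens the account to a large public range")
    by_id = {subnet_id(s["name"]): s for s in subnets}
    expected_ids = {subnet_id(n) for n in expected_subnets}
    allowed = {r["virtualNetworkResourceId"] for r in rule_set.get("virtualNetworkRules", [])}
    for sid in allowed:
        subnet = by_id.get(sid)
        if subnet is None:
            findings.append(f"rule references an unknown subnet: {sid}")
        elif not any(e["service"] == "Microsoft.Storage" for e in subnet["serviceEndpoints"]):
            # Without the endpoint, traffic from the subnet arrives with a public source address
            # and the virtual network rule never matches it.
            findings.append(f"subnet {subnet['name']} is allowed but has no Microsoft.Storage service endpoint")
        if sid not in expected_ids:
            findings.append(f"unexpected subnet allowed: {sid.rsplit('/', 1)[-1]}")
    for name in expected_subnets:
        if subnet_id(name) not in allowed:
            findings.append(f"expected subnet {name} is not in virtualNetworkRules")
    return findings


if __name__ == "__main__":
    for label, rule_set in (("tutorial configuration", RULE_SET_OK), ("misconfigured", RULE_SET_BAD)):
        print(f"{label}: {audit(rule_set, SUBNETS, ['Private']) or ['no findings']}")
```

Run against the tutorial's configuration the audit returns no findings; against the misconfigured rule set it reports the Allow default action, the broad IP rule, the Public subnet's missing service endpoint, the unexpected Public entry, and the absent Private entry, which together are exactly the conditions that would make the "access is denied" checks later in this tutorial pass when they should fail.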

Create virtual machines

To test network access to a storage account, deploy a VM to each subnet.

Create the first virtual machine

  1. Select + Create a resource found on the upper, left corner of the Azure portal.

  2. Select Virtual Machines, and then select Windows Server 2016 Datacenter.

  3. Enter, or select, the following information and then select OK:

    Setting         Value
    Name            myVmPublic
    User name       Enter a user name of your choosing.
    Password        Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Subscription    Select your subscription.
    Resource group  Select Use existing and select myResourceGroup.
    Location        Select China East.

    [Image: Enter basic information for the virtual machine]

  4. Select a size for the virtual machine and then select Select.

  5. Under Settings, select Network and then select myVirtualNetwork. Then select Subnet, and select Public, as shown in the following picture:

    [Image: Select virtual network]

  6. Under Network Security Group, select Advanced. The portal automatically creates a network security group for you that allows port 3389, which you'll need open to connect to the virtual machine in a later step. Select OK on the Settings page.

  7. On the Summary page, select Create to start the virtual machine deployment. The VM takes a few minutes to deploy, but you can continue to the next step while the VM is creating.

Create the second virtual machine

Complete steps 1-7 again, but in step 3, name the virtual machine myVmPrivate and in step 5, select the Private subnet.

The VM takes a few minutes to deploy. Do not continue to the next step until it finishes creating and its settings open in the portal.

Confirm access to storage account

  1. Once the myVmPrivate VM finishes creating, Azure opens the settings for it. Connect to the VM by selecting the Connect button, as shown in the following picture:

    [Image: Connect to virtual machine]

  2. After selecting the Connect button, a Remote Desktop Protocol (.rdp) file is created and downloaded to your computer.

  3. Open the downloaded rdp file. If prompted, select Connect. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM.

  4. Select OK.

  5. You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue, to proceed with the connection.

  6. On the myVmPrivate VM, map the Azure file share to drive Z using PowerShell. Before running the commands that follow, replace <storage-account-key> and <storage-account-name> with the values you supplied and retrieved in Create a storage account.

    # Wrap the storage account key as a secure string and build a credential for the share.
    $acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
    # Map the file share over SMB to drive Z; this only succeeds from a subnet the storage account allows.
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.chinacloudapi.cn\my-file-share" -Credential $credential

    PowerShell returns output similar to the following example output:

    Name           Used (GB)     Free (GB) Provider      Root
    ----           ---------     --------- --------      ----
    Z                                      FileSystem    \\vnt.file.core.chinacloudapi.cn\my-f...

    The Azure file share successfully mapped to the Z drive.

  7. Confirm that the VM has no outbound connectivity to the internet from a command prompt:

    ping bing.com

    You receive no replies, because the network security group associated to the Private subnet does not allow outbound access to the internet.

  8. Close the remote desktop session to the myVmPrivate VM.

Confirm access is denied to storage account

  1. Enter myVmPublic in the Search resources, services, and docs box at the top of the portal.

  2. When myVmPublic appears in the search results, select it.

  3. Complete steps 1-6 in Confirm access to storage account for the myVmPublic VM.

    After a short wait, you receive a New-PSDrive : Access is denied error. Access is denied because the myVmPublic VM is deployed in the Public subnet. The Public subnet does not have a service endpoint enabled for Azure Storage. The storage account only allows network access from the Private subnet, not the Public subnet.

  4. Close the remote desktop session to the myVmPublic VM.

  5. From your computer, browse to the Azure portal.

  6. Enter the name of the storage account you created in the Search resources, services, and docs box. When the name of your storage account appears in the search results, select it.

  7. Select Files.

  8. You receive the error shown in the following picture:

    [Image: Access denied error]

    Access is denied, because your computer is not in the Private subnet of the MyVirtualNetwork virtual network.

Clean up resources

When no longer needed, delete the resource group and all resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you enabled a service endpoint for a virtual network subnet. You learned that you can enable service endpoints for resources deployed from multiple Azure services. You created an Azure Storage account and restricted network access to the storage account to only resources within a virtual network subnet. To learn more about service endpoints, see Service endpoints overview and Manage subnets.

If you have multiple virtual networks in your account, you may want to connect two virtual networks together so the resources within each virtual network can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.