Restrict network access to PaaS resources with virtual network service endpoints using the Azure CLI

Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Azure backbone network. In this article, you learn how to:

  • Create a virtual network with one subnet
  • Add a subnet and enable a service endpoint
  • Create an Azure resource and allow network access to it from only a subnet
  • Deploy a virtual machine (VM) to each subnet
  • Confirm access to a resource from a subnet
  • Confirm access is denied to a resource from a subnet and the internet

If you don't have an Azure subscription, create a trial account before you begin.

Note

Before you can use Azure CLI 2.0 in Azure China, run az cloud set -n AzureChinaCloud first to change the cloud environment. To switch back to global Azure, run az cloud set -n AzureCloud again.

If you choose to install and use the CLI locally, this quickstart requires that you are running Azure CLI version 2.0.28 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a virtual network

Before creating a virtual network, you have to create a resource group for the virtual network and for all other resources created in this article. Create a resource group with az group create. The following example creates a resource group named myResourceGroup in the chinaeast location.

az group create \
  --name myResourceGroup \
  --location chinaeast

Create a virtual network with one subnet with az network vnet create.

az network vnet create \
  --name myVirtualNetwork \
  --resource-group myResourceGroup \
  --address-prefix 10.0.0.0/16 \
  --subnet-name Public \
  --subnet-prefix 10.0.0.0/24

Enable a service endpoint

You can enable service endpoints only for services that support them. View the service-endpoint-enabled services available in an Azure location with az network vnet list-endpoint-services. The following example returns the list of service-endpoint-enabled services available in the chinaeast region. The list of services returned grows over time, as more Azure services become service endpoint enabled.

az network vnet list-endpoint-services \
  --location chinaeast \
  --out table

Create an additional subnet in the virtual network with az network vnet subnet create. In this example, a service endpoint for Microsoft.Storage is created for the subnet:

az network vnet subnet create \
  --vnet-name myVirtualNetwork \
  --resource-group myResourceGroup \
  --name Private \
  --address-prefix 10.0.1.0/24 \
  --service-endpoints Microsoft.Storage

Restrict network access for a subnet

Create a network security group with az network nsg create. The following example creates a network security group named myNsgPrivate.

az network nsg create \
  --resource-group myResourceGroup \
  --name myNsgPrivate

Associate the network security group with the Private subnet with az network vnet subnet update. The following example associates the myNsgPrivate network security group with the Private subnet:

az network vnet subnet update \
  --vnet-name myVirtualNetwork \
  --name Private \
  --resource-group myResourceGroup \
  --network-security-group myNsgPrivate

Create security rules with az network nsg rule create. The rule that follows allows outbound access to the public IP addresses assigned to the Azure Storage service:

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNsgPrivate \
  --name Allow-Storage-All \
  --access Allow \
  --protocol "*" \
  --direction Outbound \
  --priority 100 \
  --source-address-prefix "VirtualNetwork" \
  --source-port-range "*" \
  --destination-address-prefix "Storage" \
  --destination-port-range "*"

Each network security group contains several default security rules. The rule that follows overrides a default security rule that allows outbound access to all public IP addresses. The destination-address-prefix "Internet" option denies outbound access to all public IP addresses. The previous rule overrides this rule because it has the higher priority (a lower priority number is evaluated first), and so access to the public IP addresses of Azure Storage is still allowed.

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNsgPrivate \
  --name Deny-Internet-All \
  --access Deny \
  --protocol "*" \
  --direction Outbound \
  --priority 110 \
  --source-address-prefix "VirtualNetwork" \
  --source-port-range "*" \
  --destination-address-prefix "Internet" \
  --destination-port-range "*"

The following rule allows SSH traffic inbound to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. SSH is allowed to the subnet so that connectivity can be tested in a later step.

az network nsg rule create \
  --resource-group myResourceGroup \
  --nsg-name myNsgPrivate \
  --name Allow-SSH-All \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 120 \
  --source-address-prefix "*" \
  --source-port-range "*" \
  --destination-address-prefix "VirtualNetwork" \
  --destination-port-range "22"

Restrict network access to a resource

The steps necessary to restrict network access to resources created through Azure services enabled for service endpoints vary across services. See the documentation for individual services for the specific steps for each service. The remainder of this article includes steps to restrict network access for an Azure Storage account, as an example.

Create a storage account

Create an Azure storage account with az storage account create. Replace <replace-with-your-unique-storage-account-name> with a name that is unique across all Azure locations, between 3 and 24 characters in length, using only numbers and lower-case letters.

storageAcctName="<replace-with-your-unique-storage-account-name>"

az storage account create \
  --name $storageAcctName \
  --resource-group myResourceGroup \
  --sku Standard_LRS \
  --kind StorageV2

After the storage account is created, retrieve the connection string for the storage account into a variable with az storage account show-connection-string. The connection string is used to create a file share in a later step.

saConnectionString=$(az storage account show-connection-string \
  --name $storageAcctName \
  --resource-group myResourceGroup \
  --query 'connectionString' \
  --out tsv)

View the contents of the variable and note the value of AccountKey returned in the output, because it is used in a later step.

echo $saConnectionString

Create a file share in the storage account

Create a file share in the storage account with az storage share create. In a later step, this file share is mounted to confirm network access to it.

az storage share create \
  --name my-file-share \
  --quota 2048 \
  --connection-string $saConnectionString > /dev/null

Deny all network access to a storage account

By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to Deny with az storage account update. Once network access is denied, the storage account is not accessible from any network.

az storage account update \
  --name $storageAcctName \
  --resource-group myResourceGroup \
  --default-action Deny

Enable network access from a subnet

Allow network access to the storage account from the Private subnet with az storage account network-rule add.

az storage account network-rule add \
  --resource-group myResourceGroup \
  --account-name $storageAcctName \
  --vnet-name myVirtualNetwork \
  --subnet Private
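The three controls configured above (the Microsoft.Storage service endpoint on the Private subnet, the storage account's default action set to Deny, and a network rule for that subnet) are easy to get half-right. The following shell helper, added here as an example and not part of the original article or the Azure CLI, checks all three. check_lockdown takes the values as arguments so the policy logic runs without Azure access; gather_and_check collects them with az (it assumes an active az login and the resource names used in this article).

```shell
#!/bin/sh
# Verification helper (added example). Confirms that the storage account
# lock-down described above is actually in place.

# check_lockdown DEFAULT_ACTION SUBNET_ID RULE_SUBNET_IDS SUBNET_ENDPOINTS
#   DEFAULT_ACTION   networkRuleSet.defaultAction of the storage account
#   SUBNET_ID        resource id of the Private subnet
#   RULE_SUBNET_IDS  newline-separated subnet ids from networkRuleSet.virtualNetworkRules
#   SUBNET_ENDPOINTS newline-separated service names from the subnet's serviceEndpoints
# Prints each failed check; returns 0 if the lock-down holds, 1 otherwise.
check_lockdown() {
  rc=0
  if [ "$1" != "Deny" ]; then
    echo "FAIL: default action is '$1', expected Deny (account reachable from any network)"
    rc=1
  fi
  if ! printf '%s\n' "$3" | grep -qxF "$2"; then
    echo "FAIL: no storage network rule for subnet $2"
    rc=1
  fi
  if ! printf '%s\n' "$4" | grep -qxF "Microsoft.Storage"; then
    echo "FAIL: subnet has no Microsoft.Storage service endpoint (rule would never match)"
    rc=1
  fi
  return $rc
}

# gather_and_check RESOURCE_GROUP VNET SUBNET STORAGE_ACCOUNT
# Reads the live configuration with the Azure CLI and runs check_lockdown on it.
gather_and_check() {
  rg=$1; vnet=$2; subnet=$3; sa=$4
  subnet_id=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --query id -o tsv)
  endpoints=$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --query 'serviceEndpoints[].service' -o tsv)
  action=$(az storage account show -g "$rg" -n "$sa" \
    --query networkRuleSet.defaultAction -o tsv)
  rules=$(az storage account show -g "$rg" -n "$sa" \
    --query 'networkRuleSet.virtualNetworkRules[].virtualNetworkResourceId' -o tsv)
  check_lockdown "$action" "$subnet_id" "$rules" "$endpoints"
}

# Usage with the names from this article (requires az login):
#   gather_and_check myResourceGroup myVirtualNetwork Private "$storageAcctName"
```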

Create virtual machines

To test network access to the storage account, deploy a VM to each subnet.

Create the first virtual machine

Create a VM in the Public subnet with az vm create. If SSH keys do not already exist in the default key location, the command creates them. To use a specific set of keys, use the --ssh-key-value option.

az vm create \
  --resource-group myResourceGroup \
  --name myVmPublic \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork \
  --subnet Public \
  --generate-ssh-keys

The VM takes a few minutes to create. After the VM is created, the Azure CLI shows information similar to the following example:

{
  "fqdns": "",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVmPublic",
  "location": "chinaeast",
  "macAddress": "00-0D-3A-23-9A-49",
  "powerState": "VM running",
  "privateIpAddress": "10.0.0.4",
  "publicIpAddress": "13.90.242.231",
  "resourceGroup": "myResourceGroup"
}

Take note of the publicIpAddress in the returned output. This address is used to access the VM from the internet in a later step.

Create the second virtual machine

az vm create \
  --resource-group myResourceGroup \
  --name myVmPrivate \
  --image UbuntuLTS \
  --vnet-name myVirtualNetwork \
  --subnet Private \
  --generate-ssh-keys

The VM takes a few minutes to create. After creation, take note of the publicIpAddress in the returned output. This address is used to access the VM from the internet in a later step.

Confirm access to the storage account

SSH into the myVmPrivate VM. Replace <publicIpAddress> with the public IP address of your myVmPrivate VM.

ssh <publicIpAddress>

Create a folder for a mount point:

sudo mkdir /mnt/MyAzureFileShare

Mount the Azure file share to the directory you created. Before running the following command, replace <storage-account-name> with the account name and <storage-account-key> with the key you retrieved in Create a storage account.

sudo mount --types cifs //<storage-account-name>.file.core.chinacloudapi.cn/my-file-share /mnt/MyAzureFileShare --options vers=3.0,username=<storage-account-name>,password=<storage-account-key>,dir_mode=0777,file_mode=0777,serverino

You receive the user@myVmPrivate:~$ prompt, and the Azure file share is successfully mounted at /mnt/MyAzureFileShare.

Confirm that the VM has no outbound connectivity to any other public IP addresses:

ping bing.com -c 4

You receive no replies, because the network security group associated with the Private subnet does not allow outbound access to public IP addresses other than the addresses assigned to the Azure Storage service.

Exit the SSH session to the myVmPrivate VM.

Confirm access is denied to the storage account

Use the following command to create an SSH session with the myVmPublic VM. Replace <publicIpAddress> with the public IP address of your myVmPublic VM:

ssh <publicIpAddress>

Create a directory for a mount point:

sudo mkdir /mnt/MyAzureFileShare

Attempt to mount the Azure file share to the directory you created. This article assumes you deployed the latest version of Ubuntu. If you are using an earlier version of Ubuntu, see Mount on Linux for additional instructions about mounting file shares. Before running the following command, replace <storage-account-name> with the account name and <storage-account-key> with the key you retrieved in Create a storage account:

sudo mount --types cifs //<storage-account-name>.file.core.chinacloudapi.cn/my-file-share /mnt/MyAzureFileShare --options vers=3.0,username=<storage-account-name>,password=<storage-account-key>,dir_mode=0777,file_mode=0777,serverino

Access is denied, and you receive a mount error(13): Permission denied error, because the myVmPublic VM is deployed within the Public subnet. The Public subnet does not have a service endpoint enabled for Azure Storage, and the storage account only allows network access from the Private subnet, not the Public subnet.

Exit the SSH session to the myVmPublic VM.

From your computer, attempt to view the shares in your storage account with az storage share list. Replace <account-name> and <account-key> with the storage account name and key from Create a storage account:

az storage share list \
  --account-name <account-name> \
  --account-key <account-key>

Access is denied and you receive a This request is not authorized to perform this operation error, because your computer is not in the Private subnet of the myVirtualNetwork virtual network.

Clean up resources

When no longer needed, use az group delete to remove the resource group and all of the resources it contains.

az group delete --name myResourceGroup --yes

Next steps

In this article, you enabled a service endpoint for a virtual network subnet. You learned that service endpoints can be enabled for resources deployed with multiple Azure services. You created an Azure Storage account and limited network access to the storage account to only resources within a virtual network subnet. To learn more about service endpoints, see Service endpoints overview and Manage subnets.

If you have multiple virtual networks in your account, you may want to connect two virtual networks together so the resources within each virtual network can communicate with each other. To learn how, see Connect virtual networks.