What is IP address 168.63.129.16?

IP address 168.63.129.16 is a virtual public IP address that is used to facilitate a communication channel to Azure platform resources. Customers can define any address space for their private virtual network in Azure. Therefore, the Azure platform resources must be presented as a unique public IP address. This virtual public IP address facilitates the following things:

  • Enables the VM Agent to communicate with the Azure platform to signal that it is in a "Ready" state.
  • Enables communication with the DNS virtual server to provide filtered name resolution to the resources (such as VMs) that do not have a custom DNS server. This filtering makes sure that customers can resolve only the hostnames of their resources.
  • Enables health probes from Azure load balancer to determine the health state of VMs.
  • Enables the VM to obtain a dynamic IP address from the DHCP service in Azure.
  • Enables Guest Agent heartbeat messages for the PaaS role.

Scope of IP address 168.63.129.16

The public IP address 168.63.129.16 is used in all regions and all national clouds. This special public IP address is owned by Azure and will not change. We recommend that you allow this IP address in any local (in the VM) firewall policies (outbound direction). The communication between this special IP address and the resources is safe because only the internal Azure platform can source a message from this IP address. If this address is blocked, unexpected behavior can occur in a variety of scenarios. 168.63.129.16 is a virtual IP of the host node and, as such, it is not subject to user-defined routes.

  • The VM Agent requires outbound communication over ports 80, 443, 32526 with WireServer (168.63.129.16). These ports should be open in the local firewall on the VM. The communication on these ports with 168.63.129.16 is not subject to the configured network security groups.

  • 168.63.129.16 can provide DNS services to the VM. If this is not desired, this traffic can be blocked in the local firewall on the VM. By default, DNS communication is not subject to the configured network security groups unless it is specifically targeted by using the AzurePlatformDNS service tag.

  • When the VM is part of a load balancer backend pool, health probe communication should be allowed to originate from 168.63.129.16. The default network security group configuration has a rule that allows this communication. This rule leverages the AzureLoadBalancer service tag. If desired, this traffic can be blocked by configuring the network security group; however, this will result in probes that fail.

In a non-virtual network scenario (Classic), the health probe is sourced from a private IP and 168.63.129.16 is not used.
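
An added example (not from the original page): a Python check that reads `iptables-save` output from inside a Linux VM and reports what the local firewall's OUTPUT chain does with VM Agent traffic to 168.63.129.16 on ports 80, 443 and 32526. The sample ruleset is constructed, the function names are hypothetical, and only `-d`, `-p` and `--dport`/`--dports` matches are evaluated (negated matches and jumps to user chains are assumed absent).

```python
import ipaddress
import shlex
WIRESERVER = ipaddress.ip_address("168.63.129.16")
AGENT_PORTS = (80, 443, 32526)  # VM Agent ports named on this page

# Constructed sample: default-deny egress that allows 80/443 but omits 32526.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -d 168.63.129.16/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
COMMIT
"""

def _in_spec(port, spec):
    """True if port is in an iptables port spec such as '80,443' or '32000:33000'."""
    ranges = (part.partition(":") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(ruleset, port, chain="OUTPUT"):
    """First terminal target the filter table applies to TCP WireServer:port."""
    table, policy = "filter", "ACCEPT"
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok and tok[0].startswith("*"):
            table = tok[0][1:]        # "*nat", "*filter", ... section header
        if not tok or table != "filter":
            continue
        if tok[0] == ":" + chain:
            policy = tok[1]           # chain default, used when no rule matches
        if tok[:2] != ["-A", chain]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # assumes option/value pairs only
        dst = ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False)
        spec = opts.get("--dport") or opts.get("--dports")
        if (WIRESERVER in dst and opts.get("-p", "all") in ("tcp", "all")
                and (spec is None or _in_spec(port, spec))
                and opts.get("-j") in ("ACCEPT", "DROP", "REJECT")):
            return opts["-j"]
    return policy

def audit(ruleset):
    """Map each VM Agent port to the verdict the OUTPUT chain gives it."""
    return {port: verdict(ruleset, port) for port in AGENT_PORTS}

if __name__ == "__main__":
    for port, action in audit(SAMPLE).items():
        print(f"168.63.129.16:{port}/tcp -> {action}")
```

Any port reported as DROP or REJECT is one the local firewall still has to open; network security groups need no matching rule, since traffic on these ports is not subject to them.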
