Configure firewalls for Azure Stack HCI

Applies to: Azure Stack HCI, version 20H2

This topic provides guidance on how to configure firewalls for the Azure Stack HCI operating system. It includes connectivity requirements, and explains how service tags group the Azure IP addresses that the operating system needs to access. The topic also provides steps to update Microsoft Defender Firewall.

Connectivity requirements

Azure Stack HCI needs to periodically connect to Azure. Access is limited to only:

  • Well-known Azure IPs
  • Outbound direction
  • Port 443 (HTTPS)

For more information, see the "Azure Stack HCI connectivity" section of the Azure Stack HCI FAQ.

This topic describes how to optionally use a highly locked-down firewall configuration that blocks all traffic to all destinations except those included on your allow list.

Important

If outbound connectivity is restricted by your external corporate firewall or proxy server, ensure that the URLs listed in the table below are not blocked. For related information, see the "Networking configuration" section of Overview of Azure Arc enabled servers agent.

As shown below, Azure Stack HCI may reach Azure through more than one firewall: the host firewall on each server, and possibly an external corporate firewall or proxy as well.

Diagram showing Azure Stack HCI accessing service tag endpoints through a firewall on port 443 (HTTPS).

Working with service tags

A service tag represents a group of IP addresses from a given Azure service. Microsoft manages the IP addresses included in the service tag, and automatically updates the service tag as IP addresses change, to keep the updates you have to make to a minimum. To learn more, see Virtual network service tags.

Required endpoint daily access (after Azure registration)

Azure maintains well-known IP addresses for Azure services that are organized using service tags. Azure publishes a weekly JSON file of all the IP addresses for every service. The IP addresses don't change often, but they do change a few times per year. The following table shows the service tag endpoints that the operating system needs to access.

Description | Service tag for IP range | URL
Azure Active Directory | AzureActiveDirectory | https://login.microsoftonline.com, https://graph.microsoft.com
Azure Resource Manager | AzureResourceManager | https://management.azure.com
Azure Stack HCI Cloud Service | AzureFrontDoor.Frontend | https://azurestackhci.azurefd.net
Azure Arc | AzureArcInfrastructure, AzureTrafficManager | Depends on the functionality you want to use. Hybrid Identity Service: *.his.arc.azure.com; Guest Configuration: *.guestconfiguration.azure.com. Note: Expect more URLs as we enable more functionality.

Update Microsoft Defender Firewall

This section shows how to configure Microsoft Defender Firewall to allow the operating system to connect to the IP addresses associated with a service tag:

  1. Download the JSON file from the following resource to the target computer running the operating system: Azure IP Ranges and Service Tags – Public Cloud.

  2. Use the following PowerShell command to open the JSON file:

    $json = Get-Content -Path .\ServiceTags_Public_20201012.json | ConvertFrom-Json
    
  3. Get the list of IP address ranges for a given service tag, such as the "AzureResourceManager" service tag:

    $IpList = ($json.values | where Name -Eq "AzureResourceManager").properties.addressPrefixes
    
  4. Import the list of IP addresses to your external corporate firewall, if you're using an allow list with it.

  5. Create a firewall rule for each server in the cluster to allow outbound 443 (HTTPS) traffic to the list of IP address ranges. Because the traffic is outbound, the HTTPS port is the remote port; the local port is an ephemeral client port, so it is not specified:

    New-NetFirewallRule -DisplayName "Allow Azure Resource Manager" -RemoteAddress $IpList -Direction Outbound -RemotePort 443 -Protocol TCP -Action Allow -Profile Any -Enabled True
    
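The five steps above create one rule for one service tag. The script below is an added example, not code from the Azure Stack HCI documentation: it runs the same procedure for every service tag in the table, creates or refreshes a rule per tag so that a newer weekly JSON file can be re-imported in place, and then verifies connectivity to one of the table's endpoints. The JSON file name, the rule naming scheme and the parameter defaults are assumptions of this example.

```powershell
# Added example (not from the Azure Stack HCI documentation): build one outbound
# allow rule per service tag from the published Azure IP ranges JSON file.
# Assumptions: the JSON was downloaded to $JsonPath; rule names are this script's own.
param(
    [string]$JsonPath = ".\ServiceTags_Public_20201012.json",
    [string[]]$ServiceTags = @(
        "AzureActiveDirectory",
        "AzureResourceManager",
        "AzureFrontDoor.Frontend",
        "AzureArcInfrastructure",
        "AzureTrafficManager"
    )
)

$json = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json
# changeNumber increases with each published revision; log it so you can tell
# which revision the rules on this server were built from.
Write-Host "Service tag file change number: $($json.changeNumber)"

foreach ($tag in $ServiceTags) {
    $entry = $json.values | Where-Object Name -eq $tag
    if (-not $entry) {
        Write-Warning "Service tag '$tag' not found in $JsonPath; skipping."
        continue
    }
    $prefixes = $entry.properties.addressPrefixes   # IPv4 and IPv6 CIDR strings
    $ruleName = "AzureStackHCI-Allow-$tag"

    $existing = Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Refresh the address list in place when a newer JSON file is imported
        $existing | Set-NetFirewallRule -RemoteAddress $prefixes
    } else {
        # Outbound HTTPS: destination (remote) port 443, local port left unspecified
        New-NetFirewallRule -Name $ruleName -DisplayName "Allow $tag (outbound 443)" `
            -Direction Outbound -Protocol TCP -RemotePort 443 -RemoteAddress $prefixes `
            -Action Allow -Profile Any -Enabled True | Out-Null
    }
    Write-Host ("{0}: {1} prefixes" -f $ruleName, $prefixes.Count)
}

# Verify that the Azure Resource Manager endpoint from the table is reachable
Test-NetConnection -ComputerName management.azure.com -Port 443 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Run the script on each server in the cluster; when the next weekly JSON file is published, run it again with the new file and the existing rules are updated rather than duplicated. If the cluster's default outbound policy is Block, the Test-NetConnection result at the end is the quickest check that the rule for the relevant tag actually matches the address the endpoint resolves to.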

Additional endpoint for one-time Azure registration

During the Azure registration process, when you run Register-AzStackHCI or use Windows Admin Center, the cmdlet tries to contact the PowerShell Gallery to verify that you have the latest version of the required PowerShell modules, such as Az and AzureAD. Although the PowerShell Gallery is hosted on Azure, there currently isn't a service tag for it. If you can't run the Register-AzStackHCI cmdlet from a server node because it has no internet access, we recommend downloading the modules to your management computer, and then manually transferring them to the server node where you want to run the cmdlet.
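One way to do that download-and-transfer, as an added example rather than a procedure from the documentation: stage the modules with Save-Module on a management computer that can reach the PowerShell Gallery, copy them over a PowerShell remoting session to the all-users module path on the node, and confirm the node sees them offline. The staging folder, node name and destination path are assumptions of this example.

```powershell
# Added example (not from the Azure Stack HCI documentation): stage the Az and
# AzureAD modules on a management computer with internet access, then copy them
# to a server node that has no outbound access to the PowerShell Gallery.
# Assumptions: $Staging, $NodeName and $Destination are values chosen for this example.
$Staging     = "C:\ModuleStaging"
$NodeName    = "hci-node01"
$Destination = "C:\Program Files\WindowsPowerShell\Modules"   # all-users module path

New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# Save-Module downloads a module and its dependencies without installing them locally
Save-Module -Name Az, AzureAD -Path $Staging -Repository PSGallery

# Copy each staged module folder to the node over a remoting session
$session = New-PSSession -ComputerName $NodeName
Get-ChildItem -Path $Staging -Directory | ForEach-Object {
    Copy-Item -Path $_.FullName -Destination $Destination -Recurse -Force -ToSession $session
}

# Confirm the node can discover the modules without contacting the gallery
Invoke-Command -Session $session -ScriptBlock {
    Get-Module -ListAvailable -Name Az, AzureAD | Select-Object Name, Version
}
Remove-PSSession $session
```

Save-Module pulls the whole dependency tree (for Az, that is every Az.* sub-module), so the staging folder contains more than two directories; copying every directory under it is what makes Register-AzStackHCI find the modules it checks for.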

Next steps

For more information, see also: