Azure Stack Hub ruggedized network integration

This topic covers Azure Stack network integration.

Network integration planning is an important prerequisite for successful Azure Stack integrated systems deployment, operation, and management. Border connectivity planning begins by choosing whether you want to use dynamic routing with Border Gateway Protocol (BGP). This requires assigning a 16-bit BGP autonomous system number (public or private), or using static routing, where a static default route is assigned to the border devices.

The top of rack (TOR) switches require Layer 3 uplinks with point-to-point IPs (/30 networks) configured on the physical interfaces. Layer 2 uplinks to the TOR switches aren't supported for Azure Stack operations.

BGP routing

Using a dynamic routing protocol like BGP ensures that your system is always aware of network changes and simplifies administration. For enhanced security, a password can be set on the BGP peering between the TOR and the border.

As shown in the following diagram, advertising of the private IP space on the TOR switch is blocked using a prefix list. The prefix list denies the advertisement of the private network and is applied as a route map on the connection between the TOR and the border.

The Software Load Balancer (SLB) running inside the Azure Stack solution peers to the TOR devices so that it can dynamically advertise the VIP addresses.

To ensure that user traffic immediately and transparently recovers from failure, the VPC or MLAG configured between the TOR devices allows the use of multi-chassis link aggregation to the hosts, and HSRP or VRRP provides network redundancy for the IP networks.

Static routing

Static routing requires additional configuration of the border devices. It requires more manual intervention and management, as well as thorough analysis before any change. Issues caused by a configuration error may take more time to roll back, depending on the changes made. This routing method isn't recommended, but it's supported.

To integrate Azure Stack into your networking environment using static routing, all four physical links between the border and the TOR devices must be connected. High availability can't be guaranteed because of how static routing works.

The border device must be configured with static routes pointing to each one of the four P2P IPs set between the TOR and the border for traffic destined to any network inside Azure Stack, but only the External or Public VIP network is required for operation. Static routes to the BMC and the External networks are required for initial deployment. Operators can choose to leave static routes in the border to access management resources that reside on the BMC* and the Infrastructure network. Adding static routes to the Switch Infrastructure** and Switch Management*** networks is optional.

The TOR devices are configured with a static default route that sends all traffic to the border devices. The one traffic exception to the default rule is the private space, which is blocked using an access control list applied on the TOR-to-border connection.

Static routing applies only to the uplinks between the TOR and border switches. BGP dynamic routing is used inside the rack because it's an essential tool for the SLB and other components and can't be disabled or removed.

* The BMC network is optional after deployment.

** The Switch Infrastructure network is optional, as the whole network can be included in the Switch Management network.

*** The Switch Management network is required and can be added separately from the Switch Infrastructure network.

Transparent proxy

If your datacenter requires all traffic to use a proxy, you must configure a transparent proxy to process all traffic from the rack and handle it according to policy, separating traffic between the zones on your network.

The Azure Stack solution doesn't support normal web proxies.

A transparent proxy (also known as an intercepting, inline, or forced proxy) intercepts normal communication at the network layer without requiring any special client configuration. Clients don't need to be aware of the existence of the proxy.

SSL traffic interception isn't supported and can lead to service failures when accessing endpoints. The maximum supported timeout to communicate with the endpoints required for identity is 60 seconds, with 3 retry attempts.

DNS

This section covers Domain Name System (DNS) configuration.

Configure conditional DNS forwarding

This only applies to an AD FS deployment.

To enable name resolution with your existing DNS infrastructure, configure conditional forwarding.

To add a conditional forwarder, you must use the privileged endpoint.

For this procedure, use a computer in your datacenter network that can communicate with the privileged endpoint in Azure Stack.

  1. Open an elevated Windows PowerShell session (run as administrator), and connect to the IP address of the privileged endpoint. Use the credentials for CloudAdmin authentication.

    # Prompt for the CloudAdmin credentials, then open the constrained privileged endpoint session
    $cred = Get-Credential
    Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $cred
    
  2. After you connect to the privileged endpoint, run the following PowerShell command. Substitute the sample values with your domain name and the IP addresses of the DNS servers you want to use.

    Register-CustomDnsServer -CustomDomainName "contoso.com" -CustomDnsIPAddresses "192.168.1.1","192.168.1.2" 
    

Resolving Azure Stack DNS names from outside Azure Stack

The authoritative servers are the ones that hold the external DNS zone information and any user-created zones. Integrate with these servers to enable zone delegation or conditional forwarding so that Azure Stack DNS names can be resolved from outside Azure Stack.

Get DNS server external endpoint information

To integrate your Azure Stack deployment with your DNS infrastructure, you need the following information:

  • DNS server FQDNs

  • DNS server IP addresses

The FQDNs for the Azure Stack DNS servers have the following format:

<NAMINGPREFIX>-ns01.<REGION>.<EXTERNALDOMAINNAME>

<NAMINGPREFIX>-ns02.<REGION>.<EXTERNALDOMAINNAME>

Using the sample values, the FQDNs for the DNS servers are:

azs-ns01.east.cloud.fabrikam.com

azs-ns02.east.cloud.fabrikam.com

This information is available in the admin portal, and it's also written at the end of every Azure Stack deployment to a file named AzureStackStampInformation.json. This file is located in the C:\CloudDeployment\logs folder of the Deployment virtual machine. If you're not sure what values were used for your Azure Stack deployment, you can get the values from there.

If the Deployment virtual machine is no longer available or is inaccessible, you can obtain the values by connecting to the privileged endpoint and running the Get-AzureStackStampInformation PowerShell cmdlet. For more information, see privileged endpoint.

Setting up conditional forwarding to Azure Stack

The simplest and most secure way to integrate Azure Stack with your DNS infrastructure is to do conditional forwarding of the zone from the server that hosts the parent zone. This approach is recommended if you have direct control over the DNS servers that host the parent zone for your Azure Stack external DNS namespace.

If you're not familiar with how to do conditional forwarding with DNS, see the TechNet article Assign a Conditional Forwarder for a Domain Name, or the documentation specific to your DNS solution.

In scenarios where you specified your external Azure Stack DNS zone to look like a child domain of your corporate domain name, conditional forwarding can't be used. DNS delegation must be configured.

Example:

  • Corporate DNS domain name: contoso.com

  • Azure Stack external DNS domain name: azurestack.contoso.com

Editing DNS forwarder IPs

DNS forwarder IPs are set during deployment of Azure Stack. However, if the forwarder IPs need to be updated for any reason, you can edit the values by connecting to the privileged endpoint and running the Get-AzSDnsForwarder and Set-AzSDnsForwarder [[-IPAddress] <IPAddress[]>] PowerShell cmdlets. For more information, see privileged endpoint.
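The following script is an added example, not part of this article or of the Azure Stack product, that puts the two privileged endpoint tasks described above (registering a conditional forwarder for an AD FS deployment, and reading and replacing the DNS forwarder IPs) into one non-interactive session. The ERCS IP address, the corporate domain, and all DNS server addresses are placeholder values you must replace; every address is validated before it is sent to the privileged endpoint, and the session is always removed afterwards.

```powershell
# Added example (not from the Azure Stack documentation). All values below are assumed placeholders.
$ErcsIp           = "192.168.200.225"            # assumed: IP address of the privileged endpoint (ERCS)
$CustomDomain     = "contoso.com"                # corporate domain to forward conditionally (AD FS deployments only)
$CustomDnsServers = "192.168.1.1", "192.168.1.2" # sample values from the article
$NewForwarderIps  = "10.10.0.53", "10.10.1.53"   # assumed: replacement DNS forwarder IPs

# Validate every address locally; a typo here would otherwise be applied to the stamp's DNS configuration
foreach ($ip in @($ErcsIp) + $CustomDnsServers + $NewForwarderIps) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        throw "Not a valid IP address: $ip"
    }
}

$cred = Get-Credential -Message "CloudAdmin credentials for the privileged endpoint"
$pep  = New-PSSession -ComputerName $ErcsIp -ConfigurationName PrivilegedEndpoint -Credential $cred

try {
    # 1. Conditional forwarding for the corporate domain (same cmdlet as step 2 of the procedure above)
    Invoke-Command -Session $pep -ArgumentList $CustomDomain, $CustomDnsServers -ScriptBlock {
        param($Domain, $Servers)
        Register-CustomDnsServer -CustomDomainName $Domain -CustomDnsIPAddresses $Servers
    }

    # 2. Record the forwarder IPs set at deployment before changing them, so the change can be reverted
    $before = Invoke-Command -Session $pep -ScriptBlock { Get-AzSDnsForwarder }
    Write-Host "Forwarders before change: $(@($before) -join ', ')"

    Invoke-Command -Session $pep -ArgumentList (,$NewForwarderIps) -ScriptBlock {
        param($Forwarders)
        Set-AzSDnsForwarder -IPAddress $Forwarders
    }

    $after = Invoke-Command -Session $pep -ScriptBlock { Get-AzSDnsForwarder }
    Write-Host "Forwarders after change:  $(@($after) -join ', ')"
}
finally {
    # Never leave a privileged endpoint session open
    Remove-PSSession $pep
}
```

The privileged endpoint is a constrained session, so the script keeps each call to a single cmdlet and passes values in with -ArgumentList rather than relying on local variables being visible remotely. The "before" output is worth keeping in your change record: it is the only copy of the original forwarder IPs once Set-AzSDnsForwarder has run.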

Delegating the external DNS zone to Azure Stack

For DNS names to be resolvable from outside an Azure Stack deployment, you need to set up DNS delegation.

Each registrar has its own DNS management tools to change the name server records for a domain. In the registrar's DNS management page, edit the NS records and replace the NS records for the zone with the ones in Azure Stack.

Most DNS registrars require you to provide a minimum of two DNS servers to complete the delegation.
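As an added example (not from this article), the following script checks a delegation from a machine outside Azure Stack: it confirms that the parent zone publishes the two Azure Stack name servers as NS records, that each of those servers answers directly for a name in the zone, and what the normal resolver path returns. The zone and name server names are the sample values used in this article; the parent-zone server name ns1.fabrikam.com is an assumption to replace.

```powershell
# Added example (not from the Azure Stack documentation). Sample values from the article; parent server is assumed.
$ExternalZone = "east.cloud.fabrikam.com"
$ExpectedNs   = "azs-ns01.east.cloud.fabrikam.com", "azs-ns02.east.cloud.fabrikam.com"
$ParentServer = "ns1.fabrikam.com"      # assumed: a server authoritative for the parent zone cloud.fabrikam.com
$TestHost     = "portal.$ExternalZone"  # user portal A record, as listed in the Firewall section

# 1. NS records for the zone as published by the parent (registrar or corporate DNS).
#    -DnsOnly bypasses hosts file and cache so the answer reflects what other clients will see.
$nsRecords = Resolve-DnsName -Name $ExternalZone -Type NS -Server $ParentServer -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'NS' } |
             ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }

$missing = $ExpectedNs | Where-Object { $_.ToLower() -notin $nsRecords }
if ($missing) {
    Write-Warning "Delegation incomplete; the parent zone doesn't list: $($missing -join ', ')"
}
elseif (@($nsRecords).Count -lt 2) {
    Write-Warning "Fewer than two name servers are delegated; most registrars require at least two"
}
else {
    Write-Host "Parent zone delegates $ExternalZone to: $($nsRecords -join ', ')"
}

# 2. Each Azure Stack DNS server must answer for a name in the zone on its own (TCP/UDP 53 must be open inbound)
foreach ($ns in $ExpectedNs) {
    try {
        $a = Resolve-DnsName -Name $TestHost -Type A -Server $ns -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        Write-Host ("{0}: {1} -> {2}" -f $ns, $TestHost, ($a.IPAddress -join ', '))
    }
    catch {
        Write-Warning "$ns did not answer for ${TestHost}: $($_.Exception.Message)"
    }
}

# 3. What a client sees through its normal resolver path (delegation plus any caching resolvers in between)
Resolve-DnsName -Name $TestHost -Type A -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress, TTL
```

Step 2 failing while step 1 succeeds usually means the NS records are correct but port 53 toward the public VIP network is blocked, which the Firewall section below covers; the reverse (step 2 succeeds, step 1 fails) points at the registrar or parent-zone change not having propagated.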

Firewall

Azure Stack sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that's specified at deployment time. For example, the user portal is assigned the DNS host entry portal.<region>.<fqdn>.

The following architectural diagram shows the different network layers and ACLs:

(Diagram: architectural diagram showing the different network layers and ACLs.)

Ports and URLs

To make Azure Stack services (like the portals, Azure Resource Manager, DNS, and so on) available to external networks, you must allow inbound traffic to these endpoints for specific URLs, ports, and protocols.

In a deployment where a transparent proxy uplinks to a traditional proxy server, or where a firewall is protecting the solution, you must allow specific ports and URLs for both inbound and outbound communication. These include ports and URLs for identity, the marketplace, patch and update, registration, and usage data.

Outbound communication

Azure Stack supports only transparent proxy servers. In a deployment with a transparent proxy uplink to a traditional proxy server, you must allow the ports and URLs in the following table for outbound communication when deploying in connected mode.

SSL traffic interception isn't supported and can lead to service failures when accessing endpoints. The maximum supported timeout to communicate with the endpoints required for identity is 60 seconds.

Note

Azure Stack doesn't support using ExpressRoute to reach the Azure services listed in the following table, because ExpressRoute may not be able to route traffic to all of the endpoints.

| Purpose | Destination URL | Protocol | Ports | Source network |
|---|---|---|---|---|
| Identity | **Azure**<br>login.windows.net<br>login.microsoftonline.com<br>graph.windows.net<br>https://secure.aadcdn.microsoftonline-p.com<br>www.office.com<br>ManagementServiceUri = https://management.core.windows.net<br>ARMUri = https://management.azure.com<br>https://\*.msftauth.net<br>https://\*.msauth.net<br>https://\*.msocdn.com<br>**Azure Government**<br>https://login.microsoftonline.us/<br>https://graph.windows.net/<br>**Azure China 21Vianet**<br>https://login.chinacloudapi.cn/<br>https://graph.chinacloudapi.cn/<br>**Azure Germany**<br>https://login.microsoftonline.de/<br>https://graph.cloudapi.de/ | HTTP<br>HTTPS | 80<br>443 | Public VIP - /27<br>Public infrastructure network |
| Marketplace syndication | **Azure**<br>https://management.azure.com<br>https://\*.blob.core.windows.net<br>https://\*.azureedge.net<br>**Azure Government**<br>https://management.usgovcloudapi.net/<br>https://\*.blob.core.usgovcloudapi.net/<br>**Azure China 21Vianet**<br>https://management.chinacloudapi.cn/<br>http://\*.blob.core.chinacloudapi.cn | HTTPS | 443 | Public VIP - /27 |
| Patch & Update | https://\*.azureedge.net<br>https://aka.ms/azurestackautomaticupdate | HTTPS | 443 | Public VIP - /27 |
| Registration | **Azure**<br>https://management.azure.com<br>**Azure Government**<br>https://management.usgovcloudapi.net/<br>**Azure China 21Vianet**<br>https://management.chinacloudapi.cn | HTTPS | 443 | Public VIP - /27 |
| Usage | **Azure**<br>https://\*.trafficmanager.net<br>**Azure Government**<br>https://\*.usgovtrafficmanager.net<br>**Azure China 21Vianet**<br>https://\*.trafficmanager.cn | HTTPS | 443 | Public VIP - /27 |
| Windows Defender | \*.wdcp.microsoft.com<br>\*.wdcpalt.microsoft.com<br>\*.wd.microsoft.com<br>\*.update.microsoft.com<br>\*.download.microsoft.com<br>https://www.microsoft.com/pkiops/crl<br>https://www.microsoft.com/pkiops/certs<br>https://crl.microsoft.com/pki/crl/products<br>https://www.microsoft.com/pki/certs<br>https://secure.aadcdn.microsoftonline-p.com | HTTPS | 80<br>443 | Public VIP - /27<br>Public infrastructure network |
| NTP | (IP of the NTP server provided for deployment) | UDP | 123 | Public VIP - /27 |
| DNS | (IP of the DNS server provided for deployment) | TCP<br>UDP | 53 | Public VIP - /27 |
| CRL | (URL under CRL Distribution Points on your certificate) | HTTP | 80 | Public VIP - /27 |
| LDAP | Active Directory forest provided for Graph integration | TCP<br>UDP | 389 | Public VIP - /27 |
| LDAP SSL | Active Directory forest provided for Graph integration | TCP | 636 | Public VIP - /27 |
| LDAP GC | Active Directory forest provided for Graph integration | TCP | 3268 | Public VIP - /27 |
| LDAP GC SSL | Active Directory forest provided for Graph integration | TCP | 3269 | Public VIP - /27 |
| AD FS | AD FS metadata endpoint provided for AD FS integration | TCP | 443 | Public VIP - /27 |
| Diagnostic log collection service | Azure Storage provided blob SAS URL | HTTPS | 443 | Public VIP - /27 |

Inbound communication

A set of infrastructure VIPs is required for publishing Azure Stack endpoints to external networks. The Endpoint (VIP) table shows each endpoint, the required port, and the protocol. Refer to the deployment documentation of the specific resource provider for endpoints that require additional resource providers, like the SQL resource provider.

Internal infrastructure VIPs aren't listed because they're not required for publishing Azure Stack. User VIPs are dynamic and defined by the users themselves, with no control by the Azure Stack operator.

Note

IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP port 500 and 4500 and TCP port 50. Firewalls don't always open these ports, so an IKEv2 VPN might not be able to traverse proxies and firewalls.

| Endpoint (VIP) | DNS host A record | Protocol | Ports |
|---|---|---|---|
| AD FS | Adfs.<region>.<fqdn> | HTTPS | 443 |
| Portal (administrator) | Adminportal.<region>.<fqdn> | HTTPS | 443 |
| Adminhosting | \*.adminhosting.<region>.<fqdn> | HTTPS | 443 |
| Azure Resource Manager (administrator) | Adminmanagement.<region>.<fqdn> | HTTPS | 443 |
| Portal (user) | Portal.<region>.<fqdn> | HTTPS | 443 |
| Azure Resource Manager (user) | Management.<region>.<fqdn> | HTTPS | 443 |
| Graph | Graph.<region>.<fqdn> | HTTPS | 443 |
| Certificate revocation list | Crl.<region>.<fqdn> | HTTP | 80 |
| DNS | \*.<region>.<fqdn> | TCP & UDP | 53 |
| Hosting | \*.hosting.<region>.<fqdn> | HTTPS | 443 |
| Key Vault (user) | \*.vault.<region>.<fqdn> | HTTPS | 443 |
| Key Vault (administrator) | \*.adminvault.<region>.<fqdn> | HTTPS | 443 |
| Storage Queue | \*.queue.<region>.<fqdn> | HTTP<br>HTTPS | 80<br>443 |
| Storage Table | \*.table.<region>.<fqdn> | HTTP<br>HTTPS | 80<br>443 |
| Storage Blob | \*.blob.<region>.<fqdn> | HTTP<br>HTTPS | 80<br>443 |
| SQL Resource Provider | sqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
| MySQL Resource Provider | mysqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
| App Service | \*.appservice.<region>.<fqdn> | TCP | 80 (HTTP)<br>443 (HTTPS)<br>8172 (MSDeploy) |
| App Service | \*.scm.appservice.<region>.<fqdn> | TCP | 443 (HTTPS) |
| App Service | api.appservice.<region>.<fqdn> | TCP | 443 (HTTPS)<br>44300 (Azure Resource Manager) |
| App Service | ftp.appservice.<region>.<fqdn> | TCP, UDP | 21, 1021, 10001-10100 (FTP)<br>990 (FTPS) |
| VPN Gateways | See the VPN gateway FAQ. | | |
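The following script is an added example, not part of this article, for validating the inbound rules above from a machine on the external network. It walks a subset of the Endpoint (VIP) table, checks first that each name resolves (a missing A record is a delegation or forwarding problem, not a firewall problem) and then that each TCP port answers, and finally queries one of the Azure Stack DNS servers directly to cover the UDP/TCP 53 row that a TCP probe can't exercise. The region, external FQDN, the representative names chosen for wildcard rows, and the DNS server name are assumed sample values.

```powershell
# Added example (not from the Azure Stack documentation). Run from the external network.
$Region = "east"               # assumed sample region
$Fqdn   = "cloud.fabrikam.com" # assumed sample external domain name
$AzsDns = "azs-ns01.$Region.$Fqdn"

# Subset of the Endpoint (VIP) table. Wildcard rows are probed through one representative name (assumed).
$endpoints = @(
    @{ Name = "adfs.$Region.$Fqdn";                 Ports = 443 }
    @{ Name = "adminportal.$Region.$Fqdn";          Ports = 443 }
    @{ Name = "adminmanagement.$Region.$Fqdn";      Ports = 443 }
    @{ Name = "portal.$Region.$Fqdn";               Ports = 443 }
    @{ Name = "management.$Region.$Fqdn";           Ports = 443 }
    @{ Name = "graph.$Region.$Fqdn";                Ports = 443 }
    @{ Name = "crl.$Region.$Fqdn";                  Ports = 80 }
    @{ Name = "sqladapter.dbadapter.$Region.$Fqdn"; Ports = 44300..44304 }
    @{ Name = "example.blob.$Region.$Fqdn";         Ports = 80, 443 }  # assumed storage account name for *.blob
    @{ Name = "example.vault.$Region.$Fqdn";        Ports = 443 }      # assumed vault name for *.vault
)

$results = foreach ($e in $endpoints) {
    # Resolve first so a DNS failure isn't misreported as a closed port
    $dns = Resolve-DnsName -Name $e.Name -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    foreach ($port in $e.Ports) {
        $tcp = $false
        if ($dns) {
            $tcp = (Test-NetConnection -ComputerName $e.Name -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{ Endpoint = $e.Name; Port = $port; Resolves = [bool]$dns; TcpOpen = [bool]$tcp }
    }
}

$results | Format-Table -AutoSize

# DNS row (port 53): ask the Azure Stack name server directly instead of probing TCP 53
try {
    $direct = Resolve-DnsName -Name "portal.$Region.$Fqdn" -Type A -Server $AzsDns -DnsOnly -ErrorAction Stop
    Write-Host "Direct query to ${AzsDns}: $(($direct | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', ')"
}
catch {
    Write-Warning "Port 53 to $AzsDns appears blocked or the server didn't answer: $($_.Exception.Message)"
}

$failed = @($results | Where-Object { -not $_.TcpOpen })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) endpoint/port combinations are not reachable from this network"
}
```

The output distinguishes "doesn't resolve" from "resolves but port closed", which is the first question to settle when a newly published endpoint fails: the former is handled in the DNS section of this article, the latter by the firewall or ACL rules in this section.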