
What is Azure Network Watcher?

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network.

Monitoring

Monitor communication between a virtual machine and an endpoint

Endpoints can be another virtual machine (VM), a fully qualified domain name (FQDN), a uniform resource identifier (URI), or an IPv4 address. The connection monitor capability monitors communication at a regular interval and informs you of reachability, latency, and network topology changes between the VM and the endpoint. For example, you might have a web server VM that communicates with a database server VM. Someone in your organization may, unknown to you, apply a custom route or network security rule to the web server or database server VM or subnet.

If an endpoint becomes unreachable, connection troubleshoot informs you of the reason. Potential reasons are a DNS name resolution problem; the CPU, memory, or firewall within the operating system of a VM; the hop type of a custom route; or a security rule for the VM or subnet of the outbound connection. Learn more about security rules and route hop types in Azure.

Connection monitor also provides the minimum, average, and maximum latency observed over time. After learning the latency for a connection, you may find that you can decrease it by moving your Azure resources to different Azure regions. Learn more about determining relative latencies between Azure regions and internet service providers, and about how to monitor communication between a VM and an endpoint with connection monitor. If you'd rather test a connection at a point in time than monitor it over time, as connection monitor does, use the connection troubleshoot capability.

Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. Network performance monitor detects network issues like traffic blackholing and routing errors, as well as issues that conventional network monitoring methods can't detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device. Learn more about network performance monitor.

View resources in a virtual network and their relationships

As resources are added to a virtual network, it can become difficult to understand what resources are in a virtual network and how they relate to each other. The topology capability enables you to generate a visual diagram of the resources in a virtual network and the relationships between them. The following picture shows an example topology diagram for a virtual network that has three subnets, two VMs, network interfaces, public IP addresses, network security groups, route tables, and the relationships between the resources:

Topology view (diagram)

You can download an editable version of the picture in SVG format. Learn more about topology view.

Diagnostics

Diagnose network traffic filtering problems to or from a VM

When you deploy a VM, Azure applies several default security rules to the VM that allow or deny traffic to or from the VM. You might override Azure's default rules or create additional rules. At some point, a VM may become unable to communicate with other resources because of a security rule. The IP flow verify capability enables you to specify a source and destination IPv4 address, port, protocol (TCP or UDP), and traffic direction (inbound or outbound). IP flow verify then tests the communication and informs you whether the connection succeeds or fails. If the connection fails, IP flow verify tells you which security rule allowed or denied the communication, so that you can resolve the problem. Learn more about IP flow verify by completing the Diagnose a virtual machine network traffic filter problem tutorial.

Diagnose network routing problems from a VM

When you create a virtual network, Azure creates several default outbound routes for network traffic. The outbound traffic from all resources deployed in a virtual network, such as VMs, is routed based on Azure's default routes. You might override Azure's default routes or create additional routes. You may find that a VM can no longer communicate with other resources because of a specific route. The next hop capability enables you to specify a source and destination IPv4 address. Next hop then tests the communication and informs you what type of next hop is used to route the traffic. You can then remove, change, or add a route to resolve a routing problem. Learn more about the next hop capability.

Diagnose outbound connections from a VM

The connection troubleshoot capability enables you to test a connection between a VM and another VM, an FQDN, a URI, or an IPv4 address. The test returns information similar to what the connection monitor capability returns, but tests the connection at a point in time rather than monitoring it over time, as connection monitor does. Learn more about how to troubleshoot connections using connection troubleshoot.

Capture packets to and from a VM

Advanced filtering options and fine-tuned controls, such as the ability to set time and size limitations, provide versatility. The capture can be stored in Azure Storage, on the VM's disk, or both. You can then analyze the capture file using several standard network capture analysis tools. Learn more about packet capture.

Diagnose problems with an Azure virtual network gateway and connections

Virtual network gateways provide connectivity between on-premises resources and Azure virtual networks. Monitoring gateways and their connections is critical to ensuring communication is not broken. The VPN diagnostics capability provides the ability to diagnose gateways and connections. VPN diagnostics diagnoses the health of the gateway or gateway connection and informs you whether a gateway and its connections are available. If the gateway or connection is not available, VPN diagnostics tells you why, so you can resolve the problem. Learn more about VPN diagnostics by completing the Diagnose a communication problem between networks tutorial.

Determine relative latencies between Azure regions and internet service providers

You can query Network Watcher for latency information between Azure regions and across internet service providers. When you know latencies between Azure regions and across internet service providers, you can deploy Azure resources to optimize network response time. Learn more about relative latencies.

View security rules for a network interface

The effective security rules for a network interface are a combination of all security rules applied to the network interface and to the subnet the network interface is in. The security group view capability shows you all security rules applied to the network interface, the subnet the network interface is in, and the aggregate of both. With an understanding of which rules are applied to a network interface, you can add, remove, or change rules if they're allowing or denying traffic that you want to change. Learn more about security group view.
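The way subnet and NIC rules combine, and the "which rule decided" answer that IP flow verify gives, can be modelled in a few lines. This is an added example, not Network Watcher's own code: it follows the documented evaluation order (rules checked by ascending priority number, first match wins; inbound traffic must pass the subnet NSG and then the NIC NSG) over constructed rule sets, and it does not model service tags or application security groups.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int    # lower number is evaluated first (100-4096 custom, 65000+ default rules)
    direction: str   # "Inbound" or "Outbound"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # source CIDR or "*" (service tags are not modelled in this example)
    dest_port: str   # single port, "lo-hi" range or "*"
    access: str      # "Allow" or "Deny"

def first_match(rules, direction, protocol, src, dst_port):
    """Return the first rule matching the flow in ascending priority order, or None."""
    for r in sorted(rules, key=lambda r: r.priority):
        lo, _, hi = r.dest_port.partition("-")
        if (r.direction == direction
                and r.protocol in ("*", protocol)
                and (r.source == "*" or ip_address(src) in ip_network(r.source, strict=False))
                and (r.dest_port == "*" or int(lo) <= dst_port <= int(hi or lo))):
            return r
    return None

def verify_inbound(subnet_rules, nic_rules, protocol, src, dst_port):
    """Inbound traffic is checked against the subnet NSG first, then the NIC NSG, and
    both must allow it. Returns (decision, scope, deciding rule name), as IP flow verify reports."""
    decision = ("Allow", None, None)      # no NSG at either scope: nothing filters the flow
    for scope, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if not rules:
            continue                      # no NSG associated at this scope
        hit = first_match(rules, "Inbound", protocol, src, dst_port)
        if hit is None or hit.access == "Deny":
            return ("Deny", scope, hit.name if hit else None)
        decision = ("Allow", scope, hit.name)
    return decision

# Constructed sample rule sets for a web VM (not taken from any real subscription).
DENY_ALL = Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "Deny")
SUBNET_NSG = [Rule("AllowHttpsIn", 100, "Inbound", "Tcp", "*", "443", "Allow"),
              Rule("AllowMgmtFromVnet", 110, "Inbound", "Tcp", "10.0.0.0/8", "22-23", "Allow"),
              DENY_ALL]
NIC_NSG = [Rule("AllowSshFromVnet", 100, "Inbound", "Tcp", "10.0.0.0/8", "22", "Allow"),
           Rule("AllowHttpsIn", 200, "Inbound", "Tcp", "*", "443", "Allow"),
           DENY_ALL]
```

Feeding in the rules that security group view reports for a NIC shows which layer and which rule would decide a given flow, for example a flow the subnet NSG allows but the NIC NSG still denies.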

Metrics

There are limits to the number of network resources that you can create within an Azure subscription and region. If you reach the limits, you're unable to create more resources within the subscription or region. The network subscription limit capability provides a summary of how many of each network resource you have deployed in a subscription and region, and what the limit is for the resource. The following picture shows partial output for network resources deployed in the East US region for an example subscription:

Subscription limits (diagram)

The information is helpful when planning future resource deployments.

Logs

Analyze traffic to or from a network security group

Network security groups (NSGs) allow or deny inbound or outbound traffic to a network interface in a VM. The NSG flow log capability allows you to log the source and destination IP address, port, protocol, and whether traffic was allowed or denied by an NSG. You can analyze logs using a variety of tools, such as Power BI and the traffic analytics capability. Traffic analytics provides rich visualizations of data written to NSG flow logs. The following picture shows some of the information and visualizations that traffic analytics presents from NSG flow log data:

Traffic analytics (diagram)

Learn more about NSG flow logs by completing the Log network traffic to and from a virtual machine tutorial, and learn how to implement traffic analytics.
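NSG flow logs are written as JSON blobs in which each record groups comma-separated flow tuples under the rule that matched them. As an added example that is not part of this article or of Network Watcher, the parser below reads a constructed version 2 flow log and tallies denied inbound flows per source and destination port, a typical first step when reviewing NSG logs for unexpected probing; the tuple field order follows the public flow log schema, and the subscription id is a placeholder.

```python
import json
from collections import Counter

# Constructed NSG flow log in the version 2 schema (not a real capture); "<sub>" is a placeholder.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2020-01-01T12:00:35Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/<sub>/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1577880000,198.51.100.23,10.0.0.4,52011,3389,T,I,D,B,,,,",
            "1577880001,198.51.100.23,10.0.0.4,52012,22,T,I,D,B,,,,",
            "1577880002,203.0.113.9,10.0.0.4,40001,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHttpsIn", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1577880003,192.0.2.10,10.0.0.4,44310,443,T,I,A,B,,,,",
            "1577880040,192.0.2.10,10.0.0.4,44310,443,T,I,A,E,12,3400,9,8200"]}]}]}}]})

# Tuple positions: version 1 logs carry the first 8 fields, version 2 adds state and counters.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "direction",
          "decision", "state", "pkts_src", "bytes_src", "pkts_dst", "bytes_dst")

def parse_flow_log(text):
    """Yield one dict per flow tuple, tagged with the NSG, NIC MAC and the rule that matched it."""
    for record in json.loads(text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    parts = tup.split(",")
                    row = dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))
                    row.update(rule=rule_block["rule"], nsg=nsg, mac=nic["mac"])
                    yield row

def denied_inbound_by_source(text):
    """Count denied inbound flows per (source IP, destination port)."""
    counts = Counter()
    for f in parse_flow_log(text):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[(f["src_ip"], int(f["dst_port"]))] += 1
    return counts

def bytes_transferred(text):
    """Sum both directions' byte counters; only version 2 tuples in state C or E carry them."""
    return sum(int(f["bytes_src"] or 0) + int(f["bytes_dst"] or 0)
               for f in parse_flow_log(text) if f["state"] in ("C", "E"))
```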

View diagnostic logs for network resources

You can enable diagnostic logging for Azure networking resources such as network security groups, public IP addresses, load balancers, virtual network gateways, and application gateways. The Diagnostic logs capability provides a single interface to enable and disable network resource diagnostic logs for any existing network resource that generates a diagnostic log. You can view diagnostic logs using tools such as Microsoft Power BI and Azure Monitor logs. To learn more about analyzing Azure network diagnostic logs, see Azure network solutions in Azure Monitor logs.

Network Watcher automatic enablement

When you create or update a virtual network in your subscription, Network Watcher is enabled automatically in your virtual network's region. There is no impact to your resources, and no associated charge, for automatically enabling Network Watcher. For more information, see Network Watcher create.

Next steps

You now have an overview of Azure Network Watcher. To get started using Network Watcher, diagnose a common communication problem to and from a virtual machine using IP flow verify. To learn how, see the Diagnose a virtual machine network traffic filter problem quickstart.