Network Packet Broker
The Network Packet Broker for Azure Operator Nexus is a specialized offering from Microsoft Azure tailored for telecommunications service providers. With the Network Packet Broker for Azure Operator Nexus, telecom operators can efficiently capture, aggregate, filter, and monitor traffic in their infrastructure (AON) for deep packet inspection, traffic analysis, and enhanced network monitoring. In the telecommunications industry, maintaining high-quality service, ensuring security, and complying with regulatory requirements are critical. By using this solution, operators gain better visibility into their network traffic, troubleshoot issues more effectively, and ultimately deliver improved service to their customers while maintaining the highest standards of network security and performance.
NPB is designed and modeled as a separate top-level Azure Resource Manager (ARM) resource under Microsoft.managednetworkfabric. Operators can create, read, update, and delete network TAPs, network TAP rules, and neighbor group functions. Each network packet broker has multiple resources, such as network TAPs, neighbor groups, and network TAP rules, that manage, filter, and forward the specified traffic.
Steps to enable the Network Packet Broker
Prerequisites
- The NPB devices are properly racked, stacked, and provisioned. For the procedure to provision the Network Fabric, see Network Fabric provisioning.
- The corresponding vProbes should be set up with dedicated IPs.
- For internal vProbes, a Layer 3 isolation domain with an internal network should be created. In addition to configuring the required connected subnets, the extension flag should be set to NPB on the internal network. For the procedure to create internal and external networks on an isolation domain and set the extension flag for NPB, see Isolation domains.
- For network-to-network interconnect (NNI) use cases, the NNI should be created with type NPB. The appropriate Layer 2 and Layer 3 attributes should be defined during NNI creation. For the procedure to create a network-to-network interconnect (NNI), see Network Fabric provisioning.
Steps
- Create a network TAP rule that provides the match configuration (only the Inline input method is supported).
- Create a neighbor group resource that defines the destinations.
- Create a network TAP resource that references the TAP rule and the neighbor group.
- Enable the network TAP resource.
NPB
This resource is created automatically by the NNF during bootstrap.
Show NPB
This command shows the details of the NPB logical resource.
az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"
Expected output
{
"properties": {
"networkFabricId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
"networkDeviceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
],
"sourceInterfaceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
],
"networkTapIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
],
"neighborGroupIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
],
"provisioningState": "Succeeded"
},
"tags": {
"key2806": "key"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
"name": "example-networkPacketBroker",
"type": "microsoft.managednetworkfabric/networkPacketBrokers",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-05-17T11:56:12.100Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-17T11:56:12.100Z"
}
}
Network TAP rule
The NetworkTapRule resource provides a combination of filtering and forwarding, expressed as match conditions and actions.
Parameters for network TAP rules
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the NetworkTapRule | ResourceGroupName | True |
resource-name | Resource name of the network TAP rule | InternetTAPrule1 | True |
location | AzON Azure region used during NFC creation | eastus | True |
configuration-type | Input method used to configure the network TAP rule | Inline or File | True |
match-configurations | List of match configurations | | |
match-configurations/matchconfigurationName | Name of the match configuration block | | |
match-configurations/sequenceNumber | Sequence number of the match configuration | | |
match-configurations/ipAddressType | IP address family | | |
match-configurations/matchconditions | List of dynamic match conditions based on port, protocol, VLAN, and IP | | |
match-configurations/action | Action details. The action can be Drop, Count, Log, Goto, Redirect, or Mirror | | |
dynamic-match-configurations | List of dynamic match configurations based on port, VLAN, and IP | | |
Note
Network TAP rules and neighbor groups must be created before the network TAP that references them.
Create a network TAP rule
This command creates a network TAP rule:
az networkfabric taprule create --resource-group "example-rg" --location "westus3" --resource-name "example-networktaprule" \
--configuration-type "Inline" \
--match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],\
actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]" \
--dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'exmaple-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"
Expected output:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
Show a network TAP rule
This command shows the network TAP rule resource:
az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"
Expected output:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
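An added example (not Microsoft's or this page's code) that lints the JSON returned by `az networkfabric taprule show`, or the definition you are about to pass to `create`, before you enable the TAP: it flags group names referenced in matchConditions that dynamicMatchConfigurations never defines, duplicate sequence numbers, Goto targets that do not exist, and Redirect/Mirror actions with no destinationId. These rules are this example's own assumptions, not documented service-side checks, and the sample rule is constructed.

```python
"""Consistency lint for an Azure Operator Nexus network TAP rule (added example, not Microsoft's
code). Assumption: these sanity rules are this example's own, not documented service validation."""
import json

# Constructed sample modelled on the page's taprule output; ipGroupNames deliberately names an
# undefined group and the Mirror action has no destinationId, so the lint has something to report.
SAMPLE_RULE = json.loads("""{"properties": {
  "matchConfigurations": [{
    "matchConfigurationName": "config1", "sequenceNumber": 10, "ipAddressType": "IPv4",
    "matchConditions": [{
      "portCondition": {"portType": "SourcePort", "l4Protocol": "TCP", "ports": ["100"],
                        "portGroupNames": ["example-portGroup1"]},
      "vlanMatchCondition": {"vlans": ["10"], "vlanGroupNames": ["example-vlanGroup"]},
      "ipCondition": {"type": "SourceIP", "prefixType": "Prefix",
                      "ipPrefixValues": ["10.10.10.10/20"], "ipGroupNames": ["example-ipGroup"]}}],
    "actions": [{"type": "Mirror", "truncate": "100", "destinationId": ""}]}],
  "dynamicMatchConfigurations": [{
    "ipGroups": [{"name": "example-ipGroup1", "ipPrefixes": ["10.10.10.10/30"]}],
    "vlanGroups": [{"name": "example-vlanGroup", "vlans": ["10"]}],
    "portGroups": [{"name": "example-portGroup1", "ports": ["100-200"]}]}]}}""")

# (condition block, group-name key inside it, matching list in dynamicMatchConfigurations)
GROUP_REFS = (("portCondition", "portGroupNames", "portGroups"),
              ("vlanMatchCondition", "vlanGroupNames", "vlanGroups"),
              ("ipCondition", "ipGroupNames", "ipGroups"))
NEEDS_DESTINATION = {"Redirect", "Mirror"}  # assumption: actions that hand traffic to a neighbor group


def lint_tap_rule(rule: dict) -> list:
    """Return the problems found in `rule`; an empty list means the rule looks consistent."""
    props = rule["properties"]
    defined = {key: {g["name"] for d in props.get("dynamicMatchConfigurations", [])
                     for g in d.get(dyn, [])} for _, key, dyn in GROUP_REFS}
    configs = props.get("matchConfigurations", [])
    config_names = {c["matchConfigurationName"] for c in configs}
    seen_seq, problems = set(), []
    for cfg in configs:
        name, seq = cfg["matchConfigurationName"], cfg["sequenceNumber"]
        if seq in seen_seq:  # sequence numbers order evaluation, so they must be unique
            problems.append(f"{name}: duplicate sequenceNumber {seq}")
        seen_seq.add(seq)
        for cond in cfg.get("matchConditions", []):  # every referenced group must be defined
            for block, key, _ in GROUP_REFS:
                for ref in cond.get(block, {}).get(key, []):
                    if ref not in defined[key]:
                        problems.append(f"{name}: {key} '{ref}' is not defined in dynamicMatchConfigurations")
        for act in cfg.get("actions", []):
            if act["type"] in NEEDS_DESTINATION and not act.get("destinationId"):
                problems.append(f"{name}: {act['type']} action has no destinationId")
            if act["type"] == "Goto" and act.get("matchConfigurationName") not in config_names:
                problems.append(f"{name}: Goto target '{act.get('matchConfigurationName')}' does not exist")
    return problems
```

Pipe the output of `az networkfabric taprule show ... -o json` into `json.loads` and call `lint_tap_rule` on it; a non-empty list is worth resolving before the TAP is enabled.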
Neighbor group
The neighbor group resource groups destinations so that filtered traffic can be forwarded to them.
Parameters for neighbor groups
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the neighbor group | ResourceGroupName | True |
resource-name | Resource name of the neighbor group | example-Neighbor | True |
location | AzON Azure region used during NFC creation | eastus | True |
destination | List of IPv4 or IPv6 destinations to which traffic is forwarded | 10.10.10.10 | True |
Create a neighbor group
This command creates the neighbor group resource:
az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3" \
--resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"
Expected output:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10"
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
Show a neighbor group resource
This command shows the neighbor group resource:
az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"
Expected output:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10"
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
Network TAP
A network TAP lets operators define the destinations and the encapsulation mechanism used to forward traffic filtered according to the network TAP rules.
Parameters for network TAPs
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for the network TAP | ResourceGroupName | True |
resource-name | Resource name of the network TAP | NetworkTAP-Austin | True |
location | AzON Azure region used during NFC creation | eastus | True |
network-packet-broker-id | ARM ID of the network packet broker resource | | True |
polling-type | Polling method for the network TAP rules (Push or Pull) | Pull | True |
destination | Destination definition | | True |
destination/name | Name of the destination | | |
destination/type | Type of the destination: IsolationDomain or NNI | | |
destination/IsolationDomainProperties | Details of the isolation domain: encapsulation and neighbor group IDs | Azure Resource Manager (ARM) ID of the internal network or NNI | False |
destinationTapRuleId | ARM ID of the TAP rule that needs to be applied | | True |
Create a network TAP
This command creates the network TAP resource:
az networkfabric tap create --resource-group "example-rg" --location "westus3" \
--resource-name "example-networktap" \
--network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
--polling-type "Pull" \
--destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\