
Configure Azure Storage firewalls and virtual networks

Azure Storage provides a layered security model. This model enables you to secure your storage accounts to a specific set of supported networks. When network rules are configured, only applications requesting data over the specified set of networks can access a storage account.

An application that accesses a storage account when network rules are in effect requires proper authorization on the request. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with an SAS token.

Important

Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests come from a service that is operating within an Azure Virtual Network (VNet). Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

You can grant access to Azure services that operate from within a VNet by allowing the subnet of the service instance. Enable a limited number of scenarios through the Exceptions mechanism described in the following section. To access the Azure portal, you would need to be on a machine within the trusted boundary (either IP or VNet) that you set up.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Scenarios

Configure storage accounts to deny access to traffic from all networks (including internet traffic) by default. Then grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also grant access to public internet IP address ranges, enabling connections from specific internet or on-premises clients.

Network rules are enforced on all network protocols to Azure Storage, including REST and SMB. To access the data with tools like the Azure portal, Storage Explorer, and AzCopy, explicit network rules are required.

You can apply network rules to existing storage accounts, or when you create new storage accounts.

Once network rules are applied, they're enforced for all requests. SAS tokens that grant access to a specific IP address serve to limit the access of the token holder, but don't grant new access beyond the configured network rules.

Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules.

Classic storage accounts do not support firewalls and virtual networks.

You can use unmanaged disks in storage accounts with network rules applied to back up and restore VMs by creating an exception. This process is documented in the Exceptions section of this article. Firewall exceptions aren't applicable with managed disks, as they're already managed by Azure.

Change the default network access rule

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Warning

Making changes to network rules can impact your applications' ability to connect to Azure Storage. Setting the default network rule to deny blocks all access to the data unless specific network rules to grant access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

Managing default network access rules

You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.

  4. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. Display the status of the default rule for the storage account.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").DefaultAction

  3. Set the default rule to deny network access by default.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Deny

  4. Set the default rule to allow network access by default.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -DefaultAction Allow
    

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the status of the default rule for the storage account.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.defaultAction

  3. Set the default rule to deny network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Deny

  4. Set the default rule to allow network access by default.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --default-action Allow
    

Grant access from a virtual network

You can configure storage accounts to allow access only from specific VNets.

Enable a service endpoint for Azure Storage within the VNet. This endpoint gives traffic an optimal route to the Azure Storage service. The identities of the virtual network and the subnet are also transmitted with each request. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in the VNet. Clients granted access via these network rules must continue to meet the authorization requirements of the storage account to access the data.

Each storage account supports up to 100 virtual network rules, which may be combined with IP network rules.

Available virtual network regions

In general, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, this scope grows to include the paired region. Service endpoints allow continuity during a regional failover and access to read-only geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.

When planning for disaster recovery during a regional outage, you should create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.

Note

Service endpoints don't apply to traffic outside the region of the virtual network and the designated region pair. You can only apply network rules granting access from virtual networks to storage accounts in the primary region of a storage account or in the designated paired region.

Required permissions

To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets being added. The permission needed is Join Service to a Subnet and is included in the Storage Account Contributor built-in role. It can also be added to custom role definitions.

The storage account and the virtual networks granted access may be in different subscriptions, but those subscriptions must be part of the same Azure AD tenant.

Managing virtual network rules

You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to a virtual network with a new network rule, under Virtual networks, click Add existing virtual network, select the Virtual networks and Subnets options, and then click Add. To create a new virtual network and grant it access, click Add new virtual network. Provide the information necessary to create the new virtual network, and then click Create.

    Note

    If a service endpoint for Azure Storage wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation.

  5. To remove a virtual network or subnet rule, click ... to open the context menu for the virtual network or subnet, and click Remove.

  6. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. List virtual network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").VirtualNetworkRules

  3. Enable the service endpoint for Azure Storage on an existing virtual network and subnet.

    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage" | Set-AzVirtualNetwork

  4. Add a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id

  5. Remove a network rule for a virtual network and subnet.

    $subnet = Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Get-AzVirtualNetworkSubnetConfig -Name "mysubnet"
    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -VirtualNetworkResourceId $subnet.Id


Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List virtual network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query virtualNetworkRules

  3. Enable the service endpoint for Azure Storage on an existing virtual network and subnet.

    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage"

  4. Add a network rule for a virtual network and subnet.

    $subnetid=(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid

  5. Remove a network rule for a virtual network and subnet.

    $subnetid=(az network vnet subnet show --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --query id --output tsv)
    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --subnet $subnetid


Important

Be sure to set the default rule to deny, or network rules have no effect.

Grant access from an internet IP range

You can configure storage accounts to allow access from specific public internet IP address ranges. This configuration grants access to specific internet-based services and on-premises networks and blocks general internet traffic.

Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.

Note

Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules.

IP network rules are only allowed for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules. Private networks include addresses that start with 10.*, 172.16.* - 172.31.*, and 192.168.*.

Note

IP network rules have no effect on requests originating from the same Azure region as the storage account. Use virtual network rules to allow same-region requests.

Only IPv4 addresses are supported at this time.

Each storage account supports up to 100 IP network rules, which may be combined with virtual network rules.
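The constraints stated above for IP rules (IPv4 only, no RFC 1918 space, no /31 or /32 prefixes, at most 100 rules of each kind) and the ordering the warning under "Change the default network access rule" requires (grant access before the default becomes Deny) can both be enforced before any command reaches Azure. The following script is an added example, not code from the Azure documentation; it only generates the az CLI commands shown on this page rather than executing them, and the resource names and subnet ID it uses are constructed placeholders.

```python
"""Pre-flight validation and safe ordering for Azure Storage network rules.

Added example (not from the Azure documentation). It checks the limits this
page states for IP rules and emits the az CLI commands from this page in an
order that grants access before the default action becomes Deny. Resource
names and subnet IDs below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_RULES = 100  # per account: up to 100 IP rules and up to 100 VNet rules
BYPASS_VALUES = {"None", "Logging", "Metrics", "AzureServices"}


def ip_rule_problem(rule: str) -> str:
    """Return '' if Azure Storage would accept the IP rule, else the reason it is rejected."""
    try:
        net = ipaddress.ip_network(rule, strict=True)  # strict: host bits must be zero
    except ValueError:
        return "not a valid IP address or CIDR range"
    if net.version != 4:
        return "only IPv4 addresses are supported"
    if not net.is_global:
        return "non-public range (RFC 1918 or other reserved space); only public internet addresses are allowed"
    if "/" in rule and net.prefixlen >= 31:
        return "/31 and /32 ranges are not supported; add the addresses as individual IP rules"
    return ""


@dataclass
class DesiredRuleSet:
    resource_group: str
    account: str
    default_action: str                                      # "Allow" or "Deny"
    subnet_ids: list = field(default_factory=list)           # ARM IDs of subnets with a Microsoft.Storage endpoint
    ip_rules: list = field(default_factory=list)             # public IPv4 addresses or CIDR ranges
    bypass: list = field(default_factory=lambda: ["None"])   # exceptions, e.g. ["Logging", "Metrics"]


def plan_commands(d: DesiredRuleSet) -> list:
    """Validate the desired rule set and return the az CLI commands to apply it, in a safe order.

    For a target default of Deny, every grant (VNet rules, IP rules, exceptions) is emitted before
    the default is switched, so the account is never left denying everything. For a target default
    of Allow, the default is opened first, so the rule changes cannot lock anyone out.
    """
    if d.default_action not in ("Allow", "Deny"):
        raise ValueError("default_action must be 'Allow' or 'Deny'")
    unknown = set(d.bypass) - BYPASS_VALUES
    if unknown:
        raise ValueError(f"unknown bypass value(s): {sorted(unknown)}")
    if "None" in d.bypass and len(d.bypass) > 1:
        raise ValueError("bypass 'None' cannot be combined with other exceptions")
    if len(d.ip_rules) > MAX_RULES or len(d.subnet_ids) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} IP rules and {MAX_RULES} virtual network rules per account")
    for rule in d.ip_rules:
        problem = ip_rule_problem(rule)
        if problem:
            raise ValueError(f"{rule}: {problem}")
    has_exception = bool(set(d.bypass) - {"None"})
    if d.default_action == "Deny" and not (d.ip_rules or d.subnet_ids or has_exception):
        raise ValueError("default Deny with no rules or exceptions would block all access, including the Azure portal")

    scope = f'--resource-group "{d.resource_group}"'
    grants = [f'az storage account network-rule add {scope} --account-name "{d.account}" --subnet "{s}"'
              for s in d.subnet_ids]
    grants += [f'az storage account network-rule add {scope} --account-name "{d.account}" --ip-address "{r}"'
               for r in d.ip_rules]
    grants.append(f'az storage account update {scope} --name "{d.account}" --bypass {" ".join(d.bypass)}')
    set_default = f'az storage account update {scope} --name "{d.account}" --default-action {d.default_action}'
    return grants + [set_default] if d.default_action == "Deny" else [set_default] + grants


if __name__ == "__main__":
    # Constructed sample: lock the account down to one subnet, one office range, and log/metric reads.
    desired = DesiredRuleSet(
        resource_group="myresourcegroup",
        account="mystorageaccount",
        default_action="Deny",
        subnet_ids=["/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myresourcegroup"
                    "/providers/Microsoft.Network/virtualNetworks/myvnet/subnets/mysubnet"],
        ip_rules=["16.17.18.0/24", "16.17.19.20"],
        bypass=["Logging", "Metrics"],
    )
    print("\n".join(plan_commands(desired)))
```

Review the printed commands, then run them in order; the final `--default-action Deny` is the step that actually closes the account.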

Configuring access from on-premises networks

To grant access from your on-premises networks to your storage account with an IP network rule, you must identify the internet-facing IP addresses used by your network. Contact your network administrator for help.

If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you will need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP address(es) that are used are either customer provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. Learn more about NAT for ExpressRoute public and Microsoft peering.

Managing IP network rules

You can manage IP network rules for storage accounts through the Azure portal, PowerShell, or CLIv2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.

  5. To remove an IP network rule, click the trash can icon next to the address range.

  6. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. List IP network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount").IPRules

  3. Add a network rule for an individual IP address.

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"

  4. Add a network rule for an IP address range.

    Add-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"

  5. Remove a network rule for an individual IP address.

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.19"

  6. Remove a network rule for an IP address range.

    Remove-AzStorageAccountNetworkRule -ResourceGroupName "myresourcegroup" -AccountName "mystorageaccount" -IPAddressOrRange "16.17.18.0/24"


Important

Be sure to set the default rule to deny, or network rules have no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. List IP network rules.

    az storage account network-rule list --resource-group "myresourcegroup" --account-name "mystorageaccount" --query ipRules

  3. Add a network rule for an individual IP address.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"

  4. Add a network rule for an IP address range.

    az storage account network-rule add --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"

  5. Remove a network rule for an individual IP address.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.19"

  6. Remove a network rule for an IP address range.

    az storage account network-rule remove --resource-group "myresourcegroup" --account-name "mystorageaccount" --ip-address "16.17.18.0/24"


Important

Be sure to set the default rule to deny, or network rules have no effect.

Exceptions

Network rules can enable a secure network configuration for most scenarios. However, there are some cases where exceptions must be granted to enable full functionality. You can configure storage accounts with exceptions for trusted Microsoft services, and for access to storage analytics data.

Trusted Microsoft services

Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.

To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account.

If you enable the Allow trusted Microsoft services... exception, the following services (when registered in your subscription) are granted access to the storage account. Each entry gives the service, its resource provider name, and the purpose of the access:

  Azure Backup (Microsoft.RecoveryServices): Run backups and restores of unmanaged disks in IaaS virtual machines (not required for managed disks).

  Azure Data Box (Microsoft.DataBox): Enables import of data to Azure using Data Box.

  Azure DevTest Labs (Microsoft.DevTestLab): Custom image creation and artifact installation.

  Azure Event Grid (Microsoft.EventGrid): Enable Blob Storage event publishing and allow Event Grid to publish to storage queues.

  Azure Event Hubs (Microsoft.EventHub): Archive data with Event Hubs Capture.

  Azure File Sync (Microsoft.StorageSync): Enables you to transform your on-premises file server into a cache for Azure file shares, allowing for multi-site sync, fast disaster recovery, and cloud-side backup.

  Azure HDInsight (Microsoft.HDInsight): Provision the initial contents of the default file system for a new HDInsight cluster.

  Azure Machine Learning Service (Microsoft.MachineLearningServices): Authorized Azure Machine Learning workspaces write experiment output, models, and logs to Blob storage.

  Azure Monitor (Microsoft.Insights): Allows writing of monitoring data to a secured storage account.

  Azure Networking (Microsoft.Network): Store and analyze network traffic logs.

  Azure Site Recovery (Microsoft.SiteRecovery): Configure disaster recovery by enabling replication for Azure IaaS virtual machines. This is required if you are using a firewall-enabled cache storage account, source storage account, or target storage account.

  Azure SQL Data Warehouse (Microsoft.Sql): Allows import and export scenarios from specific SQL Database instances using PolyBase.

  Azure Stream Analytics (Microsoft.StreamAnalytics): Allows data from a streaming job to be written to Blob storage. This feature is currently in preview.

Storage analytics data access

In some cases, access to read diagnostic logs and metrics is required from outside the network boundary. You can grant exceptions to the network rules to allow read access to storage account log files, metrics tables, or both. Learn more about working with storage analytics.

Managing exceptions

You can manage network rule exceptions through the Azure portal, PowerShell, or Azure CLI v2.

Azure portal

  1. Go to the storage account you want to secure.

  2. Click on the settings menu called Firewalls and virtual networks.

  3. Check that you've selected to allow access from Selected networks.

  4. Under Exceptions, select the exceptions you wish to grant.

  5. Click Save to apply your changes.

PowerShell

  1. Install Azure PowerShell and sign in.

  2. Display the exceptions for the storage account network rules.

    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount").Bypass

  3. Configure the exceptions to the storage account network rules.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass AzureServices,Metrics,Logging

  4. Remove the exceptions to the storage account network rules.

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName "myresourcegroup" -Name "mystorageaccount" -Bypass None


Important

Be sure to set the default rule to deny, or removing exceptions has no effect.

CLIv2

  1. Install the Azure CLI and sign in.

  2. Display the exceptions for the storage account network rules.

    az storage account show --resource-group "myresourcegroup" --name "mystorageaccount" --query networkRuleSet.bypass

  3. Configure the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass Logging Metrics AzureServices

  4. Remove the exceptions to the storage account network rules.

    az storage account update --resource-group "myresourcegroup" --name "mystorageaccount" --bypass None


Important

Be sure to set the default rule to deny, or removing exceptions has no effect.

Next steps

Learn more about Azure Network service endpoints in Service endpoints.

Dig deeper into Azure Storage security in the Azure Storage security guide.