
Open ports and endpoints to a Linux VM with the Azure CLI

You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or VM network interface. You place these filters, which control both inbound and outbound traffic, on a Network Security Group attached to the resource that receives the traffic. Let's use a common example of web traffic on port 80. This article shows you how to open a port to a VM with the Azure CLI.

To create a Network Security Group and rules, you need the latest Azure CLI installed and to be logged in to an Azure account using az login.

In the following examples, replace example parameter names with your own values. Example parameter names include myResourceGroup, myNetworkSecurityGroup, and myVnet.

Quickly open a port for a VM

If you need to quickly open a port for a VM in a dev/test scenario, you can use the az vm open-port command. This command creates a Network Security Group, adds a rule, and applies it to a VM or subnet. The following example opens port 80 on the VM named myVM in the resource group named myResourceGroup.

az vm open-port --resource-group myResourceGroup --name myVM --port 80

For more control over the rules, such as defining a source IP address range, continue with the additional steps in this article.

Create a Network Security Group and rules

Create the network security group with az network nsg create. The following example creates a network security group named myNetworkSecurityGroup in the eastus location:

az network nsg create \
    --resource-group myResourceGroup \
    --location eastus \
    --name myNetworkSecurityGroup

Add a rule with az network nsg rule create to allow HTTP traffic to your webserver (or adjust for your own scenario, such as SSH access or database connectivity). The following example creates a rule named myNetworkSecurityGroupRule to allow TCP traffic on port 80:

az network nsg rule create \
    --resource-group myResourceGroup \
    --nsg-name myNetworkSecurityGroup \
    --name myNetworkSecurityGroupRule \
    --protocol tcp \
    --priority 1000 \
    --destination-port-range 80

Apply Network Security Group to VM

Associate the Network Security Group with your VM's network interface (NIC) with az network nic update. The following example associates an existing NIC named myNic with the Network Security Group named myNetworkSecurityGroup:

az network nic update \
    --resource-group myResourceGroup \
    --name myNic \
    --network-security-group myNetworkSecurityGroup

Alternatively, you can associate your Network Security Group with a virtual network subnet with az network vnet subnet update rather than just to the network interface on a single VM. The following example associates an existing subnet named mySubnet in the myVnet virtual network with the Network Security Group named myNetworkSecurityGroup:

az network vnet subnet update \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name mySubnet \
    --network-security-group myNetworkSecurityGroup
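
The rule created above names no source range, so the CLI default of any source applies to it. The following added example (not part of the original article) flags inbound Allow rules with an unrestricted source and narrows one to a given range. The function names, the sample rows, and the 203.0.113.0/24 documentation range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# flag_open_inbound reads tab-separated rows on stdin:
#   name  priority  direction  access  sourceAddressPrefix  destinationPortRange
# Assumed way to produce them from a live NSG:
#   az network nsg rule list -g myResourceGroup --nsg-name myNetworkSecurityGroup \
#     --query "[].[name,priority,direction,access,sourceAddressPrefix,destinationPortRange]" \
#     -o tsv | flag_open_inbound
# Rules that use a list of several source prefixes are not covered by this check.

flag_open_inbound() {
    awk -F '\t' '
        $3 == "Inbound" && $4 == "Allow" &&
        ($5 == "*" || $5 == "0.0.0.0/0" || tolower($5) == "internet") {
            printf "%s\tport=%s\tsource=%s\n", $1, $6, $5
        }'
}

# Narrow an existing rule to a single source range.
# usage: restrict_rule_source <rule-name> <cidr>
restrict_rule_source() {
    az network nsg rule update \
        --resource-group myResourceGroup \
        --nsg-name myNetworkSecurityGroup \
        --name "$1" \
        --source-address-prefixes "$2"
}

# Constructed sample rows (not real output): the article's port 80 rule,
# an SSH rule limited to a documentation range, a deny rule, an outbound rule.
sample_rules() {
    printf 'myNetworkSecurityGroupRule\t1000\tInbound\tAllow\t*\t80\n'
    printf 'allow-ssh-office\t1010\tInbound\tAllow\t203.0.113.0/24\t22\n'
    printf 'deny-db\t1020\tInbound\tDeny\t*\t5432\n'
    printf 'allow-out\t1030\tOutbound\tAllow\t*\t443\n'
}

# Only the port 80 rule is reported as open to any source.
sample_rules | flag_open_inbound

# To limit that rule to one range afterwards (requires az login):
#   restrict_rule_source myNetworkSecurityGroupRule 203.0.113.0/24
```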

More information on Network Security Groups

The quick commands here allow you to get up and running with traffic flowing to your VM. Network Security Groups provide many great features and granularity for controlling access to your resources. You can read more about creating a Network Security Group and ACL rules here.

For highly available web applications, you should place your VMs behind an Azure Load Balancer. The load balancer distributes traffic to VMs, with a Network Security Group that provides traffic filtering. For more information, see How to load balance Linux virtual machines in Azure to create a highly available application.

Next steps

In this example, you created a simple rule to allow HTTP traffic. You can find information on creating more detailed environments in the following articles: