
How to set up endpoints on a classic Windows virtual machine in Azure

All Windows virtual machines that you create in Azure using the classic deployment model can automatically communicate over a private network channel with other virtual machines in the same cloud service or virtual network. However, computers on the Internet or in other virtual networks need an endpoint before their inbound traffic can be directed to a virtual machine. This article is also available for Linux virtual machines.

Important

Azure has two different deployment models for creating and working with resources: Resource Manager and Classic. This article covers the Classic deployment model. Microsoft recommends that most new deployments use the Resource Manager model.

Starting November 15, 2017, Virtual Machines will be available only in the Azure portal.

In the Resource Manager deployment model, endpoints are configured using Network Security Groups (NSGs). For more information, see Allow external access to your VM using the Azure portal.

When you create a Windows virtual machine in the Azure portal, common endpoints such as those for Remote Desktop and Windows PowerShell Remoting are typically created for you automatically. You can configure additional endpoints while creating the virtual machine or afterwards, as needed.

Each endpoint has a public port and a private port:

  • The public port is the port on which the Azure load balancer listens for incoming traffic to the virtual machine from the Internet.
  • The private port is the port on which the virtual machine itself listens for that traffic, typically the port of an application or service running on the virtual machine.

When you create an endpoint in the Azure portal, default values for the IP protocol and the TCP or UDP port are provided for well-known network protocols. For custom endpoints, you need to specify the correct IP protocol (TCP or UDP) and both the public and the private port. To spread incoming traffic across multiple virtual machines, you need to create a load-balanced set consisting of one endpoint per virtual machine.

After you create an endpoint, you can use an access control list (ACL) to define rules that permit or deny incoming traffic to the public port of the endpoint based on its source IP address. However, if the virtual machine is in an Azure virtual network, you should use network security groups instead. For details, see About network security groups.

Note

Azure configures the firewall of the virtual machine automatically only for the ports of the remote-connectivity endpoints that it creates itself. For the ports of every other endpoint, nothing is changed in the firewall of the virtual machine. When you create an endpoint, make sure that the firewall on the virtual machine also allows inbound traffic for the protocol and private port of that endpoint; otherwise the load balancer forwards the traffic and the guest operating system drops it. To configure the firewall, see the documentation or online help for the operating system running on the virtual machine.

Create an endpoint

  1. If you haven't already done so, sign in to the Azure portal.
  2. Click Virtual Machines, and then click the name of the virtual machine that you want to configure.
  3. In the Settings group, click Endpoints. The Endpoints page lists all the current endpoints for the virtual machine. (This example is a Windows VM. A Linux VM shows an endpoint for SSH by default.)

    (Screenshot: the Endpoints page)

  4. In the command bar above the endpoint entries, click Add.

  5. On the Add endpoint page, type a name for the endpoint in Name.
  6. In Protocol, choose either TCP or UDP.
  7. In Public Port, type the port number for the incoming traffic from the Internet. In Private Port, type the port number on which the virtual machine is listening. These two port numbers can be different. Ensure that the firewall on the virtual machine has been configured to allow the traffic corresponding to the protocol (chosen in step 6) and the private port.
  8. Click OK.

The new endpoint is listed on the Endpoints page.
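The same result from the command line, as an added example that is not part of the original page: the "Create an endpoint" procedure above scripted with the classic Azure PowerShell module (Service Management API), followed by the guest-firewall change that the Note above says Azure does not make for you. Part 1 runs on an administrator's workstation; Part 2 runs inside the virtual machine. The cloud service name, VM name, endpoint name and port numbers are placeholders chosen for this example.

```powershell
# Added example, not code from the original page. Service/VM names and ports are placeholders.
#
# Part 1: run on an admin workstation with the classic Azure PowerShell module ("Azure").
# Add-AzureAccount                                   # interactive sign-in, if not already done
# Select-AzureSubscription -SubscriptionName 'Contoso Production'   # placeholder subscription

$serviceName  = 'contoso-svc'     # cloud service name (placeholder)
$vmName       = 'contoso-web01'   # VM name (placeholder)
$endpointName = 'WebApp'
$publicPort   = 8080              # port the Azure load balancer listens on (Internet side)
$privatePort  = 80                # port the service inside the VM listens on

# Create the endpoint (public 8080/tcp -> private 80/tcp) and commit it with Update-AzureVM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name $endpointName -Protocol tcp -PublicPort $publicPort -LocalPort $privatePort |
    Update-AzureVM

# Check: read the endpoint back and confirm both port numbers are what you intended.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint -Name $endpointName |
    Select-Object Name, Protocol, Port, LocalPort

# Part 2: run inside the VM in an elevated PowerShell session (for example over the
# Remote Desktop or PowerShell Remoting endpoint that Azure created for you).
$privatePort = 80

# Open only the private port and protocol of the new endpoint, nothing broader.
New-NetFirewallRule -DisplayName "Azure endpoint WebApp (TCP $privatePort inbound)" `
    -Direction Inbound -Protocol TCP -LocalPort $privatePort -Action Allow -Profile Any

# Check: the endpoint and the firewall rule achieve nothing unless a process is actually
# listening on the private port. An empty result here means the service is not running.
Get-NetTCPConnection -State Listen -LocalPort $privatePort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The public and private ports are deliberately different here (8080 on the load balancer, 80 on the guest) to make the point of step 7 visible: the firewall rule must name the private port, not the public one, because that is the port on which the traffic arrives inside the virtual machine.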

    (Screenshot: endpoint created successfully)

Manage the ACL on an endpoint

To define the set of computers that may send traffic to an endpoint, the ACL on the endpoint can restrict traffic based on its source IP address. Follow these steps to add, modify, or remove an ACL on an endpoint.

Note

If the endpoint is part of a load-balanced set, any change you make to the ACL on one endpoint is applied to all endpoints in the set.

If the virtual machine is in an Azure virtual network, we recommend network security groups instead of ACLs. For details, see About network security groups.

  1. If you haven't already done so, sign in to the Azure portal.
  2. Click Virtual Machines, and then click the name of the virtual machine that you want to configure.
  3. Click Endpoints. From the list, select the appropriate endpoint. The ACL list is at the bottom of the page.

    (Screenshot: specify ACL details)

  4. Use the rows in the list to add, delete, or edit the rules of the ACL and to change their order. The Remote Subnet value is the source IP address range that the Azure load balancer compares against the source address of incoming traffic from the Internet in order to permit or deny it. Specify the range in CIDR format (also called address prefix format), with the host bits of the network address set to zero, for example 10.0.0.0/8 (a value such as 10.1.0.0/8 names the same /8 but is not its canonical form).

    (Screenshot: new ACL entry)

You can use rules to allow traffic only from specific computers (for example, your own machines on the Internet) or to deny traffic from specific, known address ranges.

The rules are evaluated in order, starting with the first rule and ending with the last, and the first rule that matches the source address decides whether the traffic is permitted or denied. Order them so that a rule for a narrower range comes before any broader rule that also covers it (for example, a deny for a single host before a permit for the subnet around it); a broad rule placed first shadows every narrower rule after it. For examples and more information, see What is a Network Access Control List.
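An added example, not code from the original page, that covers both the "Manage the ACL on an endpoint" procedure and the rule-ordering point just made. Part 1 applies an ordered ACL to the endpoint with the classic Azure PowerShell module; Part 2 is a small local model of the evaluation order (first match in ascending rule order wins) so that the effect of swapping two rules can be seen without touching Azure. The service, VM and endpoint names, the 203.0.113.0/24 "office" range and the single blocked host are placeholders chosen for this example.

```powershell
# Added example, not code from the original page. Names and address ranges are placeholders.
#
# Part 1: run from the admin workstation with the classic Azure PowerShell module ("Azure").
$serviceName  = 'contoso-svc'
$vmName       = 'contoso-web01'
$endpointName = 'WebApp'

$acl = New-AzureAclConfig
# Lowest Order is evaluated first. The single-host deny is placed before the broader permit
# so that it is reached; placed after it, the /24 permit would match first and win.
Set-AzureAclConfig -AddRule -ACL $acl -Action Deny   -RemoteSubnet '203.0.113.5/32' -Order 100 -Description 'Block one office host'
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet '203.0.113.0/24' -Order 200 -Description 'Office range'

# Attach the ACL to the endpoint (same protocol and ports as the endpoint was created with).
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name $endpointName -Protocol tcp -PublicPort 8080 -LocalPort 80 -ACL $acl |
    Update-AzureVM

# Check: read the ACL back from the endpoint and confirm the rules and their order.
$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
Get-AzureAclConfig -EndpointName $endpointName -VM $vm

# Part 2: local model of the evaluation order (runs anywhere, no Azure connection needed).
function ConvertTo-IPv4Number ([string]$Address) {
    # Dotted quad -> 32-bit number; arithmetic is done in [double] to avoid int32 overflow.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return [uint32]([double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3])
}

function Test-InSubnet ([string]$Address, [string]$Cidr) {
    # CIDR match: compare only the leading prefix-length bits of both addresses.
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32](4294967295 - ([math]::Pow(2, 32 - [int]$prefix) - 1))
    return (((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask))
}

function Get-AclVerdict ([object[]]$Rules, [string]$SourceAddress) {
    # Rules are walked in ascending Order and the first match decides, as on the endpoint.
    foreach ($rule in ($Rules | Sort-Object -Property Order)) {
        if (Test-InSubnet -Address $SourceAddress -Cidr $rule.RemoteSubnet) {
            return "$($rule.Action) by rule $($rule.Order) ($($rule.RemoteSubnet))"
        }
    }
    return 'no rule matched'
}

# Constructed sample rules mirroring the ACL applied in Part 1.
$rules = @(
    [pscustomobject]@{ Order = 100; Action = 'Deny';   RemoteSubnet = '203.0.113.5/32' },
    [pscustomobject]@{ Order = 200; Action = 'Permit'; RemoteSubnet = '203.0.113.0/24' }
)
Get-AclVerdict -Rules $rules -SourceAddress '203.0.113.5'    # the blocked host
Get-AclVerdict -Rules $rules -SourceAddress '203.0.113.9'    # another office host
Get-AclVerdict -Rules $rules -SourceAddress '198.51.100.1'   # outside both ranges

# The same two rules with their order swapped: the /24 permit now shadows the /32 deny.
$shadowed = $rules | ForEach-Object {
    [pscustomobject]@{ Order = 300 - $_.Order; Action = $_.Action; RemoteSubnet = $_.RemoteSubnet }
}
Get-AclVerdict -Rules $shadowed -SourceAddress '203.0.113.5'
```

In the original order the blocked host is denied by rule 100 while the rest of the /24 is permitted by rule 200 and addresses outside both ranges match no rule. After the swap, the /24 permit sits at order 100 and matches the blocked host before the deny is ever consulted, which is the shadowing the ordering rule above warns about. What happens to traffic that matches no rule at all is defined by the ACL semantics described in What is a Network Access Control List, not by this model, so the evaluator reports it as "no rule matched" rather than guessing.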

Next steps