您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

使用经典部署模型在 Windows 虚拟机上设置终结点Set up endpoints on a Windows virtual machine by using the classic deployment model

在 Azure 中使用经典部署模型创建的 Windows 虚拟机 (VM) 可以通过专用网络通道与同一云服务或虚拟网络中的其他 VM 自动通信。Windows virtual machines (VMs) that you create in Azure by using the classic deployment model can automatically communicate over a private network channel with other VMs in the same cloud service or virtual network. 但是,Internet 上的计算机或其他虚拟网络需要终结点才能将入站网络流量定向到 VM。However, computers on the internet or other virtual networks require endpoints to direct the inbound network traffic to a VM.

也可以在 Linux 虚拟机上设置终结点。You can also set up endpoints on Linux virtual machines.

重要

Azure 具有用于创建和处理资源的两个不同的部署模型: Resource Manager 和经典Azure has two different deployment models for creating and working with resources: Resource Manager and classic. 本文介绍经典部署模型。This article covers the classic deployment model. Microsoft 建议大多数新部署使用资源管理器模型。Microsoft recommends that most new deployments use the Resource Manager model.

自 2017 年 11 月 15 日起,仅在 Azure 门户中提供虚拟机。Starting November 15, 2017, virtual machines will be available only in the Azure portal.

资源管理器部署模型中,终结点使用网络安全组 (NSG) 进行配置。In the Resource Manager deployment model, endpoints are configured by using Network Security Groups (NSGs). 有关详细信息,请参阅使用 Azure 门户允许对 VM 进行外部访问For more information, see Allow external access to your VM by using the Azure portal.

在 Azure 门户中创建 Windows VM 时,通常会自动创建常用终结点(如用于远程桌面和 Windows PowerShell 远程处理的终结点)。When you create a Windows VM in the Azure portal, common endpoints, such as endpoints for Remote Desktop and Windows PowerShell Remoting, are typically created for you automatically. 以后可以根据需要配置其他终结点。You can configure additional endpoints later as needed.

每个终结点都拥有公用端口专用端口Each endpoint has a public port and a private port:

  • Azure 负载均衡器使用公用端口侦听从 Internet 传入的虚拟机流量。The public port is used by the Azure load balancer to listen for incoming traffic to the virtual machine from the internet.
  • 虚拟机使用专用端口侦听传入流量(通常发送到虚拟机上运行的应用程序或服务)。The private port is used by the virtual machine to listen for incoming traffic, typically destined to an application or service running on the virtual machine.

使用 Azure 门户创建终结点时,将为 IP 协议和众所周知的网络协议的 TCP 或 UDP 端口提供默认值。Default values for the IP protocol and TCP or UDP ports for well-known network protocols are provided when you create endpoints with the Azure portal. 对于自定义终结点,请指定正确的 IP 协议(TCP 或 UDP),以及公用和专用端口。For custom endpoints, specify the correct IP protocol (TCP or UDP) and the public and private ports. 若要将传入流量随机分布到多个虚拟机,请创建包含多个终结点的负载均衡集。To distribute incoming traffic randomly across multiple virtual machines, create a load-balanced set consisting of multiple endpoints.

创建终结点后,可以使用访问控制列表 (ACL) 定义规则,根据传入流量的源 IP 地址允许或拒绝终结点的公用端口的传入流量。After you create an endpoint, you can use an access control list (ACL) to define rules that permit or deny the incoming traffic to the public port of the endpoint based on its source IP address. 但是,如果虚拟机位于 Azure 虚拟网络中,请改用网络安全组。However, if the virtual machine is in an Azure virtual network, use network security groups instead. 有关详细信息,请参阅关于网络安全组For more information, see About network security groups.

备注

将对与 Azure 自动设置的远程连接终结点关联的端口自动完成 Azure 虚拟机的防火墙配置。Firewall configuration for Azure virtual machines is done automatically for ports associated with remote connectivity endpoints that Azure sets up automatically. 对于为所有其他终结点指定的端口,不会自动对虚拟机防火墙进行任何配置。For ports specified for all other endpoints, no configuration is done automatically to the firewall of the virtual machine. 为虚拟机创建终结点时,请确保虚拟机的防火墙也允许与终结点配置对应的协议和专用端口的流量。When you create an endpoint for the virtual machine, ensure that the firewall of the virtual machine also allows the traffic for the protocol and private port corresponding to the endpoint configuration. 若要配置防火墙,请参阅有关在虚拟机上运行的操作系统的文档或联机帮助。To configure the firewall, see the documentation or on-line help for the operating system running on the virtual machine.

创建终结点Create an endpoint

  1. 登录到 Azure 门户Sign in to the Azure portal.

  2. 选择“虚拟机”,然后选择要配置的虚拟机。Select Virtual machines, and then select the virtual machine that you want to configure.

  3. 在“设置”组中选择“终结点”。Select Endpoints in the Settings group. 此时会显示“终结点”页,其中列出了虚拟机的所有当前终结点。The Endpoints page appears, which lists all the current endpoints for the virtual machine. (本示例适用于 Windows VM。(This example is for a Windows VM. 如果是 Linux VM,则默认显示一个 SSH 终结点。)A Linux VM will by default show an endpoint for SSH.)

    终结点 Endpoints

  4. 在终结点条目上方的命令栏中,选择“添加”。In the command bar above the endpoint entries, select Add. 此时会显示“添加终结点”页。The Add endpoint page appears.

  5. 对于“名称”,请输入终结点的名称。For Name, enter a name for the endpoint.

  6. 对于“协议”,请选择“TCP”或“UDP”。For Protocol, choose either TCP or UDP.

  7. 对于“公共端口”,请输入来自 Internet 的传入流量的端口号。For Public port, enter the port number for the incoming traffic from the internet.

  8. 对于“专用端口”,请输入虚拟机正在侦听的端口号。For Private port, enter the port number on which the virtual machine is listening. 公共和专用端口号可以不同。The public and private port numbers can be different. 确保已将虚拟机的防火墙配置为允许与协议和专用端口对应的流量。Ensure that the firewall on the virtual machine has been configured to allow the traffic corresponding to the protocol and private port.

  9. 选择“确定”。Select OK.

新终结点将在“终结点”页上列出。The new endpoint is listed on the Endpoints page.

成功创建终结点

管理终结点上的 ACLManage the ACL on an endpoint

若要定义一组可以发送流量的计算机,终结点上的 ACL 可以基于源 IP 地址限制流量。To define the set of computers that can send traffic, the ACL on an endpoint can restrict traffic based upon source IP address. 按照下列步骤,在终结点上添加、修改或删除 ACL。Follow these steps to add, modify, or remove an ACL on an endpoint.

备注

如果终结点是负载均衡集的一部分,则会将对终结点上 ACL 作出的任何更改应用到该集中的所有终结点。If the endpoint is part of a load-balanced set, any changes you make to the ACL on an endpoint are applied to all endpoints in the set.

如果虚拟机位于 Azure 虚拟网络中,请使用网络安全组,而不要使用 ACL。If the virtual machine is in an Azure virtual network, use network security groups instead of ACLs. 有关详细信息,请参阅关于网络安全组For more information, see About network security groups.

  1. 登录到 Azure 门户。Sign in to the Azure portal.

  2. 选择“虚拟机”,然后选择要配置的虚拟机的名称。Select Virtual machines, and then select the name of the virtual machine that you want to configure.

  3. 选择“终结点”。Select Endpoints. 在终结点列表中选择相应的终结点。From the endpoints list, select the appropriate endpoint. ACL 列表位于页面底部。The ACL list is at the bottom of the page.

    指定 ACL 详细信息

  4. 使用列表中的行为 ACL 添加、删除或编辑规则,并更改其顺序。Use rows in the list to add, delete, or edit rules for an ACL and change their order. “远程子网”值是从 Internet 传入流量的 IP 地址范围,Azure 负载均衡器将使用该值根据流量的源 IP 地址允许或拒绝传入流量。The REMOTE SUBNET value is an IP address range for incoming traffic from the internet that the Azure load balancer uses to permit or deny the traffic based on its source IP address. 请务必以无类域间路由 (CIDR) 格式(也称为地址前缀格式)指定 IP 地址范围。Be sure to specify the IP address range in classless inter-domain routing (CIDR) format, also known as address prefix format. 例如,10.1.0.0/8For example, 10.1.0.0/8.

    新的 ACL 条目

可以使用规则只允许来自与 Internet 上计算机对应的特定计算机的流量,或拒绝来自特定已知地址范围的流量。You can use rules to allow only traffic from specific computers corresponding to your computers on the internet or to deny traffic from specific, known address ranges.

按照从第一个规则开始并以最后一个规则结束的顺序评估规则。The rules are evaluated in order starting with the first rule and ending with the last rule. 因此,规则应按最低限制到最高限制排序。Therefore, rules should be ordered from least restrictive to most restrictive. 有关详细信息,请参阅什么是网络访问控制列表For more information, see What is a Network Access Control List.

后续步骤Next steps