
How network security groups filter network traffic

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

[Figure: NSG processing]

Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

Inbound traffic

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 or is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
  • VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either, or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.

Intra-subnet traffic

It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. For example, if a rule is added to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.
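The evaluation order described in the inbound, outbound and intra-subnet sections above, modelled as a small simulation. This is an added example, not Azure's own logic or code: the NSG, VM and rule names come from the picture, the port-80 rules are constructed, and the priority numbers on the two default rules are assumed (Azure processes rules in priority order, lowest number first).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    priority: int            # lower number is evaluated first
    access: str              # "Allow" or "Deny"
    port: Optional[int]      # None matches any destination port
    name: str

@dataclass
class Nsg:
    name: str
    inbound: list = field(default_factory=list)   # custom rules only
    outbound: list = field(default_factory=list)

# Default rules named on the page; the priority numbers are assumed here.
DEFAULT_INBOUND = [Rule(65500, "Deny", None, "DenyAllInbound")]
DEFAULT_OUTBOUND = [Rule(65001, "Allow", None, "AllowInternetOutbound")]

def evaluate(rules, port):
    """Within one NSG the first matching rule in priority order decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.port is None or r.port == port:
            return r.access == "Allow", r.name
    raise ValueError("an NSG always ends with a default rule")

def flow_allowed(subnet_nsg, nic_nsg, direction, port):
    """Inbound: subnet NSG, then NIC NSG. Outbound: NIC NSG, then subnet NSG.
    A missing NSG is skipped; the first Deny stops evaluation. Returns
    (allowed, trace) where trace lists (NSG name, deciding rule) in order."""
    order = [subnet_nsg, nic_nsg] if direction == "inbound" else [nic_nsg, subnet_nsg]
    trace = []
    for nsg in order:
        if nsg is None:
            continue
        custom = nsg.inbound if direction == "inbound" else nsg.outbound
        defaults = DEFAULT_INBOUND if direction == "inbound" else DEFAULT_OUTBOUND
        ok, rule = evaluate(custom + defaults, port)
        trace.append((nsg.name, rule))
        if not ok:
            return False, trace
    return True, trace

def page_scenario(nsg1, nsg2, direction, port=80):
    """The four VMs from the picture: NSG1 on Subnet1 (VM1, VM2), NSG2 on the NICs of VM1 and VM3."""
    placement = {"VM1": (nsg1, nsg2), "VM2": (nsg1, None), "VM3": (None, nsg2), "VM4": (None, None)}
    return {vm: flow_allowed(s, n, direction, port)[0] for vm, (s, n) in placement.items()}
```

The trace returned by flow_allowed is the same information IP flow verify reports: whether the flow is allowed and which rule in which NSG decided it.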

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for a network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether a communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Next steps