
Security groups

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. To learn about which Azure resources can be deployed into a virtual network and have network security groups associated to them, see Virtual network integration for Azure services. For each rule, you can specify source and destination, port, and protocol.

This article explains network security group concepts, to help you use them effectively. If you've never created a network security group, you can complete a quick tutorial to get some experience creating one. If you're familiar with network security groups and need to manage them, see Manage a network security group. If you're having communication problems and need to troubleshoot network security groups, see Diagnose a virtual machine network traffic filter problem. You can enable network security group flow logs to analyze network traffic to and from resources that have an associated network security group.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

| Property | Explanation |
|---|---|
| Name | A unique name within the network security group. |
| Priority | A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed. |
| Source or destination | Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Learn more about Azure IP addresses. Specifying a range, a service tag, or application security group enables you to create fewer security rules. The ability to specify multiple individual IP addresses and ranges (you cannot specify multiple service tags or application groups) in a rule is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model. Learn more about Azure deployment models. |
| Protocol | TCP, UDP, ICMP or Any. |
| Direction | Whether the rule applies to inbound or outbound traffic. |
| Port range | You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model. |
| Action | Allow or deny. |

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Augmented security rules

Augmented security rules simplify security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.

Service tags

A service tag represents a group of IP address prefixes from a given Azure service. It helps to minimize the complexity of frequent updates to network security rules.

For more information, see Azure service tags.

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

AllowVNetInBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |

AllowAzureLoadBalancerInBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65001 | AzureLoadBalancer | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Allow |

DenyAllInbound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

Outbound

AllowVnetOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65000 | VirtualNetwork | 0-65535 | VirtualNetwork | 0-65535 | Any | Allow |

AllowInternetOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65001 | 0.0.0.0/0 | 0-65535 | Internet | 0-65535 | Any | Allow |

DenyAllOutBound

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 65500 | 0.0.0.0/0 | 0-65535 | 0.0.0.0/0 | 0-65535 | Any | Deny |

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. In the Protocol column, Any encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP or Any. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients like the Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

You cannot remove the default rules, but you can override them by creating rules with higher priorities.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example:

(Figure: Application security groups)

In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the Azure limits. None of the network interfaces have an associated network security group. NSG1 is associated to both subnets and contains the following rules:

Allow-HTTP-Inbound-Internet

This rule is needed to allow traffic from the internet to the web servers. Because inbound traffic from the internet is denied by the DenyAllInbound default security rule, no additional rule is needed for the AsgLogic or AsgDb application security groups.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 100 | Internet | * | AsgWeb | 80 | TCP | Allow |

Deny-Database-All

Because the AllowVNetInBound default security rule allows all communication between resources in the same virtual network, this rule is needed to deny traffic from all resources.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 120 | * | * | AsgDb | 1433 | Any | Deny |

Allow-Database-BusinessLogic

This rule allows traffic from the AsgLogic application security group to the AsgDb application security group. The priority for this rule is higher than the priority for the Deny-Database-All rule. As a result, this rule is processed before the Deny-Database-All rule, so traffic from the AsgLogic application security group is allowed, whereas all other traffic is blocked.

| Priority | Source | Source ports | Destination | Destination ports | Protocol | Access |
|---|---|---|---|---|---|---|
| 110 | AsgLogic | * | AsgDb | 1433 | TCP | Allow |

The rules that specify an application security group as the source or destination are only applied to the network interfaces that are members of the application security group. If the network interface is not a member of an application security group, the rule is not applied to the network interface, even though the network security group is associated to the subnet.
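The following Python script is an added example, not Microsoft's code and not part of this article. It simulates the evaluation described under Security rules (rules sorted by priority, first match on the 5-tuple, processing stops at the first hit, default rules at 65000 and above) and applies it to the NSG1 rules of the AsgWeb / AsgLogic / AsgDb example above. The VNet address space 10.0.0.0/16, the NIC private IP addresses, the ASG memberships and the handling of the VirtualNetwork, Internet and AzureLoadBalancer tags are constructed simplifications for the simulation, not the real contents of Azure service tags.

```python
# Added example (not Microsoft's code): a small simulator of NSG rule selection.
# Priority-ordered first match on protocol, source, destination and port, with
# service tags and application security groups (ASGs) resolved against a
# constructed topology. Ports on the page are destination ports; source ports
# are "*" in every page rule, so they are not modelled here.
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")   # constructed VNet address space
LB_PROBE_IP = "168.63.129.16"                # host-node virtual IP named on the page

# Constructed membership: NIC -> private IP, ASG -> member NICs (as in the picture)
NIC_IP = {"NIC1": "10.0.1.4", "NIC2": "10.0.1.5", "NIC3": "10.0.1.6", "NIC4": "10.0.2.4"}
ASG = {"AsgWeb": {"NIC1", "NIC2"}, "AsgLogic": {"NIC3"}, "AsgDb": {"NIC4"}}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; default rules use 65000 and up
    source: str        # "*", "0.0.0.0/0", a CIDR, a service tag or an ASG name
    dest: str
    dest_ports: str    # "*", "80" or "10000-10005"
    protocol: str      # "TCP", "UDP", "ICMP" or "Any"
    access: str        # "Allow" or "Deny"


def _addr_matches(spec, ip, nic):
    """True if a source/destination spec covers this endpoint.
    ASG specs match only member NICs, exactly as the text above states."""
    if spec in ("*", "0.0.0.0/0"):
        return True
    if spec in ASG:
        return nic in ASG[spec]
    if spec == "VirtualNetwork":               # simplification: the VNet range only
        return ipaddress.ip_address(ip) in VNET
    if spec == "AzureLoadBalancer":            # simplification: the probe address only
        return ip == LB_PROBE_IP
    if spec == "Internet":                     # simplification: anything outside both
        return ipaddress.ip_address(ip) not in VNET and ip != LB_PROBE_IP
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Match a single port ("80") or an inclusive range ("10000-10005")."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, dst_ip, dst_port, protocol, src_nic=None, dst_nic=None):
    """Return (access, rule name) of the first rule that matches, in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "Any" and r.protocol != protocol:
            continue
        if not _addr_matches(r.source, src_ip, src_nic):
            continue
        if not _addr_matches(r.dest, dst_ip, dst_nic):
            continue
        if not _port_matches(r.dest_ports, dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no rule>"   # not reached while the default rules are present


def nic_to_nic(rules, src_nic, dst_nic, dst_port, protocol):
    """Convenience wrapper for traffic between two NICs of the constructed topology."""
    return evaluate(rules, NIC_IP[src_nic], NIC_IP[dst_nic], dst_port, protocol, src_nic, dst_nic)


# The three default inbound rules from the page, then NSG1's three user rules.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "0-65535", "Any", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "0.0.0.0/0", "0-65535", "Any", "Allow"),
    Rule("DenyAllInbound", 65500, "0.0.0.0/0", "0.0.0.0/0", "0-65535", "Any", "Deny"),
]
NSG1_INBOUND = [
    Rule("Allow-HTTP-Inbound-Internet", 100, "Internet", "AsgWeb", "80", "TCP", "Allow"),
    Rule("Allow-Database-BusinessLogic", 110, "AsgLogic", "AsgDb", "1433", "TCP", "Allow"),
    Rule("Deny-Database-All", 120, "*", "AsgDb", "1433", "Any", "Deny"),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    # 203.0.113.9 is a constructed internet client address.
    print(evaluate(NSG1_INBOUND, "203.0.113.9", NIC_IP["NIC1"], 80, "TCP", dst_nic="NIC1"))
    print(nic_to_nic(NSG1_INBOUND, "NIC3", "NIC4", 1433, "TCP"))
    print(nic_to_nic(NSG1_INBOUND, "NIC1", "NIC4", 1433, "TCP"))
```

Two things the simulation makes visible that the tables alone do not: the Deny-Database-All rule at 120 never gets a chance to reject AsgLogic traffic because 110 already matched, and an internet client on port 80 is only admitted to NICs that are AsgWeb members, so the same NSG1 rule set leaves NIC3 and NIC4 covered by DenyAllInbound.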

Application security groups have the following constraints:

  • There are limits to the number of application security groups you can have in a subscription, as well as other limits related to application security groups. For details, see Azure limits.
  • You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
  • All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to AsgWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
  • If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.

Tip

To minimize the number of security rules you need, and the need to change the rules, plan out the application security groups you need and create rules using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses, whenever possible.

How traffic is evaluated

You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

(Figure: NSG processing)

Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

Inbound traffic

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
  • VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or to the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.
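The script below is an added example, not Microsoft's code and not part of this article. It encodes the subnet-then-NIC order for inbound traffic and the NIC-then-subnet order for outbound traffic described above, and replays the VM1 to VM4 scenarios from the picture. Each NSG is reduced to the one thing these scenarios vary, whether it has a user rule for TCP port 80, on top of the default rules (DenyAllInbound and AllowInternetOutBound); the rule sets given to NSG1 and NSG2 in the tests are constructed inputs, and a level with no NSG attached is modelled as None.

```python
# Added example (not Microsoft's code): which NSG Azure consults first, and
# when it stops, for internet traffic to and from the VMs in the picture.
# An NSG is a dict {port: "Allow" | "Deny"} of user rules; None means no NSG
# is associated at that level, which lets all traffic through that level.

def nsg_verdict(nsg, direction, port):
    """Verdict of one NSG for traffic on `port`, or None when no NSG is attached.
    A port with no user rule falls back to the default rules: inbound from the
    internet is denied (DenyAllInbound), outbound to it is allowed
    (AllowInternetOutBound)."""
    if nsg is None:
        return None
    if port in nsg:
        return nsg[port]
    return "Deny" if direction == "inbound" else "Allow"


def evaluate_path(subnet_nsg, nic_nsg, direction, port):
    """Return (verdict, levels consulted in order) for internet traffic on `port`.
    Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then
    subnet NSG. Evaluation stops at the first NSG that denies; a level with no
    NSG is skipped, and traffic that no NSG denies is allowed."""
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "outbound":
        order.reverse()
    consulted = []
    for level, nsg in order:
        verdict = nsg_verdict(nsg, direction, port)
        if verdict is None:
            continue
        consulted.append(level)
        if verdict == "Deny":
            return "Deny", consulted
    return "Allow", consulted


def scenario(nsg1, nsg2, direction, port=80):
    """Verdicts for the four VMs of the picture given NSG1's and NSG2's rules.
    Layout as described on the page: NSG1 is attached to Subnet1, NSG2 to the
    network interfaces of VM1 and VM3; Subnet2, Subnet3 and VM2's and VM4's
    NICs have no NSG."""
    return {
        "VM1": evaluate_path(nsg1, nsg2, direction, port),   # Subnet1 + NIC NSG2
        "VM2": evaluate_path(nsg1, None, direction, port),   # Subnet1 only
        "VM3": evaluate_path(None, nsg2, direction, port),   # NIC NSG2 only
        "VM4": evaluate_path(None, None, direction, port),   # nothing attached
    }


if __name__ == "__main__":
    # Constructed inputs: NSG1 has no port-80 rule, NSG2 allows port 80 inbound.
    for vm, result in scenario({}, {80: "Allow"}, "inbound").items():
        print(vm, result)
    # Constructed inputs: NSG2 denies port 80 outbound, NSG1 has no port-80 rule.
    for vm, result in scenario({}, {80: "Deny"}, "outbound").items():
        print(vm, result)
```

The `consulted` list is the part worth reading: for VM1 inbound with no allow rule in NSG1 it contains only "subnet", showing that NSG2's allow rule was never reached, and for VM1 outbound with a deny in NSG2 it contains only "nic", which is why a deny at either level is enough to block the flow.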

Intra-Subnet traffic

It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. For example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for a network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using a default route 0.0.0.0/0 configuration, this platform rule will be disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets, are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service doesn't function properly.

  • Sending outbound email: Microsoft recommends that you utilize authenticated SMTP relay services (typically connected via TCP port 587, but often others as well) to send email from Azure Virtual Machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.
    • Pay-as-you-go: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at Microsoft's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers, instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.
    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.
    • Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider, and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    If Azure allows you to send email over port 25, Microsoft cannot guarantee that email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps