
Tutorial: Restrict network access to PaaS resources with virtual network service endpoints using the Azure portal

Virtual network service endpoints enable you to limit network access to some Azure service resources to a virtual network subnet. You can also remove internet access to the resources. Service endpoints provide a direct connection from your virtual network to supported Azure services, allowing you to use your virtual network's private address space to access the Azure services. Traffic destined to Azure resources through service endpoints always stays on the Microsoft Azure backbone network. In this tutorial, you learn how to:

  • Create a virtual network with one subnet
  • Add a subnet and enable a service endpoint
  • Create an Azure resource and allow network access to it from only a subnet
  • Deploy a virtual machine (VM) to each subnet
  • Confirm access to a resource from a subnet
  • Confirm access is denied to a resource from a subnet and the internet

If you prefer, you can complete this tutorial using the Azure CLI or Azure PowerShell.

If you don't have an Azure subscription, create a free account before you begin.

Log in to Azure

Log in to the Azure portal at https://portal.azure.com.

Create a virtual network

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Select Networking, and then select Virtual networks.

  3. Click + Add and enter the following information:

    Setting | Value
    Subscription | Select your subscription
    Resource group | Select Create new and enter myResourceGroup.
    Name | Enter myVirtualNetwork
    Region | Select (US) East US

    (Screenshot: Enter basic information for the virtual network)

  4. Click Next: IP addresses >

    Setting | Value
    IPv4 address space | Leave as default
    Subnet name | Click default and change the name from "default" to "Public"
    Subnet address range | Leave as default

  5. Click Next: Security >

    Setting | Value
    BastionHost | Disable
    DDoS protection | Disable
    Firewall | Disable

  6. When complete, click Review and create.

  7. If the validation checks pass, click Create.

  8. Wait for the deployment to finish, then click Go to resource or move on to the next section.

Enable a service endpoint

Service endpoints are enabled per service, per subnet. To create a subnet and enable a service endpoint for the subnet:

  1. If you are not already on the virtual network resource page, you can search for the newly created network in the Search resources, services, and docs box at the top of the portal, enter myVirtualNetwork, and select it from the list.

  2. In the Settings menu (left), select Subnets, and then select + Subnet, as shown:

    (Screenshot: Add subnet)

  3. Under Add subnet, select or enter the following information, and then select OK:

    Setting | Value
    Name | Private
    Address range | Leave as default
    Service endpoints | Select Microsoft.Storage
    Service endpoint policies | Leave default as 0

Note

Before enabling a service endpoint for an existing subnet that has resources in it, see Change subnet settings.

  4. Click Save, then close the Subnet window on the right. The newly created subnet should appear in the list.

Restrict network access for a subnet

By default, all virtual machine instances in a subnet can communicate with all resources. You can limit communication to and from all resources in a subnet by creating a network security group and associating it to the subnet:

  1. Select All services in the upper left corner of the Azure portal.

  2. Select Networking, and then select (or search for) Network security groups.

  3. From the Network security groups page, click + Add.

  4. Enter the following information:

    Setting | Value
    Subscription | Select your subscription
    Resource group | Select myResourceGroup from the list
    Name | Enter myNsgPrivate
    Location | Select East US

  5. Click Review + create, and when the validation check has passed, click Create.

  6. After the network security group is created, click Go to resource or search for myNsgPrivate.

  7. Under Settings on the left, select Outbound security rules.

  8. Select + Add.

  9. Create a rule that allows outbound communication to the Azure Storage service. Enter, or select, the following information, and then select Add:

    Setting | Value
    Source | Select VirtualNetwork
    Source port ranges | *
    Destination | Select Service Tag
    Destination service tag | Select Storage
    Destination port ranges | Leave default as 8080
    Protocol | Any
    Action | Allow
    Priority | 100
    Name | Rename to Allow-Storage-All

  10. Create another outbound security rule that denies communication to the internet. This rule overrides a default rule in all network security groups that allows outbound internet communication. Complete steps 6-9 from above using the following values:

    Setting | Value
    Source | Select VirtualNetwork
    Source port ranges | *
    Destination | Select Service Tag
    Destination service tag | Select Internet
    Destination port ranges | *
    Protocol | Any
    Action | Change default to Deny
    Priority | 110
    Name | Change to Deny-Internet-All

  11. Create an inbound security rule that allows Remote Desktop Protocol (RDP) traffic to the subnet from anywhere. The rule overrides a default security rule that denies all inbound traffic from the internet. Remote desktop connections are allowed to the subnet so that connectivity can be tested in a later step.

  12. Under Settings, select Inbound security rules.

  13. Select + Add and use the following values:

    Setting | Value
    Source | Any
    Source port ranges | *
    Destination | Select VirtualNetwork
    Destination port ranges | Change to 3389
    Protocol | Any
    Action | Allow
    Priority | 120
    Name | Change to Allow-RDP-All

Warning

RDP port 3389 is exposed to the Internet. This is only recommended for testing. For production environments, we recommend using a VPN or private connection.

  14. Under Settings, select Subnets.
  15. Click + Associate.
  16. Under Virtual network, select myVirtualNetwork.
  17. Under Subnet, select Private, and then select OK.

Restrict network access to a resource

The steps required to restrict network access to resources created through Azure services that are enabled for service endpoints vary across services. See the documentation for individual services for specific steps for each service. The remainder of this tutorial includes steps to restrict network access for an Azure Storage account, as an example.

Create a storage account

  1. Select + Create a resource on the upper, left corner of the Azure portal.

  2. Enter "Storage account" in the search bar, and select it from the drop-down menu.

  3. Click + Add.

  4. Enter the following information:

    Setting | Value
    Subscription | Select your subscription
    Resource group | Select myResourceGroup
    Storage account name | Enter a name that is unique across all Azure locations, between 3-24 characters in length, using only numbers and lower-case letters.
    Location | Select (US) East US
    Performance | Standard
    Account kind | StorageV2 (general purpose v2)
    Replication | Locally-redundant storage (LRS)

  5. Select Create + review, and when the validation checks have passed, click Create.

Note

The deployment may take a couple of minutes to complete.

  6. After the storage account is created, click Go to resource.

Create a file share in the storage account

  1. Go to your storage account overview page.

  2. Select the File shares app icon, then click + File share.

    Setting | Value
    Name | my-file-share
    Quota | Set to maximum

    (Screenshot: Storage account)

  3. Click Create.

  4. The file share should be shown in the Azure window; if not, click Refresh.

Restrict network access to a subnet

By default, storage accounts accept network connections from clients in any network, including the internet. You can restrict network access from the internet, and from all other subnets in all virtual networks, except the Private subnet in the myVirtualNetwork virtual network. To restrict network access to a subnet:

  1. Under Settings for your (uniquely named) storage account, select Networking.

  2. Select Selected networks.

  3. Select + Add existing virtual network.

  4. Under Add networks, select the following values, and then select Add:

    Setting | Value
    Subscription | Select your subscription
    Virtual networks | myVirtualNetwork
    Subnets | Private

    (Screenshot: The Add networks pane, where the specified values are entered)

  5. Click Add and then immediately click the Save icon to save the changes.

  6. Under Settings for the storage account, select Access keys, as shown in the following image:

    (Screenshot: Access keys selected under Settings, where the keys can be obtained)

  7. Click Show keys and note the key values, as you'll have to manually enter key1 in a later step when mapping the file share to a drive letter in a VM.
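The tutorial notes that the same outcome can be reached with Azure PowerShell; the script below is an added example (not a command sequence from the tutorial) that applies the NSG rules, the Private subnet with its Microsoft.Storage endpoint, and the storage account network rules from the two "Restrict network access" sections above with the Az module. It assumes you are already signed in with Connect-AzAccount, that myResourceGroup, myVirtualNetwork (with the default 10.0.0.0/16 space) and the storage account already exist, and that <storage-account-name> is a placeholder for your uniquely named account.

```powershell
# Added example (not from the tutorial): the portal steps above expressed with the Az PowerShell module.
# Assumptions: already signed in (Connect-AzAccount); myResourceGroup, myVirtualNetwork and the
# storage account exist; the VNet uses the default 10.0.0.0/16 space so 10.0.1.0/24 is free.
$rg          = "myResourceGroup"
$location    = "eastus"
$vnetName    = "myVirtualNetwork"
$storageName = "<storage-account-name>"   # placeholder for your uniquely named account

# NSG rules for the Private subnet, mirroring steps 9-13 above. Storage is allowed at priority 100,
# so it is matched before the priority-110 rule that denies all other outbound Internet traffic.
$allowStorage = New-AzNetworkSecurityRuleConfig -Name "Allow-Storage-All" -Direction Outbound `
    -Access Allow -Protocol * -Priority 100 -SourceAddressPrefix VirtualNetwork `
    -SourcePortRange * -DestinationAddressPrefix Storage -DestinationPortRange *
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-All" -Direction Outbound `
    -Access Deny -Protocol * -Priority 110 -SourceAddressPrefix VirtualNetwork `
    -SourcePortRange * -DestinationAddressPrefix Internet -DestinationPortRange *
# Inbound RDP exists only for the connectivity test; Tcp is used instead of Any because RDP is TCP-only.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-All" -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 120 -SourceAddressPrefix * `
    -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name "myNsgPrivate" `
    -SecurityRules $allowStorage, $denyInternet, $allowRdp

# Private subnet with the Microsoft.Storage service endpoint and the NSG associated (steps 3-4 and 14-17).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name "Private" -VirtualNetwork $vnet -AddressPrefix "10.0.1.0/24" `
    -ServiceEndpoint Microsoft.Storage -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
$privateSubnet = Get-AzVirtualNetworkSubnetConfig -Name "Private" -VirtualNetwork $vnet

# Storage account firewall: allow the Private subnet first, then make Deny the default for everything
# else, so the account is never left with the default action flipped and no allowed network.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storageName `
    -VirtualNetworkResourceId $privateSubnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName -DefaultAction Deny | Out-Null

# Check the result: DefaultAction should read Deny and exactly one virtual network rule should be listed.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storageName
"DefaultAction: $($ruleSet.DefaultAction)"
$ruleSet.VirtualNetworkRules | Select-Object VirtualNetworkResourceId, Action, State
```

The final check is the PowerShell equivalent of the portal's Networking blade: any subnet without the Microsoft.Storage endpoint, such as Public, will be refused by the account exactly as the "Confirm access is denied" section describes.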

Create virtual machines

To test network access to a storage account, deploy a VM to each subnet.

Create the first virtual machine

  1. From the "Search resources..." bar, search for Virtual machines.

  2. Select + Add > Virtual machine.

  3. Enter the following information:

    Setting | Value
    Subscription | Select your subscription
    Resource group | Select myResourceGroup, which was created earlier.
    Virtual machine name | Enter myVmPublic
    Region | (US) East US
    Availability options | Availability zone
    Availability zone | 1
    Image | Windows Server 2019 Datacenter - Gen1
    Size | Select the VM instance size you want to use
    Username | Enter a user name of your choosing.
    Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Public inbound ports | Allow selected ports
    Select inbound ports | Leave default set to RDP (3389)

    (Screenshot: Select the virtual network)

  4. Select the Networking tab and then select myVirtualNetwork.

  5. Select the Public subnet.

  6. Under NIC network security group, select Advanced. The portal automatically creates a network security group for you that allows port 3389, which you'll need open to connect to the virtual machine in a later step.

    (Screenshot: Enter basic information for the virtual machine)

  7. Select Review and create, then Create, and wait for the deployment to finish.

  8. Click Go to resource, or open the Home > Virtual machines page, and select the VM you just created, myVmPublic, which should be started.

Create the second virtual machine

  1. Complete steps 1-8 again, but in step 3, name the virtual machine myVmPrivate and set Public inbound ports to None.
  2. In steps 4-5, select the Private subnet.

Note

The NIC network security group and Public inbound ports settings should mirror the image shown below, including the blue confirmation window stating: "all public internet traffic will be blocked by default".

(Screenshot: Create the private virtual machine)

  3. Select Review and create, then Create, and wait for the deployment to finish.

Warning

Do not continue to the next step until the deployment is complete.

  4. Wait for the confirmation window shown below and click Go to resource.

    (Screenshot: Confirmation window for creating the private virtual machine)

Confirm access to storage account

  1. Once the myVmPrivate VM has been created, click Go to resource.

  2. Connect to the VM by selecting Connect > RDP.

  3. After selecting the Connect button, a Remote Desktop Protocol (.rdp) file is created. Click Download RDP File to download it to your computer.

  4. Open the downloaded rdp file. If prompted, select Connect. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM. For the email field, enter the "Administrator account: username" credentials you specified earlier.

  5. Select OK.

  6. You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue to proceed with the connection. You should see the VM start as shown:

    (Screenshot: The private virtual machine running)

  7. In the VM window, open a PowerShell CLI instance.

  8. Using the script below, map the Azure file share to drive Z using PowerShell. Before running the commands that follow, replace <storage-account-key> and both <storage-account-name> fields with the values you supplied or retrieved earlier in Create a storage account.

    # Wrap the storage account key (key1 from the Access keys blade) as a SecureString
    $acctKey = ConvertTo-SecureString -String "<storage-account-key>" -AsPlainText -Force
    # Azure Files authenticates SMB with the account name as user and the key as password
    $credential = New-Object System.Management.Automation.PSCredential -ArgumentList "Azure\<storage-account-name>", $acctKey
    # Map the share over SMB to drive letter Z for the current session
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\<storage-account-name>.file.core.windows.net\my-file-share" -Credential $credential

    PowerShell returns output similar to the following example output:

    Name           Used (GB)     Free (GB) Provider      Root
    ----           ---------     --------- --------      ----
    Z                                      FileSystem    \\vnt.file.core.windows.net\my-f...

    The Azure file share successfully mapped to the Z drive.

  9. Close the remote desktop session to the myVmPrivate VM.

Confirm access is denied to storage account

  1. Enter myVmPublic in the Search resources, services, and docs box at the top of the portal.

  2. When myVmPublic appears in the search results, select it.

  3. Complete steps 1-8 above in Confirm access to storage account for the myVmPublic VM.

    After a short wait, you receive a New-PSDrive : Access is denied error. Access is denied because the myVmPublic VM is deployed in the Public subnet. The Public subnet does not have a service endpoint enabled for Azure Storage. The storage account only allows network access from the Private subnet, not the Public subnet.

  4. Close the remote desktop session to the myVmPublic VM.

  5. Back in the Azure portal, go to the uniquely named storage account you created earlier.

  6. Under File service, select File shares, then the my-file-share created earlier.

  7. You should receive the following error message:

    (Screenshot: Access denied error)

Note

Access is denied because your computer is not in the Private subnet of the MyVirtualNetwork virtual network.

Clean up resources

When no longer needed, delete the resource group and all resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you enabled a service endpoint for a virtual network subnet. You learned that you can enable service endpoints for resources deployed from multiple Azure services. You created an Azure Storage account and restricted network access to the storage account to only resources within a virtual network subnet. To learn more about service endpoints, see Service endpoints overview and Manage subnets.

If you have multiple virtual networks in your account, you may want to connect two virtual networks together so the resources within each virtual network can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.