
Filter network traffic with network security groups

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, to individual VMs (classic), or to individual network interfaces (NICs) attached to VMs (Resource Manager). When an NSG is associated to a subnet, its rules apply to all resources connected to that subnet. Traffic can be restricted further by also associating an NSG to the VM or NIC.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers both models, but Microsoft recommends that most new deployments use the Resource Manager model.

NSG resource

NSGs have the following properties:

| Property | Description | Constraints | Considerations |
|---|---|---|---|
| Name | Name for the NSG. | Must be unique within the region. Can contain letters, numbers, underscores, periods, and hyphens. Must start with a letter or number. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | Since you may need to create several NSGs, use a naming convention that makes it easy to identify the function of each NSG. |
| Region | Azure region where the NSG is created. | NSGs can only be associated to resources within the same region as the NSG. | To learn how many NSGs you can have per region, read the Azure limits article. |
| Resource group | The resource group the NSG exists in. | Although an NSG exists in a resource group, it can be associated to resources in any resource group, as long as the resource is in the same Azure region as the NSG. | Resource groups are used to manage multiple resources together, as a deployment unit. Consider grouping the NSG with the resources it is associated to. |
| Rules | Inbound or outbound rules that define what traffic is allowed or denied. | See the NSG rules section of this article. | |

Note

Endpoint-based ACLs and network security groups are not supported on the same VM instance. If you want to use an NSG and already have an endpoint ACL in place, remove the endpoint ACL first. To learn how to remove an ACL, read the Managing Access Control Lists (ACLs) for Endpoints by using PowerShell article.

NSG rules

NSG rules have the following properties:

| Property | Description | Constraints | Considerations |
|---|---|---|---|
| Name | Name for the rule. | Must be unique within the NSG. Can contain letters, numbers, underscores, periods, and hyphens. Must start with a letter or number. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | You may have several rules within an NSG, so follow a naming convention that identifies the function of each rule. |
| Protocol | Protocol to match for the rule. | TCP, UDP, or *. | Using * as the protocol includes ICMP (East-West traffic only) as well as UDP and TCP, and may reduce the number of rules you need. At the same time, * may be too broad an approach, so use it only when necessary. |
| Source port range | Source port range to match for the rule. | A single port number from 1 to 65535, a port range (example: 1-65535), or * (all ports). | Source ports are usually ephemeral, so unless your client program uses a specific port, use * in most cases. Use port ranges where possible to avoid needing multiple rules. Multiple ports or port ranges cannot be grouped with commas. |
| Destination port range | Destination port range to match for the rule. | A single port number from 1 to 65535, a port range (example: 1-65535), or * (all ports). | Use port ranges where possible to avoid needing multiple rules. Multiple ports or port ranges cannot be grouped with commas. |
| Source address prefix | Source address prefix or tag to match for the rule. | A single IP address (example: 10.10.10.10), an IP subnet (example: 192.168.1.0/24), a default tag, or * (all addresses). | Consider using ranges, default tags, and * to reduce the number of rules. |
| Destination address prefix | Destination address prefix or tag to match for the rule. | A single IP address (example: 10.10.10.10), an IP subnet (example: 192.168.1.0/24), a default tag, or * (all addresses). | Consider using ranges, default tags, and * to reduce the number of rules. |
| Direction | Direction of traffic to match for the rule. | Inbound or outbound. | Inbound and outbound rules are processed separately, based on direction. |
| Priority | Rules are checked in priority order (lowest number first). Once a rule matches, no further rules are evaluated for that packet. | A number between 100 and 4096. | Consider spacing priorities 100 apart to leave room for rules you may need to add later. |
| Access | Type of access to apply if the rule matches. | Allow or deny. | Keep in mind that if no allow rule matches a packet, the packet is dropped. |

NSGs contain two sets of rules: inbound and outbound. The priority of a rule must be unique within each set.

[Figure: NSG rule processing]

The preceding diagram shows how NSG rules are processed.

Default tags

Default tags are system-provided identifiers that address a category of IP addresses. You can use default tags in the source address prefix and destination address prefix properties of any rule. There are three default tags:

  • VirtualNetwork (Resource Manager) (VIRTUAL_NETWORK for classic): This tag includes the virtual network address space (the CIDR ranges defined in Azure), all connected on-premises address spaces, and connected Azure VNets (local networks).
  • AzureLoadBalancer (Resource Manager) (AZURE_LOADBALANCER for classic): This tag denotes Azure's infrastructure load balancer. It translates to the Azure datacenter IP from which Azure Load Balancer health probes originate.
  • Internet (Resource Manager) (INTERNET for classic): This tag denotes the IP address space outside the virtual network that is reachable from the public Internet. The range includes the Azure-owned public IP space.

Default rules

All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest precedence (priority numbers of 65000 and above), they can be overridden by the rules that you create.

The default rules allow and disallow traffic as follows:

  • Virtual network: Traffic originating and ending in a virtual network is allowed in both the inbound and outbound directions.
  • Internet: Outbound traffic is allowed, but inbound traffic is blocked.
  • Load balancer: Azure Load Balancer is allowed to probe the health of your VMs and role instances. If you override this rule, Azure Load Balancer health probes fail, which can impact your service.

Inbound default rules

| Name | Priority | Source IP | Source port | Destination IP | Destination port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | * | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | * | * | * | * | Allow |
| DenyAllInBound | 65500 | * | * | * | * | * | Deny |

Outbound default rules

| Name | Priority | Source IP | Source port | Destination IP | Destination port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | * | Allow |
| AllowInternetOutBound | 65001 | * | * | Internet | * | * | Allow |
| DenyAllOutBound | 65500 | * | * | * | * | * | Deny |

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

  • VM (classic only): Security rules are applied to all traffic to and from the VM.
  • NIC (Resource Manager only): Security rules are applied to all traffic to and from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSGs to each NIC individually.
  • Subnet (Resource Manager and classic): Security rules are applied to all traffic to and from any resource connected to the subnet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and to the subnet that the NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

  • Inbound traffic

    1. NSG applied to the subnet: If the subnet NSG has a matching rule that denies the traffic, the packet is dropped.

    2. NSG applied to the NIC (Resource Manager) or VM (classic): If the VM/NIC NSG has a matching rule that denies the traffic, the packet is dropped at the VM/NIC, even if the subnet NSG has a matching rule that allows it.

  • Outbound traffic

    1. NSG applied to the NIC (Resource Manager) or VM (classic): If the VM/NIC NSG has a matching rule that denies the traffic, the packet is dropped.

    2. NSG applied to the subnet: If the subnet NSG has a matching rule that denies the traffic, the packet is dropped, even if the VM/NIC NSG has a matching rule that allows it.

Note

Although you can associate only a single NSG to a given subnet, VM, or NIC, you can associate the same NSG to as many resources as you want.

Implementation

You can implement NSGs in the Resource Manager or classic deployment model using the following tools:

| Deployment tool | Classic | Resource Manager |
|---|---|---|
| Azure portal | Yes | Yes |
| PowerShell | Yes | Yes |
| Azure CLI V1 | Yes | Yes |
| Azure CLI V2 | No | Yes |
| Azure Resource Manager template | No | Yes |
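Azure Resource Manager templates are one of the tools in the table above. The following Python is an added example, not code from this article or from Azure: it builds the `Microsoft.Network/networkSecurityGroups` resource that such a template carries from a rule table, after checking the constraints listed in the NSG rules section (naming rules, priority 100-4096 and unique per direction, protocol TCP/UDP/*, port syntax with no comma lists) and flagging an inbound deny broad enough to block Azure Load Balancer health probes (see the default rules and the Load balancers section below). The rules are those of the FrontEnd subnet NSG from the sample deployment later in this article; the resource name `FrontEnd-NSG`, the `apiVersion` value, and the `[resourceGroup().location]` expression are assumptions made for the example.

```python
"""Validate NSG rules against the constraints in the "NSG rules" table and emit the
Microsoft.Network/networkSecurityGroups resource for an Azure Resource Manager template.
Added example; the API version and location expression are assumptions."""
import json
import re

# Name rules from the table: start with a letter or digit, letters/digits/_/./- inside,
# end with a letter, digit or underscore, at most 80 characters in total.
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9_.\-]{0,78}[A-Za-z0-9_])?$")
PORT_RE = re.compile(r"^(\*|\d{1,5}(-\d{1,5})?)$")


def rule(name, access, priority, direction, protocol, src, src_port, dst, dst_port):
    """One security rule, using the property names the ARM resource schema uses."""
    return {"name": name, "access": access, "priority": priority, "direction": direction,
            "protocol": protocol, "sourceAddressPrefix": src, "sourcePortRange": src_port,
            "destinationAddressPrefix": dst, "destinationPortRange": dst_port}


def valid_port_range(value):
    """'*', one port in 1-65535, or 'low-high' inside that range; comma lists are rejected."""
    if not PORT_RE.match(value):
        return False
    if value == "*":
        return True
    bounds = [int(p) for p in value.split("-")]
    return all(1 <= b <= 65535 for b in bounds) and bounds == sorted(bounds)


def validate_rules(rules):
    """Return constraint violations; an empty list means the rule set can be deployed."""
    problems, seen = [], set()
    for r in rules:
        if not NAME_RE.match(r["name"]):
            problems.append(f"{r['name']}: name violates the NSG naming constraints")
        if not 100 <= r["priority"] <= 4096:
            problems.append(f"{r['name']}: priority {r['priority']} is outside 100-4096")
        if (r["direction"], r["priority"]) in seen:
            problems.append(f"{r['name']}: priority {r['priority']} reused in direction {r['direction']}")
        seen.add((r["direction"], r["priority"]))
        if r["protocol"] not in ("Tcp", "Udp", "*"):
            problems.append(f"{r['name']}: protocol must be Tcp, Udp or *")
        for field in ("sourcePortRange", "destinationPortRange"):
            if not valid_port_range(r[field]):
                problems.append(f"{r['name']}: {field} {r[field]!r} is not a valid port or range")
        # An inbound deny on every destination port whose source covers the probe address
        # (* or the AzureLoadBalancer tag) sits in front of AllowAzureLoadBalancerInBound
        # (priority 65001) and so stops the health probes the page warns about.
        if ((r["direction"], r["access"]) == ("Inbound", "Deny")
                and r["sourceAddressPrefix"] in ("*", "AzureLoadBalancer")
                and r["destinationPortRange"] == "*"):
            problems.append(f"{r['name']}: may block Azure Load Balancer health probes")
    return problems


def nsg_resource(nsg_name, rules, api_version="2020-06-01"):
    """Build the template resource; refuses rule sets that fail validation."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": "Microsoft.Network/networkSecurityGroups",
        "apiVersion": api_version,
        "name": nsg_name,
        "location": "[resourceGroup().location]",
        "properties": {"securityRules": [
            {"name": r["name"], "properties": {k: v for k, v in r.items() if k != "name"}}
            for r in rules]},
    }


# The FrontEnd subnet NSG from the sample deployment later on this page.
FRONTEND_RULES = [
    rule("Allow-Inbound-HTTP-Internet", "Allow", 100, "Inbound", "Tcp", "Internet", "*", "*", "80"),
    rule("Allow-Inbound-RDP-Internet", "Allow", 200, "Inbound", "Tcp", "Internet", "*", "*", "3389"),
    rule("Deny-Inbound-All", "Deny", 300, "Inbound", "Tcp", "Internet", "*", "*", "*"),
    rule("Deny-Internet-All", "Deny", 100, "Outbound", "*", "*", "*", "Internet", "*"),
]

if __name__ == "__main__":
    print(json.dumps(nsg_resource("FrontEnd-NSG", FRONTEND_RULES), indent=2))
```

Running the script prints the resource as JSON that can be placed in the `resources` array of a template. The probe check is deliberately narrow: it only flags a deny that is at least as broad as the AllowAzureLoadBalancerInBound default it would shadow, because that default is what this article says keeps probes working.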

Planning

Before implementing NSGs, answer the following questions:

  1. What types of resources do you want to filter traffic to or from? You can connect resources such as NICs (Resource Manager), VMs (classic), Cloud Services, App Service Environments, and VM Scale Sets.
  2. Are the resources whose traffic you want to filter connected to subnets in existing VNets?

For more information on planning for network security in Azure, read the Cloud services and network security article.

Design considerations

Once you know the answers to the questions in the Planning section, review the following sections before defining your NSGs:

Limits

There are limits to the number of NSGs you can have in a subscription and to the number of rules per NSG. To learn more about the limits, read the Azure limits article.

VNet and subnet design

Since NSGs can be applied to subnets, you can minimize the number of NSGs by grouping your resources by subnet and applying NSGs to the subnets. If you decide to apply NSGs to subnets, you may find that your existing VNets and subnets were not defined with NSGs in mind. You may need to define new VNets and subnets to support your NSG design and deploy new resources to the new subnets. You could then define a migration strategy to move existing resources to the new subnets.

Special rules

If you block traffic allowed by the following rules, your infrastructure cannot communicate with essential Azure services:

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, and health monitoring are provided through the virtualized host IP address 168.63.129.16. This public IP address belongs to Microsoft and is the only virtualized IP address used in all regions for this purpose. It maps to the physical IP address of the server machine (host node) hosting the VM. The host node acts as the DHCP relay, the DNS recursive resolver, and the probe source for the load balancer health probe and the machine health probe. Communication to this IP address is not an attack.
  • Licensing (Key Management Service): Windows images running in VMs must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688.

ICMP traffic

NSG rules can specify only TCP, UDP, or * as the protocol; there is no ICMP protocol value and no ICMP-specific tag. Within a VNet, however, ICMP traffic is allowed by the AllowVNetInBound default rule, which allows traffic to and from any port and protocol within the VNet.

Subnets

  • Consider the number of tiers your workload requires. Each tier can be isolated in its own subnet, with an NSG applied to the subnet.
  • If you need a subnet for a VPN gateway or ExpressRoute circuit, do not apply an NSG to that subnet. If you do, cross-VNet or cross-premises connectivity may fail.
  • If you need to implement a network virtual appliance (NVA), connect the NVA to its own subnet and create user-defined routes (UDRs) to and from the NVA. You can apply a subnet-level NSG to filter traffic in and out of this subnet. To learn more about UDRs, read the User-defined routes article.

Load balancers

  • Consider the load balancing and network address translation (NAT) rules of each load balancer used by your workloads. NAT rules are bound to a back-end pool that contains NICs (Resource Manager) or VM/Cloud Services role instances (classic). Consider creating an NSG for each back-end pool that allows only the traffic mapped by the rules implemented in the load balancer. An NSG per back-end pool guarantees that traffic reaching the pool directly (rather than through the load balancer) is filtered as well.
  • In classic deployments, you create endpoints that map ports on a load balancer to ports on your VMs or role instances. You can also create your own public-facing load balancer through Resource Manager. The destination port for incoming traffic is the actual port on the VM or role instance, not the port exposed by the load balancer. The source port and address of the connection to the VM are the port and address of the remote computer on the Internet, not the port and address exposed by the load balancer.
  • When you create NSGs to filter traffic that arrives through an Azure Load Balancer, the source port and address range that apply are those of the originating computer, not of the load balancer frontend. The destination port and address range are those of the destination computer, not of the load balancer frontend.
  • If you block the AzureLoadBalancer tag, the health probes from Azure Load Balancer fail and your service may be impacted.

Other

  • Endpoint-based access control lists (ACLs) and NSGs are not supported on the same VM instance. If you want to use an NSG and already have an endpoint ACL in place, remove the endpoint ACL first. For information about how to remove an endpoint ACL, see the Manage endpoint ACLs article.
  • In Resource Manager, you can associate an NSG to a NIC of a multi-NIC VM to enable management (remote access) on a per-NIC basis. Associating a unique NSG to each NIC lets you separate traffic types across NICs.
  • As with load balancers, when filtering traffic from other VNets you must use the source address range of the remote computer, not that of the gateway connecting the VNets.
  • Many Azure services cannot be connected to VNets. If an Azure resource is not connected to a VNet, you cannot use an NSG to filter traffic to that resource. Read the documentation for the services you use to determine whether each service can be connected to a VNet.

Sample deployment

To illustrate how the information in this article is applied, consider the common two-tier application scenario shown in the following picture:

[Figure: NSG sample deployment]

As shown in the diagram, the Web1 and Web2 VMs are connected to the FrontEnd subnet, and the DB1 and DB2 VMs are connected to the BackEnd subnet. Both subnets are part of the TestVNet VNet. Each application component runs in an Azure VM connected to the VNet. The scenario has the following requirements:

  1. Separation of traffic between the WEB and DB servers.
  2. Load balancing rules forward traffic from the load balancer to all web servers on port 80.
  3. A load balancer NAT rule forwards traffic arriving at the load balancer on port 50001 to port 3389 on the WEB1 VM.
  4. No access to the front-end or back-end VMs from the Internet, except as required by requirements 2 and 3.
  5. No outbound Internet access from the WEB or DB servers.
  6. Access from the FrontEnd subnet is allowed to port 3389 of any web server.
  7. Access from the FrontEnd subnet is allowed to port 3389 of any DB server.
  8. Access from the FrontEnd subnet is allowed to port 1433 of all DB servers.
  9. Separation of management traffic (port 3389) and database traffic (port 1433) onto different NICs on the DB servers.

Requirements 1-6 (except requirements 3 and 4) are all confined to subnet spaces. The following NSGs meet the requirements while minimizing the number of NSGs required:

FrontEnd

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-HTTP-Internet | Allow | 100 | Internet | * | * | 80 | TCP |
| Allow-Inbound-RDP-Internet | Allow | 200 | Internet | * | * | 3389 | TCP |
| Deny-Inbound-All | Deny | 300 | Internet | * | * | * | TCP |

Deny-Inbound-All matches TCP only; Internet traffic over other protocols that no rule matches is still dropped, by the DenyAllInBound default rule.

Outbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | * | * | Internet | * | * |

BackEnd

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | Internet | * | * | * | * |

Outbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | * | * | Internet | * | * |

The following NSGs are created and associated to the NICs of the following VMs:

WEB1

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-RDP-Internet | Allow | 100 | Internet | * | * | 3389 | TCP |
| Allow-Inbound-HTTP-Internet | Allow | 200 | Internet | * | * | 80 | TCP |

Note

The source address range for the preceding rules is Internet, not the virtual IP address of the load balancer, and the source port is *, not 50001. NAT rules for load balancers are not the same as NSG security rules. NSG security rules always relate to the original source and final destination of the traffic, not to the load balancer between the two; Azure Load Balancer always preserves the source IP address and port.

WEB2

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Inbound-RDP-Internet | Deny | 100 | Internet | * | * | 3389 | TCP |
| Allow-Inbound-HTTP-Internet | Allow | 200 | Internet | * | * | 80 | TCP |

DB servers (management NIC)

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-RDP-Front-end | Allow | 100 | 192.168.1.0/24 | * | * | 3389 | TCP |

DB servers (database traffic NIC)

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-SQL-Front-end | Allow | 100 | 192.168.1.0/24 | * | * | 1433 | TCP |

Since some of the NSGs are associated to individual NICs, these rules apply to resources deployed through Resource Manager. Subnet and NIC rules are combined according to how the NSGs are associated.
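To make the evaluation order concrete, the following Python model (an added example, not code from this article or from Azure) replays the rules of the sample deployment above through the processing described in the Priority, Default rules, and Associating NSGs sections: rules are checked in priority order and the first match wins, the default rules sit behind every user rule at priorities 65000 and above, and the subnet NSG is consulted before the NIC NSG for inbound traffic and after it for outbound traffic. The article names only the FrontEnd range 192.168.1.0/24, so the VNet range 192.168.0.0/16, the BackEnd range 192.168.2.0/24, the host addresses, and the client address 203.0.113.10 are constructed assumptions; the Internet tag is approximated as any address outside the VNet and outside RFC 1918 space, and the AzureLoadBalancer tag as the host virtual IP 168.63.129.16 named in the Special rules section.

```python
"""Model of NSG rule evaluation, using the sample deployment on this page (added example)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed for this example: the page gives 192.168.1.0/24 for FrontEnd and no other
# addresses, so the VNet range, the BackEnd range and all host addresses are assumptions.
VNET = ip_network("192.168.0.0/16")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LB_PROBE_SOURCE = ip_address("168.63.129.16")  # host virtual IP named under "Special rules"
WEB1, WEB2, DB1_DATA, CLIENT = "192.168.1.4", "192.168.1.5", "192.168.2.4", "203.0.113.10"

# direction: Inbound/Outbound; access: Allow/Deny; protocol: TCP/UDP/*; prefixes: CIDR, IP, tag or *
Rule = namedtuple("Rule", "name priority direction access protocol src src_port dst dst_port")
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port protocol")


def prefix_matches(prefix, ip):
    """Resolve a CIDR, a single IP or one of the page's default tags against an address."""
    addr = ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "AzureLoadBalancer":
        return addr == LB_PROBE_SOURCE
    if prefix == "Internet":  # outside the VNet and publicly routable (RFC 1918 excluded)
        return addr not in VNET and not any(addr in net for net in RFC1918)
    return addr in ip_network(prefix, strict=False)


def port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule, pkt):
    return (rule.protocol in ("*", pkt.protocol)
            and prefix_matches(rule.src, pkt.src_ip) and port_matches(rule.src_port, pkt.src_port)
            and prefix_matches(rule.dst, pkt.dst_ip) and port_matches(rule.dst_port, pkt.dst_port))


# The default rules from this page: present in every NSG, lowest precedence, not deletable.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def evaluate_nsg(rules, pkt, direction):
    """Lowest priority number first; the first matching rule decides and later rules are never consulted."""
    for rule in sorted((r for r in [*rules, *DEFAULT_RULES] if r.direction == direction),
                       key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAll* always matches")


def decide(pkt, direction, subnet_rules, nic_rules):
    """Inbound: subnet NSG then NIC NSG. Outbound: NIC NSG then subnet NSG. Both must allow."""
    layers = [("subnet", subnet_rules), ("nic", nic_rules)]
    if direction == "Outbound":
        layers.reverse()
    trace = []
    for layer, rules in layers:
        access, name = evaluate_nsg(rules, pkt, direction)
        trace.append(f"{layer}:{name}")
        if access == "Deny":
            return False, trace
    return True, trace


# The NSGs of the sample deployment, transcribed from the tables above.
FRONTEND_SUBNET = [
    Rule("Allow-Inbound-HTTP-Internet", 100, "Inbound", "Allow", "TCP", "Internet", "*", "*", "80"),
    Rule("Allow-Inbound-RDP-Internet", 200, "Inbound", "Allow", "TCP", "Internet", "*", "*", "3389"),
    Rule("Deny-Inbound-All", 300, "Inbound", "Deny", "TCP", "Internet", "*", "*", "*"),
    Rule("Deny-Internet-All", 100, "Outbound", "Deny", "*", "*", "*", "Internet", "*"),
]
WEB1_NIC = [Rule("Allow-Inbound-RDP-Internet", 100, "Inbound", "Allow", "TCP", "Internet", "*", "*", "3389"),
            Rule("Allow-Inbound-HTTP-Internet", 200, "Inbound", "Allow", "TCP", "Internet", "*", "*", "80")]
WEB2_NIC = [Rule("Deny-Inbound-RDP-Internet", 100, "Inbound", "Deny", "TCP", "Internet", "*", "*", "3389"),
            Rule("Allow-Inbound-HTTP-Internet", 200, "Inbound", "Allow", "TCP", "Internet", "*", "*", "80")]
BACKEND_SUBNET = [Rule("Deny-Internet-All", 100, "Inbound", "Deny", "*", "Internet", "*", "*", "*"),
                  Rule("Deny-Internet-All", 100, "Outbound", "Deny", "*", "*", "*", "Internet", "*")]
DB_DATA_NIC = [Rule("Allow-Inbound-SQL-Front-end", 100, "Inbound", "Allow", "TCP", "192.168.1.0/24", "*", "*", "1433")]


def sample_scenarios():
    """Traffic from the requirements list, as label -> (allowed, [layer:deciding rule, ...])."""
    def inbound(src, dst, port, proto, subnet, nic):
        return decide(Packet(src, 51234, dst, port, proto), "Inbound", subnet, nic)
    return {
        "internet->web1:3389": inbound(CLIENT, WEB1, 3389, "TCP", FRONTEND_SUBNET, WEB1_NIC),
        "internet->web2:3389": inbound(CLIENT, WEB2, 3389, "TCP", FRONTEND_SUBNET, WEB2_NIC),
        "internet->web1:443": inbound(CLIENT, WEB1, 443, "TCP", FRONTEND_SUBNET, WEB1_NIC),
        "internet->web1:53/udp": inbound(CLIENT, WEB1, 53, "UDP", FRONTEND_SUBNET, WEB1_NIC),
        "web1->internet:443": decide(Packet(WEB1, 49152, CLIENT, 443, "TCP"), "Outbound", FRONTEND_SUBNET, WEB1_NIC),
        "web1->db1-data:1433": inbound(WEB1, DB1_DATA, 1433, "TCP", BACKEND_SUBNET, DB_DATA_NIC),
        "web1->db1-data:3389": inbound(WEB1, DB1_DATA, 3389, "TCP", BACKEND_SUBNET, DB_DATA_NIC),
    }
```

Two results are worth noticing. Internet traffic to WEB1 over UDP is dropped by the DenyAllInBound default rule, not by Deny-Inbound-All, because that rule matches TCP only. And RDP from the FrontEnd subnet to the DB servers' database NIC is allowed by the AllowVNetInBound default rule, because the NIC NSG contains only an allow for 1433: separating management and data traffic (requirement 9) needs an explicit deny on the data NIC at a priority number above the SQL allow and below 65000, not just the allow rule.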

Next steps