Publish Azure Stack Hub services in your datacenter

Azure Stack Hub sets up virtual IP addresses (VIPs) for its infrastructure roles. These VIPs are allocated from the public IP address pool. Each VIP is secured with an access control list (ACL) in the software-defined network layer. ACLs are also used across the physical switches (TORs and BMC) to further harden the solution. A DNS entry is created for each endpoint in the external DNS zone that's specified at deployment time. For example, the user portal is assigned the DNS host entry of portal.<region>.<fqdn>.

The following architectural diagram shows the different network layers and ACLs:

[Diagram: the different network layers and ACLs]

Ports and URLs

To make Azure Stack Hub services (like the portals, Azure Resource Manager, DNS, and so on) available to external networks, you must allow inbound traffic to these endpoints for specific URLs, ports, and protocols.

In a deployment where a transparent proxy uplinks to a traditional proxy server, or where a firewall is protecting the solution, you must allow specific ports and URLs for both inbound and outbound communication. These include ports and URLs for identity, the marketplace, patch and update, registration, and usage data.

SSL traffic interception is not supported and can lead to service failures when accessing endpoints.

Ports and protocols (inbound)

A set of infrastructure VIPs is required for publishing Azure Stack Hub endpoints to external networks. The Endpoint (VIP) table shows each endpoint, the required port, and protocol. Refer to the specific resource provider deployment documentation for endpoints that require additional resource providers, like the SQL resource provider.

Internal infrastructure VIPs aren't listed because they're not required for publishing Azure Stack Hub. User VIPs are dynamic and defined by the users themselves, with no control by the Azure Stack Hub operator.

Note

IKEv2 VPN is a standards-based IPsec VPN solution that uses UDP port 500 and 4500 and TCP port 50. Firewalls don't always open these ports, so an IKEv2 VPN might not be able to traverse proxies and firewalls.

With the addition of the Extension Host, ports in the range of 12495-30015 aren't required.

| Endpoint (VIP) | DNS host A record | Protocol | Ports |
|---|---|---|---|
| AD FS | Adfs.<region>.<fqdn> | HTTPS | 443 |
| Portal (administrator) | Adminportal.<region>.<fqdn> | HTTPS | 443 |
| Adminhosting | *.adminhosting.<region>.<fqdn> | HTTPS | 443 |
| Azure Resource Manager (administrator) | Adminmanagement.<region>.<fqdn> | HTTPS | 443 |
| Portal (user) | Portal.<region>.<fqdn> | HTTPS | 443 |
| Azure Resource Manager (user) | Management.<region>.<fqdn> | HTTPS | 443 |
| Graph | Graph.<region>.<fqdn> | HTTPS | 443 |
| Certificate revocation list | Crl.<region>.<fqdn> | HTTP | 80 |
| DNS | *.<region>.<fqdn> | TCP & UDP | 53 |
| Hosting | *.hosting.<region>.<fqdn> | HTTPS | 443 |
| Key Vault (user) | *.vault.<region>.<fqdn> | HTTPS | 443 |
| Key Vault (administrator) | *.adminvault.<region>.<fqdn> | HTTPS | 443 |
| Storage Queue | *.queue.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
| Storage Table | *.table.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
| Storage Blob | *.blob.<region>.<fqdn> | HTTP, HTTPS | 80, 443 |
| SQL Resource Provider | sqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
| MySQL Resource Provider | mysqladapter.dbadapter.<region>.<fqdn> | HTTPS | 44300-44304 |
| App Service | *.appservice.<region>.<fqdn> | TCP | 80 (HTTP), 443 (HTTPS), 8172 (MSDeploy) |
| App Service | *.scm.appservice.<region>.<fqdn> | TCP | 443 (HTTPS) |
| App Service | api.appservice.<region>.<fqdn> | TCP | 443 (HTTPS), 44300 (Azure Resource Manager) |
| App Service | ftp.appservice.<region>.<fqdn> | TCP, UDP | 21, 1021, 10001-10100 (FTP); 990 (FTPS) |
| VPN Gateways | See the VPN gateway FAQ. | | |
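As an added example (not code from the Azure Stack Hub documentation or product), the following Python script encodes the core infrastructure rows of the inbound table above, substitutes a deployment's region and external DNS zone into them, and reports which endpoint/port pairs a firewall rule set fails to allow and which non-wildcard names have no A record in the external zone. The rule-set shape (a host pattern plus a set of allowed ports), the resolver callback, and the region and zone names used in the comments are assumptions; the SQL/MySQL, App Service and VPN rows are omitted because their requirements depend on which resource providers are installed.

```python
"""Inbound publishing checklist for an Azure Stack Hub region.

Added example; not code from the Azure Stack Hub documentation or product.
Host names are lower-cased (DNS is case-insensitive); the rule shape and
the resolver callback are assumptions made for this illustration.
"""
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional, Tuple

# (endpoint name, host pattern, protocol, ports) taken from the inbound table.
INBOUND_ENDPOINTS: List[Tuple[str, str, str, Tuple[int, ...]]] = [
    ("AD FS", "adfs.{region}.{fqdn}", "HTTPS", (443,)),
    ("Portal (administrator)", "adminportal.{region}.{fqdn}", "HTTPS", (443,)),
    ("Adminhosting", "*.adminhosting.{region}.{fqdn}", "HTTPS", (443,)),
    ("Azure Resource Manager (administrator)", "adminmanagement.{region}.{fqdn}", "HTTPS", (443,)),
    ("Portal (user)", "portal.{region}.{fqdn}", "HTTPS", (443,)),
    ("Azure Resource Manager (user)", "management.{region}.{fqdn}", "HTTPS", (443,)),
    ("Graph", "graph.{region}.{fqdn}", "HTTPS", (443,)),
    ("Certificate revocation list", "crl.{region}.{fqdn}", "HTTP", (80,)),
    ("DNS", "*.{region}.{fqdn}", "TCP & UDP", (53,)),
    ("Hosting", "*.hosting.{region}.{fqdn}", "HTTPS", (443,)),
    ("Key Vault (user)", "*.vault.{region}.{fqdn}", "HTTPS", (443,)),
    ("Key Vault (administrator)", "*.adminvault.{region}.{fqdn}", "HTTPS", (443,)),
    ("Storage Queue", "*.queue.{region}.{fqdn}", "HTTP, HTTPS", (80, 443)),
    ("Storage Table", "*.table.{region}.{fqdn}", "HTTP, HTTPS", (80, 443)),
    ("Storage Blob", "*.blob.{region}.{fqdn}", "HTTP, HTTPS", (80, 443)),
]


def required_endpoints(region: str, fqdn: str) -> List[Tuple[str, str, str, Tuple[int, ...]]]:
    """Substitute the deployment's region and external zone into the table."""
    return [(name, host.format(region=region, fqdn=fqdn), proto, ports)
            for name, host, proto, ports in INBOUND_ENDPOINTS]


def uncovered(region: str, fqdn: str, rules: List[Dict]) -> List[Tuple[str, str, int]]:
    """Return (endpoint, host, port) triples that no rule allows.

    A rule is {"host": pattern, "ports": {...}} (assumed shape). A rule covers
    an endpoint host when its pattern fnmatch-es it, so a broader wildcard such
    as "*.<region>.<fqdn>" also covers "*.blob.<region>.<fqdn>".
    """
    gaps: List[Tuple[str, str, int]] = []
    for name, host, _proto, ports in required_endpoints(region, fqdn):
        for port in ports:
            if not any(fnmatch(host, r["host"]) and port in r["ports"] for r in rules):
                gaps.append((name, host, port))
    return gaps


def unresolved(region: str, fqdn: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Non-wildcard hosts for which the external DNS zone returns no A record.

    `resolve` returns an address string or None. For a live check, wrap
    socket.gethostbyname so that socket.gaierror becomes None; wildcard rows
    are skipped because a single query cannot validate a wildcard record.
    """
    return [host for _name, host, _proto, _ports in required_endpoints(region, fqdn)
            if not host.startswith("*") and resolve(host) is None]


if __name__ == "__main__":
    # Illustrative run with a deliberately incomplete rule set: only 443 is open.
    demo_rules = [{"host": "*.local.azurestack.example", "ports": {443}}]
    for gap in uncovered("local", "azurestack.example", demo_rules):
        print("not allowed by firewall:", gap)
```

Running the module prints the port-80 and port-53 rows as gaps, which is the usual mistake when an operator publishes only the HTTPS portals and forgets the CRL distribution point and DNS delegation.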

Ports and URLs (outbound)

Azure Stack Hub supports only transparent proxy servers. In a deployment with a transparent proxy uplink to a traditional proxy server, you must allow the ports and URLs in the following table for outbound communication.

SSL traffic interception is not supported and can lead to service failures when accessing endpoints. The maximum supported timeout to communicate with endpoints required for identity is 60 seconds.

Note

Azure Stack Hub doesn't support using ExpressRoute to reach the Azure services listed in the following table because ExpressRoute may not be able to route traffic to all of the endpoints.

| Purpose | Destination URL | Protocol | Ports | Source network |
|---|---|---|---|---|
| Identity | Azure: login.windows.net, login.microsoftonline.com, graph.windows.net, https://secure.aadcdn.microsoftonline-p.com, www.office.com, ManagementServiceUri = https://management.core.windows.net, ARMUri = https://management.azure.com, https://*.msftauth.net, https://*.msauth.net, https://*.msocdn.com. Azure Government: https://login.microsoftonline.us/, https://graph.windows.net/. Azure China 21Vianet: https://login.chinacloudapi.cn/, https://graph.chinacloudapi.cn/. Azure Germany: https://login.microsoftonline.de/, https://graph.cloudapi.de/ | HTTP, HTTPS | 80, 443 | Public VIP - /27; Public infrastructure network |
| Marketplace syndication | Azure: https://management.azure.com, https://*.blob.core.windows.net, https://*.azureedge.net. Azure Government: https://management.usgovcloudapi.net/, https://*.blob.core.usgovcloudapi.net/. Azure China 21Vianet: https://management.chinacloudapi.cn/, http://*.blob.core.chinacloudapi.cn | HTTPS | 443 | Public VIP - /27 |
| Patch & Update | https://*.azureedge.net, https://aka.ms/azurestackautomaticupdate | HTTPS | 443 | Public VIP - /27 |
| Registration | Azure: https://management.azure.com. Azure Government: https://management.usgovcloudapi.net/. Azure China 21Vianet: https://management.chinacloudapi.cn | HTTPS | 443 | Public VIP - /27 |
| Usage | Azure: https://*.trafficmanager.net. Azure Government: https://*.usgovtrafficmanager.net. Azure China 21Vianet: https://*.trafficmanager.cn | HTTPS | 443 | Public VIP - /27 |
| Windows Defender | *.wdcp.microsoft.com, *.wdcpalt.microsoft.com, *.wd.microsoft.com, *.update.microsoft.com, *.download.microsoft.com, https://secure.aadcdn.microsoftonline-p.com | HTTPS | 80, 443 | Public VIP - /27; Public infrastructure network |
| NTP | (IP of NTP server provided for deployment) | UDP | 123 | Public VIP - /27 |
| DNS | (IP of DNS server provided for deployment) | TCP, UDP | 53 | Public VIP - /27 |
| SYSLOG | (IP of SYSLOG server provided for deployment) | TCP, UDP | 6514, 514 | Public VIP - /27 |
| CRL | (URL under CRL Distribution Points on your certificate), http://crl.microsoft.com/pki/crl/products, http://mscrl.microsoft.com/pki/mscorp, http://www.microsoft.com/pki/certs, http://www.microsoft.com/pki/mscorp, http://www.microsoft.com/pkiops/crl, http://www.microsoft.com/pkiops/certs | HTTP | 80 | Public VIP - /27 |
| LDAP | Active Directory Forest provided for Graph integration | TCP, UDP | 389 | Public VIP - /27 |
| LDAP SSL | Active Directory Forest provided for Graph integration | TCP | 636 | Public VIP - /27 |
| LDAP GC | Active Directory Forest provided for Graph integration | TCP | 3268 | Public VIP - /27 |
| LDAP GC SSL | Active Directory Forest provided for Graph integration | TCP | 3269 | Public VIP - /27 |
| AD FS | AD FS metadata endpoint provided for AD FS integration | TCP | 443 | Public VIP - /27 |
| Diagnostic log collection | https://*.blob.core.windows.net, https://azsdiagprdlocalwestus02.blob.core.windows.net, https://azsdiagprdwestusfrontend.westus.cloudapp.azure.com | HTTPS | 443 | Public VIP - /27 |

Outbound URLs are load balanced using Azure Traffic Manager to provide the best possible connectivity based on geographic location. With load balanced URLs, Microsoft can update and change backend endpoints without affecting customers. Microsoft doesn't share the list of IP addresses for the load balanced URLs. Use a device that supports filtering by URL rather than by IP.

Outbound DNS is required at all times; what varies is the source querying the external DNS and what type of identity integration was chosen. During deployment for a connected scenario, the DVM that sits on the BMC network needs outbound access. But after deployment, the DNS service moves to an internal component that sends queries through a Public VIP. At that time, the outbound DNS access through the BMC network can be removed, but the Public VIP access to that DNS server must remain, or authentication will fail.
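The outbound rules lend themselves to a URL-filtering check. The following Python module is an added example, not code from the Azure Stack Hub documentation or product: it turns the Azure public-cloud rows of the outbound table into rules keyed on scheme, host pattern, port and source network, decides whether a given egress request is allowed, and shows the drift problem the paragraph above describes when an allow list is built from resolved IP addresses instead of URLs. The two source networks (a Public VIP /27 and a public infrastructure network), their address ranges, and the resolution snapshots used in the test are constructed for illustration.

```python
"""URL-based egress allow list modelled on the outbound table.

Added example; not code from the Azure Stack Hub documentation or product.
Source network ranges are assumed documentation-prefix addresses, and the
rules cover only the Azure public-cloud rows of the table above.
"""
import ipaddress
from fnmatch import fnmatch
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed source networks for this illustration.
PUBLIC_VIP = ipaddress.ip_network("192.0.2.0/27")       # "Public VIP - /27" (assumed range)
PUBLIC_INFRA = ipaddress.ip_network("198.51.100.0/24")  # "Public infrastructure network" (assumed)
BOTH = (PUBLIC_VIP, PUBLIC_INFRA)
VIP_ONLY = (PUBLIC_VIP,)

Rule = Tuple[str, str, Tuple[str, ...], Tuple[int, ...], Tuple[ipaddress.IPv4Network, ...]]


def _row(purpose: str, hosts: List[str], schemes, ports, nets) -> List[Rule]:
    """Expand one table row (several hosts, shared protocol/ports/sources) into rules."""
    return [(purpose, h, schemes, ports, nets) for h in hosts]


OUTBOUND_RULES: List[Rule] = (
    _row("Identity", ["login.windows.net", "login.microsoftonline.com", "graph.windows.net",
                      "secure.aadcdn.microsoftonline-p.com", "www.office.com",
                      "management.core.windows.net", "management.azure.com",
                      "*.msftauth.net", "*.msauth.net", "*.msocdn.com"],
         ("http", "https"), (80, 443), BOTH)
    + _row("Marketplace syndication", ["management.azure.com", "*.blob.core.windows.net",
                                       "*.azureedge.net"], ("https",), (443,), VIP_ONLY)
    + _row("Patch & Update", ["*.azureedge.net", "aka.ms"], ("https",), (443,), VIP_ONLY)
    + _row("Registration", ["management.azure.com"], ("https",), (443,), VIP_ONLY)
    + _row("Usage", ["*.trafficmanager.net"], ("https",), (443,), VIP_ONLY)
    + _row("Windows Defender", ["*.wdcp.microsoft.com", "*.wdcpalt.microsoft.com",
                                "*.wd.microsoft.com", "*.update.microsoft.com",
                                "*.download.microsoft.com"], ("https",), (80, 443), BOTH)
    + _row("CRL", ["crl.microsoft.com", "mscrl.microsoft.com", "www.microsoft.com"],
           ("http",), (80,), VIP_ONLY)
)


def allowed(url: str, source_ip: str) -> Tuple[bool, str]:
    """Decide whether an egress request is permitted by the URL rules.

    Returns (decision, purpose or reason). Matching uses scheme, host pattern,
    port and source network only; the address the host resolves to is never
    consulted, which is what "filter by URL rather than by IP" means here.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    src = ipaddress.ip_address(source_ip)
    for purpose, pattern, schemes, ports, nets in OUTBOUND_RULES:
        if (fnmatch(host, pattern) and scheme in schemes and port in ports
                and any(src in net for net in nets)):
            return True, purpose
    return False, "no matching rule"


def ip_allowlist_drift(snapshots: List[Dict[str, List[str]]]) -> List[str]:
    """Hosts whose later resolutions fall outside an IP allow list built from
    the first snapshot.

    `snapshots` is a list of {host: [addresses]} captured over time. A
    non-empty result is the failure mode the text warns about: a Traffic
    Manager name moves to a new backend and an IP-based filter starts
    blocking it while a URL-based rule keeps matching.
    """
    if not snapshots:
        return []
    baseline = {host: set(addrs) for host, addrs in snapshots[0].items()}
    drifted = set()
    for snap in snapshots[1:]:
        for host, addrs in snap.items():
            if not set(addrs) <= baseline.get(host, set()):
                drifted.add(host)
    return sorted(drifted)


if __name__ == "__main__":
    print(allowed("https://login.microsoftonline.com/common/oauth2/token", "192.0.2.5"))
    print(allowed("https://aka.ms/azurestackautomaticupdate", "198.51.100.7"))
```

The second call in the usage block is refused because Patch & Update traffic is listed only from the Public VIP /27, not from the public infrastructure network; that distinction between source networks is easy to lose when rules are written per destination alone.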

Next steps

Azure Stack Hub PKI requirements