Set up Azure App Service access restrictions

By setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. The list can include IP addresses or Azure Virtual Network subnets. When there are one or more entries, an implicit deny all exists at the end of the list.

The access restriction capability works with all Azure App Service-hosted workloads. The workloads can include web apps, API apps, Linux apps, Linux container apps, and Functions.

When a request is made to your app, the FROM address is evaluated against the rules in your access restriction list. If the FROM address is in a subnet that's configured with service endpoints to Microsoft.Web, the source subnet is compared against the virtual network rules in your access restriction list. If the address isn't allowed access based on the rules in the list, the service replies with an HTTP 403 status code.

The access restriction capability is implemented in the App Service front-end roles, which are upstream of the worker hosts where your code runs. Therefore, access restrictions are effectively network access-control lists (ACLs).

The ability to restrict access to your web app from an Azure virtual network is enabled by service endpoints. With service endpoints, you can restrict access to a multi-tenant service from selected subnets. It doesn't work to restrict traffic to apps that are hosted in an App Service Environment. If you're in an App Service Environment, you can control access to your app by applying IP address rules.

Note

The service endpoints must be enabled both on the networking side and for the Azure service that they're being enabled with. For a list of Azure services that support service endpoints, see Virtual Network service endpoints.

Diagram of the access restriction flow.

Manage access restriction rules in the portal

To add an access restriction rule to your app, do the following:

  1. Sign in to the Azure portal.

  2. On the left pane, select Networking.

  3. On the Networking pane, under Access Restrictions, select Configure Access Restrictions.

    Screenshot of the App Service networking options pane in the Azure portal.

  4. On the Access Restrictions page, review the list of access restriction rules that are defined for your app.

    Screenshot of the Access Restrictions page in the Azure portal, showing the list of access restriction rules defined for the selected app.

    The list displays all the current restrictions that are applied to the app. If you have a virtual network restriction on your app, the table shows whether the service endpoints are enabled for Microsoft.Web. If no restrictions are defined on your app, the app is accessible from anywhere.

Add an access restriction rule

To add an access restriction rule to your app, on the Access Restrictions pane, select Add rule. After you add a rule, it becomes effective immediately.

Rules are enforced in priority order, starting from the lowest number in the Priority column. An implicit deny all is in effect after you add even a single rule.

On the Add Access Restriction pane, when you create a rule, do the following:

  1. Under Action, select either Allow or Deny.

    Screenshot of the Add Access Restriction pane.

  2. Optionally, enter a name and description of the rule.

  3. In the Priority box, enter a priority value.

  4. In the Type drop-down list, select the type of rule.

The different types of rules are described in the following sections.

Note

  • There is a limit of 512 access restriction rules. If you require more than 512 access restriction rules, we suggest that you consider installing a standalone security product, such as Azure Front Door, Azure App Gateway, or an alternative WAF.

Set an IP address-based rule

Follow the procedure as outlined in the preceding section, but with the following addition:

  • For step 4, in the Type drop-down list, select IPv4 or IPv6.

Specify the IP address block in Classless Inter-Domain Routing (CIDR) notation for both IPv4 and IPv6 addresses. To specify a single address, you can use something like 1.2.3.4/32, where the first four octets represent your IP address and /32 is the mask. The IPv4 CIDR notation for all addresses is 0.0.0.0/0. To learn more about CIDR notation, see Classless Inter-Domain Routing.

Set a service endpoint-based rule

  • For step 4, in the Type drop-down list, select Virtual Network.

    Screenshot of the Add Restriction pane with the Virtual Network type selected.

Specify the Subscription, Virtual Network, and Subnet drop-down lists, matching what you want to restrict access to.

By using service endpoints, you can restrict access to selected Azure virtual network subnets. If service endpoints aren't already enabled with Microsoft.Web for the subnet that you selected, they'll be automatically enabled unless you select the Ignore missing Microsoft.Web service endpoints check box. The scenario where you might want to enable service endpoints on the app but not the subnet depends mainly on whether you have the permissions to enable them on the subnet.

If you need someone else to enable service endpoints on the subnet, select the Ignore missing Microsoft.Web service endpoints check box. Your app will be configured for service endpoints in anticipation of having them enabled later on the subnet.

You can't use service endpoints to restrict access to apps that run in an App Service Environment. When your app is in an App Service Environment, you can control access to it by applying IP access rules.

With service endpoints, you can configure your app with application gateways or other web application firewall (WAF) devices. You can also configure multi-tier applications with secure back ends. For more information, see Networking features and App Service and Application Gateway integration with service endpoints.

Note

  • Service endpoints aren't currently supported for web apps that use IP Secure Sockets Layer (SSL) virtual IP (VIP).

Set a service tag-based rule (preview)

  • For step 4, in the Type drop-down list, select Service Tag (preview).

    Screenshot of the Add Restriction pane with the Service Tag type selected.

Each service tag represents a list of IP ranges from Azure services. A list of these services and links to the specific ranges can be found in the service tag documentation.

The following list of service tags is supported in access restriction rules during the preview phase:

  • ActionGroup
  • AzureCloud
  • AzureCognitiveSearch
  • AzureConnectors
  • AzureEventGrid
  • AzureFrontDoor.Backend
  • AzureMachineLearning
  • AzureSignalR
  • AzureTrafficManager
  • LogicApps
  • ServiceFabric

Edit a rule

  1. To begin editing an existing access restriction rule, on the Access Restrictions page, select the rule you want to edit.

  2. On the Edit Access Restriction pane, make your changes, and then select Update rule. Edits are effective immediately, including changes in priority ordering.

    Screenshot of the Edit Access Restriction pane in the Azure portal, showing the fields of an existing access restriction rule.

    Note

    When you edit a rule, you can't switch between rule types.

Delete a rule

To delete a rule, on the Access Restrictions page, select the ellipsis (...) next to the rule you want to delete, and then select Remove.

Screenshot of the Access Restrictions page, showing the Remove ellipsis next to the access restriction rule to be deleted.

Access restriction advanced scenarios

The following sections describe some advanced scenarios using access restrictions.

Block a single IP address

When you add your first access restriction rule, the service adds an explicit Deny all rule with a priority of 2147483647. In practice, the explicit Deny all rule is the final rule to be executed, and it blocks access to any IP address that's not explicitly allowed by an Allow rule.

For a scenario where you want to explicitly block a single IP address or a block of IP addresses, but allow access to everything else, add an explicit Allow All rule. Because rules are evaluated from the lowest priority number upward, the Deny rule for the address must have a lower priority number than the Allow All rule.

Screenshot of the Access Restrictions page in the Azure portal, showing a single blocked IP address.

Restrict access to an SCM site

In addition to being able to control access to your app, you can restrict access to the SCM site that's used by your app. The SCM site is both the web deploy endpoint and the Kudu console. You can assign access restrictions to the SCM site separately from the app, or use the same set of restrictions for both the app and the SCM site. When you select the Same restrictions as <app name> check box, everything is blanked out. If you clear the check box, your SCM site settings are reapplied.

Screenshot of the Access Restrictions page in the Azure portal, showing that no access restrictions are set for the SCM site or the app.

Restrict access to a specific Azure Front Door instance (preview)

Traffic from Azure Front Door to your application originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique HTTP header that Azure Front Door sends. During preview you can achieve this with PowerShell or REST/ARM.

  • PowerShell example (the Front Door ID can be found in the Azure portal):

      # Placeholder for your Front Door ID; copy the real value from the Azure portal
      $frontdoorId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" `
        -Name "Front Door example rule" -Priority 100 -Action Allow -ServiceTag AzureFrontDoor.Backend `
        -HttpHeader @{'x-azure-fdid' = $frontdoorId}

Manage access restriction rules programmatically

You can add access restrictions programmatically by doing either of the following:

  • Use the Azure CLI. For example:

    az webapp config access-restriction add --resource-group ResourceGroup --name AppName \
      --rule-name 'IP example rule' --action Allow --ip-address 122.133.144.0/24 --priority 100

  • Use Azure PowerShell. For example (the backtick continues the command on the next line):

    Add-AzWebAppAccessRestrictionRule -ResourceGroupName "ResourceGroup" -WebAppName "AppName" `
        -Name "Ip example rule" -Priority 100 -Action Allow -IpAddress 122.133.144.0/24


    Note

    Working with service tags, HTTP headers, or multi-source rules requires at least version 5.1.0 of the Az module. You can verify the version of the installed module with: Get-InstalledModule -Name Az

You can also set values manually by doing either of the following:

  • Use an Azure REST API PUT operation on the app configuration in Azure Resource Manager. The location for this information in Azure Resource Manager is:

    management.azure.com/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Web/sites/<web app name>/config/web?api-version=2020-06-01

  • Use a Resource Manager template. As an example, you can use resources.azure.com and edit the ipSecurityRestrictions block to add the required JSON.

    The JSON syntax for the earlier IP example is:

    {
      "properties": {
        "ipSecurityRestrictions": [
          {
            "ipAddress": "122.133.144.0/24",
            "action": "Allow",
            "priority": 100,
            "name": "IP example rule"
          }
        ]
      }
    }
    

    The JSON syntax for an advanced example using a service tag and an HTTP header restriction is:

    {
      "properties": {
        "ipSecurityRestrictions": [
          {
            "ipAddress": "AzureFrontDoor.Backend",
            "tag": "ServiceTag",
            "action": "Allow",
            "priority": 100,
            "name": "Azure Front Door example",
            "headers": {
              "x-azure-fdid": [
                "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
              ]
            }
          }
        ]
      }
    }
    
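As an added illustration (not code from this page or from Azure), the following Python model evaluates an ipSecurityRestrictions list the way the text describes: rules are walked from the lowest priority number upward, the first match decides, and no match means the implicit deny all (HTTP 403). It covers the Front Door service tag plus x-azure-fdid header rule above and the block-a-single-IP scenario from the earlier section. The service tag ranges and the Front Door ID are constructed placeholders, not real Azure values.

```python
import ipaddress

# Constructed placeholder ranges standing in for a service tag's contents; real ranges
# come from the Azure service tag documentation and change over time.
SERVICE_TAGS = {"AzureFrontDoor.Backend": ["198.51.100.0/24", "2001:db8:fd::/48"]}

DENY_ALL_PRIORITY = 2147483647  # priority of the explicit Deny all rule the service adds

def rule_matches(rule, source_ip, headers):
    """True if the request (source IP plus HTTP headers) matches one rule."""
    addr = ipaddress.ip_address(source_ip)
    if rule.get("tag") == "ServiceTag":
        ranges = SERVICE_TAGS.get(rule["ipAddress"], [])
    else:
        ranges = [rule["ipAddress"]]
    if not any(addr in ipaddress.ip_network(r, strict=False) for r in ranges):
        return False
    # Header restrictions: each listed header must carry one of the allowed values.
    for name, allowed in rule.get("headers", {}).items():
        if headers.get(name.lower()) not in allowed:
            return False
    return True

def evaluate(rules, source_ip, headers=None):
    """Return the HTTP status the front end would give: walk rules from the lowest
    priority number upward, first match wins; no match means the implicit deny all (403).
    An empty rule list means no restrictions, so the app is reachable from anywhere."""
    if not rules:
        return 200
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, source_ip, headers):
            return 200 if rule["action"] == "Allow" else 403
    return 403

# Constructed rule set mirroring the page's Front Door JSON; the ID is a placeholder.
FRONT_DOOR_RULES = [
    {"ipAddress": "AzureFrontDoor.Backend", "tag": "ServiceTag", "action": "Allow",
     "priority": 100, "name": "Azure Front Door example",
     "headers": {"x-azure-fdid": ["00000000-0000-0000-0000-000000000000"]}},
]

# Constructed rule set for the "block a single IP address" scenario: the Deny rule needs
# a lower priority number than the explicit Allow all, which in turn precedes Deny all.
BLOCK_ONE_RULES = [
    {"ipAddress": "203.0.113.7/32", "action": "Deny", "priority": 100, "name": "Block one IP"},
    {"ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 200, "name": "Allow all"},
    {"ipAddress": "0.0.0.0/0", "action": "Deny", "priority": DENY_ALL_PRIORITY, "name": "Deny all"},
]
```

Note that an IPv4 Allow all (0.0.0.0/0) does not match IPv6 clients, so those still fall through to the Deny all rule.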

Set up Azure Functions access restrictions

Access restrictions are also available for function apps with the same functionality as App Service plans. When you enable access restrictions, you also disable the Azure portal code editor for any disallowed IPs.

Next steps

Access restrictions for Azure Functions
Application Gateway integration with service endpoints