Locking down an App Service Environment

The App Service Environment (ASE) has a number of external dependencies that it requires access to in order to function properly. The ASE lives in the customer Azure Virtual Network (VNet). Customers must allow the ASE dependency traffic, which is a problem for customers that want to lock down all egress from their VNet.

There are a number of inbound endpoints that are used to manage an ASE. The inbound management traffic cannot be sent through a firewall device. The source addresses for this traffic are known and are published in the App Service Environment management addresses document. There is also a Service Tag named AppServiceManagement which can be used with Network Security Groups (NSGs) to secure inbound traffic.

The ASE outbound dependencies are almost entirely defined with FQDNs, which do not have static addresses behind them. The lack of static addresses means that Network Security Groups cannot be used to lock down the outbound traffic from an ASE. The addresses change often enough that one cannot set up rules based on the current resolution and use that to create NSGs.

The solution to securing outbound addresses lies in use of a firewall device that can control outbound traffic based on domain names. Azure Firewall can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination.

System architecture

Deploying an ASE with outbound traffic going through a firewall device requires changing routes on the ASE subnet. Routes operate at an IP level. If you are not careful in defining your routes, you can force TCP reply traffic to source from another address. When your reply address is different from the address traffic was sent to, the problem is called asymmetric routing and it will break TCP.

There must be routes defined so that inbound traffic to the ASE can reply back the same way the traffic came in. Routes must be defined for inbound management requests and for inbound application requests.

The traffic to and from an ASE must abide by the following conventions:

  • Traffic to Azure SQL, Storage, and Event Hub is not supported with use of a firewall device. This traffic must be sent directly to those services. The way to make that happen is to configure service endpoints for those three services.
  • Route table rules must be defined that send inbound management traffic back from where it came.
  • Route table rules must be defined that send inbound application traffic back from where it came.
  • All other traffic leaving the ASE can be sent to your firewall device with a route table rule.

Diagram: ASE with Azure Firewall connection flow

Locking down inbound management traffic

If your ASE subnet does not already have an NSG assigned to it, create one. Within the NSG, set the first rule to allow traffic from the Service Tag named AppServiceManagement on ports 454 and 455. The rule to allow access from the AppServiceManagement tag is the only thing that is required from public IPs to manage your ASE. The addresses that are behind that Service Tag are only used to administer the Azure App Service. The management traffic that flows through these connections is encrypted and secured with authentication certificates. Typical traffic on this channel includes things like customer initiated commands and health probes.

ASEs that are made through the portal with a new subnet are made with an NSG that contains the allow rule for the AppServiceManagement tag.

Your ASE must also allow inbound requests from the Load Balancer tag on port 16001. The requests from the Load Balancer on port 16001 are keep alive checks between the Load Balancer and the ASE front ends. If port 16001 is blocked, your ASE will go unhealthy.
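To see how rule priority affects the two inbound flows described above, here is an added Python example (not part of the original document or of any Microsoft tooling) that evaluates a small NSG model the way Azure does: rules are tried in ascending priority, the first match wins, and the built-in DenyAllInBound rule applies when nothing matches. Service tags are matched by name rather than by address range, since the addresses behind AppServiceManagement are not listed on this page; AzureLoadBalancer is the tag name for the load balancer source. The rule names, the sample source addresses and the misordered variant are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int                              # lower number is evaluated first
    source: str                                # service tag name, CIDR, or "*"
    dest_ports: Tuple[Tuple[int, int], ...]    # inclusive (low, high) port ranges
    access: str                                # "Allow" or "Deny"


# Built-in default rule Azure applies after all custom inbound rules
DEFAULT_DENY = NsgRule("DenyAllInBound", 65500, "*", ((0, 65535),), "Deny")


def source_matches(rule_source: str, flow_source: str) -> bool:
    """Match '*', a service tag by name, or a CIDR against a literal source IP."""
    if rule_source == "*" or rule_source == flow_source:
        return True
    try:
        return ip_address(flow_source) in ip_network(rule_source, strict=False)
    except ValueError:  # flow_source is a tag name or rule_source is not a CIDR
        return False


def evaluate(rules, flow_source: str, dest_port: int) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(list(rules) + [DEFAULT_DENY], key=lambda r: r.priority):
        if source_matches(rule.source, flow_source) and any(
            lo <= dest_port <= hi for lo, hi in rule.dest_ports
        ):
            return rule.access, rule.name
    return DEFAULT_DENY.access, DEFAULT_DENY.name  # not reached: DEFAULT_DENY always matches


# Inbound flows this page says an ASE must accept
REQUIRED_INBOUND = [
    ("AppServiceManagement", 454),
    ("AppServiceManagement", 455),
    ("AzureLoadBalancer", 16001),
]


def blocked_required_flows(rules) -> List[str]:
    """List the required inbound flows that the given NSG would not allow."""
    return [f"{src}:{port}" for src, port in REQUIRED_INBOUND
            if evaluate(rules, src, port)[0] != "Allow"]


# Constructed rule set following the page's guidance (rule names are the example's own)
ASE_NSG = [
    NsgRule("AllowAppServiceManagement", 100, "AppServiceManagement", ((454, 455),), "Allow"),
    NsgRule("AllowLoadBalancerKeepAlive", 110, "AzureLoadBalancer", ((16001, 16001),), "Allow"),
]

# Same rules plus a broad deny placed at a higher priority than the keep-alive allow:
# the load balancer checks on 16001 are dropped and the ASE goes unhealthy.
MISORDERED_NSG = ASE_NSG + [NsgRule("DenyHighPorts", 105, "*", ((1024, 65535),), "Deny")]


if __name__ == "__main__":
    # 203.0.113.9 is a constructed (TEST-NET-3) address standing in for an arbitrary public source
    for src, port in REQUIRED_INBOUND + [("Internet", 454), ("203.0.113.9", 16001)]:
        print(src, port, evaluate(ASE_NSG, src, port))
    print("blocked in misordered NSG:", blocked_required_flows(MISORDERED_NSG))
```

Run it with any NSG you plan to assign to the ASE subnet: an empty list from blocked_required_flows means management and keep-alive traffic still gets in, while the misordered variant shows how a single broad deny at a better priority silently breaks port 16001.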

Configuring Azure Firewall with your ASE

The steps to lock down egress from your existing ASE with Azure Firewall are:

  1. Enable service endpoints to SQL, Storage, and Event Hub on your ASE subnet. To enable service endpoints, go into the networking portal > subnets and select Microsoft.EventHub, Microsoft.SQL and Microsoft.Storage from the Service endpoints dropdown. When you have service endpoints enabled to Azure SQL, any Azure SQL dependencies that your apps have must be configured with service endpoints as well.

    Screenshot: Select service endpoints

  2. Create a subnet named AzureFirewallSubnet in the VNet where your ASE exists. Follow the directions in the Azure Firewall documentation to create your Azure Firewall.

  3. From the Azure Firewall UI > Rules > Application rule collection, select Add application rule collection. Provide a name, priority, and set Allow. In the FQDN tags section, provide a name, set the source addresses to * and select the App Service Environment and Windows Update FQDN tags.

    Screenshot: Add application rule

  4. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name, priority, and set Allow. In the Rules section under IP addresses, provide a name, select a protocol of Any, set * for the Source and Destination addresses, and set the ports to 123. This rule allows the system to perform clock sync using NTP. Create another rule the same way for port 12000 to help triage any system issues.

    Screenshot: Add NTP network rule

  5. From the Azure Firewall UI > Rules > Network rule collection, select Add network rule collection. Provide a name, priority, and set Allow. In the Rules section under Service Tags, provide a name, select a protocol of Any, set * for the Source addresses, select a service tag of AzureMonitor, and set the ports to 80, 443. This rule allows the system to supply Azure Monitor with health and metrics information.

    Screenshot: Add NTP service tag network rule

  6. Create a route table with the management addresses from the App Service Environment management addresses document with a next hop of Internet. The route table entries are required to avoid asymmetric routing problems. Add routes for the IP address dependencies noted below in the IP address dependencies section with a next hop of Internet. Add a Virtual Appliance route to your route table for 0.0.0.0/0 with the next hop being your Azure Firewall private IP address.

    Screenshot: Create route table

  7. Assign the route table you created to your ASE subnet.
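The route-table logic from steps 6 and 7 can be checked before it is applied. The following Python script is an added example, not part of the original document or of any Microsoft tooling: it builds the route list the way step 6 describes (management addresses and this page's IP address dependencies with a next hop of Internet, then 0.0.0.0/0 to the firewall) and resolves destinations with longest-prefix match, which is how Azure chooses among user-defined routes. The management addresses (203.0.113.x), the firewall private IP (10.0.1.4) and the test destination 198.51.100.7 are placeholders; substitute the real list from the App Service Environment management addresses document and your firewall's private IP. The model ignores Azure's system routes and only shows the user-defined ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    prefix: ipaddress.IPv4Network
    next_hop_type: str                  # "Internet" or "VirtualAppliance"
    next_hop_ip: Optional[str] = None   # only set for VirtualAppliance


# Placeholder management addresses (TEST-NET-3). Replace with the real list from the
# App Service Environment management addresses document.
MANAGEMENT_ADDRESSES = ["203.0.113.10/32", "203.0.113.11/32"]
# IP address dependencies from this page's table (ports are irrelevant for routing)
IP_DEPENDENCIES = ["40.77.24.27", "13.90.249.229", "104.45.230.69", "13.82.184.151"]
FIREWALL_PRIVATE_IP = "10.0.1.4"   # assumed private IP of the Azure Firewall


def build_route_table(management_addresses, ip_dependencies, firewall_ip) -> List[Route]:
    """Step 6: specific routes with next hop Internet, then 0.0.0.0/0 to the firewall."""
    routes = [Route(f"mgmt-{i}", ipaddress.ip_network(a, strict=False), "Internet")
              for i, a in enumerate(management_addresses)]
    routes += [Route(f"dep-{ip}", ipaddress.ip_network(f"{ip}/32"), "Internet")
               for ip in ip_dependencies]
    routes.append(Route("default-to-firewall", ipaddress.ip_network("0.0.0.0/0"),
                        "VirtualAppliance", firewall_ip))
    return routes


def next_hop(routes, destination: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return (best.next_hop_type, best.next_hop_ip) if best else ("None", None)


def asymmetric_sources(routes, inbound_sources) -> List[str]:
    """Inbound sources whose reply would go to the firewall instead of straight back out.

    That is the asymmetric routing case the page warns about: the request arrived
    directly, the reply leaves via the firewall, and TCP breaks.
    """
    return [s for s in inbound_sources if next_hop(routes, s)[0] != "Internet"]


if __name__ == "__main__":
    full = build_route_table(MANAGEMENT_ADDRESSES, IP_DEPENDENCIES, FIREWALL_PRIVATE_IP)
    default_only = build_route_table([], [], FIREWALL_PRIVATE_IP)
    for dst in ["203.0.113.10", "40.77.24.27", "198.51.100.7"]:
        print(dst, "->", next_hop(full, dst))
    print("asymmetric with only the default route:",
          asymmetric_sources(default_only, MANAGEMENT_ADDRESSES_STRIPPED := [a.split("/")[0] for a in MANAGEMENT_ADDRESSES]))
```

With only the 0.0.0.0/0 route, every management address comes back as asymmetric; once the per-address Internet routes are present, asymmetric_sources returns an empty list and the remaining destinations resolve to the firewall.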

Deploying your ASE behind a firewall

The steps to deploy your ASE behind a firewall are the same as configuring your existing ASE with an Azure Firewall, except that you need to create your ASE subnet first and then follow the previous steps. To create your ASE in a pre-existing subnet, you need to use a Resource Manager template as described in the document on Creating your ASE with a Resource Manager template.

Application traffic

The above steps will allow your ASE to operate without problems. You still need to configure things to accommodate your application needs. There are two problems for applications in an ASE that is configured with Azure Firewall.

  • Application dependencies must be added to the Azure Firewall or the route table.
  • Routes must be created for the application traffic to avoid asymmetric routing issues.

If your applications have dependencies, they need to be added to your Azure Firewall. Create Application rules to allow HTTP/HTTPS traffic and Network rules for everything else.

If you know the address range that your application request traffic will come from, you can add that to the route table that is assigned to your ASE subnet. If the address range is large or unspecified, then you can use a network appliance like the Application Gateway to give you one address to add to your route table. For details on configuring an Application Gateway with your ILB ASE, read Integrating your ILB ASE with an Application Gateway.

This use of the Application Gateway is just one example of how to configure your system. If you did follow this path, then you would need to add a route to the ASE subnet route table so the reply traffic sent to the Application Gateway would go there directly.

Logging

Azure Firewall can send logs to Azure Storage, Event Hub, or Azure Monitor logs. To integrate your app with any supported destination, go to the Azure Firewall portal > Diagnostic Logs and enable the logs for your desired destination. If you integrate with Azure Monitor logs, then you can see logging for any traffic sent to Azure Firewall. To see the traffic that is being denied, open your Log Analytics workspace portal > Logs and enter a query like:

AzureDiagnostics | where msg_s contains "Deny" | where TimeGenerated >= ago(1h)

Integrating your Azure Firewall with Azure Monitor logs is useful when first getting an application working when you are not aware of all of the application dependencies. You can learn more about Azure Monitor logs from Analyze log data in Azure Monitor.
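The query above lists the denied flows; the follow-up is turning them into the rules the Application traffic section calls for (application rules for HTTP/HTTPS, network rules for everything else). The following Python is an added example, not part of the original document or of any Microsoft tooling: it takes a few constructed AzureDiagnostics-style rows (TimeGenerated and msg_s, written in the shape Azure Firewall uses for application and network rule log lines), keeps the Deny entries from the last hour, and groups the destinations by the rule type they need. The hosts, addresses and the fixed clock are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Shape of Azure Firewall's msg_s field for application and network rule log lines
MSG_RE = re.compile(
    r"^(?P<proto>[A-Z]+) request from (?P<src>\S+?):(?P<sport>\d+) "
    r"to (?P<dst>\S+?):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
)

# Constructed sample rows in the shape of AzureDiagnostics records (not real log data)
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-01-01T11:50:00+00:00",
     "msg_s": "HTTPS request from 10.1.0.4:56200 to api.example.com:443. Action: Deny. "
              "No rule matched. Proceeding with default action"},
    {"TimeGenerated": "2024-01-01T11:55:00+00:00",
     "msg_s": "TCP request from 10.1.0.4:50001 to 198.51.100.7:1433. Action: Deny"},
    {"TimeGenerated": "2024-01-01T11:58:00+00:00",
     "msg_s": "HTTPS request from 10.1.0.5:56300 to management.azure.com:443. Action: Allow. "
              "Rule Collection: ase-app. Rule: ase-fqdn-tags"},
    {"TimeGenerated": "2024-01-01T10:30:00+00:00",
     "msg_s": "HTTP request from 10.1.0.4:56400 to old.example.com:80. Action: Deny. "
              "No rule matched. Proceeding with default action"},
]
# Fixed "now" so the sample window is reproducible; use datetime.now(timezone.utc) on real exports
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def denied_flows(records, now, window=timedelta(hours=1)) -> List[Tuple[str, int, str]]:
    """Equivalent of: where msg_s contains "Deny" | where TimeGenerated >= ago(1h).

    Returns (destination, port, protocol) for each denied flow inside the window.
    """
    flows = []
    for rec in records:
        ts = datetime.fromisoformat(rec["TimeGenerated"])
        if ts < now - window:
            continue
        m = MSG_RE.match(rec["msg_s"])
        if m and m.group("action") == "Deny":
            flows.append((m.group("dst"), int(m.group("dport")), m.group("proto")))
    return flows


def suggest_rules(records, now=None) -> Dict[str, List[Tuple[str, int, str]]]:
    """Split denied destinations: HTTP/HTTPS need application rules, the rest network rules."""
    now = now or datetime.now(timezone.utc)
    out = {"application": set(), "network": set()}
    for dst, port, proto in denied_flows(records, now):
        kind = "application" if proto in ("HTTP", "HTTPS") else "network"
        out[kind].add((dst, port, proto))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for kind, items in suggest_rules(SAMPLE_RECORDS, NOW).items():
        print(kind, "rules needed:", items)
```

Export the query result as JSON and feed the rows to suggest_rules; anything that lands in the network list and is an Azure SQL, Storage or Event Hub endpoint belongs on a service endpoint rather than in a firewall rule, as the conventions at the top of this page require.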

Dependencies

The following information is only required if you wish to configure a firewall appliance other than Azure Firewall.

  • Service Endpoint capable services should be configured with service endpoints.
  • IP Address dependencies are for non-HTTP/S traffic (both TCP and UDP traffic).
  • FQDN HTTP/HTTPS endpoints can be placed in your firewall device.
  • Wildcard HTTP/HTTPS endpoints are dependencies that can vary with your ASE based on a number of qualifiers.
  • Linux dependencies are only a concern if you are deploying Linux apps into your ASE. If you are not deploying Linux apps into your ASE, then these addresses do not need to be added to your firewall.

Service Endpoint capable dependencies

Endpoint
Azure SQL
Azure Storage
Azure Event Hub

IP Address dependencies

Endpoint             Details
*:123                NTP clock check. Traffic is checked at multiple endpoints on port 123
*:12000              This port is used for some system monitoring. If blocked, then some issues will be harder to triage but your ASE will continue to operate
40.77.24.27:80       Needed to monitor and alert on ASE problems
40.77.24.27:443      Needed to monitor and alert on ASE problems
13.90.249.229:80     Needed to monitor and alert on ASE problems
13.90.249.229:443    Needed to monitor and alert on ASE problems
104.45.230.69:80     Needed to monitor and alert on ASE problems
104.45.230.69:443    Needed to monitor and alert on ASE problems
13.82.184.151:80     Needed to monitor and alert on ASE problems
13.82.184.151:443    Needed to monitor and alert on ASE problems

With an Azure Firewall, you automatically get everything below configured with the FQDN tags.

FQDN HTTP/HTTPS dependencies

Endpoint
graph.microsoft.com:443
login.live.com:443
login.windows.com:443
login.windows.net:443
login.microsoftonline.com:443
*.login.microsoftonline.com:443
*.login.microsoft.com:443
client.wns.windows.com:443
definitionupdates.microsoft.com:443
go.microsoft.com:80
go.microsoft.com:443
www.microsoft.com:80
www.microsoft.com:443
wdcpalt.microsoft.com:443
wdcp.microsoft.com:443
ocsp.msocsp.com:443
ocsp.msocsp.com:80
oneocsp.microsoft.com:80
oneocsp.microsoft.com:443
mscrl.microsoft.com:443
mscrl.microsoft.com:80
crl.microsoft.com:443
crl.microsoft.com:80
www.thawte.com:443
crl3.digicert.com:80
ocsp.digicert.com:80
ocsp.digicert.com:443
csc3-2009-2.crl.verisign.com:80
crl.verisign.com:80
ocsp.verisign.com:80
cacerts.digicert.com:80
azperfcounters1.blob.core.windows.net:443
azurewatsonanalysis-prod.core.windows.net:443
global.metrics.nsatc.net:80
global.metrics.nsatc.net:443
az-prod.metrics.nsatc.net:443
antares.metrics.nsatc.net:443
azglobal-black.azglobal.metrics.nsatc.net:443
azglobal-red.azglobal.metrics.nsatc.net:443
antares-black.antares.metrics.nsatc.net:443
antares-red.antares.metrics.nsatc.net:443
prod.microsoftmetrics.com:443
maupdateaccount.blob.core.windows.net:443
clientconfig.passport.net:443
packages.microsoft.com:443
schemas.microsoft.com:80
schemas.microsoft.com:443
management.core.windows.net:443
management.core.windows.net:80
management.azure.com:443
www.msftconnecttest.com:80
shavamanifestcdnprod1.azureedge.net:443
validation-v2.sls.microsoft.com:443
flighting.cp.wd.microsoft.com:443
dmd.metaservices.microsoft.com:80
admin.core.windows.net:443
prod.warmpath.msftcloudes.com:443
prod.warmpath.msftcloudes.com:80
gcs.prod.monitoring.core.windows.net:80
gcs.prod.monitoring.core.windows.net:443
azureprofileruploads.blob.core.windows.net:443
azureprofileruploads2.blob.core.windows.net:443
azureprofileruploads3.blob.core.windows.net:443
azureprofileruploads4.blob.core.windows.net:443
azureprofileruploads5.blob.core.windows.net:443
azperfmerges.blob.core.windows.net:443
azprofileruploads1.blob.core.windows.net:443
azprofileruploads10.blob.core.windows.net:443
azprofileruploads2.blob.core.windows.net:443
azprofileruploads3.blob.core.windows.net:443
azprofileruploads4.blob.core.windows.net:443
azprofileruploads6.blob.core.windows.net:443
azprofileruploads7.blob.core.windows.net:443
azprofileruploads8.blob.core.windows.net:443
azprofileruploads9.blob.core.windows.net:443
azureprofilerfrontdoor.cloudapp.net:443
settings-win.data.microsoft.com:443
maupdateaccount2.blob.core.windows.net:443
maupdateaccount3.blob.core.windows.net:443
dc.services.visualstudio.com:443
gmstorageprodsn1.blob.core.windows.net:443
gmstorageprodsn1.file.core.windows.net:443
gmstorageprodsn1.queue.core.windows.net:443
gmstorageprodsn1.table.core.windows.net:443
rteventservice.trafficmanager.net:443
ctldl.windowsupdate.com:80
ctldl.windowsupdate.com:443
global-dsms.dsms.core.windows.net:443

Wildcard HTTP/HTTPS dependencies

Endpoint
gr-Prod-*.cloudapp.net:443
*.management.azure.com:443
*.update.microsoft.com:443
*.windowsupdate.microsoft.com:443
*.identity.azure.net:443
*.ctldl.windowsupdate.com:80
*.ctldl.windowsupdate.com:443

Linux dependencies

Endpoint
wawsinfraprodbay063.blob.core.windows.net:443
registry-1.docker.io:443
auth.docker.io:443
production.cloudflare.docker.com:443
download.docker.com:443
us.archive.ubuntu.com:80
download.mono-project.com:80
packages.treasuredata.com:80
security.ubuntu.com:80
oryx-cdn.microsoft.io:443
*.cdn.mscr.io:443
*.data.mcr.microsoft.com:443
mcr.microsoft.com:443
packages.fluentbit.io:80
packages.fluentbit.io:443
apt-mo.trafficmanager.net:80
apt-mo.trafficmanager.net:443
azure.archive.ubuntu.com:80
azure.archive.ubuntu.com:443
changelogs.ubuntu.com:80
13.74.252.37:11371
13.75.127.55:11371
13.76.190.189:11371
13.80.10.205:11371
13.91.48.226:11371
40.76.35.62:11371
104.215.95.108:11371

US Gov dependencies

For ASEs in US Gov regions, follow the instructions in the Configuring Azure Firewall with your ASE section of this document to configure an Azure Firewall with your ASE.

If you want to use a device other than Azure Firewall in US Gov:

  • Service Endpoint capable services should be configured with service endpoints.
  • FQDN HTTP/HTTPS endpoints can be placed in your firewall device.
  • Wildcard HTTP/HTTPS endpoints are dependencies that can vary with your ASE based on a number of qualifiers.

Linux is not available in US Gov regions and is thus not listed as an optional configuration.

Service Endpoint capable dependencies

Endpoint
Azure SQL
Azure Storage
Azure Event Hub

IP Address dependencies

Endpoint             Details
*:123                NTP clock check. Traffic is checked at multiple endpoints on port 123
*:12000              This port is used for some system monitoring. If blocked, then some issues will be harder to triage but your ASE will continue to operate
40.77.24.27:80       Needed to monitor and alert on ASE problems
40.77.24.27:443      Needed to monitor and alert on ASE problems
13.90.249.229:80     Needed to monitor and alert on ASE problems
13.90.249.229:443    Needed to monitor and alert on ASE problems
104.45.230.69:80     Needed to monitor and alert on ASE problems
104.45.230.69:443    Needed to monitor and alert on ASE problems
13.82.184.151:80     Needed to monitor and alert on ASE problems
13.82.184.151:443    Needed to monitor and alert on ASE problems

Dependencies

Endpoint
*.ctldl.windowsupdate.com:80
*.management.usgovcloudapi.net:80
*.update.microsoft.com:80
admin.core.usgovcloudapi.net:80
azperfmerges.blob.core.windows.net:80
azprofileruploads1.blob.core.windows.net:80
azprofileruploads10.blob.core.windows.net:80
azprofileruploads2.blob.core.windows.net:80
azprofileruploads3.blob.core.windows.net:80
azprofileruploads4.blob.core.windows.net:80
azprofileruploads5.blob.core.windows.net:80
azprofileruploads6.blob.core.windows.net:80
azprofileruploads7.blob.core.windows.net:80
azprofileruploads8.blob.core.windows.net:80
azprofileruploads9.blob.core.windows.net:80
azureprofilerfrontdoor.cloudapp.net:80
azurewatsonanalysis.usgovcloudapp.net:80
cacerts.digicert.com:80
client.wns.windows.com:80
crl.microsoft.com:80
crl.verisign.com:80
crl3.digicert.com:80
csc3-2009-2.crl.verisign.com:80
ctldl.windowsupdate.com:80
definitionupdates.microsoft.com:80
download.windowsupdate.com:80
fairfax.warmpath.usgovcloudapi.net:80
flighting.cp.wd.microsoft.com:80
gcwsprodgmdm2billing.queue.core.usgovcloudapi.net:80
gcwsprodgmdm2billing.table.core.usgovcloudapi.net:80
global.metrics.nsatc.net:80
go.microsoft.com:80
gr-gcws-prod-bd3.usgovcloudapp.net:80
gr-gcws-prod-bn1.usgovcloudapp.net:80
gr-gcws-prod-dd3.usgovcloudapp.net:80
gr-gcws-prod-dm2.usgovcloudapp.net:80
gr-gcws-prod-phx20.usgovcloudapp.net:80
gr-gcws-prod-sn5.usgovcloudapp.net:80
login.live.com:80
login.microsoftonline.us:80
management.core.usgovcloudapi.net:80
management.usgovcloudapi.net:80
maupdateaccountff.blob.core.usgovcloudapi.net:80
mscrl.microsoft.com:80
ocsp.digicert.com:80
ocsp.verisign.com:80
rteventse.trafficmanager.net:80
settings-n.data.microsoft.com:80
shavamafestcdnprod1.azureedge.net:80
shavanifestcdnprod1.azureedge.net:80
v10ortex-win.data.microsoft.com:80
wp.microsoft.com:80
dcpalt.microsoft.com:80
www.microsoft.com:80
www.msftconnecttest.com:80
www.thawte.com:80
*ctldl.windowsupdate.com:443
*.management.usgovcloudapi.net:443
*.update.microsoft.com:443
admin.core.usgovcloudapi.net:443
azperfmerges.blob.core.windows.net:443
azprofileruploads1.blob.core.windows.net:443
azprofileruploads10.blob.core.windows.net:443
azprofileruploads2.blob.core.windows.net:443
azprofileruploads3.blob.core.windows.net:443
azprofileruploads4.blob.core.windows.net:443
azprofileruploads5.blob.core.windows.net:443
azprofileruploads6.blob.core.windows.net:443
azprofileruploads7.blob.core.windows.net:443
azprofileruploads8.blob.core.windows.net:443
azprofileruploads9.blob.core.windows.net:443
azureprofilerfrontdoor.cloudapp.net:443
azurewatsonanalysis.usgovcloudapp.net:443
cacerts.digicert.com:443
client.wns.windows.com:443
crl.microsoft.com:443
crl.verisign.com:443
crl3.digicert.com:443
csc3-2009-2.crl.verisign.com:443
ctldl.windowsupdate.com:443
definitionupdates.microsoft.com:443
download.windowsupdate.com:443
fairfax.warmpath.usgovcloudapi.net:443
gcs.monitoring.core.usgovcloudapi.net:443
flighting.cp.wd.microsoft.com:443
gcwsprodgmdm2billing.queue.core.usgovcloudapi.net:443
gcwsprodgmdm2billing.table.core.usgovcloudapi.net:443
global.metrics.nsatc.net:443
go.microsoft.com:443
gr-gcws-prod-bd3.usgovcloudapp.net:443
gr-gcws-prod-bn1.usgovcloudapp.net:443
gr-gcws-prod-dd3.usgovcloudapp.net:443
gr-gcws-prod-dm2.usgovcloudapp.net:443
gr-gcws-prod-phx20.usgovcloudapp.net:443
gr-gcws-prod-sn5.usgovcloudapp.net:443
login.live.com:443
login.microsoftonline.us:443
management.core.usgovcloudapi.net:443
management.usgovcloudapi.net:443
maupdateaccountff.blob.core.usgovcloudapi.net:443
mscrl.microsoft.com:443
ocsp.digicert.com:443
ocsp.msocsp.com:443
ocsp.msocsp.com:80
oneocsp.microsoft.com:80
oneocsp.microsoft.com:443
ocsp.verisign.com:443
rteventservice.trafficmanager.net:443
settings-win.data.microsoft.com:443
shavamanifestcdnprod1.azureedge.net:443
v10.vortex-win.data.microsoft.com:443
wdcp.microsoft.com:443
wdcpalt.microsoft.com:443
www.microsoft.com:443
www.msftconnecttest.com:443
www.thawte.com:443
global-dsms.dsms.core.usgovcloudapi.net:443