Plan for traffic inspection

In many industries, organizations require that traffic in Azure is mirrored to a network packet collector for deep inspection and analysis. This requirement typically focuses on inbound and outbound internet traffic. This section explores key considerations and recommended approaches for mirroring or tapping traffic within an Azure virtual network.

Design considerations:

  • Azure Virtual Network terminal access point (TAP) is in preview. Contact azurevnettap@microsoft.com for availability details.

  • Packet capture in Azure Network Watcher is generally available, but each capture session is limited to a maximum duration of five hours, so it provides time-boxed captures rather than continuous mirroring.

Design recommendations:

As an alternative to Azure Virtual Network TAP, evaluate the following options:

  • Use Network Watcher packet capture, accepting the limited capture window. Captures run against a specific virtual machine through the Network Watcher agent, so plan them per workload rather than as a network-wide tap.

  • Evaluate whether the latest version of NSG flow logs provides the level of detail that you need. Flow logs record the 5-tuple, protocol, direction, and the allow or deny decision per NSG rule, and version 2 adds flow state and per-direction byte and packet counts, but they never contain packet payload.

  • Use partner solutions for scenarios that require deep packet inspection.

  • Don't develop a custom solution to mirror traffic. Although this approach might be acceptable for small-scale scenarios, we don't encourage it at scale because of the complexity and supportability issues that might arise.
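To make the "level of detail" question concrete for the NSG flow logs recommendation above, here is an added example (not part of this page and not Microsoft's code) that parses NSG flow log records in the version 2 format and shows what a practitioner can and cannot extract from them: the 5-tuple, protocol, direction, rule and decision, and in version 2 the flow state and per-direction byte and packet counts, but no payload. The sample record is constructed; the subscription ID, NSG name, MAC address and IP addresses are placeholders.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the NSG flow log version 2 layout. Each flowTuple is:
# time,srcIP,dstIP,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D),
# flowState(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
# Version 1 tuples stop after the decision field. Counters are empty for "B"
# (begin) entries and populated on "C" (continuing) and "E" (end) entries.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2023-01-01T12:00:35.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/"
                      "RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/"
                      "NETWORKSECURITYGROUPS/NSG",  # placeholder resource ID
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1672574400,203.0.113.10,10.5.16.4,28746,443,U,I,D,B,,,,",
                 ]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1672574401,198.51.100.7,10.5.16.4,51233,443,T,I,A,B,,,,",
                     "1672574460,198.51.100.7,10.5.16.4,51233,443,T,I,A,E,12,4820,9,3310",
                 ]}]},
            ],
        },
    }]
})


@dataclass
class Flow:
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str          # "T" (TCP) or "U" (UDP)
    direction: str         # "I" (inbound) or "O" (outbound)
    decision: str          # "A" (allowed) or "D" (denied)
    rule: str              # NSG rule that made the decision
    flow_state: Optional[str] = None          # v2 only: B, C or E
    packets_src_to_dst: Optional[int] = None  # v2 only
    bytes_src_to_dst: Optional[int] = None    # v2 only
    packets_dst_to_src: Optional[int] = None  # v2 only
    bytes_dst_to_src: Optional[int] = None    # v2 only


def _opt_int(field: str) -> Optional[int]:
    """Counters are blank on 'B' entries; treat blank as absent, not zero."""
    return int(field) if field else None


def parse_flow_log(raw: str) -> List[Flow]:
    """Flatten every flowTuple in every record into Flow objects."""
    flows: List[Flow] = []
    for record in json.loads(raw)["records"]:
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule_entry in props["flows"]:
            for nic in rule_entry["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flow = Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                f[5], f[6], f[7], rule_entry["rule"])
                    # Version 2 appends flow state and four traffic counters.
                    if version >= 2 and len(f) >= 13:
                        flow.flow_state = f[8]
                        flow.packets_src_to_dst = _opt_int(f[9])
                        flow.bytes_src_to_dst = _opt_int(f[10])
                        flow.packets_dst_to_src = _opt_int(f[11])
                        flow.bytes_dst_to_src = _opt_int(f[12])
                    flows.append(flow)
    return flows


def denied_inbound(flows: List[Flow]) -> List[Flow]:
    """Inbound flows the NSG dropped: useful for exposure and scan detection."""
    return [f for f in flows if f.direction == "I" and f.decision == "D"]


def bytes_per_rule(flows: List[Flow]) -> Dict[str, int]:
    """Total bytes in both directions attributed to each NSG rule (v2 data)."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f.rule] = totals.get(f.rule, 0) + (f.bytes_src_to_dst or 0) \
            + (f.bytes_dst_to_src or 0)
    return totals


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_FLOW_LOG)
    for d in denied_inbound(parsed):
        print(f"denied inbound {d.src_ip}:{d.src_port} -> {d.dst_ip}:{d.dst_port}")
    print(bytes_per_rule(parsed))
```

Every field the parser produces is metadata. If the requirement is to know who talked to what, whether it was allowed, and how much moved, version 2 flow logs (optionally enriched with Traffic Analytics) may be enough; if the requirement is to inspect payload, for example to detect data in an HTTP body or validate TLS handshakes, nothing in these records can satisfy it and the packet capture or partner options apply instead.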