Introduction to IP flow verify in Azure Network Watcher

IP flow verify checks whether a packet is allowed or denied to or from a virtual machine. The information consists of direction, protocol, local IP, remote IP, local port, and remote port. If the packet is denied by a security group, the name of the rule that denied the packet is returned. While any source or destination IP can be chosen, IP flow verify helps administrators quickly diagnose connectivity issues from or to the internet and from or to the on-premises environment.

IP flow verify looks at the rules for all Network Security Groups (NSGs) applied to the network interface, such as a subnet or virtual machine NIC. Traffic flow to or from that network interface is then verified based on the configured settings. IP flow verify is useful for confirming whether a rule in a Network Security Group is blocking ingress or egress traffic to or from a virtual machine.
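The check described above can be modelled offline. The following is an added example, not Azure's implementation or code from the original article: a simplified evaluator that takes the same inputs (direction, protocol, local and remote IP and port), walks a subnet NSG and a NIC NSG in priority order, and returns the name of the deciding rule. The rule names, addresses, and the `no-matching-rule` fallback are constructed assumptions; service tags and source-port matching are omitted.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    priority: int    # lower number is evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "TCP", "UDP" or "*"
    source: str      # CIDR, or "*" for any
    dest: str        # CIDR, or "*" for any
    dest_ports: str  # "*", "443" or "8000-8100"

def _ip_ok(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate_nsg(rules, direction, protocol, local_ip, local_port, remote_ip, remote_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    # Inbound: the remote end is the source. Outbound: the local end is.
    if direction == "Inbound":
        src, dst, dport = remote_ip, local_ip, local_port
    else:
        src, dst, dport = local_ip, remote_ip, remote_port
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and _ip_ok(r.source, src) and _ip_ok(r.dest, dst)
                and _port_ok(r.dest_ports, dport)):
            return r.access, r.name
    return "Deny", "no-matching-rule"  # model fallback; real NSGs carry default rules

def ip_flow_verify(subnet_nsg, nic_nsg, direction, *flow):
    """Both NSGs must allow the flow; the first Deny names the blocking rule."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    result = ("Allow", "no-nsg-applied")
    for nsg in (n for n in order if n is not None):
        result = evaluate_nsg(nsg, direction, *flow)
        if result[0] == "Deny":
            break
    return result

# Constructed sample rules; names and addresses are hypothetical.
SUBNET_NSG = [Rule("AllowHttpsIn", 100, "Inbound", "Allow", "TCP", "*", "10.0.0.0/24", "443"),
              Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*")]
NIC_NSG = [Rule("DenyMgmtRange", 200, "Inbound", "Deny", "TCP", "203.0.113.0/24", "*", "*"),
           Rule("AllowAllIn", 300, "Inbound", "Allow", "*", "*", "*", "*")]

if __name__ == "__main__":
    print(ip_flow_verify(SUBNET_NSG, NIC_NSG, "Inbound", "TCP", "10.0.0.4", 443, "203.0.113.9", 50000))
```

A flow that the subnet NSG allows can still be denied at the NIC, which is why the returned rule name matters more than the bare Allow or Deny when diagnosing a blocked connection.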

An instance of Network Watcher needs to be created in every region where you plan to run IP flow verify. Network Watcher is a regional service and can only be run against resources in the same region. The instance used does not affect the results of IP flow verify, as any route associated with the NIC or subnet is still returned.


Next steps

Visit the following article to learn whether a packet is allowed or denied for a specific virtual machine through the portal: Check if traffic is allowed on a VM with IP Flow Verify using the portal