網路封包代理
Azure 操作員 Nexus 的網路封包代理人是專為電信服務提供商量身打造的 Microsoft Azure 特製供應專案。 透過 Azure 操作員 Nexus 的網路封包代理程式,電信操作員可以有效地擷取、匯總、篩選和監視其基礎結構 (AON) 的流量,以便進行深入的封包檢查、流量分析和增強的網路監視。 這在電信業中尤其重要,其中維護高品質服務、確保安全性,以及遵守法規要求至關重要。 藉由利用此解決方案,操作員可以更清楚地瞭解其網路流量、更有效地疑難解答問題,並最終為客戶提供改善的服務,同時維持最高的網路安全性和效能標準。
NPB 已設計並模型化為 Microsoft.managednetworkfabric 下的個別最上層 Azure Resource Manager (ARM) 資源。 操作員可以建立、讀取、更新和刪除網路 TAP、網路 TAP 規則和鄰近群組功能。 每個網路封包代理程式都會有多個資源,例如網路 TAP、鄰近群組和網路 TAP 規則,以管理、篩選和轉送指定的流量。
啟用網路封包代理程式的步驟
先決條件
- NPB 裝置已正確機架、堆疊和布建。 如需如何布建網路網狀架構的程式,請參閱 網路網狀架構布建。
- 應使用專用IP來設定個別的 vProbes
- 針對內部 vProbes,應該建立具有內部網路的第 3 層隔離網域。 除了必要連線子網之外,應該設定必要的連線子網,擴充旗標應該設定為 NPB(在內部網路中)。 如需如何在隔離網域上建立內部和外部網路的程式,以及設定NPB的擴充旗標,請參閱隔離網域。
- 針對網路對網路間連線 (NNI) 使用案例,應該將 NNI 建立為 類型
NPB。 建立 NNI 期間應該定義適當的第 2 層和第 3 層屬性。 如需如何建立網路到網路互連的程式(NNI),請參閱 網路網狀架構布建。
步驟
- 建立提供比對組態的網路 TAP 規則(僅支援內嵌輸入法)
- 建立定義目的地的芳鄰群組資源。
- 建立參考 Tap 規則和鄰近群組的網路 TAP 資源。
- 啟用網路 TAP 資源。
NPB
此資源會在啟動程序期間由NF自動建立。
顯示 NPB
此命令會顯示 NPB 邏輯資源的詳細資料。
az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"
預期的輸出
{
"properties": {
"networkFabricId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
"networkDeviceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
],
"sourceInterfaceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
],
"networkTapIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
],
"neighborGroupIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
],
"provisioningState": "Succeeded"
},
"tags": {
"key2806": "key"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
"name": "example-networkPacketBroker",
"type": "microsoft.managednetworkfabric/networkPacketBrokers",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-05-17T11:56:12.100Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-17T11:56:12.100Z"
}
}
網路 TAP 規則
NetworkTapRule 資源可讓您提供條件和動作的篩選和轉送組合。
網路 TAP 規則的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 特別針對 NetworkTapRule 使用適當的資源組名 | resourceGroupName | True |
| resource-name | 網路點選的資源名稱 | InternetTAPrule1 | True |
| location | AzON Azure 區域在 NFC 建立期間使用 | eastus | True |
| configuration-type | 設定網路點選規則的輸入方法。 | 內嵌或檔案 | True |
| match-configurations | 比對組態的清單。 | ||
| match-configurations/matchconfigurationName | Match 組態區塊的名稱 | ||
| match-configurations/sequenceNumber | 相符組態的序號 | ||
| match-configurations/ipAddressType | Ip 位址系列 | ||
| match-configurations/matchconditions | 根據埠、通訊協定、Vlan 和Ip條件的動態比對條件清單。 | ||
| match-configurations/action | 提供動作詳細數據。 動作可以是Drop、Count、Log、Goto、Redirect、Mirror | ||
| dynamic-match-configurations | 以埠、Vlan 和IP為基礎的動態比對組態清單 |
注意
網路點選規則和鄰近群組必須先建立,才能在網路點選中重新調整規則
建立網路點選規則
此指令會建立網路點選規則:
az networkfabric taprule create --resource-group "example-rg" --location "westus3"--resource-name "example-networktaprule"\
--configuration-type "Inline" \
--match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],\
actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]"\
--dynamic-match-configurations"[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'exmaple-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"
預期輸出:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
顯示網路點選規則
此指令會顯示 IP 社群資源:
az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"
預期輸出:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
鄰近群組
鄰近群組資源能夠將目的地分組以轉送篩選的流量
芳鄰群組的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 特別針對您的 NeighborGroup 使用適當的資源組名 | resourceGroupName | True |
| resource-name | NeighborGroup 的資源名稱 | example-Neighbor | True |
| location | AzON Azure 區域在 NFC 建立期間使用 | eastus | True |
| 目的地 | 要轉送流量的 Ipv4 或 Ipv6 目的地清單 | 10.10.10.10 | True |
建立芳鄰群組
此指令會建立芳鄰群組資源:
az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3"
--resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"
預期輸出:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
顯示鄰近群組資源
此指令會顯示 IP 擴充社群資源:
az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"
預期輸出:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
網路 TAP
網路 TAP 可讓操作員定義目的地和封裝機制,以根據網路 TAP 規則轉送篩選的流量
網路 TAP 的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 特別針對您的網路點選使用適當的資源組名 | resourceGroupName | True |
| resource-name | 網路點選的資源名稱 | NetworkTAP-奧斯丁 | True |
| location | AzON Azure 區域在 NFC 建立期間使用 | eastus | True |
| network-packet-broker-id | 網路封包代理人資源的 ARMID | True | |
| polling-type | 網路點選規則的輪詢方法(推送或提取) | 提取] | True |
| 目的地 | 目的地定義 | True | |
| destination/name | 目的地名稱 | ||
| destination/type | 目的地的類型。IsolationDomain 或 NNI | ||
| destination/IsolationDomainProperties | 隔離網域的詳細數據。 封裝、鄰近群組標識碼 | 內部網路或 NNI 的 Azure Resource Manager (ARM) 識別碼 | False |
| destinationTapRuleId | 點選規則的 ARMID,必須套用 | True |
建立網路 TAP
此指令會建立網路 Tap 資源:
az networkfabric tap create --resource-group "example-rg" --location "westus3" \
--resource-name "example-networktap" \
--network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
--polling-type "Pull"\
--destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsloationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\