Diagnose a virtual machine network traffic filter problem

In this article, you learn how to diagnose a network traffic filter problem by viewing the network security group (NSG) security rules that are effective for a virtual machine (VM).

NSGs enable you to control the types of traffic that flow in and out of a VM. You can associate an NSG to a subnet in an Azure virtual network, a network interface attached to a VM, or both. The effective security rules applied to a network interface are an aggregation of the rules that exist in the NSG associated to the network interface and in the NSG associated to the subnet the network interface is in. Rules in different NSGs can sometimes conflict with each other and impact a VM's network connectivity. You can view all the effective security rules from NSGs that are applied on your VM's network interfaces. If you're not familiar with virtual network, network interface, or NSG concepts, see Virtual network overview, Network interface, and Network security groups overview.

Scenario

You attempt to connect to a VM over port 80 from the internet, but the connection fails. To determine why you can't access port 80 from the internet, you can view the effective security rules for a network interface using the Azure portal, PowerShell, or the Azure CLI.

The steps that follow assume you have an existing VM to view the effective security rules for. If you don't have an existing VM, first deploy a Linux or Windows VM to complete the tasks in this article. The examples in this article are for a VM named myVM with a network interface named myVMVMNic. The VM and network interface are in a resource group named myResourceGroup, and are in the East US region. Change the values in the steps, as appropriate, for the VM you are diagnosing.

Diagnose using Azure portal

  1. Log into the Azure portal with an Azure account that has the necessary permissions.

  2. At the top of the Azure portal, enter the name of the VM in the search box. When the name of the VM appears in the search results, select it.

  3. Under SETTINGS, select Networking, as shown in the following picture:

    [Picture: View security rules]

    The rules you see listed in the previous picture are for a network interface named myVMVMNic. You see that there are INBOUND PORT RULES for the network interface from two different network security groups:

    • mySubnetNSG: Associated to the subnet that the network interface is in.
    • myVMNSG: Associated to the network interface in the VM named myVMVMNic.

    The rule named DenyAllInBound is what's preventing inbound communication to the VM over port 80, from the internet, as described in the scenario. The rule lists 0.0.0.0/0 for SOURCE, which includes the internet. No other rule with a higher priority (lower number) allows port 80 inbound. To allow port 80 inbound to the VM from the internet, see Resolve a problem. To learn more about security rules and how Azure applies them, see Network security groups.

    At the bottom of the picture, you also see OUTBOUND PORT RULES. Under that are the outbound port rules for the network interface. Though the picture only shows four inbound rules for each NSG, your NSGs may have many more than four rules. In the picture, you see VirtualNetwork under SOURCE and DESTINATION and AzureLoadBalancer under SOURCE. VirtualNetwork and AzureLoadBalancer are service tags. Service tags represent a group of IP address prefixes to help minimize complexity for security rule creation.

  4. Ensure that the VM is in the running state, and then select Effective security rules, as shown in the previous picture, to see the effective security rules, shown in the following picture:

    [Picture: View effective security rules]

    The rules listed are the same as you saw in step 3, though there are different tabs for the NSG associated to the network interface and the subnet. As you can see in the picture, only the first 50 rules are shown. To download a .csv file that contains all of the rules, select Download.

    To see which prefixes each service tag represents, select a rule, such as the rule named AllowAzureLoadBalancerInbound. The following picture shows the prefixes for the AzureLoadBalancer service tag:

    [Picture: View effective security rules]

    Though the AzureLoadBalancer service tag only represents one prefix, other service tags represent several prefixes.

  5. The previous steps showed the security rules for a network interface named myVMVMNic, but you've also seen a network interface named myVMVMNic2 in some of the previous pictures. The VM in this example has two network interfaces attached to it. The effective security rules can be different for each network interface.

    To see the rules for the myVMVMNic2 network interface, select it. As shown in the picture that follows, the network interface has the same rules associated to its subnet as the myVMVMNic network interface, because both network interfaces are in the same subnet. When you associate an NSG to a subnet, its rules are applied to all network interfaces in the subnet.

    [Picture: View security rules]

    Unlike the myVMVMNic network interface, the myVMVMNic2 network interface does not have a network security group associated to it. Each network interface and subnet can have zero, or one, NSG associated to it. The NSG associated to each network interface or subnet can be the same, or different. You can associate the same network security group to as many network interfaces and subnets as you choose.

Though effective security rules were viewed through the VM, you can also view effective security rules through an individual:

Diagnose using PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

You can run the commands that follow in the Azure Cloud Shell, or by running PowerShell from your computer. The Azure Cloud Shell is a free interactive shell. It has common Azure tools preinstalled and configured to use with your account. If you run PowerShell from your computer, you need the Azure PowerShell module, version 1.0.0 or later. Run Get-Module -ListAvailable Az on your computer to find the installed version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzAccount to log into Azure with an account that has the necessary permissions.

Get the effective security rules for a network interface with Get-AzEffectiveNetworkSecurityGroup. The following example gets the effective security rules for a network interface named myVMVMNic that is in a resource group named myResourceGroup:

Get-AzEffectiveNetworkSecurityGroup `
  -NetworkInterfaceName myVMVMNic `
  -ResourceGroupName myResourceGroup

Output is returned in JSON format. To understand the output, see Interpret command output. Output is only returned if an NSG is associated with the network interface, the subnet the network interface is in, or both. The VM must be in the running state. A VM may have multiple network interfaces with different NSGs applied. When troubleshooting, run the command for each network interface.

If you're still having a connectivity problem, see Additional diagnosis and Considerations.

If you don't know the name of a network interface, but do know the name of the VM the network interface is attached to, the following commands return the IDs of all network interfaces attached to a VM:

$VM = Get-AzVM -Name myVM -ResourceGroupName myResourceGroup
$VM.NetworkProfile

You receive output similar to the following example:

NetworkInterfaces
-----------------
{/subscriptions/<ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myVMVMNic

In the previous output, the network interface name is myVMVMNic.

Diagnose using Azure CLI

If using Azure command-line interface (CLI) commands to complete tasks in this article, either run the commands in the Azure Cloud Shell, or run the CLI from your computer. This article requires the Azure CLI version 2.0.32 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. If you are running the Azure CLI locally, you also need to run az login and log into Azure with an account that has the necessary permissions.

Get the effective security rules for a network interface with az network nic list-effective-nsg. The following example gets the effective security rules for a network interface named myVMVMNic that is in a resource group named myResourceGroup:

az network nic list-effective-nsg \
  --name myVMVMNic \
  --resource-group myResourceGroup

Output is returned in JSON format. To understand the output, see Interpret command output. Output is only returned if an NSG is associated with the network interface, the subnet the network interface is in, or both. The VM must be in the running state. A VM may have multiple network interfaces with different NSGs applied. When troubleshooting, run the command for each network interface.

If you're still having a connectivity problem, see Additional diagnosis and Considerations.

If you don't know the name of a network interface, but do know the name of the VM the network interface is attached to, the following commands return the IDs of all network interfaces attached to a VM:

az vm show \
  --name myVM \
  --resource-group myResourceGroup

Within the returned output, you see information similar to the following example:

"networkProfile": {
    "additionalProperties": {},
    "networkInterfaces": [
      {
        "additionalProperties": {},
        "id": "/subscriptions/<ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myVMVMNic",
        "primary": true,
        "resourceGroup": "myResourceGroup"
      },

In the previous output, the network interface name is myVMVMNic.

Interpret command output

Regardless of whether you used PowerShell or the Azure CLI to diagnose the problem, you receive output that contains the following information:

  • NetworkSecurityGroup: The ID of the network security group.
  • Association: Whether the network security group is associated to a NetworkInterface or Subnet. If an NSG is associated to both, output is returned with NetworkSecurityGroup, Association, and EffectiveSecurityRules, for each NSG. If the NSG is associated or disassociated immediately before running the command to view the effective security rules, you may need to wait a few seconds for the change to reflect in the command output.
  • EffectiveSecurityRules: An explanation of each property is detailed in Create a security rule. Rule names prefaced with defaultSecurityRules/ are default security rules that exist in every NSG. Rule names prefaced with securityRules/ are rules that you've created. Rules that specify a service tag, such as Internet, VirtualNetwork, and AzureLoadBalancer for the destinationAddressPrefix or sourceAddressPrefix properties, also have values for the expandedDestinationAddressPrefix property. The expandedDestinationAddressPrefix property lists all address prefixes represented by the service tag.

If you see duplicate rules listed in the output, it's because an NSG is associated to both the network interface and the subnet. Both NSGs have the same default rules, and may have additional duplicate rules, if you've created your own rules that are the same in both NSGs.

The rule named defaultSecurityRules/DenyAllInBound is what's preventing inbound communication to the VM over port 80, from the internet, as described in the scenario. No other rule with a higher priority (lower number) allows port 80 inbound from the internet.

Resolve a problem

Whether you use the Azure portal, PowerShell, or the Azure CLI to diagnose the problem presented in the scenario in this article, the solution is to create a network security rule with the following properties:

Property                  Value
Source                    Any
Source port ranges        Any
Destination               The IP address of the VM, a range of IP addresses, or all addresses in the subnet.
Destination port ranges   80
Protocol                  TCP
Action                    Allow
Priority                  100
Name                      Allow-HTTP-All

After you create the rule, port 80 is allowed inbound from the internet, because the priority of the rule is higher than the default security rule named DenyAllInBound, which denies the traffic. Learn how to create a security rule. If different NSGs are associated to both the network interface and the subnet, you must create the same rule in both NSGs.

When Azure processes inbound traffic, it processes rules in the NSG associated to the subnet (if there is an associated NSG), and then it processes the rules in the NSG associated to the network interface. If there is an NSG associated to the network interface and the subnet, the port must be open in both NSGs for the traffic to reach the VM. To ease administration and communication problems, we recommend that you associate an NSG to a subnet, rather than individual network interfaces. If VMs within a subnet need different security rules, you can make the network interfaces members of an application security group (ASG), and specify an ASG as the source and destination of a security rule. Learn more about application security groups.
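The processing order described above (subnet NSG first, then network interface NSG, lowest priority number first within each) can be replayed offline against a set of effective rules to find which rule decides a given inbound flow. The following Python code is an added example, not part of the original article or of any Azure tool; the rule records are constructed, and their layout and the helper names (nsg, deciding_rule, evaluate_inbound) are assumptions modeled on the properties named under Interpret command output.

```python
import ipaddress

# Constructed sample rules. The key layout is an assumption modeled on the
# properties this article names; adapt the keys to your real command output.
DEFAULT_RULES = [
    {"name": "defaultSecurityRules/AllowVnetInBound", "priority": 65000,
     "access": "Allow", "protocol": "All", "destinationPortRange": "0-65535",
     "sourceAddressPrefix": "VirtualNetwork",
     "expandedSourceAddressPrefix": ["10.0.0.0/16"]},
    {"name": "defaultSecurityRules/DenyAllInBound", "priority": 65500,
     "access": "Deny", "protocol": "All", "destinationPortRange": "0-65535",
     "sourceAddressPrefix": "0.0.0.0/0"},
]
ALLOW_HTTP = {"name": "securityRules/Allow-HTTP-All", "priority": 100,
              "access": "Allow", "protocol": "Tcp",
              "destinationPortRange": "80", "sourceAddressPrefix": "*"}


def nsg(association, *extra_rules):
    """Build a constructed NSG entry; association is 'Subnet' or 'NetworkInterface'."""
    return {"association": association,
            "effectiveSecurityRules": list(extra_rules) + DEFAULT_RULES}


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def _source_matches(rule, source_ip):
    # Service tags are matched through their expanded prefixes when present.
    prefixes = rule.get("expandedSourceAddressPrefix") or [rule["sourceAddressPrefix"]]
    addr = ipaddress.ip_address(source_ip)
    for prefix in prefixes:
        if prefix == "*":
            return True
        try:
            if addr in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # unexpanded service tag: cannot be evaluated offline
    return False


def deciding_rule(nsg_entry, source_ip, port, protocol):
    """Within one NSG the lowest priority number wins: first match decides."""
    for rule in sorted(nsg_entry["effectiveSecurityRules"], key=lambda r: r["priority"]):
        if (rule["protocol"] in ("All", "*", protocol)
                and _port_matches(rule["destinationPortRange"], port)
                and _source_matches(rule, source_ip)):
            return rule
    return None


def evaluate_inbound(nsgs, source_ip, port, protocol="Tcp"):
    """Subnet NSG is processed first, then the NIC NSG; both must allow."""
    order = {"Subnet": 0, "NetworkInterface": 1}
    for entry in sorted(nsgs, key=lambda n: order[n["association"]]):
        rule = deciding_rule(entry, source_ip, port, protocol)
        if rule is None or rule["access"] != "Allow":
            return False, entry["association"], rule["name"] if rule else None
    return True, None, None


if __name__ == "__main__":
    # Allow rule created in the subnet NSG only: the NIC NSG still denies.
    print(evaluate_inbound([nsg("Subnet", ALLOW_HTTP), nsg("NetworkInterface")],
                           "203.0.113.10", 80))
```

The returned tuple is (allowed, association of the NSG that denied, name of the denying rule), so a rule created in only one of two associated NSGs shows up as a deny at the other.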

If you're still having communication problems, see Considerations and Additional diagnosis.

Considerations

Consider the following points when troubleshooting connectivity problems:

  • Default security rules block inbound access from the internet, and only permit inbound traffic from the virtual network. To allow inbound traffic from the internet, add security rules with a higher priority than default rules. Learn more about default security rules, or how to add a security rule.
  • If you have peered virtual networks, by default, the VIRTUAL_NETWORK service tag automatically expands to include prefixes for peered virtual networks. To troubleshoot any issues related to virtual network peering, you can view the prefixes in the ExpandedAddressPrefix list. Learn more about virtual network peering and service tags.
  • Effective security rules are only shown for a network interface if there is an NSG associated with the VM's network interface and/or subnet, and if the VM is in the running state.
  • If there are no NSGs associated with the network interface or subnet, and you have a public IP address assigned to a VM, all ports are open for inbound access from and outbound access to anywhere. If the VM has a public IP address, we recommend applying an NSG to the subnet the network interface is in.

Additional diagnosis

  • To run a quick test to determine if traffic is allowed to or from a VM, use the IP flow verify capability of Azure Network Watcher. IP flow verify tells you if traffic is allowed or denied. If denied, IP flow verify tells you which security rule is denying the traffic.
  • If there are no security rules causing a VM's network connectivity to fail, the problem may be due to:
    • Firewall software running within the VM's operating system.
    • Routes configured for virtual appliances or on-premises traffic. Internet traffic can be redirected to your on-premises network via forced tunneling. If you force tunnel internet traffic to a virtual appliance, or on-premises, you may not be able to connect to the VM from the internet. To learn how to diagnose route problems that may impede the flow of traffic out of the VM, see Diagnose a virtual machine network traffic routing problem.

Next steps