Create, change, or delete a network security group

Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces. To learn more about network security groups, see Network security group overview. Next, complete the Filter network traffic tutorial to gain some experience with network security groups.

Before you begin

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

If you don't have one, set up an Azure account with an active subscription. Create an account for free. Complete one of these tasks before starting the remainder of this article:

  • Portal users: Sign in to the Azure portal with your Azure account.

  • PowerShell users: Either run the commands in the Azure Cloud Shell, or run PowerShell from your computer. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. In the Azure Cloud Shell browser tab, find the Select environment dropdown list, then pick PowerShell if it isn't already selected.

    If you're running PowerShell locally, use Azure PowerShell module version 1.0.0 or later. Run Get-Module -ListAvailable Az.Network to find the installed version. If you need to upgrade, see Install Azure PowerShell module. Run Connect-AzAccount to create a connection with Azure.

  • Azure Command-line interface (CLI) users: Either run the commands in the Azure Cloud Shell, or run the CLI from your computer. Use Azure CLI version 2.0.28 or later if you're running the Azure CLI locally. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI. Run az login to create a connection with Azure.

The account you log into, or connect to Azure with, must be assigned to the Network contributor role or to a Custom role that's assigned the appropriate actions listed in Permissions.

Work with network security groups

You can create, view all, view details of, change, and delete a network security group. You can also associate or dissociate a network security group from a network interface or subnet.

Create a network security group

There's a limit to how many network security groups you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Select Networking, then select Network security group.

  3. In the Create network security group page, under the Basics tab, set values for the following settings:

    Setting | Action
    Subscription | Choose your subscription.
    Resource group | Choose an existing resource group, or select Create new to create a new resource group.
    Name | Enter a unique text string within a resource group.
    Region | Choose the location you want.

  4. Select Review + create.

  5. After you see the Validation passed message, select Create.

Commands

Tool | Command
Azure CLI | az network nsg create
PowerShell | New-AzNetworkSecurityGroup

View all network security groups

Go to the Azure portal to view your network security groups. Search for and select Network security groups. The list of network security groups appears for your subscription.

Commands

Tool | Command
Azure CLI | az network nsg list
PowerShell | Get-AzNetworkSecurityGroup

View details of a network security group

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of your network security group.

In the menu bar of the network security group, under Settings, you can view the Inbound security rules, Outbound security rules, Network interfaces, and Subnets that the network security group is associated to.

Under Monitoring, you can enable or disable Diagnostic settings. Under Support + troubleshooting, you can view Effective security rules. To learn more, see Diagnostic logging for a network security group and Diagnose a VM network traffic filter problem.

To learn more about the common Azure settings listed, see the following articles:

Commands

Tool | Command
Azure CLI | az network nsg show
PowerShell | Get-AzNetworkSecurityGroup

Change a network security group

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to change.

The most common changes are to add a security rule, remove a rule, and associate or dissociate a network security group to or from a subnet or network interface.

Commands

Tool | Command
Azure CLI | az network nsg update
PowerShell | Set-AzNetworkSecurityGroup

Associate or dissociate a network security group to or from a subnet or network interface

To associate a network security group to, or dissociate a network security group from a network interface, see Associate a network security group to, or dissociate a network security group from a network interface. To associate a network security group to, or dissociate a network security group from a subnet, see Change subnet settings.

Delete a network security group

If a network security group is associated to any subnets or network interfaces, it can't be deleted. Dissociate a network security group from all subnets and network interfaces before attempting to delete it.

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to delete.

  3. In the network security group's toolbar, select Delete. Then select Yes in the confirmation dialog box.

Commands

Tool | Command
Azure CLI | az network nsg delete
PowerShell | Remove-AzNetworkSecurityGroup

Work with security rules

A network security group contains zero or more security rules. You can create, view all, view details of, change, and delete a security rule.

Create a security rule

There's a limit to how many rules per network security group you can create for each Azure location and subscription. To learn more, see Azure subscription and service limits, quotas, and constraints.

  1. Go to the Azure portal to view your network security groups. Search for and select Network security groups.

  2. Select the name of the network security group you want to add a security rule to.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

    Several existing rules are listed, including some you may not have added. When you create a network security group, several default security rules are created in it. To learn more, see default security rules. You can't delete default security rules, but you can override them with rules that have a higher priority.

  4. Select Add. Select or add values for the following settings, and then select OK:

    Setting: Source
    Value: One of:
    • Any
    • IP Addresses
    • Service Tag (inbound security rule) or VirtualNetwork (outbound security rule)
    • Application security group
    Details: If you choose IP Addresses, you must also specify Source IP addresses/CIDR ranges.

    If you choose Service Tag, you may also pick a Source service tag.

    If you choose Application security group, you must also pick an existing application security group. If you choose Application security group for both Source and Destination, the network interfaces within both application security groups must be in the same virtual network.

    Setting: Source IP addresses/CIDR ranges
    Value: A comma-delimited list of IP addresses and Classless Interdomain Routing (CIDR) ranges
    Details: This setting appears if you change Source to IP Addresses. You must specify a single value or comma-separated list of multiple values. An example of multiple values is 10.0.0.0/16, 192.188.1.1. There are limits to the number of values you can specify. For more details, see Azure limits.

    If the IP address you specify is assigned to an Azure VM, specify its private IP address, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before it translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.

    Setting: Source service tag
    Value: A service tag from the dropdown list
    Details: This optional setting appears if you set Source to Service Tag for an inbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags.

    Setting: Source application security group
    Value: An existing application security group
    Details: This setting appears if you set Source to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group.

    Setting: Source port ranges
    Value: One of:
    • A single port, such as 80
    • A range of ports, such as 1024-65535
    • A comma-separated list of single ports and/or port ranges, such as 80, 1024-65535
    • An asterisk (*) to allow traffic on any port
    Details: This setting specifies the ports on which the rule allows or denies traffic. There are limits to the number of ports you can specify. For more details, see Azure limits.

    Setting: Destination
    Value: One of:
    • Any
    • IP Addresses
    • Service Tag (outbound security rule) or VirtualNetwork (inbound security rule)
    • Application security group
    Details: If you choose IP addresses, then also specify Destination IP addresses/CIDR ranges.

    If you choose VirtualNetwork, traffic is allowed to all IP addresses within the virtual network's address space. VirtualNetwork is a service tag.

    If you select Application security group, you must then select an existing application security group. Learn how to create an application security group.

    Setting: Destination IP addresses/CIDR ranges
    Value: A comma-delimited list of IP addresses and CIDR ranges
    Details: This setting appears if you change Destination to IP Addresses. Similar to Source and Source IP addresses/CIDR ranges, you can specify single or multiple addresses or ranges. There are limits to the number you can specify. For more details, see Azure limits.

    If the IP address you specify is assigned to an Azure VM, ensure that you specify its private IP, not its public IP address. Azure processes security rules after it translates the public IP address to a private IP address for inbound security rules, but before Azure translates a private IP address to a public IP address for outbound rules. To learn more about public and private IP addresses in Azure, see IP address types.

    Setting: Destination service tag
    Value: A service tag from the dropdown list
    Details: This optional setting appears if you change Destination to Service Tag for an outbound security rule. A service tag is a predefined identifier for a category of IP addresses. To learn more about available service tags, and what each tag represents, see Service tags.

    Setting: Destination application security group
    Value: An existing application security group
    Details: This setting appears if you set Destination to Application security group. Select an application security group that exists in the same region as the network interface. Learn how to create an application security group.

    Setting: Destination port ranges
    Value: One of:
    • A single port, such as 80
    • A range of ports, such as 1024-65535
    • A comma-separated list of single ports and/or port ranges, such as 80, 1024-65535
    • An asterisk (*) to allow traffic on any port
    Details: As with Source port ranges, you can specify single or multiple ports and ranges. There are limits to the number you can specify. For more details, see Azure limits.

    Setting: Protocol
    Value: Any, TCP, UDP, or ICMP
    Details: You may restrict the rule to the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP). The default is for the rule to apply to all protocols.

    Setting: Action
    Value: Allow or Deny
    Details: This setting specifies whether this rule allows or denies access for the supplied source and destination configuration.

    Setting: Priority
    Value: A value between 100 and 4096 that's unique for all security rules within the network security group
    Details: Azure processes security rules in priority order. The lower the number, the higher the priority. We recommend that you leave a gap between priority numbers when you create rules, such as 100, 200, and 300. Leaving gaps makes it easier to add rules in the future, so that you can give them higher or lower priority than existing rules.

    Setting: Name
    Value: A unique name for the rule within the network security group
    Details: The name can be up to 80 characters. It must begin with a letter or number, and it must end with a letter, number, or underscore. The name may contain only letters, numbers, underscores, periods, or hyphens.

    Setting: Description
    Value: A text description
    Details: You may optionally specify a text description for the security rule. The description cannot be longer than 140 characters.

Commands

Tool | Command
Azure CLI | az network nsg rule create
PowerShell | New-AzNetworkSecurityRuleConfig
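
The name, priority, description and port-range constraints listed in the settings above can be checked locally before a rule is submitted. The following is an added example, not code from the original page: the function names are hypothetical, and the 0 to 65535 port bound and the low-before-high check on ranges are assumptions the page does not state.

```sh
#!/bin/sh
# Added example: pre-flight checks for the security rule settings, run
# before calling `az network nsg rule create`. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [A-Za-z] ranges and ${#var} byte-exact

# Name: up to 80 characters, starts with a letter or number, ends with a
# letter, number or underscore, and uses only letters, numbers, "_", "." or "-".
valid_rule_name() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 80 ] || return 1
    case $1 in *[!A-Za-z0-9_.-]*) return 1 ;; esac
    case $1 in [A-Za-z0-9]*) ;; *) return 1 ;; esac
    case $1 in *[A-Za-z0-9_]) ;; *) return 1 ;; esac
    return 0
}

# Priority: 100-4096 and not already used by another rule in the same NSG.
# $2 is a space-separated list of priorities already in use (caller-supplied).
valid_priority() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 4 ] && [ "$1" -ge 100 ] && [ "$1" -le 4096 ] || return 1
    for p in $2; do
        [ "$p" -eq "$1" ] && return 1
    done
    return 0
}

# One port number. Assumption: valid ports are 0-65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Port setting: "*", a single port, a range, or a comma-separated list of both.
# Assumption: the low end of a range must not exceed the high end.
valid_port_ranges() {
    spec=$(printf '%s' "$1" | tr -d ' ')
    [ "$spec" = '*' ] && return 0
    [ -n "$spec" ] || return 1
    rest=$spec,
    while [ -n "$rest" ]; do
        item=${rest%%,*}
        rest=${rest#*,}
        case $item in
            *-*) lo=${item%%-*}; hi=${item#*-}
                 valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ] || return 1 ;;
            *)   valid_port "$item" || return 1 ;;
        esac
    done
    return 0
}

# Description: optional, at most 140 characters.
valid_description() { [ "${#1}" -le 140 ]; }

# Validate, then create an inbound TCP allow rule with the Azure CLI.
# Args: resource-group nsg-name rule-name priority dest-ports source-prefix
#       description "priorities already in use"
create_inbound_allow_rule() {
    rg=$1 nsg=$2 rule=$3 prio=$4 ports=$5 src=$6 desc=$7 used=$8
    valid_rule_name "$rule"        || { echo "invalid rule name: $rule" >&2; return 1; }
    valid_priority "$prio" "$used" || { echo "priority out of range or taken: $prio" >&2; return 1; }
    valid_port_ranges "$ports"     || { echo "invalid port list: $ports" >&2; return 1; }
    valid_description "$desc"      || { echo "description longer than 140 characters" >&2; return 1; }
    set -f    # keep "*" literal while the port list is split into arguments
    set -- $(printf '%s' "$ports" | tr -d ' ' | tr ',' ' ')
    set +f
    az network nsg rule create \
        --resource-group "$rg" --nsg-name "$nsg" --name "$rule" \
        --priority "$prio" --direction Inbound --access Allow --protocol Tcp \
        --source-address-prefixes "$src" --source-port-ranges '*' \
        --destination-port-ranges "$@" \
        --description "$desc"
}
```

The list of priorities already in use can be taken from the output of az network nsg rule list for the same network security group.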

View all security rules

A network security group contains zero or more rules. To learn more about the information listed when viewing rules, see Network security group overview.

  1. Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.

  2. Select the name of the network security group that you want to view the rules for.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

The list contains any rules you've created and the network security group's default security rules.

Commands

Tool | Command
Azure CLI | az network nsg rule list
PowerShell | Get-AzNetworkSecurityRuleConfig

View details of a security rule

  1. Go to the Azure portal to view the rules of a network security group. Search for and select Network security groups.

  2. Select the name of the network security group that you want to view the details of a rule for.

  3. In the network security group's menu bar, choose Inbound security rules or Outbound security rules.

  4. Select the rule you want to view details for. For an explanation of all settings, see Security rule settings.

    Note

    This procedure only applies to a custom security rule. It doesn't work if you choose a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule show
PowerShell | Get-AzNetworkSecurityRuleConfig

Change a security rule

  1. Complete the steps in View details of a security rule.

  2. Change the settings as needed, and then select Save. For an explanation of all settings, see Security rule settings.

    Note

    This procedure only applies to a custom security rule. You aren't allowed to change a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule update
PowerShell | Set-AzNetworkSecurityRuleConfig

Delete a security rule

  1. Complete the steps in View details of a security rule.

  2. Select Delete, and then select Yes.

    Note

    This procedure only applies to a custom security rule. You aren't allowed to delete a default security rule.

Commands

Tool | Command
Azure CLI | az network nsg rule delete
PowerShell | Remove-AzNetworkSecurityRuleConfig

Work with application security groups

An application security group contains zero or more network interfaces. To learn more, see application security groups. All network interfaces in an application security group must exist in the same virtual network. To learn how to add a network interface to an application security group, see Add a network interface to an application security group.

Create an application security group

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. In the search box, enter Application security group.

  3. In the Application security group page, select Create.

  4. In the Create an application security group page, under the Basics tab, set values for the following settings:

    Setting | Action
    Subscription | Choose your subscription.
    Resource group | Choose an existing resource group, or select Create new to create a new resource group.
    Name | Enter a unique text string within a resource group.
    Region | Choose the location you want.

  5. Select Review + create.

  6. Under the Review + create tab, after you see the Validation passed message, select Create.

Commands

Tool | Command
Azure CLI | az network asg create
PowerShell | New-AzApplicationSecurityGroup

View all application security groups

Go to the Azure portal to view your application security groups. Search for and select Application security groups. The Azure portal displays a list of your application security groups.

Commands

Tool | Command
Azure CLI | az network asg list
PowerShell | Get-AzApplicationSecurityGroup

View details of a specific application security group

  1. Go to the Azure portal to view an application security group. Search for and select Application security groups.

  2. Select the name of the application security group that you want to view the details of.

Commands

Tool | Command
Azure CLI | az network asg show
PowerShell | Get-AzApplicationSecurityGroup

Change an application security group

  1. Go to the Azure portal to view an application security group. Search for and select Application security groups.

  2. Select the name of the application security group that you want to change.

  3. Select change next to the setting that you want to modify. For example, you can add or remove Tags, or you can change the Resource group or Subscription.

    Note

    You can't change the location.

    In the menu bar, you can also select Access control (IAM). In the Access control (IAM) page, you can assign or remove permissions to the application security group.

Commands

Tool | Command
Azure CLI | az network asg update
PowerShell | No PowerShell cmdlet

Delete an application security group

You can't delete an application security group if it contains any network interfaces. To remove all network interfaces from the application security group, either change the network interface settings or delete the network interfaces. To learn more, see Add to or remove from application security groups or Delete a network interface.

  1. Go to the Azure portal to manage your application security groups. Search for and select Application security groups.

  2. Select the name of the application security group that you want to delete.

  3. Select Delete, and then select Yes to delete the application security group.

Commands

Tool | Command
Azure CLI | az network asg delete
PowerShell | Remove-AzApplicationSecurityGroup

Permissions

To do tasks on network security groups, security rules, and application security groups, your account must be assigned to the Network contributor role or to a Custom role that's assigned the appropriate permissions as listed in the following tables:

Network security group

Action | Name
Microsoft.Network/networkSecurityGroups/read | Get network security group
Microsoft.Network/networkSecurityGroups/write | Create or update network security group
Microsoft.Network/networkSecurityGroups/delete | Delete network security group
Microsoft.Network/networkSecurityGroups/join/action | Associate a network security group to a subnet or network interface

Note

To perform write operations on a network security group, the subscription account must have at least read permissions for the resource group along with Microsoft.Network/networkSecurityGroups/write permission.

Network security group rule

Action | Name
Microsoft.Network/networkSecurityGroups/securityRules/read | Get rule
Microsoft.Network/networkSecurityGroups/securityRules/write | Create or update rule
Microsoft.Network/networkSecurityGroups/securityRules/delete | Delete rule

Application security group

Action | Name
Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action | Join an IP configuration to an application security group
Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action | Join a security rule to an application security group
Microsoft.Network/applicationSecurityGroups/read | Get an application security group
Microsoft.Network/applicationSecurityGroups/write | Create or update an application security group
Microsoft.Network/applicationSecurityGroups/delete | Delete an application security group

Next steps