How network security groups filter network traffic

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero or one network security group to each virtual network subnet and to each network interface in a virtual machine. The same network security group can be associated to as many subnets and network interfaces as you choose.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

Figure: NSG processing

Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

Inbound traffic

For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule and is never evaluated by NSG2, since NSG2 is associated to the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. When a network security group is associated to a subnet, traffic is allowed or denied for all resources in that subnet alike.
  • VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because no network security group is associated to Subnet3 or to the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied and is never evaluated by NSG1. To deny port 80 from the virtual machine, either one or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since no network security group is associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because no network security group is associated to the network interface attached to the virtual machine or to Subnet3.

Intra-subnet traffic

It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VMs within it. For example, if a rule is added to NSG1 that denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. Another rule would have to be added specifically to allow this.
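To make the inbound, outbound and intra-subnet evaluation order described above concrete, here is an added Python simulator that is not part of this page or of Azure's own tooling. It models the figure's four VMs: inbound traffic is checked against the subnet NSG first and then the NIC NSG, outbound the reverse, each NSG applies its first matching rule by priority, and Azure's default rules sit below any custom rule. The `Rule` type, the `peer` field and the function names are this example's own constructs.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    priority: int   # lower number is evaluated first
    direction: str  # "Inbound" or "Outbound"
    access: str     # "Allow" or "Deny"
    port: str       # "*" or a port number as a string
    peer: str       # remote side of the flow: "Internet", "VirtualNetwork" or "*"

    def matches(self, direction: str, port: int, peer: str) -> bool:
        return (self.direction == direction and self.port in ("*", str(port))
                and self.peer in ("*", peer))

# Azure's built-in default rules, always evaluated after custom rules. The page names
# DenyAllInbound and AllowInternetOutbound; the other three are the standard defaults.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork"),   # AllowVnetInBound
    Rule(65500, "Inbound", "Deny", "*", "*"),                  # DenyAllInbound
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork"),  # AllowVnetOutBound
    Rule(65001, "Outbound", "Allow", "*", "Internet"),        # AllowInternetOutbound
    Rule(65500, "Outbound", "Deny", "*", "*"),                 # DenyAllOutBound
]

def evaluate(nsg: List[Rule], direction: str, port: int, peer: str) -> bool:
    """Within one NSG the first matching rule in ascending priority order decides."""
    for rule in sorted(nsg + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.matches(direction, port, peer):
            return rule.access == "Allow"
    return False  # not reachable: a DenyAll* default always matches

def allowed(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]],
            direction: str, port: int, peer: str) -> bool:
    """Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
    None means no NSG is associated (no filtering); every NSG on the path must allow."""
    path = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    return all(evaluate(nsg, direction, port, peer) for nsg in path if nsg is not None)

def internet_port80(nsg1: List[Rule], nsg2: List[Rule]) -> dict:
    """Figure topology: VM1 = NSG1 on Subnet1 + NSG2 on its NIC; VM2 = NSG1 only;
    VM3 = NSG2 on its NIC only; VM4 = no NSG. Returns {vm: (inbound_ok, outbound_ok)}."""
    vms = {"VM1": (nsg1, nsg2), "VM2": (nsg1, None), "VM3": (None, nsg2), "VM4": (None, None)}
    return {vm: (allowed(s, n, "Inbound", 80, "Internet"),
                 allowed(s, n, "Outbound", 80, "Internet")) for vm, (s, n) in vms.items()}

def vm1_to_vm2(nsg1: List[Rule], nsg2: List[Rule], port: int) -> bool:
    """Intra-subnet flow: VM1's outbound path (NSG2, then NSG1) and VM2's inbound path (NSG1)."""
    return (allowed(nsg1, nsg2, "Outbound", port, "VirtualNetwork")
            and allowed(nsg1, None, "Inbound", port, "VirtualNetwork"))
```

With two empty NSGs, only VM4 accepts inbound port 80 while every VM may reach the internet; adding a deny-all pair to NSG1 cuts VM1 off from VM2 until a higher-priority VirtualNetwork allow rule is added.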

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for that network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether a communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet or to a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Next steps