Network security groups

You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

This article describes the properties of a network security group rule, the default security rules that Azure applies, and the rule properties that you can modify to create an augmented security rule.

Security rules

A network security group contains zero or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

Name: A unique name within the network security group.

Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rule with a lower priority (higher number) that has the same attributes as a rule with a higher priority is never processed.

Source or destination: Any, an individual IP address, a classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), a service tag, or an application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Specifying a range, a service tag, or an application security group lets you create fewer security rules. The ability to specify multiple individual IP addresses and ranges in a single rule (you cannot specify multiple service tags or application security groups) is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model.

Protocol: TCP, UDP, ICMP, ESP, AH, or Any.

Direction: Whether the rule applies to inbound or outbound traffic.

Port range: You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges lets you create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model.

Action: Allow or deny.

Network security group rules are evaluated in priority order using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. You cannot create two security rules with the same priority and direction. Azure creates a flow record for each allowed connection, and subsequent packets of that connection are allowed or denied based on the connection state in the flow record. The flow record is what makes a network security group stateful. If you specify an outbound security rule to any address over port 80, for example, it is not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true: if inbound traffic is allowed over a port, it is not necessary to specify an outbound security rule for the response traffic over that port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes. In practice this means that removing an allow rule does not cut an established session; do not rely on a rule change alone to terminate a connection you consider hostile.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

Rule                           Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
AllowVNetInBound               65000     VirtualNetwork     0-65535       VirtualNetwork  0-65535            Any       Allow
AllowAzureLoadBalancerInBound  65001     AzureLoadBalancer  0-65535       0.0.0.0/0       0-65535            Any       Allow
DenyAllInbound                 65500     0.0.0.0/0          0-65535       0.0.0.0/0       0-65535            Any       Deny

Outbound

Rule                           Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
AllowVnetOutBound              65000     VirtualNetwork     0-65535       VirtualNetwork  0-65535            Any       Allow
AllowInternetOutBound          65001     0.0.0.0/0          0-65535       Internet        0-65535            Any       Allow
DenyAllOutBound                65500     0.0.0.0/0          0-65535       0.0.0.0/0       0-65535            Any       Deny

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, not IP addresses. In the Protocol column, Any encompasses every protocol, including TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, ICMP, ESP, AH, or Any. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients such as the Azure portal, Azure CLI, or PowerShell can use * or any for this expression. Note that the default outbound rules allow all traffic to the Internet; a deny rule at a priority between 100 and 4096 is needed if a workload should not be able to reach arbitrary external hosts.

You cannot remove the default rules, but you can override them by creating rules with higher priorities (lower numbers).

Augmented security rules

Augmented security rules simplify the security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.
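The evaluation described in the Security rules section (priority order, first match wins, 5-tuple matching, flow records for replies), the override of a default rule described under Default security rules, and an augmented rule with several sources and ports are shown together in the following model. It is an added example written for this page, not Azure code: the service tag expansions (10.0.0.0/16 for VirtualNetwork, 168.63.129.16/32 for AzureLoadBalancer), the treatment of Internet as "any address outside the virtual network", the VM address 10.0.1.4, and all traffic flows are constructed assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed expansion of the service tags used by the default rules. Real
# tags are prefix lists that Microsoft maintains; these values are assumptions
# for this illustration only.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def addr_matches(spec: str, ip: str) -> bool:
    """Match one IP against a rule address field: Any/*, 0.0.0.0/0, a service
    tag, or an augmented comma-separated list of addresses and CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any", "0.0.0.0/0"):
        return True
    in_vnet = any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS["VirtualNetwork"])
    if spec == "Internet":  # simplification: everything outside the virtual network
        return not in_vnet
    if spec in SERVICE_TAGS:
        return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAGS[spec])
    return any(addr in ipaddress.ip_network(item.strip(), strict=False)
               for item in spec.split(","))


def port_matches(spec: str, port: int) -> bool:
    """Match a port against Any/*, a single port, a range, or a list of both."""
    if spec in ("*", "Any"):
        return True
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    protocol: str = "*"
    source: str = "*"
    source_port: str = "*"
    destination: str = "*"
    destination_port: str = "*"

    def matches(self, flow) -> bool:
        """5-tuple match: flow = (src, src_port, dst, dst_port, protocol)."""
        src, sport, dst, dport, proto = flow
        proto_ok = self.protocol in ("*", "Any") or self.protocol.upper() == proto.upper()
        return (proto_ok
                and addr_matches(self.source, src) and port_matches(self.source_port, sport)
                and addr_matches(self.destination, dst) and port_matches(self.destination_port, dport))


# The six default rules from the tables above, in the same order.
DEFAULT_RULES = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "Any", "VirtualNetwork", "0-65535", "VirtualNetwork", "0-65535"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "Any", "AzureLoadBalancer", "0-65535", "0.0.0.0/0", "0-65535"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "Any", "0.0.0.0/0", "0-65535", "0.0.0.0/0", "0-65535"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "Any", "VirtualNetwork", "0-65535", "VirtualNetwork", "0-65535"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "Any", "0.0.0.0/0", "0-65535", "Internet", "0-65535"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "Any", "0.0.0.0/0", "0-65535", "0.0.0.0/0", "0-65535"),
]


class NetworkSecurityGroup:
    def __init__(self, rules=()):
        self.rules = list(DEFAULT_RULES)  # cannot be removed, only overridden
        self.flows = set()                # flow records of allowed connections
        for rule in rules:
            self.add_rule(rule)

    def add_rule(self, rule: Rule) -> None:
        if not 100 <= rule.priority <= 4096:
            raise ValueError("custom rule priority must be between 100 and 4096")
        if any(r.priority == rule.priority and r.direction == rule.direction for r in self.rules):
            raise ValueError("two rules cannot share a priority in the same direction")
        self.rules.append(rule)

    def evaluate(self, direction: str, flow):
        """Return (access, reason): the first matching rule by priority, or the
        flow record when the packet is a reply on an already allowed connection."""
        src, sport, dst, dport, proto = flow
        if (dst, dport, src, sport, proto) in self.flows:
            return "Allow", "flow-record"
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.direction == direction and rule.matches(flow):
                if rule.access == "Allow":
                    self.flows.add(flow)
                return rule.access, rule.name  # processing stops at the first match
        return "Deny", "no-match"  # unreachable: the DenyAll* rules match everything


def demo():
    """Constructed traffic against an assumed VM at 10.0.1.4 in a 10.0.0.0/16 VNet."""
    nsg = NetworkSecurityGroup([
        # Augmented rule: two explicit sources and a port list in one rule.
        Rule("AllowAdminFromJumpHosts", 100, "Inbound", "Allow", "Tcp",
             "203.0.113.10,203.0.113.64/28", "*", "10.0.1.0/24", "22,3389"),
        # Overrides AllowVNetInBound (65000) for RDP from the rest of the VNet.
        Rule("DenyRdpFromVNet", 4000, "Inbound", "Deny", "Tcp",
             "VirtualNetwork", "*", "10.0.1.4/32", "3389"),
    ])
    return {
        "ssh_from_jump_host": nsg.evaluate("Inbound", ("203.0.113.70", 40000, "10.0.1.4", 22, "Tcp")),
        "ssh_from_internet": nsg.evaluate("Inbound", ("198.51.100.7", 40001, "10.0.1.4", 22, "Tcp")),
        "https_from_vnet": nsg.evaluate("Inbound", ("10.0.2.5", 40002, "10.0.1.4", 443, "Tcp")),
        "rdp_from_vnet": nsg.evaluate("Inbound", ("10.0.2.5", 40003, "10.0.1.4", 3389, "Tcp")),
        "web_out": nsg.evaluate("Outbound", ("10.0.1.4", 50000, "93.184.216.34", 80, "Tcp")),
        # Reply to web_out: allowed by the flow record, no inbound rule needed.
        "web_reply": nsg.evaluate("Inbound", ("93.184.216.34", 80, "10.0.1.4", 50000, "Tcp")),
        # Unsolicited inbound from the same host on a new port: DenyAllInbound.
        "web_unsolicited": nsg.evaluate("Inbound", ("93.184.216.34", 80, "10.0.1.4", 50001, "Tcp")),
    }


if __name__ == "__main__":
    for name, (access, reason) in demo().items():
        print(f"{name:18} {access:5} via {reason}")
```

The model deliberately sorts by priority on every evaluation and stops at the first match, which is why the DenyRdpFromVNet rule at 4000 wins over AllowVNetInBound at 65000 while a rule placed at 4097 or higher would be rejected outright. The real platform also evaluates subnet-level and NIC-level groups separately; this model covers a single group only.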

Service tags

A service tag represents a group of IP address prefixes from a given Azure service. It minimizes the complexity of frequent updates to network security rules, because Microsoft maintains the prefixes behind the tag.

For more information, see Azure service tags. For an example of how to use the Storage service tag to restrict network access, see Restrict network access to PaaS resources.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. To learn more, see Application security groups.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. Effective security rules and effective routes do not include these platform rules. To override this basic infrastructure communication, you can create a security rule that denies traffic by using the following service tags on your network security group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. Because IMDS is reachable by any process on the VM, blocking AzurePlatformIMDS on workloads that do not need it removes a common path for credential theft, but do so only after confirming that no agent or managed-identity client on the VM depends on it. Learn how to diagnose network traffic filtering and diagnose network routing.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using the default route 0.0.0.0/0 configuration, this platform rule is disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, App Service Environments, and Virtual Machine Scale Sets, are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you are familiar with the port requirements of each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service does not function properly.

  • Sending outbound email: Microsoft recommends that you use authenticated SMTP relay services (typically connected via TCP port 587, but often other ports as well) to send email from Azure virtual machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription before November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You can send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.
    • Pay-as-you-go: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at Microsoft's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.
    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.
    • Cloud service provider: Customers consuming Azure resources through a cloud service provider can create a support case with their cloud service provider and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    Even if Azure allows you to send email over port 25, Microsoft cannot guarantee that email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps