網路安全性群組Network security groups

您可以使用 Azure 網路安全性群組來篩選進出 Azure 虛擬網路中 Azure 資源的網路流量。You can use Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. 網路安全性群組包含安全性規則,可允許或拒絕來自數種 Azure 資源類型的輸入網路流量或輸出網路流量。A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. 您可以為每個規則指定來源和目的地、連接埠及通訊協定。For each rule, you can specify source and destination, port, and protocol. 本文說明網路安全性群組規則的屬性、套用的預設安全性規則,以及您可以修改的規則內容,以建立增強的安全性規則This article describes properties of a network security group rule, the default security rules that are applied, and the rule properties that you can modify to create an augmented security rule.

安全性規則Security rules

視 Azure 訂用帳戶限制而定,網路安全性群組可包含零個或多個規則。A network security group contains zero, or as many rules as desired, within Azure subscription limits. 每個規則都會指定下列屬性:Each rule specifies the following properties:

屬性Property 說明Explanation
NameName 網路安全性群組中的唯一名稱。A unique name within the network security group.
優先順序Priority 100 和 4096 之間的數字。A number between 100 and 4096. 系統會依照優先權順序處理規則,較低的數字會在較高的數字之前處理,因為較低的數字具有較高的優先順序。Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. 一旦流量符合規則,處理就會停止。Once traffic matches a rule, processing stops. 因此,如果存在較低優先順序 (較高數字) 的規則具有與較高優先順序之規則相同的屬性,則不會進行處理。As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
來源或目的地Source or destination 任何或個別的 IP 位址、無類別網域間路由 (CIDR) 區塊 (例如 10.0.0.0/24)、服務標籤應用程式安全性群組Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. 當您指定 Azure 資源的位址時,可以指定指派給資源的私人 IP 位址。If you specify an address for an Azure resource, specify the private IP address assigned to the resource. 在 Azure 針對輸入流量將公用 IP 位址轉譯為私人 IP 位址之後,和 Azure 針對輸出流量將私人 IP 位址轉譯為公用 IP 位址之前,網路安全性群組會進行處理。Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. 深入了解 Azure IP 位址Learn more about Azure IP addresses. 指定範圍、服務標籤或應用程式安全性群組,可讓您建立較少的安全性規則。Specifying a range, a service tag, or application security group, enables you to create fewer security rules. 在規則中指定多個個別 IP 位址和範圍(您無法指定多個服務標籤或應用程式群組)的功能稱為增強型安全性規則The ability to specify multiple individual IP addresses and ranges (you cannot specify multiple service tags or application groups) in a rule is referred to as augmented security rules. 增強型安全性規則只可以在透過 Resource Manager 部署模型建立的網路安全性群組中建立。Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. 您無法在透過傳統部署模型建立的網路安全性群組中指定多個 IP 位址與 IP 位址範圍。You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model. 深入瞭解Azure 部署模型Learn more about Azure deployment models.
通訊協定Protocol TCP、UDP、ICMP 或 Any。TCP, UDP, ICMP or Any.
方向Direction 規則是否套用至輸入或輸出流量。Whether the rule applies to inbound, or outbound traffic.
連接埠範圍Port range 您可以指定個別連接埠或連接埠範圍。You can specify an individual or range of ports. 例如,您可以指定 80 或 10000-10005。For example, you could specify 80 or 10000-10005. 指定範圍可讓您建立較少的安全性規則。Specifying ranges enables you to create fewer security rules. 增強型安全性規則只可以在透過 Resource Manager 部署模型建立的網路安全性群組中建立。Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. 您無法在透過傳統部署模型建立之網路安全性群組的相同安全性規則中指定多個連接埠與連接埠範圍。You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model.
動作Action 允許或拒絕Allow or deny

系統會依優先順序使用 5 項 Tuple 資訊 (來源、來源連接埠、目的地、目的地連接埠和通訊協定) 來評估網路安全性群組的安全性規則,以允許或拒絕流量。Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. 系統會為現有連線建立流程記錄。A flow record is created for existing connections. 允許或拒絕通訊都會以此流程記錄的連線狀態為依據。Communication is allowed or denied based on the connection state of the flow record. 流程記錄可讓網路安全性群組成為具狀態的形式。The flow record allows a network security group to be stateful. 如果您將輸出安全性規則指定至任何透過連接埠 80 (舉例來說) 的位址,則不必為了回應輸出流量來指定輸入安全性規則。If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. 如果在外部起始通訊,您只需要指定輸入安全性規則。You only need to specify an inbound security rule if communication is initiated externally. 反之亦然。The opposite is also true. 如果允許透過連接埠傳送輸入流量,則不必指定輸出安全性規則來透過連接埠回應流量。If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. 當您移除啟用流量的安全性規則時,現有的連線不會中斷。Existing connections may not be interrupted when you remove a security rule that enabled the flow. 當連線停止,且兩個方向至少有數分鐘都沒有流量時,流量即會中斷。Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

您可以在網路安全性群組中建立的安全性規則數量會有所限制。There are limits to the number of security rules you can create in a network security group. 如需詳細資訊,請參閱 Azure 限制For details, see Azure limits.

預設安全性規則Default security rules

Azure 會在您建立的每個網路安全性群組中,建立下列預設規則:Azure creates the following default rules in each network security group that you create:

輸入Inbound

AllowVNetInBoundAllowVNetInBound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6500065000 VirtualNetworkVirtualNetwork 0-655350-65535 VirtualNetworkVirtualNetwork 0-655350-65535 任意Any AllowAllow
AllowAzureLoadBalancerInBoundAllowAzureLoadBalancerInBound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6500165001 AzureLoadBalancerAzureLoadBalancer 0-655350-65535 0.0.0.0/00.0.0.0/0 0-655350-65535 任意Any AllowAllow
DenyAllInboundDenyAllInbound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6550065500 0.0.0.0/00.0.0.0/0 0-655350-65535 0.0.0.0/00.0.0.0/0 0-655350-65535 任意Any 拒絕Deny

輸出Outbound

AllowVnetOutBoundAllowVnetOutBound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6500065000 VirtualNetworkVirtualNetwork 0-655350-65535 VirtualNetworkVirtualNetwork 0-655350-65535 任意Any AllowAllow
AllowInternetOutBoundAllowInternetOutBound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6500165001 0.0.0.0/00.0.0.0/0 0-655350-65535 InternetInternet 0-655350-65535 任意Any AllowAllow
DenyAllOutBoundDenyAllOutBound
優先順序Priority 來源Source 來源連接埠Source ports DestinationDestination 目的地連接埠Destination ports 通訊協定Protocol 存取權Access
6550065500 0.0.0.0/00.0.0.0/0 0-655350-65535 0.0.0.0/00.0.0.0/0 0-655350-65535 任意Any 拒絕Deny

在 [來源]**** 和 [目的地]**** 欄中,VirtualNetworkAzureLoadBalancerInternet 都是服務標籤,而不是 IP 位址。In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. [通訊協定] 資料行中包含 TCP 、UDP 和 ICMP。In the protocol column, Any encompasses TCP, UDP, and ICMP. 建立規則時,您可以指定 [TCP]、[UDP]、[ICMP] 或 [任何]。When creating a rule, you can specify TCP, UDP, ICMP or Any. [來源]**** 和 [目的地]**** 欄中的 0.0.0.0/0 代表所有位址。0.0.0.0/0 in the Source and Destination columns represents all addresses. Azure 入口網站、Azure CLI 或 PowerShell 之類的用戶端可以在此運算式中使用 * 或 any。Clients like Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

您無法移除預設規則,但可以建立較高優先順序的規則來覆寫預設規則。You cannot remove the default rules, but you can override them by creating rules with higher priorities.

增強型安全性規則Augmented security rules

增強型安全性規則可簡化虛擬網路的安全性定義,讓您定義更大且複雜的網路安全性原則 (但規則比較少)。Augmented security rules simplify security definition for virtual networks, allowing you to define larger and complex network security policies, with fewer rules. 您可以將多個連接埠和多個明確 IP 位址與範圍,合併成易於了解的單一安全性規則。You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. 在規則的來源、目的地和連接埠欄位中使用增強型規則。Use augmented rules in the source, destination, and port fields of a rule. 若要簡化安全性規則定義的維護,請結合增強的安全性規則與服務標籤或應用程式安全性群組To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. 您可以在規則中指定的位址、範圍和連接埠數量會有所限制。There are limits to the number of addresses, ranges, and ports that you can specify in a rule. 如需詳細資訊,請參閱 Azure 限制For details, see Azure limits.

服務標籤Service tags

服務標記代表來自指定 Azure 服務的一組 IP 位址首碼。A service tag represents a group of IP address prefixes from a given Azure service. 它有助於將網路安全性規則頻繁更新的複雜度降到最低。It helps to minimize complexity of frequent updates on network security rules.

如需詳細資訊,請參閱Azure 服務標記For more information, see Azure service tags. 如需如何使用儲存體服務標籤來限制網路存取的範例,請參閱限制對 PaaS 資源的網路存取For an example on how to use the Storage service tag to restrict network access, see Restrict network access to PaaS resources.

應用程式安全性群組Application security groups

應用程式安全性群組可讓您將網路安全性設定為應用程式結構的自然擴充功能,讓您將虛擬機器分組,並定義以這些群組為基礎的網路安全性原則。Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. 您可以大規模重複使用您的安全性原則,而不需進行明確 IP 位址的手動維護。You can reuse your security policy at scale without manual maintenance of explicit IP addresses. 若要深入瞭解,請參閱應用程式安全性群組To learn more, see Application security groups.

評估流量的方式How traffic is evaluated

您可以將數個 Azure 服務的資源部署到 Azure 虛擬網路。You can deploy resources from several Azure services into an Azure virtual network. 如需完整清單,請參閱可以部署至虛擬網路的服務For a complete list, see Services that can be deployed into a virtual network. 您可以將零個或一個網路安全性群組關聯至每個虛擬網路子網路,以及虛擬機器中的網路介面You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. 您可以將相同的網路安全性群組關聯至所需數量的子網路和網路介面。The same network security group can be associated to as many subnets and network interfaces as you choose.

下圖以不同案例說明網路安全性群組可如何部署,以允許網路流量透過 TCP 連接埠 80 來進出網際網路:The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

NSG 處理

請參考上圖及下列文字,以了解 Azure 如何處理網路安全性群組的輸入和輸出規則:Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

輸入流量Inbound traffic

針對輸入流量,Azure 會先針對與子網路相關聯的網路安全性群組,處理其中的規則 (如果有的話),然後再針對與網路介面相關聯的網路安全性群組,處理其中的規則 (如果有的話)。For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.

  • VM1:NSG1** 中的安全性規則會進行處理,因為它與 Subnet1** 和 VM1** 相關聯,並且位於 Subnet1** 中。VM1: The security rules in NSG1 are processed, since it is associated to Subnet1 and VM1 is in Subnet1. 除非您已建立一個規則來允許連接埠 80 的輸入,否則流量會遭到 DenyAllInbound 預設安全性規則拒絕,並永遠不會由 NSG2** 進行評估,因為 NSG2** 與網路介面相關聯。Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule, and never evaluated by NSG2, since NSG2 is associated to the network interface. 如果 NSG1** 具有允許連接埠 80 的安全性規則,流量接著會由 NSG2** 進行處理。If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. 若要允許流量從連接埠 80 輸入虛擬機器,則 NSG1** 和 NSG2** 都必須有規則來允許從網際網路輸入流量的連接埠 80。To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2:在 NSG1** 中的規則會進行處理,因為VM2** 也位於 Subnet1** 中。VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. 由於 VM2** 沒有與其網路介面相關聯的網路安全性群組,因此會接收允許通過 NSG1** 的所有流量,或拒絕所有 NSG1** 拒絕的流量。Since VM2 does not have a network security group associated to its network interface, it receives all traffic allowed through NSG1 or is denied all traffic denied by NSG1. 如果網路安全性群組與子網路相關聯,則相同子網路中的所有資源會一起接收或拒絕流量。Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated to a subnet.
  • VM3:由於沒有任何網路安全性群組與 Subnet2** 相關聯,流量會允許進入子網路並由NSG2 ** 處理流量,因為 NSG2** 與連結至 VM3** 的網路介面相關聯。VM3: Since there is no network security group associated to Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated to the network interface attached to VM3.
  • VM4:流量會允許進入 VM4**,因為網路安全性群組未與 Subnet3** 或虛擬機器中的網路介面相關聯。VM4: Traffic is allowed to VM4, because a network security group isn't associated to Subnet3, or the network interface in the virtual machine. 如果沒有任何網路安全性群組與子網路和網路介面相關聯,則所有網路流量都可以通過子網路和網路介面。All network traffic is allowed through a subnet and network interface if they don't have a network security group associated to them.

輸出流量Outbound traffic

針對輸出流量,Azure 會先針對與網路介面相關聯的網路安全性群組,處理其中的規則 (如果有的話),然後再針對與子網路相關聯的網路安全性群組,處理其中的規則 (如果有的話)。For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1:NSG2** 中的安全性規則會進行處理。VM1: The security rules in NSG2 are processed. 除非您建立安全性規則來拒絕向網際網路輸出流量的連接埠 80,否則 NSG1** 和 NSG2** 中的 AllowInternetOutbound 預設安全性規則會允許流量通過。Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. 如果 NSG2** 具有拒絕連接埠 80 的安全性規則,則流量會遭到拒絕,且永遠不會由 NSG1** 進行評估。If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. 若要拒絕流量從連接埠 80 輸出虛擬機器,其中一個網路安全性群組或兩個網路安全性群組必須有規則來拒絕將流量流向網際網路的連接埠 80。To deny port 80 from the virtual machine, either, or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2:所有流量都會通過網路介面流向子網路,因為連結到 VM2** 的網路介面沒有與網路安全性群組相關聯。VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. NSG1** 中的規則會進行處理。The rules in NSG1 are processed.
  • VM3:如果 NSG2** 具有拒絕連接埠 80 的安全性規則,則流量會遭到拒絕。VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. 如果 NSG2** 有允許連接埠 80 的安全性規則,則連接埠 80 允許輸出流量到網際網路,因為沒有與 Subnet2** 相關聯的網路安全性群組。If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4:所有網路流量會允許從 VM4** 輸出,因為網路安全性群組未與連結至虛擬機器的網路介面或 Subnet3** 相關聯。VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.

內部子網流量Intra-Subnet traffic

請務必注意,與子網相關聯之 NSG 中的安全性規則,可能會影響其中 VM 之間的連線能力。It's important to note that security rules in an NSG associated to a subnet can affect connectivity between VM's within it. 例如,如果將規則新增至拒絕所有輸入和輸出流量的NSG1VM1VM2將無法再彼此通訊。For example, if a rule is added to NSG1 which denies all inbound and outbound traffic, VM1 and VM2 will no longer be able to communicate with each other. 另一個規則必須特別加入才能允許此情況。Another rule would have to be added specifically to allow this.

藉由檢視網路介面的有效安全性規則,可以輕鬆地檢視套用至網路介面的彙總規則。You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for a network interface. 您也可以使用 Azure 網路監看員中的 IP 流量確認功能來判斷是否允許網路介面的雙向通訊。You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP 流量確認會告訴您已允許會拒絕通訊,以及哪個網路安全性規則允許或拒絕流量。IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.

注意

網路安全性群組會與子網或部署在傳統部署模型中的虛擬機器和雲端服務相關聯,以及 Resource Manager 部署模型中的子網或網路介面。Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. 若要深入了解 Azure 部署模型,請參閱了解 Azure 部署模型To learn more about Azure deployment models, see Understand Azure deployment models.

提示

除非您有特殊原因要這麼做,否則我們建議您讓網路安全性群組與子網路或網路介面的其中一個建立關聯,而非同時與這兩者建立關聯。Unless you have a specific reason to, we recommended that you associate a network security group to a subnet, or a network interface, but not both. 因為如果與子網路相關聯的網路安全性群組中,以及與網路介面相關聯的網路安全性群組中都存在規則,則這兩個規則可能會發生衝突,您可能會遇到需要進行疑難排解的非預期通訊問題。Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Azure 平台的考量Azure platform considerations

  • 主機節點的虛擬 IP:基本的基礎結構服務(例如 DHCP、DNS、IMDS 和健康狀態監控)是透過虛擬化主機 IP 位址168.63.129.16 和169.254.169.254 提供。Virtual IP of the host node: Basic infrastructure services like DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. 這些 IP 位址屬於 Microsoft,而且是針對此目的唯一用於所有地區的虛擬 IP。These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose. 有效的安全性規則和有效的路由不會包含這些平臺規則。Effective security rules and effective routes will not include these platform rules. 若要覆寫此基本基礎結構通訊,您可以在網路安全性群組規則上使用下列服務標籤,建立安全性規則來拒絕流量: AzurePlatformDNS、AzurePlatformIMDS、AzurePlatformLKM。To override this basic infrastructure communication, you can create a security rule to deny traffic by using the following service tags on your Network Security Group rules: AzurePlatformDNS, AzurePlatformIMDS, AzurePlatformLKM. 瞭解如何診斷網路流量篩選診斷網路路由Learn how to diagnose network traffic filtering and diagnose network routing.

  • 授權 (金鑰管理服務):必須授權在虛擬機器中執行的 Windows 映像。Licensing (Key Management Service): Windows images running in virtual machines must be licensed. 若要確保授權,授權要求會傳送至處理此類查詢的金鑰管理服務主機伺服器。To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. 此要求是透過連接埠 1688 輸出。The request is made outbound through port 1688. 若為使用預設路由 0.0.0.0/0組態的部署,將會停用此平台規則。For deployments using default route 0.0.0.0/0 configuration, this platform rule will be disabled.

  • 負載平衡集區中的虛擬機器:套用的來源連接埠和位址範圍是來自原始電腦,而不是負載平衡器。Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. 目的地連接埠和位址範圍屬於目的地電腦,而不是負載平衡器。The destination port and address range are for the destination computer, not the load balancer.

  • Azure 服務執行個體:虛擬網路子網路中會部署數個 Azure 服務的執行個體,例如 HDInsight、應用程式服務環境及虛擬機器擴展集。Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets are deployed in virtual network subnets. 如需您可以部署到虛擬網路的完整服務清單,請參閱 Azure 服務的虛擬網路For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. 將網路安全性群組套用至部署資源的子網路之前,請先確定您熟悉每個服務的連接埠需求。Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. 如果您拒絕服務所需要的連接埠,服務就無法正常運作。If you deny ports required by the service, the service doesn't function properly.

  • 傳送外寄電子郵件:Microsoft 建議您利用已驗證的 SMTP 轉送服務 (通常透過 TCP 連接埠 587 連線,但也可透過其他連接埠連線),從 Azure 虛擬機器傳送電子郵件。Sending outbound email: Microsoft recommends that you utilize authenticated SMTP relay services (typically connected via TCP port 587, but often others, as well) to send email from Azure Virtual Machines. SMTP 轉送服務是專為寄件者信譽所設計,可將第三方電子郵件提供者拒絕訊息的可能性降到最低。SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. 這類 SMTP 轉送服務包括但不限於 Exchange Online Protection 和 SendGrid。Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. 不論您的訂用帳戶類型為何,在 Azure 中使用 SMTP 轉送服務不受限制。Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    如果您在 2017 年 11 月 15 日前建立了 Azure 訂用帳戶,除了能夠使用 SMTP 轉送服務,您還可以直接透過 TCP 連接埠 25 傳送電子郵件。If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. 如果您在 2017 年 11 月 15 日後建立了訂用帳戶,您可能無法直接透過連接埠 25 傳送電子郵件。If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. 透過連接埠 25 的連出通訊行為取決於您擁有的訂用帳戶類型,如下所示:The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise 合約:允許輸出通訊埠 25 通訊。Enterprise Agreement: Outbound port 25 communication is allowed. 您能夠從虛擬機器將外寄電子郵件直接傳送到外部電子郵件提供者 (Azure 平台沒有限制)。You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.
    • 隨用隨付: 所有資源的輸出連接埠 25 通訊都遭到封鎖。Pay-as-you-go: Outbound port 25 communication is blocked from all resources. 如果您需要將電子郵件從虛擬機器直接傳送給外部電子郵件提供者 (不使用已驗證的 SMTP 轉送),可以提出移除限制的要求。If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. 要求是在 Microsoft 的斟酌之下審查與核准,而且只會在執行反詐騙檢查之後授權。Requests are reviewed and approved at Microsoft's discretion and are only granted after anti-fraud checks are performed. 若要提出要求,請開啟問題類型為 [技術]、[虛擬網路連線]、[無法傳送電子郵件 (SMTP/連接埠 25)]** 的支援案例。To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). 在您的支援案例中,請包含訂用帳戶需要將電子郵件直接傳送到郵件提供者,而不需經過已驗證 SMTP 轉送之原因的詳細資料。In your support case, include details about why your subscription needs to send email directly to mail providers, instead of going through an authenticated SMTP relay. 如果您的訂用帳戶獲得豁免,則只有在豁免日期之後建立的虛擬機器能夠透過連接埠 25 對外通訊。If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.
    • MSDN、Azure Pass、Azure in Open、Education、BizSpark 和免費試用:所有資源的輸出連接埠 25 通訊都遭到封鎖。MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free trial: Outbound port 25 communication is blocked from all resources. 無法進行任何移除限制的要求,因為要求未獲授權。No requests to remove the restriction can be made, because requests are not granted. 如果您必須從虛擬機器傳送電子郵件,就必須使用 SMTP 轉送服務。If you need to send email from your virtual machine, you have to use an SMTP relay service.
    • 雲端服務提供者:透過雲端服務提供者使用 Azure 資源的客戶,可以建立其雲端服務提供者的支援案例,以及在安全的 SMTP 轉送無法使用時,要求提供者代表他們建立解除封鎖案例。Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider, and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    如果 Azure 允許您透過連接埠 25 傳送電子郵件,Microsoft 無法保證電子郵件提供者會接受您虛擬機器所發出的內送電子郵件。If Azure allows you to send email over port 25, Microsoft cannot guarantee email providers will accept inbound email from your virtual machine. 如果特定提供者拒絕來自虛擬機器的郵件,請直接與提供者合作以解決任何訊息傳遞或垃圾郵件篩選問題,或使用已驗證的 SMTP 轉送服務。If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

後續步驟Next steps