Security groups

You can filter network traffic to and from Azure resources in an Azure virtual network with a network security group. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. To learn which Azure resources can be deployed into a virtual network and have network security groups associated with them, see Virtual network integration for Azure services. For each rule, you can specify source and destination, port, and protocol.

This article explains network security group concepts to help you use them effectively. If you've never created a network security group, you can complete a quick tutorial to get some experience creating one. If you're familiar with network security groups and need to manage them, see Manage a network security group. If you're having communication problems and need to troubleshoot network security groups, see Diagnose a virtual machine network traffic filter problem. You can enable network security group flow logs to analyze network traffic to and from resources that have an associated network security group.

Security rules

A network security group contains zero, or as many rules as desired, within Azure subscription limits. Each rule specifies the following properties:

  • Name: A unique name within the network security group.
  • Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, because lower numbers have higher priority. Once traffic matches a rule, processing stops. As a result, any rules that exist with lower priorities (higher numbers) that have the same attributes as rules with higher priorities are not processed.
  • Source or destination: Any, or an individual IP address, classless inter-domain routing (CIDR) block (10.0.0.0/24, for example), service tag, or application security group. If you specify an address for an Azure resource, specify the private IP address assigned to the resource. Network security groups are processed after Azure translates a public IP address to a private IP address for inbound traffic, and before Azure translates a private IP address to a public IP address for outbound traffic. Learn more about Azure IP addresses. Specifying a range, a service tag, or an application security group enables you to create fewer security rules. The ability to specify multiple individual IP addresses and ranges in a rule (you cannot specify multiple service tags or application security groups) is referred to as augmented security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple IP addresses and IP address ranges in network security groups created through the classic deployment model. Learn more about Azure deployment models.
  • Protocol: TCP, UDP, or Any, which includes (but is not limited to) TCP, UDP, and ICMP. You cannot specify ICMP alone, so if you require ICMP, use Any.
  • Direction: Whether the rule applies to inbound or outbound traffic.
  • Port range: You can specify an individual port or a range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. Augmented security rules can only be created in network security groups created through the Resource Manager deployment model. You cannot specify multiple ports or port ranges in the same security rule in network security groups created through the classic deployment model.
  • Action: Allow or deny.

Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction for at least a few minutes.

There are limits to the number of security rules you can create in a network security group. For details, see Azure limits.

Augmented security rules

Augmented security rules simplify security definition for virtual networks, allowing you to define larger and more complex network security policies with fewer rules. You can combine multiple ports and multiple explicit IP addresses and ranges into a single, easily understood security rule. Use augmented rules in the source, destination, and port fields of a rule. To simplify maintenance of your security rule definition, combine augmented security rules with service tags or application security groups. There are limits to the number of addresses, ranges, and ports that you can specify in a rule. For details, see Azure limits.

Service tags

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You cannot create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change. You can use service tags in place of specific IP addresses when creating security rules.

You can download the list of service tags with prefix details from the following weekly publications for the Azure Public, US Government, China, and Germany clouds, and integrate it with an on-premises firewall.
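As an added example (not Microsoft's tooling, and not code from this article), the following Python reads a service-tag publication in the shape of the weekly JSON file as this editor understands it (a "values" list whose entries carry "name" and "properties.addressPrefixes"), expands a tag to the prefixes an on-premises firewall needs, checks whether an address is covered by a tag, and diffs two weekly releases so the firewall change set is explicit. The two publications, the prefixes (RFC 5737/3849 documentation ranges) and the firewall line syntax are all constructed for the demo.

```python
# Added example (not Microsoft's code): read a service-tag publication file, expand a
# tag to firewall prefixes, test an address against it, and diff two weekly releases.
# The JSON layout assumed here follows the published file as the author understands it
# ("values" list, each entry with "name" and "properties.addressPrefixes"); the prefixes
# are constructed documentation ranges, not real Azure address space.
import json
from ipaddress import ip_address, ip_network


def _publication(entries):
    """Build a publication document from {tag name: [prefixes]} (constructed sample)."""
    return json.dumps({"changeNumber": 1, "cloud": "Public", "values": [
        {"name": name, "id": name,
         "properties": {"region": name.partition(".")[2].lower(), "addressPrefixes": prefixes}}
        for name, prefixes in entries.items()]})


WEEK_1 = _publication({
    "Storage": ["192.0.2.0/25", "192.0.2.128/26", "2001:db8:1::/48"],
    "Storage.EastUS": ["192.0.2.0/25"],
    "Sql.EastUS": ["198.51.100.0/26"],
})
WEEK_2 = _publication({  # constructed update: Storage.EastUS gained one prefix, lost none
    "Storage": ["192.0.2.0/25", "192.0.2.128/26", "2001:db8:1::/48", "203.0.113.0/28"],
    "Storage.EastUS": ["192.0.2.0/25", "203.0.113.0/28"],
    "Sql.EastUS": ["198.51.100.0/26"],
})


def load_tags(text):
    """Map tag name -> list of ip_network objects from a publication document."""
    doc = json.loads(text)
    return {v["name"]: [ip_network(p) for p in v["properties"]["addressPrefixes"]]
            for v in doc["values"]}


def prefixes_for(tags, tag):
    return sorted(str(n) for n in tags[tag])


def tag_covers(tags, tag, ip):
    """True if the address falls inside any prefix of the tag (v4 and v6 kept apart)."""
    addr = ip_address(ip)
    return any(addr.version == n.version and addr in n for n in tags[tag])


def firewall_lines(tags, tag, port, proto="tcp"):
    """One allow-outbound line per prefix, in a generic constructed firewall syntax."""
    return [f"allow out {proto} to {p} port {port}  # {tag}" for p in prefixes_for(tags, tag)]


def diff_publications(old_text, new_text, tag):
    """(added, removed) prefixes for a tag between two weekly publications: the change
    an on-premises firewall must apply to keep matching what the tag now covers."""
    old = set(prefixes_for(load_tags(old_text), tag))
    new = set(prefixes_for(load_tags(new_text), tag))
    return sorted(new - old), sorted(old - new)
```

The regional tag (Storage.EastUS) is a subset of the service-wide tag (Storage), which is why an address can be covered by Storage but not by Storage.EastUS; and because Microsoft changes prefixes without notice, the diff between two weekly files is what a firewall operator actually has to apply, not the full list.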

The following service tags are available for use in security rule definitions. Their names vary slightly between Azure deployment models.

  • VirtualNetwork (Resource Manager) (VIRTUAL_NETWORK for classic): This tag includes the virtual network address space (all CIDR ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks or virtual networks connected to a virtual network gateway, and address prefixes used in user-defined routes.
  • AzureLoadBalancer (Resource Manager) (AZURE_LOADBALANCER for classic): This tag denotes Azure's infrastructure load balancer. The tag translates to the virtual IP address of the host (168.63.129.16) where Azure's health probes originate. If you are not using the Azure load balancer, you can override this rule.
  • Internet (Resource Manager) (INTERNET for classic): This tag denotes the IP address space that is outside the virtual network and reachable by the public Internet. The address range includes the Azure-owned public IP address space.
  • AzureCloud (Resource Manager only): This tag denotes the IP address space for Azure, including all datacenter public IP addresses. If you specify AzureCloud for the value, traffic is allowed or denied to Azure public IP addresses. If you only want to allow access to AzureCloud in a specific region, you can specify the region. For example, if you want to allow access only to AzureCloud in the East US region, you could specify AzureCloud.EastUS as a service tag.
  • AzureTrafficManager (Resource Manager only): This tag denotes the IP address space for the Azure Traffic Manager probe IP addresses. More information on Traffic Manager probe IP addresses can be found in the Azure Traffic Manager FAQ.
  • Storage (Resource Manager only): This tag denotes the IP address space for the Azure Storage service. If you specify Storage for the value, traffic is allowed or denied to storage. If you only want to allow access to storage in a specific region, you can specify the region. For example, if you want to allow access only to Azure Storage in the East US region, you could specify Storage.EastUS as a service tag. The tag represents the service, but not specific instances of the service. For example, the tag represents the Azure Storage service, but not a specific Azure Storage account.
  • Sql (Resource Manager only): This tag denotes the address prefixes of the Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, and Azure SQL Data Warehouse services. If you specify Sql for the value, traffic is allowed or denied to Sql. If you only want to allow access to Sql in a specific region, you can specify the region. For example, if you want to allow access only to Azure SQL Database in the East US region, you could specify Sql.EastUS as a service tag. The tag represents the service, but not specific instances of the service. For example, the tag represents the Azure SQL Database service, but not a specific SQL database or server.
  • AzureCosmosDB (Resource Manager only): This tag denotes the address prefixes of the Azure Cosmos Database service. If you specify AzureCosmosDB for the value, traffic is allowed or denied to AzureCosmosDB. If you only want to allow access to AzureCosmosDB in a specific region, you can specify the region in the format AzureCosmosDB.[region name].
  • AzureKeyVault (Resource Manager only): This tag denotes the address prefixes of the Azure KeyVault service. If you specify AzureKeyVault for the value, traffic is allowed or denied to AzureKeyVault. If you only want to allow access to AzureKeyVault in a specific region, you can specify the region in the format AzureKeyVault.[region name].
  • EventHub (Resource Manager only): This tag denotes the address prefixes of the Azure EventHub service. If you specify EventHub for the value, traffic is allowed or denied to EventHub. If you only want to allow access to EventHub in a specific region, you can specify the region in the format EventHub.[region name].
  • ServiceBus (Resource Manager only): This tag denotes the address prefixes of the Azure ServiceBus service using the Premium service tier. If you specify ServiceBus for the value, traffic is allowed or denied to ServiceBus. If you only want to allow access to ServiceBus in a specific region, you can specify the region in the format ServiceBus.[region name].
  • MicrosoftContainerRegistry (Resource Manager only): This tag denotes the address prefixes of the Microsoft Container Registry service. If you specify MicrosoftContainerRegistry for the value, traffic is allowed or denied to MicrosoftContainerRegistry. If you only want to allow access to MicrosoftContainerRegistry in a specific region, you can specify the region in the format MicrosoftContainerRegistry.[region name].
  • AzureContainerRegistry (Resource Manager only): This tag denotes the address prefixes of the Azure Container Registry service. If you specify AzureContainerRegistry for the value, traffic is allowed or denied to AzureContainerRegistry. If you only want to allow access to AzureContainerRegistry in a specific region, you can specify the region in the format AzureContainerRegistry.[region name].
  • AppService (Resource Manager only): This tag denotes the address prefixes of the Azure AppService service. If you specify AppService for the value, traffic is allowed or denied to AppService. If you only want to allow access to AppService in a specific region, you can specify the region in the format AppService.[region name].
  • AppServiceManagement (Resource Manager only): This tag denotes the address prefixes of the Azure AppService Management service. If you specify AppServiceManagement for the value, traffic is allowed or denied to AppServiceManagement.
  • ApiManagement (Resource Manager only): This tag denotes the address prefixes of the Azure API Management service. If you specify ApiManagement for the value, traffic is allowed or denied from the management interface of ApiManagement.
  • AzureConnectors (Resource Manager only): This tag denotes the address prefixes of the Azure Connectors service. If you specify AzureConnectors for the value, traffic is allowed or denied to AzureConnectors. If you only want to allow access to AzureConnectors in a specific region, you can specify the region in the format AzureConnectors.[region name].
  • GatewayManager (Resource Manager only): This tag denotes the address prefixes of the Azure Gateway Manager service. If you specify GatewayManager for the value, traffic is allowed or denied to GatewayManager.
  • AzureDataLake (Resource Manager only): This tag denotes the address prefixes of the Azure Data Lake service. If you specify AzureDataLake for the value, traffic is allowed or denied to AzureDataLake.
  • AzureActiveDirectory (Resource Manager only): This tag denotes the address prefixes of the AzureActiveDirectory service. If you specify AzureActiveDirectory for the value, traffic is allowed or denied to AzureActiveDirectory.
  • AzureMonitor (Resource Manager only): This tag denotes the address prefixes of the AzureMonitor service. If you specify AzureMonitor for the value, traffic is allowed or denied to AzureMonitor.
  • ServiceFabric (Resource Manager only): This tag denotes the address prefixes of the ServiceFabric service. If you specify ServiceFabric for the value, traffic is allowed or denied to ServiceFabric.
  • AzureMachineLearning (Resource Manager only): This tag denotes the address prefixes of the AzureMachineLearning service. If you specify AzureMachineLearning for the value, traffic is allowed or denied to AzureMachineLearning.
  • BatchNodeManagement (Resource Manager only): This tag denotes the address prefixes of the Azure BatchNodeManagement service. If you specify BatchNodeManagement for the value, traffic is allowed or denied from the Batch service to compute nodes.
  • AzureBackup (Resource Manager only): This tag denotes the address prefixes of the AzureBackup service. If you specify AzureBackup for the value, traffic is allowed or denied to AzureBackup.

Note

Service tags of Azure services denote the address prefixes from the specific cloud being used.

Note

If you implement a virtual network service endpoint for a service, such as Azure Storage or Azure SQL Database, Azure adds a route to the virtual network subnet for the service. The address prefixes in the route are the same address prefixes, or CIDR ranges, as the corresponding service tag.

Default security rules

Azure creates the following default rules in each network security group that you create:

Inbound

AllowVNetInBound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65000     VirtualNetwork     0-65535       VirtualNetwork  0-65535            All       Allow

AllowAzureLoadBalancerInBound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65001     AzureLoadBalancer  0-65535       0.0.0.0/0       0-65535            All       Allow

DenyAllInbound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65500     0.0.0.0/0          0-65535       0.0.0.0/0       0-65535            All       Deny

Outbound

AllowVnetOutBound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65000     VirtualNetwork     0-65535       VirtualNetwork  0-65535            All       Allow

AllowInternetOutBound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65001     0.0.0.0/0          0-65535       Internet        0-65535            All       Allow

DenyAllOutBound

Priority  Source             Source ports  Destination     Destination ports  Protocol  Access
65500     0.0.0.0/0          0-65535       0.0.0.0/0       0-65535            All       Deny

In the Source and Destination columns, VirtualNetwork, AzureLoadBalancer, and Internet are service tags, rather than IP addresses. In the Protocol column, All encompasses TCP, UDP, and ICMP. When creating a rule, you can specify TCP, UDP, or All, but you cannot specify ICMP alone. Therefore, if your rule requires ICMP, select All for the protocol. 0.0.0.0/0 in the Source and Destination columns represents all addresses. Clients like the Azure portal, Azure CLI, or PowerShell can use * or any for this expression.

You cannot remove the default rules, but you can override them by creating rules with higher priorities.

Application security groups

Application security groups enable you to configure network security as a natural extension of an application's structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic. To better understand application security groups, consider the following example:

(Figure: Application security groups)

In the previous picture, NIC1 and NIC2 are members of the AsgWeb application security group. NIC3 is a member of the AsgLogic application security group. NIC4 is a member of the AsgDb application security group. Though each network interface in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the Azure limits. None of the network interfaces have an associated network security group. NSG1 is associated with both subnets and contains the following rules:

Allow-HTTP-Inbound-Internet

This rule is needed to allow traffic from the internet to the web servers. Because inbound traffic from the internet is denied by the DenyAllInbound default security rule, no additional rule is needed for the AsgLogic or AsgDb application security groups.

Priority  Source    Source ports  Destination  Destination ports  Protocol  Access
100       Internet  *             AsgWeb       80                 TCP       Allow

Deny-Database-All

Because the AllowVNetInBound default security rule allows all communication between resources in the same virtual network, this rule is needed to deny traffic from all resources.

Priority  Source    Source ports  Destination  Destination ports  Protocol  Access
120       *         *             AsgDb        1433               All       Deny

Allow-Database-BusinessLogic

This rule allows traffic from the AsgLogic application security group to the AsgDb application security group. The priority for this rule is higher than the priority for the Deny-Database-All rule. As a result, this rule is processed before the Deny-Database-All rule, so traffic from the AsgLogic application security group is allowed, whereas all other traffic is blocked.

Priority  Source    Source ports  Destination  Destination ports  Protocol  Access
110       AsgLogic  *             AsgDb        1433               TCP       Allow

The rules that specify an application security group as the source or destination are only applied to the network interfaces that are members of the application security group. If the network interface is not a member of an application security group, the rule is not applied to the network interface, even though the network security group is associated with the subnet.

Application security groups have the following constraints:

  • There are limits to the number of application security groups you can have in a subscription, as well as other limits related to application security groups. For details, see Azure limits.
  • You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
  • All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named AsgWeb is in the virtual network named VNet1, then all subsequent network interfaces assigned to AsgWeb must exist in VNet1. You cannot add network interfaces from different virtual networks to the same application security group.
  • If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.

Tip

To minimize the number of security rules you need, and the need to change the rules, plan out the application security groups you need and create rules using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses, whenever possible.

How traffic is evaluated

You can deploy resources from several Azure services into an Azure virtual network. For a complete list, see Services that can be deployed into a virtual network. You can associate zero, or one, network security group to each virtual network subnet and network interface in a virtual machine. The same network security group can be associated with as many subnets and network interfaces as you choose.

The following picture illustrates different scenarios for how network security groups might be deployed to allow network traffic to and from the internet over TCP port 80:

(Figure: NSG processing)

Reference the previous picture, along with the following text, to understand how Azure processes inbound and outbound rules for network security groups:

Inbound traffic

For inbound traffic, Azure processes the rules in a network security group associated with a subnet first, if there is one, and then the rules in a network security group associated with the network interface, if there is one.

  • VM1: The security rules in NSG1 are processed, since it is associated with Subnet1 and VM1 is in Subnet1. Unless you've created a rule that allows port 80 inbound, the traffic is denied by the DenyAllInbound default security rule and is never evaluated by NSG2, since NSG2 is associated with the network interface. If NSG1 has a security rule that allows port 80, the traffic is then processed by NSG2. To allow port 80 to the virtual machine, both NSG1 and NSG2 must have a rule that allows port 80 from the internet.
  • VM2: The rules in NSG1 are processed because VM2 is also in Subnet1. Since VM2 does not have a network security group associated with its network interface, it receives all traffic allowed through NSG1 and is denied all traffic denied by NSG1. Traffic is either allowed or denied to all resources in the same subnet when a network security group is associated with the subnet.
  • VM3: Since there is no network security group associated with Subnet2, traffic is allowed into the subnet and processed by NSG2, because NSG2 is associated with the network interface attached to VM3.
  • VM4: Traffic is allowed to VM4, because no network security group is associated with Subnet3 or with the network interface in the virtual machine. All network traffic is allowed through a subnet and network interface if they don't have a network security group associated with them.

Outbound traffic

For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.

  • VM1: The security rules in NSG2 are processed. Unless you create a security rule that denies port 80 outbound to the internet, the traffic is allowed by the AllowInternetOutbound default security rule in both NSG1 and NSG2. If NSG2 has a security rule that denies port 80, the traffic is denied, and never evaluated by NSG1. To deny port 80 from the virtual machine, either one or both of the network security groups must have a rule that denies port 80 to the internet.
  • VM2: All traffic is sent through the network interface to the subnet, since the network interface attached to VM2 does not have a network security group associated to it. The rules in NSG1 are processed.
  • VM3: If NSG2 has a security rule that denies port 80, the traffic is denied. If NSG2 has a security rule that allows port 80, then port 80 is allowed outbound to the internet, since a network security group is not associated to Subnet2.
  • VM4: All network traffic is allowed from VM4, because a network security group isn't associated to the network interface attached to the virtual machine, or to Subnet3.
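The inbound and outbound evaluation order above, as an added example that is not part of the Azure documentation: a small Python model of two NSGs on the VM1 to VM4 topology from the picture. The NSG1/NSG2 rule contents are constructed for illustration, and only a subset of Azure's default rules is modelled.

```python
# Added example, not from the Azure documentation: a model of the NSG evaluation order
# described above. NSG1/NSG2 contents and the VM1..VM4 topology are constructed to match
# the picture; only a subset of Azure's default rules is modelled.
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    name: str
    priority: int               # 100-4096 for user rules; lower number is processed first
    direction: str              # "Inbound" or "Outbound"
    access: str                 # "Allow" or "Deny"
    port: Optional[int] = None  # destination port; None matches any port
    remote: str = "*"           # source (inbound) / destination (outbound): "Internet", "VirtualNetwork", "*"
# Subset of the default rules every NSG carries, at priorities no user rule can go below
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", remote="VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", remote="Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]
@dataclass
class NSG:
    name: str
    rules: list
    def evaluate(self, direction, port, remote):
        """Lowest priority number first; the first matching rule stops processing."""
        for r in sorted(self.rules + DEFAULT_RULES, key=lambda r: r.priority):
            if r.direction == direction and r.port in (None, port) and r.remote in ("*", remote):
                return r.access, f"{self.name}/{r.name}"

def is_allowed(direction, port, remote, subnet_nsg, nic_nsg):
    """Inbound crosses the subnet NSG then the NIC NSG; outbound the reverse. A missing NSG
    (None) is skipped. Returns (allowed, deciding rule): the first Deny, else the last Allow."""
    path = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    decided_by = "no NSG on path"
    for nsg in filter(None, path):
        access, decided_by = nsg.evaluate(direction, port, remote)
        if access == "Deny":
            return False, decided_by  # the other NSG on the path is never evaluated
    return True, decided_by
# Constructed topology: NSG1 on Subnet1 (VM1, VM2); NSG2 on the NICs of VM1 and VM3; VM4 has neither
NSG1 = NSG("NSG1", [Rule("AllowHttpIn", 100, "Inbound", "Allow", port=80, remote="Internet")])
NSG2 = NSG("NSG2", [Rule("DenyHttpOut", 100, "Outbound", "Deny", port=80, remote="Internet")])
VMS = {"VM1": (NSG1, NSG2), "VM2": (NSG1, None), "VM3": (None, NSG2), "VM4": (None, None)}
def http_from_internet(vm):  # inbound TCP 80 from the internet to the VM
    return is_allowed("Inbound", 80, "Internet", *VMS[vm])
def http_to_internet(vm):  # outbound TCP 80 from the VM to the internet
    return is_allowed("Outbound", 80, "Internet", *VMS[vm])
```

Note that VM1 is still denied inbound port 80 even though NSG1 allows it, because NSG2 on its network interface falls through to DenyAllInBound, which is the case the VM1 bullet above describes.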

You can easily view the aggregate rules applied to a network interface by viewing the effective security rules for a network interface. You can also use the IP flow verify capability in Azure Network Watcher to determine whether communication is allowed to or from a network interface. IP flow verify tells you whether communication is allowed or denied, and which network security rule allows or denies the traffic.

Note

Network security groups are associated to subnets or to virtual machines and cloud services deployed in the classic deployment model, and to subnets or network interfaces in the Resource Manager deployment model. To learn more about Azure deployment models, see Understand Azure deployment models.

Tip

Unless you have a specific reason to, we recommend that you associate a network security group to a subnet, or a network interface, but not both. Since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.

Azure platform considerations

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose.

  • Licensing (Key Management Service): Windows images running in virtual machines must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688. For deployments using the default route 0.0.0.0/0 configuration, this platform rule will be disabled.

  • Virtual machines in load-balanced pools: The source port and address range applied are from the originating computer, not the load balancer. The destination port and address range are for the destination computer, not the load balancer.

  • Azure service instances: Instances of several Azure services, such as HDInsight, Application Service Environments, and Virtual Machine Scale Sets are deployed in virtual network subnets. For a complete list of services you can deploy into virtual networks, see Virtual network for Azure services. Ensure you familiarize yourself with the port requirements for each service before applying a network security group to the subnet the resource is deployed in. If you deny ports required by the service, the service doesn't function properly.

  • Sending outbound email: Microsoft recommends that you utilize authenticated SMTP relay services (typically connected via TCP port 587, but often others, as well) to send email from Azure Virtual Machines. SMTP relay services specialize in sender reputation, to minimize the possibility that third-party email providers reject messages. Such SMTP relay services include, but are not limited to, Exchange Online Protection and SendGrid. Use of SMTP relay services is in no way restricted in Azure, regardless of your subscription type.

    If you created your Azure subscription prior to November 15, 2017, in addition to being able to use SMTP relay services, you can send email directly over TCP port 25. If you created your subscription after November 15, 2017, you may not be able to send email directly over port 25. The behavior of outbound communication over port 25 depends on the type of subscription you have, as follows:

    • Enterprise Agreement: Outbound port 25 communication is allowed. You are able to send outbound email directly from virtual machines to external email providers, with no restrictions from the Azure platform.
    • Pay-as-you-go: Outbound port 25 communication is blocked from all resources. If you need to send email from a virtual machine directly to external email providers (not using an authenticated SMTP relay), you can make a request to remove the restriction. Requests are reviewed and approved at Microsoft's discretion and are only granted after anti-fraud checks are performed. To make a request, open a support case with the issue type Technical, Virtual Network Connectivity, Cannot send e-mail (SMTP/Port 25). In your support case, include details about why your subscription needs to send email directly to mail providers, instead of going through an authenticated SMTP relay. If your subscription is exempted, only virtual machines created after the exemption date are able to communicate outbound over port 25.
    • MSDN, Azure Pass, Azure in Open, Education, BizSpark, and Free trial: Outbound port 25 communication is blocked from all resources. No requests to remove the restriction can be made, because requests are not granted. If you need to send email from your virtual machine, you have to use an SMTP relay service.
    • Cloud service provider: Customers that are consuming Azure resources via a cloud service provider can create a support case with their cloud service provider, and request that the provider create an unblock case on their behalf, if a secure SMTP relay cannot be used.

    If Azure allows you to send email over port 25, Microsoft cannot guarantee email providers will accept inbound email from your virtual machine. If a specific provider rejects mail from your virtual machine, work directly with the provider to resolve any message delivery or spam filtering issues, or use an authenticated SMTP relay service.

Next steps