Tutorial: Filter network traffic with a network security group using the Azure portal

You can filter network traffic inbound to and outbound from a virtual network subnet with a network security group. Network security groups contain security rules that filter network traffic by IP address, port, and protocol. Security rules are applied to resources deployed in a subnet. In this tutorial, you learn how to:

  • Create a network security group and security rules
  • Create a virtual network and associate a network security group to a subnet
  • Deploy virtual machines (VMs) into a subnet
  • Test traffic filters

If you prefer, you can complete this tutorial using the Azure CLI or PowerShell.

If you don't have an Azure subscription, create a free account before you begin.

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.com.

Create a virtual network

  1. Select + Create a resource in the upper-left corner of the Azure portal.

  2. Select Networking, and then select Virtual network.

  3. Enter or select the following information, accept the defaults for the remaining settings, and then select Create:

    Setting                  Value
    Name                     myVirtualNetwork
    Address space            10.0.0.0/16
    Subscription             Select your subscription.
    Resource group           Select Create new and enter myResourceGroup.
    Location                 Select East US.
    Subnet - Name            mySubnet
    Subnet - Address range   10.0.0.0/24

Create application security groups

An application security group lets you group servers with a similar function, such as web servers, so that security rules can target the group instead of individual IP addresses. Membership is assigned per network interface, so a rule keeps applying as VMs are added to or removed from the group.

  1. Select + Create a resource in the upper-left corner of the Azure portal.

  2. In the Search the Marketplace box, enter Application security group. When Application security group appears in the search results, select it, select Application security group again under Everything, and then select Create.

  3. Enter or select the following information, and then select Create:

    Setting          Value
    Name             myAsgWebServers
    Subscription     Select your subscription.
    Resource group   Select Use existing and then select myResourceGroup.
    Location         East US

  4. Complete step 3 again, specifying the following values:

    Setting          Value
    Name             myAsgMgmtServers
    Subscription     Select your subscription.
    Resource group   Select Use existing and then select myResourceGroup.
    Location         East US

Create a network security group

  1. Select + Create a resource in the upper-left corner of the Azure portal.

  2. Select Networking, and then select Network security group.

  3. Enter or select the following information, and then select Create:

    Setting          Value
    Name             myNsg
    Subscription     Select your subscription.
    Resource group   Select Use existing and then select myResourceGroup.
    Location         East US

Associate network security group to subnet

A subnet can have one network security group associated with it; its rules then apply to every network interface in that subnet.

  1. In the Search resources, services, and docs box at the top of the portal, begin typing myNsg. When myNsg appears in the search results, select it.

  2. Under SETTINGS, select Subnets and then select + Associate, as shown in the following picture:

    Associate NSG to subnet

  3. Under Associate subnet, select Virtual network and then select myVirtualNetwork. Select Subnet, select mySubnet, and then select OK.

Create security rules

  1. Under SETTINGS, select Inbound security rules and then select + Add, as shown in the following picture:

    Add inbound security rule

  2. Create a security rule that allows ports 80 and 443 to the myAsgWebServers application security group. Under Add inbound security rule, enter or select the following values, accept the remaining defaults, and then select Add:

    Setting                   Value
    Destination               Select Application security group, and then select myAsgWebServers for Application security group.
    Destination port ranges   Enter 80,443
    Protocol                  Select TCP
    Name                      Allow-Web-All

  3. Complete step 2 again, using the following values:

    Setting                   Value
    Destination               Select Application security group, and then select myAsgMgmtServers for Application security group.
    Destination port ranges   Enter 3389
    Protocol                  Select TCP
    Priority                  Enter 110
    Name                      Allow-RDP-All

    In this tutorial, RDP (port 3389) is exposed to the internet for the VM that is assigned to the myAsgMgmtServers application security group. For production environments, instead of exposing port 3389 to the internet, connect to the Azure resources you want to manage over a VPN or private network connection, or at minimum restrict the rule's Source to your management address range rather than Any.

Once you've completed steps 1-3, review the rules you created. Rules are evaluated in priority order (lower number first) and the first match wins; your two rules sit ahead of the default rules, including DenyAllInBound at priority 65500, which blocks every other inbound connection from the internet. Your list should look like the list in the following picture:

Security rules
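The portal steps in the preceding sections, expressed as one Az PowerShell script. This is an added example, not part of the original tutorial; it shows how the same application security groups, rules, network security group and subnet association look as code, and prints the resulting rule list in evaluation order. It assumes the Az module is installed and you are signed in with Connect-AzAccount. The priority 100 on Allow-Web-All is the value the portal assigned by default, and the $mgmtSource variable is an addition so the RDP source can be narrowed for production.

```powershell
# Added example (not from the original tutorial): Create a virtual network through
# Create security rules, done with the Az PowerShell module. Assumes Connect-AzAccount
# has already been run. Names match the tutorial.
$rg       = 'myResourceGroup'
$location = 'eastus'

# Assumption (hardening knob, not in the tutorial): the source allowed to reach RDP.
# 'Internet' reproduces the tutorial; in production use your own range, e.g. '203.0.113.0/24'.
$mgmtSource = 'Internet'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Application security groups. Membership is set per NIC later, so the rules below
# refer to a role rather than to IP addresses.
$webAsg  = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'myAsgWebServers'  -Location $location
$mgmtAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'myAsgMgmtServers' -Location $location

# Allow-Web-All: TCP 80 and 443 from the internet to the web-server ASG.
# The portal used priority 100 by default; it is made explicit here.
$webRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-Web-All' `
    -Description 'HTTP/HTTPS to web servers' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $webAsg.Id `
    -DestinationPortRange 80, 443

# Allow-RDP-All: TCP 3389 to the management ASG only.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-All' `
    -Description 'RDP to management servers' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix $mgmtSource -SourcePortRange '*' `
    -DestinationApplicationSecurityGroupId $mgmtAsg.Id `
    -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'myNsg' -Location $location `
    -SecurityRules $webRule, $rdpRule

# The subnet is created with the NSG already associated, then the virtual network.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'mySubnet' -AddressPrefix '10.0.0.0/24' `
    -NetworkSecurityGroup $nsg
New-AzVirtualNetwork -ResourceGroupName $rg -Name 'myVirtualNetwork' -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $subnet | Out-Null

# Review: custom rules plus the platform default rules (priority 65000 and up),
# in the order Azure evaluates them. Same content as the portal's rule list.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'myNsg'
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Priority |
    Select-Object Priority, Name, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Run this in place of the portal sections from Create a virtual network through Create security rules; the VM creation and ASG membership steps that follow are unchanged. Setting $mgmtSource to your own public address range is the narrowing the production note above asks for, and the final table should show Allow-Web-All (100) and Allow-RDP-All (110) followed by the three default inbound rules and the three default outbound rules.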

Create virtual machines

Create two VMs in the virtual network.

Create the first VM

  1. Select + Create a resource in the upper-left corner of the Azure portal.

  2. Select Compute, and then select Windows Server 2016 Datacenter.

  3. Enter or select the following information, accept the defaults for the remaining settings, and then select OK:

    Setting          Value
    Name             myVmWeb
    User name        Enter a user name of your choosing.
    Password         Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Subscription     Select your subscription.
    Resource group   Select Use existing and select myResourceGroup.
    Location         Select East US

  4. Select a size for the VM and then select Select.

  5. Under Settings, select the following values, accept the remaining defaults, and then select OK:

    Setting                             Value
    Virtual network                     Select myVirtualNetwork
    Network Security Group              Select Advanced.
    Network security group (firewall)   Select (new) myVmWeb-nsg, and then under Choose network security group, select None. This stops the portal from creating a second NSG on the VM's network interface; in this tutorial, filtering is done only by myNsg, which is associated to the subnet.

  6. Under Create of the Summary, select Create to start VM deployment.

Create the second VM

Complete steps 1-6 again, but in step 3, name the VM myVmMgmt. The VM takes a few minutes to deploy. Do not continue to the next step until the VM is deployed.

Associate network interfaces to an ASG

When the portal created the VMs, it created a network interface for each VM and attached the network interface to the VM. Add the network interface for each VM to one of the application security groups you created previously:

  1. In the Search resources, services, and docs box at the top of the portal, begin typing myVmWeb. When the myVmWeb VM appears in the search results, select it.

  2. Under SETTINGS, select Networking. Select Configure the application security groups, select myAsgWebServers for Application security groups, and then select Save, as shown in the following picture:

    Associate to ASG

  3. Complete steps 1 and 2 again, searching for the myVmMgmt VM and selecting the myAsgMgmtServers ASG.
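The same membership change as an Az PowerShell function, followed by the check a practitioner wants afterwards: the effective security rules Azure actually evaluates for each network interface. This is an added example, not from the original tutorial. It assumes the two VMs exist in myResourceGroup and are running (Get-AzEffectiveNetworkSecurityGroup requires a running VM), and it reads each NIC from the VM object instead of assuming the portal's generated NIC name.

```powershell
# Added example (not from the original tutorial): put each VM's network interface
# into its ASG, then list the effective inbound rules on that interface.
# Assumes Connect-AzAccount has been run and both VMs are running.
$rg = 'myResourceGroup'

function Add-NicToAsg {
    param([string]$VmName, [string]$AsgName)
    $vm  = Get-AzVM -ResourceGroupName $rg -Name $VmName
    # The portal-generated NIC name is not assumed; it is taken from the VM's network profile.
    $nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
    $asg = Get-AzApplicationSecurityGroup -ResourceGroupName $rg -Name $AsgName
    # ASG membership is a property of the NIC's IP configuration, not of the VM.
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg)
    $nic | Set-AzNetworkInterface | Out-Null
    return $nic.Name
}

$webNic  = Add-NicToAsg -VmName 'myVmWeb'  -AsgName 'myAsgWebServers'
$mgmtNic = Add-NicToAsg -VmName 'myVmMgmt' -AsgName 'myAsgMgmtServers'

# Check: the rules Azure evaluates for each NIC, which combines the subnet NSG with
# any NIC-level NSG. Custom rules have priority below 65000; platform defaults start at 65000.
foreach ($nicName in @($webNic, $mgmtNic)) {
    "== Effective inbound rules on $nicName =="
    $effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg
    $effective.EffectiveSecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Sort-Object Priority |
        Select-Object Priority, Name, Access, Protocol, DestinationPortRange |
        Format-Table -AutoSize
}
```

Because myNsg is associated to the subnet, both interfaces list the same NSG; what differs is the ASG each interface belongs to, which decides whether Allow-Web-All or Allow-RDP-All matches traffic to that VM. If a second, NIC-level NSG shows up in the output, the None selection in the VM creation step was missed, and that NSG's rules are evaluated after the subnet NSG's for inbound traffic.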

Test traffic filters

  1. Connect to the myVmMgmt VM. Enter myVmMgmt in the search box at the top of the portal. When myVmMgmt appears in the search results, select it. Select the Connect button.

  2. Select Download RDP file.

  3. Open the downloaded rdp file and select Connect. Enter the user name and password you specified when creating the VM. You may need to select More choices, then Use a different account, to specify the credentials you entered when you created the VM.

  4. Select OK.

  5. You may receive a certificate warning during the sign-in process. If you receive the warning, select Yes or Continue to proceed with the connection.

    The connection succeeds because port 3389 is allowed inbound from the internet to the myAsgMgmtServers application security group, which contains the network interface attached to the myVmMgmt VM.

  6. Connect to the myVmWeb VM from the myVmMgmt VM by entering the following command in a PowerShell session:

    mstsc /v:myVmWeb
    

    You are able to connect to the myVmWeb VM from the myVmMgmt VM because VMs in the same virtual network can communicate with each other over any port by default (the AllowVnetInBound default rule, priority 65000). You can't, however, create a remote desktop connection to the myVmWeb VM from the internet, because no rule for myAsgWebServers allows port 3389 inbound from the internet, and inbound traffic from the internet is denied to all resources by default.

  7. To install Microsoft IIS on the myVmWeb VM, enter the following command from a PowerShell session on the myVmWeb VM:

    Install-WindowsFeature -name Web-Server -IncludeManagementTools
    
  8. After the IIS installation is complete, disconnect from the myVmWeb VM, which leaves you in the myVmMgmt VM remote desktop connection.

  9. Disconnect from the myVmMgmt VM.

  10. From your computer, in the Search resources, services, and docs box at the top of the Azure portal, begin typing myVmWeb. When myVmWeb appears in the search results, select it. Note the Public IP address for your VM. The address shown in the following picture is 137.135.84.74, but your address is different:

    Public IP address

  11. To confirm that you can access the myVmWeb web server from the internet, open an internet browser on your computer and browse to http://<public-ip-address-from-previous-step>. You see the IIS welcome screen, because port 80 is allowed inbound from the internet to the myAsgWebServers application security group, which contains the network interface attached to the myVmWeb VM.
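A client-side check of the four combinations the steps above reason about (80 and 3389 against each VM), as an added example that is not part of the original tutorial. It runs in Windows PowerShell on your own computer, where Test-NetConnection comes from the built-in NetTCPIP module, and uses the Az module, signed in, to look up each VM's public IP. The public IP resource names myVmWeb-ip and myVmMgmt-ip are an assumption matching the portal's default naming; substitute yours if they differ.

```powershell
# Added example (not from the original tutorial): probe each VM's public IP from
# outside Azure and compare with what the NSG rules should allow.
# Assumes Connect-AzAccount has been run and IIS is installed on myVmWeb.
$rg = 'myResourceGroup'

# Expected result per (VM, port). 3389 to myVmWeb and 80 to myVmMgmt must fail:
# Allow-RDP-All and Allow-Web-All each target one ASG, and the default
# DenyAllInBound rule (priority 65500) catches everything else from the internet.
$expectations = @(
    @{ Vm = 'myVmWeb';  Port = 80;   Expect = $true  }
    @{ Vm = 'myVmWeb';  Port = 3389; Expect = $false }
    @{ Vm = 'myVmMgmt'; Port = 3389; Expect = $true  }
    @{ Vm = 'myVmMgmt'; Port = 80;   Expect = $false }
)

$mismatches = 0
foreach ($e in $expectations) {
    # Assumption: public IP resources are named <vm-name>-ip, the portal default.
    $ip = (Get-AzPublicIpAddress -ResourceGroupName $rg -Name "$($e.Vm)-ip").IpAddress
    # An NSG deny drops the SYN, so a blocked port shows up as a timeout, not a reset.
    # The warning Test-NetConnection prints on failure is suppressed; the result is read instead.
    $tcp = Test-NetConnection -ComputerName $ip -Port $e.Port -WarningAction SilentlyContinue
    $ok  = ($tcp.TcpTestSucceeded -eq $e.Expect)
    if (-not $ok) { $mismatches++ }
    '{0,-9} {1,-15} tcp/{2,-5} open={3,-5} expected={4,-5} {5}' -f `
        $e.Vm, $ip, $e.Port, $tcp.TcpTestSucceeded, $e.Expect, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
"$mismatches unexpected result(s)"
```

The two expected failures take a few seconds each, because a denied connection times out rather than being refused; that timeout is what an NSG deny looks like from outside. A MISMATCH on myVmWeb tcp/80 usually means IIS is not installed or the interface is not in myAsgWebServers; a MISMATCH showing tcp/3389 open on myVmWeb means a rule or a NIC-level NSG is allowing more than this tutorial intends.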

Clean up resources

When no longer needed, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal. When you see myResourceGroup in the search results, select it.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a network security group and associated it to a virtual network subnet. To learn more about network security groups, see Network security group overview and Manage a network security group.

Azure routes traffic between subnets by default. You may instead choose to route traffic between subnets through a VM serving as a firewall, for example. To learn how to create a route table, advance to the next tutorial.