Work with a virtual network TAP using the Azure CLI

Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a network virtual appliance partner. For a list of partner solutions that are validated to work with virtual network TAP, see partner solutions.

Create a virtual network TAP resource

Read the prerequisites before you create a virtual network TAP resource. You can run the commands that follow in the Azure Cloud Shell, or by running the Azure command-line interface (CLI) from your computer. The Azure Cloud Shell is a free interactive shell that doesn't require installing the Azure CLI on your computer. You must sign in to Azure with an account that has the appropriate permissions. This article requires Azure CLI version 2.0.46 or later. Run az --version to find the installed version. If you need to install or upgrade, see Install Azure CLI 2.0. Virtual network TAP is currently available as an extension. To install the extension, run az extension add -n virtual-network-tap. If you are running the Azure CLI locally, you also need to run az login to create a connection with Azure.

  1. Retrieve the ID of your subscription into a variable that is used in a later step:

    subscriptionId=$(az account show \
    --query id \
    --out tsv)
    
  2. Set the subscription ID that you will use to create a virtual network TAP resource.

    az account set --subscription $subscriptionId
    
  3. Re-register the subscription ID that you'll use to create a virtual network TAP resource. If you get a registration error when you create a TAP resource, run the following command:

    az provider register --namespace Microsoft.Network --subscription $subscriptionId
    
  4. If the destination for the virtual network TAP is the network interface on the network virtual appliance for the collector or analytics tool:

    • Retrieve the IP configuration of the network virtual appliance's network interface into a variable that is used in a later step. The ID is the endpoint that will aggregate the TAP traffic. The following example retrieves the ID of the ipconfig1 IP configuration for a network interface named myNetworkInterface, in a resource group named myResourceGroup:

        IpConfigId=$(az network nic ip-config show \
        --name ipconfig1 \
        --nic-name myNetworkInterface \
        --resource-group myResourceGroup \
        --query id \
        --out tsv)
      
    • Create the virtual network TAP in the westcentralus Azure region using the ID of the IP configuration as the destination and an optional port property. The port specifies the destination port on the network interface IP configuration where the TAP traffic will be received:

        az network vnet tap create \
        --resource-group myResourceGroup \
        --name myTap \
        --destination $IpConfigId \
        --port 4789 \
        --location westcentralus
      
  5. If the destination for the virtual network TAP is an Azure internal load balancer:

    • Retrieve the front-end IP configuration of the Azure internal load balancer into a variable that is used in a later step. The ID is the endpoint that will aggregate the TAP traffic. The following example retrieves the ID of the frontendipconfig1 front-end IP configuration for a load balancer named myInternalLoadBalancer, in a resource group named myResourceGroup:

        FrontendIpConfigId=$(az network lb frontend-ip show \
        --name frontendipconfig1 \
        --lb-name myInternalLoadBalancer \
        --resource-group myResourceGroup \
        --query id \
        --out tsv)
      
    • Create the virtual network TAP using the ID of the front-end IP configuration as the destination and an optional port property. The port specifies the destination port on the front-end IP configuration where the TAP traffic will be received:

        az network vnet tap create \
        --resource-group myResourceGroup \
        --name myTap \
        --destination $FrontendIpConfigId \
        --port 4789 \
        --location westcentralus
      
  6. Confirm creation of the virtual network TAP:

    az network vnet tap show \
    --resource-group myResourceGroup \
    --name myTap
    

Add a TAP configuration to a network interface

  1. Retrieve the ID of an existing virtual network TAP resource. The following example retrieves a virtual network TAP named myTap in a resource group named myResourceGroup:

    tapId=$(az network vnet tap show \
    --name myTap \
    --resource-group myResourceGroup \
    --query id \
    --out tsv)
    
  2. Create a TAP configuration on the network interface of the monitored virtual machine. The following example creates a TAP configuration for a network interface named myNetworkInterface:

    az network nic vtap-config create \
    --resource-group myResourceGroup \
    --nic myNetworkInterface \
    --vnet-tap $tapId \
    --name mytapconfig \
    --subscription $subscriptionId
    
  3. Confirm creation of the TAP configuration:

    az network nic vtap-config show \
    --resource-group myResourceGroup \
    --nic-name myNetworkInterface \
    --name mytapconfig \
    --subscription $subscriptionId
    

Delete the TAP configuration on a network interface

az network nic vtap-config delete \
--resource-group myResourceGroup \
--nic myNetworkInterface \
--name mytapconfig \
--subscription $subscriptionId

List virtual network TAPs in a subscription

az network vnet tap list
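A TAP copies the full network traffic of every NIC attached to it to whatever its destination points at, so a defender wants to audit the list above regularly. The following added example (not part of the article) parses the JSON that az network vnet tap list returns and flags any TAP whose destination is not an approved collector endpoint or whose port is not the expected one; the sample JSON is constructed and its field names assume the VirtualNetworkTap resource shape.

```python
import json

# Constructed sample of `az network vnet tap list` output, trimmed to the fields this
# check reads; field names assume the VirtualNetworkTap resource shape (an assumption).
PFX = "/subscriptions/SUB/resourceGroups/myResourceGroup/providers/Microsoft.Network/"
SAMPLE_TAP_LIST = json.dumps([
    {   # the TAP built in this article: NIC ipconfig destination, port 4789
        "name": "myTap", "destinationPort": 4789,
        "destinationNetworkInterfaceIPConfiguration": {
            "id": PFX + "networkInterfaces/myNetworkInterface/ipConfigurations/ipconfig1"},
        "networkInterfaceTapConfigurations": [
            {"id": PFX + "networkInterfaces/monitoredNic/tapConfigurations/mytapconfig"}],
    },
    {   # a TAP nobody approved, pointed at an unknown load balancer on another port
        "name": "strayTap", "destinationPort": 5000,
        "destinationLoadBalancerFrontEndIPConfiguration": {
            "id": PFX + "loadBalancers/unknownLb/frontendIPConfigurations/fe1"},
    },
])

# Resource IDs of the collector endpoints allowed to receive mirrored traffic.
APPROVED_DESTINATIONS = {
    PFX + "networkInterfaces/myNetworkInterface/ipConfigurations/ipconfig1",
}

def tap_destination(tap):
    """Return the resource ID the TAP streams to, whichever destination type is set."""
    for key in ("destinationNetworkInterfaceIPConfiguration",
                "destinationLoadBalancerFrontEndIPConfiguration"):
        dest = tap.get(key)
        if dest and dest.get("id"):
            return dest["id"]
    return None

def mirrored_nics(tap):
    """Names of the NICs whose traffic this TAP copies (from their tapConfigurations)."""
    return [c["id"].split("/")[-3] for c in tap.get("networkInterfaceTapConfigurations", [])]

def audit_taps(tap_list_json, approved, expected_port=4789):
    """Flag TAPs whose destination is not an approved collector or whose port is unexpected."""
    approved = {d.lower() for d in approved}  # ARM resource IDs compare case-insensitively
    findings = []
    for tap in json.loads(tap_list_json):
        dest = tap_destination(tap)
        if dest is None or dest.lower() not in approved:
            findings.append((tap["name"], "unapproved-destination"))
        if tap.get("destinationPort") != expected_port:
            findings.append((tap["name"], "unexpected-port"))
    return findings
```

Feed it the real output with `az network vnet tap list --out json` and pair each finding with mirrored_nics() to see which VMs' traffic the stray TAP is copying.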

Delete a virtual network TAP in a resource group

az network vnet tap delete \
--resource-group myResourceGroup \
--name myTap