Filter network traffic with network security groups

A network security group (NSG) contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNet). NSGs can be associated to subnets, individual VMs (classic), or individual network interfaces (NIC) attached to VMs (Resource Manager). When an NSG is associated to a subnet, the rules apply to all resources connected to the subnet. Traffic can be restricted further by also associating an NSG to a VM or NIC.

Note

Azure has two different deployment models for creating and working with resources: Resource Manager and classic. This article covers using both models, but Microsoft recommends that most new deployments use the Resource Manager model.

NSG resource

NSGs contain the following properties:

| Property | Description | Constraints | Considerations |
|---|---|---|---|
| Name | Name for the NSG. | Must be unique within the region. Can contain letters, numbers, underscores, periods, and hyphens. Must start with a letter or number. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | Since you may need to create several NSGs, make sure you have a naming convention that makes it easy to identify the function of each NSG. |
| Region | Azure region where the NSG is created. | NSGs can only be associated to resources within the same region as the NSG. | To learn how many NSGs you can have per region, read the Azure limits article. |
| Resource group | The resource group the NSG exists in. | Although an NSG exists in a resource group, it can be associated to resources in any resource group, as long as the resource is part of the same Azure region as the NSG. | Resource groups are used to manage multiple resources together, as a deployment unit. You may consider grouping the NSG with the resources it is associated to. |
| Rules | Inbound or outbound rules that define what traffic is allowed or denied. | | See the NSG rules section of this article. |

Note

Endpoint-based ACLs and network security groups are not supported on the same VM instance. If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. To learn how to remove an ACL, read the Managing Access Control Lists (ACLs) for Endpoints by using PowerShell article.

NSG rules

NSG rules contain the following properties:

| Property | Description | Constraints | Considerations |
|---|---|---|---|
| Name | Name for the rule. | Must be unique within the region. Can contain letters, numbers, underscores, periods, and hyphens. Must start with a letter or number. Must end with a letter, number, or underscore. Cannot exceed 80 characters. | You may have several rules within an NSG, so make sure you follow a naming convention that allows you to identify the function of each rule. |
| Protocol | Protocol to match for the rule. | TCP, UDP, or *. | Using * as the protocol includes ICMP (East-West traffic only), as well as UDP and TCP, and may reduce the number of rules you need. At the same time, using * might be too broad an approach, so it is recommended that you use * only when necessary. |
| Source port range | Source port range to match for the rule. | Single port number from 1 to 65535, port range (example: 1-65535), or * (for all ports). | Source ports could be ephemeral. Unless your client program is using a specific port, use * in most cases. Try to use port ranges as much as possible to avoid the need for multiple rules. Multiple ports or port ranges cannot be grouped by a comma. |
| Destination port range | Destination port range to match for the rule. | Single port number from 1 to 65535, port range (example: 1-65535), or * (for all ports). | Try to use port ranges as much as possible to avoid the need for multiple rules. Multiple ports or port ranges cannot be grouped by a comma. |
| Source address prefix | Source address prefix or tag to match for the rule. | Single IP address (example: 10.10.10.10), IP subnet (example: 192.168.1.0/24), default tag, or * (for all addresses). | Consider using ranges, default tags, and * to reduce the number of rules. |
| Destination address prefix | Destination address prefix or tag to match for the rule. | Single IP address (example: 10.10.10.10), IP subnet (example: 192.168.1.0/24), default tag, or * (for all addresses). | Consider using ranges, default tags, and * to reduce the number of rules. |
| Direction | Direction of traffic to match for the rule. | Inbound or outbound. | Inbound and outbound rules are processed separately, based on direction. |
| Priority | Rules are checked in order of priority. Once a rule applies, no more rules are tested for matching. | Number between 100 and 4096. | Consider leaving gaps of 100 between rule priorities to leave space for new rules you might create in the future. |
| Access | Type of access to apply if the rule matches. | Allow or deny. | Keep in mind that if no allow rule is found for a packet, the packet is dropped. |

NSGs contain two sets of rules: inbound and outbound. The priority for a rule must be unique within each set.

[Figure: NSG rule processing]

The previous picture shows how NSG rules are processed.

Default tags

Default tags are system-provided identifiers that address a category of IP addresses. You can use default tags in the source address prefix and destination address prefix properties of any rule. There are three default tags you can use:

  • VirtualNetwork (Resource Manager) (VIRTUAL_NETWORK for classic): This tag includes the virtual network address space (CIDR ranges defined in Azure), all connected on-premises address spaces, and connected Azure VNets (local networks).
  • AzureLoadBalancer (Resource Manager) (AZURE_LOADBALANCER for classic): This tag denotes Azure's infrastructure load balancer. The tag translates to an Azure datacenter IP where Azure's health probes originate.
  • Internet (Resource Manager) (INTERNET for classic): This tag denotes the IP address space that is outside the virtual network and reachable from the public Internet. The range includes the Azure-owned public IP space.

Default rules

All NSGs contain a set of default rules. The default rules cannot be deleted, but because they are assigned the lowest priority, they can be overridden by the rules that you create.

The default rules allow and disallow traffic as follows:

  • Virtual network: Traffic originating and ending in a virtual network is allowed in both the inbound and outbound directions.
  • Internet: Outbound traffic is allowed, but inbound traffic is blocked.
  • Load balancer: Azure's load balancer is allowed to probe the health of your VMs and role instances. If you are not using a load balanced set, you can override this rule.

Inbound default rules

| Name | Priority | Source IP | Source port | Destination IP | Destination port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVNetInBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | * | Allow |
| AllowAzureLoadBalancerInBound | 65001 | AzureLoadBalancer | * | * | * | * | Allow |
| DenyAllInBound | 65500 | * | * | * | * | * | Deny |

Outbound default rules

| Name | Priority | Source IP | Source port | Destination IP | Destination port | Protocol | Access |
|---|---|---|---|---|---|---|---|
| AllowVnetOutBound | 65000 | VirtualNetwork | * | VirtualNetwork | * | * | Allow |
| AllowInternetOutBound | 65001 | * | * | Internet | * | * | Allow |
| DenyAllOutBound | 65500 | * | * | * | * | * | Deny |

Associating NSGs

You can associate an NSG to VMs, NICs, and subnets, depending on the deployment model you are using, as follows:

  • VM (classic only): Security rules are applied to all traffic to/from the VM.
  • NIC (Resource Manager only): Security rules are applied to all traffic to/from the NIC the NSG is associated to. In a multi-NIC VM, you can apply different (or the same) NSGs to each NIC individually.
  • Subnet (Resource Manager and classic): Security rules are applied to any traffic to/from any resources connected to the VNet.

You can associate different NSGs to a VM (or NIC, depending on the deployment model) and to the subnet that the NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:

  • Inbound traffic

    1. NSG applied to the subnet: If the subnet NSG has a matching rule that denies the traffic, the packet is dropped.

    2. NSG applied to the NIC (Resource Manager) or VM (classic): If the VM/NIC NSG has a matching rule that denies the traffic, the packet is dropped at the VM/NIC, even if the subnet NSG has a matching rule that allows the traffic.

  • Outbound traffic

    1. NSG applied to the NIC (Resource Manager) or VM (classic): If the VM/NIC NSG has a matching rule that denies the traffic, the packet is dropped.

    2. NSG applied to the subnet: If the subnet NSG has a matching rule that denies the traffic, the packet is dropped, even if the VM/NIC NSG has a matching rule that allows the traffic.

Note

Although you can only associate a single NSG to a subnet, VM, or NIC, you can associate the same NSG to as many resources as you want.

Implementation

You can implement NSGs in the Resource Manager or classic deployment models using the following tools:

| Deployment tool | Classic | Resource Manager |
|---|---|---|
| Azure portal | No | Yes |
| PowerShell | Yes | Yes |
| Azure CLI V1 | Yes | Yes |
| Azure CLI V2 | No | Yes |
| Azure Resource Manager template | No | Yes |

Planning

Before implementing NSGs, you need to answer the following questions:

  1. What types of resources do you want to filter traffic to or from? You can connect resources such as NICs (Resource Manager), VMs (classic), Cloud Services, Application Service Environments, and VM Scale Sets.
  2. Are the resources you want to filter traffic to/from connected to subnets in existing VNets?

For more information on planning for network security in Azure, read the Cloud services and network security article.

Design considerations

Once you know the answers to the questions in the Planning section, review the following sections before defining your NSGs:

Limits

There are limits to the number of NSGs you can have in a subscription and to the number of rules per NSG. To learn more about the limits, read the Azure limits article.

VNet and subnet design

Since NSGs can be applied to subnets, you can minimize the number of NSGs by grouping your resources by subnet and applying NSGs to subnets. If you decide to apply NSGs to subnets, you may find that your existing VNets and subnets were not defined with NSGs in mind. You may need to define new VNets and subnets to support your NSG design and deploy your new resources to the new subnets. You could then define a migration strategy to move existing resources to the new subnets.

Special rules

If you block traffic allowed by the following rules, your infrastructure can't communicate with essential Azure services:

  • Virtual IP of the host node: Basic infrastructure services such as DHCP, DNS, and health monitoring are provided through the virtualized host IP address 168.63.129.16. This public IP address belongs to Microsoft and is the only virtualized IP address used in all regions for this purpose. This IP address maps to the physical IP address of the server machine (host node) hosting the VM. The host node acts as the DHCP relay, the DNS recursive resolver, and the probe source for the load balancer health probe and the machine health probe. Communication to this IP address is not an attack.
  • Licensing (Key Management Service): Windows images running in VMs must be licensed. To ensure licensing, a request is sent to the Key Management Service host servers that handle such queries. The request is made outbound through port 1688.

ICMP traffic

The current NSG rules only allow for the protocols TCP or UDP. There is no specific tag for ICMP. However, ICMP traffic is allowed within a VNet by the AllowVNetInBound default rule, which allows traffic to and from any port and protocol within the VNet.

Subnets

  • Consider the number of tiers your workload requires. Each tier can be isolated by using a subnet, with an NSG applied to the subnet.
  • If you need to implement a subnet for a VPN gateway or ExpressRoute circuit, do not apply an NSG to that subnet. If you do so, cross-VNet or cross-premises connectivity may fail.
  • If you need to implement a network virtual appliance (NVA), connect the NVA to its own subnet and create user-defined routes (UDR) to and from the NVA. You can implement a subnet-level NSG to filter traffic in and out of this subnet. To learn more about UDRs, read the User-defined routes article.

Load balancers

  • Consider the load balancing and network address translation (NAT) rules for each load balancer used by each of your workloads. NAT rules are bound to a back-end pool that contains NICs (Resource Manager) or VMs/Cloud Services role instances (classic). Consider creating an NSG for each back-end pool, allowing only traffic mapped through the rules implemented in the load balancers. Creating an NSG for each back-end pool guarantees that traffic coming to the back-end pool directly (rather than through the load balancer) is also filtered.
  • In classic deployments, you create endpoints that map ports on a load balancer to ports on your VMs or role instances. You can also create your own individual public-facing load balancer through Resource Manager. The destination port for incoming traffic is the actual port on the VM or role instance, not the port exposed by the load balancer. The source port and address for the connection to the VM are the port and address of the remote computer on the Internet, not the port and address exposed by the load balancer.
  • When you create NSGs to filter traffic coming through an internal load balancer (ILB), the source port and address range applied are those of the originating computer, not the load balancer. The destination port and address range are those of the destination computer, not the load balancer.

Other

  • Endpoint-based access control lists (ACL) and NSGs are not supported on the same VM instance. If you want to use an NSG and have an endpoint ACL already in place, first remove the endpoint ACL. For information about how to remove an endpoint ACL, see the Manage endpoint ACLs article.
  • In Resource Manager, you can use an NSG associated to a NIC on VMs with multiple NICs to enable management (remote access) on a per-NIC basis. Associating a unique NSG to each NIC enables separation of traffic types across NICs.
  • Similar to the use of load balancers, when filtering traffic from other VNets, you must use the source address range of the remote computer, not the gateway connecting the VNets.
  • Many Azure services cannot be connected to VNets. If an Azure resource is not connected to a VNet, you cannot use an NSG to filter traffic to the resource. Read the documentation for the services you use to determine whether the service can be connected to a VNet.

Sample deployment

To illustrate the application of the information in this article, consider a common scenario of a two-tier application, shown in the following picture:

[Figure: NSG (two-tier application scenario)]

As shown in the diagram, the Web1 and Web2 VMs are connected to the FrontEnd subnet, and the DB1 and DB2 VMs are connected to the BackEnd subnet. Both subnets are part of the TestVNet VNet. Each application component runs within an Azure VM connected to the VNet. The scenario has the following requirements:

  1. Separation of traffic between the WEB and DB servers.
  2. Load balancing rules forward traffic from the load balancer to all web servers on port 80.
  3. Load balancer NAT rules forward traffic coming into the load balancer on port 50001 to port 3389 on the WEB1 VM.
  4. No access to the front-end or back-end VMs from the Internet, except for requirements 2 and 3.
  5. No outbound Internet access from the WEB or DB servers.
  6. Access from the FrontEnd subnet is allowed to port 3389 of any web server.
  7. Access from the FrontEnd subnet is allowed to port 3389 of any DB server.
  8. Access from the FrontEnd subnet is allowed to port 1433 of all DB servers.
  9. Separation of management traffic (port 3389) and database traffic (port 1433) on different NICs in the DB servers.

Requirements 1-6 (except requirements 3 and 4) are all confined to subnet spaces. The following NSGs meet the previous requirements while minimizing the number of NSGs required:

FrontEnd

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-HTTP-Internet | Allow | 100 | Internet | * | * | 80 | TCP |
| Allow-Inbound-RDP-Internet | Allow | 200 | Internet | * | * | 3389 | TCP |
| Deny-Inbound-All | Deny | 300 | Internet | * | * | * | TCP |

Outbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | * | * | Internet | * | * |

BackEnd

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | Internet | * | * | * | * |

Outbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Internet-All | Deny | 100 | * | * | Internet | * | * |

The following NSGs are created and associated to NICs in the following VMs:

WEB1

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-RDP-Internet | Allow | 100 | Internet | * | * | 3389 | TCP |
| Allow-Inbound-HTTP-Internet | Allow | 200 | Internet | * | * | 80 | TCP |

Note

The source address range for the previous rules is Internet, not the virtual IP address of the load balancer. The source port is *, not 50001. NAT rules for load balancers are not the same as NSG security rules. NSG security rules always relate to the original source and final destination of the traffic, not the load balancer between the two.

WEB2

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Deny-Inbound-RDP-Internet | Deny | 100 | Internet | * | * | 3389 | TCP |
| Allow-Inbound-HTTP-Internet | Allow | 200 | Internet | * | * | 80 | TCP |

DB servers (Management NIC)

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-RDP-Front-end | Allow | 100 | 192.168.1.0/24 | * | * | 3389 | TCP |

DB servers (Database traffic NIC)

Inbound rules

| Rule | Access | Priority | Source address range | Source port | Destination address range | Destination port | Protocol |
|---|---|---|---|---|---|---|---|
| Allow-Inbound-SQL-Front-end | Allow | 100 | 192.168.1.0/24 | * | * | 1433 | TCP |

Since some of the NSGs are associated to individual NICs, these rules are for resources deployed through Resource Manager. Rules for the subnet and the NIC are combined, depending on how they are associated.
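To make the rule-processing order described above concrete (subnet NSG then NIC NSG for inbound, NIC NSG then subnet NSG for outbound, first match by priority, default rules last), here is an added Python model that replays the sample deployment's NSGs; it is example code written for this page, not Azure's own evaluation logic. It assumes an address plan the page does not give (TestVNet 192.168.0.0/16, FrontEnd 192.168.1.0/24, BackEnd 192.168.2.0/24, constructed host and client addresses), simplifies the default tags to those prefixes, and adds one rule of its own, Deny-Inbound-VNet-All, to show that the default AllowVNetInBound rule still admits VNet traffic to ports a NIC NSG does not mention unless an explicit deny is added.

```python
import ipaddress
from collections import namedtuple

# Assumed address plan (not given on the page): TestVNet 192.168.0.0/16,
# FrontEnd 192.168.1.0/24 (the prefix in the page's DB NIC rules), BackEnd 192.168.2.0/24.
VNET = ipaddress.ip_network("192.168.0.0/16")
PROBE_SOURCE = ipaddress.ip_address("168.63.129.16")  # host node VIP, health probe source

# Fields mirror the page's rule properties; ports are "n", "lo-hi" or "*"; prefixes are an
# IP, a CIDR, a default tag or "*"; protocol is "TCP", "UDP" or "*".
Rule = namedtuple("Rule", "name priority direction access src src_port dst dst_port protocol")

def addr_matches(prefix, ip):
    """Resolve a default tag, CIDR or single IP against a packet address (simplified model)."""
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "AzureLoadBalancer":
        return ip == PROBE_SOURCE
    if prefix == "Internet":  # outside the VNet, probe source excluded
        return ip not in VNET and ip != PROBE_SOURCE
    return ip in ipaddress.ip_network(prefix, strict=False)

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def default_rules(direction):
    """The non-deletable default rules from the page; lowest priority of all."""
    if direction == "Inbound":
        return [Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "*", "VirtualNetwork", "*", "*"),
                Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*", "*", "*"),
                Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*")]
    return [Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "*", "VirtualNetwork", "*", "*"),
            Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*", "*"),
            Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*")]

def evaluate_nsg(rules, direction, src, sport, dst, dport, proto):
    """First match in ascending priority order decides; later rules are not tested."""
    candidates = [r for r in rules if r.direction == direction] + default_rules(direction)
    for r in sorted(candidates, key=lambda r: r.priority):
        if (addr_matches(r.src, src) and port_matches(r.src_port, sport)
                and addr_matches(r.dst, dst) and port_matches(r.dst_port, dport)
                and r.protocol in ("*", proto)):
            return r.access, r.name
    raise AssertionError("unreachable: a DenyAll default always matches")

def is_allowed(subnet_nsg, nic_nsg, direction, src, sport, dst, dport, proto="TCP"):
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG. A deny at
    either stage drops the packet. Returns (allowed, name of the deciding rule)."""
    order = [subnet_nsg, nic_nsg] if direction == "Inbound" else [nic_nsg, subnet_nsg]
    decision = ("Allow", "<no NSG>")
    for nsg in order:
        if nsg is None:  # no NSG associated at this level
            continue
        decision = evaluate_nsg(nsg, direction, src, sport, dst, dport, proto)
        if decision[0] == "Deny":
            break
    return decision[0] == "Allow", decision[1]

# The NSGs from the page's sample deployment (subnet NSGs, then per-NIC NSGs).
FRONTEND = [Rule("Allow-Inbound-HTTP-Internet", 100, "Inbound", "Allow", "Internet", "*", "*", "80", "TCP"),
            Rule("Allow-Inbound-RDP-Internet", 200, "Inbound", "Allow", "Internet", "*", "*", "3389", "TCP"),
            Rule("Deny-Inbound-All", 300, "Inbound", "Deny", "Internet", "*", "*", "*", "TCP"),
            Rule("Deny-Internet-All", 100, "Outbound", "Deny", "*", "*", "Internet", "*", "*")]
BACKEND = [Rule("Deny-Internet-All", 100, "Inbound", "Deny", "Internet", "*", "*", "*", "*"),
           Rule("Deny-Internet-All", 100, "Outbound", "Deny", "*", "*", "Internet", "*", "*")]
WEB1 = [Rule("Allow-Inbound-RDP-Internet", 100, "Inbound", "Allow", "Internet", "*", "*", "3389", "TCP"),
        Rule("Allow-Inbound-HTTP-Internet", 200, "Inbound", "Allow", "Internet", "*", "*", "80", "TCP")]
WEB2 = [Rule("Deny-Inbound-RDP-Internet", 100, "Inbound", "Deny", "Internet", "*", "*", "3389", "TCP"),
        Rule("Allow-Inbound-HTTP-Internet", 200, "Inbound", "Allow", "Internet", "*", "*", "80", "TCP")]
DB_DATA_NIC = [Rule("Allow-Inbound-SQL-Front-end", 100, "Inbound", "Allow", "192.168.1.0/24", "*", "*", "1433", "TCP")]
# Added here, not on the page: an explicit deny after the allow, so AllowVNetInBound no longer admits other VNet traffic.
DB_DATA_NIC_HARDENED = DB_DATA_NIC + [
    Rule("Deny-Inbound-VNet-All", 4096, "Inbound", "Deny", "VirtualNetwork", "*", "*", "*", "*")]

if __name__ == "__main__":  # constructed hosts: WEB2 192.168.1.5, client 203.0.113.10
    print(is_allowed(FRONTEND, WEB2, "Inbound", "203.0.113.10", 51515, "192.168.1.5", 3389))
```

Running it shows the RDP packet to WEB2 allowed by the FrontEnd subnet NSG but dropped by the NIC NSG, which is the inbound order the text describes.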

Next steps