

Network Packet Broker

Network Packet Broker for Azure Operator Nexus is a specialized Microsoft Azure offering designed for telecommunications service providers. With Network Packet Broker for Azure Operator Nexus, telecom operators can efficiently capture, aggregate, filter, and monitor traffic across their infrastructure (AON) for deep packet inspection, traffic analysis, and enhanced network monitoring. This is crucial for the telecommunications industry, where maintaining high-quality service, ensuring security, and complying with regulatory requirements are essential. By applying this solution, operators gain clearer visibility into their network traffic, can troubleshoot issues more effectively, and ultimately deliver improved service to their customers while maintaining the highest standards of network security and performance.

Network Packet Broker (NPB) is designed and modeled as a separate top-level Azure Resource Manager (ARM) resource under Microsoft.managednetworkfabric. Operators can create, read, update, and delete Network TAP, Network TAP rule, and Neighbor Group capabilities. Each Network Packet Broker has multiple resources, such as Network TAPs, Neighbor Groups, and Network TAP rules, to manage, filter, and forward the specified traffic.

Steps to enable Network Packet Broker

Prerequisites

  • NPB devices are correctly racked, stacked, and provisioned. For the procedure to provision the Network Fabric, see Network Fabric provisioning.
  • Separate vProbes should be configured with dedicated IPs.
  • For internal vProbes, a Layer 3 isolation domain with an internal network should be created. In addition, the required connected subnets should be configured, and the extension flag should be set to NPB (in the internal network). For the procedure to create internal and external networks on an isolation domain and to set the extension flag to NPB, see Isolation domain.
  • For the network-to-network interconnect (NNI) use case, the NNI should be created as type NPB. Appropriate Layer 2 and Layer 3 properties should be defined during NNI creation. For the procedure to create a network-to-network interconnect (NNI), see Network Fabric provisioning.

Steps

  1. Create a Network TAP rule that provides the match configuration (only the inline input method is supported).
  2. Create a Neighbor Group resource that defines the destination.
  3. Create a Network TAP resource that references the TAP rule and the Neighbor Group.
  4. Enable the Network TAP resource.

NPB

NNF creates this resource automatically during bootstrap.

Show NPB

This command displays the details of the NPB logical resource.

az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"

Expected output

{
  "properties": {
    "networkFabricId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
    "networkDeviceIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
    ],
    "sourceInterfaceIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
    ],
    "networkTapIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
    ],
    "neighborGroupIds": [
      "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
    ],
    "provisioningState": "Succeeded"
  },
  "tags": {
    "key2806": "key"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
  "name": "example-networkPacketBroker",
  "type": "microsoft.managednetworkfabric/networkPacketBrokers",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-05-17T11:56:12.100Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-17T11:56:12.100Z"
  }
}

Network TAP rule

The NetworkTapRule resource lets you specify a filtering and forwarding combination of conditions and actions.

Parameters for Network TAP rule

Parameter | Description | Example | Required
resource-group | Use an appropriate resource group name for the NetworkTapRule | resourceGroupName | True
resource-name | Resource name of the Network TAP rule | InternetTAPrule1 | True
location | AzON Azure region used during Network Fabric Controller creation | eastus | True
configuration-type | Input method for configuring the Network TAP rule | Inline or File | True
match-configurations | List of match configurations | |
match-configurations/matchconfigurationName | Name of the match configuration block | |
match-configurations/sequenceNumber | Sequence number of the match configuration | |
match-configurations/ipAddressType | IP address family | |
match-configurations/matchconditions | List of dynamic match conditions based on port, protocol, VLAN, and IP | |
match-configurations/action | Provides the action details. The action can be Drop, Count, Log, Goto, Redirect, or Mirror | |
dynamic-match-configurations | List of dynamic match configurations based on port, VLAN, and IP | |

Note

Network TAP rules and Neighbor Groups must be created before they can be referenced in a Network TAP.

Create Network TAP rule

This command creates a Network TAP rule:

az networkfabric taprule create --resource-group "example-rg" --location "westus3" --resource-name "example-networktaprule" \
 --configuration-type "Inline" \
 --match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],\
actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]" \
 --dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'example-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"

Expected output:

{
  "properties": {
    "networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
    "pollingIntervalInSeconds": 30,
    "lastSyncedTime": "2023-06-12T07:11:22.485Z",
    "configurationState": "Succeeded",
    "provisioningState": "Accepted",
    "administrativeState": "Enabled",
    "annotation": "annotation",
    "configurationType": "Inline",
    "tapRulesUrl": "",
    "matchConfigurations": [
      {
        "matchConfigurationName": "config1",
        "sequenceNumber": 10,
        "ipAddressType": "IPv4",
        "matchConditions": [
          {
            "encapsulationType": "None",
            "portCondition": {
              "portType": "SourcePort",
              "l4Protocol": "TCP",
              "ports": [
                "100"
              ],
              "portGroupNames": [
                "example-portGroup1"
              ]
            },
            "protocolTypes": [
              "TCP"
            ],
            "vlanMatchCondition": {
              "vlans": [
                "10"
              ],
              "innerVlans": [
                "11-20"
              ],
              "vlanGroupNames": [
                "example-vlanGroup"
              ]
            },
            "ipCondition": {
              "type": "SourceIP",
              "prefixType": "Prefix",
              "ipPrefixValues": [
                "10.10.10.10/20"
              ],
              "ipGroupNames": [
                "example-ipGroup"
              ]
            }
          }
        ],
        "actions": [
          {
            "type": "Drop",
            "truncate": "100",
            "isTimestampEnabled": "True",
            "destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
            "matchConfigurationName": "match1"
          }
        ]
      }
    ],
    "dynamicMatchConfigurations": [
      {
        "ipGroups": [
          {
            "name": "example-ipGroup1",
            "ipPrefixes": [
              "10.10.10.10/30"
            ]
          }
        ],
        "vlanGroups": [
          {
            "name": "example-vlanGroup",
            "vlans": [
              "10",
              "100-200"
            ]
          }
        ],
        "portGroups": [
          {
            "name": "example-portGroup1",
            "ports": [
              "100-200"
            ]
          },
          {
            "name": "example-portGroup2",
            "ports": [
              "900",
              "1000-2000"
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "keyID": "keyValue"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
  "name": "example-tapRule",
  "type": "microsoft.managednetworkfabric/networkTapRules",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-06-12T07:11:22.488Z",
    "lastModifiedBy": "user@mail.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-06-12T07:11:22.488Z"
  }
}

Show Network TAP rule

This command shows the Network TAP rule resource:

az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"

Expected output:

{
  "properties": {
    "networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
    "pollingIntervalInSeconds": 30,
    "lastSyncedTime": "2023-06-12T07:11:22.485Z",
    "configurationState": "Succeeded",
    "provisioningState": "Accepted",
    "administrativeState": "Enabled",
    "annotation": "annotation",
    "configurationType": "Inline",
    "tapRulesUrl": "",
    "matchConfigurations": [
      {
        "matchConfigurationName": "config1",
        "sequenceNumber": 10,
        "ipAddressType": "IPv4",
        "matchConditions": [
          {
            "encapsulationType": "None",
            "portCondition": {
              "portType": "SourcePort",
              "l4Protocol": "TCP",
              "ports": [
                "100"
              ],
              "portGroupNames": [
                "example-portGroup1"
              ]
            },
            "protocolTypes": [
              "TCP"
            ],
            "vlanMatchCondition": {
              "vlans": [
                "10"
              ],
              "innerVlans": [
                "11-20"
              ],
              "vlanGroupNames": [
                "example-vlanGroup"
              ]
            },
            "ipCondition": {
              "type": "SourceIP",
              "prefixType": "Prefix",
              "ipPrefixValues": [
                "10.10.10.10/20"
              ],
              "ipGroupNames": [
                "example-ipGroup"
              ]
            }
          }
        ],
        "actions": [
          {
            "type": "Drop",
            "truncate": "100",
            "isTimestampEnabled": "True",
            "destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
            "matchConfigurationName": "match1"
          }
        ]
      }
    ],
    "dynamicMatchConfigurations": [
      {
        "ipGroups": [
          {
            "name": "example-ipGroup1",
            "ipPrefixes": [
              "10.10.10.10/30"
            ]
          }
        ],
        "vlanGroups": [
          {
            "name": "example-vlanGroup",
            "vlans": [
              "10",
              "100-200"
            ]
          }
        ],
        "portGroups": [
          {
            "name": "example-portGroup1",
            "ports": [
              "100-200"
            ]
          },
          {
            "name": "example-portGroup2",
            "ports": [
              "900",
              "1000-2000"
            ]
          }
        ]
      }
    ]
  },
  "tags": {
    "keyID": "keyValue"
  },
  "location": "eastuseuap",
  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
  "name": "example-tapRule",
  "type": "microsoft.managednetworkfabric/networkTapRules",
  "systemData": {
    "createdBy": "email@address.com",
    "createdByType": "User",
    "createdAt": "2023-06-12T07:11:22.488Z",
    "lastModifiedBy": "user@mail.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-06-12T07:11:22.488Z"
  }
}

Neighbor Group

The Neighbor Group resource enables grouping of destinations to which filtered traffic is forwarded.

Parameters for Neighbor Group

Parameter | Description | Example | Required
resource-group | Use an appropriate resource group name, specifically for your NeighborGroup | resourceGroupName | True
resource-name | Resource name of the NeighborGroup | example-Neighbor | True
location | AzON Azure region used during NFC creation | eastus | True
destination | List of IPv4 or IPv6 destinations to which traffic is forwarded | 10.10.10.10 | True

Create Neighbor Group

This command creates a Neighbor Group resource:

az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3" \
 --resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"

Expected output:

{
  "properties": {
    "networkTapIds": [
    ],
    "networkTapRuleIds": [
    ],
    "destination": {
      "ipv4Addresses": [
        "10.10.10.10"
      ]
    },
    "provisioningState": "Succeeded",
    "annotation": "annotation"
  },
  "tags": {
    "keyID": "KeyValue"
  },
  "location": "eastus",
  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
  "name": "example-neighborGroup",
  "type": "microsoft.managednetworkfabric/neighborGroups",
  "systemData": {
    "createdBy": "user@mail.com",
    "createdByType": "User",
    "createdAt": "2023-05-23T05:49:59.193Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
  }
}

Show Neighbor Group resource

This command shows the Neighbor Group resource:

az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"

Expected output:

{
  "properties": {
    "networkTapIds": [
    ],
    "networkTapRuleIds": [
    ],
    "destination": {
      "ipv4Addresses": [
        "10.10.10.10"
      ]
    },
    "provisioningState": "Succeeded",
    "annotation": "annotation"
  },
  "tags": {
    "keyID": "KeyValue"
  },
  "location": "eastus",
  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
  "name": "example-neighborGroup",
  "type": "microsoft.managednetworkfabric/neighborGroups",
  "systemData": {
    "createdBy": "user@mail.com",
    "createdByType": "User",
    "createdAt": "2023-05-23T05:49:59.193Z",
    "lastModifiedBy": "email@address.com",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
  }
}

Network TAP

The Network TAP lets operators define the destinations and encapsulation mechanisms used to forward filtered traffic according to the Network TAP rules.

Parameters for Network TAP

Parameter | Description | Example | Required
resource-group | Use an appropriate resource group name for the Network TAP | resourceGroupName | True
resource-name | Resource name of the Network TAP | NetworkTAP-Austin | True
location | AzON Azure region used during NFC creation | eastus | True
network-packet-broker-id | ARM ID of the Network Packet Broker resource | | True
polling-type | Polling method for the Network TAP rules (Push or Pull) | Pull | True
destinations | Destination definitions | | True
destination/name | Name of the destination | |
destination/type | Destination type: IsolationDomain or NNI | |
destination/IsolationDomainProperties | Details of the isolation domain: encapsulation and Neighbor Group IDs | ARM ID of the internal network or NNI | False
destinationTapRuleId | ARM ID of the TAP rule that must be applied | | True

Note

Network TAP rules and Neighbor Groups must be created before they can be referenced in a Network TAP.

NetworkTAP device programming naming conventions and best practices:

Make sure that the configurations and values within these field set names (vlanGroupNames, ipGroupNames, portGroupNames) are unique and do not conflict with each other.

  • Recommendations

    • Unique field set names: Field set names across NetworkTAPRules must be unique if the field set contents differ.

    • Unique resource names: NetworkTAP and NetworkTAPRule resource names must be unique within a resource group in the fabric.

    • Regional resource creation: NetworkTAP and NetworkTAPRule resources must be created within a region and associated with the respective fabric in that region.

    • Destination name modification: The destination name defined in the Network TAP rule destination configuration is unique. Once the Network TAP configuration has been pushed to the device, the destination name cannot be modified.
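As an added example (not from this page or from Microsoft's tooling), the following Python lint applies the field-set uniqueness recommendation above and the allowed action types from the Network TAP rule parameter table to NetworkTapRule property documents of the shape shown in the taprule output (for instance the JSON returned by `az networkfabric taprule show`). It also checks that every group name a match condition references is defined in that rule's dynamicMatchConfigurations, which is an assumption about how the device resolves group references; the rule definitions are constructed sample data, and the page's own expected output references ipGroupNames 'example-ipGroup' while defining 'example-ipGroup1', which this check flags.

```python
# Allowed action types (parameter table above); match-condition reference key -> (group kind, values key).
ALLOWED_ACTIONS = {"Drop", "Count", "Log", "Goto", "Redirect", "Mirror"}
GROUP_KEYS = {"portGroupNames": ("portGroups", "ports"), "vlanGroupNames": ("vlanGroups", "vlans"),
              "ipGroupNames": ("ipGroups", "ipPrefixes")}

def collect_groups(rule):
    # (group kind, group name) -> frozenset of values defined in one rule's dynamic groups
    groups = {}
    for dyn in rule.get("dynamicMatchConfigurations", []):
        for kind, values_key in GROUP_KEYS.values():
            for g in dyn.get(kind, []):
                groups[(kind, g["name"])] = frozenset(g.get(values_key, []))
    return groups

def lint_rules(rules):
    """Return findings for a {ruleName: properties} dict of NetworkTapRule definitions."""
    findings, seen = [], {}  # seen: (kind, name) -> (first rule, values), across all rules
    for rule_name, rule in rules.items():
        groups = collect_groups(rule)
        for key, values in groups.items():
            if key in seen and seen[key][1] != values:  # same name, different contents
                findings.append(f"{rule_name}: {key[0]} '{key[1]}' conflicts with {seen[key][0]}")
            seen.setdefault(key, (rule_name, values))
        for mc in rule.get("matchConfigurations", []):
            seq = mc["sequenceNumber"]
            for cond in mc.get("matchConditions", []):
                for sub in cond.values():  # portCondition, vlanMatchCondition, ipCondition
                    for ref_key, (kind, _) in GROUP_KEYS.items():
                        for name in (sub.get(ref_key, []) if isinstance(sub, dict) else []):
                            if (kind, name) not in groups:
                                findings.append(f"{rule_name}: seq {seq} references undefined {kind} '{name}'")
            for action in mc.get("actions", []):
                if action["type"] not in ALLOWED_ACTIONS:
                    findings.append(f"{rule_name}: seq {seq} uses unsupported action '{action['type']}'")
    return findings

# Constructed sample shaped like the taprule output above, plus a second rule that breaks the recommendations.
SAMPLE_RULES = {
    "example-tapRule": {
        "matchConfigurations": [{"sequenceNumber": 10, "actions": [{"type": "Drop"}],
            "matchConditions": [{"portCondition": {"portGroupNames": ["example-portGroup1"]},
                "vlanMatchCondition": {"vlanGroupNames": ["example-vlanGroup"]}, "ipCondition": {"ipGroupNames": ["example-ipGroup"]}}]}],
        "dynamicMatchConfigurations": [{
            "ipGroups": [{"name": "example-ipGroup1", "ipPrefixes": ["10.10.10.10/30"]}],
            "vlanGroups": [{"name": "example-vlanGroup", "vlans": ["10", "100-200"]}],
            "portGroups": [{"name": "example-portGroup1", "ports": ["100-200"]}]}]},
    "second-tapRule": {  # reuses the VLAN group name with other contents and uses an invalid action
        "matchConfigurations": [{"sequenceNumber": 10, "matchConditions": [], "actions": [{"type": "Forward"}]}],
        "dynamicMatchConfigurations": [{"vlanGroups": [{"name": "example-vlanGroup", "vlans": ["20"]}]}]},
}
```

Run `lint_rules` over the `properties` objects of every rule in a fabric before pushing a Network TAP, since a conflicting group name can only be corrected by recreating the rule once the configuration is on the device.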

Create Network TAP

This command creates a Network TAP resource:

az networkfabric tap create --resource-group "example-rg" --location "westus3" \
--resource-name "example-networktap" \
--network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
--polling-type "Pull" \
--destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\