Network Packet Broker
The Network Packet Broker for Azure Operator Nexus is a specialized Microsoft Azure offering designed for telecommunications service providers. With the Network Packet Broker for Azure Operator Nexus, telecom operators can efficiently capture, aggregate, filter, and monitor traffic in their infrastructure (AON) for deep packet inspection, traffic analysis, and enhanced network monitoring. This is critical for the telecom industry, where maintaining high-quality service, ensuring security, and complying with regulatory requirements are essential. By applying this solution, operators gain clearer visibility into their network traffic, troubleshoot issues more effectively, and ultimately deliver improved service to their customers while upholding the highest standards of network security and performance.
The Network Packet Broker (NPB) is designed and modeled as an individual top-level Azure Resource Manager (ARM) resource under Microsoft.managednetworkfabric. Operators can create, read, update, and delete Network TAP, Network TAP Rule, and Neighbor Group features. Each Network Packet Broker has multiple resources, such as Network TAPs, Neighbor Groups, and Network TAP Rules, to manage, filter, and forward the specified traffic.
Steps to enable the Network Packet Broker
Prerequisites
- The NPB device is properly racked, stacked, and provisioned. For the procedure to provision the Network Fabric, see Network Fabric provisioning.
- Individual vProbes should be configured with dedicated IPs.
- For internal vProbes, a Layer 3 isolation domain with an internal network should be created. In addition, the required connected subnets should be configured and the extension flag should be set to NPB (in the internal network). For the procedure to create internal and external networks on an isolation domain and to set the extension flag to NPB, see Isolation Domain.
- For Network-to-Network Interconnect (NNI) use cases, the NNI should be created with type NPB. Appropriate Layer 2 and Layer 3 properties should be defined during NNI creation. For the procedure to create a Network-to-Network Interconnect (NNI), see Network Fabric provisioning.
Steps
- Create a Network TAP Rule that provides the match configuration (only the Inline input method is supported).
- Create a Neighbor Group resource that defines the destinations.
- Create a Network TAP resource that references the TAP rule and the Neighbor Group.
- Enable the Network TAP resource.
NPB
NNF creates this resource automatically during bootstrap.
Show NPB
This command shows the details of the NPB logical resource.
az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"
Expected output
{
"properties": {
"networkFabricId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
"networkDeviceIds": [
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
],
"sourceInterfaceIds": [
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
],
"networkTapIds": [
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
],
"neighborGroupIds": [
"/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
],
"provisioningState": "Succeeded"
},
"tags": {
"key2806": "key"
},
"location": "eastuseuap",
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
"name": "example-networkPacketBroker",
"type": "microsoft.managednetworkfabric/networkPacketBrokers",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-05-17T11:56:12.100Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-17T11:56:12.100Z"
}
}
Network TAP Rule
The NetworkTapRule resource lets you provide a filtering and forwarding combination of conditions and actions.
Parameters for Network TAP Rule
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name for the NetworkTapRule | resourceGroupName | True |
resource-name | Resource name of the Network TAP rule | InternetTAPrule1 | True |
location | AzON Azure region used during Network Fabric Controller creation | eastus | True |
configuration-type | Input method for configuring the Network TAP rule. | Inline or File | True |
match-configurations | List of match configurations. | | |
match-configurations/matchconfigurationName | Name of the match configuration block | | |
match-configurations/sequenceNumber | Sequence number of the match configuration | | |
match-configurations/ipAddressType | IP address family | | |
match-configurations/matchconditions | List of dynamic match conditions based on port, protocol, VLAN, and IP conditions. | | |
match-configurations/action | Provides the action details. The action can be Drop, Count, Log, Goto, Redirect, or Mirror | | |
dynamic-match-configurations | List of dynamic match configurations based on port, VLAN, and IP | | |
Note
Network TAP rules and Neighbor Groups must be created before they can be referenced in a Network TAP.
Create a Network TAP Rule
This command creates a Network TAP rule:
az networkfabric taprule create --resource-group "example-rg" --location "westus3" --resource-name "example-networktaprule" \
--configuration-type "Inline" \
--match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],\
actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]" \
--dynamic-match-configurations "[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'example-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"
Expected output:
{
"properties": {
"networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"example-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "example-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
Show Network TAP Rule
This command shows the Network TAP rule resource:
az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"
Expected output:
{
"properties": {
"networkTapId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"example-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "example-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
Neighbor Group
The Neighbor Group resource enables grouping of destinations for forwarding filtered traffic.
Parameters for Neighbor Group
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name specifically for your NeighborGroup | resourceGroupName | True |
resource-name | Resource name of the NeighborGroup | example-Neighbor | True |
location | AzON Azure region used during NFC creation | eastus | True |
destination | List of IPv4 or IPv6 destinations to forward traffic to | 10.10.10.10 | True |
Create a Neighbor Group
This command creates a Neighbor Group resource:
az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3" \
--resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"
Expected output:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
Show Neighbor Group resource
This command shows the Neighbor Group resource:
az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"
Expected output:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
Network TAP
A Network TAP lets the operator define the destinations and the encapsulation mechanism for forwarding filtered traffic based on Network TAP rules.
Parameters for Network TAP
Parameter | Description | Example | Required |
---|---|---|---|
resource-group | Use the appropriate resource group name for the Network TAP | resourceGroupName | True |
resource-name | Resource name of the Network TAP | NetworkTAP-Austin | True |
location | AzON Azure region used during NFC creation | eastus | True |
network-packet-broker-id | ARM ID of the Network Packet Broker resource | | True |
polling-type | Polling method for Network TAP rules (Push or Pull) | Pull | True |
destinations | Destination definition | | True |
destination/name | Name of the destination | | |
destination/type | Destination type: IsolationDomain or NNI | | |
destination/IsolationDomainProperties | Details of the isolation domain: encapsulation and Neighbor Group IDs | Azure Resource Manager (ARM) ID of the internal network or NNI | False |
destinationTapRuleId | ARM ID of the TAP rule that must be applied | | True |
Note
Network TAP rules and Neighbor Groups must be created before they can be referenced in a Network TAP.
NetworkTAP device programming naming conventions / best practices:
Ensure that the configurations and values within these field-set names (vlanGroupNames, ipGroupNames, portGroupNames) are unique and do not conflict with each other.
Recommendations:
Unique field-set names: Field-set names across NetworkTAPRules must be unique if the field-set contents differ.
Unique resource names: NetworkTAP and NetworkTAPRule resource names must be unique within the resource group within a fabric.
Regional resource creation: NetworkTAP and NetworkTAPRule resources must be created within a region and associated with the respective fabric in that region.
Destination name modification: Destination names defined in the Network TAP rule's destination configuration are unique. Once the Network TAP configuration has been pushed to the device, the destination name cannot be modified.
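Because a conflicting or dangling field-set name is only discovered once the configuration is pushed to the device, it is worth checking the rules before that point. The following added example (not part of the page or the az CLI) runs three pre-flight checks over the JSON that `az networkfabric taprule show` returns: every portGroupNames / vlanGroupNames / ipGroupNames reference must be defined in the rule's dynamicMatchConfigurations, sequence numbers within a rule must be unique, and a field-set name reused across rules must have identical contents. The sample rules are constructed here and modelled on the page's expected output, including its reference to an ipGroup named `example-ipGroup` while the rule defines `example-ipGroup1`.

```python
"""Pre-flight checks for Network TAP rules before they are pushed to the device.

Added example; not the page's or the az CLI's own code. Input is the JSON shape
returned by `az networkfabric taprule show`; the sample rules below are constructed.
"""

# dynamicMatchConfigurations key -> (key holding the values, reference key in match conditions)
GROUP_KINDS = {
    "portGroups": ("ports", "portGroupNames"),
    "vlanGroups": ("vlans", "vlanGroupNames"),
    "ipGroups": ("ipPrefixes", "ipGroupNames"),
}


def group_definitions(rule):
    """Return {fieldSetName: (kind, frozenset(values))} defined by one rule."""
    defs = {}
    for dmc in rule["properties"].get("dynamicMatchConfigurations", []):
        for kind, (values_key, _) in GROUP_KINDS.items():
            for group in dmc.get(kind, []):
                defs[group["name"]] = (kind, frozenset(group.get(values_key, [])))
    return defs


def group_references(rule):
    """Yield (kind, name) for every field set referenced from a match condition."""
    condition_keys = {"portGroups": "portCondition", "vlanGroups": "vlanMatchCondition",
                      "ipGroups": "ipCondition"}
    for mc in rule["properties"].get("matchConfigurations", []):
        for cond in mc.get("matchConditions", []):
            for kind, (_, ref_key) in GROUP_KINDS.items():
                for name in cond.get(condition_keys[kind], {}).get(ref_key, []):
                    yield kind, name


def check_rule(rule):
    """Per-rule checks: dangling or mistyped references, duplicate sequence numbers."""
    findings = []
    defs = group_definitions(rule)
    for kind, name in group_references(rule):
        if name not in defs:
            findings.append(f"{rule['name']}: {kind[:-1]}Name '{name}' referenced but not defined")
        elif defs[name][0] != kind:
            findings.append(f"{rule['name']}: '{name}' is defined under {defs[name][0]} "
                            f"but referenced as {kind}")
    seqs = [mc["sequenceNumber"] for mc in rule["properties"].get("matchConfigurations", [])]
    for seq in sorted({s for s in seqs if seqs.count(s) > 1}):
        findings.append(f"{rule['name']}: sequenceNumber {seq} used more than once")
    return findings


def check_rule_set(rules):
    """Per-rule checks plus the cross-rule naming rules stated on the page."""
    findings = []
    names = [r["name"] for r in rules]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"resource name '{dup}' is used by more than one NetworkTAPRule")
    seen = {}  # field-set name -> (rule name, kind, contents)
    for rule in rules:
        findings.extend(check_rule(rule))
        for name, (kind, contents) in group_definitions(rule).items():
            if name in seen and seen[name][1:] != (kind, contents):
                findings.append(f"field-set '{name}' in {rule['name']} conflicts with "
                                f"{seen[name][0]} (same name, different contents)")
            seen.setdefault(name, (rule["name"], kind, contents))
    return findings


def sample_rules():
    """Constructed sample: rule 1 mirrors the page's output, rule 2 introduces two more faults."""
    rule1 = {"name": "example-tapRule", "properties": {
        "matchConfigurations": [{"matchConfigurationName": "config1", "sequenceNumber": 10,
            "matchConditions": [{
                "portCondition": {"portType": "SourcePort", "l4Protocol": "TCP", "ports": ["100"],
                                  "portGroupNames": ["example-portGroup1"]},
                "vlanMatchCondition": {"vlans": ["10"], "vlanGroupNames": ["example-vlanGroup"]},
                "ipCondition": {"type": "SourceIP", "ipGroupNames": ["example-ipGroup"]}}]}],
        "dynamicMatchConfigurations": [{
            "ipGroups": [{"name": "example-ipGroup1", "ipPrefixes": ["10.10.10.10/30"]}],
            "vlanGroups": [{"name": "example-vlanGroup", "vlans": ["10", "100-200"]}],
            "portGroups": [{"name": "example-portGroup1", "ports": ["100-200"]}]}]}}
    rule2 = {"name": "example-tapRule2", "properties": {
        "matchConfigurations": [
            {"matchConfigurationName": "c1", "sequenceNumber": 10, "matchConditions": []},
            {"matchConfigurationName": "c2", "sequenceNumber": 10, "matchConditions": []}],
        "dynamicMatchConfigurations": [{
            "portGroups": [{"name": "example-portGroup1", "ports": ["900", "1000-2000"]}]}]}}
    return [rule1, rule2]


if __name__ == "__main__":
    for finding in check_rule_set(sample_rules()):
        print(finding)
```

In practice the input would be the list produced by `az networkfabric taprule list --resource-group <rg> -o json`, run before the Network TAP that references the rules is enabled.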
Create a Network TAP
This command creates a Network TAP resource:
az networkfabric tap create --resource-group "example-rg" --location "westus3" \
--resource-name "example-networktap" \
--network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
--polling-type "Pull" \
--destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsolationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\