網路封包代理
Azure 運算子連接點的網路封包代理程式是專為電信服務提供商設計的 Microsoft Azure 特殊供應項目。 透過 Azure 運算子連接點的網路封包代理程式,電信營運商可以有效地擷取、彙總、篩選和監視其基礎結構 (AON) 的流量,以便進行深入的封包檢查、流量分析和增強的網路監視。 這在電信業中尤其重要,因為維護高品質服務、確保安全性,以及遵守法規要求對於該行業而言至關重要。 藉由利用此解決方案,營運商可以更清楚地了解其網路流量、更有效地疑難解答問題,並最終為客戶提供更優質的服務,同時維持最高的網路安全性和效能標準。
NPB 已設計並模型化為獨立最上層 Azure Resource Manager (ARM) 資源,位於 Microsoft.managednetworkfabric 之下。 營運商可以建立、讀取、更新和刪除網路 TAP、網路 TAP 規則和鄰近群組功能。 每個網路封包代理程式都會有多個資源,例如網路 TAP、鄰近群組和網路 TAP 規則,用以管理、篩選和轉送指定的流量。
啟用網路封包代理程式的步驟
先決條件
- NPB 裝置已正確安裝至機架、堆疊和佈建。 關於如何佈建網路網狀架構的程序,請參閱網路網狀架構佈建。
- 個別的 vProbes 應設定為專用 IP
- 針對內部 vProbes,應該建立具有內部網路的第 3 層隔離網域。 應設定必要的連線子網路,此外,延伸模組旗標應該設定為 NPB (在內部網路中)。 關於如何在隔離網域上建立內部和外部網路的程序,以及將延伸模組旗標設定為 NPB,請參閱隔離網域。
- 針對網路對網路互連 (NNI) 使用案例,應該將 NNI 建立為
NPB類型。 建立 NNI 期間應該定義適當的第 2 層和第 3 層屬性。 關於如何建立網路到網路互連 (NNI) 的程序,請參閱網路網狀架構佈建。
步驟
- 建立提供比對組態的網路 TAP 規則 (僅支援內嵌輸入方法)
- 建立定義目的地的鄰近群組資源。
- 建立參考 Tap 規則和鄰近群組的網路 TAP 資源。
- 啟用網路 TAP 資源。
NPB
此資源會在啟動程序期間由 NNF 自動建立。
顯示 NPB
此命令會顯示 NPB 邏輯資源的詳細資料。
az networkfabric npb show --resource-group "example-rg" --resource-name "NPB1"
預期輸出
{
"properties": {
"networkFabricId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkFabrics/example-networkFabric",
"networkDeviceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice"
],
"sourceInterfaceIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkDevices/example-networkDevice/networkInterfaces/example-networkInterface"
],
"networkTapIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-networkTap"
],
"neighborGroupIds": [
"/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup"
],
"provisioningState": "Succeeded"
},
"tags": {
"key2806": "key"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker",
"name": "example-networkPacketBroker",
"type": "microsoft.managednetworkfabric/networkPacketBrokers",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-05-17T11:56:12.100Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-17T11:56:12.100Z"
}
}
網路 TAP 規則
NetworkTapRule 資源可讓您提供條件和動作的篩選和轉送組合。
網路 TAP 規則的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 針對 NetworkTapRule 使用適當的資源群組名稱 | resourceGroupName | True |
| resource-name | 網路 TAP 的資源名稱 | InternetTAPrule1 | True |
| location | 在 NFC 建立期間使用的 AzON Azure 區域 | eastus | True |
| configuration-type | 設定網路 TAP 規則的輸入方法。 | 內嵌或檔案 | True |
| match-configurations | 比對組態的清單。 | ||
| match-configurations/matchconfigurationName | 比對組態區塊的名稱 | ||
| match-configurations/sequenceNumber | 比對組態的序號 | ||
| match-configurations/ipAddressType | IP 位址家族 | ||
| match-configurations/matchconditions | 根據連接埠、通訊協定、Vlan 和 Ip 條件的動態比對條件清單。 | ||
| match-configurations/action | 提供動作詳細資料。 動作可以是 Drop、Count、Log、Goto、Redirect、Mirror | ||
| dynamic-match-configurations | 以連接埠、Vlan 和 IP 為基礎的動態比對組態清單 |
注意
必須先建立網路 TAP 規則和鄰近群組,才能在網路 TAP 中重新調整規則
建立網路 TAP 規則
此指令會建立網路 TAP 規則:
az networkfabric taprule create --resource-group "example-rg" --location "westus3"--resource-name "example-networktaprule"\
--configuration-type "Inline" \
--match-configurations "[{matchConfigurationName:config1,sequenceNumber:10,ipAddressType:IPv4,matchConditions:[{encapsulationType:None,portCondition:{portType:SourcePort,layer4Protocol:TCP,ports:[100],portGroupNames:['example-portGroup1']},protocolTypes:[TCP],vlanMatchCondition:{vlans:['10'],innerVlans:['11-20']},ipCondition:{type:SourceIP,prefixType:Prefix,ipPrefixValues:['10.10.10.10/20']}}],\
actions:[{type:Drop,truncate:100,isTimestampEnabled:True,destinationId:'/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup',matchConfigurationName:match1}]}]"\
--dynamic-match-configurations"[{ipGroups:[{name:'example-ipGroup1',ipAddressType:IPv4,ipPrefixes:['10.10.10.10/30']}],vlanGroups:[{name:'exmaple-vlanGroup',vlans:['10']}],portGroups:[{name:'example-portGroup1',ports:['100-200']}]}]"
預期輸出:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
顯示網路 TAP 規則
此指令會顯示 IP 社群資源:
az networkfabric taprule show --resource-group "example-rg" --resource-name "example-networktaprule"
預期輸出:
{
"properties": {
"networkTapId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTaps/example-taprule",
"pollingIntervalInSeconds": 30,
"lastSyncedTime": "2023-06-12T07:11:22.485Z",
"configurationState": "Succeeded",
"provisioningState": "Accepted",
"administrativeState": "Enabled",
"annotation": "annotation",
"configurationType": "Inline",
"tapRulesUrl": "",
"matchConfigurations": [
{
"matchConfigurationName": "config1",
"sequenceNumber": 10,
"ipAddressType": "IPv4",
"matchConditions": [
{
"encapsulationType": "None",
"portCondition": {
"portType": "SourcePort",
"l4Protocol": "TCP",
"ports": [
"100"
],
"portGroupNames": [
"example-portGroup1"
]
},
"protocolTypes": [
"TCP"
],
"vlanMatchCondition": {
"vlans": [
"10"
],
"innerVlans": [
"11-20"
],
"vlanGroupNames": [
"exmaple-vlanGroup"
]
},
"ipCondition": {
"type": "SourceIP",
"prefixType": "Prefix",
"ipPrefixValues": [
"10.10.10.10/20"
],
"ipGroupNames": [
"example-ipGroup"
]
}
}
],
"actions": [
{
"type": "Drop",
"truncate": "100",
"isTimestampEnabled": "True",
"destinationId": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"matchConfigurationName": "match1"
}
]
}
],
"dynamicMatchConfigurations": [
{
"ipGroups": [
{
"name": "example-ipGroup1",
"ipPrefixes": [
"10.10.10.10/30"
]
}
],
"vlanGroups": [
{
"name": "exmaple-vlanGroup",
"vlans": [
"10",
"100-200"
]
}
],
"portGroups": [
{
"name": "example-portGroup1",
"ports": [
"100-200"
]
},
{
"name": "example-portGroup2",
"ports": [
"900",
"1000-2000"
]
}
]
}
]
},
"tags": {
"keyID": "keyValue"
},
"location": "eastuseuap",
"id": "/subscriptions/1234ABCD-0A1B-1234-5678-123456ABCDEF/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkTapRules/example-tapRule",
"name": "example-tapRule",
"type": "microsoft.managednetworkfabric/networkTapRules",
"systemData": {
"createdBy": "email@address.com",
"createdByType": "User",
"createdAt": "2023-06-12T07:11:22.488Z",
"lastModifiedBy": "user@mail.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-06-12T07:11:22.488Z"
}
}
鄰近群組
鄰近群組資源能夠將目的地分組以轉送篩選的流量
鄰近群組的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 特別針對您的 NeighborGroup 使用適當的資源群組名稱 | resourceGroupName | True |
| resource-name | NeighborGroup 的資源名稱 | example-Neighbor | True |
| location | 在 NFC 建立期間使用的 AzON Azure 區域 | eastus | True |
| 目的地 | 要轉送流量的 Ipv4 或 Ipv6 目的地清單 | 10.10.10.10 | True |
建立鄰近群組
此指令會建立鄰近群組資源:
az networkfabric neighborgroup create --resource-group "example-rg" --location "westus3"
--resource-name "example-neighborgroup" --destination "{ipv4Addresses:['10.10.10.10']}"
預期輸出:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
顯示鄰近群組資源
此指令會顯示 IP 擴充社群資源:
az networkfabric neighborgroup show --resource-group "example-rg" --resource-name "example-neighborgroup"
預期輸出:
{
"properties": {
"networkTapIds": [
],
"networkTapRuleIds": [
],
"destination": {
"ipv4Addresses": [
"10.10.10.10",
]
},
"provisioningState": "Succeeded",
"annotation": "annotation"
},
"tags": {
"keyID": "KeyValue"
},
"location": "eastus",
"id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
"name": "example-neighborGroup",
"type": "microsoft.managednetworkfabric/neighborGroups",
"systemData": {
"createdBy": "user@mail.com",
"createdByType": "User",
"createdAt": "2023-05-23T05:49:59.193Z",
"lastModifiedBy": "email@address.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-05-23T05:49:59.194Z"
}
}
網路 TAP
網路 TAP 可讓營運商定義目的地和封裝機制,以根據網路 TAP 規則轉送篩選的流量
網路 TAP 的參數
| 參數 | 描述 | 範例 | 必要 |
|---|---|---|---|
| 資源群組 | 針對網路 Tap 使用適當的資源群組名稱 | resourceGroupName | True |
| resource-name | 網路 TAP 的資源名稱 | NetworkTAP-Austin | True |
| location | 在 NFC 建立期間使用的 AzON Azure 區域 | eastus | True |
| network-packet-broker-id | 網路封包代理程式資源的 ARMID | True | |
| polling-type | 網路 TAP 規則的輪詢方法 (推送或提取) | 提取] | True |
| 目的地 | 目的地定義 | True | |
| destination/name | 目的地名稱 | ||
| destination/type | destination.IsolationDomain 或 NNI 類型 | ||
| destination/IsolationDomainProperties | 隔離網域的詳細資料。 封裝、鄰近群組識別碼 | 內部網路或 NNI 的 Azure Resource Manager (ARM) 識別碼 | False |
| destinationTapRuleId | TAP 規則的 ARMID,必須套用 | True |
建立網路 TAP
此指令會建立網路 TAP 資源:
az networkfabric tap create --resource-group "example-rg" --location "westus3" \
--resource-name "example-networktap" \
--network-packet-broker-id "/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/networkPacketBrokers/example-networkPacketBroker" \
--polling-type "Pull"\
--destinations "[{name:'example-destinationName',destinationType:IsolationDomain,destinationId:'/subscriptions/xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/l3IsloationDomains/example-l3Domain/internalNetworks/example-internalNetwork',\
isolationDomainProperties:{encapsulation:None,neighborGroupIds:['/subscriptions/xxxxx-xxxx-xxxx-xxxx-xxxxx/resourcegroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup']},\