The default rules of an NSG are shown below.
Inbound:
+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+
| Name                              | Priority | Source IP          | Source Port | Destination IP  | Destination Port | Protocol | Access |
+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+
| ALLOW VNET INBOUND                | 65000    | VIRTUAL_NETWORK    | *           | VIRTUAL_NETWORK | *                | *        | ALLOW  |
| ALLOW AZURE LOAD BALANCER INBOUND | 65001    | AZURE_LOADBALANCER | *           | *               | *                | *        | ALLOW  |
| DENY ALL INBOUND                  | 65500    | *                  | *           | *               | *                | *        | DENY   |
+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+
Outbound:
+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+
| Name                    | Priority | Source IP       | Source Port | Destination IP  | Destination Port | Protocol | Access |
+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+
| ALLOW VNET OUTBOUND     | 65000    | VIRTUAL_NETWORK | *           | VIRTUAL_NETWORK | *                | *        | ALLOW  |
| ALLOW INTERNET OUTBOUND | 65001    | *               | *           | INTERNET        | *                | *        | ALLOW  |
| DENY ALL OUTBOUND       | 65500    | *               | *           | *               | *                | *        | DENY   |
+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+
If a VM associated with this NSG opens an Internet browser and navigates to a website, how does the website get back to the VM?
As far as I can tell, outbound traffic is allowed, but only traffic coming from the VNET or the LB is allowed to return.
Will the VM send an HTTP request (which hits the target server), the target server send a response back to the VM, and that response end up being blocked by the NSG?
Because outbound traffic is allowed - the connection is established, and the packets use the established connection. The NSG blocks the creation of new connections; it does not touch existing connections.
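To make the stateful behaviour in the answer concrete, here is an added simulation (not code from the original post or from Azure) of the default rule tables above with a connection-tracking table in front of them. It assumes a simplified classifier in which 10.0.0.0/8 is the VNet, 168.63.129.16 is the Azure load-balancer probe source and everything else is Internet; ports and protocol are `*` in every default rule, so they are not matched.

```python
# Constructed rule sets mirroring the NSG default rules from the tables above.
# Tuple layout: (name, priority, source tag, destination tag, access).
INBOUND = [
    ("ALLOW VNET INBOUND", 65000, "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "ALLOW"),
    ("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "AZURE_LOADBALANCER", "*", "ALLOW"),
    ("DENY ALL INBOUND", 65500, "*", "*", "DENY"),
]
OUTBOUND = [
    ("ALLOW VNET OUTBOUND", 65000, "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "ALLOW"),
    ("ALLOW INTERNET OUTBOUND", 65001, "*", "INTERNET", "ALLOW"),
    ("DENY ALL OUTBOUND", 65500, "*", "*", "DENY"),
]

def tag_of(ip):
    # Simplified service-tag classifier (assumption): 10.x is the VNet,
    # 168.63.129.16 is the Azure LB health-probe source, the rest is Internet.
    if ip == "168.63.129.16":
        return "AZURE_LOADBALANCER"
    return "VIRTUAL_NETWORK" if ip.startswith("10.") else "INTERNET"

def matches(pattern, tag):
    return pattern == "*" or pattern == tag

def evaluate(rules, src_ip, dst_ip):
    # Lowest priority number is checked first; the first matching rule decides.
    for name, _prio, src, dst, access in sorted(rules, key=lambda r: r[1]):
        if matches(src, tag_of(src_ip)) and matches(dst, tag_of(dst_ip)):
            return name, access
    return "implicit", "DENY"

class StatefulNsg:
    """Rule evaluation plus a flow table, the way a stateful filter behaves."""

    def __init__(self):
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        name, access = evaluate(OUTBOUND, src_ip, dst_ip)
        if access == "ALLOW":
            self.flows.add((src_ip, src_port, dst_ip, dst_port))
        return name, access

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        # Reply packets of a tracked flow never reach the inbound rules.
        if (dst_ip, dst_port, src_ip, src_port) in self.flows:
            return "established flow", "ALLOW"
        # Unsolicited packets are judged by the inbound rules alone.
        return evaluate(INBOUND, src_ip, dst_ip)
```

Run `outbound` for the VM's HTTPS request and then `inbound` for the server's reply on the same ports: the reply is allowed by the flow table, while the same server connecting to a fresh port on the VM falls through to `DENY ALL INBOUND`.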