How do the default NSG rules allow a VM to query the Internet?

Time: 2019-09-13 06:27:42

Tags: azure azure-nsg

The default NSG rules are as follows.

Inbound:

+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+
|               Name                | Priority |     Source IP      | Source Port | Destination IP  | Destination Port | Protocol | Access |
+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+
| ALLOW VNET INBOUND                |    65000 | VIRTUAL_NETWORK    | *           | VIRTUAL_NETWORK | *                | *        | ALLOW  |
| ALLOW AZURE LOAD BALANCER INBOUND |    65001 | AZURE_LOADBALANCER | *           | *               | *                | *        | ALLOW  |
| DENY ALL INBOUND                  |    65500 | *                  | *           | *               | *                | *        | DENY   |
+-----------------------------------+----------+--------------------+-------------+-----------------+------------------+----------+--------+

Outbound:

+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+
|          Name           | Priority |    Source IP    | Source Port | Destination IP  | Destination Port | Protocol | Access |
+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+
| ALLOW VNET OUTBOUND     |    65000 | VIRTUAL_NETWORK | *           | VIRTUAL_NETWORK | *                | *        | ALLOW  |
| ALLOW INTERNET OUTBOUND |    65001 | *               | *           | INTERNET        | *                | *        | ALLOW  |
| DENY ALL OUTBOUND       |    65500 | *               | *           | *               | *                | *        | DENY   |
+-------------------------+----------+-----------------+-------------+-----------------+------------------+----------+--------+

If a VM associated with this NSG opens an Internet browser and navigates to a website, how does the website get back to the VM?

As far as I can tell, outbound traffic is allowed, but only traffic from the VNET or the LB is allowed back in.

Won't the VM send an HTTP request, which reaches the destination server, which then sends the response back to the VM, only for the response to be blocked by the NSG?

1 answer:

Answer 0 (score: 1)

Because outbound traffic is allowed - the connection is established and the packets are using the established connection. NSG blocks the creation of new connections; it does not interfere with existing connections.
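To make the answer concrete, here is an added example (not from the question, the answer, or any Azure code) that models the NSG as a stateful filter: the rule table is consulted only for the first packet of a flow, and the reply packet is admitted because a matching flow already exists, so no inbound rule for the web server is needed. The VNet prefix, the VM, web server and peer addresses, and the tag-resolution logic are constructed assumptions; 168.63.129.16 is Azure's documented load balancer probe address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed address space for the example: one VNet prefix and the
# documented Azure load-balancer probe address.
VNET_PREFIXES = [ipaddress.ip_network("10.0.0.0/16")]
AZURE_LB_IPS = {ipaddress.ip_address("168.63.129.16")}


def tag_matches(tag: str, ip: str) -> bool:
    """Resolve an NSG service tag (or '*') against a concrete address (simplified model)."""
    addr = ipaddress.ip_address(ip)
    in_vnet = any(addr in net for net in VNET_PREFIXES)
    if tag == "*":
        return True
    if tag == "VIRTUAL_NETWORK":
        return in_vnet
    if tag == "AZURE_LOADBALANCER":
        return addr in AZURE_LB_IPS
    if tag == "INTERNET":
        # Assumption for this model: anything outside the VNet counts as Internet.
        return not in_vnet
    raise ValueError(f"unknown tag {tag}")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    src: str
    dst: str
    access: str  # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    direction: str  # "in" (arriving at the VM) or "out" (leaving the VM)


# The default rules from the question; ports and protocol are all '*'.
INBOUND = [
    Rule("ALLOW VNET INBOUND", 65000, "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "ALLOW"),
    Rule("ALLOW AZURE LOAD BALANCER INBOUND", 65001, "AZURE_LOADBALANCER", "*", "ALLOW"),
    Rule("DENY ALL INBOUND", 65500, "*", "*", "DENY"),
]
OUTBOUND = [
    Rule("ALLOW VNET OUTBOUND", 65000, "VIRTUAL_NETWORK", "VIRTUAL_NETWORK", "ALLOW"),
    Rule("ALLOW INTERNET OUTBOUND", 65001, "*", "INTERNET", "ALLOW"),
    Rule("DENY ALL OUTBOUND", 65500, "*", "*", "DENY"),
]

Flow = Tuple[str, int, str, int, str]


class StatefulNSG:
    """Toy model: rules decide only the first packet of a flow; replies ride on state."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.priority)
        self.outbound = sorted(outbound, key=lambda r: r.priority)
        self.flows: Set[Flow] = set()

    def evaluate(self, pkt: Packet) -> Tuple[bool, str]:
        # 1. Reply to a flow already admitted? Allow it without consulting the rules.
        reverse: Flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return True, "existing flow"
        # 2. New flow: the first matching rule in ascending priority order wins.
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for rule in rules:
            if tag_matches(rule.src, pkt.src_ip) and tag_matches(rule.dst, pkt.dst_ip):
                if rule.access == "ALLOW":
                    self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return rule.access == "ALLOW", rule.name
        return False, "implicit deny"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk the scenario from the question plus two inbound cases (constructed addresses)."""
    nsg = StatefulNSG(INBOUND, OUTBOUND)
    vm, web, stranger, peer = "10.0.0.4", "203.0.113.10", "198.51.100.7", "10.0.0.5"
    results: Dict[str, Tuple[bool, str]] = {}
    results["vm->web"] = nsg.evaluate(Packet(vm, 51000, web, 443, "tcp", "out"))
    results["web->vm reply"] = nsg.evaluate(Packet(web, 443, vm, 51000, "tcp", "in"))
    results["unsolicited ssh"] = nsg.evaluate(Packet(stranger, 40000, vm, 22, "tcp", "in"))
    results["vnet peer ssh"] = nsg.evaluate(Packet(peer, 40001, vm, 22, "tcp", "in"))
    return results


if __name__ == "__main__":
    for label, (allowed, why) in demo().items():
        print(f"{label:16} -> {'ALLOW' if allowed else 'DENY':5} ({why})")
```

Running `demo()` shows the outbound HTTPS request admitted by ALLOW INTERNET OUTBOUND, the server's reply admitted as an existing flow without any inbound rule matching it, an unsolicited SSH attempt from the Internet hitting DENY ALL INBOUND, and SSH from another VNet address admitted by ALLOW VNET INBOUND. The model omits flow timeouts and TCP state tracking; the point it isolates is that inbound rules govern new connections, not return traffic.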