What is Datacenter Firewall?

Applies to: Azure Stack HCI, version 20H2; Windows Server 2019

Datacenter Firewall is a network-layer, 5-tuple (protocol, source and destination port numbers, source and destination IP addresses), stateful, multitenant Software Defined Networking (SDN) firewall. It protects east-west and north-south traffic flows at the network layer of both virtual networks and traditional VLAN networks.

How Datacenter Firewall works

You enable and configure Datacenter Firewall by creating access control lists (ACLs) that are applied to a subnet or to a network interface. Firewall policies are enforced at the vSwitch port of each tenant virtual machine (VM), so enforcement happens outside the guest and before traffic reaches the physical network. The policies are pushed through the tenant portal, and Network Controller distributes them to all applicable hosts.

Tenant administrators can install and configure firewall policies to help protect their networks from unwanted traffic originating from internet and intranet networks.

Figure: Datacenter Firewall in the network stack

The service provider administrator or the tenant administrator can manage Datacenter Firewall policies through Network Controller and its northbound APIs (REST, or the NetworkController PowerShell module that wraps them). You can also configure and manage Datacenter Firewall policies using Windows Admin Center.
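As an added example (not from the original page and not Microsoft's own sample), the following PowerShell builds one 5-tuple ACL through the Network Controller northbound cmdlets and attaches it first to a virtual subnet and then to a single VM network interface, which are the two attachment points described above. The Network Controller URI (https://nc.contoso.local), the virtual network resource "Tenant1-VNet" with a subnet "Web", the NIC resource "Web01-Nic1", and the management prefix 10.200.0.0/24 are assumed, hypothetical values; the New-AclRule helper is defined here for readability and is not part of the NetworkController module.

```powershell
# Added example (not from the original page): build a 5-tuple ACL through the
# Network Controller northbound PowerShell cmdlets and attach it to a virtual
# subnet and to a single VM network interface.
# Assumptions (hypothetical names): the Network Controller REST endpoint is
# https://nc.contoso.local, the virtual network resource is "Tenant1-VNet" with
# a subnet "Web", the NIC resource is "Web01-Nic1", and 10.200.0.0/24 is the
# management subnet.
$uri = "https://nc.contoso.local"

# Helper (not a module cmdlet): one AclRule from its 5-tuple plus action,
# priority and direction.
function New-AclRule {
    param(
        [string]$ResourceId,
        [string]$Protocol,            # "TCP", "UDP" or "All"
        [string]$SourcePrefix,        # IP, CIDR prefix or "*"
        [string]$SourcePorts,         # e.g. "0-65535"
        [string]$DestinationPrefix,
        [string]$DestinationPorts,
        [ValidateSet("Allow","Deny")][string]$Action,
        [int]$Priority,               # lower number is evaluated first
        [ValidateSet("Inbound","Outbound")][string]$Type
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol
    $p.SourceAddressPrefix      = $SourcePrefix
    $p.SourcePortRange          = $SourcePorts
    $p.DestinationAddressPrefix = $DestinationPrefix
    $p.DestinationPortRange     = $DestinationPorts
    $p.Action                   = $Action
    $p.Priority                 = "$Priority"
    $p.Type                     = $Type
    $p.Logging                  = "Enabled"   # log hits so the rule set can be audited
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $ResourceId
    $rule.Properties = $p
    return $rule
}

$rules = @(
    # North-south: anyone may reach HTTPS on the web tier.
    New-AclRule -ResourceId "Allow-HTTPS-In" -Protocol "TCP" -SourcePrefix "*" -SourcePorts "0-65535" -DestinationPrefix "*" -DestinationPorts "443" -Action Allow -Priority 200 -Type Inbound
    # East-west: RDP only from the management subnet, never from other tenant VMs.
    New-AclRule -ResourceId "Allow-RDP-Mgmt" -Protocol "TCP" -SourcePrefix "10.200.0.0/24" -SourcePorts "0-65535" -DestinationPrefix "*" -DestinationPorts "3389" -Action Allow -Priority 300 -Type Inbound
    # Explicit catch-all deny so the outcome does not depend on the platform default.
    New-AclRule -ResourceId "Deny-All-In" -Protocol "All" -SourcePrefix "*" -SourcePorts "0-65535" -DestinationPrefix "*" -DestinationPorts "0-65535" -Action Deny -Priority 65000 -Type Inbound
    # Outbound stays open; because the firewall is stateful, replies to allowed
    # inbound connections are matched without a separate rule.
    New-AclRule -ResourceId "Allow-All-Out" -Protocol "All" -SourcePrefix "*" -SourcePorts "0-65535" -DestinationPrefix "*" -DestinationPorts "0-65535" -Action Allow -Priority 64000 -Type Outbound
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
$acl = New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId "WebTier-ACL" -Properties $aclProps -Force

# Attach to a virtual subnet: every VM port on that subnet inherits the policy.
$vnet   = Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "Tenant1-VNet"
$subnet = $vnet.Properties.Subnets | Where-Object { $_.ResourceId -eq "Web" }
$subnet.Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId $vnet.ResourceId -Properties $vnet.Properties -Force

# Or attach to one VM NIC: the rule set is bound to the vSwitch port, so it
# follows the VM when it is moved to another host.
$nic = Get-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId "Web01-Nic1"
$nic.Properties.IpConfigurations[0].Properties.AccessControlList = $acl
New-NetworkControllerNetworkInterface -ConnectionUri $uri -ResourceId $nic.ResourceId -Properties $nic.Properties -Force
```

Two points worth checking after applying a policy like this: read the ACL back with Get-NetworkControllerAccessControlList and confirm the rule order matches the priorities you intended, and verify that the catch-all deny is present, since a rule set that relies on an implicit default is the one most likely to be silently widened by a later edit.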

Advantages for cloud service providers

Datacenter Firewall offers the following advantages for cloud service providers (CSPs):

  • A highly scalable, manageable, and diagnosable software-based firewall solution that can be offered to tenants

  • Freedom to move tenant VMs to different compute hosts without breaking tenant firewall policies

    • Deployed as a vSwitch port host agent firewall

    • Tenant VMs get the policies assigned to their vSwitch host agent firewall

    • Firewall rules are configured in each vSwitch port, independent of the actual host running the VM

  • Offers protection to tenant VMs independent of the tenant guest operating system, so a compromised or misconfigured guest cannot disable it

Advantages for tenants

Datacenter Firewall offers the following advantages for tenants:

  • Ability to define firewall rules to help protect internet-facing workloads and internal workloads on networks

  • Ability to define firewall rules to help protect traffic between VMs on the same Layer 2 (L2) subnet as well as between VMs on different L2 subnets

  • Ability to define firewall rules to help protect and isolate network traffic between tenant on-premises networks and their virtual networks at the service provider

  • Ability to apply firewall policies to traditional VLAN networks and to overlay-based virtual networks

Next steps

For related information, see also: