
Azure enterprise scaffold - prescriptive subscription governance

Enterprises are increasingly adopting the public cloud for its agility and flexibility. They are utilizing the cloud's strengths to generate revenue or optimize resources for the business. Microsoft Azure provides a multitude of services that enterprises can assemble like building blocks to address a wide array of workloads and applications.

But knowing where to begin is often difficult. After deciding to use Azure, a few questions commonly arise:

  • "How do I meet our legal requirements for data sovereignty in certain countries?"
  • "How do I ensure that someone does not inadvertently change a critical system?"
  • "How do I know what every resource is supporting so I can account for it and bill it back accurately?"

The prospect of an empty subscription with no guard rails is daunting. This blank space can hamper your move to Azure.

This article provides a starting point for technical professionals to address the need for governance and balance it with the need for agility. It introduces the concept of an enterprise scaffold that guides organizations in implementing and managing their Azure subscriptions.

Need for governance

When moving to Azure, you must address the topic of governance early to ensure the successful use of the cloud within the enterprise. Unfortunately, the time and bureaucracy of creating a comprehensive governance system means some business groups go directly to vendors without involving enterprise IT. This approach can leave the enterprise open to vulnerabilities if the resources are not properly managed. The characteristics of the public cloud - agility, flexibility, and consumption-based pricing - are important to business groups that need to quickly meet the demands of customers (both internal and external). But enterprise IT needs to ensure that data and systems are effectively protected.

In real life, scaffolding is used to create the basis of a structure. The scaffold guides the general outline and provides anchor points for more permanent systems to be mounted. An enterprise scaffold is the same: a set of flexible controls and Azure capabilities that provide structure to the environment, and anchors for services built on the public cloud. It provides the builders (IT and business groups) a foundation to create and attach new services.

The scaffold is based on practices we have gathered from many engagements with clients of various sizes. Those clients range from small organizations developing solutions in the cloud to Fortune 500 enterprises and independent software vendors who are migrating and developing solutions in the cloud. The enterprise scaffold is "purpose-built" to be flexible enough to support both traditional IT workloads and agile workloads, such as developers creating software-as-a-service (SaaS) applications based on Azure capabilities.

The enterprise scaffold is intended to be the foundation of each new subscription within Azure. It enables administrators to ensure workloads meet the minimum governance requirements of an organization without preventing business groups and developers from quickly meeting their own goals.

Important

Governance is crucial to the success of Azure. This article targets the technical implementation of an enterprise scaffold but only touches on the broader process and the relationships between the components. Policy governance flows from the top down and is determined by what the business wants to achieve. Naturally, the creation of a governance model for Azure includes representatives from IT, but more importantly it should have strong representation from business group leaders, and from security and risk management. In the end, an enterprise scaffold is about mitigating business risk to facilitate an organization's mission and objectives.

The following image describes the components of the scaffold. The foundation relies on a solid plan for departments, accounts, and subscriptions. The pillars consist of Resource Manager policies and strong naming standards. The rest of the scaffold comes from core Azure capabilities and features that enable a secure and manageable environment.

[Image: Scaffold components]

Note

Azure has grown rapidly since its introduction in 2008. This growth required Microsoft engineering teams to rethink their approach for managing and deploying services. The Azure Resource Manager model was introduced in 2014 and replaces the classic deployment model. Resource Manager enables organizations to more easily deploy, organize, and control Azure resources. Resource Manager includes parallelization when creating resources, for faster deployment of complex, interdependent solutions. It also includes granular access control and the ability to tag resources with metadata. Microsoft recommends that you create all resources through the Resource Manager model. The enterprise scaffold is explicitly designed for the Resource Manager model.

Define your hierarchy

The foundation of the scaffold is the Azure Enterprise Enrollment (and the Enterprise Portal). The enterprise enrollment defines the shape and use of Azure services within a company and is the core governance structure. Within the enterprise agreement, customers are able to further subdivide the environment into departments, accounts, and finally, subscriptions. An Azure subscription is the basic unit where all resources are contained. It also defines several limits within Azure, such as the number of cores, resources, etc.

[Image: Hierarchy]

Every enterprise is different, and the hierarchy in the previous image allows for significant flexibility in how Azure is organized within the company. Before implementing the guidance contained in this document, you should model your hierarchy and understand the impact on billing, resource access, and complexity.

The three common patterns for Azure Enrollments are:

  • The functional pattern

    [Image: Functional]

  • The business unit pattern

    [Image: Business]

  • The geographic pattern

    [Image: Geographic]

You apply the scaffold at the subscription level to extend the governance requirements of the enterprise into the subscription.

Naming standards

The first pillar of the scaffold is naming standards. Well-designed naming standards enable you to identify resources in the portal, on a bill, and within scripts. Most likely, you already have naming standards for on-premises infrastructure. When adding Azure to your environment, you should extend those naming standards to your Azure resources. Naming standards facilitate more efficient management of the environment at all levels.

Tip

For naming conventions:

  • Review and adopt where possible the Patterns and Practices guidance. This guidance helps you decide on a meaningful naming standard.
  • Use camelCasing for names of resources (such as myResourceGroup and vnetNetworkName). Note: There are certain resources, such as storage accounts, where the only option is to use lower case (and no other special characters).
  • Consider using Azure Resource Manager policies (described in the next section) to enforce naming standards.

The preceding tips help you implement a consistent naming convention.

Policies and auditing

The second pillar of the scaffold involves creating Azure policies and auditing the activity log. Resource Manager policies provide you with the ability to manage risk in Azure. You can define policies that ensure data sovereignty by restricting, enforcing, or auditing certain actions.

  • Policy is a default-allow system. You control actions by defining and assigning policies to resources that deny or audit actions on those resources.
  • Policies are described by policy definitions in a policy definition language (if-then conditions).
  • You create policies with JSON (JavaScript Object Notation) formatted files. After defining a policy, you assign it to a particular scope: subscription, resource group, or resource.

Policies have multiple actions that allow for a fine-grained approach to your scenarios. The actions are:

  • Deny: Blocks the resource request
  • Audit: Allows the request but adds a line to the activity log (which can be used to provide alerts or to trigger runbooks)
  • Append: Adds specified information to the resource. For example, if there is not a "CostCenter" tag on a resource, add that tag with a default value.

Common uses of Resource Manager policies

Azure Resource Manager policies are a powerful tool in the Azure toolkit. They enable you to avoid unexpected costs, to identify a cost center for resources through tagging, and to ensure that compliance requirements are met. When policies are combined with the built-in auditing features, you can fashion complex and flexible solutions. Policies allow companies to provide controls for "Traditional IT" workloads and "Agile" workloads, such as developing customer applications. The most common patterns we see for policies are:

  • Geo-compliance/data sovereignty - Azure provides regions across the world. Enterprises often wish to control where resources are created (whether to ensure data sovereignty or just to ensure resources are created close to the end consumers of the resources).
  • Cost management - An Azure subscription can contain resources of many types and scales. Corporations often wish to ensure that standard subscriptions avoid using unnecessarily large resources, which can cost hundreds of dollars a month or more.
  • Default governance through required tags - Requiring tags is one of the most common and highly desired features. Using Azure Resource Manager policies, enterprises are able to ensure that a resource is appropriately tagged. The most common tags are: Department, Resource Owner, and Environment type (for example: production, test, development).

Examples

"Traditional IT" subscription for line-of-business applications

  • Enforce Department and Owner tags on all resources
  • Restrict resource creation to the North American region
  • Restrict the ability to create G-Series VMs and HDInsight clusters

"Agile" environment for a business unit creating cloud applications

  • To meet data sovereignty requirements, allow the creation of resources ONLY in a specific region.
  • Enforce the Environment tag on all resources. If a resource is created without the tag, append the Environment: Unknown tag to the resource.
  • Audit when resources are created outside of North America, but do not prevent it.
  • Audit when high-cost resources are created.
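The four "Agile" policies above, written out as Azure Policy definitions in a subscription-scope Resource Manager template. This is an added example, not content from the original article; the allowed region (canadacentral), the list of North American regions, the definition names and the use of G-Series sizes as the "high-cost" marker are assumptions chosen for illustration.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "agile-deny-outside-allowed-region",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "displayName": "Deny resources created outside the allowed region",
        "description": "Example only. Data sovereignty: block creation anywhere but canadacentral (assumed region). 'global' is listed so region-less resources are not denied.",
        "policyRule": {
          "if": { "field": "location", "notIn": [ "canadacentral", "global" ] },
          "then": { "effect": "deny" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "agile-append-environment-unknown",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Append Environment: Unknown when the tag is missing",
        "description": "Example only. Indexed mode limits evaluation to resource types that support tags and location.",
        "policyRule": {
          "if": { "field": "tags['Environment']", "exists": "false" },
          "then": {
            "effect": "append",
            "details": [ { "field": "tags['Environment']", "value": "Unknown" } ]
          }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "agile-audit-outside-north-america",
      "properties": {
        "policyType": "Custom",
        "mode": "All",
        "displayName": "Audit resources created outside North America",
        "description": "Example only. Writes an audit entry to the activity log but does not block. Detective backstop for scopes where the deny above is not assigned; region list is assumed.",
        "policyRule": {
          "if": {
            "field": "location",
            "notIn": [ "eastus", "eastus2", "centralus", "northcentralus", "southcentralus", "westcentralus", "westus", "westus2", "canadacentral", "canadaeast", "global" ]
          },
          "then": { "effect": "audit" }
        }
      }
    },
    {
      "type": "Microsoft.Authorization/policyDefinitions",
      "apiVersion": "2019-09-01",
      "name": "agile-audit-high-cost-vms",
      "properties": {
        "policyType": "Custom",
        "mode": "Indexed",
        "displayName": "Audit creation of high-cost virtual machines",
        "description": "Example only. Treats G-Series sizes as the 'high-cost' marker (assumption); extend the size pattern to match your own cost policy.",
        "policyRule": {
          "if": {
            "allOf": [
              { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
              { "field": "Microsoft.Compute/virtualMachines/sku.name", "like": "Standard_G*" }
            ]
          },
          "then": { "effect": "audit" }
        }
      }
    }
  ]
}
```

Each definition still has to be assigned to a scope (subscription or resource group) before it takes effect; the audit effects surface in the activity log described in the next sections.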

Tip

The most common use of Resource Manager policies across organizations is to control where resources can be created and what types of resources can be created. In addition to providing controls on where and what, many enterprises use policies to ensure resources have the appropriate metadata to bill back for consumption. We recommend applying policies at the subscription level for:

  • Geo-compliance/data sovereignty
  • Cost management
  • Required tags (determined by business need, such as BillTo, Application Owner)

You can apply additional policies at lower levels of scope.

Audit - what happened?

To view how your environment is functioning, you need to audit user activity. Most resource types within Azure create diagnostic logs that you can analyze through a log tool or in Azure Operations Management Suite. You can gather activity logs across multiple subscriptions to provide a departmental or enterprise view. Audit records are both an important diagnostic tool and a crucial mechanism to trigger events in the Azure environment.

Activity logs from Resource Manager deployments enable you to determine the operations that took place and who performed them. Activity logs can be collected and aggregated using tools like Log Analytics.

Resource tags

As users in your organization add resources to the subscription, it becomes increasingly important to associate resources with the appropriate department, customer, and environment. You can attach metadata to resources through tags. You use tags to provide information about the resource or the owner. Tags enable you not only to aggregate and group resources in various ways, but also to use that data for the purposes of chargeback. You can tag resources with up to 15 key:value pairs.

Resource tags are flexible and should be attached to most resources. Examples of common resource tags are:

  • BillTo
  • Department (or Business Unit)
  • Environment (Production, Stage, Development)
  • Tier (Web Tier, Application Tier)
  • Application Owner
  • ProjectName

[Image: Tags]

For more examples of tags, see Recommended naming conventions for Azure resources.

Tip

Consider making a policy that mandates tagging for:

  • Resource groups
  • Storage
  • Virtual Machines
  • Application Service Environments/web servers

This tagging strategy identifies, across your subscriptions, what metadata is needed for the business, finance, security, risk management, and overall management of the environment.

Resource groups

Resource Manager enables you to put resources into meaningful groups for management, billing, or natural affinity. As mentioned earlier, Azure has two deployment models. In the earlier Classic model, the basic unit of management was the subscription. It was difficult to break down resources within a subscription, which led to the creation of large numbers of subscriptions. With the Resource Manager model, we saw the introduction of resource groups. Resource groups are containers of resources that have a common lifecycle or share an attribute, such as "all SQL servers" or "Application A".

Resource groups cannot be contained within each other, and resources can only belong to one resource group. You can apply certain actions to all resources in a resource group. For example, deleting a resource group removes all resources within the resource group. Typically, you place an entire application or related system in the same resource group. For example, a three-tier application called Contoso Web Application would contain the web server, application server, and SQL server in the same resource group.

Tip

How you organize your resource groups may vary from "Traditional IT" workloads to "Agile IT" workloads:

  • "Traditional IT" workloads are most commonly grouped by items within the same lifecycle, such as an application. Grouping by application allows for individual application management.
  • "Agile IT" workloads tend to focus on external customer-facing cloud applications. The resource groups should reflect the layers of deployment (such as Web Tier, App Tier) and management.

Understanding your workload helps you develop a resource group strategy.

Role-based access control

You are probably asking yourself "who should have access to resources?" and "how do I control this access?" Allowing or disallowing access to the Azure portal, and controlling access to resources in the portal, is crucial.

When Azure was initially released, access controls to a subscription were basic: Administrator or Co-Administrator. Access to a subscription in the Classic model implied access to all the resources in the portal. This lack of fine-grained control led to the proliferation of subscriptions to provide a reasonable level of access control for an Azure Enrollment.

This proliferation of subscriptions is no longer needed. With role-based access control, you can assign users to standard roles (such as common "reader" and "writer" types of roles). You can also define custom roles.

Tip

To implement role-based access control:

  • Connect your corporate identity store (most commonly Active Directory) to Azure Active Directory using the AD Connect tool.
  • Control the Admin/Co-Admin of a subscription using a managed identity. Don't assign Admin/Co-admin to a new subscription owner. Instead, use RBAC roles to provide Owner rights to a group or individual.
  • Add Azure users to a group (for example, Application X Owners) in Active Directory. Use the synced group to provide group members the appropriate rights to manage the resource group containing the application.
  • Follow the principle of granting the least privilege required to do the expected work. For example:
    • Deployment Group: A group that is only able to deploy resources.
    • Virtual Machine Management: A group that is able to restart VMs (for operations)

These tips help you manage user access across your subscription.
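The "Virtual Machine Management" group from the last tip, expressed as a custom role definition in the JSON format that Azure PowerShell's New-AzRoleDefinition -InputFile accepts. This is an added example, not content from the original article; the role name, the description and the placeholder subscription ID are assumptions, and the synced AD group would then be assigned this role at resource-group scope.

```json
{
  "Name": "Virtual Machine Operator (restart only)",
  "IsCustom": true,
  "Description": "Example least-privilege role for an operations group: may view virtual machines and restart them, but cannot create, resize, delete, or log on to them.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/instanceView/read",
    "Microsoft.Compute/virtualMachines/restart/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}
```

Replace the zeroed subscription ID with your own before creating the role; restart attempts by members of the group then appear in the activity log under the Microsoft.Compute/virtualMachines/restart/action operation.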

Azure resource locks

As your organization adds core services to the subscription, it becomes increasingly important to ensure that those services are available to avoid business disruption. Resource locks enable you to restrict operations on high-value resources where modifying or deleting them would have a significant impact on your applications or cloud infrastructure. You can apply locks to a subscription, resource group, or resource. Typically, you apply locks to foundational resources such as virtual networks, gateways, and storage accounts.

Resource locks currently support two values: CanNotDelete and ReadOnly. CanNotDelete means that users (with the appropriate rights) can still read or modify a resource but cannot delete it. ReadOnly means that authorized users can't delete or modify a resource.

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

Tip

Core network options should be protected with locks. Accidental deletion of a gateway or site-to-site VPN would be disastrous to an Azure subscription. Azure doesn't allow you to delete a virtual network that is in use, but applying more restrictions is a helpful precaution.

  • Virtual Network: CanNotDelete
  • Network Security Group: CanNotDelete
  • Policies: CanNotDelete

Policies are also crucial to the maintenance of appropriate controls. We recommend that you apply a CanNotDelete lock to policies that are in use.

Core networking resources

Access to resources can be either internal (within the corporation's network) or external (through the internet). It is easy for users in your organization to inadvertently put resources in the wrong spot and potentially open them to malicious access. As with on-premises devices, enterprises must add appropriate controls to ensure that Azure users make the right decisions. For subscription governance, we identify core resources that provide basic control of access. The core resources consist of:

  • Virtual networks are container objects for subnets. Though not strictly necessary, they are often used when connecting applications to internal corporate resources.
  • Network security groups are similar to a firewall and provide rules for how a resource can "talk" over the network. They provide granular control over how/if a subnet (or virtual machine) can connect to the Internet or to other subnets in the same virtual network.

[Image: Core networking]

Tip

For networking:

  • Create virtual networks dedicated to external-facing workloads and internal-facing workloads. This approach reduces the chance of inadvertently placing virtual machines that are intended for internal workloads in an external-facing space.
  • Configure network security groups to limit access. At a minimum, block access to the internet from internal virtual networks, and block access to the corporate network from external virtual networks.

These tips help you implement secure networking resources.
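The networking tips above and the lock recommendations from the Azure resource locks section, combined in one Resource Manager template: an internal-facing virtual network whose subnet carries a network security group that denies outbound Internet traffic, with CanNotDelete locks on both resources. This is an added example, not content from the original article; the resource names, address ranges and rule priority are assumptions, and the external-facing counterpart would mirror it with the corporate address range as the denied destination.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', 'internal-nsg')]"
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2021-05-01",
      "name": "internal-nsg",
      "location": "[resourceGroup().location]",
      "properties": {
        "securityRules": [
          {
            "name": "deny-internet-outbound",
            "properties": {
              "description": "Example only: deny Internet egress from internal workloads; priority 4000 overrides the default AllowInternetOutBound rule (65001).",
              "priority": 4000,
              "direction": "Outbound",
              "access": "Deny",
              "protocol": "*",
              "sourceAddressPrefix": "*",
              "sourcePortRange": "*",
              "destinationAddressPrefix": "Internet",
              "destinationPortRange": "*"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-05-01",
      "name": "internal-vnet",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('nsgId')]" ],
      "properties": {
        "addressSpace": { "addressPrefixes": [ "10.10.0.0/16" ] },
        "subnets": [
          {
            "name": "app-tier",
            "properties": {
              "addressPrefix": "10.10.1.0/24",
              "networkSecurityGroup": { "id": "[variables('nsgId')]" }
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "internal-vnet-cannotdelete",
      "scope": "Microsoft.Network/virtualNetworks/internal-vnet",
      "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', 'internal-vnet')]" ],
      "properties": {
        "level": "CanNotDelete",
        "notes": "Example only: core network resource; an Owner or User Access Administrator must remove this lock before the network can be deleted."
      }
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "internal-nsg-cannotdelete",
      "scope": "Microsoft.Network/networkSecurityGroups/internal-nsg",
      "dependsOn": [ "[variables('nsgId')]" ],
      "properties": {
        "level": "CanNotDelete",
        "notes": "Example only: rules can still be edited by authorized users, but the NSG cannot be deleted while the lock exists."
      }
    }
  ]
}
```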

Automation

Managing resources individually is both time-consuming and potentially error-prone for certain operations. Azure provides various automation capabilities, including Azure Automation, Logic Apps, and Azure Functions. Azure Automation enables administrators to create and define runbooks to handle common tasks in managing resources. You create runbooks by using either a PowerShell code editor or a graphical editor. You can produce complex multi-stage workflows. Azure Automation is often used to handle common tasks such as shutting down unused resources, or creating resources in response to a specific trigger without needing human intervention.

Tip

For automation:

  • Create an Azure Automation account and review the runbooks (both graphical and command line) available in the Runbook Gallery.
  • Import and customize key runbooks for your own use.

A common scenario is the ability to start/shut down virtual machines on a schedule. There are example runbooks available in the Gallery that both handle this scenario and teach you how to expand it.

Azure Security Center

Perhaps one of the biggest blockers to cloud adoption has been concern over security. IT risk managers and security departments need to ensure that resources in Azure are secure.

Azure Security Center provides a central view of the security status of resources in the subscriptions, and provides recommendations that help prevent compromised resources. It can enable more granular policies (for example, applying policies to specific resource groups that allow the enterprise to tailor their posture to the risk they are addressing). Finally, Azure Security Center is an open platform that enables Microsoft partners and independent software vendors to create software that plugs into Azure Security Center to enhance its capabilities.

Tip

Azure Security Center is enabled by default in each subscription. However, you must enable data collection from virtual machines to allow Azure Security Center to install its agent and begin gathering data.

[Image: Data collection]

Next steps