
Best practices to secure and manage workloads migrated to Azure

As you plan and design for migration, in addition to thinking about the migration itself, you need to consider your security and management model in Azure after migration. This article describes planning and best practices for securing your Azure deployment after migrating. It also covers ongoing tasks to keep your deployment running at an optimal level.

Important

The best practices and opinions described in this article are based on the Azure platform and service features available at the time of writing. Features and capabilities change over time.

Secure migrated workloads

After migration, the most critical task is to secure migrated workloads from internal and external threats. These best practices help you to do that:

  • Learn how to work with the monitoring, assessments, and recommendations provided by Azure Security Center.
  • Get best practices for encrypting your data in Azure.
  • Protect your VMs from malware and malicious attacks.
  • Keep sensitive information secure in migrated web apps.
  • Verify who can access your Azure subscriptions and resources after migration.
  • Review your Azure auditing and security logs on a regular basis.
  • Understand and evaluate advanced security features that Azure offers.

These best practices are described in more detail in the sections that follow.

Best practice: Follow Azure Security Center recommendations

Azure tenant admins need to enable security features that protect workloads from attacks. Security Center provides unified security management. From Security Center, you can apply security policies across workloads, limit threat exposure, and detect and respond to attacks. Security Center analyzes resources and configurations across Azure tenants, and makes security recommendations, including:

  • Centralized policy management: Ensure compliance with company or regulatory security requirements by centrally managing security policies across all your hybrid cloud workloads.
  • Continuous security assessment: Monitor the security posture of machines, networks, storage and data services, and applications to discover potential security issues.
  • Actionable recommendations: Remediate security vulnerabilities before they can be exploited by attackers, with prioritized and actionable security recommendations.
  • Prioritized alerts and incidents: Focus on the most critical threats first, with prioritized security alerts and incidents.

In addition to assessments and recommendations, Security Center provides other security features that you can enable for specific resources.

  • Just-in-time (JIT) access. Reduce your network attack surface with JIT, controlled access to management ports on Azure VMs.
    • Having VM RDP port 3389 open on the internet exposes VMs to continual activity from bad actors. Azure IP addresses are well-known, and hackers continually probe them for attacks on open 3389 ports.
    • JIT uses network security groups (NSGs) and incoming rules that limit the amount of time that a specific port is open.
    • With JIT access enabled, Security Center checks that a user has Azure role-based access control (Azure RBAC) write access permissions for a VM. In addition, you can specify rules for how users can connect to VMs. If permissions are OK, an access request is approved, and Security Center configures NSGs to allow inbound traffic to the selected ports for the amount of time you specify. NSGs return to their previous state when the time expires.
  • Adaptive application controls. Keep unapproved software and malware off VMs by controlling which applications run on them, by using dynamic allow lists.
    • Adaptive application controls allow you to approve applications, and prevent rogue users or administrators from installing unapproved or unvetted software applications on your VMs.
      • You can block or alert on attempts to run malicious applications, avoid unwanted or malicious applications, and ensure compliance with your organization's application security policy.
  • File Integrity Monitoring. Ensure the integrity of files running on VMs.
    • You don't need to install software to cause VM issues. Changing a system file can also cause VM failure or performance degradation. File Integrity Monitoring examines system files and registry settings for changes, and notifies you if something is updated.
    • Security Center recommends which files you should monitor.

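JIT only works if no standing NSG rule already exposes the management ports it is supposed to gate. The following PowerShell is an added example, not code from the original article or from Security Center, that audits every NSG in the current subscription for permanent inbound allow rules from the internet to management ports. It assumes the Az PowerShell module (Az.Network) and an active Connect-AzAccount session; the port list and the JIT rule-name prefix it skips are assumptions you can adjust.

```powershell
# Added example: find inbound NSG rules that permanently allow management ports from the internet.
# Assumes the Az module (Az.Network) and that Connect-AzAccount has already been run.

# Ports commonly used for management; extend as needed (assumption).
$managementPorts = @(22, 3389, 5985, 5986)
# Source prefixes that mean "anyone on the internet".
$internetSources = @('*', 'Internet', '0.0.0.0/0')
# Prefix Security Center uses for its temporary JIT rules (assumed convention); those
# should exist only while an approved access request is active, so they are skipped here.
$jitRulePrefix = 'SecurityCenter-JITRule'

function Test-PortRangeCoversPort {
    # Returns $true if an NSG port-range string ('*', '3389', '3000-4000') covers $Port.
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.Name -like "$jitRulePrefix*") { continue }
        $openSources = @($rule.SourceAddressPrefix | Where-Object { $internetSources -contains $_ })
        if ($openSources.Count -eq 0) { continue }
        foreach ($port in $managementPorts) {
            $covered = @($rule.DestinationPortRange | Where-Object { Test-PortRangeCoversPort -Range $_ -Port $port })
            if ($covered.Count -gt 0) {
                [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Port          = $port
                    Source        = ($openSources -join ',')
                }
            }
        }
    }
}

# Each row is a permanent exposure that JIT is meant to replace: remove the rule or narrow its source.
$findings | Sort-Object ResourceGroup, NSG, Priority | Format-Table -AutoSize
```

Run it before enabling JIT and again on a schedule; a finding that reappears usually means someone re-opened a port by hand instead of requesting access through Security Center.
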
Learn more:

Best practice: Encrypt data

Encryption is an important part of Azure security practices. Ensuring that encryption is enabled at all levels helps prevent unauthorized parties from gaining access to sensitive data, including data in transit and at rest.

Encryption for infrastructure as a service

  • Virtual machines: For VMs, you can use Azure Disk Encryption to encrypt your Windows and Linux infrastructure as a service (IaaS) VM disks.
    • Azure Disk Encryption uses BitLocker for Windows, and dm-crypt for Linux, to provide volume encryption for the operating system and data disks.
    • You can use an encryption key created by Azure, or you can supply your own encryption keys, safeguarded in Azure Key Vault.
    • With Azure Disk Encryption, IaaS VM data is secured at rest (on the disk) and during VM boot.
      • Security Center alerts you if you have VMs that aren't encrypted.
  • Storage: Protect at-rest data stored in Azure Storage.
    • Data stored in Azure Storage accounts can be encrypted by using Microsoft-generated AES keys that are FIPS 140-2 compliant, or you can use your own keys.
    • Azure Storage encryption is enabled for all new and existing storage accounts, and it can't be disabled.

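To act on the IaaS points above without waiting for a Security Center alert, the following PowerShell is an added example (not from the original article) that reports which VMs Azure Disk Encryption has not fully encrypted and then enables it on one VM with a key vault you control. It assumes the Az module (Az.Compute, Az.KeyVault) and an active Connect-AzAccount session; the vault, resource group and VM names are placeholders.

```powershell
# Added example: audit Azure Disk Encryption status across VMs, then enable it on one VM.
# Assumes the Az module (Az.Compute, Az.KeyVault) and that Connect-AzAccount has been run.
# Vault, resource group and VM names below are placeholders.

$vaultName = 'kv-ade-placeholder'
$vaultRg   = 'rg-security-placeholder'

# 1. Audit: Get-AzVMDiskEncryptionStatus reports the OS and data volume state for a VM.
$report = foreach ($vm in Get-AzVM) {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    [pscustomobject]@{
        ResourceGroup = $vm.ResourceGroupName
        VM            = $vm.Name
        OsVolume      = $status.OsVolumeEncrypted
        DataVolumes   = $status.DataVolumesEncrypted
    }
}
# Anything other than 'Encrypted' (NotEncrypted, Unknown, NotMounted) needs a closer look.
$report | Where-Object { "$($_.OsVolume)" -ne 'Encrypted' -or "$($_.DataVolumes)" -ne 'Encrypted' } |
    Format-Table -AutoSize

# 2. Enable: the vault must be flagged for disk encryption so the platform is allowed to
#    store the volume encryption secret in it.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $vaultRg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $vaultRg

# Encrypt both OS and data volumes. The extension may restart the VM, so run it in a
# maintenance window and take a backup first.
Set-AzVMDiskEncryptionExtension -ResourceGroupName 'rg-app-placeholder' -VMName 'vm-web01' `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All
```

Keep the audit half running on a schedule: a VM restored from an old image or created outside your pipeline is the usual way an unencrypted disk appears after migration.
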
Encryption for platform as a service

Unlike IaaS, in which you manage your own VMs and infrastructure, in a platform as a service (PaaS) model the platform and infrastructure are managed by the provider. You can focus on core application logic and capabilities. With so many different types of PaaS services, each service is evaluated individually for security purposes. As an example, let's see how you might enable encryption for Azure SQL Database.

  • Always Encrypted: Use the Always Encrypted wizard in SQL Server Management Studio to protect data at rest.
    • You create an Always Encrypted key to encrypt individual column data.
    • Always Encrypted keys can be stored as encrypted in database metadata, or stored in trusted key stores such as Azure Key Vault.
    • Most likely, you'll need to make application changes to use this feature.
  • Transparent data encryption (TDE): Protect Azure SQL Database with real-time encryption and decryption of the database, associated backups, and transaction log files at rest.
    • TDE allows encryption activities to take place without changes at the application layer.
    • TDE can use encryption keys provided by Microsoft, or you can bring your own key.

Learn more:

Best practice: Protect VMs with antimalware

In particular, older Azure-migrated VMs might not have the appropriate level of antimalware installed. Azure provides a free endpoint solution that helps protect VMs from viruses, spyware, and other malware.

  • Microsoft Antimalware for Azure Cloud Services and Virtual Machines generates alerts when known malicious or unwanted software tries to install itself.

  • It's a single agent solution that runs in the background without human intervention.

  • In Security Center, you can identify VMs that don't have endpoint protection running and install Microsoft Antimalware as needed.

    Figure 1: Antimalware for VMs (screenshot).

Learn more:

Best practice: Secure web apps

Migrated web apps face a couple of issues:

  • Most legacy web applications tend to have sensitive information inside configuration files. Files containing such information can present security issues when applications are backed up, or when application code is checked into or out of source control.
  • When you migrate web apps residing in a VM, you're likely moving that machine from an on-premises network and firewall-protected environment, to an environment facing the internet. Make sure that you set up a solution that does the same work as your on-premises protection resources.

Azure provides the following solutions:

  • Azure Key Vault: Today, web app developers are taking steps to ensure that sensitive information isn't leaked from these files. One method to secure information is to extract it from files and put it into an Azure Key Vault.

    • You can use Key Vault to centralize storage of application secrets, and control their distribution. It avoids the need to store security information in application files.
    • Applications can securely access information in the vault by using URIs, without needing custom code.
    • Azure Key Vault allows you to lock down access via Azure security controls, and to seamlessly implement rolling keys. Microsoft doesn't see or extract your data.
  • App Service Environment for Power Apps: If an application that you migrate needs extra protection, consider adding App Service Environment and Web Application Firewall to protect the application resources.

    • App Service Environment provides a fully isolated and dedicated environment for running applications, such as Windows and Linux web apps, Docker containers, mobile apps, and function apps.
    • It's useful for applications that are very high scale, require isolation and secure network access, or have high memory utilization.
  • Web Application Firewall: This is a feature of Azure Application Gateway that provides centralized protection for web apps.

    • It protects web apps without requiring back-end code modifications.
    • It protects multiple web apps at the same time, behind Application Gateway.
    • You can monitor Web Application Firewall by using Azure Monitor. Web Application Firewall is integrated into Security Center.

    Figure 2: Azure Key Vault and secure web apps (diagram).

Learn more:

Best practice: Review subscriptions and resource permissions

As you migrate your workloads and run them in Azure, staff with workload access move around. Your security team should review access to your Azure tenant and resource groups on a regular basis. Azure has offerings for identity management and access control security, including Azure role-based access control (Azure RBAC) to authorize permissions to access Azure resources.

  • Azure RBAC assigns access permissions for security principals. Security principals represent users, groups (a set of users), service principals (an identity used by applications and services), and managed identities (an Azure Active Directory identity automatically managed by Azure).
  • Azure RBAC can assign roles to security principals (such as Owner, Contributor, and Reader) and role definitions (a collection of permissions) that define the operations that the roles can perform.
  • Azure RBAC can also set scopes that set the boundary for a role. The scope can be set at several levels, including a management group, subscription, resource group, or resource.
  • Ensure that admins with Azure access can access only resources that you want to allow. If the predefined roles in Azure aren't granular enough, you can create custom roles to separate and limit access permissions.

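The custom-role and scope points above, carried through in PowerShell as an added example (not code from the original article): it builds a narrowly scoped role for a support team, assigns it to a group at resource-group scope, and then lists who holds Owner at the subscription, which is the assignment the periodic review should scrutinize. It assumes the Az module (Az.Resources) and an active Connect-AzAccount session; the subscription ID, group object ID, role name and resource group are placeholders.

```powershell
# Added example: create a least-privilege custom role, assign it to a group, and review Owners.
# Assumes the Az module (Az.Resources) and that Connect-AzAccount has been run.
# Subscription ID, group object ID, role name and resource group name are placeholders.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$scope = "/subscriptions/$subscriptionId"

# 1. Start from a built-in role so the object has the right shape, then strip it down to
#    only the operations the support team actually needs.
$role = Get-AzRoleDefinition -Name 'Virtual Machine Contributor'
$role.Id = $null
$role.IsCustom = $true
$role.Name = 'VM Support Operator (custom)'
$role.Description = 'Read VMs and resource groups; start, restart and deallocate VMs. No delete, no network changes.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/read')
$role.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
$role.Actions.Add('Microsoft.Compute/virtualMachines/deallocate/action')
$role.NotActions.Clear()
# The role can only ever be assigned inside this subscription.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
New-AzRoleDefinition -Role $role | Out-Null

# 2. Assign to a group, not to individual people, and at the narrowest scope that works.
New-AzRoleAssignment -ObjectId '11111111-1111-1111-1111-111111111111' `   # placeholder group object ID
    -RoleDefinitionName $role.Name -ResourceGroupName 'rg-app-placeholder' | Out-Null

# 3. Review: every Owner assignment that applies at subscription scope (including inherited ones).
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' } |
    Select-Object DisplayName, ObjectType, SignInName, Scope |
    Format-Table -AutoSize
```

The review query is the part worth scheduling: Owner assignments that point at a user account (ObjectType User) rather than a group, or at a service principal nobody recognizes, are the ones to follow up on first.
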
Figure 3: Access control (screenshot).

Learn more:

Best practice: Review audit and security logs

Azure AD provides activity logs that appear in Azure Monitor. The logs capture the operations performed in the Azure tenancy, when they occurred, and who performed them.

  • Audit logs show the history of tasks in the tenant. Sign-in activity logs show who carried out the tasks.

  • Access to security reports depends on your Azure AD license. With the free and basic licenses, you get a list of risky users and sign-ins. With the premium licenses, you get underlying event information.

  • You can route activity logs to various endpoints for long-term retention and data insights.

  • Make it a common practice to review the logs, or integrate your security information and event management (SIEM) tools to automatically review abnormalities. If you're not using a premium license, you'll need to do a lot of analysis yourself, or by using your SIEM system. Analysis includes looking for risky sign-ins and events, and other user attack patterns.

    Figure 4: Azure AD users and groups (screenshot).

Learn more:

Best practice: Evaluate other security features

Azure provides other security features that provide advanced security options. Note that some of the following best practices require add-on licenses and premium options.

  • Implement Azure AD administrative units (AUs). Delegating administrative duties to support staff can be tricky with just basic Azure access control. Giving support staff access to administer all the groups in Azure AD might not be the ideal approach for organizational security. Using AUs allows you to segregate Azure resources into containers in a similar way to on-premises organizational units (OUs). To use AUs, the AU admin must have a premium Azure AD license. For more information, see Administrative units management in Azure AD.
  • Use multi-factor authentication. If you have a premium Azure AD license, you can enable and enforce multi-factor authentication on your admin accounts. Phishing is the most common way that account credentials are compromised. When a bad actor has admin account credentials, there's no stopping them from far-reaching actions, such as deleting all of your resource groups. You can establish multi-factor authentication in several ways, including with email, an authenticator app, and phone text messages. As an administrator, you can select the least intrusive option. Multi-factor authentication integrates with threat analytics and conditional access policies to randomly require a multi-factor authentication challenge response. Learn more about security guidance, and how to set up multi-factor authentication.
  • Implement conditional access. In most small and medium-sized organizations, Azure admins and the support team are probably located in a single geography. In this case, most sign-ins come from the same areas. If the IP addresses of these locations are fairly static, it makes sense that you shouldn't see administrator sign-ins from outside these areas. Even if a remote bad actor compromises an administrator's credentials, you can implement security features like conditional access, combined with multi-factor authentication, to prevent signing in from remote locations. This can also prevent spoofed locations from random IP addresses. Learn more about conditional access and review best practices for conditional access in Azure AD.
  • Review enterprise application permissions. Over time, admins select Microsoft and third-party links without knowing their effect on the organization. Links can present consent screens that assign permissions to Azure apps. This might allow access to read Azure AD data, or even full access to manage your entire Azure subscription. You should regularly review the applications to which your admins and users have allowed access to Azure resources. Ensure that these applications have only the permissions that are necessary. Additionally, quarterly or semi-annually you can email users with a link to application pages, so that they're aware of the applications to which they've allowed access to their organizational data. For more information, see Unexpected application in my applications list, and how to control application assignments in Azure AD.

Manage migrated workloads

In the following sections, we'll recommend some best practices for Azure management, including:

  • Best practices for Azure resource groups and resources, including smart naming, preventing accidental deletion, managing resource permissions, and effective resource tagging.
  • Get a quick overview on using blueprints for building and managing your deployment environments.
  • Review sample Azure architectures to learn from as you build your post-migration deployments.
  • If you have multiple subscriptions, you can gather them into management groups, and apply governance settings to those groups.
  • Apply compliance policies to your Azure resources.
  • Put together a business continuity and disaster recovery (BCDR) strategy to keep data safe, your environment resilient, and resources up and running when outages occur.
  • Group VMs into availability groups for resilience and high availability. Use managed disks for ease of VM disk and storage management.
  • Enable diagnostic logging for Azure resources, build alerts and playbooks for proactive troubleshooting, and use the Azure dashboard for a unified view of your deployment health and status.
  • Understand your Azure Support plan and how to implement it, get best practices for keeping VMs up-to-date, and put processes in place for change management.

Best practice: Name resource groups

Ensure that your resource groups have meaningful names that admins and support team members can easily recognize and scan. This can drastically improve productivity and efficiency.

If you're synchronizing your on-premises Active Directory to Azure AD by using Azure AD Connect, consider matching the names of security groups on-premises to the names of resource groups in Azure.

Figure 5: Resource group naming (screenshot).

Learn more:

Best practice: Implement delete locks for resource groups

The last thing you need is for a resource group to disappear because it was deleted accidentally. We recommend that you implement delete locks, so that this doesn't happen.

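Applying that recommendation across a whole subscription, as an added PowerShell example (not code from the original article): it puts a CanNotDelete lock on every resource group that does not already have one and then verifies the result. It assumes the Az module (Az.Resources) and an active Connect-AzAccount session; the lock name is an assumed naming convention.

```powershell
# Added example: apply a CanNotDelete lock to every resource group that lacks one, then verify.
# Assumes the Az module (Az.Resources) and that Connect-AzAccount has been run.

$lockName = 'do-not-delete'   # naming convention is an assumption

foreach ($rg in Get-AzResourceGroup) {
    # -AtScope returns only locks set on the group itself, not locks on its child resources.
    $deleteLocks = @(Get-AzResourceLock -ResourceGroupName $rg.ResourceGroupName -AtScope |
        Where-Object { $_.Properties.level -eq 'CanNotDelete' })
    if ($deleteLocks.Count -gt 0) { continue }

    New-AzResourceLock -LockName $lockName -LockLevel CanNotDelete `
        -ResourceGroupName $rg.ResourceGroupName `
        -LockNotes 'Remove this lock deliberately, and record why, before deleting the group.' `
        -Force | Out-Null
}

# Verify: every group should now report at least one CanNotDelete lock.
Get-AzResourceGroup | ForEach-Object {
    $rgName = $_.ResourceGroupName
    $count = @(Get-AzResourceLock -ResourceGroupName $rgName -AtScope |
        Where-Object { $_.Properties.level -eq 'CanNotDelete' }).Count
    [pscustomobject]@{ ResourceGroup = $rgName; DeleteLocks = $count }
} | Format-Table -AutoSize
```

Two caveats worth knowing before you roll this out: a lock on the group also blocks deletion of every resource inside it, which includes legitimate delete-style operations such as scaling in a VM scale set, so keep an explicit list of exceptions; and anyone holding Owner or User Access Administrator can remove the lock first, so the lock complements the RBAC review above rather than replacing it.
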
Figure 6: Delete locks (screenshot).

Learn more:

Best practice: Understand resource access permissions

A subscription owner has access to all the resource groups and resources in your subscription.

  • Add people sparingly to this valuable assignment. Understanding the ramifications of these types of permissions is important in keeping your environment secure and stable.
  • Make sure you place resources in appropriate resource groups:
    • Match resources with a similar lifecycle together. Ideally, you shouldn't need to move a resource when you need to delete an entire resource group.
    • Resources that support a function or workload should be placed together for simplified management.

Learn more:

Best practice: Tag resources effectively

Often, using only a resource group name related to resources won't provide enough metadata for effective implementation of mechanisms, such as internal billing or management within a subscription.

  • As a best practice, use Azure tags to add useful metadata that can be queried and reported on.

  • Tags provide a way to logically organize resources with properties that you define. Tags can be applied to resource groups or resources directly.

  • Tags can be applied on a resource group or on individual resources. Resource group tags aren't inherited by the resources in the group.

  • You can automate tagging by using PowerShell or Azure Automation, or tag individual groups and resources.

  • If you have a request and change management system in place, then you can easily use the information in the request to populate your company-specific resource tags.

    Figure 7: Tagging (screenshot).

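Putting the tagging points together, the following PowerShell is an added example (not code from the original article): it defines a required-tag convention, reports every resource that is missing one of those tags, and fills in what it can from a change-management record. Because resource group tags are not inherited, it writes the values onto each resource. It assumes the Az module (Az.Resources) and an active Connect-AzAccount session; the tag names and the ticket data are constructed placeholders standing in for your request system.

```powershell
# Added example: enforce a required-tag convention and populate missing tags from change records.
# Assumes the Az module (Az.Resources) and that Connect-AzAccount has been run.
# Tag names and the ticket data below are constructed placeholders.

$requiredTags = @('CostCenter', 'Owner', 'Environment')

# Constructed stand-in for what a request/change-management system returns per resource group.
$ticketData = @{
    'rg-app'  = @{ CostCenter = 'CC-1001'; Owner = 'app-team@contoso.example';  Environment = 'prod' }
    'rg-data' = @{ CostCenter = 'CC-1002'; Owner = 'data-team@contoso.example'; Environment = 'prod' }
}

function Get-MissingTags {
    # Returns the required tag names that are absent or empty on a resource.
    param([hashtable]$Tags)
    if (-not $Tags) { return $requiredTags }
    return @($requiredTags | Where-Object {
        -not $Tags.ContainsKey($_) -or [string]::IsNullOrWhiteSpace($Tags[$_])
    })
}

$stillMissing = foreach ($resource in Get-AzResource) {
    $missing = Get-MissingTags -Tags $resource.Tags
    if ($missing.Count -eq 0) { continue }

    # Resource group tags are not inherited, so values are written on the resource itself.
    $source = $ticketData[$resource.ResourceGroupName]
    $patch = @{}
    if ($source) {
        foreach ($tag in $missing) { if ($source[$tag]) { $patch[$tag] = $source[$tag] } }
    }
    if ($patch.Count -gt 0) {
        # Merge keeps existing tags and adds or overwrites only the keys in $patch.
        Update-AzTag -ResourceId $resource.ResourceId -Tag $patch -Operation Merge | Out-Null
    }

    $unresolved = @($missing | Where-Object { -not $patch.ContainsKey($_) })
    if ($unresolved.Count -gt 0) {
        [pscustomobject]@{
            Resource      = $resource.Name
            ResourceGroup = $resource.ResourceGroupName
            Missing       = ($unresolved -join ',')
        }
    }
}

# Whatever is listed here has no record to draw from and needs a person to supply the values.
$stillMissing | Format-Table -AutoSize
```

The report at the end is the useful artifact for the billing or ownership question the section opens with: a resource with no Owner tag and no matching change record is exactly the one nobody will claim when it needs patching or decommissioning.
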
Learn more:

Best practice: Implement blueprints

Just as a blueprint allows engineers and architects to sketch a project's design parameters, the Azure Blueprints service enables cloud architects and central IT groups to define a repeatable set of Azure resources. This helps them to implement and adhere to an organization's standards, patterns, and requirements. Using Azure Blueprints, development teams can rapidly build and create new environments that meet organizational compliance requirements. These new environments have a set of built-in components, such as networking, to speed up development and delivery.

  • Use blueprints to orchestrate the deployment of resource groups, Azure Resource Manager templates, and policy and role assignments.
  • Store blueprints in a globally distributed service, Azure Cosmos DB. Blueprint objects are replicated to multiple Azure regions. Replication provides low latency, high availability, and consistent access to a blueprint, regardless of the region to which a blueprint deploys resources.

Learn more:

Best practice: Review Azure reference architectures

Building secure, scalable, and manageable workloads in Azure can be daunting. With continual changes, it can be difficult to keep up with different features for an optimal environment. Having a reference to learn from can be helpful when designing and migrating your workloads. Azure and Azure partners have built several sample reference architectures for various types of environments. These samples are designed to provide ideas that you can learn from and build on.

Reference architectures are arranged by scenario. They contain best practices and advice on management, availability, scalability, and security. App Service Environment provides a fully isolated and dedicated environment for running applications, such as Windows and Linux web apps, Docker containers, mobile apps, and functions. App Service adds the power of Azure to your application, with security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps and GitHub, package management, staging environments, custom domains, and SSL certificates. App Service is useful for applications that need isolation and secure network access, and those that use high amounts of memory and other resources that need to scale.

Learn more:

Best practice: Manage resources with Azure management groups

If your organization has multiple subscriptions, you need to manage access, policies, and compliance for them. Azure management groups provide a level of scope above subscriptions. Here are some tips:

  • You organize subscriptions into containers called management groups, and apply governance conditions to them.
  • All subscriptions in a management group automatically inherit the management group conditions.
  • Management groups provide large-scale, enterprise-grade management, no matter what type of subscriptions you have.
  • For example, you can apply a management group policy that limits the regions in which VMs can be created. This policy is then applied to all management groups, subscriptions, and resources under that management group.
  • You can build a flexible structure of management groups and subscriptions, to organize your resources into a hierarchy for unified policy and access management.

The following diagram shows an example of creating a hierarchy for governance by using management groups.

Figure 8: Management groups (diagram).

Learn more:

Best practice: Deploy Azure Policy

Azure Policy is a service that you use to create, assign, and manage policies. Policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements.

Azure Policy evaluates your resources, scanning for those not compliant with your policies. For example, you can create a policy that allows only a specific SKU size for VMs in your environment. Azure Policy will evaluate this setting when you create and update resources, and when scanning existing resources. Note that Azure provides some built-in policies that you can assign, or you can create your own.

Figure 9: Azure Policy (screenshot).

Learn more:

Best practice: Implement a BCDR strategy

Planning for BCDR is a critical exercise that you should complete as part of your Azure migration planning process. In legal terms, your contracts might include a force majeure clause that excuses obligations due to a greater force, such as hurricanes or earthquakes. But you must ensure that essential services continue to run and recover when disaster strikes. Your ability to do this can make or break your company's future.

Broadly, your BCDR strategy must consider:

  • Data backup: How to keep your data safe so that you can recover it easily if outages occur.
  • Disaster recovery: How to keep your applications resilient and available if outages occur.

Set up BCDR

When migrating to Azure, understand that although the Azure platform provides some built-in resiliency capabilities, you need to design your Azure deployment to take advantage of them.

  • Your BCDR solution will depend on your company objectives, and is influenced by your Azure deployment strategy. Infrastructure as a service (IaaS) and platform as a service (PaaS) deployments present different challenges for BCDR.
  • After they are in place, your BCDR solutions should be tested regularly to check that your strategy remains viable.

Back up an IaaS deployment

In most cases, an on-premises workload is retired after migration, and your on-premises strategy for backing up data must be extended or replaced. If you migrate your entire datacenter to Azure, you'll need to design and implement a full backup solution by using Azure technologies or third-party integrated solutions.

For workloads running on Azure IaaS VMs, consider these backup solutions:

  • Azure Backup: Provides application-consistent backups for Azure Windows and Linux VMs.
  • Storage snapshots: Takes snapshots of Blob Storage.

Azure Backup

Azure Backup creates data recovery points that are stored in Azure Storage. Azure Backup can back up Azure VM disks, and Azure Files (preview). Azure Files provides file shares in the cloud, accessible via Server Message Block (SMB).

You can use Azure Backup to back up VMs in the following ways:

  • Direct backup from VM settings. You can back up VMs with Azure Backup directly from the VM options in the Azure portal. You can back up the VM once per day, and you can restore the VM disk as needed. Azure Backup takes application-aware data snapshots, and no agent is installed on the VM.
  • Direct backup in a Recovery Services vault. You can back up your IaaS VMs by deploying an Azure Backup Recovery Services vault. This provides a single location to track and manage backups, as well as granular backup and restore options. Backup is up to three times a day, at the file and folder levels. It isn't application-aware, and Linux isn't supported. Install the Microsoft Azure Recovery Services (MARS) agent on each VM that you want to back up by using this method.
  • Protect the VM to Azure Backup Server. Azure Backup Server is provided free with Azure Backup. The VM is backed up to local Azure Backup Server storage. You then back up the Azure Backup Server to Azure in a vault. Backup is application-aware, with full granularity over backup frequency and retention. You can back up at the application level, for example by backing up SQL Server or SharePoint.

For security, Azure Backup encrypts data in flight by using AES-256 and sends it over HTTPS to Azure. Backed-up data at rest in Azure is encrypted by using Azure Storage encryption.

Figure 10: Azure Backup (screenshot).

Learn more:

Storage snapshots

Azure VMs are stored as page blobs in Azure Storage. Snapshots capture the blob state at a specific point in time. As an alternative backup method for Azure VM disks, you can take a snapshot of storage blobs and copy them to another storage account.

You can copy an entire blob, or use an incremental snapshot copy to copy only delta changes and reduce storage space. As an extra precaution, you can enable soft delete for Blob Storage accounts. With this feature enabled, a blob that's deleted is marked for deletion, but not immediately purged. During the interim period, you can restore the blob.

Learn more:

Third-party backup

In addition, you can use third-party solutions to back up Azure VMs and storage containers to local storage or other cloud providers. For more information, see Backup solutions in Azure Marketplace.

Set up disaster recovery for IaaS applications

In addition to protecting data, BCDR planning must consider how to keep applications and workloads available if a disaster occurs. For workloads that run on Azure IaaS VMs and Azure Storage, consider the solutions in the following sections.

Azure Site Recovery

Azure Site Recovery is the primary Azure service for ensuring that Azure VMs can be brought online, and VM applications made available, when outages occur.

Site Recovery replicates VMs from a primary to a secondary Azure region. If disaster strikes, you fail VMs over from the primary region, and continue accessing them as normal in the secondary region. When operations return to normal, you can fail back VMs to the primary region.

Figure 11: Site Recovery (diagram).

Learn more:

Best practice: Use managed disks and availability sets

Azure uses availability sets to logically group VMs together, and to isolate VMs in a set from other resources. VMs in an availability set are spread across multiple fault domains with separate subsystems, which protects against local failures. The VMs are also spread across multiple update domains, preventing a simultaneous reboot of all VMs in the set.

Azure managed disks simplify disk management for Azure Virtual Machines by managing the storage accounts associated with the VM disks.

  • Use managed disks wherever possible. You only have to specify the type of storage you want to use and the size of disk you need, and Azure creates and manages the disk for you.

  • You can convert existing disks to managed disks.

  • You should create VMs in availability sets for high resilience and availability. When planned or unplanned outages occur, availability sets ensure that at least one VM in the set remains available.

Figure 12: Managed disks (diagram).

Learn more:

Best practice: Monitor resource usage and performance

You might have moved your workloads to Azure for its immense scaling capabilities. But moving your workload doesn't mean that Azure will automatically implement scaling without your input. Here are two examples:

  • If your marketing organization pushes a new television advertisement that drives 300 percent more traffic, this might cause site availability issues. Your newly migrated workload might hit assigned limits, and crash.
  • If there's a distributed denial-of-service (DDoS) attack on your migrated workload, you don't want to scale in response. You want to prevent the source of the attack from reaching your resources.

These two cases have different resolutions, but for both you need insight into what's happening, through usage and performance monitoring.

  • Azure Monitor can help surface these metrics, and provide a response with alerts, autoscaling, Event Hubs, and Logic Apps.

  • You can also integrate your third-party SIEM application to monitor the Azure logs for auditing and performance events.

Figure 13: Azure Monitor (screenshot).

Learn more:

Best practice: Enable diagnostic logging

Azure resources generate a fair number of logging metrics and telemetry data. By default, most resource types don't have diagnostic logging enabled. By enabling diagnostic logging across your resources, you can query logging data, and build alerts and playbooks based on it.

When you enable diagnostic logging, each resource will have a specific set of categories. You select one or more logging categories, and a location for the log data. Logs can be sent to a storage account, an event hub, or Azure Monitor Logs.

Figure 14: Diagnostic logging (screenshot).

Learn more:

Best practice: Set up alerts and playbooks

With diagnostic logging enabled for Azure resources, you can start to use logging data to create custom alerts.

  • Alerts proactively notify you when conditions are found in your monitoring data. You can then address issues before system users notice them. You can alert on metric values, log search queries, activity log events, platform health, and website availability.

  • When alerts are triggered, you can run a logic app playbook. A playbook helps you to automate and orchestrate a response to a specific alert. Playbooks are based on Azure Logic Apps. You can use logic app templates to create playbooks, or create your own.

  • As a simple example, you can create an alert that triggers when a port scan happens against an NSG. You can set up a playbook that runs and locks down the IP address of the scan origin.

  • Another example is an application with a memory leak. When the memory usage gets to a certain point, a playbook can recycle the process.

Figure 15: Alerts (screenshot).
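As an added example, not code from the original article or from Microsoft: detection logic over constructed NSG flow-log tuples that raises the port-scan alert described above and produces the playbook's response as an inbound Deny rule for the scanning source. The tuple layout follows the NSG flow log v2 format; the sample addresses, thresholds, rule name and priority are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed NSG flow-log v2 tuples:
# time,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision,state,pkts,bytes,pkts,bytes
SAMPLE_FLOW_TUPLES: List[str] = [
    "1700000000,10.0.0.4,10.0.1.10,51000,443,T,I,A,B,3,180,2,120",
    "1700000005,10.0.0.5,10.0.1.10,51001,443,T,I,A,B,3,180,2,120",
    "1700000006,10.0.1.10,10.0.0.4,443,51000,T,O,A,B,2,120,0,0",
] + [
    # one external source (TEST-NET-3 address) touching 25 ports in 25 seconds
    f"{1700000010 + i},203.0.113.7,10.0.1.10,{40000 + i},{20 + i},T,I,D,B,1,60,0,0"
    for i in range(25)
]

def parse_tuple(raw: str) -> Dict[str, object]:
    """Split one flow tuple into the fields the detector needs."""
    f = raw.split(",")
    return {"time": int(f[0]), "src": f[1], "dst": f[2],
            "dst_port": int(f[4]), "direction": f[6], "decision": f[7]}

def detect_port_scans(tuples: List[str], window_s: int = 60,
                      min_ports: int = 20) -> List[Dict[str, object]]:
    """Alert when one source hits >= min_ports distinct inbound destination
    ports on a host within window_s seconds (denied or allowed flows alike)."""
    ports: Dict[tuple, Set[int]] = defaultdict(set)
    first: Dict[tuple, int] = {}
    last: Dict[tuple, int] = {}
    for rec in map(parse_tuple, tuples):
        if rec["direction"] != "I":
            continue  # only inbound probes count as a scan of this host
        key = (rec["src"], rec["dst"])
        ports[key].add(rec["dst_port"])
        first[key] = min(first.get(key, rec["time"]), rec["time"])
        last[key] = max(last.get(key, rec["time"]), rec["time"])
    alerts = []
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports and last[(src, dst)] - first[(src, dst)] <= window_s:
            alerts.append({"source": src, "target": dst, "distinct_ports": len(seen),
                           "span_s": last[(src, dst)] - first[(src, dst)]})
    return alerts

def playbook_block_source(alert: Dict[str, object], priority: int = 100) -> Dict[str, object]:
    """Playbook response described in the text: an inbound Deny rule for the
    scanning source, in NSG securityRule property naming (values constructed)."""
    src = str(alert["source"])
    return {"name": f"deny-scan-{src.replace('.', '-')}",
            "properties": {"priority": priority, "direction": "Inbound",
                           "access": "Deny", "protocol": "*",
                           "sourceAddressPrefix": src, "sourcePortRange": "*",
                           "destinationAddressPrefix": str(alert["target"]),
                           "destinationPortRange": "*"}}
```

In a real deployment the flow records would come from the flow-log storage account and the rule would be applied by the logic app; here both ends are represented by plain data so the logic can be tested offline.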

Learn more:

Best practice: Use the Azure dashboard

The Azure portal is a web-based unified console that allows you to build, manage, and monitor everything from simple web apps to complex cloud applications. It includes a customizable dashboard and accessibility options.

  • You can create multiple dashboards and share them with others who have access to your Azure subscriptions.

  • With this shared model, your team has visibility into the Azure environment, which helps them to be proactive when managing systems in the cloud.

Figure 16: Azure dashboard (screenshot).

Learn more:

Best practice: Understand support plans

At some point, you will need to collaborate with your support staff or Microsoft support staff. Having a set of policies and procedures for support during scenarios such as disaster recovery is vital. In addition, your admins and support staff should be trained on implementing those policies.

  • In the unlikely event that an Azure service issue affects your workload, admins should know how to submit a support ticket to Microsoft in the most appropriate and efficient way.

  • Familiarize yourself with the various support plans offered for Azure. They range from response times dedicated to developer instances, to premier support with a response time of less than 15 minutes.

Figure 17: Support plans (screenshot).

Learn more:

Best practice: Manage updates

Keeping Azure VMs updated with the latest operating system and software updates is a massive chore. The ability to surface all VMs, figure out which updates they need, and automatically push those updates is extremely valuable.

  • You can use Update Management in Azure Automation to manage operating system updates. This applies to Windows and Linux machines that are deployed in Azure, on-premises, and in other cloud providers.

  • Use Update Management to quickly assess the status of available updates on all agent computers, and manage update installation.

  • You can enable Update Management for VMs directly from an Azure Automation account. You can also update a single VM from the VM page in the Azure portal.

  • In addition, you can register Azure VMs with System Center Configuration Manager. You can then migrate the Configuration Manager workload to Azure and do reporting and software updates from a single web interface.

Figure 18: VM updates (diagram).

Learn more:

Implement a change management process

As with any production system, making any type of change can affect your environment. A change management process that requires requests to be submitted in order to make changes to production systems is a valuable addition in your migrated environment.

  • You can build best practice frameworks for change management to raise awareness in administrators and support staff.
  • You can use Azure Automation to help with configuration management and change tracking for your migrated workflows.
  • When enforcing a change management process, you can use audit logs to link Azure change logs to existing change requests. Then, if you see a change made without a corresponding change request, you can investigate what went wrong in the process.
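Added example (not the article's own code) of the audit-log reconciliation just described: successful write, delete and action operations from constructed Azure Activity Log events are matched against change-request windows, and changes without a covering request are returned for investigation. The event field names follow the Activity Log schema; the event values, change requests, caller identities and the all-zero subscription ID are constructed placeholders.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

def ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp as the Activity Log emits it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

# Placeholder subscription/resource-group prefix for constructed resource IDs.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers"
NSG = f"{RG}/Microsoft.Network/networkSecurityGroups/nsg-web"
VM = f"{RG}/Microsoft.Compute/virtualMachines/vm-web-01"

# Constructed change requests: an approved window for a resource and its children.
CHANGE_REQUESTS = [
    {"id": "CHG-0042", "resourceId": NSG,
     "start": "2024-03-01T20:00:00Z", "end": "2024-03-01T22:00:00Z"},
]

# Constructed Activity Log events (field names follow the Activity Log schema).
ACTIVITY_EVENTS = [
    {"operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "caller": "ops@example.com", "eventTimestamp": "2024-03-01T20:15:00Z",
     "resourceId": f"{NSG}/securityRules/allow-https", "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "audit@example.com", "eventTimestamp": "2024-03-01T21:00:00Z",
     "resourceId": VM, "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "dev@example.com", "eventTimestamp": "2024-03-02T03:10:00Z",
     "resourceId": VM, "status": "Succeeded"},
    {"operationName": "Microsoft.Compute/virtualMachines/delete",
     "caller": "dev@example.com", "eventTimestamp": "2024-03-02T03:12:00Z",
     "resourceId": VM, "status": "Failed"},
]

CHANGE_SUFFIXES = {"write", "delete", "action"}

def is_change(event: Dict[str, str]) -> bool:
    """Only successful write/delete/action operations alter the environment."""
    return (event["status"] == "Succeeded"
            and event["operationName"].rsplit("/", 1)[-1] in CHANGE_SUFFIXES)

def matching_request(event: Dict[str, str], requests: List[Dict[str, str]]) -> Optional[str]:
    """Return the ID of a request covering the resource (or a child) at that time."""
    when = ts(event["eventTimestamp"])
    for req in requests:
        if (event["resourceId"].startswith(req["resourceId"])
                and ts(req["start"]) <= when <= ts(req["end"])):
            return req["id"]
    return None

def reconcile(events, requests) -> Dict[str, List[Dict[str, object]]]:
    """Split changes into those covered by a request and those to investigate."""
    result: Dict[str, List[Dict[str, object]]] = {"matched": [], "unmatched": []}
    for event in events:
        if not is_change(event):
            continue
        cr = matching_request(event, requests)
        result["matched" if cr else "unmatched"].append({**event, "changeRequest": cr})
    return result
```

The unmatched list is the input to the investigation step the text describes; read operations and failed attempts are ignored because they changed nothing.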

Azure has a change-tracking solution in Azure Automation:

  • The solution tracks changes to Windows and Linux software and files, Windows registry keys, Windows services, and Linux daemons.

  • Changes on monitored servers are sent to Azure Monitor for processing.

  • Logic is applied to the received data, and the cloud service records the data.

  • On the change tracking dashboard, you can easily see the changes that were made in your server infrastructure.

Figure 19: A change management chart (screenshot).

Learn more:

Next steps

Review other best practices: