
Connectivity to Azure PaaS services

Building on the previous connectivity sections, this section explores recommended connectivity approaches for using Azure PaaS services.

Design considerations:

  • Azure PaaS services are typically accessed over public endpoints. However, the Azure platform provides capabilities to secure such endpoints or even make them entirely private:

    • Virtual network injection provides dedicated private deployments for supported services. Management plane traffic still flows through public IP addresses.

    • Private Link provides dedicated access by using private IP addresses to Azure PaaS instances or to custom services behind Azure Load Balancer Standard tier.

    • Virtual network service endpoints provide service-level access from selected subnets to selected PaaS services.

  • Enterprises often have concerns about public endpoints for PaaS services; these concerns must be appropriately mitigated.

  • For supported services, Private Link addresses the data exfiltration concerns associated with service endpoints. As an alternative, you can use outbound filtering via NVAs to mitigate data exfiltration.
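The following Bicep template is an added example, not code from the page or from Microsoft's own documentation, that shows the Private Link pattern described above for one shared PaaS service (Azure Storage): the account's public endpoint is disabled, a private endpoint is placed in a subnet, and a private DNS zone makes the account's hostname resolve to the private IP inside the virtual network. The VNet name `hub-vnet`, subnet name `privatelink-snet` and the storage account name are assumed placeholders.

```bicep
// Added example (not from the page): an Azure Storage account reachable only over
// Private Link. Assumed existing VNet 'hub-vnet' with subnet 'privatelink-snet';
// the storage account name is a placeholder and must be globally unique.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'
param subnetName string = 'privatelink-snet'
param storageAccountName string = 'stprivatelinkexample'

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: subnetName
}

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // Weak setting would be publicNetworkAccess 'Enabled' with defaultAction 'Allow':
    // the data plane is then reachable from any public IP that holds a key or SAS.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
    }
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
  }
}

// One private endpoint per sub-resource (blob here; file, queue, table need their own).
resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: subnet.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// Private DNS zone: without it, clients inside the VNet keep resolving the public
// endpoint address and the private endpoint is never used.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: '${vnetName}-link'
  location: 'global'
  properties: {
    registrationEnabled: false
    virtualNetwork: { id: vnet.id }
  }
}

// Writes the A record for the account into the zone when the endpoint is created.
resource dnsGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'blob'
        properties: { privateDnsZoneId: dnsZone.id }
      }
    ]
  }
}
```

The data exfiltration property of this design comes from the private endpoint being bound to one specific resource ID (`privateLinkServiceId`): a workload in the subnet reaches that account's private IP and nothing else over that path, whereas a service endpoint opens the subnet to the whole Storage service. To verify after deployment, resolve the account's blob hostname from a VM in the VNet and confirm it returns the private endpoint's address rather than a public one.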

Design recommendations:

  • Use virtual network injection for supported Azure services to make them available from within your virtual network.

  • Azure PaaS services that have been injected into a virtual network still perform management plane operations by using public IP addresses. Ensure that this communication is locked down within the virtual network by using UDRs and NSGs.

  • Use Private Link, where available, for shared Azure PaaS services. Private Link is generally available for several services and is in public preview for numerous others.

  • Access Azure PaaS services from on-premises via ExpressRoute private peering. Use either virtual network injection for dedicated Azure services or Azure Private Link for available shared Azure services. To access Azure PaaS services from on-premises when virtual network injection or Private Link isn't available, use ExpressRoute with Microsoft peering. This method avoids transiting the public internet.

  • Use virtual network service endpoints to secure access to Azure PaaS services from within your virtual network, but only when Private Link isn't available and there are no data exfiltration concerns. To address data exfiltration concerns with service endpoints, use NVA filtering or use virtual network service endpoint policies for Azure Storage.

  • Don't enable virtual network service endpoints by default on all subnets.

  • Don't use virtual network service endpoints when there are data exfiltration concerns, unless you use NVA filtering.

  • We don't recommend that you implement forced tunneling to enable communication from Azure to Azure resources.
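The following Bicep template is an added example, not code from the page or from Microsoft's documentation, that shows the service endpoint policy mitigation the recommendations refer to for Azure Storage: the subnet keeps its `Microsoft.Storage` service endpoint, but a service endpoint policy restricts which storage accounts are reachable over it. The VNet name `spoke-vnet`, subnet name `app-snet`, address prefix and the `approvedStorageAccountId` parameter are assumed placeholders.

```bicep
// Added example (not from the page): a subnet with the Microsoft.Storage service
// endpoint, restricted by a service endpoint policy to one approved account.
// Assumed existing VNet 'spoke-vnet'; the subnet is managed by this template,
// so it must not also be declared inline in the VNet resource.
param location string = resourceGroup().location
param vnetName string = 'spoke-vnet'
param subnetName string = 'app-snet'
param subnetPrefix string = '10.1.1.0/24'
param approvedStorageAccountId string  // resource ID of the only account this subnet may reach

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: vnetName
}

// Policy definition: traffic over the Storage service endpoint is allowed only to
// the listed resource IDs (an account, a resource group or a subscription).
resource sepPolicy 'Microsoft.Network/serviceEndpointPolicies@2022-07-01' = {
  name: 'sep-storage-allowlist'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'allow-approved-storage-only'
        properties: {
          service: 'Microsoft.Storage'
          serviceResources: [ approvedStorageAccountId ]
        }
      }
    ]
  }
}

// Weak form of this subnet: serviceEndpoints set and serviceEndpointPolicies
// omitted. The endpoint then routes traffic to every storage account in Azure,
// including accounts in tenants the organisation does not control.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: subnetPrefix
    serviceEndpoints: [
      { service: 'Microsoft.Storage' }
    ]
    serviceEndpointPolicies: [
      { id: sepPolicy.id }
    ]
  }
}
```

The policy controls the egress side only. The approved account still needs its own network rules (`networkAcls.defaultAction: 'Deny'` with a `virtualNetworkRules` entry for this subnet) so that only this subnet is admitted on the service side. Service endpoint policies cover Azure Storage; for other services the page's alternative, outbound filtering through an NVA, remains the mitigation.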