
Plan for inbound and outbound internet connectivity

This section describes recommended connectivity models for inbound and outbound connectivity to and from the public internet.

Design considerations:

  • Azure-native network security services such as Azure Firewall, Azure Web Application Firewall (WAF) on Azure Application Gateway, and Azure Front Door are fully managed services. So you don't incur the operational and management costs associated with infrastructure deployments, which can become complex at scale.

  • The enterprise-scale architecture is fully compatible with partner NVAs, if your organization prefers to use NVAs or for situations where native services don't satisfy your organization's specific requirements.

Design recommendations:

  • Use Azure Firewall to govern:

    • Azure outbound traffic to the internet.

    • Non-HTTP/S inbound connections.

    • East/west traffic filtering (if your organization requires it).

  • Use Firewall Manager with Virtual WAN to deploy and manage Azure firewalls across Virtual WAN hubs or in hub virtual networks. Firewall Manager is now in general availability for both Virtual WAN and regular virtual networks.

  • Create a global Azure Firewall policy to govern security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies that meet the requirements of specific regions by delegating incremental firewall policies to local security teams via Azure role-based access control.

  • Configure supported partner SaaS security providers within Firewall Manager if your organization wants to use such solutions to help protect outbound connections.

  • Use WAF within a landing-zone virtual network to protect inbound HTTP/S traffic from the internet.

  • Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.

  • When you're using Azure Front Door and Azure Application Gateway to help protect HTTP/S applications, use WAF policies in Azure Front Door. Lock down Azure Application Gateway to receive traffic only from Azure Front Door.

  • If partner NVAs are required for east/west or south/north traffic protection and filtering:

    • For Virtual WAN network topologies, deploy the NVAs to a separate virtual network (for example, an NVA virtual network). Then connect it to the regional Virtual WAN hub and to the landing zones that require access to the NVAs. This article describes the process.

    • For non-Virtual WAN network topologies, deploy the partner NVAs in the central hub virtual network.

  • If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network, together with the applications that they're protecting and exposing to the internet.

  • Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within your virtual networks.

  • Don't replicate on-premises perimeter network concepts and architectures into Azure. Similar security capabilities are available in Azure, but the implementation and architecture must be adapted to the cloud.
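As an added example (not from the original page and not one of Microsoft's own templates), the following Bicep shows the Azure Firewall policy hierarchy described in the recommendations above: a global parent policy that governs outbound internet traffic, a regional child policy that inherits it through basePolicy and adds a DNAT rule for a non-HTTP/S inbound connection, and a role assignment scoped to the child policy only so a local security team can extend regional rules without touching the global baseline. All resource names, address ranges, the firewall public IP, the landing-zone host and the team's object ID are constructed placeholders.

```bicep
// Added example, not from the page: global Azure Firewall policy, regional
// child policy, and RBAC delegation on the child only. Names, addresses and
// principal IDs are constructed placeholders.
@description('Object ID of the regional security team group (placeholder).')
param localSecurityTeamObjectId string

@description('Public IP of the regional firewall, used by the DNAT rule (placeholder).')
param firewallPublicIp string = '203.0.113.10'

param location string = resourceGroup().location

// Azure built-in Contributor role definition ID.
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24f'

// Global parent policy. Its rule collection groups are evaluated before any
// child policy's, so a regional team cannot override them.
resource globalPolicy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'fwpol-global'
  location: location
  properties: {
    threatIntelMode: 'Deny'
  }
}

// Global egress baseline: outbound traffic to the internet is allowed only to
// approved destinations; everything else hits the implicit deny.
resource globalEgress 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: globalPolicy
  name: 'rcg-global-egress'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-approved-egress'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'windows-update'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'WindowsUpdate' ]
            sourceAddresses: [ '10.0.0.0/8' ]   // constructed corporate range
          }
        ]
      }
    ]
  }
}

// Regional child policy: inherits the global baseline through basePolicy and
// adds only what this region needs (here, a non-HTTP/S inbound DNAT rule).
resource regionalPolicy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'fwpol-westeurope'
  location: location
  properties: {
    basePolicy: { id: globalPolicy.id }
  }
}

resource regionalInbound 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: regionalPolicy
  name: 'rcg-regional-inbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'inbound-non-http'
        priority: 100
        action: { type: 'DNAT' }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'sftp-to-landing-zone'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '22' ]
            translatedAddress: '10.1.2.4'   // constructed landing-zone host
            translatedPort: '22'
          }
        ]
      }
    ]
  }
}

// Delegation: the regional team is Contributor on the child policy only, so it
// can add regional rules but cannot change the global parent.
resource delegateChild 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(regionalPolicy.id, localSecurityTeamObjectId, contributorRoleId)
  scope: regionalPolicy
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: localSecurityTeamObjectId
    principalType: 'Group'
  }
}
```

The split matters for least privilege: the parent policy carries the organisation-wide posture (threat intelligence in deny mode, the approved-egress allow list), and the only thing the regional group can write is the child policy, whose rules are evaluated after the parent's and therefore cannot relax them.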
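An added example (not part of the original page) of the recommendation to lock down Azure Application Gateway so it receives traffic only from Azure Front Door: a network security group for the gateway subnet that admits HTTPS only from the AzureFrontDoor.Backend service tag, and an Application Gateway WAF policy custom rule that blocks any request whose X-Azure-FDID header does not carry this organisation's Front Door ID. Resource names are constructed and the Front Door ID is a placeholder parameter.

```bicep
// Added example, not from the page: restrict an Application Gateway to traffic
// that arrived through this organisation's Azure Front Door profile.
param location string = resourceGroup().location

@description('frontDoorId (GUID) of the Front Door profile; placeholder value.')
param frontDoorId string = '00000000-0000-0000-0000-000000000000'

// Network layer: the gateway subnet accepts HTTPS only from Front Door edges.
resource agwSubnetNsg 'Microsoft.Network/networkSecurityGroups@2021-05-01' = {
  name: 'nsg-snet-agw'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-FrontDoor-Backend-Https'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Application Gateway v2 requires this range for its control plane.
        name: 'Allow-GatewayManager'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        name: 'Deny-Internet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Application layer: Front Door stamps X-Azure-FDID with the profile's ID, so
// requests missing it or carrying another profile's ID are blocked.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2021-05-01' = {
  name: 'wafpol-agw-frontdoor-only'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    customRules: [
      {
        name: 'BlockIfNotFromOurFrontDoor'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              { variableName: 'RequestHeaders', selector: 'X-Azure-FDID' }
            ]
            operator: 'Equal'
            negationConditon: true   // the API property really is spelled this way
            matchValues: [ frontDoorId ]
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
      ]
    }
  }
}
```

The two layers are complementary rather than redundant: the AzureFrontDoor.Backend service tag covers every Front Door instance in the service, including other tenants', so the NSG only proves the request came through Front Door at all; the X-Azure-FDID check is what pins it to your own profile. Associate the NSG with the Application Gateway subnet and the WAF policy with the gateway (or its listeners) when deploying them.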