您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

规划登陆区域网络分段Plan for landing zone network segmentation

本部分介绍在登陆区域内提供高度安全的内部网络分段以驱动网络零信任实现的关键建议。This section explores key recommendations to deliver highly secure internal network segmentation within a landing zone to drive a network zero-trust implementation.

设计注意事项:Design considerations:

  • 零信任模型采用违反状态,并验证每个请求,就像它来自不受控制的网络。The zero-trust model assumes a breached state and verifies each request as though it originates from an uncontrolled network.

  • 高级零信任网络实现使用完全分布式入口/出口云微外围和更深层的微分段。An advanced zero-trust network implementation employs fully distributed ingress/egress cloud micro-perimeters and deeper micro-segmentation.

  • 网络安全组可以使用 Azure 服务标记来促进与 Azure PaaS 服务的连接。Network security groups can use Azure service tags to facilitate connectivity to Azure PaaS services.

  • 应用程序安全组不跨越或提供跨虚拟网络的保护。Application security groups don't span or provide protection across virtual networks.

  • NSG 流日志现在受 Azure 资源管理器模板支持。NSG flow logs are now supported through Azure Resource Manager templates.

设计建议:Design recommendations:

  • 将子网创建委托给登陆区域所有者。Delegate subnet creation to the landing zone owner. 这使它们可以定义如何跨子网对工作负荷进行分段 (例如,单个大型子网、多层应用程序或网络插入的应用程序) 。This will enable them to define how to segment workloads across subnets (for example, a single large subnet, multitier application, or network-injected application). 平台团队可以使用 Azure 策略来确保 NSG 具有特定规则 (例如,拒绝来自 internet 的入站 SSH 或 RDP,或允许/阻止跨平台的流量) 始终与具有仅拒绝策略的子网相关联。The platform team can use Azure Policy to ensure that an NSG with specific rules (such as deny inbound SSH or RDP from internet, or allow/block traffic across landing zones) is always associated with subnets that have deny-only policies.

  • 使用 Nsg 来帮助保护跨子网的流量,以及跨平台的东部/西部流量 (登陆区域) 之间的流量。Use NSGs to help protect traffic across subnets, as well as east/west traffic across the platform (traffic between landing zones).

  • 应用程序团队应使用子网级 Nsg 中的应用程序安全组来帮助保护登陆区域内的多层 Vm。The application team should use application security groups at the subnet-level NSGs to help protect multitier VMs within the landing zone.

  • 使用 Nsg 和应用程序安全组在登陆区域内对流量进行微分段,并避免使用中央 NVA 来筛选流量流。Use NSGs and application security groups to micro-segment traffic within the landing zone and avoid using a central NVA to filter traffic flows.

  • 启用 NSG 流日志并将其输送到流量分析中,以便深入了解内部和外部流量流。Enable NSG flow logs and feed them into Traffic Analytics to gain insights into internal and external traffic flows.

  • 使用 Nsg 可有选择地允许登陆区域之间的连接。Use NSGs to selectively allow connectivity between landing zones.

  • 对于虚拟 WAN 拓扑,如果你的组织需要筛选和日志记录功能,以便在登陆区域间流动流量,请通过 Azure 防火墙在登陆区域之间路由流量。For Virtual WAN topologies, route traffic across landing zones via Azure Firewall if your organization requires filtering and logging capabilities for traffic flowing across landing zones.