
What are security partner providers?

Security partner providers in Azure Firewall Manager allow you to use your familiar, best-in-breed, third-party security as a service (SECaaS) offerings to protect Internet access for your users.

With a quick configuration, you can secure a hub with a supported security partner, and route and filter Internet traffic from your virtual networks (VNets) or branch locations within a region. You can do this with automated route management, without setting up and managing user-defined routes (UDRs).

You can deploy secured hubs configured with the security partner of your choice in multiple Azure regions to get connectivity and security for your users anywhere across the globe in those regions. With the ability to use the security partner's offering for Internet/SaaS application traffic, and Azure Firewall for private traffic in the secured hubs, you can now start building your security edge on Azure that is close to your globally distributed users and applications.

The supported security partners are Zscaler, Check Point, and iboss.

(Figure: Security partner providers)

Key scenarios

You can use the security partners to filter Internet traffic in the following scenarios:

  • Virtual Network (VNet)-to-Internet

    Use advanced user-aware Internet protection for your cloud workloads running on Azure.

  • Branch-to-Internet

    Use your Azure connectivity and global distribution to easily add third-party NSaaS filtering for branch-to-Internet scenarios. You can build your global transit network and security edge using Azure Virtual WAN.

The following scenarios are supported:

  • Two security providers in the hub

    VNet/Branch-to-Internet via a security partner provider, and the other traffic (spoke-to-spoke, spoke-to-branch, branch-to-spoke) via Azure Firewall.

  • Single provider in the hub

    • All traffic (spoke-to-spoke, spoke-to-branch, branch-to-spoke, VNet/Branch-to-Internet) secured by Azure Firewall
      or
    • VNet/Branch-to-Internet via a security partner provider

Best practices for Internet traffic filtering in secured virtual hubs

Internet traffic typically includes web traffic. But it also includes traffic destined to SaaS applications like Microsoft 365 and Azure public PaaS services like Azure Storage, Azure SQL, and so on. The following are best practice recommendations for handling traffic to these services:

Handling Azure PaaS traffic

  • Use Azure Firewall for protection if your traffic consists mostly of Azure PaaS, and the resource access for your applications can be filtered using IP addresses, FQDNs, service tags, or FQDN tags.

  • Use a third-party partner solution in your hubs if your traffic consists of SaaS application access, or you need user-aware filtering (for example, for your virtual desktop infrastructure (VDI) workloads), or you need advanced Internet filtering capabilities.
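As an added example (not from this page or from Microsoft), the following Bicep fragment shows the first recommendation above in practice: a rule collection group on the hub's Azure Firewall policy that allows spoke traffic to Azure PaaS using service tags and an FQDN tag instead of hand-maintained IP lists, so that Internet/SaaS traffic can be left to the security partner. The policy name and spoke address range are assumptions.

```bicep
// Added example: keep Azure PaaS access on Azure Firewall (service tags / FQDN tags),
// leaving Internet/SaaS traffic to the security partner provider in the hub.
param policyName string = 'hub-fw-policy' // existing Firewall Policy name (assumed)
param spokeRange string = '10.1.0.0/16'   // spoke VNet address range (constructed)

resource policy 'Microsoft.Network/firewallPolicies@2021-05-01' existing = {
  name: policyName
}

resource paasRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = {
  parent: policy
  name: 'paas-rcg'
  properties: {
    priority: 200
    ruleCollections: [
      {
        // Network rule collection: destinations are Azure service tags, which
        // Microsoft keeps current, so no IP ranges to maintain in the policy.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-azure-paas-network'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spokes-to-storage-and-sql'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ spokeRange ]
            destinationAddresses: [ 'Storage', 'Sql' ]
            destinationPorts: [ '443', '1433' ]
          }
        ]
      }
      {
        // Application rule collection: an FQDN tag stands in for a
        // Microsoft-maintained set of FQDNs, again avoiding manual lists.
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-azure-paas-application'
        priority: 110
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'spokes-to-windows-update'
            sourceAddresses: [ spokeRange ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            fqdnTags: [ 'WindowsUpdate' ]
          }
        ]
      }
    ]
  }
}
```

Anything not matched by these collections stays denied by Azure Firewall's default behaviour, so only the PaaS destinations you name are reachable from the spokes through this path.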

(Figure: All scenarios for Azure Firewall Manager)

Handling Microsoft 365 traffic

In globally distributed branch location scenarios, you should redirect Microsoft 365 traffic directly at the branch before sending the remaining Internet traffic to your Azure secured hub.

For Microsoft 365, network latency and performance are critical for a successful user experience. To achieve these goals around optimal performance and user experience, customers must implement Microsoft 365 direct and local escape before considering routing the rest of the Internet traffic through Azure.

Microsoft 365 network connectivity principles call for key Microsoft 365 network connections to be routed locally from the user branch or mobile device and directly over the Internet into the nearest Microsoft network point of presence.

Furthermore, Microsoft 365 connections are encrypted for privacy and use efficient, proprietary protocols for performance reasons. This makes it impractical and impactful to subject those connections to traditional network-level security solutions. For these reasons, we strongly recommend that customers send Microsoft 365 traffic directly from branches before sending the rest of the traffic through Azure. Microsoft has partnered with several SD-WAN solution providers, who integrate with Azure and Microsoft 365 and make it easy for customers to enable Microsoft 365 direct and local Internet breakout. For details, see What is Azure Virtual WAN?

Next steps

Deploy a security partner offering in a secured hub, using Azure Firewall Manager.