
What is Azure Firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Firewall overview

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Azure Firewall offers the following features:

Built-in high availability

High availability is built in, so no additional load balancers are required and there's nothing you need to configure.

Availability Zones

Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. With Availability Zones, your availability increases to 99.99% uptime. For more information, see the Azure Firewall Service Level Agreement (SLA). The 99.99% uptime SLA is offered when two or more Availability Zones are selected.

You can also associate Azure Firewall with a specific zone just for proximity reasons, using the service standard 99.95% SLA.

There's no additional cost for a firewall deployed in an Availability Zone. However, there are additional costs for inbound and outbound data transfers associated with Availability Zones. For more information, see Bandwidth pricing details.

Azure Firewall Availability Zones are available in regions that support Availability Zones. For more information, see What are Availability Zones in Azure?

Note

Availability Zones can only be configured during deployment. You can't configure an existing firewall to include Availability Zones.

For more information about Availability Zones, see What are Availability Zones in Azure?

Unrestricted cloud scalability

Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic or Azure SQL traffic (preview) to a specified list of fully qualified domain names (FQDN), including wildcards. This feature doesn't require SSL termination.

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
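To make the rule semantics above concrete, here is an added example (not Microsoft's code and not the service's implementation) that models allow/deny network rules matched by source, destination, port and protocol, together with the stateful shortcut that lets reply packets of an admitted flow through. The rule collections, addresses and evaluation order (ascending priority, first match wins, default deny) are assumptions constructed for the example.

```python
"""Added example (not Microsoft's code): a small model of the network-rule
semantics described above, with constructed rule collections.

Assumptions not taken from the page: collections are evaluated in ascending
priority order and the first matching rule decides; every rule in a collection
shares the collection's action; traffic that matches no rule is denied; and
because the firewall is stateful, reply packets of an allowed flow are allowed
without a rule of their own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NetworkRule:
    name: str
    protocols: tuple   # e.g. ("TCP",) or ("TCP", "UDP")
    sources: tuple     # CIDR strings, or "*" for any
    destinations: tuple
    ports: tuple       # ints, "lo-hi" ranges, or "*"

    def matches(self, p: Packet) -> bool:
        return (p.proto in self.protocols
                and _addr_in(p.src, self.sources)
                and _addr_in(p.dst, self.destinations)
                and _port_in(p.dport, self.ports))


@dataclass
class RuleCollection:
    name: str
    priority: int      # lower number is evaluated first
    action: str        # "Allow" or "Deny"
    rules: list


def _addr_in(addr: str, cidrs) -> bool:
    a = ip_address(addr)
    return any(c == "*" or a in ip_network(c) for c in cidrs)


def _port_in(port: int, specs) -> bool:
    for s in specs:
        if s == "*":
            return True
        if isinstance(s, str) and "-" in s:
            lo, hi = (int(x) for x in s.split("-"))
            if lo <= port <= hi:
                return True
        elif int(s) == port:
            return True
    return False


class StatefulFirewall:
    def __init__(self, collections):
        self.collections = sorted(collections, key=lambda c: c.priority)
        self.flows = set()   # 5-tuples of flows an Allow rule admitted
        self.log = []        # (packet, decision, rule name or None)

    def evaluate(self, p: Packet) -> str:
        # Stateful shortcut: the reverse direction of an admitted flow is allowed.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            self.log.append((p, "Allow", "established"))
            return "Allow"
        for col in self.collections:
            for rule in col.rules:
                if rule.matches(p):
                    if col.action == "Allow":
                        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                    self.log.append((p, col.action, f"{col.name}/{rule.name}"))
                    return col.action
        self.log.append((p, "Deny", None))   # default: no rule matched
        return "Deny"


def build_demo_firewall() -> StatefulFirewall:
    """Constructed policy: workloads may reach the corporate resolver, all other
    DNS is denied, and only the app subnet may reach the data subnet on 443."""
    return StatefulFirewall([
        RuleCollection("allow-corp-dns", 100, "Allow", [
            NetworkRule("resolver", ("UDP", "TCP"), ("10.0.0.0/16",), ("10.0.0.4/32",), (53,))]),
        RuleCollection("deny-other-dns", 200, "Deny", [
            NetworkRule("any-dns", ("UDP", "TCP"), ("*",), ("*",), (53,))]),
        RuleCollection("allow-app-to-data", 300, "Allow", [
            NetworkRule("https", ("TCP",), ("10.0.1.0/24",), ("10.0.2.0/24",), ("443",))]),
    ])


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in (Packet("UDP", "10.0.1.4", 50000, "10.0.0.4", 53),
                Packet("UDP", "10.0.1.4", 50000, "203.0.113.53", 53),
                Packet("TCP", "10.0.1.4", 50001, "10.0.2.5", 443),
                Packet("TCP", "10.0.2.5", 443, "10.0.1.4", 50001),
                Packet("TCP", "10.0.2.5", 443, "10.0.1.4", 50002)):
        print(pkt, "->", fw.evaluate(pkt))
```

The point to notice is the last two packets: the reply on the port the client actually used is admitted because the firewall remembered the flow, while a packet from the same server to an unsolicited port is denied even though no rule mentions it. That is what "fully stateful" buys you over a plain packet filter.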

FQDN tags

FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.

Service tags

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can't create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.

Threat intelligence

Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

Outbound SNAT support

All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is a private IP range per IANA RFC 1918. If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet.

Inbound DNAT support

Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

Multiple public IP addresses

You can associate multiple public IP addresses (up to 100) with your firewall.

This enables the following scenarios:

  • DNAT - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
  • SNAT - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall.
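The SNAT, DNAT and multiple-public-IP behaviour from the preceding sections, as an added example that models the address translation decisions (this is not Microsoft's code and not the service's implementation). The addresses, the DNAT rule shape keyed by (public IP, protocol, port), the injected random source for reproducibility, and the explicit `private_like_ranges` list standing in for "public ranges your organization uses privately" are all assumptions constructed for the example.

```python
"""Added example (not Microsoft's code): a model of the SNAT and DNAT behaviour
described above, using constructed addresses.

Assumptions not taken from the page: DNAT rules are keyed by (public IP,
protocol, port); the public IP used for outbound SNAT is picked at random from
the firewall's public IPs, so the injected `rng` only makes the run
reproducible; and the set of 'public ranges used as private networks' is
passed in explicitly as `private_like_ranges`.
"""
import random
from ipaddress import ip_address, ip_network

# Destinations in these ranges are not SNATed (IANA RFC 1918).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class FirewallNat:
    def __init__(self, public_ips, private_ips, private_like_ranges=(), rng=None):
        self.public_ips = list(public_ips)        # up to 100 per the page
        self.private_ips = list(private_ips)      # addresses in AzureFirewallSubnet
        self.private_like = [ip_network(r) for r in private_like_ranges]
        self.rng = rng or random.Random()
        self.dnat = {}   # (public_ip, proto, port) -> (private_ip, port)

    def add_dnat(self, public_ip, proto, port, target_ip, target_port):
        if public_ip not in self.public_ips:
            raise ValueError(f"{public_ip} is not assigned to this firewall")
        self.dnat[(public_ip, proto, port)] = (target_ip, target_port)

    def outbound(self, src, dst):
        """Return the source address the destination will see."""
        d = ip_address(dst)
        if any(d in n for n in RFC1918):
            return src                                  # no SNAT for RFC 1918 targets
        if any(d in n for n in self.private_like):
            return self.rng.choice(self.private_ips)    # SNAT to a firewall private IP
        return self.rng.choice(self.public_ips)         # SNAT to a firewall public IP

    def inbound(self, proto, public_ip, port):
        """DNAT an inbound connection. Returns (target_ip, target_port, new_src)
        or None when no DNAT rule exists. The connection is also SNATed to a
        firewall private IP so that the return path stays symmetric."""
        target = self.dnat.get((public_ip, proto, port))
        if target is None:
            return None
        return (target[0], target[1], self.rng.choice(self.private_ips))

    def required_egress_allowlist(self):
        """Any public IP may appear as the source of outbound traffic, so a
        downstream filter has to allow all of them, not just the first."""
        return sorted(self.public_ips)


def build_demo_nat(seed=1):
    nat = FirewallNat(public_ips=["198.51.100.10", "198.51.100.11"],
                      private_ips=["10.0.255.4"],
                      private_like_ranges=["203.0.113.0/24"],   # constructed example range
                      rng=random.Random(seed))
    # Two public IPs, one RDP DNAT each: "multiple standard port instances".
    nat.add_dnat("198.51.100.10", "TCP", 3389, "10.0.2.5", 3389)
    nat.add_dnat("198.51.100.11", "TCP", 3389, "10.0.2.6", 3389)
    return nat


if __name__ == "__main__":
    nat = build_demo_nat()
    print("spoke->spoke source:", nat.outbound("10.0.1.4", "10.0.2.5"))
    print("internet source:", nat.outbound("10.0.1.4", "192.0.2.80"))
    print("RDP via first IP:", nat.inbound("TCP", "198.51.100.10", 3389))
    print("egress allowlist:", nat.required_egress_allowlist())
```

Two things the model makes visible: a backend behind a DNAT rule sees the firewall's private IP, not the client, as the connection source, which is why the known-issues list suggests XFF headers for HTTP/S; and `required_egress_allowlist` returns every public IP, because the page says the source IP for an outbound connection is chosen at random.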

Azure Monitor logging

All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.
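What you might do with those events once they land in a storage account or a log workspace, as an added example (not Microsoft's code): parse a handful of constructed firewall log records, count denies per source, and pull out alert-only threat intelligence matches. The JSON shape, category names and message wording are constructed for this example and are not the documented log schema.

```python
"""Added example (not Microsoft's code): detection logic run over constructed
log records of the kind Azure Monitor can archive, stream or query for a
firewall. The JSON shape, category names and message wording below are
constructed for this example and are not the documented schema."""
import json
import re
from collections import Counter

MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)")


def _rec(category, msg):
    return json.dumps({"category": category, "properties": {"msg": msg}})


SAMPLE_LOGS = [  # constructed records; addresses are documentation ranges
    _rec("AzureFirewallNetworkRule", "TCP request from 10.0.1.4:50120 to 203.0.113.9:443. Action: Allow"),
    _rec("AzureFirewallNetworkRule", "TCP request from 10.0.1.7:41000 to 198.51.100.22:22. Action: Deny"),
    _rec("AzureFirewallNetworkRule", "TCP request from 10.0.1.7:41001 to 198.51.100.23:22. Action: Deny"),
    _rec("AzureFirewallNetworkRule", "TCP request from 10.0.1.7:41002 to 198.51.100.24:22. Action: Deny"),
    _rec("AzureFirewallApplicationRule",
         "HTTPS request from 10.0.1.4:50200 to www.example.com:443. Action: Allow. Rule Collection: allow-web. Rule: example"),
    _rec("AzureFirewallApplicationRule",
         "HTTPS request from 10.0.1.9:50300 to updates.example.net:443. Action: Deny. No rule matched. Proceeding with default action"),
    _rec("AzureFirewallThreatIntel", "TCP request from 10.0.1.9:50400 to 192.0.2.50:80. Action: Alert"),
]


def parse(lines):
    """Turn raw JSON records into dicts with proto/src/sport/dst/dport/action/category."""
    events = []
    for line in lines:
        rec = json.loads(line)
        m = MSG_RE.match(rec.get("properties", {}).get("msg", ""))
        if not m:
            continue   # unknown message shape: skip rather than misattribute it
        e = m.groupdict()
        e["category"] = rec["category"]
        events.append(e)
    return events


def deny_counts(events):
    return Counter(e["src"] for e in events if e["action"] == "Deny")


def noisy_sources(events, threshold=3):
    """Sources denied at least `threshold` times: candidates for a scan or a misconfigured workload."""
    return sorted(src for src, n in deny_counts(events).items() if n >= threshold)


def threat_intel_hits(events):
    """Alert-only threat intelligence matches. Nothing was blocked, so these
    need human follow-up rather than being treated as handled."""
    return [(e["src"], e["dst"]) for e in events
            if e["category"] == "AzureFirewallThreatIntel" and e["action"] == "Alert"]


def summarize(lines):
    ev = parse(lines)
    return {"events": len(ev), "denies": dict(deny_counts(ev)),
            "noisy": noisy_sources(ev), "threat_intel": threat_intel_hits(ev)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS), indent=2))
```

The regex deliberately accepts a hostname as the destination so application-rule records (which log the FQDN) and network-rule records (which log an IP) go through the same path; anything that does not match is dropped rather than guessed at, so a schema change shows up as a falling event count instead of as wrong attributions.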

PCI, SOC, and ISO compliant

Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), and International Organization for Standardization (ISO) compliant. It currently supports SOC 1 Type 2, SOC 2 Type 2, SOC 3, PCI DSS, and ISO 27001, 27018, 20000-1, 22301, 9001, 27017.

For more information, see the Microsoft Compliance Guide.

Known issues

Azure Firewall has the following known issues:

Issue: Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic
Description: Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.
Mitigation: Azure Firewall uses the Standard Load Balancer, which doesn't support SNAT for IP protocols today. We're exploring options to support this scenario in a future release.

Issue: Missing PowerShell and CLI support for ICMP
Description: Azure PowerShell and CLI don't support ICMP as a valid protocol in network rules.
Mitigation: It's still possible to use ICMP as a protocol via the portal and the REST API. We're working to add ICMP in PowerShell and CLI soon.

Issue: FQDN tags require a protocol: port to be set
Description: Application rules with FQDN tags require a port: protocol definition.
Mitigation: You can use https as the port: protocol value. We're working to make this field optional when FQDN tags are used.

Issue: Moving a firewall to a different resource group or subscription isn't supported
Description: Moving a firewall to a different resource group or subscription isn't supported.
Mitigation: Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.

Issue: Port range in network and application rules
Description: Ports are limited to 64,000 as high ports are reserved for management and health probes.
Mitigation: We're working to relax this limitation.

Issue: Threat intelligence alerts may get masked
Description: Network rules with destination 80/443 for outbound filtering mask threat intelligence alerts when configured to alert only mode.
Mitigation: Create outbound filtering for 80/443 using application rules. Or, change the threat intelligence mode to Alert and Deny.

Issue: Azure Firewall uses Azure DNS only for name resolution
Description: Azure Firewall resolves FQDNs using Azure DNS only. A custom DNS server isn't supported.
Mitigation: There's no impact on DNS resolution on other subnets. We're working to relax this limitation.

Issue: Azure Firewall SNAT/DNAT doesn't work for private IP destinations
Description: Azure Firewall SNAT/DNAT support is limited to Internet egress/ingress. SNAT/DNAT doesn't currently work for private IP destinations. For example, spoke to spoke.
Mitigation: This is a current limitation.

Issue: Can't remove first public IP configuration
Description: Each Azure Firewall public IP address is assigned to an IP configuration. The first IP configuration is assigned during the firewall deployment, and typically also contains a reference to the firewall subnet (unless configured explicitly differently via a template deployment). You can't delete this IP configuration because it would de-allocate the firewall. You can still change or remove the public IP address associated with this IP configuration if the firewall has at least one other public IP address available to use.
Mitigation: This is by design.

Issue: Availability zones can only be configured during deployment.
Description: You can't configure Availability Zones after a firewall has been deployed.
Mitigation: This is by design.

Issue: SNAT on inbound connections
Description: In addition to DNAT, connections via the firewall public IP address (inbound) are SNATed to one of the firewall private IPs. This is required today (also for Active/Active NVAs) to ensure symmetric routing.
Mitigation: To preserve the original source for HTTP/S, consider using XFF headers. For example, use a service such as Azure Front Door in front of the firewall. You can also add WAF as part of Azure Front Door and chain to the firewall.

Issue: SQL FQDN filtering support only in proxy mode (port 1433)
Description: For Azure SQL Database, Azure SQL Data Warehouse, and Azure SQL Managed Instance: during the preview, SQL FQDN filtering is supported in proxy-mode only (port 1433). For Azure SQL IaaS: if you are using non-standard ports, you can specify those ports in the application rules.
Mitigation: For SQL in redirect mode, which is the default if connecting from within Azure, you can instead filter access using the SQL service tag as part of Azure Firewall network rules.

Issue: Outbound traffic on TCP port 25 isn't allowed
Description: Outbound SMTP connections that use TCP port 25 are blocked. Port 25 is primarily used for unauthenticated email delivery. This is the default platform behavior for virtual machines. For more information, see Troubleshoot outbound SMTP connectivity issues in Azure. However, unlike virtual machines, it isn't currently possible to enable this functionality on Azure Firewall.
Mitigation: Follow the recommended method to send email as documented in the SMTP troubleshooting article. Alternatively, exclude the virtual machine that needs outbound SMTP access from your default route to the firewall, and instead configure outbound access directly to the Internet.

Next steps