
Introduction to Azure Security

Overview

We know that security is job one in the cloud and how important it is that you find accurate and timely information about Azure security. One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.

To help you better understand the collection of security controls implemented within Microsoft Azure from both the customer's and Microsoft operations' perspectives, this white paper, "Introduction to Azure Security", is written to provide a comprehensive look at the security available with Microsoft Azure.

Azure Platform

Azure is a public cloud service platform that supports a broad selection of operating systems, programming languages, frameworks, tools, databases, and devices. It can run Linux containers with Docker integration; build apps with JavaScript, Python, .NET, PHP, Java, and Node.js; and build back-ends for iOS, Android, and Windows devices.

Azure public cloud services support the same technologies millions of developers and IT professionals already rely on and trust. When you build on, or migrate IT assets to, a public cloud service provider, you are relying on that organization's ability to protect your applications and data with the services and the controls it provides to manage the security of your cloud-based assets.

Azure's infrastructure is designed, from facility to applications, for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security requirements.

In addition, Azure provides you with a wide array of configurable security options and the ability to control them, so that you can customize security to meet the unique requirements of your organization's deployments. This document helps you understand how Azure security capabilities can help you fulfill these requirements.

Note

The primary focus of this document is on customer-facing controls that you can use to customize and increase security for your applications and services.

We do provide some overview information, but for detailed information on how Microsoft secures the Azure platform itself, see the information provided in the Microsoft Trust Center.

Abstract

Initially, public cloud migrations were driven by cost savings and agility to innovate. Security was considered a major concern for some time, and even a show stopper, for public cloud migration. However, public cloud security has transitioned from a major concern to one of the drivers for cloud migration. The rationale behind this is the superior ability of large public cloud service providers to protect applications and the data of cloud-based assets.

Azure's infrastructure is designed, from the facility to applications, for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security needs. In addition, Azure provides you with a wide array of configurable security options and the ability to control them, so that you can customize security to meet the unique requirements of your deployments, satisfy your IT control policies, and adhere to external regulations.

This paper outlines Microsoft's approach to security within the Microsoft Azure cloud platform:

  • Security features implemented by Microsoft to secure the Azure infrastructure, customer data, and applications.
  • Azure services and security features available to you to manage the security of the services and your data within your Azure subscriptions.

Summary of Azure Security Capabilities

The following table provides a brief description of the security features implemented by Microsoft to secure the Azure infrastructure, customer data, and applications.

Security Features Implemented to Secure the Azure Platform:

The features listed below are capabilities you can review to gain assurance that the Azure platform is managed in a secure manner. Links are provided for further drill-down on how Microsoft addresses customer trust questions in four areas: Secure Platform, Privacy & Controls, Compliance, and Transparency.

Secure Platform | Privacy & Controls | Compliance | Transparency
Security Development Cycle, internal audits | Manage your data all the time | Trust Center | How Microsoft secures customer data in Azure services
Mandatory security training, background checks | Control over data location | Common Controls Hub | How Microsoft manages data location in Azure services
Penetration testing, intrusion detection, DDoS, audits and logging | Provide data access on your terms | The Cloud Services Due Diligence Checklist | Who in Microsoft can access your data, and on what terms
State-of-the-art data centers, physical security, secure network | Responding to law enforcement | Compliance by service, location and industry | How Microsoft secures customer data in Azure services
Security incident response, shared responsibility | Stringent privacy standards | Review certifications for Azure services | Transparency Hub

Security Features Offered by Azure to Secure Data and Applications

Depending on the cloud service model, responsibility for managing the security of an application or service is shared differently between you and Microsoft. There are capabilities available in the Azure platform to assist you in meeting these responsibilities, both through built-in features and through partner solutions that can be deployed into an Azure subscription.

The built-in capabilities are organized in six (6) functional areas: Operations, Applications, Storage, Networking, Compute, and Identity. The summary information that follows provides additional detail on the features and capabilities the Azure platform offers in each of these six (6) areas.

Operations

This section provides additional information regarding key features in security operations and summary information about these capabilities.

Security and Audit Dashboard

The Security and Audit solution provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in Azure Monitor logs. It provides high-level insight into the security state of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom time frame.

In addition, you can configure Security & Compliance to automatically carry out specific actions when a specific event is detected.

Azure Resource Manager

Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use an Azure Resource Manager template for deployment, and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.

Azure Resource Manager template-based deployments help improve the security of solutions deployed in Azure, because standard security control settings can be integrated into standardized template-based deployments. This reduces the risk of security configuration errors that might take place during manual deployments.

Application Insights

Application Insights is an extensible Application Performance Management (APM) service for web developers. With Application Insights, you can monitor your live web applications and automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your apps. It monitors your application all the time it is running, both during testing and after you have published or deployed it.

Application Insights creates charts and tables that show you, for example, what times of day you get the most users, how responsive the app is, and how well it is served by any external services that it depends on.

If there are crashes, failures, or performance issues, you can search through the telemetry data in detail to diagnose the cause. The service also sends you emails if there are any changes in the availability and performance of your app. Application Insights thus becomes a valuable security tool, because it helps with the availability leg of the confidentiality, integrity, and availability security triad.

Azure Monitor

Azure Monitor offers visualization, query, routing, alerting, autoscale, and automation on data both from the Azure infrastructure (Activity Log) and from each individual Azure resource (Diagnostic Logs). You can use Azure Monitor to alert you on security-related events that are generated in Azure logs.

Azure Monitor logs

Azure Monitor logs provides an IT management solution for both on-premises and third-party cloud-based infrastructure (such as AWS), in addition to Azure resources. Data from Azure Monitor can be routed directly to Azure Monitor logs, so you can see metrics and logs for your entire environment in one place.

Azure Monitor logs can be a useful tool in forensic and other security analysis, as the tool enables you to quickly search through large amounts of security-related entries with a flexible query approach. In addition, on-premises firewall and proxy logs can be exported into Azure and made available for analysis using Azure Monitor logs.

Azure Advisor

Azure Advisor is a personalized cloud consultant that helps you optimize your Azure deployments. It analyzes your resource configuration and usage telemetry. It then recommends solutions to help improve the performance, security, and high availability of your resources, while looking for opportunities to reduce your overall Azure spend. Azure Advisor provides security recommendations, which can significantly improve your overall security posture for solutions you deploy in Azure. These recommendations are drawn from security analysis performed by Azure Security Center.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

In addition, Azure Security Center helps with security operations by providing you a single dashboard that surfaces alerts and recommendations that can be acted upon immediately. Often, you can remediate issues with a single click within the Azure Security Center console.

Applications

This section provides additional information regarding key features in application security and summary information about these capabilities.

Web application vulnerability scanning

One of the easiest ways to get started with testing for vulnerabilities on your App Service app is to use the integration with Tinfoil Security to perform one-click vulnerability scanning on your app. You can view the test results in an easy-to-understand report, and learn how to fix each vulnerability with step-by-step instructions.

Penetration Testing

If you prefer to perform your own penetration tests, or want to use another scanner suite or provider, you must follow the Azure penetration testing approval process and obtain prior approval before performing the desired penetration tests.

Web application firewall

The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks like SQL injection, cross-site scripting, and session hijacking. It comes preconfigured with protection from the threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities.

Authentication and authorization in Azure App Service

App Service Authentication / Authorization is a feature that provides a way for your application to sign in users without having to change code on the app back end. It provides an easy way to protect your application and work with per-user data.

Layered Security Architecture

Since App Service Environments provide an isolated runtime environment deployed into an Azure Virtual Network, developers can create a layered security architecture that provides differing levels of network access for each application tier. A common desire is to hide API back ends from general Internet access, and to allow APIs to be called only by upstream web apps. Network security groups (NSGs) can be used on Azure Virtual Network subnets containing App Service Environments to restrict public access to API applications.

Web server diagnostics and application diagnostics

App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics. Web server diagnostics includes two major advances in diagnosing and troubleshooting sites and applications.

The first new feature is real-time state information about application pools, worker processes, sites, application domains, and running requests. The second is the detailed trace events that track a request throughout the complete request-and-response process.

To enable the collection of these trace events, IIS 7 can be configured to automatically capture full trace logs, in XML format, for any particular request based on elapsed time or error response codes.

Web server diagnostics

You can enable or disable the following kinds of logs:

  • Detailed Error Logging - Detailed error information for HTTP status codes that indicate a failure (status code 400 or greater). This may contain information that can help determine why the server returned the error code.

  • Failed Request Tracing - Detailed information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. This can be useful if you are attempting to improve site performance or to isolate what is causing a specific HTTP error to be returned.

  • Web Server Logging - Information about HTTP transactions using the W3C extended log file format. This is useful when determining overall site metrics, such as the number of requests handled or how many requests come from a specific IP address.

Application diagnostics

Application diagnostics allows you to capture information produced by a web application. ASP.NET applications can use the System.Diagnostics.Trace class to log information to the application diagnostics log. In Application Diagnostics, there are two major types of events: those related to application performance and those related to application failures and errors. The failures and errors can be divided further into connectivity, security, and failure issues. Failure issues are typically related to a problem with the application code.

In Application Diagnostics, you can view events grouped in these ways:

  • All (displays all events)
  • Application Errors (displays exception events)
  • Performance (displays performance events)

Storage

This section provides additional information regarding key features in Azure storage security and summary information about these capabilities.

Role-Based Access Control (RBAC)

You can secure your storage account with Role-Based Access Control (RBAC). Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users. Access to the storage keys for a storage account using the Azure Resource Manager model can be controlled through Role-Based Access Control (RBAC).

Shared Access Signature

A shared access signature (SAS) provides delegated access to resources in your storage account. With a SAS, you can grant a client limited access to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

Encryption in Transit

Encryption in transit is a mechanism for protecting data when it is transmitted across networks. With Azure Storage, you can secure data using:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data sovereignty. There are three Azure Storage security features that provide encryption of data that is "at rest":

Storage Analytics

Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. The following types of authenticated requests are logged:

  • Successful requests.

  • Failed requests, including timeout, throttling, network, authorization, and other errors.

  • Requests using a Shared Access Signature (SAS), including failed and successful requests.

  • Requests to analytics data.

Enabling Browser-Based Clients Using CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows domains to give each other permission to access each other's resources. The user agent sends extra headers to check that JavaScript code loaded from a certain domain is allowed to access resources located at another domain. The latter domain then replies with extra headers allowing or denying the original domain access to its resources.

Azure storage services now support CORS, so that once you set the CORS rules for the service, a properly authenticated request made against the service from a different domain is evaluated to determine whether it is allowed according to the rules you have specified.

Networking

This section provides additional information regarding key features in Azure network security and summary information about these capabilities.

Network Layer Controls

Network access control is the act of limiting connectivity to and from specific devices or subnets, and it represents the core of network security. The goal of network access control is to make sure that your virtual machines and services are accessible only to the users and devices you want to have access.

Network Security Groups

A network security group (NSG) is a basic stateful packet-filtering firewall that enables you to control access based on a 5-tuple. NSGs do not provide application-layer inspection or authenticated access controls. They can be used to control traffic moving between subnets within an Azure Virtual Network and traffic between an Azure Virtual Network and the Internet.

Route Control and Forced Tunneling

The ability to control routing behavior on your Azure Virtual Networks is a critical network security and access control capability. For example, if you want to make sure that all traffic to and from your Azure Virtual Network goes through a virtual security appliance, you need to be able to control and customize routing behavior. You can do this by configuring User-Defined Routes in Azure.

User-Defined Routes allow you to customize inbound and outbound paths for traffic moving into and out of individual virtual machines or subnets, to ensure the most secure route possible. Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet.

This is different from being able to accept incoming connections and then responding to them. Front-end web servers need to respond to requests from Internet hosts, so Internet-sourced traffic is allowed inbound to these web servers and the web servers can respond.

Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security proxies and firewalls.

Virtual Network Security Appliances

While network security groups, User-Defined Routes, and forced tunneling provide a level of security at the network and transport layers of the OSI model, there may be times when you want to enable security at higher levels of the stack. You can access these enhanced network security features by using an Azure partner network security appliance solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security".

Azure Virtual Network

An Azure virtual network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure network fabric dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can segment your VNet into subnets and place Azure IaaS virtual machines (VMs) and/or cloud services (PaaS role instances) on Azure Virtual Networks.

Additionally, you can connect the virtual network to your on-premises network using one of the connectivity options available in Azure. In essence, you can expand your network to Azure, with complete control over IP address blocks, and with the benefit of the enterprise scale Azure provides.

Azure networking supports various secure remote access scenarios. Some of these include:

VPN Gateway

To send network traffic between your Azure Virtual Network and your on-premises site, you must create a VPN gateway for your Azure Virtual Network. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can also use VPN gateways to send traffic between Azure Virtual Networks over the Azure network fabric.

ExpressRoute

Microsoft Azure ExpressRoute is a dedicated WAN link that lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.

With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet and thus can be considered more secure than VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

Application Gateway

Microsoft Azure Application Gateway provides an Application Delivery Controller (ADC) as a service, offering various layer 7 load balancing capabilities for your application.

It allows you to optimize web farm productivity by offloading CPU-intensive SSL termination to the Application Gateway (also known as "SSL offload" or "SSL bridging"). It also provides other layer 7 routing capabilities, including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single Application Gateway. Azure Application Gateway is a layer 7 load balancer.

It provides failover and performance-based routing of HTTP requests between different servers, whether they are in the cloud or on-premises.

Application Gateway provides many Application Delivery Controller (ADC) features, including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, multi-site support, and many others.

Web Application Firewall

Web Application Firewall is a feature of Azure Application Gateway that provides protection to web applications that use Application Gateway for standard Application Delivery Control (ADC) functions. Web Application Firewall does this by protecting them against most of the OWASP top 10 common web vulnerabilities.

[Figure: Web Application Firewall]

  • SQL injection protection

  • Common web attack protection, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attacks

  • Protection against HTTP protocol violations

  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers

  • Prevention against bots, crawlers, and scanners

  • Detection of common application misconfigurations (for example, Apache, IIS)

A centralized web application firewall that protects against web attacks makes security management much simpler and gives the application better assurance against the threat of intrusion. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location, versus securing each individual web application. Existing application gateways can easily be converted to an application gateway with Web Application Firewall.
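To make the protocol-anomaly and protocol-violation checks listed above concrete, here is an added example (written for this page, not Azure WAF code) of a small request checker that flags missing Host/User-Agent/Accept headers, CR/LF characters smuggled into the request target (the ingredient of response splitting), and conflicting message-framing headers (a request-smuggling indicator). The rule set is a deliberately small, hypothetical subset of what a WAF applies, and the two sample requests are constructed, not captured traffic:

```python
"""Request-anomaly checks of the kind a web application firewall applies in
front of an application gateway. Constructed example for this page, not
Azure WAF code; the rule set is a deliberately small, hypothetical subset."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote

# Headers whose absence the page lists as an HTTP protocol anomaly.
REQUIRED_HEADERS = ("host", "user-agent", "accept")


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the head of an HTTP/1.x request (request line plus headers).

    Header names are lower-cased. A repeated header keeps both values joined
    with ", " so the checks below can see that it was sent more than once.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    req = Request(parts[0], parts[1], parts[2])
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        req.headers[name] = (req.headers[name] + ", " + value) if name in req.headers else value
    return req


def check_request(req: Request) -> List[str]:
    """Return one finding per matched rule; an empty list means the request
    passed every check in this toy rule set."""
    findings: List[str] = []
    if not req.version.startswith("HTTP/1."):
        findings.append("protocol violation: unsupported version " + req.version)
    for name in REQUIRED_HEADERS:
        if name not in req.headers:
            findings.append("protocol anomaly: missing %s header" % name)
    # A raw or percent-encoded CR/LF inside the request target becomes a
    # response-splitting problem if the value is echoed into a response
    # header, so it is flagged before it reaches the application.
    decoded_target = unquote(req.target)
    if "\r" in decoded_target or "\n" in decoded_target:
        findings.append("response splitting: CR/LF in request target")
    # Two ways of framing one message let a front end and a back end
    # disagree about where the request ends (request smuggling).
    if "transfer-encoding" in req.headers and "content-length" in req.headers:
        findings.append("request smuggling: Transfer-Encoding together with Content-Length")
    elif ", " in req.headers.get("content-length", ""):
        findings.append("request smuggling: duplicate Content-Length header")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                 b"Host: www.example.test\r\n"
                 b"User-Agent: curl/8.0\r\n"
                 b"Accept: */*\r\n\r\n")

SUSPECT_REQUEST = (b"GET /redirect?to=%2Fhome%0D%0AX-Injected%3A%201 HTTP/1.1\r\n"
                   b"Host: www.example.test\r\n"
                   b"Content-Length: 5\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n"
                   b"hello")

if __name__ == "__main__":
    for raw in (CLEAN_REQUEST, SUSPECT_REQUEST):
        line = raw.split(b"\r\n", 1)[0].decode()
        print(line, "->", check_request(parse_request(raw)) or ["ok"])
```

The clean request produces no findings; the suspect one produces four (two missing headers, the CR/LF in the target, and the Transfer-Encoding/Content-Length conflict). A real WAF evaluates a much larger rule set and normalizes input more aggressively, but the shape is the same: parse, apply rules, and act centrally on the result rather than in each application.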

Traffic Manager

Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service endpoints in different data centers. Service endpoints supported by Traffic Manager include Azure VMs, Web Apps, and Cloud Services. You can also use Traffic Manager with external, non-Azure endpoints. Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint based on a traffic-routing method and the health of the endpoints.

Traffic Manager provides a range of traffic-routing methods to suit different application needs, endpoint health monitoring, and automatic failover. Traffic Manager is resilient to failure, including the failure of an entire Azure region.
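The following added example (written for this page, not Traffic Manager's implementation) simulates how a DNS-based router combines a routing method with endpoint health: priority routing fails over down the priority list, weighted routing splits answers by weight, and performance routing picks the lowest-latency healthy endpoint for the client's region. Endpoint names, regions and the latency table are constructed for illustration:

```python
"""Simulation of DNS-based traffic routing with endpoint health monitoring,
in the spirit of the Traffic Manager behaviour described above. Constructed
example, not Traffic Manager's implementation: endpoint names, regions and
latency figures are made up for illustration."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    region: str
    healthy: bool = True
    priority: int = 1   # priority method: lower number is preferred
    weight: int = 1     # weighted method: relative share of answers


# Constructed client-region -> endpoint-region latency table in milliseconds.
LATENCY_MS: Dict[str, Dict[str, int]] = {
    "europe":   {"eastus": 90, "westeurope": 15, "southeastasia": 160},
    "americas": {"eastus": 20, "westeurope": 95, "southeastasia": 190},
}


def make_endpoints() -> List[Endpoint]:
    return [
        Endpoint("primary", "eastus", priority=1, weight=3),
        Endpoint("secondary", "westeurope", priority=2, weight=1),
        Endpoint("tertiary", "southeastasia", priority=3, weight=1),
    ]


def route(endpoints: List[Endpoint], method: str, client_region: str = "",
          rng: Optional[random.Random] = None) -> Optional[Endpoint]:
    """Pick the endpoint a DNS answer would point at. Unhealthy endpoints are
    never returned; None means every endpoint is down and there is no answer
    to give. Only the three routing methods modelled here are supported."""
    live = [e for e in endpoints if e.healthy]
    if not live:
        return None
    if method == "priority":
        return min(live, key=lambda e: e.priority)
    if method == "weighted":
        rng = rng or random.Random()
        pick = rng.uniform(0, sum(e.weight for e in live))
        for e in live:
            pick -= e.weight
            if pick <= 0:
                return e
        return live[-1]
    if method == "performance":
        return min(live, key=lambda e: LATENCY_MS[client_region][e.region])
    raise ValueError("unknown routing method: " + method)


def failover_sequence(method: str, client_region: str = "") -> List[Optional[str]]:
    """Answers given as endpoints fail one after another in priority order;
    the final entry is the all-endpoints-down case."""
    eps = make_endpoints()
    answers: List[Optional[str]] = []
    for ep in sorted(eps, key=lambda e: e.priority):
        chosen = route(eps, method, client_region)
        answers.append(chosen.name if chosen else None)
        ep.healthy = False      # simulate a failed health probe on this endpoint
    chosen = route(eps, method, client_region)
    answers.append(chosen.name if chosen else None)
    return answers


def weighted_share(name: str, draws: int = 10000, seed: int = 1) -> float:
    """Fraction of weighted answers that land on the named endpoint."""
    rng = random.Random(seed)
    eps = make_endpoints()
    hits = sum(1 for _ in range(draws) if route(eps, "weighted", rng=rng).name == name)
    return hits / draws


if __name__ == "__main__":
    print("priority:   ", failover_sequence("priority"))
    print("performance:", failover_sequence("performance", "europe"))
    print("weighted share of primary: %.2f" % weighted_share("primary"))
```

Two points worth noticing in the output: with the performance method a European client is sent to westeurope even while the priority-1 endpoint is healthy, and once every endpoint has failed its health probe the router has no answer to return, which is why health monitoring and a multi-region endpoint set are what make the profile resilient to the loss of a whole region.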

Azure Load Balancer

Azure Load Balancer delivers high availability and network performance to your applications. It is a layer 4 (TCP, UDP) load balancer that distributes incoming traffic among healthy instances of services defined in a load-balanced set. Azure Load Balancer can be configured to:

  • Load balance incoming Internet traffic to virtual machines. This configuration is known as Internet-facing load balancing.

  • Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network. This configuration is known as internal load balancing.

  • Forward external traffic to a specific virtual machine.

Internal DNS

You can manage the list of DNS servers used in a VNet in the Management Portal, or in the network configuration file. You can add up to 12 DNS servers for each VNet. When specifying DNS servers, it is important to verify that you list your DNS servers in the correct order for your environment. DNS server lists do not work round-robin; the servers are used in the order in which they are specified. If the first DNS server on the list can be reached, the client uses that DNS server regardless of whether it is functioning properly. To change the DNS server order for your virtual network, remove the DNS servers from the list and add them back in the order that you want. DNS supports the availability aspect of the "CIA" security triad.

Azure DNS

The Domain Name System, or DNS, is responsible for translating (or resolving) a website or service name to its IP address. Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. DNS supports the availability aspect of the "CIA" security triad.

Azure Monitor logs for NSGs

You can enable the following diagnostic log categories for NSGs:

  • Event: Contains entries for which NSG rules are applied to VMs and instance roles based on MAC address. The status for these rules is collected every 60 seconds.

  • Rules counter: Contains entries for how many times each NSG rule is applied to deny or allow traffic.
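As an added example of what the rules-counter category gives you once it is exported (this is not an Azure tool), the script below sums matched connections per NSG rule across NICs and collection intervals, lists the noisiest deny rules, and lists allow rules that matched nothing, which are candidates for removal under least privilege. The log lines are constructed; their layout follows the documented rule-counter record as far as the fields used here (properties.ruleName, direction, type, matchedConnections), but treat the exact field names as an assumption and compare them with your own export before relying on them:

```python
"""Summariser for NSG rule-counter diagnostic records of the kind described
above. Constructed example, not an Azure tool. The record layout follows the
documented NetworkSecurityGroupRuleCounter shape as far as the fields used
here (properties.ruleName, direction, type, matchedConnections); treat the
exact field names as an assumption and check them against your own export."""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: four rule-counter records plus one event record, one
# JSON object per line. The subscription id is a placeholder.
NSG_ID = ("/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-web"
          "/providers/Microsoft.Network/networkSecurityGroups/nsg-web")
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2023-01-01T00:00:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-00-00-01", "ruleName": "AllowHTTPSInBound",
                    "direction": "In", "type": "allow", "matchedConnections": 340}},
    {"time": "2023-01-01T00:00:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-00-00-01", "ruleName": "AllowRDPInBound",
                    "direction": "In", "type": "allow", "matchedConnections": 0}},
    {"time": "2023-01-01T00:00:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-00-00-01", "ruleName": "DefaultRule_DenyAllInBound",
                    "direction": "In", "type": "block", "matchedConnections": 1250}},
    {"time": "2023-01-01T00:01:00Z", "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-00-00-02", "ruleName": "DefaultRule_DenyAllInBound",
                    "direction": "In", "type": "block", "matchedConnections": 275}},
    {"time": "2023-01-01T00:01:00Z", "category": "NetworkSecurityGroupEvent", "resourceId": NSG_ID,
     "properties": {"macAddress": "00-0D-3A-00-00-02", "ruleName": "AllowHTTPSInBound",
                    "direction": "In", "type": "allow"}},
])

Key = Tuple[str, str, str]   # (ruleName, direction, type)


def parse_records(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def summarize_rule_counters(records: Iterable[dict]) -> Dict[Key, int]:
    """Sum matchedConnections per rule across all NICs (MAC addresses) and
    collection intervals. Records from other categories are ignored."""
    totals: Dict[Key, int] = defaultdict(int)
    for rec in records:
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        p = rec["properties"]
        totals[(p["ruleName"], p["direction"], p["type"])] += int(p.get("matchedConnections", 0))
    return dict(totals)


def noisiest_blocks(totals: Dict[Key, int], n: int = 3) -> List[Tuple[str, int]]:
    """Deny rules ordered by matched connections, highest first."""
    blocks = [(rule, count) for (rule, _dir, typ), count in totals.items() if typ == "block"]
    return sorted(blocks, key=lambda rc: rc[1], reverse=True)[:n]


def unused_allow_rules(totals: Dict[Key, int]) -> List[str]:
    """Allow rules that matched nothing over the window: review whether the
    opening they grant is still needed."""
    return sorted(rule for (rule, _dir, typ), count in totals.items()
                  if typ == "allow" and count == 0)


if __name__ == "__main__":
    totals = summarize_rule_counters(parse_records(SAMPLE_LOG))
    print("noisiest deny rules:", noisiest_blocks(totals))
    print("allow rules with no matches:", unused_allow_rules(totals))
```

On the sample data the default inbound deny rule accounts for 1525 blocked connections across the two NICs, and AllowRDPInBound is the one allow rule that never matched. On a real export the same two lists are the quickest way to see which exposed ports are being probed and which openings you can close.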

Azure Security Center

Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions. Network recommendations center around firewalls, Network Security Groups, configuring inbound traffic rules, and more.

Available network recommendations are as follows:

Compute

This section provides additional information regarding key features in this area and summary information about these capabilities.

Antimalware & Antivirus

With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed using Azure Security Center.

Hardware Security Module

Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault, along with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.

Virtual machine backup

Azure Backup is a solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications that can lead to security issues. With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery

An important part of your organization's business continuity/disaster recovery (BCDR) strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

SQL VM TDE

Transparent data encryption (TDE) and column-level encryption (CLE) are SQL Server encryption features. This form of encryption requires customers to manage and store the cryptographic keys they use for encryption.

The Azure Key Vault (AKV) service is designed to improve the security and management of these keys in a secure and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key Vault.

If you are running SQL Server on on-premises machines, there are steps you can follow to access Azure Key Vault from your on-premises SQL Server machine. But for SQL Server in Azure VMs, you can save time by using the Azure Key Vault Integration feature. With a few Azure PowerShell cmdlets to enable this feature, you can automate the configuration necessary for a SQL VM to access your key vault.

VM Disk Encryption

Azure Disk Encryption is a new capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. It applies the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your Key Vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Patch Updates

Patch Updates provide the basis for finding and fixing potential problems and simplify the software update management process, both by reducing the number of software updates you must deploy in your enterprise and by increasing your ability to monitor compliance.

Security policy management and reporting

Azure Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Azure Security Center

Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Identity and access management

Securing systems, applications, and data begins with identity-based access controls. The identity and access management features that are built into Microsoft business products and services help protect your organizational and personal information from unauthorized access while making it available to legitimate users whenever and wherever they need it.

Secure Identity

Microsoft uses multiple security practices and technologies across its products and services to manage identity and access.

  • Multi-Factor Authentication requires users to use multiple methods for access, on-premises and in the cloud. It provides strong authentication with a range of easy verification options, while accommodating users with a simple sign-in process.

  • Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals.

  • Password policy enforcement increases the security of traditional passwords by imposing length and complexity requirements, forced periodic rotation, and account lockout after failed authentication attempts.

  • Token-based authentication enables authentication via Azure Active Directory.

  • Role-based access control (RBAC) enables you to grant access based on the user's assigned role, making it easy to give users only the amount of access they need to perform their job duties. You can customize RBAC per your organization's business model and risk tolerance.

  • Integrated identity management (hybrid identity) enables you to maintain control of users' access across internal datacenters and cloud platforms, creating a single user identity for authentication and authorization to all resources.
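The RBAC bullet above says roles let you grant only the access a job needs; the added example below (written for this page, not Azure's authorization engine) models the two mechanisms that make that possible: role definitions built from wildcard action patterns with a subtracted NotActions set, and role assignments at a scope that are inherited by everything beneath it. The role names and action strings are modelled on the built-in Reader, Contributor and Virtual Machine Operator definitions, the subscription id is a placeholder, and the principals and resources are constructed:

```python
"""Simplified role-based access control with scoped assignments, illustrating
the least-privilege point made in the RBAC bullet above. Constructed example:
the role names and action strings are modelled on Azure RBAC's built-in
Reader, Contributor and Virtual Machine Operator definitions, but the matching
logic here is a simplification, not Azure's authorization engine."""
import fnmatch
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Role:
    name: str
    actions: Tuple[str, ...]            # wildcard patterns that are permitted
    not_actions: Tuple[str, ...] = ()   # patterns subtracted from the permitted set


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: Role
    scope: str   # resource path; applies to that scope and everything beneath it


READER = Role("Reader", ("*/read",))
CONTRIBUTOR = Role("Contributor", ("*",),
                   ("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"))
VM_OPERATOR = Role("Virtual Machine Operator", (
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
))

# Constructed scopes; the subscription id is a placeholder.
SUB = "/subscriptions/SUB-ID-PLACEHOLDER"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DB = SUB + "/resourceGroups/rg-db"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB = RG_DB + "/providers/Microsoft.Compute/virtualMachines/db01"

ASSIGNMENTS: List[Assignment] = [
    Assignment("alice", READER, SUB),          # read everything in the subscription
    Assignment("bob", VM_OPERATOR, RG_WEB),    # start/restart VMs in one resource group only
    Assignment("carol", CONTRIBUTOR, RG_WEB),  # manage rg-web, but not its access control
]


def _matches(action: str, patterns: Iterable[str]) -> bool:
    # Action strings are compared case-insensitively; "*" in a pattern spans
    # path separators, so "*/read" covers every resource type's read action.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role: Role, action: str) -> bool:
    """Effective permission = Actions minus NotActions."""
    return _matches(action, role.actions) and not _matches(action, role.not_actions)


def scope_covers(assigned: str, resource: str) -> bool:
    """An assignment at a scope is inherited by every child scope."""
    return resource == assigned or resource.startswith(assigned + "/")


def is_authorized(assignments: List[Assignment], principal: str, action: str, resource: str) -> bool:
    """Allowed if any assignment for the principal covers the resource's scope
    and its role permits the action."""
    return any(a.principal == principal and scope_covers(a.scope, resource)
               and role_permits(a.role, action) for a in assignments)


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/read", VM_DB),
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_WEB),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_DB),
        ("carol", "Microsoft.Compute/virtualMachines/delete", VM_WEB),
        ("carol", "Microsoft.Authorization/roleAssignments/write", RG_WEB),
    ]
    for who, action, res in checks:
        print(who, action, res.rsplit("/", 1)[-1], "->", is_authorized(ASSIGNMENTS, who, action, res))
```

The checks in the block show the three things to verify when you customize RBAC: a narrow custom role (bob) cannot delete what it can start, a scope assignment (rg-web) does not leak into a sibling resource group (rg-db), and NotActions keep a broad role (carol's Contributor) from granting itself more access by writing role assignments.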

Secure Apps and data

Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps. To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions.

Free / Common Features: Directory Objects, User/Group Management (add/update/delete) / User-based provisioning, Device registration, Single Sign-On (SSO), Self-Service Password Change for cloud users, Connect (Sync engine that extends on-premises directories to Azure Active Directory), Security / Usage Reports

Basic Features: Group-based access management / provisioning, Self-Service Password Reset for cloud users, Company Branding (Logon Pages/Access Panel customization), Application Proxy, SLA 99.9%

Premium P1 Features: Self-Service Group and app Management / Self-Service application additions / Dynamic Groups, Self-Service Password Reset/Change/Unlock with on-premises write-back, Multi-Factor Authentication (Cloud and On-premises (MFA Server)), MIM CAL + MIM Server, Cloud App Discovery, Connect Health, Automatic password rollover for group accounts

Premium P2 Features: Identity Protection, Privileged Identity Management

Azure Active Directory Join – Windows 10 only related features: Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery, MDM auto-enrollment, Self-Service BitLocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join

  • Cloud App Discovery is a premium feature of Azure Active Directory that enables you to identify cloud applications that are used by the employees in your organization.

  • Azure Active Directory Identity Protection is a security service that uses Azure Active Directory anomaly detection capabilities to provide a consolidated view into risk events and potential vulnerabilities that could affect your organization's identities.

  • Azure Active Directory Domain Services enables you to join Azure VMs to a domain without the need to deploy domain controllers. Users sign in to these VMs by using their corporate Active Directory credentials, and can seamlessly access resources.

  • Azure Active Directory B2C is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. Your customers can sign in to all your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials.

  • Azure Active Directory B2B Collaboration is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.

  • Azure Active Directory Join enables you to extend cloud capabilities to Windows 10 devices for centralized management. It makes it possible for users to connect to the corporate or organizational cloud through Azure Active Directory and simplifies access to apps and resources.

  • Azure Active Directory Application Proxy provides SSO and secure remote access for web applications hosted on-premises.

Next Steps

Azure services and features you can use to help secure your services and data within Azure

Prevent, detect, and respond to threats with increased visibility and control over the security of your Azure resources

The monitoring capabilities in Azure Security Center to monitor compliance with policies.