您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

Azure 网络安全最佳实践Azure best practices for network security

本文介绍 Azure 最佳实践以增强您的网络安全的集合。This article discusses a collection of Azure best practices to enhance your network security. 这些最佳实践衍生自我们的 Azure 网络经验和客户的经验。These best practices are derived from our experience with Azure networking and the experiences of customers like yourself.

对于每项最佳实践,本文将说明:For each best practice, this article explains:

  • 最佳实践是什么What the best practice is
  • 为何要启用该最佳实践Why you want to enable that best practice
  • 如果无法启用该最佳实践,可能的结果是什么What might be the result if you fail to enable the best practice
  • 最佳实践的可能替代方案Possible alternatives to the best practice
  • 如何学习启用最佳实践How you can learn to enable the best practice

这些最佳实践基于共识以及 Azure 平台功能和功能集,因为它们在编写本文时存在。These best practices are based on a consensus opinion, and Azure platform capabilities and feature sets, as they exist at the time this article was written. 看法和技术将随着时间改变,本文会定期更新以反映这些更改。Opinions and technologies change over time and this article will be updated on a regular basis to reflect those changes.

使用强网络控制Use strong network controls

你可以将 Azure虚拟机 (VM) 和设备放在 Azure虚拟网络上,从而将它们连接到其他网络设备。You can connect Azure virtual machines (VMs) and appliances to other networked devices by placing them on Azure virtual networks. 也就是说,可以将虚拟网络接口卡连接到虚拟网络,允许启用了网络的设备之间进行基于 TCP/IP 的通信。That is, you can connect virtual network interface cards to a virtual network to allow TCP/IP-based communications between network-enabled devices. 连接到 Azure 虚拟网络的虚拟机能够连接到相同虚拟网络、不同虚拟网络、Internet 或自己的本地网络上的设备。Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or your own on-premises networks.

在规划您的网络和网络安全性,我们建议您集中管理:As you plan your network and the security of your network, we recommend that you centralize:

  • 核心网络功能,例如 ExpressRoute、 虚拟网络和子网预配和 IP 寻址的管理。Management of core network functions like ExpressRoute, virtual network and subnet provisioning, and IP addressing.
  • 网络安全元素,如网络虚拟设备功能,例如 ExpressRoute、 虚拟网络和子网预配和 IP 寻址的调控。Governance of network security elements, such as network virtual appliance functions like ExpressRoute, virtual network and subnet provisioning, and IP addressing.

如果使用一组通用的管理工具来监视你的网络和网络安全性,到会清楚地看到。If you use a common set of management tools to monitor your network and the security of your network, you get clear visibility into both. 一种简单、 统一的安全策略可以减少错误,因为这样可以增加人理解和自动化的可靠性。A straightforward, unified security strategy reduces errors because it increases human understanding and the reliability of automation.

以逻辑方式分段子网Logically segment subnets

Azure 虚拟网络是类似于 Lan 上的本地网络。Azure virtual networks are similar to LANs on your on-premises network. Azure 虚拟网络背后的理念是创建基于单个专用 IP 地址空间,可以将所有 Azure 虚拟机放置在其的网络。The idea behind an Azure virtual network is that you create a network, based on a single private IP address space, on which you can place all your Azure virtual machines. 可用的专用 IP 地址空间位于类别 A (10.0.0.0/8)、类别 B (172.16.0.0/12) 和类别 C (192.168.0.0/16) 范围内。The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges.

以逻辑方式对子网进行分段的最佳做法包括:Best practices for logically segmenting subnets include:

最佳做法:不分配允许具有广泛范围的规则 (例如,允许通过 255.255.255.255 0.0.0.0)。Best practice: Don’t assign allow rules with broad ranges (for example, allow 0.0.0.0 through 255.255.255.255).
详细信息:请确保故障排除过程不鼓励使用或禁止这些类型的规则设置。Detail: Ensure troubleshooting procedures discourage or ban setting up these types of rules. 这些允许规则导致虚假的安全感和频繁地找到和红队被利用。These allow rules lead to a false sense of security and are frequently found and exploited by red teams.

最佳做法:将较大的地址空间分段成子网。Best practice: Segment the larger address space into subnets.
详细信息:使用基于 CIDR 的子网原理来创建子网。Detail: Use CIDR-based subnetting principles to create your subnets.

最佳做法:在子网之间创建网络访问控制。Best practice: Create network access controls between subnets. 子网之间的路由会自动发生,不需要手动配置路由表。Routing between subnets happens automatically, and you don’t need to manually configure routing tables. 默认情况下,在 Azure 虚拟网络创建子网之间有任何网络访问控制。By default, there are no network access controls between the subnets that you create on an Azure virtual network.
详细信息:使用网络安全组以防止未经请求的流量到 Azure 子网。Detail: Use a network security group to protect against unsolicited traffic into Azure subnets. 网络安全组是简单的有状态数据包检查设备,使用 5 元组的方法 (源 IP、 源端口、 目标 IP、 目标端口和第 4 层协议) 来创建允许/拒绝的网络流量的规则。Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. 可以允许或拒绝流往或来自单个 IP 地址、多个 IP 地址或整个子网的流量。You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets.

当用于子网之间的网络访问控制使用网络安全组时,可以将资源属于同一安全区域或在其自己的子网中的角色。When you use network security groups for network access control between subnets, you can put resources that belong to the same security zone or role in their own subnets.

最佳做法:避免小型虚拟网络和子网,以确保的简洁性与灵活性。Best practice: Avoid small virtual networks and subnets to ensure simplicity and flexibility.
详细信息:大多数组织添加更多的资源比最初计划,并重新分配地址是耗费大量精力。Detail: Most organizations add more resources than initially planned, and re-allocating addresses is labor intensive. 使用较小的子网添加有限的安全值,并映射到每个子网的网络安全组会增加开销。Using small subnets adds limited security value, and mapping a network security group to each subnet adds overhead. 广泛定义子网,以确保有增长的灵活性。Define subnets broadly to ensure that you have flexibility for growth.

最佳做法:通过定义来简化网络安全组规则管理应用程序安全组Best practice: Simplify network security group rule management by defining Application Security Groups.
详细信息:定义应用程序安全组,您认为的 IP 地址的列表可能会在将来更改,或使用跨多个网络安全组。Detail: Define an Application Security Group for lists of IP addresses that you think might change in the future or be used across many network security groups. 一定要对名称应用程序安全组明确因此其他人可以理解其内容和用途。Be sure to name Application Security Groups clearly so others can understand their content and purpose.

采用零信任方法Adopt a Zero Trust approach

基于外围网络的网络运行的网络中的所有系统可以都是受信任的假设。Perimeter-based networks operate on the assumption that all systems within a network can be trusted. 但现在的员工从任意位置访问其组织的资源上的各种设备和应用程序,从而外围安全控制措施不相关。But today’s employees access their organization’s resources from anywhere on a variety of devices and apps, which makes perimeter security controls irrelevant. 访问控制策略仅在焦点可以访问的资源是不够的。Access control policies that focus only on who can access a resource are not enough. 若要掌握安全与效率之间的平衡,安全管理员还需要考虑进来如何资源的访问。To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

网络需要进一步发展从传统的防御措施,因为网络可能易受攻击漏洞: 攻击者可以破坏信任边界内的单个终结点,然后在整个网络快速展开据点。Networks need to evolve from traditional defenses because networks might be vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand a foothold across the entire network. 零信任网络消除了以外围网络中的网络位置上基于信任的概念。Zero Trust networks eliminate the concept of trust based on network location within a perimeter. 相反,零信任体系结构使用旨在限制访问组织数据和资源的设备和用户信任声明。Instead, Zero Trust architectures use device and user trust claims to gate access to organizational data and resources. 为新的计划,采用零信任方法的访问权限时验证信任。For new initiatives, adopt Zero Trust approaches that validate trust at the time of access.

最佳做法是:Best practices are:

最佳做法:授予条件性访问基于设备、 标识、 保证、 网络位置和的详细信息的资源。Best practice: Give Conditional Access to resources based on device, identity, assurance, network location, and more.
详细信息Azure AD 条件性访问允许通过实现自动化的访问控制决策基于所需的条件应用适当的访问控制。Detail: Azure AD Conditional Access lets you apply the right access controls by implementing automated access control decisions based on the required conditions. 有关详细信息,请参阅管理对 Azure 管理的条件性访问访问For more information, see Manage access to Azure management with Conditional Access.

最佳做法:工作流批准后仅启用端口访问。Best practice: Enable port access only after workflow approval.
详细信息:可以使用在 Azure 安全中心中实时 VM 访问锁定你的 Azure Vm,降低遭受攻击,同时允许轻松访问要连接到 Vm 时所需的入站流量。Detail: You can use just-in-time VM access in Azure Security Center to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

最佳做法:授予临时权限以执行特权的任务,这样可以防止恶意或未经授权的用户权限过期后获得的访问权限。Best practice: Grant temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. 只有在用户需要的情况下,才会授予访问权限。Access is granted only when users need it.
详细信息:使用在实时访问在 Azure AD Privileged Identity Management 中的或第三方解决方案来授予权限以执行特权的任务。Detail: Use just-in-time access in Azure AD Privileged Identity Management or in a third-party solution to grant permissions to perform privileged tasks.

零信任是网络安全的下一轮革命。Zero Trust is the next evolution in network security. 驱动器的网络攻击状态的组织能够采用"假定违反"思维方式,但这种方法不应存在一些限制。The state of cyberattacks drives organizations to take the “assume breach” mindset, but this approach shouldn’t be limiting. 零信任网络保护公司数据和资源,同时确保组织可以通过使用使员工可以高效工作 anytime,anywhere,以任何方式的技术来构建现代工作区。Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace by using technologies that empower employees to be productive anytime, anywhere, in any way.

控制路由行为Control routing behavior

将虚拟机置于 Azure 虚拟网络时,即使其他 VM 位于不同的子网,VM 也可以连接到同一虚拟网络上的任何其他 VM。When you put a virtual machine on an Azure virtual network, the VM can connect to any other VM on the same virtual network, even if the other VMs are on different subnets. 这是可能的,原因是默认启用的系统路由集合允许这种类型的通信。This is possible because a collection of system routes enabled by default allows this type of communication. 这些默认路由可让相同虚拟网络上的 VM 彼此发起连接,以及与 Internet 连接(仅适用于 Internet 的出站通信)。These default routes allow VMs on the same virtual network to initiate connections with each other, and with the internet (for outbound communications to the internet only).

尽管默认系统路由适用于许多部署方案,但有时也需要针对部署自定义路由配置。Although the default system routes are useful for many deployment scenarios, there are times when you want to customize the routing configuration for your deployments. 可以配置下一个跃点地址,用于访问特定目标。You can configure the next-hop address to reach specific destinations.

建议你在为虚拟网络部署安全设备时配置用户定义的路由We recommend that you configure user-defined routes when you deploy a security appliance for a virtual network. 我们将在后面的标题为保护关键的 Azure 服务资源,只允许在客户自己的虚拟网络中对其进行访问的部分中讨论此问题。We talk about this in a later section titled secure your critical Azure service resources to only your virtual networks.

备注

不需要用户定义的路由,默认的系统路通常有效。User-defined routes are not required, and the default system routes usually work.

使用虚拟网络设备Use virtual network appliances

网络安全组和用户定义路由可以提供一定程度的网络的网络和传输层安全性OSI 模型Network security groups and user-defined routing can provide a certain measure of network security at the network and transport layers of the OSI model. 但在某些情况下,建议在高级别堆栈中启用安全性。But in some situations, you want or need to enable security at high levels of the stack. 在此类情况下,建议部署 Azure 合作伙伴所提供的虚拟网络安全设备。In such situations, we recommend that you deploy virtual network security appliances provided by Azure partners.

Azure 网络安全设备可提供比网络级控制所提供的更高的安全性。Azure network security appliances can deliver better security than what network-level controls provide. 虚拟网络安全设备的网络安全功能包括:Network security capabilities of virtual network security appliances include:

  • 防火墙Firewalling
  • 入侵检测/入侵防护Intrusion detection/intrusion prevention
  • 漏洞管理Vulnerability management
  • 应用程序控制Application control
  • 基于网络的异常检测Network-based anomaly detection
  • Web 筛选Web filtering
  • 防病毒Antivirus
  • 僵尸网络防护Botnet protection

要查找可用的 Azure 虚拟网络安全设备,请转到 Azure 市场并搜索“安全”和“网络安全”。To find available Azure virtual network security appliances, go to the Azure Marketplace and search for “security” and “network security.”

为安全区部署外围网络Deploy perimeter networks for security zones

外围网格(也称为 DMZ)是物理或逻辑网络区段,可在资产与 Internet 之间提供额外的安全层。A perimeter network (also known as a DMZ) is a physical or logical network segment that provides an additional layer of security between your assets and the internet. 外围网络边缘的专用网络访问控制设备只允许所需流量流入虚拟网络。Specialized network access control devices on the edge of a perimeter network allow only desired traffic into your virtual network.

外围网络非常有用,因为可以将网络访问控制管理、监视、日志记录和报告的重点放在位于 Azure 虚拟网络边缘的设备上。Perimeter networks are useful because you can focus your network access control management, monitoring, logging, and reporting on the devices at the edge of your Azure virtual network. 外围网络是通常情况下允许分布式的拒绝服务 (DDoS) 预防、 入侵检测/入侵防护系统 (IDS/IPS)、 防火墙规则和策略、 web 筛选、 网络反恶意软件,和的详细信息。A perimeter network is where you typically enable distributed denial of service (DDoS) prevention, intrusion detection/intrusion prevention systems (IDS/IPS), firewall rules and policies, web filtering, network antimalware, and more. 网络安全设备位于 Internet 与 Azure 虚拟网络之间,在两个网络上均有接口。The network security devices sit between the internet and your Azure virtual network and have an interface on both networks.

这是外围网络的基本设计,尽管有很多不同的设计,连续、 三闸式和多宿主等。Although this is the basic design of a perimeter network, there are many different designs, like back-to-back, tri-homed, and multi-homed.

根据前面所述的零信任概念,我们建议你考虑使用的所有高安全性部署外围网络以增强 Azure 资源的网络安全性和访问控制级别。Based on the Zero Trust concept mentioned earlier, we recommend that you consider using a perimeter network for all high security deployments to enhance the level of network security and access control for your Azure resources. 可以使用 Azure 或第三方解决方案以你的资产与 internet 之间提供额外的安全层:You can use Azure or a third-party solution to provide an additional layer of security between your assets and the internet:

  • Azure 本机控件。Azure native controls. Azure 防火墙应用程序网关中的 web 应用程序防火墙提供具有完全有状态防火墙即服务,内置的高可用性,不受限制的云可伸缩性的基本安全 FQDN 筛选对 OWASP 核心规则集,并简单安装和配置的支持。Azure Firewall and the web application firewall in Application Gateway offer basic security with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration.
  • 第三方产品/服务。Third-party offerings. 搜索Azure Marketplace下一代防火墙 (NGFW) 和其他第三方产品/服务,提供熟悉的安全工具和显著增强的网络安全级别。Search the Azure Marketplace for next-generation firewall (NGFW) and other third-party offerings that provide familiar security tools and significantly enhanced levels of network security. 配置可能更为复杂,但第三方产品/服务可能会允许您使用现有功能和技能集。Configuration might be more complex, but a third-party offering might allow you to use existing capabilities and skillsets.

许多组织选择了混合 IT 路由。Many organizations have chosen the hybrid IT route. 混合 IT 环境,一些公司的信息资产是在 Azure 中,与其他人保留在本地。With hybrid IT, some of the company’s information assets are in Azure, and others remain on-premises. 在许多情况下,服务的某些组件在 Azure 中运行,而其他组件则维持在本地。In many cases, some components of a service are running in Azure while other components remain on-premises.

在混合 IT 方案,通常会有某种类型的跨界连接。In a hybrid IT scenario, there is usually some type of cross-premises connectivity. 跨界连接可让公司将其本地网络连接到 Azure 虚拟网络。Cross-premises connectivity allows the company to connect its on-premises networks to Azure virtual networks. 可用的跨界连接解决方案有两种:Two cross-premises connectivity solutions are available:

  • 站点到站点 VPNSite-to-site VPN. 它是一种值得信赖、可靠且成熟的技术,但连接是通过 Internet 进行的。It’s a trusted, reliable, and established technology, but the connection takes place over the internet. 带宽限制为最多大约 1.25 Gbps。Bandwidth is constrained to a maximum of about 1.25 Gbps. 站点到站点 VPN 是理想的选择在某些情况下。Site-to-site VPN is a desirable option in some scenarios.
  • Azure ExpressRouteAzure ExpressRoute. 建议使用 ExpressRoute 进行跨界连接。We recommend that you use ExpressRoute for your cross-premises connectivity. 使用 ExpressRoute 可通过连接服务提供商所提供的专用连接,将本地网络扩展到 Microsoft 云。ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. 使用 ExpressRoute,你可以建立到 Azure、 Office 365 和 Dynamics 365 等 Microsoft 云服务的连接。With ExpressRoute, you can establish connections to Microsoft cloud services like Azure, Office 365, and Dynamics 365. ExpressRoute 是专用的 WAN 的本地位置或 Microsoft Exchange 托管提供商之间的链接。ExpressRoute is a dedicated WAN link between your on-premises location or a Microsoft Exchange hosting provider. 由于这是电信运营商连接,因此它不公开到 internet 通信的潜在风险,不会在 internet 上传输数据。Because this is a telco connection, your data doesn’t travel over the internet, so it isn’t exposed to the potential risks of internet communications.

防火墙容量、 可伸缩性、 可靠性和网络流量的可见性,则可能会影响你的 ExpressRoute 连接的位置。The location of your ExpressRoute connection can affect firewall capacity, scalability, reliability, and network traffic visibility. 你将需要确定 ExpressRoute 终止现有 (内部) 网络中的位置。You’ll need to identify where to terminate ExpressRoute in existing (on-premises) networks. 可以:You can:

  • 如果需要可见性流量,如果需要继续现有做法的隔离数据中心,或如果你要仅将在 Azure 上的 extranet 资源,则终止外部防火墙 (外围网络模式)。Terminate outside the firewall (the perimeter network paradigm) if you require visibility into the traffic, if you need to continue an existing practice of isolating datacenters, or if you’re solely putting extranet resources on Azure.
  • 终止 (网络扩展模式) 的防火墙内。Terminate inside the firewall (the network extension paradigm). 这是默认的建议。This is the default recommendation. 在所有其他情况下,我们建议将 Azure 视为第 n 个数据中心。In all other cases, we recommend treating Azure as an nth datacenter.

优化运行时间和性能Optimize uptime and performance

如果服务已关闭,便无法访问信息。If a service is down, information can’t be accessed. 如果性能太差而无法使用数据,则可以将此数据视为无法访问。If performance is so poor that the data is unusable, you can consider the data to be inaccessible. 从安全角度来看,需要尽可能确保服务有最佳的运行时间和性能。From a security perspective, you need to do whatever you can to make sure that your services have optimal uptime and performance.

用于增强可用性和性能的常用且有效的方法是负载均衡。A popular and effective method for enhancing availability and performance is load balancing. 负载均衡是将网络流量分布于服务中各服务器的方法。Load balancing is a method of distributing network traffic across servers that are part of a service. 例如,如果服务中有前端 Web 服务器,可以使用负载均衡将流量分布于多台前端 Web 服务器。For example, if you have front-end web servers as part of your service, you can use load balancing to distribute the traffic across your multiple front-end web servers.

这种流量分布将提高可用性,因为如果其中一台 Web 服务器不可用,负载均衡器停止将流量发送到该服务器,并将它重定向到仍在运行的服务器。This distribution of traffic increases availability because if one of the web servers becomes unavailable, the load balancer stops sending traffic to that server and redirects it to the servers that are still online. 负载均衡还对性能有帮助,因为处理请求的处理器、网络和内存开销将分布于所有负载均衡的服务器之间。Load balancing also helps performance, because the processor, network, and memory overhead for serving requests is distributed across all the load-balanced servers.

建议尽可能为服务采用适当的负载均衡。We recommend that you employ load balancing whenever you can, and as appropriate for your services. 以下是 Azure 虚拟网络级别和全球级别的方案,以及每个级别的负载均衡选项。Following are scenarios at both the Azure virtual network level and the global level, along with load-balancing options for each.

场景:你有如下应用程序:Scenario: You have an application that:

  • 要求来自同一用户/客户端会话的请求访问相同后端虚拟机。Requires requests from the same user/client session to reach the same back-end virtual machine. 此类示例如购物车应用和 Web 邮件服务器。Examples of this are shopping cart apps and web mail servers.
  • 仅接受安全连接,因此与服务器进行未加密的通信是不可接受的选项。Accepts only a secure connection, so unencrypted communication to the server is not an acceptable option.
  • 要求将长时间运行的同一 TCP 连接上多个 HTTP 请求路由到或负载均衡到不同的后端服务器。Requires multiple HTTP requests on the same long-running TCP connection to be routed or load balanced to different back-end servers.

负载均衡选项:使用 Azure 应用程序网关,一个 HTTP Web 流量负载均衡器。Load-balancing option: Use Azure Application Gateway, an HTTP web traffic load balancer. 应用程序网关支持网关上的端到端 SSL 加密和 SSL 终止Application Gateway supports end-to-end SSL encryption and SSL termination at the gateway. 然后,Web 服务器可以免受加密和解密开销以及未加密流向后端服务器的流量的负担。Web servers can then be unburdened from encryption and decryption overhead and traffic flowing unencrypted to the back-end servers.

场景:需要在位于 Azure 虚拟网络中的服务器之间对来自 Internet 的传入连接进行负载均衡。Scenario: You need to load balance incoming connections from the internet among your servers located in an Azure virtual network. 也就是说当:Scenarios are when you:

  • 具有接受来自 Internet 的传入请求的无状态应用程序时。Have stateless applications that accept incoming requests from the internet.
  • 不需要粘性会话或 SSL 卸载时。Don’t require sticky sessions or SSL offload. 粘性会话是与应用程序负载均衡一起使用的方法,用于实现服务器关联。Sticky sessions is a method used with Application Load Balancing, to achieve server-affinity.

负载均衡选项:使用 Azure 门户创建外部负载均衡器,该均衡器将多个 VM 之间的传入请求进行分散,以提供更高级别的可用性。Load-balancing option: Use the Azure portal to create an external load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

场景:需要从不在 Internet 上的 VM 对连接进行负载均衡。Scenario: You need to load balance connections from VMs that are not on the internet. 大多数情况下,接受的用于进行负载均衡的连接由 Azure 虚拟网络上的设备发起,例如 SQL Server 实例或内部 Web 服务器。In most cases, the connections that are accepted for load balancing are initiated by devices on an Azure virtual network, such as SQL Server instances or internal web servers.
负载均衡选项:使用 Azure 门户创建内部负载均衡器,该均衡器将多个 VM 之间的传入请求进行分散,以提供更高级别的可用性。Load-balancing option: Use the Azure portal to create an internal load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

场景:你需要全球负载均衡,因为:Scenario: You need global load balancing because you:

  • 拥有广泛分布在多个地区的云解决方案,并且需要可能的最高级别的正常运行时间(可用性)。Have a cloud solution that is widely distributed across multiple regions and requires the highest level of uptime (availability) possible.
  • 需要可能的最高级别的正常运行时间,以确保即使整个数据中心不可用,服务仍然可用。Need the highest level of uptime possible to make sure that your service is available even if an entire datacenter becomes unavailable.

负载均衡选项:使用 Azure 流量管理器。Load-balancing option: Use Azure Traffic Manager. 流量管理器可以根据用户的位置,对服务的连接进行负载均衡。Traffic Manager makes it possible to load balance connections to your services based on the location of the user.

例如,如果用户从欧盟对服务发出请求,此连接会被定向到位于欧盟数据中心的服务。For example, if the user makes a request to your service from the EU, the connection is directed to your services located in an EU datacenter. 这一部分的流量管理器全局负载均衡有助于改善性能,因为连接到最近的数据中心比连接到远处的数据中心还要快。This part of Traffic Manager global load balancing helps to improve performance because connecting to the nearest datacenter is faster than connecting to datacenters that are far away.

禁用对虚拟机的 RDP/SSH 访问Disable RDP/SSH Access to virtual machines

使用远程桌面协议 (RDP) 和安全外壳 (SSH) 协议可以访问 Azure 虚拟机。It’s possible to reach Azure virtual machines by using Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. 这些协议支持远程管理 VM,并且是数据中心计算中的标准协议。These protocols enable the management VMs from remote locations and are standard in datacenter computing.

在 Internet 上使用这些协议的潜在安全问题是,攻击者可以使用暴力破解技术来访问 Azure 虚拟机。The potential security problem with using these protocols over the internet is that attackers can use brute force techniques to gain access to Azure virtual machines. 攻击者获取访问权限后,就可以使用 VM 作为破坏虚拟网络上其他计算机的启动点,甚至攻击 Azure 之外的网络设备。After the attackers gain access, they can use your VM as a launch point for compromising other machines on your virtual network or even attack networked devices outside Azure.

我们建议禁用从 Internet 对 Azure 虚拟机的直接 RDP 和 SSH 访问。We recommend that you disable direct RDP and SSH access to your Azure virtual machines from the internet. 禁用从 Internet 的直接 RDP 和 SSH 访问之后,有其他选项可用于访问这些 VM 以便进行远程管理。After direct RDP and SSH access from the internet is disabled, you have other options that you can use to access these VMs for remote management.

场景:可让单个用户通过 Internet 连接到 Azure 虚拟网络。Scenario: Enable a single user to connect to an Azure virtual network over the internet.
选项点到站点 VPN 是远程访问 VPN 客户端/服务器连接的另一种说法。Option: Point-to-site VPN is another term for a remote access VPN client/server connection. 建立点到站点连接之后,用户能够使用 RDP 或 SSH 连接到位于用户通过点到站点 VPN 连接的 Azure 虚拟网络上的任何 VM。After the point-to-site connection is established, the user can use RDP or SSH to connect to any VMs located on the Azure virtual network that the user connected to via point-to-site VPN. 此处假设用户有权访问这些 VM。This assumes that the user is authorized to reach those VMs.

点到站点 VPN 比直接 RDP 或 SSH 连接更安全,因为用户必须事先通过两次身份验证才将连接到 VM。Point-to-site VPN is more secure than direct RDP or SSH connections because the user has to authenticate twice before connecting to a VM. 首先,用户需要进行身份验证(并获得授权)以建立点到站点 VPN 连接。First, the user needs to authenticate (and be authorized) to establish the point-to-site VPN connection. 其次,用户需要进行身份验证(并获得授权)以建立 RDP 或 SSH 会话。Second, the user needs to authenticate (and be authorized) to establish the RDP or SSH session.

场景:使本地网络上的用户能够连接到 Azure 虚拟网络上的 VM。Scenario: Enable users on your on-premises network to connect to VMs on your Azure virtual network.
选项站点到站点 VPN 通过 Internet 将整个网络连接到另一个网络。Option: A site-to-site VPN connects an entire network to another network over the internet. 可以使用站点到站点 VPN 将本地网络连接到 Azure 虚拟网络。You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. 本地网络上的用户通过站点到站点 VPN 使用 RDP 或 SSH 协议进行连接。Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. 不必允许通过 Internet 进行的直接 RDP 或 SSH 访问。You don’t have to allow direct RDP or SSH access over the internet.

场景:使用专用的 WAN 链接提供类似于站点到站点 VPN 的功能。Scenario: Use a dedicated WAN link to provide functionality similar to the site-to-site VPN.
选项:使用 ExpressRouteOption: Use ExpressRoute. 它提供类似于站点到站点 VPN 的功能。It provides functionality similar to the site-to-site VPN. 它们的主要区别包括:The main differences are:

  • 专用的 WAN 链接不会遍历 Internet。The dedicated WAN link doesn’t traverse the internet.
  • 专用的 WAN 链接通常更稳定且性能更佳。Dedicated WAN links are typically more stable and perform better.

保护关键的 Azure 服务资源,只允许在客户自己的虚拟网络中对其进行访问Secure your critical Azure service resources to only your virtual networks

使用虚拟网络服务终结点可通过直接连接将虚拟网络专用地址空间和虚拟网络标识扩展到 Azure 服务。Use virtual network service endpoints to extend your virtual network private address space, and the identity of your virtual network to the Azure services, over a direct connection. 使用终结点可以保护关键的 Azure 服务资源,只允许在客户自己的虚拟网络中对其进行访问。Endpoints allow you to secure your critical Azure service resources to only your virtual networks. 从虚拟网络发往 Azure 服务的流量始终保留在 Microsoft Azure 主干网络中。Traffic from your virtual network to the Azure service always remains on the Microsoft Azure backbone network.

服务终结点提供以下优势:Service endpoints provide the following benefits:

  • 提高 Azure 服务资源的安全性:使用服务终结点,可在虚拟网络中保护 Azure 服务资源。Improved security for your Azure service resources: With service endpoints, Azure service resources can be secured to your virtual network. 在虚拟网络中保护服务资源可以完全消除通过公共 Internet 对这些资源进行访问,只允许来自客户自己的虚拟网络的流量,从而提高了安全性。Securing service resources to a virtual network provides improved security by fully removing public internet access to resources, and allowing traffic only from your virtual network.

  • 来自虚拟网络的 Azure 服务流量的最佳路由:虚拟网络中强制 Internet 流量通过本地和/或虚拟设备(称为强制隧道)的任何路由也会强制 Azure 服务流量采用与 Internet 流量相同的路由。Optimal routing for Azure service traffic from your virtual network: Any routes in your virtual network that force internet traffic to your on-premises and/or virtual appliances, known as forced tunneling, also force Azure service traffic to take the same route as the internet traffic. 服务终结点为 Azure 流量提供最佳路由。Service endpoints provide optimal routing for Azure traffic.

    终结点始终将服务流量直接从虚拟网络带至 Azure 主干网络上的服务。Endpoints always take service traffic directly from your virtual network to the service on the Azure backbone network. 将流量保留在 Azure 主干网络上可以通过强制隧道持续审核和监视来自虚拟网络的出站 Internet 流量,而不会影响服务流量。Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound internet traffic from your virtual networks, through forced tunneling, without affecting service traffic. 详细了解用户定义的路由和强制隧道Learn more about user-defined routes and forced tunneling.

  • 设置简单,管理开销更少:不再需要使用虚拟网络中的保留公共 IP 地址通过 IP 防火墙保护 Azure 资源。Simple to set up with less management overhead: You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through an IP firewall. 无需使用 NAT 或网关设备即可设置服务终结点。There are no NAT or gateway devices required to set up the service endpoints. 只需单击一下子网,即可配置服务终结点。Service endpoints are configured through a simple click on a subnet. 不会产生与终结点维护相关的额外开销。There is no additional overhead to maintain the endpoints.

要了解服务终结点及可使用服务终结点的 Azure 服务和区域的详细信息,请参阅虚拟网络服务终结点To learn more about service endpoints and the Azure services and regions that service endpoints are available for, see Virtual network service endpoints.

后续步骤Next steps

有关通过 Azure 设计、部署和管理云解决方案时可以使用的更多安全最佳做法,请参阅 Azure 安全最佳做法和模式See Azure security best practices and patterns for more security best practices to use when you’re designing, deploying, and managing your cloud solutions by using Azure.