Azure network security overview

Network security can be defined as the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The goal is to ensure that only legitimate traffic is allowed. Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the internet and Azure.

This article covers some of the options that Azure offers in the area of network security. You can learn about:

  • Azure networking
  • Network access control
  • Azure Firewall
  • Secure remote access and cross-premises connectivity
  • Availability
  • Name resolution
  • Perimeter network (DMZ) architecture
  • Azure DDoS protection
  • Azure Front Door
  • Traffic Manager
  • Monitoring and threat detection

Azure networking

Azure requires virtual machines to be connected to an Azure Virtual Network. A virtual network is a logical construct built on top of the physical Azure network fabric. Each virtual network is isolated from all other virtual networks. This helps ensure that network traffic in your deployments is not accessible to other Azure customers.

Network access control

Network access control is the act of limiting connectivity to and from specific devices or subnets within a virtual network. The goal of network access control is to limit access to your virtual machines and services to approved users and devices. Access controls are based on decisions to allow or deny connections to and from your virtual machine or service.

Azure supports several types of network access control, such as:

  • Network layer control
  • Route control and forced tunneling
  • Virtual network security appliances

Network layer control

Any secure deployment requires some measure of network access control. The goal of network access control is to restrict virtual machine communication to the necessary systems. Other communication attempts are blocked.

Note

Storage firewalls are covered in the Azure storage security overview article.

Network security rules (NSGs)

If you need basic network-level access control (based on IP address and the TCP or UDP protocols), you can use Network Security Groups (NSGs). An NSG is a basic, stateful, packet-filtering firewall, and it enables you to control access based on a 5-tuple (source and destination IP address, source and destination port, and protocol). NSGs include functionality to simplify management and reduce the chances of configuration mistakes:

  • Augmented security rules simplify NSG rule definition and allow you to create complex rules rather than having to create multiple simple rules to achieve the same result.
  • Service tags are Microsoft-created labels that represent a group of IP addresses. They update dynamically to include IP ranges that meet the conditions that define inclusion in the label. For example, if you want to create a rule that applies to all Azure Storage in the East US region, you can use Storage.EastUS.
  • Application security groups allow you to deploy resources to application groups and control the access to those resources by creating rules that use those application groups. For example, if you have web servers deployed to the 'Webservers' application group, you can create an NSG rule that allows TCP port 443 traffic from the internet to all systems in the 'Webservers' application group.

NSGs do not provide application-layer inspection or authenticated access controls.

ASC just-in-time VM access

Azure Security Center can manage the NSGs on VMs and lock access to the VM until a user with the appropriate role-based access control (RBAC) permissions requests access. When the user is successfully authorized, ASC modifies the NSGs to allow access to the selected ports for the time specified. When the time expires, the NSGs are restored to their previous secured state.

Service endpoints

Service endpoints are another way to apply control over your traffic. You can limit communication with supported services to just your VNets over a direct connection. Traffic from your VNet to the specified Azure service remains on the Microsoft Azure backbone network.

Route control and forced tunneling

The ability to control routing behavior on your virtual networks is critical. If routing is configured incorrectly, applications and services hosted on your virtual machines might connect to unauthorized devices, including systems owned and operated by potential attackers.

Azure networking supports the ability to customize the routing behavior for network traffic on your virtual networks. This enables you to alter the default routing table entries in your virtual network. Control of routing behavior helps you make sure that all traffic from a certain device or group of devices enters or leaves your virtual network through a specific location.

For example, you might have a virtual network security appliance on your virtual network. You want to make sure that all traffic to and from your virtual network goes through that virtual security appliance. You can do this by configuring user-defined routes (UDRs) in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from internet hosts, so internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.

What you don't want to allow is a front-end web server initiating an outbound request. Such requests might represent a security risk because these connections can be used to download malware. Even if you do want these front-end servers to initiate outbound requests to the internet, you might want to force them to go through your on-premises web proxies. This enables you to take advantage of URL filtering and logging.

Instead, you would want to use forced tunneling to prevent this. When you enable forced tunneling, all connections to the internet are forced through your on-premises gateway. You can configure forced tunneling by taking advantage of UDRs.
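
The route selection that makes UDRs, the security-appliance route and forced tunneling work, as an added Python example that is not part of the original article. The VNet address space 10.1.0.0/16, the appliance address 10.1.0.4 and the origin labels are this example's own assumptions; it models Azure's longest-prefix-match rule with user-defined routes taking precedence over BGP and system routes of equal prefix length.

```python
"""
Route selection on an Azure subnet, modelled in plain Python.

Azure selects the route with the longest matching prefix. When several
routes share the same prefix length, a user-defined route (UDR) takes
precedence over a BGP route, which takes precedence over a system route.
Forced tunneling relies on exactly that: a UDR for 0.0.0.0/0 with next hop
VirtualNetworkGateway replaces the system route 0.0.0.0/0 -> Internet, so
VMs on the subnet can no longer open outbound internet connections directly.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Precedence between routes of equal prefix length (lower rank wins).
# These origin labels are this example's own, not Azure's effective-route column values.
ORIGIN_RANK = {"UserDefined": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                  # destination address prefix in CIDR form
    next_hop_type: str           # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    origin: str                  # System, BGP or UserDefined
    next_hop_address: str = ""   # only meaningful for VirtualAppliance


def system_routes(vnet_space: str) -> List[Route]:
    """The default system routes every subnet receives, reduced to the two that matter here."""
    return [
        Route(vnet_space, "VirtualNetwork", "System"),
        Route("0.0.0.0/0", "Internet", "System"),
    ]


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match; ties are broken by origin (UDR beats BGP beats System)."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r.prefix, strict=False)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ip_network(r.prefix, strict=False).prefixlen,
                              ORIGIN_RANK[r.origin]))


def next_hop_for(routes: List[Route], destination: str) -> str:
    """Where a packet to `destination` leaves the subnet, as 'type' or 'type:address'."""
    route = select_route(routes, destination)
    if route is None:
        return "None"
    if route.next_hop_address:
        return f"{route.next_hop_type}:{route.next_hop_address}"
    return route.next_hop_type


# Constructed sample: an assumed 10.1.0.0/16 VNet in three route-table states.
VNET = "10.1.0.0/16"
DEFAULT_TABLE = system_routes(VNET)
# UDR sending everything through a network virtual appliance at an assumed 10.1.0.4.
VIA_NVA = DEFAULT_TABLE + [Route("0.0.0.0/0", "VirtualAppliance", "UserDefined", "10.1.0.4")]
# Forced tunneling: UDR sending all internet-bound traffic to the on-premises gateway.
FORCED_TUNNEL = DEFAULT_TABLE + [Route("0.0.0.0/0", "VirtualNetworkGateway", "UserDefined")]

if __name__ == "__main__":
    for label, table in (("default", DEFAULT_TABLE), ("via NVA", VIA_NVA), ("forced tunnel", FORCED_TUNNEL)):
        print(f"{label:14} 10.1.2.4 -> {next_hop_for(table, '10.1.2.4'):26} "
              f"203.0.113.10 -> {next_hop_for(table, '203.0.113.10')}")
```

Intra-VNet traffic keeps the VirtualNetwork next hop in every table because the /16 system route is more specific than any 0.0.0.0/0 UDR; only the internet-bound flow changes.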

Virtual network security appliances

While NSGs, UDRs, and forced tunneling provide you a level of security at the network and transport layers of the OSI model, you might also want to enable security at layers higher than the network.

For example, your security requirements might include:

  • Authentication and authorization before allowing access to your application
  • Intrusion detection and intrusion response
  • Application-layer inspection for high-level protocols
  • URL filtering
  • Network-level antivirus and antimalware
  • Anti-bot protection
  • Application access control
  • Additional DDoS protection (above the DDoS protection provided by the Azure fabric itself)

You can access these enhanced network security features by using an Azure partner solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security".

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Some features include:

  • High availability
  • Cloud scalability
  • Application FQDN filtering rules
  • Network traffic filtering rules

Secure remote access and cross-premises connectivity

Setup, configuration, and management of your Azure resources need to be done remotely. In addition, you might want to deploy hybrid IT solutions that have components on-premises and in the Azure public cloud. These scenarios require secure remote access.

Azure networking supports the following secure remote access scenarios:

  • Connect individual workstations to a virtual network
  • Connect your on-premises network to a virtual network with a VPN
  • Connect your on-premises network to a virtual network with a dedicated WAN link
  • Connect virtual networks to each other

Connect individual workstations to a virtual network

You might want to enable individual developers or operations personnel to manage virtual machines and services in Azure. For example, let's say you need access to a virtual machine on a virtual network, but your security policy does not allow RDP or SSH remote access to individual virtual machines. In this case, you can use a point-to-site VPN connection.

The point-to-site VPN connection enables you to set up a private and secure connection between the user and the virtual network. When the VPN connection is established, the user can RDP or SSH over the VPN link into any virtual machine on the virtual network. (This assumes that the user can authenticate and is authorized.) Point-to-site VPN supports:

  • Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

  • OpenVPN

Connect your on-premises network to a virtual network with a VPN

You might want to connect your entire corporate network, or portions of it, to a virtual network. This is common in hybrid IT scenarios, where organizations extend their on-premises datacenter into Azure. In many cases, organizations host parts of a service in Azure, and parts on-premises. For example, they might do so when a solution includes front-end web servers in Azure and back-end databases on-premises. These types of "cross-premises" connections also make management of Azure-located resources more secure, and enable scenarios such as extending Active Directory domain controllers into Azure.

One way to accomplish this is to use a site-to-site VPN. The difference between a site-to-site VPN and a point-to-site VPN is that the latter connects a single device to a virtual network. A site-to-site VPN connects an entire network (such as your on-premises network) to a virtual network. Site-to-site VPNs to a virtual network use the highly secure IPsec tunnel mode VPN protocol.

Point-to-site and site-to-site VPN connections are effective for enabling cross-premises connectivity. However, some organizations consider them to have the following drawbacks:

  • VPN connections move data over the internet. This exposes these connections to potential security issues involved with moving data over a public network. In addition, reliability and availability for internet connections cannot be guaranteed.
  • VPN connections to virtual networks might not have the bandwidth for some applications and purposes, as they max out at around 200 Mbps.

Organizations that need the highest level of security and availability for their cross-premises connections typically use dedicated WAN links to connect to remote sites. Azure provides you the ability to use a dedicated WAN link to connect your on-premises network to a virtual network. Azure ExpressRoute, ExpressRoute Direct, and ExpressRoute Global Reach enable this.

Connect virtual networks to each other

It is possible to use many virtual networks for your deployments. There are various reasons why you might do this. You might want to simplify management, or you might want increased security. Regardless of the motivation for putting resources on different virtual networks, there might be times when you want resources on each of the networks to connect with one another.

One option is for services on one virtual network to connect to services on another virtual network by "looping back" through the internet. The connection starts on one virtual network, goes through the internet, and then comes back to the destination virtual network. This option exposes the connection to the security issues inherent in any internet-based communication.

A better option might be to create a site-to-site VPN that connects between two virtual networks. This method uses the same IPsec tunnel mode protocol as the cross-premises site-to-site VPN connection mentioned above.

The advantage of this approach is that the VPN connection is established over the Azure network fabric, instead of connecting over the internet. This provides you an extra layer of security, compared to site-to-site VPNs that connect over the internet.

Another way to connect your virtual networks is VNet peering. This feature allows you to connect two Azure networks so that communication between them happens over the Microsoft backbone infrastructure without ever going over the internet. VNet peering can connect two VNets within the same region or two VNets across Azure regions. NSGs can be used to limit connectivity between different subnets or systems.

Availability

Availability is a key component of any security program. If your users and systems can't access what they need to access over the network, the service can be considered compromised. Azure has networking technologies that support the following high-availability mechanisms:

  • HTTP-based load balancing
  • Network-level load balancing
  • Global load balancing

Load balancing is a mechanism designed to equally distribute connections among multiple devices. The goals of load balancing are:

  • To increase availability. When you load balance connections across multiple devices, one or more of the devices can become unavailable without compromising the service. The services running on the remaining online devices can continue to serve the content from the service.
  • To increase performance. When you load balance connections across multiple devices, a single device doesn't have to handle all processing. Instead, the processing and memory demands for serving the content are spread across multiple devices.

HTTP-based load balancing

Organizations that run web-based services often desire to have an HTTP-based load balancer in front of those web services. This helps ensure adequate levels of performance and high availability. Traditional, network-based load balancers rely on network and transport layer protocols. HTTP-based load balancers, on the other hand, make decisions based on characteristics of the HTTP protocol.

Azure Application Gateway provides HTTP-based load balancing for your web-based services. Application Gateway supports:

  • Cookie-based session affinity. This capability makes sure that connections established to one of the servers behind that load balancer stay intact between the client and server. This ensures stability of transactions.
  • SSL offload. When a client connects with the load balancer, that session is encrypted by using the HTTPS (SSL) protocol. However, in order to increase performance, you can use the HTTP (unencrypted) protocol to connect between the load balancer and the web server behind the load balancer. This is referred to as "SSL offload," because the web servers behind the load balancer don't experience the processor overhead involved with encryption. The web servers can therefore service requests more quickly.
  • URL-based content routing. This feature makes it possible for the load balancer to make decisions about where to forward connections based on the target URL. This provides a lot more flexibility than solutions that make load balancing decisions based on IP addresses.

Network-level load balancing

In contrast to HTTP-based load balancing, network-level load balancing makes decisions based on IP address and port (TCP or UDP) numbers. You can gain the benefits of network-level load balancing in Azure by using Azure Load Balancer. Some key characteristics of Load Balancer include:

  • Network-level load balancing based on IP address and port numbers.
  • Support for any application-layer protocol.
  • Load balances to Azure virtual machines and cloud services role instances.
  • Can be used for both internet-facing (external load balancing) and non-internet-facing (internal load balancing) applications and virtual machines.
  • Endpoint monitoring, which is used to determine if any of the services behind the load balancer have become unavailable.

Global load balancing

Some organizations want the highest level of availability possible. One way to reach this goal is to host applications in globally distributed datacenters. When an application is hosted in datacenters located throughout the world, it's possible for an entire geopolitical region to become unavailable and still have the application up and running.

This load-balancing strategy can also yield performance benefits. You can direct requests for the service to the datacenter that is nearest to the device that is making the request.

In Azure, you can gain the benefits of global load balancing by using Azure Traffic Manager.

Name resolution

Name resolution is a critical function for all services you host in Azure. From a security perspective, compromise of the name resolution function can lead to an attacker redirecting requests from your sites to an attacker's site. Secure name resolution is a requirement for all your cloud-hosted services.

There are two types of name resolution you need to address:

  • Internal name resolution. This is used by services on your virtual networks, your on-premises networks, or both. Names used for internal name resolution are not accessible over the internet. For optimal security, it's important that your internal name resolution scheme is not accessible to external users.
  • External name resolution. This is used by people and devices outside of your on-premises networks and virtual networks. These are the names that are visible to the internet, and are used to direct connections to your cloud-based services.

For internal name resolution, you have two options:

  • A virtual network DNS server. When you create a new virtual network, a DNS server is created for you. This DNS server can resolve the names of the machines located on that virtual network. This DNS server is not configurable, is managed by the Azure fabric manager, and can therefore help you secure your name resolution solution.
  • Bring your own DNS server. You have the option of putting a DNS server of your own choosing on your virtual network. This DNS server can be an Active Directory-integrated DNS server, or a dedicated DNS server solution provided by an Azure partner, which you can obtain from the Azure Marketplace.

For external name resolution, you have two options:

  • Host your own external DNS server on-premises.
  • Host your own external DNS server with a service provider.

Many large organizations host their own DNS servers on-premises. They can do this because they have the networking expertise and global presence to do so.

In most cases, it's better to host your DNS name resolution services with a service provider. These service providers have the network expertise and global presence to ensure very high availability for your name resolution services. Availability is essential for DNS services, because if your name resolution services fail, no one will be able to reach your internet-facing services.

Azure provides you with a highly available and high-performing external DNS solution in the form of Azure DNS. This external name resolution solution takes advantage of the worldwide Azure DNS infrastructure. It allows you to host your domain in Azure, using the same credentials, APIs, tools, and billing as your other Azure services. As part of Azure, it also inherits the strong security controls built into the platform.

Perimeter network architecture

Many large organizations use perimeter networks to segment their networks, and create a buffer zone between the internet and their services. The perimeter portion of the network is considered a low-security zone, and no high-value assets are placed in that network segment. You'll typically see network security devices that have a network interface on the perimeter network segment. Another network interface is connected to a network that has virtual machines and services that accept inbound connections from the internet.

You can design perimeter networks in a number of different ways. The decision to deploy a perimeter network, and then what type of perimeter network to use if you decide to use one, depends on your network security requirements.

Azure DDoS protection

Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Microsoft provides DDoS protection known as Basic as part of the Azure platform. This comes at no charge and includes always-on monitoring and real-time mitigation of common network-level attacks. In addition to the protections included with DDoS Protection Basic, you can enable the Standard option. DDoS Protection Standard features include:

  • Native platform integration: Natively integrated into Azure. Includes configuration through the Azure portal. DDoS Protection Standard understands your resources and resource configuration.
  • Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. No intervention or user definition is required. DDoS Protection Standard instantly and automatically mitigates the attack once it is detected.
  • Always-on traffic monitoring: Your application traffic patterns are monitored 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Mitigation is performed when protection policies are exceeded.
  • Attack mitigation reports: Attack mitigation reports use aggregated network flow data to provide detailed information about attacks targeted at your resources.
  • Attack mitigation flow logs: Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic, and other attack data in near real time during an active DDoS attack.
  • Adaptive tuning: Intelligent traffic profiling learns your application's traffic over time, and selects and updates the profile that is the most suitable for your service. The profile adjusts as traffic changes over time.
  • Layer 3 to layer 7 protection: Provides full-stack DDoS protection when used with a web application firewall.
  • Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
  • Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack's duration, using built-in attack metrics. Alerts integrate into your operational software like Azure Monitor logs, Splunk, Azure Storage, email, and the Azure portal.
  • Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.
  • DDoS Rapid Response: DDoS Protection Standard customers have access to the DDoS Rapid Response (DRR) team during an active attack. DRR can help with attack investigation, custom mitigations during an attack, and post-attack analysis.

Azure Front DoorAzure Front Door

使用 Azure Front Door 服务,你可以定义、管理和监视 Web 流量的全局路由。Azure Front Door Service enables you to define, manage, and monitor the global routing of your web traffic. 它可以优化流量的路由以实现最佳性能和高可用性。It optimizes your traffic's routing for best performance and high availability. Azure Front Door 允许编写自定义 Web 应用程序防火墙 (WAF) 规则进行访问控制,以基于客户端 IP 地址、国家/地区代码和 http 参数来防范 HTTP/HTTPS 工作负荷遭到恶意利用。Azure Front Door allows you to author custom web application firewall (WAF) rules for access control to protect your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and http parameters. 此外,使用 Front Door 还可以创建速率限制规则来对付恶意的机器人流量,它包括 SSL 卸载和每 HTTP/HTTPS 请求以及应用程序层处理。Additionally, Front Door also enables you to create rate limiting rules to battle malicious bot traffic, it includes SSL offloading and per-HTTP/HTTPS request, application-layer processing.

The Front Door platform itself is protected by Azure DDoS Protection Basic. For further protection, Azure DDoS Protection Standard can be enabled on your virtual networks to safeguard resources from network-layer (TCP/UDP) attacks through automatic tuning and mitigation. Front Door is a layer 7 reverse proxy: it only passes web traffic through to the back-end servers and blocks other types of traffic by default.


Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that lets you distribute traffic optimally to services across global Azure regions while providing high availability and responsiveness. Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. An endpoint is any Internet-facing service hosted inside or outside of Azure. Traffic Manager monitors the endpoints and does not direct traffic to any endpoint that is unavailable. Because it operates purely at the DNS level, Traffic Manager never sees the application traffic itself: clients connect directly to the endpoint they were resolved to, so it does not filter or inspect that traffic.


Monitoring and threat detection

Azure provides capabilities to help you in this key area with early detection, monitoring, and the collection and review of network traffic.

Azure Network Watcher

Azure Network Watcher can help you troubleshoot, and provides a set of tools to assist with the identification of security issues.

Security Group View helps with auditing and security compliance of virtual machines. Use it to perform programmatic audits, comparing the baseline policies defined by your organization to the effective rules for each of your VMs (the combination of the NSGs applied to the VM's network interface and to its subnet, as Azure actually evaluates them). This helps you identify configuration drift.

Packet capture lets you capture network traffic to and from a virtual machine. You can collect network statistics and troubleshoot application issues, which can be invaluable when investigating network intrusions. You can also use this feature together with Azure Functions to start network captures in response to specific Azure alerts.

For more information on Network Watcher and how to start testing some of the functionality in your labs, see Azure Network Watcher monitoring overview.

Note

For the most up-to-date notifications on the availability and status of this service, check the Azure updates page.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats, and gives you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad set of security solutions.

Security Center helps you optimize and monitor network security by:

  • Providing network security recommendations.
  • Monitoring the state of your network security configuration.
  • Alerting you to network-based threats, at both the endpoint and the network level.


Virtual Network TAP

Azure virtual network TAP (Terminal Access Point) lets you continuously stream virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a network virtual appliance partner. You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions.


Logging

Logging at the network level is a key function for any network security scenario. In Azure, you can log information obtained from NSGs to get network-level logging. With NSG logging, you get information from:

  • Activity logs. Use these logs to view all operations submitted to your Azure subscriptions. They are enabled by default and can be viewed in the Azure portal. They were previously known as audit or operational logs.
  • Event logs. These logs provide information about which NSG rules were applied.
  • Counter logs. These logs tell you how many times each NSG rule was applied to deny or allow traffic.

You can also use Microsoft Power BI, a data visualization tool, to view and analyze these logs.
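As an added example (not from the article or from any Azure tooling) of consuming the event and counter logs described above, the script below reads NSG diagnostic-log records exported as JSON lines, totals allowed versus blocked connections per NSG from the `NetworkSecurityGroupRuleCounter` records, lists the busiest rules, and scans the `NetworkSecurityGroupEvent` records for user-defined inbound allow rules whose conditions admit `0.0.0.0/0` on a sensitive port. The sample records are constructed: the field names follow the NSG diagnostic-log schema as the author understands it, while the subscription, NSG names, MAC address and counts are invented.

```python
"""Summarize NSG diagnostic logs (NetworkSecurityGroupEvent and
NetworkSecurityGroupRuleCounter categories) exported as JSON lines (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample data. Field names follow the NSG diagnostic-log schema;
# subscription, resource names, MAC address and counts are made up.
_RG = "/SUBSCRIPTIONS/11111111-1111-1111-1111-111111111111/RESOURCEGROUPS/PROD-RG"
_WEB = _RG + "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG"
_DB = _RG + "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DB-NSG"


def _counter(nsg, rule, direction, kind, matched):
    return json.dumps({
        "time": "2020-05-01T10:00:00Z", "category": "NetworkSecurityGroupRuleCounter",
        "resourceId": nsg, "operationName": "NetworkSecurityGroupCounters",
        "properties": {"macAddress": "000D3A000001", "ruleName": rule, "direction": direction,
                       "type": kind, "matchedConnections": matched}})


def _event(nsg, rule, direction, kind, source_ip, dest_ports, priority):
    return json.dumps({
        "time": "2020-05-01T10:00:05Z", "category": "NetworkSecurityGroupEvent",
        "resourceId": nsg, "operationName": "NetworkSecurityGroupEvents",
        "properties": {"macAddress": "000D3A000001", "ruleName": rule, "direction": direction,
                       "priority": priority, "type": kind,
                       "conditions": {"sourceIP": source_ip, "destinationIP": "0.0.0.0/0",
                                      "sourcePortRange": "0-65535",
                                      "destinationPortRange": dest_ports, "protocols": "*"}}})


SAMPLE_LOG = "\n".join([
    _counter(_WEB, "UserRule_allow-https", "In", "allow", 1840),
    _counter(_WEB, "DefaultRule_DenyAllInBound", "In", "block", 9731),
    _counter(_WEB, "UserRule_allow-rdp-any", "In", "allow", 57),
    _counter(_WEB, "DefaultRule_AllowVnetInBound", "In", "allow", 300),
    _counter(_DB, "DefaultRule_DenyAllInBound", "In", "block", 120),
    _counter(_DB, "UserRule_allow-sql-from-web", "In", "allow", 4400),
    _event(_WEB, "UserRule_allow-https", "In", "allow", "0.0.0.0/0", "443-443", 100),
    _event(_WEB, "UserRule_allow-rdp-any", "In", "allow", "0.0.0.0/0", "3389-3389", 120),
    _event(_DB, "UserRule_allow-sql-from-web", "In", "allow", "10.0.1.0/24", "1433-1433", 100),
])


def parse_records(text):
    """Yield parsed records from JSON-lines text, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def nsg_name(resource_id):
    return resource_id.rsplit("/", 1)[-1]


def _port_in_range(port_range, port):
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)


def counter_summary(records):
    """Per NSG: allowed/blocked connection totals and per-rule match counts."""
    totals = defaultdict(Counter)    # nsg -> {"allow": n, "block": n}
    per_rule = defaultdict(Counter)  # nsg -> {"In:rule": matched}
    for rec in records:
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue
        props, nsg = rec["properties"], nsg_name(rec["resourceId"])
        totals[nsg][props["type"]] += props["matchedConnections"]
        per_rule[nsg][f'{props["direction"]}:{props["ruleName"]}'] += props["matchedConnections"]
    return totals, per_rule


def internet_exposed_allows(records, sensitive_ports=(22, 3389, 1433, 3306)):
    """User-defined inbound allow rules whose logged conditions admit 0.0.0.0/0 on a sensitive port."""
    findings = set()
    for rec in records:
        if rec.get("category") != "NetworkSecurityGroupEvent":
            continue
        props = rec["properties"]
        if props["direction"] != "In" or props["type"] != "allow":
            continue
        if not props["ruleName"].startswith("UserRule_"):
            continue
        cond = props["conditions"]
        if cond["sourceIP"] not in ("0.0.0.0/0", "*"):
            continue
        if any(_port_in_range(cond["destinationPortRange"], p) for p in sensitive_ports):
            findings.add((nsg_name(rec["resourceId"]), props["ruleName"], cond["destinationPortRange"]))
    return sorted(findings)


def report(text):
    recs = list(parse_records(text))
    totals, per_rule = counter_summary(recs)
    return {
        "blocked_by_nsg": {n: t["block"] for n, t in totals.items()},
        "allowed_by_nsg": {n: t["allow"] for n, t in totals.items()},
        "top_rules": {n: c.most_common(3) for n, c in per_rule.items()},
        "internet_exposed_allows": internet_exposed_allows(recs),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

The counter view is what you chart over time (a sudden rise in `DefaultRule_DenyAllInBound` matches is an early sign of scanning); the event view is the one to grep for over-permissive user rules, since it records the rule's conditions at the time traffic matched rather than the current NSG definition.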