保護和管理遷移至 Azure 之工作負載的最佳作法Best practices to secure and manage workloads migrated to Azure

在您針對移轉進行規劃及設計的同時,除了思考有關移轉本身的事項之外,您也需要考慮移轉後在 Azure 中的安全性和管理模型。As you plan and design for migration, in addition to thinking about the migration itself, you need to consider your security and management model in Azure after migration. 本文說明在遷移後保護 Azure 部署的規劃和最佳作法。This article describes planning and best practices for securing your Azure deployment after migrating. 它也涵蓋進行中的工作,讓您的部署以最佳層級執行。It also covers ongoing tasks to keep your deployment running at an optimal level.


本文所述的最佳做法和意見是以本文撰寫當下可用的 Azure 平台和服務功能作為基礎。The best practices and opinions described in this article are based on the Azure platform and service features available at the time of writing. 特色與功能會隨著時間改變。Features and capabilities change over time.

保護已移轉的工作負載Secure migrated workloads

在移轉之後,最重要的工作便是保護已移轉的工作負載,使其不受來自內部和外部的威脅。After migration, the most critical task is to secure migrated workloads from internal and external threats. 這些最佳做法可以協助您執行此作業:These best practices help you to do that:

  • 了解如何運用由 Azure 資訊安全中心所提供的監視、評量及建議。Learn how to work with the monitoring, assessments, and recommendations provided by Azure Security Center.
  • 取得對您在 Azure 中的資料進行加密的最佳做法。Get best practices for encrypting your data in Azure.
  • 保護您的 VM 不受惡意程式碼和惡意攻擊的危害。Protect your VMs from malware and malicious attacks.
  • 保護已移轉之 Web 應用程式中的機密資訊。Keep sensitive information secure in migrated web apps.
  • 確認在移轉後可以存取您 Azure 訂用帳戶和資源的人員。Verify who can access your Azure subscriptions and resources after migration.
  • 定期檢閱您的 Azure 稽核和安全性記錄。Review your Azure auditing and security logs on a regular basis.
  • 了解及評估 Azure 提供的進階安全性功能。Understand and evaluate advanced security features that Azure offers.

下列各節會更詳細地說明這些最佳做法。These best practices are described in more detail in the sections that follow.

最佳做法:遵循 Azure 安全性中心建議Best practice: Follow Azure Security Center recommendations

Azure 租使用者系統管理員必須啟用安全性功能,以保護工作負載免于遭受攻擊。Azure tenant admins need to enable security features that protect workloads from attacks. 安全性中心提供統一的安全性管理。Security Center provides unified security management. 從安全性中心,您可以在工作負載之間套用安全性原則、限制暴露于威脅的風險,以及偵測和回應攻擊。From Security Center, you can apply security policies across workloads, limit threat exposure, and detect and respond to attacks. 安全性中心會分析 Azure 租使用者之間的資源和設定,並提出安全性建議,包括:Security Center analyzes resources and configurations across Azure tenants, and makes security recommendations, including:

  • 集中式原則管理: 集中管理所有混合式雲端工作負載的安全性原則,以確保符合公司或法規的安全性需求。Centralized policy management: Ensure compliance with company or regulatory security requirements by centrally managing security policies across all your hybrid cloud workloads.
  • 持續安全性評估: 監視機器、網路、儲存體和資料服務以及應用程式的安全性狀態,以找出潛在的安全性問題。Continuous security assessment: Monitor the security posture of machines, networks, storage and data services, and applications to discover potential security issues.
  • 操作的建議: 使用優先順序且可採取動作的安全性建議,在攻擊者遭到攻擊之前補救安全性弱點。Actionable recommendations: Remediate security vulnerabilities before they can be exploited by attackers, with prioritized and actionable security recommendations.
  • 排定優先順序的警示和事件: 使用優先的安全性警示和事件,先將焦點放在最嚴重的威脅。Prioritized alerts and incidents: Focus on the most critical threats first, with prioritized security alerts and incidents.

除了評量和建議之外,「安全性中心」還提供您可以針對特定資源啟用的其他安全性功能。In addition to assessments and recommendations, Security Center provides other security features that you can enable for specific resources.

  • 及時 (JIT) 存取。Just-in-time (JIT) access. 利用 JIT、受控存取 Azure Vm 上的管理埠,減少網路攻擊面。Reduce your network attack surface with JIT, controlled access to management ports on Azure VMs.
    • 在網際網路上開啟 VM RDP 埠3389,會將 Vm 公開給不良執行者的持續活動。Having VM RDP port 3389 open on the internet exposes VMs to continual activity from bad actors. 由於 Azure IP 位址是眾所周知的,因此駭客會持續對它們進行探查,以對開啟的 3389 連接埠發動攻擊。Azure IP addresses are well-known, and hackers continually probe them for attacks on open 3389 ports.
    • JIT 會使用網路安全性群組 (Nsg) 和內送規則,以限制特定埠的開啟時間量。JIT uses network security groups (NSGs) and incoming rules that limit the amount of time that a specific port is open.
    • 啟用 JIT 存取後,安全性中心會檢查使用者是否有 Azure 角色型存取控制 (Azure RBAC) VM 的寫入存取權限。With JIT access enabled, Security Center checks that a user has Azure role-based access control (Azure RBAC) write access permissions for a VM. 此外,您可以指定使用者如何連線至 Vm 的規則。In addition, you can specify rules for how users can connect to VMs. 如果許可權沒問題,就會核准存取要求,而「安全性中心」會將 Nsg 設定為在您指定的時間量內允許輸入流量進入選取的埠。If permissions are OK, an access request is approved, and Security Center configures NSGs to allow inbound traffic to the selected ports for the amount of time you specify. 當時間過期時,Nsg 會回到其先前的狀態。NSGs return to their previous state when the time expires.
  • 適應性應用程式控制。Adaptive application controls. 使用動態允許清單來控制 Vm 上執行的應用程式,以將軟體和惡意程式碼保留在 Vm 上。Keep software and malware off VMs by controlling which applications run on them, by using dynamic allow lists.
    • 適應性應用程式控制可讓您核准應用程式,並防止惡意使用者或系統管理員在您的 Vm 上安裝未經核准或調查的軟體應用程式。Adaptive application controls allow you to approve applications, and prevent rogue users or administrators from installing unapproved or vetting software applications on your VMs.
      • 您可以封鎖或警示執行惡意應用程式的嘗試、避免不想要或惡意的應用程式,並確保符合您組織的應用程式安全性原則。You can block or alert attempts to run malicious applications, avoid unwanted or malicious applications, and ensure compliance with your organization's application security policy.
  • 檔案完整性監視。File Integrity Monitoring. 確保在 VM 上執行之檔案的完整性。Ensure the integrity of files running on VMs.
    • 您不需要安裝軟體就會導致 VM 問題。You don't need to install software to cause VM issues. 變更系統檔案也可能會造成 VM 失敗或效能降低。Changing a system file can also cause VM failure or performance degradation. 檔案完整性監視會檢查系統檔案和登錄設定的變更,並在更新內容時通知您。File Integrity Monitoring examines system files and registry settings for changes, and notifies you if something is updated.
    • 資訊安全中心會建議您應監視的檔案。Security Center recommends which files you should monitor.

瞭解更多資訊:Learn more:

最佳做法:加密資料Best practice: Encrypt data

加密是 Azure 安全性作法相當重要的一部分。Encryption is an important part of Azure security practices. 確保加密已在所有層級啟用,可協助防止未經授權的對象取得敏感性資料 (包括傳輸及待用中的資料) 的存取權。Ensuring that encryption is enabled at all levels helps prevent unauthorized parties from gaining access to sensitive data, including data in transit and at rest.

基礎結構即服務的加密Encryption for infrastructure as a service

  • 虛擬機器: 針對 Vm,您可以使用 Azure 磁片加密來加密您的 Windows 和 Linux 基礎結構即服務 (IaaS) VM 磁片。Virtual machines: For VMs, you can use Azure Disk Encryption to encrypt your Windows and Linux infrastructure as a service (IaaS) VM disks.
    • Azure 磁片加密會使用適用于 Windows 的 BitLocker,以及適用于 Linux 的 dm crypt,為作業系統和資料磁片提供磁片區加密。Azure Disk Encryption uses BitLocker for Windows, and dm-crypt for Linux, to provide volume encryption for the operating system and data disks.
    • 您可以使用由 Azure 所建立的加密金鑰,或是自行提供保護於 Azure Key Vault 中的加密金鑰。You can use an encryption key created by Azure, or you can supply your own encryption keys, safeguarded in Azure Key Vault.
    • 使用 Azure 磁片加密時,IaaS VM 資料會在磁片) 和 VM 開機期間受到待用 (保護。With Azure Disk Encryption, IaaS VM data is secured at rest (on the disk) and during VM boot.
      • 如果您有未加密的 Vm,則安全性中心會發出警示。Security Center alerts you if you have VMs that aren't encrypted.
  • 儲存體: 保護儲存在 Azure 儲存體中的待用資料。Storage: Protect at-rest data stored in Azure Storage.
    • 儲存在 Azure 儲存體帳戶中的資料可以使用符合 FIPS 140-2 規範的 Microsoft 產生的 AES 金鑰進行加密,或者您也可以使用自己的金鑰。Data stored in Azure Storage accounts can be encrypted by using Microsoft-generated AES keys that are FIPS 140-2 compliant, or you can use your own keys.
    • 已針對所有新的和現有的儲存體帳戶啟用 Azure 儲存體加密,且無法停用。Azure Storage encryption is enabled for all new and existing storage accounts, and it can't be disabled.

平臺即服務的加密Encryption for platform as a service

不同于 IaaS,在您管理自己的 Vm 和基礎結構的平臺即服務 (PaaS) 模型平臺和基礎結構是由提供者所管理。Unlike IaaS, in which you manage your own VMs and infrastructure, in a platform as a service (PaaS) model platform and infrastructure is managed by the provider. 您可以專注于核心應用程式邏輯和功能。You can focus on core application logic and capabilities. 由於 PaaS 服務類型眾多,因此基於安全性目的,我們會對每個服務進行個別評估。With so many different types of PaaS services, each service is evaluated individually for security purposes. 例如,讓我們看看您可能如何啟用 Azure SQL Database 的加密。As an example, let's see how you might enable encryption for Azure SQL Database.

  • Always Encrypted: 使用 SQL Server Management Studio 中的 [永遠加密] 嚮導來保護待用資料。Always Encrypted: Use the Always Encrypted wizard in SQL Server Management Studio to protect data at rest.
    • 您可以建立永遠加密金鑰來加密個別的資料行資料。You create an Always Encrypted key to encrypt individual column data.
    • Always Encrypted 金鑰能以加密的形式儲存在資料庫中繼資料中,或是儲存在受信任的金鑰存放區中,例如 Azure Key Vault。Always Encrypted keys can be stored as encrypted in database metadata, or stored in trusted key stores such as Azure Key Vault.
    • 最有可能的情況是,您必須進行應用程式變更,才能使用此功能。Most likely, you'll need to make application changes to use this feature.
  • 透明資料加密 (TDE) : 使用靜止的資料庫、相關聯的備份和交易記錄檔的即時加密和解密,保護 Azure SQL Database。Transparent data encryption (TDE): Protect the Azure SQL Database with real-time encryption and decryption of the database, associated backups, and transaction log files at rest.
    • TDE 可讓加密活動在應用層沒有變更的情況下進行。TDE allows encryption activities to take place without changes at the application layer.
    • TDE 可以使用 Microsoft 所提供的加密金鑰,或者您可以攜帶自己的金鑰。TDE can use encryption keys provided by Microsoft, or you can bring your own key.

瞭解更多資訊:Learn more:

最佳做法:使用反惡意程式碼保護 VmBest practice: Protect VMs with antimalware

尤其是,較舊的 Azure 遷移的 Vm 可能不會安裝適當的反惡意程式碼層級。In particular, older Azure-migrated VMs might not have the appropriate level of antimalware installed. Azure 提供免費的端點解決方案,可協助保護 VM 不受病毒、間諜軟體及其他惡意程式碼的威脅。Azure provides a free endpoint solution that helps protect VMs from viruses, spyware, and other malware.

  • 當已知惡意或垃圾軟體嘗試自行安裝時,適用于 Azure 雲端服務和虛擬機器的 Microsoft 反惡意程式碼會產生警示。Microsoft Antimalware for Azure Cloud Services and Virtual Machines generates alerts when known malicious or unwanted software tries to install itself.

  • 它是能在無人為介入的情況下於背景中執行的單一代理程式解決方案。It's a single agent solution that runs in the background without human intervention.

  • 在 [安全性中心] 中,您可以識別未執行 endpoint protection 的 Vm,並視需要安裝 Microsoft 反惡意程式碼。In Security Center, you can identify VMs that don't have endpoint protection running and install Microsoft antimalware as needed.

    Vm 的反惡意程式碼螢幕擷取畫面。 圖1:虛擬機器的反惡意程式碼。Screenshot of Antimalware for VMs. Figure 1: Antimalware for VMs.

瞭解更多資訊:Learn more:

最佳做法:保護 web 應用程式的安全Best practice: Secure web apps

已移轉的 Web 應用程式會面臨幾個問題:Migrated web apps face a couple of issues:

  • 大部分的舊版 Web 應用程式,在設定檔中通常都會有機密資訊。Most legacy web applications tend to have sensitive information inside configuration files. 包含這類資訊的檔案可能會在備份應用程式時,或在應用程式程式碼簽入或移出原始檔控制時出現安全性問題。Files containing such information can present security issues when applications are backed up, or when application code is checked into or out of source control.
  • 當您遷移位於 VM 中的 web 應用程式時,您可能會將該機器從內部部署網路和受防火牆保護的環境移至面向網際網路的環境。When you migrate web apps residing in a VM, you're likely moving that machine from an on-premises network and firewall-protected environment, to an environment facing the internet. 確定自己已設定能執行與內部部署保護資源相同工作的解決方案。Make sure that you set up a solution that does the same work as your on-premises protection resources.

Azure 提供下列解決方案:Azure provides the following solutions:

  • Azure Key Vault: 現今,web 應用程式開發人員會採取步驟來確保這些檔案不會洩漏機密資訊。Azure Key Vault: Today, web app developers are taking steps to ensure that sensitive information isn't leaked from these files. 保護資訊的其中一個方法,是將它從檔案中擷取出來,並置於 Azure Key Vault 中。One method to secure information is to extract it from files and put it into an Azure Key Vault.

    • 您可以使用 Key Vault 來集中儲存應用程式秘密,以及控制其散發。You can use Key Vault to centralize storage of application secrets, and control their distribution. 它可避免在應用程式檔中儲存安全性資訊的需要。It avoids the need to store security information in application files.
    • 應用程式可以使用 Uri 安全地存取保存庫中的資訊,而不需要自訂程式碼。Applications can securely access information in the vault by using URIs, without needing custom code.
    • Azure Key Vault 可讓您透過 Azure 安全性控制來鎖定存取,以及順暢地執行輪流金鑰。Azure Key Vault allows you to lock down access via Azure security controls, and to seamlessly implement rolling keys. Microsoft 看不到或不會將您的資料解壓縮。Microsoft doesn't see or extract your data.
  • 適用于 Power Apps 的 App Service 環境: 如果您遷移的應用程式需要額外的保護,請考慮新增 App Service 環境和 Web 應用程式防火牆來保護應用程式資源。App Service Environment for Power Apps: If an application that you migrate needs extra protection, consider adding App Service Environment and Web Application Firewall to protect the application resources.

    • App Service 環境可提供完全隔離且專用的環境來執行應用程式,例如 Windows 和 Linux web 應用程式、Docker 容器、行動應用程式和函式應用程式。App Service Environment provides a fully isolated and dedicated environment for running applications, such as Windows and Linux web apps, Docker containers, mobile apps, and function apps.
    • 它適用于非常高的應用程式、需要隔離和安全的網路存取,或是具有高記憶體使用量的應用程式。It's useful for applications that are very high scale, require isolation and secure network access, or have high memory utilization.
  • Web 應用程式防火牆: 這是 Azure 應用程式閘道的一項功能,可為 web 應用程式提供集中式保護。Web Application Firewall: This is a feature of Azure Application Gateway that provides centralized protection for web apps.

    • 它能在無需後端程式碼修改的情況下保護 Web 應用程式。It protects web apps without requiring back-end code modifications.
    • 它會在應用程式閘道背後同時保護多個 web 應用程式。It protects multiple web apps at the same time, behind Application Gateway.
    • 您可以使用 Azure 監視器來監視 Web 應用程式防火牆。You can monitor Web Application Firewall by using Azure Monitor. Web 應用程式防火牆已整合至「安全性中心」。Web Application Firewall is integrated into Security Center.

    Azure Key Vault 與安全 web 應用程式的圖表。 圖2: Azure Key Vault。Diagram of Azure Key Vault and secure web apps. Figure 2: Azure Key Vault.

瞭解更多資訊:Learn more:

最佳做法:審查訂用帳戶和資源許可權Best practice: Review subscriptions and resource permissions

在您移轉工作負載並在 Azure 中執行它們的同時,具有工作負載存取權的人員也會四處移動。As you migrate your workloads and run them in Azure, staff with workload access move around. 您的安全性小組應該定期檢閱針對您 Azure 租用戶和資源群組的存取權。Your security team should review access to your Azure tenant and resource groups on a regular basis. Azure 提供身分識別管理和存取控制安全性的供應專案,包括 Azure 角色型存取控制 (Azure RBAC) ,以授與存取 Azure 資源的許可權。Azure has offerings for identity management and access control security, including Azure role-based access control (Azure RBAC) to authorize permissions to access Azure resources.

  • Azure RBAC 會為安全性主體指派存取權限。Azure RBAC assigns access permissions for security principals. 安全性主體代表使用者、群組 (一組使用者) 、服務主體 (應用程式和服務所使用的身分識別) ,以及受控識別 (Azure) 自動管理的 Azure Active Directory 身分識別。Security principals represent users, groups (a set of users), service principals (identity used by applications and services), and managed identities (an Azure Active Directory identity automatically managed by Azure).
  • Azure RBAC 可將角色指派給安全性主體 (例如擁有者、參與者和讀取者) 和角色定義 () 定義角色可執行之作業的許可權集合。Azure RBAC can assign roles to security principals (such as Owner, Contributor, and Reader) and role definitions (a collection of permissions) that define the operations that the roles can perform.
  • Azure RBAC 也可以設定設定角色界限的範圍。Azure RBAC can also set scopes that set the boundary for a role. 範圍可以設定于數個層級上,包括管理群組、訂用帳戶、資源群組或資源。The scope can be set at several levels, including a management group, subscription, resource group, or resource.
  • 確定具有 Azure 存取權的系統管理員只能存取您想要允許的資源。Ensure that admins with Azure access can access only resources that you want to allow. 如果 Azure 中預先定義的角色不夠細微,您可以建立自訂角色以區分並限制存取權限。If the predefined roles in Azure aren't granular enough, you can create custom roles to separate and limit access permissions.

確定具有 Azure 存取權的系統管理員只能存取您想要允許的資源。Ensure that admins with Azure access can access only resources that you want to allow. 如果 Azure 中預先定義的角色不夠細微,您可以建立自訂角色以區分並限制存取權限。If the predefined roles in Azure aren't granular enough, you can create custom roles to separate and limit access permissions.

存取控制的螢幕擷取畫面。Screenshot of Access control. 圖3:存取控制。Figure 3: Access control.

瞭解更多資訊:Learn more:

最佳做法:審核審核和安全性記錄Best practice: Review audit and security logs

Azure AD 提供出現在 Azure 監視器中的活動記錄。Azure AD provides activity logs that appear in Azure Monitor. 記錄會擷取在 Azure 租用戶中執行的作業、其發生的時間,以及執行它們的人員。The logs capture the operations performed in Azure tenancy, when they occurred, and who performed them.

  • 稽核記錄會顯示租用戶中的工作歷程記錄。Audit logs show the history of tasks in the tenant. 登入活動記錄會顯示執行該工作的人員。Sign-in activity logs show who carried out the tasks.

  • 安全性報告的存取方式取決於您的 Azure AD 授權。Access to security reports depends on your Azure AD license. 您可以使用免費和基本授權,取得有風險的使用者和登入清單。利用 premium 授權,您可以取得基礎事件資訊。With the free and basic licenses, you get a list of risky users and sign-ins. With the premium licenses, you get underlying event information.

  • 您可以將活動記錄路由傳送到各種端點,以進行長期保留並取得資料見解。You can route activity logs to various endpoints for long-term retention and data insights.

  • 請檢查記錄,或整合您的安全性資訊與事件管理 (SIEM) 工具來自動審核異常狀況,這是常見的作法。Make it a common practice to review the logs, or integrate your security information and event management (SIEM) tools to automatically review abnormalities. 如果您不是使用 premium 授權,您必須自行進行大量分析,或使用您的 SIEM 系統。If you're not using a premium license, you'll need to do a lot of analysis yourself, or by using your SIEM system. 分析包含尋找具風險的登入和事件,以及其他使用者攻擊模式。Analysis includes looking for risky sign-ins and events, and other user attack patterns.

    Azure AD 使用者和群組的螢幕擷取畫面。 圖4: AZURE AD 使用者和群組。Screenshot of Azure AD Users and groups. Figure 4: Azure AD users and groups.

瞭解更多資訊:Learn more:

最佳做法:評估其他安全性功能Best practice: Evaluate other security features

Azure 提供能提供進階安全性選項的其他安全性功能。Azure provides other security features that provide advanced security options. 請注意,下列的一些最佳作法需要附加元件授權和 premium 選項。Note that some of the following best practices require add-on licenses and premium options.

  • (AU) 中執行 Azure AD 管理單位。Implement Azure AD administrative units (AU). 使用基本的 Azure 存取控制來委派系統管理工作以支援人員,可能會是一件相當困難的事。Delegating administrative duties to support staff can be tricky with just basic Azure access control. 給予支援人員存取權以管理 Azure AD 中的所有群組,對組織的安全性而言可能不是理想的方法。Giving support staff access to administer all the groups in Azure AD might not be the ideal approach for organizational security. 使用 AU 可讓您以類似的方式,將 Azure 資源隔離到容器中, (Ou) 的內部部署組織單位。Using AU allows you to segregate Azure resources into containers in a similar way to on-premises organizational units (OUs). 若要使用 AU,AU 系統管理員必須擁有 premium Azure AD 授權。To use AUs, the AU admin must have a premium Azure AD license. 如需詳細資訊,請參閱 AZURE AD 中的管理單位管理For more information, see Administrative units management in Azure AD.
  • 使用多重要素驗證。Use multi-factor authentication. 如果您有進階 Azure AD 授權,您可以在系統管理員帳戶上啟用並強制執行多重要素驗證。If you have a premium Azure AD license, you can enable and enforce multi-factor authentication on your admin accounts. 網路釣魚是用來入侵帳戶認證的最常見方式。Phishing is the most common way that accounts credentials are compromised. 當不良執行者有系統管理員帳號憑證時,不會將其從最接近的動作中停止,例如刪除您所有的資源群組。When a bad actor has admin account credentials, there's no stopping them from far-reaching actions, such as deleting all of your resource groups. 您可以用數種方式建立多重要素驗證,包括電子郵件、驗證器應用程式和電話簡訊。You can establish multi-factor authentication in several ways, including with email, an authenticator app, and phone text messages. 身為系統管理員,您可以選取最不具侵入性的選項。As an administrator, you can select the least intrusive option. 多重要素驗證會與威脅分析和條件式存取原則整合,以隨機要求多重要素驗證挑戰回應。Multi-factor authentication integrates with threat analytics and conditional access policies to randomly require a multi-factor authentication challenge response. 深入了解安全性指引,以及如何設定多重要素驗證Learn more about security guidance, and how to set up multi-factor authentication.
  • 實作條件式存取。Implement conditional access. 在大多數中小型組織中,Azure 系統管理員和支援小組可能會位於單一地理位置。In most small and medium-sized organizations, Azure admins and the support team are probably located in a single geography. 在此情況下,大部分的登入都是來自相同的區域。In this case, most sign-ins come from the same areas. 如果這些位置的 IP 位址是相當靜態的,您應該不會在這些區域以外看到系統管理員登入。If the IP addresses of these locations are fairly static, it makes sense that you shouldn't see administrator sign-ins from outside these areas. 即使遠端不良執行者危及系統管理員的認證,您也可以執行與多重要素驗證結合的條件式存取等安全性功能,以防止從遠端位置登入。Even if a remote bad actor compromises an administrator's credentials, you can implement security features like conditional access, combined with multi-factor authentication, to prevent signing in from remote locations. 這也可以防止來自隨機 IP 位址的欺騙位置。This can also prevent spoofed locations from random IP addresses. 深入瞭解 條件式存取 ,並查看 Azure AD 中條件式存取的 最佳做法Learn more about conditional access and review best practices for conditional access in Azure AD.
  • 審查企業應用程式許可權。Review enterprise application permissions. 經過一段時間後,系統管理員會選擇 Microsoft 和協力廠商連結,而不知道其對組織的影響。Over time, admins select Microsoft and third-party links without knowing their affect on the organization. 連結可以呈現將許可權指派給 Azure 應用程式的同意畫面。Links can present consent screens that assign permissions to Azure apps. 這可能會允許存取讀取 Azure AD 資料,甚至是完整存取權來管理整個 Azure 訂用帳戶。This might allow access to read Azure AD data, or even full access to manage your entire Azure subscription. 您應定期檢查您的系統管理員和使用者允許存取 Azure 資源的應用程式。You should regularly review the applications to which your admins and users have allowed access to Azure resources. 確定這些應用程式只具有必要的許可權。Ensure that these applications have only the permissions that are necessary. 此外,您也可以使用應用程式頁面的連結傳送電子郵件給使用者,讓他們知道他們允許存取其組織資料的應用程式。Additionally, quarterly or semi-annually you can email users with a link to application pages, so that they're aware of the applications to which they've allowed access to their organizational data. 如需詳細資訊,請參閱 我的應用程式清單中的未預期應用程式,以及 如何控制 Azure AD 中的應用程式指派。For more information, see Unexpected application in my applications list, and how to control application assignments in Azure AD.

管理已移轉的工作負載Managed migrated workloads

在下列各節中,我們將建議 Azure 管理的一些最佳做法,包括:In the following sections, we'll recommend some best practices for Azure management, including:

  • 適用於 Azure 資源群組和資源的最佳做法,包括智慧型命名、防止意外刪除、管理資源權限,以及有效的資源標記。Best practices for Azure resource groups and resources, including smart naming, preventing accidental deletion, managing resource permissions, and effective resource tagging.
  • 取得使用藍圖來建置及管理部署環境的快速概觀。Get a quick overview on using blueprints for building and managing your deployment environments.
  • 在建置移轉後部署期間檢閱範例 Azure 架構來取得了解。Review sample Azure architectures to learn from as you build your post-migration deployments.
  • 如果您有多個訂用帳戶,您可以將它們收集成管理群組,並將治理設定套用至那些群組。If you have multiple subscriptions, you can gather them into management groups, and apply governance settings to those groups.
  • 將合規性原則套用到您的 Azure 資源。Apply compliance policies to your Azure resources.
  • 規劃商務持續性和災害復原 (BCDR) 策略來保護資料、確保環境的可復原性,並使資源能在發生中斷時持續運作。Put together a business continuity and disaster recovery (BCDR) strategy to keep data safe, your environment resilient, and resources up and running when outages occur.
  • 將 VM 分組為可用性群組,以確保復原性和高可用性。Group VMs into availability groups for resilience and high availability. 使用受控磁碟來輕鬆進行 VM 磁碟和儲存體管理。Use managed disks for ease of VM disk and storage management.
  • 針對 Azure 資源啟用診斷記錄、建置警示和劇本以主動進行疑難排解,以及使用 Azure 儀表板來取得部署健康情況和狀態的統一檢視。Enable diagnostic logging for Azure resources, build alerts and playbooks for proactive troubleshooting, and use the Azure dashboard for a unified view of your deployment health and status.
  • 瞭解您的 Azure 支援方案以及如何實行,取得讓 Vm 保持最新狀態的最佳做法,並為變更管理提供適當的處理常式。Understand your Azure Support plan and how to implement it, get best practices for keeping VMs up-to-date, and put processes in place for change management.

最佳做法:命名資源群組Best practice: Name resource groups

確定您的資源群組具有有意義的名稱,可讓系統管理員和支援小組成員輕鬆地辨識和掃描。Ensure that your resource groups have meaningful names that admins and support team members can easily recognize and scan. 這可大幅提升生產力和效率。This can drastically improve productivity and efficiency.

如果您要使用 Azure AD Connect 將內部部署 Active Directory 同步處理至 Azure AD,請考慮將內部部署安全性群組的名稱與 Azure 中的資源群組名稱進行比對。If you're synchronizing your on-premises Active Directory to Azure AD by using Azure AD Connect, consider matching the names of security groups on-premises to the names of resource groups in Azure.

資源群組命名的螢幕擷取畫面。Screenshot of resource group naming. 圖5:資源群組命名。Figure 5: Resource group naming.

瞭解更多資訊:Learn more:

最佳做法:針對資源群組執行刪除鎖定Best practice: Implement delete locks for resource groups

您最不想遇到的情況,便是資源群組被意外刪除而消失不見。The last thing you need is for a resource group to disappear because it was deleted accidentally. 建議您執行刪除鎖定,如此一來,就不會發生這種情況。We recommend that you implement delete locks, so that this doesn't happen.

刪除鎖定的螢幕擷取畫面。Screenshot of delete locks. 圖6:刪除鎖定。Figure 6: Delete locks.

瞭解更多資訊:Learn more:

最佳做法:瞭解資源存取權限Best practice: Understand resource access permissions

訂用帳戶擁有者會具有訂用帳戶中所有資源群組和資源的存取權。A subscription owner has access to all the resource groups and resources in your subscription.

  • 請謹慎地將這個貴重的權限指派給其他人員。Add people sparingly to this valuable assignment. 了解指派這些權限類型的後果,將能大幅協助保持環境的安全及穩定性。Understanding the ramifications of these types of permissions is important in keeping your environment secure and stable.
  • 請確定您將資源放在適當的資源群組中:Make sure you place resources in appropriate resource groups:
    • 將具有類似生命週期的資源配對在一起。Match resources with a similar lifecycle together. 在理想情況下,您應該不需要在刪除整個資源群組時移動某個資源。Ideally, you shouldn't need to move a resource when you need to delete an entire resource group.
    • 支援某個功能或工作負載的資源應該被放置在一起,以簡化管理工作。Resources that support a function or workload should be placed together for simplified management.

瞭解更多資訊:Learn more:

最佳做法:有效標記資源Best practice: Tag resources effectively

通常,僅使用與資源相關的資源組名,並不會提供足夠的中繼資料來有效實行機制,例如在訂用帳戶內進行內部計費或管理。Often, using only a resource group name related to resources won't provide enough metadata for effective implementation of mechanisms, such as internal billing or management within a subscription.

  • 最佳做法是使用 Azure 標記來新增可查詢和報告的實用中繼資料。As a best practice, use Azure tags to add useful metadata that can be queried and reported on.

  • 標記能提供搭配您所定義的屬性,以邏輯方式組織資源的方式。Tags provide a way to logically organize resources with properties that you define. 標記可以直接套用到資源群組或資源。Tags can be applied to resource groups or resources directly.

  • 標記可以套用到資源群組或是個別的資源之上。Tags can be applied on a resource group or on individual resources. 資源群組標記不會被群組中的資源所繼承。Resource group tags aren't inherited by the resources in the group.

  • 您可以使用 PowerShell 或 Azure 自動化來將標記自動化,或標記個別的群組和資源。You can automate tagging by using PowerShell or Azure Automation, or tag individual groups and resources.

  • 如果您具有要求或變更管理系統,則可以輕鬆地在要求中使用該資訊,以填入公司特定的資源標記。If you have a request and change management system in place, then you can easily use the information in the request to populate your company-specific resource tags.

    標記的螢幕擷取畫面。 圖7:標記。Screenshot of tagging. Figure 7: Tagging.

瞭解更多資訊:Learn more:

最佳做法:實行藍圖Best practice: Implement blueprints

如同藍圖可讓工程師和架構設計人員草擬專案的設計參數,Azure 藍圖服務可讓雲端架構設計人員和中央 IT 群組定義一組可重複使用的 Azure 資源。Just as a blueprint allows engineers and architects to sketch a project's design parameters, the Azure Blueprints service enables cloud architects and central IT groups to define a repeatable set of Azure resources. 這可協助他們實行和遵循組織的標準、模式和需求。This helps them to implement and adhere to an organization's standards, patterns, and requirements. 使用 Azure 藍圖,開發小組可以快速建立及建立符合組織合規性需求的新環境。Using Azure Blueprints, development teams can rapidly build and create new environments that meet organizational compliance requirements. 這些新環境具有一組內建元件(例如網路),可加速開發和傳遞。These new environments have a set of built-in components, such as networking, to speed up development and delivery.

  • 使用藍圖來協調資源群組、Azure Resource Manager 範本,以及原則和角色指派的部署。Use blueprints to orchestrate the deployment of resource groups, Azure Resource Manager templates, and policy and role assignments.
  • 將藍圖儲存在全域散發的服務 Azure Cosmos DB 中。Store blueprints in a globally distributed service, Azure Cosmos DB. 藍圖物件會複寫至多個 Azure 區域。Blueprint objects are replicated to multiple Azure regions. 複寫可提供低延遲、高可用性和一致的藍圖存取,不論藍圖部署資源的區域為何。Replication provides low latency, high availability, and consistent access to a blueprint, regardless of the region to which a blueprint deploys resources.

瞭解更多資訊:Learn more:

最佳做法:審查 Azure 參考架構Best practice: Review Azure reference architectures

在 Azure 中建置安全、可擴充且可管理的工作負載,可能會是一件令人望之卻步的工作。Building secure, scalable, and manageable workloads in Azure can be daunting. 由於變更會持續發生,因此在顧及各種不同功能之下維持最佳化的環境,可能會相當困難。With continual changes, it can be difficult to keep up with different features for an optimal environment. 在設計及移轉工作負載時,擁有可從中學習的參考可能會很有幫助。Having a reference to learn from can be helpful when designing and migrating your workloads. Azure 和 Azure 合作夥伴已針對各種環境類型建置數個範例參考架構。Azure and Azure partners have built several sample reference architectures for various types of environments. 這些範例是設計來提供各種想法,以供您從中學習並將它作為建置範本。These samples are designed to provide ideas that you can learn from and build on.

參考架構會依案例編排。Reference architectures are arranged by scenario. 其中包含有關管理、可用性、擴充性和安全性的最佳作法和建議。They contain best practices and advice on management, availability, scalability, and security. App Service 環境可提供完全隔離且專用的環境來執行應用程式,例如 Windows 和 Linux web 應用程式、Docker 容器、行動應用程式和功能。App Service Environment provides a fully isolated and dedicated environment for running applications, such as Windows and Linux web apps, Docker containers, mobile apps, and functions. App Service 能將 Azure 的功能新增到您的應用程式,其中包括安全性、負載平衡、自動調整和自動化管理。App Service adds the power of Azure to your application, with security, load balancing, autoscaling, and automated management. 您也可以利用它的 DevOps 功能,例如來自 Azure DevOps 和 GitHub 的持續部署、套件管理、預備環境、自訂網域和 SSL 憑證。You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps and GitHub, package management, staging environments, custom domain, and SSL certificates. App Service 適用于需要隔離和安全網路存取的應用程式,以及使用大量記憶體和其他需要調整之資源的應用程式。App Service is useful for applications that need isolation and secure network access, and those that use high amounts of memory and other resources that need to scale.

瞭解更多資訊:Learn more:

最佳做法:使用 Azure 管理群組來管理資源Best practice: Manage resources with Azure management groups

如果您的組織具有多個訂用帳戶,您便需要為它們管理存取、原則及合規性。If your organization has multiple subscriptions, you need to manage access, policies, and compliance for them. Azure 管理群組提供了訂用帳戶之上的範圍層級。Azure management groups provide a level of scope above subscriptions. 以下是一些秘訣:Here are some tips:

  • 您會將訂用帳戶整理到稱為管理群組的容器中,並將治理條件套用至它們。You organize subscriptions into containers called management groups, and apply governance conditions to them.
  • 管理群組中的所有訂用帳戶都會自動繼承管理群組條件。All subscriptions in a management group automatically inherit the management group conditions.
  • 無論您擁有何種類型的訂用帳戶,管理群組都能提供大規模的企業級管理。Management groups provide large-scale, enterprise-grade management, no matter what type of subscriptions you have.
  • 例如,您可以套用能限制可建立 VM 之區域的管理群組原則。For example, you can apply a management group policy that limits the regions in which VMs can be created. 此原則接著會套用至所有的管理群組、訂用帳戶以及該管理群組下的資源。This policy is then applied to all management groups, subscriptions, and resources under that management group.
  • 您可以建置管理群組和訂用帳戶的彈性結構,將資源組織到一個階層中,以便執行統一原則與存取管理。You can build a flexible structure of management groups and subscriptions, to organize your resources into a hierarchy for unified policy and access management.

下圖顯示使用管理群組建立治理階層的範例。The following diagram shows an example of creating a hierarchy for governance by using management groups.

管理群組的圖表。Diagram of management groups. 圖8:管理群組。Figure 8: Management groups.

瞭解更多資訊:Learn more:

最佳做法:部署 Azure 原則Best practice: Deploy Azure Policy

Azure 原則是一項服務,您可用來建立、指派和管理原則。Azure Policy is a service that you use to create, assign, and manage policies. 原則會對您的資源強制執行不同的規則和效果,讓這些資源能符合您公司標準和服務等級協定的規範。Policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service-level agreements.

Azure 原則會評估您的資源,掃描那些不符合您原則規範的資源。Azure Policy evaluates your resources, scanning for those not compliant with your policies. 例如,您可以建立原則,只允許您環境中 Vm 的特定 SKU 大小。For example, you can create a policy that allows only a specific SKU size for VMs in your environment. 當您建立和更新資源,以及掃描現有資源時,Azure 原則會評估此設定。Azure Policy will evaluate this setting when you create and update resources, and when scanning existing resources. 請注意,Azure 提供一些可供您指派的內建原則,您也可以建立自己的原則。Note that Azure provides some built-in policies that you can assign, or you can create your own.

Azure 原則的螢幕擷取畫面。Screenshot of Azure Policy. 圖9: Azure 原則。Figure 9: Azure Policy.

瞭解更多資訊:Learn more:

最佳做法:實行 BCDR 策略Best practice: Implement a BCDR strategy

規劃 BCDR 是您應在 Azure 遷移規劃過程中完成的重要練習。Planning for BCDR is a critical exercise that you should complete as part of your Azure migration planning process. 就法律規定而言,您的合約可能包含 強制不可抗力 子句,因為有更大的強制,例如颶風或地震。In legal terms, your contracts might include a force majeure clause that excuses obligations due to a greater force, such as hurricanes or earthquakes. 但是您必須確保在發生嚴重損壞時,必要的服務仍繼續執行和復原。But you must ensure that essential services continue to run and recover when disaster strikes. 您達成此義務的能力,可能會左右您公司的未來發展。Your ability to do this can make or break your company's future.

廣義來說,您的 BCDR 策略必須考慮:Broadly, your BCDR strategy must consider:

  • 資料備份: 如何保護您的資料安全,讓您可以在發生中斷時輕鬆復原。Data backup: How to keep your data safe so that you can recover it easily if outages occur.
  • 嚴重損壞 修復: 如何讓您的應用程式在發生中斷時保持復原並可供使用。Disaster recovery: How to keep your applications resilient and available if outages occur.

設定 BCDRSet up BCDR

當您遷移至 Azure 時,請瞭解雖然 Azure 平臺提供一些內建的復原功能,但您需要設計您的 Azure 部署以充分利用這些功能。When migrating to Azure, understand that although the Azure platform provides some built-in resiliency capabilities, you need to design your Azure deployment to take advantage of them.

  • 您的 BCDR 解決方案將取決於您的公司目標,且會受到您的 Azure 部署策略所影響。Your BCDR solution will depend on your company objectives, and is influenced by your Azure deployment strategy. 基礎結構即服務 (IaaS) 和平台即服務 (PaaS) 部署會為 BCDR 帶來不同的挑戰。Infrastructure as a service (IaaS) and platform as a service (PaaS) deployments present different challenges for BCDR.
  • 完成之後,應定期測試您的 BCDR 解決方案,以檢查您的策略是否維持可行。After they are in place, your BCDR solutions should be tested regularly to check that your strategy remains viable.

備份 IaaS 部署Back up an IaaS deployment

在大部分的情況下,內部部署工作負載會在移轉後淘汰,且您必須對用於備份資料的內部部署策略進行擴充或加以取代。In most cases, an on-premises workload is retired after migration, and your on-premises strategy for backing up data must be extended or replaced. 如果您將整個資料中心遷移到 Azure,您必須使用 Azure 技術或協力廠商整合式解決方案,來設計和執行完整的備份解決方案。If you migrate your entire datacenter to Azure, you'll need to design and implement a full backup solution by using Azure technologies, or third-party integrated solutions.

針對在 Azure IaaS VM 上執行的工作負載,請考慮這些備份解決方案:For workloads running on Azure IaaS VMs, consider these backup solutions:

  • Azure 備份: 提供適用于 Azure Windows 和 Linux Vm 的應用程式一致備份。Azure Backup: Provides application-consistent backups for Azure Windows and Linux VMs.
  • 儲存體快照集: 取得 Blob 儲存體的快照集。Storage snapshots: Takes snapshots of Blob Storage.

Azure 備份Azure Backup

Azure 備份會建立儲存在 Azure 儲存體中的資料復原點。Azure Backup creates data recovery points that are stored in Azure Storage. Azure 備份可以備份 Azure VM 磁碟,以及 Azure 檔案 (預覽)。Azure Backup can back up Azure VM disks, and Azure Files (preview). Azure 檔案提供雲端中的檔案共用,可透過伺服器訊息區 (SMB) 來存取。Azure Files provide file shares in the cloud, accessible via Server Message Block (SMB).

您可以透過下列方式使用 Azure 備份來備份 Vm:You can use Azure Backup to back up VMs in the following ways:

  • 從 VM 設定直接備份。Direct backup from VM settings. 您可以直接從 Azure 入口網站中的 VM 選項,直接搭配 Azure 備份來備份 VM。You can back up VMs with Azure Backup directly from the VM options in the Azure portal. 您每天可以備份一次 VM,而且您可以視需要還原 VM 磁片。You can back up the VM once per day, and you can restore the VM disk as needed. Azure 備份會採用可感知應用程式的資料快照集,且 VM 上不會安裝任何代理程式。Azure Backup takes application-aware data snapshots, and no agent is installed on the VM.
  • 在復原服務保存庫中直接備份。Direct backup in a Recovery Services vault. 您可以部署 Azure 備份復原服務保存庫,來備份您的 IaaS VM。You can back up your IaaS VMs by deploying an Azure Backup Recovery Services vault. 這會提供單一位置來追蹤和管理備份,以及細微的備份和還原選項。This provides a single location to track and manage backups, as well as granular backup and restore options. 在檔案和資料夾層級,備份一天最多三次。Backup is up to three times a day, at the file and folder levels. 它無法感知應用程式,且不支援 Linux。It isn't application-aware, and Linux isn't supported. 使用這個方法,在您要備份的每個 VM 上安裝 Microsoft Azure 復原服務 (MARS) 代理程式。Install the Microsoft Azure recovery services (MARS) agent on each VM that you want to back up by using this method.
  • 將 VM 保護至 Azure 備份伺服器。Protect the VM to Azure Backup server. Azure 備份伺服器是免費提供的 Azure 備份。Azure Backup server is provided free with Azure Backup. VM 會備份到本機 Azure 備份伺服器儲存體。The VM is backed up to local Azure Backup server storage. 然後,您可以將 Azure 備份伺服器備份至保存庫中的 Azure。You then back up the Azure Backup server to Azure in a vault. 備份可感知應用程式,並具有備份頻率和保留的完整細微性。Backup is application-aware, with full granularity over backup frequency and retention. 您可以在應用層級進行備份,例如備份 SQL Server 或 SharePoint。You can back up at the application level, for example by backing up SQL Server or SharePoint.

針對安全性,Azure 備份會使用 AES-256 來加密進行中的資料。For security, Azure Backup encrypts data in-flight by using AES-256. 它會透過 HTTPS 將它傳送至 Azure。It sends it over HTTPS to Azure. Azure 中已備份的待用資料會使用 Azure 儲存體加密進行加密。Backed-up data-at-rest in Azure is encrypted by using Azure Storage encryption.

Azure 備份的螢幕擷取畫面。 圖10: Azure 備份。Screenshot of Azure Backup. Figure 10: Azure Backup.

瞭解更多資訊:Learn more:

儲存體快照集Storage snapshots

Azure VM 會以分頁 Blob 的形式儲存在 Azure 儲存體中。Azure VMs are stored as page blobs in Azure Storage. 快照集會擷取特定時間點的 Blob 狀態。Snapshots capture the blob state at a specific point in time. 作為 Azure VM 磁碟的替代備份方法,您可以擷取儲存體 Blob 的快照集,然後將它們複製到另一個儲存體帳戶。As an alternative backup method for Azure VM disks, you can take a snapshot of storage blobs and copy them to another storage account.

您可以複製整個 Blob,或使用增量快照複製以僅複製差異變更,並減少儲存空間。You can copy an entire blob, or use an incremental snapshot copy to copy only delta changes and reduce storage space. 為了額外的預防措施,您可以啟用 Blob 儲存體帳戶的虛刪除。As an extra precaution, you can enable soft delete for Blob Storage accounts. 啟用此功能時,已刪除的 blob 會標示為刪除,但不會立即清除。With this feature enabled, a blob that's deleted is marked for deletion, but not immediately purged. 在過渡期間,您可以還原 blob。During the interim period, you can restore the blob.

瞭解更多資訊:Learn more:

協力廠商備份Third-party backup

除此之外,您可以使用協力廠商解決方案來將 Azure VM 和儲存體容器備份到本機儲存體或其他雲端服務提供者。In addition, you can use third-party solutions to back up Azure VMs and storage containers to local storage or other cloud providers. 如需詳細資訊,請參閱 Azure Marketplace 中的備份解決方案For more information, see Backup solutions in Azure Marketplace.

設定 IaaS 應用程式的嚴重損壞修復Set up disaster recovery for IaaS applications

除了保護資料之外,BCDR 規劃也必須考慮在發生嚴重損壞時,如何讓應用程式和工作負載保持可用。In addition to protecting data, BCDR planning must consider how to keep applications and workloads available if a disaster occurs. 針對在 Azure IaaS Vm 和 Azure 儲存體上執行的工作負載,請考慮以下各節中的解決方案。For workloads that run on Azure IaaS VMs and Azure Storage, consider the solutions in the following sections.

Azure Site RecoveryAzure Site Recovery

Azure Site Recovery 是主要的 Azure 服務,可確保在發生中斷時,可以讓 Azure Vm 上線,並讓 VM 應用程式可供使用。Azure Site Recovery is the primary Azure service for ensuring that Azure VMs can be brought online, and VM applications made available, when outages occur.

Site Recovery 會將 Vm 從主要區域複寫到次要 Azure 區域。Site Recovery replicates VMs from a primary to a secondary Azure region. 如果發生嚴重損壞狀況,您可以從主要區域將 Vm 容錯移轉,並在次要區域中繼續以正常方式存取它們。If disaster strikes, you fail VMs over from the primary region, and continue accessing them as normal in the secondary region. 當作業返回正常時,您便可以將 VM 容錯回復到主要區域。When operations return to normal, you can fail back VMs to the primary region.

Azure Site Recovery 的圖表。Diagram of Azure Site Recovery. 圖11: Site Recovery。Figure 11: Site Recovery.

瞭解更多資訊:Learn more:

最佳做法:使用受控磁片和可用性設定組Best practice: Use managed disks and availability sets

Azure 會使用可用性設定組來以邏輯方式將 VM 分組在一起,以及將設定組中的 VM 與其他資源隔離。Azure uses availability sets to logically group VMs together, and to isolate VMs in a set from other resources. 可用性設定組中的 Vm 會散佈在多個容錯網域中,並具有個別的子系統,以防止本機失敗。VMs in an availability set are spread across multiple fault domains with separate subsystems, which protects against local failures. Vm 也會分散到多個更新網域,以防止同時重新開機集合中的所有 Vm。The VMs are also spread across multiple update domains, preventing a simultaneous reboot of all VMs in the set.

Azure 受控磁片會管理與 VM 磁片相關聯的儲存體帳戶,以簡化 Azure 虛擬機器的磁片管理。Azure managed disks simplify disk management for Azure Virtual Machines by managing the storage accounts associated with the VM disks.

  • 盡可能使用受控磁片。Use managed disks wherever possible. 您只需要指定您想要使用的儲存體類型和所需的磁片大小,Azure 就會為您建立及管理磁片。You only have to specify the type of storage you want to use and the size of disk you need, and Azure creates and manages the disk for you.

  • 您可以將現有的磁片轉換成受控磁片。You can convert existing disks to managed disks.

  • 您應該在可用性設定組中建立 VM,以取得高復原性和可用性。You should create VMs in availability sets for high resilience and availability. 當發生計畫或未規劃的中斷時,可用性設定組可確保集合中至少有一部 VM 保持可用。When planned or unplanned outages occur, availability sets ensure that at least one VM in the set remains available.

    受控磁片的圖表。 圖12:受控磁片。Diagram of managed disks. Figure 12: Managed disks.

瞭解更多資訊:Learn more:

最佳做法:監視資源使用量和效能Best practice: Monitor resource usage and performance

您將工作負載移轉到 Azure 的原因,可能是為了它強大的擴充能力。You might have moved your workloads to Azure for its immense scaling capabilities. 但移動您的工作負載並不表示 Azure 會自動執行調整,而不需要您的輸入。But moving your workload doesn't mean that Azure will automatically implement scaling without your input. 以下是兩個範例:Here are two examples:

  • 如果您的行銷組織推播新的電視公告,以促進300% 以上的流量,這可能會導致網站可用性問題。If your marketing organization pushes a new television advertisement that drives 300 percent more traffic, this might cause site availability issues. 您剛遷移的工作負載可能會達到指派的限制,而且會損毀。Your newly migrated workload might hit assigned limits, and crash.
  • 如果有分散式阻絕服務 (DDoS) 攻擊已遷移的工作負載,在此情況下,您不會想要調整規模。If there's a distributed denial-of-service (DDoS) attack on your migrated workload, in this case you don't want to scale. 您想要防止攻擊來源到達您的資源。You want to prevent the source of the attacks from reaching your resources.

這兩種案例具有不同的解決方式,但在這兩種情況下,您需要深入瞭解使用狀況和效能監視的情況。These two cases have different resolutions, but for both you need insight into what's happening with usage and performance monitoring.

  • Azure 監視器可協助呈現這些計量,並提供警示、自動調整、事件中樞和邏輯應用程式的回應。Azure Monitor can help surface these metrics, and provide response with alerts, autoscaling, Event Hubs, and Logic Apps.

  • 您也可以整合協力廠商 SIEM 應用程式,以監視 Azure 記錄檔,以取得審核和效能事件。You can also integrate your third-party SIEM application to monitor the Azure logs for auditing and performance events.

    Azure 監視器的螢幕擷取畫面。 圖13: Azure 監視器。Screenshot of Azure Monitor. Figure 13: Azure Monitor.

瞭解更多資訊:Learn more:

最佳做法:啟用診斷記錄Best practice: Enable diagnostic logging

Azure 資源會產生相當多的記錄計量和遙測資料。Azure resources generate a fair number of logging metrics and telemetry data. 根據預設,大部分的資源類型都沒有啟用診斷記錄。By default, most resource types don't have diagnostic logging enabled. 透過在資源上啟用診斷記錄,您可以查詢記錄資料,並根據它建置警示和劇本。By enabling diagnostic logging across your resources, you can query logging data, and build alerts and playbooks based on it.

當您啟用診斷記錄時,每個資源都會有特定的類別集合。When you enable diagnostic logging, each resource will have a specific set of categories. 您可以選取一或多個記錄類別,以及記錄資料的儲存位置。You select one or more logging categories, and a location for the log data. 記錄可以傳送至儲存體帳戶、事件中樞或 Azure 監視器記錄。Logs can be sent to a storage account, event hub, or to Azure Monitor Logs.

診斷記錄的螢幕擷取畫面。 圖14:診斷記錄。Screenshot of diagnostic logging. Figure 14: Diagnostic logging.

瞭解更多資訊:Learn more:

最佳做法:設定警示和操作手冊Best practice: Set up alerts and playbooks

在針對 Azure 資源啟用診斷記錄的情況下,您可以開始使用記錄資料來建立自訂警示。With diagnostic logging enabled for Azure resources, you can start to use logging data to create custom alerts.

  • 當您的監視資料中發現條件時,警示會主動通知您。Alerts proactively notify you when conditions are found in your monitoring data. 您接著便可以在系統使用者注意到這些問題之前解決他們。You can then address issues before system users notice them. 您可以針對計量值、記錄搜尋查詢、活動記錄事件、平臺健康情況和網站可用性發出警示。You can alert on metric values, log search queries, activity log events, platform health, and website availability.

  • 觸發警示時,您可以執行邏輯應用程式腳本。When alerts are triggered, you can run a logic app playbook. 劇本可協助您針對特定警示自動化並協調回應。A playbook helps you to automate and orchestrate a response to a specific alert. 劇本是以 Azure Logic Apps 為基礎。Playbooks are based on Azure Logic Apps. 您可以使用邏輯應用程式範本來建立腳本,或建立您自己的工作手冊。You can use logic app templates to create playbooks, or create your own.

  • 簡單的範例,您可以建立警示,以在 NSG 的埠掃描發生時觸發。As a simple example, you can create an alert that triggers when a port scan happens against an NSG. 您可以設定能執行並封鎖掃描來源之 IP 位址的劇本。You can set up a playbook that runs and locks down the IP address of the scan origin.

  • 另一個範例是具有記憶體流失的應用程式。Another example is an application with a memory leak. 當記憶體使用量達到某個程度時,範本便可以回收處理程序。When the memory usage gets to a certain point, a playbook can recycle the process.

    警示的螢幕擷取畫面。 圖15:警示。Screenshot of alerts. Figure 15: Alerts.

瞭解更多資訊:Learn more:

最佳做法:使用 Azure 儀表板Best practice: Use the Azure dashboard

Azure 入口網站是網頁型的統一主控台,可讓您建置、管理及監控所有項目,從簡單 Web 應用程式到複雜的雲端應用程式皆包含在內。The Azure portal is a web-based unified console that allows you to build, manage, and monitor everything from simple web apps to complex cloud applications. 它也包含了自訂的儀表板各種協助工具選項。It includes a customizable dashboard and accessibility options.

  • 您可以建立多個儀表板,並與可存取您 Azure 訂用帳戶的其他人共用。You can create multiple dashboards and share them with others who have access to your Azure subscriptions.

  • 透過此共用模型,您的小組可以看到 Azure 環境,以協助他們在管理雲端中的系統時主動主動。With this shared model, your team has visibility into the Azure environment, which helps them them to be proactive when managing systems in the cloud.

    Azure 儀表板的螢幕擷取畫面。

    Azure 儀表板的螢幕擷取畫面。 圖16: Azure 儀表板。Screenshot of Azure dashboard. Figure 16: Azure dashboard.

瞭解更多資訊:Learn more:

最佳做法:瞭解支援方案Best practice: Understand support plans

在某個時間點,您將必須與支援人員或 Microsoft 支援服務人員進行共同作業。At some point, you will need to collaborate with your support staff or Microsoft support staff. 擁有一系列原則和程序以在災害復原等案例期間提供支援,是一件非常重要的事。Having a set of policies and procedures for support during scenarios such as disaster recovery is vital. 此外,您的系統管理員和支援人員都應該接受訓練以實作那些原則。In addition, your admins and support staff should be trained on implementing those policies.

  • 在 Azure 服務問題影響到您工作負載的罕見情況下,系統管理員應該要知道如何以最適當且有效率的方式向 Microsoft 提交支援票證。In the unlikely event that an Azure service issue affects your workload, admins should know how to submit a support ticket to Microsoft in the most appropriate and efficient way.

  • 請熟悉各種針對 Azure 所提供的支援方案。Familiarize yourself with the various support plans offered for Azure. 其範圍從開發人員實例專用的回應時間,到回應時間少於15分鐘的頂級支援。They range from response times dedicated to developer instances, to premier support with a response time of less than 15 minutes.

    支援方案的螢幕擷取畫面。 圖17:支援方案。Screenshot of support plans. Figure 17: Support plans.

瞭解更多資訊:Learn more:

最佳做法:管理更新Best practice: Manage updates

搭配最新的作業系統和軟體更新來將 Azure VM 保持在最新狀態,是一件規模龐大的工作。Keeping Azure VMs updated with the latest operating system and software updates is a massive chore. 能夠呈現所有 Vm、找出所需的更新,並自動推送這些更新非常重要。The ability to surface all VMs, figure out which updates they need, and automatically push those updates is extremely valuable.

  • 您可以使用 Azure 自動化中的更新管理來管理作業系統更新。You can use Update Management in Azure Automation to manage operating system updates. 這適用于執行部署在 Azure、內部部署和其他雲端提供者中的 Windows 和 Linux 電腦的電腦。This applies to machines that run Windows and Linux computers that are deployed in Azure, on-premises, and in other cloud providers.

  • 使用更新管理以快速評估所有代理程式電腦上可用更新的狀態,並管理更新安裝。Use Update Management to quickly assess the status of available updates on all agent computers, and manage update installation.

  • 您可以從 Azure 自動化帳戶直接為 VM 啟用更新管理。You can enable Update Management for VMs directly from an Azure Automation account. 您也可以在 Azure 入口網站中從 VM 頁面更新單一 VM。You can also update a single VM from the VM page in the Azure portal.

  • 此外,您可以向 System Center Configuration Manager 註冊 Azure Vm。In addition, you can register Azure VMs with System Center Configuration Manager. 然後,您可以將 Configuration Manager 工作負載遷移至 Azure,並從單一 web 介面進行報告和軟體更新。You can then migrate the Configuration Manager workload to Azure and do reporting and software updates from a single web interface.

    VM 更新的圖表。 圖18: VM 更新。Diagram of VM updates. Figure 18: VM updates.

瞭解更多資訊:Learn more:

實作變更管理程序Implement a change management process

如同任何生產系統,任何類型的變更都可能會對您的環境產生影響。As with any production system, making any type of change can affect your environment. 變更管理程序能讓使用者需要提交要求才能對生產系統進行變更,這對於已移轉的環境來說是一個相當有價值的額外功能。A change management process that requires requests to be submitted in order to make changes to production systems is a valuable addition in your migrated environment.

  • 您可以針對變更管理建置最佳做法架構,以協助系統管理員和支援人員熟悉這個程序。You can build best practice frameworks for change management to raise awareness in administrators and support staff.
  • 您可以使用 Azure 自動化來協助針對已移轉的工作流程進行組態管理及變更追蹤。You can use Azure Automation to help with configuration management and change tracking for your migrated workflows.
  • 強制執行變更管理程式時,您可以使用 audit 記錄,將 Azure 變更記錄連結至現有的變更要求。When enforcing change management process, you can use audit logs to link Azure change logs to existing change requests. 然後,如果您在沒有對應變更要求的情況下看到變更,您可以調查程式中發生的問題。Then, if you see a change made without a corresponding change request, you can investigate what went wrong in the process.

Azure 在 Azure 自動化中具有變更追蹤解決方案:Azure has a change-tracking solution in Azure Automation:

  • 這個解決方案會追蹤對 Windows 與 Linux 軟體和檔案、Windows 登錄機碼、Windows 服務以及 Linux 精靈所做的變更。The solution tracks changes to Windows and Linux software and files, Windows registry keys, Windows services, and Linux daemons.

  • 受監視伺服器上的變更會傳送至 Azure 監視器進行處理。Changes on monitored servers are sent to Azure Monitor for processing.

  • 邏輯會套用至接收的資料,而雲端服務會記錄資料。Logic is applied to the received data, and the cloud service records the data.

  • 在 [變更追蹤] 儀表板上,您可以輕鬆地查看在伺服器基礎結構中所做的變更。On the change tracking dashboard, you can easily see the changes that were made in your server infrastructure.


    圖19:變更管理圖表。Figure 19: A change management chart.

瞭解更多資訊:Learn more:

下一步Next steps

檢閱其他最佳做法:Review other best practices: