Connectivity to Azure PaaS services

Building on the previous connectivity sections, this section explores recommended connectivity approaches for using Azure PaaS services.

Design considerations:

  • Azure PaaS services are typically accessed over public endpoints. However, the Azure platform provides capabilities to secure such endpoints or even make them entirely private:

    • Virtual network injection provides dedicated private deployments for supported services. Management plane traffic still flows through public IP addresses.

    • Private Link provides dedicated access by using private IP addresses to Azure PaaS instances, or to custom services behind an Azure Load Balancer Standard tier.

    • Virtual network service endpoints provide service-level access from selected subnets to selected PaaS services.

  • Enterprises often have concerns about public endpoints for PaaS services; these concerns must be appropriately mitigated.

  • For supported services, Private Link addresses the data exfiltration concerns associated with service endpoints. As an alternative, you can use outbound filtering via NVAs to mitigate data exfiltration.

Design recommendations:

  • Use virtual network injection for supported Azure services to make them available from within your virtual network.

  • Azure PaaS services that have been injected into a virtual network still perform management plane operations by using public IP addresses. Ensure that this communication is locked down within the virtual network by using UDRs and NSGs.

  • Use Private Link, where available, for shared Azure PaaS services. Private Link is generally available for several services and is in public preview for numerous others.

  • Access Azure PaaS services from on-premises via ExpressRoute private peering. Use either virtual network injection for dedicated Azure services or Azure Private Link for available shared Azure services. To access Azure PaaS services from on-premises when virtual network injection or Private Link isn't available, use ExpressRoute with Microsoft peering. This method avoids transiting over the public internet.

  • Use virtual network service endpoints to secure access to Azure PaaS services from within your virtual network, but only when Private Link isn't available and there are no data exfiltration concerns. To address data exfiltration concerns with service endpoints, use NVA filtering or use virtual network service endpoint policies for Azure Storage.

  • Don't enable virtual network service endpoints by default on all subnets.

  • Don't use virtual network service endpoints when there are data exfiltration concerns, unless you use NVA filtering.

  • We don't recommend that you implement forced tunneling to enable communication from Azure to Azure resources.
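The two exfiltration-resistant patterns the recommendations above describe for Azure Storage (Private Link as the preferred path, and a service endpoint that is acceptable only when a service endpoint policy pins it to approved accounts) expressed as a Bicep template. This is an added example, not code from the original page or from Microsoft; the resource names, address ranges, API versions and the storage account name are assumptions, and the template assumes the service endpoint policy can reference the storage account by its resource ID before the account is deployed (the policy is created first to avoid a dependency cycle between policy, subnet and account).

```bicep
// Added example (not from the original page): Private Link and a
// policy-restricted service endpoint for the same storage account.
// All names, prefixes and API versions below are assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
// Assumed name; storage account names must be globally unique.
param storageAccountName string = 'stapprovedexample01'

// Resource ID of the only storage account this workload may reach, computed
// rather than taken from the symbolic name so the policy has no dependency
// on the account (policy -> subnet -> account would otherwise be a cycle).
var approvedStorageId = resourceId('Microsoft.Storage/storageAccounts', storageAccountName)

// Service endpoint policy. With this attached, a subnet that has the
// Microsoft.Storage service endpoint can reach ONLY the listed resources.
// Without it, the endpoint lets the subnet reach every storage account in
// Azure, which is the exfiltration path the guidance warns about.
resource storagePolicy 'Microsoft.Network/serviceEndpointPolicies@2023-05-01' = {
  name: 'sep-storage-allowlist'
  location: location
  properties: {
    serviceEndpointPolicyDefinitions: [
      {
        name: 'approved-storage-only'
        properties: {
          service: 'Microsoft.Storage'
          // A subscription or resource group ID is also accepted here to
          // allow every storage account under that scope.
          serviceResources: [ approvedStorageId ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // Preferred pattern: Private Link. Clients talk to a private IP in
        // this subnet, so the account's public endpoint never needs opening.
        name: 'snet-private-endpoints'
        properties: {
          addressPrefix: '10.10.1.0/24'
          privateEndpointNetworkPolicies: 'Disabled'
        }
      }
      {
        // Fallback pattern: service endpoint, only with the policy attached.
        name: 'snet-app-service-endpoint'
        properties: {
          addressPrefix: '10.10.2.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
          serviceEndpointPolicies: [ { id: storagePolicy.id } ]
        }
      }
    ]
  }
}

resource approvedStorage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    supportsHttpsTrafficOnly: true
    networkAcls: {
      // Deny by default: only the service-endpoint subnet listed below and
      // approved private endpoints can reach the account's public endpoint.
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-app-service-endpoint')
          action: 'Allow'
        }
      ]
    }
  }
}

// Private endpoint for the blob sub-resource of the approved account.
resource storagePrivateEndpoint 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: {
      id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-private-endpoints')
    }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: approvedStorage.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}
```

Two checks a practitioner would add after deploying this: confirm from a VM in `snet-app-service-endpoint` that a PUT to a storage account not listed in the policy fails, which is the property the policy exists to provide; and confirm that clients in `snet-private-endpoints` resolve the account's blob hostname to the private endpoint's address, which needs a `privatelink.blob.core.windows.net` private DNS zone linked to the virtual network (omitted above). Once every client uses the private endpoint, the account's public network access can be disabled outright and the service-endpoint subnet removed.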