Perimeter networks

Perimeter networks enable secure connectivity between your cloud networks and your on-premises or physical datacenter networks, along with any connectivity to and from the internet. A perimeter network is sometimes called a demilitarized zone or DMZ.

For perimeter networks to be effective, incoming packets must flow through security appliances hosted in secure subnets before reaching back-end servers. Examples include the firewall, intrusion detection systems, and intrusion prevention systems. Before they leave the network, internet-bound packets from workloads should also flow through the security appliances in the perimeter network. The purposes of this flow are policy enforcement, inspection, and auditing.

Perimeter networks make use of the following Azure features and services:

Note

Azure reference architectures provide example templates that you can use to implement your own perimeter networks:

Usually, your central IT team and security teams are responsible for defining requirements for operating your perimeter networks.

Figure 1: Example of a hub and spoke network topology.

The diagram above shows an example hub and spoke network topology that implements enforcement of two perimeters with access to the internet and an on-premises network. Both perimeters reside in the DMZ hub. In the DMZ hub, the perimeter network to the internet can scale up to support many lines of business via multiple farms of WAFs and Azure Firewall instances that help protect the spoke virtual networks. The hub also allows for connectivity via VPN or Azure ExpressRoute as needed.

Virtual networks

Perimeter networks are typically built using a virtual network with multiple subnets to host the different types of services that filter and inspect traffic to or from the internet via NVAs, WAFs, and Azure Application Gateway instances.

User-defined routes

By using user-defined routes, customers can deploy firewalls, intrusion detection systems, intrusion prevention systems, and other virtual appliances. Customers can then route network traffic through these security appliances for security boundary policy enforcement, auditing, and inspection. User-defined routes can be created to guarantee that traffic passes through the specified custom VMs, NVAs, and load balancers.

In a hub and spoke network example, guaranteeing that traffic generated by virtual machines that reside in the spoke passes through the correct virtual appliances in the hub requires a user-defined route defined in the subnets of the spoke. This route sets the front-end IP address of the internal load balancer as the next hop. The internal load balancer distributes the internal traffic to the virtual appliances (load balancer back-end pool).
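The following added example (not code from the page or from Azure) models how the spoke subnet's effective routes are selected once the user-defined routes described above are in place: longest prefix match wins, and on an equal prefix a user-defined route beats the system route. All addresses (spoke 10.1.0.0/16, hub 10.0.0.0/16, on-premises 192.168.0.0/16, load balancer front-end 10.0.1.4) are constructed for illustration.

```python
import ipaddress

# Tie-break when two routes share a prefix length: a user-defined route
# overrides a system route. Lower rank wins.
ROUTE_ORIGIN_RANK = {"User": 0, "System": 1}


def pick_route(routes, destination):
    """Return (prefix, next_hop_type, next_hop_ip) that applies to destination."""
    dst = ipaddress.ip_address(destination)
    best = None
    for origin, prefix, hop_type, hop_ip in routes:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        # Longer prefix first, then user-defined before system.
        key = (net.prefixlen, -ROUTE_ORIGIN_RANK[origin])
        if best is None or key > best[0]:
            best = (key, (prefix, hop_type, hop_ip))
    return best[1] if best else None


# Constructed topology (assumption): spoke VNet 10.1.0.0/16 peered to hub
# 10.0.0.0/16; the hub's internal load balancer front-end is 10.0.1.4 and
# fronts the firewall NVAs; on-premises address space is 192.168.0.0/16.
ILB_FRONTEND = "10.0.1.4"

# Routes the platform installs in the spoke subnet without any UDR.
SYSTEM_ROUTES = [
    ("System", "10.1.0.0/16", "VnetLocal", None),
    ("System", "10.0.0.0/16", "VNetPeering", None),
    ("System", "0.0.0.0/0", "Internet", None),
]

# The user-defined routes from the text: internet-bound and on-premises-bound
# traffic gets the load balancer front-end as its next hop.
UDRS = [
    ("User", "0.0.0.0/0", "VirtualAppliance", ILB_FRONTEND),
    ("User", "192.168.0.0/16", "VirtualAppliance", ILB_FRONTEND),
]


def effective_route(destination, udrs=UDRS):
    return pick_route(SYSTEM_ROUTES + list(udrs), destination)


def next_hop(destination, udrs=UDRS):
    """Next-hop type and address for a destination, seen from the spoke subnet."""
    _, hop_type, hop_ip = effective_route(destination, udrs)
    return hop_type, hop_ip
```

Note that a destination inside the peered hub range still follows the more specific VNetPeering system route, so the 0.0.0.0/0 UDR alone does not send that traffic through the appliances; a more specific UDR is needed if it must be inspected.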

Azure Firewall

Azure Firewall is a managed cloud-based service that helps protect your Azure Virtual Network resources. It's a fully stateful managed firewall with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

Azure Firewall uses a static public IP address for your virtual network resources. It allows outside firewalls to identify traffic that originates from your virtual network. The service interoperates with Azure Monitor for logging and analytics.

Network virtual appliances

Perimeter networks with access to the internet are typically managed through an Azure Firewall instance or a farm of firewalls or web application firewalls.

Different lines of business commonly use many web applications. These applications tend to suffer from various vulnerabilities and potential exploits. A Web Application Firewall detects attacks against web applications (HTTP/S) in more depth than a generic firewall. Compared with traditional firewall technology, web application firewalls have a set of specific features to help protect internal web servers from threats.

An Azure Firewall instance and a [network virtual appliance][nva] firewall use a common administration plane with a set of security rules to help protect the workloads hosted in the spokes and control access to on-premises networks. Azure Firewall has built-in scalability, whereas NVA firewalls can be manually scaled behind a load balancer.

A firewall farm typically has less specialized software compared with a WAF, but it has a broader application scope to filter and inspect any type of traffic in egress and ingress. If you use an NVA approach, you can find and deploy the software from the Azure Marketplace.

Use one set of Azure Firewall instances (or NVAs) for traffic that originates on the internet and another set for traffic that originates on-premises. Using only one set of firewalls for both is a security risk because it provides no security perimeter between the two sets of network traffic. Using separate firewall layers reduces the complexity of checking security rules and makes clear which rules correspond to which incoming network requests.

Azure Load Balancer

Azure Load Balancer offers a high-availability Layer 4 (TCP/UDP) service, which can distribute incoming traffic among service instances defined in a load-balanced set. Traffic sent to the load balancer from front-end endpoints (public IP endpoints or private IP endpoints) can be redistributed with or without address translation to a pool of back-end IP addresses (such as NVAs or VMs).

Azure Load Balancer can also probe the health of the various server instances. When an instance fails to respond to a probe, the load balancer stops sending traffic to the unhealthy instance.

As an example of using a hub and spoke network topology, you can deploy an external load balancer to both the hub and the spokes. In the hub, the load balancer efficiently routes traffic to services in the spokes. In the spokes, load balancers manage application traffic.

Azure Front Door

Azure Front Door is Microsoft's highly available and scalable web application acceleration platform and global HTTPS load balancer. You can use Azure Front Door to build, operate, and scale out your dynamic web application and static content. It runs in more than 100 locations at the edge of Microsoft's global network.

Azure Front Door provides your application with unified regional/stamp maintenance automation, BCDR automation, unified client/user information, caching, and service insights. The platform offers performance, reliability, and support SLAs. It also offers compliance certifications and auditable security practices that are developed, operated, and supported natively by Azure.

Azure Application Gateway

Azure Application Gateway is a dedicated virtual appliance that provides a managed application delivery controller. It offers various Layer 7 load-balancing capabilities for your application.

Azure Application Gateway allows you to optimize web farm productivity by offloading CPU-intensive SSL termination to the application gateway. It also provides other Layer 7 routing capabilities, including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single application gateway.

The Azure Application Gateway WAF SKU includes a Web Application Firewall. This SKU provides protection to web applications from common web vulnerabilities and exploits. You can configure Azure Application Gateway as an internet-facing gateway, an internal-only gateway, or a combination of both.

Public IPs

With some Azure features, you can associate service endpoints to a public IP address so that your resource can be accessed from the internet. This endpoint uses network address translation (NAT) to route traffic to the internal address and port on the Azure virtual network. This path is the primary way for external traffic to pass into the virtual network. You can configure public IP addresses to determine what traffic is passed in, and how and where it's translated onto the virtual network.

Azure DDoS Protection Standard

Azure DDoS Protection Standard provides additional mitigation capabilities over the basic service tier that are tuned specifically to Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes.

You can tune protection policies through dedicated traffic monitoring and machine-learning algorithms. Policies are applied to public IP addresses associated to resources deployed in virtual networks. Examples include Azure Load Balancer, Application Gateway, and Service Fabric instances.

Real-time telemetry is available through Azure Monitor views both during an attack and for historical purposes. You can add application-layer protection by using the Web Application Firewall in Azure Application Gateway. Protection is provided for IPv4 Azure public IP addresses.