Plan for inbound and outbound internet connectivity

This section describes the recommended connectivity models for inbound and outbound connectivity to and from the public internet.

Design considerations:

  • Azure-native network security services, such as Azure Firewall, Azure Web Application Firewall (WAF) on Azure Application Gateway, and Azure Front Door, are fully managed services. You therefore don't incur the operational and management costs associated with infrastructure deployments, which can become complex at scale.

  • The enterprise-scale architecture is fully compatible with partner NVAs, if your organization prefers to use NVAs or for situations where the native services don't satisfy your organization's specific requirements.

Design recommendations:

  • Use Azure Firewall to govern:

    • Azure outbound traffic to the internet.

    • Non-HTTP/S inbound connections.

    • East/west traffic filtering, if your organization requires it.

  • Use Firewall Manager with Virtual WAN to deploy and manage Azure Firewall instances across Virtual WAN hubs or in hub virtual networks. Firewall Manager is generally available for both Virtual WAN and regular virtual networks.

  • Create a global Azure Firewall policy to govern the security posture across the global network environment and assign it to all Azure Firewall instances. Allow for granular policies that meet the requirements of specific regions by delegating incremental (child) firewall policies to local security teams via Azure role-based access control. Rules in the parent policy are evaluated before rules in a child policy, so a deny in the global policy can't be overridden by a regional team.

  • Configure supported partner SaaS security providers within Firewall Manager if your organization wants to use such solutions to help protect outbound connections.

  • Use WAF within a landing-zone virtual network to protect inbound HTTP/S traffic from the internet.

  • Use Azure Front Door and WAF policies to provide global protection across Azure regions for inbound HTTP/S connections to a landing zone.

  • When you use Azure Front Door and Azure Application Gateway together to help protect HTTP/S applications, apply the WAF policies in Azure Front Door. Lock down Azure Application Gateway so that it receives traffic only from Azure Front Door: allow only the AzureFrontDoor.Backend service tag at the network layer, and reject requests whose X-Azure-FDID header doesn't match your own Front Door ID, because the service tag covers every Front Door customer, not just yours.

  • If partner NVAs are required for east/west or north/south traffic protection and filtering:

    • For Virtual WAN network topologies, deploy the NVAs to a separate virtual network (for example, an NVA virtual network). Then connect it to the regional Virtual WAN hub and to the landing zones that require access to the NVAs. This article describes the process.

    • For non-Virtual WAN network topologies, deploy the partner NVAs in the central hub virtual network.

  • If partner NVAs are required for inbound HTTP/S connections, deploy them within a landing-zone virtual network, together with the applications that they protect and expose to the internet.

  • Use Azure DDoS Protection Standard protection plans to help protect all public endpoints hosted within your virtual networks.

  • Don't replicate on-premises perimeter network concepts and architectures in Azure. Similar security capabilities are available in Azure, but the implementation and architecture must be adapted to the cloud.
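The global-plus-regional Azure Firewall policy model recommended above, written out as an added Bicep example (not code from the original article or from Microsoft). It creates a parent policy with an organization-wide deny rule, a child policy that inherits it through basePolicy, an additive allow rule owned by the region, and an RBAC assignment scoped to the child policy only. The policy names, address range, FQDN, and the regional team's group object ID are placeholders.

```bicep
// Added example: parent/child Azure Firewall policy with regional delegation.
// Names, the 10.20.0.0/16 range, packages.example.com and the group ID are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location

@description('Object ID of the regional security team group (placeholder)')
param regionalTeamObjectId string

// Built-in Contributor role definition ID
var contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

// Global (parent) policy: organization-wide posture. Threat intelligence
// settings and rule collection groups are inherited by every child policy.
resource globalPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-global'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'
  }
}

// Parent rules are evaluated before child rules, so this Deny cannot be
// undone by anything a regional team adds to its own policy.
resource globalRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: globalPolicy
  name: 'global-baseline'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-cleartext-admin-protocols'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'deny-ftp-telnet-outbound'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '*' ]
            destinationAddresses: [ '*' ]
            destinationPorts: [ '21', '23' ]
          }
        ]
      }
    ]
  }
}

// Regional (child) policy: inherits everything from fwpol-global via basePolicy.
resource regionalPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-region-a'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    basePolicy: { id: globalPolicy.id }
  }
}

// Incremental rules owned by the regional team: additive allows only.
resource regionalRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: regionalPolicy
  name: 'region-a-incremental'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-regional-egress'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-package-mirror'
            protocols: [ { protocolType: 'Https', port: 443 } ]
            sourceAddresses: [ '10.20.0.0/16' ]
            targetFqdns: [ 'packages.example.com' ]
          }
        ]
      }
    ]
  }
}

// Delegate the child policy, and nothing above it, to the regional team.
resource delegateRegionalPolicy 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(regionalPolicy.id, regionalTeamObjectId, contributorRoleId)
  scope: regionalPolicy
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', contributorRoleId)
    principalId: regionalTeamObjectId
    principalType: 'Group'
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file fwpolicy.bicep --parameters regionalTeamObjectId=<guid>`, then associate fwpol-region-a with the region's Azure Firewall instances through Firewall Manager. One caveat: Contributor on the child policy also lets the team change its basePolicy reference, so pair the delegation with an Azure Policy deny assignment that requires basePolicy to point at the global policy, or use a custom role that excludes that write.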
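The Front Door to Application Gateway lockdown recommended above, as an added Bicep example (not code from the original article or from Microsoft). It applies two layers: an NSG for the gateway subnet that admits inbound 443 only from the AzureFrontDoor.Backend service tag, and a WAF custom rule on the gateway's WAF policy that blocks any request whose X-Azure-FDID header doesn't carry your Front Door profile ID. The resource names are placeholders, and frontDoorId is assumed to be supplied from your own Front Door profile.

```bicep
// Added example: allow an Application Gateway v2 (WAF_v2) to receive traffic
// only from your own Azure Front Door profile. Names are placeholders.
param location string = resourceGroup().location

@description('Your Front Door profile ID: az afd profile show ... --query frontDoorId -o tsv')
param frontDoorId string

// Layer 1: network-level filter on the Application Gateway subnet.
resource appGwNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-appgw'
  location: location
  properties: {
    securityRules: [
      {
        // Only Front Door edge nodes may reach the listener.
        name: 'Allow-FrontDoor-Backend-443'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'AzureFrontDoor.Backend'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        // Application Gateway v2 control-plane traffic; removing this breaks the gateway.
        name: 'Allow-GatewayManager'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: 'GatewayManager'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '65200-65535'
        }
      }
      {
        // Platform load balancer health probes, kept explicit so the deny below never shadows them.
        name: 'Allow-AzureLoadBalancer'
        properties: {
          priority: 120
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        // Everything else from the internet, including direct hits on the gateway's public IP.
        name: 'Deny-Internet-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Layer 2: the service tag admits every Front Door tenant, so the header
// check is what ties the traffic to YOUR profile.
resource appGwWaf 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-appgw-frontdoor-only'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
    }
    customRules: [
      {
        name: 'RequireOwnFrontDoorId'
        priority: 10
        ruleType: 'MatchRule'
        action: 'Block'
        matchConditions: [
          {
            matchVariables: [
              { variableName: 'RequestHeaders', selector: 'X-Azure-FDID' }
            ]
            operator: 'Equal'
            negationConditon: true // sic: the API property name is misspelled this way
            matchValues: [ frontDoorId ]
          }
        ]
      }
    ]
    managedRules: {
      managedRuleSets: [
        { ruleSetType: 'OWASP', ruleSetVersion: '3.2' }
      ]
    }
  }
}
```

Attach nsg-snet-appgw to the gateway subnet and reference waf-appgw-frontdoor-only from the Application Gateway's firewallPolicy property. The negated Equal match also blocks requests that omit the header entirely, which is the behaviour you want for anything that bypasses Front Door.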