Use Azure Firewall policy to define a rule hierarchy

Security administrators need to manage firewalls and ensure compliance across on-premises and cloud deployments. A key component is the ability to give application teams the flexibility to implement CI/CD pipelines that create firewall rules in an automated way.

Azure Firewall policy allows you to define a rule hierarchy and enforce compliance:

  • Provides a hierarchical structure to overlay a central base policy on top of a child application team policy. The base policy has a higher priority and runs before the child policy.
  • Use an Azure custom role definition to prevent inadvertent base policy removal and provide selective access to rule collection groups within a subscription or resource group.

Solution overview

The high-level steps for this example are:

  1. Create a base firewall policy in the security team resource group.
  2. Define IT security-specific rules in the base policy. This adds a common set of rules to allow/deny traffic.
  3. Create application team policies that inherit the base policy.
  4. Define application team-specific rules in the policy. You can also migrate rules from pre-existing firewalls.
  5. Create Azure Active Directory custom roles to provide fine-grained access to rule collection groups and add the roles at the firewall policy scope. In the following example, Sales team members can edit rule collection groups for the Sales team's firewall policy. The same applies to the Database and Engineering teams.
  6. Associate the policy to the corresponding firewall. An Azure firewall can have only one assigned policy. This requires each application team to have their own firewall.

Figure: Teams and requirements

Create the firewall policies

  • A base firewall policy.

Create policies for each of the application teams:

  • A Sales firewall policy. The Sales firewall policy inherits the base firewall policy.
  • A Database firewall policy. The Database firewall policy inherits the base firewall policy.
  • An Engineering firewall policy. The Engineering firewall policy also inherits the base firewall policy.
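The policy hierarchy above, built with the Az.Network PowerShell module, as an added example that is not part of the original article. The base policy carries a single guardrail rule collection group that denies ICMP (the article's own example of a base-policy guardrail), and each team policy is created with the base policy as its parent. The resource group, location and policy names are assumptions; replace them with your own values.

```powershell
# Added example (not from the original article). Assumes the Az.Network module is
# installed, you are signed in, and the resource group below already exists.
$rg       = "rg-security-team"   # assumed resource group for all policies in this example
$location = "eastus"             # assumed

# 1. Base policy owned by the security team.
$base = New-AzFirewallPolicy -Name "BaseFirewallPolicy" -ResourceGroupName $rg -Location $location

# 2. Guardrail rule in the base policy: deny ICMP from anywhere to anywhere.
#    Because the base policy runs before any child policy, a child policy cannot
#    allow what this collection denies.
$denyIcmp = New-AzFirewallPolicyNetworkRule -Name "Deny-ICMP" `
    -SourceAddress "*" -DestinationAddress "*" -DestinationPort "*" -Protocol "ICMP"
$guardrails = New-AzFirewallPolicyFilterRuleCollection -Name "SecurityGuardrails" `
    -Priority 100 -ActionType "Deny" -Rule $denyIcmp
New-AzFirewallPolicyRuleCollectionGroup -Name "BaseRules" -Priority 100 `
    -RuleCollection $guardrails -FirewallPolicyObject $base | Out-Null

# 3. One child policy per application team, each inheriting the base policy
#    through -BasePolicy (the base policy's resource ID).
$teams = @("Sales", "Database", "Engineering")
$childPolicies = foreach ($team in $teams) {
    New-AzFirewallPolicy -Name "${team}AppPolicy" -ResourceGroupName $rg `
        -Location $location -BasePolicy $base.Id
}

# Check: every child policy points at the base policy. The BasePolicy.Id property
# path is assumed from the policy object returned by New-AzFirewallPolicy.
foreach ($p in $childPolicies) {
    if ($p.BasePolicy.Id -ne $base.Id) {
        throw "$($p.Name) does not inherit $($base.Name)"
    }
}
```

The check at the end is the one a security team would script into a pipeline: a team policy that is created without `-BasePolicy` silently escapes the guardrails, so verify the parent link rather than assuming it.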

Figure: Policy hierarchy

Create custom roles to access the rule collection groups

Custom roles are defined for each application team. The role defines operations and scope. The application teams are allowed to edit rule collection groups for their respective applications.

Use the following high-level procedure to define custom roles:

  1. Get the subscription:

    Select-AzSubscription -SubscriptionId xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx

  2. Run the following command:

    Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize

  3. Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

    Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json

  4. Open the ReaderSupportRole.json file in an editor.

    The following shows the JSON output. For information about the different properties, see Azure custom roles.

    {
      "Name": "Reader",
      "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
      "IsCustom": false,
      "Description": "Lets you view everything, but not make any changes.",
      "Actions": [
        "*/read"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/"
      ]
    }

  5. Edit the JSON file to add the following operations to the Actions property. Be sure to include a comma after the read operation. This action allows the user to create and update rule collection groups.

    "*/read", "Microsoft.Network/*/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"

  6. In AssignableScopes, add your subscription ID with the following format:

    /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx

    You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.

  7. Delete the Id property line and change the IsCustom property to true.

  8. Change the Name property to "AZFM Rule Collection Group Author" and the Description property to "Users in this role can edit Firewall Policy rule collection groups".

Your JSON file should look similar to the following example:

    {
      "Name": "AZFM Rule Collection Group Author",
      "IsCustom": true,
      "Description": "Users in this role can edit Firewall Policy rule collection groups",
      "Actions": [
        "*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx"
      ]
    }

  9. To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.

    New-AzRoleDefinition -InputFile "C:\CustomRoles\RuleCollectionGroupRole.json"
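The same nine steps carried out entirely in PowerShell, as an added example that is not part of the original article: the custom role is derived from the built-in Reader role in code rather than by hand-editing JSON, so the result is reproducible from a pipeline. The role name, description, actions and output path are the article's; the subscription ID is a placeholder, and the two checks before the role is created are this example's own guardrails against the mistakes the article warns about (a root assignable scope, or a wildcard write action).

```powershell
# Added example (not from the original article). Assumes the Az.Resources module
# is installed and you are signed in.
$subscriptionId = "xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx"   # placeholder, replace
Select-AzSubscription -SubscriptionId $subscriptionId | Out-Null

# Start from the built-in Reader role (steps 3 and 4).
$role = Get-AzRoleDefinition -Name "Reader"

# Steps 7 and 8: a new role must not carry the built-in role's Id.
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "AZFM Rule Collection Group Author"
$role.Description = "Users in this role can edit Firewall Policy rule collection groups"

# Step 5: keep "*/read" and add only the operations the teams need.
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Network/firewallPolicies/ruleCollectionGroups/write")

# Step 6: replace the Reader role's "/" scope with this subscription only.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")

# Checks before anything is created: no root scope, no wildcard write.
if ($role.AssignableScopes -contains "/") {
    throw "Custom role must not be assignable at root scope"
}
$writeActions = $role.Actions | Where-Object { $_ -notlike "*/read" }
if ($writeActions -ne "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write") {
    throw "Custom role grants write actions beyond rule collection groups: $writeActions"
}

# Step 9: write the definition to the article's path and create the role.
$path = "C:\CustomRoles\RuleCollectionGroupRole.json"
$role | ConvertTo-Json -Depth 5 | Out-File $path
New-AzRoleDefinition -InputFile $path
```

`New-AzRoleDefinition -Role $role` would accept the object directly; writing the JSON file first matches the article's flow and leaves a reviewable artifact of what was created.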

List custom roles

To list all the custom roles, you can use the Get-AzRoleDefinition command:

    Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

You can also see the custom roles in the Azure portal. Go to your subscription, select Access control (IAM), Roles.

Figure: SalesAppPolicy

Figure: SalesAppPolicy read permissions

For more information, see Tutorial: Create an Azure custom role using Azure PowerShell.

Add users to the custom role

In the portal, you can add users to the AZFM Rule Collection Group Author role and provide access to the firewall policies.

  1. From the portal, select the application team firewall policy (for example, SalesAppPolicy).
  2. Select Access control (IAM).
  3. Select Add role assignment.
  4. Add users/user groups (for example, the Sales team) to the role.

Repeat this procedure for the other firewall policies.
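The same assignment done with PowerShell, as an added example that is not part of the original article. The point it makes explicit is the scope: the role is assigned at the resource ID of the team's own firewall policy, not at the subscription or resource group, which is what keeps one team's members from editing another team's policy or the base policy. The policy and role names are the article's; the resource group and group display name are assumptions.

```powershell
# Added example (not from the original article). Assumes Az.Network and
# Az.Resources are installed and you are signed in.
$policyName = "SalesAppPolicy"                    # from the article
$policyRg   = "rg-sales-team"                     # assumed
$groupName  = "Sales Team"                        # assumed Azure AD group display name
$roleName   = "AZFM Rule Collection Group Author" # from the article

$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $policyRg
$group  = Get-AzADGroup -DisplayName $groupName
if (-not $policy -or -not $group) { throw "Policy or group not found" }

# Assign at the policy resource ID so the grant covers this policy only.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $policy.Id | Out-Null

# Verification: Get-AzRoleAssignment -Scope also returns assignments inherited
# from parent scopes, so filter for an exact match on this policy's ID.
$assignment = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $policy.Id |
    Where-Object { $_.Scope -eq $policy.Id }
if (-not $assignment) {
    throw "No $roleName assignment for $groupName at $($policy.Id)"
}

# Repeat for DatabaseAppPolicy and EngineeringAppPolicy with their own groups.
```

The inherited-assignment filter in the verification step is worth keeping: a group that also holds a broader role at subscription scope would otherwise look correctly scoped when it is not.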

Summary

Firewall Policy with custom roles now provides selective access to firewall policy rule collection groups.

Users don't have permissions to:

  • Delete the Azure Firewall or firewall policy.
  • Update the firewall policy hierarchy, DNS settings, or threat intelligence.
  • Update firewall policies where they are not members of the AZFM Rule Collection Group Author group.

Security administrators can use the base policy to enforce guardrails and block certain types of traffic (for example, ICMP) as required by their enterprise.

Next steps

Learn more about Azure Firewall policy.