Application layer security with Front Door

Azure Front Door Service provides web application protection capability to safeguard your web applications from network attacks and exploits of common web vulnerabilities such as SQL injection or cross-site scripting (XSS). Enabled for http(s) front-ends, Front Door's application layer security is globally distributed and always on, stopping malicious attacks at Azure's network edge, far away from your backends. With added security and performance optimization, Front Door delivers fast and secure web experiences to your end users.

Application protection

Front Door's application protection is configured on each edge environment around the globe, in line with applications, and automatically blocks non-http(s) traffic from reaching your web applications. Our multi-tenant distributed architecture enables global protection at scale without sacrificing performance. For http(s) workloads, Front Door's web application protection service provides a rich rules engine for custom rules, a pre-configured ruleset against common attacks, and detailed logging for all requests that match a rule. Flexible actions including allow, block, or log only are supported.

Custom access control rules

  • IP allow list and block list: You may configure custom rules to control access to your web applications based on a list of client IP addresses. Both IPv4 and IPv6 are supported.
  • Geographic-based access control: You may configure custom rules to control access to your web applications based on the country code that a client IP is from.
  • HTTP parameters filtering: You may configure custom access rules based on matching http(s) request parameters including headers, URL, and query strings.

Azure-managed rules

  • A preconfigured set of rules against the most common OWASP vulnerabilities is enabled by default. At preview, the set of rules includes sqli and xss request checking. Additional rules will be added. You may choose to start with the log only action to validate that the preconfigured rules work as expected for your applications.

Rate limiting

  • A rate control rule limits abnormally high traffic from any client IP. You may set a threshold on the number of web requests allowed from a client IP during a one-minute duration.

Centralized protection policy

  • You may define several protection rules and add them to a Policy in priority order. Custom rules have higher priority than the managed ruleset to allow exceptions. A single policy is associated with your web application. The same web application protection policy is replicated to all edge servers at all locations, ensuring a consistent security policy in all regions.
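The priority ordering and the one-minute rate limit described above can be modelled in a few lines of Python. This is an added example, not Microsoft's code or the Front Door API: the rule names, addresses, threshold, the stand-in sqli check and the evaluation semantics (allow/block is terminal, log continues, no match means allow) are assumptions of the model.

```python
import ipaddress
from collections import defaultdict, deque

ALLOW, BLOCK, LOG = "allow", "block", "log"

def ip_in(*cidrs):
    """Match client IPs against IPv4 and IPv6 ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)

class RateLimit:
    """Match once a client IP exceeds `threshold` requests within one minute."""
    def __init__(self, threshold):
        self.threshold, self.seen = threshold, defaultdict(deque)
    def __call__(self, req):
        q = self.seen[req["ip"]]
        q.append(req["ts"])
        while q[0] <= req["ts"] - 60:   # drop hits older than the window
            q.popleft()
        return len(q) > self.threshold

def evaluate(custom, managed, req):
    """Custom rules run first in ascending priority, then the managed rules.
    Model assumptions: allow/block is terminal, log records and continues,
    and a request that matches no terminal rule is allowed."""
    log = []
    for rule in sorted(custom, key=lambda r: r["priority"]) + managed:
        if rule["match"](req):
            log.append((rule["name"], rule["action"]))
            if rule["action"] != LOG:
                return rule["action"], log
    return ALLOW, log

# Constructed policy: documentation address ranges, made-up names and threshold.
CUSTOM = [
    {"name": "rate", "priority": 3, "action": BLOCK, "match": RateLimit(3)},
    {"name": "geo", "priority": 2, "action": BLOCK,
     "match": lambda r: r["country"] == "XX"},
    {"name": "trusted", "priority": 1, "action": ALLOW,
     "match": ip_in("203.0.113.0/24", "2001:db8::/32")},
]
# Stand-in for a managed sqli check, started in log-only mode.
MANAGED = [{"name": "managed-sqli", "action": LOG,
            "match": lambda r: "union select" in r["query"].lower()}]

def req(ip, ts=0, country="US", query=""):
    return {"ip": ip, "ts": ts, "country": country, "query": query}
```

In this model a request from the trusted range is allowed before the managed check is reached, which is the exception mechanism the policy ordering provides, while the same query from any other address is only recorded by the log-only managed rule.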

Configuration

  • During preview, you may use REST APIs, PowerShell, or CLI to create and deploy Front Door's application protection rules and policies. Portal access will be supported before the service is generally available.

Monitoring

Front Door provides the ability to monitor web applications against attacks using real-time metrics that are integrated with Azure Monitor to track alerts and easily monitor trends.

Pricing

Front Door's application layer security is free during the preview.
