Azure best practices for network security

This article discusses a collection of Azure best practices to enhance your network security. These best practices are derived from our experience with Azure networking and the experiences of customers like yourself.

For each best practice, this article explains:

  • What the best practice is
  • Why you want to enable that best practice
  • What might be the result if you fail to enable the best practice
  • Possible alternatives to the best practice
  • How you can learn to enable the best practice

These best practices are based on a consensus opinion, and on Azure platform capabilities and feature sets as they existed at the time this article was written. Opinions and technologies change over time, and this article will be updated on a regular basis to reflect those changes.

Use strong network controls

You can connect Azure virtual machines (VMs) and appliances to other networked devices by placing them on Azure virtual networks. That is, you can connect virtual network interface cards to a virtual network to allow TCP/IP-based communications between network-enabled devices. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, on different virtual networks, on the internet, or on your own on-premises networks.

As you plan your network and its security, we recommend that you centralize:

  • Management of core network functions like ExpressRoute, virtual network and subnet provisioning, and IP addressing.
  • Governance of network security elements, such as network security group rules and network virtual appliance functions (firewalling, intrusion detection, and similar controls).

If you use a common set of management tools to monitor your network and the security of your network, you get clear visibility into both. A straightforward, unified security strategy reduces errors because it increases human understanding and the reliability of automation.

Logically segment subnets

Azure virtual networks are similar to LANs on your on-premises network. The idea behind an Azure virtual network is that you create a network, based on a single private IP address space, on which you can place all your Azure virtual machines. The private IP address spaces available are the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 (often still called the Class A, B, and C private ranges, although the last two are CIDR blocks spanning many classful networks).

Best practices for logically segmenting subnets include:

Best practice: Don't assign allow rules with broad ranges (for example, a rule that allows any source, 0.0.0.0/0, to reach any destination port).
Detail: Ensure that troubleshooting procedures discourage or ban setting up these types of rules, even as a temporary measure. These allow rules lead to a false sense of security and are frequently found and exploited by red teams.

Best practice: Segment the larger address space into subnets.
Detail: Use CIDR-based subnetting principles to create your subnets.

Best practice: Create network access controls between subnets. Routing between subnets happens automatically, and you don't need to manually configure routing tables. By default, there are no network access controls between the subnets that you create on an Azure virtual network.
Detail: Use a network security group to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet filters that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. Rules are evaluated in priority order (lowest number first) and the first match decides, with Azure's default rules as the final fallback. You can allow or deny traffic to and from a single IP address, multiple IP addresses, or entire subnets.

When you use network security groups for network access control between subnets, you can put resources that belong to the same security zone or role in their own subnets.

Best practice: Avoid small virtual networks and subnets to ensure simplicity and flexibility.
Detail: Most organizations add more resources than initially planned, and re-allocating addresses is labor intensive. Using small subnets adds limited security value, and mapping a network security group to each subnet adds overhead. Define subnets broadly to ensure that you have flexibility for growth.
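As an added example (not code from the original article), the following Python carves a virtual network address space into role-based subnets using the CIDR principles above, sized with headroom so that growth does not force re-addressing. It assumes Azure's documented reservation of five addresses per subnet and minimum subnet size of /29; the roles and host estimates are constructed planning input.

```python
"""Plan role-based subnets for an Azure virtual network address space.

Added example, not from the original article. Assumptions:
  - Azure reserves 5 addresses per subnet (network, 3 platform, broadcast);
  - Azure does not accept subnets smaller than /29;
  - ROLES is a constructed planning estimate, not data from the article.
"""
import ipaddress
import math

AZURE_RESERVED_PER_SUBNET = 5   # documented Azure reservation per subnet
AZURE_MIN_PREFIX = 29           # smallest subnet Azure allows

# Constructed input: role -> VMs expected in that subnet today.
ROLES = {"web": 40, "app": 120, "data": 10, "mgmt": 4}


def usable_hosts(prefixlen: int) -> int:
    """VM addresses a subnet of this size can actually hold on Azure."""
    return 2 ** (32 - prefixlen) - AZURE_RESERVED_PER_SUBNET


def prefix_for(hosts: int, growth: float = 2.0) -> int:
    """Smallest subnet (largest prefix length) whose usable address count
    covers hosts * growth. The growth factor is the 'define subnets broadly'
    advice turned into a number; re-addressing later costs far more."""
    need = math.ceil(hosts * growth)
    for prefixlen in range(AZURE_MIN_PREFIX, 0, -1):   # try /29, /28, ... /1
        if usable_hosts(prefixlen) >= need:
            return prefixlen
    raise ValueError(f"{need} hosts do not fit in any IPv4 subnet")


def plan_subnets(vnet: str, roles: dict, growth: float = 2.0) -> dict:
    """Allocate one non-overlapping subnet per role out of vnet.

    Largest requests are placed first so they land on aligned boundaries;
    leftover space stays in a pool of free CIDR blocks for later roles."""
    space = ipaddress.ip_network(vnet)
    if not space.is_private:
        raise ValueError("use an RFC 1918 range for the virtual network")
    free = [space]
    plan = {}
    for role, hosts in sorted(roles.items(), key=lambda kv: -kv[1]):
        want = prefix_for(hosts, growth)
        fits = [blk for blk in free if blk.prefixlen <= want]
        if not fits:
            raise ValueError(f"no room for {role} (/{want}) in {vnet}")
        block = max(fits, key=lambda blk: blk.prefixlen)   # tightest fit
        free.remove(block)
        if block.prefixlen == want:
            plan[role] = block
        else:
            first, second = list(block.subnets(new_prefix=want))[:2]
            plan[role] = first
            # return everything after the allocated subnet to the free pool
            free.extend(ipaddress.summarize_address_range(
                second.network_address, block.broadcast_address))
    return plan


def overlaps(plan: dict) -> bool:
    """True if any two planned subnets overlap (should never happen)."""
    nets = list(plan.values())
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for role, net in plan_subnets("10.0.0.0/16", ROLES).items():
        print(f"{role:5} {net}  usable={usable_hosts(net.prefixlen)}")
```

With the constructed roles and a 10.0.0.0/16 address space, the plan uses less than 1% of the space while doubling every role's current footprint, which is the point: the /16 leaves room for subnets you have not designed yet, and no role needs re-addressing when it grows.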

Best practice: Simplify network security group rule management by defining application security groups.
Detail: Define an application security group for sets of VMs whose IP addresses might change in the future or that many network security groups need to reference. Rules then refer to the group instead of explicit addresses, and a VM joins the group through its network interface. Be sure to name application security groups clearly so others can understand their content and purpose.

Adopt a Zero Trust approach

Perimeter-based networks operate on the assumption that all systems within a network can be trusted. But today's employees access their organization's resources from anywhere on a variety of devices and apps, which makes perimeter security controls insufficient on their own. Access control policies that focus only on who can access a resource are not enough. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Networks need to evolve from traditional defenses because networks might be vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand a foothold across the entire network. Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures use device and user trust claims to gate access to organizational data and resources. For new initiatives, adopt Zero Trust approaches that validate trust at the time of access.

Best practices are:

Best practice: Give Conditional Access to resources based on device, identity, assurance, network location, and more.
Detail: Azure AD Conditional Access lets you apply the right access controls by implementing automated access control decisions based on the required conditions. For more information, see Manage access to Azure management with Conditional Access.

Best practice: Enable port access only after workflow approval.
Detail: You can use just-in-time VM access in Azure Security Center to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When a request is approved, the management port is opened in the network security group only for the requesting source address and only for the approved time window, after which the rule is removed again.

Best practice: Grant temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it.
Detail: Use just-in-time access in Azure AD Privileged Identity Management or in a third-party solution to grant permissions to perform privileged tasks.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the "assume breach" mindset, but this approach shouldn't be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace by using technologies that empower employees to be productive anytime, anywhere, in any way.

Control routing behavior

When you put a virtual machine on an Azure virtual network, the VM can connect to any other VM on the same virtual network, even if the other VMs are on different subnets. This is possible because a collection of system routes enabled by default allows this type of communication. These default routes allow VMs on the same virtual network to initiate connections with each other, and with the internet (for outbound communications to the internet only).

Although the default system routes are useful for many deployment scenarios, there are times when you want to customize the routing configuration for your deployments. You can configure the next-hop address to reach specific destinations. Azure selects the route with the longest matching prefix; when a user-defined route and a system route have the same prefix, the user-defined route wins.

We recommend that you configure user-defined routes when you deploy a security appliance for a virtual network; without them, traffic follows the default system routes and bypasses the appliance. We talk about this in a later section titled Secure your critical Azure service resources to only your virtual networks.

Note

User-defined routes are not required, and the default system routes usually work.

Use virtual network appliances

Network security groups and user-defined routing can provide a certain measure of network security at the network and transport layers of the OSI model. But in some situations, you want or need to enable security at higher layers of the stack. In such situations, we recommend that you deploy virtual network security appliances provided by Azure partners.

Azure network security appliances can deliver better security than what network-level controls provide. Network security capabilities of virtual network security appliances include:

  • Firewalling
  • Intrusion detection/intrusion prevention
  • Vulnerability management
  • Application control
  • Network-based anomaly detection
  • Web filtering
  • Antivirus
  • Botnet protection

To find available Azure virtual network security appliances, go to the Azure Marketplace and search for "security" and "network security."

Deploy perimeter networks for security zones

A perimeter network (also known as a DMZ) is a physical or logical network segment that provides an additional layer of security between your assets and the internet. Specialized network access control devices on the edge of a perimeter network allow only desired traffic into your virtual network.

Perimeter networks are useful because you can focus your network access control management, monitoring, logging, and reporting on the devices at the edge of your Azure virtual network. A perimeter network is where you typically enable distributed denial of service (DDoS) prevention, intrusion detection/intrusion prevention systems (IDS/IPS), firewall rules and policies, web filtering, network antimalware, and more. The network security devices sit between the internet and your Azure virtual network and have an interface on both networks.

Although this is the basic design of a perimeter network, there are many different designs, like back-to-back, tri-homed, and multi-homed.

Based on the Zero Trust concept mentioned earlier, we recommend that you consider using a perimeter network for all high-security deployments to enhance the level of network security and access control for your Azure resources. You can use Azure or a third-party solution to provide an additional layer of security between your assets and the internet:

  • Azure native controls. Azure Firewall and the web application firewall in Application Gateway offer basic security with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration.
  • Third-party offerings. Search the Azure Marketplace for next-generation firewall (NGFW) and other third-party offerings that provide familiar security tools and significantly enhanced levels of network security. Configuration might be more complex, but a third-party offering might allow you to use existing capabilities and skillsets.

Many organizations have chosen the hybrid IT route. With hybrid IT, some of the company's information assets are in Azure, and others remain on-premises. In many cases, some components of a service are running in Azure while other components remain on-premises.

In a hybrid IT scenario, there is usually some type of cross-premises connectivity. Cross-premises connectivity allows the company to connect its on-premises networks to Azure virtual networks. Two cross-premises connectivity solutions are available:

  • Site-to-site VPN. It's a trusted, reliable, and established technology, but the connection takes place over the internet. Bandwidth is constrained to a maximum of about 1.25 Gbps per tunnel. Site-to-site VPN is a desirable option in some scenarios.
  • Azure ExpressRoute. We recommend that you use ExpressRoute for your cross-premises connectivity. ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services like Azure, Office 365, and Dynamics 365. ExpressRoute is a dedicated WAN link between your on-premises location (or a colocation facility offered by an exchange provider) and the Microsoft cloud. Because this is a telco connection, your data doesn't travel over the internet, so it isn't exposed to the potential risks of internet communications. Note that the circuit is private but not encrypted: if the data requires encryption in transit, add it yourself, for example with IPsec over the ExpressRoute connection.

The location of your ExpressRoute connection can affect firewall capacity, scalability, reliability, and network traffic visibility. You'll need to identify where to terminate ExpressRoute in existing (on-premises) networks. You can:

  • Terminate outside the firewall (the perimeter network paradigm) if you require visibility into the traffic, if you need to continue an existing practice of isolating datacenters, or if you're solely putting extranet resources on Azure.
  • Terminate inside the firewall (the network extension paradigm). This is the default recommendation. In all other cases, we recommend treating Azure as an nth datacenter.

Optimize uptime and performance

If a service is down, information can't be accessed. If performance is so poor that the data is unusable, you can consider the data to be inaccessible. From a security perspective, you need to do whatever you can to make sure that your services have optimal uptime and performance.

A popular and effective method for enhancing availability and performance is load balancing. Load balancing is a method of distributing network traffic across servers that are part of a service. For example, if you have front-end web servers as part of your service, you can use load balancing to distribute the traffic across your multiple front-end web servers.

This distribution of traffic increases availability because if one of the web servers becomes unavailable, the load balancer stops sending traffic to that server and redirects it to the servers that are still online. Load balancing also helps performance, because the processor, network, and memory overhead for serving requests is distributed across all the load-balanced servers.

We recommend that you employ load balancing whenever you can, and as appropriate for your services. Following are scenarios at both the Azure virtual network level and the global level, along with load-balancing options for each.

Scenario: You have an application that:

  • Requires requests from the same user/client session to reach the same back-end virtual machine. Examples of this are shopping cart apps and web mail servers.
  • Accepts only a secure connection, so unencrypted communication to the server is not an acceptable option.
  • Requires multiple HTTP requests on the same long-running TCP connection to be routed or load balanced to different back-end servers.

Load-balancing option: Use Azure Application Gateway, an HTTP web traffic load balancer. Application Gateway supports end-to-end TLS (SSL) encryption and TLS termination at the gateway. With termination at the gateway, web servers are unburdened from encryption and decryption overhead, but traffic then flows unencrypted to the back-end servers; choose end-to-end TLS instead when the back-end network is not fully trusted or the data must stay encrypted in transit.

Scenario: You need to load balance incoming connections from the internet among your servers located in an Azure virtual network. Scenarios are when you:

  • Have stateless applications that accept incoming requests from the internet.
  • Don't require sticky sessions or SSL offload. Sticky sessions is a method used with application load balancing to achieve server affinity.

Load-balancing option: Use the Azure portal to create an external load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

Scenario: You need to load balance connections from VMs that are not on the internet. In most cases, the connections that are accepted for load balancing are initiated by devices on an Azure virtual network, such as SQL Server instances or internal web servers.
Load-balancing option: Use the Azure portal to create an internal load balancer that spreads incoming requests across multiple VMs to provide a higher level of availability.

Scenario: You need global load balancing because you:

  • Have a cloud solution that is widely distributed across multiple regions and requires the highest level of uptime (availability) possible.
  • Need the highest level of uptime possible to make sure that your service is available even if an entire datacenter becomes unavailable.

Load-balancing option: Use Azure Traffic Manager. Traffic Manager makes it possible to load balance connections to your services based on the location of the user. It works at the DNS level: it answers the client's name lookup with the address of the chosen endpoint, and the client then connects to that endpoint directly.

For example, if the user makes a request to your service from the EU, the connection is directed to your services located in an EU datacenter. This part of Traffic Manager global load balancing helps to improve performance because connecting to the nearest datacenter is faster than connecting to datacenters that are far away.

Disable RDP/SSH access to virtual machines

It's possible to reach Azure virtual machines by using Remote Desktop Protocol (RDP) and the Secure Shell (SSH) protocol. These protocols enable management of VMs from remote locations and are standard in datacenter computing.

The potential security problem with using these protocols over the internet is that attackers can use brute force techniques to gain access to Azure virtual machines. After the attackers gain access, they can use your VM as a launch point for compromising other machines on your virtual network or even attack networked devices outside Azure.

We recommend that you disable direct RDP and SSH access to your Azure virtual machines from the internet: no network security group rule should allow TCP 3389 or TCP 22 inbound from the Internet tag, from any public prefix, or from any source ("*"). After direct RDP and SSH access from the internet is disabled, you have other options that you can use to access these VMs for remote management.
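The following Python, added here as an example and not code from the original article, reproduces how a network security group decides on an inbound flow (5-tuple match, lowest priority number first, Azure's default inbound rules as the backstop, as described under "Logically segment subnets") and then audits the same rule set for the two findings this page warns about: broad any-to-any allow rules and RDP/SSH reachable from the internet. The VNet range, the rules of a hypothetical "web-nsg", and the client addresses are constructed; the records mirror the camelCase fields of `az network nsg rule list -o json`, but only the singular prefix and port fields are handled.

```python
"""Evaluate and audit Azure network security group (NSG) rules offline.

Added example, not code from the original article. Constructed data: the
VNet range, the rules of a hypothetical "web-nsg", the client addresses.
Records use the camelCase fields of `az network nsg rule list -o json`;
only the singular *AddressPrefix / *PortRange fields are handled here.
DEFAULT_INBOUND reproduces Azure's documented default inbound rules.
"""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")                 # constructed
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # documented LB probe source
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}


def rule(name, priority, access, protocol, src, src_port, dst, dst_port, direction="Inbound"):
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "sourceAddressPrefix": src, "sourcePortRange": src_port,
            "destinationAddressPrefix": dst, "destinationPortRange": dst_port}


# Constructed rules: one good rule, two a red team finds first, one properly scoped.
RULES = [
    rule("allow-https",            100, "Allow", "Tcp", "Internet",        "*", "10.0.1.0/25", "443"),
    rule("allow-rdp-anywhere",     110, "Allow", "Tcp", "*",               "*", "*",           "3389"),
    rule("allow-any-troubleshoot", 120, "Allow", "*",   "0.0.0.0/0",       "*", "*",           "*"),
    rule("allow-ssh-from-p2s",     130, "Allow", "Tcp", "172.16.201.0/24", "*", "10.0.1.0/25", "22"),
]
# Azure default inbound rules: cannot be deleted, only overridden by lower numbers.
DEFAULT_INBOUND = [
    rule("AllowVnetInBound",              65000, "Allow", "*", "VirtualNetwork",    "*", "VirtualNetwork", "*"),
    rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*",              "*"),
    rule("DenyAllInBound",                65500, "Deny",  "*", "*",                 "*", "*",              "*"),
]


def _is_public(ip):
    return not any(ip in net for net in RFC1918)


def _addr_matches(prefix, ip):
    """Match an address prefix or one of the service tags this example expands."""
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    if prefix == "Internet":
        return _is_public(ip) and ip not in VNET
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")     # "443" or "1000-2000"
    return int(lo) <= port <= int(hi or lo)


def _matches(r, flow):
    return (r["protocol"] in ("*", flow["protocol"])
            and _addr_matches(r["sourceAddressPrefix"], flow["src_ip"])
            and _port_matches(r["sourcePortRange"], flow["src_port"])
            and _addr_matches(r["destinationAddressPrefix"], flow["dst_ip"])
            and _port_matches(r["destinationPortRange"], flow["dst_port"]))


def make_flow(src_ip, src_port, dst_ip, dst_port, protocol="Tcp"):
    return {"src_ip": ipaddress.ip_address(src_ip), "src_port": src_port,
            "dst_ip": ipaddress.ip_address(dst_ip), "dst_port": dst_port, "protocol": protocol}


def evaluate(rules, flow):
    """Lowest priority number that matches wins; defaults guarantee a decision.
    Returns (access, rule name)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if r["direction"] == "Inbound" and _matches(r, flow):
            return r["access"], r["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def _source_is_public(prefix):
    if prefix in ANY_SOURCE:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:            # a service tag this example does not expand
        return False
    return not any(net.subnet_of(p) for p in RFC1918)


def audit(rules):
    """Findings for inbound allow rules: any source to every port, and SSH/RDP
    open to public addresses. Returns a list of (rule name, message)."""
    findings = []
    for r in rules:
        if r["access"] != "Allow" or r["direction"] != "Inbound":
            continue
        if r["sourceAddressPrefix"] in ANY_SOURCE and r["destinationPortRange"] == "*":
            findings.append((r["name"], "allows any source to every port"))
            continue
        if _source_is_public(r["sourceAddressPrefix"]):
            for port, proto in MGMT_PORTS.items():
                if _port_matches(r["destinationPortRange"], port):
                    findings.append((r["name"], f"{proto} ({port}) reachable from the internet"))
    return findings


def harden(rules):
    """Drop every rule the audit flags; what remains is the rule set to keep."""
    flagged = {name for name, _ in audit(rules)}
    return [r for r in rules if r["name"] not in flagged]
```

Run `evaluate` against the constructed rules and a public client and the "troubleshooting" rule at priority 120 allows a connection to port 8080 that nothing else permits; after `harden` removes it and the any-source RDP rule, the same flow falls through to DenyAllInBound, while SSH from the constructed point-to-site client pool (172.16.201.0/24) still works. The audit logic is what you would point at a real `az network nsg rule list` export before a red team does.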

Scenario: Enable a single user to connect to an Azure virtual network over the internet.
Option: Point-to-site VPN is another term for a remote access VPN client/server connection. After the point-to-site connection is established, the user can use RDP or SSH to connect to any VMs located on the Azure virtual network that the user connected to via point-to-site VPN. This assumes that the user is authorized to reach those VMs.

Point-to-site VPN is more secure than direct RDP or SSH connections because the user has to authenticate twice before connecting to a VM. First, the user needs to authenticate (and be authorized) to establish the point-to-site VPN connection. Second, the user needs to authenticate (and be authorized) to establish the RDP or SSH session.

Scenario: Enable users on your on-premises network to connect to VMs on your Azure virtual network.
Option: A site-to-site VPN connects an entire network to another network over the internet. You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.

Scenario: Use a dedicated WAN link to provide functionality similar to the site-to-site VPN.
Option: Use ExpressRoute. It provides functionality similar to the site-to-site VPN. The main differences are:

  • The dedicated WAN link doesn't traverse the internet.
  • Dedicated WAN links are typically more stable and perform better.

Secure your critical Azure service resources to only your virtual networks

Use virtual network service endpoints to extend your virtual network private address space, and the identity of your virtual network, to the Azure services over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your virtual network to the Azure service always remains on the Microsoft Azure backbone network.

Service endpoints provide the following benefits:

  • Improved security for your Azure service resources: With service endpoints, Azure service resources can be secured to your virtual network. Securing service resources to a virtual network provides improved security by fully removing public internet access to resources, and allowing traffic only from your virtual network. Enabling the endpoint on the subnet is only half of the configuration: the service resource's own firewall must also be set to accept that virtual network and to deny other sources, or the public path stays open.

  • Optimal routing for Azure service traffic from your virtual network: Any routes in your virtual network that force internet traffic to your on-premises and/or virtual appliances, known as forced tunneling, also force Azure service traffic to take the same route as the internet traffic. Service endpoints provide optimal routing for Azure traffic.

    Endpoints always take service traffic directly from your virtual network to the service on the Azure backbone network, by adding a more specific route for the service's prefixes with the next hop type VirtualNetworkServiceEndpoint, which wins over a 0.0.0.0/0 forced-tunnel route by longest prefix match. Keeping traffic on the Azure backbone network allows you to continue auditing and monitoring outbound internet traffic from your virtual networks, through forced tunneling, without affecting service traffic. Learn more about user-defined routes and forced tunneling.

  • Simple to set up with less management overhead: You no longer need reserved, public IP addresses in your virtual networks to secure Azure resources through an IP firewall. There are no NAT or gateway devices required to set up the service endpoints. Service endpoints are configured through a simple click on a subnet. There is no additional overhead to maintain the endpoints.
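As an added example that is not code from the original article, the following Python resolves the effective next hop for a destination the way the "Control routing behavior" section and the routing bullet above describe: longest prefix match first, and on an equal prefix a user-defined route overrides a system route. The entries use the `source` and `nextHopType` values that `az network nic show-effective-route-table` prints, but the VNet range, the network virtual appliance at 10.0.0.4, and the 203.0.113.0/24 prefix standing in for a service's public range are all constructed.

```python
"""Resolve the effective next hop for a destination the way an Azure subnet's
route table does.

Added example, not code from the original article. Selection rule: longest
prefix match wins; on an equal prefix a user-defined route beats a route
learned over the gateway (BGP), which beats a system (Default) route.
Constructed data: the VNet range, the NVA at 10.0.0.4, and 203.0.113.0/24
as a hypothetical stand-in for an Azure service's public prefix.
"""
import ipaddress

# `source` values as printed by `az network nic show-effective-route-table`;
# lower rank wins when two routes have the same prefix length.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def route(prefix, next_hop_type, source, next_hop_ip=None):
    return {"prefix": ipaddress.ip_network(prefix), "nextHopType": next_hop_type,
            "source": source, "nextHopIpAddress": next_hop_ip}


# System routes every subnet starts with (constructed VNet range).
SYSTEM_ROUTES = [
    route("10.0.0.0/16", "VnetLocal", "Default"),
    route("0.0.0.0/0", "Internet", "Default"),
]
# UDR for forced tunneling: anything not matched more specifically goes to the NVA.
FORCED_TUNNEL = [route("0.0.0.0/0", "VirtualAppliance", "User", "10.0.0.4")]
# UDR that also pushes intra-VNet traffic through the NVA; same prefix as the
# system route, so only the User source makes it win.
INSPECT_EAST_WEST = [route("10.0.0.0/16", "VirtualAppliance", "User", "10.0.0.4")]
# Route Azure adds to a subnet when a service endpoint is enabled; the prefix
# here is a hypothetical stand-in for the real Microsoft service ranges.
SERVICE_ENDPOINT = [route("203.0.113.0/24", "VirtualNetworkServiceEndpoint", "Default")]


def effective_next_hop(routes, destination):
    """Return (nextHopType, nextHopIpAddress) for destination."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["prefix"]]
    if not candidates:
        return ("None", None)   # no matching route: Azure drops the traffic
    best = min(candidates,
               key=lambda r: (-r["prefix"].prefixlen, SOURCE_RANK[r["source"]]))
    return (best["nextHopType"], best["nextHopIpAddress"])


def trace(routes, destinations):
    """Next hop per destination; useful for checking a UDR before rollout."""
    return {d: effective_next_hop(routes, d) for d in destinations}


if __name__ == "__main__":
    table = SYSTEM_ROUTES + FORCED_TUNNEL + SERVICE_ENDPOINT
    for dst, (hop, via) in trace(table, ["10.0.5.6", "198.51.100.7", "203.0.113.9"]).items():
        print(f"{dst:14} -> {hop}" + (f" via {via}" if via else ""))
```

Three things the trace makes visible: the forced-tunnel UDR captures internet-bound traffic only because nothing more specific exists for it; intra-VNet traffic keeps using VnetLocal until a UDR with the identical /16 prefix is added, at which point the User source breaks the tie; and the service endpoint's /24 beats the /0 UDR purely on prefix length, which is why endpoint traffic stays on the backbone without touching the forced-tunnel configuration.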

To learn more about service endpoints and the Azure services and regions that service endpoints are available for, see Virtual network service endpoints.

Next steps

See Azure security best practices and patterns for more security best practices to use when you're designing, deploying, and managing your cloud solutions by using Azure.