Azure network security overview

Network security can be defined as the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The goal is to ensure that only legitimate traffic is allowed. Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the internet and Azure.

This article covers some of the options that Azure offers in the area of network security. You can learn about:

  • Azure networking
  • Network access control
  • Azure Firewall
  • Secure remote access and cross-premises connectivity
  • Availability
  • Name resolution
  • Perimeter network (DMZ) architecture
  • Azure DDoS protection
  • Azure Front Door
  • Traffic Manager
  • Monitoring and threat detection

Azure networking

Azure requires virtual machines to be connected to an Azure Virtual Network. A virtual network is a logical construct built on top of the physical Azure network fabric. Each virtual network is isolated from all other virtual networks. This helps ensure that network traffic in your deployments is not accessible to other Azure customers.

Learn more:

Network access control

Network access control is the act of limiting connectivity to and from specific devices or subnets within a virtual network. The goal of network access control is to limit access to your virtual machines and services to approved users and devices. Access controls are based on decisions to allow or deny connections to and from your virtual machine or service.

Azure supports several types of network access control, such as:

  • Network layer control
  • Route control and forced tunneling
  • Virtual network security appliances

Network layer control

Any secure deployment requires some measure of network access control. The goal of network access control is to restrict virtual machine communication to the necessary systems. Other communication attempts are blocked.

Note

Storage firewalls are covered in the Azure storage security overview article.

Network security rules (NSGs)

If you need basic network-level access control (based on IP address and the TCP or UDP protocols), you can use Network Security Groups (NSGs). An NSG is a basic, stateful, packet-filtering firewall, and it enables you to control access based on a 5-tuple. NSGs include functionality to simplify management and reduce the chances of configuration mistakes:

  • Augmented security rules simplify NSG rule definition and allow you to create complex rules rather than having to create multiple simple rules to achieve the same result.
  • Service tags are Microsoft-created labels that represent a group of IP addresses. They update dynamically to include IP ranges that meet the conditions that define inclusion in the label. For example, if you want to create a rule that applies to all Azure Storage in the East US region, you can use Storage.EastUS.
  • Application security groups allow you to deploy resources to application groups and control the access to those resources by creating rules that use those application groups. For example, if you have web servers deployed to the 'Webservers' application group, you can create a rule that applies an NSG allowing 443 traffic from the internet to all systems in the 'Webservers' application group.

NSGs do not provide application layer inspection or authenticated access controls.
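
A simulation of NSG inbound rule evaluation, added here as an illustration and not Azure's own code: it walks a packet through custom rules and the built-in default inbound rules in priority order (lowest number first, first match wins), with service tags expanded to prefixes and the page's 'Webservers' application security group expanded to its member VMs. All prefixes, tag contents, VM addresses and rule names are constructed sample values; the Internet tag is simplified to "any address outside the VNet".

```python
"""Simulation of Azure NSG inbound rule evaluation.

Added illustration, not Azure code: rules are 5-tuple filters evaluated in
priority order (lowest number first, first match wins) ahead of the three
built-in default inbound rules. Service tags expand to IP prefixes and
application security groups (ASGs) expand to member VM addresses. All
prefixes, tag contents, VM addresses and rule names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed tag/ASG membership tables (not real Azure address ranges,
# except 168.63.129.16, Azure's well-known platform address).
VNET_PREFIX = "10.0.0.0/16"
SERVICE_TAGS: Dict[str, List[str]] = {
    "VirtualNetwork": [VNET_PREFIX],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Storage.EastUS": ["203.0.113.0/24"],   # stands in for the dynamic Storage tag
}
ASGS: Dict[str, List[str]] = {"Webservers": ["10.0.1.4", "10.0.1.5"]}


@dataclass
class Rule:
    name: str
    priority: int              # custom rules use 100-4096; lower wins
    access: str                # "Allow" or "Deny"
    protocol: str = "*"        # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"          # "*", CIDR/IP, service tag, or "asg:<name>"
    dest: str = "*"
    dest_ports: List[str] = field(default_factory=lambda: ["*"])  # augmented rule: several ports/ranges


def _prefixes(selector: str) -> List[str]:
    """Expand a rule selector into the IP prefixes it stands for."""
    if selector == "*":
        return ["0.0.0.0/0"]
    if selector.startswith("asg:"):
        return [f"{ip}/32" for ip in ASGS[selector[4:]]]
    return SERVICE_TAGS.get(selector, [selector])


def _addr_matches(selector: str, addr: str) -> bool:
    a = ip_address(addr)
    if selector == "Internet":
        # Simplification of the Internet tag: any address outside the VNet.
        return a not in ip_network(VNET_PREFIX)
    return any(a in ip_network(p, strict=False) for p in _prefixes(selector))


def _port_matches(ranges: List[str], port: int) -> bool:
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")          # "443" or "8000-8080"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule: Rule, packet: Dict) -> bool:
    """5-tuple match: protocol, source address, destination address and port."""
    return (rule.protocol in ("*", packet["proto"])
            and _addr_matches(rule.source, packet["src"])
            and _addr_matches(rule.dest, packet["dst"])
            and _port_matches(rule.dest_ports, packet["dport"]))


# Azure's built-in default inbound rules (priorities 65000-65500).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Deny"),
]

# Constructed custom rule set: the page's "443 from the Internet to the
# 'Webservers' ASG" example, a higher-priority deny for one range, and one
# augmented rule covering two admin ports in a single definition.
CUSTOM_RULES = [
    Rule("DenyBlockedRange", 90, "Deny", "Tcp", "198.51.100.0/24", "asg:Webservers", ["443"]),
    Rule("AllowHttpsToWebservers", 100, "Allow", "Tcp", "Internet", "asg:Webservers", ["443"]),
    Rule("AllowAdminPorts", 200, "Allow", "Tcp", "192.0.2.0/28", "asg:Webservers", ["22", "3389"]),
]


def pkt(src: str, dst: str, dport: int, proto: str = "Tcp") -> Dict:
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def evaluate_inbound(rules: List[Rule], packet: Dict) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule_matches(rule, packet):
            return rule.access, rule.name
    return "Deny", "<unmatched>"   # unreachable: DenyAllInBound matches everything


if __name__ == "__main__":
    for p in (pkt("192.0.2.44", "10.0.1.4", 443), pkt("198.51.100.7", "10.0.1.4", 443),
              pkt("192.0.2.44", "10.0.1.4", 22), pkt("10.0.2.9", "10.0.1.4", 22)):
        print(p["src"], "->", f'{p["dst"]}:{p["dport"]}', evaluate_inbound(CUSTOM_RULES, p))
```

Note that a packet to a VM outside the ASG, or on a port no custom rule names, falls through to DenyAllInBound, while traffic between VMs inside the VNet is allowed by the default AllowVnetInBound rule unless a custom rule denies it first.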

Learn more:

ASC just-in-time VM access

Azure Security Center (ASC) can manage the NSGs on VMs and lock access to the VM until a user with the appropriate role-based access control (RBAC) permissions requests access. When the user is successfully authorized, ASC makes modifications to the NSGs to allow access to the selected ports for the time specified. When the time expires, the NSGs are restored to their previous secured state.

Learn more:

Service endpoints

Service endpoints are another way to apply control over your traffic. You can limit communication with supported services to just your VNets over a direct connection. Traffic from your VNet to the specified Azure service remains on the Microsoft Azure backbone network.

Learn more:

Route control and forced tunneling

The ability to control routing behavior on your virtual networks is critical. If routing is configured incorrectly, applications and services hosted on your virtual machine might connect to unauthorized devices, including systems owned and operated by potential attackers.

Azure networking supports the ability to customize the routing behavior for network traffic on your virtual networks. This enables you to alter the default routing table entries in your virtual network. Control of routing behavior helps you make sure that all traffic from a certain device or group of devices enters or leaves your virtual network through a specific location.

For example, you might have a virtual network security appliance on your virtual network. You want to make sure that all traffic to and from your virtual network goes through that virtual security appliance. You can do this by configuring User Defined Routes (UDRs) in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from internet hosts, so internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.

What you don't want to allow is a front-end web server initiating an outbound request. Such requests might represent a security risk because these connections can be used to download malware. Even if you do want these front-end servers to initiate outbound requests to the internet, you might want to force them to go through your on-premises web proxies. This enables you to take advantage of URL filtering and logging.

Instead, you would want to use forced tunneling to prevent this. When you enable forced tunneling, all connections to the internet are forced through your on-premises gateway. You can configure forced tunneling by taking advantage of UDRs.
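
An added illustration (not Azure's own code) of how user-defined routes change a subnet's effective routes: it applies longest-prefix matching with UDRs winning ties over system routes, and shows a 0.0.0.0/0 route to the virtual network gateway (forced tunneling) alongside a route that steers inter-subnet traffic through a virtual appliance. The address space and the appliance address 10.0.0.4 are constructed sample values.

```python
"""Effective-route resolution for an Azure subnet with user-defined routes (UDRs).

Added illustration, not Azure code. A destination is matched against the
system routes plus any UDRs; the longest matching prefix wins, and when a
user-defined route shares its prefix with a system route, the user-defined
route takes precedence. Address ranges and next-hop addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str                  # VirtualNetwork, Internet, None,
                                        # VirtualNetworkGateway, VirtualAppliance
    next_hop_ip: Optional[str] = None   # set only for VirtualAppliance
    origin: str = "System"              # "System" or "User"


VNET_PREFIX = "10.0.0.0/16"             # constructed address space

# Default system routes Azure creates for every subnet (the relevant subset).
SYSTEM_ROUTES: List[Route] = [
    Route(VNET_PREFIX, "VirtualNetwork"),
    Route("0.0.0.0/0", "Internet"),
    Route("10.0.0.0/8", "None"),        # dropped unless a longer prefix matches
    Route("172.16.0.0/12", "None"),
    Route("192.168.0.0/16", "None"),
]

# Forced tunneling: a UDR that sends every destination not covered by a
# longer prefix to the VPN gateway instead of straight to the internet.
FORCED_TUNNEL_UDR = Route("0.0.0.0/0", "VirtualNetworkGateway", origin="User")

# Steer traffic for the 10.0.2.0/24 subnet through a network virtual
# appliance at 10.0.0.4 (constructed address) so it can be inspected.
NVA_UDR = Route("10.0.2.0/24", "VirtualAppliance", "10.0.0.4", "User")


def resolve(routes: List[Route], dst: str) -> Route:
    """Pick the effective route for dst: longest prefix, then User over System."""
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in ip_network(r.prefix)]
    # Every address matches 0.0.0.0/0, so there is always at least one candidate.
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, r.origin == "User"))


def next_hop(routes: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    route = resolve(routes, dst)
    return route.next_hop_type, route.next_hop_ip


def internet_egress_blocked(routes: List[Route]) -> bool:
    """True when a public destination no longer resolves to the 'Internet'
    next hop, i.e. the subnet cannot initiate connections straight to the
    internet (the goal of forced tunneling). 192.0.2.80 is a documentation
    address standing in for an arbitrary public host."""
    return resolve(routes, "192.0.2.80").next_hop_type != "Internet"


if __name__ == "__main__":
    forced = SYSTEM_ROUTES + [FORCED_TUNNEL_UDR]
    inspected = forced + [NVA_UDR]
    for label, table in (("system only", SYSTEM_ROUTES), ("forced tunnel", forced),
                         ("forced + NVA", inspected)):
        print(label, "->", next_hop(table, "192.0.2.80"), next_hop(table, "10.0.2.5"),
              "egress blocked:", internet_egress_blocked(table))
```

Traffic inside the VNet keeps its VirtualNetwork next hop under the forced-tunnel UDR because the /16 system route is a longer match than 0.0.0.0/0; only the more specific NVA route overrides it for the 10.0.2.0/24 subnet.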

Learn more:

Virtual network security appliances

While NSGs, UDRs, and forced tunneling provide you a level of security at the network and transport layers of the OSI model, you might also want to enable security at levels higher than the network.

For example, your security requirements might include:

  • Authentication and authorization before allowing access to your application
  • Intrusion detection and intrusion response
  • Application layer inspection for high-level protocols
  • URL filtering
  • Network-level antivirus and antimalware
  • Anti-bot protection
  • Application access control
  • Additional DDoS protection (above the DDoS protection provided by the Azure fabric itself)

You can access these enhanced network security features by using an Azure partner solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security."

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Some features include:

  • High availability
  • Cloud scalability
  • Application FQDN filtering rules
  • Network traffic filtering rules

Learn more:

Secure remote access and cross-premises connectivity

Setup, configuration, and management of your Azure resources need to be done remotely. In addition, you might want to deploy hybrid IT solutions that have components on-premises and in the Azure public cloud. These scenarios require secure remote access.

Azure networking supports the following secure remote access scenarios:

  • Connect individual workstations to a virtual network
  • Connect your on-premises network to a virtual network with a VPN
  • Connect your on-premises network to a virtual network with a dedicated WAN link
  • Connect virtual networks to each other

Connect individual workstations to a virtual network

You might want to enable individual developers or operations personnel to manage virtual machines and services in Azure. For example, let's say you need access to a virtual machine on a virtual network. But your security policy does not allow RDP or SSH remote access to individual virtual machines. In this case, you can use a point-to-site VPN connection.

The point-to-site VPN connection enables you to set up a private and secure connection between the user and the virtual network. When the VPN connection is established, the user can RDP or SSH over the VPN link into any virtual machine on the virtual network. (This assumes that the user can authenticate and is authorized.) Point-to-site VPN supports:

  • Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can penetrate firewalls, since most firewalls open TCP port 443, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).

  • OpenVPN

Learn more:

Connect your on-premises network to a virtual network with a VPN

You might want to connect your entire corporate network, or portions of it, to a virtual network. This is common in hybrid IT scenarios, where organizations extend their on-premises datacenter into Azure. In many cases, organizations host parts of a service in Azure, and parts on-premises. For example, they might do so when a solution includes front-end web servers in Azure and back-end databases on-premises. These types of "cross-premises" connections also make management of Azure-located resources more secure, and enable scenarios such as extending Active Directory domain controllers into Azure.

One way to accomplish this is to use a site-to-site VPN. The difference between a site-to-site VPN and a point-to-site VPN is that the latter connects a single device to a virtual network. A site-to-site VPN connects an entire network (such as your on-premises network) to a virtual network. Site-to-site VPNs to a virtual network use the highly secure IPsec tunnel mode VPN protocol.

Learn more:

Point-to-site and site-to-site VPN connections are effective for enabling cross-premises connectivity. However, some organizations consider them to have the following drawbacks:

  • VPN connections move data over the internet. This exposes these connections to potential security issues involved with moving data over a public network. In addition, reliability and availability for internet connections cannot be guaranteed.
  • VPN connections to virtual networks might not have the bandwidth for some applications and purposes, as they max out at around 200 Mbps.

Organizations that need the highest level of security and availability for their cross-premises connections typically use dedicated WAN links to connect to remote sites. Azure provides you the ability to use a dedicated WAN link that you can use to connect your on-premises network to a virtual network. Azure ExpressRoute, ExpressRoute Direct, and ExpressRoute Global Reach enable this.

Learn more:

Connect virtual networks to each other

It is possible to use many virtual networks for your deployments. There are various reasons why you might do this. You might want to simplify management, or you might want increased security. Regardless of the motivation for putting resources on different virtual networks, there might be times when you want resources on each of the networks to connect with one another.

One option is for services on one virtual network to connect to services on another virtual network by "looping back" through the internet. The connection starts on one virtual network, goes through the internet, and then comes back to the destination virtual network. This option exposes the connection to the security issues inherent in any internet-based communication.

A better option might be to create a site-to-site VPN that connects between two virtual networks. This method uses the same IPsec tunnel mode protocol as the cross-premises site-to-site VPN connection mentioned above.

The advantage of this approach is that the VPN connection is established over the Azure network fabric, instead of connecting over the internet. This provides you an extra layer of security, compared to site-to-site VPNs that connect over the internet.

Learn more:

Another way to connect your virtual networks is VNet peering. This feature allows you to connect two Azure networks so that communication between them happens over the Microsoft backbone infrastructure without it ever going over the internet. VNet peering can connect two VNets within the same region or two VNets across Azure regions. NSGs can be used to limit connectivity between different subnets or systems.

Availability

Availability is a key component of any security program. If your users and systems can't access what they need to access over the network, the service can be considered compromised. Azure has networking technologies that support the following high-availability mechanisms:

  • HTTP-based load balancing
  • Network level load balancing
  • Global load balancing

Load balancing is a mechanism designed to equally distribute connections among multiple devices. The goals of load balancing are:

  • To increase availability. When you load balance connections across multiple devices, one or more of the devices can become unavailable without compromising the service. The services running on the remaining online devices can continue to serve the content from the service.
  • To increase performance. When you load balance connections across multiple devices, a single device doesn't have to handle all processing. Instead, the processing and memory demands for serving the content are spread across multiple devices.

HTTP-based load balancing

Organizations that run web-based services often want an HTTP-based load balancer in front of those web services. This helps ensure adequate levels of performance and high availability. Traditional, network-based load balancers rely on network and transport layer protocols. HTTP-based load balancers, on the other hand, make decisions based on characteristics of the HTTP protocol.

Azure Application Gateway provides HTTP-based load balancing for your web-based services. Application Gateway supports:

  • Cookie-based session affinity. This capability makes sure that connections established to one of the servers behind the load balancer stay intact between the client and server. This ensures stability of transactions.
  • SSL offload. When a client connects with the load balancer, that session is encrypted by using the HTTPS (SSL) protocol. However, in order to increase performance, you can use the HTTP (unencrypted) protocol to connect between the load balancer and the web server behind the load balancer. This is referred to as "SSL offload," because the web servers behind the load balancer don't experience the processor overhead involved with encryption. The web servers can therefore service requests more quickly.
  • URL-based content routing. This feature makes it possible for the load balancer to make decisions about where to forward connections based on the target URL. This provides a lot more flexibility than solutions that make load balancing decisions based on IP addresses.

Learn more:

Network level load balancing

In contrast to HTTP-based load balancing, network level load balancing makes decisions based on IP address and port (TCP or UDP) numbers. You can gain the benefits of network level load balancing in Azure by using Azure Load Balancer. Some key characteristics of Load Balancer include:

  • Network level load balancing based on IP address and port numbers.
  • Support for any application layer protocol.
  • Load balances to Azure virtual machines and cloud services role instances.
  • Can be used for both internet-facing (external load balancing) and non-internet-facing (internal load balancing) applications and virtual machines.
  • Endpoint monitoring, which is used to determine if any of the services behind the load balancer have become unavailable.

Learn more:

Global load balancing

Some organizations want the highest level of availability possible. One way to reach this goal is to host applications in globally distributed datacenters. When an application is hosted in datacenters located throughout the world, it's possible for an entire geopolitical region to become unavailable and still have the application up and running.

This load-balancing strategy can also yield performance benefits. You can direct requests for the service to the datacenter that is nearest to the device that is making the request.

In Azure, you can gain the benefits of global load balancing by using Azure Traffic Manager.

Learn more:

Name resolution

Name resolution is a critical function for all services you host in Azure. From a security perspective, compromise of the name resolution function can lead to an attacker redirecting requests from your sites to an attacker's site. Secure name resolution is a requirement for all your cloud-hosted services.

There are two types of name resolution you need to address:

  • Internal name resolution. This is used by services on your virtual networks, your on-premises networks, or both. Names used for internal name resolution are not accessible over the internet. For optimal security, it's important that your internal name resolution scheme is not accessible to external users.
  • External name resolution. This is used by people and devices outside of your on-premises networks and virtual networks. These are the names that are visible to the internet, and are used to direct connections to your cloud-based services.

For internal name resolution, you have two options:

  • A virtual network DNS server. When you create a new virtual network, a DNS server is created for you. This DNS server can resolve the names of the machines located on that virtual network. This DNS server is not configurable, is managed by the Azure fabric manager, and can therefore help you secure your name resolution solution.
  • Bring your own DNS server. You have the option of putting a DNS server of your own choosing on your virtual network. This DNS server can be an Active Directory integrated DNS server, or a dedicated DNS server solution provided by an Azure partner, which you can obtain from the Azure Marketplace.

Learn more:

For external name resolution, you have two options:

  • Host your own external DNS server on-premises.
  • Host your own external DNS server with a service provider.

Many large organizations host their own DNS servers on-premises. They can do this because they have the networking expertise and global presence to do so.

In most cases, it's better to host your DNS name resolution services with a service provider. These service providers have the network expertise and global presence to ensure very high availability for your name resolution services. Availability is essential for DNS services, because if your name resolution services fail, no one will be able to reach your internet-facing services.

Azure provides you with a highly available and high-performing external DNS solution in the form of Azure DNS. This external name resolution solution takes advantage of the worldwide Azure DNS infrastructure. It allows you to host your domain in Azure, using the same credentials, APIs, tools, and billing as your other Azure services. As part of Azure, it also inherits the strong security controls built into the platform.

Learn more:

Perimeter network architecture

Many large organizations use perimeter networks to segment their networks and create a buffer zone between the internet and their services. The perimeter portion of the network is considered a low-security zone, and no high-value assets are placed in that network segment. You'll typically see network security devices that have a network interface on the perimeter network segment. Another network interface is connected to a network that has virtual machines and services that accept inbound connections from the internet.

You can design perimeter networks in a number of different ways. The decision to deploy a perimeter network, and then what type of perimeter network to use if you decide to use one, depends on your network security requirements.

Learn more:

Azure DDoS 保護Azure DDoS protection

分散式阻斷服務 (DDoS) 攻擊是將應用程式移至雲端的客戶所面臨的最大可用性和安全性顧慮之一。Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers that are moving their applications to the cloud. DDoS 攻擊會嘗試耗盡應用程式的資源,讓合法使用者無法使用該應用程式。A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS 攻擊可以鎖定可透過網際網路公開觸達的任何端點。DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet. Microsoft 提供在 Azure 平台中名為基本的 DDoS 保護。Microsoft provides DDoS protection known as Basic as part of the Azure Platform. 此功能不收費,且會持續監視和即時緩解常見的網路層級攻擊。This comes at no charge and includes always on monitoring and real-time mitigation of common network level attacks. 除了隨附於 DDoS 保護基本的保護功能以外,您也可以啟用標準選項。In addition to the protections included with DDoS protection Basic you can enable the Standard option. DDoS Protection Standard 功能包括:DDoS Protection Standard features include:

  • 原生平台整合: 原生整合至 Azure。Native platform integration: Natively integrated into Azure. 包括透過 Azure 入口網站進行設定。Includes configuration through the Azure portal. DDoS Protection Standard 了解您的資源和資源組態。DDoS Protection Standard understands your resources and resource configuration.
  • 現成的保護: 經過簡化的設定會在啟用「DDoS 保護標準」後,立即保護虛擬網路上的所有資源。Turn-key protection: Simplified configuration immediately protects all resources on a virtual network as soon as DDoS Protection Standard is enabled. 不需要任何介入或使用者定義。No intervention or user definition is required. 一旦偵測到攻擊,DDoS Protection Standard 就會立即自動減輕攻擊。DDoS Protection Standard instantly and automatically mitigates the attack, once it is detected.
  • 永遠可用流量監視: 您的應用程式流量模式受到全年無休的全天候監視,以尋找 DDoS 攻擊的指標。Always-on traffic monitoring: Your application traffic patterns are monitored 24 hour a day, 7 days a week, looking for indicators of DDoS attacks. 超出保護原則時,就會執行安全防護功能。Mitigation is performed when protection policies are exceeded.
  • 攻擊風險降低報攻擊風險降低報告會使用彙總的網路流量資料,提供有關以您資源為目標的攻擊詳細資訊。Attack Mitigation Reports Attack Mitigation Reports use aggregated network flow data to provide detailed information about attacks targeted at your resources.
  • 攻擊風險降低流程記錄攻擊風險降低流程記錄可讓您在作用中 DDoS 攻擊期間,近乎即時地查看丟棄的流量、轉送的流量及其他相關攻擊資料。Attack Mitigation Flow Logs Attack Mitigation Flow Logs allow you to review the dropped traffic, forwarded traffic and other attack data in near real-time during an active DDoS attack.
  • 自適性調整: 智慧型流量分析功能可了解不同時間的應用程式流量,並選取及更新最適合您服務的設定檔。Adaptive tuning: Intelligent traffic profiling learns your application's traffic over time, and selects and updates the profile that is the most suitable for your service. 設定檔會隨著時間調整流量變更。The profile adjusts as traffic changes over time. 第 3 層至第 7 層保護:與 Web 應用程式防火牆搭配使用時,提供完整堆疊 DDoS 保護。Layer 3 to layer 7 protection: Provides full stack DDoS protection, when used with a web application firewall.
  • 廣泛的安全防護範圍: 可利用全域功能降低超過 60 種不同攻擊類型的風險,以抵禦最大的已知 DDoS 攻擊。Extensive mitigation scale: Over 60 different attack types can be mitigated, with global capacity, to protect against the largest known DDoS attacks.
  • 攻擊計量: 透過 Azure 監視器可以存取每個攻擊的摘要計量。Attack metrics: Summarized metrics from each attack are accessible through Azure Monitor.
  • 攻擊警示: 警示可設定為在開始和停止攻擊時,並且在攻擊的持續時間內使用內建攻擊計量。Attack alerting: Alerts can be configured at the start and stop of an attack, and over the attack's duration, using built-in attack metrics. 警示會整合到您的作業軟體,例如 Microsoft Azure 監視器記錄檔、 Splunk、 Azure 儲存體、 電子郵件和 Azure 入口網站。Alerts integrate into your operational software like Microsoft Azure Monitor logs, Splunk, Azure Storage, Email, and the Azure portal.
  • 成本保證: 資料傳輸和應用程式相應放大服務會針對記載的 DDoS 攻擊計算點數。Cost guarantee: Data-transfer and application scale-out service credits for documented DDoS attacks.
  • DDoS 快速回應標準 DDoS 保護的客戶現在可以在攻擊進行期間,連絡 Rapid Response 小組。DDoS Rapid responsive DDoS Protection Standard customers now have access to Rapid Response team during an active attack. DRR 可協助您在攻擊發生期間調查攻擊和自訂移轉,以及進行攻擊後的分析。DRR can help with attack investigation, custom mitigations during an attack and post-attack analysis.

Learn more:

Azure Front Door

Azure Front Door Service enables you to define, manage, and monitor the global routing of your web traffic. It optimizes your traffic's routing for best performance and high availability. Azure Front Door lets you author custom web application firewall (WAF) rules for access control to protect your HTTP/HTTPS workload from exploitation based on client IP addresses, country code, and HTTP parameters. Front Door also lets you create rate-limiting rules to counter malicious bot traffic, and it includes SSL offloading and per-request, application-layer processing of HTTP/HTTPS traffic.

The Front Door platform itself is protected by Azure DDoS Protection Basic. For further protection, Azure DDoS Protection Standard can be enabled on your VNets to safeguard resources from network-layer (TCP/UDP) attacks through automatic tuning and mitigation. Front Door is a layer 7 reverse proxy: it only allows web traffic to pass through to back-end servers and blocks other types of traffic by default.

Learn more:

Azure Traffic Manager

Azure Traffic Manager is a DNS-based traffic load balancer that enables you to distribute traffic optimally to services across global Azure regions, while providing high availability and responsiveness. Traffic Manager uses DNS to direct client requests to the most appropriate service endpoint based on a traffic-routing method and the health of the endpoints. An endpoint is any internet-facing service hosted inside or outside of Azure. Traffic Manager monitors the endpoints and does not direct traffic to any endpoint that is unavailable.

Learn more:
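To make the routing behaviour concrete, the following added example (not Traffic Manager's own code) simulates the decision it makes for each DNS query: endpoints that fail their health probe are excluded, and the Priority or Weighted routing method picks among the remaining ones. The endpoints, probe results, the "HTTP 200 means healthy" rule, and the all-endpoints-failed fallback are constructed assumptions for illustration.

```python
"""Simulate Traffic Manager-style, health-aware endpoint selection for a DNS answer.

Added example, not Traffic Manager's own code. Endpoints, probe results and the
health rule below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    name: str
    target: str        # DNS name returned to the client
    priority: int      # Priority routing: lower number is preferred
    weight: int        # Weighted routing: share of answers
    enabled: bool = True


def is_healthy(status: Optional[int]) -> bool:
    """Assumption: a probe is healthy only on HTTP 200; a timeout (None) is a failure."""
    return status == 200


def eligible(endpoints: List[Endpoint], probe_results: Dict[str, Optional[int]]) -> List[Endpoint]:
    """Enabled endpoints whose last probe passed.

    Assumption: if every endpoint fails its probe, keep answering with all enabled
    endpoints rather than returning nothing, so clients are not blacked out.
    """
    healthy = [e for e in endpoints if e.enabled and is_healthy(probe_results.get(e.name))]
    return healthy or [e for e in endpoints if e.enabled]


def resolve(endpoints: List[Endpoint], probe_results: Dict[str, Optional[int]],
            method: str = "Priority", rand: float = 0.0) -> Optional[str]:
    """Return the target that a Traffic Manager-style DNS answer would contain.

    `rand` is a value in [0, 1) supplied by the caller for Weighted routing, so
    the selection stays deterministic and testable.
    """
    candidates = eligible(endpoints, probe_results)
    if not candidates:
        return None
    if method == "Priority":
        # Failover: the lowest priority number among healthy endpoints wins
        return min(candidates, key=lambda e: e.priority).target
    if method == "Weighted":
        # Pick proportionally to weight among healthy endpoints
        total = sum(e.weight for e in candidates)
        cut = rand * total
        acc = 0
        for e in candidates:
            acc += e.weight
            if cut < acc:
                return e.target
        return candidates[-1].target
    raise ValueError(f"unsupported routing method: {method}")


# Constructed sample: two regional endpoints and two probe snapshots
ENDPOINTS = [
    Endpoint("eastus", "app-eastus.example.net", priority=1, weight=3),
    Endpoint("westeurope", "app-weu.example.net", priority=2, weight=1),
]
PROBES_DEGRADED = {"eastus": 503, "westeurope": 200}   # primary region is failing
PROBES_ALL_UP = {"eastus": 200, "westeurope": 200}

if __name__ == "__main__":
    print("Priority, primary degraded:", resolve(ENDPOINTS, PROBES_DEGRADED))
    print("Priority, all healthy:     ", resolve(ENDPOINTS, PROBES_ALL_UP))
    print("Weighted, rand=0.9:        ", resolve(ENDPOINTS, PROBES_ALL_UP, "Weighted", 0.9))
```

The point for a defender is the first call: once the East US probe returns 503, no DNS answer points at it, so clients fail over without any change on their side. Keep in mind that existing DNS caches keep old answers until the record's TTL expires, which bounds how quickly failover takes effect.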

Monitoring and threat detection

Azure provides capabilities to help you in this key area with early detection, monitoring, and collecting and reviewing network traffic.

Azure Network Watcher

Azure Network Watcher can help you troubleshoot, and provides a whole new set of tools to assist with the identification of security issues.

Security Group View helps with auditing and security compliance of virtual machines. Use this feature to perform programmatic audits, comparing the baseline policies defined by your organization to the effective rules for each of your VMs. This can help you identify any configuration drift.

Packet capture allows you to capture network traffic to and from the virtual machine. You can collect network statistics and troubleshoot application issues, which can be invaluable in the investigation of network intrusions. You can also use this feature together with Azure Functions to start network captures in response to specific Azure alerts.

For more information on Network Watcher and how to start testing some of the functionality in your labs, see Azure Network Watcher monitoring overview.

Note

For the most up-to-date notifications on availability and status of this service, check the Azure updates page.
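What such a programmatic audit looks like, as an added example (not Network Watcher's own code or its output format): the effective inbound rules of each VM are evaluated in priority order, exactly as an NSG does, for a set of ports of interest, and any port reachable from the internet that the organization's baseline does not allow is reported as drift. The rule records, their field names, and the baseline are constructed assumptions; in practice you would feed in the effective rules exported for each NIC.

```python
"""Audit effective NSG rules against an organizational baseline to find drift.

Added example, not Network Watcher output. The rule records and their field names
are constructed assumptions loosely modelled on NSG rule properties.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # address prefix or service tag
    dest_ports: str      # "22", "80-443", "*" or a comma-separated list


# Source prefixes/tags that admit traffic from the public internet
INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0"}
# Baseline (assumption): the only ports that may be open to the internet on any VM
BASELINE_INTERNET_PORTS = {443}
# Ports the audit checks on every VM
PORTS_OF_INTEREST = (22, 80, 443, 445, 3389)


def port_matches(port: int, spec: str) -> bool:
    """True if `port` falls inside an NSG destination port specification."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def effective_access(rules: List[Rule], port: int, protocol: str = "Tcp") -> Tuple[str, Optional[str]]:
    """First-match evaluation of inbound rules for an internet-sourced packet.

    Rules are applied in ascending priority; the first rule whose protocol,
    source and destination port match decides. No match means deny.
    """
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != "Inbound" or r.protocol not in ("*", protocol):
            continue
        if r.source not in INTERNET_SOURCES:
            continue        # rule does not apply to traffic from the internet
        if port_matches(port, r.dest_ports):
            return r.access, r.name
    return "Deny", None


def audit(effective_rules_by_vm: Dict[str, List[Rule]]) -> Dict[str, List[Tuple[int, str]]]:
    """Per VM, the internet-exposed ports outside the baseline and the rule exposing them."""
    findings = {}
    for vm, rules in effective_rules_by_vm.items():
        drift = []
        for port in PORTS_OF_INTEREST:
            access, rule_name = effective_access(rules, port)
            if access == "Allow" and port not in BASELINE_INTERNET_PORTS:
                drift.append((port, rule_name))
        findings[vm] = drift
    return findings


# Constructed effective rule sets for two VMs (sample data, not real exports)
EFFECTIVE_RULES = {
    "vm-web": [
        Rule("AllowHTTPS", 100, "Inbound", "Allow", "Tcp", "Internet", "443"),
        Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*"),
    ],
    "vm-db": [
        Rule("AllowRDPTemp", 110, "Inbound", "Allow", "Tcp", "*", "3389"),
        Rule("AllowVnetInbound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
        Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*"),
    ],
}

if __name__ == "__main__":
    for vm, drift in audit(EFFECTIVE_RULES).items():
        status = "OK" if not drift else ", ".join(f"port {p} exposed by {r}" for p, r in drift)
        print(f"{vm}: {status}")
```

The "temporary" RDP rule on vm-db is the kind of drift this catches: it is valid NSG configuration, so nothing errors, but it opens 3389 to any source, which the baseline does not permit.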

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats, and provides you with increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a large set of security solutions.

Security Center helps you optimize and monitor network security by:

  • Providing network security recommendations.
  • Monitoring the state of your network security configuration.
  • Alerting you to network-based threats, at both the endpoint and network levels.

Learn more:

Virtual Network TAP

Azure virtual network TAP (Terminal Access Point) allows you to continuously stream your virtual machine network traffic to a network packet collector or analytics tool. The collector or analytics tool is provided by a network virtual appliance partner. You can use the same virtual network TAP resource to aggregate traffic from multiple network interfaces in the same or different subscriptions.

Learn more:

Logging

Logging at the network level is a key function for any network security scenario. In Azure, you can log the information obtained for NSGs to get network-level logging information. With NSG logging, you get information from:

  • Activity logs. Use these logs to view all operations submitted to your Azure subscriptions. These logs are enabled by default and can be used within the Azure portal. They were previously known as audit or operational logs.
  • Event logs. These logs provide information about which NSG rules were applied.
  • Counter logs. These logs let you know how many times each NSG rule was applied to deny or allow traffic.

You can also use Microsoft Power BI, a powerful data visualization tool, to view and analyze these logs.

Learn more:
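As an added example (not Azure's own tooling or log format), the following block shows what you can get out of the event and counter views once the records are in hand: it derives the per-rule allow/block totals that the counter logs summarize from individual event records, and then flags any source that keeps being denied across many ports, which is a pattern worth a closer look in an investigation. The JSON lines and their field names are constructed assumptions loosely modelled on the NSG event log; adjust the keys to the schema you actually export.

```python
"""Summarize NSG event records per rule and flag sources with repeated denies.

Added example, not Azure output: the records are constructed JSON lines and the
field names (ruleName, type, conditions.sourceIP, ...) are assumptions.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: a burst of blocked connection attempts from 203.0.113.10,
# one blocked HTTP probe from 198.51.100.7, and legitimate HTTPS traffic
SAMPLE_LOG = """
{"time":"2021-06-01T10:00:01Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"203.0.113.10","destinationPortRange":"22"}}
{"time":"2021-06-01T10:00:02Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"203.0.113.10","destinationPortRange":"3389"}}
{"time":"2021-06-01T10:00:02Z","ruleName":"AllowHTTPS","direction":"In","type":"allow","conditions":{"sourceIP":"192.0.2.5","destinationPortRange":"443"}}
{"time":"2021-06-01T10:00:03Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"203.0.113.10","destinationPortRange":"445"}}
{"time":"2021-06-01T10:00:04Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"198.51.100.7","destinationPortRange":"80"}}
{"time":"2021-06-01T10:00:05Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"203.0.113.10","destinationPortRange":"23"}}
{"time":"2021-06-01T10:00:06Z","ruleName":"AllowHTTPS","direction":"In","type":"allow","conditions":{"sourceIP":"192.0.2.9","destinationPortRange":"443"}}
{"time":"2021-06-01T10:00:07Z","ruleName":"DenyAllInbound","direction":"In","type":"block","conditions":{"sourceIP":"203.0.113.10","destinationPortRange":"21"}}
{"time":"2021-06-01T10:00:08Z","ruleName":"AllowHTTPS","direction":"In","type":"allow","conditions":{"sourceIP":"192.0.2.5","destinationPortRange":"443"}}
"""


def parse_records(text: str) -> List[dict]:
    """Parse JSON-lines text into record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def rule_counters(records: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-rule allow/block totals: the view the counter logs provide."""
    counters: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allow": 0, "block": 0})
    for rec in records:
        counters[rec["ruleName"]][rec["type"]] += 1
    return dict(counters)


def noisy_sources(records: List[dict], threshold: int) -> List[str]:
    """Source IPs blocked at least `threshold` times, most-blocked first."""
    blocked = Counter(r["conditions"]["sourceIP"] for r in records if r["type"] == "block")
    return [ip for ip, n in blocked.most_common() if n >= threshold]


def blocked_ports(records: List[dict], source_ip: str) -> List[str]:
    """Distinct destination ports on which `source_ip` was denied, ascending.

    Many distinct ports from one source looks like a sweep; many denies on a
    single port looks more like a misconfigured client or a brute-force attempt.
    """
    ports = {r["conditions"]["destinationPortRange"]
             for r in records if r["type"] == "block" and r["conditions"]["sourceIP"] == source_ip}
    return sorted(ports, key=int)


RECORDS = parse_records(SAMPLE_LOG)

if __name__ == "__main__":
    for rule, counts in rule_counters(RECORDS).items():
        print(f"{rule}: allow={counts['allow']} block={counts['block']}")
    for ip in noisy_sources(RECORDS, threshold=5):
        print(f"review {ip}: denied on ports {', '.join(blocked_ports(RECORDS, ip))}")
```

Run against real exports, the threshold and the time window are the knobs to tune; a single address denied on five different ports within a few seconds is a much stronger signal than five denies spread over a day.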