Security attributes for Azure App Service

This article documents the security attributes built into Azure App Service.

A security attribute is a quality or feature of an Azure service. It contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

Security attributes are categorized as:

  • Preventative
  • Network segmentation
  • Detection
  • Support for identity and access management
  • Audit trail
  • Access controls (if used)
  • Configuration management (if used)

In each category, we show "Yes" or "No" to indicate whether an attribute is used. For some services, we show "N/A" for an attribute that is not applicable. We might also provide a note or a link to more information about an attribute.

Preventative

| Security attribute | Yes/No | Notes |
|---|---|---|
| Encryption at rest (such as server-side encryption, server-side encryption with customer-managed keys, and other encryption features) | Yes | Web site file content is stored in Azure Storage, which automatically encrypts the content at rest. See Azure Storage encryption for data at rest. Customer-supplied secrets are encrypted at rest while stored in App Service configuration databases. Locally attached disks can optionally be used as temporary storage by web sites (D:\local and %TMP%). Locally attached disks are not encrypted at rest, so do not write secrets or other sensitive data to them. |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-to-VNet encryption) | Yes | Customers can configure web sites to require and use HTTPS for inbound traffic. |
| Encryption key handling (CMK, BYOK, etc.) | Yes | Customers can choose to store application secrets in Key Vault and retrieve them at runtime. See Use Key Vault references for App Service and Azure Functions (preview). |
| Column level encryption (Azure Data Services) | N/A | |
| API calls encrypted | Yes | Management calls to configure App Service occur via Azure Resource Manager calls over HTTPS. |
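The two preventative controls a customer actually has to turn on, HTTPS-only inbound traffic and Key Vault references for application secrets, are shown together below. This is an added example written for this page, not code from the Azure documentation; it uses the Az.Websites and Az.KeyVault PowerShell modules in an already authenticated session (Connect-AzAccount), and the resource group, app, vault and secret names are assumed placeholders.

```powershell
# Added example (not from the Azure docs page). Assumes Az.Websites + Az.KeyVault
# and that Connect-AzAccount has already been run. All names below are placeholders.
$rg     = 'rg-example'
$app    = 'webapp-example'
$vault  = 'kv-example'
$secret = 'DbConnectionString'

# 1. Inbound transport: with HttpsOnly set, App Service redirects plain HTTP to HTTPS.
#    Raising the minimum TLS version and disabling plain FTP close the remaining
#    cleartext paths (parameter names per Az.Websites as I know them).
Set-AzWebApp -ResourceGroupName $rg -Name $app `
    -HttpsOnly $true -MinTlsVersion '1.2' -FtpsState 'FtpsOnly' | Out-Null

# 2. Give the app a system-assigned managed identity and let only that identity
#    read secrets from the vault (get only: no list, no set).
$site = Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true
Set-AzKeyVaultAccessPolicy -VaultName $vault `
    -ObjectId $site.Identity.PrincipalId -PermissionsToSecrets get

# 3. Store a Key Vault *reference* in app settings, never the secret value itself.
#    -AppSettings replaces the whole collection, so merge with the existing settings first.
$settings = @{}
foreach ($s in (Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings) {
    $settings[$s.Name] = $s.Value
}
$settings['DB_CONNECTION'] = "@Microsoft.KeyVault(SecretUri=https://${vault}.vault.azure.net/secrets/${secret}/)"
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# 4. Check: the configuration database holds the reference string, not the secret.
#    App Service resolves it when the app starts and exposes the value to the
#    process as an environment variable. A reference that could not be resolved
#    (missing access policy, wrong URI) is left unresolved as the literal string.
(Get-AzWebApp -ResourceGroupName $rg -Name $app).SiteConfig.AppSettings |
    Where-Object Name -eq 'DB_CONNECTION'
```

Two points worth verifying after running this: read the setting back and confirm it still starts with `@Microsoft.KeyVault(`, and confirm in the app's logs that the secret resolved, since an unresolved reference is handed to the application as the literal reference text rather than failing loudly.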

Network segmentation

| Security attribute | Yes/No | Notes |
|---|---|---|
| Service endpoint support | Yes | Currently available in preview for App Service. See Azure App Service Access Restrictions. |
| Network isolation and firewalling support | Yes | For the public multi-tenant variation of App Service, customers can configure network ACLs (IP restrictions) to lock down allowed inbound traffic. See Azure App Service Access Restrictions. App Service Environments are deployed directly into virtual networks and hence can be secured with NSGs. |
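For the multi-tenant service, the access restriction list is the network control a customer owns. The following added example (written for this page, not taken from the Azure documentation) builds one with both rule types the table mentions: an IP range and a virtual network subnet reached through a service endpoint. It assumes the Az.Websites module and placeholder resource names; the subnet resource ID is a stand-in that you would replace with your own.

```powershell
# Added example (not from the Azure docs page). Assumes Az.Websites and an
# authenticated session. Resource names and the subnet ID are placeholders.
$rg  = 'rg-example'
$app = 'webapp-example'

# Rule 1: allow a corporate egress range. Lower priority number is evaluated first.
# As soon as the first Allow rule exists, App Service appends an implicit "Deny all",
# so everything not listed is blocked from this point on.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'corp-egress' -Priority 100 -Action Allow -IpAddress '203.0.113.0/24'

# Rule 2: allow a VNet subnet. The subnet must have the Microsoft.Web service
# endpoint enabled; without it the cmdlet refuses the rule (unless
# -IgnoreMissingServiceEndpoint is given), and traffic from the subnet would
# still arrive with a public source address and hit the deny.
$subnetId = '/subscriptions/<subscription-id>/resourceGroups/rg-example' +
            '/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/app-clients'
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'vnet-clients' -Priority 200 -Action Allow -SubnetId $subnetId

# The Kudu/SCM site (deployment, console, file browser) has its own list and is
# NOT covered by the rules above. Lock it down separately with -TargetScmSite.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
    -Name 'corp-egress-scm' -Priority 100 -Action Allow -IpAddress '203.0.113.0/24' -TargetScmSite

# Review the effective lists for both sites.
$cfg = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
$cfg.MainSiteAccessRestrictions | Select-Object RuleName, Priority, Action, IpAddress, SubnetId
$cfg.ScmSiteAccessRestrictions  | Select-Object RuleName, Priority, Action, IpAddress, SubnetId
```

The SCM site is the detail most often missed: a main-site allow list that leaves `*.scm.azurewebsites.net` open still exposes deployment and a remote console to anyone with credentials, so review both lists, not just the first.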

Detection

| Security attribute | Yes/No | Notes |
|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | App Service integrates with Application Insights for languages that support Application Insights (full .NET Framework, .NET Core, Java and Node.js). See Monitor Azure App Service performance. App Service also sends application metrics into Azure Monitor. See Monitor apps in Azure App Service. |
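The platform metrics App Service sends to Azure Monitor are enough for a simple detection without any agent or code change. The added example below (written for this page, not from the Azure documentation) pulls the Http401 and Http403 counters for an app and flags five-minute windows where rejected requests spike relative to total requests, which is the shape of credential stuffing or path probing. It assumes the Az.Websites and Az.Monitor modules, placeholder names, and a threshold chosen for illustration.

```powershell
# Added example (not from the Azure docs page). Assumes Az.Websites + Az.Monitor
# and an authenticated session. Names and the threshold are placeholders.
$rg  = 'rg-example'
$app = 'webapp-example'
$site = Get-AzWebApp -ResourceGroupName $rg -Name $app

$end   = Get-Date
$start = $end.AddHours(-6)
$grain = [TimeSpan]::FromMinutes(5)

# One call per metric; each returns Data as a list of timestamped values.
# Http401/Http403/Requests are standard Microsoft.Web/sites platform metrics.
function Get-SeriesTotals([string]$metric) {
    $m = Get-AzMetric -ResourceId $site.Id -MetricName $metric -TimeGrain $grain `
            -StartTime $start -EndTime $end -AggregationType Total
    $table = @{}
    foreach ($point in $m.Data) { $table[$point.TimeStamp] = [double]($point.Total) }
    return $table
}

$requests = Get-SeriesTotals 'Requests'
$denied   = Get-SeriesTotals 'Http401'
$forbid   = Get-SeriesTotals 'Http403'

# Flag windows where more than 30% of traffic (and at least 50 requests) was
# rejected with 401/403. The ratio matters more than the raw count: a quiet
# app with 40 rejected out of 45 requests is a stronger signal than 200 out of 20000.
$threshold = 0.30
foreach ($ts in ($requests.Keys | Sort-Object)) {
    $total = $requests[$ts]
    $bad   = ($denied[$ts] + $forbid[$ts])
    if ($total -ge 50 -and $bad / $total -gt $threshold) {
        [pscustomobject]@{ Window = $ts; Requests = $total; Rejected = $bad; Ratio = [math]::Round($bad / $total, 2) }
    }
}
```

Platform metrics tell you that something is being rejected, not by whom; for source addresses and paths you still need HTTP request logging or Application Insights request telemetry, which the linked articles cover.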

Identity and access management

| Security attribute | Yes/No | Notes |
|---|---|---|
| Authentication | Yes | Customers can build applications on App Service that automatically integrate with Azure Active Directory (Azure AD) as well as other OAuth-compatible identity providers; see Authentication and authorization in Azure App Service. For management access to App Service assets, all access is controlled by a combination of an Azure AD-authenticated principal and Azure Resource Manager RBAC roles. |
| Authorization | Yes | For management access to App Service assets, all access is controlled by a combination of an Azure AD-authenticated principal and Azure Resource Manager RBAC roles. |

Audit trail

| Security attribute | Yes/No | Notes |
|---|---|---|
| Control and management plane logging and audit | Yes | All management operations performed on App Service objects occur via Azure Resource Manager. Historical logs of these operations are available both in the portal and via the CLI; see Azure Resource Manager resource provider operations and az monitor activity-log. |
| Data plane logging and audit | No | The data plane for App Service is a remote file share containing a customer's deployed web site content. There is no auditing of the remote file share. |
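Because every control-plane change goes through Azure Resource Manager, the activity log answers "who changed this app, and when" for configuration, settings and slot operations. The added example below (written for this page, not from the Azure documentation) is the PowerShell equivalent of the `az monitor activity-log` query the table points to; it assumes the Az.Websites and Az.Monitor modules and placeholder resource names.

```powershell
# Added example (not from the Azure docs page). Assumes Az.Websites + Az.Monitor
# and an authenticated session. Resource names are placeholders.
$rg  = 'rg-example'
$app = 'webapp-example'
$site = Get-AzWebApp -ResourceGroupName $rg -Name $app

# The activity log is retained for 90 days; route it to a Log Analytics
# workspace or storage account if you need a longer audit trail.
$events = Get-AzActivityLog -ResourceId $site.Id -StartTime (Get-Date).AddDays(-7)

# Keep only App Service write/delete/action operations (reads are not logged),
# and show who performed them. The log records that a write happened and its
# status; it does NOT record the old or new value, so a change to an app setting
# appears as Microsoft.Web/sites/config/write with no payload.
$events |
    Where-Object { $_.OperationName -like 'Microsoft.Web/*' -and $_.Status -eq 'Succeeded' } |
    Select-Object EventTimestamp, Caller, OperationName, Status |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# A quick anomaly check: callers seen on this resource in the last week.
# A service principal or user you do not recognise here is worth a follow-up.
$events | Group-Object Caller | Select-Object Name, Count | Sort-Object Count -Descending
```

Note the limits of this trail, which match the table: a deployment that pushes files to the content share (FTP, Kudu zip deploy, Git) is not an ARM operation on the site resource, so file-level changes to the deployed content do not appear here.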

Configuration management

| Security attribute | Yes/No | Notes |
|---|---|---|
| Configuration management support (versioning of configuration, etc.) | Yes | For management operations, the state of an App Service configuration can be exported as an Azure Resource Manager template and versioned over time. For runtime operations, customers can maintain multiple different live versions of an application using the App Service deployment slots feature. |
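Both halves of that row, template export for versioning and deployment slots for live versions, are shown in one added example below. It is written for this page, not taken from the Azure documentation, and assumes the Az.Websites and Az.Resources modules with placeholder resource names.

```powershell
# Added example (not from the Azure docs page). Assumes Az.Websites + Az.Resources
# and an authenticated session. Resource names are placeholders.
$rg  = 'rg-example'
$app = 'webapp-example'
$site = Get-AzWebApp -ResourceGroupName $rg -Name $app

# 1. Version the configuration: export just this site (not the whole group) as an
#    ARM template and drop it in a dated file to commit to source control.
#    Inspect the file before committing; anything that looks like a secret
#    belongs in Key Vault, not in the template.
$out = ".\$app-$(Get-Date -Format 'yyyyMMdd-HHmm').json"
Export-AzResourceGroup -ResourceGroupName $rg -Resource $site.Id -Path $out -Force | Out-Null
Get-Content $out | Select-String -Pattern 'password|secret|key' -CaseSensitive:$false

# 2. Keep two live versions with a slot. Settings that must differ per slot
#    (for example a production-only Key Vault reference) are marked "sticky" so a
#    swap moves the code but not the setting.
New-AzWebAppSlot -ResourceGroupName $rg -Name $app -Slot 'staging' | Out-Null
Set-AzWebAppSlotConfigName -ResourceGroupName $rg -Name $app -AppSettingNames @('DB_CONNECTION')

# 3. Deploy to staging (not shown), verify, then swap. After the swap the
#    previous production build sits in 'staging', so rollback is a second swap.
Switch-AzWebAppSlot -ResourceGroupName $rg -Name $app `
    -SourceSlotName 'staging' -DestinationSlotName 'production'

# 4. Confirm what is sticky, so a future swap cannot silently point production
#    at a staging secret.
(Get-AzWebAppSlotConfigName -ResourceGroupName $rg -Name $app).AppSettingNames
```

The sticky-setting step is the security-relevant one: without it, a swap carries every app setting across with the code, and a staging slot that was configured with a lower-privilege connection string or a test identity provider ends up serving production.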