Security controls for Azure App Service

This article documents the security controls built into Azure App Service.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Service endpoint support | Yes | Available for App Service. | Azure App Service Access Restrictions |
| VNet injection support | Yes | App Service Environments are private implementations of App Service dedicated to a single customer, injected into the customer's virtual network. | Introduction to the App Service Environments |
| Network isolation and firewalling support | Yes | For the public multi-tenant variation of App Service, customers can configure network ACLs (IP Restrictions) to lock down allowed inbound traffic. App Service Environments are deployed directly into virtual networks and hence can be secured with NSGs. | Azure App Service Access Restrictions |
| Forced tunneling support | Yes | App Service Environments can be deployed into a customer's virtual network where forced tunneling is configured. | Configure your App Service Environment with forced tunneling |

Monitoring & logging

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | App Service integrates with Application Insights for languages that support Application Insights (full .NET Framework, .NET Core, Java and Node.js). See Monitor Azure App Service performance. App Service also sends application metrics into Azure Monitor. | Monitor apps in Azure App Service |
| Control and management plane logging and audit | Yes | All management operations performed on App Service objects occur via Azure Resource Manager. Historical logs of these operations are available both in the portal and via the CLI. | Azure Resource Manager resource provider operations, az monitor activity-log |
| Data plane logging and audit | No | The data plane for App Service is a remote file share containing a customer's deployed web site content. There is no auditing of the remote file share. | |

Identity

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Authentication | Yes | Customers can build applications on App Service that automatically integrate with Azure Active Directory (Azure AD) as well as other OAuth-compatible identity providers. For management access to App Service assets, all access is controlled by a combination of an Azure AD authenticated principal and Azure Resource Manager RBAC roles. | Authentication and authorization in Azure App Service |
| Authorization | Yes | For management access to App Service assets, all access is controlled by a combination of an Azure AD authenticated principal and Azure Resource Manager RBAC roles. | Authentication and authorization in Azure App Service |

Data protection

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Server-side encryption at rest: Microsoft-managed keys | Yes | Web site file content is stored in Azure Storage, which automatically encrypts the content at rest. Customer-supplied secrets are encrypted at rest while stored in App Service configuration databases. Locally attached disks can optionally be used as temporary storage by web sites (D:\local and %TMP%); locally attached disks are not encrypted at rest. | Azure Storage encryption for data at rest |
| Server-side encryption at rest: customer-managed keys (BYOK) | Yes | Customers can choose to store application secrets in Key Vault and retrieve them at runtime. | Use Key Vault references for App Service and Azure Functions (preview) |
| Column level encryption (Azure Data Services) | N/A | | |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-VNet encryption) | Yes | Customers can configure web sites to require and use HTTPS for inbound traffic. | How to make an Azure App Service HTTPS only (blog post) |
| API calls encrypted | Yes | Management calls to configure App Service occur via Azure Resource Manager calls over HTTPS. | |

Configuration management

| Security control | Yes/No | Notes | Documentation |
|---|---|---|---|
| Configuration management support (versioning of configuration, etc.) | Yes | For management operations, the state of an App Service configuration can be exported as an Azure Resource Manager template and versioned over time. For runtime operations, customers can maintain multiple different live versions of an application using the App Service deployment slots feature. | |
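As an added example (not code from the Azure docs), the following audit ties together three controls above: the exported Azure Resource Manager template from the configuration-management row is checked for the HTTPS-only setting (encryption in transit), for secret-like app settings that are literals rather than Key Vault references (data protection), and for IP restrictions that still allow traffic from any address (network isolation). It assumes the `Microsoft.Web/sites` resource shape with `properties.httpsOnly`, `siteConfig.appSettings` and `siteConfig.ipSecurityRestrictions`, and the `@Microsoft.KeyVault(` prefix used by Key Vault references; the two sites are constructed sample data.

```python
# Added example, not from the Azure docs. Assumes the Microsoft.Web/sites template
# shape (properties.httpsOnly, siteConfig.appSettings, siteConfig.ipSecurityRestrictions)
# and the "@Microsoft.KeyVault(" prefix of App Service Key Vault references.
SECRET_HINTS = ("password", "secret", "key", "token", "connectionstring")

def _site(name, https_only, settings, rules):
    """Build a Microsoft.Web/sites resource for the constructed sample below."""
    return {"type": "Microsoft.Web/sites", "name": name, "properties": {
        "httpsOnly": https_only,
        "siteConfig": {"appSettings": [{"name": k, "value": v} for k, v in settings],
                       "ipSecurityRestrictions": rules}}}

# Constructed sample: one weakly configured site and one that applies the controls.
SAMPLE_TEMPLATE = {"resources": [
    _site("contoso-web", False,
          [("DbPassword", "hunter2")],
          [{"name": "Allow all", "action": "Allow", "ipAddress": "Any", "priority": 2147483647}]),
    _site("contoso-hardened", True,
          [("DbPassword", "@Microsoft.KeyVault(SecretUri=https://kv.vault.azure.net/secrets/DbPassword/)")],
          [{"name": "office", "action": "Allow", "ipAddress": "203.0.113.0/24", "priority": 100}]),
]}

def audit_site(site):
    """Return findings (strings) for one site; an empty list means all checks passed."""
    props = site.get("properties", {})
    cfg = props.get("siteConfig", {})
    findings = []
    # Encryption in transit: the site should refuse plain HTTP.
    if not props.get("httpsOnly", False):
        findings.append("httpsOnly is false: plain HTTP is accepted for inbound traffic")
    # Customer secrets: secret-like settings should be Key Vault references, not literals.
    for s in cfg.get("appSettings", []):
        name, value = s.get("name", ""), str(s.get("value") or "")
        if any(h in name.lower() for h in SECRET_HINTS) and not value.startswith("@Microsoft.KeyVault("):
            findings.append(f"app setting {name!r} is a literal value, not a Key Vault reference")
    # Network isolation: IP restrictions should exist and not allow from anywhere.
    rules = cfg.get("ipSecurityRestrictions", [])
    open_allow = [r for r in rules if r.get("action") == "Allow"
                  and r.get("ipAddress") in ("Any", "0.0.0.0/0")]
    if not rules or open_allow:
        findings.append("no effective access restrictions: inbound traffic is allowed from any address")
    return findings

def audit_template(template):
    """Map each App Service site name in the template to its findings."""
    return {r["name"]: audit_site(r) for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Web/sites"}
```

Run `audit_template` over a template produced by an ARM export of the resource group to get per-site findings that can be versioned alongside the template itself.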