Security recommendations for App Service

This article contains security recommendations for Azure App Service. Implementing these recommendations will help you fulfill your security obligations as described in our shared responsibility model and will improve the overall security of your web app solutions.

General

Recommendation | Comments
--- | ---
Stay up-to-date | Use the latest versions of supported platforms, programming languages, protocols, and frameworks.

Identity and access management

Recommendation | Comments
--- | ---
Disable anonymous access | Unless you need to support anonymous requests, disable anonymous access. For more information on Azure App Service authentication options, see Authentication and authorization in Azure App Service.
Require authentication | Whenever possible, use the App Service authentication module instead of writing code to handle authentication and authorization. See Authentication and authorization in Azure App Service.
Protect back-end resources with authenticated access | You can use either the user's identity or an application identity to authenticate to a back-end resource. When you choose an application identity, use a managed identity rather than a stored credential.
Require client certificate authentication | Client certificate authentication improves security by only allowing connections from clients that can authenticate using certificates that you provide. Note that App Service terminates TLS and forwards the client certificate to your app in the X-ARR-ClientCert request header; your app code must validate that certificate (for example, against a thumbprint allowlist or your issuing CA) and reject requests where it is missing or invalid.
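The validation step the client certificate recommendation leaves to the app, as an added example (this is not code from the page or from Azure): App Service places the base64-encoded DER certificate in the X-ARR-ClientCert header, and the app decides whether to accept it. The handler below fails closed when the header is missing, malformed or not in a thumbprint allowlist. The sample certificate bytes and the allowlist are constructed for the example; trust the header only when client certificates are enabled on the app, since App Service then sets the header itself.

```python
import base64
import binascii
import hashlib
from typing import Mapping, Set, Tuple

# Header in which App Service forwards the client certificate (base64-encoded DER)
# to the app after terminating TLS. App Service only forwards it; the app validates it.
CLIENT_CERT_HEADER = "x-arr-clientcert"


def thumbprint(der: bytes) -> str:
    """SHA-1 fingerprint of the DER bytes as upper-case hex, the same value the
    Azure portal shows as a certificate's thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def validate_client_cert(headers: Mapping[str, str], allowed: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). Fails closed on a missing, malformed or unknown certificate."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(CLIENT_CERT_HEADER, "").strip()
    if not raw:
        return False, "no client certificate forwarded"
    try:
        der = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False, "client certificate header is not valid base64"
    # A DER X.509 certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
    if not der or der[0] != 0x30:
        return False, "client certificate header is not a DER certificate"
    tp = thumbprint(der)
    normalized = {t.upper().replace(":", "") for t in allowed}
    if tp not in normalized:
        return False, f"certificate {tp} is not in the allowlist"
    return True, tp


# Constructed sample: a DER-shaped byte string standing in for a client certificate
# you issued. It is not a real certificate; only its fingerprint matters here.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x30, 0x81, 0xF2]) + b"\x00" * 24
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode("ascii")
ALLOWED_THUMBPRINTS = {thumbprint(SAMPLE_DER)}


def demo() -> dict:
    """Exercise the validator against a few request shapes (constructed inputs)."""
    return {
        "valid": validate_client_cert({"X-ARR-ClientCert": SAMPLE_HEADER}, ALLOWED_THUMBPRINTS)[0],
        "missing": validate_client_cert({}, ALLOWED_THUMBPRINTS)[0],
        "garbage": validate_client_cert({"X-ARR-ClientCert": "not*base64"}, ALLOWED_THUMBPRINTS)[0],
        "not_der": validate_client_cert({"X-ARR-ClientCert": "aGVsbG8="}, ALLOWED_THUMBPRINTS)[0],
        "unknown": validate_client_cert({"X-ARR-ClientCert": SAMPLE_HEADER}, {"00" * 20})[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Thumbprint pinning is the simplest check and needs the allowlist updated whenever a client certificate is renewed; if you issue certificates from your own CA, validating the chain (for example with the `cryptography` package) avoids that maintenance at the cost of a dependency.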

Data protection

Recommendation | Comments
--- | ---
Redirect HTTP to HTTPS | By default, clients can connect to web apps using either HTTP or HTTPS. We recommend redirecting HTTP to HTTPS, because HTTPS uses TLS to provide a secure connection that is both encrypted and authenticated. Enabling the HTTPS Only setting on the app enforces this for every request.
Encrypt communication to Azure resources | When your app connects to Azure resources, such as SQL Database or Azure Storage, the connection stays within Azure. Because the connection goes through shared networking in Azure, you should still always encrypt all communication (for example, require encrypted connections to SQL Database and use HTTPS endpoints for Azure Storage).
Require the latest TLS version possible | Since 2018, new Azure App Service apps use TLS 1.2. Newer versions of TLS include security improvements over older protocol versions. Set the app's minimum TLS version so that clients cannot negotiate TLS 1.0 or 1.1.
Use FTPS | App Service supports both FTP and FTPS for deploying your files. Use FTPS instead of FTP whenever possible. When one or both of these protocols are not in use, disable them.
Secure application data | Don't store application secrets, such as database credentials, API tokens, or private keys, in your code or configuration files. The commonly accepted approach is to access them as environment variables using the standard pattern in your language of choice. In Azure App Service, you can define environment variables through app settings and connection strings. App settings and connection strings are stored encrypted in Azure and are decrypted only just before being injected into your app's process memory when the app starts. The encryption keys are rotated regularly. Alternatively, you can integrate your Azure App Service app with Azure Key Vault for advanced secrets management. By accessing Key Vault with a managed identity, your App Service app can securely access the secrets it needs without storing any credential for Key Vault itself.
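How an app should consume the secrets the last row describes, as an added example (not code from the page or from Azure): read them from the environment rather than from code, look up connection strings by the type prefix App Service adds when it exposes them as environment variables, and treat a Key Vault reference that arrives unresolved (the platform hands the app the literal reference string when its managed identity cannot read the secret) as a startup failure rather than a value. The environment dictionary, setting names and values are constructed placeholders for the example.

```python
import os
from typing import Dict, Iterable, Mapping, Optional

# Prefixes App Service prepends to connection strings when it exposes them to the
# process as environment variables, one per connection-string type.
CONNECTION_STRING_PREFIXES = (
    "SQLAZURECONNSTR_",
    "SQLCONNSTR_",
    "MYSQLCONNSTR_",
    "POSTGRESQLCONNSTR_",
    "CUSTOMCONNSTR_",
)

# A Key Vault reference is resolved by the platform before the app starts. If resolution
# fails (typically because the app's managed identity cannot read the secret), the app
# receives the reference string itself instead of the secret, so treat it as an error.
KEY_VAULT_REFERENCE_PREFIX = "@Microsoft.KeyVault("


class SecretError(RuntimeError):
    """A required secret is missing or unusable. The message never contains the value."""

    def __init__(self, kind: str, message: str) -> None:
        super().__init__(message)
        self.kind = kind  # "missing" or "unresolved"


def is_unresolved_reference(value: str) -> bool:
    return value.strip().startswith(KEY_VAULT_REFERENCE_PREFIX)


def get_setting(name: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Read an app setting from the environment; fail closed instead of falling back
    to a default baked into the code."""
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None or not value.strip():
        raise SecretError("missing", f"app setting {name!r} is not configured")
    if is_unresolved_reference(value):
        raise SecretError(
            "unresolved",
            f"Key Vault reference for {name!r} was not resolved; "
            "check that the app's managed identity can read the secret",
        )
    return value


def get_connection_string(name: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Find a connection string by its App Service name, whatever its type prefix."""
    env = os.environ if environ is None else environ
    for prefix in CONNECTION_STRING_PREFIXES:
        if prefix + name in env:
            return get_setting(prefix + name, env)
    raise SecretError("missing", f"connection string {name!r} is not configured")


def audit(settings: Iterable[str], connection_strings: Iterable[str],
          environ: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Report each required secret as 'ok', 'missing' or 'unresolved' (never its value),
    suitable for a startup check that logs problems and refuses to serve traffic."""
    report: Dict[str, str] = {}
    for name in settings:
        try:
            get_setting(name, environ)
            report[name] = "ok"
        except SecretError as exc:
            report[name] = exc.kind
    for name in connection_strings:
        try:
            get_connection_string(name, environ)
            report[name] = "ok"
        except SecretError as exc:
            report[name] = exc.kind
    return report


# Constructed sample environment standing in for what App Service injects at startup
# (placeholder values, not real secrets). StorageKey shows an unresolved reference.
SAMPLE_ENV = {
    "ApiToken": "constructed-token-value",
    "SQLAZURECONNSTR_MainDb": "Server=tcp:example.database.windows.net,1433;Initial Catalog=app;Encrypt=True;",
    "StorageKey": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/StorageKey/)",
}


if __name__ == "__main__":
    for name, status in audit(["ApiToken", "StorageKey", "SigningKey"], ["MainDb"], SAMPLE_ENV).items():
        print(f"{name}: {status}")
```

Running the audit at startup and exiting on anything other than "ok" turns a misconfigured identity or a forgotten setting into an obvious deployment failure instead of a runtime error that might surface the reference string in a log or error page.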

Networking

Recommendation | Comments
--- | ---
Use static IP restrictions | Azure App Service on Windows lets you define a list of IP addresses that are allowed to access your app. The allowed list can include individual IP addresses or a range of IP addresses defined by a subnet mask (CIDR notation). For more information, see Azure App Service Static IP Restrictions.
Use the Isolated pricing tier | Except for the Isolated pricing tier, all tiers run your apps on the shared network infrastructure in Azure App Service. The Isolated tier runs your apps in an App Service Environment deployed into your own virtual network.
Use secure connections when accessing on-premises resources | You can use Hybrid Connections or Virtual Network Integration to connect to on-premises resources.
Limit exposure to inbound network traffic | Network security groups allow you to restrict network access and control the number of exposed endpoints.

Next steps

Check with your application provider to see whether there are additional security requirements.