Azure Stack Hub firewall integration

It's recommended that you use a firewall device to help secure Azure Stack Hub. Firewalls can help defend against things like distributed denial-of-service (DDoS) attacks, and perform intrusion detection and content inspection. However, they can also become a throughput bottleneck for Azure storage services like blobs, tables, and queues.

If a disconnected deployment mode is used, you must publish the AD FS endpoint. For more information, see the datacenter integration identity article.

The Azure Resource Manager (administrator), administrator portal, and Key Vault (administrator) endpoints don't necessarily require external publishing. For example, as a service provider, you could limit the attack surface by only administering Azure Stack Hub from inside your network, and not from the internet.

For enterprise organizations, the external network can be the existing corporate network. In this scenario, you must publish endpoints to operate Azure Stack Hub from the corporate network.

Network Address Translation

Network Address Translation (NAT) is the recommended method to allow the deployment virtual machine (DVM) to access external resources and the internet during deployment, as well as the Emergency Recovery Console (ERCS) VMs or privileged endpoint (PEP) during registration and troubleshooting.

NAT can also be an alternative to public IP addresses on the external network or public VIPs. However, it's not recommended to do so because it limits the tenant user experience and increases complexity. One option would be a one-to-one NAT that still requires one public IP per user IP on the pool. Another option is a many-to-one NAT that requires a NAT rule per user VIP for all ports a user might use.

Some of the downsides of using NAT for public VIPs are:

  • NAT adds overhead when managing firewall rules because users control their own endpoints and their own publishing rules in the software-defined networking (SDN) stack. Users must contact the Azure Stack Hub operator to get their VIPs published, and to update the port list.
  • While NAT usage limits the user experience, it gives the operator full control over publishing requests.
  • For hybrid cloud scenarios with Azure, consider that Azure doesn't support setting up a VPN tunnel to an endpoint behind NAT.
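The two NAT options above differ mainly in how much operator work each tenant change creates. The following added example (not part of this documentation, and not an Azure Stack Hub tool) models both with constructed tenant VIPs and ports: one-to-one NAT only needs a large enough public pool, while many-to-one NAT needs one rule per VIP and port and, going slightly beyond the text, shows why two tenants that both publish the same port cannot share one public IP without port remapping.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from any real deployment): tenant VIPs taken from
# the public VIP pool, each with the ports that tenant has opened in its own
# SDN publishing rules.
TENANT_VIPS = {
    "192.0.2.10": [80, 443],
    "192.0.2.11": [443, 3389],
    "192.0.2.12": [22],
}


def one_to_one_nat(vips, public_pool):
    """One-to-one NAT: every tenant VIP consumes one public IP from the pool
    and all ports pass through, so a tenant changing its port list needs no
    operator action. Returns {tenant VIP: public IP}; raises if the pool is
    smaller than the number of VIPs to publish."""
    pool = list(ipaddress.ip_network(public_pool).hosts())
    if len(pool) < len(vips):
        raise ValueError(
            f"pool {public_pool} has {len(pool)} usable hosts, "
            f"{len(vips)} VIPs need publishing"
        )
    return {vip: str(pub) for vip, pub in zip(vips, pool)}


def many_to_one_nat(vips, public_ip):
    """Many-to-one NAT: a single public IP with one rule per (VIP, port).
    Returns the rule list as (public_ip, public_port, vip, vip_port) tuples
    plus the external ports claimed by more than one tenant; those cannot all
    be published on the same public IP unless the operator remaps ports."""
    rules = []
    claims = defaultdict(list)
    for vip, ports in vips.items():
        for port in ports:
            claims[port].append(vip)
            rules.append((public_ip, port, vip, port))
    collisions = {port: owners for port, owners in claims.items() if len(owners) > 1}
    return rules, collisions


if __name__ == "__main__":
    # Documentation prefixes stand in for real public addresses.
    print(one_to_one_nat(TENANT_VIPS, "203.0.113.0/29"))
    rules, collisions = many_to_one_nat(TENANT_VIPS, "203.0.113.1")
    print(f"{len(rules)} rules to maintain, port collisions: {collisions}")
```

Every entry in the rule list is a firewall rule the operator must edit whenever a tenant adds or removes a port, which is the management overhead the first bullet describes.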

SSL interception

It's currently recommended to disable any SSL interception (for example, decryption offloading) on all Azure Stack Hub traffic. If it's supported in future updates, guidance will be provided about how to enable SSL interception for Azure Stack Hub.

Edge firewall scenario

In an edge deployment, Azure Stack Hub is deployed directly behind the edge router or the firewall. In these scenarios, the firewall can either sit above the border (Scenario 1), where both active-active and active-passive firewall configurations are supported, or act as the border device (Scenario 2), where only an active-active firewall configuration is supported, relying on equal-cost multi-path (ECMP) with either BGP or static routing for failover.

Public routable IP addresses are specified for the public VIP pool from the external network at deployment time. In an edge scenario, it's not recommended to use public routable IPs on any other network, for security reasons. This scenario enables a user to experience the full self-controlled cloud experience as in a public cloud like Azure.

(Figure: Azure Stack Hub edge firewall example)

Enterprise intranet or perimeter network firewall scenario

In an enterprise intranet or perimeter deployment, Azure Stack Hub is deployed on a multi-zoned firewall or in between the edge firewall and the internal corporate network firewall. Its traffic is then distributed between the secure zone, the perimeter network (or DMZ), and the unsecure zone, as described below:

  • Secure zone: This is the internal network that uses internal or corporate routable IP addresses. The secure network can be divided, have internet outbound access through NAT on the firewall, and is usually accessible from anywhere inside your datacenter via the internal network. All Azure Stack Hub networks should reside in the secure zone except for the external network's public VIP pool.
  • Perimeter zone: The perimeter network is where external or internet-facing apps like web servers are typically deployed. It's usually monitored by a firewall to avoid attacks like DDoS and intrusion (hacking) while still allowing specified inbound traffic from the internet. Only the external network public VIP pool of Azure Stack Hub should reside in the DMZ zone.
  • Unsecure zone: This is the external network, the internet. It is not recommended to deploy Azure Stack Hub in the unsecure zone.
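The zoning rule above (only the public VIP pool is publicly routable; everything else stays on internal address space) is easy to check before deployment. The following added example is not from this documentation or from Azure Stack Hub itself: it validates a constructed network plan whose network names and prefixes are sample values, flagging any non-VIP network that falls outside RFC 1918, a VIP pool that is not routable, and overlapping prefixes.

```python
import ipaddress
from itertools import combinations

# RFC 1918 ranges: the "internal or corporate routable" address space the
# secure zone is expected to use.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan (not a real deployment; network names are
# illustrative). The public pool uses an RFC 5737 documentation prefix as a
# stand-in for a real routable block. Note that ipaddress.is_global reports
# documentation prefixes as not global, which is why the check below tests
# against RFC 1918 explicitly rather than relying on is_global.
SAMPLE_PLAN = {
    "public_vip_pool": "203.0.113.0/26",
    "infrastructure": "10.10.0.0/24",
    "bmc": "10.10.1.0/27",
    "storage": "10.10.2.0/24",
    "switch_infrastructure": "10.10.3.0/26",
}


def is_internal(net):
    """True if the prefix lies entirely inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_plan(plan, public_key="public_vip_pool"):
    """Return a list of findings; an empty list means the plan follows the
    zoning guidance: only the public VIP pool is publicly routable, every
    other network is internal, and no two prefixes overlap."""
    findings = []
    nets = {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix {cidr!r} ({exc})")

    for name, net in nets.items():
        if name == public_key:
            if is_internal(net) or net.is_loopback or net.is_link_local:
                findings.append(
                    f"{name}: {net} is not publicly routable; the VIP pool "
                    "must be reachable from the unsecure zone"
                )
        elif not is_internal(net):
            findings.append(
                f"{name}: {net} is outside RFC 1918; keep every network "
                "except the public VIP pool in the secure zone"
            )

    for a, b in combinations(nets, 2):
        if nets[a].overlaps(nets[b]):
            findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return findings


if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN) or ["plan OK"]:
        print(finding)
```

Run it against the address plan you intend to hand to the firewall team; any finding about a non-VIP network outside RFC 1918 means that network would need public addresses in the DMZ, which the guidance above advises against.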

(Figure: Azure Stack Hub perimeter network example)

Learn more

Learn more about ports and protocols used by Azure Stack Hub endpoints.

Next steps

Azure Stack Hub PKI requirements