部署安全合作伙伴提供程序Deploy a security partner provider

通过 Azure 防火墙管理器中的安全合作伙伴提供程序,你可以使用熟悉的同类最佳第三方安全即服务 (SECaaS) 产品/服务来保护用户的 Internet 访问。Security partner providers in Azure Firewall Manager allow you to use your familiar, best-in-breed third-party security-as-a-service (SECaaS) offerings to protect Internet access for your users.

要详细了解支持的场景和最佳做法指南,请参阅什么是安全合作伙伴提供程序?To learn more about supported scenarios and best practice guidelines, see What are security partner providers?

集成的第三方安全即服务 (SECaaS) 合作伙伴现已可用:Integrated third-party Security as a service (SECaaS) partners are now available:

在新中心部署第三方安全提供程序Deploy a third-party security provider in a new hub

如果要将第三方提供程序部署到现有中心,请跳过此部分。Skip this section if you are deploying a third-party provider into an existing hub.

  1. 通过 https://portal.azure.cn 登录到 Azure 门户。Sign in to the Azure portal at https://portal.azure.cn.
  2. 在“搜索”中键入“防火墙管理器”,然后在“服务”下选择“防火墙管理器” 。In Search, type Firewall Manager and select it under Services.
  3. 导航到“入门”。Navigate to Getting Started. 选择“查看安全虚拟中心”。Select View secured virtual hubs.
  4. 选择“新建安全虚拟中心”。Select Create new secured virtual hub.
  5. 输入你的订阅和资源组,选择受支持的区域,并添加中心和虚拟 WAN 信息。Enter you subscription and resource group, select a supported region, and add your hub and virtual WAN information.
  6. 选择“包含 VPN 网关以启用安全合作伙伴提供程序”。Select Include VPN gateway to enable Security Partner Providers.
  7. 根据要求选择适当的“网关缩放单元”。Select the Gateway scale units appropriate for your requirements.
  8. 在完成时选择“下一步:Azure 防火墙”Select Next: Azure Firewall


    安全合作伙伴提供程序使用 VPN 网关隧道连接到你的中心。Security partner providers connect to your hub using VPN Gateway tunnels. 如果删除 VPN 网关,与安全合作伙伴提供程序的连接将会丢失。If you delete the VPN Gateway, the connections to your security partner providers are lost.

  9. 如果要部署 Azure 防火墙来筛选专用流量,并部署第三方服务提供程序来筛选 Internet 流量,请选择 Azure 防火墙的策略。If you want to deploy Azure Firewall to filter private traffic along with third-party service provider to filter Internet traffic, select a policy for Azure Firewall. 请参阅支持的场景See the supported scenarios.
  10. 如果只想在中心部署第三方安全提供程序,请选择“Azure 防火墙:启用/禁用”,并将其设置为“禁用”。If you want to only deploy a third-party security provider in the hub, select Azure Firewall: Enabled/Disabled to set it to Disabled.
  11. 选择“下一步:安全合作伙伴提供程序”。Select Next: Security Partner Provider.
  12. 将“安全合作伙伴提供程序”设置为“启用” 。Set Security Partner Provider to Enabled.
  13. 选择一个合作伙伴。Select a partner.
  14. 在完成时选择“下一步:查看 + 创建”。Select Next: Review + create.
  15. 查看内容,然后选择“创建”。Review the content and then select Create.

部署 VPN 网关可能需要超过 30 分钟的时间。The VPN gateway deployment can take more than 30 minutes.

要验证是否已创建中心,请导航到“Azure 防火墙管理器”->“安全中心”。To verify that the hub has been created, navigate to Azure Firewall Manager->Secured Hubs. 选择“中心”>“概述页面”,以显示合作伙伴名称,状态为“安全连接挂起”。Select the hub->Overview page to show the partner name and the status as Security Connection Pending.

创建中心并设置安全合作伙伴后,请继续将安全提供程序连接到中心。Once the hub is created and the security partner is set up, continue on to connect the security provider to the hub.

在现有中心部署第三方安全提供程序Deploy a third-party security provider in an existing hub

还可以选择虚拟 WAN 中的现有中心,并将其转换为安全虚拟中心。You can also select an existing hub in a Virtual WAN and convert that to a secured virtual hub.

  1. 在“入门”中,选择“查看安全虚拟中心” 。In Getting Started, select View secured virtual hubs.
  2. 选择“转换现有中心”。Select Convert existing hubs.
  3. 选择订阅和现有中心。Select a subscription and an existing hub. 按照剩余步骤在新中心部署第三方安全提供程序。Follow rest of the steps to deploy a third-party provider in a new hub.

请记住,必须部署 VPN 网关才能使用第三方提供程序将现有中心转换为安全中心。Remember that a VPN gateway must be deployed to convert an existing hub to secured hub with third-party providers.

配置第三方安全提供程序以连接到安全中心Configure third-party security providers to connect to a secured hub

要设置连接虚拟中心 VPN 网关的隧道,第三方提供程序需要具有对中心的访问权限。To set up tunnels to your virtual hub’s VPN Gateway, third-party providers need access rights to your hub. 为此,请将服务主体与订阅或资源组关联,并授予访问权限。To do this, associate a service principal with your subscription or resource group, and grant access rights. 然后,必须使用第三方的门户将这些凭据分配给第三方。You then must give these credentials to the third-party using their portal.

创建服务主体并为其授权Create and authorize a service principal

  1. 创建 Azure Active Directory (AD) 服务主体:可以跳过重定向 URL。Create Azure Active Directory (AD) service principal: You can skip the redirect URL.

    如何:使用门户创建可访问资源的 Azure AD 应用程序和服务主体How to: Use the portal to create an Azure AD application and service principal that can access resources

  2. 为服务主体添加访问权限和作用域。Add access rights and scope for the service principal. 如何:使用门户创建可访问资源的 Azure AD 应用程序和服务主体How to: Use the portal to create an Azure AD application and service principal that can access resources


    可以将访问权限限制为仅针对你的资源组,以便进行更精细的控制。You can limit access to only your resource group for more granular control.

访问合作伙伴门户Visit partner portal

  1. 按照合作伙伴提供的说明完成设置。Follow your partner provided instructions to complete the setup. 这包括提交 AAD 信息以检测并连接到中心、更新出口策略,以及检查连接状态和日志。This includes submitting AAD information to detect and connect to the hub, update the egress policies, and check connectivity status and logs.

  2. 可以在 Azure 的 Azure 虚拟 WAN 门户中查看隧道创建状态。You can look at the tunnel creation status on the Azure Virtual WAN portal in Azure. Azure 门户和合作伙伴门户中的隧道状态均显示“已连接”后,请继续执行后续步骤,以设置路由,并选择哪些分支和 Vnet 应将 Internet 流量发送到合作伙伴。Once the tunnels show connected on both Azure and the partner portal, continue with the next steps to set up routes to select which branches and VNets should send Internet traffic to the partner.

配置路由设置Configure route settings

  1. 浏览到“Azure 防火墙管理器”->“安全中心”。Browse to the Azure Firewall Manager -> Secured Hubs.

  2. 选择一个中心。Select a hub. 现在,中心状态应显示“已预配”,而不是“安全连接挂起” 。The Hub status should now show Provisioned instead of Security Connection Pending.

    请确保第三方提供程序可以连接到中心。Ensure the third-party provider can connect to the hub. VPN 网关上的隧道应处于“已连接”状态。The tunnels on the VPN gateway should be in a Connected state. 与之前的状态相比,此状态更能反映中心与第三方合作伙伴之间的连接运行状况。This state is more reflective of the connection health between the hub and the third-party partner, compared to previous status.

  3. 选择中心,并导航到“路由设置”。Select the hub, and navigate to Route Settings.

    向中心部署第三方提供程序时,该第三方提供程序会将该中心转换为安全虚拟中心。When you deploy a third-party provider into the hub, it converts the hub into a secured virtual hub. 这可确保第三方提供程序向中心播发默认)路由。This ensures that the third-party provider is advertising a (default) route to the hub. 但是,除非你选择了哪些连接应获得此默认路由,否则连接到中心的 VNet 连接和站点不会获得此路由。However, VNet connections and sites connected to the hub don’t get this route unless you opt-in on which connections should get this default route.

  4. 在“Internet 流量”下,选择“VNet 到 Internet”和/或“分支到 Internet”,以便将路由配置为通过第三方发送 。Under Internet traffic, select VNet-to-Internet or Branch-to-Internet or both so routes are configured send via the third party.

    这仅指示应将那种类型的流量路由到中心,但还不会影响 VNet 或分支上的路由。This only indicates which type of traffic should be routed to the hub, but it doesn’t affect the routes on VNets or branches yet. 默认情况下,这些路由不会传播到附加到中心的所有 Vnet/分支。These routes are not propagated to all VNets/branches attached to the hub by default.

  5. 必须选择“安全连接”,并选择应在哪些连接上设置这些路由。You must select secure connections and select the connections on which these routes should be set. 这指示哪些 Vnet/分支可以开始向第三方提供程序发送 Internet 流量。This indicates which VNets/branches can start sending Internet traffic to the third-party provider.

  6. 在“路由设置”中,选择“Internet 流量”下的“安全连接”,然后选择要保护的 VNet 或分支(虚拟 WAN 中的站点) 。From Route settings, select Secure connections under Internet traffic, then select the VNet or branches (sites in Virtual WAN) to be secured. 选择“保护 Internet 流量”。Select Secure Internet traffic. 保护 Internet 流量Secure Internet traffic

  7. 导航回中心页面。Navigate back to the hubs page. 现在,中心的“安全合作伙伴提供程序”状态应为“安全” 。The hub’s security partner provider status should now be Secured.

通过第三方服务的分支或 VNet Internet 流量Branch or VNet Internet traffic via third-party service

接下来,你可以检查 VNet 虚拟机或分支站点是否可以访问 Internet,并验证流量是否流向第三方服务。Next, you can check if VNet virtual machines or the branch site can access the Internet and validate that the traffic is flowing to the third-party service.

完成路由设置步骤后,系统将向 VNet 虚拟机和分支站点发送 0/0 到第三方服务的路由。After finishing the route setting steps, the VNet virtual machines as well as the branch sites are sent a 0/0 to third party service route. 无法通过 RDP 或 SSH 登录这些虚拟机。You can't RDP or SSH into these virtual machines. 若要登录,可以在互连 VNet 中部署 Azure Bastion 服务。To sign in, you can deploy the Azure Bastion service in a peered VNet.

后续步骤Next steps