Azure Firewall Manager deployment overview

There's more than one way to deploy Azure Firewall Manager, but the following general process is recommended.

General deployment process

Hub virtual networks

  1. Create a firewall policy

    • Create a new policy
      or
    • Derive a base policy and customize a local policy
      or
    • Import rules from an existing Azure Firewall. Make sure to remove NAT rules from policies that should be applied across multiple firewalls.
  2. Create your hub and spoke architecture

    • Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
      or
    • Create a virtual network and add virtual network connections and peer spoke virtual networks to it using virtual network peering
  3. Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.

    • This is done while you create a Hub Virtual Network
      or
    • Convert an existing virtual network to a Hub Virtual Network. It is also possible to convert multiple virtual networks.
  4. Configure User Defined Routes to route traffic to your Hub Virtual Network firewall.
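The four hub-virtual-network steps above, carried out with Azure PowerShell (the Az.Network module) rather than the Firewall Manager portal experience the page describes. This is an added example, not code from the page or from Microsoft's documentation; the resource group, region, resource names and address ranges are constructed placeholders. It also includes a check for the step 1 caveat: a policy that will be shared across firewalls should carry no NAT rule collections, because DNAT rules are tied to a single firewall's public IP.

```powershell
# Added example: deploy a hub virtual network secured by Azure Firewall with a Firewall Policy.
# All names, the region and the address ranges below are constructed placeholders.
$rg       = 'rg-fwm-demo'
$location = 'eastus'
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Step 1: create a firewall policy and give it one network rule collection.
$policy = New-AzFirewallPolicy -Name 'fwpol-hub' -ResourceGroupName $rg -Location $location

$rule = New-AzFirewallPolicyNetworkRule -Name 'allow-spoke-https' -Protocol TCP `
    -SourceAddress '10.1.0.0/16' -DestinationAddress '*' -DestinationPort 443
$coll = New-AzFirewallPolicyFilterRuleCollection -Name 'rc-network' -Priority 100 `
    -Rule $rule -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-default' -Priority 200 `
    -RuleCollection $coll -FirewallPolicyObject $policy | Out-Null
$policy = Get-AzFirewallPolicy -Name 'fwpol-hub' -ResourceGroupName $rg   # refresh the object

# Step 1 caveat: list any NAT rule collection in a policy before sharing it across firewalls.
# Returns one object per NAT rule collection found; nothing is returned for a clean policy.
function Get-NatRuleCollection {
    param([Parameter(Mandatory)] $FirewallPolicy)
    foreach ($rcgRef in $FirewallPolicy.RuleCollectionGroups) {
        $rcgName = $rcgRef.Id.Split('/')[-1]
        $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicy $FirewallPolicy
        $rcg.Properties.RuleCollection |
            Where-Object { $_.RuleCollectionType -eq 'FirewallPolicyNatRuleCollection' } |
            ForEach-Object { [pscustomobject]@{ Group = $rcgName; Collection = $_.Name } }
    }
}

# Step 2: hub VNet (with the mandatory AzureFirewallSubnet) and one spoke, peered both ways.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$hub = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet

$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.1.0.0/24'
$spoke = New-AzVirtualNetwork -Name 'vnet-spoke1' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $wlSubnet

Add-AzVirtualNetworkPeering -Name 'hub-to-spoke1' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'spoke1-to-hub' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id | Out-Null

# Step 3: deploy Azure Firewall into the hub and associate the policy with it.
$pip = New-AzPublicIpAddress -Name 'pip-fw-hub' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'fw-hub' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $hub -PublicIpAddress $pip -FirewallPolicyId $policy.Id

# Step 4: user-defined route on the spoke subnet sending all traffic to the firewall's private IP.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-spoke1' -ResourceGroupName $rg -Location $location `
    -Route $route -DisableBgpRoutePropagation

$spoke = Get-AzVirtualNetwork -Name 'vnet-spoke1' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name 'snet-workload' `
    -AddressPrefix '10.1.0.0/24' -RouteTable $rt | Out-Null
$spoke | Set-AzVirtualNetwork | Out-Null

# Verify the policy is safe to reuse on other firewalls (expect no output for this policy).
Get-NatRuleCollection -FirewallPolicy $policy
```

The route table is created with BGP route propagation disabled so that routes learned from a gateway cannot bypass the firewall; the NAT check is the programmatic form of the "remove NAT rules" instruction in step 1 and is worth running on any policy derived from an imported classic firewall.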

Secured virtual hubs

  1. Create your hub and spoke architecture

    • Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
      or
    • Create a Virtual WAN Hub and add virtual network connections.
  2. Select security providers

    • Done while creating a Secured Virtual Hub.
      or
    • Convert an existing Virtual WAN Hub to a Secured Virtual Hub.
  3. Create a firewall policy and associate it with your hub

    • Applicable only if using Azure Firewall.
    • Third-party security as a service (SECaaS) policies are configured via the partner's management experience.
  4. Configure route settings to route traffic to your secured hub

    • Easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke Virtual Networks using the Secured Virtual Hub Route Setting page.

Note

  • You can't have more than one hub per virtual WAN per region. But you can add multiple virtual WANs in the region to achieve this.
  • You can't have overlapping IP spaces for hubs in a vWAN.
  • Your hub VNet connections must be in the same region as the hub.

For more known issues, see What is Azure Firewall Manager?

Convert virtual networks

The following information applies if you convert an existing virtual network to a hub virtual network:

  • If the virtual network has an existing Azure Firewall, you select a Firewall Policy to associate with the existing firewall. The firewall provisioning status will be "Updating" while the firewall policy replaces the firewall rules. During that provisioning state, the firewall continues processing traffic and has no downtime. You can import existing rules into a Firewall Policy using Firewall Manager or Azure PowerShell.
  • If the virtual network doesn't have an associated Azure Firewall, a firewall is deployed and the Firewall Policy is associated with the new firewall.

Next steps