What is Azure Firewall Manager?

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

  • Secured virtual hub

    An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

  • Hub virtual network

    This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that are not peered to any spoke.

For a detailed comparison of secured virtual hub and hub virtual network architectures, see What are the Azure Firewall Manager architecture options?

[Figure: Firewall Manager]

Azure Firewall Manager features

Azure Firewall Manager offers the following features:

Central Azure Firewall deployment and configuration

You can centrally deploy and configure multiple Azure Firewall instances that span different Azure regions and subscriptions.

Hierarchical policies (global and local)

You can use Azure Firewall Manager to centrally manage Azure Firewall policies across multiple secured virtual hubs. Your central IT teams can author global firewall policies to enforce organization-wide firewall policy across teams. Locally authored firewall policies allow a DevOps self-service model for better agility.
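The global/local split described above, as an added Azure PowerShell (Az.Network) example that is not part of the original page: central IT creates a base policy carrying an organization-wide deny rule, and an application team creates a child policy that inherits it through -BasePolicy. The resource group, location, policy names and addresses are assumed placeholders.

```powershell
# Added example, not from the Azure docs page. Assumes the Az.Network module is
# installed and Connect-AzAccount has already been run.
$rg       = "rg-firewall-policies"   # assumed resource group
$location = "chinanorth2"            # assumed; base and local policy share a region
                                     # (see "Known issues" on this page)

# 1. Global (base) policy owned by central IT: organization-wide rules live here.
$global = New-AzFirewallPolicy -Name "fwpol-global" -ResourceGroupName $rg -Location $location

# Constructed org-wide rule: deny outbound Telnet from every source.
$denyTelnet = New-AzFirewallPolicyNetworkRule -Name "deny-telnet" `
    -SourceAddress "*" -DestinationAddress "*" -DestinationPort 23 -Protocol "TCP"
$globalColl = New-AzFirewallPolicyFilterRuleCollection -Name "org-deny" -Priority 100 `
    -Rule $denyTelnet -ActionType "Deny"
New-AzFirewallPolicyRuleCollectionGroup -Name "global-rcg" -Priority 100 `
    -RuleCollection $globalColl -FirewallPolicyObject $global

# 2. Local (child) policy owned by an application team. -BasePolicy links it to
#    the global policy, so base-policy rules are evaluated before local ones.
$local = New-AzFirewallPolicy -Name "fwpol-app-team" -ResourceGroupName $rg `
    -Location $location -BasePolicy $global.Id

# Constructed local rule: the team allows HTTPS from its own (assumed) spoke range.
$allowWeb = New-AzFirewallPolicyNetworkRule -Name "allow-https" `
    -SourceAddress "10.20.0.0/16" -DestinationAddress "*" -DestinationPort 443 -Protocol "TCP"
$localColl = New-AzFirewallPolicyFilterRuleCollection -Name "app-allow" -Priority 200 `
    -Rule $allowWeb -ActionType "Allow"
New-AzFirewallPolicyRuleCollectionGroup -Name "local-rcg" -Priority 200 `
    -RuleCollection $localColl -FirewallPolicyObject $local

# 3. Check: the child policy should reference the global policy as its base.
(Get-AzFirewallPolicy -Name "fwpol-app-team" -ResourceGroupName $rg).BasePolicy.Id
```

The local policy's allow rule cannot override the base policy's deny, which is what lets the base policy serve as the organization-wide guardrail.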

Integrated with third-party security-as-a-service for advanced security

In addition to Azure Firewall, you can integrate third-party security as a service (SECaaS) providers to provide additional network protection for your VNet and branch Internet connections.

This feature is available only with secured virtual hub deployments.

  • VNet to Internet (V2I) traffic filtering

    • Filter outbound virtual network traffic with your preferred third-party security provider.
    • Leverage advanced user-aware Internet protection for your cloud workloads running on Azure.
  • Branch to Internet (B2I) traffic filtering

    Leverage your Azure connectivity and global distribution to easily add third-party filtering for branch to Internet scenarios.

For more information about security partner providers, see What are Azure Firewall Manager security partner providers?

Centralized route management

Easily route traffic to your secured hub for filtering and logging without the need to manually set up User-Defined Routes (UDR) on spoke virtual networks.

This feature is available only with secured virtual hub deployments.

You can use third-party providers for Branch to Internet (B2I) traffic filtering, side by side with Azure Firewall for Branch to VNet (B2V), VNet to VNet (V2V) and VNet to Internet (V2I). You can also use third-party providers for V2I traffic filtering as long as Azure Firewall is not required for B2V or V2V.

Region availability

Azure Firewall Policies can be used across regions. For example, you can create a policy in China North 2, and use it in China East 2.

Known issues

Azure Firewall Manager has the following known issues:

  • Traffic splitting

    Description: Microsoft 365 and Azure Public PaaS traffic splitting isn't currently supported. As such, selecting a third-party provider for V2I or B2I also sends all Azure Public PaaS and Microsoft 365 traffic via the partner service.
    Mitigation: Investigating traffic splitting at the hub.

  • One secured virtual hub per region

    Description: You can't have more than one secured virtual hub per region.
    Mitigation: Create multiple virtual WANs in a region.

  • Base policies must be in the same region as the local policy

    Description: Create all your local policies in the same region as the base policy. You can still apply a policy that was created in one region on a secured hub from another region.
    Mitigation: Investigating.

  • Filtering inter-hub traffic in secure virtual hub deployments

    Description: Secured Virtual Hub to Secured Virtual Hub communication filtering isn't yet supported. However, hub to hub communication still works if private traffic filtering via Azure Firewall isn't enabled.
    Mitigation: Investigating.

  • Spokes in a different region than the virtual hub

    Description: Spokes in a different region than the virtual hub aren't supported.
    Mitigation: Investigating. Create a hub per region and peer VNets in the same region as the hub.

  • Branch to branch traffic with private traffic filtering enabled

    Description: Branch to branch traffic isn't supported when private traffic filtering is enabled.
    Mitigation: Investigating. Don't secure private traffic if branch to branch connectivity is critical.

  • All Secured Virtual Hubs sharing the same virtual WAN must be in the same resource group

    Description: This behavior is aligned with Virtual WAN Hubs today.
    Mitigation: Create multiple Virtual WANs to allow Secured Virtual Hubs to be created in different resource groups.

  • Bulk IP address addition fails

    Description: The secure hub firewall goes into a failed state if you add multiple public IP addresses.
    Mitigation: Add smaller public IP address increments. For example, add 10 at a time.

  • Application rules fail in a secure hub with custom DNS (preview) configured

    Description: Custom DNS (preview) doesn't work in secure hub deployments and Hub virtual network deployments where forced tunneling is enabled.
    Mitigation: Fix under investigation.

  • DDoS Protection Standard not supported with secured virtual hubs

    Description: DDoS Protection Standard is not integrated with vWANs.
    Mitigation: Investigating.

  • Activity logs not fully supported

    Description: Firewall policy does not currently support Activity logs.
    Mitigation: Investigating.

  • Configuring SNAT private IP address ranges

    Description: Private IP range settings are ignored if Azure Firewall policy is configured. The default Azure Firewall behavior is used, where it doesn't SNAT Network rules when the destination IP address is in a private IP address range per IANA RFC 1918.
    Mitigation: Investigating.

  • Some firewall settings are not migrated when the firewall is migrated to use Firewall Policy

    Description: Availability Zones and SNAT private addresses are not migrated when you migrate to Azure Firewall Policy.
    Mitigation: Investigating.

Next steps