Azure Firewall Manager policy overview

Firewall Policy is an Azure resource that contains NAT, network, and application rule collections, plus Threat Intelligence settings. It is a global resource that can be used across multiple Azure Firewall instances in Secured Virtual Hubs and Hub Virtual Networks, and it works across regions and subscriptions.

[Figure: Azure Firewall Manager policy]

Policy creation and association

A policy can be created and managed in several ways: the Azure portal, the REST API, templates, Azure PowerShell, and the Azure CLI.

You can also create a policy by migrating the existing rules of an Azure Firewall, using either the portal or Azure PowerShell. For more information, see How to migrate Azure Firewall configurations to Azure Firewall policy.

A policy can be associated with one or more virtual hubs or VNets. The firewall can be in any subscription associated with your account and in any region.

Hierarchical policies

A new policy can be created from scratch or can inherit from an existing policy. Inheritance lets DevOps teams build local firewall policies on top of an organization-mandated base policy.

A policy created with a non-empty parent policy inherits all rule collections from the parent. Network rule collections inherited from the parent are always evaluated before the network rule collections defined in the new policy, regardless of the priorities the child assigns; the same ordering applies to application rule collections. Independently of inheritance, network rule collections are always processed before application rule collections.

The Threat Intelligence mode is also inherited from the parent policy. A child policy can set its Threat Intelligence mode to a different value, but it cannot turn the feature off: only a stricter value is accepted. For example, if the parent policy is set to Alert only, the local policy can be configured for Alert and deny, but not the other way around.

Like the Threat Intelligence mode, the Threat Intelligence allow list is inherited from the parent policy. A child policy can add further IP addresses to the allow list, but cannot remove the parent's entries.

NAT rule collections are not inherited, because they are specific to a given firewall (they reference that firewall's own public IP addresses).

With inheritance, any change to the parent policy is automatically applied to every child policy, and therefore to every firewall associated with those child policies.
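The following Azure PowerShell script is an added example, not code from the Azure documentation or from the Firewall Manager product team. It puts the two preceding sections together: it creates an organization base policy, derives a child policy from it with -BasePolicy, tightens the child's Threat Intelligence mode (the only direction the service allows), adds child-local network and NAT rule collections, and finally associates the child policy with a new firewall. The resource group, region, names, addresses, and the pre-existing hub VNet are assumptions for illustration; the Az.Network module and a session already signed in with Connect-AzAccount are required.

```powershell
# Added example (not from the original page). Names, addresses and the
# resource group are assumptions; adjust them before running.
$rg       = 'rg-firewall-demo'   # assumed to exist already
$location = 'westeurope'         # assumed region

# 1. Organization-mandated base policy.
#    Threat Intelligence runs in Alert mode; one partner address is allow-listed
#    (RFC 5737 / example.com values, constructed for the example).
$tiAllow = New-AzFirewallPolicyThreatIntelWhitelist `
    -IpAddress '203.0.113.10' -FQDN 'partner.example.com'
$parent = New-AzFirewallPolicy -Name 'fwpol-org-base' -ResourceGroupName $rg `
    -Location $location -ThreatIntelMode Alert -ThreatIntelWhitelist $tiAllow

# Base network rule collection. Everything inherited from the parent is
# evaluated before any collection the child defines, whatever priority the
# child picks, so a Deny here cannot be undone by a child Allow.
$denyTelnet = New-AzFirewallPolicyNetworkRule -Name 'deny-telnet' `
    -SourceAddress '10.0.0.0/8' -DestinationAddress '*' `
    -DestinationPort 23 -Protocol TCP
$baseColl = New-AzFirewallPolicyFilterRuleCollection -Name 'org-network-deny' `
    -Priority 100 -Rule $denyTelnet -ActionType Deny
New-AzFirewallPolicyRuleCollectionGroup -Name 'org-base-rcg' -Priority 100 `
    -FirewallPolicyObject $parent -RuleCollection $baseColl

# 2. Child policy for one application team, inheriting from the base policy.
#    ThreatIntelMode may only be tightened: Alert -> Deny is accepted;
#    Deny -> Alert or Off is rejected by the service.
$child = New-AzFirewallPolicy -Name 'fwpol-app-team' -ResourceGroupName $rg `
    -Location $location -BasePolicy $parent.Id -ThreatIntelMode Deny

# Child-local allow rule; the inherited 'org-network-deny' collection still
# runs first, and network collections still run before application ones.
$allowHttps = New-AzFirewallPolicyNetworkRule -Name 'allow-https-out' `
    -SourceAddress '10.20.0.0/16' -DestinationAddress '*' `
    -DestinationPort 443 -Protocol TCP
$childColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-network-allow' `
    -Priority 200 -Rule $allowHttps -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name 'app-rcg' -Priority 200 `
    -FirewallPolicyObject $child -RuleCollection $childColl

# 3. Public IP for the team's firewall. NAT rules reference this address,
#    which is why NAT collections are per firewall and are never inherited.
$pip = New-AzPublicIpAddress -Name 'pip-fw-app' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -Sku Standard
$dnat = New-AzFirewallPolicyNatRule -Name 'dnat-rdp-jump' -Protocol TCP `
    -SourceAddress '198.51.100.0/24' -DestinationAddress $pip.IpAddress `
    -DestinationPort 3389 -TranslatedAddress '10.20.1.4' -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name 'app-dnat' `
    -Priority 300 -Rule $dnat -ActionType Dnat
New-AzFirewallPolicyRuleCollectionGroup -Name 'app-nat-rcg' -Priority 300 `
    -FirewallPolicyObject $child -RuleCollection $natColl

# 4. Associate the child policy with a new firewall in the team's hub VNet.
#    The VNet (containing an 'AzureFirewallSubnet') is assumed to exist.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub-app' -ResourceGroupName $rg
New-AzFirewall -Name 'fw-app' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $child.Id

# 5. Confirm what the child actually inherited and overrode.
Get-AzFirewallPolicy -Name 'fwpol-app-team' -ResourceGroupName $rg |
    Select-Object Name, ThreatIntelMode, @{n='BasePolicy'; e={ $_.BasePolicy.Id }}
```

Two things are worth checking after running this. First, swap `-ThreatIntelMode Deny` on the child for `Off` or, after setting the parent to `Deny`, for `Alert`: the deployment fails, which is the enforcement point the text describes. Second, create a second child from the same `$parent.Id`, then change `org-network-deny` on the parent: both children pick up the change without being touched, while each keeps its own NAT collection.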

Traditional rules and policies

Azure Firewall supports both traditional rules and policies. The following comparison sets the two side by side:

Contains
  Policy: NAT, network, and application rules; custom DNS and DNS proxy settings; IP Groups; Threat Intelligence settings (including the allow list)
  Rules: NAT, network, and application rules; custom DNS and DNS proxy settings; IP Groups; Threat Intelligence settings (including the allow list)

Protects
  Policy: virtual hubs and virtual networks
  Rules: virtual networks only

Portal experience
  Policy: central management using Firewall Manager
  Rules: standalone firewall experience

Multiple firewall support
  Policy: Firewall Policy is a separate resource that can be reused across firewalls
  Rules: manually export and import rules, or use a third-party management solution

Pricing
  Policy: billed based on firewall association (see Pricing)
  Rules: free

Supported deployment mechanisms
  Policy: portal, REST API, templates, Azure PowerShell, and CLI
  Rules: portal, REST API, templates, PowerShell, and CLI


Policies are billed based on firewall associations. A policy with zero or one firewall association is free of charge; a policy with multiple firewall associations is billed at a fixed rate. For more information, see Azure Firewall Manager Pricing.

Next steps

To learn how to deploy an Azure Firewall, see Tutorial: Secure your cloud network with Azure Firewall Manager using the Azure portal.