Use Azure Firewall policy to define a rule hierarchy

Security administrators need to manage firewalls and ensure compliance across on-premises and cloud deployments. A key component is the ability to give application teams the flexibility to implement CI/CD pipelines that create firewall rules in an automated way.

Azure Firewall policy allows you to define a rule hierarchy and enforce compliance:

  • Provides a hierarchical structure to overlay a central base policy on top of a child application team policy. The base policy has a higher priority and runs before the child policy.
  • Use an Azure custom role definition to prevent inadvertent base policy removal and to provide selective access to rule collection groups within a subscription or resource group.

Solution overview

The high-level steps for this example are:

  1. Create a base firewall policy in the security team resource group.
  2. Define IT security-specific rules in the base policy. This adds a common set of rules to allow or deny traffic.
  3. Create application team policies that inherit the base policy.
  4. Define application team-specific rules in the policy. You can also migrate rules from pre-existing firewalls.
  5. Create Azure Active Directory custom roles to provide fine-grained access to rule collection groups, and add the roles at the Firewall Policy scope. In the following example, Sales team members can edit rule collection groups for the Sales team's Firewall Policy. The same applies to the Database and Engineering teams.
  6. Associate the policy to the corresponding firewall. An Azure firewall can have only one assigned policy. This requires each application team to have its own firewall.

[Figure: Teams and requirements]

Create the firewall policies

  • A base firewall policy.

Create policies for each of the application teams:

  • A Sales firewall policy. The Sales firewall policy inherits the base firewall policy.
  • A Database firewall policy. The Database firewall policy inherits the base firewall policy.
  • An Engineering firewall policy. The Engineering firewall policy also inherits the base firewall policy.
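Steps 1 to 3 of the overview (base policy with a guardrail rule, then the three inheriting team policies) carried out with Az PowerShell, as an added example that is not part of the original article. It assumes Az.Network is loaded and Connect-AzAccount has been run; the resource group and region names are placeholders, and Test-PolicyHierarchy is a helper written for this example.

```powershell
# Added example (not from the Azure article): create the security team's base
# policy with a guardrail that denies ICMP, then create the three application
# team policies that inherit it. Assumes Az.Network is loaded and
# Connect-AzAccount has been run. Resource group and region names are placeholders.
$location   = "eastus"
$securityRg = "SecurityTeam-rg"
$appRg      = "AppTeams-rg"

# Steps 1-2: base policy plus the IT security rules that run before any child policy.
$basePolicy = New-AzFirewallPolicy -Name "BasePolicy" `
    -ResourceGroupName $securityRg -Location $location

$denyIcmp = New-AzFirewallPolicyNetworkRule -Name "DenyICMP" -Protocol ICMP `
    -SourceAddress "*" -DestinationAddress "*" -DestinationPort "*"
$guardrails = New-AzFirewallPolicyFilterRuleCollection -Name "SecurityGuardrails" `
    -Priority 100 -ActionType Deny -Rule $denyIcmp
New-AzFirewallPolicyRuleCollectionGroup -Name "BaseRcg" -Priority 100 `
    -RuleCollection $guardrails -FirewallPolicyObject $basePolicy | Out-Null

# Step 3: one child policy per application team, each inheriting the base policy
# through -BasePolicy, so the guardrails above are evaluated before the team's rules.
$childPolicies = @{}
foreach ($team in "Sales", "Database", "Engineering") {
    $childPolicies[$team] = New-AzFirewallPolicy -Name "${team}AppPolicy" `
        -ResourceGroupName $appRg -Location $location -BasePolicy $basePolicy.Id
}

# Helper written for this example: every child must point at the base policy,
# otherwise the central guardrails do not apply to that team's firewall.
function Test-PolicyHierarchy {
    param([string]$BaseId, [hashtable]$Children)
    foreach ($p in $Children.Values) {
        if ($p.BasePolicy.Id -ne $BaseId) { return $false }
    }
    return $true
}

if (-not (Test-PolicyHierarchy -BaseId $basePolicy.Id -Children $childPolicies)) {
    throw "A child policy does not inherit BasePolicy; guardrails would not apply."
}
```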

[Figure: Policy hierarchy]

Create custom roles to access the rule collection groups

Custom roles are defined for each application team. The role defines operations and scope. The application teams are allowed to edit rule collection groups for their respective applications.

Use the following high-level procedure to define custom roles:

  1. Get the subscription:

    Select-AzSubscription -SubscriptionId xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx

  2. Run the following command:

    Get-AzProviderOperation "Microsoft.Support/*" | FT Operation, Description -AutoSize

  3. Use the Get-AzRoleDefinition command to output the Reader role in JSON format.

    Get-AzRoleDefinition -Name "Reader" | ConvertTo-Json | Out-File C:\CustomRoles\ReaderSupportRole.json

  4. Open the ReaderSupportRole.json file in an editor.

    The following shows the JSON output. For information about the different properties, see Azure custom roles.

   { 
     "Name": "Reader", 
     "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7", 
     "IsCustom": false, 
     "Description": "Lets you view everything, but not make any changes.", 
     "Actions": [ 
      "*/read" 
     ], 
     "NotActions": [], 
     "DataActions": [], 
     "NotDataActions": [], 
     "AssignableScopes": [ 
       "/" 
     ] 
   } 
  5. Edit the JSON file to add the following operations to the Actions property:

    "*/read", "Microsoft.Network/*/read", "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"

    Be sure to include a comma after the read operation. The write action allows the user to create and update rule collection groups.

  6. In AssignableScopes, add your subscription ID with the following format:

    /subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx

    You must add explicit subscription IDs, otherwise you won't be allowed to import the role into your subscription.

  7. Delete the Id property line and change the IsCustom property to true.

  8. Change the Name and Description properties to "AZFM Rule Collection Group Author" and "Users in this role can edit Firewall Policy rule collection groups".

Your JSON file should look similar to the following example:

    {
      "Name": "AZFM Rule Collection Group Author",
      "IsCustom": true,
      "Description": "Users in this role can edit Firewall Policy rule collection groups",
      "Actions": [
        "*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx"
      ]
    }

  9. To create the new custom role, use the New-AzRoleDefinition command and specify the JSON role definition file.

    New-AzRoleDefinition -InputFile "C:\CustomRoles\RuleCollectionGroupRole.json"
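The same role built in memory from the Reader role and checked before import, as an added example that is not part of the original article. It assumes Az.Resources is loaded and Connect-AzAccount has been run; Test-RcgAuthorRole is a helper written for this example.

```powershell
# Added example (not from the Azure article): derive the AZFM Rule Collection Group
# Author role from the built-in Reader role, check it, then import it.
# Assumes Az.Resources is loaded and Connect-AzAccount has already been run.
$subscriptionId = (Get-AzContext).Subscription.Id

$role = Get-AzRoleDefinition -Name "Reader"
$role.Id = $null                      # Azure assigns a new Id to the custom role
$role.IsCustom = $true
$role.Name = "AZFM Rule Collection Group Author"
$role.Description = "Users in this role can edit Firewall Policy rule collection groups"
$role.Actions.Clear()
$role.Actions.Add("*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Network/firewallPolicies/ruleCollectionGroups/write")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId")   # explicit scope, never "/"

# Helper written for this example: confirm the role grants only what the article
# intends. Without a write on the policy itself a member cannot change the
# hierarchy, DNS or threat-intelligence settings, and without a delete action
# cannot remove the firewall or the policy.
function Test-RcgAuthorRole {
    param($Definition)
    $allowedActions = @(
        "*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Network/firewallPolicies/ruleCollectionGroups/write"
    )
    $extra = $Definition.Actions | Where-Object { $_ -notin $allowedActions }
    $badScope = $Definition.AssignableScopes |
        Where-Object { $_ -notmatch '^/subscriptions/[0-9a-fA-F-]{36}$' }
    return ($Definition.IsCustom -and
            -not $extra -and
            -not $badScope -and
            $Definition.DataActions.Count -eq 0)
}

if (-not (Test-RcgAuthorRole -Definition $role)) {
    throw "Role definition grants more than rule collection group authoring; not importing."
}
New-AzRoleDefinition -Role $role | Out-Null

# Confirm the import the same way the article lists custom roles.
Get-AzRoleDefinition | Where-Object { $_.IsCustom } | Format-Table Name, IsCustom
```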

List custom roles

To list all the custom roles, you can use the Get-AzRoleDefinition command:

Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

You can also see the custom roles in the Azure portal. Go to your subscription and select Access control (IAM), then Roles.

[Figure: SalesAppPolicy]

[Figure: SalesAppPolicy Read access]

Add users to the custom role

In the portal, you can add users to the AZFM Rule Collection Group Author role and provide access to the firewall policies.

  1. From the portal, select the application team firewall policy (for example, SalesAppPolicy).
  2. Select Access control.
  3. Select Add role assignment.
  4. Add users or user groups (for example, the Sales team) to the role.

Repeat this procedure for the other firewall policies.

Summary

Firewall Policy with custom roles now provides selective access to firewall policy rule collection groups.

Users don't have permissions to:

  • Delete the Azure Firewall or firewall policy.
  • Update the firewall policy hierarchy, DNS settings, or threat intelligence.
  • Update a firewall policy where they are not members of the AZFM Rule Collection Group Author group.

Security administrators can use the base policy to enforce guardrails and block certain types of traffic (for example, ICMP) as required by their enterprise.

Next steps

Learn more about Azure Firewall policy.