What are the Azure Firewall Manager architecture options?

Azure Firewall Manager can provide security management for two network architecture types:

  • Secured virtual hub

    An Azure Virtual WAN Hub is an Azure-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

  • Hub virtual network

    This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that are not peered to any spoke.

Comparison

The following table compares these two architecture options and can help you decide which one is right for your organization's security requirements:

| | Hub virtual network | Secured virtual hub |
|---|---|---|
| Underlying resource | Virtual network | Virtual WAN Hub |
| Hub & Spoke | Uses virtual network peering | Automated using hub virtual network connection |
| On-prem connectivity | VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute | More scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute |
| Automated branch connectivity using SDWAN | Not supported | Supported |
| Hubs per region | Multiple virtual networks per region | Single virtual hub per region. Multiple hubs possible with multiple Virtual WANs |
| Azure Firewall – multiple public IP addresses | Customer provided | Auto generated |
| Azure Firewall Availability Zones | Supported | Not yet available |
| Advanced Internet security with third-party Security as a Service partners | Customer established and managed VPN connectivity to partner service of choice | Automated via security partner provider flow and partner management experience |
| Centralized route management to route traffic to the hub | Customer-managed User Defined Route | Supported using BGP |
| Multiple security provider support | Supported with manually configured forced tunneling to third-party firewalls | Automated support for two security providers: Azure Firewall for private traffic filtering and third party for Internet filtering |
| Web Application Firewall on Application Gateway | Supported in virtual network | Currently supported in spoke network |
| Network Virtual Appliance | Supported in virtual network | Currently supported in spoke network |
| Azure DDoS Protection Standard support | Yes | No |

Next steps