Azure Firewall features

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

Firewall overview

Azure Firewall includes the following features:

Built-in high availability

High availability is built in, so no additional load balancers are required and there's nothing you need to configure.

Unrestricted cloud scalability

Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic or Azure SQL traffic (preview) to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require TLS termination.

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
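The two rule types described above (application rules keyed on FQDNs with wildcards, and network rules keyed on source/destination address, port and protocol) and the stateful behaviour that lets reply packets through without a rule of their own are easiest to understand with a small, runnable model. The following Python block is an added example, not Azure Firewall code or Microsoft documentation: it is a deliberately simplified evaluator that does not reproduce Azure Firewall's rule-collection priorities, and the subnet, addresses and FQDN names in it are constructed sample data. The wildcard semantics (`*.example.com` matching any subdomain but not the apex) are an assumption of this model.

```python
"""Simplified model of centralized allow/deny filtering with connection state.

Added example, not Azure Firewall code. Addresses, subnets and FQDNs below are
constructed sample data; rule-collection priorities are not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str                   # "TCP" or "UDP"
    sport: int = 0
    fqdn: Optional[str] = None   # set for HTTP/S requests (Host/SNI), otherwise None


def _in_any(addr: str, cidrs) -> bool:
    return any(ip_address(addr) in ip_network(c) for c in cidrs)


@dataclass
class NetworkRule:
    action: str          # "Allow" or "Deny"
    sources: list        # source CIDRs
    destinations: list   # destination CIDRs
    ports: list          # destination ports
    protocols: list      # e.g. ["TCP", "UDP"]

    def matches(self, f: Flow) -> bool:
        return (f.proto in self.protocols and f.dport in self.ports
                and _in_any(f.src, self.sources) and _in_any(f.dst, self.destinations))


@dataclass
class ApplicationRule:
    action: str
    sources: list
    target_fqdns: list   # exact names or "*.example.com" wildcards
    ports: list = field(default_factory=lambda: [80, 443])

    @staticmethod
    def fqdn_matches(pattern: str, name: str) -> bool:
        # Assumption of this model: "*.example.com" matches any subdomain of
        # example.com but not the apex name itself; exact entries match case-insensitively.
        pattern, name = pattern.lower(), name.lower()
        if pattern.startswith("*."):
            return name.endswith(pattern[1:]) and name != pattern[2:]
        return pattern == name

    def matches(self, f: Flow) -> bool:
        return (f.fqdn is not None and f.proto == "TCP" and f.dport in self.ports
                and _in_any(f.src, self.sources)
                and any(self.fqdn_matches(p, f.fqdn) for p in self.target_fqdns))


class StatefulFirewall:
    def __init__(self, network_rules, application_rules):
        self.rules = list(network_rules) + list(application_rules)
        self.connections = set()   # 5-tuples of connections an Allow rule admitted

    def evaluate(self, f: Flow) -> str:
        # Stateful shortcut: a packet whose 5-tuple reverses an allowed connection
        # is the legitimate reply half and needs no rule of its own.
        if (f.dst, f.dport, f.src, f.sport, f.proto) in self.connections:
            return "Allow (established)"
        for rule in self.rules:          # first matching rule wins in this model
            if rule.matches(f):
                if rule.action == "Allow":
                    self.connections.add((f.src, f.sport, f.dst, f.dport, f.proto))
                return rule.action
        return "Deny (no matching rule)"


def build_demo_firewall() -> StatefulFirewall:
    """Constructed policy: workloads in 10.1.0.0/24 may reach DNS on 10.0.0.4 and
    HTTPS to *.windowsupdate.com; everything else is denied by default."""
    return StatefulFirewall(
        [NetworkRule("Allow", ["10.1.0.0/24"], ["10.0.0.4/32"], [53], ["UDP", "TCP"])],
        [ApplicationRule("Allow", ["10.1.0.0/24"], ["*.windowsupdate.com"])],
    )


def run_filter_demo() -> dict:
    fw = build_demo_firewall()
    return {
        "dns": fw.evaluate(Flow("10.1.0.10", "10.0.0.4", 53, "UDP", sport=50000)),
        # The DNS server's reply reverses the 5-tuple: admitted by state, not by a rule.
        "dns_reply": fw.evaluate(Flow("10.0.0.4", "10.1.0.10", 50000, "UDP", sport=53)),
        # Unsolicited packet to a different host on the same ports: no state, no rule.
        "unsolicited": fw.evaluate(Flow("10.0.0.4", "10.1.0.11", 50000, "UDP", sport=53)),
        "update": fw.evaluate(Flow("10.1.0.10", "192.0.2.8", 443, "TCP", sport=50001,
                                   fqdn="download.windowsupdate.com")),
        "other_fqdn": fw.evaluate(Flow("10.1.0.10", "192.0.2.9", 443, "TCP", sport=50002,
                                       fqdn="example.net")),
        "apex": fw.evaluate(Flow("10.1.0.10", "192.0.2.8", 443, "TCP", sport=50003,
                                 fqdn="windowsupdate.com")),
    }


if __name__ == "__main__":
    for name, verdict in run_filter_demo().items():
        print(f"{name:12} -> {verdict}")
```

The instructive cases are `dns_reply` versus `unsolicited`: both arrive from the same server on the same ports, but only the one that reverses a connection the firewall already admitted is allowed, which is what "fully stateful" buys you over a stateless packet filter.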

FQDN tags

FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.

Service tags

A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can't create your own service tag, nor specify which IP addresses are included within a tag. Azure manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.

Threat intelligence

Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Azure Threat Intelligence feed.

Outbound SNAT support

All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is a private IP range per IANA RFC 1918.

If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to not SNAT your public IP address range. For more information, see Azure Firewall SNAT private IP address ranges.

Inbound DNAT support

Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

Multiple public IP addresses

You can associate multiple public IP addresses (up to 250) with your firewall.

This enables the following scenarios:

  • DNAT - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
  • SNAT - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a public IP prefix to simplify this configuration.
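The SNAT decisions described in the outbound SNAT section (no SNAT to RFC 1918 destinations, SNAT to a firewall private IP when a public range is used privately, and an opt-out for such ranges) and the multi-IP DNAT scenario in the list above can be captured in one runnable model. The Python block below is an added example, not Azure Firewall code: every address in it is constructed (the firewall is assumed to own 203.0.113.10 and 203.0.113.11 and to have private IP 10.0.0.4 in AzureFirewallSubnet, and 198.51.100.0/24 stands in for a public range the organization uses on its private network), and treating "reachable over the private network" as a list the model is told about is a modelling assumption rather than how the service itself decides.

```python
"""Simplified model of Azure Firewall-style SNAT and DNAT decisions.

Added example, not Azure Firewall code. All addresses are constructed sample
data (RFC 5737 documentation ranges and private RFC 1918 space).
"""
import random
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class NatModel:
    def __init__(self, public_ips, firewall_private_ip, org_internal_ranges=(),
                 snat_private_ranges=(), seed=0):
        self.public_ips = list(public_ips)
        self.firewall_private_ip = firewall_private_ip
        # Modelling assumption: public address space the organization reaches over
        # its private network rather than the Internet.
        self.org_internal = [ip_network(n) for n in org_internal_ranges]
        # Ranges the firewall has been configured to treat as private (no SNAT),
        # on top of the RFC 1918 ranges it exempts by default.
        self.snat_private = [ip_network(n) for n in snat_private_ranges]
        self.dnat_rules = {}   # (public_ip, proto, port) -> (backend_ip, backend_port)
        self._rng = random.Random(seed)

    def snat_source(self, src: str, dst: str) -> str:
        """Source address a packet carries after it leaves the firewall."""
        d = ip_address(dst)
        if any(d in n for n in RFC1918 + self.snat_private):
            return src                             # private destination: no SNAT
        if any(d in n for n in self.org_internal):
            return self.firewall_private_ip        # public range used privately: SNAT to firewall private IP
        return self._rng.choice(self.public_ips)   # Internet-bound: one of the public IPs, chosen at random

    def add_dnat(self, public_ip: str, proto: str, port: int,
                 backend_ip: str, backend_port: int) -> None:
        if public_ip not in self.public_ips:
            raise ValueError(f"{public_ip} is not associated with this firewall")
        self.dnat_rules[(public_ip, proto, port)] = (backend_ip, backend_port)

    def dnat_target(self, dst: str, proto: str, port: int) -> Optional[Tuple[str, int]]:
        """Backend (ip, port) an inbound packet is translated to, or None without a rule."""
        return self.dnat_rules.get((dst, proto, port))


def build_nat_demo() -> NatModel:
    fw = NatModel(["203.0.113.10", "203.0.113.11"], "10.0.0.4",
                  org_internal_ranges=["198.51.100.0/24"])
    # The same standard port on two public IPs, each mapped to its own backend.
    fw.add_dnat("203.0.113.10", "TCP", 3389, "10.1.0.5", 3389)
    fw.add_dnat("203.0.113.11", "TCP", 3389, "10.1.0.6", 3389)
    return fw


def run_nat_demo() -> dict:
    fw = build_nat_demo()
    # Same firewall, but with the organization's public range declared private (no SNAT).
    exempt = NatModel(fw.public_ips, "10.0.0.4", snat_private_ranges=["198.51.100.0/24"])
    return {
        "to_rfc1918": fw.snat_source("10.1.0.10", "10.2.0.7"),
        "to_org_public_range": fw.snat_source("10.1.0.10", "198.51.100.20"),
        "to_org_range_exempted": exempt.snat_source("10.1.0.10", "198.51.100.20"),
        "to_internet": fw.snat_source("10.1.0.10", "192.0.2.50"),
        "rdp_ip1": fw.dnat_target("203.0.113.10", "TCP", 3389),
        "rdp_ip2": fw.dnat_target("203.0.113.11", "TCP", 3389),
        "no_rule": fw.dnat_target("203.0.113.10", "TCP", 22),
    }


if __name__ == "__main__":
    for name, result in run_nat_demo().items():
        print(f"{name:22} -> {result}")
```

Because the Internet-bound case picks a public IP at random, the only safe assumption for anything filtering downstream of the firewall is that a connection may arrive from any of the associated public IPs, which is exactly the point the SNAT bullet makes.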

Azure Monitor logging

All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs. For more information, see Tutorial: Monitor Azure Firewall logs and metrics.

Forced tunneling

You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you may have an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. For more information, see Azure Firewall forced tunneling.

Certifications

Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.

Next steps