Azure Firewall FAQ

What is Azure Firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

What capabilities are supported in Azure Firewall?

To learn about Azure Firewall features, see Azure Firewall features.

What is the typical deployment model for Azure Firewall?

You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region.

The advantage of this model is the ability to centrally exert control on multiple spoke VNets across different subscriptions. There are also cost savings, because you don't need to deploy a firewall in each VNet separately. The cost savings should be measured against the associated peering cost, based on the customer's traffic patterns.

How can I install Azure Firewall?

You can set up Azure Firewall by using the Azure portal, PowerShell, the REST API, or templates. See Tutorial: Deploy and configure Azure Firewall using the Azure portal for step-by-step instructions.

What are some Azure Firewall concepts?

Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.

There are three types of rule collections:

  • Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
  • NAT rules: Configure DNAT rules to allow incoming Internet connections.
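The following is an added example, not code from this FAQ or from the Azure documentation, showing one collection of each rule type being attached to an existing firewall with the Az.Network PowerShell module. Resource names, address ranges, FQDNs and the public IP are placeholders; the cmdlet names and the Add*RuleCollection methods on the firewall object are used as the editor knows them from the Az module and should be checked against your installed version.

```powershell
# Added example (not from the Azure docs page): one collection of each rule type.
# Resource names, addresses and FQDNs are placeholders; replace them with your own.
$rgName = "RG Name"
$fwName = "FW Name"
$azfw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName

# 1. Application rule collection: allow HTTP/S from the spoke subnet to a set of FQDNs.
#    "*.contoso.com" covers subdomains only, so the apex "contoso.com" is listed explicitly.
$appRule = New-AzFirewallApplicationRule -Name "allow-contoso" `
    -SourceAddress "10.1.0.0/24" `
    -TargetFqdn "*.contoso.com", "contoso.com" `
    -Protocol "Http:80", "Https:443"
$appCollection = New-AzFirewallApplicationRuleCollection -Name "app-allow" `
    -Priority 200 -Rule $appRule -ActionType "Allow"

# 2. Network rule collection: allow DNS (TCP/UDP 53) from the spoke subnet to two resolvers,
#    and allow HTTPS to the AzureActiveDirectory service tag (blocked by default otherwise).
$dnsRule = New-AzFirewallNetworkRule -Name "allow-dns" `
    -SourceAddress "10.1.0.0/24" `
    -DestinationAddress "10.0.2.4", "10.0.2.5" `
    -DestinationPort 53 -Protocol "TCP", "UDP"
$aadRule = New-AzFirewallNetworkRule -Name "allow-aad" `
    -SourceAddress "10.1.0.0/24" `
    -DestinationAddress "AzureActiveDirectory" `
    -DestinationPort 443 -Protocol "TCP"
$netCollection = New-AzFirewallNetworkRuleCollection -Name "net-allow" `
    -Priority 100 -Rule $dnsRule, $aadRule -ActionType "Allow"

# 3. NAT rule collection: publish RDP on the firewall's public IP to one internal host.
#    The matching network rule is added implicitly, so restrict SourceAddress instead of "*".
$fwPublicIp = "203.0.113.10"   # placeholder: the firewall's public IP address
$natRule = New-AzFirewallNatRule -Name "rdp-to-jumphost" `
    -SourceAddress "198.51.100.0/24" `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 -Protocol "TCP" `
    -TranslatedAddress "10.1.0.4" -TranslatedPort 3389
$natCollection = New-AzFirewallNatRuleCollection -Name "nat-inbound" `
    -Priority 100 -Rule $natRule

# Attach the collections to the local firewall object, then push the configuration.
$azfw.AddApplicationRuleCollection($appCollection)
$azfw.AddNetworkRuleCollection($netCollection)
$azfw.AddNatRuleCollection($natCollection)
Set-AzFirewall -AzureFirewall $azfw
```

Because network rule collections are evaluated before application rule collections and every rule is terminating, an explicit deny in `net-allow` would prevent the application rules from ever being consulted for that flow; keep that ordering in mind when reviewing why a connection was allowed or denied.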

Does Azure Firewall support inbound traffic filtering?

Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols, for example RDP, SSH, and FTP.

Which logging and analytics services are supported by Azure Firewall?

Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs. Logs can be sent to Log Analytics, Azure Storage, or Event Hubs. They can be analyzed in Log Analytics or by other tools such as Excel and Power BI. For more information, see Tutorial: Monitor Azure Firewall logs.
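As an added example (not from this FAQ or the Azure documentation), the script below enables the firewall's rule-hit log categories to a Log Analytics workspace and then runs a query that counts denied network-rule hits. Resource names are placeholders. It assumes the older Az.Monitor `Set-AzDiagnosticSetting` cmdlet (newer module versions use `New-AzDiagnosticSetting`) and the legacy `AzureDiagnostics` table layout, in which the firewall's log message is in the `msg_s` column.

```powershell
# Added example (not from the Azure docs page): send firewall logs to a Log Analytics
# workspace and query denied network connections. Names are placeholders.
$rgName        = "RG Name"
$fwName        = "FW Name"
$workspaceName = "LA Workspace Name"

$azfw      = Get-AzFirewall -Name $fwName -ResourceGroupName $rgName
$workspace = Get-AzOperationalInsightsWorkspace -Name $workspaceName -ResourceGroupName $rgName

# Enable the application-rule and network-rule log categories for the workspace.
# (Older Az.Monitor cmdlet; newer versions provide New-AzDiagnosticSetting instead.)
Set-AzDiagnosticSetting -Name "fw-to-loganalytics" `
    -ResourceId $azfw.Id `
    -WorkspaceId $workspace.ResourceId `
    -Category "AzureFirewallApplicationRule", "AzureFirewallNetworkRule" `
    -Enabled $true

# Query: denied network-rule hits in the last 24 hours, grouped by log message.
# Assumes the legacy AzureDiagnostics schema where msg_s carries the rule log text,
# which includes the word "Deny" when a flow is denied.
$query = @"
AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| where TimeGenerated > ago(24h)
| where msg_s has "Deny"
| summarize Hits = count() by msg_s
| order by Hits desc
"@

# Invoke-AzOperationalInsightsQuery takes the workspace's customer ID (GUID), not its resource ID.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query
$result.Results | Format-Table -AutoSize
```

Logs only start flowing after the diagnostic setting is created, so run the query some minutes after enabling it; a sudden rise in denied hits from one source is the kind of signal a SOC would alert on from this table.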

How does Azure Firewall work differently from existing services such as NVAs in the marketplace?

Azure Firewall is a basic firewall service that can address certain customer scenarios. It's expected that you'll have a mix of third-party NVAs and Azure Firewall. Working better together is a core priority.

What is the difference between Application Gateway WAF and Azure Firewall?

The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example, RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.

What is the difference between Network Security Groups (NSGs) and Azure Firewall?

The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.

Are Network Security Groups (NSGs) supported on the AzureFirewallSubnet?

Azure Firewall is a managed service with multiple protection layers, including platform protection with NIC-level NSGs (not viewable). Subnet-level NSGs aren't required on the AzureFirewallSubnet, and are disabled to ensure no service interruption.

How do I set up Azure Firewall with my service endpoints?

For secure access to PaaS services, we recommend service endpoints. You can choose to enable service endpoints in the Azure Firewall subnet and disable them on the connected spoke virtual networks. This way you benefit from both features: service endpoint security and central logging for all traffic.

What is the pricing for Azure Firewall?

See Azure Firewall Pricing.

How can I stop and start Azure Firewall?

You can use the Azure PowerShell Deallocate and Allocate methods.

For example:

# Stop an existing firewall
# Deallocate() only changes the local object; Set-AzFirewall applies the change.
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
$azfw.Deallocate()
Set-AzFirewall -AzureFirewall $azfw

# Start a firewall
# Allocate() needs the original VNet (with its AzureFirewallSubnet) and the public IP(s).
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
$vnet = Get-AzVirtualNetwork -ResourceGroupName "RG Name" -Name "VNet Name"
$publicip1 = Get-AzPublicIpAddress -Name "Public IP1 Name" -ResourceGroupName "RG Name"
$publicip2 = Get-AzPublicIpAddress -Name "Public IP2 Name" -ResourceGroupName "RG Name"
$azfw.Allocate($vnet, @($publicip1, $publicip2))
Set-AzFirewall -AzureFirewall $azfw

Note

You must reallocate a firewall and its public IP to the original resource group and subscription.

What are the known service limits?

For Azure Firewall service limits, see Azure subscription and service limits, quotas, and constraints.

Can Azure Firewall in a hub virtual network forward and filter network traffic between two spoke virtual networks?

Yes, you can use Azure Firewall in a hub virtual network to route and filter traffic between two spoke virtual networks. Subnets in each of the spoke virtual networks must have a UDR pointing to the Azure Firewall as a default gateway for this scenario to work properly.

Can Azure Firewall forward and filter network traffic between subnets in the same virtual network or peered virtual networks?

Yes. However, configuring the UDRs to redirect traffic between subnets in the same VNet requires additional attention. While using the VNet address range as a target prefix for the UDR is sufficient, this also routes all traffic from one machine to another machine in the same subnet through the Azure Firewall instance. To avoid this, include a route for the subnet in the UDR with a next hop type of VNet. Managing these routes might be cumbersome and prone to error. The recommended method for internal network segmentation is to use Network Security Groups, which don't require UDRs.

Does Azure Firewall outbound SNAT between private networks?

Azure Firewall doesn't SNAT when the destination IP address is a private IP range per IANA RFC 1918. If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to not SNAT your public IP address range. For more information, see Azure Firewall SNAT private IP address ranges.

Is forced tunneling/chaining to a Network Virtual Appliance supported?

Forced tunneling is supported when you create a new firewall. You can't configure an existing firewall for forced tunneling. For more information, see Azure Firewall forced tunneling.

Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override it with a 0.0.0.0/0 UDR with the NextHopType value set to Internet to maintain direct Internet connectivity.

If your configuration requires forced tunneling to an on-premises network and you can determine the target IP prefixes for your Internet destinations, you can configure these ranges with the on-premises network as the next hop via a user-defined route on the AzureFirewallSubnet. Or, you can use BGP to define these routes.
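The two route-table patterns from the spoke-to-spoke, same-VNet and forced-tunneling answers above, as one added example that is not part of this FAQ or the Azure documentation: a spoke subnet route table that sends everything to the firewall except traffic that stays within the subnet, and a route table for AzureFirewallSubnet whose 0.0.0.0/0 route with next hop Internet overrides a BGP-learned default route. Resource names, address ranges, the region and the firewall's private IP are placeholders.

```powershell
# Added example (not from the Azure docs page). Builds two route tables:
#  (a) for a spoke workload subnet, and (b) for AzureFirewallSubnet in the hub.
# Names, prefixes, region and the firewall private IP are placeholders.
$rgName      = "RG Name"
$location    = "eastus"
$fwPrivateIp = "10.0.1.4"        # placeholder: the firewall's private IP in AzureFirewallSubnet
$spokeVnet   = "Spoke VNet Name"
$spokeRange  = "10.1.0.0/16"     # placeholder: the spoke VNet address space
$spokeSubnet = "workload"
$spokePrefix = "10.1.0.0/24"     # placeholder: the workload subnet prefix
$hubVnet     = "Hub VNet Name"

# (a) Spoke subnet route table.
$spokeRt = New-AzRouteTable -Name "rt-spoke-workload" -ResourceGroupName $rgName -Location $location
# Default route: spoke-to-spoke and Internet-bound traffic goes via the firewall.
$spokeRt | Add-AzRouteConfig -Name "default-via-firewall" -AddressPrefix "0.0.0.0/0" `
    -NextHopType "VirtualAppliance" -NextHopIpAddress $fwPrivateIp | Out-Null
# VNet range: traffic between subnets of the same VNet also goes via the firewall
# (without this, the system route for the VNet keeps it local).
$spokeRt | Add-AzRouteConfig -Name "vnet-via-firewall" -AddressPrefix $spokeRange `
    -NextHopType "VirtualAppliance" -NextHopIpAddress $fwPrivateIp | Out-Null
# More specific route for the subnet itself: keeps intra-subnet traffic local so it is
# not hairpinned through the firewall.
$spokeRt | Add-AzRouteConfig -Name "keep-subnet-local" -AddressPrefix $spokePrefix `
    -NextHopType "VnetLocal" | Out-Null
$spokeRt = Set-AzRouteTable -RouteTable $spokeRt

$vnet = Get-AzVirtualNetwork -Name $spokeVnet -ResourceGroupName $rgName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $spokeSubnet `
    -AddressPrefix $spokePrefix -RouteTable $spokeRt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# (b) AzureFirewallSubnet route table: a UDR 0.0.0.0/0 with next hop Internet takes
#     precedence over a BGP-learned default route, so the firewall keeps direct Internet access.
$fwRt = New-AzRouteTable -Name "rt-azurefirewallsubnet" -ResourceGroupName $rgName -Location $location
$fwRt | Add-AzRouteConfig -Name "default-to-internet" -AddressPrefix "0.0.0.0/0" `
    -NextHopType "Internet" | Out-Null
$fwRt = Set-AzRouteTable -RouteTable $fwRt

$hub = Get-AzVirtualNetwork -Name $hubVnet -ResourceGroupName $rgName
$fwSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name "AzureFirewallSubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name "AzureFirewallSubnet" `
    -AddressPrefix $fwSubnet.AddressPrefix -RouteTable $fwRt | Out-Null
$hub | Set-AzVirtualNetwork | Out-Null
```

Every additional subnet in the spoke needs its own `keep-subnet-local` route, which is the management burden the answer above warns about; for segmentation inside a VNet, NSGs on the subnets give the same isolation without any routes to maintain.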

Are there any firewall resource group restrictions?

Yes. The firewall, VNet, and the public IP address all must be in the same resource group.

When configuring DNAT for inbound Internet network traffic, do I also need to configure a corresponding network rule to allow that traffic?

No. NAT rules implicitly add a corresponding network rule to allow the translated traffic. You can override this behavior by explicitly adding a network rule collection with deny rules that match the translated traffic. To learn more about Azure Firewall rule processing logic, see Azure Firewall rule processing logic.

How do wildcards work in an application rule target FQDN?

Wildcards currently can only be used on the left side of the FQDN. For example, *.contoso.com and *contoso.com.

If you configure *.contoso.com, it allows anyvalue.contoso.com, but not contoso.com (the domain apex). If you want to allow the domain apex, you must explicitly configure it as a target FQDN.
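To review a rule set offline for the apex case above, here is an added example (not code from this FAQ or from Azure) of a small PowerShell function that reproduces the matching rules the answer describes: a wildcard is accepted only as the leading character and matches as a suffix, so `*.contoso.com` never matches the apex. The page does not state whether a bare `*contoso.com` matches the apex; the helper assumes the bare wildcard matches zero or more characters, which is an assumption. The hostnames in the demonstration are constructed sample values.

```powershell
# Added example (not from the Azure docs page): reproduce the target FQDN matching rules
# described in the FAQ so that a rule set can be reviewed before deployment.
function Test-FirewallFqdnMatch {
    param(
        [Parameter(Mandatory)] [string] $TargetFqdn,   # the rule's target FQDN, e.g. "*.contoso.com"
        [Parameter(Mandatory)] [string] $HostName      # the host a client is connecting to
    )
    $t = $TargetFqdn.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')

    if ($t.StartsWith('*')) {
        $suffix = $t.Substring(1)
        if ($suffix.Contains('*')) {
            throw "Wildcards are only supported on the left side of the FQDN: $TargetFqdn"
        }
        # Suffix match. For "*.contoso.com" the suffix is ".contoso.com", so the apex
        # "contoso.com" cannot match. Assumption: a bare "*" matches zero or more characters.
        return $h.EndsWith($suffix)
    }
    # No wildcard: the target must match the host exactly.
    return ($h -eq $t)
}

# Review: which constructed sample hosts does each target cover?
$targets = @('*.contoso.com', '*contoso.com', 'contoso.com')
$samples = @('www.contoso.com', 'contoso.com', 'evilcontoso.com', 'contoso.com.example')
foreach ($target in $targets) {
    foreach ($sample in $samples) {
        $match = Test-FirewallFqdnMatch -TargetFqdn $target -HostName $sample
        "{0,-16} {1,-22} {2}" -f $target, $sample, $match
    }
}
```

The table this prints makes the review point visible: `*.contoso.com` covers `www.contoso.com` but not the apex, while a bare `*contoso.com` also covers `evilcontoso.com`. Under the page's rules, the safe way to allow a domain and its subdomains is `*.contoso.com` plus an explicit `contoso.com` entry, not a wildcard without the dot.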

What does Provisioning state: Failed mean?

Whenever a configuration change is applied, Azure Firewall attempts to update all its underlying backend instances. In rare cases, one of these backend instances may fail to update with the new configuration, and the update process stops with a Failed provisioning state. Your Azure Firewall is still operational, but the applied configuration may be in an inconsistent state, where some instances have the previous configuration and others have the updated rule set. If this happens, try updating your configuration one more time until the operation succeeds and your firewall is in a Succeeded provisioning state.
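The retry the answer recommends, as an added example that is not from this FAQ or the Azure documentation: the function reads the firewall's provisioning state and re-submits the current configuration with `Set-AzFirewall` until the state is Succeeded, giving up after a bounded number of attempts. The function name, the attempt limit and the resource names are the editor's placeholders.

```powershell
# Added example (not from the Azure docs page): re-apply the firewall configuration until
# the provisioning state is Succeeded, with a bounded number of attempts.
function Repair-AzFirewallProvisioning {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [int] $MaxAttempts = 3
    )
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $fw = Get-AzFirewall -Name $Name -ResourceGroupName $ResourceGroupName
        if ($fw.ProvisioningState -eq 'Succeeded') {
            Write-Host "Attempt ${attempt}: provisioning state is Succeeded"
            return $fw
        }
        Write-Host "Attempt ${attempt}: state is '$($fw.ProvisioningState)'; re-applying configuration"
        # Set-AzFirewall re-submits the configuration held in $fw, which restarts the
        # update of every backend instance, and returns the updated firewall object.
        $fw = Set-AzFirewall -AzureFirewall $fw
    }
    throw "Firewall '$Name' did not reach the Succeeded state after $MaxAttempts attempts"
}

$fw = Repair-AzFirewallProvisioning -Name "FW Name" -ResourceGroupName "RG Name"
```

Until the state is Succeeded, treat the rule set as possibly inconsistent across instances: a rule change you expected to be live may only be in effect on some of the firewall's backend nodes.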

How does Azure Firewall handle planned maintenance and unplanned failures?

Azure Firewall consists of several backend nodes in an active-active configuration. For any planned maintenance, we have connection draining logic to gracefully update nodes. Updates are planned during non-business hours for each of the Azure regions to further limit the risk of disruption. For unplanned issues, we instantiate a new node to replace the failed node. Connectivity to the new node is typically reestablished within 10 seconds from the time of the failure.

How does connection draining work?

For any planned maintenance, connection draining logic gracefully updates backend nodes. Azure Firewall waits 90 seconds for existing connections to close. If needed, clients can automatically re-establish connectivity to another backend node.

Is there a character limit for a firewall name?

Yes. There's a 50-character limit for a firewall name.

Why does Azure Firewall need a /26 subnet size?

Azure Firewall must provision more virtual machine instances as it scales. A /26 address space ensures that the firewall has enough IP addresses available to accommodate the scaling.

Does the firewall subnet size need to change as the service scales?

No. Azure Firewall doesn't need a subnet bigger than /26.

How can I increase my firewall throughput?

Azure Firewall's initial throughput capacity is 2.5 - 3 Gbps, and it scales out to 30 Gbps. It scales out automatically based on CPU usage and throughput.

How long does it take for Azure Firewall to scale out?

Azure Firewall gradually scales when average throughput or CPU consumption is at 60%. A default deployment's maximum throughput is approximately 2.5 - 3 Gbps, and it starts to scale out when it reaches 60% of that number. Scale out takes five to seven minutes.

When performance testing, make sure you test for at least 10 to 15 minutes, and start new connections to take advantage of newly created firewall nodes.

Does Azure Firewall allow access to Active Directory by default?

No. Azure Firewall blocks Active Directory access by default. To allow access, configure the AzureActiveDirectory service tag. For more information, see Azure Firewall service tags.

Can I exclude an FQDN or an IP address from Azure Firewall Threat Intelligence based filtering?

Yes, you can use Azure PowerShell to do it:

# Add a Threat Intelligence allow list to an existing Azure Firewall

## Create the allow list with both FQDNs and IP addresses
$fw = Get-AzFirewall -Name "Name_of_Firewall" -ResourceGroupName "Name_of_ResourceGroup"
$fw.ThreatIntelWhitelist = New-AzFirewallThreatIntelWhitelist `
   -FQDN @("fqdn1", "fqdn2") -IpAddress @("ip1", "ip2")   # list as many entries as needed

## Or update FQDNs and IP addresses separately, appending to the existing allow list
## (assumes the firewall already has an allow list; otherwise use the form above)
$firewallname = "Name_of_Firewall"
$RG           = "Name_of_ResourceGroup"
$ipaddresses  = @("ip1", "ip2")     # IP addresses to add
$fqdns        = @("fqdn1", "fqdn2") # FQDNs to add

$fw = Get-AzFirewall -Name $firewallname -ResourceGroupName $RG
$fw.ThreatIntelWhitelist.IpAddresses = @($fw.ThreatIntelWhitelist.IpAddresses + $ipaddresses)
$fw.ThreatIntelWhitelist.FQDNs = @($fw.ThreatIntelWhitelist.FQDNs + $fqdns)

## Apply the change to the firewall
Set-AzFirewall -AzureFirewall $fw

Why can a TCP ping and similar tools successfully connect to a target FQDN even when no rule on Azure Firewall allows that traffic?

A TCP ping isn't actually connecting to the target FQDN. This happens because Azure Firewall's transparent proxy listens on ports 80/443 for outbound traffic. The TCP ping establishes a connection with the firewall, which then drops the packet and logs the connection. This behavior doesn't have any security impact. However, to avoid confusion, we're investigating potential changes to this behavior.

Are there limits for the number of IP addresses supported by IP Groups?

Yes. For more information, see Azure subscription and service limits, quotas, and constraints.

Can I move an IP Group to another resource group?

No, moving an IP Group to another resource group isn't currently supported.

What is the TCP Idle Timeout for Azure Firewall?

A standard behavior of a network firewall is to ensure TCP connections are kept alive and to promptly close them if there's no activity. The Azure Firewall TCP Idle Timeout is four minutes. This setting isn't configurable. If a period of inactivity is longer than the timeout value, there's no guarantee that the TCP or HTTP session is maintained. A common practice is to use a TCP keep-alive, which keeps the connection active for a longer period. For more information, see the .NET examples.
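An added example (not from this FAQ or the .NET examples it refers to) of the keep-alive practice: a PowerShell function that opens a TCP connection and sets the keep-alive idle time to one minute, well under the firewall's four-minute timeout, so the operating system sends probes on an otherwise idle connection. It uses the Windows-specific SIO_KEEPALIVE_VALS ioctl through `Socket.IOControl`, so it assumes Windows PowerShell on .NET Framework; the host name, port and timer values are placeholders.

```powershell
# Added example (not from the Azure docs page): open a TCP connection with keep-alive
# probes shorter than the firewall's 4 minute idle timeout. Windows-specific ioctl.
function Connect-TcpWithKeepAlive {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $KeepAliveTimeMs     = 60000,   # idle time before the first probe (1 minute)
        [int] $KeepAliveIntervalMs = 10000    # interval between probes when no ACK is received
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($RemoteHost, $Port)
    $socket = $client.Client

    # SIO_KEEPALIVE_VALS input is three little-endian UInt32 values:
    # onoff (1 = enabled), keepalivetime in ms, keepaliveinterval in ms.
    $inValue = New-Object byte[] 12
    [BitConverter]::GetBytes([uint32]1).CopyTo($inValue, 0)
    [BitConverter]::GetBytes([uint32]$KeepAliveTimeMs).CopyTo($inValue, 4)
    [BitConverter]::GetBytes([uint32]$KeepAliveIntervalMs).CopyTo($inValue, 8)
    [void]$socket.IOControl([System.Net.Sockets.IOControlCode]::KeepAliveValues, $inValue, $null)

    return $client
}

# Placeholder host and port. Once connected, use $client.GetStream() for the application
# protocol; the OS now emits a keep-alive probe after 60 s of inactivity, so the firewall
# keeps seeing traffic on the flow.
$client = Connect-TcpWithKeepAlive -RemoteHost "server.internal.example" -Port 443
$client.Close()
```

On PowerShell 7 / .NET Core 3.0 and later, the same effect is available cross-platform through `SetSocketOption` with `SocketOptionName.TcpKeepAliveTime` and `TcpKeepAliveInterval`. Keep-alives only stop the flow from going idle; the four-minute limit itself remains, so long-running protocols that cannot send traffic should expect to reconnect.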

Can I deploy Azure Firewall without a public IP address?

No, currently you must deploy Azure Firewall with a public IP address.

Where does Azure Firewall store customer data?

Azure Firewall doesn't move or store customer data out of the region it's deployed in.