What is Azure Firewall?

ICSA certified

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Firewall overview

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Features

To learn about Azure Firewall features, see Azure Firewall features.

Known issues

Azure Firewall has the following known issues:

Issue: Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic
Description: Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.
Mitigation: Azure Firewall uses the Standard Load Balancer, which doesn't support SNAT for IP protocols today. We're exploring options to support this scenario in a future release.

Issue: Missing PowerShell and CLI support for ICMP
Description: Azure PowerShell and CLI don't support ICMP as a valid protocol in network rules.
Mitigation: It's still possible to use ICMP as a protocol via the portal and the REST API. We're working to add ICMP in PowerShell and CLI soon.

Issue: FQDN tags require a protocol: port to be set
Description: Application rules with FQDN tags require a port: protocol definition.
Mitigation: You can use https as the port: protocol value. We're working to make this field optional when FQDN tags are used.

Issue: Moving a firewall to a different resource group or subscription isn't supported
Description: Moving a firewall to a different resource group or subscription isn't supported.
Mitigation: Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.

Issue: Threat intelligence alerts may get masked
Description: Network rules with destination 80/443 for outbound filtering mask threat intelligence alerts when configured to alert only mode.
Mitigation: Create outbound filtering for 80/443 using application rules. Or, change the threat intelligence mode to Alert and Deny.

Issue: Azure Firewall DNAT doesn't work for private IP destinations
Description: Azure Firewall DNAT support is limited to Internet egress/ingress. DNAT doesn't currently work for private IP destinations, for example spoke to spoke.
Mitigation: This is a current limitation.

Issue: Can't remove first public IP configuration
Description: Each Azure Firewall public IP address is assigned to an IP configuration. The first IP configuration is assigned during the firewall deployment, and typically also contains a reference to the firewall subnet (unless configured explicitly differently via a template deployment). You can't delete this IP configuration because it would de-allocate the firewall. You can still change or remove the public IP address associated with this IP configuration if the firewall has at least one other public IP address available to use.
Mitigation: This is by design.

Issue: SNAT on inbound connections
Description: In addition to DNAT, connections via the firewall public IP address (inbound) are SNATed to one of the firewall private IPs. This requirement exists today (also for Active/Active NVAs) to ensure symmetric routing.
Mitigation: To preserve the original source for HTTP/S, consider using XFF headers. For example, use a service such as Azure Application Gateway in front of the firewall. You can also add WAF as part of Azure Front Door and chain to the firewall.

Issue: SQL FQDN filtering support only in proxy mode (port 1433)
Description: For Azure SQL Database, Azure Synapse Analytics, and Azure SQL Managed Instance: during the preview, SQL FQDN filtering is supported in proxy mode only (port 1433). For Azure SQL IaaS: if you're using non-standard ports, you can specify those ports in the application rules.
Mitigation: For SQL in redirect mode (the default if connecting from within Azure), you can instead filter access using the SQL service tag as part of Azure Firewall network rules.

Issue: Outbound traffic on TCP port 25 isn't allowed
Description: Outbound SMTP connections that use TCP port 25 are blocked. Port 25 is primarily used for unauthenticated email delivery. This is the default platform behavior for virtual machines. For more information, see Troubleshoot outbound SMTP connectivity issues in Azure. However, unlike virtual machines, it isn't currently possible to enable this functionality on Azure Firewall. Note: to allow authenticated SMTP (port 587) or SMTP over a port other than 25, make sure you configure a network rule and not an application rule, as SMTP inspection is not supported at this time.
Mitigation: Follow the recommended method to send email, as documented in the SMTP troubleshooting article. Or, exclude the virtual machine that needs outbound SMTP access from your default route to the firewall and instead configure outbound access directly to the internet.

Issue: Active FTP isn't supported
Description: Active FTP is disabled on Azure Firewall to protect against FTP bounce attacks using the FTP PORT command.
Mitigation: You can use Passive FTP instead. You must still explicitly open TCP ports 20 and 21 on the firewall.

Issue: SNAT port utilization metric shows 0%
Description: The Azure Firewall SNAT port utilization metric may show 0% usage even when SNAT ports are used. In this case, using the metric as part of the firewall health metric provides an incorrect result.
Mitigation: This issue has been fixed and rollout to production is targeted for May 2020. In some cases, firewall redeployment resolves the issue, but it's not consistent. As an intermediate workaround, only use the firewall health state to look for status=degraded, not for status=unhealthy. Port exhaustion will show as degraded. Not healthy is reserved for future use, when there are more metrics to impact the firewall health.

Issue: DNAT isn't supported with Forced Tunneling enabled
Description: Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing.
Mitigation: This is by design because of asymmetric routing. The return path for inbound connections goes via the on-premises firewall, which hasn't seen the connection established.

Issue: Outbound Passive FTP doesn't work for Firewalls with multiple public IP addresses
Description: Passive FTP establishes different connections for control and data channels. When a Firewall with multiple public IP addresses sends data outbound, it randomly selects one of its public IP addresses for the source IP address. FTP fails when data and control channels use different source IP addresses.
Mitigation: An explicit SNAT configuration is planned. In the meantime, consider using a single IP address in this situation.

Issue: NetworkRuleHit metric is missing a protocol dimension
Description: The ApplicationRuleHit metric allows filtering based on protocol, but this capability is missing in the corresponding NetworkRuleHit metric.
Mitigation: A fix is being investigated.

Issue: NAT rules with ports between 64000 and 65535 are unsupported
Description: Azure Firewall allows any port in the 1-65535 range in network and application rules; however, NAT rules only support ports in the 1-63999 range.
Mitigation: This is a current limitation.

Issue: Configuration updates may take five minutes on average
Description: An Azure Firewall configuration update can take three to five minutes on average, and parallel updates aren't supported.
Mitigation: A fix is being investigated.

Issue: Azure Firewall uses SNI TLS headers to filter HTTPS and MSSQL traffic
Description: If browser or server software does not support the Server Name Indication (SNI) extension, you won't be able to connect through Azure Firewall.
Mitigation: If browser or server software does not support SNI, then you may be able to control the connection using a network rule instead of an application rule.
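Several of the limitations above (no SNAT for non-TCP/UDP protocols to the Internet, the 63999 NAT port ceiling, FQDN tags needing a protocol:port, 80/443 network rules masking threat intelligence alerts, outbound TCP/25 being blocked, and SMTP needing a network rule rather than an application rule) can be caught before a rule set is deployed. The following pre-deployment check is an added example, not Microsoft's code or any Azure API; the rule dictionary shape and the sample rules are assumptions constructed for it.

```python
# Added example (not Microsoft's code): lint a proposed Azure Firewall rule set against
# the known-issues table above; the rule dict shape is an assumption, not an Azure schema.

NAT_PORT_MAX = 63999     # NAT rules only accept destination ports 1-63999
WEB_PORTS = {80, 443}    # network rules to these mask threat-intel alerts
SMTP_PORTS = {25, 587}   # SMTP is not inspected, so it cannot go in an application rule


def check_rule(rule):
    """Return the known-issue findings (strings) that apply to one rule dict."""
    found = []
    kind = rule["kind"]                          # "network", "application" or "nat"
    proto = rule.get("protocol", "").upper()     # network/NAT rules: TCP, UDP, ICMP, ANY
    ports = set(rule.get("destination_ports", ()))
    to_internet = rule.get("destination") == "Internet"
    # application rules carry "protocol:port" strings such as "https:443"
    app_ports = {int(p.split(":")[1]) for p in rule.get("protocol_ports", ()) if ":" in p}
    if kind == "nat" and any(p > NAT_PORT_MAX for p in ports):
        found.append("NAT rule port above 63999 is unsupported")
    if kind == "network" and to_internet and proto not in {"TCP", "UDP"}:
        found.append(f"{proto} to Internet: no SNAT for non-TCP/UDP protocols")
    if kind == "network" and to_internet and ports & WEB_PORTS:
        found.append("80/443 network rule masks threat-intel alerts; use an application rule")
    if kind == "network" and to_internet and 25 in ports:
        found.append("outbound TCP/25 is blocked; use authenticated SMTP on 587 instead")
    if kind == "application" and rule.get("fqdn_tags") and not rule.get("protocol_ports"):
        found.append("FQDN tag rule needs a protocol:port value such as https")
    if kind == "application" and app_ports & SMTP_PORTS:
        found.append("SMTP is not inspected; configure port 587 in a network rule")
    return found


def check_ruleset(rules):
    """Map rule name -> findings for every rule that has at least one."""
    return {r["name"]: f for r in rules if (f := check_rule(r))}


# Constructed sample rule set; names, tag and ports are invented for the example.
SAMPLE_RULES = [
    {"name": "ping-out", "kind": "network", "protocol": "ICMP", "destination": "Internet"},
    {"name": "web-out", "kind": "network", "protocol": "TCP", "destination": "Internet",
     "destination_ports": [80, 443]},
    {"name": "rdp-nat", "kind": "nat", "protocol": "TCP", "destination_ports": [64500]},
    {"name": "tagged", "kind": "application", "fqdn_tags": ["ExampleTag"]},
]

if __name__ == "__main__":
    for name, findings in check_ruleset(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(findings))
```

A rule that only targets a spoke address space (for example ICMP to a private prefix) produces no finding, matching the table's note that non-TCP/UDP protocols work between spoke subnets and VNets.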

Next steps