Security in Azure Cognitive Search - overview

This article describes the key security features in Azure Cognitive Search that can protect content and operations.

  • At the storage layer, encryption-at-rest is built in for all service-managed content saved to disk, including indexes, synonym maps, and the definitions of indexers, data sources, and skillsets. Azure Cognitive Search also supports the addition of customer-managed keys (CMK) for supplemental encryption of indexed content. For services created after August 1 2020, CMK encryption extends to data on temporary disks, for full double encryption of indexed content.

  • Inbound security protects the search service endpoint at increasing levels of security: from API keys on the request, to inbound rules in the firewall, to private endpoints that fully shield your service from the public internet.

Encrypted transmissions and storage

In Azure Cognitive Search, encryption starts with connections and transmissions, and extends to content stored on disk. For search services on the public internet, Azure Cognitive Search listens on HTTPS port 443. All client-to-service connections use TLS 1.2 encryption. Earlier versions (1.0 or 1.1) are not supported.

| Model | Keys | Requirements | Restrictions | Applies to |
| --- | --- | --- | --- | --- |
| Server-side encryption | Microsoft-managed keys | None (built-in) | None; available on all tiers, in all regions, for content created after January 24 2018 | Content (indexes and synonym maps) and definitions (indexers, data sources, skillsets) |
| Server-side encryption | Customer-managed keys | Azure Key Vault | Available on billable tiers, in all regions, for content created after January 2019 | Content (indexes and synonym maps) on data disks |
| Server-side double encryption | Customer-managed keys | Azure Key Vault | Available on billable tiers, in selected regions, on search services created after August 1 2020 | Content (indexes and synonym maps) on data disks and temporary disks |

Service-managed keys

Service-managed encryption is a Microsoft-internal operation, based on Azure Storage Service Encryption, using 256-bit AES encryption. It occurs automatically on all indexing, including on incremental updates to indexes that are not fully encrypted (created before January 2018).

Customer-managed keys (CMK)

Customer-managed keys require an additional billable service, Azure Key Vault, which can be in a different region from Azure Cognitive Search but must be under the same subscription. Enabling CMK encryption will increase index size and degrade query performance. Based on observations to date, you can expect to see an increase of 30%-60% in query times, although actual performance will vary depending on the index definition and the types of queries. Because of this performance impact, we recommend that you only enable this feature on indexes that really require it. For more information, see Configure customer-managed encryption keys in Azure Cognitive Search.

Double encryption

In Azure Cognitive Search, double encryption is an extension of CMK. It is two-fold encryption (once by CMK, and again by service-managed keys), and comprehensive in scope, encompassing long-term storage that is written to a data disk and short-term storage written to temporary disks. The difference between CMK before August 1 2020 and after, and what makes CMK a double encryption feature in Azure Cognitive Search, is the additional encryption of data-at-rest on temporary disks.

Double encryption is currently available on new services that are created in these regions after August 1:

  • China East 2

Inbound security and endpoint protection

Inbound security features protect the search service endpoint through increasing levels of security and complexity. First, all requests require an API key for authenticated access. Second, you can optionally set firewall rules that limit access to specific IP addresses.

Public access using API keys

By default, a search service is accessed through the public cloud, using key-based authentication for admin or query access to the search service endpoint. An api-key is a string composed of randomly generated numbers and letters. The type of key (admin or query) determines the level of access. Submission of a valid key is considered proof that the request originates from a trusted entity.

There are two levels of access to your search service, enabled by the following API keys:

  • Admin key (allows read-write access for create-read-update-delete operations on the search service)

  • Query key (allows read-only access to the documents collection of an index)

Admin keys are created when the service is provisioned. There are two admin keys, designated as primary and secondary to keep them straight, but in fact they are interchangeable. Each service has two admin keys so that you can roll one over without losing access to your service. You can regenerate admin keys periodically per Azure security best practices, but you cannot add to the total admin key count. There are a maximum of two admin keys per search service.

Query keys are created as needed and are designed for client applications that issue queries. You can create up to 50 query keys. In application code, you specify the search URL and a query api-key to allow read-only access to the documents collection of a specific index. Together, the endpoint, an api-key for read-only access, and a target index define the scope and access level of the connection from your client application.

Authentication is required on each request, where each request is composed of a mandatory key, an operation, and an object. When chained together, the two permission levels (full or read-only) plus the context (for example, a query operation on an index) are sufficient for providing full-spectrum security on service operations. For more information about keys, see Create and manage api-keys.
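The key model described above (two interchangeable admin keys that can be rolled one at a time, up to 50 read-only query keys, and a decision made from key + operation + object), as an added illustration that is not Microsoft's code: the service class, the regex over REST paths, and all key values are constructed for this example, and a query key is treated as read-only on any index's documents collection.

```python
import re
import secrets

MAX_ADMIN_KEYS = 2    # primary and secondary; interchangeable, cannot add more
MAX_QUERY_KEYS = 50   # page: up to 50 query keys per service

# Paths under an index's documents collection, e.g. /indexes/hotels/docs/search
DOCS_PATH = re.compile(r"^/indexes/[^/]+/docs(?:/(?P<action>[^/]+))?$")


def is_docs_read(method: str, path: str) -> bool:
    """True for read-only operations on a documents collection (query-key scope)."""
    m = DOCS_PATH.match(path)
    if not m:
        return False
    # POST .../docs/index uploads, merges or deletes documents: that is a write.
    if m.group("action") == "index":
        return False
    return method in ("GET", "POST")   # search, suggest, autocomplete, lookup, $count


class SearchService:
    """Constructed model of one service's admin keys and query keys."""

    def __init__(self) -> None:
        self.admin_keys = {"primary": secrets.token_hex(16),
                           "secondary": secrets.token_hex(16)}
        self.query_keys = set()

    def regenerate_admin_key(self, name: str) -> str:
        """Roll one admin key; the other stays valid, so clients keep access."""
        if name not in self.admin_keys:
            raise KeyError("only 'primary' and 'secondary' admin keys exist")
        self.admin_keys[name] = secrets.token_hex(16)
        return self.admin_keys[name]

    def create_query_key(self) -> str:
        if len(self.query_keys) >= MAX_QUERY_KEYS:
            raise RuntimeError(f"at most {MAX_QUERY_KEYS} query keys per service")
        key = secrets.token_hex(16)
        self.query_keys.add(key)
        return key

    def authorize(self, api_key: str, method: str, path: str) -> str:
        """Decide a request from its mandatory key, operation (method) and object (path)."""
        if api_key in self.admin_keys.values():
            return "allow"                       # admin key: full create-read-update-delete
        if api_key in self.query_keys:
            return "allow" if is_docs_read(method, path) else "deny: query key is read-only"
        return "deny: unknown or revoked api-key"
```

Rolling the primary key invalidates only that key; requests presenting the secondary key are still allowed, which is the rollover the page describes.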

See also