保护你的网络资源Protect your network resources

Azure 安全中心不断分析 Azure 资源的安全状态,以实现网络安全最佳做法。Azure Security Center continuously analyzes the security state of your Azure resources for network security best practices. 在安全中心识别出潜在的安全漏洞时,它会创建一些建议,指导完成配置所需控件以强化和保护资源的过程。When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your resources.

本文介绍安全中心的“资源安全性”部分的“网络”页。This article explains the Networking page of the resource security section of Security Center.

有关网络建议的完整列表,请参阅网络建议For a full list of the recommendations for Networking, see Networking recommendations.

本文从网络安全角度介绍适用于 Azure 资源的建议。This article addresses recommendations that apply to your Azure resources from a network security perspective. 网络建议以下一代防火墙、网络安全组、JIT VM 访问过度宽容的入站流量规则等为中心。Networking recommendations center around next generation firewalls, Network Security Groups, JIT VM access, overly permissive inbound traffic rules, and more. 有关网络建议和修复操作的列表,请参阅管理 Azure 安全中心的安全建议For a list of networking recommendations and remediation actions, see Managing security recommendations in Azure Security Center.

备注

借助“网络”页,可从网络角度深入了解 Azure 资源运行状况。The Networking page lets you deep dive into your Azure resource health from a network perspective. 网络映射和自适应网络控制仅适用于 Azure 安全中心标准层。The Network map and Adaptive Network Controls are available for the Azure Security Center standard tier only. 如果使用免费层,则可以单击按钮查看旧网络并接收网络资源建议If you use the free tier, you can click the button to View legacy networking and receive networking resource recommendations.

“网络”页概述了可以深入了解的部分,以获取有关网络资源运行状况的详细信息:The Networking page provides an overview of the sections you can deep dive into, to get more information about the health of your network resources:

  • 网络映射(仅限 Azure 安全中心标准层)Network map (Azure Security Center Standard tier only)
  • 自适应网络强化Adaptive Network Hardening
  • 网络安全建议。Networking security recommendations.
  • 旧版“网络”边栏选项卡(以前的网络边栏选项卡)Legacy Networking blade (the previous networking blade)

网络窗格Networking pane

网络映射Network map

交互式网络映射提供了带有安全覆盖的图形视图,提供了强化网络资源的建议和见解。The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources. 你可以通过映射查看 Azure 工作负载的拓扑、虚拟机和子网之间的连接、从映射向下钻取特定资源的功能以及这些资源的建议。Using the map you can see the network topology of your Azure workloads, connections between your virtual machines and subnets, and the capability to drill down from the map into specific resources and the recommendations for those resources.

打开网络映射:To open the Network map:

  1. 在“安全中心”的“资源安全机制”下,选择“网络”。In Security Center, under Resource Security Hygiene, select Networking.
  2. 在“网络映射”下,单击“查看拓扑” 。Under Network map click See topology.

拓扑图的默认视图显示:The default view of the topology map displays:

  • 在 Azure 中选择的订阅。Subscriptions you selected in Azure. 该图支持多个订阅。The map supports multiple subscriptions.
  • 资源管理器资源类型的 VM、子网和 VNet(不支持经典 Azure 资源)VMs, subnets, and VNets of the Resource Manager resource type (Classic Azure resources are not supported)
  • 对等互连的 VNetPeered VNets
  • 仅限具有高或中等严重性的网络建议的资源Only resources that have network recommendations with a high or medium severity
  • 面向 Internet 的资源Internet facing resources
  • 该映射针对在 Azure 中选择的订阅进行了优化。The map is optimized for the subscriptions you selected in Azure. 如果修改了选择,则会根据新设置重新计算并重新优化映射。If you modify your selection, the map is recalculated and re-optimized based on your new settings.

网络拓扑图Networking topology map

了解网络映射Understanding the Network map

网络映射可以在“拓扑”视图和“流量”视图中显示 Azure 资源 。The Network map can show you your Azure resources in a Topology view and a Traffic view.

拓扑视图The topology view

在网络映射的“拓扑”视图中,可以查看有关网络资源的以下见解:In the Topology view of the networking map, you can view the following insights about your networking resources:

  • 在内圈中,可以看到所选订阅中的所有 Vnet,下一个圈是所有子网,外圈是所有虚拟机。In the inner circle, you can see all the Vnets within your selected subscriptions, the next circle is all the subnets, the outer circle is all the virtual machines.
  • 可以在连接映射中资源的行中了解到哪些资源相互关联,以及 Azure 网络的结构。The lines connecting the resources in the map let you know which resources are associated with each other, and how your Azure network is structured.
  • 使用严重性指示器可以快速了解安全中心建议打开哪些资源。Use the severity indicators to quickly get an overview of which resources have open recommendations from Security Center.
  • 可以单击任何资源深入查看这些资源,并在网络映射的上下文中直接查看该资源及其建议的详细信息。You can click any of the resources to drill down into them and view the details of that resource and its recommendations directly, and in the context of the Network map.
  • 如果映射上显示的资源太多,Azure 安全中心将使用其专有算法对资源进行智能群集,突出显示处于最关键状态和具有最高严重性的建议的资源。If there are too many resources being displayed on the map, Azure Security Center uses its proprietary algorithm to smart cluster your resources, highlighting the resources that are in the most critical state, and have the most high severity recommendations.

由于映射是交互式和动态的,因此每个节点都是可点击的,并且视图可以根据筛选器进行更改:Because the map is interactive and dynamic, every node is clickable, and the view can change based on the filters:

  1. 可以使用顶部的筛选器修改可在网络映射上看到的内容。You can modify what you see on the network map by using the filters at the top. 可以根据以下内容聚焦映射:You can focus the map based on:

    • 安全运行状况:可以根据 Azure 资源的严重性(高、中、低)筛选映射。Security health: You can filter the map based on Severity (High, Medium, Low) of your Azure resources.
    • 建议:可以根据这些资源上处于活动状态的建议来选择显示的资源。Recommendations: You can select which resources are displayed based on which recommendations are active on those resources. 例如,只能查看安全中心建议启用网络安全组的资源。For example, you can view only resources for which Security Center recommends you enable Network Security Groups.
    • 网络区域:默认情况下,映射仅显示面向 Internet 的资源,也可以选择内部 VM。Network zones: By default, the map displays only Internet facing resources, you can select internal VMs as well.
  2. 可以随时单击左上角的“重置”以将映射恢复为默认状态。You can click Reset in top left corner at any time to return the map to its default state.

向下钻取资源:To drill down into a resource:

  1. 在映射上选择特定资源时,右侧窗格将打开,并提供有关资源、连接的安全解决方案(如果有)以及与资源相关的建议的常规信息。When you select a specific resource on the map, the right pane opens and gives you general information about the resource, connected security solutions if there are any, and the recommendations relevant to the resource. 对于选择的每种资源,它都是相同类型的行为。It's the same type of behavior for each type of resource you select.
  2. 将鼠标悬停在映射中的节点上时,可以查看有关资源的常规信息,包括订阅、资源类型和资源组。When you hover over a node in the map, you can view general information about the resource, including subscription, resource type, and resource group.
  3. 使用该链接可放大工具提示并将映射重新聚焦在该特定节点上。Use the link to zoom into the tool tip and refocus the map on that specific node.
  4. 要将映射的焦点从特定节点移开,请缩小。To refocus the map away from a specific node, zoom out.

流量视图The Traffic view

“流量”视图提供了资源之间所有可能流量的映射。The Traffic view provides you with a map of all the possible traffic between your resources. 这提供了配置的所有规则的可视化映射,这些规则定义了哪些资源可以与谁通信。This provides you with a visual map of all the rules you configured that define which resources can communicate with whom. 由此可查看网络安全组的现有配置,以及快速识别工作负载中可能存在的有风险的配置。This enables you to see the existing configuration of the network security groups as well as quickly identify possible risky configurations within your workloads.

发现不需要的连接Uncover unwanted connections

此视图的优势在于能够显示这些允许的连接以及存在的漏洞,因此可以使用此截面的数据对资源执行必要的强化。The strength of this view is in its ability to show you these allowed connections together with the vulnerabilities that exist, so you can use this cross-section of data to perform the necessary hardening on your resources.

例如,可能会检测到两台你不知道可以通信的计算机,从而能够更好地隔离工作负载和子网。For example, you might detect two machines that you weren't aware could communicate, enabling you to better isolate the workloads and subnets.

调查资源Investigate resources

向下钻取资源:To drill down into a resource:

  1. 在映射上选择特定资源时,右侧窗格将打开,并提供有关资源、连接的安全解决方案(如果有)以及与资源相关的建议的常规信息。When you select a specific resource on the map, the right pane opens and gives you general information about the resource, connected security solutions if there are any, and the recommendations relevant to the resource. 对于选择的每种资源,它都是相同类型的行为。It's the same type of behavior for each type of resource you select.
  2. 单击“流量”以查看资源上可能的出站和入站流量列表 - 这是一个全面的列表,列出谁可以与资源进行通信、可以与谁通信以及通过哪些协议和端口进行通信。Click Traffic to see the list of possible outbound and inbound traffic on the resource - this is a comprehensive list of who can communicate with the resource and who it can communicate with, and through which protocols and ports. 例如,当你选择某个 VM 时,将显示它可以与之通信的所有 VM,而当你选择某个子网时,将显示其可以与之通信的所有子网。For example, when you select a VM, all the VMs it can communicate with are shown, and when you select a subnet, all the subnets which it can communicate with are shown.

此数据基于对网络安全组的分析以及分析多个规则以了解其交叉和交互的高级机器学习算法。This data is based on analysis of the Network Security Groups as well as advanced machine learning algorithms that analyze multiple rules to understand their crossovers and interactions.

网络流量映射Networking traffic map

旧网络 Legacy networking

如果没有安全中心标准层,则本节介绍如何查看免费的网络建议。If you don't have Security Center Standard tier, this section explains how to view free Networking recommendations.

要访问此信息,请在“网络”边栏选项卡中单击“查看旧网络”。To access this information, in the Networking blade, click View legacy networking.

旧网络Legacy Networking

面向 Internet 的终结点部分Internet facing endpoints section

在“面向 Internet 的终结点”部分中,可以查看当前配置了面向 Internet 的终结点的虚拟机及其状态。In the Internet facing endpoints section, you can see the virtual machines that are currently configured with an Internet facing endpoint and its status.

此表提供终结点名称、面向 Internet 的 IP 地址,以及网络安全组和 NGFW 建议当前的严重性状态。This table has the endpoint name, the Internet facing IP address, and the current severity status of the network security group and the NGFW recommendations. 此表按严重性排序。The table is sorted by severity.

拓扑部分Networking topology section

“拓扑”部分提供了资源的分层视图。The Networking topology section has a hierarchical view of the resources.

此表按严重性排序(虚拟机和子网)。This table is sorted (virtual machines and subnets) by severity.

在此拓扑视图中,第一层级显示 Vnets。In this topology view, the first level displays Vnets. 第二层级显示子网,第三层级显示属于这些子网的虚拟机。The second displays subnets, and the third level displays the virtual machines that belong to those subnets. 右侧一栏显示网络安全组对这些资源的建议的当前状态。The right column shows the current status of the network security group recommendations for those resources.

第三层级显示虚拟机,与前面的描述类似。The third level displays virtual machines, which is similar to what is described previously. 可以单击任何资源了解详细信息,或应用所需的安全控制或配置。You can click any resource to learn more or apply the required security control or configuration.

后续步骤Next steps

若要了解有关适用于其他 Azure 资源类型的建议的详细信息,请参阅以下内容:To learn more about recommendations that apply to other Azure resource types, see the following: