Develop a secure app for an Azure AD app

Overview

This sample is a simple Azure Active Directory-integrated web app that links to security resources for developing apps on Azure. The app implements security best practices that can help improve your application's and your organization's security posture when you develop apps on Azure.

The deployment scripts set up the infrastructure. After you run them, you need to do some manual configuration in the Azure portal to link the components and services together. This sample is aimed at experienced Azure developers working in the retail industry who want to build an Azure Active Directory-secured web app on secure Azure infrastructure.

By developing and deploying this app, you learn how to:

  • Create an Azure Key Vault instance, and store and retrieve secrets from it.
  • Deploy an Azure Web App that is isolated behind a front-end firewall.
  • Create and configure an Azure Application Gateway instance with a web application firewall that uses the OWASP core rule set.
  • Enable encryption of data in transit and at rest by using Azure services.
  • Set up Azure Policy and Azure Security Center to evaluate compliance.

After you develop and deploy this app, you will have the following sample web app set up, along with the configuration and security measures described.

Architecture

The app is a typical n-tier application with three tiers. The front end, back end, and database layer, with monitoring and secret-management components integrated, are shown here:

App architecture

This solution uses the following Azure services. Details of the deployment architecture are in the Deployment Architecture section.

The architecture consists of these components:

Threat model

Threat modeling is the process of identifying potential security threats to your business and application, and then ensuring that a proper mitigation plan is in place.

This sample used the Microsoft Threat Modeling Tool to threat model the secure sample app. By diagramming the components and the data flows, you can identify issues and threats early in the development process, which saves time and money later.

Here is the threat model for the sample app:

Threat model

Some sample threats and potential vulnerabilities that the threat modeling tool generates are shown in the following screenshot. The threat model gives an overview of the exposed attack surface and prompts developers to think about how to mitigate the issues.

Threat model output

Prerequisites

To get the application up and running, you need to install these tools:

  • A code editor to modify and view the application code. Visual Studio Code is an open-source option.
  • Azure CLI on your development computer.
  • Git on your system. Git is used to clone the source code locally.
  • jq, a UNIX tool for querying JSON in a user-friendly way.

You need an Azure subscription to deploy the sample app's resources. If you don't have one, you can create a trial account to test the sample app.

After you install these tools, you're ready to deploy the app on Azure.

Implementation guidance

The deployment is a single script that can be broken down into four phases. Each phase deploys and configures an Azure resource from the architecture diagram.

The four phases are:

  • Deploy Azure Key Vault.
  • Deploy Azure Web Apps.
  • Deploy Application Gateway with a web application firewall.
  • Configure Azure AD with the deployed app.

Each phase builds on the preceding one by using configuration from the previously deployed resources.

To complete the implementation steps, make sure you have installed the tools listed under Prerequisites.

Deploy Azure Key Vault

In this section, you create and deploy an Azure Key Vault instance that is used to store secrets and certificates.

After you complete the deployment, you have an Azure Key Vault instance deployed on Azure.

To deploy Azure Key Vault by using PowerShell:

  1. Declare the variables for Azure Key Vault.
  2. Register the Azure Key Vault resource provider.
  3. Create the resource group for the instance.
  4. Create the Azure Key Vault instance in the resource group created in step 3.

The following Azure AD users are granted admin permissions on the Key Vault (both entries are variables; the original had an unquoted bare word for the second user):

```powershell
$keyVaultAdminUsers = @($user1, $user2)
```

Register the Az resource provider:

```powershell
Register-AzResourceProvider -ProviderNamespace Microsoft.KeyVault
```

Create the Azure Key Vault instance. The variable names match the ones used by the access-policy commands that follow, and each continued line ends with a backtick so PowerShell reads it as one command:

```powershell
New-AzKeyVault -Name $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    -Location 'China East 2' `
    -EnabledForDiskEncryption
```

Add the administrator policies to the Key Vault. `Get-AzADUser -SearchString` is a prefix match on the display name and can return more than one user, so the loop refuses to grant `all` permissions unless exactly one account matched:

```powershell
foreach ($keyVaultAdminUser in $keyVaultAdminUsers) {
    $matched = @(Get-AzADUser -SearchString $keyVaultAdminUser)
    if ($matched.Count -ne 1) {
        throw "Expected exactly one Azure AD user matching '$keyVaultAdminUser', found $($matched.Count)"
    }
    $UserObjectId = $matched[0].Id
    Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ResourceGroupName $resourceGroupName -ObjectId $UserObjectId `
        -PermissionsToKeys all -PermissionsToSecrets all -PermissionsToCertificates all
}
```

If you know the user principal name, create an access policy that allows the user only to get and list cryptographic keys, certificates, and secrets:

```powershell
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName `
    -ResourceGroupName $resourceGroupName `
    -UserPrincipalName 'user1@contoso.com' `
    -PermissionsToCertificates list, get `
    -PermissionsToKeys list, get `
    -PermissionsToSecrets list, get
```

It's a best practice to use managed identities for Azure resources in apps that use Key Vault. Your security posture improves when no Key Vault access keys are stored in code or configuration at all.

A root certificate is included in the container. The steps taken to obtain the certificate are:

  1. Download the certificate file from the Certificate Authority.

  2. Decode your certificate file (convert it from DER to PEM):

    ```sh
    # -text also writes a human-readable dump ahead of the PEM block; omit it for a PEM-only file
    openssl x509 -inform DER -in BaltimoreCyberTrustRoot.crt -text -out root.crt
    ```
    

The deployment script creates a system-assigned identity for the App Service instance. With that managed identity (MSI), the app can interact with Azure Key Vault without hard-coding any secret in code or configuration.

Go to the Azure Key Vault instance in the portal to authorize the assigned identity on the Access policies tab. Select Add new access policy. Under Select principal, search for the application name, which matches the name of the App Service instance you created. A service principal attached to the application should be visible. Select it and save the access policy page, as shown in the following screenshot.

Because the application only needs to read secret values, select only the Get permission under Secret permissions. This allows the access the app needs while keeping the privileges granted to a minimum.

Key Vault access policy

Create a Key Vault access policy

Save the access policy, and then select Save on the Access policies tab to commit the change.
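The same steps as PowerShell, so they can be reviewed and repeated from source control. This is an added example and is not part of the original sample; it assumes the variable names `$resourceGroupName`, `$webAppName` and `$keyVaultName`, and the secret name `AppInsightsKey` is chosen here for illustration.

```powershell
# Added example (not from the original sample). Assumed variables: $resourceGroupName,
# $webAppName, $keyVaultName. Secret name 'AppInsightsKey' is illustrative.

# 1. Turn on the system-assigned managed identity; the vault policy binds to its principal ID.
$webApp = Set-AzWebApp -ResourceGroupName $resourceGroupName -Name $webAppName -AssignIdentity $true
$principalId = $webApp.Identity.PrincipalId

# 2. Grant the identity exactly one permission: read secret values. No list, no set, no keys.
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $principalId -PermissionsToSecrets get

# 3. Store the application secret with an expiry so a forgotten secret cannot live forever.
#    The value is prompted for, never written into the script.
$secretValue = Read-Host -Prompt 'Value for AppInsightsKey' -AsSecureString
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'AppInsightsKey' -SecretValue $secretValue `
    -Expires (Get-Date).ToUniversalTime().AddDays(90) -ContentType 'text/plain'

# 4. Verify: the app identity's policy must contain nothing beyond 'get' on secrets.
$vault  = Get-AzKeyVault -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
$extra  = @($policy.PermissionsToKeys) + @($policy.PermissionsToCertificates) +
          @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
if ($extra.Count -gt 0) {
    throw "Web app identity $principalId holds more than secrets/get: $($extra -join ', ')"
}
Write-Host "Least-privilege policy confirmed for $($webApp.Name): secrets/get only"
```

The verification step matters more than the grant: portal edits tend to accumulate, and step 4 fails loudly the moment someone adds `list` or key permissions to the app's identity.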

Deploy Application Gateway with web application firewall enabled

Do not expose web apps directly to the Internet. Putting a load balancer and firewall rules in front of the app gives you more security and control over incoming traffic and a single place to manage it.

To deploy an Application Gateway instance:

  1. Create the resource group to house the application gateway.
  2. Provision a virtual network to attach to the gateway.
  3. Create a subnet for the gateway in the virtual network.
  4. Provision a public IP address.
  5. Provision the application gateway.
  6. Enable the web application firewall on the gateway.

The script below performs all six steps. Compared with the originally published version, it fixes a quoted `'$SubscriptionId'` (which passed the literal string), references the `$poolSetting01` variable that is actually defined, reads the PFX password from Key Vault instead of a hard-coded literal, and adds the WAF tier and WAF configuration that step 6 requires but the original script omitted (the Standard tier cannot run the web application firewall).

```powershell
Connect-AzAccount -EnvironmentName AzureChinaCloud
Select-AzSubscription -SubscriptionId $SubscriptionId
New-AzResourceGroup -Name appgw-rg -Location "China East 2"

# Create a virtual network and a subnet for the application gateway

# Assign an address range for the subnet to be used for the application gateway.
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'appgwsubnet' -AddressPrefix 10.0.0.0/24

# Assign an address range to be used for the back-end address pool.
$nicSubnet = New-AzVirtualNetworkSubnetConfig -Name 'appsubnet' -AddressPrefix 10.0.2.0/24

# Create a virtual network with the subnets defined in the preceding steps.
$vnet = New-AzVirtualNetwork -Name 'appgwvnet' -ResourceGroupName appgw-rg -Location "China East 2" -AddressPrefix 10.0.0.0/16 -Subnet $gwSubnet, $nicSubnet

# Retrieve the virtual network resource and subnet resources to be used in the steps that follow.
$vnet = Get-AzVirtualNetwork -Name 'appgwvnet' -ResourceGroupName appgw-rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'appgwsubnet' -VirtualNetwork $vnet
$nicSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'appsubnet' -VirtualNetwork $vnet

# Create a public IP address for the front-end configuration
$publicip = New-AzPublicIpAddress -ResourceGroupName appgw-rg -Name 'publicIP01' -Location "China East 2" -AllocationMethod Dynamic

# Create an application gateway IP configuration object
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name 'gwconfig' -Subnet $gwSubnet

# Create a front-end IP configuration
$fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name 'fip01' -PublicIPAddress $publicip

# Configure the back-end address pool with the IP addresses of the back-end web servers
$pool = New-AzApplicationGatewayBackendAddressPool -Name 'pool01' -BackendIPAddresses 10.0.3.11

# Configure the front-end port for the public IP endpoint
$fp = New-AzApplicationGatewayFrontendPort -Name 'port01' -Port 443

# Configure the certificate for the application gateway. This certificate is used to decrypt and
# re-encrypt traffic on the gateway, so it must be a PFX that contains the private key.
# The PFX password is read from Key Vault (secret name assumed here) instead of being written into the script.
$passwd = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name 'sslcert-pfx-password').SecretValue
$cert = New-AzApplicationGatewaySSLCertificate -Name cert01 -CertificateFile "C:\AAD\Securities\Certificates\sslcert.com.pfx" -Password $passwd

# Create the HTTPS listener for the application gateway
$listener = New-AzApplicationGatewayHttpListener -Name listener01 -Protocol Https -FrontendIPConfiguration $fipconfig -FrontendPort $fp -SSLCertificate $cert

# Upload the root certificate to be trusted for the TLS-enabled back-end pool resources
$trustedRootCert01 = New-AzApplicationGatewayTrustedRootCertificate -Name "test1" -CertificateFile "C:\AAD\Securities\Certificates\sslcert.com.cer"

# Configure the HTTP settings for the application gateway back end (end-to-end TLS on 443)
$poolSetting01 = New-AzApplicationGatewayBackendHttpSettings -Name "setting01" -Port 443 -Protocol Https -CookieBasedAffinity Disabled -TrustedRootCertificate $trustedRootCert01 -HostName "test1"

# Create the routing rule that ties the listener, back-end pool and HTTP settings together
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'rule01' -RuleType basic -BackendHttpSettings $poolSetting01 -HttpListener $listener -BackendAddressPool $pool

# Configure the instance size. The web application firewall requires the WAF tier (Medium or Large).
$sku = New-AzApplicationGatewaySku -Name WAF_Medium -Tier WAF -Capacity 2

# Step 6: enable the web application firewall in Prevention mode with the OWASP 3.0 rule set
$wafConfig = New-AzApplicationGatewayWebApplicationFirewallConfiguration -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion "3.0"

# Configure the TLS policy to be used on the application gateway (TLS 1.2 minimum, explicit cipher suites)
$SSLPolicy = New-AzApplicationGatewaySSLPolicy -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256" -PolicyType Custom

$appgw = New-AzApplicationGateway -Name appgateway -SSLCertificates $cert -ResourceGroupName "appgw-rg" -Location "China East 2" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku -SSLPolicy $SSLPolicy -TrustedRootCertificate $trustedRootCert01 -WebApplicationFirewallConfiguration $wafConfig -Verbose
```

Deploy Azure Web Apps

Azure App Service enables you to build and host web apps in languages such as Python, Ruby, C#, and Java. Azure also supports custom containers, which allow virtually any programming language to run on the App Service platform.

Create an App Service plan in the Free tier:

```powershell
New-AzAppServicePlan -Name $webappname -Location $location -ResourceGroupName $webappname -Tier Free
```

Create a web app:

```powershell
New-AzWebApp -Name $webappname -Location $location -AppServicePlan $webappname -ResourceGroupName $webappname

Write-Host "Configure a CNAME record that maps $fqdn to $webappname.chinacloudsites.cn"
Read-Host "Press [Enter] key when ready ..."
```

Before continuing, go to the Azure DNS configuration UI for your custom domain and follow the instructions at https://docs.azure.cn/app-service/app-service-web-tutorial-custom-domain#step-2-create-the-dns-records to configure a CNAME record for the hostname "www" that points to your web app's default domain name.

Upgrade the App Service plan to the Shared tier, the minimum required for custom domains. Note that the virtual network integration configured later in this article is not available in the Free or Shared tiers, so plan to move to at least Standard before that step.

```powershell
Set-AzAppServicePlan -Name $webappname -ResourceGroupName $webappname -Tier Shared
```

Add a custom domain name to the web app (the stray backtick before `-HostNames` in the original would have broken the command):

```powershell
Set-AzWebApp -Name $webappname -ResourceGroupName $webappname -HostNames @($fqdn, "$webappname.chinacloudsites.cn")
```

Guidance and recommendations

Network

After you complete the deployment, you have an application gateway with the web application firewall enabled.

The gateway instance exposes only port 443 for HTTPS. This configuration ensures that the app is reachable only over HTTPS on port 443.

Blocking unused ports and limiting the exposed attack surface is a security best practice.

Add network security groups to the App Service instance

App Service instances can be integrated with virtual networks. This integration lets you apply network security group (NSG) policies that manage the app's incoming and outgoing traffic.

  1. To enable this feature, on the App Service instance blade, under Settings, select Networking. In the right pane, configure VNet Integration.

    New virtual network integration

    New virtual network integration for App Service

  2. On the next page, select Add VNET (preview).

  3. On the next menu, select the virtual network created in the deployment, whose name starts with aad-vnet. You can either create a new subnet or select an existing one. In this case, create a new subnet. Set the Address range to 10.0.3.0/24 and name the subnet app-subnet.

    App Service virtual network configuration

    Virtual network configuration for App Service

Now that you've enabled virtual network integration, you can add network security groups to the app.

  1. In the search box, search for network security groups. Select Network security groups in the results.

    Search for network security groups

    Search for network security groups

  2. On the next menu, select Add. Enter the name of the NSG and the resource group in which it should be located. This NSG will be applied to the application gateway's subnet.

    Create an NSG

    Create an NSG

  3. After the NSG is created, select it. In its blade, under Settings, select Inbound security rules. Configure these rules to allow connections into the application gateway over port 443.

    Configure the NSG

    Configure the NSG

  4. In the outbound rules for the gateway NSG, add a rule that allows outbound connections to the App Service instance by targeting the service tag AppService.

    Add outbound rules for the NSG

    Add outbound rules for the NSG

    Add another outbound rule that allows the gateway to send outbound traffic to the virtual network.

    Add another outbound rule

    Add another outbound rule

  5. On the Subnets blade of the NSG, select Associate, select the virtual network created in the deployment, and select the gateway subnet named gw-subnet. The NSG is now applied to that subnet.

  6. Create another NSG as in the earlier steps, this time for the App Service instance. Give it a name. Add the inbound rule for port 443 as you did for the application gateway NSG.

    If your App Service instance is deployed in an App Service Environment (not the case for this app), you can add inbound rules that allow the Azure service health probes by opening ports 454-455 on the App Service NSG. Here's the configuration:

    Add rules for Azure Service Health probes

    Add rules for Azure Service Health probes (App Service Environment only)

To limit the attack surface, modify the App Service network settings so that only the application gateway can reach the application. Go to the App Service Networking tab, select IP restrictions, and create an allow rule that permits only the application gateway's IP to access the service directly; once one allow rule exists, every other source is denied. You can retrieve the gateway's IP address from its overview page. In the IP Address CIDR field, enter the address as <GATEWAY_IP_ADDRESS>/32.

Allow only the gateway

Allow only the gateway IP to access the App Service
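The NSG and IP-restriction steps above as PowerShell, so the rules live in source control rather than in portal clicks. This is an added example, not part of the original sample. It assumes the gateway was built by the script earlier in this article (virtual network `appgwvnet` in `appgw-rg` with subnets `appgwsubnet` and `appsubnet`, public IP `publicIP01`), that the web app is `$webAppName` in `$resourceGroupName`, and the NSG names are illustrative. It also adds two caveats the portal walkthrough does not mention: Application Gateway v1 needs inbound ports 65503-65534 on its subnet for health and management traffic, and the gateway must keep outbound Internet access, so no outbound deny-all rule is added.

```powershell
# Added example (not from the original sample). Assumed: VNet 'appgwvnet' in 'appgw-rg'
# with subnets 'appgwsubnet' (gateway) and 'appsubnet' (App Service VNet integration),
# public IP 'publicIP01', web app $webAppName in $resourceGroupName. NSG names are illustrative.
$rg  = 'appgw-rg'
$loc = 'China East 2'

function New-SubnetNsg {
    # Creates an NSG from a list of rules and binds it to an existing subnet of the VNet.
    # The VNet is re-read each call so the second update does not use a stale object.
    param([string]$Name, [string]$VNetName, [string]$SubnetName, $Rules)
    $nsg    = New-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $rg -Location $loc -SecurityRules $Rules
    $vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $rg
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
    return $nsg
}

# Gateway subnet: HTTPS in from the Internet; out only to App Service and the VNet.
# 65503-65534 inbound is a platform requirement for Application Gateway v1 back-end health and
# management traffic. No outbound deny-all: the gateway needs outbound Internet to Azure endpoints.
$gwRules = @(
    (New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' -Direction Inbound -Access Allow -Priority 100 `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '443'),
    (New-AzNetworkSecurityRuleConfig -Name 'allow-appgw-v1-mgmt-in' -Direction Inbound -Access Allow -Priority 110 `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '65503-65534'),
    (New-AzNetworkSecurityRuleConfig -Name 'allow-appservice-out' -Direction Outbound -Access Allow -Priority 100 `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix AppService -DestinationPortRange '443'),
    (New-AzNetworkSecurityRuleConfig -Name 'allow-vnet-out' -Direction Outbound -Access Allow -Priority 110 `
        -Protocol '*' -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' -DestinationAddressPrefix VirtualNetwork -DestinationPortRange '*')
)
$gwNsg = New-SubnetNsg -Name 'appgw-nsg' -VNetName 'appgwvnet' -SubnetName 'appgwsubnet' -Rules $gwRules

# App subnet: only HTTPS, and only from inside the VNet (that is, from the gateway subnet).
$appRules = @(
    (New-AzNetworkSecurityRuleConfig -Name 'allow-https-from-vnet' -Direction Inbound -Access Allow -Priority 100 `
        -Protocol Tcp -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '443')
)
$appNsg = New-SubnetNsg -Name 'appservice-nsg' -VNetName 'appgwvnet' -SubnetName 'appsubnet' -Rules $appRules

# App Service IP restriction: the first Allow rule turns the implicit default into Deny, so
# afterwards only the gateway's public IP can reach the app directly.
# Caveat: a Dynamic public IP changes when the gateway is stopped and started; use a Static IP
# or re-run this step, otherwise the rule silently locks the gateway out of its own back end.
$gwIp = (Get-AzPublicIpAddress -Name 'publicIP01' -ResourceGroupName $rg).IpAddress
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $resourceGroupName -WebAppName $webAppName `
    -Name 'allow-appgw-only' -Priority 100 -Action Allow -IpAddress "$gwIp/32"

# Verify what the app now accepts.
(Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $resourceGroupName -Name $webAppName).MainSiteAccessRestrictions |
    Format-Table RuleName, Action, IpAddress, Priority
```

The IP restriction is defence in depth, not the primary control: anyone who learns the `*.chinacloudsites.cn` hostname can still reach the front door, but the service rejects every source except the gateway, so the WAF cannot be bypassed by going around it.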

Azure DNS

Azure DNS is responsible for translating (resolving) a website or service name to its IP address. Azure DNS (https://docs.azure.cn/dns/dns-overview) is a hosting service for DNS domains that provides name resolution using Azure infrastructure. By hosting domains in Azure, you can manage DNS records with the same credentials, APIs, tools, and billing as other Azure services. Azure DNS also supports private DNS domains.

Azure Disk Encryption

Azure Disk Encryption uses the BitLocker feature of Windows to provide volume encryption for data disks. The solution integrates with Azure Key Vault to help control and manage the disk-encryption keys, which is why the vault above was created with -EnabledForDiskEncryption.

Identity management

The following technologies provide capabilities to manage access to cardholder data in the Azure environment:

  • Azure Active Directory is Microsoft's multi-tenant, cloud-based directory and identity management service. All users for this solution, including the users who access the Azure web app, are created in Azure Active Directory.
  • Azure role-based access control enables administrators to define fine-grained access permissions and grant users only the access they need to do their jobs. Instead of giving every user unrestricted permission on Azure resources, administrators can allow only specific actions for accessing cardholder data. Subscription access is limited to the subscription administrator.
  • Azure Active Directory Privileged Identity Management enables customers to minimize the number of users who have access to certain information, such as cardholder data. Administrators can use it to discover, restrict, and monitor privileged identities and their access to resources, and to enforce on-demand, just-in-time administrative access when needed.
  • Azure Active Directory Identity Protection detects potential vulnerabilities affecting an organization's identities, configures automated responses to detected suspicious actions related to those identities, and investigates suspicious incidents so that appropriate action can be taken to resolve them.

Secrets management

The solution uses Azure Key Vault to manage keys and secrets. Azure Key Vault helps safeguard the cryptographic keys and secrets used by cloud applications and services. The following Azure Key Vault capabilities help protect and control access to such data:

  • Advanced access policies are configured on a need basis.
  • Key Vault access policies are defined with the minimum required permissions to keys and secrets.
  • All keys and secrets in Key Vault have expiration dates.
  • All keys in Key Vault are protected by hardware security modules (HSMs). The key type is an HSM-protected 2048-bit RSA key.
  • With Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by HSMs.
  • Use role-based access control (RBAC) to assign permissions to users, groups, and applications at a certain scope.
  • Use Key Vault to manage your TLS certificates with autorenewal.
  • Diagnostic logs for Key Vault are enabled with a retention period of at least 365 days.
  • Permitted cryptographic operations for keys are restricted to the ones required.
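The controls listed above are only useful if something checks them. The following audit script is an added example, not part of the original sample: it reads a vault and reports every deviation from the list (missing expiry on keys or secrets, keys that are not HSM-protected RSA of at least 2048 bits, access policies that grant `all`, and absent diagnostic settings), plus soft-delete and purge protection, which the list does not mention but which stop a compromised administrator from destroying keys irrecoverably. It assumes `$keyVaultName` and `$resourceGroupName`, and that the caller holds `list` permission on keys and secrets. The 365-day retention check is left out because the property that exposes it differs between Az.Monitor versions.

```powershell
# Added example (not from the original sample). Assumed: $keyVaultName, $resourceGroupName,
# and list permission on keys and secrets for the caller.
function Test-KeyVaultBaseline {
    param([string]$VaultName, [string]$ResourceGroupName)
    $findings = [System.Collections.Generic.List[string]]::new()
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName

    # Soft delete and purge protection: without them a deleted key is gone for good.
    if (-not $vault.EnableSoftDelete)      { $findings.Add('soft delete is not enabled') }
    if (-not $vault.EnablePurgeProtection) { $findings.Add('purge protection is not enabled') }

    # Access policies: 'all' on any object type is not least privilege.
    foreach ($p in $vault.AccessPolicies) {
        foreach ($set in 'PermissionsToKeys', 'PermissionsToSecrets', 'PermissionsToCertificates') {
            if ($p.$set -contains 'all') {
                $findings.Add("policy for $($p.DisplayName) ($($p.ObjectId)) grants all in $set")
            }
        }
    }

    # Keys: every key expires and is an HSM-protected RSA key of at least 2048 bits.
    foreach ($item in Get-AzKeyVaultKey -VaultName $VaultName) {
        if (-not $item.Expires) { $findings.Add("key $($item.Name) has no expiry") }
        $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $item.Name   # full object carries the JWK
        if ($key.Key.Kty -ne 'RSA-HSM') {
            $findings.Add("key $($item.Name) is $($key.Key.Kty), not RSA-HSM")
        }
        if ($key.Key.N -and ($key.Key.N.Length * 8) -lt 2048) {       # N is the RSA modulus as bytes
            $findings.Add("key $($item.Name) is shorter than 2048 bits")
        }
    }

    # Secrets: every secret expires, and an expired one should already have been rotated.
    $now = (Get-Date).ToUniversalTime()
    foreach ($s in Get-AzKeyVaultSecret -VaultName $VaultName) {
        if (-not $s.Expires)         { $findings.Add("secret $($s.Name) has no expiry") }
        elseif ($s.Expires -lt $now) { $findings.Add("secret $($s.Name) expired on $($s.Expires)") }
    }

    # Audit logging: at least one diagnostic setting must exist for the vault.
    $diag = Get-AzDiagnosticSetting -ResourceId $vault.ResourceId -ErrorAction SilentlyContinue
    if (-not $diag) { $findings.Add('no diagnostic setting: AuditEvent logs are not being collected') }

    return $findings
}

$result = Test-KeyVaultBaseline -VaultName $keyVaultName -ResourceGroupName $resourceGroupName
if ($result.Count -eq 0) { Write-Host "Vault $keyVaultName meets the baseline" }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Run it from a pipeline on a schedule and treat a non-empty result as a failed check; the script only reads, so a service principal with `list` on keys and secrets and Reader on the vault resource is sufficient.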

Azure Security Center

With Azure Security Center, customers can centrally apply and manage security policies across workloads, limit exposure to threats, and detect and respond to attacks. Additionally:

  • Azure Security Center assesses the existing configuration of Azure services and provides configuration and service recommendations to help improve security posture and protect data.
  • Azure Security Center uses a variety of detection capabilities to alert customers to potential attacks targeting their environments. These alerts contain valuable information about what triggered the alert, the resources targeted, and the source of the attack. Azure Security Center has a set of predefined security alerts that are triggered when a threat or suspicious activity takes place. Custom alert rules let customers define new security alerts based on data already collected from their environment.
  • Azure Security Center provides prioritized security alerts and incidents, making it simpler for customers to discover and address potential security issues. A threat intelligence report is generated for each detected threat to assist incident response teams in investigating and remediating it.

Azure Application Gateway

The architecture reduces the risk of security vulnerabilities by using an Azure Application Gateway with a web application firewall configured and the OWASP rule set enabled. Additional capabilities include:

  • End-to-end TLS.
  • TLS v1.0 and v1.1 disabled.
  • TLS v1.2 enabled.
  • Web application firewall in prevention mode.
  • Prevention mode with the OWASP 3.0 rule set.
  • Diagnostic logging enabled.
  • Custom health probes.
  • Azure Security Center and Azure Advisor provide additional protection and notifications. Azure Security Center also provides a reputation system.

Logging and auditing

Azure services extensively log system and user activity, as well as system health:

  • Activity logs: Activity logs provide insight into operations performed on resources in a subscription. They help determine an operation's initiator, time of occurrence, and status.
  • Diagnostic logs: Diagnostic logs include all logs emitted by every resource, such as Windows event system logs, Azure Storage logs, Key Vault audit logs, and Application Gateway access and firewall logs. All diagnostic logs are written to a centralized, encrypted Azure storage account for archival. The retention period is user-configurable, up to 730 days, to meet organization-specific retention requirements.

Azure Monitor logs

These logs are consolidated in Azure Monitor logs for processing, storage, and dashboard reporting. Once collected, the data is organized into separate tables per data type within Log Analytics workspaces, so that all data can be analyzed together regardless of its original source. Furthermore, Azure Security Center integrates with Azure Monitor logs, letting customers use Kusto queries to access their security event data and combine it with data from other services.

The following Azure monitoring solutions are included as part of this architecture:

  • Active Directory Assessment: The Active Directory Health Check solution assesses the risk and health of server environments at regular intervals and provides a prioritized list of recommendations specific to the deployed server infrastructure.
  • Agent Health: The Agent Health solution reports how many agents are deployed and their geographic distribution, as well as how many agents are unresponsive and how many are submitting operational data.
  • Activity Log Analytics: The Activity Log Analytics solution assists with analysis of the Azure activity logs across all of a customer's Azure subscriptions.

Azure Monitor

Azure Monitor helps users track performance, maintain security, and identify trends by enabling organizations to audit, create alerts, and archive data, including tracking API calls to their Azure resources.

Application Insights

Application Insights is an extensible application performance management service for web developers on multiple platforms. It detects performance anomalies, and customers can use it to monitor the live web application. It includes powerful analytics tools to help customers diagnose issues and understand what users actually do with their app, and is designed to help customers continuously improve performance and usability.

Azure Key VaultAzure Key Vault

为组织创建一个保管库,以便在其中存储密钥,使如下所示的操作任务始终能够追责Create a vault for the organization in which to store keys, and maintain accountability for operational tasks like below

  • Data stored in Key Vault includes:
    • Application Insights key
    • Data Storage access key
    • Connection string
    • Data table name
    • User credentials
  • Advanced access policies are configured on a need basis.
  • Key Vault access policies are defined with the minimum required permissions to keys and secrets.
  • All keys and secrets in Key Vault have expiration dates.
  • All keys in Key Vault are protected by a hardware security module (HSM) [Key Type = hardware security module (HSM) Protected 2048-bit RSA Key].
  • All users/identities are granted the minimum required permissions by using role-based access control (RBAC).
  • Applications do not share a Key Vault unless they trust each other and need access to the same secrets at runtime.
  • Diagnostics logs for Key Vault are enabled with a retention period of at least 365 days.
  • Permitted cryptographic operations for keys are restricted to the ones required.
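As an added example (not code from the article or the sample repository), this Python audits a vault inventory against the checklist above: HSM-protected 2048-bit RSA keys, expiration dates on every key and secret, key operations limited to what each key needs, least-privilege access policies, and diagnostics retention of at least 365 days. The inventory dictionaries, the fixed clock and the REQUIRED_KEY_OPS allow-list are constructed assumptions shaped after Key Vault properties, not objects returned by the Key Vault API.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the audit is reproducible
# Constructed inventory shaped after Key Vault key, secret and access-policy properties; not a real vault.
SAMPLE_VAULT = {
    "keys": [
        {"name": "token-signing", "kty": "RSA-HSM", "size": 2048,
         "expires": NOW + timedelta(days=200), "key_ops": ["sign", "verify"]},
        {"name": "legacy-wrap", "kty": "RSA", "size": 2048, "expires": None,
         "key_ops": ["encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify"]},
    ],
    "secrets": [
        {"name": "AppInsightsKey", "expires": NOW + timedelta(days=90)},
        {"name": "StorageConnectionString", "expires": NOW - timedelta(days=3)},
    ],
    "access_policies": [
        {"principal": "webapp-identity", "secrets": ["get"], "keys": ["sign"]},
        {"principal": "ops-user", "secrets": ["all"], "keys": ["all"]},
    ],
    "diagnostics_retention_days": 90,
}
# Assumed per-key allow-list of the operations each key actually needs (the checklist: only those).
REQUIRED_KEY_OPS = {"token-signing": {"sign", "verify"}, "legacy-wrap": {"wrapKey", "unwrapKey"}}

def audit_vault(vault, now=NOW, min_retention_days=365):
    """Return one finding string per control violation; an empty list means the checklist passes."""
    findings = []
    for key in vault["keys"]:
        if key["kty"] != "RSA-HSM" or key["size"] < 2048:
            findings.append(f"key {key['name']}: not an HSM-protected RSA key of at least 2048 bits")
        if key["expires"] is None:
            findings.append(f"key {key['name']}: no expiration date")
        elif key["expires"] <= now:
            findings.append(f"key {key['name']}: expired")
        # Any operation beyond the allow-list widens what a compromised caller could do with the key.
        extra = sorted(set(key["key_ops"]) - REQUIRED_KEY_OPS.get(key["name"], set(key["key_ops"])))
        if extra:
            findings.append(f"key {key['name']}: unneeded operations permitted: {extra}")
    for secret in vault["secrets"]:
        if secret["expires"] is None:
            findings.append(f"secret {secret['name']}: no expiration date")
        elif secret["expires"] <= now:
            findings.append(f"secret {secret['name']}: expired")
    for policy in vault["access_policies"]:
        for kind in ("secrets", "keys"):
            if {"all", "purge"} & set(policy[kind]):
                findings.append(f"policy {policy['principal']}: {kind} permissions are not least-privilege")
    if vault["diagnostics_retention_days"] < min_retention_days:
        findings.append(f"diagnostics retention of {vault['diagnostics_retention_days']} days is below {min_retention_days}")
    return findings
```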

VPN and ExpressRoute

A secure VPN tunnel or ExpressRoute needs to be configured to securely establish a connection to the resources deployed as part of this PaaS web application reference architecture. By appropriately setting up a VPN or ExpressRoute, customers can add a layer of protection for data in transit.

By implementing a secure VPN tunnel with Azure, a virtual private connection between an on-premises network and an Azure Virtual Network can be created. This connection takes place over the Internet and allows customers to securely "tunnel" information inside an encrypted link between the customer's network and Azure. Site-to-Site VPN is a secure, mature technology that has been deployed by enterprises of all sizes for decades. IPsec tunnel mode is used in this option as the encryption mechanism.

Because traffic within the VPN tunnel does traverse the Internet with a site-to-site VPN, Microsoft offers another, even more secure connection option. Azure ExpressRoute is a dedicated WAN link between Azure and an on-premises location or an Exchange hosting provider. As ExpressRoute connections do not go over the Internet, these connections offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet. Furthermore, because this is a direct connection through the customer's telecommunication provider, the data does not travel over the Internet and therefore is not exposed to it.

Implement Azure Active Directory OIDC

  1. To clone the source code repository, use this Git command:
git clone https://github.com/Azure-Samples/AAD-Security

Update the redirect URLs

  1. Navigate back to the Azure portal. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations.
  2. In the resultant screen, select the WebApp-OpenIDConnect-DotNet-code-v2 application.
  3. In the Authentication tab, in the Redirect URIs section, select Web in the combo box and add the following redirect URIs: https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn and https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn/signin-oidc. In the Advanced settings section, set Logout URL to https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn/signout-oidc.
  4. In the Branding tab, update the Home page URL to the address of your app service, for example https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn. Save the configuration.
  5. If your application calls a web API, make sure to apply the necessary changes in the project's appsettings.json so that it calls the published API URL instead of localhost.

Publishing the sample

  1. From the Overview tab of the App Service, download the publish profile by clicking the Get publish profile link and save it. Other deployment mechanisms, such as deployment from source control, can also be used.
  2. Switch to Visual Studio and go to the WebApp-OpenIDConnect-DotNet-code-v2 project. Right-click the project in Solution Explorer and select Publish. Click Import Profile on the bottom bar, and import the publish profile that you downloaded earlier.
  3. Click Configure and, in the Connection tab, update the Destination URL so that it is the https home page URL, for example https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn. Click Next.
  4. On the Settings tab, make sure Enable Organizational Authentication is NOT selected. Click Save. Click Publish on the main screen.
  5. Visual Studio publishes the project and automatically opens a browser to the URL of the project. If you see the default web page of the project, the publication was successful.
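As an added example, not part of the article or the sample project, the following Python shows the exact-match behaviour a defender should expect from the redirect URIs registered above: a callback URL is accepted only when scheme, host and path match a registered entry completely, and plain http is tolerated only for localhost development. The registered list is a constructed copy of the two URIs from step 3; the case-insensitive host comparison and the fragment and wildcard rules are this example's own choices.

```python
from urllib.parse import urlsplit

# Constructed copy of the two redirect URIs registered in the steps above.
REGISTERED_REDIRECT_URIS = [
    "https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn",
    "https://WebApp-OpenIDConnect-DotNet-code-v2-contoso.chinacloudsites.cn/signin-oidc",
]

def registration_problems(uri):
    """Return the reasons `uri` should not be registered as a redirect URI; [] means acceptable."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    problems = []
    if not host:
        problems.append("missing host")
    if scheme == "http":
        # Plain http is tolerated only for local development callbacks.
        if host not in ("localhost", "127.0.0.1"):
            problems.append("http is only acceptable for localhost development URIs")
    elif scheme != "https":
        problems.append(f"unsupported scheme {parts.scheme!r}")
    if parts.fragment:
        problems.append("fragments are not allowed in a redirect URI")
    if "*" in uri:
        problems.append("wildcards are not allowed; register each callback URI explicitly")
    return problems

def _canonical(uri):
    """Scheme and host are case-insensitive (RFC 3986); port, path and query are compared verbatim."""
    parts = urlsplit(uri)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port, parts.path, parts.query)

def is_registered_redirect(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact-match check: the callback is accepted only if one registered URI matches it completely."""
    return any(_canonical(candidate) == _canonical(r) for r in registered)

def check_registration_list(registered=REGISTERED_REDIRECT_URIS):
    """Problems for each registered URI, keyed by URI; {} means the whole list is acceptable."""
    return {u: registration_problems(u) for u in registered if registration_problems(u)}
```

A trailing slash, a different path case or a query string all count as a different URI, which is why the sample's signin-oidc and signout-oidc endpoints must each be registered verbatim.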

Implement Multi-Factor Authentication for Azure Active Directory

Administrators need to ensure that the subscription accounts in the portal are protected. The subscription is vulnerable to attacks because it manages the resources that you created. To protect the subscription, enable Multi-Factor Authentication on the Azure Active Directory tab of the subscription.

Azure AD operates based on policies that are applied to a user or groups of users that fit certain criteria. Azure creates a default policy specifying that administrators need two-factor authentication to sign in to the portal. After enabling this policy, you might be prompted to sign out and sign back in to the Azure portal.

To enable MFA for admin sign-ins

  1. Go to the Azure Active Directory tab in the Azure portal.

  2. Under the Security category, select Conditional Access. You see this screen:

    Conditional access - policies

If you can't create a new policy

  1. Go to the MFA tab.
  2. Select an Azure AD Premium Free trial link to subscribe to the free trial.

Azure AD Premium free trial

Return to the Conditional Access screen.

  1. Select the New policy tab.
  2. Enter the policy name.
  3. Select the users or groups for which you want to enable MFA.
  4. Under Access controls, select the Grant tab and then select Require multi-factor authentication (and other settings if you want).

Require MFA

You can enable the policy by selecting the check box at the top of the screen or on the Conditional Access tab. When the policy is enabled, users need MFA to sign in to the portal.

There's a baseline policy that requires MFA for all Azure administrators. You can enable it immediately in the portal. Enabling this policy might invalidate the current session and force you to sign in again.

If the baseline policy isn't enabled

  1. Select Require MFA for admins.
  2. Select Use policy immediately.

Select Use policy immediately

Use Azure Sentinel to monitor apps and resources

As an application grows, it becomes difficult to aggregate all the security signals and metrics received from resources and make them useful in an action-oriented way.

Azure Sentinel is designed to collect data, detect the types of threats possible, and provide visibility into security incidents. While it waits for manual intervention, Azure Sentinel can rely on pre-written playbooks to kick off alerts and incident management processes.

The sample app is composed of several resources that Azure Sentinel can monitor. To set up Azure Sentinel, you first need to create a Log Analytics workspace that stores all the data collected from the various resources.

To create this workspace

  1. In the search box in the Azure portal, search for Log Analytics. Select Log Analytics workspaces.

Search for Log Analytics workspaces

  2. On the next page, select Add and then provide a name, resource group, and location for the workspace.

Create a Log Analytics workspace

  3. Use the search box to search for Azure Sentinel.

Search for Azure Sentinel

  4. Select Add and then select the Log Analytics workspace that you created earlier.

Add a Log Analytics workspace

  5. On the Azure Sentinel - Data connectors page, under Configuration, select Data connectors. You see an array of Azure services that you can link to the Log Analytics storage instance for analysis in Azure Sentinel.

Add a data connector to Azure Sentinel

For example, to connect the application gateway, take these steps:

  1. Open the Azure Application Gateway instance blade.
  2. Under Monitoring, select Diagnostic settings.
  3. Select Add diagnostic setting.

Add Application Gateway diagnostics

  4. On the Diagnostic settings page, select the Log Analytics workspace that you created and then select all the metrics that you want to collect and send to Azure Sentinel. Select Save.

Azure Sentinel connector settings

Cost considerations

If you don't already have an Azure account, you can create a free one. Go to the trial account page to get started, see what you can do with a free Azure account, and learn which products are free for 12 months.

To deploy the resources in the sample app with the security features, you need to pay for some premium features. As the app scales and the free tiers and trials offered by Azure need to be upgraded to meet application requirements, your costs might increase. Use the Azure pricing calculator to estimate your costs.

Next steps

The following articles can help you design, develop, and deploy secure applications.