Azure information system components and boundaries

This article provides a general description of the Azure architecture and management. The Azure system environment is made up of the following networks:

  • Microsoft Azure production network (Azure network)
  • Microsoft corporate network (corpnet)

Separate IT teams are responsible for operations and maintenance of these networks.

Azure architecture

Azure is a cloud computing platform and infrastructure for building, deploying, and managing applications and services through a network of datacenters. Microsoft manages these datacenters. Based on the number of resources you specify, Azure creates virtual machines (VMs) to meet that resource need. These VMs run on an Azure hypervisor, which is designed for use in the cloud and is not accessible to the public.

On each Azure physical server node, a hypervisor runs directly on the hardware. The hypervisor divides a node into a variable number of guest VMs. Each node also has one root VM, which runs the host operating system. Windows Firewall is enabled on each VM. You define which ports are addressable by configuring the service definition file; these ports are the only ones open and addressable, internally or externally. All traffic to and from the disk and the network, and all access to them, is mediated by the hypervisor and the root operating system.

At the host layer, Azure VMs run a customized and hardened version of the latest Windows Server. Azure uses a version of Windows Server that includes only the components necessary to host VMs. This improves performance and reduces the attack surface. Machine boundaries are enforced by the hypervisor and do not depend on operating system security.

Azure management by fabric controllers

In Azure, VMs running on physical servers (blades/nodes) are grouped into clusters of about 1000. The VMs are independently managed by a scaled-out and redundant platform software component called the fabric controller (FC).

Each FC manages the lifecycle of applications running in its cluster, and provisions and monitors the health of the hardware under its control. It runs autonomic operations, such as reincarnating VM instances on healthy servers when it determines that a server has failed. The FC also performs application-management operations, such as deploying, updating, and scaling out applications.

The datacenter is divided into clusters. Clusters isolate faults at the FC level and prevent certain classes of errors from affecting servers beyond the cluster in which they occur. FCs that serve a particular Azure cluster are grouped into an FC cluster.

Hardware inventory

The FC prepares an inventory of Azure hardware and network devices during the bootstrap configuration process. Any new hardware and network components entering the Azure production environment must follow the bootstrap configuration process. The FC is responsible for managing the entire inventory listed in the datacenter.xml configuration file.

FC-managed operating system images

The operating system team provides images, in the form of Virtual Hard Disks, that are deployed on all host and guest VMs in the Azure production environment. The team constructs these base images through an automated offline build process. The base image is a version of the operating system in which the kernel and other core components have been modified and optimized to support the Azure environment.

There are three types of fabric-managed operating system images:

  • Host: A customized operating system that runs on host VMs.
  • Native: A native operating system that runs on tenants (for example, Azure Storage). This operating system does not have any hypervisor.
  • Guest: A guest operating system that runs on guest VMs.

The host and native FC-managed operating systems are designed for use in the cloud and are not publicly accessible.

Host and native operating systems

Host and native are hardened operating system images that host the fabric agents and run on compute nodes (as the first VM on the node) and on storage nodes. The benefit of using optimized base images for host and native is a smaller surface area exposed through APIs or unused components, which can present high security risks and increase the footprint of the operating system. Reduced-footprint operating systems include only the components that Azure needs.

Guest operating system

Azure internal components running on guest operating system VMs have no opportunity to run Remote Desktop Protocol. Any changes to baseline configuration settings must go through the change and release management process.

Azure datacenters

The Microsoft Cloud Infrastructure and Operations (MCIO) team manages the physical infrastructure and datacenter facilities for all Microsoft online services. MCIO is primarily responsible for managing the physical and environmental controls within the datacenters, as well as managing and supporting outer perimeter network devices (such as edge routers and datacenter routers). MCIO is also responsible for setting up the bare minimum server hardware on racks in the datacenter. Customers have no direct interaction with Azure.

Service management and service teams

Various engineering groups, known as service teams, manage the support of the Azure service. Each service team is responsible for an area of support for Azure. Each service team must make an engineer available 24x7 to investigate and resolve failures in the service. Service teams do not, by default, have physical access to the hardware operating in Azure.

The service teams are:

  • Application Platform
  • Azure Active Directory
  • Azure Compute
  • Azure Net
  • Cloud Engineering Services
  • ISSD: Security
  • Multifactor Authentication
  • SQL Database
  • Storage

Types of users

Employees (or contractors) of Microsoft are considered internal users. All other users are considered external users. All Azure internal users have their employee status categorized with a sensitivity level that defines their access to customer data (access or no access). User privileges to Azure (authorization permissions granted after authentication takes place) are described in the following table, one entry per role:

Role: Azure datacenter engineer
Internal or external: Internal
Sensitivity level: No access to customer data
Authorized privileges and functions performed: Manage the physical security of the premises. Conduct patrols in and out of the datacenter, and monitor all entry points. Escort into and out of the datacenter certain non-cleared personnel who provide general services (such as dining or cleaning) or IT work within the datacenter. Conduct routine monitoring and maintenance of network hardware. Perform incident management and break-fix work by using a variety of tools. Conduct routine monitoring and maintenance of the physical hardware in the datacenters. Access the environment on demand from property owners. Capable of performing forensic investigations, logging incident reports, and enforcing mandatory security training and policy requirements. Operational ownership and maintenance of critical security tools, such as scanners and log collection.
Access type: Persistent access to the environment.

Role: Azure incident triage (rapid response engineers)
Internal or external: Internal
Sensitivity level: Access to customer data
Authorized privileges and functions performed: Manage communications among MCIO, support, and engineering teams. Triage platform incidents, deployment issues, and service requests.
Access type: Just-in-time access to the environment, with limited persistent access to non-customer systems.

Role: Azure deployment engineers
Internal or external: Internal
Sensitivity level: Access to customer data
Authorized privileges and functions performed: Deploy and upgrade platform components, software, and scheduled configuration changes in support of Azure.
Access type: Just-in-time access to the environment, with limited persistent access to non-customer systems.

Role: Azure customer outage support (tenant)
Internal or external: Internal
Sensitivity level: Access to customer data
Authorized privileges and functions performed: Debug and diagnose platform outages and faults for individual compute tenants and Azure accounts. Analyze faults. Drive critical fixes to the platform or customer, and drive technical improvements across support.
Access type: Just-in-time access to the environment, with limited persistent access to non-customer systems.

Role: Azure live site engineers (monitoring engineers) and incident
Internal or external: Internal
Sensitivity level: Access to customer data
Authorized privileges and functions performed: Diagnose and mitigate platform health by using diagnostic tools. Drive fixes for volume drivers, repair items resulting from outages, and assist outage restoration actions.
Access type: Just-in-time access to the environment, with limited persistent access to non-customer systems.

Role: Azure customers
Internal or external: External
Sensitivity level: N/A
Authorized privileges and functions performed: N/A
Access type: N/A

Azure uses unique identifiers to authenticate organizational users and customers (or processes acting on behalf of organizational users). This applies to all assets and devices that are part of the Azure environment.

Azure internal authentication

Communications between Azure internal components are protected with TLS encryption. In most cases, the X.509 certificates are self-signed. Certificates for connections that can be reached from outside the Azure network are an exception, as are the certificates of the FCs. FCs have certificates issued by a Microsoft certificate authority (CA) that is backed by a trusted root CA. This allows FC public keys to be rolled over easily. Additionally, Microsoft developer tools use FC public keys. When developers submit new application images, the images are encrypted with an FC public key in order to protect any embedded secrets.
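
The two trust models described above, as an added example that is not code from the original article or from Microsoft: a client checks a CA-issued fabric controller certificate by chaining it to the root CA, so an FC certificate re-issued with a fresh key is accepted without touching any client (the "easy rollover" property), whereas a self-signed certificate between internal components can only be trusted by pinning the exact certificate, and a re-keyed peer is rejected until the pin is updated. The CA name, the "fabric-controller" and "internal-component" subjects, the ECDSA P-256 keys and the validity window are all constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh ECDSA P-256 key pair (constructed for the example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template; isCA marks a signing certificate.
func template(cn string, isCA bool) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with signerKey; when parent == tmpl the result is self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyAgainstRoot is the FC model: the client holds only the root CA, so any
// certificate that chains to it is accepted, including one issued after a key rollover.
func verifyAgainstRoot(cert, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// verifyPinned is the self-signed model: trust is an exact match on the pinned
// certificate, so a re-keyed peer is rejected until every client updates its pin.
func verifyPinned(cert, pinned *x509.Certificate) bool {
	return cert.Equal(pinned)
}

// Result records the outcome of each check so a test can assert on it.
type Result struct {
	FCVerifies         bool // CA-issued FC certificate chains to the root
	RolledFCVerifies   bool // FC certificate re-issued under a new key still chains
	SelfSignedVerifies bool // self-signed component certificate does NOT chain to the root
	PinMatches         bool // pinned self-signed certificate is accepted by exact match
	RekeyedPinMatches  bool // after a re-key the old pin no longer matches
}

// demo builds the constructed CA, FC and component certificates and runs both checks.
func demo() Result {
	caKey := newKey()
	caTmpl := template("Constructed Root CA", true)
	root := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	fcKey, fcKey2 := newKey(), newKey()
	fc := issue(template("fabric-controller", false), root, &fcKey.PublicKey, caKey)
	fcRolled := issue(template("fabric-controller", false), root, &fcKey2.PublicKey, caKey)

	peerKey, peerKey2 := newKey(), newKey()
	peerTmpl, peerTmpl2 := template("internal-component", false), template("internal-component", false)
	peer := issue(peerTmpl, peerTmpl, &peerKey.PublicKey, peerKey)
	peerRekeyed := issue(peerTmpl2, peerTmpl2, &peerKey2.PublicKey, peerKey2)

	return Result{
		FCVerifies:         verifyAgainstRoot(fc, root),
		RolledFCVerifies:   verifyAgainstRoot(fcRolled, root),
		SelfSignedVerifies: verifyAgainstRoot(peer, root),
		PinMatches:         verifyPinned(peer, peer),
		RekeyedPinMatches:  verifyPinned(peerRekeyed, peer),
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

The asymmetry is the operational point: with the CA model, re-keying the FC is a one-sided operation, while with pinning every peer that pins the old certificate has to be updated in step with the re-key, which is acceptable for closed component-to-component links but not for certificates that must be reachable from outside.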

Azure hardware device authentication

The FC maintains a set of credentials (keys and/or passwords) used to authenticate itself to the various hardware devices under its control. Microsoft uses a system to prevent access to these credentials. Specifically, the transport, persistence, and use of these credentials are designed to prevent Azure developers, administrators, and backup services and personnel from accessing sensitive, confidential, or private information.

Microsoft uses encryption based on the FC's master identity public key. This encryption is applied at FC setup and FC reconfiguration time to transfer the credentials used to access networking hardware devices. When the FC needs the credentials, it retrieves and decrypts them.
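
The credential handling in the two paragraphs above, as an added example that is not code from the original article or from Microsoft: a device credential is sealed under the FC's master identity public key (here as an AES-256-GCM data key wrapped with RSA-OAEP), so the record that is transported, persisted or backed up carries no plaintext, and only the FC, holding the private key, can retrieve and decrypt it. The RSA key size, the device name, the credential value and the OAEP label are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel binds the wrapped key to this one purpose (constructed value).
var oaepLabel = []byte("fc-device-credential")

// SealedCredential is the only form in which the credential is transported or
// persisted: no plaintext, and the data key is recoverable only with the FC private key.
type SealedCredential struct {
	Device     string // which device the credential is for; authenticated but not secret
	WrappedKey []byte // AES-256 data key encrypted with RSA-OAEP under the FC public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(credential) with Device as associated data
}

// NewFCKey generates a master identity key pair (constructed; 2048-bit RSA).
func NewFCKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a device credential so that only the FC's private key can recover it.
func Seal(fcPub *rsa.PublicKey, device string, credential []byte) (*SealedCredential, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, fcPub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &SealedCredential{
		Device:     device,
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, credential, []byte(device)),
	}, nil
}

// Open is the FC-side retrieve-and-decrypt step. Without fcPriv the data key
// cannot be unwrapped, so anyone holding only the sealed record (developers,
// administrators, backup tooling) learns nothing about the credential.
func Open(fcPriv *rsa.PrivateKey, s *SealedCredential) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, fcPriv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: not the FC master identity private key")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	// GCM also rejects a record whose Device field or ciphertext was altered in storage.
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(s.Device))
}

func main() {
	fcKey := NewFCKey()
	sealed, err := Seal(&fcKey.PublicKey, "tor-switch-01", []byte("constructed-device-password"))
	if err != nil {
		panic(err)
	}
	plain, err := Open(fcKey, sealed)
	fmt.Printf("recovered=%q err=%v\n", plain, err)
}
```

Binding the device name as associated data means a sealed record cannot be silently re-labelled for a different device, and wrapping a per-record data key rather than the credential itself keeps the RSA operation independent of the credential length.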

Network devices

The Azure networking team configures network service accounts to enable an Azure client to authenticate to network devices (routers, switches, and load balancers).

Secure service administration

Azure operations personnel are required to use secure admin workstations (SAWs). Customers can implement similar controls by using privileged access workstations. With SAWs, administrative personnel use an individually assigned administrative account that is separate from their standard user account. The SAW builds on that account separation by providing a trustworthy workstation for those sensitive accounts.

Next steps

To learn more about what Microsoft does to help secure the Azure infrastructure, see: