Management and operation of the Azure production network

This article describes how Microsoft manages and operates the Azure production network to secure the Azure datacenters.

Monitor, log, and report

The management and operation of the Azure production network is a coordinated effort between the operations teams of Azure and Azure SQL Database. The teams use several system and application performance-monitoring tools in the environment, and they use the appropriate tools to monitor network devices, servers, services, and application processes.

To ensure the secure execution of services running in the Azure environment, the operations teams implement multiple levels of monitoring, logging, and reporting, including the following actions:

  • Primarily, the Microsoft Monitoring Agent (MMA) gathers monitoring and diagnostic log information from many places, including the fabric controller (FC) and the root operating system (OS), and writes it to log files. The agent eventually pushes a digested subset of the information into a pre-configured Azure storage account. In addition, the freestanding monitoring and diagnostic service reads various monitoring and diagnostic log data and summarizes the information. The monitoring and diagnostic service writes the information to an integrated log. Azure uses the custom-built Azure security monitoring (ASM), which is an extension to the Azure monitoring system. ASM has components that observe, analyze, and report on security-pertinent events from various points in the platform.

  • The Azure SQL Database Windows Fabric platform provides management, deployment, development, and operational oversight services for Azure SQL Database. The platform offers distributed, multi-step deployment services, health monitoring, automatic repairs, and service version compliance. It provides the following services:

    • Service modeling capabilities with a high-fidelity development environment (datacenter clusters are expensive and scarce).
    • One-click deployment and upgrade workflows for service bootstrap and maintenance.
    • Health reporting with automated repair workflows to enable self-healing.
    • Real-time monitoring, alerting, and debugging facilities across the nodes of a distributed system.
    • Centralized collection of operational data and metrics for distributed root cause analysis and service insight.
    • Operational tooling for deployment, change management, and monitoring.
    • The Azure SQL Database Windows Fabric platform and watchdog scripts run continuously and monitor in real time.

If any anomalies occur, the incident response process followed by the Azure incident triage team is activated. The appropriate Azure support personnel are notified to respond to the incident. Issue tracking and resolution are documented and managed in a centralized ticketing system. System uptime metrics are available under a non-disclosure agreement (NDA) and upon request.

Corporate network and multi-factor access to production

The corporate network user base includes Azure support personnel. The corporate network supports internal corporate functions and includes access to the internal applications that are used for Azure customer support. The corporate network is both logically and physically separated from the Azure production network. Azure personnel access the corporate network by using Azure workstations and laptops. All users must have an Azure Active Directory (Azure AD) account, including a username and password, to access corporate network resources. Corporate network access uses Azure AD accounts, which are issued to all Microsoft personnel, contractors, and vendors and are managed by Microsoft Information Technology. Unique user identifiers distinguish personnel based on their employment status at Microsoft.

Access to internal Azure applications is controlled through authentication with Active Directory Federation Services (AD FS). AD FS is a service hosted by Microsoft Information Technology that authenticates corporate network users by issuing a security token that carries user claims. AD FS enables internal Azure applications to authenticate users against the Microsoft corporate Active Directory domain. To access the production network from the corporate network environment, users must additionally authenticate by using multi-factor authentication.

Next steps

To learn more about what Microsoft does to secure the Azure infrastructure, see: