Azure SQL Database security features

Azure SQL Database provides a relational database service in Azure. To protect customer data and provide the strong security features that customers expect from a relational database service, SQL Database has its own set of security capabilities. These capabilities build upon the controls that are inherited from Azure.

Security capabilities

Usage of the TDS protocol

Azure SQL Database supports only the tabular data stream (TDS) protocol, which requires the database to be accessible only over the default port, TCP/1433.

Azure SQL Database firewall

To help protect customer data, Azure SQL Database includes firewall functionality, which by default prevents all access to the SQL Database server, as shown below.

[Figure: Azure SQL Database firewall]

The gateway firewall can limit addresses, which gives customers granular control to specify ranges of acceptable IP addresses. The firewall grants access based on the originating IP address of each request.

Customers can configure the firewall through the management portal or programmatically through the Azure SQL Database Management REST API. By default, the Azure SQL Database gateway firewall prevents all customer TDS access to Azure SQL Database instances. Customers must configure access by using access-control lists (ACLs) that permit Azure SQL Database connections by source and destination internet addresses, protocols, and port numbers.

DoSGuard

Denial of service (DoS) attacks are reduced by a SQL Database gateway service called DoSGuard. DoSGuard actively tracks failed logins by IP address. If there are multiple failed logins from a specific IP address within a period of time, that IP address is blocked from accessing any resources in the service for a pre-defined time period.
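The failed-login tracking described above, modelled as an added example (not Microsoft's code, and not Azure's real thresholds): failures per source IP are counted in a sliding window, and an IP that exceeds the limit is refused for a fixed block period even if it later presents correct credentials. The thresholds, the class name and the sample events are constructed for this example.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Toy model of the behaviour the page attributes to DoSGuard: count failed
    logins per source IP in a sliding window and block the IP for a fixed period.
    The thresholds below are assumptions for the example, not Azure's values."""

    def __init__(self, max_failures=3, window_secs=60.0, block_secs=300.0):
        self.max_failures, self.window_secs, self.block_secs = max_failures, window_secs, block_secs
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
        self._blocked_until = {}              # ip -> time at which the block lifts

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]       # pre-defined block period has elapsed
            return False
        return True

    def record_login(self, ip, success, now):
        """Return 'blocked', 'newly_blocked' or 'allowed' for this attempt."""
        if self.is_blocked(ip, now):
            return "blocked"                  # even a correct password is refused while blocked
        if success:
            return "allowed"
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_secs:
            q.popleft()                       # forget failures outside the sliding window
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_secs
            q.clear()
            return "newly_blocked"
        return "allowed"

# Constructed sample login events: (seconds since start, source IP, login succeeded)
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False),
    (5, "203.0.113.10", False),
    (9, "198.51.100.7", True),     # unrelated client is unaffected
    (10, "203.0.113.10", False),   # third failure inside the 60 s window
    (20, "203.0.113.10", True),    # right credentials, but the IP is blocked
    (400, "203.0.113.10", True),   # 300 s block has expired
]

def replay(events, throttle=None):
    throttle = throttle or LoginThrottle()
    return [(ip, throttle.record_login(ip, ok, t)) for t, ip, ok in events]
```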

In addition, the Azure SQL Database gateway performs:

  • Secure channel capability negotiation, to establish TDS FIPS 140-2 validated encrypted connections when it connects to the database servers.
  • Stateful TDS packet inspection while it accepts connections from clients. The gateway validates the connection information and passes the TDS packets on to the appropriate physical server, based on the database name specified in the connection string.

The overarching principle for network security of the Azure SQL Database offering is to allow only the connections and communication that are necessary for the service to operate. All other ports, protocols, and connections are blocked by default. Virtual local area networks (VLANs) and ACLs are used to restrict network communications by source and destination networks, protocols, and port numbers.

The mechanisms approved for implementing network-based ACLs include ACLs on routers and load balancers. These mechanisms are managed by Azure networking, the guest VM firewall, and the Azure SQL Database gateway firewall rules, which are configured by the customer.

Data segregation and customer isolation

The Azure production network is structured so that publicly accessible system components are segregated from internal resources. Physical and logical boundaries exist between the web servers that provide access to the public-facing Azure portal and the underlying Azure virtual infrastructure, where customer application instances and customer data reside.

All publicly accessible information is managed within the Azure production network. The production network is subject to two-factor authentication and boundary protection mechanisms, uses the firewall and security feature set described in the previous section, and uses the data isolation functions described in the following sections.

Unauthorized systems and isolation of the FC

Because the fabric controller (FC) is the central orchestrator of the Azure fabric, significant controls are in place to mitigate threats to it, especially from potentially compromised fabric agents (FAs) within customer applications. The FC does not recognize any hardware whose device information (for example, its MAC address) is not pre-loaded into the FC. The DHCP servers on the FC have configured lists of the MAC addresses of the nodes they are willing to boot. Even if unauthorized systems are connected, they are not incorporated into the fabric inventory, and therefore are neither connected nor authorized to communicate with any system within the fabric inventory. This reduces the risk of unauthorized systems communicating with the FC and gaining access to the VLAN and to Azure.

VLAN isolation

The Azure production network is logically segregated into three primary VLANs:

  • The main VLAN: interconnects untrusted customer nodes.
  • The FC VLAN: contains trusted FCs and supporting systems.
  • The device VLAN: contains trusted network and other infrastructure devices.

Packet filtering

The IPFilter and the software firewalls implemented on the root OS and guest OS of the nodes enforce connectivity restrictions and prevent unauthorized traffic between VMs.

Hypervisor, root OS, and guest VMs

The isolation of the root OS from the guest VMs, and of the guest VMs from one another, is managed by the hypervisor and the root OS.

Types of rules on firewalls

A rule is defined as:

{Src IP, Src Port, Destination IP, Destination Port, Destination Protocol, In/Out, Stateful/Stateless, Stateful Flow Timeout}.

TCP SYN packets are allowed in or out only if one of the rules permits them. For TCP, Azure uses stateless rules: all non-SYN packets are allowed into or out of the VM. The security premise is that any host stack will ignore a non-SYN packet for a connection for which it has not previously seen a SYN packet. Because the TCP protocol is itself stateful, combining it with the stateless SYN-based rule achieves the overall behavior of a stateful implementation.

For User Datagram Protocol (UDP), Azure uses a stateful rule. Every time a UDP packet matches a rule, a reverse flow is created in the other direction. This flow has a built-in timeout.
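The rule tuple and the two evaluation modes described above (stateless SYN-only checking for TCP, reverse flows with a timeout for UDP), as an added simulation that is not Azure's code: the `*` wildcard, the rule set, the addresses and the `VmPacketFilter` name are constructed for this example.

```python
from collections import namedtuple

ANY = "*"  # assumed wildcard notation for this example
# The page's 8-tuple: addresses, ports, protocol, direction ("in"/"out"), stateful flag, flow timeout (s)
Rule = namedtuple("Rule", "src_ip src_port dst_ip dst_port proto direction stateful flow_timeout",
                  defaults=(0.0,))
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto direction syn", defaults=(False,))

def _m(value, pattern):
    return pattern == ANY or value == pattern

class VmPacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = {}  # (src_ip, src_port, dst_ip, dst_port, direction) -> expiry time

    def _rule_for(self, p):
        return next((r for r in self.rules
                     if all(_m(getattr(p, f), getattr(r, f)) for f in Rule._fields[:6])), None)

    def allow(self, p, now):
        if p.proto == "tcp":
            # Stateless TCP rule: only SYNs are checked against the rules; non-SYN
            # segments pass because a host stack ignores them without a prior SYN.
            return (not p.syn) or self._rule_for(p) is not None
        if p.proto == "udp":
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.direction)
            if now < self.flows.get(key, -1.0):
                return True  # matches an unexpired reverse flow
            r = self._rule_for(p)
            if r is not None and r.stateful:  # stateful UDP rule: open the reverse flow
                rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, "in" if p.direction == "out" else "out")
                self.flows[rev] = now + r.flow_timeout
            return r is not None
        return False  # anything else is blocked by default

RULES = [  # constructed: inbound TDS to VM 10.0.0.4, outbound DNS from it with a 30 s flow timeout
    Rule(ANY, ANY, "10.0.0.4", 1433, "tcp", "in", False),
    Rule("10.0.0.4", ANY, ANY, 53, "udp", "out", True, 30.0),
]

def demo():
    f, cli, dns = VmPacketFilter(RULES), "192.0.2.10", "192.0.2.53"  # constructed addresses
    return [
        f.allow(Packet(cli, 50000, "10.0.0.4", 1433, "tcp", "in", syn=True), 0),  # permitted SYN
        f.allow(Packet(cli, 50001, "10.0.0.4", 22, "tcp", "in", syn=True), 0),    # no rule: dropped
        f.allow(Packet(cli, 50001, "10.0.0.4", 22, "tcp", "in"), 0),              # non-SYN: passes
        f.allow(Packet("10.0.0.4", 5353, dns, 53, "udp", "out"), 0),              # opens reverse flow
        f.allow(Packet(dns, 53, "10.0.0.4", 5353, "udp", "in"), 10),              # within timeout
        f.allow(Packet(dns, 53, "10.0.0.4", 5353, "udp", "in"), 40),              # flow expired
    ]
```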

Customers are responsible for setting up their own firewalls on top of what Azure provides. There, customers can define the rules for inbound and outbound traffic.

Production configuration management

Standard secure configurations are maintained by the respective operations teams in Azure and Azure SQL Database. All configuration changes to production systems are documented and tracked through a central tracking system. Software and hardware changes are tracked through the central tracking system. Networking changes that relate to ACLs are tracked using an ACL management service.

All configuration changes to Azure are developed and tested in the staging environment and are thereafter deployed to the production environment. Software builds are reviewed as part of testing. Security and privacy checks are reviewed as part of the entry checklist criteria. Changes are deployed at scheduled intervals by the respective deployment team. Releases are reviewed and signed off by the respective deployment team personnel before they are deployed into production.

Changes are monitored for success. If a change fails, it is rolled back to its previous state, or a hotfix is deployed to address the failure with the approval of the designated personnel. Source Depot, Git, TFS, Master Data Services (MDS), runners, Azure security monitoring, the FC, and the WinFabric platform are used to centrally manage, apply, and verify the configuration settings in the Azure virtual environment.

Similarly, hardware and network changes have established validation steps to evaluate their adherence to the build requirements. The releases are reviewed and authorized through a coordinated change advisory board (CAB) of the respective groups across the stack.

Next steps

To learn more about what Microsoft does to secure the Azure infrastructure, see: