Azure 中的隔离Isolation in the Azure

可以通过 Azure 在共享的物理基础结构上运行应用程序和虚拟机 (VM)。Azure allows you to run applications and virtual machines (VMs) on shared physical infrastructure. 在云环境中运行应用程序的一个主要经济动机是可由多个客户分摊共享资源的成本。One of the prime economic motivations to running applications in a cloud environment is the ability to distribute the cost of shared resources among multiple customers. 这种多租户的做法在不同客户间多路复用资源,提高了效率并降低了成本。This practice of multi-tenancy improves efficiency by multiplexing resources among disparate customers at low costs. 遗憾的是,这种做法也带来了风险,会导致通过共享物理服务器和其他基础结构资源来运行敏感应用程序和 VM,而这些 VM 可能属于任意或潜在恶意用户。Unfortunately, it also introduces the risk of sharing physical servers and other infrastructure resources to run your sensitive applications and VMs that may belong to an arbitrary and potentially malicious user.

本文概述了 Azure 以何种方式同时针对恶意和非恶意用户提供隔离,并向架构师提供了多种隔离选项,指导他们构建云解决方案。This article outlines how Azure provides isolation against both malicious and non-malicious users and serves as a guide for architecting cloud solutions by offering various isolation choices to architects.

租户级别隔离Tenant Level Isolation

云计算的一个主要优势是同时跨多位客户使用共享的通用基础结构的概念,可带来规模效益。One of the primary benefits of cloud computing is concept of a shared, common infrastructure across numerous customers simultaneously, leading to economies of scale. 这种概念称为多租户。This concept is called multi-tenancy. Microsoft 始终致力于确保 Microsoft Cloud Azure 的多租户体系结构支持安全、保密性、隐私、完整性和可用性标准。Microsoft works continuously to ensure that the multi-tenant architecture of Microsoft Cloud Azure supports security, confidentiality, privacy, integrity, and availability standards.

在启用云的工作区中,可以将“租户”定义为拥有并管理该云服务的特定实例的客户端或组织。In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. 使用 Azure 提供的标识平台时,租户只是组织在注册 Azure 云服务时接收并拥有的 Azure Active Directory (Azure AD) 专用实例。With the identity platform provided by Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Azure cloud service.

每个 Azure AD 目录都是独特的,独立于其他 Azure AD 目录。Each Azure AD directory is distinct and separate from other Azure AD directories. 就像公司办公大楼是组织特有的安全资产一样,根据设计,Azure AD 目录也是仅供组织使用的安全资产。Just like a corporate office building is a secure asset specific to only your organization, an Azure AD directory was also designed to be a secure asset for use by only your organization. Azure AD 体系结构隔离了客户数据和身份信息,避免混合存放。The Azure AD architecture isolates customer data and identity information from co-mingling. 这意味着,一个 Azure AD 目录的用户和管理员不可能意外或恶意性地访问另一目录中的数据。This means that users and administrators of one Azure AD directory cannot accidentally or maliciously access data in another directory.

Azure 租户Azure Tenancy

Azure 租户(Azure 订阅)是指 Azure Active Directory 中的“客户/账单”关系和唯一的租户Azure tenancy (Azure Subscription) refers to a “customer/billing” relationship and a unique tenant in Azure Active Directory. Azure 中的租户级别隔离是使用 Azure Active Directory 及其提供的 Azure 基于角色的访问控制实现的。Tenant level isolation in Azure is achieved using Azure Active Directory and Azure role-based access control offered by it. 每个 Azure 订阅都会与一个 Azure Active Directory (AD) 目录关联。Each Azure subscription is associated with one Azure Active Directory (AD) directory.

该目录中的用户、组和应用程序可以管理 Azure 订阅中的资源。Users, groups, and applications from that directory can manage resources in the Azure subscription. 可以使用 Azure 门户、Azure 命令行工具及 Azure 管理 API 来分配这些访问权限。You can assign these access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. 从逻辑上讲,Azure AD 租户是使用安全边界隔离的,这样,任何客户都不能访问或入侵联合租户,而无论其行为是恶意的还是偶然的。An Azure AD tenant is logically isolated using security boundaries so that no customer can access or compromise co-tenants, either maliciously or accidentally. 在“裸机”服务器上运行的 Azure AD 是在分隔的网络段中隔离的,主机级别数据包筛选和 Windows 防火墙在该网络段中阻止不需要的连接和流量。Azure AD runs on “bare metal” servers isolated on a segregated network segment, where host-level packet filtering and Windows Firewall block unwanted connections and traffic.

  • 访问 Azure AD 中的数据需要通过安全令牌服务 (STS) 进行用户身份验证。Access to data in Azure AD requires user authentication via a security token service (STS). 授权系统使用有关用户存在性、已启用状态和角色的信息,确定此用户在此会话中对目标租户的访问请求是否已获授权。Information on the user’s existence, enabled state, and role is used by the authorization system to determine whether the requested access to the target tenant is authorized for this user in this session.

Azure 租户

  • 租户是离散的容器,它们之间没有任何关系。Tenants are discrete containers and there is no relationship between these.

  • 除非租户管理员通过联合身份验证或预配来自其他租户的用户帐户授予访问权限,否则不允许跨租户访问。No access across tenants unless tenant admin grants it through federation or provisioning user accounts from other tenants.

  • 限制了对危及 Azure AD 服务的服务器的物理访问,以及对 Azure 后端系统的直接访问。Physical access to servers that comprise the Azure AD service, and direct access to Azure AD’s back-end systems, is restricted.

  • Azure AD 用户无权访问物理资产或位置,因此他们不可能绕过下述逻辑 Azure RBAC 策略检查。Azure AD users have no access to physical assets or locations, and therefore it is not possible for them to bypass the logical Azure RBAC policy checks stated following.

为了满足诊断和维护需求,需要使用采用实时特权提升系统的操作模型。For diagnostics and maintenance needs, an operational model that employs a just-in-time privilege elevation system is required and used. Azure AD Privileged Identity Management (PIM) 引入了有资格管理员的概念。有资格管理员应是不时(但不是每天)需要特权访问的用户。Azure AD Privileged Identity Management (PIM) introduces the concept of an eligible admin. Eligible admins should be users that need privileged access now and then, but not every day. 该角色处于非活动状态,直到用户需要访问权限,然后他们完成激活过程,并在预定的时间内成为活动管理员。The role is inactive until the user needs access, then they complete an activation process and become an active admin for a predetermined amount of time.

Azure AD 特权标识管理

Azure Active Directory 在其自己受保护的容器中托管每个租户,使用的策略和权限针对各租户单独拥有和管理的容器,并保存在该容器内。Azure Active Directory hosts each tenant in its own protected container, with policies and permissions to and within the container solely owned and managed by the tenant.

从门户一直到永久性存储,租户容器的概念深入贯彻于目录服务的每一层。The concept of tenant containers is deeply ingrained in the directory service at all layers, from portals all the way to persistent storage.

即使多个 Azure Active Directory 租户的元数据存储在同一个物理磁盘中,除目录服务定义的容器外,各容器之间仍没有任何关系,而目录服务是由租户管理员指定的。Even when metadata from multiple Azure Active Directory tenants is stored on the same physical disk, there is no relationship between the containers other than what is defined by the directory service, which in turn is dictated by the tenant administrator.

Azure 基于角色的访问控制 (Azure RBAC)Azure role-based access control (Azure RBAC)

Azure 基于角色的访问控制 (Azure RBAC) 提供针对 Azure 的精细访问权限管理,有助于共享 Azure 订阅中提供的各种组件。Azure role-based access control (Azure RBAC) helps you to share various components available within an Azure subscription by providing fine-grained access management for Azure. 借助 Azure RBAC,可分隔组织内的职责,并根据用户进行作业的需求授予访问权限。Azure RBAC enables you to segregate duties within your organization and grant access based on what users need to perform their jobs. 可以仅允许某些操作,而不是向每个人提供对 Azure 订阅或资源不受限制的权限。Instead of giving everybody unrestricted permissions in Azure subscription or resources, you can allow only certain actions.

Azure RBAC 有三种适用于所有资源类型的基本角色:Azure RBAC has three basic roles that apply to all resource types:

  • 所有者 对所有资源具有完全访问权限,包括将访问权限委派给其他用户的权限。Owner has full access to all resources including the right to delegate access to others.

  • 参与者 可以创建和管理所有类型的 Azure 资源,但不能将访问权限授予其他用户。Contributor can create and manage all types of Azure resources but can’t grant access to others.

  • 读者 可以查看现有的 Azure 资源。Reader can view existing Azure resources.

Azure 基于角色的访问控制 (Azure RBAC)

可以通过 Azure 中的其他 Azure 角色对特定的 Azure 资源进行管理。The rest of the Azure roles in Azure allow management of specific Azure resources. 例如,虚拟机参与者角色允许用户创建和管理虚拟机。For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. 但不会向用户授予对虚拟机连接的 Azure 虚拟网络或子网的访问权限。It does not give them access to the Azure Virtual Network or the subnet that the virtual machine connects to.

Azure 内置角色列出了 Azure 中可用的角色。Azure built-in roles list the roles available in Azure. 它指定每个内置角色向用户授予的操作和范围。It specifies the operations and scope that each built-in role grants to users. 若要定义自己的角色以便进一步控制,请参阅如何生成 Azure RBAC 中的自定义角色If you're looking to define your own roles for even more control, see how to build Custom roles in Azure RBAC.

Azure Active Directory 的其他部分功能包括:Some other capabilities for Azure Active Directory include:

  • 使用 Azure AD 即可对 SaaS 应用程序启用 SSO,不管这些应用程序在何处托管。Azure AD enables SSO to SaaS applications, regardless of where they are hosted. 某些应用程序会与 Azure AD 联合起来进行身份验证,其他应用程序则使用密码 SSO。Some applications are federated with Azure AD, and others use password SSO. 联合应用程序还可以支持用户预配和密码存储Federated applications can also support user provisioning and password vaulting.

  • Azure 存储中的数据进行访问可以通过身份验证来控制。Access to data in Azure Storage is controlled via authentication. 每个存储帐户都有一个主密钥(存储帐户密钥,简称 SAK)和一个辅助密钥(共享访问签名,简称 SAS)。Each storage account has a primary key (storage account key, or SAK) and a secondary secret key (the shared access signature, or SAS).

  • Azure AD 通过联合身份验证(使用 Active Directory 联合身份验证服务)、同步以及本地目录复制方式提供标识即服务。Azure AD provides Identity as a Service through federation by using Active Directory Federation Services, synchronization, and replication with on-premises directories.

  • Azure AD 多重身份验证是多重身份验证服务,它要求用户使用移动应用、手机或短信验证登录。Azure AD Multi-Factor Authentication is the multi-factor authentication service that requires users to verify sign-ins by using a mobile app, phone call, or text message. 它可以与 Azure AD 配合使用,帮助通过 Azure 多重身份验证服务器来保护本地资源;它还用于使用 SDK 的自定义应用程序和目录。It can be used with Azure AD to help secure on-premises resources with the Azure Multi-Factor Authentication server, and also with custom applications and directories using the SDK.

  • Azure AD 域服务可让用户将 Azure 虚拟机加入一个 Active Directory 域,且无需部署域控制器。Azure AD Domain Services lets you join Azure virtual machines to an Active Directory domain without deploying domain controllers. 用户可以使用其公司的 Active Directory 凭据登录到这些虚拟机中,并使用组策略管理已加入域的虚拟机,以便在所有 Azure 虚拟机上强制实施安全基准措施。You can sign in to these virtual machines with your corporate Active Directory credentials and administer domain-joined virtual machines by using Group Policy to enforce security baselines on all your Azure virtual machines.

  • Azure Active Directory B2C 提供高度可用的全局性标识管理服务,该服务适用于面向用户且可通过缩放来处理数以亿计的标识的应用程序。Azure Active Directory B2C provides a highly available global-identity management service for consumer-facing applications that scales to hundreds of millions of identities. 它可以跨移动平台和 Web 平台进行集成。It can be integrated across mobile and web platforms. 使用者只需使用现有社交帐户或创建凭据,即可通过可自定义的体验登录到所有应用程序。Your consumers can sign in to all your applications through customizable experiences by using their existing social accounts or by creating credentials.

与 Microsoft 管理员和数据删除隔离Isolation from Microsoft Administrators & Data Deletion

Microsoft 采取强硬措施保护数据免受不适当的访问或未经授权的用户使用。Microsoft takes strong measures to protect your data from inappropriate access or use by unauthorized persons. 这些操作过程和控制由联机服务条款提供支持,该条款提供有关管理数据访问权限的合同承诺。These operational processes and controls are backed by the Online Services Terms, which offer contractual commitments that govern access to your data.

  • Microsoft 工程师没有访问云端数据的默认权限。Microsoft engineers do not have default access to your data in the cloud. 而是在必要时在管理监督下获取访问权限。Instead, they are granted access, under management oversight, only when necessary. 将谨慎控制并记录该访问权限,并在不再需要时撤回。That access is carefully controlled and logged, and revoked when it is no longer needed.
  • Microsoft 可能雇佣其他公司代表其提供有限的服务。Microsoft may hire other companies to provide limited services on its behalf. 分包商访问客户数据可能只是为了提供服务,这些服务是 Microsoft 雇佣他们来提供的,并且 Microsoft 禁止他们将这些数据用于其他用途。Subcontractors may access customer data only to deliver the services for which, we have hired them to provide, and they are prohibited from using it for any other purpose. 此外,受合同限制,他们必须维护客户信息的机密性。Further, they are contractually bound to maintain the confidentiality of our customers’ information.

对于经过审核认证(如 ISO/IEC 27001)的企业服务,Microsoft 和认证审核公司会定期进行验证,仅出于合法的商业目的对这些服务访问的资产执行样本审计。Business services with audited certifications such as ISO/IEC 27001 are regularly verified by Microsoft and accredited audit firms, which perform sample audits to attest that access, only for legitimate business purposes. 用户始终都可随时访问自己的客户数据,而不论出于什么原因。You can always access your own customer data at any time and for any reason.

如果你删除任何数据,Azure 会删除该数据,包括所有缓存的副本或备份副本。If you delete any data, Azure deletes the data, including any cached or backup copies. 对于范围内服务,该删除操作会在保留期结束后 90 天内进行。For in-scope services, that deletion will occur within 90 days after the end of the retention period. 联机服务条款的数据处理条款部分对范围内服务进行了定义。)(In-scope services are defined in the Data Processing Terms section of our Online Services Terms.)

如果用于存储的磁盘驱动器发生硬件故障,在 Microsoft 将其送回给制造商进行更换或修复前,将安全擦除或销毁该磁盘驱动器上的数据。If a disk drive used for storage suffers a hardware failure, it is securely erased or destroyed before Microsoft returns it to the manufacturer for replacement or repair. 驱动器上的数据会被覆盖,以确保无法通过任何方式恢复数据。The data on the drive is overwritten to ensure that the data cannot be recovered by any means.

计算隔离Compute Isolation

Azure 提供各种基于云的计算服务,包括大量计算实例和服务,它们可根据应用程序或企业的需求自动进行纵向扩展和缩减。Azure provides various cloud-based computing services that include a wide selection of compute instances & services that can scale up and down automatically to meet the needs of your application or enterprise. 这些计算实例和服务提供多个级别的隔离来保护数据,且不会降低客户所需配置的灵活性。These compute instance and service offer isolation at multiple levels to secure data without sacrificing the flexibility in configuration that customers demand.

独立虚拟机大小Isolated Virtual Machine Sizes

Azure 计算提供独立于特定硬件类型并专用于单个客户的虚拟机大小。Azure Compute offers virtual machine sizes that are Isolated to a specific hardware type and dedicated to a single customer. 独立大小在特定的硬件生成上有效并运行,当硬件生成失效时,将弃用。The Isolated sizes live and operate on specific hardware generation and will be deprecated when the hardware generation is retired.

独立的虚拟机大小最适合于由于满足符合性和法规要求等原因而需要与其他客户的工作负载高度隔离的工作负载。Isolated virtual machine sizes are best suited for workloads that require a high degree of isolation from other customers’ workloads for reasons that include meeting compliance and regulatory requirements. 使用独立大小可保证你的虚拟机将是在特定服务器实例上唯一运行的虚拟机。Utilizing an isolated size guarantees that your virtual machine will be the only one running on that specific server instance.

另外,由于独立大小的 VM 很大,客户可以选择使用 对嵌套虚拟机的 Azure 支持来细分这些 VM 的资源。Additionally, as the Isolated size VMs are large, customers may choose to subdivide the resources of these VMs by using Azure support for nested virtual machines.

当前的独立虚拟机产品/服务包括:The current Isolated virtual machine offerings include:

  • Standard_E64is_v3Standard_E64is_v3

  • Standard_E64i_v3Standard_E64i_v3

  • Standard_E80ids_v4

  • Standard_E80is_v4

  • Standard_M128msStandard_M128ms

  • Standard_F72s_v2Standard_F72s_v2


独立的 VM 大小具有有限的硬件寿命。Isolated VM Sizes have a hardware limited lifespan. 详情请参阅下文Please see below for details

弃用独立的 VM 大小Deprecation of Isolated VM Sizes

由于独立的 VM 大小是硬件绑定的大小,Azure 将在正式弃用这些大小之前 12 个月提供提醒。As Isolated VM sizes are hardware bound sizes, Azure will provide reminders 12 months in advance of the official deprecation of the sizes. Azure 还将为我们的下一个硬件版本提供已更新的独立大小,客户可以考虑将其工作负载转移到该版本上。Azure will also offer an updated isolated size on our next hardware version that the customer could consider moving their workload onto.

大小Size 隔离停用日期Isolation Retirement Date
Standard_DS15_v21Standard_DS15_v21 2020 年 5 月 15 日May 15, 2020
Standard_D15_v21Standard_D15_v21 2020 年 5 月 15 日May 15, 2020

1 有关 Standard_DS15_v2 和 Standard_D15_v2 隔离停用计划的详细信息,请参阅常见问题解答1 For details on Standard_DS15_v2 and Standard_D15_v2 isolation retirement program see FAQs


问:是要停用大小还是只停用“隔离”功能?Q: Is the size going to get retired or only "isolation" feature is?

:如果虚拟机大小没有“i”下标,则只有“隔离”功能将失效。A: If the virtual machine size does not have the "i" subscript, then only "isolation" feature will be retired. 如果不需要隔离,则不需要执行任何操作,VM 将继续按预期工作。If isolation is not needed, there is no action to be taken and the VM will continue to work as expected. 例如 Standard_DS15_v2、Standard_D15_v2、Standard_M128ms 等。如果虚拟机大小包括“i”下标,那么该大小将被停用。Examples include Standard_DS15_v2, Standard_D15_v2, Standard_M128ms etc. If the virtual machine size includes "i" subscript, then the size is going to get retired.

问:当我的虚拟机落脚于非隔离的硬件上时,是否会出现停机?Q: Is there a downtime when my vm lands on a non-isolated hardware?

:如果不需要隔离,就不需要采取任何行动,也不会有停机时间。A: If there is no need of isolation, no action is needed and there will be no downtime.

问:迁移到非独立的虚拟机是否有成本增量?Q: Is there any cost delta for moving to a non-isolated virtual machine?

:否A: No

问:其他独立大小将于何时停用?Q: When are the other isolated sizes going to retire?

:我们将提前 12 个月进行提醒,以防官方弃用孤立的大小。A: We will provide reminders 12 months in advance of the official deprecation of the isolated size.

问:我是依赖于白银或黄金耐久性层级的 Azure Service Fabric 客户。Q: I'm an Azure Service Fabric Customer relying on the Silver or Gold Durability Tiers. 此更改是否会影响我?Does this change impact me?

:否。A: No. Service Fabric 的耐久性层级提供的保证即使在此更改发生后也将继续履行。The guarantees provided by Service Fabric's Durability Tiers will continue to function even after this change. 如果你出于其他原因而需要物理硬件隔离,可能仍需采取上述措施之一。If you require physical hardware isolation for other reasons, you may still need to take one of the actions described above.

专用主机Dedicated hosts

除了前面部分所述的独立主机以外,Azure 还提供了专用主机。In addition to the isolated hosts described in the preceding section, Azure also offers dedicated hosts. Azure 中的专用主机是一项服务,它提供能够承载一个或多个虚拟机的物理服务器,专用于单个 Azure 订阅。Dedicated hosts in Azure is a service that provides physical servers that can host one or more virtual machines, and which are dedicated to a single Azure subscription. 专用主机在物理服务器级别提供硬件隔离。Dedicated hosts provide hardware isolation at the physical server level. 不会在你的主机上放置任何其他 VM。No other VMs will be placed on your hosts. 专用主机部署在相同的数据中心,与其他非隔离主机共享相同的网络和底层存储基础结构。Dedicated hosts are deployed in the same datacenters and share the same network and underlying storage infrastructure as other, non-isolated hosts. 有关详细信息,请参阅 Azure 专用主机的详细概述。For more information, see the detailed overview of Azure dedicated hosts.

根 VM 和来宾 VM 之间的 Hyper-V 和根 OS 隔离Hyper-V & Root OS Isolation Between Root VM & Guest VMs

Azure 的计算平台以计算机虚拟化为基础,这意味着所有客户代码都在 Hyper-V 虚拟机中执行。Azure’s compute platform is based on machine virtualization—meaning that all customer code executes in a Hyper-V virtual machine. 在每个 Azure 节点(或网络终结点)上,都有一个虚拟机监控程序在硬件上直接运行,并将节点分为数目不定的来宾虚拟机 (VM)。On each Azure node (or network endpoint), there is a Hypervisor that runs directly over the hardware and divides a node into a variable number of Guest Virtual Machines (VMs).

根 VM 和来宾 VM 之间的 Hyper-V 和根 OS 隔离

每个节点还有一个特殊的根 VM,用于运行主机 OS。Each node also has one special Root VM, which runs the Host OS. 关键边界由虚拟机监控程序和根 OS 管理,用于将根 VM 与来宾 VM 隔离,以及将各来宾 VM 彼此隔离。A critical boundary is the isolation of the root VM from the guest VMs and the guest VMs from one another, managed by the hypervisor and the root OS. 虚拟机监控程序/根 OS 配对充分利用 Microsoft 在操作系统安全性方面的数十年经验以及来自 Hyper-V 的最新信息,实现了各来宾 VM 之间的强大隔离。The hypervisor/root OS pairing leverages Microsoft's decades of operating system security experience, and more recent learning from Microsoft's Hyper-V, to provide strong isolation of guest VMs.

Azure 平台使用虚拟化的环境。The Azure platform uses a virtualized environment. 用户实例作为无法访问物理主机服务器的独立虚拟机运行。User instances operate as standalone virtual machines that do not have access to a physical host server.

Azure 的虚拟机监控程序相当于微内核,可将所有硬件访问请求从来宾虚拟机传递到主机,以便使用名为 VMBus 的共享内存界面进行处理。The Azure hypervisor acts like a micro-kernel and passes all hardware access requests from guest virtual machines to the host for processing by using a shared-memory interface called VMBus. 这样可以防止用户获取对系统的原始读取/写入/执行访问权限,减轻共享系统资源的风险。This prevents users from obtaining raw read/write/execute access to the system and mitigates the risk of sharing system resources.

高级 VM 布局算法和侧信道攻击防护Advanced VM placement algorithm & protection from side channel attacks

任何跨 VM 攻击都包括两个步骤:在同一主机上放置一个攻击者控制的 VM 作为牺牲品 VM 之一,并破坏隔离边界以窃取敏感的牺牲品信息,或者故意或因贪婪影响其性能。Any cross-VM attack involves two steps: placing an adversary-controlled VM on the same host as one of the victim VMs, and then breaching the isolation boundary to either steal sensitive victim information or affect its performance for greed or vandalism. Azure 通过使用高级 VM 布局算法同时针对这两个步骤提供保护,并防止所有已知的侧信道攻击(包括干扰性邻居 VM)。Azure provides protection at both steps by using an advanced VM placement algorithm and protection from all known side channel attacks including noisy neighbor VMs.

Azure 结构控制器The Azure Fabric Controller

Azure 结构控制器负责将基础结构资源分配到租户工作负荷,并管理从主机到虚拟机的单向通信。The Azure Fabric Controller is responsible for allocating infrastructure resources to tenant workloads, and it manages unidirectional communications from the host to virtual machines. Azure 结构控制器的 VM 布局算法高度复杂,并且作为物理主机级别几乎不可能预测。The VM placing algorithm of the Azure fabric controller is highly sophisticated and nearly impossible to predict as physical host level.

Azure 结构控制器

Azure 虚拟机监控程序会在虚拟机之间强制实施内存和流程的隔离,并通过安全方式将网络流量路由到来宾 OS 租户。The Azure hypervisor enforces memory and process separation between virtual machines, and it securely routes network traffic to guest OS tenants. 这样可以避免 VM 级别的侧信道攻击。This eliminates possibility of and side channel attack at VM level.

在 Azure 中,根 VM 是特殊的:它运行称为根 OS 的强化操作系统,并托管了结构代理 (FA) 。In Azure, the root VM is special: it runs a hardened operating system called the root OS that hosts a fabric agent (FA). 而 FA 又用于管理客户 VM 上来宾操作系统内的来宾代理 (GA)。FAs are used in turn to manage guest agents (GA) within guest operating systems on customer VMs. FA 还可管理存储节点。FAs also manage storage nodes.

Azure 虚拟机监控程序、根 OS/FA 和客户 VM/GA 的集合包含一个计算节点。The collection of Azure hypervisor, root OS/FA, and customer VMs/GAs comprises a compute node. FA 由结构控制器 (FC) 托管,位于计算节点和存储节点外部(计算和存储群集由单独的 FC 托管)。FAs are managed by a fabric controller (FC), which exists outside of compute and storage nodes (compute and storage clusters are managed by separate FCs). 如果客户在运行应用程序的同时更新其配置文件,FC 将与 FA 进行通信,然后 FA 将联系 GA,通知应用程序配置已更改。If a customer updates their application’s configuration file while it’s running, the FC communicates with the FA, which then contacts GAs, which notify the application of the configuration change. 出现硬件故障时,FC 会自动查找可用硬件并在该处重启 VM。In the event of a hardware failure, the FC will automatically find available hardware and restart the VM there.

Azure 结构控制器

结构控制器到代理的通信是单向的。Communication from a Fabric Controller to an agent is unidirectional. 代理实施受 SSL 保护的服务,仅响应来自控制器的请求。The agent implements an SSL-protected service that only responds to requests from the controller. 它不能发起与控制器或其他特权内部节点的连接。It cannot initiate connections to the controller or other privileged internal nodes. FC 将处理所有响应,就像是它们不受信任一样。The FC treats all responses as if they were untrusted.


扩展了根 VM 与来宾 VM,以及来宾 VM 之间的隔离。Isolation extends from the Root VM from Guest VMs, and the Guest VMs from one another. 计算节点也独立于存储阶段,可增强保护。Compute nodes are also isolated from storage nodes for increased protection.

虚拟机监控程序和主机 OS 提供了网络数据包筛选器,可帮助确保不受信任的虚拟机无法产生欺骗性流量或接收并非发送给它们的流量,也无法将流量定向到受保护的基础结构终结点,或发送/接收不适当的广播流量。The hypervisor and the host OS provide network packet - filters to help assure that untrusted virtual machines cannot generate spoofed traffic or receive traffic not addressed to them, direct traffic to protected infrastructure endpoints, or send/receive inappropriate broadcast traffic.

结构控制器代理为隔离 VM 而配置的其他规则Additional Rules Configured by Fabric Controller Agent to Isolate VM

默认情况下,在创建虚拟机时,会阻止所有流量,结构控制器代理会配置数据包筛选器,添加规则和例外以允许经授权的流量。By default, all traffic is blocked when a virtual machine is created, and then the fabric controller agent configures the packet filter to add rules and exceptions to allow authorized traffic.

进行编程的规则有两类:There are two categories of rules that are programmed:

  • 计算机配置或基础结构规则: 默认情况下,将阻止所有通信。Machine configuration or infrastructure rules: By default, all communication is blocked. 在例外情况下,可以允许虚拟机发送和接收 DHCP 和 DNS 流量。There are exceptions to allow a virtual machine to send and receive DHCP and DNS traffic. 虚拟机还可以将流量发送到“公共”Internet 以及同一 Azure 虚拟网络和 OS 激活服务器内的其他虚拟机。Virtual machines can also send traffic to the “public” internet and send traffic to other virtual machines within the same Azure Virtual Network and the OS activation server. 虚拟机的传出目标允许列表不包括 Azure 路由器子网、Azure 管理以及其他 Microsoft 属性。The virtual machines’ list of allowed outgoing destinations does not include Azure router subnets, Azure management, and other Microsoft properties.
  • 角色配置文件: 根据租户的服务模型定义入站访问控制列表 (ACL)。Role configuration file: This defines the inbound Access Control Lists (ACLs) based on the tenant's service model.

VLAN 隔离VLAN Isolation

每个群集中有三个 VLAN:There are three VLANs in each cluster:


  • 主 VLAN - 互连不受信任的客户节点The main VLAN - interconnects untrusted customer nodes
  • FC VLAN - 包含受信任的 FC 及支持系统The FC VLAN - contains trusted FCs and supporting systems
  • 设备 VLAN - 包含受信任的网络和其他基础结构设备The device VLAN - contains trusted network and other infrastructure devices

允许从 FC VLAN 到主 VLAN 的通信,但不能启动从主 VLAN 到 FC VLAN 的通信。Communication is permitted from the FC VLAN to the main VLAN, but cannot be initiated from the main VLAN to the FC VLAN. 还会阻止从主 VLAN 到设备 VLAN 的通信。Communication is also blocked from the main VLAN to the device VLAN. 这可确保即使运行客户代码的节点遭到破坏, FC 或设备 VLAN 上的节点也不会受到攻击。This assures that even if a node running customer code is compromised, it cannot attack nodes on either the FC or device VLANs.

存储隔离Storage Isolation

计算和存储之间的逻辑隔离Logical Isolation Between Compute and Storage

Azure 将基于 VM 的计算与存储分隔开,这属于其基本设计。As part of its fundamental design, Azure separates VM-based computation from storage. 这种分隔可实现计算和存储的自主扩展,使提供多租户和隔离变得更简单。This separation enables computation and storage to scale independently, making it easier to provide multi-tenancy and isolation.

因此,Azure 存储在单独的硬件上运行,且没有与 Azure 计算建立网络连接,从逻辑上讲时例外。Therefore, Azure Storage runs on separate hardware with no network connectivity to Azure Compute except logically. 这意味着,创建虚拟磁盘后,不会针对整体容量分配磁盘空间。This means that when a virtual disk is created, disk space is not allocated for its entire capacity. 而是会创建一个表格,用于将虚拟磁盘上的地址映射到物理磁盘上的区域中,且该表最初为空。Instead, a table is created that maps addresses on the virtual disk to areas on the physical disk and that table is initially empty. 客户首次在虚拟磁盘上写入数据时,将分配物理磁盘上的空间,且指向它的指针将位于表中。The first time a customer writes data on the virtual disk, space on the physical disk is allocated, and a pointer to it is placed in the table.

使用存储访问控制的隔离Isolation Using Storage Access control

Azure 存储中的访问控制 具有简单的访问控制模型。Access Control in Azure Storage has a simple access control model. 每个 Azure 订阅都可以创建一个或多个存储帐户。Each Azure subscription can create one or more Storage Accounts. 每个存储帐户都具有一个密钥,用于控制对该存储帐户中所有数据的访问权限。Each Storage Account has a single secret key that is used to control access to all data in that Storage Account.


可以通过 SAS(共享访问签名)令牌来控制 对 Azure 存储数据(包括表)的访问权限,该令牌可授予限定的访问权限。Access to Azure Storage data (including Tables) can be controlled through a SAS (Shared Access Signature) token, which grants scoped access. SAS 是根据查询模板 (URL) 创建的,且使用 SAK(存储帐户密钥)进行签名。The SAS is created through a query template (URL), signed with the SAK (Storage Account Key). 可以将该签名 URL 提供给另一个进程(即委托进程),后者随后可以填充查询的详细信息并发出存储服务请求。That signed URL can be given to another process (that is, delegated), which can then fill in the details of the query and make the request of the storage service. 使用 SAS,可以向客户端授予基于时间的访问权限,无需泄露存储帐户的密钥。A SAS enables you to grant time-based access to clients without revealing the storage account’s secret key.

使用 SAS,意味着可以授权客户端在指定时间段内,以一组指定权限有限访问存储帐户中的对象。The SAS means that we can grant a client limited permissions, to objects in our storage account for a specified period of time and with a specified set of permissions. 可以授予这些有限的权限,而不必共享帐户访问密钥。We can grant these limited permissions without having to share your account access keys.

IP 级别存储隔离IP Level Storage Isolation

可以为受信任客户端建立防火墙,定义 IP 地址范围。You can establish firewalls and define an IP address range for your trusted clients. 使用 IP 地址范围,只有 IP 地址在定义范围内的客户端才可以连接到 Azure 存储With an IP address range, only clients that have an IP address within the defined range can connect to Azure Storage.

可通过网络机制防止未经授权的用户访问 IP 存储数据,该机制用于分配到 IP 存储的专用流量或专用流量隧道。IP storage data can be protected from unauthorized users via a networking mechanism that is used to allocate a dedicated or dedicated tunnel of traffic to IP storage.


Azure 提供了以下加密类型来保护数据:Azure offers the following types of Encryption to protect data:

  • 传输中加密Encryption in transit
  • 静态加密Encryption at rest

传输中加密Encryption in Transit

传输中加密是通过网络传输数据时用于保护数据的机制。Encryption in transit is a mechanism of protecting data when it is transmitted across networks. 在 Azure 存储中,可以使用以下加密方式来保护数据:With Azure Storage, you can secure data using:

  • 传输级别加密,例如从 Azure 存储传入或传出数据时使用的 HTTPS。Transport-level encryption, such as HTTPS when you transfer data into or out of Azure Storage.
  • 线路加密,例如 Azure 文件共享的 SMB 3.0 加密。Wire encryption, such as SMB 3.0 encryption for Azure File shares.
  • 客户端加密,在将数据传输到存储之前加密数据,以及从存储传出数据后解密数据。Client-side encryption, to encrypt the data before it is transferred into storage and to decrypt the data after it is transferred out of storage.

静态加密Encryption at Rest

对许多组织而言, 静态数据加密 是实现数据隐私性、合规性和数据所有权的必要措施。For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data sovereignty. 有三项 Azure 功能可提供“静态”数据加密:There are three Azure features that provide encryption of data that is “at rest”:

Azure 磁盘加密Azure Disk Encryption

适用于虚拟机 (VM) 的 Azure 磁盘加密通过使用 Azure Key Vault 中控制的密钥和策略加密 VM 磁盘(包括引导磁盘和数据磁盘),帮助解决企业的安全和符合性要求。Azure Disk Encryption for virtual machines (VMs) helps you address organizational security and compliance requirements by encrypting your VM disks (including boot and data disks) with keys and policies you control in Azure Key Vault.

适用于 Windows 的磁盘加密解决方案基于 Microsoft BitLocker 驱动器加密,而 Linux 解决方案则基于 dm-crypt。The Disk Encryption solution for Windows is based on Microsoft BitLocker Drive Encryption, and the Linux solution is based on dm-crypt.

在 Azure 中启用了 IaaS VM 时,该解决方案支持以下 IaaS VM 方案:The solution supports the following scenarios for IaaS VMs when they are enabled in Azure:

  • 与 Azure Key Vault 集成Integration with Azure Key Vault
  • 标准层 VM:A、D、DS、G 和 GS 等系列 IaaS VMStandard tier VMs: A, D, DS, G, GS, and so forth, series IaaS VMs
  • 在 Windows 和 Linux IaaS VM 上启用加密Enabling encryption on Windows and Linux IaaS VMs
  • 在 Windows IaaS VM 的 OS 和数据驱动器上禁用加密Disabling encryption on OS and data drives for Windows IaaS VMs
  • 在 Linux IaaS VM 的数据驱动器上禁用加密Disabling encryption on data drives for Linux IaaS VMs
  • 在运行 Windows 客户端 OS 的 IaaS VM 上启用加密Enabling encryption on IaaS VMs that are running Windows client OS
  • 在包含安装路径的卷上启用加密Enabling encryption on volumes with mount paths
  • 在使用 mdadm 配置了磁盘条带化 (RAID) 的 Linux VM 上启用加密Enabling encryption on Linux VMs that are configured with disk striping (RAID) by using mdadm
  • 使用 LVM(逻辑卷管理器)对 Linux VM 上的数据磁盘启用加密Enabling encryption on Linux VMs by using LVM(Logical Volume Manager) for data disks
  • 在使用存储空间配置的 Windows VM 上启用加密Enabling encryption on Windows VMs that are configured by using storage spaces
  • 支持所有 Azure 公共区域All Azure public regions are supported

该解决方案不支持版本中的以下方案、功能和技术:The solution does not support the following scenarios, features, and technology in the release:

  • 基本层 IaaS VMBasic tier IaaS VMs
  • 在 Linux IaaS VM 的 OS 驱动器上禁用加密Disabling encryption on an OS drive for Linux IaaS VMs
  • 使用经典 VM 创建方法创建的 IaaS VMIaaS VMs that are created by using the classic VM creation method
  • 与本地密钥管理服务集成Integration with your on-premises Key Management Service
  • Azure 文件(文件共享系统)、网络文件系统 (NFS)、动态卷,以及配置了基于软件的 RAID 系统的 Windows VMAzure Files (shared file system), Network File System (NFS), dynamic volumes, and Windows VMs that are configured with software-based RAID systems

SQL 数据库隔离SQL Database Isolation

SQL 数据库是 Azure 云中的关系数据库服务,它基于市场中领先的 Microsoft SQL Server 引擎,能够处理关键工作负荷。SQL Database is a relational database service in the Azure cloud based on the market-leading Microsoft SQL Server engine and capable of handling mission-critical workloads. SQL 数据库在联网时基于地理位置/区域提供帐户级别的可预测数据隔离,几乎不用人工管理。SQL Database offers predictable data isolation at account level, geography / region based and based on networking— all with near-zero administration.

SQL 数据库应用程序模型SQL Database Application Model

Microsoft SQL 数据库是一项基于云的关系数据库服务,是根据 SQL Server 技术构建的。Microsoft SQL Database is a cloud-based relational database service built on SQL Server technologies. 它提供由 Microsoft 在云端托管的多租户数据库服务,该服务高度可用并且可缩放。It provides a highly available, scalable, multi-tenant database service hosted by Microsoft in cloud.

从应用程序的角度来看,SQL 数据库提供了以下层次结构:每个级别都包含以下一对多的级别。From an application perspective, SQL Database provides the following hierarchy: Each level has one-to-many containment of levels below.

SQL 数据库应用程序模型

帐户和订阅是将计费和管理关联的 Azure 平台概念。The account and subscription are Azure platform concepts to associate billing and management.

逻辑 SQL 服务器和数据库是特定于 SQL 数据库的概念,通过使用 SQL 数据库以及提供的 OData 和 TSQL 接口或者通过 Azure 门户进行管理。Logical SQL servers and databases are SQL Database-specific concepts and are managed by using SQL Database, provided OData and TSQL interfaces or via the Azure portal.

SQL 数据库中的服务器不是物理实例或 VM 实例,而是数据库、共享管理和安全策略的集合,它们存储在所谓的“逻辑主”数据库中。Servers in SQL Database are not physical or VM instances, instead they are collections of databases, sharing management and security policies, which are stored in so called “logical master” database.

SQL 数据库

逻辑主数据库包括:Logical master databases include:

  • 用于连接到服务器的 SQL 登录名SQL logins used to connect to the server
  • 防火墙规则Firewall rules

同一服务器中数据库的计费和使用情况相关信息不保证位于群集中的同一物理实例中,应用程序在连接时必须提供目标数据库名称。Billing and usage-related information for databases from the same server are not guaranteed to be on the same physical instance in the cluster, instead applications must provide the target database name when connecting.

从客户的角度看,服务器是在某个地理区域中创建的,但实际上,服务器是在该区域内的一个群集中创建的。From a customer perspective, a server is created in a geo-graphical region while the actual creation of the server happens in one of the clusters in the region.

通过网络拓扑实现的隔离Isolation through Network Topology

创建服务器并注册其 DNS 名称后,该 DNS 名称指向该服务器所在的特定数据中心内所谓的“网关 VIP”地址。When a server is created and its DNS name is registered, the DNS name points to the so called “Gateway VIP” address in the specific data center where the server was placed.

在 VIP(虚拟 IP 地址)后面,有一个无状态网关服务的集合。Behind the VIP (virtual IP address), we have a collection of stateless gateway services. 通常,多个数据源(主数据库、用户数据库等)之间需要协调时,将涉及到网关。In general, gateways get involved when there is coordination needed between multiple data sources (master database, user database, etc.). 网关服务可实现以下功能:Gateway services implement the following:

  • TDS 连接代理。TDS connection proxying. 这包括查找后端群集中的用户数据库,实现登录序列,并将 TDS 数据包转发到后端并返回。This includes locating user database in the backend cluster, implementing the login sequence and then forwarding the TDS packets to the backend and back.
  • 数据库管理。Database management. 这包括采用工作流集合来执行数据库的创建/更改/删除操作。This includes implementing a collection of workflows to do CREATE/ALTER/DROP database operations. 可通过探查 TDS 数据包或显式 OData API 调用数据库操作。The database operations can be invoked by either sniffing TDS packets or explicit OData APIs.
  • 创建/更改/删除登录/用户操作CREATE/ALTER/DROP login/user operations
  • 通过 OData API 进行的服务器管理操作Server management operations via OData API


网关后面的层称为“后端”。The tier behind the gateways is called “back-end”. 这是以高度可用的方式存储所有数据的位置。This is where all the data is stored in a highly available fashion. 每段数据都被认为属于某个“分区”或“故障转移单元”,并且有至少三个副本。Each piece of data is said to belong to a “partition” or “failover unit”, each of them having at least three replicas. 副本由 SQL Server 引擎存储和复制,并由通常称为“结构”的故障转移系统进行管理。Replicas are stored and replicated by SQL Server engine and managed by a failover system often referred to as “fabric”.

通常,作为安全预防措施,后端系统不会与其他系统进行出站通信。Generally, the back-end system does not communicate outbound to other systems as a security precaution. 这会保留到前端(网关)层中的系统。This is reserved to the systems in the front-end (gateway) tier. 作为深层防御机制,网关层计算机对后端计算机具有有限的特权,可最大限度减少攻击。The gateway tier machines have limited privileges on the back-end machines to minimize the attack surface as a defense-in-depth mechanism.

按计算机功能和访问权限的隔离Isolation by Machine Function and Access

SQL 数据库由针对不同计算机功能运行的服务组成。SQL Database (is composed of services running on different machine functions. 按照流量在后端只进不出的一般原则,SQL 数据库分为“后端”云数据库和“前端”(网关/管理)环境。前端环境可与其他服务外部进行通信,而在后端只有有限的权限(足以调用进行调用所需的入口点)。SQL Database is divided into “backend” Cloud Database and “front-end” (Gateway/Management) environments, with the general principle of traffic only going into back-end and not out. The front-end environment can communicate to the outside world of other services and in general, has only limited permissions in the back-end (enough to call the entry points it needs to invoke).

网络隔离Networking Isolation

Azure 部署具有多层网络隔离。Azure deployment has multiple layers of network isolation. 下图显示了 Azure 提供给客户的各种网络隔离层。The following diagram shows various layers of network isolation Azure provides to customers. 这些层同时属于 Azure 平台本身的本机功能和客户定义的功能。These layers are both native in the Azure platform itself and customer-defined features. 对于来自 Internet 的入站流量,Azure DDoS 提供针对 Azure 的大规模攻击的隔离。Inbound from the Internet, Azure DDoS provides isolation against large-scale attacks against Azure. 下一层隔离是客户定义的公共 IP 地址(终结点),可以根据这些终结点确定哪些流量可以通过云服务进入虚拟网络。The next layer of isolation is customer-defined public IP addresses (endpoints), which are used to determine which traffic can pass through the cloud service to the virtual network. 本机 Azure 虚拟网络隔离可确保与其他所有网络完全隔离,而且流量只能流经用户配置的路径和方法。Native Azure virtual network isolation ensures complete isolation from all other networks, and that traffic only flows through user configured paths and methods. 这些路径和方法就是下一个安全层,在该层中,可以使用 NSG、UDR 和网络虚拟设备来创建隔离边界,以保护受保护网络中的应用程序部署。These paths and methods are the next layer, where NSGs, UDR, and network virtual appliances can be used to create isolation boundaries to protect the application deployments in the protected network.


流量隔离虚拟网络是 Azure 平台上的流量隔离边界。Traffic isolation: A virtual network is the traffic isolation boundary on the Azure platform. 一个虚拟网络中的虚拟机 (VM) 无法与不同虚拟网络中的 VM 直接通信,即使这两个虚拟网络是由同一个客户所创建。Virtual machines (VMs) in one virtual network cannot communicate directly to VMs in a different virtual network, even if both virtual networks are created by the same customer. 隔离是一个非常关键的属性,可确保客户 VM 与通信在虚拟网络中保持私密性。Isolation is a critical property that ensures customer VMs and communication remains private within a virtual network.

子网基于 IP 范围在虚拟网络中提供额外的隔离层。Subnet offers an additional layer of isolation with in virtual network based on IP range. 使用虚拟网络中的 IP 地址,可以将虚拟网络划分成多个子网,以方便进行组织和提高安全性。IP addresses in the virtual network, you can divide a virtual network into multiple subnets for organization and security. 部署到 VNet 的子网(不管是相同的子网还是不同的子网)中的 VM 和 PaaS 角色实例可以互相通信,不需任何额外的配置。VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each other without any extra configuration. 还可以配置网络安全组 (NSG),以便根据 NSG 的访问控制列表 (ACL) 中配置的规则允许或拒绝到某个 VM 实例的网络流量。You can also configure network security group (NSGs) to allow or deny network traffic to a VM instance based on rules configured in access control list (ACL) of NSG. NSG 可以与子网或该子网中的各个 VM 实例相关联。NSGs can be associated with either subnets or individual VM instances within that subnet. 当 NSG 与子网关联时,ACL 规则将应用于该子网中的所有 VM 实例。When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.

后续步骤Next Steps