Introduction to Azure security

Overview

We know that security is job one in the cloud, and how important it is that you find accurate and timely information about Azure security. One of the best reasons to use Azure for your applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of customer data, while also enabling transparent accountability.

This article provides a comprehensive look at the security available with Azure.

Azure platform

Azure is a public cloud service platform that supports a broad selection of operating systems, programming languages, frameworks, tools, databases, and devices. It can run Linux containers with Docker integration; build apps with JavaScript, Python, .NET, PHP, Java, and Node.js; and build back-ends for iOS, Android, and Windows devices.

Azure public cloud services support the same technologies millions of developers and IT professionals already rely on and trust. When you build on, or migrate IT assets to, a public cloud service provider, you are relying on that organization's ability to protect your applications and data with the services and controls it provides to manage the security of your cloud-based assets.

Azure's infrastructure is designed, from facility to applications, for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security requirements.

In addition, Azure provides you with a wide array of configurable security options and the ability to control them, so that you can customize security to meet the unique requirements of your organization's deployments. This document helps you understand how Azure security capabilities can help you fulfill these requirements.

Note

The primary focus of this document is on customer-facing controls that you can use to customize and increase security for your applications and services.

Summary of Azure security capabilities

Features to secure the Azure platform

The following features are capabilities you can review to gain assurance that the Azure platform is managed in a secure manner. Links have been provided for further drill-down on how Microsoft addresses customer trust questions in four areas: secure platform, privacy & controls, compliance, and transparency.

Secure Platform
  • Security Development Cycle, internal audits
  • Mandatory security training, background checks
  • Penetration testing, intrusion detection, DDoS, audits & logging
  • State-of-the-art data centers, physical security, secure network
  • Security incident response, shared responsibility

Privacy & Controls
  • Manage your data all the time
  • Control on data location
  • Provide data access on your terms
  • Responding to law enforcement
  • Stringent privacy standards

Compliance
  • Trust Center
  • Common Controls Hub
  • The Cloud Services Due Diligence Checklist
  • Compliance by service, location & industry
  • Review certification for Azure services

Transparency
  • How Microsoft secures customer data in Azure services
  • How Microsoft manages data location in Azure services
  • Who in Microsoft can access your data on what terms
  • How Microsoft secures customer data in Azure services
  • Transparency hub

Features to secure data and applications

Depending on the cloud service model, responsibility for managing the security of the application or service varies. Capabilities are available in the Azure platform to assist you in meeting these responsibilities, both through built-in features and through partner solutions that can be deployed into an Azure subscription.

The built-in capabilities are organized in six functional areas: Operations, Applications, Storage, Networking, Compute, and Identity. Additional detail on the features and capabilities available in the Azure platform in these six areas is provided through summary information.

Operations

This section provides additional information regarding key features in security operations and summary information about these capabilities.

Security and Audit Dashboard

The Security and Audit solution provides a comprehensive view into your organization's IT security posture, with built-in search queries for notable issues that require your attention. The Security and Audit dashboard is the home screen for everything related to security in Azure Monitor logs. It provides high-level insight into the security state of your computers. It also includes the ability to view all events from the past 24 hours, 7 days, or any other custom time frame.

In addition, you can configure Security & Compliance to automatically carry out specific actions when a specific event is detected.

Azure Resource Manager

Azure Resource Manager enables you to work with the resources in your solution as a group. You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use an Azure Resource Manager template for deployment, and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.

Azure Resource Manager template-based deployments help improve the security of solutions deployed in Azure, because standard security control settings can be integrated into standardized template-based deployments. This reduces the risk of security configuration errors that might take place during manual deployments.

Application Insights

Application Insights is an extensible Application Performance Management (APM) service for web developers. With Application Insights, you can monitor your live web applications and automatically detect performance anomalies. It includes powerful analytics tools to help you diagnose issues and to understand what users actually do with your apps. It monitors your application all the time it's running, both during testing and after you've published or deployed it.

Application Insights creates charts and tables that show you, for example, what times of day you get the most users, how responsive the app is, and how well it is served by any external services that it depends on.

If there are crashes, failures, or performance issues, you can search through the telemetry data in detail to diagnose the cause. The service also sends you emails if there are any changes in the availability and performance of your app. Application Insights thus becomes a valuable security tool because it helps with the availability leg of the confidentiality, integrity, and availability security triad.

Azure Monitor

Azure Monitor offers visualization, query, routing, alerting, autoscale, and automation on data both from the Azure infrastructure (Activity Log) and from each individual Azure resource (Diagnostic Logs). You can use Azure Monitor to alert you on security-related events that are generated in Azure logs.

Azure Monitor logs

Azure Monitor logs provides an IT management solution for both on-premises and third-party cloud-based infrastructure (such as AWS) in addition to Azure resources. Data from Azure Monitor can be routed directly to Azure Monitor logs, so you can see metrics and logs for your entire environment in one place.

Azure Monitor logs can be a useful tool in forensic and other security analysis, as the tool enables you to quickly search through large amounts of security-related entries with a flexible query approach.

Azure Advisor

Azure Advisor analyzes your resource configuration and usage telemetry. It then recommends solutions to help improve the performance, security, and high availability of your resources while looking for opportunities to reduce your overall Azure spend. Azure Advisor provides security recommendations, which can significantly improve your overall security posture for solutions you deploy in Azure.

Azure Security Center

Security Center helps you prevent, detect, and respond to threats with increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

In addition, Security Center helps with security operations by providing you a single dashboard that surfaces alerts and recommendations that can be acted upon immediately. Often, you can remediate issues with a single click within the Security Center console.

Applications

This section provides additional information regarding key features in application security and summary information about these capabilities.

Web application vulnerability scanning

One of the easiest ways to get started with testing for vulnerabilities on your App Service app is to use the integration with Tinfoil Security to perform one-click vulnerability scanning on your app. You can view the test results in an easy-to-understand report, and learn how to fix each vulnerability with step-by-step instructions.

Penetration testing

If you prefer to perform your own penetration tests or want to use another scanner suite or provider, you must follow the Azure penetration testing approval process and obtain prior approval before performing the desired penetration tests.

Web application firewall

The web application firewall (WAF) in Azure Application Gateway helps protect web applications from common web-based attacks like SQL injection, cross-site scripting attacks, and session hijacking. It comes preconfigured with protection from the threats identified by the Open Web Application Security Project (OWASP) as the top 10 common vulnerabilities.

Authentication and authorization in Azure App Service

App Service Authentication / Authorization is a feature that provides a way for your application to sign in users so that you don't have to change code on the app backend. It provides an easy way to protect your application and work with per-user data.

Layered security architecture

Since App Service Environments provide an isolated runtime environment deployed into an Azure Virtual Network, developers can create a layered security architecture providing differing levels of network access for each application tier. A common desire is to hide API back-ends from general Internet access, and only allow APIs to be called by upstream web apps.

Web server diagnostics and application diagnostics

App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics. Web server diagnostics includes two major advances in diagnosing and troubleshooting sites and applications.

The first new feature is real-time state information about application pools, worker processes, sites, application domains, and running requests. The second new advantage is the detailed trace events that track a request throughout the complete request-and-response process.

To enable the collection of these trace events, IIS 7 can be configured to automatically capture full trace logs, in XML format, for any particular request based on elapsed time or error response codes.

Web server diagnostics

You can enable or disable the following kinds of logs:

  • Detailed Error Logging - Detailed error information for HTTP status codes that indicate a failure (status code 400 or greater). This may contain information that can help determine why the server returned the error code.

  • Failed Request Tracing - Detailed information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. This can be useful if you are attempting to increase site performance or isolate what is causing a specific HTTP error to be returned.

  • Web Server Logging - Information about HTTP transactions using the W3C extended log file format. This is useful when determining overall site metrics such as the number of requests handled or how many requests are from a specific IP address.

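As an added example (not code from the original article or from Microsoft), the following Python script parses W3C extended log lines of the kind web server logging produces and derives the site metrics mentioned above: requests per client IP and how many of those were error responses. The `#Fields:` directive names the columns, so the parser never hard-codes column positions. The log lines are constructed for the example.

```python
"""Parse W3C extended log lines (as emitted by IIS web server logging) and
summarize requests per client IP and error responses.

Added example; the log lines below are constructed, not taken from any
real App Service log."""
from collections import Counter

# Constructed sample: directives begin with '#', the '#Fields:' directive
# names the columns, and every other line is one HTTP transaction.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-01-01 10:00:00 MYAPP GET /index.html - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 12
2023-01-01 10:00:01 MYAPP GET /login - 443 - 203.0.113.10 Mozilla/5.0 200 0 0 8
2023-01-01 10:00:02 MYAPP POST /login - 443 - 203.0.113.10 Mozilla/5.0 401 0 0 5
2023-01-01 10:00:03 MYAPP GET /admin - 443 - 198.51.100.7 curl/7.88 403 0 0 3
2023-01-01 10:00:04 MYAPP GET /api/items - 443 - 198.51.100.7 curl/7.88 500 0 0 120
2023-01-01 10:00:05 MYAPP GET /favicon.ico - 443 - 203.0.113.10 Mozilla/5.0 404 0 0 1
"""


def parse_w3c(text):
    """Yield one dict per transaction, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("record seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def summarize(text):
    """Return (requests per client IP, error responses per client IP)."""
    per_ip = Counter()
    errors_per_ip = Counter()
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        per_ip[ip] += 1
        if int(rec["sc-status"]) >= 400:   # 4xx/5xx: the failures detailed error logging covers
            errors_per_ip[ip] += 1
    return per_ip, errors_per_ip


if __name__ == "__main__":
    total, errors = summarize(SAMPLE_LOG)
    for ip, n in total.most_common():
        print(f"{ip}: {n} requests, {errors[ip]} with status >= 400")
```

Real logs use the same `#Fields:` mechanism, so the parser works unchanged on files whose column set differs from the constructed sample, as long as `c-ip` and `sc-status` are present.
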
Application diagnostics

Application diagnostics allows you to capture information produced by a web application. ASP.NET applications can use the System.Diagnostics.Trace class to log information to the application diagnostics log. In Application Diagnostics, there are two major types of events: those related to application performance and those related to application failures and errors. The failures and errors can be divided further into connectivity, security, and failure issues. Failure issues are typically related to a problem with the application code.

In Application Diagnostics, you can view events grouped in these ways:

  • All (displays all events)
  • Application Errors (displays exception events)
  • Performance (displays performance events)

Storage

This section provides additional information regarding key features in Azure storage security and summary information about these capabilities.

Role-Based Access Control (RBAC)

You can secure your storage account with Role-Based Access Control (RBAC). Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. You can use built-in RBAC roles, such as Storage Account Contributor, to assign privileges to users. Access to the storage keys for a storage account using the Azure Resource Manager model can be controlled through Role-Based Access Control (RBAC).

Shared Access Signature

A shared access signature (SAS) provides delegated access to resources in your storage account. With a SAS, you can grant a client limited access to objects in your storage account for a specified period and with a specified set of permissions. You can grant these limited permissions without having to share your account access keys.

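The following Python model, added here as an example and not Azure's own implementation, shows why a SAS lets you delegate access without handing out the account key: the issuer signs the permissions, expiry and resource with an HMAC keyed by the account key, and the service recomputes that signature before honouring the token. The string-to-sign is deliberately simplified (Azure signs more fields, such as start time, protocol and service version), and the account key and resource names are constructed.

```python
"""Simplified model of how a shared access signature delegates access
without revealing the account key.

Added example; this is not Azure's exact string-to-sign format, and the
key and resource names are constructed."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Constructed account key (Azure keys are base64 strings; this one is made up).
ACCOUNT_KEY = base64.b64encode(b"constructed-account-key-not-real").decode()


def _string_to_sign(permissions, expiry, resource):
    # Simplified: a real Azure SAS also signs start time, version, protocol, IP range...
    return "\n".join([permissions, str(expiry), resource])


def _sign(key_b64, data):
    key = base64.b64decode(key_b64)
    mac = hmac.new(key, data.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_sas(key_b64, resource, permissions, ttl_seconds, now=None):
    """Issuer side: build a query string granting `permissions` on `resource`
    until now + ttl. The key itself never leaves the issuer."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    sig = _sign(key_b64, _string_to_sign(permissions, expiry, resource))
    return urlencode({"sp": permissions, "se": expiry, "sr": resource, "sig": sig})


def verify_sas(key_b64, sas_query, resource, wanted_permission, now=None):
    """Service side: recompute the signature from the claimed fields and
    accept only if it matches, is unexpired, and covers the requested operation."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    try:
        permissions, expiry = q["sp"], int(q["se"])
        signed_resource, sig = q["sr"], q["sig"]
    except (KeyError, ValueError):
        return False
    expected = _sign(key_b64, _string_to_sign(permissions, expiry, signed_resource))
    if not hmac.compare_digest(expected, sig):
        return False          # fields were tampered with, or a different key signed them
    if signed_resource != resource:
        return False          # token was issued for another object
    if now >= expiry:
        return False          # expired
    return wanted_permission in permissions


if __name__ == "__main__":
    token = issue_sas(ACCOUNT_KEY, "/container/blob.txt", "r", ttl_seconds=3600)
    print(token)
    print("read allowed:", verify_sas(ACCOUNT_KEY, token, "/container/blob.txt", "r"))
    print("write allowed:", verify_sas(ACCOUNT_KEY, token, "/container/blob.txt", "w"))
```

The constant-time comparison (`hmac.compare_digest`) and the explicit expiry check are the two details worth copying into any service that validates its own delegated tokens; a client that edits `sp=r` into `sp=rw` simply fails signature verification.
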
Encryption in transit

Encryption in transit is a mechanism for protecting data when it is transmitted across networks. With Azure Storage, you can secure data using:

Encryption at rest

For many organizations, data encryption at rest is a mandatory step towards data privacy, compliance, and data sovereignty. There are three Azure Storage security features that provide encryption of data that is "at rest":

Storage Analytics

Azure Storage Analytics performs logging and provides metrics data for a storage account. You can use this data to trace requests, analyze usage trends, and diagnose issues with your storage account. Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis. The following types of authenticated requests are logged:

  • Successful requests.

  • Failed requests, including timeout, throttling, network, authorization, and other errors.

  • Requests using a Shared Access Signature (SAS), including failed and successful requests.

  • Requests to analytics data.

Enabling browser-based clients using CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that allows domains to give each other permission to access each other's resources. The user agent sends extra headers to ensure that the JavaScript code loaded from a certain domain is allowed to access resources located at another domain. The latter domain then replies with extra headers allowing or denying the original domain access to its resources.

Azure storage services now support CORS, so that once you set the CORS rules for the service, a properly authenticated request made against the service from a different domain is evaluated to determine whether it is allowed according to the rules you have specified.

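To make the rule evaluation described above concrete, here is an added Python example (not Azure's code) that evaluates a browser preflight request against a list of storage-style CORS rules. The rule fields mirror the names Azure Storage uses for a CORS rule (allowed origins, allowed methods, allowed headers, exposed headers, max age); the matching order, first rule whose origin, method and request headers all match, is an assumption of this model, and the rule set is constructed.

```python
"""Evaluate a CORS preflight against storage-style CORS rules.

Added example, not Azure's own implementation. Field names mirror Azure
Storage CORS rules; the "first fully matching rule wins" order and the
sample rule set are assumptions made here."""
from dataclasses import dataclass, field


@dataclass
class CorsRule:
    allowed_origins: list
    allowed_methods: list
    allowed_headers: list = field(default_factory=list)
    exposed_headers: list = field(default_factory=list)
    max_age_in_seconds: int = 0


def _origin_allowed(rule, origin):
    if "*" in rule.allowed_origins:
        return True
    return origin.lower() in (o.lower() for o in rule.allowed_origins)


def _header_allowed(rule, header):
    h = header.lower()
    for allowed in rule.allowed_headers:
        a = allowed.lower()
        if a == "*" or a == h:
            return True
        if a.endswith("*") and h.startswith(a[:-1]):   # prefix wildcard, e.g. x-ms-meta-*
            return True
    return False


def evaluate_preflight(rules, origin, method, request_headers=()):
    """Return the CORS response headers for an allowed preflight, or None
    when no rule permits the cross-origin request (the browser then blocks it)."""
    for rule in rules:
        if not _origin_allowed(rule, origin):
            continue
        if method.upper() not in (m.upper() for m in rule.allowed_methods):
            continue
        if not all(_header_allowed(rule, h) for h in request_headers):
            continue
        headers = {
            "Access-Control-Allow-Origin": "*" if "*" in rule.allowed_origins else origin,
            "Access-Control-Allow-Methods": method.upper(),
            "Access-Control-Max-Age": str(rule.max_age_in_seconds),
        }
        if request_headers:
            headers["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule.exposed_headers:
            headers["Access-Control-Expose-Headers"] = ", ".join(rule.exposed_headers)
        return headers
    return None


# Constructed rule set: only the company web app may read blobs cross-origin,
# and it may send x-ms-meta-* and content-type headers; nothing else is allowed.
RULES = [
    CorsRule(allowed_origins=["https://app.example.com"],
             allowed_methods=["GET", "HEAD"],
             allowed_headers=["x-ms-meta-*", "content-type"],
             exposed_headers=["x-ms-request-id"],
             max_age_in_seconds=600),
]

if __name__ == "__main__":
    print(evaluate_preflight(RULES, "https://app.example.com", "GET", ["x-ms-meta-owner"]))
    print(evaluate_preflight(RULES, "https://other.example.net", "GET"))
```

Keeping the origin list explicit rather than `*` is the setting that matters: with a wildcard origin, any site a user visits could issue authenticated cross-origin reads against the account.
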
Networking

This section provides additional information regarding key features in Azure network security and summary information about these capabilities.

Network layer controls

Network access control is the act of limiting connectivity to and from specific devices or subnets, and it represents the core of network security. The goal of network access control is to make sure that your virtual machines and services are accessible only to the users and devices to which you want them accessible.

Network Security Groups

A Network Security Group (NSG) is a basic stateful packet filtering firewall, and it enables you to control access based on a 5-tuple. NSGs do not provide application layer inspection or authenticated access controls. They can be used to control traffic moving between subnets within an Azure Virtual Network and traffic between an Azure Virtual Network and the Internet.

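The 5-tuple evaluation is easiest to see in code. The following Python model is an added example (not Azure's implementation): rules are tried in ascending priority order and the first rule whose source address, source port, destination address, destination port and protocol all match decides the packet. The default rules carry the highest priority numbers, so anything no custom rule matches falls through to DenyAllInBound. The VirtualNetwork service tag is approximated by the VNet's CIDR, the custom rules and packets are constructed, and the stateful part (return traffic for an allowed flow) is not modelled.

```python
"""Model of how a network security group evaluates an inbound packet.

Added example; the VNet CIDR, custom rules and packets are constructed, the
VirtualNetwork tag is approximated by that CIDR, and connection state is not
modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number = evaluated first
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp" or "*"
    source: str              # CIDR or "*"
    source_port: str         # port, "lo-hi" range or "*"
    destination: str
    dest_port: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_match(pattern, ip):
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-"))
        return lo <= port <= hi
    return int(pattern) == port


def _proto_match(pattern, proto):
    return pattern == "*" or pattern.lower() == proto.lower()


# Default inbound rules every NSG carries. 168.63.129.16 is the Azure platform
# address used for load balancer health probes; VNET stands in for the
# VirtualNetwork service tag (an assumption of this model).
VNET = "10.0.0.0/16"
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, "*", VNET, "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "168.63.129.16/32", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]


def evaluate(rules, pkt):
    """Return (access, rule name) of the first rule, by priority, matching the 5-tuple."""
    for r in sorted(rules + DEFAULT_RULES, key=lambda rule: rule.priority):
        if (_proto_match(r.protocol, pkt.protocol)
                and _addr_match(r.source, pkt.src_ip)
                and _port_match(r.source_port, pkt.src_port)
                and _addr_match(r.destination, pkt.dst_ip)
                and _port_match(r.dest_port, pkt.dst_port)):
            return r.access, r.name
    raise AssertionError("DenyAllInBound always matches")


# Constructed custom rules for a web subnet: HTTPS from anywhere is allowed,
# RDP from anywhere is explicitly denied (documenting intent even though the
# default deny would also catch it), and nothing else is opened.
CUSTOM_RULES = [
    Rule("AllowHttpsInBound", 100, "Allow", "Tcp", "*", "*", "*", "443"),
    Rule("DenyRdpInBound", 200, "Deny", "Tcp", "*", "*", "*", "3389"),
]

if __name__ == "__main__":
    for pkt in (Packet("Tcp", "203.0.113.5", 50000, "10.0.1.4", 443),
                Packet("Tcp", "203.0.113.5", 50000, "10.0.1.4", 22),
                Packet("Tcp", "10.0.2.9", 50000, "10.0.1.4", 22)):
        print(pkt, "->", evaluate(CUSTOM_RULES, pkt))
```

Note the last printed case: SSH from another subnet in the same VNet is allowed by AllowVnetInBound even though no custom rule mentions it, which is why segmenting subnets with NSGs requires an explicit deny above priority 65000 rather than relying on the default.
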
Route control and forced tunneling

The ability to control routing behavior on your Azure Virtual Networks is a critical network security and access control capability. For example, if you want to make sure that all traffic to and from your Azure Virtual Network goes through a virtual security appliance, you need to be able to control and customize routing behavior. You can do this by configuring User-Defined Routes in Azure.

User-Defined Routes allow you to customize inbound and outbound paths for traffic moving into and out of individual virtual machines or subnets to ensure the most secure route possible. Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet.

This is different from being able to accept incoming connections and then responding to them. Front-end web servers need to respond to requests from Internet hosts, so Internet-sourced traffic is allowed inbound to these web servers and the web servers can respond.

Forced tunneling is commonly used to force outbound traffic to the Internet to go through on-premises security proxies and firewalls.

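The interplay between system routes, user-defined routes and forced tunneling comes down to route selection, which this added Python example (not Azure's code) models: among the routes whose prefix contains the destination, the longest prefix wins, and on equal prefix length a user-defined route overrides the system route. Forced tunneling is then just a user-defined 0.0.0.0/0 route whose next hop is the virtual network gateway instead of the Internet. The route table is constructed, BGP-learned routes are not modelled, and the appliance address is made up.

```python
"""Route selection for a subnet's effective routes: longest matching prefix
wins; on equal length a user-defined route beats the system route.

Added example; the route table is constructed, BGP routes are not modelled,
and 10.0.100.4 is a made-up appliance address."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str        # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    next_hop_ip: str = ""     # only meaningful for VirtualAppliance
    source: str = "Default"   # "Default" (system route) or "User" (user-defined route)


SOURCE_RANK = {"User": 0, "Default": 1}   # lower wins when prefix lengths tie


def select_route(routes, dst_ip):
    """Return the Route Azure would apply to a packet for dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -SOURCE_RANK[r.source])
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


# System routes Azure creates for a VNet, plus two user-defined routes:
#   * forced tunneling: 0.0.0.0/0 to the VPN gateway, so Internet-bound traffic
#     leaves through on-premises proxies and firewalls rather than directly;
#   * a DMZ subnet reached only through a virtual security appliance.
ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork"),
    Route("0.0.0.0/0", "Internet"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", source="User"),
    Route("10.0.9.0/24", "VirtualAppliance", next_hop_ip="10.0.100.4", source="User"),
]


def next_hop_for(dst_ip, routes=ROUTES):
    """Convenience wrapper returning the next hop type as a string."""
    r = select_route(routes, dst_ip)
    return r.next_hop_type if r else "None"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.1.4", "10.0.9.20"):
        print(dst, "->", next_hop_for(dst))
```

Removing the user-defined 0.0.0.0/0 route is all it takes for outbound traffic to fall back to the system Internet route, so route tables deserve the same change control as NSGs.
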
Virtual network security appliances

While Network Security Groups, User-Defined Routes, and forced tunneling provide you a level of security at the network and transport layers of the OSI model, there may be times when you want to enable security at higher levels of the stack. You can access these enhanced network security features by using an Azure partner network security appliance solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security."

Azure Virtual Network

An Azure Virtual Network (VNet) is a representation of your own network in the cloud. It is a logical isolation of the Azure network fabric dedicated to your subscription. You can fully control the IP address blocks, DNS settings, security policies, and route tables within this network. You can segment your VNet into subnets and place Azure IaaS virtual machines (VMs) and/or Cloud Services (PaaS role instances) on Azure Virtual Networks.

In essence, you can expand your network to Azure, with complete control of IP address blocks, with the benefit of the enterprise scale Azure provides.

Azure networking supports various secure remote access scenarios. Some of these include:

VPN Gateway

To send network traffic between your Azure Virtual Network and your on-premises site, you must create a VPN gateway for your Azure Virtual Network. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. You can also use VPN gateways to send traffic between Azure Virtual Networks over the Azure network fabric.

ExpressRoute

Microsoft Azure ExpressRoute is a dedicated WAN link that lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider.


With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility.

ExpressRoute connections do not go over the public Internet and thus can be considered more secure than VPN-based solutions. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

Application Gateway

Microsoft Azure Application Gateway provides an Application Delivery Controller (ADC) as a service, offering various layer 7 load balancing capabilities for your application.


It allows you to optimize web farm productivity by offloading CPU-intensive SSL termination to the Application Gateway (also known as "SSL offload" or "SSL bridging"). It also provides other layer 7 routing capabilities, including round-robin distribution of incoming traffic, cookie-based session affinity, URL path-based routing, and the ability to host multiple websites behind a single Application Gateway. Azure Application Gateway is a layer-7 load balancer.

It provides failover and performance-routing of HTTP requests between different servers, whether they are in the cloud or on-premises.

Application Gateway provides many Application Delivery Controller (ADC) features, including HTTP load balancing, cookie-based session affinity, Secure Sockets Layer (SSL) offload, custom health probes, multi-site support, and many others.

Web Application Firewall

Web Application Firewall is a feature of Azure Application Gateway that provides protection to web applications that use Application Gateway for standard Application Delivery Control (ADC) functions. The web application firewall does this by protecting them against most of the OWASP top 10 common web vulnerabilities, including:


  • SQL injection protection

  • Common web attack protection, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attacks

  • Protection against HTTP protocol violations

  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers

  • Prevention against bots, crawlers, and scanners

  • Detection of common application misconfigurations (that is, Apache, IIS, etc.)

A centralized web application firewall to protect against web attacks makes security management much simpler and gives better assurance to the application against the threats of intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location, versus securing each individual web application. Existing application gateways can be converted to an application gateway with web application firewall easily.

流量管理器Traffic Manager

使用 Microsoft Azure 流量管理器,可以控制用户流量在不同数据中心内的服务终结点上的分布。Microsoft Azure Traffic Manager allows you to control the distribution of user traffic for service endpoints in different data centers. 流量管理器支持的服务终结点包括 Azure VM、Web 应用和云服务。Service endpoints supported by Traffic Manager include Azure VMs, Web Apps, and Cloud services. 也可将流量管理器用于外部的非 Azure 终结点。You can also use Traffic Manager with external, non-Azure endpoints. 流量管理器根据流量路由方法和终结点的运行状况,使用域名系统 (DNS) 将客户端请求定向到最合适的终结点。Traffic Manager uses the Domain Name System (DNS) to direct client requests to the most appropriate endpoint based on a traffic-routing method and the health of the endpoints.

流量管理器提供多种流量路由方法来满足不同的应用程序需求、终结点运行状况监视和自动故障转移。Traffic Manager provides a range of traffic-routing methods to suit different application needs, endpoint health monitoring, and automatic failover. 流量管理器能够灵活应对故障,包括整个 Azure 区域的故障。Traffic Manager is resilient to failure, including the failure of an entire Azure region.

Azure 负载均衡器Azure Load Balancer

Azure 负载均衡器可提高应用程序的可用性和网络性能。Azure Load Balancer delivers high availability and network performance to your applications. 它是第 4 层(TCP、UDP)类型的负载均衡器,可在负载均衡集中定义的运行状况良好的服务实例之间分配传入流量。It is a Layer 4 (TCP, UDP) load balancer that distributes incoming traffic among healthy instances of services defined in a load-balanced set. 可以将 Azure 负载均衡器配置为:Azure Load Balancer can be configured to:

  • 对传入到虚拟机的 Internet 流量进行负载均衡。Load balance incoming Internet traffic to virtual machines. 此配置称为 面向 Internet 的负载均衡This configuration is known as Internet-facing load balancing.

  • 对虚拟网络中虚拟机之间的流量、云服务中虚拟机之间的流量或本地计算机和跨界虚拟网络中虚拟机之间的流量进行负载均衡。Load balance traffic between virtual machines in a virtual network, between virtual machines in cloud services, or between on-premises computers and virtual machines in a cross-premises virtual network. 此配置称为 负载均衡This configuration is known as internal load balancing.

  • 将外部流量转发到特定的虚拟机Forward external traffic to a specific virtual machine

Internal DNS

You can manage the list of DNS servers used in a VNet in the Management Portal, or in the network configuration file. Customers can add up to 12 DNS servers for each VNet. When specifying DNS servers, it's important to verify that you list the customer's DNS servers in the correct order for the customer's environment. DNS server lists do not work round-robin; the servers are used in the order in which they are specified. If the first DNS server on the list can be reached, the client uses that DNS server regardless of whether it is functioning properly. To change the DNS server order for the customer's virtual network, remove the DNS servers from the list and add them back in the order that the customer wants. DNS supports the availability aspect of the "CIA" security triad.

Azure DNS

The Domain Name System, or DNS, is responsible for translating (or resolving) a website or service name to its IP address. Azure DNS is a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records using the same credentials, APIs, tools, and billing as your other Azure services. DNS supports the availability aspect of the "CIA" security triad.

Azure Monitor logs for NSGs

You can enable the following diagnostic log categories for NSGs:

  • Event: Contains entries recording which NSG rules are applied to VMs and instance roles, based on MAC address. The status of these rules is collected every 60 seconds.

  • Rules counter: Contains entries recording how many times each NSG rule is applied to deny or allow traffic.
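The rules-counter category described above is the one a defender usually reads first: a sudden rise in blocked connections on a deny rule points at scanning against the VM or at an application broken by a new rule. The following is an added example, not code from the Azure documentation: it sums the counter entries per NSG rule across NICs and flags deny rules above a threshold. The record layout is an assumption modelled on the documented schema, and all values are constructed.

```python
import json
from collections import defaultdict

# Constructed sample entries in the shape of NSG "rules counter" diagnostic
# log records (category NetworkSecurityGroupRuleCounter). The field names are
# an assumption modelled on the documented schema; every value is made up.
NSG_RESOURCE = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                "EXAMPLE-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG")


def _record(rule, direction, kind, matched, mac="00-0D-3A-00-00-01"):
    """Build one constructed log line for the samples below."""
    return json.dumps({
        "time": "2024-01-01T10:00:00.000Z",
        "category": "NetworkSecurityGroupRuleCounter",
        "resourceId": NSG_RESOURCE,
        "properties": {"macAddress": mac, "ruleName": rule,
                       "direction": direction, "type": kind,
                       "matchedConnections": matched},
    })


SAMPLE_LOG = "\n".join([
    _record("AllowHTTPS", "In", "allow", 418),
    _record("DenyAllInBound", "In", "block", 1320),
    _record("DenyAllInBound", "In", "block", 985, mac="00-0D-3A-00-00-02"),
    _record("AllowVnetOutBound", "Out", "allow", 52),
    _record("DenyRDPInBound", "In", "block", 7),
])


def summarize_rule_counters(log_text):
    """Sum matchedConnections per (NSG, rule, direction, type) across all
    NICs (MAC addresses) in the log. Returns a dict keyed by that tuple."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue  # skip the "Event" category and anything else
        p = rec["properties"]
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        key = (nsg, p["ruleName"], p["direction"], p["type"])
        totals[key] += int(p["matchedConnections"])
    return dict(totals)


def noisy_deny_rules(totals, threshold):
    """Deny rules whose blocked-connection total exceeds the threshold,
    sorted by rule name, as (ruleName, blocked_connections) pairs."""
    return sorted((key[1], n) for key, n in totals.items()
                  if key[3] == "block" and n > threshold)
```

In practice the threshold is a per-rule baseline learned from a quiet period, and the summary is run over each 60-second collection window rather than the whole log.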

Security Center

Azure Security Center continuously analyzes the security state of your Azure resources against network security best practices. When Security Center identifies potential security vulnerabilities, it creates recommendations that guide you through the process of configuring the controls needed to harden and protect your resources.

Compute

This section provides additional information regarding key features in this area and summary information about these capabilities.

Antimalware & Antivirus

With Azure IaaS, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats. Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems. Microsoft Antimalware can also be deployed using Azure Security Center.

Hardware Security Module

Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault, along with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.

Virtual machine backup

Azure Backup is a solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications that can lead to security issues. With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery

An important part of your organization's business continuity/disaster recovery (BCDR) strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

SQL VM TDE

Transparent data encryption (TDE) and column level encryption (CLE) are SQL Server encryption features. This form of encryption requires customers to manage and store the cryptographic keys they use for encryption.

The Azure Key Vault (AKV) service is designed to improve the security and management of these keys in a secure and highly available location. The SQL Server Connector enables SQL Server to use these keys from Azure Key Vault.

If you are running SQL Server on on-premises machines, there are steps you can follow to access Azure Key Vault from your on-premises SQL Server machine. But for SQL Server in Azure VMs, you can save time by using the Azure Key Vault Integration feature. With a few Azure PowerShell cmdlets to enable this feature, you can automate the configuration necessary for a SQL VM to access your key vault.

VM Disk Encryption

Azure Disk Encryption is a new capability that helps you encrypt your Windows and Linux IaaS virtual machine disks. It applies the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your Key Vault subscription. The solution also ensures that all data on the virtual machine disks is encrypted at rest in your Azure storage.

Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Patch Updates

Patch Updates provide the basis for finding and fixing potential problems and simplify the software update management process, both by reducing the number of software updates you must deploy in your enterprise and by increasing your ability to monitor compliance.

Security policy management and reporting

Security Center helps you prevent, detect, and respond to threats, and provides you with increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Identity and access management

Securing systems, applications, and data begins with identity-based access controls. The identity and access management features built into Microsoft business products and services help protect your organizational and personal information from unauthorized access while making it available to legitimate users whenever and wherever they need it.

Secure Identity

Microsoft uses multiple security practices and technologies across its products and services to manage identity and access.

  • Multi-Factor Authentication requires users to use multiple methods for access, on-premises and in the cloud. It provides strong authentication with a range of easy verification options, while accommodating users with a simple sign-in process.

  • Microsoft Authenticator provides a user-friendly Multi-Factor Authentication experience that works with both Microsoft Azure Active Directory and Microsoft accounts, and includes support for wearables and fingerprint-based approvals.

Secure Apps and data

Azure Active Directory, a comprehensive identity and access management cloud solution, helps secure access to data in applications on site and in the cloud, and simplifies the management of users and groups. It combines core directory services, advanced identity governance, security, and application access management, and makes it easy for developers to build policy-based identity management into their apps. To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions.

Azure Active Directory editions and their features:

Free / Common Features: Directory objects, user/group management (add/update/delete), user-based provisioning, device registration, single sign-on (SSO), self-service password change for cloud users, Connect (sync engine that extends on-premises directories to Azure Active Directory), security/usage reports.

Basic Features: Group-based access management/provisioning, self-service password reset for cloud users, company branding (logon pages/access panel customization), Application Proxy, SLA 99.9%.

Premium P1 Features: Self-service group and app management, self-service application additions, dynamic groups, self-service password reset/change/unlock with on-premises write-back, Multi-Factor Authentication (cloud and on-premises (MFA Server)), MIM CAL + MIM Server, Cloud App Discovery, Connect Health, automatic password rollover for group accounts.

Premium P2 Features: Privileged Identity Management.

Azure Active Directory Join – Windows 10 only related features: Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery, MDM auto-enrollment, self-service BitLocker recovery, additional local administrators on Windows 10 devices via Azure AD Join.

  • Azure Active Directory B2C is a highly available, global identity management service for consumer-facing apps that can scale to hundreds of millions of identities and integrate across mobile and web platforms. Your customers can sign in to all your apps through customizable experiences that use existing social media accounts, or you can create new standalone credentials.

  • Azure Active Directory B2B Collaboration is a secure partner integration solution that supports your cross-company relationships by enabling partners to access your corporate applications and data selectively by using their self-managed identities.

Next Steps

  • Learn how Azure Security Center can help you prevent, detect, and respond to threats with increased visibility and control over the security of your Azure resources.