Best practices for securing PaaS web and mobile applications using Azure App Service

In this article, we discuss a collection of Azure App Service security best practices for securing your PaaS web and mobile applications. These best practices are derived from our experience with Azure and the experiences of customers like yourself.

Azure App Service is a platform-as-a-service (PaaS) offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services. It also includes new capabilities for automating business processes and hosting cloud APIs. As a single integrated service, App Service brings a rich set of capabilities to web, mobile, and integration scenarios.

Authenticate through Azure Active Directory (AD)

App Service provides an OAuth 2.0 service for your identity provider. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, and mobile phones. Azure AD uses OAuth 2.0 to enable you to authorize access to mobile and web applications. To learn more, see Authentication and authorization in Azure App Service.

Restrict access based on role

Restricting access is imperative for organizations that want to enforce security policies for data access. You can use role-based access control (RBAC) to assign permissions to users, groups, and applications at a certain scope, in keeping with the need-to-know and least-privilege security principles. To learn more about granting users access to applications, see What is role-based access control.
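The two sections above describe what the platform does for you: App Service authentication validates the Azure AD token, and RBAC limits who may do what. What remains for the application is to consume the verified identity and enforce least privilege on its own routes. The following is an added example, not code from the Azure documentation. It assumes App Service built-in authentication is enabled with Azure AD as the provider, in which case the platform forwards the caller's claims in the X-MS-CLIENT-PRINCIPAL request header as a Base64-encoded JSON document with the fields auth_typ, claims (a list of typ/val pairs), name_typ and role_typ. The application ID, claim values and role name are constructed for the example.

```python
"""Consuming the identity that App Service authentication forwards to the app.

Added example; not code from the Azure documentation. Assumes App Service
built-in authentication is enabled with Azure AD as the provider, so the
platform has already validated the OAuth 2.0 / OpenID Connect token and
forwards the caller's claims in X-MS-CLIENT-PRINCIPAL (Base64-encoded JSON:
{"auth_typ", "claims": [{"typ", "val"}, ...], "name_typ", "role_typ"}).
"""
import base64
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed application (client) ID that this app expects in the 'aud' claim.
EXPECTED_AUDIENCE = "00000000-0000-0000-0000-00000000aaaa"

# Constructed sample of the principal document. Claim type names vary with the
# token version, which is why the code reads name_typ/role_typ from the
# document instead of hardcoding them.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "claims": [
        {"typ": "aud", "val": EXPECTED_AUDIENCE},
        {"typ": "iss", "val": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"},
        {"typ": "name", "val": "Alice Example"},
        {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier",
         "val": "22222222-2222-2222-2222-222222222222"},
        {"typ": "roles", "val": "Reports.Read"},
    ],
    "name_typ": "name",
    "role_typ": "roles",
}


class AuthError(Exception):
    """Raised when the request carries no usable platform-verified identity."""


@dataclass(frozen=True)
class Principal:
    name: str
    object_id: str
    roles: FrozenSet[str]


def encode_principal(doc: dict) -> str:
    """Build the header value the way the platform does (used to exercise the parser)."""
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def parse_client_principal(header_value: Optional[str],
                           expected_audience: str = EXPECTED_AUDIENCE) -> Principal:
    """Decode X-MS-CLIENT-PRINCIPAL and apply the checks the app still owns."""
    if not header_value:
        # With platform auth enabled this is an anonymous request that was let
        # through; with it disabled the header is absent on every request.
        raise AuthError("no X-MS-CLIENT-PRINCIPAL header: request is not authenticated")
    try:
        padded = header_value + "=" * (-len(header_value) % 4)
        doc = json.loads(base64.b64decode(padded))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both derive from ValueError
        raise AuthError("malformed principal header: %s" % exc)
    if doc.get("auth_typ") != "aad":
        raise AuthError("unexpected identity provider: %r" % doc.get("auth_typ"))

    claims: Dict[str, list] = {}
    for claim in doc.get("claims", []):
        claims.setdefault(claim.get("typ", ""), []).append(claim.get("val", ""))

    # Reject tokens issued for a different application even if the platform
    # accepted them, so a widened allowed-audience setting cannot widen access.
    if expected_audience not in claims.get("aud", []):
        raise AuthError("token audience does not match this application")

    name = claims.get(doc.get("name_typ", "name"), ["<unknown>"])[0]
    oid = (claims.get("oid")
           or claims.get("http://schemas.microsoft.com/identity/claims/objectidentifier")
           or [""])[0]
    roles = frozenset(claims.get(doc.get("role_typ", "roles"), []))
    return Principal(name=name, object_id=oid, roles=roles)


def handle_request(headers: Dict[str, str], required_role: str) -> Tuple[int, str]:
    """Least-privilege gate: authenticate first, then require one specific app role."""
    try:
        who = parse_client_principal(headers.get("X-MS-CLIENT-PRINCIPAL"))
    except AuthError as exc:
        return 401, str(exc)
    if required_role not in who.roles:
        return 403, "%s (%s) lacks role %s" % (who.name, who.object_id, required_role)
    return 200, "hello %s" % who.name


if __name__ == "__main__":
    hdr = encode_principal(SAMPLE_PRINCIPAL)
    print(handle_request({"X-MS-CLIENT-PRINCIPAL": hdr}, "Reports.Read"))   # 200
    print(handle_request({"X-MS-CLIENT-PRINCIPAL": hdr}, "Reports.Write"))  # 403
    print(handle_request({}, "Reports.Read"))                               # 401
```

The header is only meaningful because the platform sets it after validating the token; if built-in authentication is turned off, the application must validate tokens itself instead of reading these headers. Checking the audience and a specific role in the app keeps the blast radius small when the authentication settings are later loosened.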

Protect your keys

It doesn't matter how good your security is if you lose your subscription keys. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. With Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. You can also use Key Vault to manage your TLS certificates with auto-renewal. See What is Azure Key Vault to learn more.
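One way App Service apps consume Key Vault without embedding secrets in configuration is a Key Vault reference in an app setting, which the platform replaces with the secret's value before the app starts. The failure mode worth handling is that when resolution fails (for instance the app's managed identity has not been granted access to the vault), the app receives the literal reference string instead of the secret. The following startup check, an added example that is not code from the Azure documentation, treats such a string as a missing secret rather than passing it on as a credential. The setting names, vault name and values are constructed.

```python
"""Detecting unresolved Key Vault references in App Service app settings.

Added example, not code from the Azure documentation. App Service app settings
may hold a Key Vault reference in one of two forms:
  @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
  @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
On success the platform substitutes the secret; on failure the app sees the
reference string itself. This check refuses to run with such a placeholder.
"""
import os
import re
from typing import Dict, Mapping, Optional

_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^)]*)\)$")


class UnresolvedSecret(Exception):
    """A setting that should hold a secret is absent or still holds a Key Vault reference."""


def parse_keyvault_reference(value: str) -> Optional[Dict[str, str]]:
    """Return the reference's components, or None when value is an ordinary setting."""
    match = _REFERENCE.match(value.strip())
    if match is None:
        return None
    fields = {}
    for part in match.group("body").split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            fields[key.strip()] = val.strip()
    if "SecretUri" in fields:
        return {"form": "uri", "secret_uri": fields["SecretUri"]}
    if "VaultName" in fields and "SecretName" in fields:
        return {"form": "named", "vault": fields["VaultName"],
                "secret": fields["SecretName"],
                "version": fields.get("SecretVersion", "")}
    raise ValueError("unrecognised Key Vault reference syntax: %s" % value)


def load_secret_setting(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read one secret-bearing setting, failing closed if it was never resolved."""
    env = os.environ if env is None else env
    value = env.get(name)
    if value is None:
        raise UnresolvedSecret("app setting %s is not set" % name)
    try:
        ref = parse_keyvault_reference(value)
    except ValueError as exc:
        raise UnresolvedSecret(str(exc))
    if ref is not None:
        # The reference names the vault and secret but is not itself sensitive,
        # so it is safe to include in the error; the resolved value would not be.
        raise UnresolvedSecret(
            "app setting %s still holds an unresolved Key Vault reference (%s); "
            "check the app's managed identity and the vault's access policy" % (name, ref))
    return value


def unresolved_settings(env: Mapping[str, str]) -> Dict[str, Dict[str, str]]:
    """Startup sweep: every setting that still looks like a Key Vault reference."""
    found = {}
    for name, value in env.items():
        try:
            ref = parse_keyvault_reference(value)
        except ValueError:
            ref = {"form": "invalid"}
        if ref is not None:
            found[name] = ref
    return found


if __name__ == "__main__":
    # Constructed environment standing in for the app settings App Service injects.
    demo_env = {
        "DB_PASSWORD": "resolved-value-from-vault",
        "API_KEY": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/apikey/abc123)",
        "LOG_LEVEL": "info",
    }
    print(unresolved_settings(demo_env))   # {'API_KEY': {...}}
```

Run unresolved_settings over the process environment once at startup and fail the deployment health check if it returns anything; a database client handed the literal reference string would otherwise fail later with a confusing authentication error, or worse, log the attempt with the placeholder in it.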

Restrict incoming source IP addresses

App Service Environments has a virtual network integration feature that helps you restrict incoming source IP addresses through network security groups (NSGs). If you are unfamiliar with Azure Virtual Networks (VNETs), this is a capability that allows you to place many of your Azure resources in a non-internet-routable network whose access you control. To learn more, see Integrate your app with an Azure Virtual Network.

For App Service on Windows, you can also restrict IP addresses dynamically by configuring the web.config. For more information, see Dynamic IP Security.
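The NSG and web.config controls above drop unwanted traffic before it reaches application code. An in-app allow-list of the same ranges is a useful second layer, but it has to account for the fact that the App Service front end terminates the client connection, so the peer address the code sees belongs to the platform and the client's address arrives in the X-Forwarded-For header. The following is an added example, not code from the Azure documentation. It assumes the usual reverse-proxy arrangement: the trusted front end appends the client's address (possibly with a source port) to X-Forwarded-For, so only the entry it appended is reliable and any earlier entries were supplied by the client. The allow-listed ranges are constructed from the TEST-NET documentation prefixes.

```python
"""Allow-listing the client source IP behind the App Service front end.

Added example, not code from the Azure documentation. Assumes one trusted
proxy (the App Service front end) appends the real client address to
X-Forwarded-For; entries before that one are client-controlled and ignored.
Allow-listed ranges are constructed TEST-NET prefixes.
"""
import ipaddress
from typing import Mapping, Optional, Tuple

ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
TRUSTED_PROXY_HOPS = 1   # proxies between client and app that append to X-Forwarded-For


def strip_port(entry: str) -> str:
    """Remove a trailing :port from 'v4:port' or '[v6]:port'; bare addresses pass through."""
    entry = entry.strip()
    if entry.startswith("["):                 # bracketed IPv6, with or without port
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:                 # exactly one colon: IPv4 with port
        return entry.split(":", 1)[0]
    return entry                              # bare IPv4 or unbracketed IPv6


def client_ip_from_xff(xff: Optional[str], trusted_hops: int = TRUSTED_PROXY_HOPS) -> Optional[str]:
    """Pick the address appended by the trusted proxy; ignore client-supplied entries."""
    if not xff:
        return None
    entries = [e for e in (p.strip() for p in xff.split(",")) if e]
    if len(entries) < trusted_hops:
        return None
    try:
        # The last `trusted_hops` entries were appended by proxies we trust; the
        # one at -trusted_hops is the address the first trusted proxy saw.
        candidate = strip_port(entries[-trusted_hops])
        return str(ipaddress.ip_address(candidate))
    except ValueError:                        # malformed address or missing ']'
        return None


def is_allowed(ip_text: str, allowed=ALLOWED_SOURCES) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in allowed)


def filter_request(headers: Mapping[str, str], allowed=ALLOWED_SOURCES,
                   trusted_hops: int = TRUSTED_PROXY_HOPS) -> Tuple[int, str]:
    """Fail closed: no trustworthy client address means no access."""
    client = client_ip_from_xff(headers.get("X-Forwarded-For"), trusted_hops)
    if client is None:
        return 403, "no trustworthy client address in request"
    if not is_allowed(client, allowed):
        return 403, "%s is not in the allow-list" % client
    return 200, "%s allowed" % client


if __name__ == "__main__":
    # Constructed requests: a permitted client, a client that forged an
    # allow-listed entry ahead of its real address, and one with no header.
    print(filter_request({"X-Forwarded-For": "203.0.113.9:51234"}))            # 200
    print(filter_request({"X-Forwarded-For": "198.51.100.7, 192.0.2.55:4021"}))  # 403
    print(filter_request({}))                                                  # 403
```

If another trusted proxy sits in front of the App Service front end, raise TRUSTED_PROXY_HOPS to match; taking the first entry in the list instead, as many examples do, lets any client place an allow-listed address there and walk through the check.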

Next steps

This article introduced you to a collection of App Service security best practices for securing your PaaS web and mobile applications. To learn more about securing your PaaS deployments, see: