The Azure production network

The users of the Azure production network include both external customers who access their own Azure applications and internal Azure support personnel who manage the production network. This article discusses the security access methods and protection mechanisms for establishing connections to the Azure production network.

Internet routing and fault tolerance

A globally redundant internal and external Azure Domain Name Service (DNS) infrastructure, combined with multiple primary and secondary DNS server clusters, provides fault tolerance. At the same time, additional Azure network security controls, such as NetScaler, are used to prevent distributed denial of service (DDoS) attacks and protect the integrity of Azure DNS services.

The Azure DNS servers are located at multiple datacenter facilities. The Azure DNS implementation incorporates a hierarchy of secondary and primary DNS servers to publicly resolve Azure customer domain names. The domain names usually resolve to a CloudApp.net address, which wraps the virtual IP (VIP) address for the customer's service. Unique to Azure, the translation of the VIP to the corresponding internal dedicated IP (DIP) address of the tenant is done by the Microsoft load balancers responsible for that VIP.

Azure is hosted in geographically distributed Azure datacenters within the US, and it's built on state-of-the-art routing platforms that implement robust, scalable architectural standards. Among the notable features are:

  • Multiprotocol Label Switching (MPLS)-based traffic engineering, which provides efficient link utilization and graceful degradation of service if there is an outage.
  • Networks are implemented with "need plus one" (N+1) redundancy architectures or better.
  • Externally, datacenters are served by dedicated, high-bandwidth network circuits that redundantly connect properties with over 1,200 internet service providers globally at multiple peering points. This connection provides in excess of 2,000 gigabytes per second (GBps) of edge capacity.

Because Microsoft owns its own network circuits between datacenters, these attributes help the Azure offering achieve 99.9+ percent network availability without the need for traditional third-party internet service providers.

Connection to production network and associated firewalls

The Azure network internet traffic flow policy directs traffic to the Azure production network that's located in the nearest regional datacenter within the US. Because the Azure production datacenters maintain consistent network architecture and hardware, the traffic flow description that follows applies consistently to all datacenters.

After internet traffic for Azure is routed to the nearest datacenter, a connection is established to the access routers. These access routers serve to isolate traffic between Azure nodes and customer-instantiated VMs. Network infrastructure devices at the access and edge locations are the boundary points where ingress and egress filters are applied. These routers are configured through a tiered access-control list (ACL) to filter unwanted network traffic and apply traffic rate limits, if necessary. Traffic that is allowed by ACL is routed to the load balancers. Distribution routers are designed to allow only Microsoft-approved IP addresses, provide anti-spoofing, and establish TCP connections that use ACLs.

External load-balancing devices are located behind the access routers to perform network address translation (NAT) from internet-routable IPs to Azure internal IPs. The devices also route packets to valid production internal IPs and ports, and they act as a protection mechanism to limit exposing the internal production network address space.

By default, Microsoft enforces Hypertext Transfer Protocol Secure (HTTPS) for all traffic that's transmitted to customers' web browsers, including sign-in and all traffic thereafter. The use of TLS v1.2 enables a secure tunnel for traffic to flow through. ACLs on access and core routers ensure that the source of the traffic is consistent with what is expected.

An important distinction in this architecture, when it's compared to traditional security architecture, is that there are no dedicated hardware firewalls, specialized intrusion detection or prevention devices, or other security appliances that are normally expected before connections are made to the Azure production environment. Customers usually expect these hardware firewall devices in the Azure network; however, none are employed within Azure. Almost exclusively, those security features are built into the software that runs the Azure environment to provide robust, multi-layered security mechanisms, including firewall capabilities. Additionally, the scope of the boundary and associated sprawl of critical security devices is easier to manage and inventory, as shown in the preceding illustration, because it is managed by the software that's running Azure.

Core security and firewall features

Azure implements robust software security and firewall features at various levels to enforce security features that are usually expected in a traditional environment to protect the core Security Authorization boundary.

Azure security features

Azure implements host-based software firewalls inside the production network. Several core security and firewall features reside within the core Azure environment. These security features reflect a defense-in-depth strategy within the Azure environment. Customer data in Azure is protected by the following firewalls:

Hypervisor firewall (packet filter): This firewall is implemented in the hypervisor and configured by the fabric controller (FC) agent. This firewall protects the tenant that runs inside the VM from unauthorized access. By default, when a VM is created, all traffic is blocked and then the FC agent adds rules and exceptions in the filter to allow authorized traffic.

Two categories of rules are programmed here:

  • Machine config or infrastructure rules: By default, all communication is blocked. Exceptions exist that allow a VM to send and receive Dynamic Host Configuration Protocol (DHCP) communications and DNS information, and to send traffic outbound to the "public" internet and to other VMs within the FC cluster and the OS Activation server. Because the VMs' allowed list of outgoing destinations does not include Azure router subnets and other Microsoft properties, the rules act as a layer of defense for them.
  • Role configuration file rules: Define the inbound ACLs based on the tenant's service model. For example, if a tenant has a web front end on port 80 on a certain VM, port 80 is opened to all IP addresses. If the VM has a worker role running, the worker role is opened only to the VMs within the same tenant.
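The following Python model is an added illustration of the default-deny filter and the two rule categories described above; it is not Azure's or the fabric controller's code. The address ranges, the `endpoints` service-model summary, and all function names are constructed assumptions, and the OS Activation server exception is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC = "public"             # marker for "any globally routable address"
TENANT_NET = "10.1.0.0/24"    # constructed: DIPs of one tenant's VMs
CLUSTER_NET = "10.1.0.0/16"   # constructed: VMs within the FC cluster
INFRA_SRV = "10.1.255.1/32"   # constructed: DHCP/DNS server
ROUTER_IP = "10.255.0.5"      # constructed: address in a router subnet

@dataclass(frozen=True)
class Rule:
    category: str   # "infrastructure" or "role"
    direction: str  # "in" or "out", seen from the VM
    proto: str
    port: int       # destination port; 0 matches any port
    peer: str       # CIDR of the permitted remote side, or PUBLIC

def matches(rule, direction, proto, port, remote):
    if (rule.direction, rule.proto) != (direction, proto):
        return False
    if rule.port not in (0, port):
        return False
    addr = ipaddress.ip_address(remote)
    if rule.peer == PUBLIC:
        return addr.is_global
    return addr in ipaddress.ip_network(rule.peer)

def build_filter(endpoints):
    """Start from an empty (block-all) filter, then add both rule categories."""
    rules = [  # infrastructure exceptions; replies assumed tracked statefully
        Rule("infrastructure", "out", "udp", 67, INFRA_SRV),   # DHCP
        Rule("infrastructure", "out", "udp", 53, INFRA_SRV),   # DNS
        Rule("infrastructure", "out", "tcp", 0, PUBLIC),       # public internet
        Rule("infrastructure", "out", "tcp", 0, CLUSTER_NET),  # cluster VMs
    ]
    for port, exposure in endpoints:  # hypothetical service-model summary
        peer = "0.0.0.0/0" if exposure == "external" else TENANT_NET
        rules.append(Rule("role", "in", "tcp", port, peer))
    return rules

def evaluate(rules, direction, proto, port, remote):
    """Return the category of the first matching rule, else default deny."""
    for rule in rules:
        if matches(rule, direction, proto, port, remote):
            return "allow:" + rule.category
    return "deny:default"

RULES = build_filter([(80, "external"), (8080, "internal")])
if __name__ == "__main__":
    print(evaluate(RULES, "in", "tcp", 80, "198.51.100.7"))  # web front end
    print(evaluate(RULES, "out", "tcp", 22, ROUTER_IP))      # router subnet
```

Because the outbound allow list names only public and cluster destinations, the router-subnet address falls through to the default deny without needing an explicit block rule.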

Native host firewall: Azure Service Fabric and Azure Storage run on a native OS, which has no hypervisor and, therefore, Windows Firewall is configured with the preceding two sets of rules.

Host firewall: The host firewall protects the host partition, which runs the hypervisor. The rules are programmed to allow only the FC and jump boxes to talk to the host partition on a specific port. The other exceptions are to allow DHCP response and DNS replies. Azure uses a machine configuration file, which contains a template of firewall rules for the host partition. A host firewall exception also exists that allows VMs to communicate to host components, wire server, and metadata server, through specific protocol/ports.

Guest firewall: The Windows Firewall piece of the guest OS, which is configurable by customers on customer VMs and storage.

Additional security features that are built into the Azure capabilities include:

  • Infrastructure components that are assigned IP addresses that are from DIPs. An attacker on the internet cannot address traffic to those addresses because it would not reach Microsoft. Internet gateway routers filter packets that are addressed solely to internal addresses, so they would not enter the production network. The only components that accept traffic that's directed to VIPs are load balancers.

  • Firewalls that are implemented on all internal nodes have three primary security architecture considerations for any given scenario:

    • Firewalls are placed behind the load balancer and accept packets from anywhere. These packets are intended to be externally exposed and would correspond to the open ports in a traditional perimeter firewall.
    • Firewalls accept packets only from a limited set of addresses. This consideration is part of the defense-in-depth strategy against DDoS attacks. Such connections are cryptographically authenticated.
    • Firewalls can be accessed only from select internal nodes. They accept packets only from an enumerated list of source IP addresses, all of which are DIPs within the Azure network. For example, an attack on the corporate network could direct requests to these addresses, but the attacks would be blocked unless the source address of the packet was one in the enumerated list within the Azure network.
      • The access router at the perimeter blocks outbound packets that are addressed to an address that's inside the Azure network because of its configured static routes.

Next steps

To learn more about what Microsoft does to secure the Azure infrastructure, see: