Azure security technical capabilities

This article provides an introduction to the security services in Azure that help you protect your data, resources, and applications in the cloud and meet the security needs of your business.

Azure platform

Azure is a cloud platform composed of infrastructure and application services, with integrated data services, advanced analytics, and developer tools and services, hosted within Microsoft's public cloud datacenters. Customers use Azure for many different capacities and scenarios, from basic compute, networking, and storage, to mobile and web app services, to full cloud scenarios such as the Internet of Things; it can be used with open source technologies and deployed as a hybrid cloud or hosted within a customer's datacenter. Azure provides cloud technology as building blocks to help companies save costs, innovate quickly, and manage systems proactively. When you build on, or migrate IT assets to, a cloud provider, you are relying on that organization's ability to protect your applications and data with the services and controls it provides to manage the security of your cloud-based assets.

Azure is the only cloud computing provider that offers a secure, consistent application platform and infrastructure-as-a-service for teams to work within their different cloud skillsets and levels of project complexity, with integrated data services and analytics that uncover intelligence from data wherever it exists, across both Microsoft and non-Microsoft platforms, open frameworks, and tools, providing choice for integrating cloud with on-premises as well as deploying Azure cloud services within on-premises datacenters. As part of the Microsoft Trusted Cloud, customers rely on Azure for industry-leading security, reliability, compliance, privacy, and the vast network of people, partners, and processes to support organizations in the cloud.

With Azure, you can:

  • Accelerate innovation with the cloud.

  • Power business decisions and apps with insights.

  • Build freely and deploy anywhere.

  • Protect your business.

Security technical capabilities to fulfil your responsibility

Azure provides services that help you meet your security, privacy, and compliance needs. The following picture helps explain the various Azure services available for you to build a secure and compliant application infrastructure based on industry standards.

Figure: available security technical capabilities (big picture)

Manage and control identity and user access

Azure helps you protect business and personal information by enabling you to manage user identities and credentials and control access.

Azure Active Directory

Microsoft identity and access management solutions help IT protect access to applications and resources across the corporate datacenter and into the cloud, enabling additional levels of validation such as multi-factor authentication and Conditional Access policies. Monitoring suspicious activity through advanced security reporting, auditing, and alerting helps mitigate potential security issues. Azure Active Directory Premium provides single sign-on to thousands of cloud apps and access to web apps you run on-premises.

Security benefits of Azure Active Directory (Azure AD) include the ability to:

  • Create and manage a single identity for each user across your hybrid enterprise, keeping users, groups, and devices in sync.

  • Provide single sign-on access to your applications, including thousands of pre-integrated SaaS apps.

  • Enable application access security by enforcing rules-based Multi-Factor Authentication for both on-premises and cloud applications.

  • Provision secure remote access to on-premises web applications through Azure AD Application Proxy.

The following are core Azure identity management capabilities:

  • Single sign-on

  • Multi-factor authentication

  • Security monitoring, alerts, and machine learning-based reports

  • Consumer identity and access management

  • Device registration

  • Privileged identity management

  • Identity protection

Single sign-on

Single sign-on (SSO) means being able to access all the applications and resources that you need to do business by signing in only once, using a single user account. Once signed in, you can access all the applications you need without being required to authenticate (for example, type a password) a second time.

Many organizations rely upon software as a service (SaaS) applications such as Microsoft 365, Box, and Salesforce for end-user productivity. Historically, IT staff needed to individually create and update user accounts in each SaaS application, and users had to remember a password for each SaaS application.

Azure AD extends on-premises Active Directory into the cloud, enabling users to use their primary organizational account not only to sign in to their domain-joined devices and company resources, but also to all the web and SaaS applications needed for their job.

Not only do users not have to manage multiple sets of usernames and passwords, but application access can also be automatically provisioned or de-provisioned based on organizational groups and their status as an employee. Azure AD introduces security and access governance controls that enable you to centrally manage users' access across SaaS applications.

Multi-factor authentication

Azure AD Multi-Factor Authentication (MFA) is a method of authentication that requires the use of more than one verification method and adds a critical second layer of security to user sign-ins and transactions. MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification options: phone call, text message, mobile app notification or verification code, and third-party OAuth tokens.

Security monitoring, alerts, and machine learning-based reports

Security monitoring, alerts, and machine learning-based reports that identify inconsistent access patterns can help you protect your business. You can use Azure Active Directory's access and usage reports to gain visibility into the integrity and security of your organization's directory. With this information, a directory admin can better determine where possible security risks may lie and plan adequately to mitigate those risks.

In the Azure portal or through the Azure Active Directory portal, reports are categorized in the following ways:

  • Anomaly reports - contain sign-in events that we found to be anomalous. Our goal is to make you aware of such activity and enable you to decide whether an event is suspicious.

  • Integrated application reports - provide insights into how cloud applications are being used in your organization. Azure Active Directory offers integration with thousands of cloud applications.

  • Error reports - indicate errors that may occur when provisioning accounts to external applications.

  • User-specific reports - display device and sign-in activity data for a specific user.

  • Activity logs - contain a record of all audited events within the last 24 hours, last 7 days, or last 30 days, as well as group activity changes and password reset and registration activity.

Consumer identity and access management

Azure Active Directory B2C is a highly available, global identity management service for consumer-facing applications that scales to hundreds of millions of identities. It can be integrated across mobile and web platforms. Your consumers can log on to all your applications through customizable experiences by using their existing social accounts or by creating new credentials.

In the past, application developers who wanted to sign up and sign in consumers to their applications would have written their own code, and they would have used on-premises databases or systems to store usernames and passwords. Azure Active Directory B2C offers your organization a better way to integrate consumer identity management into applications with the help of a secure, standards-based platform and a large set of extensible policies.

When you use Azure Active Directory B2C, your consumers can sign up for your applications by using their existing social accounts or by creating new credentials (email address and password, or username and password).

Privileged identity management

Azure Active Directory (AD) Privileged Identity Management lets you manage, control, and monitor your privileged identities and access to resources in Azure AD as well as other Microsoft online services such as Microsoft 365 or Microsoft Intune.

Sometimes users need to carry out privileged operations in Azure or Microsoft 365 resources, or other SaaS apps. This often means organizations have to give them permanent privileged access in Azure AD. This is a growing security risk for cloud-hosted resources, because organizations can't sufficiently monitor what those users are doing with their admin privileges. Additionally, if a user account with privileged access is compromised, that one breach could affect their overall cloud security. Azure AD Privileged Identity Management helps to address this risk.

Azure AD Privileged Identity Management lets you:

  • See which users are Azure AD admins

  • Enable on-demand, "just in time" administrative access to Microsoft Online Services such as Microsoft 365 and Intune

  • Get reports about administrator access history and changes in administrator assignments

  • Get alerts about access to a privileged role

Secure resource access

Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the Azure Account Center, is the Account Administrator (AA). Subscriptions are a container for billing, but they also act as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify Azure resources in that subscription by using the Azure portal. The default SA of a new subscription is the AA, but the AA can change the SA in the Azure Account Center.

Figure: secured resource access in Azure

Subscriptions also have an association with a directory. The directory defines a set of users. These can be users from the work or school that created the directory, or they can be external users (that is, Microsoft Accounts). Subscriptions are accessible by a subset of those directory users who have been assigned as either Service Administrator (SA) or Co-Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts (formerly Windows Live ID) can be assigned as SA or CA without being present in the directory.

Security-oriented companies should focus on giving employees the exact permissions they need. Too many permissions can expose an account to attackers. Too few permissions mean that employees can't get their work done efficiently. Azure role-based access control (Azure RBAC) helps address this problem by offering fine-grained access management for Azure.

Figure: secured resource access

Using Azure RBAC, you can segregate duties within your team and grant only the amount of access that users need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions. For example, use Azure RBAC to let one employee manage virtual machines in a subscription while another manages SQL databases within the same subscription.

Figure: secured resource access with Azure RBAC
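The segregation-of-duties scenario above (one employee manages VMs, another manages SQL databases), worked through as an added example rather than code from the Azure documentation: a simplified Python model of how Azure RBAC combines role definitions (Actions minus NotActions), scope inheritance, and role assignments into an authorization decision. The role contents are trimmed, illustrative subsets of the built-in Virtual Machine Contributor and SQL DB Contributor roles, and the principal names, subscription placeholder, and scopes are constructed for the example.

```python
# Added example (not from the Azure documentation): a simplified model of how
# Azure RBAC decides whether a principal may perform a management action.
# Assumptions: a role's effective permissions are Actions minus NotActions
# (wildcards use "*"), an assignment at a scope applies to every child scope,
# and access is granted if any assignment permits the action. Deny
# assignments and DataActions are omitted. Role contents below are trimmed,
# illustrative subsets of the built-in roles, not their full definitions.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: List[str]
    not_actions: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str   # e.g. "/subscriptions/<id>/resourceGroups/<rg>"


def _action_match(pattern: str, action: str) -> bool:
    # Azure's "*" spans "/" separators, which is also how fnmatch treats it.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Effective permission = Actions minus NotActions."""
    allowed = any(_action_match(p, action) for p in role.actions)
    excluded = any(_action_match(p, action) for p in role.not_actions)
    return allowed and not excluded


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_authorized(principal: str, action: str, scope: str,
                  assignments: List[RoleAssignment],
                  roles: Dict[str, RoleDefinition]) -> bool:
    """True if any of the principal's assignments covering the scope permits the action."""
    for asg in assignments:
        if asg.principal != principal or not scope_covers(asg.scope, scope):
            continue
        if role_permits(roles[asg.role], action):
            return True
    return False


# Constructed scopes; "sub-placeholder" stands in for a real subscription id.
PROD_RG = "/subscriptions/sub-placeholder/resourceGroups/prod-rg"
VM_SCOPE = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DB_SCOPE = PROD_RG + "/providers/Microsoft.Sql/servers/sql01/databases/orders"
DEV_VM_SCOPE = ("/subscriptions/sub-placeholder/resourceGroups/dev-rg"
                "/providers/Microsoft.Compute/virtualMachines/dev01")

ROLES: Dict[str, RoleDefinition] = {
    "Virtual Machine Contributor": RoleDefinition(
        "Virtual Machine Contributor",
        ["Microsoft.Compute/virtualMachines/*",
         "Microsoft.Network/networkInterfaces/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read"]),
    "SQL DB Contributor": RoleDefinition(
        "SQL DB Contributor",
        ["Microsoft.Sql/servers/databases/*",
         "Microsoft.Sql/servers/read",
         "Microsoft.Resources/subscriptions/resourceGroups/read"],
        # Security-related database settings are carved out via NotActions.
        ["Microsoft.Sql/servers/databases/auditingSettings/*",
         "Microsoft.Sql/servers/databases/securityAlertPolicies/*"]),
}

# Constructed assignments: each person gets one role at the resource group.
ASSIGNMENTS = [
    RoleAssignment("alice", "Virtual Machine Contributor", PROD_RG),
    RoleAssignment("bob", "SQL DB Contributor", PROD_RG),
]


if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Compute/virtualMachines/restart/action", VM_SCOPE),
        ("alice", "Microsoft.Sql/servers/databases/write", DB_SCOPE),
        ("bob", "Microsoft.Sql/servers/databases/write", DB_SCOPE),
        ("bob", "Microsoft.Sql/servers/databases/auditingSettings/write", DB_SCOPE),
        ("alice", "Microsoft.Compute/virtualMachines/restart/action", DEV_VM_SCOPE),
    ]
    for who, action, scope in checks:
        print(who, action, is_authorized(who, action, scope, ASSIGNMENTS, ROLES))
```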

Data security and encryption

One of the keys to data protection in the cloud is accounting for the possible states in which your data may occur, and what controls are available for each state. The Azure data security and encryption best practices are organized around the following data states.

  • At rest: this includes all information storage objects, containers, and types that exist statically on physical media, be it magnetic or optical disk.
  • In transit: when data is being transferred between components, locations, or programs, such as over the network, across a service bus (from on-premises to cloud and vice versa, including hybrid connections such as ExpressRoute), or during an input/output process, it is considered to be in motion.

Encryption at rest

Encryption at rest is discussed in detail in Azure Data Encryption-at-Rest.

Encryption in transit

Protecting data in transit should be an essential part of your data protection strategy. Since data is moving back and forth between many locations, the general recommendation is that you always use SSL/TLS protocols to exchange data across different locations. In some circumstances, you may want to isolate the entire communication channel between your on-premises and cloud infrastructure by using a virtual private network (VPN).

For data moving between your on-premises infrastructure and Azure, you should consider appropriate safeguards such as HTTPS or VPN.

For organizations that need to secure access from multiple workstations located on-premises to Azure, use Azure site-to-site VPN.

For organizations that need to secure access from one workstation located on-premises to Azure, use Point-to-Site VPN.

Larger data sets can be moved over a dedicated high-speed WAN link such as ExpressRoute. If you choose to use ExpressRoute, you can also encrypt the data at the application level using SSL/TLS or other protocols for added protection.

If you are interacting with Azure Storage through the Azure portal, all transactions occur via HTTPS. The Storage REST API over HTTPS can also be used to interact with Azure Storage and Azure SQL Database.

Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.

You can learn more about Azure VPN options by reading the article Planning and design for VPN Gateway.

Secure your application

While Azure is responsible for securing the infrastructure and platform that your application runs on, it is your responsibility to secure your application itself. In other words, you need to develop, deploy, and manage your application code and content in a secure way. Without this, your application code or content can still be vulnerable to threats.

Web application firewall

Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.

Web application firewall is based on rules from the OWASP core rule sets 3.0 or 2.2.9. Web applications are increasingly targets of malicious attacks that exploit commonly known vulnerabilities; SQL injection and cross-site scripting are among the most common. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A centralized web application firewall makes security management much simpler and gives application administrators better assurance against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location instead of securing each individual web application. Existing application gateways can easily be converted to a web application firewall enabled application gateway.

Some of the common web vulnerabilities that web application firewall protects against include:

  • SQL injection protection

  • Cross-site scripting protection

  • Common web attacks protection, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion attacks

  • Protection against HTTP protocol violations

  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers

  • Prevention against bots, crawlers, and scanners

  • Detection of common application misconfigurations (for example, Apache, IIS)

Note

For a more detailed list of rules and their protections, see the following core rule sets:

Azure also provides several easy-to-use features to help secure both inbound and outbound traffic for your app. Azure also helps customers secure their application code through externally provided functionality that scans your web application for vulnerabilities.

Azure App Service uses the same Antimalware solution used by Azure Cloud Services and Virtual Machines. To learn more about this, refer to our Antimalware documentation.

Secure your network

Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.

The Azure network infrastructure enables you to securely connect Azure resources to each other with virtual networks (VNets). A VNet is a representation of your own network in the cloud. A VNet is a logical isolation of the Azure cloud network dedicated to your subscription. You can connect VNets to your on-premises networks.

Figure: secure your network (protect)

If you need basic network-level access control (based on IP address and the TCP or UDP protocols), you can use Network Security Groups. A Network Security Group (NSG) is a basic stateful packet-filtering firewall that lets you control access based on a 5-tuple (source address, source port, destination address, destination port, and protocol).
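The 5-tuple filtering described above, as an added example that is not code from the Azure documentation: a small Python model of how an NSG matches a flow against prioritized rules (lowest priority number first, first match wins), plus a defender check that flags inbound Allow rules exposing RDP or SSH to any source. The rule names, addresses (from documentation ranges), and the omission of the service-tag default rules are assumptions made for this example.

```python
# Added example (not from the Azure documentation): a model of how an Azure
# Network Security Group evaluates a 5-tuple (source IP, source port,
# destination IP, destination port, protocol) against prioritized rules.
# Assumptions: rules are matched in ascending priority order and the first
# match decides; the default AllowVnetInBound/AllowAzureLoadBalancerInBound
# rules (which use service tags) are omitted, only DenyAllInBound is modelled.
# Return traffic of an allowed flow is permitted by NSG state and not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int          # custom rules use 100-4096; lower runs first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR prefix or "*"
    source_port: str       # "443", "1024-65535" or "*"
    destination: str       # CIDR prefix or "*"
    destination_port: str


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule: NsgRule, flow: Flow) -> bool:
    """True when the direction and every field of the 5-tuple fit the rule."""
    return (
        rule.direction == flow.direction
        and (rule.protocol == "*" or rule.protocol.lower() == flow.protocol.lower())
        and _addr_match(rule.source, flow.src_ip)
        and _port_match(rule.source_port, flow.src_port)
        and _addr_match(rule.destination, flow.dst_ip)
        and _port_match(rule.destination_port, flow.dst_port)
    )


def evaluate(rules: Iterable[NsgRule], flow: Flow) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "ImplicitDeny"   # unreachable while DenyAllInBound exists


def exposed_management_ports(rules: Iterable[NsgRule]) -> List[str]:
    """Defender check: inbound Allow rules opening RDP (3389) or SSH (22) to any source."""
    flagged = []
    for rule in rules:
        if rule.direction != "Inbound" or rule.access != "Allow" or rule.source != "*":
            continue
        if rule.protocol.lower() not in ("tcp", "*"):
            continue
        if any(_port_match(rule.destination_port, p) for p in (22, 3389)):
            flagged.append(rule.name)
    return flagged


# Constructed sample rule set; 203.0.113.0/24 is a documentation range.
RULES = [
    NsgRule("Allow-HTTPS-In", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
    NsgRule("Allow-RDP-Admin", 105, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    NsgRule("Deny-RDP-Internet", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Same rule set with one weak rule added, to exercise the defender check.
WEAK_RULES = RULES + [
    NsgRule("Allow-SSH-Any", 200, "Inbound", "Allow", "*", "*", "*", "*", "22"),
]


if __name__ == "__main__":
    flows = [
        Flow("Inbound", "Tcp", "198.51.100.7", 51000, "10.0.0.4", 443),
        Flow("Inbound", "Tcp", "203.0.113.10", 51001, "10.0.0.4", 3389),
        Flow("Inbound", "Tcp", "198.51.100.7", 51002, "10.0.0.4", 3389),
        Flow("Inbound", "Udp", "198.51.100.7", 51003, "10.0.0.4", 53),
    ]
    for f in flows:
        print(f.protocol, f.src_ip, "->", f.dst_port, evaluate(RULES, f))
    print("exposed management ports:", exposed_management_ports(WEAK_RULES))
```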

Azure networking supports the ability to customize the routing behavior for network traffic on your Azure Virtual Networks. You can do this by configuring User-Defined Routes in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet.

Azure supports dedicated WAN link connectivity between your on-premises network and an Azure Virtual Network with ExpressRoute. The link between Azure and your site uses a dedicated connection that does not go over the public Internet. If your Azure application is running in multiple datacenters, you can use Azure Traffic Manager to route requests from users intelligently across instances of the application. You can also route traffic to services not running in Azure if they are accessible from the Internet.

Virtual machine security

Azure Virtual Machines lets you deploy a wide range of computing solutions in an agile way. With support for Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services, you can deploy any workload and any language on nearly any operating system.

With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and Kaspersky to protect your virtual machines from malicious files, adware, and other threats.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Azure Backup is a scalable solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

Ensure compliance: Cloud services due diligence checklist

Microsoft developed the Cloud Services Due Diligence Checklist to help organizations exercise due diligence as they consider a move to the cloud. It provides a structure for an organization of any size and type (private businesses and public-sector organizations, including government at all levels and nonprofits) to identify their own performance, service, data management, and governance objectives and requirements. This allows them to compare the offerings of different cloud service providers, ultimately forming the basis for a cloud service agreement.

The checklist provides a framework that aligns clause-by-clause with a new international standard for cloud service agreements, ISO/IEC 19086. This standard offers a unified set of considerations for organizations to help them make decisions about cloud adoption, and creates a common ground for comparing cloud service offerings.

The checklist promotes a thoroughly vetted move to the cloud, providing structured guidance and a consistent, repeatable approach for choosing a cloud service provider.

Cloud adoption is no longer simply a technology decision. Because checklist requirements touch on every aspect of an organization, they serve to convene all key internal decision-makers (the CIO and CISO as well as legal, risk management, procurement, and compliance professionals). This increases the efficiency of the decision-making process and grounds decisions in sound reasoning, thereby reducing the likelihood of unforeseen roadblocks to adoption.

In addition, the checklist:

  • Exposes key discussion topics for decision-makers at the beginning of the cloud adoption process.

  • Supports thorough business discussions about regulations and the organization's own objectives for privacy, personally identifiable information (PII), and data security.

  • Helps organizations identify any potential issues that could affect a cloud project.

  • Provides a consistent set of questions, with the same terms, definitions, metrics, and deliverables for each provider, to simplify the process of comparing offerings from different cloud service providers.

Azure infrastructure and application security validation

Azure Operational Security refers to the services, controls, and features available to users for protecting their data, applications, and other assets in Azure.

Figure: security validation (detect)

Azure Operational Security is built on a framework that incorporates the knowledge gained through various capabilities that are unique to Microsoft, including the Microsoft Security Development Lifecycle (SDL), the Microsoft Security Response Center program, and deep awareness of the cybersecurity threat landscape.

Azure Monitor

Azure Monitor is the IT management solution for the hybrid cloud. Used alone or to extend your existing System Center deployment, Azure Monitor logs give you the maximum flexibility and control for cloud-based management of your infrastructure.

Figure: Azure Monitor

With Azure Monitor, you can manage any instance in any cloud, including on-premises, Azure, AWS, Windows Server, Linux, VMware, and OpenStack, at a lower cost than competitive solutions. Built for the cloud-first world, Azure Monitor offers a new approach to managing your enterprise that is the fastest, most cost-effective way to meet new business challenges and accommodate new workloads, applications, and cloud environments.

Azure Monitor logs

Azure Monitor logs provide monitoring services by collecting data from managed resources into a central repository. This data could include events, performance data, or custom data provided through the API. Once collected, the data is available for alerting, analysis, and export.

Figure: Azure Monitor logs

This method allows you to consolidate data from a variety of sources, so you can combine data from your Azure services with your existing on-premises environment. It also clearly separates the collection of the data from the action taken on that data, so that all actions are available to all kinds of data.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Security Center analyzes the security state of your Azure resources to identify potential security vulnerabilities. A list of recommendations guides you through the process of configuring the needed controls.

Examples include:

  • Provisioning antimalware to help identify and remove malicious software

  • Configuring network security groups and rules to control traffic to VMs

  • Provisioning web application firewalls to help defend against attacks that target your web applications

  • Deploying missing system updates

  • Addressing OS configurations that do not match the recommended baselines

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls. When threats are detected, a security alert is created. Examples include detection of:

  • Compromised VMs communicating with known malicious IP addresses

  • Advanced malware detected by using Windows error reporting

  • Brute force attacks against VMs

  • Security alerts from integrated antimalware programs and firewalls
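To make the "brute force attacks against VMs" detection above concrete, the following is an added example (not Security Center's own detection logic) of the kind of rule a defender writes over exported logon events: a sliding window per source IP that raises one alert when the number of failed sign-ins within the window reaches a threshold, and flags the alert when a later successful sign-in comes from the same source. The log line format, the sample events, the five-failures-in-five-minutes threshold and the function names are assumptions made for this illustration.

```python
"""Sliding-window brute-force sign-in detection over constructed VM logon events.

Added example, not Azure Security Center's implementation. The event format
("<ISO-8601 UTC time> <source IP> <account> <SUCCESS|FAILURE>") and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry): one VM, three sources.
# 203.0.113.7 sprays several accounts and then succeeds; 198.51.100.4 is a
# user who mistypes a password twice, well below the threshold.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 192.0.2.10 alice SUCCESS
2024-01-15T10:01:00Z 203.0.113.7 administrator FAILURE
2024-01-15T10:01:05Z 203.0.113.7 administrator FAILURE
2024-01-15T10:01:09Z 203.0.113.7 admin FAILURE
2024-01-15T10:01:14Z 203.0.113.7 root FAILURE
2024-01-15T10:01:20Z 203.0.113.7 admin FAILURE
2024-01-15T10:01:27Z 203.0.113.7 admin FAILURE
2024-01-15T10:02:00Z 198.51.100.4 bob FAILURE
2024-01-15T10:02:30Z 203.0.113.7 admin SUCCESS
2024-01-15T10:09:00Z 198.51.100.4 bob FAILURE
2024-01-15T10:10:00Z 198.51.100.4 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, account, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "source_ip": ip,
            "account": account,
            "outcome": outcome,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_brute_force(events, threshold=5, window_minutes=5):
    """Return one alert per source IP with >= threshold failures inside the window.

    The alert keeps the peak number of failures seen in any window, the set of
    accounts targeted, and whether a SUCCESS from the same source followed the
    burst (the case worth treating as a possible compromise, not just noise).
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # source_ip -> failure times still inside the window
    attempted = defaultdict(set)     # source_ip -> accounts that saw a failure
    alerts = {}                      # source_ip -> alert record
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["source_ip"]
        if ev["outcome"] == "FAILURE":
            attempted[ip].add(ev["account"])
            q = recent[ip]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "source_ip": ip,
                    "failures": 0,
                    "accounts": set(),
                    "first_seen": q[0],
                    "last_seen": ev["time"],
                    "success_after": False,
                })
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = set(attempted[ip])
                alert["last_seen"] = ev["time"]
        elif ev["outcome"] == "SUCCESS" and ip in alerts:
            alerts[ip]["success_after"] = True   # burst of failures followed by a success
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

The window is evaluated per source rather than per account, so password spraying across several accounts from one address is still caught; the `success_after` flag is what separates a noisy scanner from a burst that should be escalated to incident response.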

Azure Monitor

Azure Monitor provides pointers to information on specific types of resources. It offers visualization, query, routing, alerting, autoscale, and automation on data from both the Azure infrastructure (Activity Log) and each individual Azure resource (Diagnostic Logs).

Cloud applications are complex, with many moving parts. Monitoring provides data to ensure that your application stays up and running in a healthy state. It also helps you stave off potential problems or troubleshoot past ones.

In addition, you can use monitoring data to gain deep insights about your application. That knowledge can help you improve application performance or maintainability, or automate actions that would otherwise require manual intervention.

Auditing your network security is vital for detecting network vulnerabilities and ensuring compliance with your IT security and regulatory governance model. With Security Group view, you can retrieve the configured network security group and security rules, as well as the effective security rules. With the list of rules applied, you can determine the ports that are open and assess network vulnerability.
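The step from "the effective security rules" to "the ports that are open" is a rule evaluation, and it is easy to get wrong by hand. The following is an added example (not Network Watcher's implementation) that walks a constructed effective inbound rule list the way an NSG does: rules are processed in priority order, lowest number first, the first match decides, and the list ends with the platform default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500). The rule list, the simplified service-tag matching, the probe address 203.0.113.1 (documentation range) and the function names are assumptions for this illustration.

```python
"""Evaluate effective NSG inbound rules to list ports reachable from the Internet.

Added example, not Network Watcher's own code. Assumptions: rules are matched
in ascending priority order and the first match decides; the 'Internet' tag is
approximated as any source outside RFC 1918, loopback and link-local space;
'VirtualNetwork' is approximated as RFC 1918 space; 'AzureLoadBalancer' is the
platform probe address 168.63.129.16.
"""
import ipaddress

# Constructed effective inbound rules, in the shape Security Group view returns.
# Note the deliberate audit finding: the Deny at priority 300 never fires for
# SSH because the Allow at priority 100 (any source) matches first.
EFFECTIVE_INBOUND_RULES = [
    {"priority": 100, "name": "allow-ssh-any", "access": "Allow", "protocol": "Tcp", "source": "*", "dest_ports": "22"},
    {"priority": 110, "name": "allow-rdp-corp", "access": "Allow", "protocol": "Tcp", "source": "10.0.0.0/8", "dest_ports": "3389"},
    {"priority": 200, "name": "allow-https-internet", "access": "Allow", "protocol": "Tcp", "source": "Internet", "dest_ports": "443"},
    {"priority": 300, "name": "deny-ssh-internet", "access": "Deny", "protocol": "Tcp", "source": "Internet", "dest_ports": "22"},
    {"priority": 65000, "name": "AllowVnetInBound", "access": "Allow", "protocol": "*", "source": "VirtualNetwork", "dest_ports": "*"},
    {"priority": 65001, "name": "AllowAzureLoadBalancerInBound", "access": "Allow", "protocol": "*", "source": "AzureLoadBalancer", "dest_ports": "*"},
    {"priority": 65500, "name": "DenyAllInBound", "access": "Deny", "protocol": "*", "source": "*", "dest_ports": "*"},
]

_PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_NON_INTERNET = _PRIVATE + [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16")]


def port_matches(spec, port):
    """Match a destination port spec: '*', '22', '1000-2000', or a comma-separated mix."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def source_matches(spec, src_ip):
    """Match a source spec: '*', a service tag (simplified, see module docstring), or a CIDR."""
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "Internet":
        return not any(ip in net for net in _NON_INTERNET)
    if spec == "VirtualNetwork":
        return any(ip in net for net in _PRIVATE)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return (access, rule name) of the first rule that matches, in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip):
            continue
        if not port_matches(rule["dest_ports"], dst_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "<implicit>"   # unreachable with the default rules present; kept as a safety net


def internet_exposed_ports(rules, ports, src_ip="203.0.113.1"):
    """Map each port reachable from a public source to the rule that allows it."""
    exposed = {}
    for port in ports:
        access, name = evaluate_inbound(rules, src_ip, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    print(internet_exposed_ports(EFFECTIVE_INBOUND_RULES, [22, 80, 443, 3389]))
```

Run against the constructed rules, the audit finds TCP 22 and 443 reachable from the Internet; the finding for port 22 is the rule-ordering mistake the comment points out, and it is the kind of result Security Center surfaces as a network security group recommendation.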

Network Watcher

Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network level in, to, and from Azure. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights into your network in Azure. This service includes packet capture, next hop, IP flow verify, security group view, and NSG flow logs. Scenario-level monitoring provides an end-to-end view of network resources, in contrast to individual network resource monitoring.

Storage Analytics

Storage Analytics can store metrics that include aggregated transaction statistics and capacity data about requests to a storage service. Transactions are reported at both the API operation level and the storage service level, and capacity is reported at the storage service level. Metrics data can be used to analyze storage service usage, diagnose issues with requests made against the storage service, and improve the performance of applications that use a service.

Application Insights

Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms. Use it to monitor your live web application. It automatically detects performance anomalies. It includes powerful analytics tools to help you diagnose issues and understand what users do with your app. It's designed to help you continuously improve performance and usability. It works for apps on a wide variety of platforms, including .NET, Node.js and Java EE, hosted on-premises or in the cloud. It integrates with your DevOps process, and has connection points to various development tools.

It monitors:

  • Request rates, response times, and failure rates - Find out which pages are most popular, at what times of day, and where your users are. See which pages perform best. If your response times and failure rates go up when there are more requests, then perhaps you have a resourcing problem.

  • Dependency rates, response times, and failure rates - Find out whether external services are slowing you down.

  • Exceptions - Analyze the aggregated statistics, or pick specific instances and drill into the stack trace and related requests. Both server and browser exceptions are reported.

  • Page views and load performance - reported by your users' browsers.

  • AJAX calls from web pages - rates, response times, and failure rates.

  • User and session counts.

  • Performance counters from your Windows or Linux server machines, such as CPU, memory, and network usage.

  • Host diagnostics from Docker or Azure.

  • Diagnostic trace logs from your app - so that you can correlate trace events with requests.

  • Custom events and metrics that you write yourself in the client or server code, to track business events such as items sold or games won.

The infrastructure for your application is typically made up of many components - maybe a virtual machine, storage account, and virtual network, or a web app, database, database server, and third-party services. You don't see these components as separate entities; instead, you see them as related and interdependent parts of a single entity. You want to deploy, manage, and monitor them as a group. Azure Resource Manager enables you to work with the resources in your solution as a group.

You can deploy, update, or delete all the resources for your solution in a single, coordinated operation. You use a template for deployment, and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help you manage your resources after deployment.

The benefits of using Resource Manager

Resource Manager provides several benefits:

  • You can deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.

  • You can repeatedly deploy your solution throughout the development lifecycle and have confidence that your resources are deployed in a consistent state.

  • You can manage your infrastructure through declarative templates rather than scripts.

  • You can define the dependencies between resources, so they are deployed in the correct order.

  • You can apply access control to all services in your resource group because Azure role-based access control (Azure RBAC) is natively integrated into the management platform.

  • You can apply tags to resources to logically organize all the resources in your subscription.

  • You can clarify your organization's billing by viewing costs for a group of resources sharing the same tag.

Note

Resource Manager provides a new way to deploy and manage your solutions. If you used the earlier deployment model and want to learn about the changes, see Understanding Resource Manager deployment and classic deployment.

Next steps

Find out more about security by reading some of our in-depth security topics: