Azure Network Security Overview

Microsoft Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the Internet and Azure.

The goal of this article is to make it easier for you to understand what Microsoft Azure has to offer in the area of network security. Here we provide basic explanations for core network security concepts and requirements. We also provide information on what Azure has to offer in each of these areas. There are numerous links to other content that will enable you to get a deeper understanding of the areas in which you're interested.

This Azure Network Security Overview article focuses on the following:

  • Azure networking
  • Network access control
  • Secure remote access and cross-premises connectivity
  • Availability
  • Logging
  • Name resolution
  • DMZ architecture

Azure Networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Network Access Control

Network access control is the act of limiting connectivity to and from specific devices or subnets within an Azure Virtual Network. The goal of network access control is to make sure that your virtual machines and services are accessible only to the users and devices you want to have access. Access controls are based on allow or deny decisions for connections to and from your virtual machine or service.

Azure supports several types of network access control. These include:

  • Network layer control
  • Route control and forced tunneling
  • Virtual network security appliances

Network Layer Control

Any secure deployment requires some measure of network access control. The goal of network access control is to make sure that your virtual machines, and the network services that run on them, can communicate only with the other networked devices they need to communicate with, and that all other connection attempts are blocked.

If you need basic network-level access control (based on IP address and the TCP or UDP protocols), you can use Network Security Groups. A Network Security Group (NSG) is a basic stateful packet filtering firewall that enables you to control access based on a 5-tuple. NSGs do not provide application layer inspection or authenticated access controls.
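As an added example (not code from Microsoft or the Azure documentation), the following Python models how an NSG decides a flow: each rule matches on the 5-tuple (source and destination address, source and destination port, protocol), rules are tried in ascending priority order, and the first match decides. The VNet address space, the custom rules and the flows are constructed; the Internet and VirtualNetwork tags are simplified to "outside the VNet" and "inside the VNet". Azure's default rules (priorities 65000 and up) are included so that the DenyAllInBound backstop is visible.

```python
# Added example: a minimal model of how an NSG evaluates a flow against its rules.
# Illustrative code, not Azure's implementation; service tags are simplified.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VNet address space, used to expand the VirtualNetwork and Internet tags.
VNET_PREFIX = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number wins; custom rules use 100-4096
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp" or "*"
    source: str              # CIDR prefix, "*" or a service tag
    source_port: str         # "*", "n" or "lo-hi"
    destination: str
    destination_port: str


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _addr_match(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_PREFIX
    if spec == "Internet":               # simplification: anything outside the VNet
        return addr not in VNET_PREFIX
    if spec == "AzureLoadBalancer":      # the tag resolves to the platform probe address
        return addr == ip_address("168.63.129.16")
    return addr in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol in ("*", flow.protocol)
            and _addr_match(rule.source, flow.src_ip)
            and _port_match(rule.source_port, flow.src_port)
            and _addr_match(rule.destination, flow.dst_ip)
            and _port_match(rule.destination_port, flow.dst_port))


def evaluate(rules, flow: Flow):
    """First matching rule in priority order decides; returns (access, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, flow):
            return rule.access, rule.name
    raise ValueError("no rule matched; the default DenyAll rule should always match")


# Azure's default inbound rules (priorities 65000+), which custom rules override.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules: HTTPS from anywhere, SSH only from an assumed management range.
CUSTOM_INBOUND = [
    Rule("AllowHttpsFromInternet", 100, "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("AllowSshFromMgmt", 110, "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22"),
]
INBOUND_RULES = CUSTOM_INBOUND + DEFAULT_INBOUND

if __name__ == "__main__":
    for flow in [
        Flow("198.51.100.7", 51000, "10.0.1.4", 443, "Tcp"),   # public client to HTTPS
        Flow("198.51.100.7", 51001, "10.0.1.4", 22, "Tcp"),    # public client to SSH
        Flow("203.0.113.9", 40000, "10.0.1.4", 22, "Tcp"),     # management host to SSH
        Flow("10.0.2.5", 3333, "10.0.1.4", 8080, "Tcp"),       # another VNet host
    ]:
        print(flow, "->", evaluate(INBOUND_RULES, flow))
```

Because an NSG is stateful, only the first packet of a flow is evaluated this way; replies to an allowed inbound connection are not matched against the outbound rules. The SSH-from-the-Internet flow falls through both custom rules and is stopped by DenyAllInBound, which is the behaviour to confirm whenever a new allow rule is added.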

Route Control and Forced Tunneling

The ability to control routing behavior on your Azure Virtual Networks is a critical network security and access control capability. If routing is configured incorrectly, applications and services hosted on your virtual machines may connect to devices you don't want them to connect to, including devices owned and operated by potential attackers.

Azure networking supports the ability to customize the routing behavior for network traffic on your Azure Virtual Networks. This enables you to alter the default routing table entries in your Azure Virtual Network. Control of routing behavior helps you make sure that all traffic from a certain device or group of devices enters or leaves your Azure Virtual Network through a specific location.

For example, you might have a virtual network security appliance on your Azure Virtual Network. You want to make sure that all traffic to and from your Azure Virtual Network goes through that virtual security appliance. You can do this by configuring User Defined Routes in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the Internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from Internet hosts, so Internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.

What you don't want to allow is a front-end web server initiating an outbound request. Such requests may represent a security risk because these connections could be used to download malware. Even if you do wish these front-end servers to initiate outbound requests to the Internet, you might want to force them to go through your on-premises web proxies so that you can take advantage of URL filtering and logging.

Instead, you would want to use forced tunneling to prevent this. When you enable forced tunneling, all connections to the Internet are forced through your on-premises gateway. You can configure forced tunneling by taking advantage of User Defined Routes.
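The route selection described above, as an added example that is not part of the Azure documentation: a subnet's effective route is the longest-prefix match over the system routes and any user-defined routes, and when a UDR and a system route carry the same prefix the UDR wins. The VNet prefix, the appliance address 10.0.0.4 and the probe addresses are constructed. The 0.0.0.0/0 route to VirtualNetworkGateway is the forced tunneling case; the 10.0.2.0/24 route to a VirtualAppliance is the inspection case from the paragraph before it.

```python
# Added example: how a subnet's effective route is chosen from Azure system routes
# and user-defined routes (UDRs). Illustrative code, not Azure's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# When several routes share a prefix, Azure prefers user-defined over BGP over system.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str      # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance
    origin: str = "System"
    next_hop_ip: str = ""   # only meaningful for VirtualAppliance


def system_routes(vnet_prefix: str):
    """The default routes every subnet gets in an assumed single-VNet topology."""
    return [Route(vnet_prefix, "VirtualNetwork"), Route("0.0.0.0/0", "Internet")]


def effective_route(routes, dst_ip: str) -> Route:
    """Longest prefix match; on a tie the lower origin rank wins."""
    addr = ip_address(dst_ip)
    candidates = [r for r in routes if addr in ip_network(r.prefix, strict=False)]
    if not candidates:
        raise ValueError(f"no route for {dst_ip}")
    return max(candidates,
               key=lambda r: (ip_network(r.prefix, strict=False).prefixlen, -ORIGIN_RANK[r.origin]))


def next_hop(routes, dst_ip: str) -> str:
    """Human-readable next hop, e.g. 'Internet' or 'VirtualAppliance(10.0.0.4)'."""
    r = effective_route(routes, dst_ip)
    return f"{r.next_hop_type}({r.next_hop_ip})" if r.next_hop_ip else r.next_hop_type


def has_direct_internet_egress(routes, probe_ip: str = "198.51.100.1") -> bool:
    """True when Internet-bound traffic leaves directly, i.e. forced tunneling is not in effect."""
    return effective_route(routes, probe_ip).next_hop_type == "Internet"


# Constructed topology.
VNET = "10.0.0.0/16"
# Forced tunneling: override the default 0.0.0.0/0 route so Internet-bound traffic
# goes to the VPN gateway (and from there to the on-premises network).
FORCED_TUNNEL = [Route("0.0.0.0/0", "VirtualNetworkGateway", origin="User")]
# Inspection: steer traffic for the back-end subnet through an assumed appliance at 10.0.0.4.
VIA_APPLIANCE = [Route("10.0.2.0/24", "VirtualAppliance", origin="User", next_hop_ip="10.0.0.4")]

if __name__ == "__main__":
    plain = system_routes(VNET)
    hardened = plain + FORCED_TUNNEL + VIA_APPLIANCE
    for dst in ["198.51.100.1", "10.0.1.4", "10.0.2.5"]:
        print(f"{dst:>14}: default={next_hop(plain, dst):<22} hardened={next_hop(hardened, dst)}")
    print("direct Internet egress:", has_direct_internet_egress(plain), "->", has_direct_internet_egress(hardened))
```

Note that the forced-tunnel UDR does not touch traffic inside the VNet: the /16 system route is more specific than 0.0.0.0/0, so VNet-local flows still go direct, while the /24 appliance route is more specific still and wins for the back-end subnet. The egress check is the kind of assertion worth keeping in a deployment test so that a later route-table change cannot silently reopen direct Internet egress.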

Virtual Network Security Appliances

While Network Security Groups, User Defined Routes, and forced tunneling provide a level of security at the network and transport layers of the OSI model, there may be times when you want to enable security at levels higher than the network.

For example, your security requirements might include:

  • Authentication and authorization prior to allowing access to your application
  • Intrusion detection and intrusion response
  • Application layer inspection for high-level protocols
  • URL filtering
  • Network level antivirus and antimalware
  • Anti-bot protection
  • Application access control
  • Additional DDoS protection (above the DDoS protection provided by the Azure fabric itself)

You can access these enhanced network security features by using an Azure partner solution. You can find the most current Azure partner network security solutions by visiting the Azure Image Marketplace.

Secure Remote Access and Cross-Premises Connectivity

Setup, configuration, and management of your Azure resources need to be done remotely. In addition, you may want to deploy hybrid IT solutions that have components on-premises and in the Azure public cloud. These scenarios require secure remote access.

Azure networking supports the following secure remote access scenarios:

  • Connect individual workstations to an Azure Virtual Network
  • Connect your on-premises network to an Azure Virtual Network with a VPN
  • Connect your on-premises network to an Azure Virtual Network with a dedicated WAN link
  • Connect Azure Virtual Networks to each other

Connect Individual Workstations to an Azure Virtual Network

There may be times when you want to enable individual developers or operations personnel to manage virtual machines and services in Azure. For example, you need access to a virtual machine on an Azure Virtual Network, but your security policy does not allow RDP or SSH remote access to individual virtual machines. In this case, you can use a point-to-site VPN connection.

The point-to-site VPN connection uses the SSTP VPN protocol to enable you to set up a private and secure connection between the user and the Azure Virtual Network. Once the VPN connection is established, the user will be able to RDP or SSH over the VPN link into any virtual machine on the Azure Virtual Network (assuming that the user can authenticate and is authorized).

Connect Your On-Premises Network to an Azure Virtual Network with a VPN

You may want to connect your entire corporate network, or portions of it, to an Azure Virtual Network. This is common in hybrid IT scenarios where companies extend their on-premises datacenter into Azure. In many cases companies will host parts of a service in Azure and parts on-premises, such as when a solution includes front-end web servers in Azure and back-end databases on-premises. These kinds of "cross-premises" connections also make management of Azure-located resources more secure and enable scenarios such as extending Active Directory domain controllers into Azure.

One way to accomplish this is to use a site-to-site VPN. The difference between a site-to-site VPN and a point-to-site VPN is that a point-to-site VPN connects a single device to an Azure Virtual Network, while a site-to-site VPN connects an entire network (such as your on-premises network) to an Azure Virtual Network. Site-to-site VPNs to an Azure Virtual Network use the highly secure IPsec tunnel mode VPN protocol.

Point-to-site and site-to-site VPN connections are effective for enabling cross-premises connectivity. However, some organizations consider them to have the following drawbacks:

  • VPN connections move data over the Internet – this exposes these connections to the potential security issues involved with moving data over a public network. In addition, reliability and availability for Internet connections cannot be guaranteed.
  • VPN connections to Azure Virtual Networks may be considered bandwidth constrained for some applications and purposes, as they max out at around 200 Mbps.

Organizations that need the highest level of security and availability for their cross-premises connections typically use dedicated WAN links to connect to remote sites. Azure provides you the ability to use a dedicated WAN link to connect your on-premises network to an Azure Virtual Network. This is enabled through Azure ExpressRoute.

Connect Azure Virtual Networks to Each Other

It is possible for you to use many Azure Virtual Networks for your deployments. There are many reasons why you might do this. One of the reasons might be to simplify management; another might be for security reasons. Regardless of the motivation or rationale for putting resources on different Azure Virtual Networks, there may be times when you want resources on each of the networks to connect with one another.

One option would be for services on one Azure Virtual Network to connect to services on another Azure Virtual Network by "looping back" through the Internet. The connection would start on one Azure Virtual Network, go through the Internet, and then come back to the destination Azure Virtual Network. This option exposes the connection to the security issues inherent in any Internet-based communication.

A better option might be to create an Azure Virtual Network-to-Azure Virtual Network site-to-site VPN. This Azure Virtual Network-to-Azure Virtual Network site-to-site VPN uses the same IPsec tunnel mode protocol as the cross-premises site-to-site VPN connection mentioned above.

The advantage of using an Azure Virtual Network-to-Azure Virtual Network site-to-site VPN is that the VPN connection is established over the Azure network fabric; it does not connect over the Internet. This provides you an extra layer of security compared to site-to-site VPNs that connect over the Internet.

Availability

Availability is a key component of any security program. If your users and systems can't access what they need to access over the network, the service can be considered compromised. Azure has networking technologies that support the following high-availability mechanisms:

  • HTTP-based load balancing
  • Network level load balancing
  • Global load balancing

Load balancing is a mechanism designed to equally distribute connections among multiple devices. The goals of load balancing are:

  • Increase availability – when you load balance connections across multiple devices, one or more of the devices can become unavailable and the services running on the remaining online devices can continue to serve the content from the service
  • Increase performance – when you load balance connections across multiple devices, a single device doesn't have to take the processor hit. Instead, the processing and memory demands for serving the content are spread across multiple devices.

HTTP-based Load Balancing

Organizations that run web-based services often want to have an HTTP-based load balancer in front of those web services to help ensure adequate levels of performance and high availability. In contrast to traditional network-based load balancers, the load balancing decisions made by HTTP-based load balancers are based on characteristics of the HTTP protocol, not on the network and transport layer protocols.

To provide you HTTP-based load balancing for your web-based services, Azure provides the Azure Application Gateway. The Azure Application Gateway supports:

  • HTTP-based load balancing – load balancing decisions are made based on characteristics specific to the HTTP protocol
  • Cookie-based session affinity – this capability makes sure that connections established to one of the servers behind the load balancer stay intact between the client and that server. This ensures stability of transactions.
  • SSL offload – when a client connection is established with the load balancer, the session between the client and the load balancer is encrypted using the HTTPS (SSL/TLS) protocol. However, to increase performance, you have the option to have the connection between the load balancer and the web server behind the load balancer use the HTTP (unencrypted) protocol. This is referred to as "SSL offload" because the web servers behind the load balancer don't incur the processor overhead involved with encryption, and therefore should be able to service requests more quickly.
  • URL-based content routing – this feature makes it possible for the load balancer to decide where to forward connections based on the target URL. This provides a lot more flexibility than solutions that make load balancing decisions based on IP addresses.

Network Level Load Balancing

In contrast to HTTP-based load balancing, network level load balancing makes load balancing decisions based on IP address and port (TCP or UDP) numbers. You can gain the benefits of network level load balancing in Azure by using the Azure Load Balancer. Some key characteristics of the Azure Load Balancer include:

  • Network level load balancing based on IP address and port numbers
  • Support for any application layer protocol
  • Load balances to Azure virtual machines and cloud services role instances
  • Can be used for both Internet-facing (external load balancing) and non-Internet-facing (internal load balancing) applications and virtual machines
  • Endpoint monitoring, which is used to determine if any of the services behind the load balancer have become unavailable

Global Load Balancing

Some organizations will want the highest level of availability possible. One way to reach this goal is to host applications in globally distributed datacenters. When an application is hosted in datacenters located throughout the world, it's possible for an entire geopolitical region to become unavailable and still have the application up and running.

In addition to the availability advantages you get by hosting applications in globally distributed datacenters, you can also get performance benefits. These performance benefits can be obtained by using a mechanism that directs requests for the service to the datacenter that is nearest to the device making the request.

Global load balancing can provide you both of these benefits. In Azure, you can gain the benefits of global load balancing by using Azure Traffic Manager.

Logging

Logging at a network level is a key function for any network security scenario. In Azure, you can log information obtained for Network Security Groups to get network level logging information. With NSG logging, you get information from:

  • Audit logs – these logs are used to view all operations submitted to your Azure subscriptions. These logs are enabled by default and can be used within the Azure portal.
  • Event logs – these logs provide information about what NSG rules were applied.
  • Counter logs – these logs let you know how many times each NSG rule was applied to deny or allow traffic.

You can also use Microsoft Power BI operated by 21Vianet, a powerful data visualization tool, to view and analyze these logs.
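As an added example for the counter logs (not Azure's own tooling), this Python aggregates NSG rule counter records and flags two things a defender wants from them: deny rules that are firing heavily, and allow rules that are never hit and are therefore candidates for removal. The log lines are constructed to resemble the NetworkSecurityGroupRuleCounter category; the exact field names, rule names and the resource ID are assumptions, so map them to your exported records before use.

```python
# Added example: aggregating NSG rule counter records. Illustrative code, not Azure tooling;
# the record shape mirrors the NetworkSecurityGroupRuleCounter category but field names are assumed.
import json
from collections import defaultdict

# Placeholder resource ID (constructed, not a real subscription).
NSG_ID = ("/subscriptions/EXAMPLE-SUB/resourceGroups/rg-web/providers/"
          "Microsoft.Network/networkSecurityGroups/nsg-web")


def _rec(time, rule, direction, kind, count):
    """Build one constructed rule-counter record as a JSON line."""
    return json.dumps({
        "time": time, "category": "NetworkSecurityGroupRuleCounter", "resourceId": NSG_ID,
        "properties": {"subnetPrefix": "10.0.1.0/24", "ruleName": rule,
                       "direction": direction, "type": kind, "matchedConnections": count},
    })


# Constructed sample: two five-minute intervals plus one record of another category.
SAMPLE_LOG = "\n".join([
    _rec("2024-05-01T10:00:00Z", "UserRule_AllowHttpsFromInternet", "In", "allow", 120),
    _rec("2024-05-01T10:00:00Z", "DefaultRule_DenyAllInBound", "In", "block", 35),
    _rec("2024-05-01T10:00:00Z", "UserRule_AllowSshFromMgmt", "In", "allow", 0),
    _rec("2024-05-01T10:05:00Z", "UserRule_AllowHttpsFromInternet", "In", "allow", 80),
    _rec("2024-05-01T10:05:00Z", "DefaultRule_DenyAllInBound", "In", "block", 410),
    _rec("2024-05-01T10:05:00Z", "DefaultRule_AllowInternetOutBound", "Out", "allow", 15),
    json.dumps({"time": "2024-05-01T10:05:00Z", "category": "NetworkSecurityGroupEvent",
                "resourceId": NSG_ID, "properties": {"ruleName": "UserRule_AllowHttpsFromInternet"}}),
])


def parse_counters(text: str):
    """Return (rule, direction, type, matchedConnections) tuples from rule-counter records only."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("category") != "NetworkSecurityGroupRuleCounter":
            continue  # event records and anything else are not counters
        p = rec["properties"]
        out.append((p["ruleName"], p["direction"], p["type"], int(p["matchedConnections"])))
    return out


def summarize(counters):
    """Total matched connections per (rule, direction, type) across all intervals."""
    totals = defaultdict(int)
    for rule, direction, kind, n in counters:
        totals[(rule, direction, kind)] += n
    return dict(totals)


def unused_allow_rules(totals):
    """Allow rules with no hits in the window: candidates for removal (least privilege)."""
    return sorted(rule for (rule, _d, kind), n in totals.items() if kind == "allow" and n == 0)


def noisy_deny_rules(totals, threshold: int = 100):
    """Deny rules hit more than `threshold` times: worth checking who is being blocked and why."""
    return sorted((rule, n) for (rule, _d, kind), n in totals.items()
                  if kind == "block" and n > threshold)


if __name__ == "__main__":
    totals = summarize(parse_counters(SAMPLE_LOG))
    for key, n in sorted(totals.items()):
        print(key, n)
    print("unused allow rules:", unused_allow_rules(totals))
    print("noisy deny rules:", noisy_deny_rules(totals))
```

The counter records only tell you how often a rule matched, not which sources matched it; a spike in DenyAllInBound hits is the cue to turn to the event logs (or flow logs, where enabled) for the source addresses and ports, and an allow rule that stays at zero over a meaningful window is one to remove rather than leave as latent exposure.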

Name Resolution

Name resolution is a critical function for all services you host in Azure. From a security perspective, compromise of the name resolution function can lead to an attacker redirecting requests from your sites to an attacker's site. Secure name resolution is a requirement for all your cloud-hosted services.

There are two types of name resolution you need to address:

  • Internal name resolution – internal name resolution is used by services on your Azure Virtual Networks, your on-premises networks, or both. Names used for internal name resolution are not accessible over the Internet. For optimal security, it's important that your internal name resolution scheme is not accessible to external users.
  • External name resolution – external name resolution is used by people and devices outside of your on-premises and Azure Virtual Networks. These are the names that are visible to the Internet and are used to direct connections to your cloud-based services.

For internal name resolution, you have two options:

  • An Azure Virtual Network DNS server – when you create a new Azure Virtual Network, a DNS server is created for you. This DNS server can resolve the names of the machines located on that Azure Virtual Network. This DNS server is not configurable and is managed by the Azure fabric manager, thus making it a secure name resolution solution.
  • Bring your own DNS server – you have the option of putting a DNS server of your own choosing on your Azure Virtual Network. This DNS server could be an Active Directory-integrated DNS server, or a dedicated DNS server solution provided by an Azure partner, which you can obtain from the Azure Marketplace.

For external DNS resolution, you have two options:

  • Host your own external DNS server on-premises
  • Host your own external DNS server with a service provider

Many large organizations will host their own DNS servers on-premises. They can do this because they have the networking expertise and global presence to do so.

In most cases, it's better to host your DNS name resolution services with a service provider. These service providers have the network expertise and global presence to ensure very high availability for your name resolution services. Availability is essential for DNS services because if your name resolution services fail, no one will be able to reach your Internet-facing services.

Azure provides you a highly available and performant external DNS solution in the form of Azure DNS. This external name resolution solution takes advantage of the worldwide Azure DNS infrastructure. It allows you to host your domain in Azure using the same credentials, APIs, tools, and billing as your other Azure services. As part of Azure, it also inherits the strong security controls built into the platform.

DMZ Architecture

Many enterprise organizations use DMZs to segment their networks to create a buffer zone between the Internet and their services. The DMZ portion of the network is considered a low-security zone, and no high-value assets are placed in that network segment. You'll typically see network security devices that have a network interface on the DMZ segment and another network interface connected to a network that has virtual machines and services that accept inbound connections from the Internet.

There are a number of variations of DMZ design. The decision to deploy a DMZ, and then what type of DMZ to use if you decide to use one, is based on your network security requirements.