Azure Network Security Overview

Network security can be defined as the process of protecting resources from unauthorized access or attack by applying controls to network traffic. The goal is to ensure that only legitimate traffic is allowed. Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure-hosted resources, and to and from the internet and Azure.

This article covers some of the options that Azure offers in the area of network security. You can learn about:

  • Azure networking
  • Network access control
  • Azure Firewall
  • Secure remote access and cross-premises connectivity
  • Availability
  • Name resolution
  • Perimeter network (DMZ) architecture
  • Azure DDoS protection
  • Azure Front Door
  • Traffic Manager
  • Monitoring and threat detection

Azure networking

Azure requires virtual machines to be connected to an Azure Virtual Network. A virtual network is a logical construct built on top of the physical Azure network fabric. Each virtual network is isolated from all other virtual networks. This helps ensure that network traffic in your deployments is not accessible to other Azure customers.

Network access control

Network access control is the act of limiting connectivity to and from specific devices or subnets within a virtual network. The goal of network access control is to limit access to your virtual machines and services to approved users and devices. Access controls are based on decisions to allow or deny connections to and from your virtual machine or service.

Azure supports several types of network access control, such as:

  • Network layer control
  • Route control and forced tunneling
  • Virtual network security appliances

Network layer control

Any secure deployment requires some measure of network access control. The goal of network access control is to make sure that your virtual machines, and the network services that run on them, can communicate only with the other networked devices they need to communicate with, and that all other connection attempts are blocked.

If you need basic network-level access control (based on IP address and the TCP or UDP protocols), you can use Network Security Groups. A Network Security Group (NSG) is a basic stateful packet-filtering firewall that lets you control access based on a 5-tuple (source address, source port, destination address, destination port, and protocol). Rules are evaluated in priority order and the first matching rule decides whether the flow is allowed or denied. NSGs do not provide application-layer inspection or authenticated access controls.
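The following added example (not Azure code) models how an NSG decides on a 5-tuple: rules are tried in ascending priority order and the first match wins, with Azure's catch-all DenyAllInBound rule at priority 65500 as the last resort. The rule set and addresses are constructed for illustration; the real default rules also include AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001), which use service tags and are omitted here.

```python
"""Priority-ordered 5-tuple evaluation in the style of an Azure NSG.
Added example, not Azure code; the rules below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first (custom rules use 100-4096)
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR or "*"
    source_port: str   # single port, "lo-hi" range or "*"
    dest: str          # CIDR or "*"
    dest_port: str     # single port, "lo-hi" range or "*"
    name: str = ""


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == "*":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-"))
        return lo <= port <= hi
    return port == int(pattern)


def evaluate(rules, proto, src, sport, dst, dport):
    """Return (access, rule_name) of the first rule, by priority, matching the 5-tuple."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if not (_addr_match(r.source, src) and _addr_match(r.dest, dst)):
            continue
        if not (_port_match(r.source_port, sport) and _port_match(r.dest_port, dport)):
            continue
        return r.access, r.name
    # Unreachable when the default DenyAllInBound rule is present, kept as a safety net.
    return "Deny", "<no rule matched>"


# Constructed inbound rule set. Note that the admin SSH allow (110) is ordered
# before the broad SSH deny (200) purely because of its lower priority number.
INBOUND = [
    Rule(100, "Allow", "Tcp", "*", "*", "10.0.1.0/24", "443", "allow-https-web"),
    Rule(200, "Deny", "Tcp", "*", "*", "*", "22", "deny-ssh-from-anywhere"),
    Rule(110, "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22", "allow-ssh-from-admin"),
    Rule(65500, "Deny", "*", "*", "*", "*", "*", "DenyAllInBound"),
]


def decide(proto, src, sport, dst, dport):
    """Convenience wrapper returning only the Allow/Deny verdict for INBOUND."""
    return evaluate(INBOUND, proto, src, sport, dst, dport)[0]


if __name__ == "__main__":
    for flow in [("Tcp", "198.51.100.7", 51000, "10.0.1.4", 443),
                 ("Tcp", "203.0.113.10", 51000, "10.0.1.4", 22),
                 ("Tcp", "198.51.100.7", 51000, "10.0.1.4", 22),
                 ("Udp", "198.51.100.7", 51000, "10.0.1.4", 443)]:
        print(flow, "->", evaluate(INBOUND, *flow))
```

Because an NSG is stateful, the return traffic of an allowed inbound flow is permitted without a matching outbound rule; this model covers only the initial-packet decision.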


Route control and forced tunneling

The ability to control routing behavior on your virtual networks is critical. If routing is configured incorrectly, applications and services hosted on your virtual machines might connect to unauthorized devices, including systems owned and operated by potential attackers.

Azure networking supports the ability to customize the routing behavior for network traffic on your virtual networks. This enables you to alter the default routing table entries in your virtual network. Control of routing behavior helps you make sure that all traffic from a certain device or group of devices enters or leaves your virtual network through a specific location.

For example, you might have a virtual network security appliance on your Azure Virtual Network. You want to make sure that all traffic to and from your Azure Virtual Network goes through that virtual security appliance. You can do this by configuring User Defined Routes (UDRs) in Azure.

Forced tunneling is a mechanism you can use to ensure that your services are not allowed to initiate a connection to devices on the internet. Note that this is different from accepting incoming connections and then responding to them. Front-end web servers need to respond to requests from internet hosts, so internet-sourced traffic is allowed inbound to these web servers and the web servers are allowed to respond.

What you don't want to allow is a front-end web server initiating an outbound request. Such requests may represent a security risk because these connections could be used to download malware. Even if you do wish these front-end servers to initiate outbound requests to the internet, you might want to force them through your on-premises web proxies so that you can take advantage of URL filtering and logging.

Instead, you would want to use forced tunneling to prevent this. When you enable forced tunneling, all connections to the internet are forced through your on-premises gateway. You can configure forced tunneling by taking advantage of User Defined Routes.
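The following added example (not Azure code) models how a subnet's effective route is chosen once UDRs are present: the longest matching prefix wins, and when prefix lengths tie, a user-defined route overrides the system route. It shows the system default that sends unknown destinations to the internet, the forced-tunneling UDR for 0.0.0.0/0 that redirects them to the VPN gateway, the equivalent UDR that sends them through a security appliance, and a more specific UDR that carves out an exception. Address ranges and the appliance IP are constructed.

```python
"""Effective-route selection in the style of Azure UDRs.
Added example, not Azure code; routes and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # destination CIDR
    next_hop: str          # VirtualNetwork, Internet, VirtualNetworkGateway, VirtualAppliance, None
    origin: str            # "System", "BGP" or "User"
    next_hop_ip: str = ""  # only used when next_hop is VirtualAppliance


# When several routes share the same prefix length, Azure prefers
# user-defined routes, then BGP-learned routes, then system routes.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def select_route(routes, destination):
    """Return the route Azure would use for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix, strict=False)]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r.prefix, strict=False).prefixlen,
                       ORIGIN_RANK[r.origin]),
    )


# System routes every subnet starts with (VNet address space is constructed here).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),  # the VNet's own address space
    Route("0.0.0.0/0", "Internet", "System"),          # everything else goes straight out
]

# Forced tunneling: default route overridden to point at the VPN gateway, so
# VMs in the subnet can no longer initiate connections directly to the internet.
FORCED_TUNNEL = Route("0.0.0.0/0", "VirtualNetworkGateway", "User")

# Same idea via a network virtual appliance that inspects all egress (constructed IP).
VIA_NVA = Route("0.0.0.0/0", "VirtualAppliance", "User", next_hop_ip="10.0.254.4")

# A more specific UDR wins over the forced-tunnel default for that one prefix only.
DIRECT_EXCEPTION = Route("203.0.113.0/24", "Internet", "User")


def next_hop_for(destination, udrs=()):
    """Next hop type for `destination` given the system routes plus the supplied UDRs."""
    chosen = select_route(list(SYSTEM_ROUTES) + list(udrs), destination)
    return chosen.next_hop if chosen else "None"


if __name__ == "__main__":
    for label, udrs in [("no UDR", []), ("forced tunnel", [FORCED_TUNNEL]),
                        ("via NVA", [VIA_NVA]),
                        ("forced tunnel + exception", [FORCED_TUNNEL, DIRECT_EXCEPTION])]:
        print(label, "->", next_hop_for("93.184.216.34", udrs), "/",
              next_hop_for("10.0.1.5", udrs), "/", next_hop_for("203.0.113.9", udrs))
```

Traffic to the VNet's own address space keeps its VirtualNetwork next hop under every variant, which is why a forced-tunnel UDR does not break intra-VNet connectivity.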


Virtual network security appliances

While NSGs, UDRs, and forced tunneling provide a level of security at the network and transport layers of the OSI model, you might also want to enable security at layers above the network layer.

For example, your security requirements might include:

  • Authentication and authorization before allowing access to your application
  • Intrusion detection and intrusion response
  • Application-layer inspection for high-level protocols
  • URL filtering
  • Network-level antivirus and antimalware
  • Anti-bot protection
  • Application access control
  • Additional DDoS protection (above the DDoS protection provided by the Azure fabric itself)

You can access these enhanced network security features by using an Azure partner solution. You can find the most current Azure partner network security solutions by visiting the Azure Marketplace and searching for "security" and "network security".

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Some of its features include:

  • High availability
  • Cloud scalability
  • Application FQDN filtering rules
  • Network traffic filtering rules

Secure remote access and cross-premises connectivity

Setup, configuration, and management of your Azure resources needs to be done remotely. In addition, you might want to deploy hybrid IT solutions that have components on-premises and in the Azure public cloud. These scenarios require secure remote access.

Azure networking supports the following secure remote access scenarios:

  • Connect individual workstations to a virtual network
  • Connect your on-premises network to a virtual network with a VPN
  • Connect your on-premises network to a virtual network with a dedicated WAN link
  • Connect virtual networks to each other

Connect individual workstations to a virtual network

You might want to enable individual developers or operations personnel to manage virtual machines and services in Azure. For example, say you need access to a virtual machine on a virtual network, but your security policy does not allow RDP or SSH remote access to individual virtual machines. In this case, you can use a point-to-site VPN connection.

The point-to-site VPN connection enables you to set up a private and secure connection between the user and the virtual network. When the VPN connection is established, the user can RDP or SSH over the VPN link into any virtual machine on the virtual network (assuming the user can authenticate and is authorized). Point-to-site VPN supports:

  • Secure Socket Tunneling Protocol (SSTP), a proprietary SSL-based VPN protocol. An SSL VPN solution can pass through most firewalls, since most firewalls open TCP port 443, which SSL uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP (Windows 7 and later).

  • IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (OSX versions 10.11 and above).


Connect your on-premises network to a virtual network with a VPN

You might want to connect your entire corporate network, or portions of it, to a virtual network. This is common in hybrid IT scenarios, where organizations extend their on-premises datacenter into Azure. In many cases, organizations host parts of a service in Azure and parts on-premises. For example, they might do so when a solution includes front-end web servers in Azure and back-end databases on-premises. These types of "cross-premises" connections also make management of Azure-located resources more secure, and enable scenarios such as extending Active Directory domain controllers into Azure.

One way to accomplish this is to use a site-to-site VPN. The difference between a site-to-site VPN and a point-to-site VPN is that the latter connects a single device to a virtual network, whereas a site-to-site VPN connects an entire network (such as your on-premises network) to a virtual network. Site-to-site VPNs to a virtual network use the IPsec tunnel mode VPN protocol.


Point-to-site and site-to-site VPN connections are effective for enabling cross-premises connectivity. However, some organizations consider them to have the following drawbacks:

  • VPN connections move data over the internet. This exposes these connections to the potential security issues involved with moving data over a public network. In addition, reliability and availability for internet connections cannot be guaranteed.
  • VPN connections to virtual networks might not have the bandwidth for some applications and purposes, as they max out at around 200 Mbps.

Organizations that need the highest level of security and availability for their cross-premises connections typically use dedicated WAN links to connect to remote sites. Azure provides the ability to use a dedicated WAN link to connect your on-premises network to a virtual network. Azure ExpressRoute, ExpressRoute Direct, and ExpressRoute Global Reach enable this.


Connect virtual networks to each other

It is possible to use many virtual networks for your deployments. There are various reasons why you might do this: you might want to simplify management, or you might want increased security. Regardless of the motivation for putting resources on different virtual networks, there might be times when you want resources on each of the networks to connect with one another.

One option is for services on one virtual network to connect to services on another virtual network by "looping back" through the internet. The connection starts on one virtual network, goes through the internet, and then comes back to the destination virtual network. This option exposes the connection to the security issues inherent in any internet-based communication.

A better option might be to create a site-to-site VPN that connects the two virtual networks. This method uses the same IPsec tunnel mode protocol as the cross-premises site-to-site VPN connection mentioned above.

The advantage of this approach is that the VPN connection is established over the Azure network fabric instead of over the internet. This provides an extra layer of security compared to site-to-site VPNs that connect over the internet.


Availability

Availability is a key component of any security program. If your users and systems can't access what they need to access over the network, the service can be considered compromised. Azure has networking technologies that support the following high-availability mechanisms:

  • HTTP-based load balancing
  • Network-level load balancing
  • Global load balancing

Load balancing is a mechanism designed to distribute connections evenly among multiple devices. The goals of load balancing are:

  • To increase availability. When you load balance connections across multiple devices, one or more of the devices can become unavailable without compromising the service. The services running on the remaining online devices can continue to serve the content.
  • To increase performance. When you load balance connections across multiple devices, a single device doesn't have to handle all processing. Instead, the processing and memory demands for serving the content are spread across multiple devices.

HTTP-based load balancing

Organizations that run web-based services often want an HTTP-based load balancer in front of those web services. This helps ensure adequate levels of performance and high availability. Traditional, network-based load balancers rely on network- and transport-layer protocols. HTTP-based load balancers, on the other hand, make decisions based on characteristics of the HTTP protocol.

Azure Application Gateway provides HTTP-based load balancing for your web-based services. Application Gateway supports:

  • Cookie-based session affinity. This capability makes sure that a connection established to one of the servers behind the load balancer stays intact between the client and that server. This ensures stability of transactions.
  • SSL offload. When a client connects to the load balancer, that session is encrypted using the HTTPS (SSL) protocol. However, in order to increase performance, you can use the HTTP (unencrypted) protocol between the load balancer and the web servers behind it. This is referred to as "SSL offload" because the web servers behind the load balancer don't incur the processor overhead of encryption, and can therefore service requests more quickly.
  • URL-based content routing. This feature makes it possible for the load balancer to decide where to forward connections based on the target URL. This provides a lot more flexibility than solutions that make load balancing decisions based on IP addresses.

Network-level load balancing

In contrast to HTTP-based load balancing, network-level load balancing makes decisions based on IP address and port (TCP or UDP) numbers. You can gain the benefits of network-level load balancing in Azure by using Azure Load Balancer. Some key characteristics of Load Balancer include:

  • Network-level load balancing based on IP address and port numbers.
  • Support for any application-layer protocol.
  • Load balancing to Azure virtual machines and cloud services role instances.
  • Use for both internet-facing (external load balancing) and non-internet-facing (internal load balancing) applications and virtual machines.
  • Endpoint monitoring, which is used to determine whether any of the services behind the load balancer have become unavailable.


Global load balancing

Some organizations want the highest level of availability possible. One way to reach this goal is to host applications in datacenters distributed across multiple regions. When an application is hosted in datacenters located throughout the world, an entire geopolitical region can become unavailable and the application can still be up and running.

This load-balancing strategy can also yield performance benefits. You can direct requests for the service to the datacenter that is nearest to the device making the request.

In Azure, you can gain the benefits of multiple-region load balancing by using Azure Traffic Manager.


Name resolution

Name resolution is a critical function for all services you host in Azure. From a security perspective, compromise of the name resolution function can lead to an attacker redirecting requests from your sites to an attacker's site. Secure name resolution is a requirement for all your cloud-hosted services.

There are two types of name resolution you need to address:

  • Internal name resolution. This is used by services on your virtual networks, your on-premises networks, or both. Names used for internal name resolution are not accessible over the internet. For optimal security, it's important that your internal name resolution scheme is not accessible to external users.
  • External name resolution. This is used by people and devices outside of your on-premises networks and virtual networks. These are the names that are visible to the internet and are used to direct connections to your cloud-based services.

For internal name resolution, you have two options:

  • A virtual network DNS server. When you create a new virtual network, a DNS server is created for you. This DNS server can resolve the names of the machines located on that virtual network. This DNS server is not configurable, is managed by the Azure fabric manager, and can therefore help you secure your name resolution solution.
  • Bring your own DNS server. You have the option of putting a DNS server of your own choosing on your virtual network. This DNS server can be an Active Directory-integrated DNS server or a dedicated DNS server solution provided by an Azure partner, which you can obtain from the Azure Marketplace.


For external name resolution, you have two options:

  • Host your own external DNS server on-premises.
  • Host your own external DNS server with a service provider.

Many large organizations host their own DNS servers on-premises. They can do this because they have the networking expertise and multiple-region presence to do so.

In most cases, it's better to host your DNS name resolution services with a service provider. These service providers have the network expertise and multiple-region presence to ensure very high availability for your name resolution services. Availability is essential for DNS services, because if your name resolution services fail, no one will be able to reach your internet-facing services.

Azure provides a highly available and high-performing external DNS solution in the form of Azure DNS. This external name resolution solution takes advantage of the multiple-region Azure DNS infrastructure. It allows you to host your domain in Azure, using the same credentials, APIs, tools, and billing as your other Azure services. As part of Azure, it also inherits the strong security controls built into the platform.

Perimeter network (DMZ) architecture

Many enterprise organizations use DMZs to segment their networks and create a buffer zone between the internet and their services. The DMZ portion of the network is considered a low-security zone, and no high-value assets are placed in that network segment. You'll typically see network security devices that have one network interface on the DMZ segment and another network interface connected to a network containing the virtual machines and services that accept inbound connections from the internet.

There are a number of variations of DMZ design. The decision to deploy a DMZ, and then what type of DMZ to use if you decide to deploy one, is based on your network security requirements.