Azure Virtual Machines security overview

You can use Azure Virtual Machines to deploy a wide range of computing solutions in an agile way. The service supports Azure Windows, Linux, Azure SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services. So you can deploy any workload and any language on nearly any operating system.

An Azure virtual machine gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs the virtual machine. You can build and deploy your applications with the assurance that your data is protected and safe in our highly secure datacenters.

With Azure, you can build security-enhanced, compliant solutions that:

  • Protect your virtual machines from viruses and malware.
  • Encrypt your sensitive data.
  • Secure network traffic.
  • Identify and detect threats.
  • Meet compliance requirements.

Antimalware

With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and Kaspersky. This software helps protect your virtual machines from malicious files, adware, and other threats.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware for Azure provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments. It's designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

When you deploy and enable Microsoft Antimalware for Azure, the following core features are available:

  • Real-time protection: Monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution.
  • Scheduled scanning: Periodically performs targeted scanning to detect malware, including actively running programs.
  • Malware remediation: Automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
  • Signature updates: Automatically installs the latest protection signatures (virus definitions) to ensure that protection is up to date on a predetermined frequency.
  • Antimalware engine updates: Automatically updates the Microsoft Antimalware for Azure engine.
  • Antimalware platform updates: Automatically updates the Microsoft Antimalware for Azure platform.
  • Active protection: Reports telemetry metadata to Azure about detected threats and suspicious resources to ensure rapid response. Enables real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).
  • Samples reporting: Provides and reports samples to the Microsoft Antimalware for Azure service to help refine the service and enable troubleshooting.
  • Exclusions: Allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and other reasons.
  • Antimalware event collection: Records antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them in your Azure storage account.
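The following Azure CLI script is an added example and not part of the original article: it enables the Microsoft Antimalware VM extension (publisher Microsoft.Azure.Security, extension name IaaSAntimalware) on an existing Windows VM with real-time protection, a weekly quick scan, and a path exclusion list. Resource-group and VM names are placeholders, and the settings field names follow the extension's public documentation as I recall it, so treat the exact schema as an assumption to check against the current docs. The validation step reflects the risk behind the "Exclusions" feature above: excluding a whole drive root quietly turns scanning off for that volume.

```shell
#!/bin/sh
# Added example, not from the Azure documentation. Resource names are placeholders;
# the settings schema for the IaaSAntimalware extension is assumed from its public docs.

# Reject exclusion entries that name a whole drive root ("C:" or "D:\"), because
# such an exclusion disables scanning for everything on that volume.
# $1: semicolon-separated list of paths. Returns 0 if acceptable, 1 otherwise.
validate_exclusions() {
  old_ifs=$IFS
  IFS=';'
  for entry in $1; do
    case "$entry" in
      [A-Za-z]:|[A-Za-z]:\\)
        IFS=$old_ifs
        return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Emit the extension's public settings as JSON: real-time protection on, a weekly
# quick scan (day 7 in the extension's day encoding; time 120 = minutes after
# midnight), and an optional path exclusion list with backslashes escaped for JSON.
# $1: semicolon-separated exclusion paths (may be empty).
antimalware_settings() {
  paths=$(printf '%s\n' "${1:-}" | sed 's/\\/\\\\/g')
  cat <<EOF
{
  "AntimalwareEnabled": true,
  "RealtimeProtectionEnabled": true,
  "ScheduledScanSettings": {
    "isEnabled": true,
    "day": 7,
    "time": 120,
    "scanType": "Quick"
  },
  "Exclusions": {
    "Extensions": "",
    "Paths": "$paths",
    "Processes": ""
  }
}
EOF
}

# Install or update the extension on the VM, refusing over-broad exclusions first.
# $1: resource group, $2: VM name, $3: exclusion paths (optional).
deploy_antimalware() {
  validate_exclusions "${3:-}" || { echo "refusing whole-drive exclusion: $3" >&2; return 1; }
  az vm extension set \
    --resource-group "$1" --vm-name "$2" \
    --publisher Microsoft.Azure.Security --name IaaSAntimalware \
    --settings "$(antimalware_settings "${3:-}")"
}

# Usage (requires a logged-in Azure CLI):
#   deploy_antimalware my-rg my-vm 'D:\IISlogs;D:\DatabaseLogs'
```

After deployment, `az vm extension show --resource-group my-rg --vm-name my-vm --name IaaSAntimalware` reports the provisioning state; the exclusion list should be reviewed with the same care as any allow-list, because an exclusion is a permanent blind spot for the scanner.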

Hardware security module

Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.
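The following Azure CLI script is an added example, not code from the original article or from Microsoft: it creates a premium-SKU Key Vault, generates an HSM-protected key, grants an Azure AD principal (for example a VM's managed identity) only the key operations it needs, and checks from the vault's own answer that the key really is HSM-backed rather than software-protected. Vault, key, and principal identifiers are placeholders; the sample JSON is constructed to match the shape of `az keyvault key show` output.

```shell
#!/bin/sh
# Added example, not from the Azure documentation. All names are placeholders.

# Create a premium vault (required for HSM-backed keys) and an RSA key whose
# private half is generated inside and never leaves the HSM.
# $1: resource group, $2: vault name, $3: key name, $4: location (optional).
create_hsm_key() {
  az keyvault create --resource-group "$1" --name "$2" \
    --location "${4:-eastus}" --sku premium
  # --protection hsm requests an HSM-backed key; software protection is the default.
  az keyvault key create --vault-name "$2" --name "$3" \
    --kty RSA --size 2048 --protection hsm
}

# Grant an Azure AD principal the minimum key operations a TDE/backup workload
# needs: read metadata and wrap/unwrap data-encryption keys, but not delete or export.
# $1: vault name, $2: object id of the principal (e.g. a VM's managed identity).
grant_key_access() {
  az keyvault set-policy --name "$1" --object-id "$2" \
    --key-permissions get list wrapKey unwrapKey
}

# Post-deployment check: confirm the key type reported by the vault is an HSM
# variant ("RSA-HSM" or "EC-HSM"); a plain "RSA"/"EC" means software protection.
# $1: JSON document as printed by `az keyvault key show`. Returns 0 if HSM-backed.
key_is_hsm_protected() {
  printf '%s' "$1" | grep -Eq '"kty"[[:space:]]*:[[:space:]]*"(RSA|EC)-HSM"'
}

# Constructed sample responses (trimmed) in the shape of `az keyvault key show`.
SAMPLE_HSM_KEY='{"key": {"kid": "https://example-vault.vault.azure.net/keys/sql-tde/0123456789abcdef", "kty": "RSA-HSM"}, "attributes": {"enabled": true}}'
SAMPLE_SW_KEY='{"key": {"kid": "https://example-vault.vault.azure.net/keys/app-key/0123456789abcdef", "kty": "RSA"}, "attributes": {"enabled": true}}'

# Usage (requires a logged-in Azure CLI):
#   create_hsm_key my-rg example-vault sql-tde
#   grant_key_access example-vault 00000000-0000-0000-0000-000000000000
#   key_is_hsm_protected "$(az keyvault key show --vault-name example-vault --name sql-tde)" \
#     && echo "key is HSM-protected"
```

The check matters because a premium vault can hold both software- and HSM-protected keys; only the key type, not the vault SKU, tells you which one a given key is.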

Virtual machine backup

Azure Backup is a scalable solution that helps protect your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. With Azure Backup, your virtual machines running Windows and Linux are protected.

Azure Site Recovery

An important part of your organization's BCDR strategy is figuring out how to keep corporate workloads and apps running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they're available from a secondary location if your primary location goes down.

Site Recovery:

  • Simplifies your BCDR strategy: Site Recovery makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single location. Site Recovery orchestrates replication and failover but doesn't intercept your application data or have any information about it.
  • Provides flexible replication: By using Site Recovery, you can replicate workloads running on Hyper-V virtual machines, VMware virtual machines, and Windows/Linux physical servers.
  • Supports failover and recovery: Site Recovery provides test failovers to support disaster recovery drills without affecting production environments. You can also run planned failovers with zero data loss for expected outages, or unplanned failovers with minimal data loss (depending on replication frequency) for unexpected disasters. After failover, you can fail back to your primary sites. Site Recovery provides recovery plans that can include scripts and Azure automation workbooks so that you can customize failover and recovery of multi-tier applications.
  • Eliminates secondary datacenters: You can replicate to a secondary on-premises site, or to Azure. Using Azure as a destination for disaster recovery eliminates the cost and complexity of maintaining a secondary site. Replicated data is stored in Azure Storage.
  • Integrates with existing BCDR technologies: Site Recovery partners with other applications' BCDR features. For example, you can use Site Recovery to help protect the SQL Server back end of corporate workloads. This includes native support for SQL Server Always On to manage the failover of availability groups.

Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Compliance

Azure Virtual Machines is certified for FISMA, FedRAMP, HIPAA, PCI DSS Level 1, and other key compliance programs. This certification makes it easier for your own Azure applications to meet compliance requirements and for your business to address a wide range of domestic and international regulatory requirements.
