Azure Virtual Machines security overview

Azure Virtual Machines lets you deploy a wide range of computing solutions in an agile way. With support for Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services, you can deploy any workload and any language on nearly any operating system.

An Azure virtual machine gives you the flexibility of virtualization without having to buy and maintain the physical hardware that runs the virtual machine. You can build and deploy your applications with the assurance that your data is protected and safe in our highly secure datacenters.

With Azure, you can build security-enhanced, compliant solutions that:

  • Protect your virtual machines from viruses and malware
  • Encrypt your sensitive data
  • Secure network traffic
  • Identify and detect threats
  • Meet compliance requirements

The goal of this article is to provide an overview of the core Azure security features that can be used with virtual machines. We also provide links to articles that give details of each feature so you can learn more.

The core Azure Virtual Machines security capabilities covered in this article are:

  • Antimalware
  • Hardware Security Module
  • Virtual machine backup
  • Azure Site Recovery
  • Virtual networking
  • Compliance

Antimalware

With Azure, you can use antimalware software from security vendors such as Microsoft and Asiainfo (formerly TrendMicro China) to protect your virtual machines from malicious files, adware, and other threats. See the Learn More section below to find articles on partner solutions.

Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Microsoft Antimalware is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either a basic secure-by-default configuration or an advanced custom configuration, including antimalware monitoring.

When you deploy and enable Microsoft Antimalware, the following core features are available:

  • Real-time protection - monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution.
  • Scheduled scanning - periodically performs targeted scanning to detect malware, including actively running programs.
  • Malware remediation - automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.
  • Signature updates - automatically installs the latest protection signatures (virus definitions) on a pre-determined frequency to ensure protection is up to date.
  • Antimalware Engine updates - automatically updates the Microsoft Antimalware engine.
  • Antimalware Platform updates - automatically updates the Microsoft Antimalware platform.
  • Active protection - reports telemetry metadata about detected threats and suspicious resources to Azure to ensure rapid response, and enables real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).
  • Samples reporting - provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.
  • Exclusions - allows application and service administrators to configure certain files, processes, and drives to be excluded from protection and scanning for performance and other reasons.
  • Antimalware event collection - records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer's Azure Storage account.
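
The following is an added example, not code from the original article, showing how the custom configuration described above (real-time protection, a weekly scheduled scan, and a narrow set of exclusions) is applied through the Microsoft Antimalware VM extension from Azure PowerShell. The resource group, VM name and region are assumed values.

```powershell
# Added example: enable the Microsoft Antimalware extension with an explicit
# configuration rather than the secure-by-default one. All names below are assumed.
# Sign in to the 21Vianet-operated cloud rather than the global Azure cloud.
Connect-AzAccount -Environment AzureChinaCloud

$resourceGroup = 'rg-example'     # assumed
$vmName        = 'vm-web01'       # assumed
$location      = 'chinanorth2'    # assumed

# Public settings for the IaaSAntimalware extension. Real-time protection stays on;
# a quick scan runs weekly on day 7 at 02:00 ("time" is minutes after midnight).
# Keep exclusions minimal: every excluded path is a blind spot for the scanner,
# so only the high-churn log directories that cause I/O contention are listed.
$settings = @{
    AntimalwareEnabled        = $true
    RealtimeProtectionEnabled = $true
    ScheduledScanSettings     = @{
        isEnabled = $true
        day       = 7
        time      = 120
        scanType  = 'Quick'
    }
    Exclusions = @{
        Extensions = ''
        Paths      = 'D:\IISLogs;D:\DatabaseLogs'   # assumed paths
        Processes  = ''
    }
} | ConvertTo-Json -Depth 3

Set-AzVMExtension -ResourceGroupName $resourceGroup `
    -VMName $vmName `
    -Location $location `
    -Name 'IaaSAntimalware' `
    -Publisher 'Microsoft.Azure.Security' `
    -ExtensionType 'IaaSAntimalware' `
    -TypeHandlerVersion '1.3' `
    -SettingString $settings

# Verify the extension provisioned. Antimalware health, detections and remediation
# actions are then written to the guest event log, as described in the feature list.
Get-AzVMExtension -ResourceGroupName $resourceGroup -VMName $vmName -Name 'IaaSAntimalware' |
    Select-Object Name, ProvisioningState, TypeHandlerVersion
```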

Learn more: To learn more about antimalware software to protect your virtual machines, see:

Hardware Security Module

Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault. Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault, along with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.
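
As an added example (not from the original article), the commands below create a Premium-tier Key Vault, generate a key whose private material is held inside the HSM boundary, and grant an application identity only the key operations it needs via an Azure Active Directory access policy. The vault name, resource group, region, key name and the service principal object id are assumed placeholders.

```powershell
# Added example: HSM-protected key in Key Vault with a least-privilege access policy.
# All names and ids below are assumed placeholders.
Connect-AzAccount -Environment AzureChinaCloud

$resourceGroup = 'rg-example'                              # assumed
$vaultName     = 'kv-example-01'                           # assumed
$location      = 'chinanorth2'                             # assumed
$appObjectId   = '<object-id-of-application-principal>'    # placeholder

# HSM-backed keys require the Premium SKU. Purge protection means a deleted key
# stays recoverable for the retention period instead of being lost permanently.
New-AzKeyVault -Name $vaultName `
    -ResourceGroupName $resourceGroup `
    -Location $location `
    -Sku Premium `
    -EnablePurgeProtection

# -Destination HSM generates the key inside the HSM; it is never exported in
# plaintext. A software-protected key would use -Destination Software instead.
# The key is intended as the SQL Server TDE protector mentioned in the text.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name 'sql-tde-kek' -Destination HSM
$key.Key.Kty   # "RSA-HSM" indicates an HSM-protected key, "RSA" a software key

# Least privilege through Azure AD: the application may read key metadata and
# wrap/unwrap data-encryption keys, but cannot delete, back up, or change the key.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ObjectId $appObjectId `
    -PermissionsToKeys get, wrapKey, unwrapKey
```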

Learn more:

Virtual machine backup

Azure Backup is a scalable solution that protects your application data with zero capital investment and minimal operating costs. Application errors can corrupt your data, and human errors can introduce bugs into your applications. With Azure Backup, your virtual machines running Windows and Linux are protected.

Learn more:

Azure Site Recovery

An important part of your organization's BCDR strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

Site Recovery:

  • Simplifies your BCDR strategy — Site Recovery makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single location. Site Recovery orchestrates replication and failover but doesn't intercept your application data or have any information about it.
  • Provides flexible replication — Using Site Recovery you can replicate workloads running on Hyper-V virtual machines, VMware virtual machines, and Windows/Linux physical servers.
  • Supports failover and recovery — Site Recovery provides test failovers to support disaster recovery drills without affecting production environments. You can also run planned failovers with zero data loss for expected outages, or unplanned failovers with minimal data loss (depending on replication frequency) for unexpected disasters. After failover, you can fail back to your primary site. Site Recovery provides recovery plans that can include scripts and Azure Automation workbooks so that you can customize failover and recovery of multi-tier applications.
  • Eliminates the secondary datacenter — You can replicate to a secondary on-premises site, or to Azure. Using Azure as a destination for disaster recovery eliminates the cost and complexity of maintaining a secondary site. Replicated data is stored in Azure Storage.
  • Integrates with existing BCDR technologies — Site Recovery partners with other application BCDR features. For example, you can use Site Recovery to protect the SQL Server back end of corporate workloads. This includes native support for SQL Server AlwaysOn to manage the failover of availability groups.

Learn more:

Virtual networking

Virtual machines need network connectivity. To support that requirement, Azure requires virtual machines to be connected to an Azure Virtual Network. An Azure Virtual Network is a logical construct built on top of the physical Azure network fabric. Each logical Azure Virtual Network is isolated from all other Azure Virtual Networks. This isolation helps ensure that network traffic in your deployments is not accessible to other Microsoft Azure customers.

Learn more:

Compliance

The Azure Virtual Machines service operated by 21Vianet is certified for ISO/IEC 20000/27001, DJCP, Trusted Cloud Service Certification, GB18030, and other key compliance programs. These certifications make it easier for your own Azure applications to meet compliance requirements and for your business to address a wide range of domestic and international regulatory requirements.

Learn more: