Network security for Azure Service Bus

This article describes how to use the following security features with Azure Service Bus:

  • Service tags
  • IP firewall rules
  • Network service endpoints
  • Private endpoints

Service tags

A service tag represents a group of IP address prefixes from a given Azure service. Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. For more information about service tags, see Service tags overview.

You can use service tags to define network access controls on network security groups or Azure Firewall. Use service tags in place of specific IP addresses when you create security rules. By specifying the service tag name (for example, ServiceBus) in the appropriate source or destination field of a rule, you can allow or deny the traffic for the corresponding service.

Service tag | Purpose | Can use inbound or outbound? | Can be regional? | Can use with Azure Firewall?
ServiceBus | Azure Service Bus traffic that uses the Premium service tier. | Outbound | Yes | Yes

Note

You can use service tags only for premium namespaces. If you are using a standard namespace, use the IP address that you see when you run the following command: nslookup <host name for the namespace>. For example: nslookup contosons.servicebus.chinacloudapi.cn.

IP firewall

By default, Service Bus namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With the IP firewall, you can restrict access further to only a set of IPv4 addresses or IPv4 address ranges in CIDR (Classless Inter-Domain Routing) notation.

This feature is helpful in scenarios in which Azure Service Bus should be accessible only from certain well-known sites. Firewall rules enable you to configure rules to accept traffic originating from specific IPv4 addresses. For example, if you use Service Bus with [Azure Express Route][express-route], you can create a firewall rule to allow traffic only from your on-premises infrastructure IP addresses or the addresses of a corporate NAT gateway.

The IP firewall rules are applied at the Service Bus namespace level. Therefore, the rules apply to all connections from clients using any supported protocol. Any connection attempt from an IP address that does not match an allowed IP rule on the Service Bus namespace is rejected as unauthorized. The response does not mention the IP rule. IP filter rules are applied in order, and the first rule that matches the IP address determines the accept or reject action.
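The following model of the rule evaluation just described is an added example, not Microsoft's code or the service's implementation. It reproduces the documented behaviour (rules checked in order, first match wins, IPv4 only, non-matching clients rejected as unauthorized without the response naming a rule) so that a rule list can be sanity-checked before it is applied to a namespace. The rules, client addresses and the use of a "Deny" rule action are constructed for the illustration; the page itself only states that the first matching rule decides accept or reject.

```python
"""First-match model of Service Bus IP firewall rule evaluation (added example)."""
import ipaddress
from typing import List, Tuple

# A rule is (IPv4 address or CIDR range, action). "Deny" as a rule action is an
# assumption of this model; the text only says the first matching rule decides.
Rule = Tuple[str, str]
ParsedRule = Tuple[ipaddress.IPv4Network, str]


def parse_rules(rules: List[Rule]) -> List[ParsedRule]:
    """Validate the rule list: IPv4 only, known actions, order preserved."""
    parsed: List[ParsedRule] = []
    for mask, action in rules:
        net = ipaddress.ip_network(mask, strict=False)
        if net.version != 4:
            raise ValueError(f"Service Bus IP rules are IPv4 only: {mask}")
        if action not in ("Allow", "Deny"):
            raise ValueError(f"unknown action {action!r} for {mask}")
        parsed.append((net, action))
    return parsed


def evaluate(rules: List[ParsedRule], client_ip: str, default_action: str = "Deny") -> str:
    """Return "Allow" or "Deny" for client_ip: first matching rule wins,
    otherwise the default applies (Deny once any rule exists)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "Deny"  # unparsable address can never match a rule
    if addr.version != 4:
        return "Deny"  # no IPv4 rule can match an IPv6 client
    for net, action in rules:
        if addr in net:
            return action
    return default_action


def response_for(rules: List[ParsedRule], client_ip: str) -> str:
    """What the client observes: a generic unauthorized outcome that does not
    reveal which rule, if any, was evaluated."""
    return "accepted" if evaluate(rules, client_ip) == "Allow" else "unauthorized"


def shadowed_rules(rules: List[ParsedRule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers their entire range; with first-match semantics such rules are dead."""
    shadowed = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if net.subnet_of(earlier):
                shadowed.append(i)
                break
    return shadowed


# Constructed sample rule set using documentation (TEST-NET) ranges.
SAMPLE_RULES = parse_rules([
    ("203.0.113.0/24", "Allow"),   # corporate NAT gateway range
    ("203.0.113.77", "Deny"),      # dead: the /24 above already matched
    ("198.51.100.10", "Allow"),    # single on-premises host
])

if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.11", "2001:db8::1"):
        print(ip, evaluate(SAMPLE_RULES, ip), response_for(SAMPLE_RULES, ip))
    print("shadowed rule indices:", shadowed_rules(SAMPLE_RULES))
```

Because the first match decides, a narrow rule placed after a broader one that covers it never takes effect; `shadowed_rules` flags that case so the order can be corrected before the rule set is deployed.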

For more information, see How to configure IP firewall for a Service Bus namespace.

Network service endpoints

The integration of Service Bus with Virtual Network (VNet) service endpoints enables secure access to messaging capabilities from workloads like virtual machines that are bound to virtual networks, with the network traffic path being secured on both ends.

Once configured to be bound to at least one virtual network subnet service endpoint, the respective Service Bus namespace no longer accepts traffic from anywhere but the authorized virtual network(s). From the virtual network perspective, binding a Service Bus namespace to a service endpoint configures an isolated networking tunnel from the virtual network subnet to the messaging service.

The result is a private and isolated relationship between the workloads bound to the subnet and the respective Service Bus namespace, in spite of the observable network address of the messaging service endpoint being in a public IP range.

Important

Virtual networks are supported only in Premium tier Service Bus namespaces.

When using VNet service endpoints with Service Bus, you should not enable these endpoints in applications that mix Standard and Premium tier Service Bus namespaces, because the Standard tier does not support VNets. The endpoint is restricted to Premium tier namespaces only.

Advanced security scenarios enabled by VNet integration

Solutions that require tight and compartmentalized security, and where virtual network subnets provide the segmentation between the compartmentalized services, generally still need communication paths between services residing in those compartments.

Any immediate IP route between the compartments, including those carrying HTTPS over TCP/IP, carries the risk of exploitation of vulnerabilities from the network layer on up. Messaging services provide completely insulated communication paths, where messages are even written to disk as they transition between parties. Workloads in two distinct virtual networks that are both bound to the same Service Bus instance can communicate efficiently and reliably via messages, while the integrity of each network isolation boundary is preserved.

That means your security-sensitive cloud solutions not only gain access to Azure's industry-leading reliable and scalable asynchronous messaging capabilities, but they can now use messaging to create communication paths between secure solution compartments that are inherently more secure than what is achievable with any peer-to-peer communication mode, including HTTPS and other TLS-secured socket protocols.

Bind Service Bus to virtual networks

Virtual network rules are the firewall security feature that controls whether your Azure Service Bus server accepts connections from a particular virtual network subnet.

Binding a Service Bus namespace to a virtual network is a two-step process. You first need to create a virtual network service endpoint on a virtual network subnet and enable it for Microsoft.ServiceBus as explained in the service endpoint overview. Once you have added the service endpoint, you bind the Service Bus namespace to it with a virtual network rule.

The virtual network rule is an association of the Service Bus namespace with a virtual network subnet. While the rule exists, all workloads bound to the subnet are granted access to the Service Bus namespace. Service Bus itself never establishes outbound connections, does not need to gain access, and is therefore never granted access to your subnet by enabling this rule.
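The second step of the procedure above, expressed as the namespace network rule set that associates the subnet with the namespace, is shown in the following added example. It is not the Service Bus SDK or Microsoft's code: it assembles the `properties` body of a `Microsoft.ServiceBus/namespaces/networkRuleSets` resource (the property names `defaultAction`, `virtualNetworkRules`, `ipRules` and `ignoreMissingVnetServiceEndpoint` are taken from the Service Bus REST API as the author understands it and should be checked against the current API version before use) and validates the inputs so that a rule set cannot be produced that leaves the namespace open by default. The subscription GUID, resource group, VNet and subnet names are constructed placeholders.

```python
"""Build and validate a Service Bus namespace network rule set (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List

# Subnet resource ID shape; the Microsoft.ServiceBus service endpoint must
# already be enabled on this subnet (step one of the binding procedure).
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Network/virtualNetworks/[^/]+/subnets/[^/]+$"
)


def validate_subnet_id(subnet_id: str) -> str:
    """Reject anything that is not a full subnet resource ID."""
    if not SUBNET_ID_RE.match(subnet_id):
        raise ValueError(f"not a subnet resource ID: {subnet_id}")
    return subnet_id


def validate_ipv4_mask(mask: str) -> str:
    """IP rules accept IPv4 addresses or CIDR ranges only."""
    if ipaddress.ip_network(mask, strict=False).version != 4:
        raise ValueError(f"IP rules accept IPv4 only: {mask}")
    return mask


def build_network_rule_set(subnet_ids: Iterable[str],
                           ip_masks: Iterable[str] = (),
                           default_action: str = "Deny") -> Dict:
    """Return the networkRuleSets properties body binding the namespace to
    the given subnets (virtual network rules) and IPv4 ranges (IP rules)."""
    if default_action not in ("Allow", "Deny"):
        raise ValueError(f"defaultAction must be Allow or Deny, got {default_action!r}")
    subnet_ids = list(subnet_ids)
    ip_masks = list(ip_masks)
    if default_action == "Allow" and (subnet_ids or ip_masks):
        # Rules that can never restrict anything are almost always a mistake.
        raise ValueError("defaultAction Allow makes the listed rules ineffective")
    return {
        "properties": {
            "defaultAction": default_action,
            "virtualNetworkRules": [
                {
                    "subnet": {"id": validate_subnet_id(s)},
                    # Fail the deployment if the subnet lacks the endpoint
                    # instead of silently creating a rule that cannot work.
                    "ignoreMissingVnetServiceEndpoint": False,
                }
                for s in subnet_ids
            ],
            "ipRules": [
                {"ipMask": validate_ipv4_mask(m), "action": "Allow"}
                for m in ip_masks
            ],
        }
    }


def is_locked_down(rule_set: Dict) -> bool:
    """True when traffic not matched by a rule is denied."""
    return rule_set["properties"]["defaultAction"] == "Deny"


def bound_subnets(rule_set: Dict) -> List[str]:
    """Subnet IDs the namespace accepts connections from."""
    return [r["subnet"]["id"] for r in rule_set["properties"]["virtualNetworkRules"]]


# Constructed placeholder values; replace with your own resource IDs.
SAMPLE_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/rg-messaging/providers/Microsoft.Network"
                 "/virtualNetworks/vnet-app/subnets/snet-workers")

if __name__ == "__main__":
    import json
    print(json.dumps(build_network_rule_set([SAMPLE_SUBNET], ["203.0.113.0/24"]), indent=2))
```

The body can be submitted with an ARM or Bicep deployment or through the Azure CLI; the point of building it in code is that the default-deny check and the subnet ID validation run before anything reaches the namespace, and the workloads in `snet-workers` gain access while Service Bus itself, as noted above, is never granted access to the subnet.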

For more information, see How to configure virtual network service endpoints for a Service Bus namespace.

Private endpoints

Azure Private Link Service enables you to access Azure services (for example, Azure Service Bus, Azure Storage, and Azure Cosmos DB) and Azure-hosted customer/partner services over a private endpoint in your virtual network.

A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Azure backbone network, eliminating exposure to the public Internet. You can connect to an instance of an Azure resource, giving you the highest level of granularity in access control.

Note

This feature is supported with the premium tier of Azure Service Bus. For more information about the premium tier, see the Service Bus Premium and Standard messaging tiers article.

Next steps

See the following articles: