Security controls for Azure Service Bus Messaging

This article documents the security controls built into Azure Service Bus Messaging.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes | Documentation |
| --- | --- | --- | --- |
| Service endpoint support | Yes (Premium tier only) | VNet service endpoints are supported for the Service Bus Premium tier only. | |
| VNet injection support | No | | |
| Network isolation and firewalling support | Yes (Premium tier only) | | |
| Forced tunneling support | No | | |

Monitoring & logging

| Security control | Yes/No | Notes | Documentation |
| --- | --- | --- | --- |
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | Supported via Azure Monitor and Alerts. | |
| Control and management plane logging and audit | Yes | Operations logs are available. | Service Bus diagnostic logs |
| Data plane logging and audit | No | | |

Identity

| Security control | Yes/No | Notes | Documentation |
| --- | --- | --- | --- |
| Authentication | Yes | Managed through Azure Active Directory Managed Service Identity. | Service Bus authentication and authorization |
| Authorization | Yes | Supports authorization via RBAC and SAS tokens. | Service Bus authentication and authorization |
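As an added example (not code from this page or from the Service Bus documentation), the following shows how the SAS token named in the Authorization row is built, using the standard Service Bus SAS format (HMAC-SHA256 over the URL-encoded resource URI and the expiry), and an acceptance check a token consumer can apply so that only short-lived, correctly scoped tokens are honoured. The namespace contoso.servicebus.windows.net, the policy name listen-only and the key are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse


def build_sas_token(resource_uri: str, key_name: str, key: str, expiry: int) -> str:
    """Service Bus SAS token for resource_uri expiring at Unix time `expiry`: the
    signature is HMAC-SHA256 over "<url-encoded uri>\\n<expiry>" under the policy key."""
    sr = urllib.parse.quote_plus(resource_uri)
    digest = hmac.new(key.encode(), f"{sr}\n{expiry}".encode(), hashlib.sha256).digest()
    sig = urllib.parse.quote_plus(base64.b64encode(digest).decode("ascii"))
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn={key_name}"

def build_short_lived_token(resource_uri: str, key_name: str, key: str, ttl: int = 600) -> str:
    """Issue a token expiring ttl seconds from now; short lifetimes bound replay exposure."""
    return build_sas_token(resource_uri, key_name, key, int(time.time()) + ttl)

def parse_sas_token(token: str) -> dict:
    """Split 'SharedAccessSignature k=v&k=v' into a dict of URL-decoded fields."""
    scheme, _, query = token.partition(" ")
    if scheme != "SharedAccessSignature":
        raise ValueError("not a SharedAccessSignature token")
    return dict(urllib.parse.parse_qsl(query, strict_parsing=True))

def verify_sas_token(token: str, keys: dict, resource_uri: str, now: int, max_ttl: int) -> bool:
    """Consumer-side acceptance check: known policy key, scoped to resource_uri, valid
    signature, not expired, and expiry no more than max_ttl seconds in the future."""
    try:
        fields = parse_sas_token(token)
        sr, sig, se, skn = fields["sr"], fields["sig"], int(fields["se"]), fields["skn"]
    except (ValueError, KeyError):
        return False
    key = keys.get(skn)
    if key is None or sr != resource_uri:
        return False
    # Recompute the signature from trusted inputs and compare in constant time.
    expected_sig = parse_sas_token(build_sas_token(resource_uri, skn, key, se))["sig"]
    if not hmac.compare_digest(expected_sig, sig):
        return False
    return now < se <= now + max_ttl


# Constructed sample values: the namespace and policy key are placeholders, not real secrets.
SAMPLE_KEYS = {"listen-only": "constructed-policy-key-not-a-real-secret"}
SAMPLE_URI = "https://contoso.servicebus.windows.net/orders"
```

Calling `build_short_lived_token(SAMPLE_URI, "listen-only", SAMPLE_KEYS["listen-only"])` yields a token that `verify_sas_token` accepts for ten minutes and rejects afterwards, or immediately if the expiry, resource or policy name is altered.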

Data protection

| Security control | Yes/No | Notes | Documentation |
| --- | --- | --- | --- |
| Server-side encryption at rest: Azure-managed keys | Yes | Server-side encryption at rest is enabled by default. | |
| Server-side encryption at rest: customer-managed keys (BYOK) | Yes | A customer-managed key in Azure Key Vault can be used to encrypt the data in the Service Bus namespace at rest. | Configure customer-managed keys for encrypting Azure Service Bus data at rest by using the Azure portal |
| Column level encryption (Azure Data Services) | N/A | | |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-VNet encryption) | Yes | Supports the standard HTTPS/TLS mechanism. | |
| API calls encrypted | Yes | API calls are made through Azure Resource Manager and HTTPS. | |

Configuration management

| Security control | Yes/No | Notes | Documentation |
| --- | --- | --- | --- |
| Configuration management support (versioning of configuration, etc.) | Yes | Supports resource provider versioning through the Azure Resource Manager API. | |

Next steps