Secure and use policies on virtual machines in Azure

It's important to keep your virtual machine (VM) secure for the applications that you run. Securing your VMs can include one or more Azure services and features that cover secure access to your VMs and secure storage of your data. This article provides information that enables you to keep your VM and applications secure.


The modern threat landscape for cloud environments is dynamic, increasing the pressure to maintain effective protection in order to meet compliance and security requirements. Microsoft Antimalware for Azure is a free real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Alerts can be configured to notify you when known malicious or unwanted software attempts to install itself or run on your VM. It is not supported on VMs running Linux or Windows Server 2008.

Azure Security Center

Azure Security Center helps you prevent, detect, and respond to threats to your VMs. Security Center provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Security Center's just-in-time access can be applied across your VM deployment to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When just-in-time access is enabled and a user requests access to a VM, Security Center checks what permissions the user has for the VM. If they have the correct permissions, the request is approved and Security Center automatically configures the Network Security Groups (NSGs) to allow inbound traffic to the selected ports for a limited amount of time. After the time has expired, Security Center restores the NSGs to their previous states.


Two encryption methods are offered for managed disks: encryption at the OS level, which is Azure Disk Encryption, and encryption at the platform level, which is server-side encryption.

Server-side encryption

Azure managed disks automatically encrypt your data by default when persisting it to the cloud. Server-side encryption protects your data and helps you meet your organizational security and compliance commitments. Data in Azure managed disks is encrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

Encryption does not impact the performance of managed disks. There is no additional cost for the encryption.

You can rely on platform-managed keys for the encryption of your managed disk, or you can manage encryption using your own keys. If you choose to manage encryption with your own keys, you can specify a customer-managed key to use for encrypting and decrypting all data in managed disks.

To learn more about server-side encryption, refer to either the articles for Windows or Linux.

Azure Disk Encryption

For enhanced Windows VM and Linux VM security and compliance, virtual disks in Azure can be encrypted. Virtual disks on Windows VMs are encrypted at rest using BitLocker. Virtual disks on Linux VMs are encrypted at rest using dm-crypt.

There is no charge for encrypting virtual disks in Azure. Cryptographic keys are stored in Azure Key Vault using software protection. These cryptographic keys are used to encrypt and decrypt virtual disks attached to your VM. You retain control of these cryptographic keys and can audit their use. An Azure Active Directory service principal provides a secure mechanism for issuing these cryptographic keys as VMs are powered on and off.

Key Vault and SSH keys

Secrets and certificates can be modeled as resources and provided by Key Vault. You can use Azure PowerShell to create key vaults for Windows VMs and the Azure CLI for Linux VMs. You can also create keys for encryption.

Key vault access policies grant permissions to keys, secrets, and certificates separately. For example, you can give a user access to only keys, but no permissions for secrets. However, permissions to access keys, secrets, or certificates are assigned at the vault level. In other words, a key vault access policy does not support object-level permissions.

When you connect to VMs, you should use public-key cryptography to provide a more secure way to sign in to them. This process involves a public and private key exchange using the secure shell (SSH) command to authenticate yourself rather than a username and password. Passwords are vulnerable to brute-force attacks, especially on Internet-facing VMs such as web servers. With a secure shell (SSH) key pair, you can create a Linux VM that uses SSH keys for authentication, eliminating the need for passwords to sign in. You can also use SSH keys to connect from a Windows VM to a Linux VM.

Managed identities for Azure resources

A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping the credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code. Your code that's running on a VM can request a token from two endpoints that are accessible only from within the VM. For more detailed information about this service, review the managed identities for Azure resources overview page.
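The credential-free flow described in the Key Vault and managed identity sections above, as an added example that is not code from the original page: a VM-local token request to the Azure Instance Metadata Service (IMDS) identity endpoint, followed by a Key Vault REST read using the returned bearer token. It assumes the IMDS endpoint at 169.254.169.254 (reachable only from inside the VM) and the Key Vault REST API; the vault and secret names are placeholders, and the sample token response is constructed for offline parsing.

```python
"""Fetch a managed-identity token from IMDS and use it to read a Key Vault
secret without any credentials in the code (added example, not from the page)."""
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, Tuple

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

def build_token_request(resource: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the IMDS token request. The 'Metadata: true' header
    is required; IMDS rejects requests without it to block forwarded requests."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}

def parse_token_response(body: str, now: float) -> Dict[str, object]:
    """Validate the JSON IMDS returns and compute the remaining lifetime in
    seconds; rejects a non-Bearer token or one that has already expired."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    expires_on = int(data["expires_on"])  # Unix epoch seconds
    if expires_on <= now:
        raise ValueError("token already expired")
    return {"token": data["access_token"], "resource": data.get("resource"),
            "ttl": expires_on - int(now)}

def build_secret_request(vault_name: str, secret_name: str, token: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for reading one secret through the Key Vault REST API."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.3"
    return url, {"Authorization": f"Bearer {token}"}

def _get(url: str, headers: Dict[str, str]) -> str:
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def read_secret(vault_name: str, secret_name: str) -> str:
    """Full flow; only succeeds on an Azure VM whose managed identity holds the
    'get' secret permission on the vault (placeholder vault and secret names)."""
    url, headers = build_token_request("https://vault.azure.net")
    tok = parse_token_response(_get(url, headers), time.time())
    url, headers = build_secret_request(vault_name, secret_name, str(tok["token"]))
    return json.loads(_get(url, headers))["value"]

if __name__ == "__main__":
    print(read_secret("contoso-kv", "db-password"))  # placeholders, not real names
```

Because the token is scoped to the requested resource (here Key Vault) and the identity's vault-level access policy decides what it may read, the code never holds a long-lived credential.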


Azure policies can be used to define the desired behavior for your organization's Windows VMs and Linux VMs. By using policies, an organization can enforce various conventions and rules throughout the enterprise. Enforcement of the desired behavior can help mitigate risk while contributing to the success of the organization.

Azure role-based access control

Using Azure role-based access control (Azure RBAC), you can segregate duties within your team and grant only the amount of access to users on your VM that they need to perform their jobs. Instead of giving everybody unrestricted permissions on the VM, you can allow only certain actions. You can configure access control for the VM in the Azure portal, using the Azure CLI, or with Azure PowerShell.

Next steps

  • Walk through the steps to monitor virtual machine security by using Azure Security Center for Linux or Windows.