Security controls for Azure VPN Gateway

This article documents the security controls built into Azure VPN Gateway.

A security control is a quality or feature of an Azure service that contributes to the service's ability to prevent, detect, and respond to security vulnerabilities.

For each control, we use "Yes" or "No" to indicate whether it is currently in place for the service, and "N/A" for a control that is not applicable to the service. We might also provide a note or links to more information about an attribute.

Network

| Security control | Yes/No | Notes |
| --- | --- | --- |
| Service endpoint support | N/A | |
| VNet injection support | N/A | |
| Network Isolation and Firewalling support | Yes | VPN gateways are dedicated VM instances for each customer Virtual Network. |
| Forced tunneling support | Yes | |

Monitoring & logging

| Security control | Yes/No | Notes |
| --- | --- | --- |
| Azure monitoring support (Log Analytics, App Insights, etc.) | Yes | See Azure Monitor Metrics alert. |
| Control and management plane logging and audit | Yes | Azure Resource Manager Activity Log. |
| Data plane logging and audit | Yes | Azure Monitor Activity Logs for VPN connectivity logging and auditing. |

Identity

| Security control | Yes/No | Notes |
| --- | --- | --- |
| Authentication | Yes | Azure Active Directory for managing the service and configuring the Azure VPN gateway. |
| Authorization | Yes | Authorization is supported via RBAC. |

Data protection

| Security control | Yes/No | Notes |
| --- | --- | --- |
| Server-side encryption at rest: Azure-managed keys | N/A | VPN gateways transit customer data; they do NOT store customer data. |
| Encryption in transit (such as ExpressRoute encryption, in-VNet encryption, and VNet-to-VNet encryption) | Yes | VPN gateways encrypt customer packets between Azure VPN gateways and customer on-premises VPN devices (S2S) or VPN clients (P2S). VPN gateways also support VNet-to-VNet encryption. |
| Server-side encryption at rest: customer-managed keys (BYOK) | No | Customer-specified pre-shared keys are encrypted at rest, but are not yet integrated with CMK. |
| Column level encryption (Azure Data Services) | N/A | |
| API calls encrypted | Yes | Through Azure Resource Manager and HTTPS. |

Configuration management

| Security control | Yes/No | Notes |
| --- | --- | --- |
| Configuration management support (versioning of configuration, etc.) | Yes | For management operations, the state of an Azure VPN gateway configuration can be exported as an Azure Resource Manager template and versioned over time. |