
{
"categories": [
{
"name": "身份和訪問管理"
},
{
"name": "網路拓撲和連接"
},
{
"name": "BC 和 DR"
},
{
"name": "治理和安全"
},
{
"name": "成本治理"
},
{
"name": "運營管理"
},
{
"name": "應用程式部署"
},
{
"name": "安全"
}
],
"items": [
{
"category": "運營管理",
"guid": "974a759c-763e-47d2-9161-3a7649907e0e",
"id": "29.1",
"link": "https://github.com/Azure/fta-resiliencyplaybooks/blob/main/paas-foundations-playbooks-ASB_v1.docx",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "利用 FTA 手冊。",
"waf": "可靠性"
},
{
"category": "運營管理",
"cost": 1,
"guid": "49907e0e-338e-4e25-9c17-d32e8aaab757",
"id": "29.1",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/operational-excellence",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "在發送方和接收方端實施異地複製,以防止中斷和災難",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "1549ab81-53d8-49f8-ad17-b84b33b5a67f",
"id": "29.11",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "如果需要使用佇列和主題進行任務關鍵型消息傳送,建議使用 Service Bus Premium 和 Geo-Disaster Recovery。",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "7b9ed5b3-1f38-4c40-9a82-2c2463cf0f18",
"id": "29.12",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "為 Service Bus 命名空間實現高可用性",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "ac699ef1-d5a8-43de-9de3-2c1881470607",
"id": "29.13",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "高",
"subcategory": "最佳實踐",
"text": "確保按保證的順序傳遞相關消息",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "c5c0e4e6-1465-48d2-958e-d67139b82110",
"id": "29.14",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "低",
"subcategory": "最佳實踐",
"text": "通過 JMS API 評估不同的 Java Messaging Service JMS 功能",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "2df26ee4-11e6-4f88-9e52-f4722dd68c5b",
"id": "29.15",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "低",
"subcategory": "最佳實踐",
"text": "使用 .NET Nuget 包與服務總線消息傳送實體通信",
"waf": "可靠性"
},
{
"category": "運營管理",
"guid": "5c2521e5-4a69-4b9d-939a-c4e7c68d1d75",
"id": "29.16",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "在發送或接收消息時實現瞬態故障處理的彈性",
"waf": "可靠性"
},
{
"category": "運營管理",
"description": "對於從門戶創建的新 SB 命名空間,在支援可用區的區域中使用 Premium SKU 時會自動啟用此功能。服務總線元數據和消息數據都會在可用性區域配置中的數據中心之間複製",
"guid": "338ee253-c17d-432e-aaaa-b7571549ab81",
"id": "29.2",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#availability-zones",
"severity": "高",
"subcategory": "最佳實踐",
"text": "利用可用區(如果區域適用)",
"waf": "可靠性"
},
{
"category": "運營管理",
"description": "如果啟用,則實施到次要區域的命名空間元數據複製。不複製佇列/主題消息數據。僅限高級 SKU。",
"guid": "53d89f89-d17b-484b-93b5-a67f7b9ed5b3",
"id": "29.3",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters#geo-disaster-recovery",
"severity": "中等",
"subcategory": "異地災難恢復",
"text": "規劃區域故障期間的元數據複製",
"waf": "可靠性"
},
{
"category": "運營管理",
"description": "如果無法容忍中斷,請不要使用內置元數據複製選項。利用複製模式跨兩組或多組跨區域命名空間複製服務總線消息",
"guid": "1f38c403-a822-4c24-93cf-0f18ac699ef1",
"id": "29.4",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-federation-overview",
"severity": "中等",
"subcategory": "異地災難恢復",
"text": "規劃區域故障期間的消息複製",
"waf": "可靠性"
},
{
"category": "運營管理",
"description": "Azure 服務總線使用消息代理來處理發送到服務總線佇列或主題的消息。默認情況下,發送到佇列或主題的所有消息都由同一消息代理進程處理。此體系結構可能會限制消息佇列的總體輸送量。但是,您也可以在創建佇列或主題時對其進行分區",
"guid": "d5a83de4-de32-4c18-a147-0607c5c0e4e6",
"id": "29.5",
"link": "https://learn.microsoft.com/azure/architecture/best-practices/data-partitioning-strategies#partitioning-azure-service-bus",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "對於需要高輸送量的應用程式,請使用分區(Partitioning)",
"waf": "可靠性"
},
{
"category": "運營管理",
"cost": 1,
"guid": "14658d24-58ed-4671-99b8-21102df26ee4",
"id": "29.6",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-outages-disasters",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "評估 Azure 服務總線的頂級權益",
"waf": "可靠性"
},
{
"category": "運營管理",
"cost": 1,
"guid": "11e6f883-e52f-4472-8dd6-8c5b5c2521e5",
"id": "29.7",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-messaging-exceptions",
"severity": "高",
"subcategory": "最佳實踐",
"text": "確保正確處理 Service Bus 消息收發異常",
"waf": "可靠性"
},
{
"category": "運營管理",
"cost": 1,
"guid": "4a69b9d3-39ac-44e7-a68d-1d75657202b4",
"id": "29.8",
"link": "https://learn.microsoft.com/azure/well-architected/service-guides/service-bus/reliability#checklist",
"severity": "中等",
"subcategory": "最佳實踐",
"text": "使用高級消息佇列協定(AMQP)連接到服務總線,並盡可能使用服務終結點或專用終結點。",
"waf": "可靠性"
},
{
"category": "運營管理",
"cost": 1,
"guid": "f4564b4d-974a-4759-a763-e7d261613a76",
"id": "29.9",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-performance-improvements?tabs=net-standard-sdk-2",
"severity": "高",
"subcategory": "最佳實踐",
"text": "查看使用 Service Bus 消息傳送提高性能的最佳做法",
"waf": "可靠性"
},
{
"category": "安全",
"description": "Azure 服務總線高級版提供靜態數據加密。如果您使用自己的金鑰,則數據仍使用 Microsoft 管理的金鑰進行加密,但此外,Microsoft 管理的金鑰將使用客戶管理的金鑰進行加密。",
"guid": "87af4a79-1f89-439b-ba47-768e14c11567",
"id": "A01.01",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/configure-customer-managed-key",
"service": "Service Bus",
"severity": "低",
"subcategory": "數據保護",
"text": "需要時,在靜態數據加密中使用客戶管理的金鑰選項",
"training": "https://learn.microsoft.com/learn/modules/plan-implement-administer-conditional-access/",
"waf": "安全"
},
{
"category": "安全",
"description": "用戶端應用程式與 Azure 服務總線命名空間之間的通信使用傳輸層安全性(TLS)進行加密。Azure 服務總線命名空間允許用戶端使用 TLS 1.0 及更高版本發送和接收數據。若要強制實施更嚴格的安全措施,可以將服務總線命名空間配置為要求用戶端使用較新版本的 TLS 發送和接收數據。",
"guid": "5c1ea55b-46a9-448f-b8ae-7d7e4b475b6c",
"id": "A01.02",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/transport-layer-security-enforce-minimum-version",
"service": "Service Bus",
"severity": "中等",
"subcategory": "數據保護",
"text": "對請求強制實施最低要求的傳輸層安全性(TLS)版本",
"training": "https://learn.microsoft.com/learn/modules/secure-aad-users-with-mfa/",
"waf": "安全"
},
{
"category": "安全",
"description": "創建服務總線命名空間時,會自動為命名空間創建名為 RootManageSharedAccessKey 的 SAS 規則。此策略具有整個命名空間的 Manage 許可權。建議您將此規則視為管理根帳戶,不要在應用程式中使用它。建議使用 AAD 作為 RBAC 的身份驗證提供程式。",
"guid": "8bcbf59b-ce65-4de8-a03f-97879468d66a",
"id": "A02.01",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-sas#shared-access-authorization-policies",
"service": "Service Bus",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "避免在不需要時使用 root 帳戶",
"training": "https://learn.microsoft.com/learn/paths/azure-administrator-manage-identities-governance/",
"waf": "安全"
},
{
"category": "安全",
"description": "在 Azure 應用服務應用程式內或在啟用了 Azure 資源支援的託管實體的虛擬機中運行的服務總線用戶端應用不需要處理 SAS 規則和密鑰或任何其他存取權杖。用戶端應用程式只需要 Service Bus Messaging 命名空間的終結點位址。",
"guid": "786d60f9-6c96-4ad8-a55d-04c2b39c986b",
"id": "A02.02",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-managed-service-identity",
"service": "Service Bus",
"severity": "中等",
"subcategory": "身份和訪問管理",
"text": "如果可能,應用程式應使用託管標識向 Azure 服務總線進行身份驗證。如果無法使用,請考慮將憑據(SAS、服務主體憑據)存儲在 Azure Key Vault 或等效服務中",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"waf": "安全"
},
{
"category": "安全",
"description": "創建許可權時,請對用戶端對 Azure 服務總線的訪問提供精細控制。Azure 服務總線中的許可權可以而且應該限定為單個資源級別,例如佇列、主題或訂閱。",
"guid": "f615658d-e558-4f93-9249-b831112dbd7e",
"id": "A02.03",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/authenticate-application#azure-built-in-roles-for-azure-service-bus",
"service": "Service Bus",
"severity": "高",
"subcategory": "身份和訪問管理",
"text": "使用最低許可權數據平面 RBAC",
"training": "https://learn.microsoft.com/learn/modules/explore-basic-services-identity-types/",
"waf": "安全"
},
{
"category": "安全",
"description": "Azure 服務總線資源日誌包括操作日誌、虛擬網路和 IP 篩選日誌。運行時審核日誌捕獲服務總線中各種數據平面訪問操作(例如發送或接收消息)的聚合診斷資訊。",
"guid": "af12e7f9-43f6-4304-922d-929c2b1cd622",
"id": "A03.01",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/monitor-service-bus-reference",
"service": "Service Bus",
"severity": "中等",
"subcategory": "監測",
"text": "啟用記錄以進行安全調查。使用 Azure Monitor 追蹤資源紀錄和執行時審核紀錄(目前僅在進階層中可用)",
"training": "https://learn.microsoft.com/learn/paths/manage-identity-and-access/",
"waf": "安全"
},
{
"category": "安全",
"description": "默認情況下,Azure 服務總線具有公共 IP 位址,並且可通過 Internet 訪問。專用終結點允許虛擬網路與 Azure 服務總線之間的流量遍歷 Microsoft 主幹網路。除此之外,如果未使用公有終端節點,則應禁用這些終端節點。",
"guid": "9ae669ca-48e4-4a85-b222-3ece8bb12307",
"id": "A04.01",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/private-link-service",
"service": "Service Bus",
"severity": "中等",
"subcategory": "聯網",
"text": "請考慮使用專用終結點訪問 Azure 服務總線,並在適用時禁用公用網路訪問。",
"training": "https://learn.microsoft.com/learn/modules/azure-ad-privileged-identity-management/",
"waf": "安全"
},
{
"category": "安全",
"description": "使用 IP 防火牆,您可以將公有終端節點進一步限制為僅一組 IPv4 位址或 CIDR(無類域間路由)表示法的 IPv4 位址範圍。",
"guid": "ca5f06f1-58e3-4ea3-a92c-2de7e2165c3a",
"id": "A04.02",
"link": "https://learn.microsoft.com/azure/service-bus-messaging/service-bus-ip-filtering",
"service": "Service Bus",
"severity": "中等",
"subcategory": "聯網",
"text": "請考慮僅允許從特定 IP 位址或範圍訪問 Azure 服務總線命名空間",
"training": "https://learn.microsoft.com/learn/paths/implement-resource-mgmt-security/",
"waf": "安全"
}
],
"metadata": {
"name": "Service Bus Review Checklist",
"state": "Preview",
"timestamp": "September 17, 2024",
"waf": "all"
},
"severities": [
{
"name": "高"
},
{
"name": "中等"
},
{
"name": "低"
}
],
"status": [
{
"description": "尚未查看此檢查",
"name": "未驗證"
},
{
"description": "存在與此檢查關聯的操作項",
"name": "打開"
},
{
"description": "此檢查已經過驗證,沒有與之關聯的其他操作項",
"name": "實現"
},
{
"description": "建議已理解,但當前要求不需要",
"name": "不需要"
},
{
"description": "不適用於當前設計",
"name": "不適用"
}
],
"waf": [
{
"name": "可靠性"
},
{
"name": "安全"
},
{
"name": "成本"
},
{
"name": "操作"
},
{
"name": "性能"
}
],
"yesno": [
{
"name": "是的"
},
{
"name": "不"
}
]
}