Architectural considerations for Functions


Problem description

Currently designing an MVC webapp that has multiple functions with PII sensitive data so security is key on data.

I'm thrashing design decisions at the moment and considering the following options;

1. Deploy Isolated App Service Env and deploy Web App with all associated functions within the Isolated ASE. I'll call SQL PaaS externally through outbound IPs to secured segregated firewalled PaaS.

2. Deploy Service Plans for different parts of the service with data processing functions being in a dedicated ASP and Web Hook based functions in another ASP. I'm thinking that I'd access via restricted outbound IPs into each Service Plan?

Do both of the above options architecturally work and keep me secure OR am I missing the point around how Azure Functions are supposed to sit within a cloud app?

Recommended answer

Both options should work. 

You also have the option of specific IP restrictions for Function Apps.

This will allow you to only allow specific IPs to your function and would make it much easier, at least in my opinion. Otherwise, doing an Isolated ASE, you can even add your SQL DB into the same Vnet so they have connectivity.

If the goal is to completely isolate then I would go with the ASE. Otherwise, I would just implement IP restrictions so only specific IPs can contact your function.  
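
An added example, not part of the original answer: a small offline check of a Function App IP restriction list before it is deployed. It models the rule semantics as an assumption (lowest priority number first, first match wins, implicit deny once any rule exists); the `ipSecurityRestrictions` field names are assumed, and every rule name and address is constructed.

```python
import ipaddress

# Constructed sample shaped like a Function App's ipSecurityRestrictions list
# (field names assumed); every name and address is made up.
SAMPLE_RULES = [
    {"name": "block-scanner", "ipAddress": "203.0.113.66/32", "action": "Deny", "priority": 50},
    {"name": "office", "ipAddress": "203.0.113.0/24", "action": "Allow", "priority": 100},
    {"name": "partner-webhook", "ipAddress": "198.51.100.7/32", "action": "Allow", "priority": 200},
    {"name": "vpn-host", "ipAddress": "203.0.113.20/32", "action": "Deny", "priority": 300},
    {"name": "temp-debug", "ipAddress": "0.0.0.0/0", "action": "Allow", "priority": 900},
]

def _ordered(rules):
    """Pair each rule with its parsed network, lowest priority number first."""
    ranked = sorted(rules, key=lambda r: r["priority"])
    return [(r, ipaddress.ip_network(r["ipAddress"], strict=False)) for r in ranked]

def evaluate(rules, client_ip):
    """Return (action, rule_name): first match wins; a non-empty list ends in an implicit deny."""
    if not rules:
        return ("Allow", "no-restrictions")  # no rules at all means the app is open
    addr = ipaddress.ip_address(client_ip)
    for rule, net in _ordered(rules):
        if addr.version == net.version and addr in net:
            return (rule["action"], rule["name"])
    return ("Deny", "implicit-deny-all")

def audit(rules, max_hosts=256):
    """Flag Allow rules wider than max_hosts addresses and rules an earlier rule makes unreachable."""
    findings, seen = [], []
    for rule, net in _ordered(rules):
        if rule["action"] == "Allow" and net.num_addresses > max_hosts:
            findings.append(("broad-allow", rule["name"]))
        for earlier, enet in seen:
            # A rule fully inside an earlier rule's range can never be the first match.
            if net.version == enet.version and net.subnet_of(enet):
                findings.append(("shadowed-by:" + earlier["name"], rule["name"]))
                break
        seen.append((rule, net))
    return findings

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.66", "203.0.113.20", "192.0.2.1"):
        print(ip, evaluate(SAMPLE_RULES, ip))
    print(audit(SAMPLE_RULES))
```

In the sample, the leftover `temp-debug` rule admits any address that no earlier rule matched, and the `vpn-host` deny never takes effect because the `office` allow matches first.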

