Connecting to on-premises data sources with On-premises data gateway

The on-premises data gateway provides secure data transfer between on-premises data sources and your Azure Analysis Services servers in the cloud. In addition to working with multiple Azure Analysis Services servers in the same region, the latest version of the gateway also works with Azure Logic Apps, Power BI, Power Apps, and Power Automate. While the gateway you install is the same across all of these services, Azure Analysis Services and Logic Apps have some additional steps.

Information provided here is specific to how Azure Analysis Services works with the On-premises Data Gateway. To learn more about the gateway in general and how it works with other services, see What is an on-premises data gateway?.

For Azure Analysis Services, getting set up with the gateway the first time is a four-part process:

  • Download and run setup - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your tenant's Azure AD. Azure B2B (guest) accounts are not supported.

  • Register your gateway - In this step, you specify a name and recovery key for your gateway and select a region, registering your gateway with the Gateway Cloud Service. Your gateway resource can be registered in any region, but it's recommended that it be in the same region as your Analysis Services servers.

  • Create a gateway resource in Azure - In this step, you create a gateway resource in Azure.

  • Connect your servers to your gateway resource - Once you have a gateway resource, you can begin connecting servers to it. You can connect multiple servers and other resources provided they are in the same region.

How it works

The gateway you install on a computer in your organization runs as a Windows service, On-premises data gateway. This local service is registered with the Gateway Cloud Service through Azure Service Bus. You then create an On-premises data gateway resource for your Azure subscription. Your Azure Analysis Services servers are then connected to your Azure gateway resource. When models on your server need to connect to your on-premises data sources for queries or processing, a query and data flow traverses the gateway resource, Azure Service Bus, the local on-premises data gateway service, and your data sources.

Queries and data flow:

  1. A query is created by the cloud service with the encrypted credentials for the on-premises data source. It's then sent to a queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data sources with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source, back to the gateway, and then onto the cloud service and your server.

Installing

When installing for an Azure Analysis Services environment, it's important you follow the steps described in Install and configure on-premises data gateway for Azure Analysis Services. This article is specific to Azure Analysis Services. It includes additional steps required to set up an On-premises data gateway resource in Azure, and connect your Azure Analysis Services server to the resource.

Ports and communication settings

The gateway creates an outbound connection to Azure Service Bus. It communicates on the following outbound TCP ports: 443 (default), 5671, 5672, and 9350 through 9354. The gateway does not require inbound ports.

You may need to include IP addresses for your data region in your firewall. You can download the Azure Datacenter IP list. This list is updated weekly. The IP addresses listed in the Azure Datacenter IP list are in CIDR notation. To learn more, see Classless Inter-Domain Routing.

The following are fully qualified domain names used by the gateway.

| Domain names | Outbound ports | Description |
|---|---|---|
| *.powerbi.cn | 80 | HTTP used to download the installer. |
| *.powerbi.cn | 443 | HTTPS |
| *.analysis.chinacloudapi.cn | 443 | HTTPS |
| *.login.chinacloudapi.cn, login.live.com, aadcdn.msauth.net | 443 | HTTPS |
| *.servicebus.chinacloudapi.cn | 5671-5672 | Advanced Message Queuing Protocol (AMQP) |
| *.servicebus.chinacloudapi.cn | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition) |
| *.frontend.clouddatahub.net | 443 | HTTPS |
| *.core.chinacloudapi.cn | 443 | HTTPS |
| login.chinacloudapi.cn | 443 | HTTPS |
| *.msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
| *.microsoftonline-p.com | 443 | Used for authentication depending on configuration. |
| dc.services.visualstudio.com | 443 | Used by AppInsights to collect telemetry. |

Forcing HTTPS communication with Azure Service Bus

You can force the gateway to communicate with Azure Service Bus by using HTTPS instead of direct TCP; however, doing so can greatly reduce performance. To do so, edit the Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file and change the value from AutoDetect to Https. This file is typically located at C:\Program Files\On-premises data gateway.

<setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
    <value>Https</value>
</setting>
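
The following PowerShell check is an added example, not part of the original article or of the gateway's own tooling. Run on the gateway machine, it reports the current ServiceBusSystemConnectivityModeString value and tests the outbound ports listed under "Ports and communication settings". The `$ServiceBusHost` value is a placeholder to replace, because the page lists only the wildcard *.servicebus.chinacloudapi.cn, and the default `$ConfigPath` assumes the typical install location given above.

```powershell
# Added example: audit the gateway host's Service Bus connectivity mode and
# outbound reachability. Read-only; it changes no configuration.
param(
    # Assumption: the typical install location named on this page.
    [string]$ConfigPath = 'C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config',
    # Placeholder: supply the concrete Service Bus host name your gateway uses.
    [string]$ServiceBusHost = '<your-namespace>.servicebus.chinacloudapi.cn'
)

# 1. Report the configured connectivity mode (AutoDetect or Https).
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$setting = $config.SelectSingleNode("//setting[@name='ServiceBusSystemConnectivityModeString']")
if ($null -eq $setting) {
    Write-Warning "ServiceBusSystemConnectivityModeString not found in $ConfigPath"
} else {
    Write-Output "Service Bus connectivity mode: $($setting.InnerText.Trim())"
}

# 2. Test the outbound TCP ports from the table. Only fixed host names are
#    listed here; wildcard entries need a concrete host to be testable.
$targets = @(
    @{ Name = 'login.chinacloudapi.cn';       Ports = @(443) }
    @{ Name = 'login.live.com';               Ports = @(443) }
    @{ Name = 'aadcdn.msauth.net';            Ports = @(443) }
    @{ Name = 'dc.services.visualstudio.com'; Ports = @(443) }
    @{ Name = $ServiceBusHost;                Ports = @(443, 5671, 5672) + (9350..9354) }
)

$results = foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        # TcpTestSucceeded is $false when DNS fails or the firewall blocks the port.
        $r = Test-NetConnection -ComputerName $t.Name -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $t.Name
            Port      = $port
            Reachable = $r.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize
```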

Next steps

The following articles are included in the On-premises data gateway general content that applies to all services the gateway supports: