Networking considerations for an App Service Environment

Overview

Azure App Service Environment is a deployment of Azure App Service into a subnet in your Azure virtual network (VNet). There are two deployment types for an App Service Environment (ASE):

  • External ASE: Exposes the ASE-hosted apps on an internet-accessible IP address. For more information, see Create an External ASE.
  • ILB ASE: Exposes the ASE-hosted apps on an IP address inside your VNet. The internal endpoint is an internal load balancer (ILB), which is why it's called an ILB ASE. For more information, see Create and use an ILB ASE.

All ASEs, External and ILB, have a public VIP that is used for inbound management traffic and as the source address when the ASE makes calls to the internet. Calls from the ASE to the internet leave the VNet through the VIP assigned to the ASE, so the public IP of that VIP is the source IP for all such calls. If the apps in your ASE call resources in your VNet or across a VPN, the source IP is one of the addresses in the subnet used by your ASE. Because the ASE is within the VNet, it can reach resources in the VNet without additional configuration, and if the VNet is connected to your on-premises network, apps in the ASE can reach resources there as well.

External ASE

If you have an External ASE, the public VIP is also the endpoint that your ASE apps resolve to for:

  • HTTP/S
  • FTP/S
  • Web deployment
  • Remote debugging

ILB ASE

If you have an ILB ASE, the ILB address is the endpoint for HTTP/S, FTP/S, web deployment, and remote debugging.

ASE subnet size

The size of the subnet used to host an ASE cannot be changed after the ASE is deployed. The ASE uses one address for each infrastructure role and one for each Isolated App Service plan instance. Azure Networking also reserves five addresses in every subnet that is created. An ASE with no App Service plans at all uses 12 addresses before you create an app; an ILB ASE uses 13. As you scale out, infrastructure roles are added at every multiple of 15 and 20 App Service plan instances.

Note

Nothing else can be in the subnet but the ASE. Be sure to choose an address space that allows for future growth; you can't change it later. We recommend a /24, which has 256 addresses.

When you scale up or down, new roles of the appropriate size are added and your workloads are migrated from the current size to the target size. The original VMs are removed only after the workloads have been migrated. If you had an ASE with 100 App Service plan instances, there would be a period where you need double the number of VMs. That is why we recommend a /24 to accommodate any changes you might require.
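The sizing rules above are easy to get wrong when the subnet is small, so here is an added example (not part of the original page) that turns them into a calculator. It uses only the figures stated on this page; the reading of "every multiple of 15 and 20" as one extra role per multiple of each, and the assumption that infrastructure roles are not duplicated while a scale-up is in progress, are assumptions of this example and are marked as such in the code.

```python
import ipaddress

# Figures stated on this page: Azure Networking reserves 5 addresses in every
# subnet; an External ASE with no App Service plans uses 12 addresses and an
# ILB ASE 13 (both already include the 5 reserved); each Isolated plan instance
# takes one more address; infrastructure roles are added at every multiple of
# 15 and 20 plan instances.
BASE_ADDRESSES = {"External": 12, "ILB": 13}


def infra_role_count(instances: int) -> int:
    """Assumption: one infrastructure role per multiple of 15 instances plus
    one per multiple of 20, which is how the page's wording is read here."""
    return instances // 15 + instances // 20


def addresses_in_use(instances: int, kind: str = "External") -> int:
    """Steady-state address consumption of the ASE subnet."""
    return BASE_ADDRESSES[kind] + instances + infra_role_count(instances)


def peak_addresses_during_scale_up(instances: int, kind: str = "External") -> int:
    """While scaling up or down every plan instance exists twice until the
    workloads have migrated, so budget a second address per instance.
    Assumption: infrastructure roles are not duplicated during the move."""
    return addresses_in_use(instances, kind) + instances


def subnet_capacity(prefix: str) -> int:
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def fits(prefix: str, instances: int, kind: str = "External",
         during_scale_up: bool = True) -> bool:
    need = (peak_addresses_during_scale_up(instances, kind) if during_scale_up
            else addresses_in_use(instances, kind))
    return need <= subnet_capacity(prefix)


def max_instances(prefix: str, kind: str = "External",
                  during_scale_up: bool = True) -> int:
    """Largest plan instance count the subnet can hold; with during_scale_up
    the count still leaves room for a scale-up of that size."""
    n = 0
    while fits(prefix, n + 1, kind, during_scale_up):
        n += 1
    return n


def report(prefix: str, kind: str = "External") -> str:
    return (f"{prefix} ({subnet_capacity(prefix)} addresses, {kind} ASE): "
            f"{max_instances(prefix, kind, False)} instances at steady state, "
            f"{max_instances(prefix, kind, True)} if a scale-up must fit")


if __name__ == "__main__":
    for prefix in ("10.0.1.0/24", "10.0.1.0/25", "10.0.1.0/26"):
        print(report(prefix))
```

The page's own example of 100 instances needs 123 addresses at steady state and 223 during a scale-up, which is why a /25 looks sufficient on day one and then fails the first time you change the plan size.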

ASE dependencies

ASE inbound dependencies

Just for the ASE to operate, the following ports must be open:

Use                           From                               To
Management                    App Service management addresses   ASE subnet: 454, 455
ASE internal communication    ASE subnet: all ports              ASE subnet: all ports
Allow Azure load balancer in  Azure load balancer                ASE subnet: 16001

Two other ports can show as open on a port scan, 7654 and 1221. They reply with an IP address and nothing more, and can be blocked if desired.

Inbound management traffic provides command and control of the ASE in addition to system monitoring. The source addresses for this traffic are listed in the ASE management addresses document. Your network security configuration must allow access from those addresses on ports 454 and 455; if you block them, the ASE becomes unhealthy and is then suspended. The TCP traffic that comes in on ports 454 and 455 must go back out from the same VIP, or you will have an asymmetric routing problem.

Within the ASE subnet, many ports are used for internal component communication, and they can change. All ports in the ASE subnet must therefore be reachable from the ASE subnet.

For communication between the Azure load balancer and the ASE subnet, the minimum ports that must be open are 454, 455 and 16001. Port 16001 is used for keep-alive traffic between the load balancer and the ASE. With an ILB ASE you can lock traffic down to just 454, 455 and 16001; with an External ASE you also need to take the normal app access ports into account.

The other ports you need to concern yourself with are the application ports:

Use                              Ports
HTTP/HTTPS                       80, 443
FTP/FTPS                         21, 990, 10001-10020
Visual Studio remote debugging   4020, 4022, 4024
Web Deploy service               8172

If you block the application ports, your ASE can still function but your apps might not. If you use app-assigned IP addresses with an External ASE, you must allow traffic from the IPs assigned to your apps to the ASE subnet on the ports shown in the ASE portal > IP addresses page.

ASE outbound dependencies

For outbound access, an ASE depends on multiple external systems. Many of those dependencies are defined by DNS name and don't map to a fixed set of IP addresses, so the ASE requires outbound access from the ASE subnet to all external IPs across a variety of ports.

The ASE communicates out to internet-accessible addresses on the following ports:

Use                                    Ports
DNS                                    53
NTP                                    123
CRL, Windows updates, Azure services   80, 443
Azure SQL                              1433
Monitoring                             12000

The outbound dependencies are listed in the document that describes locking down App Service Environment outbound traffic. If the ASE loses access to its dependencies, it stops working; when that lasts long enough, the ASE is suspended.

Customer DNS

If the VNet is configured with a customer-defined DNS server, the tenant workloads use it; the ASE itself uses Azure DNS for management purposes. Any customer-selected DNS server must be reachable from the subnet that contains the ASE.

To test DNS resolution from your web app, use the console command nameresolver. Go to the debug console of your app's SCM site, or open the app in the portal and select Console. From the shell prompt, run nameresolver with the DNS name you want to look up. The result is the same as what your app gets when it makes the same lookup. If you use nslookup instead, the lookup goes through Azure DNS rather than your configured DNS server.

If you change the DNS setting of the VNet that your ASE is in, you need to reboot your ASE. To avoid that, configure the DNS settings for your VNet before you create your ASE.

Portal dependencies

In addition to the ASE functional dependencies, a few extra items relate to the portal experience. Some capabilities in the Azure portal depend on direct access to the SCM site. Every app in Azure App Service has two URLs: the first is used to reach the app itself, the second reaches the SCM site, also called the Kudu console. Features that use the SCM site include:

  • Web jobs
  • Functions
  • Log streaming
  • Kudu
  • Extensions
  • Process Explorer
  • Console

When you use an ILB ASE, the SCM site isn't accessible from outside the VNet, so capabilities that need the SCM site do not work from the app portal. You can connect to the SCM site directly instead of using the portal.

If your ILB ASE has the domain name contoso.appserviceenvironment.cn and your app is named testapp, the app is reached at testapp.contoso.appserviceenvironment.cn and its SCM site at testapp.scm.contoso.appserviceenvironment.cn.

ASE IP addresses

An ASE has a few IP addresses to be aware of:

  • Public inbound IP address: Used for app traffic in an External ASE, and for management traffic in both an External ASE and an ILB ASE.
  • Outbound public IP: Used as the source IP for outbound connections from the ASE that leave the VNet and aren't routed down a VPN.
  • ILB IP address: Exists only in an ILB ASE.
  • App-assigned IP-based SSL addresses: Only possible with an External ASE, and only when IP-based SSL is configured.

All these IP addresses are visible in the Azure portal from the ASE UI. If you have an ILB ASE, the IP for the ILB is listed.

Note

These IP addresses will not change so long as your ASE stays up and running. If your ASE becomes suspended and is later restored, the addresses it uses will change. The usual cause of suspension is blocking inbound management access or blocking access to an ASE dependency.

[Figure: IP addresses]

App-assigned IP addresses

With an External ASE, you can assign IP addresses to individual apps; you can't with an ILB ASE. For more information on how to configure your app to have its own IP address, see Bind an existing custom SSL certificate to Azure App Service.

When an app has its own IP-based SSL address, the ASE reserves two ports that map to that IP address, one for HTTP and one for HTTPS. Those ports are listed in the ASE UI in the IP addresses section. Traffic must be able to reach those ports from the VIP, or the apps are inaccessible. Keep this requirement in mind when you configure Network Security Groups (NSGs).

Network Security Groups

Network Security Groups provide the ability to control network access within a VNet. When you use the portal, there's an implicit deny rule at the lowest priority that denies everything; what you build are your allow rules.

In an ASE, you don't have access to the VMs that host the ASE itself; they're in a Microsoft-managed subscription. To restrict access to the apps on the ASE, set NSGs on the ASE subnet. In doing so, pay careful attention to the ASE dependencies: if you block any of them, the ASE stops working.

NSGs can be configured through the Azure portal or via PowerShell. The information here shows the Azure portal, where you create and manage NSGs as a top-level resource under Networking.

The required entries in an NSG, for an ASE to function, are to allow traffic:

Inbound

  • from the IP service tag AppServiceManagement on ports 454, 455
  • from the load balancer on port 16001
  • from the ASE subnet to the ASE subnet on all ports

Outbound

  • to all IPs on port 123
  • to all IPs on ports 80, 443
  • to the IP service tag AzureSQL on port 1433
  • to all IPs on port 12000
  • to the ASE subnet on all ports

The DNS port does not need to be added, because traffic to DNS is not affected by NSG rules. These entries do not include the ports your apps need for normal use. The normal app access ports are:

Use                              Ports
HTTP/HTTPS                       80, 443
FTP/FTPS                         21, 990, 10001-10020
Visual Studio remote debugging   4020, 4022, 4024
Web Deploy service               8172

When the inbound and outbound requirements are taken into account, the NSGs should look similar to the ones shown in this example.

[Figure: Inbound security rules]

A default rule enables the IPs in the VNet to talk to the ASE subnet, and another default rule enables the load balancer, also known as the public VIP, to communicate with the ASE. To see the default rules, select Default rules next to the Add icon. If you put a deny-everything-else rule ahead of the default rules, you also block traffic between the VIP and the ASE. So if you want to block traffic coming from inside the VNet, first add your own inbound allow rule with source AzureLoadBalancer, destination Any and port range *, and place your deny rule after it. Because the NSG is applied to the ASE subnet, you don't need to be specific in the destination.

If you assigned an IP address to your app, make sure you keep its ports open. To see the ports, select App Service Environment > IP addresses.

All the items shown in the following outbound rules are needed, except for the last one. They enable network access to the ASE dependencies noted earlier in this article; if you block any of them, your ASE stops working. The last item in the list lets your ASE communicate with other resources in your VNet.

[Figure: Outbound security rules]

After your NSGs are defined, assign them to the subnet that your ASE is on. If you don't remember the ASE VNet or subnet, you can see it on the ASE portal page. To assign the NSG to your subnet, go to the subnet UI and select the NSG.
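Before assigning an NSG to the ASE subnet, it is worth checking the rule set against the dependency list above rather than discovering a blocked port when the ASE is suspended. The following added example (not code from the original page or from Azure) models NSG evaluation, first match in priority order with Azure's default rules at 65000 to 65500, and checks a candidate rule set against one representative flow per dependency on this page. The VNet and subnet addresses, the role addresses 10.0.1.10 and 10.0.1.11, and the simplified service-tag semantics (a tag matches itself or *, VirtualNetwork means inside the VNet, Internet means outside it, and AppServiceManagement and AzureSQL count as public) are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")       # assumed
ASE_SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumed
PUBLIC_SERVICE_TAGS = {"AppServiceManagement", "AzureSQL"}  # public ranges, so also "Internet"


@dataclass(frozen=True)
class Rule:
    priority: int     # lower number is evaluated first
    direction: str    # "Inbound" or "Outbound"
    action: str       # "Allow" or "Deny"
    source: str       # CIDR, service tag, or "*"
    destination: str  # CIDR, service tag, or "*"
    ports: str        # destination ports: "*", "454-455", "80,443"


@dataclass(frozen=True)
class Flow:
    direction: str
    source: str       # IP address or service tag
    destination: str  # IP address or service tag
    port: int
    label: str


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def endpoint_matches(spec: str, endpoint: str) -> bool:
    """Simplified service-tag semantics (see lead-in)."""
    if spec in ("*", endpoint):
        return True
    if spec == "Internet" and endpoint in PUBLIC_SERVICE_TAGS:
        return True
    try:
        addr = ipaddress.ip_address(endpoint)
    except ValueError:
        return False          # endpoint is a tag different from spec
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    try:
        return addr in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False          # spec is some other tag


# Azure's default rules, present in every NSG.
DEFAULT_RULES = [
    Rule(65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*"),
    Rule(65500, "Inbound", "Deny", "*", "*", "*"),
    Rule(65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule(65001, "Outbound", "Allow", "*", "Internet", "*"),
    Rule(65500, "Outbound", "Deny", "*", "*", "*"),
]

# One representative flow per dependency on this page (constructed sample data;
# 203.0.113.10 is an arbitrary internet address from TEST-NET-3).
REQUIRED_FLOWS = [
    Flow("Inbound", "AppServiceManagement", "10.0.1.10", 454, "management 454"),
    Flow("Inbound", "AppServiceManagement", "10.0.1.10", 455, "management 455"),
    Flow("Inbound", "AzureLoadBalancer", "10.0.1.10", 16001, "load balancer keep-alive 16001"),
    Flow("Inbound", "10.0.1.11", "10.0.1.10", 9999, "intra-subnet inbound"),
    Flow("Outbound", "10.0.1.10", "203.0.113.10", 123, "NTP 123"),
    Flow("Outbound", "10.0.1.10", "203.0.113.10", 443, "CRL/Windows Update/Azure 443"),
    Flow("Outbound", "10.0.1.10", "AzureSQL", 1433, "Azure SQL 1433"),
    Flow("Outbound", "10.0.1.10", "203.0.113.10", 12000, "monitoring 12000"),
    Flow("Outbound", "10.0.1.10", "10.0.1.11", 9999, "intra-subnet outbound"),
]


def winning_rule(rules, flow: Flow) -> Rule:
    """First matching rule in priority order decides; DenyAll at 65500 always matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == flow.direction
                and endpoint_matches(rule.source, flow.source)
                and endpoint_matches(rule.destination, flow.destination)
                and port_matches(rule.ports, flow.port)):
            return rule
    raise AssertionError("default rules missing")


def blocked_dependencies(custom_rules) -> list:
    """Labels of the ASE dependency flows this NSG would deny."""
    rules = list(custom_rules) + DEFAULT_RULES
    return [f.label for f in REQUIRED_FLOWS if winning_rule(rules, f).action == "Deny"]


# A blanket deny ahead of the defaults also cuts off management and the load balancer.
NAIVE_LOCKDOWN = [Rule(100, "Inbound", "Deny", "*", "*", "*")]

# The allow list this page calls for (plus app traffic from the VNet), then explicit denies.
HARDENED = [
    Rule(100, "Inbound", "Allow", "AppServiceManagement", "*", "454-455"),
    Rule(110, "Inbound", "Allow", "AzureLoadBalancer", "*", "16001"),
    Rule(120, "Inbound", "Allow", str(ASE_SUBNET), str(ASE_SUBNET), "*"),
    Rule(130, "Inbound", "Allow", "VirtualNetwork", "*", "80,443"),
    Rule(4000, "Inbound", "Deny", "*", "*", "*"),
    Rule(100, "Outbound", "Allow", "*", "*", "123"),
    Rule(110, "Outbound", "Allow", "*", "*", "80,443"),
    Rule(120, "Outbound", "Allow", "*", "AzureSQL", "1433"),
    Rule(130, "Outbound", "Allow", "*", "*", "12000"),
    Rule(140, "Outbound", "Allow", str(ASE_SUBNET), str(ASE_SUBNET), "*"),
    Rule(4000, "Outbound", "Deny", "*", "*", "*"),
]

if __name__ == "__main__":
    print("defaults only :", blocked_dependencies([]))
    print("naive lockdown:", blocked_dependencies(NAIVE_LOCKDOWN))
    print("hardened      :", blocked_dependencies(HARDENED))
```

With only the default rules the model already reports the two management flows as denied, which is exactly why the AppServiceManagement allow on 454 and 455 is the first entry in the required list; the naive deny at priority 100 additionally blocks the 16001 keep-alive and intra-subnet traffic, and the hardened set passes every dependency while still ending in an explicit deny.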

Routes

Forced tunneling is when you set routes in your VNet so that outbound traffic doesn't go directly to the internet but somewhere else, such as an ExpressRoute gateway or a virtual appliance. If you need to configure your ASE this way, read the document on configuring your App Service Environment with forced tunneling, which describes the options available for working with ExpressRoute and forced tunneling.

When you create an ASE in the portal, a set of route tables is also created on the subnet created with the ASE. Those routes simply send outbound traffic directly to the internet.
To create the same routes manually, follow these steps:

  1. Go to the Azure portal. Select Networking > Route Tables.

  2. Create a new route table in the same region as your VNet.

  3. From within your route table UI, select Routes > Add.

  4. Set the Next hop type to Internet and the Address prefix to 0.0.0.0/0. Select Save.

    You then see something like the following:

    [Figure: Functional routes]

  5. After you create the new route table, go to the subnet that contains your ASE. Select your route table from the list in the portal. After you save the change, you should see the NSGs and routes noted with your subnet.

    [Figure: NSGs and routes]

Service Endpoints

Service Endpoints enable you to restrict access to multi-tenant services to a set of Azure virtual networks and subnets. You can read more in the Virtual Network Service Endpoints documentation.

When you enable Service Endpoints on a resource, routes are created with higher priority than all other routes. If you use Service Endpoints for any Azure service with a forced-tunneled ASE, traffic to that service is not forced tunneled.

When Service Endpoints is enabled on a subnet for Azure SQL, every Azure SQL instance connected to from that subnet must have Service Endpoints enabled: you can't enable Service Endpoints on one Azure SQL instance and not on another if both are reached from the same subnet. No other Azure service behaves like Azure SQL in this respect. When you enable Service Endpoints with Azure Storage, you lock access to that resource from your subnet but can still reach other Azure Storage accounts even if they do not have Service Endpoints enabled.

[Figure: Service Endpoints]
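The interaction between the ASE's default 0.0.0.0/0 route, a forced-tunnel UDR and a service endpoint route comes down to route selection, which the following added example (not code from the original page or from Azure) models: longest prefix match first, then route source. Azure documents User over BGP over Default for equal prefixes; ranking the service endpoint route above those is this example's encoding of the statement above and is marked as an assumption. The VNet prefix, the appliance address 10.0.2.4 and the prefix 203.0.113.0/24 standing in for a service's published address ranges are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str   # VnetLocal, Internet, VirtualAppliance, VirtualNetworkServiceEndpoint
    source: str     # Default (system route), User (UDR), BGP, ServiceEndpoint


# Tie-break for routes with the same prefix length. Assumption: the service
# endpoint route outranks everything, per the statement on this page.
SOURCE_RANK = {"ServiceEndpoint": 0, "User": 1, "BGP": 2, "Default": 3}


def _net(route: Route):
    return ipaddress.ip_network(route.prefix, strict=False)


def effective_route(routes, destination: str):
    """Longest prefix match first, then source precedence."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in _net(r)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-_net(r).prefixlen, SOURCE_RANK[r.source]))


def next_hop(routes, destination: str) -> str:
    route = effective_route(routes, destination)
    return route.next_hop if route else "None"


# Constructed sample route tables (assumed addressing, see lead-in).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VnetLocal", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
]
# What the portal creates for an ASE (step 4 above): straight to the internet.
ASE_DEFAULT_UDR = [Route("0.0.0.0/0", "Internet", "User")]
# A forced-tunnel UDR pointing at a virtual appliance.
FORCED_TUNNEL_UDR = [Route("0.0.0.0/0", "VirtualAppliance", "User")]
# The route added when a service endpoint is enabled on the subnet.
SERVICE_ENDPOINT_ROUTES = [
    Route("203.0.113.0/24", "VirtualNetworkServiceEndpoint", "ServiceEndpoint"),
]


def destinations_not_tunneled(routes, probes) -> list:
    """Probe addresses whose traffic would not reach the appliance."""
    return [d for d in probes if next_hop(routes, d) != "VirtualAppliance"]


if __name__ == "__main__":
    table = SYSTEM_ROUTES + FORCED_TUNNEL_UDR + SERVICE_ENDPOINT_ROUTES
    for dest in ("10.0.1.5", "198.51.100.7", "203.0.113.40"):
        print(f"{dest:>14} -> {next_hop(table, dest)}")
```

With the forced-tunnel UDR alone, every non-VNet destination goes to the appliance; add the service endpoint and its more specific prefix wins for that service, so the appliance never sees that traffic, which is the behaviour the paragraph above describes and the thing to check before assuming an NVA inspects all egress from the ASE.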