Using private endpoints for Azure App Configuration

You can use private endpoints for Azure App Configuration to allow clients on a virtual network (VNet) to securely access data over a private link. The private endpoint uses an IP address from the VNet address space for your App Configuration store. Network traffic between the clients on the VNet and the App Configuration store traverses the VNet using a private link on the Azure backbone network, eliminating exposure to the public internet.

Using private endpoints for your App Configuration store enables you to:

  • Secure your application configuration details by configuring the firewall to block all connections to App Configuration on the public endpoint.
  • Increase security for the virtual network (VNet), ensuring data doesn't leave the VNet.
  • Securely connect to the App Configuration store from on-premises networks that connect to the VNet using VPN or ExpressRoute with private peering.

Conceptual overview

A private endpoint is a special network interface for an Azure service in your virtual network (VNet). When you create a private endpoint for your App Configuration store, it provides secure connectivity between clients on your VNet and your configuration store. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the configuration store uses a secure private link.

Applications in the VNet can connect to the configuration store over the private endpoint using the same connection strings and authorization mechanisms that they would use otherwise. Private endpoints can be used with all protocols supported by the App Configuration store.

While App Configuration doesn't support service endpoints, private endpoints can be created in subnets that use service endpoints. Clients in such a subnet can connect securely to an App Configuration store using the private endpoint while using service endpoints to access other services.

When you create a private endpoint for a service in your VNet, a consent request is sent for approval to the service account owner. If the user requesting the creation of the private endpoint is also an owner of the account, this consent request is automatically approved.

Service account owners can manage consent requests and private endpoints through the Private Endpoints tab of the configuration store in the Azure portal.

Private endpoints for App Configuration

When creating a private endpoint, you must specify the App Configuration store to which it connects. If you have multiple App Configuration instances within an account, you need a separate private endpoint for each store.

Connecting to private endpoints

Azure relies on DNS resolution to route connections from the VNet to the configuration store over a private link. You can quickly find connection strings in the Azure portal by selecting your App Configuration store, then selecting Settings > Access Keys.

Important

Use the same connection string to connect to your App Configuration store through a private endpoint as you would use for the public endpoint. Don't connect to the store using its privatelink subdomain URL.

DNS changes for private endpoints

When you create a private endpoint, the DNS CNAME resource record for the configuration store is updated to an alias in a subdomain with the prefix privatelink. Azure also creates a private DNS zone corresponding to the privatelink subdomain, with the DNS A resource records for the private endpoints.

When you resolve the endpoint URL from within the VNet hosting the private endpoint, it resolves to the private endpoint of the store. When resolved from outside the VNet, the endpoint URL resolves to the public endpoint. When you create a private endpoint, the public endpoint is disabled.

If you are using a custom DNS server on your network, clients must be able to resolve the fully qualified domain name (FQDN) of the service endpoint to the private endpoint IP address. Configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A record for AppConfigInstanceA.privatelink.azconfig.io with the private endpoint IP address.

Tip

When using a custom or on-premises DNS server, you should configure it to resolve the store name in the privatelink subdomain to the private endpoint IP address. You can do this by delegating the privatelink subdomain to the private DNS zone of the VNet, or by configuring the DNS zone on your DNS server and adding the DNS A records.
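The two checks a practitioner would want from the Important note and the DNS section above, as an added example that is not part of the original page: a resolver walk that confirms the store's FQDN reaches the privatelink zone and lands on a VNet address (flagging the custom-DNS failure mode where the privatelink name has no A record), and a guard that rejects connection strings pointing at the privatelink host. The store name, addresses and DNS views are constructed; `lookup` is injected so the code runs offline, and a DNS-library-backed lookup can be swapped in for a live check.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]  # (name, record type) -> record values

# Constructed DNS views for a hypothetical store "appconfigexample.azconfig.io".
# Inside the VNet: CNAME -> privatelink alias -> private-zone A record (VNet IP).
# Outside the VNet: the privatelink alias resolves to the public endpoint.
# Misconfigured custom DNS: the privatelink alias has no A record at all.
STORE = "appconfigexample.azconfig.io"
ALIAS = "appconfigexample.privatelink.azconfig.io"
VNET_VIEW = {(STORE, "CNAME"): [ALIAS], (ALIAS, "A"): ["10.1.2.5"]}
PUBLIC_VIEW = {(STORE, "CNAME"): [ALIAS], (ALIAS, "A"): ["203.0.113.10"]}
BROKEN_VIEW = {(STORE, "CNAME"): [ALIAS]}


def make_lookup(view: Dict[Tuple[str, str], List[str]]) -> Lookup:
    return lambda name, rtype: view.get((name.lower().rstrip("."), rtype), [])


def resolve_chain(name: str, lookup: Lookup, max_hops: int = 8):
    """Follow CNAMEs until A records are found; return (names visited, A records)."""
    chain = [name]
    for _ in range(max_hops):
        addrs = lookup(name, "A")
        if addrs:
            return chain, addrs
        cname = lookup(name, "CNAME")
        if not cname:
            return chain, []          # dangling alias: nothing to connect to
        name = cname[0]
        chain.append(name)
    raise RuntimeError("CNAME chain exceeded %d hops" % max_hops)


def classify_endpoint(host: str, lookup: Lookup, vnet_cidr: str) -> str:
    """'private' when the store name passes through the privatelink zone and every
    address lies in the VNet; 'public' when it resolves elsewhere; 'unresolved'
    when the chain dead-ends (typical of a custom DNS server without delegation)."""
    net = ipaddress.ip_network(vnet_cidr)
    chain, addrs = resolve_chain(host, lookup)
    if not addrs:
        return "unresolved"
    via_privatelink = any(".privatelink." in n.lower() for n in chain)
    in_vnet = all(ipaddress.ip_address(a) in net for a in addrs)
    return "private" if via_privatelink and in_vnet else "public"


def uses_public_hostname(endpoint: str) -> bool:
    """Connection strings must carry the store's normal hostname, never the privatelink alias."""
    host = endpoint.split("://", 1)[-1].split("/", 1)[0]
    return ".privatelink." not in host.lower()
```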

Pricing

Enabling private endpoints requires a Standard tier App Configuration store. To learn about private link pricing details, see Azure Private Link pricing.

Next steps

Learn how to configure your DNS server for private endpoints:

Name resolution for resources in Azure virtual networks