Azure Cache for Redis network isolation options

In this article, you'll learn how to determine the best network isolation solution for your needs. We'll go through the basics of Azure Private Link, Azure Virtual Network (VNet) injection, and Azure Cache for Redis firewall rules, with their advantages and limitations.

Azure Private Link

Azure Private Link provides private connectivity from a virtual network to Azure PaaS services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.

Advantages

  • Supported on Basic, Standard, and Premium Azure Cache for Redis instances.
  • By using Azure Private Link, you can connect to an Azure Cache for Redis instance from your virtual network through a private endpoint, which is assigned a private IP address in a subnet within the virtual network. Until public access is turned off, the cache remains reachable both from within the VNet and from the public network.
  • Once a private endpoint is created, access over the public network can be restricted through the publicNetworkAccess flag. This flag is set to Disabled by default, which allows private link access only. You can set the value to Enabled or Disabled with a PATCH request against the cache resource. For more information, see Azure Cache for Redis with Azure Private Link (Preview).
  • External cache dependencies do not affect the VNet's NSG rules.

Limitations

  • Network security groups (NSGs) are not enforced on private endpoints. However, if there are other resources on the same subnet, NSG enforcement still applies to those resources.
  • Geo-replication, firewall rules, portal console support, multiple endpoints per clustered cache, persistence to a firewall-protected storage account, and VNet injected caches aren't supported with private endpoints yet.
  • To connect to a clustered cache, publicNetworkAccess needs to be set to Disabled, and there can be only one private endpoint connection.

Note

When you add a private endpoint to a cache instance, all Redis traffic is moved to the private endpoint, because the cache's hostname now resolves to the private endpoint's IP address. Adjust any existing firewall rules before adding the endpoint.

Azure Virtual Network injection

A VNet is the fundamental building block for your private network in Azure. A VNet enables many Azure resources to securely communicate with each other, the internet, and on-premises networks. A VNet is like a traditional network that you would operate in your own data center, but with the benefits of Azure infrastructure, scale, availability, and isolation.

Advantages

  • When an Azure Cache for Redis instance is deployed into a VNet, it's not publicly addressable and can only be accessed from virtual machines and applications within the VNet (or networks peered or connected to it).
  • When VNet injection is combined with restrictive NSG policies, it helps reduce the risk of data exfiltration.
  • VNet deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.
  • Geo-replication is supported.

Limitations

  • VNet injected caches are only available in the Premium tier of Azure Cache for Redis.
  • When using a VNet injected cache, you'll need to open your VNet (for example, through NSG rules and any egress firewall) to the cache's own dependencies, such as CRL/PKI endpoints, Azure Key Vault, Azure Storage, Azure Monitor, and others. If those dependencies are blocked, the cache can fail to start or to report health correctly.

Azure Firewall rules

Azure Firewall is a managed, cloud-based network security service that protects your Azure VNet resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. The firewall rules discussed in this section, however, are the cache's own rules: IP address ranges configured on the cache resource itself, which are distinct from the Azure Firewall service.

Advantages

  • When firewall rules are configured, only client connections from the specified IP address ranges can connect to the cache. Connections from the Azure Cache for Redis monitoring systems are always permitted, even if firewall rules are configured. NSG rules that you define are also honored.

Limitations

  • Firewall rules can be used in conjunction with VNet injected caches, but not with private endpoints currently.
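The three options above interact (a clustered cache with a private endpoint must have publicNetworkAccess set to Disabled and exactly one endpoint connection; firewall rules and private endpoints don't combine; private endpoints aren't supported on VNet injected caches), so a practitioner usually wants a quick audit of a cache's actual configuration rather than reading it off the portal. The following Python script is an added example, not code from this article or from Azure. It evaluates the JSON that a GET on a Microsoft.Cache/redis resource returns (a constructed sample is embedded), checks a client IP against the cache's firewall rules (startIP/endIP ranges), and builds the PATCH request mentioned in the Private Link section. The api-version, the assumption that shardCount is only present when clustering is enabled, and the sample resource names are assumptions; the property names follow the ARM schema.

```python
"""Audit the network isolation of an Azure Cache for Redis ARM resource.

Added example, not code from the article or from Azure. It consumes the
JSON that a GET on Microsoft.Cache/redis/{name} returns (constructed
sample below) plus the cache's firewallRules list, and builds the PATCH
request the article mentions for publicNetworkAccess.
"""
import ipaddress
import json
from typing import List, Tuple

ARM = "https://management.azure.com"
# Assumption: any api-version that exposes properties.publicNetworkAccess.
API_VERSION = "2020-06-01"


def patch_request(subscription: str, resource_group: str, cache: str,
                  public_access: str) -> Tuple[str, str]:
    """Return (url, json_body) for the PATCH that sets publicNetworkAccess."""
    if public_access not in ("Enabled", "Disabled"):
        raise ValueError("publicNetworkAccess must be 'Enabled' or 'Disabled'")
    url = (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.Cache/redis/{cache}?api-version={API_VERSION}")
    body = {"properties": {"publicNetworkAccess": public_access}}
    return url, json.dumps(body)


def client_allowed(rules: List[dict], client_ip: str) -> bool:
    """True if client_ip lies inside any firewall rule's startIP..endIP range."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        lo = ipaddress.ip_address(rule["properties"]["startIP"])
        hi = ipaddress.ip_address(rule["properties"]["endIP"])
        # Only compare addresses of the same IP version; mixing raises TypeError.
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False


def audit(cache: dict, rules: List[dict]) -> List[str]:
    """Return findings that violate the documented constraints or weaken isolation."""
    p = cache["properties"]
    endpoints = p.get("privateEndpointConnections", [])
    public = p.get("publicNetworkAccess", "Enabled")  # treat an unset flag as public
    vnet_injected = bool(p.get("subnetId"))          # subnetId is set only on VNet injected caches
    clustered = p.get("shardCount", 0) >= 1          # assumption: present only when clustered
    findings: List[str] = []
    if not endpoints and not vnet_injected and public == "Enabled":
        findings.append("public endpoint only: reachable from the internet, "
                        "limited only by firewall rules")
    if endpoints and public == "Enabled":
        findings.append("private endpoint present but publicNetworkAccess=Enabled: "
                        "the cache is still reachable over the public network")
    if clustered and endpoints and (public != "Disabled" or len(endpoints) != 1):
        findings.append("clustered cache with a private endpoint needs "
                        "publicNetworkAccess=Disabled and exactly one connection")
    if endpoints and rules:
        findings.append("firewall rules are not supported together with private endpoints")
    if endpoints and vnet_injected:
        findings.append("private endpoints are not supported on VNet injected caches")
    for rule in rules:
        lo, hi = rule["properties"]["startIP"], rule["properties"]["endIP"]
        if lo == "0.0.0.0" and hi == "255.255.255.255":
            findings.append(f"firewall rule {rule['name']!r} allows every IPv4 address")
    return findings


# Constructed sample resources; the shapes follow the ARM GET responses.
SAMPLE_CACHE = {
    "name": "contoso-cache",
    "properties": {
        "sku": {"name": "Premium", "family": "P", "capacity": 1},
        "shardCount": 3,
        "publicNetworkAccess": "Enabled",
        "privateEndpointConnections": [{
            "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
                  "/providers/Microsoft.Cache/redis/contoso-cache"
                  "/privateEndpointConnections/pe-1"
        }],
    },
}
SAMPLE_RULES = [
    {"name": "office", "properties": {"startIP": "203.0.113.0", "endIP": "203.0.113.255"}},
    {"name": "open", "properties": {"startIP": "0.0.0.0", "endIP": "255.255.255.255"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CACHE, SAMPLE_RULES):
        print("FINDING:", finding)
    url, body = patch_request("<subscription-id>", "<resource-group>",
                              "contoso-cache", "Disabled")
    print("PATCH", url)
    print(body)
    print("203.0.113.7 allowed by 'office':", client_allowed(SAMPLE_RULES[:1], "203.0.113.7"))
```

Run against a real cache by replacing the sample dicts with the output of `az rest --method get` on the cache resource and its firewallRules subresource; the PATCH URL and body can be passed straight to `az rest --method patch --body`. The audit deliberately treats a missing publicNetworkAccess value as Enabled, so an older cache that predates the flag is reported as public rather than silently passing.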

Next steps