Azure Monitor customer-managed key

Data in Azure Monitor is encrypted with Microsoft-managed keys. You can use your own encryption key to protect the data and saved queries in your workspaces. When you specify a customer-managed key, that key is used to protect and control access to your data; once configured, any data sent to your workspaces is encrypted with your Azure Key Vault key. Customer-managed keys offer greater flexibility to manage access controls.

We recommend that you review Limitations and constraints below before configuration.

Customer-managed key overview

Encryption at rest is a common privacy and security requirement in organizations. You can let Azure completely manage encryption at rest, or use one of several options to manage encryption and encryption keys more closely yourself.

Azure Monitor ensures that all data and saved queries are encrypted at rest using Microsoft-managed keys (MMK). Azure Monitor also provides an option for encryption using your own key stored in your Azure Key Vault, which gives you the control to revoke access to your data at any time. Azure Monitor's use of encryption is identical to the way Azure Storage encryption operates.

Customer-managed key is delivered on dedicated clusters, providing a higher protection level and more control. Data ingested to dedicated clusters is encrypted twice: once at the service level using Microsoft-managed keys or customer-managed keys, and once at the infrastructure level, using two different encryption algorithms and two different keys.

Data ingested in the last 14 days is also kept in a hot cache (SSD-backed) for efficient query engine operation. This data remains encrypted with Microsoft keys regardless of the customer-managed key configuration, but your control over the SSD data still follows key revocation: revoking the key makes it inaccessible (see Key revocation below). We are working to have SSD data encrypted with the customer-managed key in the first half of 2021.

Log Analytics dedicated clusters use a Capacity Reservation pricing model starting at 1000 GB/day.

How customer-managed key works in Azure Monitor

Azure Monitor uses managed identity to grant access to your Azure Key Vault. The identity of the Log Analytics cluster is supported at the cluster level. To allow customer-managed key protection on multiple workspaces, a Log Analytics Cluster resource acts as an intermediate identity connection between your Key Vault and your Log Analytics workspaces. The cluster's storage uses the managed identity associated with the Cluster resource to authenticate to your Azure Key Vault via Azure Active Directory.

After the customer-managed key configuration, new data ingested to workspaces linked to your dedicated cluster is encrypted with your key. You can unlink workspaces from the cluster at any time. New data is then ingested to Log Analytics storage and encrypted with the Microsoft key, while you can query your new and old data seamlessly.

Important

Customer-managed key capability is regional. Your Azure Key Vault, cluster and linked Log Analytics workspaces must be in the same region, but they can be in different subscriptions.

[Diagram: Customer-managed key overview]

  1. Key Vault
  2. Log Analytics Cluster resource with a managed identity that has permissions to Key Vault; the identity is propagated to the underlying dedicated Log Analytics cluster storage
  3. Dedicated Log Analytics cluster
  4. Workspaces linked to the Cluster resource

Encryption keys operation

There are three types of keys involved in Storage data encryption:

  • KEK - Key Encryption Key (your customer-managed key)
  • AEK - Account Encryption Key
  • DEK - Data Encryption Key

The following rules apply:

  • The Log Analytics cluster storage accounts generate a unique encryption key for every storage account, known as the AEK.
  • The AEK is used to derive DEKs, the keys that encrypt each block of data written to disk.
  • When you configure your key in Key Vault and reference it in the cluster, Azure Storage sends requests to your Azure Key Vault to wrap and unwrap the AEK in order to perform data encryption and decryption operations.
  • Your KEK never leaves your Key Vault.
  • Azure Storage uses the managed identity associated with the Cluster resource to authenticate to and access Azure Key Vault via Azure Active Directory.

Customer-managed key provisioning steps

  1. Creating Azure Key Vault and storing the key
  2. Creating the cluster
  3. Granting permissions to your Key Vault
  4. Updating the cluster with key identifier details
  5. Linking Log Analytics workspaces

Customer-managed key configuration isn't supported in the Azure portal currently; provisioning can be performed via PowerShell, CLI or REST requests.

Asynchronous operations and status check

Some of the configuration steps run asynchronously because they can't be completed quickly. The status in the response can be one of the following: 'InProgress', 'Updating', 'Deleting', 'Succeeded' or 'Failed' with an error code. Only 'Succeeded' and 'Failed' are terminal; while a cluster reports any of the other states, further update operations on it are rejected.

Storing encryption key (KEK)

Create a new Azure Key Vault, or use one you already have, to generate or import a key to be used for data encryption. The Azure Key Vault must be configured as recoverable to protect your key and the access to your data in Azure Monitor. You can verify this configuration under Properties in your Key Vault: both Soft delete and Purge protection should be enabled.

[Screenshot: Soft delete and purge protection settings]

These settings can be updated in Key Vault via CLI and PowerShell.

Create cluster

Clusters support two managed identity types, System-assigned and User-assigned, and a single identity can be defined in a cluster depending on your scenario.

  • System-assigned managed identity is simpler and is generated automatically with the cluster creation when the identity type is set to "SystemAssigned". This identity can be used later to grant storage access to your Key Vault for wrap and unwrap operations.

    Identity settings in cluster for System-assigned managed identity

    {
      "identity": {
        "type": "SystemAssigned"
      }
    }

  • If you want to configure customer-managed key at cluster creation, you should have a key and a User-assigned identity granted in your Key Vault beforehand, then create the cluster with these settings: identity type "UserAssigned", and userAssignedIdentities containing the resource ID of your identity.

    Identity settings in cluster for User-assigned managed identity

    {
      "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
          "/subscriptions/<subscription-id>/resourcegroups/<resource-group-name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<cluster-assigned-managed-identity>": {}
        }
      }
    }


Important

You can't use User-assigned managed identity if your Key Vault is behind Private Link (vNet). Use System-assigned managed identity in this scenario.

Follow the procedure illustrated in the Dedicated Clusters article.

Grant Key Vault permissions

Create an access policy in Key Vault to grant permissions to your cluster. These permissions are used by the underlying Azure Monitor storage. Open your Key Vault in the Azure portal, click "Access Policies", then "+ Add Access Policy", and create a policy with these settings:

  • Key permissions: select 'Get', 'Wrap Key' and 'Unwrap Key'.
  • Select principal: depending on the identity type used in the cluster, enter either the cluster name or the cluster principal ID (for a system-assigned managed identity) or the user-assigned managed identity name.

[Screenshot: Grant Key Vault permissions]

The Get permission is required to verify that your Key Vault is configured as recoverable, to protect your key and the access to your Azure Monitor data. Grant only these three key permissions: the cluster identity needs no key-management rights such as Create or Delete, and the KEK itself never leaves the vault.

Update cluster with key identifier details

All operations on the cluster require the Microsoft.OperationalInsights/clusters/write action permission. This permission can be granted via the Owner or Contributor role, which contain the */write action, or via the Log Analytics Contributor role, which contains the Microsoft.OperationalInsights/* action.

This step updates Azure Monitor Storage with the key and version to be used for data encryption. Once updated, your new key is used to wrap and unwrap the Storage key (AEK).

Select the current version of your key in Azure Key Vault to get the key identifier details.

Update KeyVaultProperties in the cluster with the key identifier details (key vault URI, key name and key version).

The operation is asynchronous and can take a while to complete.

Link workspaces to the cluster

Important

This step should be performed only after the Log Analytics cluster provisioning has completed. If you link workspaces and ingest data prior to provisioning, the ingested data will be dropped and won't be recoverable.

You need 'write' permissions to both your workspace and cluster to perform this operation; these include Microsoft.OperationalInsights/workspaces/write and Microsoft.OperationalInsights/clusters/write.

Follow the procedure illustrated in the Dedicated Clusters article.
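The five provisioning steps above, together with the asynchronous status check described earlier, as one added example that is not part of this page or of Azure Monitor's own tooling: it drives the same operations over the ARM REST API using only the Python standard library. The subscription, resource group, cluster, vault and workspace names are placeholders, the api-versions are assumptions (pick the current ones for your tenant), the public-cloud vault URI form https://<vault>.vault.azure.net is assumed, and the HTTP transport and sleep function are injectable so the whole flow can be exercised offline against canned responses.

```python
import json
import time
import urllib.request

ARM = "https://management.azure.com"
OI_API = "2020-08-01"  # Microsoft.OperationalInsights api-version (assumed)
KV_API = "2019-09-01"  # Microsoft.KeyVault api-version (assumed)


def urllib_transport(method, url, body, token):
    """Send one ARM request; return (http_status, lower-cased headers, json body or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return resp.status, headers, (json.loads(raw) if raw else {})


class ClusterCmkProvisioner:
    """Steps 1-5 of the provisioning procedure, in order. `transport` and `sleep` are
    injectable so the flow can be exercised offline against canned responses."""

    def __init__(self, subscription_id, token, transport=urllib_transport, sleep=time.sleep):
        self.sub, self.token = subscription_id, token
        self.transport, self.sleep = transport, sleep

    def _arm(self, rg, provider_path, api):
        return (f"{ARM}/subscriptions/{self.sub}/resourceGroups/{rg}"
                f"/providers/{provider_path}?api-version={api}")

    def _call(self, method, url, body=None):
        return self.transport(method, url, body, self.token)

    def wait_for_async(self, op_url, poll_seconds=30, max_polls=120):
        """Poll an Azure-AsyncOperation URL. Only Succeeded and Failed are terminal;
        InProgress, Updating and Deleting mean the cluster must not be updated yet."""
        status = None
        for _ in range(max_polls):
            _, _, body = self._call("GET", op_url)
            status = body.get("status")
            if status == "Succeeded":
                return body
            if status == "Failed":
                raise RuntimeError(f"operation failed: {body.get('error')}")
            self.sleep(poll_seconds)
        raise TimeoutError(f"operation still '{status}' after {max_polls} polls")

    def _mutate(self, method, url, body):
        """Write, then block on the async operation if ARM handed one back."""
        _, headers, resp = self._call(method, url, body)
        op_url = headers.get("azure-asyncoperation")
        return self.wait_for_async(op_url) if op_url else resp

    # Step 1: the KEK must live in a recoverable vault (soft delete + purge protection),
    # otherwise the later key update fails with "Key is not recoverable".
    def assert_vault_recoverable(self, rg, vault):
        _, _, body = self._call("GET", self._arm(rg, f"Microsoft.KeyVault/vaults/{vault}", KV_API))
        props = body["properties"]
        if not (props.get("enableSoftDelete") and props.get("enablePurgeProtection")):
            raise ValueError(f"Key Vault {vault} needs soft delete and purge protection enabled")
        return True

    # Step 2: create the cluster with a system-assigned identity and NO KeyVaultProperties
    # (they are rejected on creation, and the access policy needs the principalId first).
    def create_cluster(self, rg, cluster, location, capacity_gb=1000):
        url = self._arm(rg, f"Microsoft.OperationalInsights/clusters/{cluster}", OI_API)
        body = {"location": location, "identity": {"type": "SystemAssigned"},
                "sku": {"name": "capacityReservation", "capacity": capacity_gb}}
        self._mutate("PUT", url, body)
        _, _, created = self._call("GET", url)  # identity is populated once provisioned
        return created["identity"]["principalId"], created["identity"]["tenantId"]

    # Step 3: grant exactly Get / WrapKey / UnwrapKey on keys to the cluster identity.
    def grant_vault_access(self, rg, vault, tenant_id, principal_id):
        url = self._arm(rg, f"Microsoft.KeyVault/vaults/{vault}/accessPolicies/add", KV_API)
        body = {"properties": {"accessPolicies": [{"tenantId": tenant_id, "objectId": principal_id,
                "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}
        return self._call("PUT", url, body)[0]

    # Step 4: point the cluster at the KEK; this is the same call repeated on key rotation.
    def set_cluster_key(self, rg, cluster, vault_uri, key_name, key_version):
        url = self._arm(rg, f"Microsoft.OperationalInsights/clusters/{cluster}", OI_API)
        body = {"properties": {"keyVaultProperties": {
            "keyVaultUri": vault_uri, "keyName": key_name, "keyVersion": key_version}}}
        return self._mutate("PATCH", url, body)

    # Step 5: link a workspace (same region as the cluster) so new data lands in the cluster.
    def link_workspace(self, rg, workspace, cluster_resource_id):
        url = self._arm(rg, f"Microsoft.OperationalInsights/workspaces/{workspace}"
                            "/linkedServices/cluster", OI_API)
        return self._mutate("PUT", url, {"properties": {"writeAccessResourceId": cluster_resource_id}})

    def provision(self, rg, cluster, location, vault, key_name, key_version, workspaces):
        """Run the steps in the order the page prescribes; returns the cluster resource ID."""
        self.assert_vault_recoverable(rg, vault)
        principal_id, tenant_id = self.create_cluster(rg, cluster, location)
        self.grant_vault_access(rg, vault, tenant_id, principal_id)
        # public-cloud vault URI form (assumption); adjust for sovereign clouds
        self.set_cluster_key(rg, cluster, f"https://{vault}.vault.azure.net", key_name, key_version)
        cluster_id = (f"/subscriptions/{self.sub}/resourceGroups/{rg}"
                      f"/providers/Microsoft.OperationalInsights/clusters/{cluster}")
        for ws in workspaces:
            self.link_workspace(rg, ws, cluster_id)
        return cluster_id
```

Against a live tenant, construct `ClusterCmkProvisioner(subscription_id, bearer_token)` with the default transport and call `provision(...)`; the ordering inside `provision` is what matters, since the workspace link is only issued after the key update's async operation has reported Succeeded.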

Key revocation

Important

  • The recommended way to revoke access to your data is by disabling your key, or deleting the access policy in your Key Vault.
  • Setting the cluster's identity type to "None" also revokes access to your data, but this approach isn't recommended, since you can't revert the revocation by reinstating the identity in the cluster without opening a support request.

The cluster storage will respect changes in key permissions within an hour or sooner, and storage will become unavailable. Any new data ingested to workspaces linked with your cluster is dropped and won't be recoverable, existing data becomes inaccessible, and queries on these workspaces fail. Previously ingested data remains in storage as long as your cluster and your workspaces aren't deleted. Inaccessible data is governed by the data-retention policy and is purged when retention is reached. Data ingested in the last 14 days is also kept in the hot cache (SSD-backed) for efficient query engine operation; it is deleted on key revocation and becomes inaccessible.

The cluster's storage periodically checks your Key Vault and attempts to unwrap the encryption key; once access is restored, data ingestion and query resume within 30 minutes.

Key rotation

Customer-managed key rotation requires an explicit update to the cluster with the new key version in Azure Key Vault (see Update cluster with key identifier details). If you don't update the cluster with the new key version, the Log Analytics cluster storage keeps using your previous key version for encryption. If you disable or delete the old key version before updating the cluster with the new one, you enter the key revocation state.

All your data remains accessible after the key rotation operation, since data is always encrypted with the Account Encryption Key (AEK), and the AEK is now wrapped with your new Key Encryption Key (KEK) version in Key Vault.
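The rotation and revocation rules above, as an added example that is not part of this page or of Azure's tooling: it splits a Key Vault key identifier into the keyVaultProperties fields the cluster update needs, and classifies the cluster's key state against the vault's version list as current, stale (a newer version exists but the cluster was never updated) or revoked (the referenced version is disabled or gone, so the AEK can no longer be unwrapped). The version-list shape follows Key Vault's "keys/{name}/versions" response; the vault name, key name and version strings are constructed placeholders.

```python
from urllib.parse import urlsplit


def key_identifier_to_properties(kid):
    """Split a versioned Key Vault key identifier, as shown on the key version page
    (https://<vault>.vault.azure.net/keys/<name>/<version>), into the three
    keyVaultProperties fields the cluster update expects."""
    parts = urlsplit(kid)
    segs = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or len(segs) != 3 or segs[0] != "keys":
        raise ValueError(f"not a versioned Key Vault key identifier: {kid}")
    return {"keyVaultUri": f"https://{parts.netloc}", "keyName": segs[1], "keyVersion": segs[2]}


def _same_key(cluster_props, props):
    """Vault URI and key name match (ARM stores the URI with or without a trailing slash)."""
    return (cluster_props["keyVaultUri"].rstrip("/").lower() == props["keyVaultUri"].lower()
            and cluster_props["keyName"].lower() == props["keyName"].lower())


def cluster_key_state(cluster_props, key_versions):
    """Compare the cluster's keyVaultProperties with the vault's version list.

    key_versions: items shaped like Key Vault's GET /keys/{name}/versions response,
    {"kid": "...", "attributes": {"enabled": bool, "created": <epoch seconds>}}.
    Returns:
      "current"  the cluster wraps the AEK with the newest enabled version
      "stale"    a newer version exists; the cluster keeps using the old one until it
                 is explicitly updated (data stays accessible meanwhile)
      "revoked"  the version the cluster references is disabled or missing, so the AEK
                 cannot be unwrapped and storage becomes unavailable
    """
    by_version = {}
    for v in key_versions:
        props = key_identifier_to_properties(v["kid"])
        if _same_key(cluster_props, props):
            by_version[props["keyVersion"]] = v
    in_use = by_version.get(cluster_props["keyVersion"])
    if in_use is None or not in_use["attributes"]["enabled"]:
        return "revoked"
    enabled = [v for v in by_version.values() if v["attributes"]["enabled"]]
    newest = max(enabled, key=lambda v: v["attributes"]["created"])
    return "current" if newest is in_use else "stale"


def rotation_patch_body(new_kid):
    """Body for PATCH .../clusters/<name>: keyVaultProperties is all that changes on rotation.
    Apply it, and wait for Succeeded, before disabling the previous key version."""
    return {"properties": {"keyVaultProperties": key_identifier_to_properties(new_kid)}}
```

A periodic job that fetches the cluster (GET on the cluster resource, reading properties.keyVaultProperties) and the vault's version list and alerts on "stale" catches the case in the Troubleshooting section where a key was rotated in the vault but the cluster was never told; alerting on "revoked" catches an old version being disabled before the cluster update.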

Customer-managed key for saved queries

The query language used in Log Analytics is expressive and can contain sensitive information in comments you add to queries or in the query syntax itself. Some organizations require that such information is kept protected under the customer-managed key policy, so you need to save your queries encrypted with your key. Azure Monitor enables you to store saved-searches and log-alerts queries encrypted with your key in your own storage account when it is connected to your workspace.

Note

Log Analytics queries can be saved in various stores depending on the scenario used. Queries remain encrypted with the Microsoft key (MMK) in the following scenarios regardless of the customer-managed key configuration: Workbooks in Azure Monitor, Azure dashboards, Azure Logic App, Azure Notebooks and Automation Runbooks.

When you Bring Your Own Storage (BYOS) and link it to your workspace, the service uploads saved-searches and log-alerts queries to your storage account. That means you control the storage account and its encryption-at-rest policy, using either the same key that encrypts data in your Log Analytics cluster or a different key. You will, however, be responsible for the costs associated with that storage account.

Considerations before setting customer-managed key for queries

  • You need 'write' permissions to both your workspace and Storage Account
  • Make sure to create your Storage Account in the same region as your Log Analytics workspace
  • The saved searches in storage are considered service artifacts and their format may change
  • Existing saved searches are removed from your workspace. Copy any saved searches that you need before the configuration. You can view your saved searches using PowerShell
  • Query history isn't supported, and you won't be able to see queries that you ran
  • You can link a single storage account to a workspace for the purpose of saving queries; it can be used for both saved-searches and log-alerts queries
  • Pin to dashboard isn't supported

Configure BYOS for saved-searches queries

Link a storage account for Query to your workspace; saved-searches queries are then saved in your storage account.

After the configuration, any new saved search query will be saved in your storage.

Configure BYOS for log-alerts queries

Link a storage account for Alerts to your workspace; log-alerts queries are then saved in your storage account.

After the configuration, any new alert query will be saved in your storage.
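The two BYOS links above (Query for saved searches, Alerts for log-alert queries), as an added example that is not from this page or from Azure's tooling: it enforces the same-region consideration listed earlier and then builds the two ARM PUT requests against the workspace's linkedStorageAccounts resource, one per data source type, both pointing at the single storage account the page allows. The api-version and the bearer token are assumptions; the storage account resource in the test is constructed.

```python
import json
import re
import urllib.request

ARM = "https://management.azure.com"
OI_API = "2020-08-01"  # Microsoft.OperationalInsights api-version (assumed)

STORAGE_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Storage/storageAccounts/[^/]+$",
    re.IGNORECASE)


def check_byos_prerequisites(workspace_location, storage_account):
    """storage_account: the account resource as ARM returns it, i.e. {"id": ..., "location": ...}.
    Rejects anything that is not a storage account, or that sits outside the workspace's region."""
    if not STORAGE_ID_RE.match(storage_account.get("id", "")):
        raise ValueError("not a storage account resource ID")
    if storage_account["location"].lower() != workspace_location.lower():
        raise ValueError(f"storage account is in {storage_account['location']}, "
                         f"workspace is in {workspace_location}")
    return storage_account["id"]


def byos_link_requests(subscription_id, rg, workspace, storage_account_id, token,
                       data_sources=("Query", "Alerts")):
    """One PUT per data source type on .../linkedStorageAccounts/<Query|Alerts>.
    The same account may serve both saved-searches (Query) and log-alerts (Alerts)."""
    reqs = []
    for ds in data_sources:
        url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{rg}"
               f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
               f"/linkedStorageAccounts/{ds}?api-version={OI_API}")
        body = {"properties": {"storageAccountIds": [storage_account_id]}}
        req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Content-Type", "application/json")
        reqs.append(req)
    return reqs


def link_byos(subscription_id, rg, workspace, workspace_location, storage_account, token,
              opener=urllib.request.urlopen):
    """Validate, then send both links; returns the HTTP status per data source type."""
    sa_id = check_byos_prerequisites(workspace_location, storage_account)
    statuses = {}
    for req in byos_link_requests(subscription_id, rg, workspace, sa_id, token):
        with opener(req) as resp:
            statuses[req.full_url.split("/linkedStorageAccounts/")[1].split("?")[0]] = resp.status
    return statuses
```

Take the existing saved searches out of the workspace before sending these requests; as the considerations above state, they are removed from the workspace once the Query link is in place.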

Customer-managed key operations

Customer-managed key is provided on dedicated clusters, and these operations are described in the Dedicated Clusters article:

  • Get all clusters in a resource group
  • Get all clusters in a subscription
  • Update capacity reservation in a cluster
  • Update billingType in a cluster
  • Unlink a workspace from a cluster
  • Delete a cluster

Limitations and constraints

  • The maximum number of clusters per region and subscription is 2

  • The maximum number of workspaces that can be linked to a cluster is 1000

  • You can link a workspace to your cluster and then unlink it. The number of workspace link operations on a particular workspace is limited to 2 in a period of 30 days.

  • Customer-managed key encryption applies to data newly ingested after the configuration time. Data that was ingested prior to the configuration remains encrypted with the Microsoft key. You can query data ingested before and after the customer-managed key configuration seamlessly.

  • The Azure Key Vault must be configured as recoverable, with Soft delete and Purge protection. These properties aren't enabled by default and should be configured using CLI or PowerShell.

  • Cluster move to another resource group or subscription isn't supported currently.

  • Your Azure Key Vault, cluster and workspaces must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

Troubleshooting

  • Behavior with Key Vault availability

    • In normal operation, Storage caches the AEK for short periods of time and goes back to Key Vault periodically to unwrap it.

    • Transient connection errors: Storage handles transient errors (timeouts, connection failures, DNS issues) by allowing keys to stay in the cache for a short while longer, which overcomes small blips in availability. The query and ingestion capabilities continue without interruption.

    • Live site: unavailability of about 30 minutes causes the Storage account to become unavailable. The query capability is unavailable, and ingested data is cached for several hours using the Microsoft key to avoid data loss. When access to Key Vault is restored, query becomes available and the temporarily cached data is ingested to the data store and encrypted with the customer-managed key.

    • Key Vault access rate: the frequency at which Azure Monitor Storage accesses Key Vault for wrap and unwrap operations is between 6 and 60 seconds.

  • If you update your cluster while it is in the provisioning or updating state, the update will fail.

  • If you get a conflict error when creating a cluster, you may have deleted a cluster with that name in the last 14 days and it is still in its soft-delete period. The cluster name remains reserved during the soft-delete period and you can't create a new cluster with that name. The name is released after the soft-delete period, when the cluster is permanently deleted.

  • Linking a workspace to a cluster will fail if the workspace is already linked to another cluster.

  • If you create a cluster and specify the KeyVaultProperties immediately, the operation may fail, since the access policy can't be defined until the system identity is assigned to the cluster.

  • If you update an existing cluster with KeyVaultProperties and the 'Get' key access policy is missing in Key Vault, the operation will fail.

  • If you fail to deploy your cluster, verify that your Azure Key Vault, cluster and linked Log Analytics workspaces are in the same region. They can be in different subscriptions.

  • If you update your key version in Key Vault and don't update the new key identifier details in the cluster, the Log Analytics cluster keeps using your previous key version; if that version is then disabled or deleted, your data becomes inaccessible. Update the new key identifier details in the cluster to resume data ingestion and the ability to query data.

  • Some operations are long and can take a while to complete: cluster create, cluster key update and cluster delete. You can check the operation status in two ways:

    1. When using REST, copy the Azure-AsyncOperation URL value from the response and follow the asynchronous operations status check.
    2. Send a GET request to the cluster or workspace and observe the response. For example, an unlinked workspace won't have the clusterResourceId under features.
  • Error messages

    Cluster Create

    • 400 -- Cluster name is not valid. Cluster name can contain the characters a-z, A-Z, 0-9 and must be 3-63 characters long.
    • 400 -- The body of the request is null or in a bad format.
    • 400 -- SKU name is invalid. Set SKU name to capacityReservation.
    • 400 -- Capacity was provided but SKU is not capacityReservation. Set SKU name to capacityReservation.
    • 400 -- Missing Capacity in SKU. Set the Capacity value to 1000 or higher in steps of 100 (GB).
    • 400 -- Capacity in SKU is not in range. It should be a minimum of 1000 and up to the max allowed capacity, which is shown under 'Usage and estimated cost' in your workspace.
    • 400 -- Capacity is locked for 30 days. Decreasing capacity is permitted 30 days after the last update.
    • 400 -- No SKU was set. Set the SKU name to capacityReservation and the Capacity value to 1000 or higher in steps of 100 (GB).
    • 400 -- Identity is null or empty. Set Identity with the systemAssigned type.
    • 400 -- KeyVaultProperties are set on creation. Update KeyVaultProperties after cluster creation.
    • 400 -- Operation cannot be executed now. The async operation is in a state other than Succeeded. The cluster must complete its current operation before any update operation is performed.

    Cluster Update

    • 400 -- Cluster is in deleting state. An async operation is in progress. The cluster must complete its current operation before any update operation is performed.
    • 400 -- KeyVaultProperties is not empty but has a bad format. See key identifier update.
    • 400 -- Failed to validate key in Key Vault. Could be due to lack of permissions or because the key doesn't exist. Verify that you set the key and the access policy in Key Vault.
    • 400 -- Key is not recoverable. Key Vault must be set to Soft-delete and Purge-protection. See the Key Vault documentation.
    • 400 -- Operation cannot be executed now. Wait for the async operation to complete and try again.
    • 400 -- Cluster is in deleting state. Wait for the async operation to complete and try again.

    Cluster Get

    • 404 -- Cluster not found; the cluster may have been deleted. If you try to create a cluster with that name and get a conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it, or use another name to create a new cluster.

    Cluster Delete

    • 409 -- Can't delete a cluster while in provisioning state. Wait for the async operation to complete and try again.

    Workspace link

    • 404 -- Workspace not found. The workspace you specified doesn't exist or was deleted.
    • 409 -- Workspace link or unlink operation in process.
    • 400 -- Cluster not found; the cluster you specified doesn't exist or was deleted. If you try to create a cluster with that name and get a conflict, the cluster is in soft-delete for 14 days. You can contact support to recover it.

    Workspace unlink

    • 404 -- Workspace not found. The workspace you specified doesn't exist or was deleted.
    • 409 -- Workspace link or unlink operation in process.
Next steps