Write audit to a storage account behind VNet and firewall

Applies to: Azure SQL Database, Azure Synapse Analytics (SQL DW)

Auditing for Azure SQL Database and Azure Synapse Analytics supports writing database events to an Azure Storage account that sits behind a virtual network and firewall.

This article explains two ways to configure Azure SQL Database and an Azure storage account for this option. The first uses the Azure portal, the second uses the REST API.

Background

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. A VNet enables many types of Azure resources, such as Azure Virtual Machines (VMs), to securely communicate with each other, the internet, and on-premises networks. A VNet is similar to a traditional network in your own data center, but brings with it the additional benefits of Azure infrastructure such as scale, availability, and isolation.

To learn more about VNet concepts, best practices, and more, see What is Azure Virtual Network.

To learn more about how to create a virtual network, see Quickstart: Create a virtual network using the Azure portal.

Prerequisites

For auditing to write to a storage account behind a VNet or firewall, the following prerequisites must be met:

  • A general-purpose v2 storage account. If you have a general-purpose v1 or Blob storage account, upgrade to a general-purpose v2 storage account. For more information, see Types of storage accounts.
  • The storage account must be in the same subscription and the same region as the logical SQL server.
  • The Azure Storage account requires Allow trusted Microsoft services to access this storage account. Set this under Firewalls and virtual networks on the storage account. This exception only bypasses the account's network rules; the server still has to be authorized to write, which is why the steps below give the server's managed identity the Storage Blob Data Contributor role on the account rather than handing it a storage key.
  • You must have the Microsoft.Authorization/roleAssignments/write permission on the selected storage account. For more information, see Azure built-in roles.

Configure in Azure portal

Connect to the Azure portal with your subscription. Navigate to the resource group and server.

  1. Click Auditing under the Security heading. Select On.

  2. Select Storage. Select the storage account where logs will be saved. The storage account must comply with the requirements listed in Prerequisites.

  3. Open Storage details.

Note

If the selected storage account is behind a VNet, you will see the following message:

You have selected a storage account that is behind a firewall or in a virtual network. Using this storage requires to enable 'Allow trusted Microsoft services to access this storage account' on the storage account and creates a server managed identity with 'storage blob data contributor' RBAC.

If you do not see this message, the storage account is not behind a VNet.

  4. Select the number of days for the retention period, then click OK. Logs older than the retention period are deleted.

  5. Select Save on your auditing settings.

You have now configured auditing to write to a storage account behind a VNet or firewall.

Configure with REST commands

As an alternative to the Azure portal, you can use REST commands to configure auditing to write database events to a storage account behind a VNet and firewall.

The sample scripts in this section require you to update them before you run them. Replace the following values in the scripts:

  Sample value              Description
  <subscriptionId>          Azure subscription ID
  <resource group>          Resource group
  <logical SQL server>      Server name
  <administrator login>     Administrator account
  <complex password>        Complex password for the administrator account

To configure SQL Audit to write events to a storage account behind a VNet or firewall:

  1. Register your server with Azure Active Directory (Azure AD). This gives the server a system-assigned managed identity, which is the principal that will be authorized to write to the storage account. Use either PowerShell or the REST API.

    PowerShell

    # Sign in to the Azure China cloud and pick the subscription that holds the server
    Connect-AzAccount -Environment AzureChinaCloud
    Select-AzSubscription -SubscriptionId <subscriptionId>
    # -AssignIdentity creates the server's system-assigned managed identity
    Set-AzSqlServer -ResourceGroupName <your resource group> -ServerName <azure server name> -AssignIdentity
    

    REST API:

    Sample request

    PUT https://management.chinacloudapi.cn/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Sql/servers/<azure server name>?api-version=2015-05-01-preview
    

    Request body (a PUT replaces the server definition, so the body carries the server's existing properties together with the new identity block)

    {
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "fullyQualifiedDomainName": "<azure server name>.database.chinacloudapi.cn",
        "administratorLogin": "<administrator login>",
        "administratorLoginPassword": "<complex password>",
        "version": "12.0",
        "state": "Ready"
      }
    }
    
  2. Open the Azure portal. Navigate to your storage account. Locate Access Control (IAM), and click Add role assignment. Assign the Storage Blob Data Contributor Azure role to the server hosting the database that you registered with Azure AD in the previous step. Scope the assignment to the storage account itself; the audit writer needs nothing broader.

    Note

    Only members with Owner privilege can perform this step. For the various Azure built-in roles, refer to Azure built-in roles.

  3. Configure the server's blob auditing policy without specifying a storageAccountAccessKey. With no key in the policy, the service authenticates to the storage account with the server's managed identity from step 1 and the role from step 2:

    Sample request

    PUT https://management.chinacloudapi.cn/subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Sql/servers/<azure server name>/auditingSettings/default?api-version=2017-03-01-preview
    

    Request body

    {
      "properties": {
        "state": "Enabled",
        "storageEndpoint": "https://<storage account>.blob.core.chinacloudapi.cn"
      }
    }
    

Using Azure PowerShell
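The three REST steps above, carried out end to end with Azure PowerShell together with the prerequisite checks, as an added example that is not part of the original article or Microsoft's own sample. It assumes the Az.Accounts, Az.Sql, Az.Storage and Az.Resources modules are installed, that the resource names are placeholders you replace, and that `Update-AzStorageAccountNetworkRuleSet -Bypass AzureServices` corresponds to the "Allow trusted Microsoft services" checkbox. The region normalisation and the retry loop around the final call are this example's own additions, not something the article prescribes.

```powershell
# Added example: PowerShell equivalent of the REST procedure in this article.
# All <...> values are placeholders (assumption: you replace them before running).
$subscriptionId = '<subscriptionId>'
$resourceGroup  = '<resource group>'
$serverName     = '<logical SQL server>'
$storageName    = '<storage account>'
$retentionDays  = 90

Connect-AzAccount -Environment AzureChinaCloud | Out-Null
Select-AzSubscription -SubscriptionId $subscriptionId | Out-Null

# --- Prerequisite checks ------------------------------------------------------
$server  = Get-AzSqlServer -ResourceGroupName $resourceGroup -ServerName $serverName
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName

if ($storage.Kind -ne 'StorageV2') {
    throw "Storage account kind is $($storage.Kind); auditing behind a VNet needs a general-purpose v2 (StorageV2) account."
}
# Region names may come back as 'China East 2' or 'chinaeast2'; normalise before comparing.
$normalise = { param($s) ($s -replace '\s', '').ToLowerInvariant() }
if ((& $normalise $server.Location) -ne (& $normalise $storage.Location)) {
    throw "Server is in $($server.Location) but the storage account is in $($storage.Location); they must be in the same region."
}

# --- Allow trusted Microsoft services while keeping the firewall closed -------
# Bypass AzureServices is the portal's 'Allow trusted Microsoft services to access
# this storage account' setting. It only bypasses the network rules; the server
# still needs the RBAC grant below to write blobs.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageName `
    -Bypass AzureServices -DefaultAction Deny | Out-Null

# --- Step 1: system-assigned managed identity for the server -------------------
if (-not $server.Identity -or -not $server.Identity.PrincipalId) {
    $server = Set-AzSqlServer -ResourceGroupName $resourceGroup -ServerName $serverName -AssignIdentity
}
$principalId = $server.Identity.PrincipalId

# --- Step 2: Storage Blob Data Contributor, scoped to this account only --------
$role = 'Storage Blob Data Contributor'
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id `
    -RoleDefinitionName $role -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $storage.Id | Out-Null
}

# --- Step 3: enable auditing by resource ID, with no storage key ---------------
# -StorageAccountResourceId without a key is the equivalent of the REST body that
# sets storageEndpoint and omits storageAccountAccessKey. A fresh role assignment
# can take a short while to propagate, so retry on failure (example's own choice).
$attempt = 0
do {
    try {
        Set-AzSqlServerAudit -ResourceGroupName $resourceGroup -ServerName $serverName `
            -BlobStorageTargetState Enabled `
            -StorageAccountResourceId $storage.Id `
            -RetentionInDays $retentionDays -ErrorAction Stop
        break
    } catch {
        if (++$attempt -ge 5) { throw }
        Start-Sleep -Seconds 30
    }
} while ($true)

# --- Verify what was actually stored ------------------------------------------
$audit = Get-AzSqlServerAudit -ResourceGroupName $resourceGroup -ServerName $serverName
if ($audit.BlobStorageTargetState -ne 'Enabled' -or $audit.StorageAccountResourceId -ne $storage.Id) {
    throw 'Auditing is not enabled against the expected storage account.'
}
"Auditing enabled: server=$serverName identity=$principalId target=$($storage.Id) retention=$($audit.RetentionInDays)d"
```

The role assignment is scoped to the storage account resource ID rather than the resource group or subscription, and the final Get-AzSqlServerAudit call confirms that the policy points at that same resource ID before you rely on the logs.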

Using Azure Resource Manager template

You can configure auditing to write database events to a storage account behind a virtual network and firewall using an Azure Resource Manager template, as shown in the following example:

Important

To use a storage account behind a virtual network and firewall, you need to set the isStorageBehindVnet parameter to true.

Note

The linked sample is on an external public repository and is provided 'as is', without warranty, and is not supported under any Azure support program/service.

Next steps