Azure SQL 数据库和 Azure Synapse Analytics 连接体系结构Azure SQL Database and Azure Synapse Analytics connectivity architecture

• 07/13/2020
• • 

适用于：Azure SQL 数据库Azure Synapse Analytics (SQL DW)APPLIES TO: Azure SQL Database Azure Synapse Analytics (SQL DW)

本文介绍了将网络流量定向到 Azure SQL 数据库或 Azure Synapse Analytics 的服务器的各种组件的体系结构。This article explains architecture of various components that direct network traffic to a server in Azure SQL Database or Azure Synapse Analytics. 它还介绍了不同的连接策略，以及这些策略如何影响从 Azure 内部连接的客户端以及从 Azure 外部连接的客户端。It also explains different connection policies and how it impacts clients connecting from within Azure and clients connecting from outside of Azure.

连接体系结构Connectivity architecture

下图提供连接体系结构的综合概述。The following diagram provides a high-level overview of the connectivity architecture.

以下步骤介绍如何建立与 Azure SQL 数据库的连接：The following steps describe how a connection is established to Azure SQL Database:

• 客户端连接到网关，后者使用公共 IP 地址并侦听端口 1433。Clients connect to the gateway, that has a public IP address and listens on port 1433.
• 该网关根据有效的连接策略将流量重定向或代理到适当的数据库群集。The gateway, depending on the effective connection policy, redirects or proxies the traffic to the right database cluster.
• 在数据库群集中，流量转发到相应的数据库。Inside the database cluster traffic is forwarded to the appropriate database.

连接策略Connection policy

SQL 数据库和 Azure Synapse 中的服务器支持以下三个服务器连接策略设置选项：Servers in SQL Database and Azure Synapse support the following three options for the server's connection policy setting:

• 重定向（建议）： 客户端直接与托管数据库的节点建立连接，从而降低延迟并改进吞吐量。Redirect (recommended): Clients establish connections directly to the node hosting the database, leading to reduced latency and improved throughput. 若要通过连接来使用此模式，客户端需要：For connections to use this mode, clients need to:

  • 在范围为 11000 到 11999 的端口上允许从客户端到区域中所有 Azure SQL IP 地址的出站通信。Allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 11999. 使用 SQL 服务标记，使其更易于管理。Use the Service Tags for SQL to make this easier to manage.
  • 在端口 1433 上允许从客户端到 Azure SQL 数据库网关 IP 地址的出站通信。Allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.

• 代理： 在此模式下，所有连接都通过 Azure SQL 数据库网关来代理，导致延迟增大和吞吐量降低。Proxy: In this mode, all connections are proxied via the Azure SQL Database gateways, leading to increased latency and reduced throughput. 若要通过连接来使用此模式，客户端需满足以下条件：在端口 1433 上允许从客户端到 Azure SQL 数据库网关 IP 地址的出站通信。For connections to use this mode, clients need to allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.

• 默认值：除非显式将连接策略更改为 Proxy 或 Redirect，否则，在创建后，此连接策略将在所有服务器上生效。Default: This is the connection policy in effect on all servers after creation unless you explicitly alter the connection policy to either Proxy or Redirect. 对于所有源自 Azure 内部的客户端连接（例如，源自 Azure 虚拟机的连接），默认策略为 Redirect；对于所有源自外部的客户端连接（例如，源自本地工作站的连接），默认策略为 Proxy。The default policy isRedirect for all client connections originating inside of Azure (for example, from an Azure Virtual Machine) and Proxyfor all client connections originating outside (for example, connections from your local workstation).

我们强烈建议使用 Redirect 连接策略而不要使用 Proxy 连接策略，以最大程度地降低延迟和提高吞吐量。We highly recommend the Redirect connection policy over the Proxy connection policy for the lowest latency and highest throughput. 但是，你需要满足上述允许网络流量的附加要求。However, you will need to meet the additional requirements for allowing network traffic as outlined above. 如果客户端为 Azure 虚拟机，则可将网络安全组 (NSG) 与服务标记配合使用来实现它。If the client is an Azure Virtual Machine you can accomplish this using Network Security Groups (NSG) with service tags. 如果客户端从本地工作站进行连接，则可能需要联系网络管理员，让其允许网络流量通过公司防火墙。If the client is connecting from a workstation on-premises then you may need to work with your network admin to allow network traffic through your corporate firewall.

从 Azure 内连接Connectivity from within Azure

如果从 Azure 内部连接，则连接默认具有 Redirect 连接策略。If you are connecting from within Azure your connections have a connection policy of Redirect by default. Redirect 策略是指建立到 Azure SQL 数据库的 TCP 会话连接后，会将 Azure SQL 数据库网关的目标虚拟 IP 更改为群集的目标虚拟 IP，从而将客户端会话重定向到适当的数据库群集。A policy of Redirect means that after the TCP session is established to Azure SQL Database, the client session is then redirected to the right database cluster with a change to the destination virtual IP from that of the Azure SQL Database gateway to that of the cluster. 此后，所有后续数据包绕过 Azure SQL 数据库网关，直接传输到群集。Thereafter, all subsequent packets flow directly to the cluster, bypassing the Azure SQL Database gateway. 下图演示了此流量流。The following diagram illustrates this traffic flow.

从 Azure 外连接Connectivity from outside of Azure

如果从 Azure 外部连接，则连接默认具有 Proxy 连接策略。If you are connecting from outside Azure, your connections have a connection policy of Proxy by default. Proxy 策略是指通过 Azure SQL 数据库网关建立 TCP 会话，并且所有后续数据包通过网关传输。A policy of Proxy means that the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway. 下图演示了此流量流。The following diagram illustrates this traffic flow.

网关 IP 地址Gateway IP addresses

下表按区域列出了网关的 IP 地址。The table below lists the IP Addresses of Gateways by region. 若要连接到 SQL 数据库或 Azure Synapse，需要允许前往/来自该区域的所有网关的网络流量。To connect to SQL Database or Azure Synapse, you need to allow network traffic to and from all Gateways for the region.

后续步骤Next steps

• 有关如何更改服务器的 Azure SQL 数据库连接策略的信息，请参阅 conn-policy。For information on how to change the Azure SQL Database connection policy for a server, see conn-policy.
• 若要了解使用 ADO.NET 4.5 或更高版本的客户端的 Azure SQL 数据库连接行为，请参阅用于 ADO.NET 4.5 的非 1433 端口。For information about Azure SQL Database connection behavior for clients that use ADO.NET 4.5 or a later version, see Ports beyond 1433 for ADO.NET 4.5.
• 若要了解常规应用程序开发的概述信息，请参阅SQL 数据库应用程序开发概述。For general application development overview information, see SQL Database Application Development Overview.