Azure SQL Database and Azure Synapse Analytics connectivity architecture

APPLIES TO: Azure SQL Database, Azure Synapse Analytics (SQL DW)

This article explains the architecture of the components that direct network traffic to a server in Azure SQL Database or Azure Synapse Analytics. It also explains the different connection policies and how they affect clients connecting from within Azure and clients connecting from outside of Azure.

Important

This article does not apply to Azure SQL Managed Instance. Refer to Connectivity architecture for a managed instance.

Connectivity architecture

The following diagram provides a high-level overview of the connectivity architecture.

[Diagram: architecture overview]

The following steps describe how a connection is established to Azure SQL Database:

  • Clients connect to the gateway, which has a public IP address and listens on port 1433.
  • The gateway, depending on the effective connection policy, redirects or proxies the traffic to the right database cluster.
  • Inside the database cluster, traffic is forwarded to the appropriate database.

Connection policy

Servers in SQL Database and Azure Synapse support the following three options for the server's connection policy setting:

  • Redirect (recommended): Clients establish connections directly to the node hosting the database, leading to reduced latency and improved throughput. For connections to use this mode, clients need to:

    • Allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range of 11000 to 11999. Use the Service Tags for SQL to make this easier to manage.
    • Allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.
  • Proxy: In this mode, all connections are proxied via the Azure SQL Database gateways, leading to increased latency and reduced throughput. For connections to use this mode, clients need to allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.

  • Default: This is the connection policy in effect on all servers after creation unless you explicitly alter the connection policy to either Proxy or Redirect. The default policy is Redirect for all client connections originating inside of Azure (for example, from an Azure Virtual Machine) and Proxy for all client connections originating outside (for example, connections from your local workstation).

We highly recommend the Redirect connection policy over the Proxy connection policy for the lowest latency and highest throughput. However, you will need to meet the additional requirements for allowing network traffic as outlined above. If the client is an Azure Virtual Machine, you can accomplish this using Network Security Groups (NSG) with service tags. If the client is connecting from a workstation on-premises, you may need to work with your network admin to allow network traffic through your corporate firewall.

Connectivity from within Azure

If you are connecting from within Azure, your connections have a connection policy of Redirect by default. A policy of Redirect means that after the TCP session is established to Azure SQL Database, the client session is then redirected to the right database cluster with a change to the destination virtual IP from that of the Azure SQL Database gateway to that of the cluster. Thereafter, all subsequent packets flow directly to the cluster, bypassing the Azure SQL Database gateway. The following diagram illustrates this traffic flow.

[Diagram: architecture overview]

Connectivity from outside of Azure

If you are connecting from outside Azure, your connections have a connection policy of Proxy by default. A policy of Proxy means that the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway. The following diagram illustrates this traffic flow.

[Diagram: architecture overview]

Important

Additionally, open TCP ports 1434 and 14000-14999 to enable connecting with DAC.

Gateway IP addresses

The table below lists the IP addresses of gateways by region. To connect to SQL Database or Azure Synapse, you need to allow network traffic to and from all gateways for the region.

Region name      Gateway IP addresses
China East       139.219.130.35
China East 2     40.73.82.1
China North      139.219.15.17
China North 2    40.73.50.0
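
The outbound requirements listed under Connection policy can be checked against a client's egress allow-list together with the gateway table above. The following Python is an added example, not code from this article or from Microsoft; the function names, the (CIDR, first port, last port) rule format, and the 203.0.113.0/24 range standing in for the region's Azure SQL addresses are assumptions.

```python
import ipaddress

# Gateway IP addresses by region, copied from the table on this page.
GATEWAYS = {
    "China East": ["139.219.130.35"],
    "China East 2": ["40.73.82.1"],
    "China North": ["139.219.15.17"],
    "China North 2": ["40.73.50.0"],
}


def effective_policy(server_policy, client_in_azure):
    """Default resolves to Redirect inside Azure and Proxy outside it."""
    if server_policy == "Default":
        return "Redirect" if client_in_azure else "Proxy"
    return server_policy


def required_flows(region, server_policy, client_in_azure, sql_ranges):
    """Outbound TCP flows the client needs, as (network, first, last port)."""
    flows = [(ipaddress.ip_network(gw), 1433, 1433) for gw in GATEWAYS[region]]
    if effective_policy(server_policy, client_in_azure) == "Redirect":
        # Redirect also needs direct access to the database nodes.
        flows += [(ipaddress.ip_network(c), 11000, 11999) for c in sql_ranges]
    return flows


def egress_gaps(allow_rules, region, server_policy, client_in_azure, sql_ranges=()):
    """Return required flows that no single allow rule fully covers."""
    rules = [(ipaddress.ip_network(c), lo, hi) for c, lo, hi in allow_rules]
    gaps = []
    for net, lo, hi in required_flows(region, server_policy, client_in_azure, sql_ranges):
        ok = any(net.subnet_of(r) and r_lo <= lo and hi <= r_hi
                 for r, r_lo, r_hi in rules)
        if not ok:
            gaps.append((str(net), lo, hi))
    return gaps


# Constructed sample: an egress allow-list that only permits the gateway.
# 203.0.113.0/24 is a documentation range standing in for the region's
# Azure SQL addresses (what the SQL service tag would expand to).
SAMPLE_RULES = [("40.73.82.1/32", 1433, 1433)]
SAMPLE_SQL_RANGES = ["203.0.113.0/24"]

if __name__ == "__main__":
    for in_azure in (False, True):
        print(in_azure, egress_gaps(SAMPLE_RULES, "China East 2", "Default",
                                    in_azure, SAMPLE_SQL_RANGES))
```

A flow counts as allowed only when a single rule covers its whole address and port range, so an allow-list that splits the range across several rules is reported as a gap.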

Next steps