Azure SQL connectivity settings

Applies to: Azure SQL Database, Azure Synapse Analytics

This article introduces settings that control connectivity to the server for Azure SQL Database and Azure Synapse Analytics. These settings apply to all SQL Database and Azure Synapse Analytics databases associated with the server.

Important

This article doesn't apply to Azure SQL Managed Instance.

The connectivity settings are accessible from the Firewalls and virtual networks screen as shown in the following screenshot:

Screenshot of the connectivity settings window.

Note

These settings take effect immediately after they're applied. Your customers might experience connection loss if they don't meet the requirements for each setting.

Change public network access via PowerShell

Important

Azure SQL Database still supports the PowerShell Azure Resource Manager module, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to Get and Set the Public Network Access property at the server level:

# Get the Public Network Access property
(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).PublicNetworkAccess

# Update Public Network Access to Disabled
$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force

Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString -PublicNetworkAccess "Disabled"

Change public network access via CLI

Important

All scripts in this section require the Azure CLI.

Azure CLI in a Bash shell

The following CLI script shows how to change the Public Network Access setting in a Bash shell:


# Get current setting for Public Network Access
az sql server show -n sql-server-name -g sql-server-group --query "publicNetworkAccess"

# Update setting for Public Network Access
az sql server update -n sql-server-name -g sql-server-group --set publicNetworkAccess="Disabled"

Minimal TLS version

The minimal Transport Layer Security (TLS) version setting allows customers to choose which version of TLS their SQL database uses.

Currently, we support TLS 1.0, 1.1, and 1.2. Setting a minimal TLS version ensures that newer TLS versions are supported. For example, choosing a minimal TLS version of 1.1 means only connections with TLS 1.1 and 1.2 are accepted, and connections with TLS 1.0 are rejected. After you test to confirm that your applications support it, we recommend setting the minimal TLS version to 1.2. This version includes fixes for vulnerabilities in previous versions and is the highest version of TLS that's supported in Azure SQL Database.

Important

The default for the minimal TLS version is to allow all versions. After you enforce a version of TLS, it's not possible to revert to the default.

For customers with applications that rely on older versions of TLS, we recommend setting the minimal TLS version according to the requirements of your applications. For customers that rely on applications to connect by using an unencrypted connection, we recommend not setting any minimal TLS version.

For more information, see TLS considerations for SQL Database connectivity.

After you set the minimal TLS version, login attempts from customers who are using a TLS version lower than the minimal TLS version of the server will fail with the following error:

Error 47072
Login failed with invalid TLS version

Set the minimal TLS version via PowerShell

Important

Azure SQL Database still supports the PowerShell Azure Resource Manager module, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to Get and Set the Minimal TLS Version property at the logical server level:

# Get the Minimal TLS Version property
(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).MinimalTlsVersion

# Update Minimal TLS Version to 1.2
$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force

Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString  -MinimalTlsVersion "1.2"

Set the minimal TLS version via the Azure CLI

Important

All scripts in this section require the Azure CLI.

Azure CLI in a Bash shell

The following CLI script shows how to change the Minimal TLS Version setting in a Bash shell:

# Get current setting for Minimal TLS Version
az sql server show -n sql-server-name -g sql-server-group --query "minimalTlsVersion"

# Update setting for Minimal TLS Version
az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion="1.2"
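
To check the Public Network Access and Minimal TLS Version settings across many servers at once, the following added example (not part of the original article) reads the tab-separated output of az sql server list and reports every server whose public network access is not Disabled or whose minimal TLS version is unset or below 1.2. The function name, the sample rows, and the treatment of "None" or an empty field as unset are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original article.
# Reads rows "name<TAB>publicNetworkAccess<TAB>minimalTlsVersion" on stdin, e.g. from:
#   az sql server list \
#     --query "[].[name, publicNetworkAccess, minimalTlsVersion]" -o tsv
# Prints one line per finding: "server<TAB>setting<TAB>current value".
# Assumption: an unset value arrives as "None" or as an empty field.
audit_sql_servers() {
  awk -F '\t' '
    NF == 0 { next }                      # skip blank lines
    {
      name = $1; pna = $2; tls = $3
      if (pna == "" || pna == "None") pna = "unset"
      if (pna != "Disabled")
        printf "%s\tpublicNetworkAccess\t%s\n", name, pna
      if (tls == "" || tls == "None")
        printf "%s\tminimalTlsVersion\tunset\n", name
      else if ((tls + 0) < 1.2)
        printf "%s\tminimalTlsVersion\t%s\n", name, tls
    }'
}

# Constructed sample rows (hypothetical server names), so the script runs offline.
SAMPLE_TSV=$(printf '%s\t%s\t%s\n' \
  sql-prod-01   Disabled 1.2 \
  sql-legacy-02 Enabled  1.0 \
  sql-dev-03    Enabled  None)

printf '%s\n' "$SAMPLE_TSV" | audit_sql_servers
```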

Change the connection policy

Connection policy determines how customers connect to Azure SQL Database.

Change the connection policy via PowerShell

Important

Azure SQL Database still supports the PowerShell Azure Resource Manager module, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to change the connection policy by using PowerShell:

# Get SQL Server ID
$sqlserverid=(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).ResourceId

# Set URI
$id="$sqlserverid/connectionPolicies/Default"

# Get current connection policy
(Get-AzResource -ResourceId $id -ApiVersion 2014-04-01 -Verbose).Properties.ConnectionType

# Update connection policy
Set-AzResource -ResourceId $id -Properties @{"connectionType" = "Proxy"} -Force

Change the connection policy via the Azure CLI

Important

All scripts in this section require the Azure CLI.

Azure CLI in a Bash shell

The following CLI script shows how to change the connection policy in a Bash shell:

# Get SQL Server ID
sqlserverid=$(az sql server show -n sql-server-name -g sql-server-group --query 'id' -o tsv)

# Set URI
ids="$sqlserverid/connectionPolicies/Default"

# Get current connection policy
az resource show --ids "$ids"

# Update connection policy
az resource update --ids "$ids" --set properties.connectionType=Proxy

Azure CLI from a Windows command prompt

The following CLI script shows how to change the connection policy from a Windows command prompt (with the Azure CLI installed):

REM Get SQL Server ID and set URI
REM (inside a batch file, write %%g instead of %g)
FOR /F "tokens=*" %g IN ('az sql server show --resource-group myResourceGroup-571418053 --name server-538465606 --query "id" -o tsv') do (SET sqlserverid=%g/connectionPolicies/Default)

REM Get current connection policy
az resource show --ids %sqlserverid%

REM Update connection policy
az resource update --ids %sqlserverid% --set properties.connectionType=Proxy

Next steps

  • For an overview of how connectivity works in Azure SQL Database, refer to Connectivity architecture.
  • For information on how to change the connection policy for a server, see conn-policy.