Azure SQL Connectivity Settings

APPLIES TO: Azure SQL Database, Azure Synapse Analytics (SQL DW)

This article introduces settings that control connectivity to the server for Azure SQL Database and Azure Synapse Analytics. These settings apply to all SQL Database and Azure Synapse databases associated with the server.

Important

This article does not apply to Azure SQL Managed Instance.

The connectivity settings are accessible from the Firewalls and virtual networks screen as shown in the following screenshot:

Screenshot of connectivity settings

Note

Once these settings are applied, they take effect immediately and may result in connection loss for your clients if they do not meet the requirements for each setting.

Change Public Network Access via PowerShell

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to Get and Set the Public Network Access property at the server level:

# Get the Public Network Access property
(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).PublicNetworkAccess

# Update Public Network Access to Disabled
# "password" is a placeholder for the server administrator password
$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force

Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString -PublicNetworkAccess "Disabled"

Change Public Network Access via CLI

Important

All scripts in this section require Azure CLI.

Azure CLI in a bash shell

The following CLI script shows how to change the Public Network Access in a bash shell:

# Get current setting for Public Network Access
az sql server show -n sql-server-name -g sql-server-group --query "publicNetworkAccess"

# Update setting for Public Network Access
az sql server update -n sql-server-name -g sql-server-group --set publicNetworkAccess="Disabled"

Minimal TLS Version

The Minimal Transport Layer Security (TLS) Version setting allows customers to control the version of TLS used by their Azure SQL Database.

At present, we support TLS 1.0, 1.1 and 1.2. Setting a Minimal TLS Version ensures that subsequent, newer TLS versions are supported. For example, choosing a Minimal TLS Version of 1.1 means only connections with TLS 1.1 and 1.2 are accepted and TLS 1.0 is rejected. After testing to confirm your applications support it, we recommend setting Minimal TLS Version to 1.2 since it includes fixes for vulnerabilities found in previous versions and is the highest version of TLS supported in Azure SQL Database.

Important

The default for Minimal TLS Version is to allow all versions. However, once you enforce a version of TLS it is not possible to revert to the default.

For customers with applications that rely on older versions of TLS, we recommend setting the Minimal TLS Version per the requirements of your applications. For customers that rely on applications to connect using an unencrypted connection, we recommend not setting any Minimal TLS Version.

For more information, see TLS considerations for SQL Database connectivity.

After setting the Minimal TLS Version, login attempts from clients that are using a TLS version lower than the Minimal TLS Version of the server will fail with the following error:

Error 47072
Login failed with invalid TLS version

Set Minimal TLS Version via PowerShell

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to Get and Set the Minimal TLS Version property at the logical server level:

# Get the Minimal TLS Version property
(Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).MinimalTlsVersion

# Update Minimal TLS Version to 1.2
# "password" is a placeholder for the server administrator password
$SecureString = ConvertTo-SecureString "password" -AsPlainText -Force

Set-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group -SqlAdministratorPassword $SecureString -MinimalTlsVersion "1.2"

Set Minimal TLS Version via Azure CLI

Important

All scripts in this section require Azure CLI.

Azure CLI in a bash shell

The following CLI script shows how to change the Minimal TLS Version setting in a bash shell:

# Get current setting for Minimal TLS Version
az sql server show -n sql-server-name -g sql-server-group --query "minimalTlsVersion"

# Update setting for Minimal TLS Version
az sql server update -n sql-server-name -g sql-server-group --set minimalTlsVersion="1.2"
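
The following audit script is an added example, not part of the original article: it checks a list of servers against a required Minimal TLS Version and treats an unset value (the default, which allows all versions) as non-compliant. The `az sql server list` invocation in the comments, the "None" rendering of an unset value in tsv output, and the function and server names are assumptions.

```shell
#!/bin/sh
# Added example: flag servers whose minimalTlsVersion is unset or too low.
# Input on stdin: name<TAB>resourceGroup<TAB>publicNetworkAccess<TAB>minimalTlsVersion
# One way to produce it (assumed invocation):
#   az sql server list -o tsv \
#     --query "[].[name,resourceGroup,publicNetworkAccess,minimalTlsVersion]"
# Assumption: an unset minimalTlsVersion appears as "None" in tsv output.

TAB="$(printf '\t')"

# Map a TLS version to a comparable integer; unset or unknown maps to 0,
# because the default setting allows every TLS version.
tls_rank() {
  case "$1" in
    1.0) echo 10 ;;
    1.1) echo 11 ;;
    1.2) echo 12 ;;
    *)   echo 0 ;;
  esac
}

# audit_servers REQUIRED_TLS: prints one finding per server and exits
# non-zero if any server is below REQUIRED_TLS. The body runs in a
# subshell so its variables do not leak into the caller.
audit_servers() (
  required="$1"; need=$(tls_rank "$required"); rc=0
  while IFS="$TAB" read -r name group pna tls; do
    [ -n "$name" ] || continue
    if [ "$(tls_rank "$tls")" -lt "$need" ]; then
      echo "FAIL $group/$name minimalTlsVersion=${tls:-None} (required $required)"
      rc=1
    else
      echo "OK   $group/$name minimalTlsVersion=$tls"
    fi
    # Reported for review only; no pass/fail judgement is made on this value.
    if [ "$pna" = "Enabled" ]; then
      echo "INFO $group/$name publicNetworkAccess=Enabled"
    fi
  done
  exit "$rc"
)

# Constructed sample rows (not real servers).
sample_tsv() {
  printf 'sql-a\trg-one\tEnabled\tNone\n'
  printf 'sql-b\trg-one\tDisabled\t1.2\n'
  printf 'sql-c\trg-two\tEnabled\t1.1\n'
}

sample_tsv | audit_servers 1.2 || echo "one or more servers are below the required Minimal TLS Version"
```

Because an enforced Minimal TLS Version cannot be reverted to the default, run the audit first and raise the setting only on servers whose clients have been tested against the target version.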

Change connection policy

Connection policy determines how clients connect to Azure SQL Database.

Change Connection policy via PowerShell

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical. The following script requires the Azure PowerShell module.

The following PowerShell script shows how to change the connection policy using PowerShell:

# Get SQL Server ID
$sqlserverid = (Get-AzSqlServer -ServerName sql-server-name -ResourceGroupName sql-server-group).ResourceId

# Set URI
$id = "$sqlserverid/connectionPolicies/Default"

# Get current connection policy
(Get-AzResource -ResourceId $id -ApiVersion 2014-04-01 -Verbose).Properties.ConnectionType

# Update connection policy (-Force suppresses the confirmation prompt)
Set-AzResource -ResourceId $id -Properties @{"connectionType" = "Proxy"} -Force

Change Connection policy via Azure CLI

Important

All scripts in this section require Azure CLI.

Azure CLI in a bash shell

The following CLI script shows how to change the connection policy in a bash shell:

# Get SQL Server ID
sqlserverid=$(az sql server show -n sql-server-name -g sql-server-group --query 'id' -o tsv)

# Set URI
ids="$sqlserverid/connectionPolicies/Default"

# Get current connection policy
az resource show --ids "$ids"

# Update connection policy
az resource update --ids "$ids" --set properties.connectionType=Proxy

Azure CLI from a Windows command prompt

The following CLI script shows how to change the connection policy from a Windows command prompt (with Azure CLI installed).

REM Get SQL Server ID and set URI
FOR /F "tokens=*" %g IN ('az sql server show --resource-group myResourceGroup-571418053 --name server-538465606 --query "id" -o tsv') do (SET sqlserverid=%g/connectionPolicies/Default)

REM Get current connection policy
az resource show --ids %sqlserverid%

REM Update connection policy
az resource update --ids %sqlserverid% --set properties.connectionType=Proxy

Next steps

  • For an overview of how connectivity works in Azure SQL Database, refer to Connectivity Architecture.
  • For information on how to change the connection policy for a server, see conn-policy.