Azure SQL Database and Azure Synapse Analytics network access controls

When you create a logical SQL server from the Azure portal for Azure SQL Database and Azure Synapse Analytics, the result is a public endpoint of the form yourservername.database.chinacloudapi.cn.

You can use the following network access controls to selectively allow access to a database via the public endpoint:

  • Allow Azure services: when set to ON, other resources within the Azure boundary, for example an Azure virtual machine, can reach the server. This is not limited to resources in your own subscription.
  • IP firewall rules: explicitly allow connections from specific public IP addresses or ranges, for example from on-premises machines.

You can also allow private access to the database from virtual networks via:

  • Virtual network firewall rules: allow traffic from a specific subnet of a virtual network within the Azure boundary.

Important

This article does not apply to SQL Managed Instance. For more information about its networking configuration, see connecting to Azure SQL Managed Instance.

Allow Azure services

During creation of a new logical SQL server from the Azure portal, this setting is left unchecked.

You can also change this setting from the server's firewall pane after the logical SQL server is created, as shown below.

(Screenshot: managing the server firewall)

When set to ON, your server accepts connections from any resource inside the Azure boundary, whether or not it belongs to your subscription. The setting is stored as a server-level firewall rule named AllowAllWindowsAzureIps with start and end address 0.0.0.0, so it appears in the rule list and can be removed like any other rule.

In many cases the ON setting is more permissive than most customers want: it trusts compute in every Azure tenant, not just yours, so it should not be treated as a security boundary. You may want to set it to OFF and replace it with more restrictive IP firewall rules or virtual network firewall rules.

However, doing so affects the following features, which run on virtual machines in Azure that are not part of your virtual network and therefore connect to the server from Azure-owned IP addresses:

Import/Export Service

The Import/Export Service does not work when Allow access to Azure services is set to OFF. You can work around this by running sqlpackage.exe manually from an Azure VM that you have allowed through an IP or virtual network rule, or by performing the export directly in your code with the DACFx API.

Data Sync

To use Data Sync with Allow access to Azure services set to OFF, you need to create individual firewall rule entries that add the IP address ranges of the Sql service tag for the region hosting the Hub database. Add these server-level firewall rules to the servers hosting both the Hub and the Member databases (which may be in different regions).

Use the following PowerShell to list the IP address prefixes of the Sql service tag for the China East 2 region:

PS C:\>  $serviceTags = Get-AzNetworkServiceTag -Location chinaeast2
PS C:\>  $sql = $serviceTags.Values | Where-Object { $_.Name -eq "Sql.ChinaEast2" }
PS C:\> $sql.Properties.AddressPrefixes.Count
3
PS C:\> $sql.Properties.AddressPrefixes
40.73.82.0/23
40.73.169.0/26
40.73.170.0/26

Tip

Get-AzNetworkServiceTag returns the full list of service tags, including the global Sql tag, regardless of the Location parameter. Be sure to filter to the regional tag (Sql.<Region>) for the region that hosts the Hub database used by your sync group.

Note that the output of the PowerShell script is in Classless Inter-Domain Routing (CIDR) notation, while a firewall rule takes a start and an end IP address. Convert each prefix using Get-IPrangeStartEnd.ps1 like this:

PS C:\> Get-IPrangeStartEnd -ip 52.229.17.93 -cidr 26
start        end
-----        ---
52.229.17.64 52.229.17.127

You can use this additional PowerShell loop to convert all of the prefixes from CIDR to start and end IP address format. For the three China East 2 prefixes listed above the result is:

PS C:\> foreach ($i in $sql.Properties.AddressPrefixes) { $ip, $cidr = $i.Split('/'); Get-IPrangeStartEnd -ip $ip -cidr $cidr }
start          end
-----          ---
40.73.82.0     40.73.83.255
40.73.169.0    40.73.169.63
40.73.170.0    40.73.170.63

You can now add these as distinct firewall rules and then set Allow Azure services to access server to OFF. Keep that order: removing the broad rule before the specific rules exist would interrupt Data Sync. Service tag ranges are updated over time, so re-run the script periodically and reconcile the rules against the current tag.
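The procedure above, end to end, as an added example that is not part of the original page or of the Az modules: it converts each prefix to a start/end pair without the external Get-IPrangeStartEnd.ps1 script, creates one rule per prefix, and only then removes the Allow Azure services rule. It assumes the Az.Network and Az.Sql modules, a session opened with Connect-AzAccount against the China cloud, and placeholder resource-group, server and rule names.

```powershell
# Added example (not from the original page). Assumes Az.Network + Az.Sql and a signed-in
# session (Connect-AzAccount -Environment AzureChinaCloud). Names below are placeholders.
$ResourceGroupName = 'my-resource-group'   # placeholder
$ServerName        = 'yourservername'      # placeholder: logical server name, no DNS suffix
$Location          = 'chinaeast2'
$SqlTagName        = 'Sql.ChinaEast2'      # the regional tag, not the global 'Sql' tag

# Render a 32-bit address held in a [long] as dotted-quad.
function ConvertTo-DottedQuad {
    param([Parameter(Mandatory)][long]$Value)
    (24, 16, 8, 0 | ForEach-Object { ($Value -shr $_) -band 0xFF }) -join '.'
}

# Convert an IPv4 CIDR prefix (e.g. 40.73.82.0/23) to the first and last address of the block.
# [long] arithmetic avoids the signed 32-bit wrap-around of PowerShell's -shl on [int].
function ConvertFrom-CidrToRange {
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefixLength = $Cidr.Split('/')
    $prefixLength = [int]$prefixLength
    if ($prefixLength -lt 0 -or $prefixLength -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()        # network byte order
    $addr  = ([long]$bytes[0] -shl 24) -bor ([long]$bytes[1] -shl 16) -bor
             ([long]$bytes[2] -shl 8)  -bor  [long]$bytes[3]
    $blockSize = [long][math]::Pow(2, 32 - $prefixLength)
    $start = $addr - ($addr % $blockSize)                                # clear the host bits
    $end   = $start + $blockSize - 1
    [pscustomobject]@{
        Cidr           = $Cidr
        StartIpAddress = ConvertTo-DottedQuad $start
        EndIpAddress   = ConvertTo-DottedQuad $end
    }
}

# 1. Fetch the service tags and pick the regional Sql tag. Get-AzNetworkServiceTag returns every
#    tag regardless of -Location, so the filter on Name is what scopes this to China East 2.
$sqlTag = (Get-AzNetworkServiceTag -Location $Location).Values |
    Where-Object { $_.Name -eq $SqlTagName }
if (-not $sqlTag) { throw "Service tag '$SqlTagName' not found" }

# 2. One server-level firewall rule per prefix, created before anything is removed.
$index = 0
foreach ($prefix in $sqlTag.Properties.AddressPrefixes) {
    $range    = ConvertFrom-CidrToRange -Cidr $prefix
    $ruleName = 'DataSync-{0}-{1:D3}' -f ($SqlTagName -replace '\.', '-'), $index
    $index++
    New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -FirewallRuleName $ruleName -StartIpAddress $range.StartIpAddress `
        -EndIpAddress $range.EndIpAddress | Out-Null
    Write-Host ('{0,-30} {1,-16} {2}' -f $ruleName, $range.StartIpAddress, $range.EndIpAddress)
}

# 3. Now switch 'Allow Azure services' OFF. The portal toggle is the rule AllowAllWindowsAzureIps
#    (0.0.0.0 - 0.0.0.0); deleting that rule is the same as turning the toggle off.
Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
    -FirewallRuleName 'AllowAllWindowsAzureIps' -Force -ErrorAction SilentlyContinue

# 4. Verify: warn about any rule that still starts at 0.0.0.0 (the Azure-services rule or an
#    accidental 0.0.0.0-255.255.255.255 allow-all).
$rules = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName
$rules | Select-Object FirewallRuleName, StartIpAddress, EndIpAddress | Format-Table -AutoSize
$rules | Where-Object { $_.StartIpAddress -eq '0.0.0.0' } |
    ForEach-Object { Write-Warning "Rule '$($_.FirewallRuleName)' still starts at 0.0.0.0" }
```

Run it against the Hub server and against every Member server. Because each rule carries the tag name in its own name, a later run can find and replace the DataSync rules when the service tag's prefixes change, without touching rules that belong to other clients.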

IP firewall rules

The IP-based firewall is a feature of the logical SQL server in Azure that blocks all access to your server until you explicitly add the public IP addresses (or ranges) of the client machines. Rules are matched against the source address as the server sees it, so clients behind NAT need a rule for the NAT's public address. A range of 0.0.0.0 to 255.255.255.255 disables the filtering entirely and should never be used.

Virtual network firewall rules

In addition to IP rules, the server firewall allows you to define virtual network rules.
To learn more, see Virtual Network service endpoints and rules for Azure SQL Database.

Azure networking terminology

Be aware of the following Azure networking terms as you explore virtual network firewall rules:

Virtual network: you can have virtual networks associated with your Azure subscription.

Subnet: a virtual network contains subnets. Any Azure virtual machines (VMs) that you have are assigned to subnets. One subnet can contain multiple VMs or other compute nodes. Compute nodes outside your virtual network can't access your virtual network unless you configure your security to allow access.

Virtual network service endpoint: a virtual network service endpoint is a subnet whose property values include one or more formal Azure service type names. In this article we're interested in the type name Microsoft.Sql, which refers to the Azure service named SQL Database.

Virtual network rule: a virtual network rule for your server is a subnet that is listed in the access control list (ACL) of your server. To be in the ACL for your database in SQL Database, the subnet must contain the Microsoft.Sql type name. A virtual network rule tells your server to accept communications from every node on that subnet, so the trust boundary of the rule is the whole subnet: anything that can run in it, including a compromised VM, gets network reachability to the server and must then be stopped by authentication.
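The two-step setup the terminology above describes, as an added example that is not part of the original page or of the Az modules: first make the subnet a service endpoint for Microsoft.Sql, then list it in the server's ACL. It assumes the Az.Network and Az.Sql modules, an existing virtual network, subnet and logical server in the same subscription, a signed-in session, and placeholder resource names.

```powershell
# Added example (not from the original page). Assumes Az.Network + Az.Sql, an existing
# VNet/subnet and logical server, and a signed-in session. All names are placeholders.
$ResourceGroupName = 'my-resource-group'
$ServerName        = 'yourservername'
$VNetName          = 'app-vnet'
$SubnetName        = 'app-subnet'
$RuleName          = 'allow-app-subnet'

# 1. Make the subnet a "virtual network service endpoint" for Microsoft.Sql. Without this the
#    subnet carries no service type name, and traffic from it arrives at the server from an
#    ordinary Azure public IP that a virtual network rule cannot match.
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
$subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
$endpoints = @(foreach ($ep in $subnet.ServiceEndpoints) { $ep.Service })   # existing endpoints
if ($endpoints -notcontains 'Microsoft.Sql') {
    # Set-AzVirtualNetworkSubnetConfig rewrites the subnet config, so re-supply the existing
    # address prefix, the existing service endpoints, and any NSG / route table association.
    $params = @{
        VirtualNetwork  = $vnet
        Name            = $SubnetName
        AddressPrefix   = $subnet.AddressPrefix
        ServiceEndpoint = $endpoints + 'Microsoft.Sql'
    }
    if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroup = $subnet.NetworkSecurityGroup }
    if ($subnet.RouteTable)           { $params.RouteTable           = $subnet.RouteTable }
    Set-AzVirtualNetworkSubnetConfig @params | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork                 # commit the change to Azure
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
}

# 2. List the subnet in the server's ACL. The cmdlet refuses if step 1 is missing, unless you pass
#    -IgnoreMissingVnetServiceEndpoint, which creates a rule that matches no traffic until the
#    endpoint exists.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
    -VirtualNetworkRuleName $RuleName -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 3. Verify the rule is Ready and points at the intended subnet.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    Select-Object VirtualNetworkRuleName, State, VirtualNetworkSubnetId | Format-Table -AutoSize
```

After this, every node in app-subnet can reach the server without any IP rule, and the rule keeps working when VMs in the subnet are restarted with new addresses, which is the point of the comparison in the next section.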

IP vs. virtual network firewall rules

The Azure SQL Database firewall allows you to specify IP address ranges from which communications are accepted into SQL Database. This approach is fine for stable IP addresses outside the Azure private network. However, virtual machines (VMs) within the Azure private network are configured with dynamic IP addresses by default. A dynamic IP address can change when the VM is restarted, which silently invalidates the IP-based firewall rule. Specifying a dynamic IP address in a firewall rule in a production environment is unwise.

You can work around this limitation by obtaining a static IP address for your VM. For details, see Create a virtual machine with a static public IP address using the Azure portal. However, the static IP approach becomes difficult to manage, and costly, at scale.

Virtual network rules are an easier alternative for establishing and managing access from a specific subnet that contains your VMs.

Note

You cannot yet have SQL Database on a subnet. If your server were a node on a subnet in your virtual network, all nodes within the virtual network could communicate with your SQL Database. In that case, your VMs could communicate with SQL Database without needing any virtual network rules or IP rules.

Next steps