Azure Private Link for Azure SQL Database and Azure Synapse Analytics

Applies to: Azure SQL Database and Azure Synapse Analytics

Private Link allows you to connect to various PaaS services in Azure via a private endpoint. A private endpoint is a private IP address within a specific VNet and subnet.

Important

This article applies to both Azure SQL Database and Azure Synapse Analytics. For simplicity, the term 'database' refers to both databases in Azure SQL Database and databases in Azure Synapse Analytics. Likewise, any reference to 'server' refers to the logical SQL server that hosts Azure SQL Database and Azure Synapse Analytics. This article does not apply to Azure SQL Managed Instance.

Approval process

Once the network admin creates the Private Endpoint (PE), the SQL admin can manage the Private Endpoint Connection (PEC) to SQL Database.

  1. Navigate to the server resource in the Azure portal as per the steps shown in the screenshot below:

    • (1) Select "Private endpoint connections" in the left pane
    • (2) Shows a list of all Private Endpoint Connections (PECs)
    • (3) The corresponding Private Endpoint (PE) that was created

    Screenshot of all PECs

  2. Select an individual PEC from the list.

    Screenshot of the selected PEC

  3. The SQL admin can choose to approve or reject a PEC and optionally add a short text response.

    Screenshot of PEC approval

  4. After approval or rejection, the list will reflect the appropriate state along with the response text.

    Screenshot of all PECs after approval

On-premises connectivity over private peering

When customers connect to the public endpoint from on-premises machines, their IP address needs to be added to the IP-based firewall using a server-level firewall rule. While this model works well for allowing access to individual machines for dev or test workloads, it's difficult to manage in a production environment.

With Private Link, customers can enable cross-premises access to the private endpoint using ExpressRoute, private peering, or VPN tunneling. Customers can then disable all access via the public endpoint and no longer need the IP-based firewall to allow any IP addresses.

Clients can connect to the private endpoint from the same virtual network, from a peered virtual network in the same region, or via a virtual-network-to-virtual-network connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.

Diagram of connectivity options

Test connectivity to SQL Database from an Azure VM in the same virtual network

For this scenario, assume you've created an Azure Virtual Machine (VM) running Windows Server 2016.

  1. Start a Remote Desktop (RDP) session and connect to the virtual machine.
  2. You can then do some basic connectivity checks to ensure that the VM is connecting to SQL Database via the private endpoint, using the following tools:
    1. Telnet
    2. Psping
    3. Nmap
    4. SQL Server Management Studio (SSMS)

Check connectivity using Telnet

Telnet Client is a Windows feature that can be used to test connectivity. Depending on the version of the Windows OS, you may need to enable this feature explicitly.

Open a Command Prompt window after you have installed Telnet. Run the telnet command, specifying the IP address of the private endpoint and port 1433 of the database in SQL Database.

>telnet 10.1.1.5 1433

When Telnet connects successfully, you'll see a blank screen in the command window like the image below:

Telnet screenshot

Check connectivity using Psping

Psping can be used as follows to check that the private endpoint connection (PEC) is listening for connections on port 1433.

Run psping as follows, providing the FQDN of the logical SQL server and port 1433:

>psping.exe mysqldbsrvr.database.chinacloudapi.cn:1433

PsPing v2.10 - PsPing - ping, latency, bandwidth measurement utility
Copyright (C) 2012-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

TCP connect to 10.6.1.4:1433:
5 iterations (warmup 1) ping test:
Connecting to 10.6.1.4:1433 (warmup): from 10.6.0.4:49953: 2.83ms
Connecting to 10.6.1.4:1433: from 10.6.0.4:49954: 1.26ms
Connecting to 10.6.1.4:1433: from 10.6.0.4:49955: 1.98ms
Connecting to 10.6.1.4:1433: from 10.6.0.4:49956: 1.43ms
Connecting to 10.6.1.4:1433: from 10.6.0.4:49958: 2.28ms

The output shows that Psping could ping the private IP address associated with the PEC.

Check connectivity using Nmap

Nmap (Network Mapper) is a free and open-source tool used for network discovery and security auditing. For more information and the download link, visit https://nmap.org. You can use this tool to ensure that the private endpoint is listening for connections on port 1433.

Run Nmap as follows, providing the address range of the subnet that hosts the private endpoint.

>nmap -n -sP 10.1.1.0/24
...
...
Nmap scan report for 10.1.1.5
Host is up (0.00s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 207.00 seconds

The result shows that one IP address is up, which corresponds to the IP address of the private endpoint.

Check connectivity using SQL Server Management Studio (SSMS)

Note

Use the Fully Qualified Domain Name (FQDN) of the server in connection strings for your clients (<server>.database.chinacloudapi.cn). Any login attempt made directly to the IP address or using the private link FQDN (<server>.privatelink.database.chinacloudapi.cn) will fail. This behavior is by design, since the private endpoint routes traffic to the SQL Gateway in the region and the correct FQDN needs to be specified for logins to succeed.

Follow the steps here to use SSMS to connect to SQL Database. After you connect to SQL Database using SSMS, verify that you're connecting from the private IP address of the Azure VM by running the following query:

select client_net_address from sys.dm_exec_connections 
where session_id=@@SPID
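As an added example (not part of the original article), the following Python script automates the checks above from the VM: it rejects the hostname forms that the note says will fail, resolves the server FQDN, verifies that each returned address lies in RFC 1918 space (the private endpoint rather than the public endpoint), and attempts a TCP connection on port 1433. The default server name and the DNS suffixes are assumptions taken from this page's own examples; the resolver and connector are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket

SQL_PORT = 1433
# DNS suffixes as used in this article's examples (assumption: adjust for your cloud).
SERVER_SUFFIX = ".database.chinacloudapi.cn"
PRIVATELINK_SUFFIX = ".privatelink.database.chinacloudapi.cn"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_hostname(host):
    """Return "" if host is a logical server FQDN, else why a login to it would fail."""
    try:
        ipaddress.ip_address(host)
        return "raw IP address: logins to the IP fail by design"
    except ValueError:
        pass  # not an IP literal, so it is a name
    if host.endswith(PRIVATELINK_SUFFIX):
        return "privatelink FQDN: use <server>" + SERVER_SUFFIX + " instead"
    return ""

def classify_address(ip):
    """'private' if the address is in RFC 1918 space (the private endpoint), else 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"

def resolve(host):
    """A records the VM's resolver returns; a private DNS zone should yield the PE address."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, SQL_PORT, socket.AF_INET)})

def tcp_connect(ip):
    """Same check as telnet/psping: can we open TCP 1433 to this address?"""
    try:
        with socket.create_connection((ip, SQL_PORT), timeout=3.0):
            return True
    except OSError:
        return False

def verify_private_path(host, resolver=resolve, connector=tcp_connect):
    """Run all checks; passes only when every resolved address is private and reachable on 1433."""
    result = {"host": host, "hostname_problem": check_hostname(host), "addresses": [], "uses_private_endpoint": False}
    if result["hostname_problem"]:
        return result
    for ip in resolver(host):
        result["addresses"].append({"ip": ip, "path": classify_address(ip), "port_open": connector(ip)})
    result["uses_private_endpoint"] = bool(result["addresses"]) and all(a["path"] == "private" and a["port_open"] for a in result["addresses"])
    return result

if __name__ == "__main__":
    import json, sys
    print(json.dumps(verify_private_path(sys.argv[1] if len(sys.argv) > 1 else "mysqldbsrvr" + SERVER_SUFFIX), indent=2))
```

Run it on the VM with the server FQDN as the argument; a "public" path or a closed port means traffic is not going through the private endpoint and the private DNS zone or NSG should be reviewed.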

Data exfiltration prevention

Data exfiltration in Azure SQL Database is when an authorized user, such as a database admin, is able to extract data from one system and move it to another location or system outside the organization. For example, the user moves the data to a storage account owned by a third party.

With Private Link, customers can now set up network access controls like NSGs to restrict access to the private endpoint. Individual Azure PaaS resources are then mapped to specific private endpoints. A malicious insider can only access the mapped PaaS resource (for example, a database in SQL Database) and no other resource.

Limitations

Connections to a private endpoint only support Proxy as the connection policy.

Connecting from an Azure VM in a peered virtual network

Configure virtual network peering to establish connectivity to SQL Database from an Azure VM in a peered virtual network.

Connecting from an Azure VM in a virtual-network-to-virtual-network environment

Configure a virtual-network-to-virtual-network VPN gateway connection to establish connectivity to a database in SQL Database from an Azure VM in a different region or subscription.

Connecting from an on-premises environment over VPN

To establish connectivity from an on-premises environment to the database in SQL Database, choose and implement one of the options:

Connecting from Azure Synapse Analytics to Azure Storage using PolyBase and the COPY statement

PolyBase and the COPY statement are commonly used to load data into Azure Synapse Analytics from Azure Storage accounts. If the Azure Storage account that you're loading data from limits access to a set of virtual network subnets via private endpoints, service endpoints, or IP-based firewalls, connectivity from PolyBase and the COPY statement to that account will break. To enable both import and export scenarios with Azure Synapse Analytics connecting to Azure Storage that's secured to a virtual network, follow the steps provided here.

Next steps