Store Vulnerability Assessment scan results in a storage account accessible behind firewalls and VNets

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance

If you restrict access to your Azure storage account to certain VNets or services, you need to enable the appropriate configuration so that Vulnerability Assessment (VA) scanning for SQL Database or SQL Managed Instance has access to that storage account.

Enable Azure SQL Database VA scanning access to the storage account

If you have configured your VA storage account to be accessible only from certain networks or services, you need to ensure that VA scans for your Azure SQL Database can still write their results to that storage account. To find out which storage account is being used, go to your SQL server pane in the Azure portal and, under Security, select Advanced data security.


You can use the existing storage account, or create a new storage account to store VA scan results for all databases on your logical SQL server.

Go to the Resource group that contains the storage account and open the Storage account pane. Under Settings, select Firewall and virtual networks.

Ensure that Allow trusted Microsoft services access to this storage account is checked.


Store VA scan results for Azure SQL Managed Instance in a storage account that can be accessed behind a firewall or VNet

Because a managed instance is not a trusted Microsoft service and sits in a different VNet from the storage account, executing a VA scan will result in an error unless the storage firewall is configured to admit the instance's subnet.

To support VA scans on managed instances, follow these steps:

  1. In the SQL managed instance pane, under the Overview heading, click the Virtual network/subnet link. This takes you to the Virtual network pane.


  2. Under Settings, select Subnets. Click Subnet in the new pane to add a subnet, and delegate it to Microsoft.sql\managedInstance. For more information, see Manage subnets.


  3. In your Virtual network pane, under Settings, select Service endpoints. Click Add in the new pane, and add the Microsoft.Storage service as a new service endpoint. Make sure the ManagedInstance subnet is selected. Click Add.


  4. Go to the Storage account that you selected to store your VA scans. Under Settings, select Firewall and virtual networks. Click Add existing virtual network. Select your managed instance virtual network and subnet, and click Add.


You should now be able to store your VA scans for managed instances in your storage account.
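The same configuration as an Azure CLI script, added here as an example and not taken from the original article. Resource group, storage account, VNet and subnet names are placeholders passed as arguments; it assumes `az` is logged in and that the subnet is already delegated to the managed instance (step 2).

```bash
# Added example, not part of the original article: the Azure CLI equivalent of
# the portal steps above. Resource names are placeholders passed as arguments:
# <resource-group> <storage-account> <mi-vnet> <mi-subnet>. Assumes `az` is
# logged in and the subnet is already delegated to the managed instance (step 2).
set -eu

# ARM resource ID of the managed-instance subnet; the storage firewall rule
# refers to the subnet by this ID.
subnet_resource_id() { # $1 subscription, $2 resource group, $3 vnet, $4 subnet
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Storage firewall: deny by default, but let trusted Microsoft services through
# (this is what the "Allow trusted Microsoft services" checkbox sets).
lock_down_storage() {
  az storage account update -g "$1" -n "$2" --default-action Deny --bypass AzureServices -o none
}

# Step 3: Microsoft.Storage service endpoint on the managed-instance subnet.
add_storage_endpoint() {
  az network vnet subnet update -g "$1" --vnet-name "$2" -n "$3" --service-endpoints Microsoft.Storage -o none
}

# Step 4: allow that subnet through the storage account firewall.
allow_subnet() {
  az storage account network-rule add -g "$1" --account-name "$2" --subnet "$3" -o none
}

# Check: the subnet ID must now be listed among the account's VNet rules.
verify_rule() {
  az storage account network-rule list -g "$1" --account-name "$2" \
    --query 'virtualNetworkRules[].virtualNetworkResourceId' -o tsv | grep -qiFx "$3"
}

main() {
  rg=$1; acct=$2; vnet=$3; subnet=$4
  sid=$(subnet_resource_id "$(az account show --query id -o tsv)" "$rg" "$vnet" "$subnet")
  lock_down_storage "$rg" "$acct"
  add_storage_endpoint "$rg" "$vnet" "$subnet"
  allow_subnet "$rg" "$acct" "$sid"
  verify_rule "$rg" "$acct" "$sid" && echo "storage firewall now allows $sid"
}

# With no arguments only the functions are defined (so the file can be sourced).
[ "$#" -eq 0 ] || main "$@"
```

Run it as `sh script.sh <resource-group> <storage-account> <mi-vnet> <mi-subnet>`; the final check fails with a non-zero exit code if the subnet rule did not land on the storage account.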

Next steps