Use virtual network service endpoints and rules for servers in Azure SQL Database

Applies to: Azure SQL Database, Azure Synapse Analytics

Virtual network rules are a firewall security feature that controls whether the server for your databases and elastic pools in Azure SQL Database, or for your dedicated SQL pool (formerly SQL DW) databases in Azure Synapse Analytics, accepts communications that are sent from particular subnets in virtual networks. This article explains why virtual network rules are sometimes your best option for securely allowing communication to your database in SQL Database and Azure Synapse Analytics.

Note

This article applies to both SQL Database and Azure Synapse Analytics. For simplicity, the term database refers to both databases in SQL Database and Azure Synapse Analytics. Likewise, any references to server refer to the logical SQL server that hosts SQL Database and Azure Synapse Analytics.

To create a virtual network rule, there must first be a virtual network service endpoint for the rule to reference.

Create a virtual network rule

If you want only to create a virtual network rule, you can skip ahead to the steps and explanation later in this article.

Details about virtual network rules

This section describes several details about virtual network rules.

Only one geographic region

Each virtual network service endpoint applies to only one Azure region. The endpoint doesn't enable other regions to accept communication from the subnet.

Any virtual network rule is limited to the region that its underlying endpoint applies to.

Server level, not database level

Each virtual network rule applies to your whole server, not just to one particular database on the server. In other words, virtual network rules apply at the server level, not at the database level.

In contrast, IP rules can apply at either level.

Security administration roles

There's a separation of security roles in the administration of virtual network service endpoints. Action is required from each of the following roles:

Azure RBAC alternative

The roles of Network Admin and Database Admin have more capabilities than are needed to manage virtual network rules. Only a subset of their capabilities is needed.

You have the option of using role-based access control (RBAC) in Azure to create a single custom role that has only the necessary subset of capabilities. The custom role can be used instead of involving either the Network Admin or the Database Admin. The surface area of your security exposure is lower if you add a user to a custom role than if you add the user to one of the two major administrator roles.

Note

In some cases, the database in SQL Database and the virtual network subnet are in different subscriptions. In these cases, you must ensure the following configurations:

  • Both subscriptions must be in the same Azure Active Directory (Azure AD) tenant.
  • The user has the required permissions to initiate operations, such as enabling service endpoints and adding a virtual network subnet to the given server.
  • Both subscriptions must have the Microsoft.Sql provider registered.

Limitations

For SQL Database, the virtual network rules feature has the following limitations:

  • In the firewall for your database in SQL Database, each virtual network rule references a subnet. All these referenced subnets must be hosted in the same geographic region that hosts the database.

  • Each server can have up to 128 ACL entries for any virtual network.

  • Virtual network rules apply only to Azure Resource Manager virtual networks and not to classic deployment model networks.

  • Turning on virtual network service endpoints to SQL Database also enables the endpoints for Azure Database for MySQL and Azure Database for PostgreSQL. With endpoints set to ON, attempts to connect from the endpoints to your Azure Database for MySQL or Azure Database for PostgreSQL instances might fail.

    • The underlying reason is that Azure Database for MySQL and Azure Database for PostgreSQL likely don't have a virtual network rule configured. You must configure a virtual network rule for Azure Database for MySQL and Azure Database for PostgreSQL for the connection to succeed.
  • On the firewall, IP address ranges do apply to the following networking items, but virtual network rules don't:

Considerations when you use service endpoints

When you use service endpoints for SQL Database, review the following considerations:

  • Outbound connectivity to Azure SQL Database public IPs is required. Network security groups (NSGs) must be opened to SQL Database IPs to allow connectivity. You can do this by using NSG service tags for SQL Database.

ExpressRoute

If you use ExpressRoute from your premises, for public peering or Microsoft peering, you'll need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses that are applied to Azure service traffic when the traffic enters the Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are provided by either the customer or the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. To learn more about NAT for ExpressRoute public and Microsoft peering, see NAT requirements for Azure public peering.

To allow communication from your circuit to SQL Database, you must create IP network rules for the public IP addresses of your NAT.

Impact of using virtual network service endpoints with Azure Storage

Azure Storage has implemented the same feature that allows you to limit connectivity to your Azure Storage account. If you choose to use this feature with an Azure Storage account that SQL Database is using, you can run into issues. Next is a list and discussion of SQL Database and Azure Synapse Analytics features that are affected by this.

Azure Synapse Analytics PolyBase and COPY statement

PolyBase and the COPY statement are commonly used to load data into Azure Synapse Analytics from Azure Storage accounts for high-throughput data ingestion. If the Azure Storage account that you're loading data from limits access to only a set of virtual network subnets, connectivity from PolyBase and the COPY statement to the storage account will break. To enable import and export scenarios by using COPY and PolyBase with Azure Synapse Analytics connecting to Azure Storage that's secured to a virtual network, follow the steps in this section.

Prerequisites

  • Install Azure PowerShell by using this guide.
  • If you have a general-purpose v1 or Azure Blob Storage account, you must first upgrade to general-purpose v2 by following the steps in Upgrade to a general-purpose v2 storage account.
  • You must have Allow trusted Microsoft services to access this storage account turned on under the Azure Storage account Firewalls and Virtual networks settings menu. Enabling this configuration allows PolyBase and the COPY statement to connect to the storage account by using strong authentication, where network traffic remains on the Azure backbone. For more information, see this guide.

Important

The PowerShell Azure Resource Manager module is still supported by SQL Database, but all future development is for the Az.Sql module. The AzureRM module will continue to receive bug fixes until at least December 2020. The arguments for the commands in the Az module and in the AzureRm module are substantially identical. For more about their compatibility, see Introducing the new Azure PowerShell Az module.

Steps

  1. If you have a standalone dedicated SQL pool, register your SQL server with Azure AD by using PowerShell:

    Connect-AzAccount -Environment AzureChinaCloud
    Select-AzSubscription -SubscriptionId <subscriptionId>
    Set-AzSqlServer -ResourceGroupName your-database-server-resourceGroup -ServerName your-SQL-servername -AssignIdentity
    
  2. Create a general-purpose v2 storage account by following the steps in Create a storage account.

    Note

  3. Under your storage account, go to Access Control (IAM), and select Add role assignment. Assign the Storage Blob Data Contributor Azure role to the server hosting your dedicated SQL pool, which you've registered with Azure AD.

    Note

    Only members with Owner privilege on the storage account can perform this step. For the various Azure built-in roles, see Azure built-in roles.

  4. To enable PolyBase connectivity to the Azure Storage account:

    1. Create a database master key if you haven't created one earlier.

      CREATE MASTER KEY [ENCRYPTION BY PASSWORD = 'somepassword'];
      
    2. Create a database-scoped credential with IDENTITY = 'Managed Service Identity'.

      CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';
      

      Note

      • There's no need to specify SECRET with an Azure Storage access key, because this mechanism uses Managed Identity under the covers.
      • The IDENTITY name should be 'Managed Service Identity' for PolyBase connectivity to work with an Azure Storage account secured to a virtual network.
    3. Create an external data source with the abfss:// scheme for connecting to your general-purpose v2 storage account by using PolyBase.

      CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (TYPE = hadoop, LOCATION = 'abfss://myfile@mystorageaccount.dfs.core.chinacloudapi.cn', CREDENTIAL = msi_cred);
      

      Note

      • If you already have external tables associated with a general-purpose v1 or Blob Storage account, you should first drop those external tables. Then drop the corresponding external data source. Next, create an external data source with the abfss:// scheme that connects to a general-purpose v2 storage account, as previously shown. Then re-create all the external tables by using this new external data source. You can use the Generate and Publish Scripts Wizard to generate create-scripts for all the external tables for ease.
      • For more information on the abfss:// scheme, see Use the Azure Data Lake Storage Gen2 URI.
      • For more information on CREATE EXTERNAL DATA SOURCE, see this guide.
    4. Query as normal by using external tables.
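The following PowerShell script is an added example, not code from the article or from Microsoft, that carries out steps 1 through 3 above and the "Allow trusted Microsoft services" prerequisite in one pass: it assigns the server's managed identity, verifies that the storage account is general-purpose v2, sets the storage firewall bypass for trusted Azure services, and grants the server's identity Storage Blob Data Contributor scoped to that single account. The resource group, server, storage account and subscription names are placeholders you must replace; the cmdlets used (Set-AzSqlServer, Get-AzStorageAccount, Update-AzStorageAccountNetworkRuleSet, Get-AzRoleAssignment, New-AzRoleAssignment) are standard Az module cmdlets.

```powershell
# Added example (not from the original article). All resource names are placeholders.
Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -SubscriptionId '<subscriptionId>'

$rg      = 'your-database-server-resourceGroup'   # placeholder: resource group of server and storage
$server  = 'your-SQL-servername'                  # placeholder: logical SQL server name
$storage = 'mystorageaccount'                     # placeholder: general-purpose v2 storage account

# Step 1: register the logical SQL server with Azure AD by assigning a system-assigned
# managed identity. The returned object carries the identity's principal id.
$sql = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
$principalId = $sql.Identity.PrincipalId
if (-not $principalId) {
    throw "Server '$server' has no managed identity principal id; identity assignment failed."
}

# Prerequisite check: PolyBase over abfss:// needs a general-purpose v2 (StorageV2) account.
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $storage
if ($sa.Kind -ne 'StorageV2') {
    throw "Storage account '$storage' is kind '$($sa.Kind)'; upgrade it to general-purpose v2 first."
}

# Prerequisite: "Allow trusted Microsoft services to access this storage account".
# In the network rule set this is the AzureServices bypass. Note that -Bypass replaces the
# whole bypass list, so include Logging/Metrics here too if you rely on them.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storage -Bypass AzureServices | Out-Null

# Step 3: grant the server's identity the data-plane role, scoped to this account only
# (least privilege: not the resource group or subscription). Skip if already assigned.
$role = 'Storage Blob Data Contributor'
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $sa.Id -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $sa.Id | Out-Null
    Write-Host "Assigned '$role' on $storage to server identity $principalId"
} else {
    Write-Host "'$role' already assigned on $storage to server identity $principalId"
}
```

The role assignment requires Owner (or User Access Administrator) on the storage account, as the note under step 3 says; the script fails at New-AzRoleAssignment otherwise. The T-SQL in step 4 is unchanged by this script: the database-scoped credential with IDENTITY = 'Managed Service Identity' is what makes PolyBase use the identity granted here.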

SQL Database blob auditing

Blob auditing pushes audit logs to your own storage account. If this storage account uses the virtual network service endpoints feature, connectivity from SQL Database to the storage account will break.

Add a virtual network firewall rule to your server

Long ago, before this feature was enhanced, you were required to turn on virtual network service endpoints before you could implement a live virtual network rule in the firewall. The endpoints related a given virtual network subnet to a database in SQL Database. As of January 2018, you can circumvent this requirement by setting the IgnoreMissingVNetServiceEndpoint flag. Now, you can add a virtual network firewall rule to your server without turning on virtual network service endpoints.

Merely setting a firewall rule doesn't help secure the server. You must also turn on virtual network service endpoints for the security to take effect. When you turn on service endpoints, your virtual network subnet experiences downtime until it completes the transition from turned off to on. This period of downtime is especially noticeable in large virtual networks. You can use the IgnoreMissingVNetServiceEndpoint flag to reduce or eliminate the downtime during transition.

You can set the IgnoreMissingVNetServiceEndpoint flag by using PowerShell. For more information, see PowerShell to create a virtual network service endpoint and rule for SQL Database.

Errors 40914 and 40615

Connection error 40914 relates to virtual network rules, as specified on the Firewall pane in the Azure portal. Error 40615 is similar, except it relates to IP address rules on the firewall.

Error 40914

Message text: "Cannot open server '[server-name]' requested by the login. Client is not allowed to access the server."

Error description: The client is in a subnet that has virtual network server endpoints. But the server has no virtual network rule that grants the subnet the right to communicate with the database.

Error resolution: On the Firewall pane of the Azure portal, use the virtual network rules control to add a virtual network rule for the subnet.

Error 40615

Message text: "Cannot open server '{0}' requested by the login. Client with IP address '{1}' is not allowed to access the server."

Error description: The client is trying to connect from an IP address that isn't authorized to connect to the server. The server firewall has no IP address rule that allows a client to communicate from the given IP address to the database.

Error resolution: Enter the client's IP address as an IP rule. Use the Firewall pane in the Azure portal to do this step.

Use the portal to create a virtual network rule

This section illustrates how you can use the Azure portal to create a virtual network rule for your database in SQL Database. The rule tells your database to accept communication from a particular subnet that's been tagged as being a virtual network service endpoint.

Note

If you intend to add a service endpoint to the virtual network firewall rules of your server, first ensure that service endpoints are turned on for the subnet.

If service endpoints aren't turned on for the subnet, the portal asks you to enable them. Select the Enable button on the same pane on which you add the rule.

PowerShell alternative

A script can also create virtual network rules by using the PowerShell cmdlet New-AzSqlServerVirtualNetworkRule or az network vnet create. If you're interested, see PowerShell to create a virtual network service endpoint and rule for SQL Database.
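The script below is an added example, not code from the article or from Microsoft, that covers both the IgnoreMissingVNetServiceEndpoint discussion in "Add a virtual network firewall rule to your server" and the PowerShell alternative just described. It applies the checks from the "Details" and "Limitations" sections before doing anything (the virtual network must be in the server's region, and the server must have fewer than 128 rules), turns on the Microsoft.Sql service endpoint on the subnet, creates the rule with -IgnoreMissingVnetServiceEndpoint so the rule can exist before the endpoint transition completes, and then polls the rule until it leaves the InProgress state. Resource names are placeholders; the cmdlets (Get-AzSqlServer, Get-AzVirtualNetwork, Get-/Set-AzVirtualNetworkSubnetConfig, Set-AzVirtualNetwork, New-/Get-AzSqlServerVirtualNetworkRule) are standard Az module cmdlets.

```powershell
# Added example (not from the original article). All resource names are placeholders.
$rg         = 'your-database-server-resourceGroup'   # placeholder
$server     = 'your-SQL-servername'                  # placeholder
$vnetRg     = 'your-vnet-resourceGroup'              # placeholder (may be another subscription's RG)
$vnetName   = 'your-vnet'                            # placeholder
$subnetName = 'your-subnet'                          # placeholder
$ruleName   = "vnet-rule-$subnetName"                # placeholder rule name

$sql  = Get-AzSqlServer -ResourceGroupName $rg -ServerName $server
$vnet = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName

# Check 1 (Only one geographic region): a rule is limited to the region of its endpoint,
# so a subnet in another region would produce a rule that never matches any client.
if ($vnet.Location -ne $sql.Location) {
    throw "Virtual network is in '$($vnet.Location)' but server is in '$($sql.Location)'; rule would never apply."
}

# Check 2 (Limitations): at most 128 virtual network rules (ACL entries) per server.
$rules = @(Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server)
if ($rules.Count -ge 128) {
    throw "Server '$server' already has $($rules.Count) virtual network rules; the limit is 128."
}

# Step A: turn on the Microsoft.Sql service endpoint on the subnet. This is what makes the
# rule effective; the subnet may see downtime while the endpoint transitions off -> on.
$subnet    = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$endpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
if ($endpoints -notcontains 'Microsoft.Sql') {
    $endpoints += 'Microsoft.Sql'     # keep any endpoints already on the subnet
    $vnet = Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
                -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint $endpoints
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
}

# Step B: create the rule. -IgnoreMissingVnetServiceEndpoint lets the rule be created even if
# the endpoint is not (yet) on, e.g. when you run step B before step A to shorten downtime.
# Until the endpoint is on, the rule exists but admits no traffic.
$rule = New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
            -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnet.Id `
            -IgnoreMissingVnetServiceEndpoint

# Step C: the portal's Ready / Failed / InProgress states are visible as the rule's State.
# Only Ready means the rule is applied; while InProgress the previous rule set still applies.
do {
    Start-Sleep -Seconds 5
    $rule = Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
                -VirtualNetworkRuleName $ruleName
} while ($rule.State -eq 'InProgress')

if ($rule.State -ne 'Ready') {
    throw "Rule '$ruleName' ended in state '$($rule.State)'."
}
Write-Host "Rule '$ruleName' is Ready for subnet $($subnet.Id)"
```

Run the script with an identity that holds the network permissions for the subnet and the SQL permissions for the server, per the "Security administration roles" section; a custom RBAC role with only those two capabilities is enough. If the subnet is in a different subscription, both subscriptions must be in the same Azure AD tenant and have the Microsoft.Sql provider registered, as the note earlier in the article states.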

REST API alternative

Internally, the PowerShell cmdlets for SQL virtual network actions call REST APIs. You can call the REST APIs directly.

Prerequisites

You must already have a subnet that's tagged with the particular virtual network service endpoint type name relevant to SQL Database.

Azure portal steps

  1. Sign in to the Azure portal.

  2. Search for and select SQL servers, and then select your server. Under Security, select Firewalls and virtual networks.

  3. Set Allow access to Azure services to OFF.

    Important

    If you leave the control set to ON, your server accepts communication from any subnet inside the Azure boundary, that is, communication that originates from one of the IP addresses recognized as being within the ranges defined for Azure datacenters. Leaving the control set to ON might be excessive access from a security point of view. The Azure Virtual Network service endpoint feature, in coordination with the virtual network rules feature of SQL Database, can reduce your security surface area.

  4. Select + Add existing in the Virtual networks section.

    Screenshot that shows selecting + Add existing (a subnet endpoint, as a SQL rule).

  5. In the new Create/Update pane, fill in the boxes with the names of your Azure resources.

    Tip

    You must include the correct address prefix for your subnet. You can find the Address prefix value in the portal. Go to All resources > All types > Virtual networks. The filter displays your virtual networks. Select your virtual network, and then select Subnets. The ADDRESS RANGE column has the address prefix you need.

    Screenshot that shows filling in the boxes for the new rule.

  6. Select the OK button near the bottom of the pane.

  7. See the resulting virtual network rule on the Firewall pane.

    Screenshot that shows the new rule on the Firewall pane.

Note

The following statuses or states apply to the rules:

  • Ready: Indicates that the operation you initiated has succeeded.
  • Failed: Indicates that the operation you initiated has failed.
  • Deleted: Only applies to the Delete operation and indicates that the rule has been deleted and no longer applies.
  • InProgress: Indicates that the operation is in progress. The old rule applies while the operation is in this state.

Next steps