Connect your application to Azure SQL Managed Instance

Applies to: Azure SQL Managed Instance

Today you have multiple choices when deciding how and where you host your application.

You can host your application in the cloud by using Azure App Service or one of Azure's virtual network integrated options, such as Azure App Service Environment, Azure Virtual Machines, and virtual machine scale sets. You can also take a hybrid cloud approach and keep your applications on-premises.

Whatever choice you make, you can connect it to Azure SQL Managed Instance.

High availability

This article describes how to connect an application to Azure SQL Managed Instance in a number of different application scenarios.

Connect inside the same VNet

Connecting an application inside the same virtual network as SQL Managed Instance is the simplest scenario. Virtual machines inside the virtual network can connect to each other directly even if they are inside different subnets. That means that all you need to do to connect an application inside App Service Environment or a virtual machine is to set the connection string appropriately.

Connect inside a different VNet

Connecting an application that resides in a different virtual network from SQL Managed Instance is a bit more complex, because SQL Managed Instance has private IP addresses in its own virtual network. To connect, an application needs access to the virtual network where SQL Managed Instance is deployed, so you need to make a connection between the application and the SQL Managed Instance virtual network. The virtual networks don't have to be in the same subscription for this scenario to work.

There are two options for connecting virtual networks:

Peering is preferable because it uses the Azure backbone network, so from the connectivity perspective, there is no noticeable difference in latency between virtual machines in a peered virtual network and in the same virtual network. Virtual network peering is supported between networks in the same region. Global virtual network peering is also supported, with the limitation described in the note below.

Important

On 9/22/2020 we announced global virtual network peering for newly created virtual clusters. That means that global virtual network peering is supported for SQL Managed Instances created in empty subnets after the announcement date, as well as for all the subsequent managed instances created in those subnets. For all other SQL Managed Instances, peering support is limited to networks in the same region due to the constraints of global virtual network peering. See also the relevant section of the Azure Virtual Networks frequently asked questions article for more details.

Connect from on-premises

You can also connect your on-premises application to SQL Managed Instance. SQL Managed Instance can only be accessed through a private IP address. To access it from on-premises, you need to make a site-to-site connection between the application and the SQL Managed Instance virtual network.

There are two options for connecting on-premises to an Azure virtual network:

If you've established an on-premises to Azure connection successfully and you can't establish a connection to SQL Managed Instance, check that your firewall allows outbound connections on SQL port 1433 as well as on the 11000-11999 range of ports used for redirection.

Connect the developer box

It is also possible to connect your developer box to SQL Managed Instance. SQL Managed Instance can be accessed only through a private IP address, so to access it from your developer box, you first need to make a connection between your developer box and the SQL Managed Instance virtual network. To do so, configure a point-to-site connection to a virtual network using native Azure certificate authentication. For more information, see Configure a point-to-site connection to connect to Azure SQL Managed Instance from an on-premises computer.

Connect with VNet peering

Another scenario implemented by customers is where a VPN gateway is installed in a separate virtual network and subscription from the one hosting SQL Managed Instance. The two virtual networks are then peered. The following sample architecture diagram shows how this can be implemented.

Virtual network peering

Once you have the basic infrastructure set up, you need to modify some settings so that the VPN gateway can see the IP addresses in the virtual network that hosts SQL Managed Instance. To do so, make the following very specific changes under the Peering settings.

  1. In the virtual network that hosts the VPN gateway, go to Peerings, go to the peered virtual network connection for SQL Managed Instance, and then click Allow Gateway Transit.
  2. In the virtual network that hosts SQL Managed Instance, go to Peerings, go to the peered virtual network connection for the VPN gateway, and then click Use remote gateways.

Connect Azure App Service

You can also connect an application that's hosted by Azure App Service. SQL Managed Instance can be accessed only through a private IP address, so to access it from Azure App Service, you first need to make a connection between the application and the SQL Managed Instance virtual network. See Integrate your app with an Azure virtual network.

For troubleshooting, see Troubleshooting virtual networks and applications. If a connection cannot be established, try syncing the networking configuration.

A special case of connecting Azure App Service to SQL Managed Instance is when you integrate Azure App Service with a network peered to a SQL Managed Instance virtual network. That case requires the following configuration to be set up:

  • SQL Managed Instance virtual network must NOT have a gateway
  • SQL Managed Instance virtual network must have the Use remote gateways option set
  • Peered virtual network must have the Allow gateway transit option set

This scenario is illustrated in the following diagram:

Integrated app peering

Note

The virtual network integration feature does not integrate an app with a virtual network that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, virtual network integration does not work. If you need to access resources through an ExpressRoute connection, you can use App Service Environment, which runs in your virtual network.

Troubleshooting connectivity issues

For troubleshooting connectivity issues, review the following:

  • If you are unable to connect to SQL Managed Instance from an Azure virtual machine within the same virtual network but a different subnet, check if you have a Network Security Group set on the VM subnet that might be blocking access. Additionally, open outbound connections on SQL port 1433 as well as on ports in the range 11000-11999, since those are needed for connecting via redirection inside the Azure boundary.

  • Ensure that BGP Propagation is set to Enabled for the route table associated with the virtual network.

  • If using P2S VPN, check the configuration in the Azure portal to see if you see Ingress/Egress numbers. Non-zero numbers indicate that Azure is routing traffic to/from on-premises.

    Ingress/egress numbers

  • Check that the client machine (that is running the VPN client) has route entries for all the virtual networks that you need to access. The routes are stored in %AppData%\Roaming\Microsoft\Network\Connections\Cm\<GUID>\routes.txt.

    route.txt

    As shown in this image, there are two entries for each virtual network involved and a third entry for the VPN endpoint that is configured in the portal.

    Another way to check the routes is via the following command. The output shows the routes to the various subnets:

    C:\ >route print -4
    ===========================================================================
    Interface List
    14...54 ee 75 67 6b 39 ......Intel(R) Ethernet Connection (3) I218-LM
    57...........................rndatavnet
    18...94 65 9c 7d e5 ce ......Intel(R) Dual Band Wireless-AC 7265
    1...........................Software Loopback Interface 1
    Adapter===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
           10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
           10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
    ===========================================================================
    Persistent Routes:
    None
    
  • If you're using virtual network peering, ensure that you have followed the instructions for setting Allow Gateway Transit and Use Remote Gateways.

  • If you're using virtual network peering to connect an Azure App Service hosted application, and the SQL Managed Instance virtual network has a public IP address range, make sure that your hosted application settings allow your outbound traffic to be routed to public IP networks. Follow the instructions in Regional virtual network integration.
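The route check from the list above, automated as an added example that is not part of the original article: it parses `route print -4` output and reports which required virtual network prefixes have a specific route on the VPN interface. The list of required prefixes, the `10.1.0.0/24` entry, and the choice of `172.26.34.2` as the VPN adapter address are assumptions made for illustration.

```python
import ipaddress
import re

# "Active Routes" portion of the `route print -4` output shown above.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
         10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
         10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
===========================================================================
Persistent Routes:
None
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")


def parse_active_routes(text):
    """Return (network, gateway, interface, metric) tuples from Active Routes."""
    routes, active = [], False
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Active Routes"):
            active = True
        elif head.startswith("Persistent Routes"):
            active = False
        elif active and (m := ROUTE.match(line)):
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
    return routes


def check_coverage(text, required_prefixes, vpn_interface):
    """Map each prefix to True if a non-default VPN-interface route contains it."""
    vpn_nets = [net for net, _, iface, _ in parse_active_routes(text)
                if iface == vpn_interface and net.prefixlen > 0]
    return {p: any(ipaddress.ip_network(p).subnet_of(n) for n in vpn_nets)
            for p in required_prefixes}


if __name__ == "__main__":
    # Assumed values: 172.26.34.2 as the VPN adapter, 10.1.0.0/24 as a missing VNet.
    wanted = ["10.0.0.0/24", "10.4.0.0/24", "10.1.0.0/24"]
    for prefix, ok in check_coverage(SAMPLE, wanted, "172.26.34.2").items():
        print(f"{prefix}: {'routed via VPN' if ok else 'NO ROUTE - check routes.txt'}")
```

A prefix reported without a route means the VPN client profile does not advertise that virtual network, which matches the peering and routes.txt checks in the list above.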

Required versions of drivers and tools

The following minimal versions of the tools and drivers are recommended if you want to connect to SQL Managed Instance:

Driver/tool         Version
.NET Framework      4.6.1 (or .NET Core)
ODBC driver         v17
PHP driver          5.2.0
JDBC driver         6.4.0
Node.js driver      2.1.1
OLEDB driver        18.0.2.0
SSMS                18.0 or higher
SMO                 150 or higher

Next steps