Azure SQL Managed Instance frequently asked questions (FAQ)

APPLIES TO: Azure SQL Managed Instance

This article contains the most common questions about Azure SQL Managed Instance.

Supported features

Where can I find a list of features supported on SQL Managed Instance?

For a list of supported features in SQL Managed Instance, see Azure SQL Managed Instance features.

For differences in syntax and behavior between Azure SQL Managed Instance and SQL Server, see T-SQL differences from SQL Server.

Technical specifications, resource limits and other limitations

Where can I find technical characteristics and resource limits for SQL Managed Instance?

For available hardware generation characteristics, see Technical differences in hardware generations. For available service tiers and their characteristics, see Technical differences between service tiers.

What service tier am I eligible for?

Any customer is eligible for any service tier. However, if you want to exchange your existing licenses for discounted rates on Azure SQL Managed Instance by using Azure Hybrid Benefit, bear in mind that SQL Server Enterprise Edition customers with Software Assurance are eligible for the General Purpose or Business Critical performance tiers, and SQL Server Standard Edition customers with Software Assurance are eligible for the General Purpose performance tier only. For more details, see Specific rights of the AHB.

Which Azure regions are supported?

Managed instances can be created in most Azure regions; see Supported regions for SQL Managed Instance.

Are there any quota limitations for SQL Managed Instance deployments?

Managed instance has two default limits: a limit on the number of subnets you can use and a limit on the number of vCores you can provision. Limits vary across subscription types and regions. For the list of regional resource limitations by subscription type, see the table in Regional resource limitations. These are soft limits that can be increased on demand.

Can I increase the database limit (100) on my managed instance on demand?

No, and currently there are no committed plans to increase the number of databases on SQL Managed Instance.

Where can I migrate if I have more than 8 TB of data?

You can consider migrating to other Azure flavors that suit your workload: Azure SQL Database Hyperscale or SQL Server on Azure Virtual Machines.

Where can I migrate if I have specific hardware requirements, such as a larger RAM-to-vCore ratio or more CPUs?

You can consider migrating to SQL Server on Azure Virtual Machines or to memory- or CPU-optimized Azure SQL Database.

Known issues and defects

Where can I find known issues and defects?

For product defects and known issues, see Known issues.

New features

Where can I find the latest features and the features in public preview?

For new and preview features, see Release notes.

Create, update, delete or move SQL Managed Instance

How can I provision SQL Managed Instance?

You can provision an instance from the Azure portal, PowerShell, Azure CLI or ARM templates.

Can I provision managed instances in an existing subscription?

Yes, you can provision a managed instance in an existing subscription.

Why couldn't I provision a managed instance in a subnet whose name starts with a digit?

This is a current limitation of an underlying component that validates the subnet name against the regex ^[a-zA-Z_][^\/:*?"<>|`'^]*(?<![.\s])$. All names that pass the regex and are valid subnet names are currently supported.

How can I scale my managed instance?

You can scale your managed instance from the Azure portal, PowerShell, Azure CLI or ARM templates.

Can I move my managed instance from one region to another?

Yes, you can. For instructions, see Move resources across regions.

How can I delete my managed instance?

You can delete managed instances via the Azure portal, PowerShell, Azure CLI or Resource Manager REST APIs.

How much time does it take to create or update an instance, or to restore a database?

The expected time to create a new managed instance or to change service tiers (vCores, storage) depends on several factors. See Management operations.

Naming conventions

Can a managed instance have the same name as a SQL Server on-premises instance?

Changing a managed instance name is not supported.

Can I change the DNS zone prefix?

Yes, the managed instance default DNS zone .database.chinacloudapi.cn can be changed.

To use another DNS zone instead of the default, for example .contoso.com:

  • Use CliConfig to define an alias. The tool is just a registry settings wrapper, so this can be done using group policy or a script as well.
  • Use a CNAME with the TrustServerCertificate=true option.

Migration options

How can I migrate from an Azure SQL Database single database or elastic pool to SQL Managed Instance?

Managed instance offers the same performance levels per compute and storage size as other deployment options of Azure SQL Database. If you want to consolidate data on a single instance, or you simply need a feature supported exclusively in managed instance, you can migrate your data by using export/import (BACPAC) functionality. Here are other ways to consider for migrating SQL Database to SQL Managed Instance:

How can I migrate my instance database to a single Azure SQL Database?

One option is to export a database to BACPAC and then import the BACPAC file. This is the recommended approach if your database is smaller than 100 GB.

Transactional replication can be used if all tables in the database have primary keys and there are no In-Memory OLTP objects in the database.

Native COPY_ONLY backups taken from managed instance cannot be restored to SQL Server, because managed instance has a higher database version than SQL Server. For more details, see Copy-only backup.

How can I migrate my SQL Server instance to SQL Managed Instance?

To migrate your SQL Server instance, see SQL Server instance migration to Azure SQL Managed Instance.

How can I migrate from other platforms to SQL Managed Instance?

For information about migrating from other platforms, see the Azure Database Migration Guide.

Switch hardware generation

Can I switch my managed instance hardware generation between Gen4 and Gen5 online?

Automated online switching from Gen4 to Gen5 is possible if Gen5 hardware is available in the region where your managed instance is provisioned. In this case, see the vCore model overview page, which explains how to switch between hardware generations.

This is a long-running operation: a new managed instance is provisioned in the background, databases are automatically transferred between the old and new instance, and a quick failover happens at the end of the process.

Note: Gen4 hardware is being phased out and is no longer available for new deployments. All new databases must be deployed on Gen5 hardware. Switching from Gen5 to Gen4 is also not available.

Performance

How can I compare managed instance performance to SQL Server performance?

For a performance comparison between managed instance and SQL Server, a good starting point is the article Best practices for performance comparison between Azure SQL Managed Instance and SQL Server.

What causes performance differences between managed instance and SQL Server?

See Key causes of performance differences between SQL Managed Instance and SQL Server. For more information about the impact of log file size on General Purpose managed instance performance, see Impact of log file size on General Purpose.

How do I tune the performance of my managed instance?

You can optimize the performance of your managed instance by using:

  • Automatic tuning, which provides peak performance and stable workloads through continuous, AI-based performance tuning.
  • In-Memory OLTP, which improves throughput and latency on transactional processing workloads and delivers faster business insights.

To tune performance even further, consider applying some of the best practices for application and database tuning. If your workload consists of many small transactions, consider switching the connection type from proxy to redirect mode for lower latency and higher throughput.

Monitoring, metrics and alerts

What are the options for monitoring and alerting for my managed instance?

For all possible options to monitor and alert on SQL Managed Instance consumption and performance, see the blog post Azure SQL Managed Instance monitoring options. For real-time performance monitoring of SQL MI, see Real-time performance monitoring for Azure SQL DB Managed Instance.

Can I use SQL Profiler for performance tracking?

Yes, SQL Profiler is supported for SQL Managed Instance. For more details, see SQL Profiler.

Are Database Advisor and Query Performance Insight supported for managed instance databases?

No, they are not supported. You can use DMVs and Query Store together with SQL Profiler and XEvents to monitor your databases.

Can I create metric alerts on SQL Managed Instance?

Yes. For instructions, see Create alerts for SQL Managed Instance.

Can I create metric alerts on a database in managed instance?

No; alerting metrics are available for the managed instance only. Alerting metrics for individual databases in a managed instance are not available.

Storage size

What is the maximum storage size for SQL Managed Instance?

The storage size for SQL Managed Instance depends on the selected service tier (General Purpose or Business Critical). For the storage limitations of these service tiers, see Service tier characteristics.

What is the minimum storage size available for a managed instance?

The minimum amount of storage available in an instance is 32 GB. Storage can be added in increments of 32 GB up to the maximum storage size. The first 32 GB are free of charge.

Can I increase the storage space assigned to an instance independently from compute resources?

Yes, you can purchase add-on storage independently from compute, to some extent. See Max instance reserved storage in the table.

How can I optimize my storage performance in the General Purpose service tier?

To optimize storage performance, see Storage best practices in General Purpose.

Backup and restore

Is the backup storage deducted from my managed instance storage?

No, backup storage is not deducted from your managed instance storage space. Backup storage is independent from the instance storage space and is not limited in size. Backup storage is limited by the period for which the backups of your instance databases are retained, configurable up to 35 days. For details, see Automated backups.

How can I see when automated backups are made on my managed instance?

To track when automated backups have been performed on a managed instance, see How to track the automated backup for an Azure SQL Managed Instance.

Is on-demand backup supported?

Yes, you can create a copy-only full backup in your Azure Blob Storage, but it will only be restorable in Managed Instance. For details, see Copy-only backup. However, a copy-only backup is impossible if the database is encrypted by service-managed TDE, since the certificate used for encryption is inaccessible. In such a case, use the point-in-time restore feature to move the database to another SQL Managed Instance, or switch to a customer-managed key.

Is native restore (from .bak files) to Managed Instance supported?

Yes, it is supported and available for SQL Server 2005 and later versions. To use native restore, upload your .bak file to Azure Blob Storage and execute T-SQL commands. For more details, see Native restore from URL.
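As an added example (not code from this page or from Microsoft's documentation), the following T-SQL walks through both of the preceding answers: the on-demand copy-only backup to Azure Blob Storage, and the native restore of a .bak file from the same container. The storage account (examplestorage), container (backups), database names and the SAS token are placeholders; the blob endpoint uses the China cloud suffix to match the DNS zone this page describes.

```sql
-- Added example, not from the page: copy-only backup to, and native restore
-- from, Azure Blob Storage on SQL Managed Instance.
-- Placeholders: storage account "examplestorage", container "backups",
-- database "SalesDb", and the SAS token value.

-- 1. Register a SAS credential. On Managed Instance the credential name is the
--    container URL; the secret is the SAS token without the leading '?'.
--    Grant only what the operation needs (read + list for restore,
--    add write + create for backup) and use a short expiry.
CREATE CREDENTIAL [https://examplestorage.blob.core.chinacloudapi.cn/backups]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET   = 'sv=PLACEHOLDER&ss=b&srt=co&sp=rwlc&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER';
GO

-- 2. On-demand backup. Managed Instance only accepts COPY_ONLY manual backups,
--    so the automated backup chain is left untouched. The target blob must not
--    already exist. This step fails if the database uses service-managed TDE,
--    because the encrypting certificate is not exportable (see the page's
--    on-demand backup answer); switch to a customer-managed key in that case.
BACKUP DATABASE [SalesDb]
TO URL = 'https://examplestorage.blob.core.chinacloudapi.cn/backups/SalesDb.bak'
WITH COPY_ONLY, CHECKSUM;
GO

-- 3. Native restore of a .bak produced by SQL Server 2005 or later and uploaded
--    to the container. Inspect the file before trusting it, then restore.
--    WITH MOVE is not used: file placement is managed by the service.
RESTORE HEADERONLY
FROM URL = 'https://examplestorage.blob.core.chinacloudapi.cn/backups/SalesDb.bak';
RESTORE FILELISTONLY
FROM URL = 'https://examplestorage.blob.core.chinacloudapi.cn/backups/SalesDb.bak';
GO

RESTORE DATABASE [SalesDb_restored]
FROM URL = 'https://examplestorage.blob.core.chinacloudapi.cn/backups/SalesDb.bak';
GO

-- 4. Drop the credential once the operation is done so the SAS token
--    does not linger on the instance.
DROP CREDENTIAL [https://examplestorage.blob.core.chinacloudapi.cn/backups];
GO
```

The restore into a differently named database (SalesDb_restored) lets you verify the contents before swapping it in; the copy-only backup created in step 2 can only be restored to a managed instance, as the page notes, so a .bak destined for SQL Server has to be produced on the SQL Server side.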

Business continuity

Are my system databases replicated to the secondary instance in a failover group?

System databases are not replicated to the secondary instance in a failover group. Therefore, scenarios that depend on objects from the system databases will not work on the secondary instance unless the objects are manually created on the secondary. For a workaround, see Enable scenarios dependent on objects from the system databases.

Networking requirements

What are the current inbound/outbound NSG constraints on the managed instance subnet?

The required NSG and UDR rules are documented here and are set automatically by the service. Keep in mind that these rules are just the ones needed to maintain the service. To connect to the managed instance and use different features, you will need to set additional, feature-specific rules that you maintain yourself.

How can I set inbound NSG rules on management ports?

SQL Managed Instance is responsible for setting rules on management ports. This is achieved through functionality named service-aided subnet configuration. It ensures an uninterrupted flow of management traffic so that the SLA can be met.

Can I get the source IP ranges that are used for the inbound management traffic?

Yes. You can analyze traffic coming through your network security group by configuring Network Watcher flow logs.

Can I set an NSG to control access to the data endpoint (port 1433)?

Yes. After a managed instance is provisioned, you can set an NSG that controls inbound access to port 1433. It is advised to narrow its source IP range as much as possible.

Can I set an NVA or on-premises firewall to filter the outbound management traffic based on FQDNs?

No. This is not supported for several reasons:

  • Routing traffic that represents responses to inbound management requests would be asymmetric and could not work.
  • Routing traffic that goes to storage would be affected by throughput constraints and latency, so we would not be able to provide the expected service quality and availability.
  • Based on experience, these configurations are error-prone and not supportable.

Can I set an NVA or firewall for the outbound non-management traffic?

Yes. The simplest way to achieve this is to add a 0/0 rule to a UDR associated with the managed instance subnet to route traffic through the NVA.

How many IP addresses do I need for a managed instance?

The subnet must have a sufficient number of available IP addresses. To determine the VNet subnet size for SQL Managed Instance, see Determine required subnet size and range for Managed Instance.

What if there are not enough IP addresses for performing an instance update operation?

If there are not enough IP addresses in the subnet where your managed instance is provisioned, you will have to create a new subnet and a new managed instance inside it. We also suggest creating the new subnet with more IP addresses allocated, so that future update operations avoid similar situations. After the new instance is provisioned, you can manually back up and restore data between the old and new instances, or perform a cross-instance point-in-time restore.

Do I need an empty subnet to create a managed instance?

No. You can use either an empty subnet or a subnet that already contains managed instances.

Can I change the subnet address range?

Not if there are managed instances inside. This is an Azure networking infrastructure limitation. You are only allowed to add additional address space to an empty subnet.

Can I move my managed instance to another subnet?

No. This is a current managed instance design limitation. However, you can provision a new instance in another subnet and manually back up and restore data between the old and the new instance, or perform a cross-instance point-in-time restore.

Do I need an empty virtual network to create a managed instance?

This is not required. You can either Create a virtual network for Azure SQL Managed Instance or Configure an existing virtual network for Azure SQL Managed Instance.

Can I place a managed instance with other services in a subnet?

No. Currently we do not support placing a managed instance in a subnet that already contains other resource types.

Connectivity

Can I connect to my managed instance using an IP address?

No, this is not supported. A managed instance's host name maps to the load balancer in front of the managed instance's virtual cluster. As one virtual cluster can host multiple managed instances, a connection cannot be routed to the proper managed instance without specifying its name. For more information on the SQL Managed Instance virtual cluster architecture, see Virtual cluster connectivity architecture.

Can my managed instance have a static IP address?

This is currently not supported.

In rare but necessary situations, we might need to do an online migration of a managed instance to a new virtual cluster. If needed, this migration is because of changes in our technology stack aimed at improving the security and reliability of the service. Migrating to a new virtual cluster results in changing the IP address that is mapped to the managed instance host name. The managed instance service doesn't claim static IP address support and reserves the right to change the address without notice as part of regular maintenance cycles.

For this reason, we strongly discourage relying on the immutability of the IP address, as it could cause unnecessary downtime.

Does Managed Instance have a public endpoint?

Yes. Managed Instance has a public endpoint that is by default used only for service management, but a customer may enable it for data access as well. For more details, see Use SQL Managed Instance with public endpoints. To configure the public endpoint, go to Configure public endpoint in SQL Managed Instance.

How does Managed Instance control access to the public endpoint?

Managed Instance controls access to the public endpoint at both the network and application level.

Management and deployment services connect to a managed instance by using a management endpoint that maps to an external load balancer. Traffic is routed to the nodes only if it's received on a predefined set of ports that only the managed instance's management components use. A built-in firewall on the nodes is set up to allow traffic only from Microsoft IP ranges. Certificates mutually authenticate all communication between management components and the management plane. For more details, see Connectivity architecture for SQL Managed Instance.

Can I use the public endpoint to access the data in Managed Instance databases?

Yes. The customer will need to enable public endpoint data access from the Azure portal, PowerShell or ARM, and configure an NSG to lock down access to the data port (port number 3342). For more information, see Configure public endpoint in Azure SQL Managed Instance and Use Azure SQL Managed Instance securely with public endpoint.

Can I specify a custom port for the SQL data endpoint(s)?

No, this option is not available.

What is the recommended way to connect managed instances placed in different regions?

ExpressRoute circuit peering is the preferred way to do that. This is not to be confused with cross-region virtual network peering, which is not supported due to an internal load balancer-related constraint.

If ExpressRoute circuit peering is not possible, the only other option is to create a Site-to-Site VPN connection (Azure portal, PowerShell, Azure CLI).

Mitigate data exfiltration risks

How can I mitigate data exfiltration risks?

To mitigate data exfiltration risks, customers are recommended to apply a set of security settings and controls:

  • Turn on Transparent Data Encryption (TDE) on all databases.
  • Turn off the Common Language Runtime (CLR). This is recommended on-premises as well.
  • Use Azure Active Directory (Azure AD) authentication only.
  • Access the instance with a low-privileged DBA account.
  • Configure JIT jumpbox access for the sysadmin account.
  • Turn on SQL auditing, and integrate it with alerting mechanisms.
  • Turn on Threat Detection from the advanced data security (ADS) suite.
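Most of the items in that checklist correspond to instance-level settings that can be inspected from T-SQL, so here is an added example (not from the page or from Microsoft) of a read-only posture check a DBA can run on the managed instance, followed by the remediation statements for the two items that are pure T-SQL (TDE and CLR). It assumes the caller is a member of sysadmin; SalesDb is a placeholder database name.

```sql
-- Added example, not from the page: posture check for the exfiltration
-- mitigations listed in the FAQ, run against the managed instance.

-- 1. Databases that are not protected by Transparent Data Encryption.
SELECT name AS [database], is_encrypted
FROM sys.databases
WHERE database_id > 4            -- skip master, tempdb, model, msdb
  AND is_encrypted = 0;

-- 2. Is CLR enabled at the instance level? value_in_use = 1 means it is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';

-- 3. Enabled SQL-authenticated logins. With an "Azure AD only" policy this
--    list should be empty apart from the logins you deliberately keep.
SELECT name, create_date, modify_date
FROM sys.sql_logins
WHERE is_disabled = 0;

-- 4. Who holds sysadmin. Day-to-day DBA work should use a lower-privileged
--    account; sysadmin members should be few and reachable only via the
--    JIT jumpbox path.
SELECT m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Is a server audit defined and currently running?
SELECT name, is_state_enabled
FROM sys.server_audits;

-- Remediation for the two T-SQL-only items (apply after reviewing the output).
ALTER DATABASE [SalesDb] SET ENCRYPTION ON;   -- placeholder; repeat per database

EXEC sp_configure 'clr enabled', 0;           -- turn CLR off
RECONFIGURE;
```

Azure AD-only authentication, JIT access, alert integration and Threat Detection are configured outside T-SQL (in the portal, PowerShell or ARM), which is why the block only reports on them rather than changing them.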

DNS

Can I configure a custom DNS for SQL Managed Instance?

Yes. See How to configure a custom DNS for Azure SQL Managed Instance.

Can I do a DNS refresh?

Currently, we don't provide a feature to refresh the DNS server configuration for SQL Managed Instance.

The DNS configuration is eventually refreshed:

  • When the DHCP lease expires.
  • On platform upgrade.

As a workaround, downgrade SQL Managed Instance to 4 vCores and upgrade it again afterward. This has the side effect of refreshing the DNS configuration.

Change time zone

Can I change the time zone for an existing managed instance?

The time zone configuration can be set when a managed instance is provisioned for the first time. Changing the time zone of an existing managed instance isn't supported. For details, see Time zone limitations.

Workarounds include creating a new managed instance with the proper time zone and then either performing a manual backup and restore or, as we recommend, performing a cross-instance point-in-time restore.

Security and database encryption

Is the sysadmin server role available for SQL Managed Instance?

Yes, customers can create logins that are members of the sysadmin role. Customers who assume the sysadmin privilege are also assuming responsibility for operating the instance, which can negatively impact the SLA commitment. To add a login to the sysadmin server role, see Azure AD authentication.

Is Transparent Data Encryption supported for SQL Managed Instance?

Yes, Transparent Data Encryption is supported for SQL Managed Instance. For details, see Transparent Data Encryption for SQL Managed Instance.

Can I leverage the "bring your own key" model for TDE?

Yes, the Azure Key Vault BYOK scenario is available for Azure SQL Managed Instance. For details, see Transparent Data Encryption with customer-managed key.

Can I migrate an encrypted SQL Server database?

Yes, you can. To migrate an encrypted SQL Server database, you need to export your existing certificates and import them into the managed instance, then take a full database backup and restore it in the managed instance.

You can also use Azure Database Migration Service to migrate TDE-encrypted databases.

How can I configure TDE protector rotation for SQL Managed Instance?

You can rotate the TDE protector for a managed instance using Azure PowerShell. For instructions, see Transparent Data Encryption in SQL Managed Instance using your own key from Azure Key Vault.

Can I restore my encrypted database to SQL Managed Instance?

Yes, you don't need to decrypt your database to restore it to SQL Managed Instance. You do need to provide the certificate or key used as the encryption key protector on the source system to SQL Managed Instance so that it can read data from the encrypted backup file. There are two possible ways to do it:

  • Upload the certificate protector to SQL Managed Instance. This can be done using PowerShell only. The sample script describes the whole process.
  • Upload the asymmetric key protector to Azure Key Vault and point SQL Managed Instance to it. This approach resembles the bring-your-own-key (BYOK) TDE use case, which also uses the Key Vault integration to store the encryption key. If you don't want to use the key as an encryption key protector and just want to make it available for SQL Managed Instance to restore encrypted database(s), follow the instructions for setting up BYOK TDE and don't check the checkbox Make the selected key the default TDE protector.

Once you make the encryption protector available to SQL Managed Instance, you can proceed with the standard database restore procedure.
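Before either of those two upload paths can be followed, you need to know which protector the backup actually depends on. As an added example (not from the page or from Microsoft), the following T-SQL is run on the source SQL Server, not on the managed instance: it lists which certificate protects each encrypted database's DEK, and exports that certificate with its private key so it can then be uploaded with PowerShell as the answer above describes. The certificate name, file paths and password are placeholders.

```sql
-- Added example, not from the page. Run on the SOURCE SQL Server.
USE master;
GO

-- 1. Which certificate (or asymmetric key) protects which database's DEK?
--    encryptor_type = 'CERTIFICATE' means the certificate-upload path applies;
--    'ASYMMETRIC KEY' means the Key Vault path described in the second bullet.
SELECT d.name              AS [database],
       dek.encryptor_type,
       c.name              AS certificate_name,
       c.thumbprint,
       dek.encryption_state -- 3 = fully encrypted
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.databases AS d ON d.database_id = dek.database_id
LEFT JOIN sys.certificates AS c ON c.thumbprint = dek.encryptor_thumbprint
WHERE d.name <> 'tempdb';
GO

-- 2. Export the protecting certificate together with its private key.
--    Treat the two files and the password as key material: together they
--    decrypt every database this certificate protects. Move them over an
--    authenticated channel and delete the local copies once uploaded.
BACKUP CERTIFICATE [TDE_Cert_Placeholder]
TO FILE = 'C:\tde-export\TDE_Cert_Placeholder.cer'
WITH PRIVATE KEY (
    FILE = 'C:\tde-export\TDE_Cert_Placeholder.pvk',
    ENCRYPTION BY PASSWORD = 'PLACEHOLDER-strong-export-password'
);
GO
```

The thumbprint returned in step 1 is the value to compare against after the protector has been uploaded: the restore will fail with a "cannot find server certificate with thumbprint" error if the wrong certificate was exported, so matching thumbprints before starting saves a failed restore.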

Purchasing models and benefits

What purchasing models are available for SQL Managed Instance?

SQL Managed Instance offers the vCore-based purchasing model.

What cost benefits are available for SQL Managed Instance?

You can save costs with the Azure SQL benefits in the following ways:

  • Maximize existing investments in on-premises licenses and save up to 55 percent with Azure Hybrid Benefit.

Billing for Managed Instance and backup storage

What are the SQL Managed Instance pricing options?

To explore Managed Instance pricing options, see the Pricing page.

How much do automated backups cost?

You get an amount of free backup storage space equal to the reserved data storage space purchased, regardless of the backup retention period set. If your backup storage consumption is within the allocated free backup storage space, automated backups on managed instance have no additional cost and are therefore free of charge. For backup storage use above the free space, see the pricing page for details for your region.

How can I monitor the billing cost for my backup storage consumption?

You can monitor the cost for backup storage via the Azure portal. For instructions, see Monitor costs for automated backups.

Cost-saving use cases

Where can I find use cases and the resulting cost savings with SQL Managed Instance?

SQL Managed Instance case studies:

To get a better understanding of the benefits, costs, and risks associated with deploying Azure SQL Managed Instance, there's also a Forrester study: The Total Economic Impact of Azure SQL Database Managed Instance.

Password policy

What password policies are applied for SQL Managed Instance SQL logins?

The SQL Managed Instance password policy for SQL logins inherits the Azure platform policies that are applied to the VMs forming the virtual cluster holding the managed instance. At the moment, it is not possible to change any of these settings, as they are defined by Azure and inherited by the managed instance.

Important

The Azure platform can change policy requirements without notifying services that rely on those policies.

What are the current Azure platform policies?

Each login must set its password upon login and change its password after it reaches the maximum age.

Policy                                       Security setting
Maximum password age                         42 days
Minimum password age                         1 day
Minimum password length                      10 characters
Password must meet complexity requirements   Enabled

Is it possible to disable password complexity and expiration in SQL Managed Instance at the login level?

Yes, it is possible to control the CHECK_POLICY and CHECK_EXPIRATION settings at the login level. You can check the current settings by executing the following T-SQL command:

SELECT *
FROM sys.sql_logins

After that, you can modify the settings of a specified login by executing:

-- Turn expiration off first: CHECK_EXPIRATION cannot remain ON while CHECK_POLICY is OFF
ALTER LOGIN <login_name> WITH CHECK_EXPIRATION = OFF;
ALTER LOGIN <login_name> WITH CHECK_POLICY = OFF;

(replace <login_name> with the desired login name and adjust the policy and expiration values)
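The relevant columns of sys.sql_logins are is_policy_checked and is_expiration_checked, so a focused query is more useful than SELECT * when reviewing exemptions. As an added example (not from the page or from Microsoft), the following T-SQL reports which SQL logins currently bypass the platform policy, exempts one login in the order the option dependencies require, and shows how to put the checks back. app_reporting is a placeholder login name and the password is a placeholder value.

```sql
-- Added example, not from the page: review and change per-login policy checks.

-- 1. Report every SQL login that bypasses complexity or expiration checks.
--    Each row here is an exception to the 42-day / 10-character platform
--    policy described above and should have a documented reason.
SELECT name,
       is_policy_checked,      -- 0: complexity and lockout policy not enforced
       is_expiration_checked,  -- 0: maximum password age not enforced
       is_disabled,
       modify_date
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;

-- 2. Exempt a single login (placeholder name). CHECK_EXPIRATION can only be ON
--    while CHECK_POLICY is ON, so expiration is switched off first.
ALTER LOGIN [app_reporting] WITH CHECK_EXPIRATION = OFF;
ALTER LOGIN [app_reporting] WITH CHECK_POLICY = OFF;

-- 3. Re-enable later. Turning CHECK_POLICY back on does not re-validate the
--    password already stored, so set a new compliant password in the same
--    statement; both options are set together here because ON is the order
--    the dependency allows (policy with expiration).
ALTER LOGIN [app_reporting]
WITH PASSWORD = 'PLACEHOLDER-new-compliant-password',
     CHECK_POLICY = ON,
     CHECK_EXPIRATION = ON;
```

Running step 1 on a schedule (for example from the same job that feeds your alerting) turns the per-login exemptions into something auditable rather than a one-off change.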