Configure public endpoint in Azure SQL Managed Instance

APPLIES TO: Azure SQL Managed Instance

The public endpoint of a managed instance enables data access to the instance from outside its virtual network. You can reach the managed instance from multi-tenant Azure services such as Power BI and Azure App Service, or from an on-premises network. Because the public endpoint does not require a VPN, it can also help you avoid VPN throughput issues.

In this article, you'll learn how to:

  • Enable the public endpoint for your managed instance in the Azure portal
  • Enable the public endpoint for your managed instance using PowerShell
  • Configure the managed instance network security group to allow traffic to the managed instance public endpoint
  • Obtain the managed instance public endpoint connection string

Permissions

Due to the sensitivity of the data in a managed instance, enabling the managed instance public endpoint is a two-step process. This security measure adheres to separation of duties (SoD):

  • Enabling the public endpoint on a managed instance must be done by the managed instance admin. The managed instance admin is listed on the Overview page of your managed instance resource.
  • Allowing traffic using a network security group must be done by a network admin. For more information, see network security group permissions.

Enabling public endpoint for a managed instance in the Azure portal

  1. Launch the Azure portal at https://portal.azure.cn/.
  2. Open the resource group that contains the managed instance, and select the SQL managed instance on which you want to configure the public endpoint.
  3. Under the Security settings, select the Virtual network tab.
  4. On the Virtual network configuration page, select Enable and then the Save icon to update the configuration.


Enabling public endpoint for a managed instance using PowerShell

Enable public endpoint

Run the following PowerShell commands. Replace subscription-id with your subscription ID. Also replace rg-name with the resource group of your managed instance, and mi-name with the name of your managed instance.

Install-Module -Name Az

Import-Module Az.Accounts
Import-Module Az.Sql

# Sign in to the Azure China cloud
Connect-AzAccount -Environment AzureChinaCloud

# Use your subscription ID in place of subscription-id below
Select-AzSubscription -SubscriptionId "{subscription-id}"

# Replace rg-name with the resource group for your managed instance, and replace mi-name with the name of your managed instance
$mi = Get-AzSqlInstance -ResourceGroupName "{rg-name}" -Name "{mi-name}"

# Enable the public data endpoint (TDS on port 3342) and keep the updated instance object
$mi = $mi | Set-AzSqlInstance -PublicDataEndpointEnabled $true -Force

Disable public endpoint

To disable the public endpoint using PowerShell, run the following command (and remember to remove the NSG rule for inbound port 3342 if you have configured one):

# Set-AzSqlInstance needs the instance to update; pass it in from Get-AzSqlInstance
Get-AzSqlInstance -ResourceGroupName "{rg-name}" -Name "{mi-name}" | Set-AzSqlInstance -PublicDataEndpointEnabled $false -Force

Allow public endpoint traffic on the network security group

  1. If the configuration page of the managed instance is still open, navigate to the Overview tab. Otherwise, go back to your SQL managed instance resource. Select the Virtual network/subnet link, which takes you to the Virtual network configuration page.


  2. Select the Subnets tab in the left configuration pane of your virtual network, and make a note of the SECURITY GROUP of the managed instance subnet.


  3. Go back to the resource group that contains your managed instance. You should see the network security group whose name you noted above. Select the name to open the network security group configuration page.

  4. Select the Inbound security rules tab, and add a rule that has a higher priority (a lower priority number) than the deny_all_inbound rule, with the following settings:

    Setting                  Suggested value                 Description
    Source                   Any IP address or service tag
                               • For Azure services like Power BI, select the Azure Cloud service tag
                               • For your computer or Azure virtual machine, use the NAT IP address
    Source port ranges       *                               Leave this as * (any), because source ports are usually dynamically allocated and therefore unpredictable
    Destination              Any                             Leave the destination as Any to allow traffic into the managed instance subnet
    Destination port ranges  3342                            Scope the destination port to 3342, which is the managed instance public TDS endpoint
    Protocol                 TCP                             SQL Managed Instance uses the TCP protocol for TDS
    Action                   Allow                           Allow inbound traffic to the managed instance through the public endpoint
    Priority                 1300                            Make sure this rule has higher priority than the deny_all_inbound rule


    Note

    Port 3342 is used for public endpoint connections to the managed instance and cannot be changed at this time.
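The same inbound rule created with Az.Network instead of the portal, as an added example that is not part of the original article. It assumes the placeholders {rg-name} and {nsg-name}, a constructed sample NAT IP as the source, and that the existing deny rule is named deny_all_inbound as in the table above.

```powershell
# Added example (not from the original article): create the inbound NSG rule from the table
# above with Az.Network, after checking that its priority number is lower (= evaluated earlier)
# than deny_all_inbound. {rg-name} and {nsg-name} are placeholders; the source prefix is a
# constructed sample NAT IP. Use the "AzureCloud" service tag instead for Azure services such as Power BI.
Import-Module Az.Network

$rgName       = "{rg-name}"
$nsgName      = "{nsg-name}"       # the SECURITY GROUP noted on the managed instance subnet
$sourcePrefix = "203.0.113.10/32"  # constructed sample NAT IP; keep the source as narrow as you can
$rulePriority = 1300

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName

# NSG rules are evaluated from the lowest priority number upwards, so a number greater than or
# equal to deny_all_inbound's would leave the new rule unreachable.
$denyAll = $nsg.SecurityRules | Where-Object { $_.Name -eq "deny_all_inbound" }
if ($denyAll -and $rulePriority -ge $denyAll.Priority) {
    throw "Priority $rulePriority is not ahead of deny_all_inbound (priority $($denyAll.Priority))"
}

$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name "public_endpoint_inbound" `
    -Description "Allow TDS to the managed instance public endpoint" `
    -Direction Inbound `
    -Access Allow `
    -Protocol Tcp `
    -SourceAddressPrefix $sourcePrefix `
    -SourcePortRange "*" `
    -DestinationAddressPrefix "*" `
    -DestinationPortRange 3342 `
    -Priority $rulePriority

# Persist the change to Azure
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Read the group back and show the rules that open port 3342, so the result can be reviewed
(Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName).SecurityRules |
    Where-Object { $_.DestinationPortRange -contains "3342" } |
    Select-Object Name, Priority, SourceAddressPrefix, Access

# When the public endpoint is disabled again, close the port by removing this rule:
# Remove-AzNetworkSecurityRuleConfig -Name "public_endpoint_inbound" -NetworkSecurityGroup $nsg | Set-AzNetworkSecurityGroup
```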

Obtaining the managed instance public endpoint connection string

  1. Navigate to the configuration page of the managed instance on which the public endpoint has been enabled. Select the Connection strings tab under the Settings configuration.

  2. Note that the public endpoint host name has the format <mi_name>.public.<dns_zone>.database.chinacloudapi.cn and that the port used for the connection is 3342.

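A test connection over the public endpoint built from the host name format and port above, as an added example that is not part of the original article. It assumes the placeholders {mi-name} and {dns-zone}, a SQL login supplied at the prompt, and the System.Data.SqlClient provider that ships with Windows PowerShell.

```powershell
# Added example (not from the original article): open a test connection to the public endpoint
# using the documented host name format and port 3342, then confirm on the server side that the
# session is encrypted. {mi-name} and {dns-zone} are placeholders; the login is prompted for.
$miName  = "{mi-name}"
$dnsZone = "{dns-zone}"
$server  = "$miName.public.$dnsZone.database.chinacloudapi.cn,3342"   # host,port as shown in step 2
$cred    = Get-Credential -Message "SQL login for the managed instance"

$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder["Data Source"]            = $server
$builder["Initial Catalog"]        = "master"
$builder["User ID"]                = $cred.UserName
$builder["Password"]               = $cred.GetNetworkCredential().Password
$builder["Encrypt"]                = $true    # the public endpoint is reachable from outside the VNet, so require TLS
$builder["TrustServerCertificate"] = $false   # validate the server certificate instead of trusting it blindly
$builder["Connect Timeout"]        = 30

$conn = New-Object System.Data.SqlClient.SqlConnection $builder.ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # encrypt_option in sys.dm_exec_connections reports whether this session's traffic is encrypted
    $cmd.CommandText = "SELECT @@SERVERNAME AS ServerName, encrypt_option AS EncryptOption " +
                       "FROM sys.dm_exec_connections WHERE session_id = @@SPID"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        "Connected to {0} via {1}; encrypted: {2}" -f $reader["ServerName"], $server, $reader["EncryptOption"]
    }
    $reader.Close()
}
finally {
    $conn.Dispose()
}
```

If the connection times out, check the NSG rule for port 3342 and the source address it allows before changing anything on the instance.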

Next steps

Learn about using Azure SQL Managed Instance securely with public endpoint.