Use Azure SQL Managed Instance securely with public endpoints

APPLIES TO: Azure SQL Managed Instance

Azure SQL Managed Instance can provide user connectivity over a public endpoint. This article explains how to make that configuration more secure.

Scenarios

Azure SQL Managed Instance provides a private endpoint for connectivity from inside its virtual network. This is the default, and it gives the strongest isolation. There are, however, scenarios in which you need to offer a public endpoint connection:

  • The managed instance must integrate with multi-tenant-only platform-as-a-service (PaaS) offerings.
  • You need higher data-exchange throughput than a VPN can provide.
  • Company policy prohibits PaaS inside the corporate network.

Deploy a managed instance for public endpoint access

Although not mandatory, the common deployment model for a managed instance with public endpoint access is to create the instance in a dedicated, isolated virtual network. In this configuration the virtual network serves only to isolate the virtual cluster, so it does not matter whether the managed instance's IP address space overlaps the corporate network's address space.

Secure data in motion

SQL Managed Instance data traffic is always encrypted when the client driver supports encryption; make sure the client also validates the server certificate rather than trusting whatever certificate is presented, otherwise the encrypted session can still be intercepted. Data sent between the managed instance and other Azure virtual machines or Azure services never leaves Azure's backbone. If there is a connection between the managed instance and an on-premises network, we recommend Azure ExpressRoute, which keeps that data off the public internet. For managed instance private connectivity, only private peering can be used.
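The client side of "data in motion" is decided by the connection string. The following added example (it is not from the article or from any Microsoft driver) lints a SQL Server connection string aimed at a managed instance public endpoint: it checks that the `.public.` hostname uses port 3342, that `Encrypt` is requested, and that `TrustServerCertificate` is not enabled. It assumes the ODBC / SqlClient keyword style, and the hostname and database name in the sample strings are constructed placeholders.

```python
# Added example (not from the article or any Microsoft driver): lint a SQL Server
# connection string aimed at a managed instance public endpoint. Assumes the
# ODBC / SqlClient keyword style (Server=..., Encrypt=..., TrustServerCertificate=...).
MI_PUBLIC_PORT = 3342
_ENCRYPTING = {"yes", "true", "1", "mandatory", "strict"}  # Encrypt values that demand TLS
_TRUTHY = {"yes", "true", "1"}


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    props = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            props[key.strip().lower()] = value.strip()
    return props


def server_and_port(props):
    """Return (host, port) from Server= / Data Source=, e.g. 'tcp:host,3342'."""
    raw = props.get("server") or props.get("data source") or props.get("address") or ""
    if raw.lower().startswith("tcp:"):
        raw = raw.split(":", 1)[1]
    host, _, port = raw.partition(",")
    return host.strip().lower(), (int(port) if port.strip().isdigit() else None)


def lint_public_endpoint_connection(conn):
    """Return a list of findings; an empty list means the string is acceptable."""
    props = parse_connection_string(conn)
    findings = []
    host, port = server_and_port(props)
    # Public endpoint hostnames carry the '.public.' label and listen on 3342.
    if ".public." in host and port != MI_PUBLIC_PORT:
        findings.append(f"public endpoint host {host} should use port {MI_PUBLIC_PORT}, got {port}")
    # The instance forces encryption, but the client should demand it too so a
    # downgrade or a misdirected connection cannot silently fall back to cleartext.
    if props.get("encrypt", "").lower() not in _ENCRYPTING:
        findings.append("Encrypt is missing or disabled: the client does not demand TLS")
    # TrustServerCertificate=yes accepts any certificate, which defeats the point of TLS.
    if props.get("trustservercertificate", "no").lower() in _TRUTHY:
        findings.append("TrustServerCertificate is enabled: any certificate is accepted, "
                        "so the TLS session can be intercepted")
    return findings


# Constructed sample strings; hostname and database are placeholders, not real resources.
WEAK = ("Server=tcp:contoso-mi.public.abc123.database.windows.net,3342;Database=sales;"
        "Encrypt=no;TrustServerCertificate=yes;Authentication=ActiveDirectoryInteractive")
HARDENED = ("Server=tcp:contoso-mi.public.abc123.database.windows.net,3342;Database=sales;"
            "Encrypt=yes;TrustServerCertificate=no;Authentication=ActiveDirectoryInteractive")

if __name__ == "__main__":
    for label, conn in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_public_endpoint_connection(conn) or "OK")
```

Run it against the connection strings your applications actually ship (configuration files, Key Vault secrets, pipeline variables); the two settings that matter are `Encrypt` and `TrustServerCertificate`, and the port check catches strings that were copied from a private-endpoint (1433) configuration.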

Lock down inbound and outbound connectivity

The following diagram shows the recommended security configuration:

Diagram: security configuration for locking down inbound and outbound connectivity

A managed instance has a dedicated public endpoint address. In the client-side outbound firewall and in the network security group rules, allow outbound connections only to this public endpoint IP address.

To ensure that traffic to the managed instance comes from trusted sources, connect from sources with well-known IP addresses. Use a network security group to limit access to the managed instance public endpoint on port 3342 to those addresses.

When clients initiate connections from an on-premises network, make sure the originating address is translated to a well-known set of IP addresses. If that is not possible (a mobile workforce is the typical case), use point-to-site VPN connections and the private endpoint instead.

If connections originate in Azure, we recommend that the traffic come from a well-known, assigned virtual IP address (for example, that of a virtual machine). To make managing virtual IP (VIP) addresses easier, you can use public IP address prefixes.
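Network security group rules are evaluated in ascending priority order and the first match wins, so a single broad Allow with a low priority number quietly defeats a well-intended Deny behind it. The following added example (it is not from the article, nor the Azure SDK or CLI) models that evaluation for inbound traffic to the public endpoint on port 3342 and lints the Allow rules against a trusted-source list. Rule semantics are simplified to the fields shown, only the `DenyAllInBound` default rule is modelled, the `Internet` service tag is approximated as "anything outside RFC 1918 space", and the sample rule sets and the 203.0.113.0/24 corporate egress range are constructed for the example.

```python
# Added example (not from the article, the Azure SDK or the CLI): evaluate a set of
# Azure-style network security group rules for inbound traffic to the managed
# instance public endpoint, and lint the Allow rules against a trusted-source list.
# Simplifications: only the DenyAllInBound default rule is modelled (the real NSG also
# has AllowVnetInBound and AllowAzureLoadBalancerInBound defaults), and the "Internet"
# service tag is approximated as "any address outside RFC 1918 space".
import ipaddress
from dataclasses import dataclass

MI_PUBLIC_PORT = 3342
_RFC1918 = tuple(ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int           # custom rules use 100-4096; the lowest number is evaluated first
    access: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp" or "*"
    source_prefixes: tuple  # CIDR strings, "*" or the "Internet" tag
    dest_ports: tuple       # "3342", "3000-4000" or "*"


# Azure appends this default rule to every NSG; any custom rule outranks it.
DENY_ALL_INBOUND = NsgRule("DenyAllInBound", 65500, "Deny", "*", ("*",), ("*",))


def _port_matches(port, ranges):
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_matches(source_ip, prefixes):
    addr = ipaddress.ip_address(source_ip)
    for p in prefixes:
        if p == "*":
            return True
        if p == "Internet":
            if not any(addr in net for net in _RFC1918):
                return True
        elif addr in ipaddress.ip_network(p, strict=False):
            return True
    return False


def evaluate_inbound(rules, source_ip, dest_port=MI_PUBLIC_PORT, protocol="Tcp"):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for rule in sorted((*rules, DENY_ALL_INBOUND), key=lambda r: r.priority):
        if (rule.protocol in ("*", protocol)
                and _port_matches(dest_port, rule.dest_ports)
                and _source_matches(source_ip, rule.source_prefixes)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def find_overbroad_allows(rules, trusted_prefixes, dest_port=MI_PUBLIC_PORT):
    """List (rule_name, prefix) pairs that admit dest_port from any source not fully
    contained in trusted_prefixes, regardless of the rule's priority."""
    trusted = [ipaddress.ip_network(t) for t in trusted_prefixes]
    findings = []
    for rule in rules:
        if rule.access != "Allow" or rule.protocol not in ("*", "Tcp"):
            continue
        if not _port_matches(dest_port, rule.dest_ports):
            continue
        for p in rule.source_prefixes:
            if p in ("*", "Internet"):
                findings.append((rule.name, p))
            elif not any(ipaddress.ip_network(p, strict=False).subnet_of(t) for t in trusted):
                findings.append((rule.name, p))
    return findings


# Constructed sample NSGs; 203.0.113.0/24 stands in for the corporate egress range.
CORP_EGRESS = ("203.0.113.0/24",)
RECOMMENDED = (
    NsgRule("allow_corp_to_mi_public", 100, "Allow", "Tcp", CORP_EGRESS, ("3342",)),
    NsgRule("deny_internet_to_mi_public", 200, "Deny", "Tcp", ("Internet",), ("3342",)),
)
# Same intent, wrong ordering: the Internet-wide Allow at priority 100 wins every time.
OVERBROAD = (
    NsgRule("allow_any_to_mi_public", 100, "Allow", "Tcp", ("Internet",), ("3342",)),
    NsgRule("allow_corp_to_mi_public", 110, "Allow", "Tcp", CORP_EGRESS, ("3342",)),
)

if __name__ == "__main__":
    for label, nsg in (("recommended", RECOMMENDED), ("overbroad", OVERBROAD)):
        print(label, evaluate_inbound(nsg, "198.51.100.5"), find_overbroad_allows(nsg, CORP_EGRESS))
```

The checker is useful as a review step before applying rules with `az network nsg rule create` (the real command takes `--priority`, `--direction Inbound`, `--access`, `--protocol Tcp`, `--destination-port-ranges 3342` and `--source-address-prefixes`); feed it the exported rules of the subnet's NSG and the list of egress addresses you consider trusted, and treat any finding on port 3342 as a gap in the lockdown.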

Next steps