Use Server Trust Groups to set up and manage trust between SQL Managed Instances

Applies to: Azure SQL Managed Instance

Server Trust Group is a concept used for managing trust between Azure SQL Managed Instances. Creating a group establishes certificate-based trust between its members, and that trust can then be used for different cross-instance scenarios. Removing servers from the group, or deleting the group, removes the trust between the servers. To create or delete a Server Trust Group, the user needs write permission on the Managed Instance. A Server Trust Group is an Azure Resource Manager object, labeled SQL trust group in the Azure portal.

Note

Server Trust Group was introduced with the public preview of distributed transactions between Azure SQL Managed Instances and currently has some limitations, which are described later in this article.

Server Trust Group setup

The following section describes how to set up a Server Trust Group.

  1. Go to the Azure portal.

  2. Navigate to the Azure SQL Managed Instance that you plan to add to a new Server Trust Group.

  3. Under Security settings, select the SQL trust groups tab.

    Screenshot: SQL trust groups tab

  4. On the Server Trust Group configuration page, select the New Group icon.

    Screenshot: New Group

  5. On the SQL trust group create blade, set the Group name. It must be unique across all regions where the group members reside. Trust scope defines the type of cross-instance scenario that the Server Trust Group enables. In preview the only applicable trust scope is Distributed transactions, so it is preselected and cannot be changed. All Group members must belong to the same subscription but can be in different resource groups. Select the Resource group and SQL Server / instance to choose the Azure SQL Managed Instance that will be a member of the group.

    Screenshot: Server Trust Group create blade

  6. After all required fields are populated, click Save.
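Once the group is saved, a practitioner will want to confirm that the trust is actually in place. The following T-SQL is an added example, not part of the original article, that does so by running a distributed transaction spanning both group members from the first instance. It assumes that a linked server named MI2 pointing at the second group member already exists on the first instance, that both instances have a database OrdersDb with a table dbo.OrderLog, and that the connectivity requirements listed under Limitations are satisfied; all of those names are assumptions chosen for illustration.

```sql
-- Added example (not from the original article). Run on the first group member.
-- Assumptions: a linked server [MI2] pointing at the second group member already
-- exists on this instance; both instances have a database OrdersDb with a table
-- dbo.OrderLog(Id INT IDENTITY, Note NVARCHAR(200), LoggedAt DATETIME2); and the
-- two instances can reach each other over private endpoints (VNet or VNet peering).
USE OrdersDb;
GO

-- Required for data modification against a linked server inside a transaction:
-- any error aborts and rolls back the entire distributed transaction.
SET XACT_ABORT ON;
GO

BEGIN DISTRIBUTED TRANSACTION;

    -- Local branch of the transaction on this instance
    INSERT INTO dbo.OrderLog (Note, LoggedAt)
    VALUES (N'trust-group check: local write', SYSUTCDATETIME());

    -- Remote branch on the other group member, reached through the linked server
    INSERT INTO [MI2].[OrdersDb].[dbo].[OrderLog] (Note, LoggedAt)
    VALUES (N'trust-group check: remote write', SYSUTCDATETIME());

COMMIT TRANSACTION;
GO

-- With the trust in place both counts are 1. Without it the distributed
-- transaction fails and is rolled back, so neither row is written.
SELECT COUNT(*) AS LocalRows
FROM dbo.OrderLog
WHERE Note LIKE N'trust-group check:%';

SELECT COUNT(*) AS RemoteRows
FROM [MI2].[OrdersDb].[dbo].[OrderLog]
WHERE Note LIKE N'trust-group check:%';
GO
```

The same script is also a useful check after you delete the group: as the note under maintenance and deletion explains, the trust may linger until a failover, so rerun the transaction after deletion (and after the failover, if needed) and confirm that it now fails and rolls back before relying on the trust being gone.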

Server Trust Group maintenance and deletion

A Server Trust Group cannot be edited. To remove a Managed Instance from a group, delete the group and create a new one.

The following section describes the Server Trust Group deletion process.

  1. Go to the Azure portal.
  2. Navigate to a Managed Instance that belongs to the trust group.
  3. Under Security settings, select the SQL trust groups tab.
  4. Select the trust group you want to delete.

    Screenshot: select the Server Trust Group

  5. Click Delete Group.

    Screenshot: delete the Server Trust Group

  6. Type in the Server Trust Group name to confirm the deletion and click Delete.

    Screenshot: confirm Server Trust Group deletion

Note

Deleting the Server Trust Group might not immediately remove the trust between the two Managed Instances. Trust removal can be enforced by invoking a failover of the Managed Instances. Check the Known issues for the latest updates on this.

Limitations

During public preview, the following limitations apply to Server Trust Groups.

  • The name of the Server Trust Group must be unique across all regions where its members are.
  • A group can contain only Azure SQL Managed Instances, and they must be under the same Azure subscription.
  • In preview, a group can have exactly two Managed Instances. To execute distributed transactions across more than two Managed Instances, you need to create a Server Trust Group for each pair of Managed Instances.
  • Distributed transactions are the only applicable scope for Server Trust Groups.
  • Server Trust Groups can only be managed from the Azure portal. PowerShell and CLI support will come later.
  • A Server Trust Group cannot be edited in the Azure portal. It can only be created or dropped.
  • Additional limitations of distributed transactions may apply to your scenario. The most notable one is that there must be connectivity between the Managed Instances over private endpoints, via VNet or VNet peering. Make sure you are aware of the current distributed transaction limitations for Managed Instance.

Next steps