Windows N-tier application on Azure Stack Hub with SQL Server

This reference architecture shows how to deploy virtual machines (VMs) and a virtual network configured for an N-tier application, using SQL Server on Windows for the data tier.

Architecture

The architecture has the following components.

General

  • Resource group. Resource groups are used to group Azure resources so they can be managed by lifetime, owner, or other criteria.

  • Availability set. An availability set is a datacenter configuration that provides VM redundancy and availability. This configuration within an Azure Stack Hub stamp ensures that during either a planned or an unplanned maintenance event, at least one virtual machine is available. VMs are placed in an availability set that spreads them across multiple fault domains (Azure Stack Hub hosts).

Networking and load balancing

  • Virtual network and subnets. Every Azure VM is deployed into a virtual network that can be segmented into subnets. Create a separate subnet for each tier.

  • Layer 7 load balancer. Application Gateway is not yet available on Azure Stack Hub, but there are alternatives in the Azure Stack Hub Marketplace, such as A10 vThunder ADC.

  • Load balancers. Use Azure Load Balancer to distribute network traffic from the web tier to the business tier, and from the business tier to SQL Server.

  • Network security groups (NSGs). Use NSGs to restrict network traffic within the virtual network. For example, in the three-tier architecture shown here, the database tier does not accept traffic from the web front end, only from the business tier and the management subnet.

  • DNS. Azure Stack Hub does not provide its own DNS hosting service, so use the DNS server in your AD DS.

Virtual machines

  • SQL Server Always On Availability Group. Provides high availability at the data tier by enabling replication and failover. It uses Windows Server Failover Cluster (WSFC) technology for failover.

  • Active Directory Domain Services (AD DS) servers. The computer objects for the failover cluster and its associated clustered roles are created in Active Directory Domain Services (AD DS). Setting up AD DS servers on VMs in the same virtual network is the preferred way to join the other VMs to AD DS. You can also join the VMs to an existing enterprise AD DS by connecting the virtual network to the enterprise network over a VPN connection. With both approaches, you need to change the virtual network DNS to your AD DS DNS server (in the virtual network or in the existing enterprise network) so that the AD DS domain FQDN resolves.

  • Cloud Witness. A failover cluster requires more than half of its nodes to be running, which is known as having quorum. If the cluster has just two nodes, a network partition could cause each node to think it is the master node. In that case, you need a witness to break ties and establish quorum. A witness is a resource, such as a shared disk, that can act as a tie breaker to establish quorum. Cloud Witness is a type of witness that uses Azure Blob Storage. To learn more about the concept of quorum, see Understanding cluster and pool quorum. For more information about Cloud Witness, see Deploy a Cloud Witness for a Failover Cluster. In Azure Stack Hub, the Cloud Witness endpoint is different from Azure.

It may look like:

  • For Azure:
    https://mywitness.blob.core.chinacloudapi.cn/

  • For Azure Stack Hub:
    https://mywitness.blob.<region>.<FQDN>
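The following is an added example, not part of the original article, showing how the Azure Stack Hub endpoint difference surfaces when the cluster's quorum is configured. It is run on one of the WSFC nodes with the FailoverClusters module; the storage account name `mywitness` and the `blob.<region>.<FQDN>` host are placeholders for the values of your stamp.

```powershell
# Added example (not from the original article): point the WSFC that hosts the Always On
# availability group at a Cloud Witness in an Azure Stack Hub storage account.
# Placeholders: 'mywitness' (storage account name) and 'blob.<region>.<FQDN>' (your stamp's blob host).
$witnessAccount = 'mywitness'
$witnessKey     = Read-Host -Prompt 'Storage account key' -AsSecureString
$blobEndpoint   = 'blob.<region>.<FQDN>'   # Azure Stack Hub blob host; the default endpoint would target public Azure

# Set-ClusterQuorum takes the key as a plain string, so convert it only at the point of use.
$plainKey = [System.Net.NetworkCredential]::new('', $witnessKey).Password

# -Endpoint overrides the default blob endpoint so the witness is created on the Azure Stack Hub stamp.
Set-ClusterQuorum -CloudWitness -AccountName $witnessAccount -AccountKey $plainKey -Endpoint $blobEndpoint

# Verify: the quorum configuration should list the Cloud Witness and the witness resource should be Online.
Get-ClusterQuorum
Get-ClusterResource -Name 'Cloud Witness' | Select-Object Name, State
```

If the witness resource stays Offline, check that the SQL VMs can reach the stamp's blob endpoint over HTTPS (port 443) through the database subnet NSG; the witness only needs outbound access to that endpoint, not to the public Azure blob service.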

  • Jumpbox. Also called a bastion host. A secure VM on the network that administrators use to connect to the other VMs. The jumpbox has an NSG that allows remote traffic only from public IP addresses on a safe list. The NSG should permit remote desktop (RDP) traffic.

Recommendations

Your requirements might differ from the architecture described here. Use these recommendations as a starting point.

Virtual machines

For recommendations on configuring the VMs, see Run a Windows VM on Azure Stack Hub.

Virtual network

When you create the virtual network, determine how many IP addresses your resources in each subnet require. Specify a subnet mask and a network address range large enough for the required IP addresses, using CIDR notation. Use an address space that falls within the standard private IP address blocks, which are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

Choose an address range that does not overlap with your on-premises network, in case you need to set up a gateway between the virtual network and your on-premises network later. Once you create the virtual network, you can't change the address range.

Design subnets with functionality and security requirements in mind. All VMs within the same tier or role should go into the same subnet, which can be a security boundary. For more information about designing virtual networks and subnets, see Plan and design Azure Virtual Networks.
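As an added example (not code from the original article), the virtual network below carves one subnet per tier out of a /16 and points the network's DNS at the AD DS server, as the AD DS and DNS components above require. The resource group, region name, subnet ranges, and the DNS server address 10.0.4.4 are assumptions; replace them with your own plan.

```powershell
# Added example (not from the original article): one subnet per tier inside a private address block,
# with the virtual network DNS set to the AD DS DNS server so the domain FQDN and the AG listener resolve.
# Assumed values: resource group, region ('local' is the ASDK default), ranges, and the AD DS server IP.
$rg       = 'ntier-rg'
$location = 'local'
$adDsDns  = '10.0.4.4'   # static private IP planned for the AD DS / DNS VM in the 'adds' subnet (assumed)

# A /24 per tier; the /16 leaves room for more subnets. The range must not overlap the on-premises
# network if a gateway is added later (assumed on-premises space here: 172.16.0.0/12, so 10.0.0.0/16 is safe).
$subnets = @(
    New-AzVirtualNetworkSubnetConfig -Name 'web'        -AddressPrefix '10.0.1.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'business'   -AddressPrefix '10.0.2.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'database'   -AddressPrefix '10.0.3.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'adds'       -AddressPrefix '10.0.4.0/24'
    New-AzVirtualNetworkSubnetConfig -Name 'management' -AddressPrefix '10.0.5.0/24'   # jumpbox lives here
)

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# -DnsServer replaces the platform resolver with the AD DS DNS server for every VM in the network.
$vnet = New-AzVirtualNetwork -Name 'ntier-vnet' -ResourceGroupName $rg -Location $location `
            -AddressPrefix '10.0.0.0/16' -Subnet $subnets -DnsServer $adDsDns

# Review the layout; each tier is now its own security boundary for NSG rules.
$vnet.Subnets | Select-Object Name, AddressPrefix
```

Because the address range cannot be changed after creation, size the /16 (or whatever block you choose) for the largest scale-set count you expect, not for the initial deployment.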

Load balancers

Don't expose the VMs directly to the Internet, but instead give each VM a private IP address. Clients connect using the public IP address associated with the Layer 7 load balancer.

Define load balancer rules to direct network traffic to the VMs. For example, to enable HTTP traffic, map port 80 from the front-end configuration to port 80 on the back-end address pool. When a client sends an HTTP request to port 80, the load balancer selects a back-end IP address by using a hashing algorithm that includes the source IP address. Client requests are distributed across all the VMs in the back-end address pool.

Network security groups

Use NSG rules to restrict traffic between tiers. In the three-tier architecture shown above, the web tier does not communicate directly with the database tier. To enforce this rule, the database tier should block incoming traffic from the web tier subnet.

  1. Deny all inbound traffic from the virtual network. (Use the VIRTUAL_NETWORK tag in the rule.)

  2. Allow inbound traffic from the business tier subnet.

  3. Allow inbound traffic from the database tier subnet itself. This rule allows communication between the database VMs, which is needed for database replication and failover.

  4. Allow RDP traffic (port 3389) from the jumpbox subnet. This rule lets administrators connect to the database tier from the jumpbox.

Create rules 2 – 4 with a higher priority than the first rule, so they override it.

SQL Server Always On Availability Groups

We recommend Always On Availability Groups for SQL Server high availability. Prior to Windows Server 2016, Always On Availability Groups require a domain controller, and all nodes in the availability group must be in the same AD domain.

For VM-level high availability, all SQL VMs should be in an availability set.

Other tiers connect to the database through an availability group listener. The listener enables a SQL client to connect without knowing the name of the physical instance of SQL Server. VMs that access the database must be joined to the domain. The client (in this case, another tier) uses DNS to resolve the listener's virtual network name into IP addresses.

Configure the SQL Server Always On Availability Group as follows:

  1. Create a Windows Server Failover Clustering (WSFC) cluster, a SQL Server Always On Availability Group, and a primary replica. For more information, see Getting Started with Always On Availability Groups.

  2. Create an internal load balancer with a static private IP address.

  3. Create an availability group listener, and map the listener's DNS name to the IP address of the internal load balancer.

  4. Create a load balancer rule for the SQL Server listening port (TCP port 1433 by default). The load balancer rule must enable floating IP, also called Direct Server Return. This causes the VM to reply directly to the client, which enables a direct connection to the primary replica.

Note

When floating IP is enabled, the front-end port number must be the same as the back-end port number in the load balancer rule.
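Steps 2 to 4 above, including the floating IP constraint in the note, as an added example that is not the article's own code. It assumes the resource group `ntier-rg`, virtual network `ntier-vnet`, subnet `database`, listener IP 10.0.3.100, probe port 59999, and a cluster IP resource named `ag-listener_10.0.3.100` on cluster network `Cluster Network 1`; the probe port and resource name must match what the cluster actually uses.

```powershell
# Added example (not from the original article): internal load balancer fronting the AG listener.
# Assumed names: 'ntier-rg', 'ntier-vnet', subnet 'database', listener IP 10.0.3.100, probe port 59999,
# cluster IP resource 'ag-listener_10.0.3.100', cluster network 'Cluster Network 1'.
$rg         = 'ntier-rg'
$location   = 'local'
$listenerIp = '10.0.3.100'   # static private IP used by both the ILB front end and the listener's cluster IP resource
$probePort  = 59999          # an unused port that only the current primary answers on

$vnet   = Get-AzVirtualNetwork -Name 'ntier-vnet' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'database' -VirtualNetwork $vnet

# Step 2: internal load balancer with a static private IP in the database subnet.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name 'ag-listener-fe' -PrivateIpAddress $listenerIp -SubnetId $subnet.Id
$pool     = New-AzLoadBalancerBackendAddressPoolConfig -Name 'sql-pool'

# Health probe: the cluster binds the probe port on whichever node owns the listener IP, so the
# load balancer only sends traffic to the primary replica and follows a failover automatically.
$probe = New-AzLoadBalancerProbeConfig -Name 'ag-probe' -Protocol Tcp -Port $probePort -IntervalInSeconds 5 -ProbeCount 2

# Step 4: rule for TCP 1433 with floating IP (Direct Server Return). With floating IP the
# front-end and back-end ports must be identical, hence 1433 on both sides.
$rule = New-AzLoadBalancerRuleConfig -Name 'sql-1433' -FrontendIpConfiguration $frontend `
            -BackendAddressPool $pool -Probe $probe -Protocol Tcp -FrontendPort 1433 -BackendPort 1433 `
            -EnableFloatingIP -IdleTimeoutInMinutes 4

New-AzLoadBalancer -ResourceGroupName $rg -Name 'ag-ilb' -Location $location `
    -FrontendIpConfiguration $frontend -BackendAddressPool $pool -Probe $probe -LoadBalancingRule $rule | Out-Null

# Step 3 (cluster side, run on a WSFC node with the FailoverClusters module): make the listener's IP
# resource use the ILB address and answer the probe. Find the resource name with Get-ClusterResource.
Get-ClusterResource -Name 'ag-listener_10.0.3.100' |
    Set-ClusterParameter -Multiple @{
        Address     = $listenerIp
        ProbePort   = $probePort
        SubnetMask  = '255.255.255.255'
        Network     = 'Cluster Network 1'
        EnableDhcp  = 0
    }
```

The SQL VM network interfaces still have to be added to the `sql-pool` back-end pool, and the database subnet NSG must allow the probe port from the load balancer (the `AzureLoadBalancer` service tag) or the probe never succeeds and every connection through the listener fails, even though the availability group itself is healthy.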

When a SQL client tries to connect, the load balancer routes the connection request to the primary replica. If there is a failover to another replica, the load balancer automatically routes new requests to the new primary replica. For more information, see Configure an ILB listener for SQL Server Always On Availability Groups.

During a failover, existing client connections are closed. After the failover completes, new connections are routed to the new primary replica.

If your application makes more reads than writes, you can offload some of the read-only queries to a secondary replica. See Using a Listener to Connect to a Read-Only Secondary Replica (Read-Only Routing).

Test your deployment by forcing a manual failover of the availability group.
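A failover test that checks the whole path (DNS, load balancer, listener) rather than just the availability group, added here as an example that is not part of the original article. It assumes the listener name `ag-listener`, availability group `AppAg`, a synchronous secondary instance `SQL2`, and that the SqlServer module (for `Invoke-Sqlcmd` and `Switch-SqlAvailabilityGroup`) is installed on the jumpbox.

```powershell
# Added example (not from the original article): confirm that clients reach the primary through the
# listener, perform a planned manual failover, and confirm the listener now reaches the new primary.
# Assumed names: listener 'ag-listener', availability group 'AppAg', secondary instance 'SQL2'.
$listener  = 'ag-listener'
$agName    = 'AppAg'
$secondary = 'SQL2'

function Get-AgPrimaryViaListener {
    # The listener name must resolve to the ILB private IP through the AD DS DNS server.
    $null = Resolve-DnsName -Name $listener -Type A -ErrorAction Stop

    # TCP 1433 must be reachable: this fails if the ILB rule, the health probe or the database NSG is wrong.
    $tcp = Test-NetConnection -ComputerName $listener -Port 1433 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) { throw "Port 1433 on $listener is not reachable" }

    # Whichever replica answers is the current primary.
    (Invoke-Sqlcmd -ServerInstance $listener -Database 'master' `
        -Query 'SELECT @@SERVERNAME AS ServerName').ServerName
}

$before = Get-AgPrimaryViaListener
Write-Host "Primary before failover: $before"

# Planned failover from the synchronous secondary: no data loss. Reserve -AllowDataLoss -Force for a
# real disaster where the primary is gone, never for a routine test.
Switch-SqlAvailabilityGroup -Path "SQLSERVER:\Sql\$secondary\DEFAULT\AvailabilityGroups\$agName"

# Existing connections were dropped; give the probe a couple of intervals to notice the new owner.
Start-Sleep -Seconds 15

$after = Get-AgPrimaryViaListener
Write-Host "Primary after failover:  $after"
if ($after -eq $before) { throw 'Failover did not move the primary replica behind the listener' }
```

Run the test from the business tier or the jumpbox, not from a SQL node, so that it exercises the same DNS server, NSG rules, and load balancer rule the application uses; a test run locally on a cluster node can pass while the listener is unreachable from everywhere else.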

For SQL performance optimization, you can also refer to the article SQL Server best practices to optimize performance in Azure Stack Hub.

Jumpbox

Don't allow RDP access from the public Internet to the VMs that run the application workload. Instead, all RDP access to these VMs should go through the jumpbox. An administrator logs into the jumpbox, and then logs into the other VM from the jumpbox. The jumpbox allows RDP traffic from the Internet, but only from known, safe IP addresses.

The jumpbox has minimal performance requirements, so select a small VM size. Create a public IP address for the jumpbox. Place the jumpbox in the same virtual network as the other VMs, but in a separate management subnet.

To secure the jumpbox, add an NSG rule that allows RDP connections only from a safe set of public IP addresses. Configure the NSGs for the other subnets to allow RDP traffic from the management subnet.
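The following added example (not the article's own code) implements both the four database-tier rules from the "Network security groups" section and the jumpbox rules from this section in one place, since they are two NSGs built with the same cmdlets. It assumes the subnet ranges 10.0.2.0/24 (business), 10.0.3.0/24 (database) and 10.0.5.0/24 (management), the virtual network `ntier-vnet`, and two administrator public IPs taken from the 203.0.113.0/24 documentation range.

```powershell
# Added example (not from the original article): NSG for the database subnet (rules 1-4 from the
# "Network security groups" section) and NSG for the management subnet that holds the jumpbox.
# Assumed values: 'ntier-rg', 'ntier-vnet', the three subnet ranges, and the administrator IPs.
$rg               = 'ntier-rg'
$location         = 'local'
$businessSubnet   = '10.0.2.0/24'
$databaseSubnet   = '10.0.3.0/24'
$managementSubnet = '10.0.5.0/24'
$adminPublicIps   = @('203.0.113.10', '203.0.113.11')   # constructed safe list

# In Azure a lower priority number is evaluated first, so rules 2-4 (100-120) override rule 1 (4000).
$dbRules = @(
    # Rule 2: business tier, narrowed here to the listener port (the article's rule has no port restriction).
    New-AzNetworkSecurityRuleConfig -Name 'allow-business-tier' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $businessSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $databaseSubnet -DestinationPortRange 1433
    # Rule 3: database VMs talking to each other (WSFC heartbeat, AG endpoint, replication).
    New-AzNetworkSecurityRuleConfig -Name 'allow-database-tier' -Priority 110 -Direction Inbound -Access Allow `
        -Protocol '*' -SourceAddressPrefix $databaseSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $databaseSubnet -DestinationPortRange '*'
    # Rule 4: RDP only from the management (jumpbox) subnet.
    New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-jumpbox' -Priority 120 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $managementSubnet -SourcePortRange '*' `
        -DestinationAddressPrefix $databaseSubnet -DestinationPortRange 3389
    # Rule 1: deny everything else from inside the virtual network (the 'VirtualNetwork' service tag,
    # called VIRTUAL_NETWORK in the text above). This is what keeps the web tier off the database tier.
    New-AzNetworkSecurityRuleConfig -Name 'deny-vnet-inbound' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$dbNsg = New-AzNetworkSecurityGroup -Name 'database-nsg' -ResourceGroupName $rg -Location $location -SecurityRules $dbRules

# Jumpbox: RDP from the safe list only; an explicit deny for RDP from 'Internet' documents the intent
# even though the default DenyAllInBound rule would already block it.
$mgmtRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-from-admins' -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminPublicIps -SourcePortRange '*' `
        -DestinationAddressPrefix $managementSubnet -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'deny-internet-rdp' -Priority 4000 -Direction Inbound -Access Deny `
        -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
)
$mgmtNsg = New-AzNetworkSecurityGroup -Name 'management-nsg' -ResourceGroupName $rg -Location $location -SecurityRules $mgmtRules

# Attach each NSG to its subnet so the rules apply to every VM in that tier.
$vnet = Get-AzVirtualNetwork -Name 'ntier-vnet' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'database'   -AddressPrefix $databaseSubnet   -NetworkSecurityGroup $dbNsg   | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'management' -AddressPrefix $managementSubnet -NetworkSecurityGroup $mgmtNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

After applying the NSGs, re-run a connection test from a web-tier VM to the listener on port 1433: it should now time out, while the same test from the business tier succeeds. That pair of results is the quickest confirmation that rule 1 is in force and rule 2 is overriding it as intended.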

Scalability considerations

Scale sets

For the web and business tiers, consider using virtual machine scale sets instead of deploying separate VMs. A scale set makes it easy to deploy and manage a set of identical VMs. Consider scale sets if you need to quickly scale out VMs.

There are two basic ways to configure VMs deployed in a scale set:

  • Use extensions to configure the VM after it is deployed. With this approach, new VM instances may take longer to start up than a VM with no extensions.

  • Deploy a managed disk with a custom disk image. This option may be quicker to deploy. However, it requires you to keep the image up to date.

For more information, see Design considerations for scale sets. These design considerations mostly apply to Azure Stack Hub as well, with a few caveats:

  • Virtual machine scale sets on Azure Stack Hub do not support overprovisioning or rolling upgrades.

  • You cannot autoscale virtual machine scale sets on Azure Stack Hub.

  • We strongly recommend using managed disks on Azure Stack Hub instead of unmanaged disks for virtual machine scale sets.

  • Currently, there is a 700 VM limit on Azure Stack Hub, which accounts for all Azure Stack Hub infrastructure VMs, individual VMs, and scale set instances.

Subscription limits

Each Azure Stack Hub tenant subscription has default limits in place, including a maximum number of VMs per region configured by the Azure Stack Hub operator. For more information, see Azure Stack Hub services, plans, offers, subscriptions overview. Also refer to Quota types in Azure Stack Hub.

Security considerations

Virtual networks are a traffic isolation boundary in Azure. By default, VMs in one virtual network can't communicate directly with VMs in a different virtual network.

NSGs. Use network security groups (NSGs) to restrict traffic to and from the Internet.

DMZ. Consider adding a network virtual appliance (NVA) to create a DMZ between the Internet and the Azure virtual network. NVA is a generic term for a virtual appliance that can perform network-related tasks, such as firewall, packet inspection, auditing, and custom routing.

Encryption. Encrypt sensitive data at rest and use Key Vault in Azure Stack Hub to manage the database encryption keys. For more information, see Configure Azure Key Vault Integration for SQL Server on Azure VMs. It is also recommended to store application secrets, such as database connection strings, in Key Vault.
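The connection-string recommendation above, as an added example that is not part of the original article: the string is written to a Key Vault on the stamp, a deployment identity is granted read-only secret access, and the value is read back at deploy time instead of being committed with the application. The vault name `ntier-kv`, the secret name, the listener and database names, and the identity's object ID are all assumptions or placeholders.

```powershell
# Added example (not from the original article): keep the database connection string in Key Vault
# on Azure Stack Hub rather than in application configuration files or source control.
# Assumed names: vault 'ntier-kv', secret 'AppDbConnectionString', listener 'ag-listener', database 'AppDb'.
$rg       = 'ntier-rg'
$location = 'local'
$vault    = 'ntier-kv'

New-AzKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location | Out-Null

# Integrated Security keeps SQL passwords out of the string entirely; the business-tier VMs are
# domain-joined, so their service identity authenticates. MultiSubnetFailover speeds up reconnecting
# to the listener after a failover, and Encrypt=True protects the session on the wire.
$connString = 'Server=tcp:ag-listener,1433;Database=AppDb;Integrated Security=True;Encrypt=True;MultiSubnetFailover=True;'
$secret     = ConvertTo-SecureString -String $connString -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'AppDbConnectionString' -SecretValue $secret | Out-Null

# Least privilege: the identity that deploys the business tier only needs to read secrets.
# '<app-identity-object-id>' is a placeholder for that identity's object ID in your directory.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId '<app-identity-object-id>' -PermissionsToSecrets get,list

# Deploy-time retrieval: the value never needs to exist in a checked-in file.
$retrieved = Get-AzKeyVaultSecret -VaultName $vault -Name 'AppDbConnectionString'
$plain     = [System.Net.NetworkCredential]::new('', $retrieved.SecretValue).Password
# $plain is now handed to the deployment step that writes the application's configuration.
```

Rotating the string later is then a matter of writing a new secret version and redeploying; no VM image or configuration file carries the old value, which is the property that makes the Key Vault recommendation worth following for connection strings and not only for the database encryption keys.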

Next steps