Private Endpoints for Azure Backup

Azure Backup allows you to securely back up and restore your data from your Recovery Services vaults using private endpoints. Private endpoints use one or more private IP addresses from your VNet, effectively bringing the service into your VNet.

This article will help you understand the process of creating private endpoints for Azure Backup and the scenarios where using private endpoints helps maintain the security of your resources.

Before you start

  • Private endpoints can be created for new Recovery Services vaults only (that don't have any items registered to the vault). So private endpoints must be created before you attempt to protect any items to the vault.
  • One virtual network can contain private endpoints for multiple Recovery Services vaults. Also, one Recovery Services vault can have private endpoints for it in multiple virtual networks. However, the maximum number of private endpoints that can be created for a vault is 12.
  • Once a private endpoint is created for a vault, the vault will be locked down. It won't be accessible (for backups and restores) from networks apart from ones that contain a private endpoint for the vault. If all private endpoints for the vault are removed, the vault will be accessible from all networks.
  • A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher (up to 25) for certain Azure regions. So we suggest that you have enough private IPs available when you attempt to create private endpoints for Backup.
  • While a Recovery Services vault is used by both Azure Backup and Azure Site Recovery, this article discusses use of private endpoints for Azure Backup only.
  • Azure Active Directory doesn't currently support private endpoints. So the IPs and FQDNs required for Azure Active Directory to work in a region will need to be allowed outbound access from the secured network when performing backup of databases in Azure VMs and backup using the MARS agent. You can also use NSG tags and Azure Firewall tags for allowing access to Azure AD, as applicable.
  • Virtual networks with Network Policies aren't supported for Private Endpoints. You'll need to disable Network Policies before continuing.
  • You need to re-register the Recovery Services resource provider with the subscription if you registered it before May 1 2020. To re-register the provider, go to your subscription in the Azure portal, navigate to Resource providers on the left navigation bar, then select Microsoft.RecoveryServices and select Re-register.

While private endpoints are enabled for the vault, they're used for backup and restore of SQL and SAP HANA workloads in an Azure VM and for MARS agent backup only. You can use the vault for backup of other workloads as well (they won't require private endpoints though). In addition to backup of SQL and SAP HANA workloads and backup using the MARS agent, private endpoints are also used to perform file recovery for Azure VM backup. For more information, see the following table:

  • Backup of workloads in Azure VM (SQL, SAP HANA), Backup using MARS Agent: Use of private endpoints is recommended to allow backup and restore without needing to allow-list any IPs/FQDNs for Azure Backup or Azure Storage from your virtual networks.
  • Azure VM backup: VM backup doesn't require you to allow access to any IPs or FQDNs. So it doesn't require private endpoints for backup and restore of disks. However, file recovery from a vault containing private endpoints would be restricted to virtual networks that contain a private endpoint for the vault. When using ACL'ed unmanaged disks, ensure the storage account containing the disks allows access to trusted Microsoft services if it's ACL'ed.
  • Azure Files backup: Azure Files backups are stored in the local storage account. So it doesn't require private endpoints for backup and restore.

Creating and using Private Endpoints for Backup

This section talks about the steps involved in creating and using private endpoints for Azure Backup inside your virtual networks.

Important

It's highly recommended that you follow the steps in the same sequence as described in this document. Failure to do so may lead to the vault being rendered incompatible with private endpoints and requiring you to restart the process with a new vault.

Create a Recovery Services vault

A Recovery Services vault is an entity that stores the backups and recovery points created over time. The Recovery Services vault also contains the backup policies that are associated with the protected virtual machines.

To create a Recovery Services vault:

  1. Sign in to your subscription in the Azure portal.

  2. On the left menu, select All services.

    [Screenshot: Select All services]

  3. In the All services dialog box, enter Recovery Services. The list of resources filters according to your input. In the list of resources, select Recovery Services vaults.

    [Screenshot: Enter and select Recovery Services vaults]

    The list of Recovery Services vaults in the subscription appears.

  4. On the Recovery Services vaults dashboard, select Add.

    [Screenshot: Add a Recovery Services vault]

    The Recovery Services vault dialog box opens. Provide values for the Name, Subscription, Resource group, and Location.

    [Screenshot: Configure the Recovery Services vault]

    • Name: Enter a friendly name to identify the vault. The name must be unique to the Azure subscription. Specify a name that has at least two, but not more than 50 characters. The name must start with a letter and consist only of letters, numbers, and hyphens.

    • Subscription: Choose the subscription to use. If you're a member of only one subscription, you'll see that name. If you're not sure which subscription to use, use the default (suggested) subscription. There are multiple choices only if your work or school account is associated with more than one Azure subscription.

    • Resource group: Use an existing resource group or create a new one. To see the list of available resource groups in your subscription, select Use existing, and then select a resource from the drop-down list box. To create a new resource group, select Create new and enter the name. For complete information about resource groups, see Azure Resource Manager overview.

    • Location: Select the geographic region for the vault. To create a vault to protect virtual machines, the vault must be in the same region as the virtual machines.

      Important

      If you're not sure of the location of your VM, close the dialog box. Go to the list of virtual machines in the portal. If you have virtual machines in several regions, create a Recovery Services vault in each region. Create the vault in the first location before you create the vault for another location. There's no need to specify storage accounts to store the backup data. The Recovery Services vault and the Azure Backup service handle that automatically.

  5. When you're ready to create the Recovery Services vault, select Create.

    [Screenshot: Create the Recovery Services vault]

    It can take a while to create the Recovery Services vault. Monitor the status notifications in the Notifications area at the upper-right corner of the portal. After your vault is created, it's visible in the list of Recovery Services vaults. If you don't see your vault, select Refresh.

    [Screenshot: Refresh the list of backup vaults]

See this section to learn how to create a vault using the Azure Resource Manager client. This creates a vault with its managed identity already enabled. Learn more about Recovery Services vaults here.

Enable Managed Identity for your vault

Managed identities allow the vault to create and use private endpoints. This section talks about enabling the managed identity for your vault.

  1. Go to your Recovery Services vault -> Identity.

    [Screenshot: Change the Identity status to On]

  2. Change the Status to On and select Save.

  3. An Object ID is generated, which is the vault's managed identity.

    Note

    Once enabled, the Managed Identity must not be disabled (even temporarily). Disabling the managed identity may lead to inconsistent behavior.

Grant permissions to the vault to create required private endpoints

To create the required private endpoints for Azure Backup, the vault (the Managed Identity of the vault) must have permissions to the following resource groups:

  • The Resource Group that contains the target VNet
  • The Resource Group where the Private Endpoints are to be created
  • The Resource Group that contains the Private DNS zones, as discussed in detail here

We recommend that you grant the Contributor role for those three resource groups to the vault (managed identity). The following steps describe how to do this for a particular resource group (this needs to be done for each of the three resource groups):

  1. Go to the Resource Group and navigate to Access Control (IAM) on the left bar.

  2. Once in Access Control, go to Add a role assignment.

    [Screenshot: Add a role assignment]

  3. In the Add role assignment pane, choose Contributor as the Role, and use the Name of the vault as the Principal. Select your vault and select Save when done.

    [Screenshot: Select the role and principal]

To manage permissions at a more granular level, see Create roles and permissions manually.

Creating and approving Private Endpoints for Azure Backup

Creating Private Endpoints for Backup

This section describes the process of creating a private endpoint for your vault.

  1. In the search bar, search for and select Private Link. This takes you to the Private Link Center.

    [Screenshot: Search for Private Link]

  2. On the left navigation bar, select Private Endpoints. Once in the Private Endpoints pane, select +Add to start creating a Private Endpoint for your vault.

    [Screenshot: Add a private endpoint in the Private Link Center]

  3. Once in the Create Private Endpoint process, you'll be required to specify details for creating your private endpoint connection.

    1. Basics: Fill in the basic details for your private endpoint. The region should be the same as the vault and the resource.

      [Screenshot: Fill in the basic details]

    2. Resource: This tab requires you to specify the PaaS resource for which you want to create your connection. Select Microsoft.RecoveryServices/vaults from the resource type for your desired subscription. Once done, choose the name of your Recovery Services vault as the Resource and AzureBackup as the Target sub-resource.

      [Screenshot: Fill in the Resource tab]

    3. Configuration: In configuration, specify the virtual network and subnet where you want the private endpoint to be created. This will be the VNet where the VM is present. You can opt to integrate your private endpoint with a private DNS zone. Alternately, you can also use your custom DNS server or create a private DNS zone.

      [Screenshot: Fill in the Configuration tab]

      Refer to this section if you want to use your custom DNS servers instead of integrating with Azure Private DNS Zones.

    4. Optionally, you can add Tags for your private endpoint.

    5. Continue to Review + create once you're done entering details. When the validation completes, select Create to create the private endpoint.

Approving Private Endpoints

If the user creating the private endpoint is also the owner of the Recovery Services vault, the private endpoint created above will be auto-approved. Otherwise, the owner of the vault must approve the private endpoint before it can be used. This section discusses manual approval of private endpoints through the Azure portal.

See Manual approval of private endpoints using the Azure Resource Manager Client to use the Azure Resource Manager client for approving private endpoints.

  1. In your Recovery Services vault, navigate to Private endpoint connections on the left bar.

  2. Select the private endpoint connection you wish to approve.

  3. Select Approve on the top bar. You can also select Reject or Remove if you wish to reject or delete the endpoint connection.

    [Screenshot: Approve the private endpoint]

Using Private Endpoints for Backup

Once the private endpoints created for the vault in your VNet have been approved, you can start using them for performing your backups and restores.

Important

Ensure that you've completed all the steps mentioned above in the document successfully before proceeding. To recap, you must have completed the steps in the following checklist:

  1. Created a (new) Recovery Services vault
  2. Enabled the vault to use a system-assigned Managed Identity
  3. Assigned the relevant permissions to the Managed Identity of the vault
  4. Created a Private Endpoint for your vault
  5. Approved the Private Endpoint (if not auto-approved)

Backup and restore of workloads in Azure VM (SQL, SAP HANA)

Once the private endpoint is created and approved, no additional changes are required from the client side to use the private endpoint. All communication and data transfer from your secured network to the vault will be performed through the private endpoint. However, if you remove the private endpoints for the vault after a server (SQL/SAP HANA) has been registered to it, you'll need to re-register the container with the vault. You don't need to stop protection for them.

Backup and restore through MARS Agent

When using the MARS Agent to back up your on-premises resources, make sure your on-premises network (containing the resources to be backed up) is peered with the Azure VNet that contains a private endpoint for the vault, so you can use it. You can then continue to install the MARS agent and configure backup as detailed here. You must, however, ensure that all communication for backup happens through the peered network only.

However, if you remove the private endpoints for the vault after a MARS agent has been registered to it, you'll need to re-register the container with the vault. You don't need to stop protection for them.

Additional topics

Create a Recovery Services vault using the Azure Resource Manager client

You can create the Recovery Services vault and enable its Managed Identity (enabling the Managed Identity is required, as we'll see later) using the Azure Resource Manager client. A sample for doing this is shared below:

armclient PUT /subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/Vaults/<vaultname>?api-version=2017-07-01-preview @C:\<filepath>\MSIVault.json

The JSON file above should have the following content:

Request JSON:

{
  "location": "chinanorth2",
  "name": "<vaultname>",
  "etag": "W/\"datetime'2019-05-24T12%3A54%3A42.1757237Z'\"",
  "tags": {
    "PutKey": "PutValue"
  },
  "properties": {},
  "id": "/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/Vaults/<vaultname>",
  "type": "Microsoft.RecoveryServices/Vaults",
  "sku": {
    "name": "RS0",
    "tier": "Standard"
  },
  "identity": {
    "type": "systemassigned"
  }
}

Response JSON:

{
   "location": "chinanorth2",
   "name": "<vaultname>",
   "etag": "W/\"datetime'2020-02-25T05%3A26%3A58.5181122Z'\"",
   "tags": {
     "PutKey": "PutValue"
   },
   "identity": {
     "tenantId": "<tenantid>",
     "principalId": "<principalid>",
     "type": "SystemAssigned"
   },
   "properties": {
     "provisioningState": "Succeeded",
     "privateEndpointStateForBackup": "None",
     "privateEndpointStateForSiteRecovery": "None"
   },
   "id": "/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/Vaults/<vaultname>",
   "type": "Microsoft.RecoveryServices/Vaults",
   "sku": {
     "name": "RS0",
     "tier": "Standard"
   }
 }

Note

The vault created in this example through the Azure Resource Manager client is created with a system-assigned managed identity already enabled.

Managing permissions on Resource Groups

The Managed Identity for the vault needs to have the following permissions in the resource group and virtual network where the private endpoints will be created:

  • Microsoft.Network/privateEndpoints/* This is required to perform CRUD on private endpoints in the resource group. It should be assigned on the resource group.
  • Microsoft.Network/virtualNetworks/subnets/join/action This is required on the virtual network where the private IP is getting attached to the private endpoint.
  • Microsoft.Network/networkInterfaces/read This is required on the resource group to get the network interface created for the private endpoint.
  • Private DNS Zone Contributor Role This role already exists and can be used to provide the Microsoft.Network/privateDnsZones/A/* and Microsoft.Network/privateDnsZones/virtualNetworkLinks/read permissions.

You can use one of the following methods to create roles with the required permissions:

Create roles and permissions manually

Create the following JSON files and use the PowerShell commands at the end of the section to create the roles:

//PrivateEndpointContributorRoleDef.json

{
  "Name": "PrivateEndpointContributor",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows management of Private Endpoint",
  "Actions": [
    "Microsoft.Network/privateEndpoints/*"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}

//NetworkInterfaceReaderRoleDef.json

{
  "Name": "NetworkInterfaceReader",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows read on networkInterfaces",
  "Actions": [
    "Microsoft.Network/networkInterfaces/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}

//PrivateEndpointSubnetContributorRoleDef.json

{
  "Name": "PrivateEndpointSubnetContributor",
  "Id": null,
  "IsCustom": true,
  "Description": "Allows adding of Private Endpoint connection to Virtual Networks",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/join/action"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000"
  ]
}

New-AzRoleDefinition -InputFile "PrivateEndpointContributorRoleDef.json"
New-AzRoleDefinition -InputFile "NetworkInterfaceReaderRoleDef.json"
New-AzRoleDefinition -InputFile "PrivateEndpointSubnetContributorRoleDef.json"

Use a script

  1. Run the following script with this PowerShell file: VaultMsiPrereqScript:

    ./VaultMsiPrereqScript.ps1 -subscription <subscription-Id> -vaultPEResourceGroup <vaultPERG> -vaultPESubnetResourceGroup <subnetRG> -vaultMsiName <msiName>

    These are the parameters:

    • subscription: SubscriptionId that has the resource group where the private endpoint for the vault is to be created and the subnet where the vault's private endpoint will be attached

    • vaultPEResourceGroup: Resource group where the private endpoint for the vault will be created

    • vaultPESubnetResourceGroup: Resource group of the subnet to which the private endpoint will be joined

    • vaultMsiName: Name of the vault's MSI, which is the same as the VaultName

  2. Complete the authentication, and the script will take the context of the subscription provided above. It will create the appropriate roles if they're missing from the tenant and assign the roles to the vault's MSI.

Creating Private Endpoints using Azure PowerShell

Auto-approved private endpoints

# Vault, resource groups and the VNet/subnet (in the VM's resource group) where the
# private endpoint is created. Replace the placeholders before running.
$vaultResourceGroupName = "<vault-rg>"
$vaultName = "<vault-name>"
$vmResourceGroupName = "<vm-rg>"
$vnetName = "<vnet-name>"
$subnetName = "<subnet-name>"
$privateEndpointConnectionName = "<connection-name>"
$privateEndpointName = "<private-endpoint-name>"

# The vault's resource ID is the Private Link target; its region is where the endpoint must live
$vault = Get-AzRecoveryServicesVault `
        -ResourceGroupName $vaultResourceGroupName `
        -Name $vaultName
$location = $vault.Location

$vnet = Get-AzVirtualNetwork -ResourceGroupName $vmResourceGroupName -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }

# Connection to the vault's AzureBackup sub-resource (the Target sub-resource in the portal)
$privateEndpointConnection = New-AzPrivateLinkServiceConnection `
        -Name $privateEndpointConnectionName `
        -PrivateLinkServiceId $vault.ID `
        -GroupId "AzureBackup"

# The endpoint is auto-approved when the caller also owns the vault
$privateEndpoint = New-AzPrivateEndpoint `
        -ResourceGroupName $vmResourceGroupName `
        -Name $privateEndpointName `
        -Location $location `
        -Subnet $subnet `
        -PrivateLinkServiceConnection $privateEndpointConnection `
        -Force

Manual approval of private endpoints using the Azure Resource Manager Client

  1. Use GetVault to get the Private Endpoint Connection ID for your private endpoint.

    armclient GET /subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/vaults/<vaultname>?api-version=2017-07-01-preview

    This will return the Private Endpoint Connection ID. The name of the connection can be retrieved by using the first part of the connection ID as follows:

    privateendpointconnectionid = {peName}.{vaultId}.backup.{guid}

  2. Get the Private Endpoint Connection ID (and the Private Endpoint Name, wherever required) from the response, replace it in the following JSON and Azure Resource Manager URI, and change the Status to "Approved", "Rejected" or "Disconnected", as demonstrated in the sample below:

    armclient PUT /subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/Vaults/<vaultname>/privateEndpointConnections/<privateendpointconnectionid>?api-version=2020-02-02-preview @C:\<filepath>\BackupAdminApproval.json

    JSON:

    {
    "id": "/subscriptions/<subscriptionid>/resourceGroups/<rgname>/providers/Microsoft.RecoveryServices/Vaults/<vaultname>/privateEndpointConnections/<privateendpointconnectionid>",
    "properties": {
        "privateEndpoint": {
        "id": "/subscriptions/<subscriptionid>/resourceGroups/<pergname>/providers/Microsoft.Network/privateEndpoints/pename"
        },
        "privateLinkServiceConnectionState": {
        "status": "Disconnected",  //choose state from Approved/Rejected/Disconnected
        "description": "Disconnected by <userid>"
        }
    }
    }
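Assembling the approval request by hand is easy to get wrong (a status the service does not accept, or the wrong endpoint name pulled out of the connection ID). The following Python helper is an added example, not part of the original article: it parses the {peName}.{vaultId}.backup.{guid} connection ID described above, refuses any status other than Approved, Rejected or Disconnected, and produces the URI and JSON body for the armclient PUT. The sample connection ID, resource group and user names are constructed placeholders, and the helper assumes the private endpoint name itself contains no dot.

```python
import re

# Connection states the vault accepts for a private endpoint connection (from the page)
ALLOWED_STATES = ("Approved", "Rejected", "Disconnected")
# API version used by the armclient PUT on the page
API_VERSION = "2020-02-02-preview"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def parse_connection_id(connection_id):
    """Split '{peName}.{vaultId}.backup.{guid}' (the format given on the page) into its
    parts. Assumption: the private endpoint name contains no '.', so the first label is
    the endpoint name and the last two labels are the fixed 'backup' tag and the GUID."""
    try:
        pe_name, rest = connection_id.split(".", 1)
        vault_id, tag, guid = rest.rsplit(".", 2)
    except ValueError:
        raise ValueError(f"malformed private endpoint connection id: {connection_id!r}") from None
    if not pe_name or not vault_id or tag != "backup" or not GUID_RE.match(guid):
        raise ValueError(f"malformed private endpoint connection id: {connection_id!r}")
    return {"peName": pe_name, "vaultId": vault_id, "guid": guid}


def connection_resource_id(subscription_id, resource_group, vault_name, connection_id):
    """ARM resource id of the connection, used both in the URI and in the body's 'id' field."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.RecoveryServices/Vaults/{vault_name}"
            f"/privateEndpointConnections/{connection_id}")


def approval_uri(subscription_id, resource_group, vault_name, connection_id):
    """Relative URI for the armclient PUT, with the api-version from the page."""
    base = connection_resource_id(subscription_id, resource_group, vault_name, connection_id)
    return f"{base}?api-version={API_VERSION}"


def build_connection_state_body(subscription_id, resource_group, vault_name,
                                connection_id, pe_resource_group, status, actor):
    """Build the JSON body that sets the connection state. A status outside ALLOWED_STATES
    is rejected locally, so a typo is never sent to the vault."""
    if status not in ALLOWED_STATES:
        raise ValueError(f"status must be one of {ALLOWED_STATES}, got {status!r}")
    parts = parse_connection_id(connection_id)
    pe_id = (f"/subscriptions/{subscription_id}/resourceGroups/{pe_resource_group}"
             f"/providers/Microsoft.Network/privateEndpoints/{parts['peName']}")
    return {
        "id": connection_resource_id(subscription_id, resource_group, vault_name, connection_id),
        "properties": {
            "privateEndpoint": {"id": pe_id},
            "privateLinkServiceConnectionState": {
                "status": status,
                "description": f"{status} by {actor}",
            },
        },
    }


if __name__ == "__main__":
    import json
    # Constructed sample values; take the real ones from the GetVault response.
    sample_id = "pee2epe.vault-sample.backup.11111111-2222-3333-4444-555555555555"
    body = build_connection_state_body("<subscriptionid>", "<rgname>", "<vaultname>",
                                       sample_id, "<pergname>", "Approved", "<userid>")
    print("PUT", approval_uri("<subscriptionid>", "<rgname>", "<vaultname>", sample_id))
    print(json.dumps(body, indent=2))
```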
    

DNS changes for custom DNS servers

Create DNS zones for custom DNS servers

You need to create three private DNS zones and link them to your virtual network.

  Zone                                        Service
  privatelink.<geo>.backup.azure.cn           Backup
  privatelink.blob.core.chinacloudapi.cn      Blob
  privatelink.queue.core.chinacloudapi.cn     Queue

Note

In the text above, geo refers to the region code. For example, wcus and ne for West Central US and China North respectively.

Refer to this list for region codes. See the following links for URL naming conventions:

Adding DNS records for custom DNS servers

This requires you to make an entry for each FQDN in your private endpoint into your Private DNS Zone.

Note that we'll be using the private endpoints created for the Backup, Blob, and Queue services.

  • The private endpoint for the vault uses the name specified while creating the private endpoint.
  • The private endpoints for the blob and queue services are prefixed with the name of the vault's private endpoint.

For example, the following picture shows the three private endpoints created for a private endpoint connection with the name pee2epe:

[Screenshot: The three private endpoints of a private endpoint connection]

DNS zone for the Backup service (privatelink.<geo>.backup.azure.cn):

  1. Navigate to your private endpoint for Backup in the Private Link Center. The overview page lists the FQDNs and private IPs for your private endpoint.

  2. Add one entry for each FQDN and private IP as an A type record.

    [Screenshot: Add an entry for each FQDN and private IP]

DNS zone for the Blob service (privatelink.blob.core.chinacloudapi.cn):

  1. Navigate to your private endpoint for Blob in the Private Link Center. The overview page lists the FQDN and private IP for your private endpoint.

  2. Add an entry for the FQDN and private IP as an A type record.

    [Screenshot: Add an entry for the FQDN and private IP as an A type record, for the Blob service]

DNS zone for the Queue service (privatelink.queue.core.chinacloudapi.cn):

  1. Navigate to your private endpoint for Queue in the Private Link Center. The overview page lists the FQDN and private IP for your private endpoint.

  2. Add an entry for the FQDN and private IP as an A type record.

    [Screenshot: Add an entry for the FQDN and private IP as an A type record, for the Queue service]
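A record that lands in the wrong zone, or points at an address outside the private endpoint subnet, silently sends backup traffic back to the public endpoint. The following Python helper is an added example, not part of the original article: it takes the FQDN / private IP pairs read from the overview pages of the Backup, Blob and Queue private endpoints, sorts them into the three privatelink zones above, rejects any address outside the private endpoint subnet, and checks that a resolver (a constructed answer table here, your custom DNS server in practice) returns the private IP for every record. The host labels, the geo code ne, the subnet and all addresses are constructed assumptions.

```python
import ipaddress

# The three private DNS zones the page asks for; {geo} is the region code.
PRIVATE_ZONES = (
    "privatelink.{geo}.backup.azure.cn",
    "privatelink.blob.core.chinacloudapi.cn",
    "privatelink.queue.core.chinacloudapi.cn",
)

# Constructed sample: FQDN / private IP pairs as listed on the overview pages of the
# Backup, Blob and Queue private endpoints of a connection named pee2epe. Host labels,
# the geo code "ne" and every address are made up for this example.
SAMPLE_ENTRIES = [
    ("vault1host.ne.backup.azure.cn", "10.0.1.4"),
    ("pee2epeblob.blob.core.chinacloudapi.cn", "10.0.1.5"),
    ("pee2epequeue.queue.core.chinacloudapi.cn", "10.0.1.6"),
    ("pee2epequeue2.queue.core.chinacloudapi.cn", "192.168.5.9"),  # outside the subnet: must be rejected
]
SAMPLE_SUBNET = "10.0.1.0/24"  # constructed: the subnet the private endpoint was created in


def public_suffix(zone):
    """Public DNS suffix that a privatelink zone shadows, e.g. blob.core.chinacloudapi.cn."""
    return zone[len("privatelink."):]


def zone_for_fqdn(fqdn, geo):
    """Return (zone, record_name) for a public FQDN, or None if it is outside all three zones."""
    fqdn = fqdn.lower().rstrip(".")
    for template in PRIVATE_ZONES:
        zone = template.format(geo=geo)
        suffix = public_suffix(zone)
        if fqdn.endswith("." + suffix):
            return zone, fqdn[: -(len(suffix) + 1)]
    return None


def plan_dns_records(entries, subnet_cidr, geo):
    """Sort (fqdn, ip) pairs into A records per zone. Returns (plan, problems): plan maps each
    zone to its [(record_name, ip)] list; problems lists entries that must not be added, i.e.
    names outside the three zones and addresses outside the private endpoint subnet."""
    subnet = ipaddress.ip_network(subnet_cidr)
    plan = {template.format(geo=geo): [] for template in PRIVATE_ZONES}
    problems = []
    for fqdn, ip in entries:
        match = zone_for_fqdn(fqdn, geo)
        if match is None:
            problems.append(f"{fqdn}: not in any of the three privatelink zones")
            continue
        if ipaddress.ip_address(ip) not in subnet:
            problems.append(f"{fqdn}: {ip} is outside the private endpoint subnet {subnet}")
            continue
        zone, record = match
        plan[zone].append((record, ip))
    return plan, problems


def verify_resolution(plan, resolve):
    """Check that every planned record resolves to its private IP via resolve(fqdn), a callable
    returning an IP string or None. Returns [(fqdn, expected, got)] for every mismatch; an empty
    list means the DNS server answers exactly what the zones require."""
    failures = []
    for zone, records in plan.items():
        for record, expected in records:
            fqdn = f"{record}.{public_suffix(zone)}"
            got = resolve(fqdn)
            if got != expected:
                failures.append((fqdn, expected, got))
    return failures


if __name__ == "__main__":
    plan, problems = plan_dns_records(SAMPLE_ENTRIES, SAMPLE_SUBNET, "ne")
    for zone, records in plan.items():
        for record, ip in records:
            print(f"{zone}: A {record} -> {ip}")
    for problem in problems:
        print("skip:", problem)
    # Stand-in for a real resolver: a constructed answer table with one stale queue entry.
    answers = {"vault1host.ne.backup.azure.cn": "10.0.1.4",
               "pee2epeblob.blob.core.chinacloudapi.cn": "10.0.1.5",
               "pee2epequeue.queue.core.chinacloudapi.cn": "10.0.1.99"}
    print("mismatches:", verify_resolution(plan, answers.get))
```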

Frequently Asked Questions

Q. Can I create a private endpoint for an existing Backup vault?
A. No, private endpoints can be created for new Backup vaults only. So the vault must not have ever had any items protected to it. In fact, no attempts to protect any items to the vault can be made before creating private endpoints.

Q. I tried to protect an item to my vault, but it failed and the vault still doesn't contain any items protected to it. Can I create private endpoints for this vault?
A. No, the vault must not have had any attempts to protect any items to it in the past.

Q. I have a vault that's using private endpoints for backup and restore. Can I later add or remove private endpoints for this vault even if I have backup items protected to it?
A. Yes. If you already created private endpoints for a vault and protected backup items to it, you can later add or remove private endpoints as required.

Q. Can the private endpoint for Azure Backup also be used for Azure Site Recovery?
A. No, the private endpoint for Backup can only be used for Azure Backup. You'll need to create a new private endpoint for Azure Site Recovery, if it's supported by the service.

Q. I missed one of the steps in this article and went on to protect my data source. Can I still use private endpoints?
A. Not following the steps in the article and continuing to protect items may lead to the vault not being able to use private endpoints. It's therefore recommended you refer to this checklist before proceeding to protect items.

Q. Can I use my own DNS server instead of using the Azure private DNS zone or an integrated private DNS zone?
A. Yes, you can use your own DNS servers. However, make sure all required DNS records are added as suggested in this section.

Q. Do I need to perform any additional steps on my server after I've followed the process in this article?
A. After following the process detailed in this article, you don't need to do additional work to use private endpoints for backup and restore.

Next steps