Connect privately to an Azure container registry using Azure Private Link

Limit access to a registry by assigning virtual network private IP addresses to the registry endpoints and using Azure Private Link. Network traffic between the clients on the virtual network and the registry's private endpoints traverses the virtual network and a private link on the Azure backbone network, eliminating exposure from the public internet. Private Link also enables private registry access from on-premises through Azure ExpressRoute private peering or a VPN gateway.

You can configure DNS settings for the registry's private endpoints, so that the settings resolve to the registry's allocated private IP address. With DNS configuration, clients and services in the network can continue to access the registry at the registry's fully qualified domain name, such as myregistry.azurecr.cn.

This feature is available in the Premium container registry service tier. Currently, a maximum of 10 private endpoints can be set up for a registry. For information about registry service tiers and limits, see Azure Container Registry tiers.

Note

Azure Security Center can't currently perform image vulnerability scanning in a registry that restricts access to private endpoints, selected subnets, or IP addresses.

Prerequisites

  • To use the Azure CLI steps in this article, Azure CLI version 2.6.0 or later is recommended. If you need to install or upgrade, see Install Azure CLI.

  • If you don't already have a container registry, create one (Premium tier required) and import a sample image such as hello-world from Docker Hub. For example, use the Azure portal or the Azure CLI to create a registry.

  • To configure registry access using a private link in a different Azure subscription, you need to register the resource provider for Azure Container Registry in that subscription. For example:

    az account set --subscription <Name or ID of subscription of private link>
    
    az provider register --namespace Microsoft.ContainerRegistry
    

The Azure CLI examples in this article use the following environment variables. Substitute values appropriate for your environment. All examples are formatted for the Bash shell:

REGISTRY_NAME=<container-registry-name>
REGISTRY_LOCATION=<container-registry-location> # Azure region such as chinaeast2 where registry created
RESOURCE_GROUP=<resource-group-name>
VM_NAME=<virtual-machine-name>

Create a Docker-enabled virtual machine

For test purposes, use a Docker-enabled Ubuntu VM to access an Azure container registry. To use Azure Active Directory authentication to the registry, also install the Azure CLI on the VM. If you already have an Azure virtual machine, skip this creation step.

You may use the same resource group for your virtual machine and your container registry. This setup simplifies clean-up at the end but isn't required. If you choose to create a separate resource group for the virtual machine and virtual network, run az group create. The following example assumes you've set environment variables for the resource group name and registry location:

az group create --name $RESOURCE_GROUP --location $REGISTRY_LOCATION

Now deploy a default Ubuntu Azure virtual machine with az vm create. The following example creates a VM named myDockerVM.

VM_NAME=myDockerVM

az vm create \
  --resource-group $RESOURCE_GROUP \
  --name $VM_NAME \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys

It takes a few minutes for the VM to be created. When the command completes, take note of the publicIpAddress displayed by the Azure CLI. Use this address to make SSH connections to the VM.

Install Docker on the VM

After the VM is running, make an SSH connection to the VM. Replace publicIpAddress with the public IP address of your VM.

ssh azureuser@publicIpAddress

Run the following commands to install Docker on the Ubuntu VM:

sudo apt-get update
sudo apt install docker.io -y

After installation, run the following command to verify that Docker is running properly on the VM:

sudo docker run -it hello-world

Output:

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

Install the Azure CLI

Follow the steps in Install Azure CLI with apt to install the Azure CLI on your Ubuntu virtual machine. For example:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Exit the SSH connection.

Get network and subnet names

If you don't have them already, you'll need the names of a virtual network and subnet to set up a private link. In this example, you use the same subnet for the VM and the registry's private endpoint. However, in many scenarios you would set up the endpoint in a separate subnet.

When you create a VM, Azure by default creates a virtual network in the same resource group. The name of the virtual network is based on the name of the virtual machine. For example, if you name your virtual machine myDockerVM, the default virtual network name is myDockerVMVNET, with a subnet named myDockerVMSubnet. Set these values in environment variables by running the az network vnet list command:

NETWORK_NAME=$(az network vnet list \
  --resource-group $RESOURCE_GROUP \
  --query '[].{Name: name}' --output tsv)

SUBNET_NAME=$(az network vnet list \
  --resource-group $RESOURCE_GROUP \
  --query '[].{Subnet: subnets[0].name}' --output tsv)

echo NETWORK_NAME=$NETWORK_NAME
echo SUBNET_NAME=$SUBNET_NAME

Disable network policies in subnet

Disable network policies such as network security groups in the subnet for the private endpoint. Update your subnet configuration with az network vnet subnet update:

az network vnet subnet update \
 --name $SUBNET_NAME \
 --vnet-name $NETWORK_NAME \
 --resource-group $RESOURCE_GROUP \
 --disable-private-endpoint-network-policies

Configure the private DNS zone

Create a private DNS zone for the private Azure container registry domain. In later steps, you create DNS records for your registry domain in this DNS zone.

To use a private zone to override the default DNS resolution for your Azure container registry, the zone must be named privatelink.azurecr.cn. Run the following az network private-dns zone create command to create the private zone:

az network private-dns zone create \
  --resource-group $RESOURCE_GROUP \
  --name "privatelink.azurecr.cn"

Run az network private-dns link vnet create to associate your private zone with the virtual network. This example creates a link called myDNSLink.

az network private-dns link vnet create \
  --resource-group $RESOURCE_GROUP \
  --zone-name "privatelink.azurecr.cn" \
  --name MyDNSLink \
  --virtual-network $NETWORK_NAME \
  --registration-enabled false

Create a private registry endpoint

In this section, create the registry's private endpoint in the virtual network. First, get the resource ID of your registry:

REGISTRY_ID=$(az acr show --name $REGISTRY_NAME \
  --query 'id' --output tsv)

Run the az network private-endpoint create command to create the registry's private endpoint.

The following example creates the endpoint myPrivateEndpoint and service connection myConnection. To specify a container registry resource for the endpoint, pass --group-ids registry:

az network private-endpoint create \
    --name myPrivateEndpoint \
    --resource-group $RESOURCE_GROUP \
    --vnet-name $NETWORK_NAME \
    --subnet $SUBNET_NAME \
    --private-connection-resource-id $REGISTRY_ID \
    --group-ids registry \
    --connection-name myConnection

Get private IP addresses

Run az network private-endpoint show to query the endpoint for the network interface ID:

NETWORK_INTERFACE_ID=$(az network private-endpoint show \
  --name myPrivateEndpoint \
  --resource-group $RESOURCE_GROUP \
  --query 'networkInterfaces[0].id' \
  --output tsv)

Associated with the network interface in this example are two private IP addresses for the container registry: one for the registry itself, and one for the registry's data endpoint. The following az resource show commands get the private IP addresses for the container registry and the registry's data endpoint:

PRIVATE_IP=$(az resource show \
  --ids $NETWORK_INTERFACE_ID \
  --api-version 2019-04-01 \
  --query 'properties.ipConfigurations[1].properties.privateIPAddress' \
  --output tsv)

DATA_ENDPOINT_PRIVATE_IP=$(az resource show \
  --ids $NETWORK_INTERFACE_ID \
  --api-version 2019-04-01 \
  --query 'properties.ipConfigurations[0].properties.privateIPAddress' \
  --output tsv)

Note

If your registry is geo-replicated, query for the additional data endpoint for each registry replica.

Create DNS records in the private zone

The following commands create DNS records in the private zone for the registry endpoint and its data endpoint. For example, if you have a registry named myregistry in the chinaeast2 region, the endpoint names are myregistry.azurecr.cn and myregistry.chinaeast2.data.azurecr.cn.

Note

If your registry is geo-replicated, create additional DNS records for each replica's data endpoint IP.

First run az network private-dns record-set a create to create empty A record sets for the registry endpoint and data endpoint:

az network private-dns record-set a create \
  --name $REGISTRY_NAME \
  --zone-name privatelink.azurecr.cn \
  --resource-group $RESOURCE_GROUP

# Specify registry region in data endpoint name
az network private-dns record-set a create \
  --name ${REGISTRY_NAME}.${REGISTRY_LOCATION}.data \
  --zone-name privatelink.azurecr.cn \
  --resource-group $RESOURCE_GROUP

Run the az network private-dns record-set a add-record command to create the A records for the registry endpoint and data endpoint:

az network private-dns record-set a add-record \
  --record-set-name $REGISTRY_NAME \
  --zone-name privatelink.azurecr.cn \
  --resource-group $RESOURCE_GROUP \
  --ipv4-address $PRIVATE_IP

# Specify registry region in data endpoint name
az network private-dns record-set a add-record \
  --record-set-name ${REGISTRY_NAME}.${REGISTRY_LOCATION}.data \
  --zone-name privatelink.azurecr.cn \
  --resource-group $RESOURCE_GROUP \
  --ipv4-address $DATA_ENDPOINT_PRIVATE_IP

The private link is now configured and ready for use.

Set up a private link when you create a registry, or add a private link to an existing registry. The following steps assume you already have a virtual network and subnet set up with a VM for testing. You can also create a new virtual network and subnet.

Create a private endpoint - new registry

  1. When creating a registry in the portal, on the Basics tab, in SKU, select Premium.

  2. Select the Networking tab.

  3. In Network connectivity, select Private endpoint > + Add.

  4. Enter or select the following information:

    Setting | Value
    Subscription | Select your subscription.
    Resource group | Enter the name of an existing group or create a new one.
    Name | Enter a unique name.
    Subresource | Select registry
    Networking
    Virtual network | Select the virtual network where your virtual machine is deployed, such as myDockerVMVNET.
    Subnet | Select a subnet, such as myDockerVMSubnet where your virtual machine is deployed.
    Private DNS Integration
    Integrate with private DNS zone | Select Yes.
    Private DNS Zone | Select (New) privatelink.azurecr.cn

  5. Configure the remaining registry settings, and then select Review + Create.


Create a private endpoint - existing registry

  1. In the portal, navigate to your container registry.

  2. Under Settings, select Networking.

  3. On the Private endpoints tab, select + Private endpoint.

  4. In the Basics tab, enter or select the following information:

    Setting | Value
    Project details
    Subscription | Select your subscription.
    Resource group | Enter the name of an existing group or create a new one.
    Instance details
    Name | Enter a name.
    Region | Select a region.

  5. Select Next: Resource.

  6. Enter or select the following information:

    Setting | Value
    Connection method | Select Connect to an Azure resource in my directory.
    Subscription | Select your subscription.
    Resource type | Select Microsoft.ContainerRegistry/registries.
    Resource | Select the name of your registry
    Target subresource | Select registry

  7. Select Next: Configuration.

  8. Enter or select the information:

    Setting | Value
    Networking
    Virtual network | Select the virtual network where your virtual machine is deployed, such as myDockerVMVNET.
    Subnet | Select a subnet, such as myDockerVMSubnet where your virtual machine is deployed.
    Private DNS Integration
    Integrate with private DNS zone | Select Yes.
    Private DNS Zone | Select (New) privatelink.azurecr.cn

  9. Select Review + create. You're taken to the Review + create page where Azure validates your configuration.

  10. When you see the Validation passed message, select Create.

After the private endpoint is created, DNS settings in the private zone appear on the Private endpoints page in the portal:

  1. In the portal, navigate to your container registry and select Settings > Networking.

  2. On the Private endpoints tab, select the private endpoint you created.

  3. On the Overview page, review the link settings and custom DNS settings.


Your private link is now configured and ready for use.

Disable public access

For many scenarios, disable registry access from public networks. This configuration prevents clients outside the virtual network from reaching the registry endpoints.

Disable public access - CLI

To disable public access using the Azure CLI, run az acr update and set --public-network-enabled to false.

Note

The public-network-enabled argument requires Azure CLI 2.6.0 or later.

az acr update --name $REGISTRY_NAME --public-network-enabled false

Disable public access - portal

  1. In the portal, navigate to your container registry and select Settings > Networking.
  2. On the Public access tab, in Allow public network access, select Disabled. Then select Save.

You should validate that the resources within the subnet of the private endpoint connect to your registry over a private IP address, and have the correct private DNS zone integration.

To validate the private link connection, SSH to the virtual machine you set up in the virtual network.

Run the nslookup command to resolve the IP address of your registry over the private link:

nslookup $REGISTRY_NAME.azurecr.cn

Example output shows the registry's IP address in the address space of the subnet:

[...]
myregistry.azurecr.cn       canonical name = myregistry.privatelink.azurecr.cn.
Name:   myregistry.privatelink.azurecr.cn
Address: 10.0.0.6

Compare this result with the public IP address in nslookup output for the same registry over a public endpoint:

[...]
Non-authoritative answer:
Name:   myregistry.chinaeast2.cloudapp.chinacloudapi.cn
Address: 40.78.103.41
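
One way to automate the comparison above, as an added example that is not part of the original article: a POSIX shell function that reads nslookup output and reports whether the final answer is a privatelink.azurecr.cn name whose address lies inside the private endpoint's subnet. The subnet 10.0.0.0/24, the function names, and the sample outputs (modeled on the two outputs shown above) are constructed assumptions; only IPv4 answers are handled.

```shell
#!/bin/sh
# Added example (not from the original article): classify nslookup output
# for a registry FQDN. The subnet CIDR and sample outputs are constructed.

ZONE_SUFFIX="privatelink.azurecr.cn"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if IPv4 address $1 lies inside CIDR block $2.
ip_in_cidr() {
  _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "${2%/*}") & _mask )) ]
}

# Read nslookup output on stdin; $1 is the private endpoint subnet CIDR.
# Prints a verdict and returns 0 (private), 1 (answer is a public name),
# 2 (privatelink name but address outside the subnet), 3 (nothing parsed).
classify_resolution() {
  _cidr=$1; _name=""; _addr=""
  while IFS= read -r _line; do
    case "$_line" in
      Name:*) set -- $_line; _name=$2 ;;
      Address:*)
        # The resolver's own Address line precedes any Name line; skip it.
        if [ -n "$_name" ]; then set -- $_line; _addr=$2; fi ;;
    esac
  done
  [ -n "$_addr" ] || { echo "no-answer"; return 3; }
  case "$_name" in
    *".$ZONE_SUFFIX") ;;
    *) echo "public:$_addr"; return 1 ;;
  esac
  ip_in_cidr "$_addr" "$_cidr" || { echo "outside-subnet:$_addr"; return 2; }
  echo "private:$_addr"
}

# Constructed sample: resolution from a VM inside the virtual network.
SAMPLE_PRIVATE='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
myregistry.azurecr.cn       canonical name = myregistry.privatelink.azurecr.cn.
Name:   myregistry.privatelink.azurecr.cn
Address: 10.0.0.6'

# Constructed sample: resolution of the same registry over a public endpoint.
SAMPLE_PUBLIC='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   myregistry.chinaeast2.cloudapp.chinacloudapi.cn
Address: 40.78.103.41'

printf '%s\n' "$SAMPLE_PRIVATE" | classify_resolution 10.0.0.0/24 || true
printf '%s\n' "$SAMPLE_PUBLIC"  | classify_resolution 10.0.0.0/24 || true
```

On the VM, pipe live output into the function instead of the samples, for example `nslookup $REGISTRY_NAME.azurecr.cn | classify_resolution <subnet-cidr>`, and treat any non-zero return as a failed private DNS integration check.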

Also verify that you can perform registry operations from the virtual machine in the subnet. Make an SSH connection to your virtual machine, and run az acr login to log in to your registry. Depending on your VM configuration, you might need to prefix the following commands with sudo.

az acr login --name $REGISTRY_NAME

Perform registry operations such as docker pull to pull a sample image from the registry. Replace hello-world:v1 with an image and tag appropriate for your registry, prefixed with the registry login server name (all lowercase):

docker pull myregistry.azurecr.cn/hello-world:v1

Docker successfully pulls the image to the VM.

Manage private endpoint connections

Manage a registry's private endpoint connections using the Azure portal, or by using commands in the az acr private-endpoint-connection command group. Operations include approve, delete, list, reject, or show details of a registry's private endpoint connections.

For example, to list the private endpoint connections of a registry, run the az acr private-endpoint-connection list command. For example:

az acr private-endpoint-connection list \
  --registry-name $REGISTRY_NAME 

When you set up a private endpoint connection using the steps in this article, the registry automatically accepts connections from clients and services that have RBAC permissions on the registry. You can set up the endpoint to require manual approval of connections.

Add zone records for replicas

As shown in this article, when you add a private endpoint connection to a registry, DNS records in the privatelink.azurecr.cn zone are created for the registry and its data endpoints in the regions where the registry is replicated.

If you later add a new replica, you need to manually add a new zone record for the data endpoint in that region. For example, if you create a replica of myregistry in the chinaeast2 location, add a zone record for myregistry.chinaeast2.data.azurecr.cn. For steps, see Create DNS records in the private zone in this article.

Clean up resources

If you created all the Azure resources in the same resource group and no longer need them, you can optionally delete the resources by using a single az group delete command:

az group delete --name $RESOURCE_GROUP

To clean up your resources in the portal, navigate to your resource group. Once the resource group is loaded, click on Delete resource group to remove the resource group and the resources stored there.

Next steps