IP firewall in Azure Cosmos DB

To secure the data stored in your account, Azure Cosmos DB supports a secret-based authorization model that uses a strong Hash-based Message Authentication Code (HMAC). In addition, Azure Cosmos DB supports IP-based access control as an inbound firewall. This model is similar to the firewall rules of a traditional database system and adds a further layer of protection to your account. With the firewall, you can configure your Azure Cosmos account to be reachable only from an approved set of machines and/or cloud services. Requests from those approved machines and services still have to present a valid authorization token to access the data stored in your Azure Cosmos database.

IP access control overview

By default, your Azure Cosmos account is reachable from the internet as long as each request carries a valid authorization token. To configure IP policy-based access control, you supply the set of IP addresses or IP address ranges, in CIDR (Classless Inter-Domain Routing) notation, that make up the allow list of client IPs permitted to reach the account. Once this configuration is applied, every request that originates from a machine outside the allow list receives a 403 (Forbidden) response, regardless of whether it carries a valid token.

When you use the IP firewall, it is recommended that you also allow the Azure portal to reach your account. That access is needed for the Data Explorer and for retrieving the account metrics shown in the Azure portal. If you use the Data Explorer, allowing the portal is not enough on its own: you must also add your own current IP address to the firewall rules. Note that firewall changes can take up to 15 minutes to propagate, so a newly added address may still be rejected for a short while.

You can combine the IP-based firewall with subnet and VNET access control. Combining them lets you restrict access to specific public IP addresses and/or to specific subnets within a VNET. To learn more about subnet and VNET-based access control, see Access Azure Cosmos DB resources from virtual networks.

To summarize: an authorization token is always required to access an Azure Cosmos account. If neither the IP firewall nor VNET access control lists (ACLs) are configured, the account can be accessed from anywhere with a valid authorization token. Once the IP firewall, VNET ACLs, or both are configured on the account, only requests that originate from the sources you specified and that also carry a valid authorization token receive a valid response.
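The two-gate behaviour described in the overview and the summary above (source IP checked against a CIDR allow list first, authorization token checked second, and an empty allow list meaning "open from the internet") can be modelled in a few lines. The following is an added example, not code from the Azure Cosmos DB service or its SDKs. The allow-list entries and the account key are constructed for the example, the request-summary string and the simplified HMAC-SHA256 tag are a stand-in for the real Cosmos DB master-key signature format rather than a reproduction of it, and the 401 status for a bad token is an assumption of this model; the 403 for a blocked IP is the behaviour the page documents.

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, Optional

# Constructed allow list for the example (documentation-range addresses, not
# real Azure portal or customer IPs): one single host and one /24 range, in the
# CIDR form the firewall setting expects.
ALLOW_LIST = ["203.0.113.10", "198.51.100.0/24"]

# Hypothetical shared secret standing in for an account key.
ACCOUNT_KEY = b"constructed-demo-key"


def ip_allowed(client_ip: str, allow_list: Iterable[str]) -> bool:
    """Return True if client_ip falls inside any CIDR entry of allow_list.

    An empty allow list means no IP firewall is configured, so every source
    is allowed: the account stays reachable from the internet.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allow_list]
    if not networks:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)


def sign(request_summary: str, key: bytes) -> str:
    """Simplified HMAC-SHA256 tag over a request summary.

    Assumption for this example: the real Cosmos DB signature covers a
    service-defined string layout; only the HMAC construction is modelled here.
    """
    return hmac.new(key, request_summary.encode(), hashlib.sha256).hexdigest()


def token_valid(request_summary: str, token: Optional[str], key: bytes) -> bool:
    """Constant-time comparison of the presented token against the expected tag."""
    if token is None:
        return False
    expected = sign(request_summary, key)
    return hmac.compare_digest(token.encode(), expected.encode())


def evaluate(client_ip: str, request_summary: str, token: Optional[str],
             allow_list: Iterable[str] = ALLOW_LIST,
             key: bytes = ACCOUNT_KEY) -> int:
    """Model the two gates a request passes: IP firewall first, then the token.

    403: source IP outside the allow list (documented behaviour); the token is
         never examined for such a request.
    401: IP allowed but token missing or invalid (assumed status in this model).
    200: both checks pass.
    """
    if not ip_allowed(client_ip, allow_list):
        return 403
    if not token_valid(request_summary, token, key):
        return 401
    return 200


if __name__ == "__main__":
    req = "GET dbs/demo/colls/items"          # constructed request summary
    good = sign(req, ACCOUNT_KEY)
    print(evaluate("198.51.100.77", req, good))             # 200: inside the /24, valid token
    print(evaluate("192.0.2.5", req, good))                 # 403: outside allow list, token ignored
    print(evaluate("203.0.113.10", req, "bogus"))           # 401: IP allowed, token wrong
    print(evaluate("192.0.2.5", req, good, allow_list=[]))  # 200: no firewall configured
```

The order of the checks is the practical point: a request from a blocked address is refused with 403 before its token is ever validated, so a leaked account key alone is not enough to reach the data once the firewall is in place, while an allowed address still gets nothing without the token. On a real account the same allow list is set with the CLI flag `az cosmosdb update --ip-range-filter`, which takes the comma-separated CIDR list; remember that the rules are active only after they have propagated.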

Next steps

Next, you can configure the IP firewall or a VNET service endpoint for your account by using the following docs: