Access Azure Cosmos DB from virtual networks (VNet)

You can configure an Azure Cosmos account to allow access only from specific subnets of a virtual network (VNet). When you enable the service endpoint for Azure Cosmos DB on a subnet within a virtual network, traffic from that subnet reaches Azure Cosmos DB carrying the identity of the subnet and virtual network instead of a public IP address. Once the service endpoint is enabled, you restrict access to that subnet by adding it to the Azure Cosmos account's network rules.

By default, an Azure Cosmos account is reachable from any source as long as the request carries a valid authorization token. Once you add one or more subnets from your VNets, only requests originating from those subnets get a valid response; requests from any other source receive a 403 (Forbidden) response. A valid key or token is still required in every case: network rules narrow where requests may come from, they do not replace authorization.

Frequently asked questions

Here are some frequently asked questions about configuring access from virtual networks:

Can I specify both a virtual network service endpoint and an IP access control policy on an Azure Cosmos account?

You can enable both the virtual network service endpoint and an IP access control policy (also called the IP firewall) on your Azure Cosmos account. The two features are complementary: VNet rules admit traffic from specific subnets, and the IP firewall admits traffic from specific static public IP addresses (for example, on-premises clients that reach the account over the Internet). A request is accepted if it matches either kind of rule, so review both lists when auditing who can reach the account.

How do I limit access to a subnet within a virtual network?

Two steps are required to limit access to an Azure Cosmos account from a subnet. First, allow traffic from the subnet to carry its subnet and virtual network identity to Azure Cosmos DB by enabling the service endpoint for Azure Cosmos DB on that subnet. Next, add a rule to the Azure Cosmos account that names this subnet as a source from which the account can be accessed. Both steps are needed: the service endpoint alone does not restrict anything, and a VNet rule on the account cannot match traffic from a subnet that still arrives with a public IP address.

Will virtual network ACLs and the IP firewall reject requests or connections?

When IP firewall or virtual network access rules are in place, only requests from allowed sources get valid responses; all other requests are rejected with a 403 (Forbidden). It is important to distinguish the Azure Cosmos account's firewall from a connection-level firewall: a disallowed source can still open a TCP/TLS connection to the service, and the connection itself is not refused. In practice this means an open port or a successful TLS handshake is not evidence that a source is allowed; check the HTTP status returned for an authenticated request instead.

My requests started getting blocked when I enabled the service endpoint for Azure Cosmos DB on the subnet. What happened?

Once the service endpoint for Azure Cosmos DB is enabled on a subnet, the source of the traffic reaching the account switches from a public IP address to the virtual network and subnet identity. If your Azure Cosmos account has only IP-based firewall rules, traffic from the service-endpoint-enabled subnet no longer matches those rules and is rejected. To avoid the outage, add the VNet rule to the account before enabling the service endpoint on the subnet, and remove the IP rule only afterwards; see the steps for migrating from an IP-based firewall to virtual network-based access control.
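The two-step procedure from the previous answer, carried out in the order that avoids the outage described here, as an added Azure CLI example; this script is not part of the original page and is not a Microsoft-supplied tool. The resource group, account, VNet and subnet names are placeholders. By default the script only prints the az commands it would run (DRY_RUN=1); set DRY_RUN=0 with a logged-in az CLI to apply them.

```shell
#!/bin/sh
# Added example (not from the original page): lock an Azure Cosmos account
# down to one subnet with the Azure CLI, ordered so that clients currently
# admitted by an IP firewall rule keep working during the switch.
#
# All resource names are placeholders. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 executes them against the current az subscription.

RG="${RG:-rg-cosmos-demo}"              # assumed resource group
ACCOUNT="${ACCOUNT:-cosmos-demo-acct}"  # assumed Cosmos account name
VNET="${VNET:-vnet-app}"                # assumed virtual network
SUBNET="${SUBNET:-snet-app}"            # assumed subnet
DRY_RUN="${DRY_RUN:-1}"

# Executes a command, or prints it on one line when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Migration step 1: register the subnet on the account *before* its traffic
# carries a VNet identity. --ignore-missing-endpoint allows the rule while
# the subnet has no service endpoint yet, so traffic that still arrives via
# public IP keeps matching the IP firewall.
add_vnet_rule() {
  run az cosmosdb network-rule add \
    --resource-group "$RG" --name "$ACCOUNT" \
    --virtual-network "$VNET" --subnet "$SUBNET" \
    --ignore-missing-endpoint true
}

# Step 2: enforce VNet filtering on the account (rules are inert otherwise).
enable_vnet_filter() {
  run az cosmosdb update \
    --resource-group "$RG" --name "$ACCOUNT" \
    --enable-virtual-network true
}

# Step 3: enable the service endpoint on the subnet. From here on, traffic
# from the subnet reaches the account with the VNet/subnet identity.
enable_service_endpoint() {
  run az network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.AzureCosmosDB
}

# Step 4: drop the public IP allowance that the VNet rule now replaces
# (an empty value is assumed here to clear the list).
clear_ip_filter() {
  run az cosmosdb update \
    --resource-group "$RG" --name "$ACCOUNT" \
    --ip-range-filter ""
}

# Check: list the subnet resource IDs the account currently admits.
show_vnet_rules() {
  run az cosmosdb show \
    --resource-group "$RG" --name "$ACCOUNT" \
    --query "virtualNetworkRules[].id" -o tsv
}

migrate_ip_firewall_to_vnet() {
  add_vnet_rule
  enable_vnet_filter
  enable_service_endpoint
  clear_ip_filter
  show_vnet_rules
}

migrate_ip_firewall_to_vnet
```

If you are not migrating from an IP firewall, steps 1 and 4 collapse to a plain network-rule add with no ignore flag. After applying, confirm the account reports isVirtualNetworkFilterEnabled as true and lists only the intended subnet IDs; a request from any other source should then get a 403 while a request from the subnet succeeds.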

Are additional RBAC permissions needed for Azure Cosmos accounts with VNet service endpoints?

After you add VNet service endpoints to an Azure Cosmos account, making any change to the account settings requires the Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action permission on every VNet configured on the account. This permission is required because the authorization process validates access to the referenced resources (the database account and the virtual network resources) before evaluating any properties.

The authorization checks the VNet resource action even when the caller does not specify the VNet ACLs in the Azure CLI command. Currently, the Azure Cosmos account's control plane only supports setting the complete state of the account. One of the parameters to the control plane call is virtualNetworkRules. If this parameter is not specified, the Azure CLI first issues a GET for the account to retrieve the existing virtualNetworkRules and then passes that value in the update call, so the join action is checked for every listed subnet regardless of which setting you intended to change.
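One way to grant that permission without handing out Network Contributor, as an added example that is not part of the original page: a custom role containing only the join action, assigned at the scope of each VNet the account references. The subscription ID, resource group, VNet names and principal object ID are placeholders, and DRY_RUN=1 (the default) prints the az commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original page): define a custom role that holds
# exactly the VNet action the Cosmos DB control plane checks for accounts with
# VNet rules, and assign it per VNet rather than at subscription scope.
#
# Subscription, resource names and the principal are placeholders.
# DRY_RUN=1 (default) prints the az commands; DRY_RUN=0 executes them.

SUBSCRIPTION="${SUBSCRIPTION:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-cosmos-demo}"
VNETS="${VNETS:-vnet-app vnet-data}"   # every VNet that has a rule on the account
PRINCIPAL_ID="${PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"
PRINCIPAL_TYPE="${PRINCIPAL_TYPE:-User}"   # User, Group or ServicePrincipal
ROLE_NAME="Cosmos DB VNet Rule Operator"
DRY_RUN="${DRY_RUN:-1}"

# Executes a command, or prints it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION" "$RG"
}

# Resource ID of one VNet; assignments go here, not on the resource group.
vnet_scope() {
  printf '%s/providers/Microsoft.Network/virtualNetworks/%s' "$(rg_scope)" "$1"
}

# Least-privilege role: only the join action. Permissions on the Cosmos
# account itself come from whatever role the operator already holds.
role_definition_json() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Lets the holder update Cosmos DB accounts that reference VNet subnets.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$(rg_scope)" ]
}
EOF
}

create_role() {
  run az role definition create --role-definition "$(role_definition_json)"
}

# One assignment per VNet listed in VNETS; the control plane checks the join
# action on all of them, so a VNet missing here makes every account update fail.
assign_role_on_vnets() {
  for vnet in $VNETS; do
    run az role assignment create \
      --assignee-object-id "$PRINCIPAL_ID" \
      --assignee-principal-type "$PRINCIPAL_TYPE" \
      --role "$ROLE_NAME" \
      --scope "$(vnet_scope "$vnet")"
  done
}

create_role
assign_role_on_vnets
```

Keep VNETS in sync with the account's virtualNetworkRules: because the CLI re-sends the full rule list on every update, an operator lacking the join action on even one listed VNet is denied for unrelated changes such as a consistency or throughput update.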

Do peered virtual networks also have access to the Azure Cosmos account?

Only the virtual networks and subnets explicitly added to the Azure Cosmos account have access. Peered VNets cannot access the account until their own subnets are added to the account; peering does not extend a rule to the peer.

What is the maximum number of subnets allowed to access a single Azure Cosmos account?

Currently, you can allow at most 256 subnets for an Azure Cosmos account.

Can I enable access from VPN and ExpressRoute?

To access an Azure Cosmos account over ExpressRoute from on-premises, you need to enable Azure peering. Once you have IP firewall or virtual network access rules in place, add the public IP addresses used for Azure peering to the Azure Cosmos account's IP firewall to allow on-premises services to reach the account.

Do I need to update the Network Security Group (NSG) rules?

NSG rules are used to limit connectivity to and from a subnet within a virtual network. When you add the service endpoint for Azure Cosmos DB to a subnet, you do not need to open additional outbound connectivity in the NSG for your Azure Cosmos account. If the NSG carries an explicit outbound deny that would cover Azure Cosmos DB, allow outbound traffic to the AzureCosmosDB service tag rather than to individual public IP ranges of the service.

Are service endpoints available for all VNets?

No. Only Azure Resource Manager virtual networks can have service endpoints enabled; classic virtual networks don't support service endpoints.

Can I "Accept connections from within public Azure datacenters" when service endpoint access is enabled for Azure Cosmos DB?

This is required only when you want your Azure Cosmos DB account to be accessed by other Azure first-party services, such as Azure Data Factory or Azure Cognitive Search, or by any service deployed in the given Azure region that does not run in a subnet you can add to the account. Be aware that this setting admits traffic from Azure datacenter IP ranges in general, including resources that belong to other tenants, so leave it off unless one of these services needs it.

Next steps