Data access strategies

APPLIES TO: Azure Data Factory, Azure Synapse Analytics (Preview)

A vital security goal of an organization is to protect its data stores, whether on-premises or cloud/SaaS, from arbitrary access over the internet.

Typically, a cloud data store controls access using the following mechanisms:

  • Firewall rules that limit connectivity by IP address
  • Authentication mechanisms that require users to prove their identity
  • Authorization mechanisms that restrict users to specific actions and data

Tip

With the introduction of static IP address ranges, you can now allow-list the IP ranges of the particular Azure Integration Runtime region, so you don't have to allow all Azure IP addresses in your cloud data stores. This way, you can restrict the IP addresses that are permitted to access the data stores.

Note

The IP address ranges are blocked off for Azure Integration Runtime and are currently used only for data movement, pipeline, and external activities.

This should work in many scenarios. We understand that a unique static IP address per integration runtime would be desirable, but that isn't currently possible with the Azure Integration Runtime, which is serverless. If necessary, you can always set up a self-hosted integration runtime and use your own static IP with it.

Data access strategies through Azure Data Factory

  • Trusted Service - Azure Storage (Blob, ADLS Gen2) supports a firewall configuration that enables select trusted Azure platform services to access the storage account securely. Trusted Services enforces managed identity authentication, which ensures that no other data factory can connect to this storage unless it has been allow-listed to do so using its managed identity. You can find more details in this blog post. Hence, this approach is extremely secure and recommended.
  • Unique Static IP - You need to set up a self-hosted integration runtime to get a static IP for Data Factory connectors. This mechanism ensures you can block access from all other IP addresses.
  • Static IP range - You can allow-list the Azure Integration Runtime's IP addresses in your storage (say S3, Salesforce, etc.). This certainly restricts the IP addresses that can connect to the data stores, but it still relies on authentication/authorization rules.
  • Service Tag - A service tag represents a group of IP address prefixes from a given Azure service (like Azure Data Factory). Azure manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. It is useful when allow-listing data access on IaaS-hosted data stores in a virtual network.
  • Allow Azure Services - Some services let you allow all Azure services to connect to them if you choose this option.
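As an added example (not part of this article or Microsoft's own samples), the following Bicep fragment applies the Trusted Service and Static IP range strategies together to an Azure Storage account: default-deny network rules, the trusted-services bypass, one allow-listed static IP range, and a role assignment so that only this factory's managed identity can use the trusted-service path. Resource names and the IP range are placeholders; the role ID is the built-in Storage Blob Data Contributor role.

```bicep
// Added example, not from the article: Azure Storage locked down with the
// Trusted Service and Static IP range strategies. Names and the IP range are
// placeholders; the role ID is the built-in Storage Blob Data Contributor.
param location string = resourceGroup().location
param storageName string = 'stadfexample'      // placeholder
param factoryName string = 'adf-example'       // placeholder, existing factory
// Placeholder: substitute the published Azure IR static IP range for your region.
param azureIrStaticRange string = '203.0.113.0/24'

resource factory 'Microsoft.DataFactory/factories@2018-06-01' existing = {
  name: factoryName
}

// The weak setting would be defaultAction: 'Allow', which leaves the account
// reachable from any internet source and relies on credentials alone.
resource storage 'Microsoft.Storage/storageAccounts@2021-04-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    networkAcls: {
      defaultAction: 'Deny'     // block every source not listed below
      bypass: 'AzureServices'   // Trusted Service path: trusted platform services only
      ipRules: [
        {
          value: azureIrStaticRange   // Static IP range strategy
          action: 'Allow'
        }
      ]
    }
  }
}

// The trusted-service bypass still requires the caller to authenticate with a
// managed identity that holds a data-plane role; grant it only to this factory.
resource factoryBlobAccess 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(storage.id, factory.id, 'StorageBlobDataContributor')
  scope: storage
  properties: {
    principalId: factory.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
  }
}
```

Any other factory, even one inside the same subscription, hits the default-deny rule unless its IP is listed or its own managed identity has been granted a role on the account.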

For more information about the network security mechanisms supported on data stores with the Azure Integration Runtime and the self-hosted integration runtime, see the two tables below.

  • Azure Integration Runtime

    Supported network security mechanisms on data stores:

    | Data Stores                  |                                                         | Trusted Service      | Static IP range | Service Tags | Allow Azure Services |
    |------------------------------|---------------------------------------------------------|----------------------|-----------------|--------------|----------------------|
    | Azure PaaS Data stores       | Azure Cosmos DB                                         | -                    | Yes             | -            | Yes                  |
    |                              | Azure Data Explorer                                     | -                    | Yes*            | Yes*         | -                    |
    |                              | Azure Database for MariaDB, MySQL, PostgreSQL           | -                    | Yes             | -            | Yes                  |
    |                              | Azure File Storage                                      | -                    | Yes             | -            | Yes                  |
    |                              | Azure Storage (Blob, ADLS Gen2)                         | Yes (MSI auth only)  | Yes             | -            | Yes                  |
    |                              | Azure SQL DB, Azure Synapse Analytics, SQL MI           | -                    | Yes             | -            | Yes                  |
    |                              | Azure Key Vault (for fetching secrets/connection strings) | Yes                | Yes             | -            | -                    |
    | Other PaaS/SaaS Data stores  | AWS S3, Salesforce, Google Cloud Storage, etc.          | -                    | Yes             | -            | -                    |
    | Azure IaaS                   | SQL Server, Oracle, etc.                                | -                    | Yes             | Yes          | -                    |
    | On-premises IaaS             | SQL Server, Oracle, etc.                                | -                    | Yes             | -            | -                    |

    *Applicable only when Azure Data Explorer is virtual network injected and the IP range can be applied on the NSG/firewall.

  • Self-hosted Integration Runtime (in a VNet/on-premises)

    Supported network security mechanisms on data stores:

    | Data Stores                  |                                                         | Static IP | Trusted Services     |
    |------------------------------|---------------------------------------------------------|-----------|----------------------|
    | Azure PaaS Data stores       | Azure Cosmos DB                                         | Yes       | -                    |
    |                              | Azure Data Explorer                                     | -         | -                    |
    |                              | Azure Database for MariaDB, MySQL, PostgreSQL           | Yes       | -                    |
    |                              | Azure File Storage                                      | Yes       | -                    |
    |                              | Azure Storage (Blob, ADLS Gen2)                         | Yes       | Yes (MSI auth only)  |
    |                              | Azure SQL DB, Azure Synapse Analytics, SQL MI           | Yes       | -                    |
    |                              | Azure Key Vault (for fetching secrets/connection strings) | Yes     | Yes                  |
    | Other PaaS/SaaS Data stores  | AWS S3, Salesforce, Google Cloud Storage, etc.          | Yes       | -                    |
    | Azure IaaS                   | SQL Server, Oracle, etc.                                | Yes       | -                    |
    | On-premises IaaS             | SQL Server, Oracle, etc.                                | Yes       | -                    |

Next steps

For more information, see the following related articles: