How to assign a single public IP for VNet-injected workspaces using Azure Firewall

You can use an Azure Firewall to create a VNet-injected workspace in which all clusters share a single outbound IP address. That single IP address can then serve as an additional security layer with other Azure services and applications that allow access based on specific IP addresses.

  1. Set up an Azure Databricks workspace in your own virtual network.
  2. Set up a firewall within the virtual network. See Create an NVA. When you create the firewall, you should:
    • Note both the private and public IP addresses of the firewall for later use.
    • Create a network rule for the public subnet that forwards all traffic to the internet:
      • Name: any arbitrary name
      • Priority: 100
      • Protocol: Any
      • Source Addresses: the IP range of the public subnet in the virtual network that you created
      • Destination Addresses: 0.0.0.0/1
      • Destination Ports: *
  3. Create a custom route table and associate it with the public subnet.
    1. Add custom routes, also known as user-defined routes (UDRs), for the following services. Specify the Azure Databricks region addresses for your region. For Next hop type, enter Internet, as shown in Create a route table.
      • Control Plane NAT VIP
      • Webapp
      • Metastore
      • Artifact Blob Storage
      • Logs Blob Storage
    2. Add a custom route for the firewall with the following values:
      • Address prefix: 0.0.0.0/0
      • Next hop type: Virtual appliance
      • Next hop address: the private IP address of the firewall
    3. Associate the route table with the public subnet.
  4. Validate the setup.
    1. Create a cluster in the Azure Databricks workspace.
    2. Next, query blob storage at your own paths or run %fs ls in a cell.
    3. If it fails, confirm that the route table has all required UDRs (including the Service Endpoint used instead of a UDR for Blob Storage).
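As an added example that is not part of the original article, the following Python check automates step 4.3: it reads a route table in the shape `az network route-table show` returns (the field names `name`, `addressPrefix`, `nextHopType` and `nextHopIpAddress` are an assumption) and confirms that the Databricks service prefixes go to Internet while everything else defaults to the firewall. The firewall address and the RFC 5737 prefixes below are constructed; replace them with the values from steps 2 and 3.

```python
import ipaddress

def check_route_table(routes, firewall_private_ip, region_prefixes, via_service_endpoint=()):
    """Return a list of problems; an empty list means the table matches the setup.

    region_prefixes: service name -> CIDRs published for your Databricks region.
    via_service_endpoint: services reached through a VNet service endpoint
        instead of a UDR (e.g. Blob Storage); no UDR is required for those.
    """
    problems, by_prefix = [], {}
    for r in routes:
        try:
            by_prefix[ipaddress.ip_network(r["addressPrefix"])] = r
        except ValueError:  # catches mistyped prefixes such as "0.0.0.0./0"
            problems.append(f"{r['name']}: invalid address prefix {r['addressPrefix']!r}")
    # The default route must hand all remaining traffic to the firewall (NVA).
    default = by_prefix.get(ipaddress.ip_network("0.0.0.0/0"))
    if default is None:
        problems.append("missing 0.0.0.0/0 route to the firewall")
    elif (default["nextHopType"] != "VirtualAppliance"
          or default.get("nextHopIpAddress") != firewall_private_ip):
        problems.append(f"0.0.0.0/0 must use VirtualAppliance -> {firewall_private_ip}")
    # Each Databricks service prefix needs a more specific UDR straight to Internet.
    for service, prefixes in region_prefixes.items():
        if service in via_service_endpoint:
            continue
        for p in prefixes:
            r = by_prefix.get(ipaddress.ip_network(p))
            if r is None:
                problems.append(f"{service}: no UDR for {p}")
            elif r["nextHopType"] != "Internet":
                problems.append(f"{service}: {p} goes to {r['nextHopType']}, expected Internet")
    return problems

# Constructed sample: RFC 5737 documentation prefixes stand in for the real
# region addresses, which you look up for your Azure Databricks region.
SAMPLE_PREFIXES = {
    "Control Plane NAT VIP": ["192.0.2.10/32"],
    "Webapp": ["192.0.2.20/32"],
    "Metastore": ["198.51.100.0/24"],
    "Artifact Blob Storage": ["203.0.113.0/25"],
    "Logs Blob Storage": ["203.0.113.128/25"],
}
FIREWALL_PRIVATE_IP = "10.0.3.4"  # constructed; use the address noted in step 2

def route(name, prefix, hop_type, hop_ip=None):
    return {"name": name, "addressPrefix": prefix, "nextHopType": hop_type, "nextHopIpAddress": hop_ip}

GOOD_ROUTES = [route(s, p, "Internet") for s, ps in SAMPLE_PREFIXES.items() for p in ps]
GOOD_ROUTES.append(route("to-firewall", "0.0.0.0/0", "VirtualAppliance", FIREWALL_PRIVATE_IP))
# Same table with a mistyped default route: Azure rejects it, and without it traffic bypasses the firewall.
TYPO_ROUTES = GOOD_ROUTES[:-1] + [route("to-firewall", "0.0.0.0./0", "VirtualAppliance", FIREWALL_PRIVATE_IP)]
```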

For more information, see Route Azure Databricks traffic using a virtual appliance or firewall.