Diagnose private links configuration issues on Azure Key Vault

Introduction

This article helps users diagnose and fix issues involving Key Vault and the Private Links feature. It covers configuration aspects, such as getting private links working for the first time, or fixing a situation where private links stopped working because of some change.

If you are new to this feature, see Integrate Key Vault with Azure Private Link.

Problems covered by this article

  • Your DNS queries still return a public IP address for the key vault, instead of the private IP address you would expect from using the private links feature.
  • All requests made by a given client that is using private links fail with timeouts or network errors, and the problem is not intermittent.
  • The key vault has a private IP address, but requests still get a 403 response with the ForbiddenByFirewall inner error code.
  • You are using private links, but your key vault still accepts requests from the public Internet.
  • Your key vault has two Private Endpoints. Requests using one work fine, but requests using the other fail.
  • You have another subscription, key vault, or virtual network that is using private links. You want to make a new, similar deployment, but you can't get private links to work there.

Problems NOT covered by this article

  • There is an intermittent connectivity issue. In a given client, you see some requests working and some not. Intermittent problems are typically not caused by an issue in the private links configuration; they are a sign of network or client overload.
  • You are using an Azure product that supports BYOK (Bring Your Own Key), CMK (Customer Managed Keys), or access to secrets stored in a key vault. When you enable the firewall in the key vault settings, that product cannot access your key vault. Look at the product-specific documentation and make sure it explicitly states support for key vaults with the firewall enabled. Contact support for that specific product if needed.

How to read this article

If you are new to private links or you are evaluating a complex deployment, it's recommended that you read the entire article. Otherwise, feel free to jump to the section that best matches the problem you are facing.

Let's get started!

1. Confirm that you own the client connection

Confirm that your client runs in the virtual network

This guide is intended to help you fix connections to a key vault that originate from application code. Examples are applications and scripts that execute in Azure Virtual Machines, Azure Service Fabric clusters, Azure App Service, Azure Kubernetes Service (AKS), and similar environments. This guide also applies to access performed through the Azure portal web-based user interface, where the browser accesses your key vault directly.

If the application, script or portal is running on an arbitrary Internet-connected network, this guide is NOT applicable, and private links likely cannot be used. This limitation also applies to commands executed in the Azure Cloud Shell, because they run in a remote Azure machine provided on demand, not in the user's browser.

If you use a managed solution, refer to its specific documentation

This guide is NOT applicable to solutions managed by Microsoft, where the key vault is accessed by an Azure product that exists independently of the customer Virtual Network. Examples of such scenarios are Azure Storage or Azure SQL configured for encryption at rest, Azure Event Hub encrypting data with customer-provided keys, Azure Data Factory accessing service credentials stored in a key vault, Azure Pipelines retrieving secrets from a key vault, and other similar scenarios. In these cases, you must check whether the product supports key vaults with the firewall enabled. This support is typically provided through the Trusted Services feature of the Key Vault firewall. However, many products are not included in the list of trusted services, for a variety of reasons. In that case, contact the product-specific support.

2. Confirm that the connection is approved and succeeded

The following steps validate that the private endpoint connection is approved and succeeded:

  1. Open the Azure portal and open your key vault resource.
  2. In the left menu, select Networking.
  3. Click the Private endpoint connections tab. This shows all private endpoint connections and their respective states. If there are no connections, or if the connection for your Virtual Network is missing, you have to create a new Private Endpoint. This is covered later.
  4. Still in Private endpoint connections, find the one you are diagnosing and confirm that "Connection state" is Approved and "Provisioning state" is Succeeded.
    • If the connection is in "Pending" state, you might be able to just approve it.
    • If the connection is in "Rejected", "Failed", "Error", "Disconnected" or any other state, then it's not effective at all, and you have to create a new Private Endpoint resource.

It's a good idea to delete ineffective connections in order to keep things clean.

3. Confirm that the key vault firewall is properly configured

Important

Changing firewall settings may remove access from legitimate clients that are not yet using private links. Make sure you are aware of the implications of each change in the firewall configuration.

An important notion is that the private links feature only gives access to your key vault from a Virtual Network that is closed to prevent data exfiltration. It does not remove any existing access. In order to effectively block access from the public Internet, you must enable the key vault firewall explicitly:

  1. Open the Azure portal and open your key vault resource.
  2. In the left menu, select Networking.
  3. Make sure the Firewalls and virtual networks tab is selected at the top.
  4. Make sure the option Private endpoint and selected networks is selected. If you find All networks selected, that explains why external clients are still able to access the key vault.

The following statements also apply to firewall settings:

  • The private links feature doesn't require any "virtual network" to be specified in the key vault firewall settings. All requests using the private IP address of the key vault (see next section) must work, even if no virtual network is specified in the key vault firewall settings.
  • The private links feature doesn't require specifying any IP address in the key vault firewall settings. Again, all requests using the private IP address of the key vault must work, even if no IP address is specified in the firewall settings.

If you are using private links, the only motivations for specifying a virtual network or IP address in the key vault firewall are:

  • You have a hybrid system where some clients use private links, some use service endpoints, and some use public IP addresses.
  • You are transitioning to private links. In this case, once you confirm that all clients are using private links, you should remove virtual networks and IP addresses from the key vault firewall settings.

4. Make sure the key vault has a private IP address

Difference between private and public IP addresses

A private IP address always has one of the following formats:

  • 10.x.x.x. Examples: 10.1.2.3, 10.56.34.12.
  • 172.16.x.x to 172.32.x.x. Examples: 172.20.1.1, 172.31.67.89.
  • 192.168.x.x. Examples: 192.168.0.1, 192.168.100.7.

Certain IP addresses and ranges are reserved:

  • 224.x.x.x: Multicast
  • 255.255.255.255: Broadcast
  • 127.x.x.x: Loopback
  • 169.254.x.x: Link-local
  • 168.63.129.16: Internal DNS

All other IP addresses are public.

When you browse the portal or run a command that shows an IP address, make sure you can identify whether that IP address is private, public, or reserved. For private links to work, the key vault hostname must resolve to a private IP address belonging to the Virtual Network address space.

Find the key vault private IP address in the virtual network

You will need to diagnose hostname resolution, and for that you must know the exact private IP address of your key vault with private links enabled. To find that address, follow this procedure:

  1. Open the Azure portal and open your key vault resource.
  2. In the left menu, select Networking.
  3. Click the Private endpoint connections tab. This shows all private endpoint connections and their respective states.
  4. Find the one you are diagnosing and confirm that "Connection state" is Approved and "Provisioning state" is Succeeded. If you are not seeing this, go back to the previous sections of this document.
  5. When you find the right item, click the link in the Private endpoint column. This opens the Private Endpoint resource.
  6. The Overview page may show a section called Custom DNS settings. Confirm that there is only one entry, matching the key vault hostname. That entry shows the key vault private IP address.
  7. You may also click the link at Network interface and confirm that the private IP address is the same as the one displayed in the previous step. The network interface is a virtual device that represents the key vault.

This IP address is the one that VMs and other devices running in the same Virtual Network will use to connect to the key vault. Make a note of the IP address, or keep the browser tab open and don't touch it while you do further investigation.

Note

If your key vault has multiple private endpoints, then it has multiple private IP addresses. This is only useful if you have multiple Virtual Networks accessing the same key vault, each through its own Private Endpoint (a Private Endpoint belongs to a single Virtual Network). Make sure you diagnose the problem for the correct Virtual Network, and select the correct private endpoint connection in the procedure above. Furthermore, do not create multiple Private Endpoints for the same Key Vault in the same Virtual Network. This is not needed and is a source of confusion.

5. Validate the DNS resolution

DNS resolution is the process of translating the key vault hostname (example: fabrikam.vault.azure.cn) into an IP address (example: 10.1.2.3). The following subsections show the expected results of DNS resolution in each scenario.

This section is intended for learning purposes. When the key vault has no private endpoint connection in Approved state, resolving the hostname gives a result similar to this one:

Windows:

C:\> nslookup fabrikam.vault.azure.cn
Non-authoritative answer:
Address:  52.168.109.101
Aliases:  fabrikam.vault.azure.cn
          data-prod-eus.vaultcore.azure.net
          data-prod-eus-region.vaultcore.azure.net

Linux:

joe@MyUbuntu:~$ host fabrikam.vault.azure.cn
fabrikam.vault.azure.cn is an alias for data-prod-eus.vaultcore.azure.net.
data-prod-eus.vaultcore.azure.net is an alias for data-prod-eus-region.vaultcore.azure.net.
data-prod-eus-region.vaultcore.azure.net has address 52.168.109.101

You can see that the name resolves to a public IP address, and there is no privatelink alias. The alias is explained later; don't worry about it now.

The above result is expected regardless of whether the machine is connected to the Virtual Network or is an arbitrary machine with an Internet connection. This happens because the key vault has no private endpoint connection in Approved state, and therefore there is no need for the key vault to support private links.

When the key vault has one or more private endpoint connections in Approved state and you resolve the hostname from an arbitrary machine connected to the Internet (a machine that is not connected to the Virtual Network where the Private Endpoint resides), you will find this:

Windows:

C:\> nslookup fabrikam.vault.azure.cn
Non-authoritative answer:
Address:  52.168.109.101
Aliases:  fabrikam.vault.azure.cn
          fabrikam.privatelink.vaultcore.azure.net
          data-prod-eus.vaultcore.azure.net
          data-prod-eus-region.vaultcore.azure.net

Linux:

joe@MyUbuntu:~$ host fabrikam.vault.azure.cn
fabrikam.vault.azure.cn is an alias for fabrikam.privatelink.vaultcore.azure.net.
fabrikam.privatelink.vaultcore.azure.net is an alias for data-prod-eus.vaultcore.azure.net.
data-prod-eus.vaultcore.azure.net is an alias for data-prod-eus-region.vaultcore.azure.net.
data-prod-eus-region.vaultcore.azure.net has address 52.168.109.101

The notable difference from the previous scenario is that there is a new alias with the value {vaultname}.privatelink.vaultcore.azure.net. This means the key vault Data Plane is ready to accept requests from private links.

It doesn't mean that requests performed from machines outside the Virtual Network (like the one you just used) will use private links; they won't. You can see that from the fact that the hostname still resolves to a public IP address. Only machines connected to the Virtual Network can use private links. More on this will follow.

If you don't see the privatelink alias, it means the key vault has zero private endpoint connections in Approved state. Go back to this section before retrying.

When the key vault has one or more private endpoint connections in Approved state and you resolve the hostname from a machine connected to the Virtual Network where the Private Endpoint was created, this is the expected response:

Windows:

C:\> nslookup fabrikam.vault.azure.cn
Non-authoritative answer:
Address:  10.1.2.3
Aliases:  fabrikam.vault.azure.cn
          fabrikam.privatelink.vaultcore.azure.net

Linux:

joe@MyUbuntu:~$ host fabrikam.vault.azure.cn
fabrikam.vault.azure.cn is an alias for fabrikam.privatelink.vaultcore.azure.net.
fabrikam.privatelink.vaultcore.azure.net has address 10.1.2.3

There are two notable differences. First, the name resolves to a private IP address. That must be the IP address that you found in the corresponding section of this article. Second, there are no other aliases after the privatelink one. This happens because the Virtual Network DNS servers intercept the chain of aliases and return the private IP address directly for the name fabrikam.privatelink.vaultcore.azure.net. That entry is actually an A record in a Private DNS Zone. More on this will follow.

Note

The outcome above only happens on a Virtual Machine connected to the Virtual Network where the Private Endpoint was created. If you don't have a VM deployed in the Virtual Network that contains the Private Endpoint, deploy one, connect to it remotely, and then execute the nslookup command (Windows) or the host command (Linux) shown above.

If you run these commands on a Virtual Machine connected to the Virtual Network where the Private Endpoint was created, and they do not show the key vault private IP address, the next section may help fix the issue.

6. Validate the Private DNS Zone

If the DNS resolution is not working as described in the previous section, there might be an issue with your Private DNS Zone, and this section may help. If the DNS resolution shows the correct key vault private IP address, your Private DNS Zone is probably correct and you can skip this entire section.

Confirm that the required Private DNS Zone resource exists

Your Azure subscription must have a Private DNS Zone resource with this exact name:

privatelink.vaultcore.azure.net

You can check for the presence of this resource by going to the subscription page in the Portal and selecting "Resources" in the left menu. The resource name must be privatelink.vaultcore.azure.net, and the resource type must be Private DNS zone.

Normally this resource is created automatically when you create a Private Endpoint using the common procedure. But there are cases where this resource is not created automatically and you have to create it manually. This resource might also have been accidentally deleted.

If you don't have this resource, create a new Private DNS Zone resource in your subscription. Remember that the name must be exactly privatelink.vaultcore.azure.net, without spaces or additional dots. If you specify the wrong name, the name resolution explained in this article will not work. For more information on how to create this resource, see Create an Azure private DNS zone using the Azure portal. If you follow that page, you can skip the Virtual Network creation because at this point you should already have one. You can also skip the validation procedures with Virtual Machines.

Confirm that the Private DNS Zone is linked to the Virtual Network

It is not enough to have a Private DNS Zone. It must also be linked to the Virtual Network that contains the Private Endpoint. If the Private DNS Zone is not linked to the correct Virtual Network, any DNS resolution from that Virtual Network will ignore the Private DNS Zone.

Open the Private DNS Zone resource and click the Virtual network links option in the left menu. This shows a list of links, each with the name of a Virtual Network in your subscription. The Virtual Network that contains the Private Endpoint resource must be listed here. If it's not there, add it. For detailed steps, see Link the virtual network. You can leave "Enable auto registration" unchecked; that feature is not related to private links.

Once the Private DNS Zone is linked to the Virtual Network, DNS requests originating from the Virtual Network will look up names in the Private DNS Zone. This is required for correct address resolution on Virtual Machines connected to the Virtual Network where the Private Endpoint was created.

Note

If you just saved the link, it may take some time for it to go into effect, even after the Portal says the operation is complete. You might also need to reboot the VM that you are using to test DNS resolution.

Confirm that the Private DNS Zone contains the right A record

Using the Portal, open the Private DNS Zone named privatelink.vaultcore.azure.net. The Overview page shows all records. By default, there is one record with name @ and type SOA, meaning Start of Authority. Don't touch that.

For the key vault name resolution to work, there must be an A record with the simple vault name, without suffix or dots. For example, if the hostname is fabrikam.vault.azure.cn, there must be an A record with the name fabrikam, without any suffix or dots.

Also, the value of the A record (the IP address) must be the key vault private IP address. If you find the A record but it contains the wrong IP address, you must remove the wrong IP address and add the right one. It's recommended that you remove the entire A record and add a new one.

Note

Whenever you remove or modify an A record, a machine may still resolve to the old IP address because the TTL (Time To Live) value might not have expired yet. It is recommended that you always specify a TTL value no smaller than 60 seconds (one minute) and no larger than 600 seconds (10 minutes). If you specify a value that is too large, your clients may take too long to recover from outages.

DNS resolution for more than one Virtual Network

If there are multiple Virtual Networks and each has its own Private Endpoint resource referencing the same key vault, then the key vault hostname needs to resolve to a different private IP address depending on the network. This means multiple Private DNS Zones are also needed, each linked to a different Virtual Network and using a different IP address in the A record.

In more advanced scenarios, the Virtual Networks may have peering enabled. In this case, only one Virtual Network needs the Private Endpoint resource, although both may need to be linked to the Private DNS Zone resource. This scenario is not directly covered by this document.

Understand that you have control over DNS resolution

As explained in the previous section, a key vault with private links has the alias {vaultname}.privatelink.vaultcore.azure.net in its public registration. The DNS server used by the Virtual Network uses the public registration, but it checks every alias for a private registration, and if one is found, it stops following the aliases defined in the public registration.

This logic means that if the Virtual Network is linked to a Private DNS Zone named privatelink.vaultcore.azure.net, and the public DNS registration for the key vault has the alias fabrikam.privatelink.vaultcore.azure.net (note that the alias suffix matches the Private DNS Zone name exactly), then the DNS query will look for an A record named fabrikam in the Private DNS Zone. If the A record is found, its IP address is returned in the DNS query, and no further lookup is performed in the public DNS registration.

As you can see, the name resolution is under your control. The rationales for this design are:

  • You may have a complex scenario that involves custom DNS servers and integration with on-premises networks. In that case, you need to control how names are translated to IP addresses.
  • You may need to access a key vault without private links. In that case, resolving the hostname from the Virtual Network must return the public IP address, and this happens because key vaults without private links don't have the privatelink alias in their name registration.

Query the /healthstatus endpoint of the key vault

Your key vault provides the /healthstatus endpoint, which can be used for diagnostics. The response headers include the origin IP address as seen by the key vault service. You can call that endpoint with the following command (remember to use your own key vault hostname):

Windows (PowerShell):

PS C:\> $(Invoke-WebRequest -UseBasicParsing -Uri https://fabrikam.vault.azure.cn/healthstatus).Headers
Key                           Value
---                           -----
Pragma                        no-cache
x-ms-request-id               3729ddde-eb6d-4060-af2b-aac08661d2ec
x-ms-keyvault-service-version 1.2.27.0
x-ms-keyvault-network-info    addr=10.4.5.6;act_addr_fam=InterNetworkV6;
Strict-Transport-Security     max-age=31536000;includeSubDomains
Content-Length                4
Cache-Control                 no-cache
Content-Type                  application/json; charset=utf-8

Linux, or a recent version of Windows 10 that includes curl:

joe@MyUbuntu:~$ curl -i https://fabrikam.vault.azure.cn/healthstatus
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
x-ms-request-id: 6c090c46-0a1c-48ab-b740-3442ce17e75e
x-ms-keyvault-service-version: 1.2.27.0
x-ms-keyvault-network-info: addr=10.4.5.6;act_addr_fam=InterNetworkV6;
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Length: 4

If you are not getting output similar to that, or if you get a network error, it means your key vault is not accessible via the hostname you specified (fabrikam.vault.azure.cn in the example). Either the hostname is not resolving to the correct IP address, or you have a connectivity issue at the transport layer. It may be caused by routing issues, packet drops, or other reasons. You have to investigate further.

The response must include the header x-ms-keyvault-network-info:

x-ms-keyvault-network-info: addr=10.4.5.6;act_addr_fam=InterNetworkV6;

The addr field in the x-ms-keyvault-network-info header shows the IP address of the origin of the request. This IP address can be one of the following:

  • The private IP address of the machine making the request. This indicates that the request is using private links or service endpoints. This is the expected outcome for private links.
  • Some other private IP address, not that of the machine making the request. This indicates that some custom routing is in effect. It still indicates that the request is using private links or service endpoints.
  • Some public IP address. This indicates that the request is being routed to the Internet through a gateway (NAT) device. This indicates that the request is NOT using private links, and some issue needs to be fixed. The common reasons for this are 1) the private endpoint is not in Approved and Succeeded state, and 2) the hostname is not resolving to the key vault's private IP address. This article includes troubleshooting actions for both cases.

Note

If the request to /healthstatus works but the x-ms-keyvault-network-info header is missing, then the endpoint is likely not being served by the key vault. Since the above commands also validate the HTTPS certificate, the missing header might be a sign of tampering.
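As an added example (not code from the article or from any Microsoft tool), the following Python script applies the rules of sections 4 and 5 and of this section offline: it classifies an address as private, public or reserved, interprets a resolved CNAME chain the way the nslookup/host samples above are read, and parses the x-ms-keyvault-network-info header into the three addr cases. All inputs are constructed from the article's own samples; the function names and the client_private_ip parameter are this example's assumptions.

```python
"""Offline helpers for the checks this article walks through (added example).

Nothing here contacts Azure or performs a live DNS lookup. Inputs are constructed
from the article's samples (fabrikam.vault.azure.cn, 10.1.2.3, 52.168.109.101 and
the x-ms-keyvault-network-info header); every function name is this example's own.
"""
import ipaddress
from typing import Dict, List, Optional

PRIVATELINK_ZONE = "privatelink.vaultcore.azure.net"

# RFC 1918 private ranges. The article lists 10.x.x.x, 172.16.x.x-172.32.x.x and
# 192.168.x.x; RFC 1918 defines the middle block as 172.16.0.0/12, used here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Reserved addresses and ranges the article calls out explicitly.
RESERVED_NETS = {
    ipaddress.ip_network("224.0.0.0/4"): "multicast",
    ipaddress.ip_network("255.255.255.255/32"): "broadcast",
    ipaddress.ip_network("127.0.0.0/8"): "loopback",
    ipaddress.ip_network("169.254.0.0/16"): "link-local",
    ipaddress.ip_network("168.63.129.16/32"): "Azure internal DNS",
}


def classify_ip(addr: str) -> str:
    """Return 'private', 'reserved (<kind>)' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    # Reserved first: 255.255.255.255 and 169.254.x.x must not be reported as private.
    for net, kind in RESERVED_NETS.items():
        if ip in net:
            return f"reserved ({kind})"
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def expected_a_record(vault_hostname: str) -> str:
    """Name of the A record the Private DNS Zone must hold: the bare vault name."""
    return vault_hostname.split(".")[0].lower()


def diagnose_resolution(vault_hostname: str, aliases: List[str], address: str,
                        expected_private_ip: Optional[str] = None) -> str:
    """Interpret a CNAME chain plus final address the way section 5 does.

    aliases: the CNAME chain printed by host/nslookup, excluding the vault hostname.
    expected_private_ip: the address shown under the Private Endpoint's Custom DNS settings.
    """
    chain = [a.rstrip(".").lower() for a in aliases]  # host prints a trailing dot
    privatelink_alias = f"{expected_a_record(vault_hostname)}.{PRIVATELINK_ZONE}"
    if privatelink_alias not in chain:
        return "no privatelink alias: zero private endpoint connections in Approved state (section 2)"
    if classify_ip(address) != "private":
        return ("privatelink alias present but a non-private address was returned: the resolver is "
                "outside the VNet, or the Private DNS Zone is missing, unlinked or lacks the A record (section 6)")
    if chain[-1] != privatelink_alias:
        return "private address but aliases continue past the privatelink one: unexpected chain (section 6)"
    if expected_private_ip and address != expected_private_ip:
        return (f"resolves to {address} but the Private Endpoint shows {expected_private_ip}: "
                "stale or wrong A record (section 6)")
    return "expected: the privatelink alias resolved directly to the vault's private IP address"


def parse_network_info(header: Optional[str]) -> Dict[str, str]:
    """Parse 'addr=10.4.5.6;act_addr_fam=InterNetworkV6;' into a dict; empty if missing."""
    fields: Dict[str, str] = {}
    for part in (header or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def diagnose_health_headers(headers: Dict[str, str], client_private_ip: str) -> str:
    """Apply the article's reading of the addr field in x-ms-keyvault-network-info.

    client_private_ip (assumed known) is the VNet address of the machine that sent the request.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    info = parse_network_info(lower.get("x-ms-keyvault-network-info"))
    if "addr" not in info:
        return "header missing: /healthstatus is likely not served by Key Vault; possible tampering"
    addr = info["addr"]
    if classify_ip(addr) != "private":
        return f"addr={addr} is not a private address: routed via a NAT gateway, private link NOT in use"
    if addr == client_private_ip:
        return f"addr={addr} is the client's own private IP: private link or service endpoint in use"
    return f"addr={addr} is another private IP: custom routing, still private link or service endpoint"


if __name__ == "__main__":
    # Constructed sample: the in-VNet `host` output from the article and the curl header above.
    print(diagnose_resolution("fabrikam.vault.azure.cn",
                              ["fabrikam.privatelink.vaultcore.azure.net."], "10.1.2.3", "10.1.2.3"))
    print(diagnose_health_headers(
        {"x-ms-keyvault-network-info": "addr=10.4.5.6;act_addr_fam=InterNetworkV6;"}, "10.4.5.6"))
```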

Query the key vault IP address directly

Important

Accessing the key vault without HTTPS certificate validation is dangerous and must only be done for learning purposes. Production code must NEVER access the key vault without this client-side validation. Even when you are only diagnosing issues, if you routinely disable HTTPS certificate validation in your requests to the key vault you may be subject to tampering attempts that this validation would otherwise reveal.

If you have a recent version of PowerShell installed (PowerShell Core 6 or later), you can use -SkipCertificateCheck to skip HTTPS certificate validation and target the key vault IP address directly:

PS C:\> $(Invoke-WebRequest -SkipCertificateCheck -Uri https://10.1.2.3/healthstatus).Headers

If you are using curl, you can do the same with the -k argument:

joe@MyUbuntu:~$ curl -i -k https://10.1.2.3/healthstatus

The response must be the same as in the previous section, which means it must include the x-ms-keyvault-network-info header with the same value. The /healthstatus endpoint does not care whether you use the key vault hostname or its IP address.

If x-ms-keyvault-network-info returns one value for the request that uses the key vault hostname and a different value for the request that uses the IP address, the two requests are reaching different endpoints. Refer to the explanation of the addr field of x-ms-keyvault-network-info in the previous section to decide which of the two is wrong and needs to be fixed.
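The comparison described above can be scripted so that it is repeatable across clients. The following bash script is an added example, not part of the original article: it extracts the addr field from a captured /healthstatus response, classifies the address as private or public, and compares the probe made via the hostname with the probe made via the private IP. The probe functions use the same curl commands as the article (and therefore require network access and, for the IP probe, the -k flag with the caveats above); the sample responses at the bottom are constructed so the parsing and classification can be exercised offline. The vault hostname and IP address in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example: parse and compare x-ms-keyvault-network-info from two /healthstatus probes.
# Not code from the Microsoft article. Requires curl only for the probe_* functions.
set -eu

# Extract the addr=... value from a raw HTTP response captured with `curl -i`.
# Header names are matched case-insensitively (HTTP/2 lowercases them).
kv_network_addr() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($1) == "x-ms-keyvault-network-info:" {
            n = split($2, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^addr=/) { sub(/^addr=/, "", kv[i]); print kv[i]; exit }
        }'
}

# Classify the address: RFC 1918 and IPv6 ULA count as private, everything else public.
classify_addr() {
    case "$1" in
        "")                                                          echo missing ;;
        127.*|::1)                                                   echo loopback ;;
        169.254.*|[fF][eE]80:*)                                      echo linklocal ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)        echo private ;;
        [fF][cdCD]??:*)                                              echo private ;;   # fc00::/7
        *)                                                           echo public ;;
    esac
}

# Compare the hostname probe ($1) with the direct-IP probe ($2), both as raw responses.
# Prints one verdict: ok, header-missing, different-endpoints, or not-private-link.
diagnose() {
    local host_addr ip_addr
    host_addr=$(kv_network_addr "$1")
    ip_addr=$(kv_network_addr "$2")
    if [ -z "$host_addr" ] || [ -z "$ip_addr" ]; then
        echo header-missing            # endpoint is likely not served by Key Vault
    elif [ "$host_addr" != "$ip_addr" ]; then
        echo different-endpoints       # hostname and IP reach different endpoints
    elif [ "$(classify_addr "$host_addr")" = public ]; then
        echo not-private-link          # NAT gateway in the path; private link not in use
    else
        echo ok
    fi
}

# Live probes (network required). The hostname probe validates the TLS certificate;
# the IP probe uses -k and is for diagnosis only, as the article warns.
probe_by_hostname() { curl -sS -i "https://$1/healthstatus"; }
probe_by_ip()       { curl -sS -i -k "https://$1/healthstatus"; }
# Usage (placeholders):
#   diagnose "$(probe_by_hostname fabrikam.vault.azure.cn)" "$(probe_by_ip 10.1.2.3)"

# Constructed sample responses for an offline dry run (not real captures).
SAMPLE_OK=$(printf 'HTTP/1.1 200 OK\r\nx-ms-keyvault-network-info: addr=10.4.5.6;act_addr_fam=InterNetworkV6;\r\n\r\n')
SAMPLE_NAT=$(printf 'HTTP/1.1 200 OK\r\nx-ms-keyvault-network-info: addr=203.0.113.7;act_addr_fam=InterNetwork;\r\n\r\n')
SAMPLE_NOHDR=$(printf 'HTTP/1.1 200 OK\r\ncontent-type: text/plain\r\n\r\n')

diagnose "$SAMPLE_OK"  "$SAMPLE_OK"      # ok
diagnose "$SAMPLE_OK"  "$SAMPLE_NAT"     # different-endpoints
diagnose "$SAMPLE_NAT" "$SAMPLE_NAT"     # not-private-link
diagnose "$SAMPLE_OK"  "$SAMPLE_NOHDR"   # header-missing
```

The private-address test covers only RFC 1918 and IPv6 unique local ranges; if your virtual network uses other address space, extend classify_addr accordingly, because the verdict not-private-link is only meaningful when "private" matches your own addressing plan.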

8. Other changes and customizations that cause impact

The following items are non-exhaustive investigation actions. They tell you where to look for additional issues, but fixing problems in these scenarios requires advanced networking knowledge.

Diagnose custom DNS servers at the Virtual Network

In the Portal, open the Virtual Network resource and, in the left menu, open DNS servers. If the setting is "Custom", DNS resolution may not behave as described in this document, and you have to diagnose how your DNS servers resolve the key vault hostname.

If you are using the default Azure-provided DNS servers, this entire document applies.

Diagnose hosts-file overrides or custom DNS servers at the Virtual Machine

Many operating systems allow an explicit, fixed IP address to be set per hostname, typically by editing the hosts file, and may also allow the DNS servers to be overridden. If either applies to your machine, proceed with the diagnostics options specific to that system.
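On a Linux VM, the two overrides just described can be checked with a short script. The following bash script is an added example, not part of the original article: hosts_override lists any hosts-file entry that pins the vault hostname to an address, and compare_resolution contrasts what the OS resolver returns with what the Azure-provided DNS (168.63.129.16) returns, which exposes a hosts entry, a custom DNS server, or a stale cache. The resolver_check function needs network access and the getent and dig tools; the hosts-file content at the bottom is constructed for an offline dry run, and the vault hostname is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: detect hosts-file pinning and resolver disagreement for a key vault hostname.
# Not code from the Microsoft article. Assumes a Linux VM; live checks need getent and dig.
set -eu

# Print every address that the given hosts-file content ($2) pins to hostname $1.
hosts_override() {
    printf '%s\n' "$2" | awk -v h="$1" '
        { sub(/#.*/, "") }                       # strip comments (re-splits fields)
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(h)) print $1
        }'
}

# Compare an address from the OS resolver ($1) with one from Azure DNS ($2).
# Prints match, mismatch, or unresolved.
compare_resolution() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unresolved
    elif [ "$1" = "$2" ]; then
        echo match
    else
        echo mismatch        # hosts entry, custom DNS server, or cached answer is in play
    fi
}

# Live check (network required): resolve via the OS (honours /etc/hosts and configured
# DNS servers) and directly via the Azure-provided DNS address, then compare.
resolver_check() {
    local host=$1 sys azure
    sys=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR == 1 {print $1}' || true)
    azure=$(dig +short @168.63.129.16 "$host" A 2>/dev/null | grep -E '^[0-9.]+$' | head -n 1 || true)
    echo "system=$sys azure-dns=$azure verdict=$(compare_resolution "$sys" "$azure")"
    hosts_override "$host" "$(cat /etc/hosts)" | sed 's/^/hosts-file-pin=/'
}
# Usage (placeholder): resolver_check fabrikam.vault.azure.cn

# Constructed hosts-file content for an offline dry run (not a real /etc/hosts).
HOSTS_SAMPLE=$(printf '127.0.0.1 localhost\n# pinned during an earlier test\n10.9.9.9 FABRIKAM.vault.azure.cn fabrikam\n')

hosts_override fabrikam.vault.azure.cn "$HOSTS_SAMPLE"   # 10.9.9.9
compare_resolution 10.1.2.3 10.1.2.3                       # match
compare_resolution 10.9.9.9 10.1.2.3                       # mismatch
```

A mismatch with a hosts-file pin present is the straightforward case; a mismatch without one points at the DNS servers configured on the machine or the virtual network, which is where the previous subsection sends you.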

Promiscuous proxies (Fiddler, etc.)

Except where explicitly noted, the diagnostics options in this article only work when no promiscuous (TLS-intercepting) proxy is present in the environment. Such proxies are usually installed only on the machine being diagnosed (Fiddler is the most common example), but advanced administrators may also install their own root Certificate Authority (CA) on clients and run an intercepting proxy on a gateway device that serves multiple machines in the network. These proxies can substantially affect both security and reliability. Microsoft does not support configurations that use such products.

Other things that may affect connectivity

This is a non-exhaustive list of items that can be found in advanced or complex scenarios:

  • Firewall settings, either the Azure Firewall connected to the Virtual Network or a custom firewall solution deployed in the Virtual Network or on the machine.
  • Network peering, which may affect which DNS servers are used and how traffic is routed.
  • Custom gateway (NAT) solutions, which may affect how traffic is routed, including the traffic of DNS queries.