Install on-premises data gateway for Azure Logic Apps

Before you can connect to on-premises data sources from Azure Logic Apps, download and install the on-premises data gateway on a local computer. The gateway works as a bridge that provides quick data transfer and encryption between data sources on premises and your logic apps. You can use the same gateway installation with other cloud services, such as Power BI, Power Automate, PowerApps, and Azure Analysis Services. For information about how to use the gateway with these services, see these articles:

This article shows how to download, install, and set up your on-premises data gateway so that you can access on-premises data sources from Azure Logic Apps. You can also learn more about how the data gateway works later in this topic. For more information about the gateway, see What is an on-premises gateway? To automate gateway installation and management tasks, visit the PowerShell gallery for the DataGateway PowerShell cmdlets.

Prerequisites

  • An Azure account and subscription. If you don't have an Azure account with a subscription, sign up for a Trial Subscription.

    • Your Azure account must belong to a single Azure Active Directory (Azure AD) tenant or directory. You must use the same Azure account for installing and administering the gateway on your local computer.

    • During gateway installation, you sign in with your Azure account, which links your gateway installation to your Azure account and only that account. Later, in the Azure portal, you must use the same Azure account and Azure AD tenant when you create an Azure gateway resource that registers and claims your gateway installation. In Azure Logic Apps, on-premises triggers and actions then use the gateway resource for connecting to on-premises data sources.

      Note

      You can link only one gateway installation and one Azure gateway resource to each other. You can't link the same gateway installation to multiple Azure accounts or Azure gateway resources. However, an Azure account can link to multiple gateway installations and Azure gateway resources. In an on-premises trigger or action, you can select from your various Azure subscriptions, and then select an associated gateway resource.

    • You need to sign in with either a work account or school account, also known as an organization account, which looks like username@contoso.com. You can't use Azure B2B (guest) accounts or personal Microsoft accounts, such as @hotmail.com or @outlook.com.

    Tip

    If you signed up for an Office 365 offering and didn't provide your work email address, your address might look like username@domain.partner.onmschina.cn. Your account is stored within a tenant in an Azure Active Directory (Azure AD). In most cases, the User Principal Name (UPN) for your Azure AD account is the same as your email address.

    To use a Visual Studio Standard subscription that's linked to an Azure account, first create a tenant in Azure AD or use the default directory. Add a user with a password to the directory, and then give that user access to your Azure subscription. You can then sign in during gateway installation with this username and password.

  • Here are requirements for your local computer:

    Minimum requirements

    • .NET Framework 4.7.2
    • 64-bit version of Windows 7 or Windows Server 2008 R2 (or later)

    Recommended requirements

    • 8-core CPU
    • 8 GB memory
    • 64-bit version of Windows Server 2012 R2 or later
    • Solid-state drive (SSD) storage for spooling

    Note

    The gateway doesn't support Windows Server Core.

  • Related considerations

    • Install the on-premises data gateway only on a local computer, not a domain controller. You don't have to install the gateway on the same computer as your data source. You need only one gateway for all your data sources, so you don't need to install the gateway for each data source.

      Tip

      To minimize latency, you can install the gateway as close as possible to your data source, or on the same computer, assuming that you have permissions.

    • Install the gateway on a local computer that's on a wired network, connected to the internet, always turned on, and doesn't go to sleep. Otherwise, the gateway can't run, and performance might suffer over a wireless network.

    • If you plan to use Windows authentication, make sure that you install the gateway on a computer that's a member of the same Active Directory environment as your data sources.

    • The region that you select for your gateway installation is the same location that you must select when you later create the Azure gateway resource for your logic app. By default, this region is the same location as your Azure AD tenant that manages your Azure account. However, you can change the location during gateway installation.

    • If you're updating your gateway installation, uninstall your current gateway first for a cleaner experience.

      As a best practice, make sure that you're using a supported version. Azure releases a new update to the on-premises data gateway every month, and currently supports only the last six releases for the on-premises data gateway. If you experience issues with the version that you're using, try upgrading to the latest version as your issue might be resolved in the latest version.

    • The gateway has two modes: standard mode and personal mode, which applies only to Power BI. You can't have more than one gateway running in the same mode on the same computer.

    • Azure Logic Apps supports read and write operations through the gateway. However, these operations have limits on their payload size.
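The host requirements above can be checked before you run the installer. The following script is an added example, not part of the original article or the gateway product; the function names and the Level labels are assumptions, and it needs PowerShell 3.0 or later on the candidate computer.

```powershell
# Added example: pre-installation checks for a candidate gateway host.
# Function names and Level labels are hypothetical, chosen for this example.

function New-Check {
    param([string]$Level, [string]$Check, [bool]$Passed)
    [pscustomobject]@{ Level = $Level; Check = $Check; Passed = $Passed }
}

function Test-GatewayHostPrerequisites {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cores = (Get-CimInstance -ClassName Win32_Processor |
              Measure-Object -Property NumberOfCores -Sum).Sum
    $ndp   = Get-ItemProperty -ErrorAction SilentlyContinue `
                 -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Minimum requirements from the list above.
    New-Check 'Required' '64-bit Windows' ([Environment]::Is64BitOperatingSystem)
    # Windows 7 and Windows Server 2008 R2 are both NT version 6.1.
    New-Check 'Required' 'Windows 7 / Server 2008 R2 or later' `
        ([Environment]::OSVersion.Version -ge [version]'6.1')
    # A Release value of 461808 or higher means .NET Framework 4.7.2 or later.
    New-Check 'Required' '.NET Framework 4.7.2 or later' `
        ($null -ne $ndp -and $ndp.Release -ge 461808)
    # The gateway doesn't support Windows Server Core.
    New-Check 'Required' 'Not Windows Server Core' `
        ($cv.InstallationType -ne 'Server Core')
    # DomainRole 4 = backup domain controller, 5 = primary domain controller.
    New-Check 'Required' 'Not a domain controller' ($cs.DomainRole -lt 4)

    # Recommended requirements.
    New-Check 'Recommended' '8-core CPU' ($cores -ge 8)
    New-Check 'Recommended' '8 GB memory' `
        ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8)

    # Matters only if you plan to use Windows authentication to data sources.
    New-Check 'Conditional' 'Domain joined (Windows authentication)' `
        ([bool]$cs.PartOfDomain)
}

$report = Test-GatewayHostPrerequisites
$report | Format-Table -AutoSize

# Any failed Required check means this computer is not a valid gateway host.
$failed = @($report | Where-Object { $_.Level -eq 'Required' -and -not $_.Passed })
if ($failed.Count -gt 0) {
    Write-Warning ("Do not install the gateway here; failed: " +
                   ($failed.Check -join ', '))
}
```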

Install data gateway

  1. Download and run the gateway installer on a local computer.

  2. Review the minimum requirements, keep the default installation path, accept the terms of use, and then select Install.

    [Screenshot: Review requirements and accept terms of use]

  3. After the gateway successfully installs, provide the email address for your Azure account, and then select Sign in, for example:

    [Screenshot: Sign in with work or school account]

    Your gateway installation can link to only one Azure account.

  4. Select Register a new gateway on this computer > Next. This step registers your gateway installation with the gateway cloud service.

    [Screenshot: Register gateway on local computer]

  5. Provide this information for your gateway installation:

    • A gateway name that's unique across your Azure AD tenant
    • The recovery key, which must have at least eight characters, that you want to use
    • Confirmation for your recovery key

    [Screenshot: Provide information for gateway installation]

    Important

    Save and keep your recovery key in a safe place. You need this key if you ever want to change the location, move, recover, or take over a gateway installation.

    Note the option to Add to an existing gateway cluster, which you select when you install additional gateways for high-availability scenarios.

  6. Check the region for the gateway cloud service and Azure Service Bus that's used by your gateway installation. By default, this region is the same location as the Azure AD tenant for your Azure account.

    [Screenshot: Confirm region for gateway service and service bus]

  7. To accept the default region, select Configure. However, if the default region isn't the one that's closest to you, you can change the region.

    Why change the region for your gateway installation?

    For example, to reduce latency, you might change your gateway's region to the same region as your logic app. Or, you might select the region closest to your on-premises data source. Your gateway resource in Azure and your logic app can have different locations.

    1. Next to the current region, select Change Region.

      [Screenshot: Change the current gateway region]

    2. On the next page, open the Select Region list, select the region you want, and select Done.

      [Screenshot: Select another region for gateway service]

  8. Review the information in the final confirmation window. This example uses the same account for Logic Apps, Power BI, Power Apps, and Power Automate, so the gateway is available for all these services. When you're ready, select Close.

    [Screenshot: Confirm data gateway information]

  9. Now create the Azure resource for your gateway installation.

Check or adjust communication settings

The on-premises data gateway depends on Azure Service Bus for cloud connectivity and establishes the corresponding outbound connections to the gateway's associated Azure region. If your work environment requires that traffic goes through a proxy or firewall to access the internet, this restriction might prevent the on-premises data gateway from connecting to the gateway cloud service and Azure Service Bus. The gateway has several communication settings, which you can adjust. For more information, see these topics:

High availability support

To avoid single points of failure for on-premises data access, you can have multiple gateway installations (standard mode only) with each on a different computer, and set them up as a cluster or group. That way, if the primary gateway is unavailable, data requests are routed to the second gateway, and so on. Because you can install only one standard gateway on a computer, you must install each additional gateway that's in the cluster on a different computer. All the connectors that work with the on-premises data gateway support high availability.

  • You must already have at least one gateway installation with the same Azure account as the primary gateway and the recovery key for that installation.

  • Your primary gateway must be running the gateway update from November 2017 or later.

After you set up your primary gateway, when you go to install another gateway, select Add to an existing gateway cluster, select the primary gateway, which is the first gateway that you installed, and provide the recovery key for that gateway. For more information, see High availability clusters for on-premises data gateway.

Change location, migrate, restore, or take over existing gateway

If you must change your gateway's location, move your gateway installation to a new computer, recover a damaged gateway, or take ownership for an existing gateway, you need the recovery key that was provided during gateway installation.

Note

Before you restore the gateway on the computer that has the original gateway installation, you must first uninstall the gateway on that computer. This action disconnects the original gateway. If you remove or delete a gateway cluster for any cloud service, you can't restore that cluster.

  1. Run the gateway installer on the computer that has the existing gateway.

  2. After the installer opens, sign in with the same Azure account that was used to install the gateway.

  3. Select Migrate, restore, or takeover an existing gateway > Next, for example:

    [Screenshot: Select "Migrate, restore, or takeover an existing gateway"]

  4. Select from the available clusters and gateways, and enter the recovery key for the selected gateway, for example:

    [Screenshot: Select gateway and provide recovery key]

  5. To change the region, select Change Region, and select the new region.

  6. When you're ready, select Configure so that you can finish your task.

Tenant-level administration

To get visibility into all the on-premises data gateways in an Azure AD tenant, global administrators in that tenant can sign in to the Power Platform Admin center as a tenant administrator and select the Data Gateways option. For more information, see Tenant-level administration for the on-premises data gateway.

Restart gateway

By default, the gateway installation on your local computer runs as a Windows service account named "On-premises data gateway service". However, the gateway installation uses the NT SERVICE\PBIEgwService name for its "Log On As" account credentials and has "Log on as a service" permissions.

Note

Your Windows service account differs from the account used for connecting to on-premises data sources and from the Azure account that you use when you sign in to cloud services.

Like any other Windows service, you can start and stop the gateway in various ways. For more information, see Restart an on-premises data gateway.
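Before restarting, it is worth confirming that the service still logs on with the default NT SERVICE\PBIEgwService account described above. The following script is an added example, not part of the original article; the function names are hypothetical, and it assumes the service's short name is PBIEgwService, matching the account name.

```powershell
# Added example: confirm the gateway service identity, then start it if needed.
# Assumption: the Windows service short name is PBIEgwService.

function Get-GatewayServiceIdentity {
    param([string]$ServiceName = 'PBIEgwService')

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this computer." }

    # Default "Log On As" account named in the section above.
    $expected = "NT SERVICE\$ServiceName"
    [pscustomobject]@{
        DisplayName        = $svc.DisplayName
        State              = $svc.State
        StartMode          = $svc.StartMode
        LogOnAs            = $svc.StartName
        # -eq on strings is case-insensitive in PowerShell.
        UsesDefaultAccount = ($svc.StartName -eq $expected)
    }
}

function Restart-GatewayService {
    param([string]$ServiceName = 'PBIEgwService', [int]$TimeoutSeconds = 60)

    # Requires an elevated session. Restart-Service also starts a stopped service.
    Restart-Service -Name $ServiceName -ErrorAction Stop
    $controller = Get-Service -Name $ServiceName
    # Throws a timeout exception if the service does not reach Running in time.
    $controller.WaitForStatus('Running', [timespan]::FromSeconds($TimeoutSeconds))
    $controller.Status
}

$identity = Get-GatewayServiceIdentity
$identity | Format-List

if (-not $identity.UsesDefaultAccount) {
    # A different logon account changes what the gateway process can reach
    # on this computer and on the network; confirm the change was intended.
    Write-Warning ("Gateway service logs on as '$($identity.LogOnAs)', not the " +
                   "default account. Confirm this change before restarting.")
}
elseif ($identity.State -ne 'Running') {
    Restart-GatewayService
}
```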

How the gateway works

Users in your organization can access on-premises data for which they already have authorized access. However, before these users can connect to your on-premises data source, you need to install and set up an on-premises data gateway. Usually, an admin is the person who installs and sets up a gateway. These actions might require Server Administrator permissions or special knowledge about your on-premises servers.

The gateway helps facilitate faster and more secure behind-the-scenes communication. This communication flows between a user in the cloud, the gateway cloud service, and your on-premises data source. The gateway cloud service encrypts and stores your data source credentials and gateway details. The service also routes queries and their results between the user, the gateway, and your on-premises data source.

The gateway works with firewalls and uses only outbound connections. All traffic originates as secured outbound traffic from the gateway agent. The gateway relays data from on-premises sources on encrypted channels through Azure Service Bus. This service bus creates a channel between the gateway and the calling service, but doesn't store any data. All data that travels through the gateway is encrypted.

[Diagram: Architecture for on-premises data gateway]

Note

Depending on the cloud service, you might need to set up a data source for the gateway.

These steps describe what happens when you interact with an element that's connected to an on-premises data source:

  1. The cloud service creates a query, along with the encrypted credentials for the data source. The service then sends the query and credentials to the gateway queue for processing.

  2. The gateway cloud service analyzes the query and pushes the request to Azure Service Bus.

  3. Azure Service Bus sends the pending requests to the gateway.

  4. The gateway gets the query, decrypts the credentials, and connects to one or more data sources with those credentials.

  5. The gateway sends the query to the data source for running.

  6. The results are sent from the data source back to the gateway, and then to the gateway cloud service. The gateway cloud service then uses the results.

Authentication to on-premises data sources

A stored credential is used to connect from the gateway to on-premises data sources. Regardless of the user, the gateway uses the stored credential to connect. There might be authentication exceptions for specific services, such as DirectQuery and LiveConnect for Analysis Services in Power BI.

Azure Active Directory (Azure AD)

Microsoft cloud services use Azure AD to authenticate users. An Azure AD tenant contains usernames and security groups. Typically, the email address that you use for sign-in is the same as the User Principal Name (UPN) for your account.

What is my UPN?

If you're not a domain admin, you might not know your UPN. To find the UPN for your account, run the whoami /upn command from your workstation. Although the result looks like an email address, the result is the UPN for your local domain account.

Synchronize an on-premises Active Directory with Azure AD

The UPN for your on-premises Active Directory accounts and Azure AD accounts must be the same. So, make sure that each on-premises Active Directory account matches your Azure AD account. The cloud services know only about accounts within Azure AD. So, you don't need to add an account to your on-premises Active Directory. If the account doesn't exist in Azure AD, you can't use that account.

Here are ways that you can match your on-premises Active Directory accounts with Azure AD.

  • Add accounts manually to Azure AD.

    Create an account in the Azure portal or in the Microsoft 365 admin center. Make sure that the account name matches the UPN for the on-premises Active Directory account.

  • Synchronize local accounts to your Azure AD tenant by using the Azure Active Directory Connect tool.

    The Azure AD Connect tool provides options for directory synchronization and authentication setup. These options include password hash sync, pass-through authentication, and federation. If you're not a tenant admin or a local domain admin, contact your IT admin to get Azure AD Connect set up. Azure AD Connect ensures that your Azure AD UPN matches your local Active Directory UPN. This matching helps if you're using Analysis Services live connections with Power BI or single sign-on (SSO) capabilities.

    Note

    Synchronizing accounts with the Azure AD Connect tool creates new accounts in your Azure AD tenant.
