Azure Database for MariaDB server firewall rules

Firewalls prevent all access to your database server until you specify which computers have permission. The firewall grants access to the server based on the originating IP address of each request. For a client behind NAT, that is the public address of the NAT device as seen by Azure, not the client's private address.

To configure a firewall, create firewall rules that specify ranges of acceptable IP addresses. Firewall rules are created at the server level.

Firewall rules: These rules enable clients to access your entire Azure Database for MariaDB server, that is, all the databases within the same logical server. Server-level firewall rules can be configured by using the Azure portal or Azure CLI commands. To create server-level firewall rules, you must be the subscription owner or a subscription contributor.

Firewall overview

All database access to your Azure Database for MariaDB server is blocked by the firewall by default. To begin using your server from another computer, you need to specify one or more server-level firewall rules to enable access to your server. Use the firewall rules to specify which IP address ranges from the Internet to allow. Access to the Azure portal website itself is not affected by the firewall rules.

Connection attempts from the Internet and from Azure must first pass through the firewall before they can reach your Azure Database for MariaDB database, as shown in the following diagram:

Diagram: Example firewall workflow

Connecting from the Internet

Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.

If the IP address of the request is within one of the ranges specified in the server-level firewall rules, the connection is granted.

If the IP address of the request is outside all of the ranges specified in the server-level firewall rules, the connection request fails.

Connecting from Azure

It is recommended that you find the outgoing IP address of any application or service and explicitly allow access to those individual IP addresses or ranges. For example, you can find the outgoing IP address of an Azure App Service, or use a public IP tied to a virtual machine or other resource (see below for information on connecting with a virtual machine's private IP over service endpoints).

If a fixed outgoing IP address isn't available for your Azure service, you can consider enabling connections from all Azure datacenter IP addresses. This setting can be enabled from the Azure portal by setting the Allow access to Azure services option to ON in the Connection security pane and selecting Save. From the Azure CLI, a firewall rule with both the start and end address set to 0.0.0.0 does the equivalent. If the connection attempt is not allowed, the request does not reach the Azure Database for MariaDB server.

Important

The Allow access to Azure services option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

Screenshot: Configure Allow access to Azure services in the portal
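The evaluation described in the two sections above, as an added example that is not part of the original page or of the Azure service itself: a Python model of how a server-level rule set admits or rejects a connection attempt, including the special meaning of a rule whose start and end address are both 0.0.0.0. The rule tuples, the sample rule names and addresses, and the `from_azure` flag (which stands in for the service's own knowledge of Azure's address ranges, so the example runs offline) are assumptions for illustration.

```python
"""Model of server-level firewall rule evaluation (added example, not
Azure's code).

Assumptions made for this illustration:
  * a rule is a (name, start_ip, end_ip) tuple with inclusive IPv4 bounds,
    mirroring the start/end address pair a rule is created with;
  * whether a connection originates inside Azure is passed in as a flag;
    the real service decides this from Azure's own address ranges.
"""
from ipaddress import IPv4Address
from typing import Iterable, Optional, Tuple

Rule = Tuple[str, str, str]  # (rule name, start address, end address)

# A rule whose start and end address are both 0.0.0.0 is the CLI form of
# "Allow access to Azure services": it does not mean "the host 0.0.0.0".
ALLOW_AZURE_SERVICES = IPv4Address("0.0.0.0")


def rule_allows(rule: Rule, client_ip: str, from_azure: bool) -> bool:
    """True if a single rule admits the connection attempt."""
    _, start, end = rule
    start_addr, end_addr = IPv4Address(start), IPv4Address(end)
    if start_addr == end_addr == ALLOW_AZURE_SERVICES:
        # Admits any Azure-origin source, whichever subscription owns it.
        return from_azure
    # Ordinary rule: inclusive range check on the source address.
    return start_addr <= IPv4Address(client_ip) <= end_addr


def matching_rule(rules: Iterable[Rule], client_ip: str,
                  from_azure: bool = False) -> Optional[str]:
    """Name of the first rule that admits the connection, or None when the
    firewall rejects it (the request then never reaches the server)."""
    for rule in rules:
        if rule_allows(rule, client_ip, from_azure):
            return rule[0]
    return None


# Constructed sample rule set: an office range, a single-host rule, and an
# "Allow access to Azure services" rule (name chosen for this example).
SAMPLE_RULES = [
    ("office", "203.0.113.0", "203.0.113.255"),
    ("ci-runner", "198.51.100.7", "198.51.100.7"),
    ("AllowAllAzureServices", "0.0.0.0", "0.0.0.0"),
]

if __name__ == "__main__":
    for ip, azure in [("203.0.113.42", False), ("198.51.100.7", False),
                      ("192.0.2.9", False), ("192.0.2.9", True)]:
        origin = "from Azure" if azure else "from Internet"
        print(ip, origin, "->", matching_rule(SAMPLE_RULES, ip, azure) or "DENIED")
```

Note that the last sample request, 192.0.2.9 arriving from inside Azure, is admitted only because of the 0.0.0.0 rule; remove that rule and the same request is rejected, which is the trade-off the Important note above describes.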

Connecting from a VNet

To connect securely to your Azure Database for MariaDB server from a VNet, consider using VNet service endpoints.

Programmatically managing firewall rules

In addition to the Azure portal, firewall rules can be managed programmatically by using the Azure CLI.

See also Create and manage Azure Database for MariaDB firewall rules using Azure CLI.
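An added example, not part of the original page or of the Azure CLI: a Python audit of the rules a server currently has, flagging the two settings discussed earlier on this page (the 0.0.0.0-to-0.0.0.0 rule that allows all Azure services, and a rule spanning the whole Internet) plus unusually wide ranges. It expects the JSON array printed by `az mariadb server firewall-rule list --resource-group <rg> --server-name <server> --output json`; the `startIpAddress`/`endIpAddress` field names, the sample data, and the 256-address threshold are assumptions for this example.

```python
"""Audit of a server's firewall rule list (added example, not Azure's code).

Assumptions: each rule object carries name, startIpAddress and endIpAddress
(the shape assumed for the CLI's JSON output); the sample JSON below is
constructed; the 256-address "broad" threshold is an arbitrary choice,
not a service limit.
"""
import json
from ipaddress import IPv4Address
from typing import Dict, List

BROAD_THRESHOLD = 256  # assumed: flag anything wider than a /24


def rule_size(rule: Dict) -> int:
    """Number of addresses covered by an inclusive start/end pair."""
    start = int(IPv4Address(rule["startIpAddress"]))
    end = int(IPv4Address(rule["endIpAddress"]))
    if end < start:
        raise ValueError(f"rule {rule['name']}: end address precedes start address")
    return end - start + 1


def classify(rule: Dict) -> str:
    """Label a rule by how much it opens up."""
    start, end = rule["startIpAddress"], rule["endIpAddress"]
    if start == end == "0.0.0.0":
        return "allow-azure-services"   # every Azure tenant, not just yours
    if start == "0.0.0.0" and end == "255.255.255.255":
        return "allow-all-internet"     # the firewall no longer filters anything
    size = rule_size(rule)
    if size == 1:
        return "single-host"
    if size > BROAD_THRESHOLD:
        return "broad"
    return "range"


def audit(rules_json: str) -> List[Dict[str, str]]:
    """Return one finding per rule that deserves a second look."""
    findings = []
    for rule in json.loads(rules_json):
        kind = classify(rule)
        if kind in ("allow-azure-services", "allow-all-internet", "broad"):
            findings.append({
                "name": rule["name"],
                "kind": kind,
                "range": f"{rule['startIpAddress']}-{rule['endIpAddress']}",
            })
    return findings


# Constructed sample in the assumed shape of `az ... firewall-rule list` output.
SAMPLE_JSON = json.dumps([
    {"name": "office", "startIpAddress": "203.0.113.0", "endIpAddress": "203.0.113.255"},
    {"name": "ci-runner", "startIpAddress": "198.51.100.7", "endIpAddress": "198.51.100.7"},
    {"name": "AllowAllAzureServices", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
    {"name": "temp-debug", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    {"name": "partner", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.3.255"},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_JSON):
        print(f"{finding['kind']:22} {finding['name']:24} {finding['range']}")
```

Run it against the real CLI output with `az mariadb server firewall-rule list ... --output json | python audit.py` after replacing `SAMPLE_JSON` with `sys.stdin.read()`; a `temp-debug`-style rule left behind after troubleshooting is the kind of entry this is meant to catch.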

Troubleshooting firewall issues

Consider the following points when access to the Azure Database for MariaDB server does not behave as expected:

  • Changes to the allow list have not taken effect yet: There may be as much as a five-minute delay for changes to the Azure Database for MariaDB server firewall configuration to take effect.

  • The login is not authorized or an incorrect password was used: If a login does not have permissions on the Azure Database for MariaDB server or the password used is incorrect, the connection to the Azure Database for MariaDB server is denied. Creating a firewall setting only provides clients with an opportunity to attempt connecting to your server; each client must still present valid credentials.

  • Dynamic IP address: If you have an Internet connection with dynamic IP addressing and you are having trouble getting through the firewall, you can try one of the following solutions:

    • Ask your Internet Service Provider (ISP) for the IP address range assigned to your client computers that access the Azure Database for MariaDB server, and then add the IP address range as a firewall rule. Keep in mind that an ISP-wide range also admits every other customer of that ISP, so the login credentials remain the only barrier for those hosts.

    • Get static IP addressing instead for your client computers, and then add the IP addresses as firewall rules.

  • Server's IP appears to be public: Connections to the Azure Database for MariaDB server are routed through a publicly accessible Azure gateway. However, the actual server IP is protected by the firewall. For more information, see the connectivity architecture article.

  • Cannot connect from an Azure resource with an allowed IP: Check whether the Microsoft.Sql service endpoint is enabled for the subnet you are connecting from. If Microsoft.Sql is enabled, it indicates that you only want to use VNet service endpoint rules on that subnet.

    For example, you may see the following error if you are connecting from an Azure VM in a subnet that has Microsoft.Sql enabled but has no corresponding VNet rule: FATAL: Client from Azure Virtual Networks is not allowed to access the server

Next steps