Azure Database for MariaDB server firewall rules

The firewall blocks all access to your database server until you specify which client computers are permitted. It grants access to the server based on the originating IP address of each request.

To configure the firewall, create firewall rules that specify the ranges of acceptable IP addresses. Firewall rules are created at the server level.

Firewall rules: these rules let clients reach your entire Azure Database for MariaDB server, that is, every database on the same logical server. Server-level firewall rules can be configured with the Azure portal or with Azure CLI commands. To create server-level firewall rules, you must be the subscription owner or a subscription contributor.

Firewall overview

By default the firewall blocks all database access to your Azure Database for MariaDB server. To start using the server from another computer, you must specify one or more server-level firewall rules that grant access. Use the firewall rules to specify which IP address ranges from the Internet to allow. Access to the Azure portal website itself is not affected by the firewall rules.

Connection attempts from the Internet and from Azure must first pass through the firewall before they can reach your Azure Database for MariaDB database, as shown in the following diagram:

[Diagram: example firewall workflow]

Connecting from the Internet

Server-level firewall rules apply to all databases on the Azure Database for MariaDB server.

If the IP address of the request falls within one of the ranges specified in the server-level firewall rules, the connection is granted.

If the IP address of the request falls outside every range specified in the server-level firewall rules, the connection request fails. Azure Database for MariaDB has no database-level firewall rules; the server-level rules are the only ones evaluated.

Connecting from Azure

To let applications hosted in Azure connect to your Azure Database for MariaDB server, Azure connections must be enabled: for example, to host an Azure Web Apps application or an application running in an Azure VM, or to connect from an Azure Data Factory data management gateway. The resources do not need to be in the same virtual network (VNet) or resource group for the firewall rule to permit these connections. When an application in Azure attempts to connect to your database server, the firewall checks whether Azure connections are allowed. There are two ways to enable them. A firewall rule whose start and end address are both 0.0.0.0 indicates that these connections are allowed. Alternatively, in the portal set the Allow access to Azure services option to ON on the Connection security pane and click Save. If the connection attempt is not allowed, the request never reaches the Azure Database for MariaDB server.

Important

This option configures the firewall to allow all connections originating from Azure, including connections from other customers' subscriptions. It is not a tenant boundary. When you select it, make sure your logins and user privileges restrict access to authorized users only.

[Screenshot: configuring "Allow access to Azure services" in the portal]

Connecting from a VNet

To connect securely to your Azure Database for MariaDB server from a VNet, consider using VNet service endpoints instead of opening the firewall to all of Azure.

Programmatically managing firewall rules

In addition to the Azure portal, firewall rules can be managed programmatically with the Azure CLI.

See also Create and manage Azure Database for MariaDB firewall rules using Azure CLI.
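The following script is an added example, not code from the article or from Microsoft. It wraps the Azure CLI `az mariadb server firewall-rule` commands (create, list, delete) in small shell functions that validate an IPv4 range before sending it, refuse the all-addresses range 0.0.0.0-255.255.255.255, and show how the special 0.0.0.0-0.0.0.0 rule from the "Connecting from Azure" section is created from the command line. The resource group `myresourcegroup`, the server `mydemoserver`, the rule name `AllowAllWindowsAzureIps` and the 203.0.113.0/24 range are placeholders and assumptions; replace them with your own. Set `AZ=echo` to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example: manage Azure Database for MariaDB server-level firewall rules
# with the Azure CLI. Not part of the original article.
# Placeholders (assumed): RG, SERVER, the rule names and IP ranges below.
# Run with AZ=echo to dry-run (print the az commands instead of executing).
set -eu

AZ="${AZ:-az}"
RG="${RG:-myresourcegroup}"        # assumed resource group
SERVER="${SERVER:-mydemoserver}"   # assumed server name (no domain suffix)

# Returns 0 if $1 is a valid dotted-quad IPv4 address (octets 0-255, no
# leading zeros). Firewall rules take IPv4 start/end pairs; catching a typo
# here is cheaper than waiting up to five minutes for a bad rule to apply.
is_ipv4() {
  _ip=$1
  case $_ip in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $_ip
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in 0[0-9]*) return 1 ;; esac
    [ "${#_o}" -le 3 ] && [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Converts a dotted quad to an integer so a range can be ordered.
ip_to_int() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Creates a rule allowing start..end (inclusive). Rejects malformed or
# inverted ranges and the range that would admit the entire Internet.
add_rule() {
  _name=$1 _start=$2 _end=$3
  if ! is_ipv4 "$_start" || ! is_ipv4 "$_end"; then
    echo "rule $_name: start and end must be IPv4 addresses" >&2; return 1
  fi
  if [ "$(ip_to_int "$_start")" -gt "$(ip_to_int "$_end")" ]; then
    echo "rule $_name: start address is above end address" >&2; return 1
  fi
  if [ "$_start" = 0.0.0.0 ] && [ "$_end" = 255.255.255.255 ]; then
    echo "rule $_name: refusing to open the server to every IPv4 address" >&2; return 1
  fi
  "$AZ" mariadb server firewall-rule create \
    --resource-group "$RG" --server-name "$SERVER" \
    --name "$_name" --start-ip-address "$_start" --end-ip-address "$_end"
}

# The 0.0.0.0-0.0.0.0 rule is what "Allow access to Azure services" creates.
# It admits any Azure-hosted source, including other customers' subscriptions,
# so pair it with strict logins. The rule name is an assumed placeholder.
allow_azure_services() {
  "$AZ" mariadb server firewall-rule create \
    --resource-group "$RG" --server-name "$SERVER" \
    --name AllowAllWindowsAzureIps --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
}

list_rules() {
  "$AZ" mariadb server firewall-rule list \
    --resource-group "$RG" --server-name "$SERVER" --output table
}

delete_rule() {
  "$AZ" mariadb server firewall-rule delete \
    --resource-group "$RG" --server-name "$SERVER" --name "$1" --yes
}

# Demo sequence; the 203.0.113.0/24 addresses are a documentation range
# used here as constructed sample input.
if [ "${1:-}" = demo ]; then
  add_rule office-nat 203.0.113.10 203.0.113.20
  allow_azure_services
  list_rules
  delete_rule office-nat
fi
```

Run `AZ=echo sh fw.sh demo` to review the exact CLI calls before running them for real; the validation runs locally and needs no Azure login.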

Troubleshooting firewall issues

Consider the following points when access to the Azure Database for MariaDB server does not behave as expected:

  • Changes to the allow list have not taken effect yet: changes to the Azure Database for MariaDB server firewall configuration can take up to five minutes to take effect.

  • The login is not authorized or an incorrect password was used: if a login has no privileges on the Azure Database for MariaDB server, or the password is wrong, the connection is denied. A firewall rule only gives a client the opportunity to attempt a connection; each client must still present valid credentials.

  • Dynamic IP address: if your Internet connection uses dynamic IP addressing and you cannot get through the firewall, try one of the following:

    • Ask your Internet service provider (ISP) for the IP address range assigned to the client computers that access the Azure Database for MariaDB server, then add that range as a firewall rule.

    • Get static IP addresses for your client computers instead, then add those addresses as firewall rules.

  • The server's IP appears to be public: connections to the Azure Database for MariaDB server are routed through a publicly accessible Azure gateway. The actual server IP is protected by the firewall. For details, see the connectivity architecture article.
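The script below is an added example, not part of the article. It tells the three failure modes above apart from the MariaDB client's error text: a firewall rejection (the gateway reports the client address it saw, which is the address to put in a rule and may differ from the machine's local address), an authentication failure (the rule works, the credentials do not), and a network or DNS failure (the request never reached the gateway). The sample error lines are constructed; the gateway's exact wording for its firewall error may differ, so the match is on the phrase "is not allowed to connect" as well as the code. The `probe` function, which runs the real `mysql` client, is only invoked when you pass `probe`, and the `user@servername` login form it expects is an assumption about this service.

```shell
#!/bin/sh
# Added example (not from the original article): classify a failed connection
# to Azure Database for MariaDB by the client's error output, so you fix the
# right layer (firewall rule, credentials, or network). Sample messages are
# constructed; the gateway's firewall error text may differ slightly.
set -eu

# Prints one of: firewall | auth | network | unknown
classify_error() {
  case $1 in
    *"is not allowed to connect"*|*"ERROR 9000"*)  echo firewall ;;
    *"ERROR 1045"*|*"Access denied for user"*)      echo auth ;;
    *"ERROR 2003"*|*"ERROR 2005"*|*"Can't connect"*|*"Unknown MySQL server host"*|*"timed out"*)
                                                    echo network ;;
    *)                                              echo unknown ;;
  esac
}

# Extracts the client address the gateway rejected. This is the address
# Azure saw (your NAT/egress address), which is what a firewall rule needs.
blocked_ip() {
  printf '%s\n' "$1" | sed -n "s/.*Client with IP address '\([0-9.]*\)'.*/\1/p"
}

# Next step for each class, mirroring the troubleshooting list above.
advice() {
  case $(classify_error "$1") in
    firewall) echo "add a server-level rule for $(blocked_ip "$1"); allow up to five minutes for it to apply" ;;
    auth)     echo "firewall passed; check the login name, its password and its privileges on the server" ;;
    network)  echo "request never reached the gateway; check DNS, the server FQDN and outbound TCP 3306" ;;
    *)        echo "unrecognised error; inspect the full client output" ;;
  esac
}

# Live probe: needs the mysql client and network access, so it only runs when
# invoked as: MARIADB_PASSWORD=... sh probe.sh probe <server FQDN> <user@servername>
probe() {
  _host=$1 _user=$2
  _out=$(mysql --host="$_host" --user="$_user" --password="${MARIADB_PASSWORD:-}" \
               --connect-timeout=10 --execute='SELECT 1' 2>&1) || true
  echo "$(classify_error "$_out"): $(advice "$_out")"
}

# Constructed sample client outputs (203.0.113.0/24 is a documentation range).
SAMPLE_FIREWALL="ERROR 9000 (HY000): Client with IP address '203.0.113.7' is not allowed to connect to this MariaDB server."
SAMPLE_AUTH="ERROR 1045 (28000): Access denied for user 'admin@mydemoserver'@'203.0.113.7' (using password: YES)"
SAMPLE_NET="ERROR 2003 (HY000): Can't connect to MySQL server on 'mydemoserver.mariadb.database.azure.com' (110)"

if [ "${1:-}" = probe ]; then
  probe "${2:?server FQDN}" "${3:?user@servername}"
fi
```

Because the firewall check happens at the gateway before authentication, an error 1045 is actually good news for the firewall configuration: it proves the rule for your egress address is in place and the remaining problem is the login.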

Next steps