Security in Azure Database for MariaDB

There are multiple layers of security available to protect the data on your Azure Database for MariaDB server. This article outlines those security options.

Information protection and encryption

In-transit

Azure Database for MariaDB secures your data by encrypting data in transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.

At-rest

The Azure Database for MariaDB service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups, is encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Network security

Connections to an Azure Database for MariaDB server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, see the connectivity architecture article.

A newly created Azure Database for MariaDB server has a firewall that blocks all external connections. Such connections reach the gateway, but they are not allowed to connect to the server.

IP firewall rules

IP firewall rules grant access to servers based on the originating IP address of each request. See the firewall rules overview for more information.

Virtual network firewall rules

Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules, you can enable your Azure Database for MariaDB server to allow connections from selected subnets in a virtual network. For more information, see the virtual network service endpoint overview.

Access management

While creating the Azure Database for MariaDB server, you provide credentials for an administrator user. This administrator can be used to create additional MariaDB users.

Next steps