Private Link for Azure Database for MySQL

Note

You are viewing the new service of Azure Database for MySQL. To view the documentation for classic MySQL Database for Azure, please visit this page.

Private Link allows you to connect to various PaaS services in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using a private IP address, just like any other resource in the VNet.

A private endpoint is a private IP address within a specific VNet and subnet.

Note

The Private Link feature is only available for Azure Database for MySQL servers in the General Purpose or Memory Optimized pricing tiers. Ensure the database server is in one of these pricing tiers.

Data exfiltration prevention

Data exfiltration in Azure Database for MySQL is when an authorized user, such as a database admin, is able to extract data from one system and move it to another location or system outside the organization. For example, the user moves the data to a storage account owned by a third party.

With Private Link, you can now set up network access controls like NSGs to restrict access to the private endpoint. Individual Azure PaaS resources are then mapped to specific private endpoints. A malicious insider can only access the mapped PaaS resource (for example, an Azure Database for MySQL server) and no other resource.

On-premises connectivity over private peering

When you connect to the public endpoint from on-premises machines, your IP address needs to be added to the IP-based firewall using a server-level firewall rule. While this model works well for allowing access to individual machines for dev or test workloads, it's difficult to manage in a production environment.

With Private Link, you can enable cross-premises access to the private endpoint using ExpressRoute (ER), private peering, or a VPN tunnel. You can subsequently disable all access via the public endpoint and stop relying on the IP-based firewall.

Note

In some cases the Azure Database for MySQL server and the VNet subnet are in different subscriptions. In these cases you must ensure the following configuration:

  • Make sure that both subscriptions have the Microsoft.DBforMySQL resource provider registered. For more information, refer to resource-manager-registration.

Creation process

Private endpoints are required to enable Private Link. This can be done using the following how-to guides.

Approval process

Once the network admin creates the private endpoint (PE), the MySQL admin can manage the private endpoint connection (PEC) to Azure Database for MySQL. This separation of duties between the network admin and the DBA is helpful for management of Azure Database for MySQL connectivity.

  • Navigate to the Azure Database for MySQL server resource in the Azure portal.
    • Select the private endpoint connections in the left pane.
    • This shows a list of all private endpoint connections (PECs).
    • Each entry corresponds to a private endpoint (PE) that was created.

Screenshot: selecting the private endpoint in the portal

  • Select an individual PEC from the list.

Screenshot: selecting a private endpoint that is pending approval

  • The MySQL server admin can choose to approve or reject a PEC and optionally add a short text response.

Screenshot: entering the private endpoint response message

  • After approval or rejection, the list reflects the appropriate state along with the response text.

Screenshot: final state of the private endpoint connection

Clients can connect to the private endpoint from the same VNet, from a peered VNet in the same region, or via a VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.

Diagram: private endpoint connectivity overview

Connecting from an Azure VM in a peered Virtual Network (VNet)

Configure VNet peering to establish connectivity to the Azure Database for MySQL server from an Azure VM in a peered VNet.

Connecting from an Azure VM in a VNet-to-VNet environment

Configure a VNet-to-VNet VPN gateway connection to establish connectivity to an Azure Database for MySQL server from an Azure VM in a different region or subscription.

Connecting from an on-premises environment over VPN

To establish connectivity from an on-premises environment to the Azure Database for MySQL server, choose and implement one of the options:

The following situations and outcomes are possible when you use Private Link in combination with firewall rules:

  • If you don't configure any firewall rules, then by default, no traffic will be able to access the Azure Database for MySQL server.

  • If you configure public traffic or a service endpoint and you create private endpoints, then each type of incoming traffic is authorized by the corresponding type of firewall rule.

  • If you don't configure any public traffic or service endpoint and you create private endpoints, then the Azure Database for MySQL server is accessible only through the private endpoints. In that configuration, once all approved private endpoints are rejected or deleted, no traffic will be able to access the Azure Database for MySQL server.

Deny public access for Azure Database for MySQL

If you want to rely only on private endpoints for accessing your Azure Database for MySQL server, you can disable all public endpoints (that is, firewall rules and VNet service endpoints) by setting the Deny Public Network Access configuration on the database server.

When this setting is set to YES, only connections via private endpoints are allowed to your Azure Database for MySQL server. When this setting is set to NO, clients can connect to your Azure Database for MySQL server based on your firewall or VNet service endpoint settings. Additionally, once the Deny Public Network Access value is set, customers cannot add or update existing firewall rules and VNet service endpoint rules.
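The firewall-rule outcomes listed above and the Deny Public Network Access switch combine into a small decision table. The following added example (not part of this page or of any Microsoft tooling) encodes that table as a posture check a DBA could run over an exported server description; the record layout and field names (`publicNetworkAccess`, `privateEndpointConnections`, and so on) are assumptions, and the sample server is constructed.

```python
from typing import Dict, List, Set

# Constructed sample. Field names loosely mirror the Azure resource model
# but are an assumption of this example, not a documented schema.
SERVER: Dict = {
    "name": "mysql-demo",
    # "Disabled" corresponds to Deny Public Network Access = YES on the page.
    "publicNetworkAccess": "Enabled",
    "firewallRules": [{"name": "office", "startIp": "203.0.113.10", "endIp": "203.0.113.10"}],
    "vnetRules": [],
    "privateEndpointConnections": [
        {"name": "pec-app", "status": "Approved", "description": "app subnet"},
        {"name": "pec-unknown", "status": "Pending", "description": ""},
    ],
}


def reachable_paths(server: Dict) -> Set[str]:
    """Paths through which the server accepts traffic, per the page's rules:
    private traffic needs an approved PEC; public IP traffic needs a firewall
    rule and VNet traffic a service endpoint rule, and both public paths are
    closed when Deny Public Network Access is set."""
    paths: Set[str] = set()
    if any(c["status"] == "Approved" for c in server["privateEndpointConnections"]):
        paths.add("private-endpoint")
    if server["publicNetworkAccess"] == "Enabled":
        if server["firewallRules"]:
            paths.add("public-ip-firewall")
        if server["vnetRules"]:
            paths.add("vnet-service-endpoint")
    return paths


def audit(server: Dict) -> List[str]:
    """Findings a MySQL admin reviewing Private Link posture would want."""
    findings: List[str] = []
    paths = reachable_paths(server)
    pending = [c["name"] for c in server["privateEndpointConnections"] if c["status"] == "Pending"]
    if pending:
        findings.append("PECs awaiting approve/reject: " + ", ".join(pending))
    if not paths:
        findings.append("no path can reach the server: no approved PEC and no public rules")
    if "private-endpoint" in paths and paths - {"private-endpoint"}:
        findings.append("public paths still open alongside Private Link; "
                        "consider Deny Public Network Access")
    return findings
```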

Note

This feature is available in all Azure regions where Azure Database for PostgreSQL - Single Server supports the General Purpose and Memory Optimized pricing tiers.

This setting does not have any impact on the SSL and TLS configuration of your Azure Database for MySQL server.

To learn how to set Deny Public Network Access for your Azure Database for MySQL server from the Azure portal, refer to How to configure Deny Public Network Access.

Next steps

To learn more about Azure Database for MySQL security features, see the following articles: