Security in Azure Database for MySQL

There are multiple layers of security available to protect the data on your Azure Database for MySQL server. This article outlines those security options.

Information protection and encryption


Azure Database for MySQL secures your data by encrypting data in transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.
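A quick way to confirm from the client side that the "enforced by default" statement above actually holds for a given server is to ask the session which cipher and TLS version it negotiated, and ask the server whether it requires secure transport. The following is an added example, not code from the Microsoft documentation; it assumes the standard MySQL `Ssl_cipher`/`Ssl_version` status names and the `require_secure_transport`/`tls_version` server variables, and uses mysql-connector-python with placeholder connection values for the live path.

```python
"""Assess the TLS posture of a MySQL session (added example, not Microsoft's code)."""
from typing import Dict, List, Tuple

# Constructed sample rows, shaped like the output of
#   SHOW SESSION STATUS ...  and  SHOW VARIABLES ...
# for a session on a server with encryption enforced and TLS 1.2 negotiated.
SAMPLE_STATUS = {"Ssl_cipher": "ECDHE-RSA-AES256-GCM-SHA384", "Ssl_version": "TLSv1.2"}
SAMPLE_VARS = {"require_secure_transport": "ON", "tls_version": "TLSv1.2"}

WEAK_TLS = {"TLSv1", "TLSv1.1"}  # versions a defender should not see negotiated or offered


def assess_tls(status: Dict[str, str], variables: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the session is encrypted with a
    modern TLS version and the server refuses unencrypted connections."""
    findings = []
    if not status.get("Ssl_cipher"):
        findings.append("session is not encrypted (Ssl_cipher is empty)")
    if status.get("Ssl_version") in WEAK_TLS:
        findings.append(f"session negotiated weak {status['Ssl_version']}")
    if variables.get("require_secure_transport", "").upper() != "ON":
        findings.append("server does not enforce TLS (require_secure_transport is not ON)")
    offered = {v.strip() for v in variables.get("tls_version", "").split(",") if v.strip()}
    weak_offered = sorted(offered & WEAK_TLS)
    if weak_offered:
        findings.append("server still offers " + ", ".join(weak_offered))
    return findings


def rows_to_dict(rows) -> Dict[str, str]:
    """Turn (Variable_name, Value) result rows into a dict."""
    return {name: value for name, value in rows}


def fetch_live(conn) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Collect the same two dicts from an open DB-API connection."""
    cur = conn.cursor()
    cur.execute("SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version')")
    status = rows_to_dict(cur.fetchall())
    cur.execute("SHOW VARIABLES WHERE Variable_name IN ('require_secure_transport', 'tls_version')")
    variables = rows_to_dict(cur.fetchall())
    return status, variables


if __name__ == "__main__":
    import mysql.connector  # pip install mysql-connector-python
    conn = mysql.connector.connect(  # all values below are placeholders
        host="<server>.mysql.database.azure.com", user="<admin-user>", password="<password>",
        ssl_ca="/path/to/azure-root-ca.pem", ssl_verify_cert=True)  # verify the server cert
    print(assess_tls(*fetch_live(conn)) or ["TLS posture OK"])
```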


The Azure Database for MySQL service uses a FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups, is encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Network security

Connections to an Azure Database for MySQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, see the connectivity architecture article.

A newly created Azure Database for MySQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server.

IP firewall rules

IP firewall rules grant access to servers based on the originating IP address of each request. See the firewall rules overview for more information.

Virtual network firewall rules

Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules, you can enable your Azure Database for MySQL server to allow connections from selected subnets in a virtual network. For more information, see the virtual network service endpoint overview.

Private IP

Private Link allows you to connect to your Azure Database for MySQL in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using a private IP address just like any other resource in the VNet. For more information, see the private link overview.

Access management

While creating the Azure Database for MySQL server, you provide credentials for an administrator user. This administrator can be used to create additional MySQL users.

