Use Virtual Network service endpoints and rules for Azure Database for PostgreSQL - Single Server

Virtual network rules are one firewall security feature that controls whether your Azure Database for PostgreSQL server accepts communications that are sent from particular subnets in virtual networks. This article explains why the virtual network rule feature is sometimes your best option for securely allowing communication to your Azure Database for PostgreSQL server.

To create a virtual network rule, there must first be a virtual network (VNet) and a virtual network service endpoint for the rule to reference. The following picture illustrates how a Virtual Network service endpoint works with Azure Database for PostgreSQL:

[Figure: example of how a VNet service endpoint works]

Note

This feature is available in all regions of the Azure public cloud where Azure Database for PostgreSQL is deployed for General Purpose and Memory Optimized servers. In the case of VNet peering, if traffic flows through a common VNet Gateway with service endpoints and is supposed to flow to the peer, create an ACL/VNet rule to allow Azure Virtual Machines in the Gateway VNet to access the Azure Database for PostgreSQL server.

Terminology and description

Virtual network: You can have virtual networks associated with your Azure subscription.

Subnet: A virtual network contains subnets. Any Azure virtual machines (VMs) that you have are assigned to subnets. One subnet can contain multiple VMs or other compute nodes. Compute nodes that are outside of your virtual network cannot access your virtual network unless you configure your security to allow access.

Virtual Network service endpoint: A Virtual Network service endpoint is a subnet whose property values include one or more formal Azure service type names. In this article we are interested in the type name Microsoft.Sql, which refers to the Azure service named SQL Database. This service tag also applies to the Azure Database for PostgreSQL and MySQL services. It is important to note that applying the Microsoft.Sql service tag to a VNet service endpoint configures service endpoint traffic for all Azure SQL Database, Azure Database for PostgreSQL and Azure Database for MySQL servers on the subnet.

Virtual network rule: A virtual network rule for your Azure Database for PostgreSQL server is a subnet that is listed in the access control list (ACL) of your Azure Database for PostgreSQL server. To be in the ACL for your Azure Database for PostgreSQL server, the subnet must contain the Microsoft.Sql type name.

A virtual network rule tells your Azure Database for PostgreSQL server to accept communications from every node that is on the subnet.

Benefits of a virtual network rule

Until you take action, the VMs on your subnets cannot communicate with your Azure Database for PostgreSQL server. One action that establishes the communication is the creation of a virtual network rule. The rationale for choosing the VNet rule approach requires a compare-and-contrast discussion involving the competing security options offered by the firewall.

A. Allow access to Azure services

The Connection security pane has an ON/OFF button that is labeled Allow access to Azure services. The ON setting allows communications from all Azure IP addresses and all Azure subnets. These Azure IPs or subnets might not be owned by you. This ON setting is probably more open than you want your Azure Database for PostgreSQL server to be. The virtual network rule feature offers much finer-grained control.

B. IP rules

The Azure Database for PostgreSQL firewall allows you to specify IP address ranges from which communications are accepted into the Azure Database for PostgreSQL server. This approach is fine for stable IP addresses that are outside the Azure private network. But many nodes inside the Azure private network are configured with dynamic IP addresses. Dynamic IP addresses might change, such as when your VM is restarted. Specifying a dynamic IP address in a firewall rule is unwise in a production environment.

You can salvage the IP option by obtaining a static IP address for your VM. For details, see Configure private IP addresses for a virtual machine by using the Azure portal.

However, the static IP approach can become difficult to manage, and it is costly when done at scale. Virtual network rules are easier to establish and to manage.

C. Cannot yet have Azure Database for PostgreSQL on a subnet without defining a service endpoint

If your Microsoft.Sql server were a node on a subnet in your virtual network, all nodes within the virtual network could communicate with your Azure Database for PostgreSQL server. In this case, your VMs could communicate with Azure Database for PostgreSQL without needing any virtual network rules or IP rules.

However, as of August 2018, the Azure Database for PostgreSQL service is not yet among the services that can be assigned directly to a subnet.

Details about virtual network rules

This section describes several details about virtual network rules.

Only one geographic region

Each Virtual Network service endpoint applies to only one Azure region. The endpoint does not enable other regions to accept communication from the subnet.

Any virtual network rule is limited to the region that its underlying endpoint applies to.

Server-level, not database-level

Each virtual network rule applies to your whole Azure Database for PostgreSQL server, not just to one particular database on the server. In other words, a virtual network rule applies at the server level, not at the database level.

Security administration roles

There is a separation of security roles in the administration of Virtual Network service endpoints. Action is required from each of the following roles:

  • Network Admin: Turn on the endpoint.
  • Database Admin: Update the access control list (ACL) to add the given subnet to the Azure Database for PostgreSQL server.

RBAC alternative:

The roles of Network Admin and Database Admin have more capabilities than are needed to manage virtual network rules. Only a subset of their capabilities is needed.

You have the option of using role-based access control (RBAC) in Azure to create a single custom role that has only the necessary subset of capabilities. The custom role could be used instead of involving either the Network Admin or the Database Admin. The surface area of your security exposure is lower if you add a user to a custom role than if you add the user to either of the two major administrator roles.
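One way to cut the role down to that subset, as an added example that is not part of the original article: a custom role definition created with the Azure CLI. The permission strings are my assumption of what the Microsoft.Network and Microsoft.DBforPostgreSQL providers expose (check them with az provider operation show before use), SUBSCRIPTION_ID is a placeholder, and AZ is an assumed indirection so the script can be dry-run with AZ=echo.

```shell
#!/bin/sh
# Added example, not the article's own: a least-privilege custom RBAC role
# for the "enable endpoint + add VNet rule" workflow. Permission names are
# assumed (verify with: az provider operation show --namespace <provider>).
set -eu
: "${AZ:=az}"
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder

# Emit the role definition JSON. Only subnet endpoint management and
# PostgreSQL VNet-rule management are granted; no wildcard actions.
role_definition() {
  cat <<EOF
{
  "Name": "PostgreSQL VNet Rule Operator",
  "Description": "Enable Microsoft.Sql endpoints on subnets and manage PostgreSQL VNet rules only.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    "Microsoft.DBforPostgreSQL/servers/read",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/read",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/write",
    "Microsoft.DBforPostgreSQL/servers/virtualNetworkRules/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Register the role at subscription scope (a real run needs Owner or
# User Access Administrator on the subscription).
create_role() {
  tmp=$(mktemp)
  role_definition > "$tmp"
  "$AZ" role definition create --role-definition "@$tmp"
  rm -f "$tmp"
}
```

Assign the resulting role to the operator with az role assignment create instead of adding them to the Network Admin or Database Admin roles.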

Note

In some cases the Azure Database for PostgreSQL server and the VNet subnet are in different subscriptions. In these cases you must ensure the following configurations:

  • Both subscriptions must be in the same Azure Active Directory tenant.
  • The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet subnet to the given server.

Limitations

For Azure Database for PostgreSQL, the virtual network rules feature has the following limitations:

  • A Web App can be mapped to a private IP in a VNet/subnet. Even if service endpoints are turned ON from the given VNet/subnet, connections from the Web App to the server will have an Azure public IP source, not a VNet/subnet source. To enable connectivity from a Web App to a server that has VNet firewall rules, you must turn on Allow Azure services to access server on the server.

  • In the firewall for your Azure Database for PostgreSQL server, each virtual network rule references a subnet. All these referenced subnets must be hosted in the same geographic region that hosts the Azure Database for PostgreSQL server.

  • Each Azure Database for PostgreSQL server can have up to 128 ACL entries for any given virtual network.

  • Virtual network rules apply only to Azure Resource Manager virtual networks, and not to classic deployment model networks.

  • Turning ON virtual network service endpoints to Azure Database for PostgreSQL using the Microsoft.Sql service tag also enables the endpoints for all Azure Database services: Azure Database for MySQL, Azure Database for PostgreSQL, Azure SQL Database and Azure SQL Data Warehouse.

  • Support for VNet service endpoints is only for General Purpose and Memory Optimized servers.

  • On the firewall, IP address ranges apply to the following networking items, but virtual network rules do not:

ExpressRoute

If your network is connected to the Azure network through use of ExpressRoute, each circuit is configured with two public IP addresses at the Microsoft edge. The two IP addresses are used to connect to Microsoft services, such as Azure Storage, by using Azure Public Peering.

To allow communication from your circuit to Azure Database for PostgreSQL, you must create IP network rules for the public IP addresses of your circuits. To find the public IP addresses of your ExpressRoute circuit, open a support ticket with ExpressRoute by using the Azure portal.

Adding a VNet firewall rule to your server without turning on VNet service endpoints

Merely setting a firewall rule does not help secure the server to the VNet. You must also turn VNet service endpoints On for the security to take effect. When you turn service endpoints On, your VNet subnet experiences downtime until it completes the transition from Off to On. This is especially true in the context of large VNets. You can use the IgnoreMissingServiceEndpoint flag to reduce or eliminate the downtime during the transition.

You can set the IgnoreMissingServiceEndpoint flag by using the Azure CLI or the portal.
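The two administrator steps from the security administration roles section (endpoint on the subnet, then the server-side rule), the IgnoreMissingServiceEndpoint option just described, and a check that the rule is actually backed by an endpoint, as an added Azure CLI example that is not part of the original article. Resource group, VNet, subnet, server and rule names are placeholders, and AZ is an assumed indirection so the commands can be dry-run with AZ=echo.

```shell
#!/bin/sh
# Added example, not the article's own: the Network Admin and Database Admin
# steps driven through the Azure CLI. All resource names are placeholders.
set -eu
: "${AZ:=az}"
RG="${RG:-rg-placeholder}"
VNET="${VNET:-vnet-placeholder}"
SUBNET="${SUBNET:-subnet-placeholder}"
SERVER="${SERVER:-pg-server-placeholder}"
RULE="${RULE:-allow-app-subnet}"

# Network Admin step: tag the subnet with the Microsoft.Sql service endpoint.
# As the article notes, this routes endpoint traffic for every Microsoft.Sql
# service on the subnet (SQL Database, PostgreSQL, MySQL), not just this server.
enable_sql_endpoint() {
  "$AZ" network vnet subnet update \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --service-endpoints Microsoft.Sql
}

# Database Admin step: add the subnet to the server's ACL. The rule is created
# with --ignore-missing-endpoint (the CLI form of IgnoreMissingServiceEndpoint)
# so it can exist before the subnet finishes its Off-to-On endpoint transition.
create_vnet_rule() {
  "$AZ" postgres server vnet-rule create \
    --resource-group "$RG" --server-name "$SERVER" --name "$RULE" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --ignore-missing-endpoint
}

# Verification: a VNet rule without a provisioned endpoint on the subnet does
# not secure anything. Returns 0 only when the subnet reports Microsoft.Sql
# with provisioningState Succeeded.
subnet_has_sql_endpoint() {
  "$AZ" network vnet subnet show \
    --resource-group "$RG" --vnet-name "$VNET" --name "$SUBNET" \
    --query "serviceEndpoints[?service=='Microsoft.Sql'].provisioningState" \
    --output tsv | grep -q '^Succeeded$'
}
```

Run create_vnet_rule first when the Database Admin is ready before the Network Admin, then enable_sql_endpoint, and treat a failing subnet_has_sql_endpoint as "rule present, but not yet effective".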

Next steps

For articles on creating VNet rules, see: