Add a private endpoint connection

Azure Database for PostgreSQL flexible server is an Azure Private Link service. This means you can create private endpoints so that client applications connect to an Azure Database for PostgreSQL flexible server privately and securely.

A private endpoint for Azure Database for PostgreSQL flexible server is a network interface that you inject into a subnet of an Azure virtual network. Any host or service that can route network traffic to that subnet can communicate with the flexible server, so the traffic never has to traverse the internet. All traffic is sent privately over the Microsoft backbone.

For more information about Azure Private Link and Azure private endpoints, see the Azure Private Link FAQ.

If you have the permissions required to deploy a private endpoint and to approve the private endpoint connection to the server, you can create the private endpoint connection with the az network private-endpoint create command.

To create a private endpoint and assign its network interface an IP address dynamically allocated from the range of the selected subnet:

# Retrieve the resource identifier of the server to which you want to connect via the private endpoint
server_id=$(az postgres flexible-server show --resource-group <resource_group> --name <server> --query id --output tsv)
# The group-id (sub-resource) for a flexible server is postgresqlServer, as in the static-IP variant below
az network private-endpoint create --connection-name <connection> --name <private_endpoint> --private-connection-resource-id $server_id --resource-group <resource_group> --subnet <subnet> --group-id postgresqlServer --vnet-name <virtual_network>

To create a private endpoint and assign its network interface an IP address statically allocated from the range of the selected subnet:

# Retrieve the resource identifier of the server to which you want to connect via the private endpoint
server_id=$(az postgres flexible-server show --resource-group <resource_group> --name <server> --query id --output tsv)
az network private-endpoint create --connection-name <connection> --name <private_endpoint> --private-connection-resource-id $server_id --resource-group <resource_group> --subnet <subnet> --group-id postgresqlServer --vnet-name <virtual_network> --location <location> --ip-config name=<ip_config> group-id=postgresqlServer member-name=postgresqlServer private-ip-address=<private_ip_address>

If you have the required permissions, the private endpoint connection should be approved automatically. In that case, the output of the following command shows status as Approved and description as Auto-Approved:

# Quote the JMESPath expression so the shell does not try to glob-expand the brackets
az network private-endpoint show --resource-group <resource_group> --name <private_endpoint> --query "privateLinkServiceConnections[?name=='<connection>'].privateLinkServiceConnectionState"

az network private-endpoint create creates the privatelink.postgres.database.chinacloudapi.cn private DNS zone if it doesn't already exist, and links that private DNS zone to the virtual network in which the private endpoint is created. It does not, however, create a DNS zone group in the private endpoint. If you want, you can integrate the private endpoint with the private DNS zone. To do so:

az network private-endpoint dns-zone-group create --resource-group <resource_group> --endpoint-name <endpoint> --name default --private-dns-zone privatelink.postgres.database.chinacloudapi.cn --zone-name privatelink-postgres-database-chinacloudapi-cn
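The steps above (look up the server id, create the endpoint, confirm the connection is approved, then add the DNS zone group) are combined here into one script. This is an added example, not code from the Azure documentation: the environment variable names (RESOURCE_GROUP, SERVER, CONNECTION, PRIVATE_ENDPOINT, SUBNET, VIRTUAL_NETWORK) and the polling interval are choices made for this example, and it assumes a signed-in az CLI. The two JSON helpers only inspect the text that `az network private-endpoint show` returns, so they can be exercised offline; the DNS zone group is created only after the connection state reports Approved, so a connection that still needs manual approval is not silently wired into DNS.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): wraps the page's az CLI steps
# in a script that creates the private endpoint, waits for the connection to be
# approved, and only then integrates it with the private DNS zone.
# Assumptions: az CLI installed and signed in; the placeholders on the page are
# supplied through the environment variables used below (names chosen here).
set -eu

# Return 0 if the JSON from
#   az network private-endpoint show ... --query "...privateLinkServiceConnectionState"
# reports status "Approved". Pure text processing, so it can be exercised offline.
connection_is_approved() {
  printf '%s' "$1" | grep -Eq '"status":[[:space:]]*"Approved"'
}

# Extract the "description" field (e.g. Auto-Approved) from the same JSON for logging.
connection_description() {
  printf '%s' "$1" | sed -n 's/.*"description":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Query the live connection state of the named private endpoint (same query as the page).
show_connection_state() {
  az network private-endpoint show \
    --resource-group "$RESOURCE_GROUP" \
    --name "$PRIVATE_ENDPOINT" \
    --query "privateLinkServiceConnections[?name=='$CONNECTION'].privateLinkServiceConnectionState" \
    --output json
}

# Poll until the connection is approved; give up after $1 attempts (default 12, 10 s apart).
wait_for_approval() {
  attempts=${1:-12}
  while [ "$attempts" -gt 0 ]; do
    state=$(show_connection_state)
    if connection_is_approved "$state"; then
      echo "connection approved: $(connection_description "$state")"
      return 0
    fi
    echo "connection not yet approved ($(connection_description "$state")); retrying"
    attempts=$((attempts - 1))
    sleep 10
  done
  echo "connection was not approved in time; approve it manually or check your permissions" >&2
  return 1
}

deploy_private_endpoint() {
  # Resource identifier of the flexible server (same lookup as on the page).
  server_id=$(az postgres flexible-server show \
    --resource-group "$RESOURCE_GROUP" --name "$SERVER" --query id --output tsv)

  # Dynamic IP allocation from the subnet range; the group-id for a flexible server is postgresqlServer.
  az network private-endpoint create \
    --connection-name "$CONNECTION" \
    --name "$PRIVATE_ENDPOINT" \
    --private-connection-resource-id "$server_id" \
    --resource-group "$RESOURCE_GROUP" \
    --subnet "$SUBNET" \
    --group-id postgresqlServer \
    --vnet-name "$VIRTUAL_NETWORK"

  wait_for_approval

  # create links the private DNS zone to the VNet but does not add a zone group; do that here.
  az network private-endpoint dns-zone-group create \
    --resource-group "$RESOURCE_GROUP" \
    --endpoint-name "$PRIVATE_ENDPOINT" \
    --name default \
    --private-dns-zone privatelink.postgres.database.chinacloudapi.cn \
    --zone-name privatelink-postgres-database-chinacloudapi-cn
}

# Only deploy when invoked as `sh script.sh deploy`; otherwise the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  deploy_private_endpoint
fi
```

Run it as `RESOURCE_GROUP=... SERVER=... CONNECTION=... PRIVATE_ENDPOINT=... SUBNET=... VIRTUAL_NETWORK=... sh script.sh deploy`. Because `wait_for_approval` returns non-zero when the connection stays Pending and the script runs under `set -e`, the DNS zone group step is skipped in that case and the exit status tells you the endpoint still needs attention.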

If you try to create a private endpoint with a statically assigned private IP address and the specified address is already in use by another network interface, you get the following error:

Code: PrivateIPAddressIsAllocated
Message: IP configuration /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/networkInterfaces/<network_interface>.nic.<guid>/ipConfigurations/privateEndpointIpConfig.<guid> is using the private IP address <private_ip_address> which is already allocated to resource /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/networkInterfaces/<network_interface>.nic.<guid>/ipConfigurations/privateEndpointIpConfig.<guid>.

If you try to create the private endpoint and the virtual network referenced by the --subscription, --resource-group and --vnet-name parameters doesn't exist, or if the virtual network exists but is deployed in a region that doesn't match the region in which you're trying to deploy the private endpoint, you get the following error:

Code: InvalidResourceReference
Message: Resource /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network> referenced by resource /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/privateEndpoints/<private_endpoint> was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.

If you try to create a private endpoint and an endpoint with the same name already exists, but you specify a different value for --connection-name or --vnet-name, you get the following error:

Code: CannotChangePrivateLinkConnectionOnPrivateEndpoint
Message: Cannot change the private link connection on private endpoint /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/privateEndpoints/<private_endpoint>. Please ensure you are not updating the details of existing private link connection: '/subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/privateEndpoints/<private_endpoint>/privateLinkServiceConnections/<connection>'. That is not allowed.

If you try to create a private endpoint and an endpoint with the same name already exists, but you specify a different value for --subnet, you get the following error:

Code: CannotChangeSubnetOnExistingPrivateEndpoint
Message: Cannot change the subnet in which the network interface for private endpoint /subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/privateEndpoints/<private_endpoint> is created. Current subnet: '/subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network>/subnets/<current_subnet>.' Requested subnet: '/subscriptions/<subscription>/resourceGroups/<resource_group>/providers/Microsoft.Network/virtualNetworks/<virtual_network>/subnets/<requested_subnet>.'

If you try to create a private endpoint and an endpoint with the same name already exists, but you specify a different value for --location, you get the following error:

Code: InvalidResourceLocation
Message: The resource '<private_endpoint>' already exists in location '<current_location>' in resource group '<resource_group>'. A resource with the same name cannot be created in location '<requested_location>'. Please select a new resource name.