使用 Azure 门户在 Azure Database for PostgreSQL(单一服务器)中创建并管理 VNet 服务终结点和 VNet 规则Create and manage VNet service endpoints and VNet rules in Azure Database for PostgreSQL - Single Server by using the Azure portal

虚拟网络 (VNet) 服务终结点和规则将虚拟网络的专用地址空间扩展到你的 Azure Database for PostgreSQL 服务器。Virtual Network (VNet) services endpoints and rules extend the private address space of a Virtual Network to your Azure Database for PostgreSQL server. 有关 Azure Database for PostgreSQL VNet 服务终结点(包括限制)的概述,请参阅 Azure Database for PostgreSQL Server VNet 服务终结点For an overview of Azure Database for PostgreSQL VNet service endpoints, including limitations, see Azure Database for PostgreSQL Server VNet service endpoints. 在 Azure Database for PostgreSQL 的所有支持区域中,VNet 服务终结点均可用。VNet service endpoints are available in all supported regions for Azure Database for PostgreSQL.

备注

只有常规用途和内存优化服务器才支持 VNet 服务终结点。Support for VNet service endpoints is only for General Purpose and Memory Optimized servers. 在 VNet 对等互连的情况下,如果流量通过具有服务终结点的公共 VPN 网关流动,并且应该流向对等机,请创建 ACL/VNet 规则,以便网关 VNet 中的 Azure 虚拟机能够访问 Azure Database for PostgreSQL 服务器。In case of VNet peering, if traffic is flowing through a common VPN Gateway with service endpoints and is supposed to flow to the peer, please create an ACL/VNet rule to allow Azure Virtual Machines in the Gateway VNet to access the Azure Database for PostgreSQL server.

在 Azure 门户中创建 VNet 规则和启用服务终结点Create a VNet rule and enable service endpoints in the Azure portal

  1. 在 PostgreSQL 服务器页上的“设置”标题下,单击“连接安全性” ,打开 Azure Database for PostgreSQL 的“连接安全性”窗格。On the PostgreSQL server page, under the Settings heading, click Connection Security to open the Connection Security pane for Azure Database for PostgreSQL.

  2. 确保将“允许访问 Azure 服务”控件设置为“关闭”。 Ensure that the Allow access to Azure services control is set to OFF.

重要

如果将此控件设置为“启用”,则 Azure PostgreSQL 数据库服务器接受来自任何子网的通信。If you leave the control set to ON, your Azure PostgreSQL Database server accepts communication from any subnet. 从安全角度来看,将此控件设置为“启用”可能会导致过度访问。Leaving the control set to ON might be excessive access from a security point of view. Azure 虚拟网络服务终结点功能与 Azure Database for PostgreSQL 的虚拟网络规则功能一起使用可以降低安全风险。The Azure Virtual Network service endpoint feature, in coordination with the virtual network rule feature of Azure Database for PostgreSQL, together can reduce your security surface area.

  1. 接下来,单击“+ 添加现有虚拟网络” 。Next, click on + Adding existing virtual network. 若无现有 VNet,可以单击“+ 新建虚拟网络” 来创建一个。If you do not have an existing VNet you can click + Create new virtual network to create one. 请参阅快速入门:使用 Azure 门户创建虚拟网络See Quickstart: Create a virtual network using the Azure portal

    Azure 门户 - 单击“连接安全性”

  2. 输入 VNet 规则名称,选择订阅、虚拟网络和子网名称,再单击“启用” 。Enter a VNet rule name, select the subscription, Virtual network and Subnet name and then click Enable. 这会使用 Microsoft.SQL 服务标记自动对子网启用 VNet 服务终结点。This automatically enables VNet service endpoints on the subnet using the Microsoft.SQL service tag.

    Azure 门户 - 配置 VNet

    该帐户必须拥有创建虚拟网络和服务终结点所需的必要权限。The account must have the necessary permissions to create a virtual network and service endpoint.

    对虚拟网络拥有写入访问权限的用户可在虚拟网络上单独配置服务终结点。Service endpoints can be configured on virtual networks independently, by a user with write access to the virtual network.

    若要在 VNet 中保护 Azure 服务资源,用户必须对所添加的子网拥有“Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/”权限。To secure Azure service resources to a VNet, the user must have permission to "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/" for the subnets being added. 此权限默认包含在内置的服务管理员角色中,可以通过创建自定义角色进行修改。This permission is included in the built-in service administrator roles, by default and can be modified by creating custom roles.

    详细了解内置角色以及将特定的权限分配到自定义角色Learn more about built-in roles and assigning specific permissions to custom roles.

    VNet 和 Azure 服务资源可以位于相同或不同的订阅中。VNets and Azure service resources can be in the same or different subscriptions. 如果 VNet 和 Azure 服务资源位于不同的订阅中,资源应在相同的 Active Directory (AD) 租户下。If the VNet and Azure service resources are in different subscriptions, the resources should be under the same Active Directory (AD) tenant. 确保两个订阅都注册了 Microsoft.Sql 资源提供程序。Ensure that both the subscriptions have the Microsoft.Sql resource provider registered. 有关详细信息,请参阅资源管理器注册For more information refer resource-manager-registration

    重要

    强烈建议在配置服务终结点前,先阅读本文介绍的服务终结点配置和注意事项。It is highly recommended to read this article about service endpoint configurations and considerations before configuring service endpoints. 虚拟网络服务终结点 :虚拟网络服务终结点是一个子网,其属性值包括一个或多个正式的 Azure 服务类型名称。Virtual Network service endpoint: A Virtual Network service endpoint is a subnet whose property values include one or more formal Azure service type names. VNet 服务终结点使用服务类型名称 Microsoft.Sql ,可引用名为“SQL 数据库”的 Azure 服务。VNet services endpoints use the service type name Microsoft.Sql, which refers to the Azure service named SQL Database. 此服务标记也适用于 Azure SQL 数据库、Azure Database for PostgreSQL 和 MySQL 服务。This service tag also applies to the Azure SQL Database, Azure Database for PostgreSQL and MySQL services. 请务必要注意,对 VNet 服务终结点应用 Microsoft.Sql 服务标记时,它会为所有 Azure 数据库服务配置服务终结点流量,其中包括 Azure SQL 数据库、Azure Database for PostgreSQL 和子网上的 Azure Database for MySQL 服务器。It is important to note when applying the Microsoft.Sql service tag to a VNet service endpoint it configures service endpoint traffic for all Azure Database services, including Azure SQL Database, Azure Database for PostgreSQL and Azure Database for MySQL servers on the subnet.

  3. 启用后,单击“确定” 即可看到 VNet 服务终结点与 VNet 规则一起启用。Once enabled, click OK and you will see that VNet service endpoints are enabled along with a VNet rule.

    VNet 服务终结点已启用,且 VNet 规则已创建

后续步骤Next steps