Configure a connection from an Azure Cognitive Search indexer to SQL Server on an Azure VM

As noted in Connecting Azure SQL Database to Azure Cognitive Search using indexers, creating indexers against SQL Server on Azure VMs (or SQL Azure VMs for short) is supported by Azure Cognitive Search, but there are a few security-related prerequisites to take care of first.

Connections from Azure Cognitive Search to SQL Server on a VM are public internet connections. All of the security measures you would normally follow for such connections apply here as well:

  • Obtain a certificate from a Certificate Authority provider for the fully qualified domain name of the SQL Server instance on the Azure VM.
  • Install the certificate on the VM, and then enable and configure encrypted connections on the VM using the instructions in this article.

Enable encrypted connections

Azure Cognitive Search requires an encrypted channel for all indexer requests over a public internet connection. This section lists the steps to make this work.

  1. Check the properties of the certificate to verify that the subject name is the fully qualified domain name (FQDN) of the Azure VM. You can use a tool like CertUtils or the Certificates snap-in to view the properties. You can get the FQDN from the VM service blade's Essentials section, in the Public IP address/DNS name label field, in the Azure portal.

    • For VMs created using the newer Resource Manager template, the FQDN is formatted as <your-VM-name>.<region>.cloudapp.chinacloudapi.cn
    • For older VMs created as a Classic VM, the FQDN is formatted as <your-cloud-service-name>.chinacloudapp.cn
  2. Configure SQL Server to use the certificate using the Registry Editor (regedit).

    Although SQL Server Configuration Manager is often used for this task, you can't use it for this scenario. It won't find the imported certificate because the FQDN of the VM on Azure doesn't match the FQDN as determined by the VM (it identifies the domain as either the local computer or the network domain to which it is joined). When the names don't match, use regedit to specify the certificate.

    • In regedit, browse to this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\[MSSQL13.MSSQLSERVER]\MSSQLServer\SuperSocketNetLib\Certificate.

      The [MSSQL13.MSSQLSERVER] part varies based on version and instance name.

    • Set the value of the Certificate key to the thumbprint of the TLS/SSL certificate you imported to the VM.

      There are several ways to get the thumbprint, some better than others. If you copy it from the Certificates snap-in in MMC, you will probably pick up an invisible leading character, as described in this support article, which results in an error when you attempt a connection. Several workarounds exist for correcting this problem. The easiest is to backspace over and then retype the first character of the thumbprint to remove the leading character in the key value field in regedit. Alternatively, you can use a different tool to copy the thumbprint.

  3. Grant permissions to the service account.

    Make sure the SQL Server service account is granted the appropriate permission on the private key of the TLS/SSL certificate. If you overlook this step, SQL Server will not start. You can use the Certificates snap-in or CertUtils for this task.

  4. Restart the SQL Server service.
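The four steps above, scripted end to end as an added example (this is not code from the original article or from Microsoft). It assumes an elevated Windows PowerShell 5.1 session on the VM, the default instance MSSQLSERVER with instance ID MSSQL13.MSSQLSERVER (a placeholder; adjust for your version and instance), and a CA-issued certificate already imported into LocalMachine\My; the function name and parameters are hypothetical.

```powershell
# Added example: bind a CA-issued certificate to SQL Server via the registry, grant the
# service account read access to the private key, and restart the service.
# Assumed: elevated session, default instance MSSQLSERVER, instance ID MSSQL13.MSSQLSERVER.
function Set-SqlServerTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,    # may be pasted straight from the MMC snap-in
        [Parameter(Mandatory)][string]$ExpectedFqdn,  # the VM's public DNS name label
        [string]$InstanceId  = 'MSSQL13.MSSQLSERVER', # assumption; varies by version/instance
        [string]$ServiceName = 'MSSQLSERVER'
    )
    # Step 2 caveat: drop the invisible leading character (and any spaces) that MMC copies
    # along with the thumbprint. A SHA-1 thumbprint must be exactly 40 hex digits.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($clean.Length -ne 40) { throw "Thumbprint is not 40 hex digits after cleanup: '$clean'" }

    # Step 1: locate the certificate and check that its subject or SAN is the VM's FQDN.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $clean }
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key" }
    $names = @($cert.DnsNameList.Unicode) + $cert.GetNameInfo('SimpleName', $false)
    if ($names -notcontains $ExpectedFqdn) {
        throw "Certificate names ($($names -join ', ')) do not include $ExpectedFqdn"
    }

    # Step 2: point SQL Server at the certificate. Configuration Manager cannot do this here
    # because the VM's locally determined name differs from its public FQDN.
    $regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$InstanceId\MSSQLServer\SuperSocketNetLib"
    Set-ItemProperty -Path $regPath -Name 'Certificate' -Value $clean

    # Step 3: give the service account read access to the private key file; without it the
    # service will not start. The key lives in a different folder for CNG and legacy CSP keys.
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartName
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                             $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    & icacls.exe $keyFile /grant "${svcAccount}:R" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed to grant read access on $keyFile" }

    # Step 4: restart so the new certificate binding takes effect.
    Restart-Service -Name $ServiceName -Force
    Write-Output "SQL Server ($InstanceId) now presents certificate $clean for $ExpectedFqdn"
}
```

Run it as `Set-SqlServerTlsCertificate -Thumbprint '<pasted thumbprint>' -ExpectedFqdn '<your-VM-name>.<region>.cloudapp.chinacloudapi.cn'`; if the service fails to start afterwards, the Windows Application event log records whether the certificate or its private key could not be loaded.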

Configure SQL Server connectivity in the VM

After you set up the encrypted connection required by Azure Cognitive Search, there are additional configuration steps intrinsic to SQL Server on Azure VMs. If you haven't done so already, the next step is to finish configuration using either one of these articles:

In particular, review the section in each article on "connecting over the internet".

Configure the Network Security Group (NSG)

It is not unusual to configure the NSG and the corresponding Azure endpoint or Access Control List (ACL) to make your Azure VM accessible to other parties. Chances are you've done this before to allow your own application logic to connect to your SQL Azure VM. It's no different for an Azure Cognitive Search connection to your SQL Azure VM.

The links below provide instructions on NSG configuration for VM deployments. Use these instructions to ACL an Azure Cognitive Search endpoint based on its IP address.

Note

For background, see What is a Network Security Group?

IP addressing can pose a few challenges that are easily overcome if you are aware of the issue and the potential workarounds. The remaining sections provide recommendations for handling issues related to IP addresses in the ACL.

We strongly recommend that you restrict access in the ACL to the IP address of your search service and the IP address range of the AzureCognitiveSearch service tag, instead of making your SQL Azure VMs open to all connection requests.

You can find out the IP address by pinging the FQDN (for example, <your-search-service-name>.search.azure.cn) of your search service.

You can find out the IP address range of the AzureCognitiveSearch service tag either by using the downloadable JSON files or via the Service Tag Discovery API. The IP address range is updated weekly.

Managing IP address fluctuations

If your search service has only one search unit (that is, one replica and one partition), the IP address will change during routine service restarts, invalidating an existing ACL that contains your search service's IP address.

One way to avoid the resulting connectivity error is to use more than one replica and one partition in Azure Cognitive Search. Doing so increases the cost, but it also solves the IP address problem. In Azure Cognitive Search, IP addresses don't change when you have more than one search unit.

A second approach is to allow the connection to fail, and then reconfigure the ACLs in the NSG. On average, you can expect IP addresses to change every few weeks. For customers who do controlled indexing on an infrequent basis, this approach might be viable.

A third viable (but not particularly secure) approach is to specify the IP address range of the Azure region where your search service is provisioned. The list of IP ranges from which public IP addresses are allocated to Azure resources is published at Azure Datacenter IP ranges.

Include the Azure Cognitive Search portal IP addresses

If you are using the Azure portal to create an indexer, Azure Cognitive Search portal logic also needs access to your SQL Azure VM during creation time. The Azure Cognitive Search portal IP addresses can be found by pinging stamp2.search.ext.azure.cn.
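The NSG recommendations above (restrict the rule to the search service's IP, the AzureCognitiveSearch service-tag ranges and, while creating the indexer in the portal, the portal IPs; re-run after a restart or the weekly tag refresh) as an added example that is not part of the original article or Microsoft's own tooling. It assumes the Az PowerShell module with a session already connected to the China cloud, and uses hypothetical resource names ('rg-sql', 'nsg-sqlvm'), the region 'chinaeast2', the default SQL port 1433 and a placeholder search-service name.

```powershell
# Added example: rebuild one inbound NSG rule that admits SQL traffic only from the sources
# the article names, instead of opening the VM to all connection requests.
# Assumed: Az module, Connect-AzAccount already run against the China cloud, hypothetical names.
function Set-SearchIndexerSqlRule {
    param(
        [string]$SearchServiceName = '<your-search-service-name>',  # placeholder
        [string]$ResourceGroup     = 'rg-sql',                      # hypothetical
        [string]$NsgName           = 'nsg-sqlvm',                   # hypothetical
        [string]$Location          = 'chinaeast2',                  # assumed region
        [int]$SqlPort              = 1433
    )
    # Resolve the search service's current public IP (the article pings the FQDN; a DNS
    # lookup yields the same A record without needing ICMP).
    $searchIps = (Resolve-DnsName "$SearchServiceName.search.azure.cn" -Type A |
                  Where-Object { $_.Type -eq 'A' }).IPAddress
    # Portal IPs are only needed while the indexer is being created in the Azure portal.
    $portalIps = (Resolve-DnsName 'stamp2.search.ext.azure.cn' -Type A |
                  Where-Object { $_.Type -eq 'A' }).IPAddress
    # Service-tag prefixes via the Service Tag Discovery API; they are refreshed weekly,
    # so schedule this function rather than running it once.
    $tags = Get-AzNetworkServiceTag -Location $Location
    $searchTag = $tags.Values | Where-Object { $_.Name -eq 'AzureCognitiveSearch' }
    if (-not $searchTag) { throw "AzureCognitiveSearch service tag not found for $Location" }

    # Single addresses become /32 prefixes; @() forces arrays so '+' concatenates lists,
    # not strings, when DNS returns a single record.
    $sources = @((@($searchIps) + @($portalIps)) | ForEach-Object { "$_/32" }) +
               @($searchTag.Properties.AddressPrefixes)
    $sources = @($sources | Sort-Object -Unique)

    $ruleName = 'Allow-CognitiveSearch-SQL'
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
    # Replace any earlier version of the rule so an IP left over from a restarted
    # single-unit search service does not stay whitelisted.
    if ($nsg.SecurityRules.Name -contains $ruleName) {
        $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName
    }
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
        -Description 'Azure Cognitive Search indexer and portal to SQL Server' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 300 `
        -SourceAddressPrefix $sources -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $SqlPort
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
    Write-Output "Rule '$ruleName' now allows $($sources.Count) source prefixes on TCP $SqlPort"
}
```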

Next steps

With configuration out of the way, you can now specify SQL Server on an Azure VM as the data source for an Azure Cognitive Search indexer. See Connecting Azure SQL Database to Azure Cognitive Search using indexers for more information.