Configure IP firewall for Azure Cognitive Search

Azure Cognitive Search supports IP rules for inbound firewall filtering. This model adds a network-layer control to your search service, similar to the IP rules in an Azure virtual network security group. With these IP rules you can configure the search service to accept connections only from an approved set of machines and/or cloud services. The rules restrict who can reach the endpoint, not who can read the data: a caller from an approved address must still present a valid authorization token to access data stored in the service.

Important

IP rules on an Azure Cognitive Search service can be configured with the Azure portal or with the Management REST API version 2020-03-13.

Configure an IP firewall using the Azure portal

To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select Networking in the navigation menu. Endpoint networking connectivity must be Public. If connectivity is set to Private, the search service is reachable only through a Private Endpoint and IP rules do not apply.

Screenshot showing how to configure an IP firewall in the Azure portal

The Azure portal accepts individual IP addresses and IP address ranges in CIDR notation. For example, 8.8.8.0/24 denotes the 256 addresses from 8.8.8.0 through 8.8.8.255.

Note

After you enable the IP access control policy for your Azure Cognitive Search service, every request to the data plane from an address outside the allowed IP ranges is rejected. When IP rules are configured, some features of the Azure portal are disabled: you can still view and manage service-level information, but portal access to index data and to the service's components (index, indexer, and skillset definitions) is restricted for security reasons.

Requests from your current IP

To simplify development, the Azure portal can detect the IP address of your client machine and add it to the allowed list. Apps running on that machine can then reach your Azure Cognitive Search service.

The portal detects the client IP address automatically. Note that this may be the address of your machine or of the network gateway (for example, a NAT gateway) that your traffic leaves through, in which case every host behind that gateway is allowed as well. Remove this address before you move the workload to production.

To add your current IP to the list, select Add your client IP address, then select Save.

Screenshot showing how to configure the IP firewall settings to allow the current IP

Troubleshoot issues with an IP access control policy

You can troubleshoot issues with an IP access control policy using the following options:

Azure portal

Enabling an IP access control policy for your Azure Cognitive Search service blocks all requests from machines outside the allowed IP ranges, and that includes the Azure portal itself. You can still view and manage service-level information, but portal access to index data and to the service's components (index, indexer, and skillset definitions) is restricted for security reasons.

SDKs

When you access the Azure Cognitive Search service through an SDK from a machine that is not in the allowed list, a generic 403 Forbidden response is returned with no further details. Verify the allowed IP list for the service, confirm that the address the service actually sees (your public or gateway address, not a private LAN address) is in it, and make sure the updated configuration has finished applying to the search service. A missing or invalid api-key also yields a 403, so check the credential as well before changing the firewall.
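The following Python script is an added example and is not code from the original page or from the Azure SDKs. It serves the CIDR passage above (what a rule such as 8.8.8.0/24 covers) and this troubleshooting section (deciding whether a 403 is explained by the IP rules). It evaluates an allow list offline with the standard library's ipaddress module, and it builds the networkRuleSet fragment for the Management REST API. The helper names, the sample allow list, and the assumption that the 2020-03-13 API body uses ipRules entries of the form {"value": "<ip or cidr>"} are mine, not stated on the page.

```python
"""Added example: evaluate an Azure Cognitive Search IP firewall allow list
offline and build the Management REST API networkRuleSet fragment.

Assumptions (not from the page): helper names are ours; the request body shape
{"properties": {"networkRuleSet": {"ipRules": [{"value": "<ip or cidr>"}]}}}
is what api-version=2020-03-13 expects.
"""
import ipaddress
import json

# Constructed sample allow list: a corporate egress /24 plus one developer /32.
SAMPLE_RULES = ["8.8.8.0/24", "203.0.113.7"]


def parse_ip_rules(rules):
    """Normalise portal-style entries (single IPv4 addresses or CIDR blocks)
    into ip_network objects. A bare address such as '203.0.113.7' becomes a
    /32; strict=False tolerates host bits ('8.8.8.1/24' -> 8.8.8.0/24).
    A malformed entry raises ValueError, so validate before calling the API."""
    return [ipaddress.ip_network(r.strip(), strict=False) for r in rules]


def cidr_bounds(cidr):
    """First and last address covered by a CIDR block,
    e.g. '8.8.8.0/24' -> ('8.8.8.0', '8.8.8.255')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_allowed(client_ip, rules):
    """Mirror the firewall decision: a data-plane request is accepted only when
    the source address falls inside at least one allowed range. An IPv6 source
    never matches an IPv4 rule (ipaddress returns False across versions)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_ip_rules(rules))


def explain_403(client_ip, rules):
    """Troubleshooting aid for the generic 403 described on the page: report
    whether the address the service actually saw is on the list. Pass the
    public/NAT address, not a private LAN address, since that is what Azure sees."""
    if is_allowed(client_ip, rules):
        return (f"{client_ip} is in the allow list; the 403 is not an IP rule, "
                f"check the api-key or authorization token")
    return (f"{client_ip} is NOT in the allow list {rules}; add it (or the "
            f"gateway address your traffic leaves through) and wait for the "
            f"update to finish")


def network_rule_set_body(rules):
    """Properties fragment for a PUT/PATCH to
    .../providers/Microsoft.Search/searchServices/{name}?api-version=2020-03-13.
    The 'ipRules'/'value' field names are an assumption about the API schema."""
    parse_ip_rules(rules)  # raise on a bad entry before anything is sent
    return {"properties": {"networkRuleSet": {"ipRules": [{"value": r} for r in rules]}}}


if __name__ == "__main__":
    print(cidr_bounds("8.8.8.0/24"))
    print(explain_403("9.9.9.9", SAMPLE_RULES))
    print(json.dumps(network_rule_set_body(SAMPLE_RULES), indent=2))
```

Run explain_403 with the address returned by an external "what is my IP" service rather than the address shown by your NIC; when the two differ you are behind a gateway, which is exactly the case the portal's "Add your client IP address" option warns about.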