Create a Private Endpoint for a secure connection to Azure Cognitive Search

In this article, you'll use the Azure portal to create a new Azure Cognitive Search service instance that can't be accessed via the internet. Next, you'll configure an Azure virtual machine in the same virtual network and use it to access the search service via a private endpoint.

Important

Private Endpoint support for Azure Cognitive Search can be configured using the Azure portal or the Management REST API version 2020-03-13. When the service endpoint is private, some portal features are disabled. You'll be able to view and manage service-level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.

Why use a Private Endpoint for secure access?

Private Endpoints for Azure Cognitive Search allow a client on a virtual network to securely access data in a search index over a Private Link. The private endpoint uses an IP address from the virtual network address space for your search service. Network traffic between the client and the search service traverses the virtual network and a private link on the Microsoft backbone network, eliminating exposure to the public internet. For a list of other PaaS services that support Private Link, check the availability section in the product documentation.

Private endpoints for your search service enable you to:

  • Block all connections on the public endpoint for your search service.
  • Increase security for the virtual network, by enabling you to block exfiltration of data from the virtual network.
  • Securely connect to your search service from on-premises networks that connect to the virtual network using VPN or ExpressRoute with private peering.

Create the virtual network

In this section, you will create a virtual network and subnet to host the VM that will be used to access your search service's private endpoint.

  1. From the Azure portal home tab, select Create a resource > Networking > Virtual network.

  2. In Create virtual network, enter or select this information:

    Subscription: Select your subscription.
    Resource group: Select Create new, enter myResourceGroup, then select OK.
    Name: Enter MyVirtualNetwork.
    Region: Select your desired region.

  3. Leave the defaults for the rest of the settings. Click Review + create and then Create.

Create a search service with a private endpoint

In this section, you will create a new Azure Cognitive Search service with a Private Endpoint.

  1. On the upper-left side of the screen in the Azure portal, select Create a resource > Web > Azure Cognitive Search.

  2. In New Search Service - Basics, enter or select this information:

    PROJECT DETAILS
    Subscription: Select your subscription.
    Resource group: Select myResourceGroup. You created this in the previous section.

    INSTANCE DETAILS
    URL: Enter a unique name.
    Location: Select your desired region.
    Pricing tier: Select Change Pricing Tier and choose your desired service tier. (Not supported on the Free tier. Must be Basic or higher.)
  3. Select Next: Scale.

  4. Leave the values as default and select Next: Networking.

  5. In New Search Service - Networking, select Private for Endpoint connectivity (data).

  6. In New Search Service - Networking, select + Add under Private endpoint.

  7. In Create Private Endpoint, enter or select this information:

    Subscription: Select your subscription.
    Resource group: Select myResourceGroup. You created this in the previous section.
    Location: Select West US.
    Name: Enter myPrivateEndpoint.
    Target sub-resource: Leave the default searchService.

    NETWORKING
    Virtual network: Select MyVirtualNetwork from resource group myResourceGroup.
    Subnet: Select mySubnet.

    PRIVATE DNS INTEGRATION
    Integrate with private DNS zone: Leave the default Yes.
    Private DNS zone: Leave the default (New) privatelink.search.azure.cn.
  8. Select OK.

  9. Select Review + create. You're taken to the Review + create page, where Azure validates your configuration.

  10. When you see the Validation passed message, select Create.

  11. Once provisioning of your new service is complete, browse to the resource that you just created.

  12. Select Keys from the left content menu.

  13. Copy the Primary admin key for later, when connecting to the service.

Create a virtual machine

  1. On the upper-left side of the screen in the Azure portal, select Create a resource > Compute > Virtual machine.

  2. In Create a virtual machine - Basics, enter or select this information:

    PROJECT DETAILS
    Subscription: Select your subscription.
    Resource group: Select myResourceGroup. You created this in the previous section.

    INSTANCE DETAILS
    Virtual machine name: Enter myVm.
    Region: Select West US or whatever region you are using.
    Availability options: Leave the default No infrastructure redundancy required.
    Image: Select Windows Server 2019 Datacenter.
    Size: Leave the default Standard DS1 v2.

    ADMINISTRATOR ACCOUNT
    Username: Enter a username of your choosing.
    Password: Enter a password of your choosing. The password must be at least 12 characters long and meet the defined complexity requirements.
    Confirm Password: Reenter the password.

    INBOUND PORT RULES
    Public inbound ports: Leave the default Allow selected ports.
    Select inbound ports: Leave the default RDP (3389).

    SAVE MONEY
    Already have a Windows license?: Leave the default No.
  3. Select Next: Disks.

  4. In Create a virtual machine - Disks, leave the defaults and select Next: Networking.

  5. In Create a virtual machine - Networking, select this information:

    Virtual network: Leave the default MyVirtualNetwork.
    Address space: Leave the default 10.1.0.0/24.
    Subnet: Leave the default mySubnet (10.1.0.0/24).
    Public IP: Leave the default (new) myVm-ip.
    Public inbound ports: Select Allow selected ports.
    Select inbound ports: Select HTTP and RDP.

    Note

    IPv4 addresses can be expressed in CIDR format. Remember to avoid the IP ranges reserved for private networking, as described in RFC 1918:

    • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
  6. Select Review + create. You're taken to the Review + create page, where Azure validates your configuration.

  7. When you see the Validation passed message, select Create.

Connect to the VM

Download and then connect to the VM myVm as follows:

  1. In the portal's search bar, enter myVm.

  2. Select the Connect button. After selecting the Connect button, Connect to virtual machine opens.

  3. Select Download RDP File. Azure creates a Remote Desktop Protocol (.rdp) file and downloads it to your computer.

  4. Open the downloaded .rdp file.

    1. If prompted, select Connect.

    2. Enter the username and password you specified when creating the VM.

      Note

      You may need to select More choices > Use a different account to specify the credentials you entered when you created the VM.

  5. Select OK.

  6. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select Yes or Continue.

  7. Once the VM desktop appears, minimize it to go back to your local desktop.

Test connections

In this section, you will verify private network access to the search service and connect to it privately using the Private Endpoint.

When the search service endpoint is private, some portal features are disabled. You'll be able to view and manage service-level settings, but portal access to index data and various other components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.

  1. In the Remote Desktop of myVM, open PowerShell.

  2. Enter 'nslookup [search service name].search.azure.cn'

    You'll receive a message similar to this:

    Server:  UnKnown
    Address:  168.63.129.16
    Non-authoritative answer:
    Name:    [search service name].privatelink.search.azure.cn
    Address:  10.0.0.5
    Aliases:  [search service name].search.azure.cn
    
  3. From the VM, connect to the search service and create an index. You can follow this quickstart to create a new search index in your service using the REST API. Setting up requests from a Web API test tool requires the search service endpoint (https://[search service name].search.azure.cn) and the admin api-key you copied in a previous step.

  4. Completing the quickstart from the VM is your confirmation that the service is fully operational.

  5. Close the remote desktop connection to myVM.

  6. To verify that your service is not accessible on a public endpoint, open Postman on your local workstation and attempt the first several tasks in the quickstart. If you receive an error that the remote server does not exist, you have successfully configured a private endpoint for your search service.
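The DNS and data-plane checks in steps 2 through 6 can be scripted. The following PowerShell is an added example and not part of the original article or the Azure documentation; it assumes placeholder values for the service name and admin key, the 10.1.0.0/24 subnet from the VM networking step, and a Search REST API version of 2020-06-30.

```powershell
# Added example (not from the original article): run inside myVm to confirm that the
# search service name resolves through the privatelink zone to an address in the VNet
# subnet, and that the data plane answers over the private endpoint.
$serviceName = 'my-search-service'        # placeholder: your search service name
$adminKey    = 'PASTE-PRIMARY-ADMIN-KEY'  # placeholder: Primary admin key copied earlier
$apiVersion  = '2020-06-30'               # assumed Search REST API version
$hostName    = "$serviceName.search.azure.cn"

function Test-PrivateAddress {
    # True when the address is inside mySubnet (10.1.0.0/24) used in this article.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10 -and $b[1] -eq 1 -and $b[2] -eq 0)
}

# 1. DNS: the public name should CNAME to the privatelink name and return a
#    subnet address, matching the nslookup output shown above.
$answers = Resolve-DnsName -Name $hostName -Type A
$cname   = ($answers | Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1).NameHost
$ipv4    = ($answers | Where-Object { $_.QueryType -eq 'A' }     | Select-Object -First 1).IPAddress
Write-Host "CNAME: $cname"
Write-Host "A:     $ipv4"
if ($cname -notlike '*.privatelink.search.azure.cn') {
    Write-Warning 'Name does not resolve via the privatelink zone; check the private DNS zone link.'
}
if (-not $ipv4 -or -not (Test-PrivateAddress $ipv4)) {
    Write-Warning "Resolved address '$ipv4' is not in 10.1.0.0/24; traffic may not use the private endpoint."
}

# 2. Data plane: list indexes with the admin key over the private endpoint.
try {
    $resp = Invoke-RestMethod -Method Get `
        -Uri "https://$hostName/indexes?api-version=$apiVersion" `
        -Headers @{ 'api-key' = $adminKey; 'Content-Type' = 'application/json' }
    Write-Host "Private endpoint reachable; $($resp.value.Count) index(es) found."
} catch {
    Write-Warning "Request over the private endpoint failed: $($_.Exception.Message)"
}
```

Run from your local workstation instead of myVm, the same request is expected to fail, which is the check described in step 6.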

Clean up resources

When you're done using the Private Endpoint, search service, and the VM, delete the resource group and all of the resources it contains:

  1. Enter myResourceGroup in the Search box at the top of the portal and select myResourceGroup from the search results.
  2. Select Delete resource group.
  3. Enter myResourceGroup for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this article, you created a VM on a virtual network and a search service with a Private Endpoint. You connected to the VM from the internet and securely communicated with the search service using Private Link.