Allow access to Azure Service Bus namespaces via private endpoints

Azure Private Link Service lets you reach Azure services (for example, Azure Service Bus, Azure Storage, and Azure Cosmos DB) and Azure-hosted customer or partner services over a private endpoint in your virtual network.

Important

This feature is supported only with the premium tier of Azure Service Bus. For more information about the premium tier, see the Service Bus Premium and Standard messaging tiers article.

A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your VNet, effectively bringing the service into your VNet. All traffic to the service can be routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses the Azure backbone network and is never exposed to the public Internet. You connect to a specific instance of an Azure resource, which gives you the finest granularity of access control: the endpoint reaches that one namespace, not the Service Bus service as a whole.

Warning

Implementing private endpoints can prevent other Azure services from interacting with Service Bus. As an exception, you can allow access to Service Bus resources from certain trusted services even when private endpoints are enabled. For a list of trusted services, see Trusted services.

The following Azure services must be on a virtual network to reach a namespace through its private endpoint:

  • Azure App Service
  • Azure Functions

Add a private endpoint using Azure portal

Prerequisites

To integrate a Service Bus namespace with Azure Private Link, you need the following entities or permissions:

  • A Service Bus namespace.
  • An Azure virtual network.
  • A subnet in the virtual network. You can use the default subnet.
  • Owner or Contributor permissions on both the Service Bus namespace and the virtual network.

Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint in the portal, only virtual networks in that region are listed. Your Service Bus namespace can be in a different region. The private endpoint uses a private IP address from your virtual network.

Steps

If you already have a namespace, create a private endpoint for it by following these steps:

  1. Sign in to the Azure portal.

  2. In the search bar, type Service Bus.

  3. From the list, select the namespace to which you want to add a private endpoint.

  4. On the left menu, select the Networking option under Settings.

    Note

    The Networking tab is shown only for premium namespaces.

    By default, the Selected networks option is selected. If you don't add at least one IP firewall rule or virtual network on this page, the namespace can still be reached over the public Internet by anyone holding an access key. Creating a private endpoint on its own does not change this; you must also restrict public access.

    If you select the All networks option, your Service Bus namespace accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.

  5. To allow access to the namespace via private endpoints, select the Private endpoint connections tab at the top of the page.

  6. Select the + Private Endpoint button at the top of the page.

  7. On the Basics page, follow these steps:

    1. Select the Azure subscription in which to create the private endpoint.

    2. Select the resource group for the private endpoint resource.

    3. Enter a name for the private endpoint.

    4. Select a region for the private endpoint. It must be in the same region as your virtual network, but can be in a different region from the private link resource (the namespace) you are connecting to.

    5. Select the Next: Resource > button at the bottom of the page.

  8. On the Resource page, follow these steps:

    1. For the connection method, if you select Connect to an Azure resource in my directory, follow these steps:
      1. Select the Azure subscription in which your Service Bus namespace exists.

      2. For Resource type, select Microsoft.ServiceBus/namespaces.

      3. For Resource, select a Service Bus namespace from the drop-down list.

      4. Confirm that Target sub-resource is set to namespace.

      5. Select the Next: Configuration > button at the bottom of the page.

    2. If you select Connect to an Azure resource by resource ID or alias, follow these steps:
      1. Enter the resource ID or alias. It can be a resource ID or alias that someone has shared with you. The easiest way to get the resource ID is to navigate to the Service Bus namespace in the Azure portal and copy the portion of the URI starting from /subscriptions/.

      2. For Target sub-resource, enter namespace. This is the type of sub-resource that your private endpoint can access.

      3. (Optional) Enter a request message. The resource owner sees this message when managing the private endpoint connection.

      4. Select the Next: Configuration > button at the bottom of the page.

  9. On the Configuration page, select the subnet in the virtual network where the private endpoint is to be deployed.

    1. Select a virtual network. Only virtual networks in the currently selected subscription and location are listed in the drop-down list.

    2. Select a subnet in the virtual network you selected.

    3. Select the Next: Tags > button at the bottom of the page.

  10. On the Tags page, create any tags (names and values) that you want to associate with the private endpoint resource. Then select the Review + create button at the bottom of the page.

  11. On the Review + create page, review all the settings, and select Create to create the private endpoint.

  12. Confirm that the private endpoint is created. If you are the owner of the resource and selected Connect to an Azure resource in my directory as the connection method, the endpoint connection should be auto-approved. If it's in the Pending state, see the Manage private endpoints using Azure portal section.

Trusted Microsoft services

When you enable the Allow trusted Microsoft services to bypass this firewall setting, the following services are granted network access to your Service Bus resources. Bypassing the firewall is not authorization: the service still has to authenticate and be authorized, which is why the role assignment below is required.

Trusted service: Azure Event Grid
Supported usage scenarios: Allows Azure Event Grid to send events to queues or topics in your Service Bus namespace. You also need to do the following steps:
  • Enable the system-assigned identity for the topic or domain.
  • Add that identity to the Azure Service Bus Data Sender role on the Service Bus namespace.
  • Then configure the event subscription that uses a Service Bus queue or topic as an endpoint to use the system-assigned identity.

For more information, see Event delivery with a managed identity.
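As an added example (not part of the original page), here is the PowerShell equivalent of the Event Grid setup above for a namespace whose firewall denies by default. It assumes Az.ServiceBus 2.x (for the -TrustedServiceAccessEnabled switch) and Az.Resources, that the topic's system-assigned identity is already enabled, and that the resource group, namespace, queue and principal ID placeholders are filled in by you.

```powershell
# Added example: let Azure Event Grid (a trusted Microsoft service) deliver events to a
# namespace whose firewall otherwise denies traffic. Assumes Az.ServiceBus 2.x and
# Az.Resources; every value in angle brackets is a placeholder.
$rgName        = "<RESOURCE GROUP NAME>"
$namespaceName = "<NAMESPACE NAME>"
$queueName     = "<QUEUE NAME>"
# Principal (object) ID of the Event Grid topic's system-assigned identity.
# Assumption: the identity is already enabled and the ID was copied from the topic's Identity blade.
$eventGridPrincipalId = "<TOPIC MANAGED IDENTITY PRINCIPAL ID>"

$namespace = Get-AzServiceBusNamespace -ResourceGroupName $rgName -NamespaceName $namespaceName

# 1. Keep the firewall closed by default, but let trusted Microsoft services bypass it.
Set-AzServiceBusNetworkRuleSet -ResourceGroupName $rgName -NamespaceName $namespaceName `
    -DefaultAction Deny `
    -TrustedServiceAccessEnabled

# 2. The bypass only gets Event Grid past the network rules; it still needs data-plane
#    authorization. Grant the least-privilege role (Data Sender, not Owner) and scope it
#    to the single queue rather than the whole namespace.
$queueScope = "$($namespace.Id)/queues/$queueName"
$existing = Get-AzRoleAssignment -ObjectId $eventGridPrincipalId -Scope $queueScope `
                -RoleDefinitionName "Azure Service Bus Data Sender" -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $eventGridPrincipalId `
        -RoleDefinitionName "Azure Service Bus Data Sender" `
        -Scope $queueScope | Out-Null
}

# 3. Read the effective rule set back instead of trusting that the call succeeded.
$rules = Get-AzServiceBusNetworkRuleSet -ResourceGroupName $rgName -NamespaceName $namespaceName
[pscustomobject]@{
    DefaultAction        = $rules.DefaultAction
    TrustedServiceAccess = $rules.TrustedServiceAccessEnabled
    IpRuleCount          = @($rules.IPRule).Count
    VnetRuleCount        = @($rules.VirtualNetworkRule).Count
}
```

Scoping the role to the queue means that a compromised or misconfigured event subscription can only write to that queue; the event subscription itself is then configured (in Event Grid) to deliver with the system-assigned identity, as the steps above describe.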

Add a private endpoint using PowerShell

The following example shows you how to use Azure PowerShell to create a private endpoint connection to a Service Bus namespace.

Your private endpoint and virtual network must be in the same region. Your Service Bus namespace can be in a different region. The private endpoint uses a private IP address from your virtual network.


$rgName = "<RESOURCE GROUP NAME>"
$vnetLocation = "<VNET LOCATION>"
$vnetName = "<VIRTUAL NETWORK NAME>"
$subnetName = "<SUBNET NAME>"
$namespaceLocation = "<NAMESPACE LOCATION>"
$namespaceName = "<NAMESPACE NAME>"
$peConnectionName = "<PRIVATE ENDPOINT CONNECTION NAME>"
$privateEndpointName = "<PRIVATE ENDPOINT NAME>"

# create resource group (Azure PowerShell; the Azure CLI command 'az group create' does not belong in this script)
New-AzResourceGroup -Name $rgName -Location $vnetLocation

# create virtual network
$virtualNetwork = New-AzVirtualNetwork `
                    -ResourceGroupName $rgName `
                    -Location $vnetLocation `
                    -Name $vnetName `
                    -AddressPrefix 10.0.0.0/16

# create subnet with private endpoint network policies disabled
# (required to place a private endpoint in the subnet; note that NSG rules on the subnet are then not enforced for the endpoint's NIC)
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
                    -Name $subnetName `
                    -AddressPrefix 10.0.0.0/24 `
                    -PrivateEndpointNetworkPoliciesFlag "Disabled" `
                    -VirtualNetwork $virtualNetwork

# update virtual network
$virtualNetwork | Set-AzVirtualNetwork

# create premium service bus namespace (private endpoints require the Premium tier)
$namespaceResource = New-AzResource `
                        -Location $namespaceLocation `
                        -ResourceName $namespaceName `
                        -ResourceGroupName $rgName `
                        -Sku @{name = "Premium"; capacity = 1} `
                        -Properties @{} `
                        -ResourceType "Microsoft.ServiceBus/namespaces"

# create a private link service connection; "namespace" is the target sub-resource (group ID)
$privateEndpointConnection = New-AzPrivateLinkServiceConnection `
                                -Name $peConnectionName `
                                -PrivateLinkServiceId $namespaceResource.ResourceId `
                                -GroupId "namespace"

# get the subnet object that you will use in the next step
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = $virtualNetwork | Select-Object -ExpandProperty Subnets `
                                | Where-Object { $_.Name -eq $subnetName }

# now, create the private endpoint (give it its own name; the original script reused the VNet name here)
$privateEndpoint = New-AzPrivateEndpoint -ResourceGroupName $rgName `
                                -Name $privateEndpointName `
                                -Location $vnetLocation `
                                -Subnet $subnet `
                                -PrivateLinkServiceConnection $privateEndpointConnection

# show the namespace properties, including its private endpoint connections
(Get-AzResource -ResourceId $namespaceResource.ResourceId -ExpandProperties).Properties
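The networking note in the portal steps above warns that Selected networks with no rules still leaves the namespace open to anyone with an access key, and creating the private endpoint does not change that. The following added example (not from the original page) closes public access after the script above has run and then verifies the result. It assumes Az.ServiceBus 2.x (for the -PublicNetworkAccess parameter), Az.Network, and the $rgName and $namespaceName variables from the script.

```powershell
# Added example: once the private endpoint exists, make it the only way in.
# Assumes Az.ServiceBus 2.x, Az.Network and the variables from the script above.

# 1. Deny by default and switch off public network access. With PublicNetworkAccess
#    disabled, IP rules and VNet service endpoint rules no longer grant access; only
#    private endpoints (and trusted services, if that bypass is enabled) get through.
Set-AzServiceBusNetworkRuleSet -ResourceGroupName $rgName -NamespaceName $namespaceName `
    -DefaultAction Deny `
    -PublicNetworkAccess Disabled

# 2. Read the effective rule set back rather than trusting that the call succeeded.
$rules = Get-AzServiceBusNetworkRuleSet -ResourceGroupName $rgName -NamespaceName $namespaceName
if ($rules.DefaultAction -ne "Deny" -or $rules.PublicNetworkAccess -ne "Disabled") {
    throw "Namespace $namespaceName is still reachable from public networks: DefaultAction=$($rules.DefaultAction), PublicNetworkAccess=$($rules.PublicNetworkAccess)"
}

# 3. List the private endpoint connections the namespace knows about and flag any
#    approved endpoint that does not live in our own resource group.
$namespaceId = (Get-AzServiceBusNamespace -ResourceGroupName $rgName -NamespaceName $namespaceName).Id
$connections = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $namespaceId)
foreach ($c in $connections) {
    [pscustomobject]@{
        Name            = $c.Name
        Status          = $c.PrivateLinkServiceConnectionState.Status
        PrivateEndpoint = $c.PrivateEndpoint.Id
    }
}
$unexpected = $connections | Where-Object {
    $_.PrivateLinkServiceConnectionState.Status -eq "Approved" -and
    $_.PrivateEndpoint.Id -notlike "/subscriptions/*/resourceGroups/$rgName/*"
}
if ($unexpected) {
    Write-Warning "Approved private endpoints from outside $rgName : $(($unexpected | ForEach-Object Name) -join ', ')"
}
```

Step 3 is the check worth keeping in a scheduled job: a private endpoint approved from a foreign subscription is a tenant-to-tenant path into the namespace that no IP or VNet rule will show you.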

Manage private endpoints using Azure portal

When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory, you can approve the connection request yourself, provided you have sufficient permissions. If you're connecting to an Azure resource in another directory, you must wait for the owner of that resource to approve your connection request.

There are four provisioning states:

Service action   Service consumer private endpoint state   Description
None             Pending                                   Connection was created manually and is pending approval from the Private Link resource owner.
Approve          Approved                                  Connection was automatically or manually approved and is ready to be used.
Reject           Rejected                                  Connection was rejected by the Private Link resource owner.
Remove           Disconnected                              Connection was removed by the Private Link resource owner; the private endpoint becomes informative only and should be deleted for cleanup.

Approve, reject, or remove a private endpoint connection

  1. Sign in to the Azure portal.
  2. In the search bar, type Service Bus.
  3. Select the namespace that you want to manage.
  4. Select the Networking tab.
  5. Go to the appropriate section below based on the operation you want to perform: approve, reject, or remove.

Approve a private endpoint connection

  1. If there are any pending connections, you see a connection listed with Pending in the provisioning state.

  2. Select the private endpoint you want to approve.

  3. Select the Approve button.

  4. On the Approve connection page, enter an optional comment, and select Yes. If you select No, nothing happens.

  5. The status of the connection in the list changes to Approved.

Reject a private endpoint connection

  1. To reject a private endpoint connection, whether it is a pending request or an existing connection that was approved earlier, select the endpoint connection and click the Reject button.

  2. On the Reject connection page, enter an optional comment, and select Yes. If you select No, nothing happens.

  3. The status of the connection in the list changes to Rejected.

Remove a private endpoint connection

  1. To remove a private endpoint connection, select it in the list, and select Remove on the toolbar.

  2. On the Delete connection page, select Yes to confirm the deletion of the private endpoint. If you select No, nothing happens.

  3. The status changes to Disconnected, and then the endpoint disappears from the list.
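The same approve, reject and remove actions can be scripted, which matters when connection requests arrive from other subscriptions or directories and you want a recorded decision rather than a click. This added example (not part of the original page) uses the Az.Network cmdlets Approve-AzPrivateEndpointConnection, Deny-AzPrivateEndpointConnection and Remove-AzPrivateEndpointConnection; the resource names and the allow list of requester subscription IDs are placeholders you must fill in.

```powershell
# Added example: decide on pending private endpoint connections from a script.
# Assumes Az.Network and Az.ServiceBus; values in angle brackets are placeholders.
$rgName        = "<RESOURCE GROUP NAME>"
$namespaceName = "<NAMESPACE NAME>"
# Assumption: only private endpoints created from these subscriptions may connect.
$allowedSubscriptionIds = @("<SUBSCRIPTION ID>")

$namespaceId = (Get-AzServiceBusNamespace -ResourceGroupName $rgName -NamespaceName $namespaceName).Id

foreach ($conn in Get-AzPrivateEndpointConnection -PrivateLinkResourceId $namespaceId) {
    if ($conn.PrivateLinkServiceConnectionState.Status -ne "Pending") { continue }

    # The requester's private endpoint resource ID starts with /subscriptions/<id>/...,
    # so the third path segment identifies who is asking.
    $requesterSub = ($conn.PrivateEndpoint.Id -split "/")[2]

    if ($allowedSubscriptionIds -contains $requesterSub) {
        Approve-AzPrivateEndpointConnection -ResourceId $conn.Id `
            -Description "Approved: requester subscription $requesterSub is on the allow list" | Out-Null
        Write-Output "Approved $($conn.Name) from subscription $requesterSub"
    }
    else {
        # Reject rather than leave Pending: a pending request is still visible to the
        # requester, and a written reason ends up in the connection state for auditing.
        Deny-AzPrivateEndpointConnection -ResourceId $conn.Id `
            -Description "Rejected: subscription $requesterSub is not an approved consumer" | Out-Null
        Write-Output "Rejected $($conn.Name) from subscription $requesterSub"
    }
}

# Removing a connection (the portal's Remove) deletes it on the provider side; the
# consumer's private endpoint goes to Disconnected and its owner must delete it.
# Remove-AzPrivateEndpointConnection -ResourceId "<CONNECTION RESOURCE ID>" -Force
```

The description text is stored with the connection, so the consumer sees why a request was rejected and you keep a trail of who was allowed in and on what basis.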

Validate that the private link connection works

You should validate that resources within the virtual network of the private endpoint connect to your Service Bus namespace over a private IP address, and that they have the correct private DNS zone integration.

First, create a virtual machine by following the steps in Create a Windows virtual machine in the Azure portal.

In the Networking tab:

  1. Specify Virtual network and Subnet. You must select the virtual network in which you deployed the private endpoint.
  2. Specify a public IP resource.
  3. For NIC network security group, select None.
  4. For Load balancing, select No.

Connect to the VM, open the command line, and run the following command:

nslookup <service-bus-namespace-name>.servicebus.chinacloudapi.cn

You should see a result that looks like the following:

Non-authoritative answer:
Name:    <service-bus-namespace-name>.privatelink.servicebus.chinacloudapi.cn
Address:  10.0.0.4 (private IP address associated with the private endpoint)
Aliases:  <service-bus-namespace-name>.servicebus.chinacloudapi.cn

If the name instead resolves to a public IP address, the privatelink private DNS zone is not linked to the VM's virtual network, and traffic from that VM would take the public path rather than the private endpoint.
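An added example (not from the original page) that turns the nslookup check above into a script you can run on the VM: it asserts that the name resolves through the privatelink zone to an address inside the private endpoint's subnet, then checks that the AMQP-over-TLS port answers. It assumes Windows PowerShell (Resolve-DnsName and Test-NetConnection) and that the namespace name and subnet prefix placeholders are filled in; Test-IpInPrefix is a helper written for this example.

```powershell
# Added example: verify, from inside the VNet, that the namespace FQDN resolves via the
# privatelink zone to a private endpoint address and that the endpoint actually answers.
# Assumes Windows PowerShell; values in angle brackets are placeholders.
$namespaceName = "<NAMESPACE NAME>"
$fqdn          = "$namespaceName.servicebus.chinacloudapi.cn"
$subnetPrefix  = "10.0.0.0/24"   # the subnet the private endpoint was deployed into

# Helper (not a built-in cmdlet): is an IPv4 address inside a CIDR prefix?
function Test-IpInPrefix([string]$Ip, [string]$Prefix) {
    $net, $bits = $Prefix -split "/"
    # GetAddressBytes() is big-endian; reverse so BitConverter reads it as one uint32.
    $ipInt  = [BitConverter]::ToUInt32(([IPAddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([IPAddress]$net).GetAddressBytes()[3..0], 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

$records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$cnames  = @($records | Where-Object Type -eq "CNAME" | Select-Object -ExpandProperty NameHost)
$aRecs   = @($records | Where-Object Type -eq "A"     | Select-Object -ExpandProperty IPAddress)

# The public name must CNAME through the privatelink zone for the private DNS zone to apply.
$viaPrivateLink = @($cnames | Where-Object { $_ -like "*.privatelink.servicebus.chinacloudapi.cn" })
$privateIps     = @($aRecs  | Where-Object { Test-IpInPrefix $_ $subnetPrefix })

if ($viaPrivateLink.Count -eq 0) {
    Write-Warning "$fqdn did not resolve through the privatelink zone; check the private DNS zone link to this VNet. CNAMEs: $($cnames -join ', ')"
}
if ($privateIps.Count -eq 0) {
    Write-Warning "$fqdn resolved to $($aRecs -join ', '), none inside $subnetPrefix; traffic would leave over the public path."
}
else {
    Write-Output "$fqdn -> $($privateIps -join ', ') via $($cnames -join ' -> ')"
    # 5671 is AMQP over TLS. A name that resolves privately but does not answer usually
    # means the connection is still Pending or an NSG is blocking the VM's subnet.
    Test-NetConnection -ComputerName $fqdn -Port 5671 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
}
```

Checking the CNAME chain as well as the final address matters: a stale hosts entry or a forwarder that returns a private address for the public name would pass an IP-only test while bypassing the private DNS zone you are trying to validate.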

Limitations and design considerations

Pricing: For pricing information, see Azure Private Link pricing.

Limitations: This feature is available in all Azure public regions.

Maximum number of private endpoints per Service Bus namespace: 120.

Next Steps