Azure SQL Connectivity Architecture

Note

This article applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.

Important

This article does not apply to Azure SQL Database Managed Instance. Refer to Connectivity architecture for a managed instance.

This article explains the architecture of the various components that direct network traffic to Azure SQL Database or SQL Data Warehouse. It also explains the different connection policies and how they affect clients connecting from within Azure and clients connecting from outside of Azure.

Connectivity architecture

The following diagram provides a high-level overview of the Azure SQL Database connectivity architecture.

Diagram: Architecture overview

The following steps describe how a connection is established to an Azure SQL database:

  • Clients connect to the gateway, which has a public IP address and listens on port 1433.
  • The gateway, depending on the effective connection policy, redirects or proxies the traffic to the right database cluster.
  • Inside the database cluster, traffic is forwarded to the appropriate Azure SQL database.

Connection policy

Azure SQL Database supports the following three options for the connection policy setting of a SQL Database server:

  • Redirect (recommended): Clients establish connections directly to the node hosting the database, leading to reduced latency and improved throughput. For connections to use this mode, clients need to:

    • Allow outbound communication from the client to all Azure SQL IP addresses in the region on ports in the range 11000 to 11999. Use the Service Tags for SQL to make this easier to manage.
    • Allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.
  • Proxy: In this mode, all connections are proxied via the Azure SQL Database gateways, leading to increased latency and reduced throughput. For connections to use this mode, clients need to allow outbound communication from the client to Azure SQL Database gateway IP addresses on port 1433.

  • Default: This is the connection policy in effect on all servers after creation unless you explicitly alter the connection policy to either Proxy or Redirect. The default policy is Redirect for all client connections originating inside of Azure (for example, from an Azure Virtual Machine) and Proxy for all client connections originating outside (for example, connections from your local workstation).

We highly recommend the Redirect connection policy over the Proxy connection policy for the lowest latency and highest throughput. However, you will need to meet the additional requirements for allowing network traffic as outlined above. If the client is an Azure Virtual Machine, you can accomplish this using Network Security Groups (NSG) with service tags. If the client is connecting from a workstation on-premises, you may need to work with your network admin to allow network traffic through your corporate firewall.

Connectivity from within Azure

If you are connecting from within Azure, your connections have a connection policy of Redirect by default. A policy of Redirect means that after the TCP session is established to the Azure SQL database, the client session is redirected to the right database cluster by changing the destination virtual IP from that of the Azure SQL Database gateway to that of the cluster. Thereafter, all subsequent packets flow directly to the cluster, bypassing the Azure SQL Database gateway. The following diagram illustrates this traffic flow.

Diagram: Architecture overview (Redirect traffic flow)

Connectivity from outside of Azure

If you are connecting from outside Azure, your connections have a connection policy of Proxy by default. A policy of Proxy means that the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway. The following diagram illustrates this traffic flow.

Diagram: Architecture overview (Proxy traffic flow)

Important

Additionally, open ports 14000-14999 to enable connecting with the DAC (Dedicated Administrator Connection).

Azure SQL Database gateway IP addresses

The table below lists the IP addresses of the gateways by region. To connect to an Azure SQL Database, you need to allow network traffic to and from all gateways for the region.

Region Name     Gateway IP Addresses
China East      139.219.130.35
China East 2    40.73.82.1
China North     139.219.15.17
China North 2   40.73.50.0
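The following added example (not part of the original article or of any Microsoft tooling) turns the connection policy rules and the DAC port note above into a pre-flight check a client can run: it resolves the effective policy the way the Default option is described, lists the outbound destinations and port ranges the client's firewall or NSG must allow, and probes the region's gateway on port 1433. The gateway addresses are the ones in the table above; the use of the `Sql` service tag as a stand-in for "all Azure SQL IP addresses in the region", and the assumption that the DAC range targets that same address set, are this example's own.

```python
import socket
from typing import Dict, List, Tuple

# Gateway IPs as listed in the table above, keyed by region name.
GATEWAY_IPS: Dict[str, List[str]] = {
    "China East": ["139.219.130.35"],
    "China East 2": ["40.73.82.1"],
    "China North": ["139.219.15.17"],
    "China North 2": ["40.73.50.0"],
}

def effective_policy(configured: str, client_in_azure: bool) -> str:
    """Resolve the server's configured policy to the one that actually applies.
    Default means Redirect for clients inside Azure and Proxy for clients outside."""
    if configured == "Default":
        return "Redirect" if client_in_azure else "Proxy"
    if configured not in ("Redirect", "Proxy"):
        raise ValueError(f"unknown connection policy: {configured}")
    return configured

def required_outbound_rules(configured: str, client_in_azure: bool, region: str,
                            allow_dac: bool = False) -> List[Tuple[str, str]]:
    """Return (destination, port range) pairs the client must be allowed to reach.
    'Sql' is the service tag standing in for all Azure SQL IPs in the region
    (assumption of this example; use the regional tag your environment provides)."""
    policy = effective_policy(configured, client_in_azure)
    # Both policies need the region's gateways on 1433.
    rules = [(ip, "1433") for ip in GATEWAY_IPS[region]]
    if policy == "Redirect":
        # Redirect additionally needs the per-node ports in the region.
        rules.append(("Sql", "11000-11999"))
    if allow_dac:
        # DAC range from the Important note; destination is assumed here.
        rules.append(("Sql", "14000-14999"))
    return rules

def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Probe whether this client can open a TCP connection to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight_gateways(region: str) -> Dict[str, bool]:
    """Probe every gateway listed for the region on port 1433; False means the
    gateway is blocked from this client (both Redirect and Proxy would fail)."""
    return {ip: tcp_reachable(ip, 1433) for ip in GATEWAY_IPS[region]}
```

A False entry from `preflight_gateways` points at an outbound block on port 1433 toward the gateway, which neither connection policy can work around; a reachable gateway but failing Redirect session is the signature of the 11000-11999 range being blocked.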

Next steps