Connect your application to Azure SQL Database managed instance

Today you have multiple choices for how and where to host your application.

You can host the application in the cloud, either in Azure App Service or in one of Azure's virtual network (VNet) integrated options such as App Service Environment, Virtual Machines, or Virtual Machine Scale Sets. You can also take a hybrid cloud approach and keep the application on-premises.

Whichever option you choose, you can connect the application to a managed instance.


Connect an application inside the same VNet

This scenario is the simplest. Virtual machines inside a VNet can connect to each other directly, even when they are in different subnets. That means all you need to do to connect an application running in an App Service Environment or a virtual machine in the same VNet is to set the connection string appropriately.

Connect an application inside a different VNet

This scenario is a bit more complex because the managed instance has a private IP address in its own VNet. To connect, the application needs access to the VNet where the managed instance is deployed, so you first have to connect the application's VNet to the managed instance VNet. The VNets do not have to be in the same subscription for this to work.

There are two options for connecting VNets. Peering is the preferable one because it uses the Azure backbone network: from a connectivity perspective there is no noticeable difference in latency between virtual machines in peered VNets and virtual machines in the same VNet. VNet peering is limited to networks in the same region.


The VNet peering scenario for managed instance is limited to networks in the same region because of the constraints of global virtual network peering. See the relevant section of the Azure Virtual Networks FAQ for details.

Connect an on-premises application

A managed instance can only be accessed through a private IP address. To reach it from on-premises, you need a site-to-site connection between the application's network and the managed instance VNet.

There are two options for connecting an on-premises network to an Azure VNet.

If the on-premises to Azure connection is established but you still cannot connect to the managed instance, check that your firewall allows outbound connections on SQL port 1433 and on the 11000-11999 port range, which is used for redirection.
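The firewall check above, combined with the connection string setting from the same-VNet section, as an added example that is not part of the original page: a PowerShell triage script run from the on-premises application host. It separates "TCP 1433 is blocked" from "1433 is open but the SQL session still fails", which is the symptom of a firewall that permits 1433 but drops the 11000-11999 redirect range. The host name is a placeholder, and the script assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later (System.Data.SqlClient); the same port requirement applies to the Network Security Group check in the troubleshooting section.

```powershell
# Added example (not from the page). Replace the placeholder host name with the
# private host name of your managed instance; the login is prompted for, never
# hard-coded.
$ServerHost = 'mi-example.abc123def456.database.windows.net'   # placeholder
$Cred       = Get-Credential -Message 'SQL login for the managed instance'

function Test-TcpPort ([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000) {
    # A plain TCP connect with a timeout: a dropped (filtered) port times out,
    # an unroutable one throws, an open one completes.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Dispose() }
}

function New-MiConnectionString ([string]$HostName, [pscredential]$Credential, [string]$Database = 'master') {
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource             = "tcp:$HostName,1433"   # 1433 = gateway; redirects then use 11000-11999
    $b.InitialCatalog         = $Database
    $b.UserID                 = $Credential.UserName
    $b.Password               = $Credential.GetNetworkCredential().Password
    $b.Encrypt                = $true    # TLS on the wire, even on a private path
    $b.TrustServerCertificate = $false   # keep certificate validation on; do not flip this to "make it work"
    $b.ConnectTimeout         = 30
    return $b.ConnectionString
}

$ip = [System.Net.Dns]::GetHostAddresses($ServerHost) | Select-Object -First 1
"{0} resolves to {1} (expected: a private address from the managed instance subnet)" -f $ServerHost, $ip

if (-not (Test-TcpPort $ServerHost 1433)) {
    "TCP 1433 to $ServerHost is blocked or unroutable: check the site-to-site tunnel, the routes, and the firewall's outbound rule for 1433."
    return
}
"TCP 1433 is open; attempting a SQL login (with the redirect connection type this also needs a node port in 11000-11999)..."

$conn = New-Object System.Data.SqlClient.SqlConnection (New-MiConnectionString $ServerHost $Cred)
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT @@SERVERNAME AS ServerName, CAST(SERVERPROPERTY('EngineEdition') AS int) AS EngineEdition"
    $r = $cmd.ExecuteReader()
    if ($r.Read()) { "Connected to {0}; EngineEdition {1} (8 = Azure SQL Managed Instance)" -f $r['ServerName'], $r['EngineEdition'] }
    $r.Close()
} catch [System.Data.SqlClient.SqlException] {
    "Login failed although TCP 1433 succeeded: {0}" -f $_.Exception.Message
    "A timeout at this stage usually means the on-premises firewall blocks outbound TCP 11000-11999 (the redirect range)."
} finally {
    $conn.Dispose()
}
```

Run it from the on-premises host that runs the application, not from a jump box inside Azure, so that it exercises the same firewall path the application uses.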

Connect an application on the developer's box

A managed instance can be accessed only through a private IP address, so to reach it from your developer box you first need a connection between the developer box and the managed instance VNet. To do so, configure a point-to-site connection to the VNet using native Azure certificate authentication. For more information, see Configure a point-to-site connection to connect to an Azure SQL Database managed instance from an on-premises computer.
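The certificate side of that point-to-site setup, as an added example that is not part of the original page or of the linked article: a self-signed root whose public part is registered with the gateway, one client certificate per developer so that a single box can be revoked without re-issuing everyone's certificate, and the revocation call itself. The gateway name 'vpngw-mi', resource group 'rg-hub' and developer name 'alice' are hypothetical; the script assumes Windows 10 or Windows Server 2016 or later (for New-SelfSignedCertificate's parameters), the Az PowerShell module, and an existing VPN gateway already configured for point-to-site.

```powershell
# Added example (not from the page). Run on the machine that holds the root key;
# that key signs every client certificate, so keep it off developer boxes.
$GatewayName   = 'vpngw-mi'   # hypothetical
$ResourceGroup = 'rg-hub'     # hypothetical
$Developer     = 'alice'      # hypothetical

# Self-signed root certificate (CA-like: KeyUsage CertSign).
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# One client certificate per developer, signed by the root, with the
# client-authentication EKU (1.3.6.1.5.5.7.3.2) the gateway requires.
$clientName = "$Developer-devbox"
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# The gateway only needs the root's public part (Base64-encoded DER), never the key.
$rootPublic = [System.Convert]::ToBase64String($root.RawData)
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -PublicCertData $rootPublic | Out-Null

# Hand the client certificate and its private key to the developer as a
# password-protected PFX; they import it into their personal store.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for $clientName"
Export-PfxCertificate -Cert $client -FilePath ".\$clientName.pfx" -Password $pfxPassword | Out-Null
"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)  (record it: revocation is by thumbprint)"

# When the developer leaves or the box is lost, revoke that one certificate by
# thumbprint; the root and the other developers' certificates stay valid.
$RevokeNow = $false   # set to $true to revoke this client certificate
if ($RevokeNow) {
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $clientName `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
        -Thumbprint $client.Thumbprint | Out-Null
}
```

Issuing per-developer certificates costs nothing extra and is what makes revocation precise; a shared client certificate can only be revoked for everyone at once.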

Connect from on-premises with VNet peering

Another scenario customers implement is a VPN gateway installed in a separate virtual network, and subscription, from the one hosting the managed instance. The two virtual networks are then peered. The following sample architecture diagram shows how this can be implemented.

(Diagram: VNet peering)

Once the basic infrastructure is set up, you need to modify some settings so that the VPN gateway can see the IP addresses in the virtual network that hosts the managed instance. To do so, make the following changes under the Peering settings:

  1. In the VNet that hosts the VPN gateway, go to Peerings, open the peering to the managed instance VNet, and select Allow gateway transit.
  2. In the VNet that hosts the managed instance, go to Peerings, open the peering to the VPN gateway VNet, and select Use remote gateways.

Connect an Azure App Service hosted application

A managed instance can be accessed only through a private IP address, so to reach it from Azure App Service you first need a connection between the application and the managed instance VNet. See Integrate your app with an Azure Virtual Network.

For troubleshooting, see Troubleshooting VNets and Applications. If a connection cannot be established, try syncing the networking configuration.

A special case of connecting Azure App Service to a managed instance is when App Service is integrated with a network that is peered to the managed instance VNet. That case requires the following configuration:

  • The managed instance VNet must NOT have a gateway
  • The managed instance VNet must have the Use remote gateways option set
  • The peered VNet must have the Allow gateway transit option set

This scenario is illustrated in the following diagram:



The VNet Integration feature does not integrate an app with a VNet that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, VNet Integration does not work. If you need to access resources through an ExpressRoute connection, you can use an App Service Environment, which runs in your VNet.

Troubleshooting connectivity issues

To troubleshoot connectivity issues, review the following:

  • If you cannot connect to the managed instance from an Azure virtual machine in the same VNet but a different subnet, check whether a Network Security Group on the VM subnet is blocking access. Also note that outbound connections on SQL port 1433 and on ports 11000-11999 must be allowed, because they are needed for connecting via redirection inside the Azure boundary.

  • Ensure that BGP propagation is set to Enabled on the route table associated with the VNet.

  • If you use a P2S VPN, check the configuration in the Azure portal to see whether the Ingress/Egress counters are populated. Non-zero numbers indicate that Azure is routing traffic to and from on-premises.


  • Check that the client machine (the one running the VPN client) has route entries for all the VNets you need to access. The routes are stored in %AppData%\Microsoft\Network\Connections\Cm\<GUID>\routes.txt.

    As shown in this image, there are two entries for each VNet involved and a third entry for the VPN endpoint configured in the portal.

    Another way to check the routes is the following command. The output shows the routes to the various subnets:

    C:\>route print -4
    Interface List
    14...54 ee 75 67 6b 39 ......Intel(R) Ethernet Connection (3) I218-LM
    18...94 65 9c 7d e5 ce ......Intel(R) Dual Band Wireless-AC 7265
    1...........................Software Loopback Interface 1
    IPv4 Route Table
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
          On-link     43
          On-link     43
    Persistent Routes:

  • If you use VNet peering, make sure you have followed the instructions for setting Allow gateway transit and Use remote gateways.
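The route check in the list above, done programmatically rather than by reading route print output, as an added example that is not part of the original page: it asks Windows for the IPv4 route table and reports, for each VNet address space you expect, which route covers it, ignoring the default route so a missing VPN route cannot hide behind it. The prefixes 10.10.0.0/16 (hub VNet with the VPN gateway) and 10.20.0.0/16 (managed instance VNet) are hypothetical; replace them with your own address spaces. Runs on the P2S client with Windows PowerShell 5.1 or later (Get-NetRoute).

```powershell
# Added example (not from the page).

function ConvertTo-UInt32Address ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)             # network byte order -> host order for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-PrefixCovers ([string]$Route, [string]$Target) {
    # True when the CIDR $Route contains the whole CIDR $Target.
    $rNet, $rBits = $Route.Split('/')
    $tNet, $tBits = $Target.Split('/')
    if ([int]$rBits -gt [int]$tBits) { return $false }   # a narrower route cannot cover a wider target
    $all32 = [long][uint32]::MaxValue                     # avoid 0xFFFFFFFF, which PowerShell reads as -1
    $mask  = ($all32 -shl (32 - [int]$rBits)) -band $all32
    $r = [long](ConvertTo-UInt32Address $rNet)
    $t = [long](ConvertTo-UInt32Address $tNet)
    return ($r -band $mask) -eq ($t -band $mask)
}

function Test-VnetRoutes ([string[]]$VnetPrefixes) {
    # Exclude the default route: it "covers" everything and would mask a missing VPN route.
    $routes = Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.DestinationPrefix -ne '0.0.0.0/0' }
    foreach ($prefix in $VnetPrefixes) {
        $hits = @($routes | Where-Object { Test-PrefixCovers $_.DestinationPrefix $prefix })
        if ($hits.Count -eq 0) {
            Write-Warning "$prefix has no route: the VPN client did not receive it. Check Use remote gateways / Allow gateway transit on the peering, then reconnect the VPN."
            continue
        }
        foreach ($r in $hits) {
            "{0,-16} covered by {1,-18} on '{2}' (metric {3})" -f $prefix, $r.DestinationPrefix, $r.InterfaceAlias, $r.RouteMetric
        }
    }
}

# The routes the VPN client pushes are also listed in its profile folder.
Get-ChildItem -Path "$env:APPDATA\Microsoft\Network\Connections\Cm" -Filter routes.txt -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { "VPN profile routes file: $($_.FullName)" }

Test-VnetRoutes -VnetPrefixes '10.10.0.0/16', '10.20.0.0/16'
```

A route that covers the managed instance prefix but points at the wrong interface (for example the corporate LAN instead of the VPN adapter) is the other common failure; the interface alias in the output makes that visible.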

Required versions of drivers and tools

The following minimum versions of tools and drivers are recommended for connecting to a managed instance:

Driver/tool        Version
.NET Framework     4.6.1 (or .NET Core)
ODBC driver        v17
PHP driver
JDBC driver
Node.js driver
OLEDB driver
SSMS               18.0 or higher
SMO                150 or higher

Next steps