Configure Azure Storage firewalls and virtual networks

Azure Storage provides a layered security model. This model lets you secure and control the level of access to your storage accounts that your applications and enterprise environments demand, based on the type and subset of networks or resources used. When network rules are configured, only applications requesting data over the specified set of networks or through the specified set of Azure resources can access a storage account. You can limit access to your storage account to requests originating from specified IP addresses, IP ranges, subnets in an Azure Virtual Network (VNet), or resource instances of some Azure services.

Storage accounts have a public endpoint that is accessible through the internet. You can also create private endpoints for your storage account, which assign a private IP address from your VNet to the storage account and carry all traffic between your VNet and the storage account over a private link. The Azure Storage firewall provides access control for the public endpoint of your storage account only. When you use private endpoints, you can also use the firewall to block all access through the public endpoint. Your storage firewall configuration also lets selected trusted Azure platform services access the storage account.

An application that accesses a storage account when network rules are in effect still requires proper authorization for the request: network rules restrict where a request may come from, they do not replace authentication. Authorization is supported with Azure Active Directory (Azure AD) credentials for blobs and queues, with a valid account access key, or with a SAS token.

Important

Turning on firewall rules for your storage account blocks incoming requests for data by default, unless the requests originate from a service operating within an Azure Virtual Network (VNet) or from allowed public IP addresses. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on.

You can grant access to Azure services that operate from within a VNet by allowing traffic from the subnet hosting the service instance. You can also enable a limited number of scenarios through the exceptions mechanism described below. To access data from the storage account through the Azure portal, you need to be on a machine within the trusted boundary (either IP or VNet) that you set up.

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Scenarios

To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint by default. Then configure rules that grant access to traffic from specific VNets. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration lets you build a secure network boundary for your applications.

You can combine firewall rules that allow access from specific virtual networks and from public IP address ranges on the same storage account. Storage firewall rules can be applied to existing storage accounts or when creating new storage accounts.

Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. Approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint.

Network rules are enforced on all network protocols for Azure Storage, including REST and SMB. To access data using tools such as the Azure portal, Storage Explorer, and AzCopy, explicit network rules must be configured.

Once network rules are applied, they're enforced for all requests. SAS tokens that restrict access to a specific IP address further limit the token holder, but they don't grant access beyond the configured network rules: a request must both pass the firewall and carry valid authorization.

Virtual machine disk traffic (including mount and unmount operations, and disk IO) is not affected by network rules. REST access to page blobs is protected by network rules.

Classic storage accounts do not support firewalls and virtual networks.

You can use unmanaged disks in storage accounts with network rules applied to back up and restore VMs by creating an exception. This process is documented in the Manage exceptions section of this article. Firewall exceptions aren't applicable to managed disks, because they're already managed by Azure.

Change the default network access rule

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action.

Warning

Making changes to network rules can affect your applications' ability to connect to Azure Storage. Setting the default network rule to Deny blocks all access to the data unless specific network rules that grant access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

Managing default network access rules

You can manage default network access rules for storage accounts through the Azure portal, PowerShell, or Azure CLI v2.

  1. Go to the storage account you want to secure.

  2. Select the settings menu called Networking.

  3. To deny access by default, choose to allow access from Selected networks. To allow traffic from all networks, choose to allow access from All networks.

  4. Select Save to apply your changes.
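The ordering rule in the warning above is easy to get wrong from a script. The following PowerShell, added here as an example and not code from the original page, reads the account's current rule set with the Az.Storage cmdlets, refuses to switch DefaultAction to Deny while no IP or virtual network rule exists, and then prints what is still admitted through the public endpoint. The resource group and account names are placeholders, and the -AllowNoRules switch is this example's own convention for private-endpoint-only accounts, where Deny with no rules is the intended end state.

```powershell
# Added example, not from the original page: set a storage account's default
# network action to Deny, but refuse while no allow rule exists, since Deny with
# no rules cuts off every public-endpoint client (the Azure portal included).
# $rg and $account are assumed placeholder names. Requires the Az.Storage module
# and an authenticated session (Connect-AzAccount).

$rg      = "myResourceGroup"
$account = "mystorageaccount"

function Set-StorageDefaultDeny {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name,
        # Pass this only when the account is reached through private endpoints,
        # which these rules do not govern, and the public endpoint should be closed.
        [switch]$AllowNoRules
    )
    $ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $Name
    $allowRules = @($ruleSet.IpRules).Count + @($ruleSet.VirtualNetworkRules).Count

    if ($ruleSet.DefaultAction -eq "Deny") {
        Write-Verbose "DefaultAction on ${Name} is already Deny."
    }
    elseif ($allowRules -eq 0 -and -not $AllowNoRules) {
        throw "Refusing to set DefaultAction=Deny on ${Name}: no IP or virtual network rules exist. Add allow rules first, or pass -AllowNoRules for a private-endpoint-only account."
    }
    else {
        Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $Name `
            -DefaultAction Deny | Out-Null
    }
    # Return the effective rule set so the caller can review what still reaches
    # the public endpoint after the change.
    Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $Name
}

$result = Set-StorageDefaultDeny -ResourceGroupName $rg -Name $account
"DefaultAction : $($result.DefaultAction)"
"Bypass        : $($result.Bypass)"
$result.IpRules             | ForEach-Object { "IP rule       : $($_.IPAddressOrRange)" }
$result.VirtualNetworkRules | ForEach-Object { "VNet rule     : $($_.VirtualNetworkResourceId)" }
```

The Bypass line is worth reading before you consider the account locked down: exceptions for trusted services, logging and metrics (see Manage exceptions) are still honoured after the default action is Deny.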

Grant access from a virtual network

You can configure storage accounts to allow access only from specific subnets. The allowed subnets may belong to a VNet in the same subscription or to one in a different subscription, including subscriptions belonging to a different Azure Active Directory tenant.

Enable a service endpoint for Azure Storage within the VNet. The service endpoint routes traffic from the VNet through an optimal path to the Azure Storage service. The identities of the subnet and the virtual network are also transmitted with each request, which is what allows the storage firewall to match a request against a virtual network rule. Administrators can then configure network rules for the storage account that allow requests to be received from specific subnets in a VNet. Clients granted access via these network rules must still meet the authorization requirements of the storage account to access the data.

Each storage account supports up to 200 virtual network rules, which may be combined with IP network rules.

Available virtual network regions

In general, service endpoints work between virtual networks and service instances in the same Azure region. When using service endpoints with Azure Storage, this scope grows to include the paired region. Service endpoints allow continuity during a regional failover and access to read-access geo-redundant storage (RA-GRS) instances. Network rules that grant access from a virtual network to a storage account also grant access to any RA-GRS instance.

When planning for disaster recovery during a regional outage, create the VNets in the paired region in advance. Enable service endpoints for Azure Storage, with network rules granting access from these alternative virtual networks. Then apply these rules to your geo-redundant storage accounts.

Note

Service endpoints don't apply to traffic outside the region of the virtual network and the designated region pair. You can only apply network rules granting access from virtual networks to storage accounts in the primary region of a storage account or in the designated paired region.

Required permissions

To apply a virtual network rule to a storage account, the user must have the appropriate permissions for the subnets being added. The permission needed is Join Service to a Subnet, which is included in the Storage Account Contributor built-in role. It can also be added to custom role definitions.

The storage account and the virtual networks granted access may be in different subscriptions, including subscriptions that are part of a different Azure AD tenant.

Note

Rules that grant access to subnets in virtual networks that are part of a different Azure Active Directory tenant can currently only be configured through PowerShell, CLI, and REST APIs. Such rules cannot be configured through the Azure portal, though they can be viewed there.

Managing virtual network rules

You can manage virtual network rules for storage accounts through the Azure portal, PowerShell, or Azure CLI v2.

  1. Go to the storage account you want to secure.

  2. Select the settings menu called Networking.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to a virtual network with a new network rule, under Virtual networks, select Add existing virtual network, select the Virtual networks and Subnets options, and then select Add. To create a new virtual network and grant it access, select Add new virtual network. Provide the information necessary to create the new virtual network, and then select Create.

    Note

    If a service endpoint for Azure Storage wasn't previously configured for the selected virtual network and subnets, you can configure it as part of this operation.

    Presently, only virtual networks belonging to the same Azure Active Directory tenant are shown for selection during rule creation. To grant access to a subnet in a virtual network belonging to another tenant, use PowerShell, CLI, or REST APIs.

  5. To remove a virtual network or subnet rule, select ... to open the context menu for the virtual network or subnet, and select Remove.

  6. Select Save to apply your changes.
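The same procedure with the Az PowerShell cmdlets, added here as an example rather than code from the original page, including the cross-tenant case the portal cannot handle. All resource names, the subscription ID and the foreign subnet's resource ID are placeholders.

```powershell
# Added example, not from the original page: enable the Microsoft.Storage service
# endpoint on a subnet, add a virtual network rule for it, then add a rule for a
# subnet in another subscription or tenant by its full resource ID (which the
# portal cannot do). Every name and the foreign resource ID are placeholders.
# Requires Az.Network and Az.Storage, an authenticated session, and the
# "Join Service to a Subnet" permission on each subnet being added.

$rg         = "myResourceGroup"
$account    = "mystorageaccount"
$vnetName   = "myVNet"
$subnetName = "app-subnet"

# 1. Read the subnet and add the Microsoft.Storage service endpoint if it is missing.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

$endpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
if ($endpoints -notcontains "Microsoft.Storage") {
    $endpoints += "Microsoft.Storage"
    # Set-AzVirtualNetworkSubnetConfig rewrites the subnet definition, so carry the
    # existing NSG and route table associations across explicitly.
    $params = @{
        VirtualNetwork  = $vnet
        Name            = $subnetName
        AddressPrefix   = $subnet.AddressPrefix
        ServiceEndpoint = $endpoints
    }
    if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroupId = $subnet.NetworkSecurityGroup.Id }
    if ($subnet.RouteTable)           { $params.RouteTableId           = $subnet.RouteTable.Id }
    Set-AzVirtualNetworkSubnetConfig @params | Set-AzVirtualNetwork | Out-Null
}

# 2. Allow the same-tenant subnet. The rule references the subnet by resource ID.
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $subnet.Id | Out-Null

# 3. Allow a subnet in a different subscription or Azure AD tenant. Subscription ID,
#    resource group and names below are placeholders; that subnet must already have
#    the Microsoft.Storage endpoint enabled by someone with rights in that tenant.
$foreignSubnetId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/partner-rg" +
                   "/providers/Microsoft.Network/virtualNetworks/partner-vnet/subnets/partner-subnet"
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account `
    -VirtualNetworkResourceId $foreignSubnetId | Out-Null

# 4. Verify. State is Succeeded for a live subnet; NetworkSourceDeleted means the
#    subnet behind a rule no longer exists and the rule should be removed.
(Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account).VirtualNetworkRules |
    Format-Table VirtualNetworkResourceId, State -AutoSize
```

The final listing doubles as a periodic hygiene check: a rule whose subnet was deleted and later recreated with the same name is a new resource, so stale entries should be removed and re-added rather than assumed to still apply.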

Grant access from an internet IP range

You can configure storage accounts to allow access from specific public internet IP address ranges. This configuration grants access to specific internet-based services and on-premises networks and blocks general internet traffic.

Provide allowed internet address ranges using CIDR notation in the form 16.17.18.0/24 or as individual IP addresses like 16.17.18.19.

Note

Small address ranges using "/31" or "/32" prefix sizes are not supported. These ranges should be configured using individual IP address rules.

IP network rules are only allowed for public internet IP addresses. IP address ranges reserved for private networks (as defined in RFC 1918) aren't allowed in IP rules. Private networks include addresses that start with 10.*, 172.16.* through 172.31.*, and 192.168.*.

Note

IP network rules have no effect on requests originating from the same Azure region as the storage account. Use virtual network rules to allow same-region requests.

Note

Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you cannot restrict access to specific Azure services based on their public outbound IP address range; use virtual network rules, resource instance rules, or trusted service exceptions for those cases.

Only IPv4 addresses are supported for configuration of storage firewall rules.

Each storage account supports up to 200 IP network rules.

Configuring access from on-premises networks

To grant access from your on-premises networks to your storage account with an IP network rule, you must identify the internet-facing IP addresses used by your network. Contact your network administrator for help.

If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you will need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses applied to Azure service traffic when the traffic enters the Azure network backbone. For Microsoft peering, the NAT IP addresses used are either customer provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. Learn more about NAT for ExpressRoute public and Microsoft peering.

Managing IP network rules

You can manage IP network rules for storage accounts through the Azure portal, PowerShell, or Azure CLI v2.

  1. Go to the storage account you want to secure.

  2. Select the settings menu called Networking.

  3. Check that you've selected to allow access from Selected networks.

  4. To grant access to an internet IP range, enter the IP address or address range (in CIDR format) under Firewall > Address Range.

  5. To remove an IP network rule, select the trash can icon next to the address range.

  6. Select Save to apply your changes.
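An added PowerShell example, not from the original page, that pre-checks candidate rules against the constraints in this section before calling Add-AzStorageAccountNetworkRule: it rejects IPv6 and RFC 1918 addresses, rewrites a /32 as a single address, expands a /31 into its two individual addresses, and checks the 200-rule limit. The candidate list and account names are constructed placeholders, and the Test-StorageIpRule function is this example's own.

```powershell
# Added example, not from the original page: validate candidate IP rules locally
# (public IPv4 only, no RFC 1918 space, no /31 or /32 prefixes) and add the
# valid ones to the storage firewall. Candidates and names are constructed.
# Requires Az.Storage and an authenticated session for the final step.

$rg      = "myResourceGroup"
$account = "mystorageaccount"

# Constructed candidates: two valid, one private, one /32 (rewritten), one /31
# (expanded to two addresses), one IPv6 (rejected).
$candidates = @(
    "16.17.18.0/24",
    "203.0.113.7",
    "10.1.2.0/24",
    "198.51.100.9/32",
    "198.51.100.10/31",
    "2001:db8::/32"
)

function Test-StorageIpRule {
    # Returns Input, the Rules to submit (possibly rewritten), and a Reason if rejected.
    param([Parameter(Mandatory)][string]$Candidate)
    $out   = [ordered]@{ Input = $Candidate; Rules = @(); Reason = $null }
    $parts = $Candidate.Split('/')
    $ip    = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) {
        $out.Reason = "not an IP address"; return [pscustomobject]$out
    }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        $out.Reason = "IPv6 is not supported"; return [pscustomobject]$out
    }
    $b = $ip.GetAddressBytes()
    if (($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) {
        $out.Reason = "RFC 1918 private range"; return [pscustomobject]$out
    }
    if ($parts.Count -eq 1) { $out.Rules = @($parts[0]); return [pscustomobject]$out }
    $prefix = $parts[1] -as [int]
    if ($null -eq $prefix -or $prefix -lt 0 -or $prefix -gt 32) {
        $out.Reason = "invalid prefix length"; return [pscustomobject]$out
    }
    switch ($prefix) {
        32 { $out.Rules = @($parts[0]) }   # /32: submit as a single address instead
        31 { $out.Rules = @(               # /31: submit both hosts individually
                 ("{0}.{1}.{2}.{3}" -f $b[0], $b[1], $b[2], ($b[3] -band 0xFE)),
                 ("{0}.{1}.{2}.{3}" -f $b[0], $b[1], $b[2], ($b[3] -bor 1))) }
        default { $out.Rules = @($Candidate) }
    }
    return [pscustomobject]$out
}

$results = $candidates | ForEach-Object { Test-StorageIpRule -Candidate $_ }
$results | Format-Table Input, Rules, Reason -AutoSize

$toAdd    = @($results | ForEach-Object { $_.Rules })
$existing = @((Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $account).IpRules).Count
if ($existing + $toAdd.Count -gt 200) {
    throw "Adding $($toAdd.Count) rule(s) to $existing existing would exceed the 200 IP rule limit."
}
foreach ($rule in $toAdd) {
    Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $account -IPAddressOrRange $rule | Out-Null
}
```

Rejecting RFC 1918 space locally matters beyond avoiding an API error: an on-premises range that reaches Azure through a NAT or ExpressRoute never arrives with its private source address, so the rule that is needed is for the NAT addresses described above, not the internal subnet.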

Grant access from Azure resource instances (preview)

In some cases, an application might depend on Azure resources that cannot be isolated through a virtual network or an IP address rule. However, you'd still like to secure and restrict storage account access to only your application's Azure resources. You can configure storage accounts to allow access to specific resource instances of some Azure services by creating a resource instance rule.

The types of operations that a resource instance can perform on storage account data are determined by the Azure role assignments of the resource instance; the rule only controls network reachability. Resource instances must be from the same tenant as your storage account, but they can belong to any subscription in the tenant.

Note

Resource instance rules are currently only supported for Azure Synapse. Support for other Azure services listed in the Trusted access based on system-assigned managed identity section of this article will be available in the coming weeks.

You can add or remove resource network rules in the Azure portal.

  1. Sign in to the Azure portal to get started.

  2. Locate your storage account and display the account overview.

  3. Select Networking to display the configuration page for networking.

  4. In the Resource type drop-down list, choose the resource type of your resource instance.

  5. In the Instance name drop-down list, choose the resource instance. You can also choose to include all resource instances in the active tenant, subscription, or resource group. A rule scoped to a whole tenant or subscription admits every current and future instance of that resource type there, so prefer the individual instance where you can.

  6. Select Save to apply your changes. The resource instance appears in the Resource instances section of the network settings page.

To remove a resource instance, select the delete icon next to it.

Grant access to trusted Azure services

Some Microsoft services operate from networks that can't be included in your network rules. You can grant a subset of such trusted Microsoft services access to the storage account while maintaining network rules for other apps. These trusted services then use strong authentication to connect to your storage account.

You can grant access to trusted Azure services by creating a network rule exception. For step-by-step guidance, see the Manage exceptions section of this article. The exception is coarse, covering the services listed below, which is why the tip further down recommends resource instance rules when you need to admit one specific resource.

When you grant access to trusted Azure services, you grant the following types of access:

  • Trusted access for select operations to resources that are registered in your subscription.
  • Trusted access to resources based on system-assigned managed identity.

Trusted access for resources registered in your subscription

Resources of some services, when registered in your subscription, can access your storage account in the same subscription for select operations, such as writing logs or backup. The following list gives each service, its resource provider name, and the operations allowed.

  • Azure Backup (Microsoft.RecoveryServices): Run backups and restores of unmanaged disks in IaaS virtual machines (not required for managed disks).
  • Azure Data Box (Microsoft.DataBox): Enables import of data to Azure using Data Box.
  • Azure Event Grid (Microsoft.EventGrid): Enable Blob Storage event publishing and allow Event Grid to publish to storage queues.
  • Azure Event Hubs (Microsoft.EventHub): Archive data with Event Hubs Capture.
  • Azure HDInsight (Microsoft.HDInsight): Provision the initial contents of the default file system for a new HDInsight cluster.
  • Azure Import/Export (Microsoft.ImportExport): Enables import of data to Azure Storage or export of data from Azure Storage using the Azure Storage Import/Export service.
  • Azure Monitor (Microsoft.Insights): Allows writing of monitoring data to a secured storage account, including resource logs, Azure Active Directory sign-in and audit logs, and Microsoft Intune logs.
  • Azure Networking (Microsoft.Network): Store and analyze network traffic logs, including through the Network Watcher and Traffic Analytics services.
  • Azure Site Recovery (Microsoft.SiteRecovery): Enable replication for disaster recovery of Azure IaaS virtual machines when using firewall-enabled cache, source, or target storage accounts.

Trusted access based on system-assigned managed identity

The following list gives services that can have access to your storage account data if the resource instances of those services are given the appropriate permission. To grant permission, you must explicitly assign an Azure role to the system-assigned managed identity for each resource instance. In this case, the scope of access for the instance corresponds to the Azure role assigned to the managed identity.

Tip

The recommended way to grant access to specific resources is to use resource instance rules. To grant access to specific resource instances, see the Grant access from Azure resource instances (preview) section of this article.

  • Azure API Management (Microsoft.ApiManagement/service): Enables API Management service access to storage accounts behind the firewall using policies.
  • Azure Cognitive Search (Microsoft.Search/searchServices): Enables Cognitive Search services to access storage accounts for indexing, processing, and querying.
  • Azure Container Registry Tasks (Microsoft.ContainerRegistry/registries): ACR Tasks can access storage accounts when building container images.
  • Azure Data Factory (Microsoft.DataFactory/factories): Allows access to storage accounts through the ADF runtime.
  • Azure Data Share (Microsoft.DataShare/accounts): Allows access to storage accounts through Data Share.
  • Azure Logic Apps (Microsoft.Logic/workflows): Enables logic apps to access storage accounts.
  • Azure Machine Learning Service (Microsoft.MachineLearningServices): Authorized Azure Machine Learning workspaces write experiment output, models, and logs to Blob storage and read the data.
  • Azure Migrate (Microsoft.Migrate/migrateprojects): Allows access to storage accounts through Azure Migrate.
  • Azure SQL Database (Microsoft.Sql): Allows writing audit data to storage accounts behind the firewall.
  • Azure Synapse Analytics (Microsoft.Sql): Allows import and export of data from specific SQL databases using the COPY statement or PolyBase.
  • Azure Stream Analytics (Microsoft.StreamAnalytics): Allows data from a streaming job to be written to Blob storage.
  • Azure Synapse Analytics (Microsoft.Synapse/workspaces): Enables access to data in Azure Storage from Azure Synapse Analytics.

Grant access to storage analytics

In some cases, access to read resource logs and metrics is required from outside the network boundary. When configuring trusted services access to the storage account, you can allow read access for the log files, the metrics tables, or both by creating a network rule exception. For step-by-step guidance, see the Manage exceptions section below. To learn more about working with storage analytics, see Use Azure Storage analytics to collect logs and metrics data.

Manage exceptions

You can manage network rule exceptions through the Azure portal, PowerShell, or Azure CLI v2.

  1. Go to the storage account you want to secure.

  2. Select the settings menu called Networking.

  3. Check that you've selected to allow access from Selected networks.

  4. Under Exceptions, select the exceptions you wish to grant.

  5. Select Save to apply your changes.
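An added PowerShell example, not from the original page, that sets the three exceptions as one Bypass value and returns the effective setting. The Set-StorageFirewallExceptions function and the placeholder names are this example's own; the Bypass values Logging, Metrics, AzureServices and None are those accepted by Update-AzStorageAccountNetworkRuleSet.

```powershell
# Added example, not from the original page: set the firewall exceptions for a
# storage account in one call and confirm the result. $rg/$account are assumed
# placeholders; requires Az.Storage and an authenticated session.

$rg      = "myResourceGroup"
$account = "mystorageaccount"

function Set-StorageFirewallExceptions {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Name,
        [switch]$ReadLogs,         # Logging       : read access to storage analytics log files
        [switch]$ReadMetrics,      # Metrics       : read access to metrics tables
        [switch]$TrustedServices   # AzureServices : the trusted Microsoft services listed above
    )
    # Bypass is a single flags value, so compute the full desired set and write it
    # once rather than toggling exceptions one at a time.
    $bypass = @()
    if ($ReadLogs)        { $bypass += "Logging" }
    if ($ReadMetrics)     { $bypass += "Metrics" }
    if ($TrustedServices) { $bypass += "AzureServices" }
    if ($bypass.Count -eq 0) { $bypass = @("None") }

    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $Name `
        -Bypass ($bypass -join ",") | Out-Null

    # Return the effective setting so the caller can confirm it.
    (Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroupName -Name $Name).Bypass
}

# Storage analytics read access only: the narrowest exception when you just need
# logs and metrics collected from outside the boundary.
Set-StorageFirewallExceptions -ResourceGroupName $rg -Name $account -ReadLogs -ReadMetrics

# Add the trusted-services exception only when a listed service (for example
# Azure Backup of unmanaged disks, or Azure Monitor writing resource logs) needs it.
Set-StorageFirewallExceptions -ResourceGroupName $rg -Name $account -ReadLogs -ReadMetrics -TrustedServices
```

Because the function writes the whole set each time, running it with fewer switches later removes the exceptions you leave out; that is intentional, so that the account's exceptions always match the last declared state rather than accumulating.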

Next steps

Learn more about Azure network service endpoints in Service endpoints.

Dig deeper into Azure Storage security in the Azure Storage security guide.