Use private endpoints for Azure Storage

You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses an IP address from the VNet address space for your storage account service. Network traffic between the clients on the VNet and the storage account traverses the VNet and a private link on the Microsoft backbone network, eliminating exposure to the public internet.

Using private endpoints for your storage account enables you to:

  • Secure your storage account by configuring the storage firewall to block all connections on the public endpoint for the storage service.
  • Increase security for the virtual network (VNet) by enabling you to block exfiltration of data from the VNet.
  • Securely connect to storage accounts from on-premises networks that connect to the VNet using VPN or ExpressRoute with private peering.

Conceptual overview

Figure: Overview of private endpoints for Azure Storage

A private endpoint is a special network interface for an Azure service in your Virtual Network (VNet). When you create a private endpoint for your storage account, it provides secure connectivity between clients on your VNet and your storage. The private endpoint is assigned an IP address from the IP address range of your VNet. The connection between the private endpoint and the storage service uses a secure private link.

Applications in the VNet can connect to the storage service over the private endpoint seamlessly, using the same connection strings and authorization mechanisms that they would use otherwise. Private endpoints can be used with all protocols supported by the storage account, including REST and SMB.

Private endpoints can be created in subnets that use Service Endpoints. Clients in a subnet can thus connect to one storage account using a private endpoint, while using service endpoints to access others.

When you create a private endpoint for a storage service in your VNet, a consent request is sent for approval to the storage account owner. If the user requesting the creation of the private endpoint is also an owner of the storage account, this consent request is automatically approved.

Storage account owners can manage consent requests and the private endpoints through the 'Private endpoints' tab for the storage account in the Azure portal.

Tip

If you want to restrict access to your storage account through the private endpoint only, configure the storage firewall to deny or control access through the public endpoint.

You can secure your storage account to only accept connections from your VNet by configuring the storage firewall to deny access through its public endpoint by default. You don't need a firewall rule to allow traffic from a VNet that has a private endpoint, since the storage firewall only controls access through the public endpoint. Private endpoints instead rely on the consent flow for granting subnets access to the storage service.

Private endpoints for Azure Storage

When creating the private endpoint, you must specify the storage account and the storage service to which it connects. You need a separate private endpoint for each storage service in a storage account that you need to access, namely Blobs, Data Lake Storage Gen2, Files, Queues, Tables, or Static Websites.

Tip

Create a separate private endpoint for the secondary instance of the storage service for better read performance on RA-GRS accounts.

For read access to the secondary region with a storage account configured for geo-redundant storage, you need separate private endpoints for both the primary and secondary instances of the service. You don't need to create a private endpoint for the secondary instance for failover. The private endpoint will automatically connect to the new primary instance after failover. For more information about storage redundancy options, see Azure Storage redundancy.

Connecting to private endpoints

Clients on a VNet using the private endpoint should use the same connection string for the storage account as clients connecting to the public endpoint. We rely upon DNS resolution to automatically route the connections from the VNet to the storage account over a private link.

Important

Use the same connection string to connect to the storage account using private endpoints as you'd use otherwise. Please don't connect to the storage account using its 'privatelink' subdomain URL.

We create a private DNS zone attached to the VNet with the necessary updates for the private endpoints by default. However, if you're using your own DNS server, you may need to make additional changes to your DNS configuration. The section on DNS changes below describes the updates required for private endpoints.

DNS changes for private endpoints

When you create a private endpoint, the DNS CNAME resource record for the storage account is updated to an alias in a subdomain with the prefix 'privatelink'. By default, we also create a private DNS zone, corresponding to the 'privatelink' subdomain, with the DNS A resource records for the private endpoints.

When you resolve the storage endpoint URL from outside the VNet with the private endpoint, it resolves to the public endpoint of the storage service. When resolved from the VNet hosting the private endpoint, the storage endpoint URL resolves to the private endpoint's IP address.

For the example illustrated above, the DNS resource records for the storage account 'StorageAccountA', when resolved from outside the VNet hosting the private endpoint, will be:

Name                                                     Type   Value
StorageAccountA.blob.core.chinacloudapi.cn               CNAME  StorageAccountA.privatelink.blob.core.chinacloudapi.cn
StorageAccountA.privatelink.blob.core.chinacloudapi.cn   CNAME  <storage service public endpoint>
<storage service public endpoint>                        A      <storage service public IP address>

As previously mentioned, you can deny or control access for clients outside the VNet through the public endpoint using the storage firewall.

The DNS resource records for StorageAccountA, when resolved by a client in the VNet hosting the private endpoint, will be:

Name                                                     Type   Value
StorageAccountA.blob.core.chinacloudapi.cn               CNAME  StorageAccountA.privatelink.blob.core.chinacloudapi.cn
StorageAccountA.privatelink.blob.core.chinacloudapi.cn   A      10.1.1.5

This approach enables access to the storage account using the same connection string for clients on the VNet hosting the private endpoints, as well as for clients outside the VNet.

If you are using a custom DNS server on your network, clients must be able to resolve the FQDN for the storage account endpoint to the private endpoint IP address. You should configure your DNS server to delegate your private link subdomain to the private DNS zone for the VNet, or configure the A records for 'StorageAccountA.privatelink.blob.core.chinacloudapi.cn' with the private endpoint IP address.

Tip

When using a custom or on-premises DNS server, you should configure your DNS server to resolve the storage account name in the 'privatelink' subdomain to the private endpoint IP address. You can do this by delegating the 'privatelink' subdomain to the private DNS zone of the VNet, or by configuring the DNS zone on your DNS server and adding the DNS A records.

The recommended DNS zone names for private endpoints for storage services are:

Storage service          Zone name
Blob service             privatelink.blob.core.chinacloudapi.cn
Data Lake Storage Gen2   privatelink.dfs.core.chinacloudapi.cn
File service             privatelink.file.core.chinacloudapi.cn
Queue service            privatelink.queue.core.chinacloudapi.cn
Table service            privatelink.table.core.chinacloudapi.cn
Static Websites          privatelink.web.core.chinacloudapi.cn

For more information on configuring your own DNS server to support private endpoints, refer to the following articles:

Known Issues

Keep in mind the following known issues about private endpoints for Azure Storage.

Copy Blob support

If the storage account is protected by a firewall and the account is accessed through private endpoints, then that account cannot serve as the source of a Copy Blob operation.

Storage access constraints for clients in VNets with private endpoints

Clients in VNets with existing private endpoints face constraints when accessing other storage accounts that have private endpoints. For instance, suppose a VNet N1 has a private endpoint for a storage account A1 for Blob storage. If storage account A2 has a private endpoint in a VNet N2 for Blob storage, then clients in VNet N1 must also access Blob storage in account A2 using a private endpoint. If storage account A2 does not have any private endpoints for Blob storage, then clients in VNet N1 can access Blob storage in that account without a private endpoint.

This constraint is a result of the DNS changes made when account A2 creates a private endpoint.

Network Security Group rules for subnets with private endpoints

Currently, you can't configure Network Security Group (NSG) rules and user-defined routes for private endpoints. NSG rules applied to the subnet hosting the private endpoint apply only to the other endpoints in that subnet (for example, NICs), not to the private endpoint itself. A limited workaround for this issue is to implement your access rules for private endpoints on the source subnets, though this approach may require a higher management overhead.

Next steps
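The following added example (not code from the Azure documentation) models the DNS behaviour described in the "DNS changes for private endpoints" section and the access constraint described just above: it walks the CNAME chain for a storage FQDN as seen from outside the VNet and from inside VNet N1, checks that the in-VNet answer lands in the VNet address range, and flags connection strings that target the 'privatelink' subdomain directly. The public endpoint names and IPs are constructed placeholders, and the model assumes that the private DNS zone linked to the VNet is authoritative for the privatelink subdomain, so a privatelink name it does not hold is NXDOMAIN rather than falling back to public DNS (which is why clients in N1 cannot reach A2 without their own private endpoint).

```python
import ipaddress

PRIVATELINK_SUFFIX = ".privatelink.blob.core.chinacloudapi.cn"

# Constructed public DNS records. Public endpoint names and IPs are placeholders
# (the page only shows <storage service public endpoint>). Accounts A and A2 have
# private endpoints (CNAME into the privatelink subdomain); account C has none.
PUBLIC_DNS = {
    "storageaccounta.blob.core.chinacloudapi.cn":
        ("CNAME", "storageaccounta" + PRIVATELINK_SUFFIX),
    "storageaccounta" + PRIVATELINK_SUFFIX: ("CNAME", "public-a.store.example"),
    "public-a.store.example": ("A", "203.0.113.10"),
    "storageaccounta2.blob.core.chinacloudapi.cn":
        ("CNAME", "storageaccounta2" + PRIVATELINK_SUFFIX),
    "storageaccounta2" + PRIVATELINK_SUFFIX: ("A", "203.0.113.20"),  # chain shortened
    "storageaccountc.blob.core.chinacloudapi.cn": ("A", "203.0.113.30"),  # no private endpoint
}

# Private DNS zone privatelink.blob.core.chinacloudapi.cn linked to VNet N1. It holds
# only the A record for the private endpoint created in N1 (10.1.1.5, as on the page).
PRIVATE_ZONE_N1 = {"storageaccounta" + PRIVATELINK_SUFFIX: ("A", "10.1.1.5")}

def resolve(name, private_zone=None, max_hops=8):
    """Follow the CNAME chain and return (ip, chain). With private_zone set, behave like a
    client in the linked VNet: the zone is treated as authoritative for the privatelink
    subdomain (assumed model), so a privatelink name missing from it is NXDOMAIN."""
    name = name.lower().rstrip(".")
    chain = [name]
    for _ in range(max_hops):
        if private_zone is not None and name.endswith(PRIVATELINK_SUFFIX):
            record = private_zone.get(name)       # authoritative answer only
        else:
            record = PUBLIC_DNS.get(name)         # recursive/public resolution
        if record is None:
            raise LookupError(f"NXDOMAIN: {name}")
        rtype, value = record
        if rtype == "A":
            return value, chain
        name = value                              # CNAME: keep following
        chain.append(name)
    raise LookupError("CNAME chain too long")

def resolves_to_private_endpoint(name, vnet_cidr, private_zone):
    """True when the storage FQDN resolves to an address inside the VNet's range."""
    ip, _ = resolve(name, private_zone)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(vnet_cidr)

def uses_public_hostname(connection_string):
    """False if the connection string targets the privatelink subdomain directly."""
    return ".privatelink." not in connection_string.lower()
```

Run `resolve("storageaccounta2.blob.core.chinacloudapi.cn", PRIVATE_ZONE_N1)` to see the NXDOMAIN that a client in N1 gets for A2, while the same name resolves publicly and `storageaccountc` resolves from N1 without any private endpoint.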