Require secure transfer to ensure secure connections

You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account. When you require secure transfer, any request originating from an insecure connection is rejected. Azure recommends that you always require secure transfer for all of your storage accounts.

When secure transfer is required, a call to an Azure Storage REST API operation must be made over HTTPS. Any request made over HTTP is rejected.

Connecting to an Azure file share over SMB without encryption fails when secure transfer is required for the storage account. Examples of insecure connections include those made over SMB 2.1, SMB 3.0 without encryption, or some versions of the Linux SMB client.

By default, the Secure transfer required property is enabled when you create a storage account.

Note

Because Azure Storage doesn't support HTTPS for custom domain names, this option isn't applied when you're using a custom domain name. Classic storage accounts aren't supported.

Require secure transfer in the Azure portal

You can turn on the Secure transfer required property when you create a storage account in the Azure portal. You can also enable it for an existing storage account.

Require secure transfer for a new storage account

  1. Open the Create storage account pane in the Azure portal.

  2. Under Secure transfer required, select Enabled.

    Screenshot: Create storage account blade

Require secure transfer for an existing storage account

  1. Select an existing storage account in the Azure portal.

  2. In the storage account menu pane, under SETTINGS, select Configuration.

  3. Under Secure transfer required, select Enabled.

    Screenshot: Storage account menu pane

Require secure transfer from code

To require secure transfer programmatically, set the supportsHttpsTrafficOnly property on the storage account. You can set this property by using the Storage Resource Provider REST API, client libraries, or tools:

Require secure transfer with PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

This sample requires Azure PowerShell module Az version 0.7 or later. Run Get-Module -ListAvailable Az to find the installed version. If you need to install or upgrade, see Install Azure PowerShell module.

Run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Use the following command to check the setting:

Get-AzStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}"
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : False
...

Use the following command to enable the setting:

Set-AzStorageAccount -Name "{StorageAccountName}" -ResourceGroupName "{ResourceGroupName}" -EnableHttpsTrafficOnly $True
StorageAccountName     : {StorageAccountName}
Kind                   : Storage
EnableHttpsTrafficOnly : True
...

Require secure transfer with Azure CLI

To run this sample, install the latest version of the Azure CLI. To start, run az login to create a connection with Azure.

Samples for the Azure CLI are written for the bash shell. To run this sample in Windows PowerShell or Command Prompt, you may need to change elements of the script.

If you don't have an Azure subscription, create a trial account before you begin.

Use the following command to check the setting:

az storage account show -g {ResourceGroupName} -n {StorageAccountName}
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": false,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}

Use the following command to enable the setting:

az storage account update -g {ResourceGroupName} -n {StorageAccountName} --https-only true
{
  "name": "{StorageAccountName}",
  "enableHttpsTrafficOnly": true,
  "type": "Microsoft.Storage/storageAccounts"
  ...
}
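The commands above check and fix one account at a time. As an added example that is not part of the original article, the following bash script extends that check to every account in a subscription: it parses the JSON that az storage account list prints, reports each account whose enableHttpsTrafficOnly is false, and prints the matching az storage account update --https-only true command for review before anything is changed. The embedded sample output and its account and resource-group names are constructed; the resourceGroup field is the one the Azure CLI includes in its list output.

```shell
#!/usr/bin/env bash
# Added audit helper: find storage accounts with secure transfer disabled
# in `az storage account list -o json` output and emit the remediation commands.

# Constructed sample in the shape `az storage account list -o json` returns.
# Real output carries many more fields; the names below are invented.
SAMPLE_LIST='[
  {
    "enableHttpsTrafficOnly": true,
    "name": "securestore",
    "resourceGroup": "rg-prod",
    "type": "Microsoft.Storage/storageAccounts"
  },
  {
    "enableHttpsTrafficOnly": false,
    "name": "legacystore",
    "resourceGroup": "rg-legacy",
    "type": "Microsoft.Storage/storageAccounts"
  },
  {
    "enableHttpsTrafficOnly": false,
    "name": "oldlogs",
    "resourceGroup": "rg-ops",
    "type": "Microsoft.Storage/storageAccounts"
  }
]'

# Print "<resourceGroup> <name>" for each account whose enableHttpsTrafficOnly
# is false. Walks one top-level object at a time, so the order of fields
# inside each object does not matter.
list_insecure_accounts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[{][[:space:]]*$/    { name=""; rg=""; insecure=0 }
        /"name":/                           { gsub(/[",]/, "", $2); name=$2 }
        /"resourceGroup":/                  { gsub(/[",]/, "", $2); rg=$2 }
        /"enableHttpsTrafficOnly": false/   { insecure=1 }
        /^[[:space:]]*[}],?[[:space:]]*$/   { if (insecure) print rg, name }
    '
}

# Emit one `az storage account update ... --https-only true` per insecure
# account. The commands are printed, not executed, so they can be reviewed
# (or piped to sh) once the list looks right.
remediation_commands() {
    list_insecure_accounts "$1" | while read -r rg name; do
        printf 'az storage account update -g %s -n %s --https-only true\n' "$rg" "$name"
    done
}

# Offline demonstration on the constructed sample. Against a live subscription
# run: remediation_commands "$(az storage account list -o json)"
echo "Accounts with secure transfer disabled:"
list_insecure_accounts "$SAMPLE_LIST"
echo
echo "Suggested fixes:"
remediation_commands "$SAMPLE_LIST"
```

The same listing can be obtained without the awk parser by letting the CLI filter server-side with a JMESPath query: az storage account list --query "[?enableHttpsTrafficOnly==\`false\`].[resourceGroup,name]" -o tsv. The script above keeps the parsing local so the result can be checked offline against captured output.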

Next steps

Security recommendations for Blob storage