Configuring DNS forwarding for Azure Files

Azure Files enables you to create private endpoints for the storage accounts containing your file shares. Although useful for many different applications, private endpoints are especially useful for connecting to your Azure file shares from your on-premises network over a VPN or ExpressRoute connection that uses private peering.

In order for connections to your storage account to go over your network tunnel, the fully qualified domain name (FQDN) of your storage account must resolve to your private endpoint's private IP address. To achieve this, you must forward the storage endpoint suffix (core.chinacloudapi.cn for Azure China cloud regions) to the Azure private DNS service, which is accessible from within your virtual network. This guide shows how to set up and configure DNS forwarding so that the FQDN resolves to your storage account's private endpoint IP address.

We strongly recommend that you read Planning for an Azure Files deployment and Azure Files networking considerations before you complete the steps described in this article.

Overview

Azure Files provides two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

Public and private endpoints exist on the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues.

Every storage account has a fully qualified domain name (FQDN). For the Azure China cloud regions, this FQDN follows the pattern storageaccount.file.core.chinacloudapi.cn, where storageaccount is the name of the storage account. When you make requests against this name, such as mounting the share on your workstation using SMB, your operating system performs a DNS lookup to resolve the fully qualified domain name to an IP address, which it then uses to send the SMB requests to.

By default, storageaccount.file.core.chinacloudapi.cn resolves to the public endpoint's IP address. The public endpoint for a storage account is hosted on an Azure storage cluster that also hosts many other storage accounts' public endpoints. When you create a private endpoint, a private DNS zone is linked to the virtual network it was added to, with a CNAME record mapping storageaccount.file.core.chinacloudapi.cn to an A record entry for the private IP address of your storage account's private endpoint. This enables you to use the storageaccount.file.core.chinacloudapi.cn FQDN within the virtual network and have it resolve to the private endpoint's IP address.

Since the ultimate objective is to access the Azure file shares hosted within the storage account from on-premises over a network tunnel such as a VPN or ExpressRoute connection, you must configure your on-premises DNS servers to forward requests for the Azure Files service to the Azure private DNS service. To accomplish this, you set up conditional forwarding of *.core.chinacloudapi.cn to a DNS server hosted within your Azure virtual network. This DNS server then recursively forwards the request to Azure's private DNS service, which resolves the fully qualified domain name of the storage account to the appropriate private IP address.

Configuring DNS forwarding for Azure Files requires running a virtual machine to host a DNS server that forwards the requests; however, this is a one-time step for all the Azure file shares hosted within your virtual network. Additionally, this requirement is not exclusive to Azure Files: any Azure service that supports private endpoints and that you want to access from on-premises can make use of the DNS forwarding you configure in this guide, such as Azure Blob storage, SQL Azure, or Cosmos DB.

This guide shows the steps for configuring DNS forwarding for the Azure storage endpoint, so in addition to Azure Files, DNS name resolution requests for all of the other Azure storage services (Azure Blob storage, Azure Table storage, Azure Queue storage, etc.) will be forwarded to Azure's private DNS service. Additional endpoints for other Azure services can also be added if desired. DNS forwarding back to your on-premises DNS servers will also be configured, enabling cloud resources within your virtual network (such as a DFS-N server) to resolve on-premises machine names.

Prerequisites

Before you can set up DNS forwarding to Azure Files, you need to have completed the following steps:

  • A storage account containing an Azure file share you would like to mount. To learn how to create a storage account and an Azure file share, see Create an Azure file share.
  • A private endpoint for the storage account. To learn how to create a private endpoint for Azure Files, see Create a private endpoint.
  • The latest version of the Azure PowerShell module.

Important

This guide assumes you are using the DNS server role within Windows Server in your on-premises environment. All of the steps described in this guide are possible with any DNS server, not just the Windows DNS Server.

Manually configuring DNS forwarding

If you already have DNS servers in place within your Azure virtual network, or if you simply prefer to deploy your own virtual machines as DNS servers by whatever methodology your organization uses, you can configure DNS manually with the built-in DNS server PowerShell cmdlets.

On your on-premises DNS servers, create a conditional forwarder using Add-DnsServerConditionalForwarderZone. This conditional forwarder must be deployed on all of your on-premises DNS servers to be effective at properly forwarding traffic to Azure. Remember to replace <azure-dns-server-ip> with the appropriate IP addresses for your environment.

# IP addresses of the DNS servers hosted inside your Azure virtual network
$vnetDnsServers = "<azure-dns-server-ip>", "<azure-dns-server-ip>"

# Storage endpoint suffix for the cloud you are signed in to (core.chinacloudapi.cn for Azure China)
$storageAccountEndpoint = Get-AzContext | `
    Select-Object -ExpandProperty Environment | `
    Select-Object -ExpandProperty StorageEndpointSuffix

# Forward all queries for the storage suffix to the DNS servers in the virtual network
Add-DnsServerConditionalForwarderZone `
        -Name $storageAccountEndpoint `
        -MasterServers $vnetDnsServers

On the DNS servers within your Azure virtual network, you also need to put a forwarder in place so that requests for the storage account DNS zone are directed to the Azure private DNS service, which is fronted by the reserved IP address 168.63.129.16. (Remember to populate $storageAccountEndpoint if you are running the commands in a different PowerShell session.)

# Forward the storage suffix on to Azure's private DNS service (reserved address 168.63.129.16)
Add-DnsServerConditionalForwarderZone `
        -Name $storageAccountEndpoint `
        -MasterServers "168.63.129.16"
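Add-DnsServerConditionalForwarderZone fails if a zone with that name already exists, which makes the two steps above awkward to re-run on every server. The following function is an added example, not part of the original guide: it creates or updates the forwarder zone for the storage suffix and then verifies that the zone's master servers are exactly the ones requested. It assumes the Windows DnsServer module is available and, for the default suffix, an Az PowerShell login context; the function name is hypothetical.

```powershell
# Added example: idempotently create or update the conditional forwarder for the
# storage endpoint suffix, then verify the master servers actually configured.
# Assumes the DnsServer module (Windows DNS Server role) and an Az login context.
function Set-StorageSuffixForwarder {
    param(
        [Parameter(Mandatory)] [string[]] $MasterServers,
        # Defaults to the storage endpoint suffix of the cloud you are signed in to
        [string] $Suffix = (Get-AzContext).Environment.StorageEndpointSuffix
    )
    # Add-DnsServerConditionalForwarderZone errors if the zone already exists,
    # so look it up first and update an existing forwarder zone instead.
    $existing = Get-DnsServerZone -Name $Suffix -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-DnsServerConditionalForwarderZone -Name $Suffix -MasterServers $MasterServers
    } elseif ($existing.ZoneType -eq 'Forwarder') {
        Set-DnsServerConditionalForwarderZone -Name $Suffix -MasterServers $MasterServers
    } else {
        # A primary or secondary zone with this name would shadow the forwarder; do not touch it.
        throw "Zone '$Suffix' exists with ZoneType '$($existing.ZoneType)'; expected 'Forwarder'."
    }

    # Verify: the configured master servers must match exactly what was requested.
    $zone       = Get-DnsServerZone -Name $Suffix
    $configured = @($zone.MasterServers | ForEach-Object { $_.IPAddressToString }) | Sort-Object
    $expected   = @($MasterServers) | Sort-Object
    if (Compare-Object $configured $expected) {
        throw "Forwarder '$Suffix' points at [$($configured -join ', ')], expected [$($expected -join ', ')]."
    }
    [pscustomobject]@{ Zone = $Suffix; MasterServers = $configured }
}

# On-premises DNS servers: forward the suffix to the DNS servers inside the Azure virtual network.
# Set-StorageSuffixForwarder -MasterServers '<azure-dns-server-ip>', '<azure-dns-server-ip>'

# DNS servers inside the Azure virtual network: forward the suffix on to Azure's private DNS service.
# Set-StorageSuffixForwarder -MasterServers '168.63.129.16'
```

Run it once per DNS server with the appropriate master servers; a mismatch between the zone's configured and expected master servers is reported as an error rather than silently left in place.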

Using the Azure Files Hybrid module to configure DNS forwarding

In order to make configuring DNS forwarding as easy as possible, we have provided automation in the Azure Files Hybrid module. The cmdlets provided for manipulating DNS in this module help you deploy DNS servers in your Azure virtual network and update your on-premises DNS servers to forward to them.

If you have never used the Azure Files Hybrid module, you must first install it on your workstation. Download the latest version of the Azure Files Hybrid PowerShell module, then:

# Unzip the downloaded file
Expand-Archive -Path AzFilesHybrid.zip

# Change the execution policy to unblock importing AzFilesHybrid.psm1 module
Set-ExecutionPolicy -ExecutionPolicy Unrestricted

# Navigate to where AzFilesHybrid is unzipped and stored and run to copy the files into your path
.\AzFilesHybrid\CopyToPSPath.ps1

# Import AzFilesHybrid module
Import-Module -Name AzFilesHybrid

Deploying the DNS forwarding solution has two steps: creating a DNS forwarding rule set, which defines which Azure services you want to forward requests to, and the actual deployment of the DNS forwarders.

The following example forwards requests to the storage account endpoint, including requests to Azure Files, Azure Blob storage, Azure Table storage, and Azure Queue storage. If desired, you can add forwarding for additional Azure services to the rule set via the -AzureEndpoints parameter of the New-AzDnsForwardingRuleSet cmdlet. Remember to replace <virtual-network-resource-group>, <virtual-network-name>, and <subnet-name> with the appropriate values for your environment.

# Create a rule set, which defines the forwarding rules
$ruleSet = New-AzDnsForwardingRuleSet -AzureEndpoints StorageAccountEndpoint

# Deploy and configure DNS forwarders
New-AzDnsForwarder `
        -DnsForwardingRuleSet $ruleSet `
        -VirtualNetworkResourceGroupName "<virtual-network-resource-group>" `
        -VirtualNetworkName "<virtual-network-name>" `
        -VirtualNetworkSubnetName "<subnet-name>"

You may additionally find it useful or necessary to supply several additional parameters:

Parameter name (type): description

  • DnsServerResourceGroupName (string): By default, the DNS servers are deployed into the same resource group as the virtual network. If this is not desired, this parameter allows you to pick an alternate resource group for them to be deployed into.
  • DnsForwarderRootName (string): By default, the DNS servers that are deployed in Azure have the names DnsFwder-*, where the asterisk is populated by an iterator. This parameter changes the root of that name (i.e. DnsFwder).
  • VmTemporaryPassword (SecureString): By default, a random password is chosen for the temporary default account a VM has before it is domain joined. After it is domain joined, the default account is disabled.
  • DomainToJoin (string): The domain to join the DNS VM(s) to. By default, this domain is chosen based on the domain of the computer where you are running the cmdlets.
  • DnsForwarderRedundancyCount (int): The number of DNS VMs to deploy for your virtual network. By default, New-AzDnsForwarder deploys two DNS servers in your Azure virtual network, in an Availability Set, to ensure redundancy. This number may be modified as desired.
  • OnPremDnsHostNames (HashSet<string>): A manually specified list of on-premises DNS host names to create forwarders on. This parameter is useful when you do not want to apply forwarders on all on-premises DNS servers, such as when you have a range of clients with manually specified DNS names.
  • Credential (PSCredential): A credential to use when updating the DNS servers. This is useful when the user account you have logged in with does not have permissions to modify DNS settings.
  • SkipParentDomain (SwitchParameter): By default, DNS forwarders are applied to the highest-level domain that exists in your environment. For example, if northamerica.corp.contoso.com is a child domain of corp.contoso.com, the forwarder will be created for the DNS servers associated with corp.contoso.com. This parameter causes the forwarders to be created in northamerica.corp.contoso.com instead.

Confirm DNS forwarders

Before testing whether the DNS forwarders have been applied successfully, we recommend clearing the DNS cache on your local workstation using Clear-DnsClientCache. To test whether you can successfully resolve the fully qualified domain name of your storage account, use Resolve-DnsName or nslookup.

# Replace storageaccount.file.core.chinacloudapi.cn with the appropriate FQDN for your storage account.
# Note that the proper suffix (core.chinacloudapi.cn) depends on the cloud you are deployed in.
Resolve-DnsName -Name storageaccount.file.core.chinacloudapi.cn

If the name resolution is successful, you should see the resolved IP address match the private IP address of your storage account's private endpoint.

Name                                       Type   TTL   Section    NameHost
----                                       ----   ---   -------    --------
storageaccount.file.core.chinacloudapi.cn  CNAME  29    Answer     csostoracct.privatelink.file.core.chinacloudapi.cn


Name       : storageaccount.privatelink.file.core.chinacloudapi.cn
QueryType  : A
TTL        : 1769
Section    : Answer
IP4Address : 192.168.0.4

If you have already set up a VPN or ExpressRoute connection, you can also use Test-NetConnection to confirm that a TCP connection can be successfully made to your storage account.

Test-NetConnection -ComputerName storageaccount.file.core.chinacloudapi.cn -CommonTCPPort SMB
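The checks in this section can be combined into a single pass/fail test. The function below is an added example, not part of the original guide: it clears the client cache, resolves the storage account FQDN, confirms the answer travelled through the privatelink CNAME (as in the sample output above) and lands on an address inside the virtual network's range rather than the public endpoint, and then tests SMB on that address. It assumes the Windows DnsClient and NetTCPIP modules, an IPv4 private endpoint, and a constructed VNet range of 192.168.0.0/24 in the commented usage line; the function names are hypothetical.

```powershell
# Added example: verify that the storage account FQDN resolves via the private endpoint
# and that SMB (TCP 445) is reachable on the resolved private address.
# Assumes the DnsClient and NetTCPIP modules (Windows 8 / Server 2012 or later), IPv4 only.
function Test-PrivateEndpointResolution {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,      # e.g. storageaccount.file.core.chinacloudapi.cn
        [Parameter(Mandatory)] [string] $VnetCidr,  # address space of the VNet hosting the private endpoint
        [string] $Suffix = 'core.chinacloudapi.cn'  # storage endpoint suffix (Azure China)
    )
    Clear-DnsClientCache   # drop any answer cached before the forwarder was created
    $records = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop

    # The answer should pass through the privatelink zone, which only the private DNS zone serves.
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $viaPrivateLink = [bool]($cname -and ($cname.NameHost -like "*.privatelink.*.$Suffix"))

    $a = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $a) { throw "No A record returned for $Fqdn" }
    # A public address here means SMB traffic would bypass the VPN/ExpressRoute tunnel.
    $inVnet = Test-IPv4InCidr -Address $a.IPAddress -Cidr $VnetCidr

    $tcp = Test-NetConnection -ComputerName $a.IPAddress -Port 445 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Fqdn           = $Fqdn
        ResolvedTo     = $a.IPAddress
        ViaPrivateLink = $viaPrivateLink
        InVnetRange    = $inVnet
        SmbReachable   = $tcp.TcpTestSucceeded
        Ok             = ($viaPrivateLink -and $inVnet -and $tcp.TcpTestSucceeded)
    }
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)] [string] $Address, [Parameter(Mandatory)] [string] $Cidr)
    $net, $bits = $Cidr -split '/'
    # Dotted quad to a 64-bit integer; 64-bit arithmetic keeps the values and the mask positive.
    $toLong = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
    }
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
    ((& $toLong $Address) -band $mask) -eq ((& $toLong $net) -band $mask)
}

# Constructed usage: Test-PrivateEndpointResolution -Fqdn 'storageaccount.file.core.chinacloudapi.cn' -VnetCidr '192.168.0.0/24'
```

Run it from an on-premises workstation after the forwarders are in place; Ok is $true only when all three conditions hold, and ResolvedTo shows which address was actually returned when it is not.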

See also