Configuring Azure Files network endpoints

Azure Files provides two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

Public and private endpoints exist on the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues.

We recommend reading Azure Files networking considerations before reading this how-to guide.

Prerequisites

  • This article assumes that you have already created an Azure subscription. If you don't already have a subscription, create a trial account before you begin.
  • This article assumes that you have already created an Azure file share in a storage account that you would like to connect to from on-premises. To learn how to create an Azure file share, see Create an Azure file share.
  • If you intend to use Azure PowerShell, install the latest version.
  • If you intend to use the Azure CLI, install the latest version.

Endpoint configurations

You can configure your endpoints to restrict network access to your storage account. There are two approaches to restricting access to a storage account to a virtual network:

  • Create one or more private endpoints for the storage account and restrict all access to the public endpoint. This ensures that only traffic originating from within the desired virtual networks can access the Azure file shares within the storage account.
  • Restrict the public endpoint to one or more virtual networks. This works by using a capability of the virtual network called service endpoints. When you restrict the traffic to a storage account via a service endpoint, you are still accessing the storage account via the public IP address, but access is only possible from the locations you specify in your configuration.

Create a private endpoint

Creating a private endpoint for your storage account will result in the following Azure resources being deployed:

  • A private endpoint: An Azure resource representing the storage account's private endpoint. You can think of this as a resource that connects a storage account and a network interface.
  • A network interface (NIC): The network interface that maintains a private IP address within the specified virtual network/subnet. This is the exact same resource that gets deployed when you deploy a virtual machine; however, instead of being assigned to a VM, it is owned by the private endpoint.
  • A private DNS zone: If you've never deployed a private endpoint for this virtual network before, a new private DNS zone will be deployed for your virtual network. A DNS A record will also be created for the storage account in this DNS zone. If you've already deployed a private endpoint in this virtual network, a new A record for the storage account will be added to the existing DNS zone. Deploying a DNS zone is optional but highly recommended, and it is required if you are mounting your Azure file shares with an AD service principal or using the FileREST API.

Navigate to the storage account for which you would like to create a private endpoint. In the table of contents for the storage account, select Private endpoint connections, and then + Private endpoint to create a new private endpoint.

A screenshot of the Private endpoint connections item in the storage account table of contents

The resulting wizard has multiple pages to complete.

In the Basics blade, select the desired resource group, name, and region for your private endpoint. These can be whatever you want and don't have to match the storage account in any way, but the private endpoint must be created in the same region as the virtual network it will be placed in.

A screenshot of the Basics section of the Create a private endpoint wizard

In the Resource blade, select the radio button for Connect to an Azure resource in my directory. Under Resource type, select Microsoft.Storage/storageAccounts for the resource type. The Resource field is the storage account with the Azure file share you wish to connect to. Target sub-resource is file, since this is for Azure Files.

The Configuration blade allows you to select the specific virtual network and subnet you would like to add your private endpoint to. You must select a subnet distinct from the subnet used for the service endpoint. The Configuration blade also contains the information for creating or updating the private DNS zone. We recommend using the default privatelink.file.core.chinacloudapi.cn zone.

A screenshot of the Configuration section

Click Review + create to create the private endpoint.

Verify connectivity

If you have a virtual machine inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint has been set up correctly by running the following command from PowerShell, the command line, or the terminal (works on Windows, Linux, or macOS). You must replace <storage-account-name> with the appropriate storage account name:

nslookup <storage-account-name>.file.core.chinacloudapi.cn

If everything has worked successfully, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network (output shown for Windows):

Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    storageaccount.privatelink.file.core.chinacloudapi.cn
Address:  192.168.0.5
Aliases:  storageaccount.file.core.chinacloudapi.cn
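The manual check above only shows what the resolver returned; the script below is an added example, not part of the original Azure guide, that parses that nslookup output and fails unless the canonical name is a privatelink record and the address is a private (RFC 1918) one. That is the failure mode you hit when the private DNS zone is missing or not linked: the name still resolves, but to the public endpoint, and a locked-down public endpoint then rejects the mount. The storage account name, the 10.2.4.4 resolver and the 192.168.0.5 address are the page's own illustrative values; the function names and the embedded sample are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Azure Files guide): check that an Azure Files
# endpoint resolves through the private endpoint rather than the public one.
# Assumes nslookup output in the layout shown above; the sample below is constructed.

# Return 0 when the dotted-quad $1 is in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}
      second=${second%%.*}
      case "$second" in
        1[6-9]|2[0-9]|3[01]) return 0 ;;
      esac
      ;;
  esac
  return 1
}

# Read nslookup output on stdin. Return 0 only when the answer's canonical
# name is a privatelink record and the address is private; otherwise report
# why and return 1 (2 if no address could be parsed at all).
check_private_resolution() {
  name=""
  addr=""
  while IFS= read -r line; do
    case "$line" in
      Name:*)
        name=$(printf '%s' "${line#Name:}" | tr -d ' \t\r') ;;
      Address:*)
        # The resolver's own address comes first; the last Address: line is the answer.
        addr=$(printf '%s' "${line#Address:}" | tr -d ' \t\r')
        addr=${addr%%#*} ;;   # Linux nslookup appends #53 to the server address
    esac
  done
  if [ -z "$addr" ]; then
    echo "no address parsed from nslookup output" >&2
    return 2
  fi
  case "$name" in
    *.privatelink.file.core.*) ;;
    *)
      echo "FAIL: '$name' is not a privatelink record; traffic would use the public endpoint" >&2
      return 1 ;;
  esac
  if is_rfc1918 "$addr"; then
    echo "OK: $name -> $addr (private endpoint)"
    return 0
  fi
  echo "FAIL: $name -> $addr is not a private address" >&2
  return 1
}

# Usage: sh check-pe.sh <storage-account-name>   (queries DNS for the real account)
#        sh check-pe.sh                          (runs against the constructed sample)
if [ $# -gt 0 ]; then
  nslookup "$1.file.core.chinacloudapi.cn" | check_private_resolution
else
  SAMPLE='Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    storageaccount.privatelink.file.core.chinacloudapi.cn
Address:  192.168.0.5
Aliases:  storageaccount.file.core.chinacloudapi.cn'
  printf '%s\n' "$SAMPLE" | check_private_resolution
fi
```

Run it from a VM in the virtual network or from an on-premises host that forwards the privatelink zone to Azure DNS; a non-zero exit is the signal that clients on that host would reach the public endpoint, which is exactly what the later section locks down.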

Restrict public endpoint access

Limiting public endpoint access first requires you to disable general access to the public endpoint. Disabling access to the public endpoint does not impact private endpoints. After the public endpoint has been disabled, you can select specific networks or IP addresses that may continue to access it. In general, most firewall policies for a storage account restrict network access to one or more virtual networks.

Disable access to the public endpoint

When access to the public endpoint is disabled, the storage account can still be accessed through its private endpoints. Otherwise valid requests to the storage account's public endpoint will be rejected unless they come from a specifically allowed source.

Navigate to the storage account for which you would like to restrict all access to the public endpoint. In the table of contents for the storage account, select Networking.

At the top of the page, select the Selected networks radio button. This reveals a number of settings for controlling the restriction of the public endpoint. Check Allow trusted Microsoft services to access this service account to allow trusted first-party Microsoft services to access the storage account.

Screenshot of the Networking blade with the appropriate restrictions in place

Restrict access to the public endpoint to specific virtual networks

When you restrict the storage account to specific virtual networks, you are allowing requests to the public endpoint from within the specified virtual networks. This works by using a capability of the virtual network called service endpoints. This can be used with or without private endpoints.

Navigate to the storage account for which you would like to restrict the public endpoint to specific virtual networks. In the table of contents for the storage account, select Networking.

At the top of the page, select the Selected networks radio button. This reveals a number of settings for controlling the restriction of the public endpoint. Click +Add existing virtual network to select the specific virtual network that should be allowed to access the storage account via the public endpoint. This requires selecting a virtual network and a subnet within that virtual network.

Check Allow trusted Microsoft services to access this service account to allow trusted first-party Microsoft services to access the storage account.

Screenshot of the Networking blade with a specific virtual network allowed to access the storage account via the public endpoint
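For readers who use the Azure CLI (listed in the prerequisites) rather than the portal, the script below is an added example, not part of the original guide, that carries out both procedures on this page in order: it creates the private endpoint with its privatelink.file.core.chinacloudapi.cn zone (the Create a private endpoint section), then denies the public endpoint by default, keeps the trusted-Microsoft-services bypass, and allows one subnet through a Microsoft.Storage service endpoint (the Restrict public endpoint access section). The resource group, storage account, network and subnet names and the subscription ID are placeholders you override through the environment; the run function prints each command instead of executing it until DRY_RUN=0, so the sequence can be reviewed before it touches a subscription. The private endpoint subnet and the client subnet are kept distinct, as the Configuration blade requires.

```shell
#!/bin/sh
# Added example (not from the Azure Files guide): Azure CLI equivalent of the
# portal steps on this page. Every name below is a placeholder; override via env.
set -eu

DRY_RUN=${DRY_RUN:-1}                       # 1 = print commands only, 0 = execute with az
SUBSCRIPTION_ID=${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}
RG=${RG:-rg-files-demo}
LOCATION=${LOCATION:-chinanorth2}
SA=${SA:-storageaccount}                    # storage account holding the file share
VNET=${VNET:-vnet-files-demo}
PE_SUBNET=${PE_SUBNET:-snet-private-endpoints}   # hosts the private endpoint NIC
APP_SUBNET=${APP_SUBNET:-snet-app}               # clients allowed via the service endpoint
PE_NAME=${PE_NAME:-pe-${SA}-file}
DNS_ZONE=privatelink.file.core.chinacloudapi.cn  # default zone recommended by the guide
STORAGE_ID="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.Storage/storageAccounts/$SA"

# Print the az command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Approach 1: a private endpoint (NIC in PE_SUBNET) plus the private DNS zone and
# A record that make <account>.file.core.chinacloudapi.cn resolve to the private IP.
create_private_endpoint() {
  run network private-endpoint create --resource-group "$RG" --name "$PE_NAME" \
      --location "$LOCATION" --vnet-name "$VNET" --subnet "$PE_SUBNET" \
      --private-connection-resource-id "$STORAGE_ID" --group-id file \
      --connection-name "${PE_NAME}-conn"
  run network private-dns zone create --resource-group "$RG" --name "$DNS_ZONE"
  run network private-dns link vnet create --resource-group "$RG" --zone-name "$DNS_ZONE" \
      --name "${VNET}-link" --virtual-network "$VNET" --registration-enabled false
  # The zone group writes the storage account's A record into the zone.
  run network private-endpoint dns-zone-group create --resource-group "$RG" \
      --endpoint-name "$PE_NAME" --name default --private-dns-zone "$DNS_ZONE" --zone-name file
}

# Approach 2: deny the public endpoint by default ("Selected networks"), keep the
# trusted Microsoft services bypass, then allow APP_SUBNET through a service endpoint.
lock_down_public_endpoint() {
  run storage account update --resource-group "$RG" --name "$SA" \
      --default-action Deny --bypass AzureServices
  run network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
      --name "$APP_SUBNET" --service-endpoints Microsoft.Storage
  run storage account network-rule add --resource-group "$RG" --account-name "$SA" \
      --vnet-name "$VNET" --subnet "$APP_SUBNET"
}

create_private_endpoint
lock_down_public_endpoint
```

Run with DRY_RUN=1 first and read the printed commands; the --default-action Deny step is the one that starts rejecting requests from any source not listed, so apply it only after the private endpoint resolves correctly or the allowed subnet has its service endpoint in place.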

See also