Azure Files networking considerations

You can connect to an Azure file share in one way:

Accessing the share directly via the SMB or FileREST protocols. This access pattern is primarily employed when you want to eliminate as many on-premises servers as possible.

This article focuses on how to configure networking when your use case calls for accessing the Azure file share directly.

Networking configuration for Azure file shares is done on the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues. Storage accounts expose multiple settings that help you secure network access to your file shares: network endpoints, storage account firewall settings, and encryption in transit.

We recommend reading Planning for an Azure Files deployment prior to reading this conceptual guide.

Accessing your Azure file shares

When you deploy an Azure file share within a storage account, your file share is immediately accessible via the storage account's public endpoint. This means that authenticated requests, such as requests authorized by a user's logon identity, can originate securely from inside or outside of Azure.

In many customer environments, an initial mount of the Azure file share on your on-premises workstation will fail, even though mounts from Azure VMs succeed. The reason for this is that many organizations and internet service providers (ISPs) block the port that SMB uses to communicate, port 445. This practice originates from security guidance about legacy and deprecated versions of the SMB protocol. Although SMB 3.0 is an internet-safe protocol, older versions of SMB, especially SMB 1.0, are not. Azure file shares may only be externally accessed via SMB 3.0 and the FileREST protocol (which is also an internet-safe protocol) through the public endpoint.

Since the easiest way to access your Azure file share from on-premises is to open your on-premises network to port 445, Azure recommends the following steps to remove SMB 1.0 from your environment:

  1. Ensure that SMB 1.0 is removed or disabled on your organization's devices. All currently supported versions of Windows and Windows Server support removing or disabling SMB 1.0, and starting with Windows 10, version 1709, SMB 1.0 is not installed on Windows by default. To learn more about how to disable SMB 1.0, see our OS-specific pages.
  2. Ensure that no products within your organization require SMB 1.0 and remove the ones that do. We maintain an SMB1 Product Clearinghouse, which contains all the first- and third-party products known to Microsoft to require SMB 1.0.
  3. (Optional) Use a third-party firewall with your organization's on-premises network to prevent SMB 1.0 traffic from leaving your organizational boundary.
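The following is an added example, not part of this article: it audits and disables SMB 1.0 on a Windows host (step 1 above) and then checks whether TCP port 445 to the file endpoint is reachable, which is the on-premises mount failure described earlier. It assumes an elevated PowerShell session; the storage account name is a placeholder, and the endpoint suffix depends on the cloud you use.

```powershell
# Added example (not from the Azure docs page): audit and disable SMB 1.0 on a Windows
# host, then verify TCP 445 to the file endpoint is reachable before mounting.
# Run in an elevated PowerShell session. $StorageAccount is a placeholder.
$StorageAccount = '<storage-account-name>'
# Endpoint suffix differs per cloud: core.windows.net (global Azure),
# core.chinacloudapi.cn (Azure China). Adjust to match your storage account.
$FileEndpoint = "$StorageAccount.file.core.windows.net"

# 1. Report the server-side SMB protocol state (EnableSMB1Protocol should be False).
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData

# 2. Disable SMB 1.0 server support and remove the optional feature.
#    (Windows 10/11 client; on Windows Server use Remove-WindowsFeature FS-SMB1.)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 3. Check the share can be reached over port 445. TcpTestSucceeded = False is the
#    symptom described above: the organization or ISP is blocking 445, so the
#    public endpoint cannot be used and a VPN Gateway or ExpressRoute tunnel is needed.
$conn = Test-NetConnection -ComputerName $FileEndpoint -Port 445
if (-not $conn.TcpTestSucceeded) {
    Write-Warning "TCP 445 to $FileEndpoint is blocked; tunnel the traffic instead."
}

# 4. Once 445 is reachable and the share is mounted, the negotiated dialect of the
#    session should be 3.x and the session should be encrypted.
Get-SmbConnection | Where-Object ServerName -eq $FileEndpoint |
    Select-Object ServerName, ShareName, Dialect, Encrypted
```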

If your organization requires port 445 to be blocked per policy or regulation, or your organization requires traffic to Azure to follow a deterministic path, you can use Azure VPN Gateway or ExpressRoute to tunnel traffic to your Azure file shares.

Important

Even if you decide to use an alternate method to access your Azure file shares, Azure still recommends removing SMB 1.0 from your environment.

Tunneling traffic over a virtual private network or ExpressRoute

When you establish a network tunnel between your on-premises network and Azure, you are peering your on-premises network with one or more virtual networks in Azure. A virtual network, or VNet, is similar to a traditional network that you'd operate on-premises. Like an Azure storage account or an Azure VM, a VNet is an Azure resource that is deployed in a resource group.

Azure Files supports the following mechanisms to tunnel traffic between your on-premises workstations and servers and Azure:

  • Azure VPN Gateway: A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an alternate location (such as on-premises) over the internet. An Azure VPN Gateway is an Azure resource that can be deployed in a resource group alongside a storage account or other Azure resources. VPN gateways expose two different types of connections:
    • Point-to-Site (P2S) VPN gateway connections, which are VPN connections between Azure and an individual client. This solution is primarily useful for devices that are not part of your organization's on-premises network, such as telecommuters who want to be able to mount their Azure file share from home, a coffee shop, or a hotel while on the road. To use a P2S VPN connection with Azure Files, a P2S VPN connection will need to be configured for each client that wants to connect.
    • Site-to-Site (S2S) VPN, which are VPN connections between Azure and your organization's network. An S2S VPN connection enables you to configure a VPN connection once, for a VPN server or device hosted on your organization's network, rather than doing so for every client device that needs to access your Azure file share.
  • ExpressRoute, which enables you to create a defined route between Azure and your on-premises network that doesn't traverse the internet. Because ExpressRoute provides a dedicated path between your on-premises datacenter and Azure, ExpressRoute may be useful when network performance is a consideration. ExpressRoute is also a good option when your organization's policy or regulatory requirements require a deterministic path to your resources in the cloud.

Regardless of which tunneling method you use to access your Azure file shares, you need a mechanism to ensure the traffic to your storage account goes over the tunnel rather than your regular internet connection. It is technically possible to route to the public endpoint of the storage account, however this requires hard-coding all of the IP addresses for the Azure storage clusters in a region, since storage accounts may be moved between storage clusters at any time. This also requires constantly updating the IP address mappings, since new clusters are added all the time.

Storage account firewall settings

A firewall is a network policy that controls which requests are allowed to access the public endpoint for a storage account. Using the storage account firewall, you can restrict access to the storage account's public endpoint to certain IP addresses or ranges, or to a virtual network. In general, most firewall policies for a storage account will restrict network access to one or more virtual networks.

There is one approach to restricting access to a storage account to a virtual network: restrict the public endpoint to one or more virtual networks. This works by using a capability of the virtual network called service endpoints. When you restrict the traffic to a storage account via a service endpoint, you are still accessing the storage account via the public IP address.

To learn more about how to configure the storage account firewall, see configure Azure storage firewalls and virtual networks.

Encryption in transit

By default, all Azure storage accounts have encryption in transit enabled. This means that when you mount a file share over SMB or access it via the FileREST protocol (such as through the Azure portal, PowerShell/CLI, or Azure SDKs), Azure Files will only allow the connection if it is made with SMB 3.0+ with encryption or HTTPS. Clients that do not support SMB 3.0, or clients that support SMB 3.0 but not SMB encryption, will not be able to mount the Azure file share if encryption in transit is enabled. For more information about which operating systems support SMB 3.0 with encryption, see our detailed documentation for Windows, macOS, and Linux. All current versions of PowerShell, the CLI, and the SDKs support HTTPS.

You can disable encryption in transit for an Azure storage account. When encryption is disabled, Azure Files will also allow SMB 2.1, SMB 3.0 without encryption, and unencrypted FileREST API calls over HTTP. The primary reason to disable encryption in transit is to support a legacy application that must run on an older operating system, such as Windows Server 2008 R2 or an older Linux distribution. Azure Files only allows SMB 2.1 connections within the same Azure region as the Azure file share; an SMB 2.1 client outside the Azure region of the Azure file share, such as on-premises or in a different Azure region, will not be able to access the file share.
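The following is an added example, not part of this article, covering both the storage account firewall section (restricting the public endpoint to one subnet through a Microsoft.Storage service endpoint) and this section (requiring encryption in transit). It assumes the Az PowerShell module with an existing Connect-AzAccount session; all resource names are placeholders.

```powershell
# Added example (not from the Azure docs page): lock a storage account's public endpoint
# to one subnet via a Microsoft.Storage service endpoint and require secure transfer.
# Assumes the Az module and Connect-AzAccount have already run. Names are placeholders.
$ResourceGroup  = '<resource-group>'
$StorageAccount = '<storage-account-name>'
$VNetName       = '<vnet-name>'
$SubnetName     = '<subnet-name>'

# 1. Enable the Microsoft.Storage service endpoint on the subnet. Without it, traffic
#    from the subnet reaches the public endpoint via SNAT and the VNet rule never matches.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
    -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' | Out-Null
$vnet   = Set-AzVirtualNetwork -VirtualNetwork $vnet
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# 2. Allow only that subnet, then switch the default action to Deny. Add the rule first
#    so there is no window in which nothing can reach the share.
Add-AzStorageAccountNetworkRule -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -VirtualNetworkResourceId $subnet.Id | Out-Null
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Deny | Out-Null

# 3. Require secure transfer: SMB 3.x with encryption or HTTPS only. This is the default,
#    but re-asserting it clears an earlier opt-out made for a legacy SMB 2.1 client.
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -EnableHttpsTrafficOnly $true | Out-Null

# 4. Verify the resulting posture: DefaultAction Deny, one allowed subnet, HTTPS-only True.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
$acct  = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
[pscustomobject]@{
    DefaultAction          = $rules.DefaultAction
    AllowedSubnets         = @($rules.VirtualNetworkRules | ForEach-Object VirtualNetworkResourceId)
    EnableHttpsTrafficOnly = $acct.EnableHttpsTrafficOnly
}
```

Clients outside the allowed subnet, including on-premises hosts on the public internet, now receive an authorization failure at the public endpoint even with valid credentials, which is why tunneled traffic must enter through a VNet that has been granted access.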

For more information about encryption in transit, see requiring secure transfer in Azure storage.

See also