Planning for an Azure Files deployment

Azure Files offers fully managed file shares in the cloud that are accessible via the industry-standard SMB protocol. Because Azure Files is fully managed, deploying it in production scenarios is much easier than deploying and managing a file server or NAS device. This article addresses the topics to consider when deploying an Azure file share for production use within your organization.

Management concepts

The following diagram illustrates the Azure Files management constructs:

(Diagram: Azure Files file structure)

  • Storage account: All access to Azure Storage is done through a storage account. See Scalability and Performance Targets for details about storage account capacity.

  • Share: A File Storage share is an SMB file share in Azure. All directories and files must be created in a parent share. An account can contain an unlimited number of shares, and a share can store an unlimited number of files, up to the 5 TiB total capacity of the file share.

  • Directory: An optional hierarchy of directories.

  • File: A file in the share. A file may be up to 1 TiB in size.

  • URL format: For requests to an Azure file share made with the File REST protocol, files are addressable using the following URL format:

    https://<storage account>.file.core.chinacloudapi.cn/<share>/<directory>/<file>
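A small parser for this URL format, added here as an example (not code from the Azure documentation): it splits a File REST URL into its account, share, directory and file parts, insists on HTTPS, and validates the account and share names against Azure's published naming rules (assumed here: account names are 3 to 24 lowercase letters and digits; share names are 3 to 63 lowercase letters, digits and single hyphens, starting with a letter or digit). The endpoint suffix is the Azure China one shown above.

```python
import re
from urllib.parse import urlparse, unquote

# Endpoint suffix from the URL format above (Azure China); other clouds use a different suffix.
FILE_ENDPOINT_SUFFIX = ".file.core.chinacloudapi.cn"

# Naming rules assumed from Azure's documented limits (see lead-in).
_ACCOUNT_RE = re.compile(r"^[a-z0-9]{3,24}$")
_SHARE_RE = re.compile(r"^[a-z0-9](?:-?[a-z0-9]){2,62}$")   # 3-63 chars, no double hyphens


def parse_file_url(url):
    """Return (account, share, directory, file) for an Azure Files REST URL.

    Raises ValueError for anything that is not a well-formed HTTPS URL on the
    Azure Files endpoint; directory is "" at the share root and file is ""
    when the URL names a share or directory rather than a file.
    """
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("File REST should be addressed over HTTPS, got %r" % u.scheme)
    host = u.hostname or ""                       # urlparse lowercases the host
    if not host.endswith(FILE_ENDPOINT_SUFFIX):
        raise ValueError("not an Azure Files endpoint: %r" % host)
    account = host[: -len(FILE_ENDPOINT_SUFFIX)]
    if not _ACCOUNT_RE.match(account):
        raise ValueError("invalid storage account name: %r" % account)
    parts = [unquote(p) for p in u.path.split("/") if p]
    if not parts:
        raise ValueError("URL does not name a share")
    share = parts[0]
    if not _SHARE_RE.match(share):
        raise ValueError("invalid share name: %r" % share)
    directory = "/".join(parts[1:-1])
    filename = parts[-1] if len(parts) > 1 else ""
    return account, share, directory, filename


if __name__ == "__main__":
    # Constructed sample URL for demonstration.
    print(parse_file_url("https://mystorage.file.core.chinacloudapi.cn/myshare/docs/2019/report.txt"))
```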
    

Data access method

Azure Files offers two built-in, convenient data access methods that you can use separately, or in combination with each other, to access your data:

  1. Direct cloud access: Any Azure file share can be mounted by Windows, macOS, and/or Linux with the industry-standard Server Message Block (SMB) protocol or via the File REST API. With SMB, reads and writes to files on the share are made directly on the file share in Azure. To mount from a VM in Azure, the SMB client in the OS must support at least SMB 2.1. To mount on-premises, such as on a user's workstation, the SMB client on the workstation must support at least SMB 3.0 (with encryption). In addition to SMB, new applications or services may directly access the file share via File REST, which provides an easy and scalable application programming interface for software development.
  2. Azure File Sync: With Azure File Sync, shares can be replicated to Windows Servers on-premises or in Azure. Your users would access the file share through the Windows Server, such as through an SMB or NFS share. This is useful for scenarios in which data will be accessed and modified far away from an Azure datacenter, such as in a branch office scenario. Data may be replicated between multiple Windows Server endpoints, such as between multiple branch offices. Finally, data may be tiered to Azure Files, such that all data is still accessible via the Server, but the Server does not have a full copy of the data. Rather, data is seamlessly recalled when opened by your user.

The following table illustrates how your users and applications can access your Azure file share, comparing direct cloud access with Azure File Sync:

  • What protocols do you need to use?
    • Direct cloud access: Azure Files supports SMB 2.1, SMB 3.0, and the File REST API.
    • Azure File Sync: Access your Azure file share via any supported protocol on Windows Server (SMB, NFS, FTPS, etc.).
  • Where are you running your workload?
    • Direct cloud access: In Azure. Azure Files offers direct access to your data.
    • Azure File Sync: On-premises with a slow network. Windows, Linux, and macOS clients can mount a local on-premises Windows file share as a fast cache of your Azure file share.
  • What level of ACLs do you need?
    • Direct cloud access: Share and file level.
    • Azure File Sync: Share, file, and user level.

Data security

Azure Files has several built-in options for ensuring data security:

  • Support for encryption in both over-the-wire protocols: SMB 3.0 encryption and File REST over HTTPS. By default:

    • Clients that support SMB 3.0 encryption send and receive data over an encrypted channel.
    • Clients that do not support SMB 3.0 with encryption can communicate intra-datacenter over SMB 2.1 or SMB 3.0 without encryption. SMB clients are not allowed to communicate inter-datacenter over SMB 2.1 or SMB 3.0 without encryption.
    • Clients can communicate over File REST with either HTTP or HTTPS.
  • Encryption at rest (Azure Storage Service Encryption): Storage Service Encryption (SSE) is enabled for all storage accounts. Data at rest is encrypted with fully managed keys. Encryption at rest does not increase storage costs or reduce performance.

  • Optional requirement of encrypted data in transit: when selected, Azure Files rejects access to the data over unencrypted channels. Specifically, only HTTPS and SMB 3.0 with encryption connections are allowed.

    Important

    Requiring secure transfer of data will cause older SMB clients that are not capable of SMB 3.0 with encryption to fail. For more information, see Mount on Windows, Mount on Linux, and Mount on macOS.

For maximum security, we strongly recommend always enabling encryption at rest and enabling encryption of data in transit whenever you are using modern clients to access your data. For example, if you need to mount a share on a Windows Server 2008 R2 VM, which only supports SMB 2.1, you need to allow unencrypted traffic to your storage account, since SMB 2.1 does not support encryption.
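The access rules listed above, encoded as a small planning check. This is an added example, not code from the Azure documentation: it models which client connections are accepted with and without the "secure transfer required" setting, so you can list the clients (such as the SMB 2.1-only Windows Server 2008 R2 VM mentioned above) that the setting would lock out before you enable it. The client inventory is constructed and the names are hypothetical.

```python
from enum import Enum


class Proto(Enum):
    """Ways a client can reach an Azure file share, per the text above."""
    SMB21 = "SMB 2.1"
    SMB30 = "SMB 3.0 without encryption"
    SMB30_ENC = "SMB 3.0 with encryption"
    HTTP = "File REST over HTTP"
    HTTPS = "File REST over HTTPS"


ENCRYPTED = {Proto.SMB30_ENC, Proto.HTTPS}            # the only channels encrypted in transit
SMB_DIALECTS = {Proto.SMB21, Proto.SMB30, Proto.SMB30_ENC}


def is_allowed(proto, intra_datacenter, secure_transfer_required):
    """Decide whether one connection is accepted and say why.

    Rules from the page: unencrypted SMB is accepted only from inside the
    datacenter; with 'secure transfer required' set, only SMB 3.0 with
    encryption and HTTPS are accepted, from anywhere.
    """
    if secure_transfer_required and proto not in ENCRYPTED:
        return False, "secure transfer required: %s is rejected" % proto.value
    if proto in SMB_DIALECTS and proto not in ENCRYPTED and not intra_datacenter:
        return False, "%s is only permitted intra-datacenter" % proto.value
    return True, "%s is accepted" % proto.value


def clients_broken_by_secure_transfer(clients):
    """Names of clients that work today but would be rejected once
    'secure transfer required' is enabled on the storage account.
    clients: iterable of (name, Proto, intra_datacenter) tuples."""
    return [name for name, proto, intra in clients
            if is_allowed(proto, intra, False)[0]
            and not is_allowed(proto, intra, True)[0]]


# Constructed inventory with hypothetical names. Windows Server 2008 R2 speaks
# SMB 2.1 only, as the text notes, so it is the client the setting locks out.
SAMPLE_CLIENTS = [
    ("ws2008r2-app-vm", Proto.SMB21, True),
    ("win10-office-laptop", Proto.SMB30_ENC, False),
    ("legacy-rest-job", Proto.HTTP, True),
    ("linux-build-vm", Proto.SMB30_ENC, True),
]

if __name__ == "__main__":
    for name in clients_broken_by_secure_transfer(SAMPLE_CLIENTS):
        print("would break once secure transfer is required:", name)
```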

File share redundancy

Azure Files standard shares support two data redundancy options: locally redundant storage (LRS) and geo-redundant storage (GRS).

The following sections describe the differences between the redundancy options:

Locally redundant storage

Locally redundant storage (LRS) replicates your data three times within a single datacenter. LRS provides at least 99.999999999% (11 nines) durability of objects over a given year. LRS is the lowest-cost replication option and offers the least durability compared to the other options.

If a datacenter-level disaster (for example, fire or flooding) occurs, all replicas in a storage account using LRS may be lost or unrecoverable. To mitigate this risk, Azure recommends using geo-redundant storage (GRS).

A write request to an LRS storage account returns successfully only after the data is written to all three replicas.

You may wish to use LRS in the following scenarios:

  • If your application stores data that can be easily reconstructed if data loss occurs, you may opt for LRS.

Geo-redundant storage

Geo-redundant storage (GRS) is designed to provide at least 99.99999999999999% (16 nines) durability of objects over a given year by replicating your data to a secondary region that is hundreds of miles away from the primary region. If your storage account has GRS enabled, your data is durable even in the case of a complete regional outage or a disaster in which the primary region isn't recoverable.

If you opt for read-access geo-redundant storage (RA-GRS), you should know that Azure Files does not support read-access geo-redundant storage (RA-GRS) in any region at this time. File shares in an RA-GRS storage account work as they would in a GRS account and are charged at GRS prices.

GRS replicates your data to another datacenter in a secondary region, but that data is available to be read only if Azure initiates a failover from the primary to the secondary region.

For a storage account with GRS enabled, all data is first replicated with locally redundant storage (LRS). An update is first committed to the primary location and replicated using LRS. The update is then replicated asynchronously to the secondary region using GRS. When data is written to the secondary location, it is also replicated within that location using LRS.

Both the primary and secondary regions manage replicas across separate fault domains and upgrade domains within a storage scale unit. The storage scale unit is the basic replication unit within the datacenter. Replication at this level is provided by LRS; for more information, see Locally redundant storage (LRS): Low-cost data redundancy for Azure Storage.

Keep these points in mind when deciding which replication option to use:

  • Asynchronous replication involves a delay between the time data is written to the primary region and the time it is replicated to the secondary region. In the event of a regional disaster, changes that haven't yet been replicated to the secondary region may be lost if that data can't be recovered from the primary region.
  • With GRS, the replica isn't available for read or write access unless Azure initiates a failover to the secondary region. In the case of a failover, you'll have read and write access to that data after the failover has completed. For more information, see Disaster recovery guidance.

Data growth pattern

Today, the maximum size of an Azure file share is 5 TiB. Because of this current limitation, you must consider the expected data growth when deploying an Azure file share.

Data transfer method

There are many easy options to bulk transfer data from an existing file share, such as an on-premises file share, into Azure Files. A few popular ones include (non-exhaustive list):

  • Azure Import/Export: The Azure Import/Export service allows you to securely transfer large amounts of data into an Azure file share by shipping hard disk drives to an Azure datacenter.
  • Robocopy: Robocopy is a well-known copy tool that ships with Windows and Windows Server. Robocopy may be used to transfer data into Azure Files by mounting the file share locally, and then using the mounted location as the destination in the Robocopy command.
  • AzCopy: AzCopy is a command-line utility designed for copying data to and from Azure Files, as well as Azure Blob storage, using simple commands with optimal performance.

Next steps