Virtual Network Service Endpoints

Virtual Network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to Azure services over a direct connection. Endpoints let you restrict access to your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Azure backbone network.

This feature is available for the following Azure services and regions:

Generally available

For the most up-to-date notifications, check the Azure Virtual Network updates page.

Key benefits

Service endpoints provide the following benefits:

  • Improved security for your Azure service resources: VNet private address space can overlap, so it cannot be used to uniquely identify traffic originating from your VNet. Service endpoints let you secure Azure service resources to your virtual network by extending the VNet's identity to the service. Once service endpoints are enabled in your virtual network, you secure an Azure service resource to the virtual network by adding a virtual network rule to the resource. This removes public Internet access to the resource and allows traffic only from your virtual network. The resource keeps its public IP address and DNS name; it is the service's own firewall that rejects every other source.

  • Optimal routing for Azure service traffic from your virtual network: Today, any routes in your virtual network that force Internet traffic to your premises and/or virtual appliances (known as forced tunneling) also force Azure service traffic to take the same route as the Internet traffic. Service endpoints provide optimal routing for Azure traffic.

    Endpoints always take service traffic directly from your virtual network to the service on the Azure backbone network. Keeping traffic on the Azure backbone network lets you continue auditing and monitoring outbound Internet traffic from your virtual networks through forced tunneling without impacting service traffic. Learn more about user-defined routes and forced tunneling.

  • Simple to set up with less management overhead: You no longer need reserved public IP addresses in your virtual networks to secure Azure resources through an IP firewall. No NAT or gateway devices are required to set up service endpoints. Service endpoints are configured with a simple click on a subnet. There is no additional overhead to maintaining the endpoints.

Limitations

  • The feature is available only to virtual networks deployed through the Azure Resource Manager deployment model.

  • Endpoints are enabled on subnets configured in Azure virtual networks. Endpoints cannot be used for traffic from your premises to Azure services. For more information, see Securing Azure service access from on-premises.

  • For Azure SQL, a service endpoint applies only to Azure service traffic within the virtual network's region. For Azure Storage, to support RA-GRS and GRS traffic, endpoints also extend to the paired region of the region where the virtual network is deployed.

Securing Azure services to virtual networks

  • A virtual network service endpoint provides the identity of your virtual network to the Azure service. Once service endpoints are enabled in your virtual network, you can secure Azure service resources to your virtual network by adding a virtual network rule to the resources.
  • Today, Azure service traffic from a virtual network uses public IP addresses as source IP addresses. With service endpoints, service traffic switches to using virtual network private addresses as the source IP addresses when accessing the Azure service from a virtual network. This switch lets you reach the services without the reserved public IP addresses that IP firewalls otherwise require.

Note

With service endpoints, the source IP addresses of the virtual machines in the subnet switch from public IPv4 addresses to private IPv4 addresses for service traffic. Existing Azure service firewall rules that use Azure public IP addresses stop working with this switch. Make sure the Azure service firewall rules allow for this switch before setting up service endpoints. You may also experience a temporary interruption to service traffic from this subnet while configuring service endpoints.

  • Securing Azure service access from on-premises:

    By default, Azure service resources secured to virtual networks are not reachable from on-premises networks. If you want to allow traffic from on-premises, you must also allow the public (typically NAT) IP addresses of your on-premises network or ExpressRoute circuit. These IP addresses are added through the IP firewall configuration of the Azure service resource.

    ExpressRoute: If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses, applied to Azure service traffic when the traffic enters the Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are either customer-provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource's IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal.
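As an added example (not code from the Azure documentation), the following Python script checks an Azure Storage account's network rule set against the design this section describes: the default action must be Deny, every endpoint-enabled subnet needs a virtual network rule in the Succeeded state, and the on-premises or ExpressRoute NAT addresses must be covered by IP rules. The sample rule set, subscription ID and subnet resource IDs are constructed placeholders shaped like the `networkRuleSet` object that `az storage account show` returns. One extra check, that IP rules contain only public addresses, rests on Azure Storage rejecting RFC 1918 ranges in IP rules; VNet traffic is admitted by a virtual network rule, never by its private address.

```python
"""Audit an Azure Storage account's network rule set.

Added example, not code from the Azure documentation. The rule set below is
constructed to look like the `networkRuleSet` object that
`az storage account show` returns; subscription and resource IDs are
placeholders.
"""
import ipaddress

SUBNET_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
                 "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/")
WEB_SUBNET_ID = SUBNET_PREFIX + "snet-web"
API_SUBNET_ID = SUBNET_PREFIX + "snet-api"

# Constructed sample of a misconfigured account: defaultAction still Allow, a
# stale rule, an RFC 1918 IP rule, one expected subnet missing and one NAT
# address missing.
SAMPLE_RULE_SET = {
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [
        {"action": "Allow", "value": "203.0.113.10"},  # on-premises NAT address
        {"action": "Allow", "value": "10.1.0.0/24"},    # RFC 1918 range: Storage rejects these
    ],
    "virtualNetworkRules": [
        {"action": "Allow", "state": "Succeeded", "virtualNetworkResourceId": WEB_SUBNET_ID},
        {"action": "Allow", "state": "NetworkSourceDeleted",
         "virtualNetworkResourceId": SUBNET_PREFIX + "snet-old"},
    ],
}

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_rule_set(rule_set, expected_subnet_ids, onprem_nat_ips):
    """Return a list of findings; an empty list means the rule set matches the
    intended design: default Deny, one Succeeded virtual network rule per
    endpoint-enabled subnet, every on-premises NAT address covered by an
    allowing IP rule, and no RFC 1918 ranges among the IP rules."""
    findings = []
    if rule_set.get("defaultAction") != "Deny":
        findings.append("defaultAction is %s; with Allow the virtual network rules restrict nothing"
                        % rule_set.get("defaultAction"))

    vnet_rules = {r["virtualNetworkResourceId"].lower(): r
                  for r in rule_set.get("virtualNetworkRules", [])}
    for subnet_id in expected_subnet_ids:
        rule = vnet_rules.get(subnet_id.lower())
        if rule is None:
            findings.append("no virtual network rule for %s" % subnet_id)
        elif rule.get("state") != "Succeeded":
            findings.append("virtual network rule for %s is in state %s"
                            % (subnet_id, rule.get("state")))
    for rule in rule_set.get("virtualNetworkRules", []):
        if rule.get("state") == "NetworkSourceDeleted":
            findings.append("stale rule: subnet %s no longer exists"
                            % rule["virtualNetworkResourceId"])

    allowed = []
    for rule in rule_set.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if any(net.overlaps(p) for p in RFC1918):
            findings.append("ipRule %s is an RFC 1918 range; IP rules must be public addresses"
                            % rule["value"])
        if rule.get("action", "Allow") == "Allow":
            allowed.append(net)
    for nat_ip in onprem_nat_ips:
        addr = ipaddress.ip_address(nat_ip)
        if not any(addr in net for net in allowed):
            findings.append("on-premises NAT address %s is not allowed by any ipRule" % nat_ip)
    return findings


if __name__ == "__main__":
    for finding in audit_rule_set(SAMPLE_RULE_SET, [WEB_SUBNET_ID, API_SUBNET_ID],
                                  ["203.0.113.10", "203.0.113.11"]):
        print("-", finding)
```

Run it against the real output of `az storage account show --query networkRuleSet` after replacing the sample; an empty result means the account only admits the listed subnets and NAT addresses. A rule in the NetworkSourceDeleted state is left behind when a subnet is deleted and is worth removing so the rule set stays readable.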

(Diagram: Securing Azure services to virtual networks)

Configuration

  • Service endpoints are configured on a subnet in a virtual network. Endpoints work with any type of compute instance running within that subnet.
  • You can configure multiple service endpoints for all supported Azure services (Azure Storage or Azure SQL Database, for example) on a subnet.
  • For Azure SQL Database, virtual networks must be in the same region as the Azure service resource. If using GRS and RA-GRS Azure Storage accounts, the primary account must be in the same region as the virtual network. For all other services, Azure service resources can be secured to virtual networks in any region.
  • The virtual network where the endpoint is configured can be in the same subscription as the Azure service resource or in a different one. For more information on the permissions required for setting up endpoints and securing Azure services, see Provisioning.
  • For supported services, you can secure new or existing resources to virtual networks using service endpoints.

Considerations

  • After enabling a service endpoint, the source IP addresses of virtual machines in the subnet switch from their public IPv4 addresses to their private IPv4 addresses when communicating with the service from that subnet. Any existing open TCP connections to the service are closed during this switch. Ensure that no critical tasks are running when enabling or disabling a service endpoint to a service for a subnet. Also ensure that your applications can automatically reconnect to Azure services after the IP address switch.

    The IP address switch only affects service traffic from your virtual network. There is no impact on any other traffic addressed to or from the public IPv4 addresses assigned to your virtual machines. For Azure services, if you have existing firewall rules that use Azure public IP addresses, those rules stop working with the switch to virtual network private addresses.

  • With service endpoints, DNS entries for Azure services remain as they are today and continue to resolve to the public IP addresses assigned to the Azure service.

  • Network security groups (NSGs) with service endpoints:

    • By default, NSGs allow outbound Internet traffic and so also allow traffic from your VNet to Azure services. This continues to work as is with service endpoints.
    • If you want to deny all outbound Internet traffic and allow only traffic to specific Azure services, you can do so using service tags in your NSGs. You can specify supported Azure services as the destination in your NSG rules; Azure maintains the IP addresses underlying each tag. For more information, see Azure service tags for NSGs.
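The deny-Internet, allow-service-tag pattern described above, as an added example in Python (not code from the Azure documentation): it evaluates a constructed outbound rule set in priority order, expanding tags from a placeholder prefix table, since the real prefixes behind each tag are maintained by Azure and change. The three rules at priority 65000 and above mirror the default outbound rules every NSG carries. Two points the code makes concrete: the Allow rule for the service tag must carry a lower priority number than the Deny rule for Internet, and the NSG only decides which destinations are reachable; the subnet still needs the service endpoint for that traffic to carry the VNet's identity to the service.

```python
"""Evaluate outbound NSG rules for a subnet, expanding service tags.

Added example, not code from the Azure documentation. The service-tag prefix
table is a constructed placeholder: the real prefixes behind a tag are
published and maintained by Azure. The rule set is also constructed; the
65000+ rules mirror the default outbound rules Azure adds to every NSG.
"""
import ipaddress

# Constructed placeholders standing in for the prefixes Azure maintains per tag.
SERVICE_TAG_PREFIXES = {
    "Storage.WestUS": ["198.51.100.0/24"],
    "VirtualNetwork": ["10.1.0.0/16"],
}

# Outbound rules shaped like `az network nsg rule list` output (constructed).
OUTBOUND_RULES = [
    {"name": "AllowStorageWestUS", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "destinationAddressPrefix": "Storage.WestUS", "destinationPortRange": "443"},
    {"name": "DenyInternet", "priority": 200, "access": "Deny", "protocol": "*",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowInternetOutBound", "priority": 65001, "access": "Allow", "protocol": "*",
     "destinationAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "DenyAllOutBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]


def _in_tag(tag, addr):
    return any(addr in ipaddress.ip_network(p) for p in SERVICE_TAG_PREFIXES[tag])


def dest_matches(spec, addr):
    """Match a rule's destinationAddressPrefix: '*', a tag, or a CIDR/IP.
    'Internet' is everything outside the VirtualNetwork address space."""
    if spec == "*":
        return True
    if spec == "Internet":
        return not _in_tag("VirtualNetwork", addr)
    if spec in SERVICE_TAG_PREFIXES:
        return _in_tag(spec, addr)
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Match '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-")
        return int(low) <= port <= int(high)
    return int(spec) == port


def evaluate_outbound(rules, dest_ip, port, protocol="Tcp"):
    """Return (access, rule name) of the first matching rule in priority order."""
    addr = ipaddress.ip_address(dest_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] != "*" and rule["protocol"].lower() != protocol.lower():
            continue
        if not port_matches(rule["destinationPortRange"], port):
            continue
        if not dest_matches(rule["destinationAddressPrefix"], addr):
            continue
        return rule["access"], rule["name"]
    return "Deny", "(no rule matched)"


if __name__ == "__main__":
    for dest, port in (("198.51.100.7", 443), ("198.51.100.7", 80),
                       ("203.0.113.5", 443), ("10.1.3.4", 22)):
        print(dest, port, evaluate_outbound(OUTBOUND_RULES, dest, port))
```

With the rules as listed, HTTPS to a prefix behind the storage tag is allowed by rule 100, the same prefix on port 80 and every other public destination fall through to rule 200 and are denied, and traffic inside the VNet is still admitted by the default rule at 65000. Swapping the priorities of the first two rules silently blocks the storage traffic, which is the mistake the priority-order check is meant to catch.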

Scenarios

  • Peered, connected, or multiple virtual networks: To secure Azure services to multiple subnets within a virtual network or across multiple virtual networks, enable service endpoints on each of the subnets independently and secure the Azure service resources to all of those subnets.
  • Filtering outbound traffic from a virtual network to Azure services: If you want to inspect or filter traffic destined for an Azure service from a virtual network, you can deploy a network virtual appliance within the virtual network. You can then apply service endpoints to the subnet where the network virtual appliance is deployed and secure Azure service resources only to that subnet. This scenario can be helpful if you want to restrict Azure service access from your virtual network to specific Azure resources using network virtual appliance filtering. For more information, see egress with network virtual appliances.
  • Securing Azure resources to services deployed directly into virtual networks: Various Azure services can be deployed directly into specific subnets in a virtual network. You can secure Azure service resources to managed service subnets by setting up a service endpoint on the managed service subnet.
  • Disk traffic from an Azure virtual machine: Virtual machine disk traffic (including mount, unmount and disk I/O) for managed and unmanaged disks is not affected by service endpoint routing changes for Azure Storage. You can limit REST access to page blobs to selected networks through service endpoints and Azure Storage network rules.

Logging and troubleshooting

Once service endpoints are configured for a specific service, validate that the service endpoint route is in effect by:

  • Validating the source IP address of any service request in the service diagnostics. All new requests with service endpoints show the source IP address of the request as the virtual network private IP address assigned to the client making the request from your virtual network. Without the endpoint, the address is an Azure public IP address.
  • Viewing the effective routes on any network interface in the subnet. The route to the service:
    • Shows a more specific default route to the address prefix ranges of each service
    • Has a nextHopType of VirtualNetworkServiceEndpoint
    • Indicates that a more direct connection to the service is in effect, compared to any forced-tunneling routes

Note

Service endpoint routes override any BGP or UDR routes for the address prefix match of an Azure service. Learn more about troubleshooting with effective routes.
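As an added example (not code from the Azure documentation), the following Python script resolves the effective route for a destination the way the checks above describe: longest prefix match among active routes, with the service endpoint route winning on a tie as the note states, and otherwise user-defined routes preferred over BGP and system routes. The route table is constructed to look like `az network nic show-effective-route-table` output for a forced-tunneled subnet that also has a service endpoint; the next-hop addresses and the service prefixes are placeholders, not real Azure service ranges.

```python
"""Resolve the effective route for a destination, as a service endpoint
troubleshooting aid.

Added example, not code from the Azure documentation. The route table below is
constructed to look like `az network nic show-effective-route-table` output
for a forced-tunneled subnet that also has a service endpoint; the service
prefixes are placeholders, not real Azure service ranges.
"""
import ipaddress

SAMPLE_EFFECTIVE_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": []},
    # System default route, invalidated by the user route for the same prefix
    {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": []},
    # Forced tunneling: a UDR sends everything to an appliance
    {"source": "User", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": ["10.1.255.4"]},
    # BGP route learned from on-premises through the gateway
    {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.1.254.4"]},
    # Added by enabling a service endpoint on the subnet (placeholder prefixes)
    {"source": "Default", "state": "Active", "addressPrefix": ["198.51.100.0/24", "203.0.113.0/25"],
     "nextHopType": "VirtualNetworkServiceEndpoint", "nextHopIpAddress": []},
]

# Tie-break for active routes with the same prefix length: the service endpoint
# route overrides BGP and UDR routes for the service's prefixes; otherwise
# user-defined routes are preferred over BGP, and BGP over system routes.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def effective_route(routes, dest_ip):
    """Return the route that carries traffic to dest_ip, or None."""
    addr = ipaddress.ip_address(dest_ip)
    best_key, best = None, None
    for route in routes:
        if route.get("state") != "Active":
            continue
        for prefix in route["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if addr not in net:
                continue
            key = (net.prefixlen,
                   route["nextHopType"] == "VirtualNetworkServiceEndpoint",
                   -SOURCE_RANK.get(route["source"], 3))
            if best_key is None or key > best_key:
                best_key, best = key, route
    return best


def service_endpoint_in_effect(routes, dest_ip):
    """True when traffic to dest_ip leaves through the service endpoint rather
    than through the forced-tunnel, gateway or Internet path."""
    route = effective_route(routes, dest_ip)
    return route is not None and route["nextHopType"] == "VirtualNetworkServiceEndpoint"


if __name__ == "__main__":
    for dest in ("198.51.100.10", "203.0.113.200", "192.168.5.5", "10.1.2.3"):
        route = effective_route(SAMPLE_EFFECTIVE_ROUTES, dest)
        print(dest, "->", route["nextHopType"], route["nextHopIpAddress"])
```

Against the sample table, a destination inside a service prefix resolves to the VirtualNetworkServiceEndpoint route while an address outside it still follows the 0.0.0.0/0 user route to the appliance, which is exactly the split the "more specific default route" check is looking for. Feed the function the JSON from the CLI command to check a real interface.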

Provisioning

Service endpoints can be configured on virtual networks independently by a user with write access to the virtual network. To secure Azure service resources to a VNet, the user must have the Microsoft.Network/JoinServicetoaSubnet permission (the RBAC operation Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action) for the subnets being added. This permission is included in the built-in service administrator roles by default and can be modified by creating custom roles.

Learn more about built-in roles and assigning specific permissions to custom roles.

Virtual networks and Azure service resources can be in the same or different subscriptions. If the virtual network and Azure service resources are in different subscriptions, the resources must be under the same Azure Active Directory (Azure AD) tenant.

Pricing and limits

There is no additional charge for using service endpoints. The current pricing model for Azure services (Azure Storage, Azure SQL Database, etc.) applies as is today.

There is no limit on the total number of service endpoints in a virtual network.

Certain Azure services, such as Azure Storage accounts, may enforce limits on the number of subnets used for securing the resource. Refer to the documentation for the various services in Next steps for details.

FAQs

For FAQs, see the Virtual Network Service Endpoint FAQs.

Next steps