Use Private Link in Virtual WAN

Azure Private Link is a technology that allows you to connect Azure Platform-as-a-Service offerings using private IP address connectivity by exposing Private Endpoints. With Azure Virtual WAN, you can deploy a Private Endpoint in one of the virtual networks connected to any virtual hub. This provides connectivity to any other virtual network or branch connected to the same Virtual WAN.

Before you begin

The steps in this article assume that you have already deployed a virtual WAN with one or more hubs, as well as at least two virtual networks connected to the Virtual WAN.

To create a new virtual WAN and a new hub, use the steps in the following articles:

You can create a private link endpoint for many different services. In this example, we will use Azure SQL Database. The following image shows the network configuration of the Azure SQL Database:

(Figure: Create Private Link)

After creating the Azure SQL Database, you can verify the private endpoint IP address by browsing your private endpoints:

(Figure: Private endpoints)

Clicking on the private endpoint we have created, you should see its private IP address, as well as its Fully Qualified Domain Name (FQDN). Note that the private endpoint has an IP address in the range of the VNet where it has been deployed (10.1.3.0/24):

(Figure: SQL endpoint)

Verify connectivity from the same VNet

In this example, we will verify connectivity to the Azure SQL Database from an Ubuntu virtual machine with MS SQL tools installed. The first step is verifying that DNS resolution works and that the Azure SQL Database Fully Qualified Domain Name is resolved to a private IP address in the same VNet where the Private Endpoint has been deployed (10.1.3.0/24):

$ nslookup wantest.database.chinacloudapi.cn
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
wantest.database.chinacloudapi.cn    canonical name = wantest.privatelink.database.chinacloudapi.cn.
Name:   wantest.privatelink.database.chinacloudapi.cn
Address: 10.1.3.228

As you can see in the previous output, the FQDN wantest.database.chinacloudapi.cn is mapped to wantest.privatelink.database.chinacloudapi.cn, which the private DNS zone created alongside the private endpoint resolves to the private IP address 10.1.3.228. Looking into the private DNS zone confirms that there is an A record for the private endpoint mapped to the private IP address:

(Figure: DNS zone)

After verifying the correct DNS resolution, we can attempt to connect to the database:

$ query="SELECT CONVERT(char(15), CONNECTIONPROPERTY('client_net_address'));"
$ sqlcmd -S wantest.database.chinacloudapi.cn -U $username -P $password -Q "$query"

10.1.3.75

As you can see, we are using a special SQL query that returns the source IP address that the SQL server sees for the client. In this case the server sees the client with its private IP (10.1.3.75), which means that the traffic does not travel through the public Internet but goes straight into the private endpoint.

Note that you need to set the variables username and password to match the credentials defined in the Azure SQL Database for the examples in this guide to work.

Connect from a different VNet

Now that one VNet in Azure Virtual WAN has connectivity to the private endpoint, all of the other VNets and branches connected to the Virtual WAN can have access to it as well. You need to provide connectivity through any of the models supported by Azure Virtual WAN, such as the Any-to-any scenario or the Shared Services VNet scenario, to name two examples.

Once you have connectivity between the VNet or the branch and the VNet where the private endpoint has been deployed, you need to configure DNS resolution:

  • If connecting to the private endpoint from a VNet, you can use the same private zone that was created with the Azure SQL Database.
  • If connecting to the private endpoint from a branch (Site-to-site VPN, Point-to-site VPN or ExpressRoute), you need to use on-premises DNS resolution.

In this example we will connect from a different VNet, so first we will attach the private DNS zone to the new VNet so that its workloads can resolve the Azure SQL Database Fully Qualified Domain Name to the private IP address. This is done by linking the private DNS zone to the new VNet:

(Figure: DNS link)

Now any virtual machine in the attached VNet should correctly resolve the Azure SQL Database FQDN to the private link's private IP address:

$ nslookup wantest.database.chinacloudapi.cn
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
wantest.database.chinacloudapi.cn    canonical name = wantest.privatelink.database.chinacloudapi.cn.
Name:   wantest.privatelink.database.chinacloudapi.cn
Address: 10.1.3.228

In order to double-check that this VNet (10.1.1.0/24) has connectivity to the original VNet where the private endpoint was configured (10.1.3.0/24), you can verify the effective route table in any virtual machine in the VNet:

(Figure: Effective routes)

As you can see, there is a route pointing to the VNet 10.1.3.0/24 injected by the Virtual Network Gateways in Azure Virtual WAN. Now we can finally test connectivity to the database:

$ query="SELECT CONVERT(char(15), CONNECTIONPROPERTY('client_net_address'));"
$ sqlcmd -S wantest.database.chinacloudapi.cn -U $username -P $password -Q "$query"

10.1.1.75

With this example, we have seen how creating a private endpoint in one of the VNets attached to a Virtual WAN provides connectivity to the rest of the VNets and branches in the Virtual WAN.
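The two manual checks in this article (the nslookup showing the FQDN resolving through the privatelink zone into the endpoint's VNet, and the CONNECTIONPROPERTY query showing that the SQL server sees a private client address) can be turned into a single repeatable verification. The script below is an added example, not part of the original article or of any Azure tooling: it parses nslookup output, checks that the CNAME chain passes through the privatelink zone and that the final address lies inside the private endpoint's VNet (10.1.3.0/24), and then checks that the address reported by the SQL server is a private address inside the expected client VNet. The nslookup text embedded in it is constructed from the article's output; the second sample, showing a public answer (203.0.113.10, a documentation-range placeholder), models the failure mode of a VNet that has not yet been linked to the private DNS zone, where traffic would leave via the public Internet instead of the private endpoint.

```python
"""Verify that an Azure SQL FQDN resolves through Private Link and that the
SQL server observes a private client address.

Added example for the article; the nslookup samples below are constructed
from the article's output, not captured from a live environment.
"""
import ipaddress
import re
import subprocess

# Private Link DNS zone suffix for Azure SQL in the China cloud (from the article).
PRIVATELINK_SUFFIX = ".privatelink.database.chinacloudapi.cn"

# Constructed: what a VM in a VNet linked to the private DNS zone sees.
NSLOOKUP_PRIVATE = """\
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
wantest.database.chinacloudapi.cn    canonical name = wantest.privatelink.database.chinacloudapi.cn.
Name:   wantest.privatelink.database.chinacloudapi.cn
Address: 10.1.3.228
"""

# Constructed: what a VM in a VNet NOT linked to the zone would see. The
# privatelink name falls through to public DNS; 203.0.113.10 is a
# documentation-range placeholder, not a real Azure address.
NSLOOKUP_PUBLIC = """\
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
wantest.database.chinacloudapi.cn    canonical name = wantest.privatelink.database.chinacloudapi.cn.
Name:   wantest.privatelink.database.chinacloudapi.cn
Address: 203.0.113.10
"""


def parse_nslookup(output):
    """Return (cname_chain, answer_addresses) from nslookup text.

    The resolver's own 'Address: 127.0.0.53#53' line is excluded because the
    address regex requires the line to end right after the fourth octet.
    """
    cnames = [c.rstrip(".") for c in re.findall(r"canonical name = (\S+)", output)]
    addrs = re.findall(r"^Address:\s+(\d+\.\d+\.\d+\.\d+)$", output, re.M)
    return cnames, [ipaddress.ip_address(a) for a in addrs]


def check_private_link(nslookup_output, endpoint_vnet, client_ip, client_vnet):
    """Return a dict of findings; 'ok' is True only when every check passes.

    endpoint_vnet: CIDR of the VNet holding the private endpoint (10.1.3.0/24).
    client_ip:     value returned by CONNECTIONPROPERTY('client_net_address').
    client_vnet:   CIDR of the VNet the client VM lives in.
    """
    cnames, addrs = parse_nslookup(nslookup_output)
    resolved = addrs[-1] if addrs else None
    client = ipaddress.ip_address(client_ip)
    findings = {
        # DNS went through the privatelink zone rather than straight to public DNS.
        "cname_via_privatelink": any(c.endswith(PRIVATELINK_SUFFIX) for c in cnames),
        # The answer is the private endpoint's NIC address, not a public gateway.
        "resolves_into_endpoint_vnet": resolved is not None
        and resolved in ipaddress.ip_network(endpoint_vnet),
        # The SQL server saw the VM's private address, so no SNAT to a public IP.
        "client_seen_as_private": client.is_private
        and client in ipaddress.ip_network(client_vnet),
    }
    findings["ok"] = all(findings.values())
    return findings


def live_nslookup(fqdn):
    """Run the real nslookup for use outside this example (requires network)."""
    return subprocess.run(["nslookup", fqdn], capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Same-VNet client (10.1.3.75) and different-VNet client (10.1.1.75) from the article.
    print(check_private_link(NSLOOKUP_PRIVATE, "10.1.3.0/24", "10.1.3.75", "10.1.3.0/24"))
    print(check_private_link(NSLOOKUP_PRIVATE, "10.1.3.0/24", "10.1.1.75", "10.1.1.0/24"))
    # Unlinked VNet: DNS answer is public, so the check must fail.
    print(check_private_link(NSLOOKUP_PUBLIC, "10.1.3.0/24", "10.1.1.75", "10.1.1.0/24"))
```

To use it against a real deployment, replace the constructed nslookup text with the string returned by live_nslookup(fqdn) on the VM and pass the value that the article's sqlcmd query printed as client_ip. A failing resolves_into_endpoint_vnet check on a VM in a newly connected VNet is the symptom to look for before the private DNS zone has been linked to that VNet.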

Next steps

For more information about Virtual WAN, see the FAQ.