
Install on-premises data gateway for Azure Logic Apps

Before you can connect to on-premises data sources from Azure Logic Apps, download and install the on-premises data gateway on a local computer. The gateway works as a bridge that provides quick data transfer and encryption between data sources on premises and your logic apps. You can use the same gateway installation with other cloud services, such as Power BI, Power Automate, Power Apps, and Azure Analysis Services. For information about how to use the gateway with these services, see these articles:

This article shows how to download, install, and set up your on-premises data gateway so that you can access on-premises data sources from Azure Logic Apps. You can also learn more about how the data gateway works later in this topic. For more information about the gateway, see What is an on-premises gateway?

Prerequisites

  • An Azure account and subscription. If you don't have an Azure account with a subscription, sign up for a free Azure account.

    • Your Azure account must belong to a single Azure Active Directory (Azure AD) tenant or directory. You must use the same Azure account for installing and administering the gateway on your local computer.

    • During gateway installation, you sign in with your Azure account, which links your gateway installation to your Azure account and only that account. Later, in the Azure portal, you must use the same Azure account and Azure AD tenant when you create an Azure gateway resource that registers and claims your gateway installation. In Azure Logic Apps, on-premises triggers and actions then use the gateway resource for connecting to on-premises data sources.

      Note

      You can link only one gateway installation and one Azure gateway resource to each other. You can't link the same gateway installation to multiple Azure accounts or Azure gateway resources. However, an Azure account can link to multiple gateway installations and Azure gateway resources. In an on-premises trigger or action, you can select from your various Azure subscriptions, and then select an associated gateway resource.

    • You need to sign in with either a work account or school account, also known as an organization account, which looks like username@contoso.com. You can't use Azure B2B (guest) accounts or personal Microsoft accounts, such as @hotmail.com or @outlook.com.

      Tip

      If you signed up for an Office 365 offering and didn't provide your work email address, your address might look like username@domain.onmicrosoft.com. Your account is stored within a tenant in Azure Active Directory (Azure AD). In most cases, the User Principal Name (UPN) for your Azure AD account is the same as your email address.

      To use a Visual Studio Standard subscription that's linked to a Microsoft account, first create a tenant in Azure AD or use the default directory. Add a user with a password to the directory, and then give that user access to your Azure subscription. You can then sign in during gateway installation with this username and password.

  • Here are requirements for your local computer:

    Minimum requirements

    • .NET Framework 4.7.2
    • 64-bit version of Windows 7 or Windows Server 2008 R2 (or later)

    Recommended requirements

    • 8-core CPU
    • 8 GB memory
    • 64-bit version of Windows Server 2012 R2 or later
    • Solid-state drive (SSD) storage for spooling

    Note

    The gateway doesn't support Windows Server Core.

  • Related considerations

    • Install the on-premises data gateway only on a local computer, not a domain controller. You don't have to install the gateway on the same computer as your data source. You need only one gateway for all your data sources, so you don't need to install the gateway for each data source.

      Tip

      To minimize latency, you can install the gateway as close as possible to your data source, or on the same computer, assuming that you have permissions.

    • Install the gateway on a computer that's on a wired network, connected to the internet, always turned on, and doesn't go to sleep. Otherwise, the gateway can't run, and performance might suffer over a wireless network.

    • If you plan to use Windows authentication, make sure that you install the gateway on a computer that's a member of the same Active Directory environment as your data sources.

    • The region that you select for your gateway installation is the same location that you must select when you later create the Azure gateway resource for your logic app. By default, this region is the same location as your Azure AD tenant that manages your Azure account. However, you can change the location during gateway installation.

    • If you're updating your gateway installation to the latest version, uninstall your current gateway first for a cleaner experience.

    • The gateway has two modes: standard mode and personal mode, which applies only to Power BI. You can't have more than one gateway running in the same mode on the same computer.

    • Azure Logic Apps supports read and write operations through the gateway. However, these operations have limits on their payload size.
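
The computer requirements and placement rules above can be checked before you run the installer. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling; the function name `Test-GatewayHostPrerequisites` is hypothetical, and 461808 is the lowest registry `Release` value that indicates .NET Framework 4.7.2.

```powershell
# Added example (not from the original article): preflight checks for a gateway host.
# Thresholds mirror the requirements listed above; the function name is hypothetical.
function Test-GatewayHostPrerequisites {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -ErrorAction SilentlyContinue

    $cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $memGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

    # Helper that emits one result row per check.
    function New-Check($Name, $Level, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Name; Level = $Level; Passed = [bool]$Passed; Detail = $Detail }
    }

    # Minimum requirements
    New-Check '64-bit Windows' 'Minimum' ([Environment]::Is64BitOperatingSystem) $os.Caption
    New-Check 'Windows 7 / Server 2008 R2 or later' 'Minimum' `
        ([version]$os.Version -ge [version]'6.1') $os.Version
    New-Check '.NET Framework 4.7.2 or later' 'Minimum' `
        ($ndp -and $ndp.Release -ge 461808) "Release=$($ndp.Release)"

    # Placement rules: ProductType 2 means the computer is a domain controller.
    New-Check 'Not a domain controller' 'Minimum' ($os.ProductType -ne 2) "ProductType=$($os.ProductType)"
    New-Check 'Not Windows Server Core' 'Minimum' `
        ($cv.InstallationType -ne 'Server Core') "InstallationType=$($cv.InstallationType)"

    # Recommended requirements
    New-Check '8-core CPU' 'Recommended' ($cores -ge 8) "Cores=$cores"
    New-Check '8 GB memory' 'Recommended' ($memGB -ge 8) "MemoryGB=$memGB"
}

# Show every check, then list any minimum requirement that failed.
$results = Test-GatewayHostPrerequisites
$results | Format-Table -AutoSize
$results | Where-Object { $_.Level -eq 'Minimum' -and -not $_.Passed }
```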

Install data gateway

  1. Download and run the gateway installer on a local computer.

  2. Review the minimum requirements, keep the default installation path, accept the terms of use, and then select Install.

    [Image: Review requirements and accept terms of use]

  3. After the gateway successfully installs, provide the email address for your Azure account, and then select Sign in, for example:

    [Image: Sign in with work or school account]

    Your gateway installation can link to only one Azure account.

  4. Select Register a new gateway on this computer > Next. This step registers your gateway installation with the gateway cloud service.

    [Image: Register gateway on local computer]

  5. Provide this information for your gateway installation:

    • A gateway name that's unique across your Azure AD tenant
    • The recovery key that you want to use, which must have at least eight characters
    • Confirmation for your recovery key

    [Image: Provide information for gateway installation]

    Important

    Save and keep your recovery key in a safe place. You need this key if you ever want to change the location, move, recover, or take over a gateway installation.

    Note the option to Add to an existing gateway cluster, which you select when you install additional gateways for high-availability scenarios.

  6. Check the region for the gateway cloud service and Azure Service Bus that's used by your gateway installation. By default, this region is the same location as the Azure AD tenant for your Azure account.

    [Image: Confirm region for gateway service and service bus]

  7. To accept the default region, select Configure. However, if the default region isn't the one that's closest to you, you can change the region.

    Why change the region for your gateway installation?

    For example, to reduce latency, you might change your gateway's region to the same region as your logic app. Or, you might select the region closest to your on-premises data source. Your gateway resource in Azure and your logic app can have different locations.

    1. Next to the current region, select Change Region.

      [Image: Change the current gateway region]

    2. On the next page, open the Select Region list, select the region you want, and select Done.

      [Image: Select another region for gateway service]

  8. Review the information in the final confirmation window. This example uses the same account for Logic Apps, Power BI, Power Apps, and Power Automate, so the gateway is available for all these services. When you're ready, select Close.

    [Image: Confirm data gateway information]

  9. Now create the Azure resource for your gateway installation.

Check or adjust communication settings

The on-premises data gateway depends on Azure Service Bus for cloud connectivity and establishes the corresponding outbound connections to the gateway's associated Azure region. If your work environment requires that traffic goes through a proxy or firewall to access the internet, this restriction might prevent the on-premises data gateway from connecting to the gateway cloud service and Azure Service Bus. The gateway has several communication settings, which you can adjust. For more information, see these topics:

High availability support

To avoid single points of failure for on-premises data access, you can have multiple gateway installations (standard mode only) with each on a different computer, and set them up as a cluster or group. That way, if the primary gateway is unavailable, data requests are routed to the second gateway, and so on. Because you can install only one standard gateway on a computer, you must install each additional gateway that's in the cluster on a different computer. All the connectors that work with the on-premises data gateway support high availability.

  • You must already have at least one gateway installation with the same Azure account as the primary gateway and the recovery key for that installation.

  • Your primary gateway must be running the gateway update from November 2017 or later.

After you set up your primary gateway, when you go to install another gateway, select Add to an existing gateway cluster, select the primary gateway, which is the first gateway that you installed, and provide the recovery key for that gateway. For more information, see High availability clusters for on-premises data gateway.

Change location, migrate, restore, or take over existing gateway

If you must change your gateway's location, move your gateway installation to a new computer, recover a damaged gateway, or take ownership for an existing gateway, you need the recovery key that was provided during gateway installation.

  1. Run the gateway installer on the computer that has the existing gateway. If you don't have the latest gateway installer, download the latest gateway version.

    Note

    Before you restore the gateway on the computer that has the original gateway installation, you must first uninstall the gateway on that computer. This action disconnects the original gateway. If you remove or delete a gateway cluster for any cloud service, you can't restore that cluster.

  2. After the installer opens, sign in with the same Azure account that was used to install the gateway.

  3. Select Migrate, restore, or takeover an existing gateway > Next, for example:

    [Image: Select "Migrate, restore, or takeover an existing gateway"]

  4. Select from the available clusters and gateways, and enter the recovery key for the selected gateway, for example:

    [Image: Select gateway and provide recovery key]

  5. To change the region, select Change Region, and select the new region.

  6. When you're ready, select Configure so that you can finish your task.

Tenant-level administration

To get visibility into all the on-premises data gateways in an Azure AD tenant, global administrators in that tenant can sign in to the Power Platform Admin center as a tenant administrator and select the Data Gateways option. For more information, see Tenant-level administration for the on-premises data gateway.

Restart gateway

By default, the gateway installation on your local computer runs as a Windows service account named "On-premises data gateway service". However, the gateway installation uses the NT SERVICE\PBIEgwService name for its "Log On As" account credentials and has "Log on as a service" permissions.

Note

Your Windows service account differs from the account used for connecting to on-premises data sources and from the Azure account that you use when you sign in to cloud services.

Like any other Windows service, you can start and stop the gateway in various ways. For more information, see Restart an on-premises data gateway.
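
Before restarting the gateway, it is worth confirming that the service still runs under the default "Log On As" account described above. The following PowerShell is an added example, not part of the original article; the function name `Test-GatewayServiceIdentity` is hypothetical, and it assumes the Windows service name is `PBIEgwService`, matching the account name on this page.

```powershell
# Added example (not from the original article): check the gateway service identity,
# then optionally restart it. Run from an elevated PowerShell session.
function Test-GatewayServiceIdentity {
    [CmdletBinding()]
    param(
        # Assumption: the service name matches the account name given on this page.
        [string]$ServiceName = 'PBIEgwService',
        # Default "Log On As" account stated on this page.
        [string]$ExpectedAccount = 'NT SERVICE\PBIEgwService',
        [switch]$Restart
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "Service '$ServiceName' was not found. Is the gateway installed on this computer?"
    }

    # -eq on strings is case-insensitive, which suits Windows account names.
    $isDefaultAccount = ($svc.StartName -eq $ExpectedAccount)
    if (-not $isDefaultAccount) {
        Write-Warning ("Service runs as '{0}', not the default '{1}'. Confirm that this change was intended and that the account is not over-privileged." -f $svc.StartName, $ExpectedAccount)
    }
    if ($svc.StartMode -ne 'Auto') {
        Write-Warning "Start mode is '$($svc.StartMode)'; the gateway will not come back after a reboot."
    }

    # Restart only when asked, and only when the identity check passed.
    if ($Restart -and $isDefaultAccount) {
        Restart-Service -Name $ServiceName -ErrorAction Stop
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    }

    [pscustomobject]@{
        DisplayName      = $svc.DisplayName
        State            = $svc.State
        StartMode        = $svc.StartMode
        LogOnAs          = $svc.StartName
        IsDefaultAccount = $isDefaultAccount
        BinaryPath       = $svc.PathName
    }
}

# Inspect only; add -Restart to restart the service after the check passes.
Test-GatewayServiceIdentity
```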

How the gateway works

Users in your organization can access on-premises data for which they already have authorized access. However, before these users can connect to your on-premises data source, you need to install and set up an on-premises data gateway. Usually, an admin is the person who installs and sets up a gateway. These actions might require Server Administrator permissions or special knowledge about your on-premises servers.

The gateway helps facilitate faster and more secure behind-the-scenes communication. This communication flows between a user in the cloud, the gateway cloud service, and your on-premises data source. The gateway cloud service encrypts and stores your data source credentials and gateway details. The service also routes queries and their results between the user, the gateway, and your on-premises data source.

The gateway works with firewalls and uses only outbound connections. All traffic originates as secured outbound traffic from the gateway agent. The gateway relays data from on-premises sources on encrypted channels through Azure Service Bus. This service bus creates a channel between the gateway and the calling service, but doesn't store any data. All data that travels through the gateway is encrypted.

[Image: Architecture for on-premises data gateway]

Note

Depending on the cloud service, you might need to set up a data source for the gateway.

These steps describe what happens when you interact with an element that's connected to an on-premises data source:

  1. The cloud service creates a query, along with the encrypted credentials for the data source. The service then sends the query and credentials to the gateway queue for processing.

  2. The gateway cloud service analyzes the query and pushes the request to Azure Service Bus.

  3. Azure Service Bus sends the pending requests to the gateway.

  4. The gateway gets the query, decrypts the credentials, and connects to one or more data sources with those credentials.

  5. The gateway sends the query to the data source for running.

  6. The results are sent from the data source back to the gateway, and then to the gateway cloud service. The gateway cloud service then uses the results.

Authentication to on-premises data sources

A stored credential is used to connect from the gateway to on-premises data sources. Regardless of the user, the gateway uses the stored credential to connect. There might be authentication exceptions for specific services, such as DirectQuery and LiveConnect for Analysis Services in Power BI.

Azure Active Directory (Azure AD)

Microsoft cloud services use Azure AD to authenticate users. An Azure AD tenant contains usernames and security groups. Typically, the email address that you use for sign-in is the same as the User Principal Name (UPN) for your account.

What is my UPN?

If you're not a domain admin, you might not know your UPN. To find the UPN for your account, run the whoami /upn command from your workstation. Although the result looks like an email address, the result is the UPN for your local domain account.

Synchronize an on-premises Active Directory with Azure AD

The UPN for your on-premises Active Directory accounts and Azure AD accounts must be the same. So, make sure that each on-premises Active Directory account matches your Azure AD account. The cloud services know only about accounts within Azure AD. So, you don't need to add an account to your on-premises Active Directory. If the account doesn't exist in Azure AD, you can't use that account.

Here are ways that you can match your on-premises Active Directory accounts with Azure AD.

  • Add accounts manually to Azure AD.

    Create an account in the Azure portal or in the Microsoft 365 admin center. Make sure that the account name matches the UPN for the on-premises Active Directory account.

  • Synchronize local accounts to your Azure AD tenant by using the Azure Active Directory Connect tool.

    The Azure AD Connect tool provides options for directory synchronization and authentication setup. These options include password hash sync, pass-through authentication, and federation. If you're not a tenant admin or a local domain admin, contact your IT admin to get Azure AD Connect set up. Azure AD Connect ensures that your Azure AD UPN matches your local Active Directory UPN. This matching helps if you're using Analysis Services live connections with Power BI or single sign-on (SSO) capabilities.

    Note

    Synchronizing accounts with the Azure AD Connect tool creates new accounts in your Azure AD tenant.

FAQ and troubleshooting

For more information, see these topics:

Next steps