
Azure SQL Database and SQL Data Warehouse IP firewall rules

Microsoft Azure SQL Database and SQL Data Warehouse provide a relational database service for Azure and other Internet-based applications. To help protect your data, firewalls prevent all access to your database server until you specify which computers have permission. The firewall grants access to databases based on the originating IP address of each request.

Note

This article applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse.

Important

This article does not apply to Azure SQL Database Managed Instance. For more information about the networking configuration needed, see the article on connecting to a Managed Instance.

Virtual network rules as alternatives to IP rules

In addition to IP rules, the firewall also manages virtual network rules. Virtual network rules are based on Virtual Network service endpoints. Virtual network rules might be preferable to IP rules in some cases. To learn more, see Virtual Network service endpoints and rules for Azure SQL Database.

Overview

Initially, all access to your Azure SQL server is blocked by the SQL Database firewall. To access a database server, you must specify one or more server-level IP firewall rules that enable access to your Azure SQL server. Use the IP firewall rules to specify which IP address ranges from the Internet are allowed, and whether Azure applications can attempt to connect to your Azure SQL server.

To selectively grant access to just one of the databases in your Azure SQL server, you must create a database-level rule for the required database. Specify an IP address range for the database IP firewall rule that is outside the IP address range specified in the server-level IP firewall rule, and ensure that the IP address of the client falls in the range specified in the database-level rule.

Important

SQL Data Warehouse only supports server-level IP firewall rules and does not support database-level IP firewall rules.

Connection attempts from the Internet and Azure must first pass through the firewall before they can reach your Azure SQL server or SQL Database, as shown in the following diagram:

[Diagram describing the firewall configuration.]

  • Server-level IP firewall rules:

    These rules enable clients to access your entire Azure SQL server, that is, all the databases within the same SQL Database server. These rules are stored in the master database. Server-level IP firewall rules can be configured by using the portal or by using Transact-SQL statements. To create server-level IP firewall rules using the Azure portal or PowerShell, you must be the subscription owner or a subscription contributor. To create a server-level IP firewall rule using Transact-SQL, you must connect to the SQL Database instance as the server-level principal login or the Azure Active Directory administrator (which means that a server-level IP firewall rule must first be created by a user with Azure-level permissions).

  • Database-level IP firewall rules:

    These rules enable clients to access certain (secure) databases within the same SQL Database server. You can create these rules for each database (including the master database) and they are stored in the individual databases. Database-level IP firewall rules for master and user databases can only be created and managed by using Transact-SQL statements and only after you have configured the first server-level firewall. If you specify an IP address range in the database-level IP firewall rule that is outside the range specified in the server-level IP firewall rule, only those clients that have IP addresses in the database-level range can access the database. You can have a maximum of 128 database-level IP firewall rules for a database. For more information on configuring database-level IP firewall rules, see the example later in this article and see sp_set_database_firewall_rule (Azure SQL Database).

Recommendation

Microsoft recommends using database-level IP firewall rules whenever possible to enhance security and to make your database more portable. Use server-level IP firewall rules for administrators and when you have many databases that have the same access requirements and you don't want to spend time configuring each database individually.

Important

Microsoft Azure SQL Database supports a maximum of 128 IP firewall rules.

Note

For information about portable databases in the context of business continuity, see Authentication requirements for disaster recovery.

Connecting from the Internet

When a computer attempts to connect to your database server from the Internet, the firewall first checks the originating IP address of the request against the database-level IP firewall rules for the database that the connection is requesting:

  • If the IP address of the request is within one of the ranges specified in the database-level IP firewall rules, the connection is granted to the SQL Database that contains the rule.
  • If the IP address of the request is not within one of the ranges specified in the database-level IP firewall rules, the server-level IP firewall rules are checked. If the IP address of the request is within one of the ranges specified in the server-level IP firewall rules, the connection is granted. Server-level IP firewall rules apply to all SQL databases on the Azure SQL server.
  • If the IP address of the request is not within the ranges specified in any of the database-level or server-level IP firewall rules, the connection request fails.
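
The evaluation order above, modelled as an added example (not Microsoft's code) that answers "which databases can this source address reach?". The rule names, addresses and database names are constructed, and the special 0.0.0.0 Azure setting is not modelled.

```python
"""Model of the documented rule-evaluation order for one Azure SQL server."""
from ipaddress import IPv4Address

# Constructed sample rule sets: (rule name, start address, end address).
SERVER_RULES = [("AdminOffice", "203.0.113.10", "203.0.113.20")]
DATABASE_RULES = {
    "SalesDb": [("SalesApp", "198.51.100.5", "198.51.100.5")],
    "HrDb": [],
}


def _match(rules, client_ip):
    """Return the name of the first rule whose inclusive range holds client_ip."""
    ip = IPv4Address(client_ip)
    for name, start, end in rules:
        if IPv4Address(start) <= ip <= IPv4Address(end):
            return name
    return None


def evaluate(client_ip, database,
             server_rules=SERVER_RULES, database_rules=DATABASE_RULES):
    """Apply the documented order: database-level, then server-level, else fail."""
    rule = _match(database_rules.get(database, []), client_ip)
    if rule:
        return ("granted", "database", rule)
    rule = _match(server_rules, client_ip)
    if rule:
        return ("granted", "server", rule)
    return ("failed", None, None)


def reachable_databases(client_ip,
                        server_rules=SERVER_RULES, database_rules=DATABASE_RULES):
    """List every database whose firewall would admit client_ip."""
    return sorted(
        db for db in database_rules
        if evaluate(client_ip, db, server_rules, database_rules)[0] == "granted"
    )


if __name__ == "__main__":
    # A database-level match exposes one database; a server-level match exposes all.
    for ip in ("198.51.100.5", "203.0.113.15", "192.0.2.99"):
        print(ip, "->", reachable_databases(ip))
```

Passing the firewall only lets the client attempt a connection; the login still has to authenticate.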

Note

To access Azure SQL Database from your local computer, ensure the firewall on your network and local computer allows outgoing communication on TCP port 1433.

Connecting from Azure

To allow applications from Azure to connect to your Azure SQL server, Azure connections must be enabled. When an application from Azure attempts to connect to your database server, the firewall verifies that Azure connections are allowed. A firewall setting with starting and ending address equal to 0.0.0.0 indicates Azure connections are allowed. If the connection attempt is not allowed, the request does not reach the Azure SQL Database server.

Important

This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.

Creating and managing IP firewall rules

The first server-level firewall setting can be created using the Azure portal or programmatically using Azure PowerShell, Azure CLI, or the REST API. Subsequent server-level IP firewall rules can be created and managed using these methods, and through Transact-SQL.

Important

Database-level IP firewall rules can only be created and managed using Transact-SQL.

To improve performance, server-level IP firewall rules are temporarily cached at the database level. To refresh the cache, see DBCC FLUSHAUTHCACHE.

Tip

You can use SQL Database Auditing to audit server-level and database-level firewall changes.

Manage server-level IP firewall rules using the Azure portal

To set a server-level IP firewall rule in the Azure portal, you can either go to the Overview page for your Azure SQL database or the Overview page for your SQL Database server.

Tip

For a tutorial, see Create a DB using the Azure portal.

From database overview page

  1. To set a server-level IP firewall rule from the database overview page, click Set server firewall on the toolbar, as shown in the following image. The Firewall settings page for the SQL Database server opens.

    [Image: server IP firewall rule]

  2. Click Add client IP on the toolbar to add the IP address of the computer you are currently using and then click Save. A server-level IP firewall rule is created for your current IP address.

    [Image: set server-level IP firewall rule]

From server overview page

The overview page for your server opens, showing the fully qualified server name (such as mynewserver20170403.database.windows.net) and providing options for further configuration.

  1. To set a server-level rule from the server overview page, click Firewall in the left-hand menu under Settings.

  2. Click Add client IP on the toolbar to add the IP address of the computer you are currently using and then click Save. A server-level IP firewall rule is created for your current IP address.

Manage IP firewall rules using Transact-SQL

| Catalog view or stored procedure | Level | Description |
|---|---|---|
| sys.firewall_rules | Server | Displays the current server-level IP firewall rules |
| sp_set_firewall_rule | Server | Creates or updates server-level IP firewall rules |
| sp_delete_firewall_rule | Server | Removes server-level IP firewall rules |
| sys.database_firewall_rules | Database | Displays the current database-level IP firewall rules |
| sp_set_database_firewall_rule | Database | Creates or updates the database-level IP firewall rules |
| sp_delete_database_firewall_rule | Database | Removes database-level IP firewall rules |

The following examples review the existing rules, enable a range of IP addresses on the server Contoso, and delete an IP firewall rule:

SELECT * FROM sys.firewall_rules ORDER BY name;

Next, add a server-level IP firewall rule.

EXECUTE sp_set_firewall_rule @name = N'ContosoFirewallRule',
   @start_ip_address = '192.168.1.1', @end_ip_address = '192.168.1.10'

To delete a server-level IP firewall rule, execute the sp_delete_firewall_rule stored procedure. The following example deletes the rule named ContosoFirewallRule:

EXECUTE sp_delete_firewall_rule @name = N'ContosoFirewallRule'

Manage server-level IP firewall rules using Azure PowerShell

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm modules are substantially identical.

| Cmdlet | Level | Description |
|---|---|---|
| Get-AzSqlServerFirewallRule | Server | Returns the current server-level firewall rules |
| New-AzSqlServerFirewallRule | Server | Creates a new server-level firewall rule |
| Set-AzSqlServerFirewallRule | Server | Updates the properties of an existing server-level firewall rule |
| Remove-AzSqlServerFirewallRule | Server | Removes server-level firewall rules |

The following example sets a server-level IP firewall rule using PowerShell:

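# $servername must already hold the name of your Azure SQL server.
# Start and end address 0.0.0.0 is the setting that allows connections from Azure
# (see "Connecting from Azure"); supply a client range to admit specific addresses.
New-AzSqlServerFirewallRule -ResourceGroupName "myResourceGroup" `
    -ServerName $servername `
    -FirewallRuleName "AllowSome" -StartIpAddress "0.0.0.0" -EndIpAddress "0.0.0.0"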

Manage server-level IP firewall rules using Azure CLI

| Command | Level | Description |
|---|---|---|
| az sql server firewall-rule create | Server | Creates a server IP firewall rule |
| az sql server firewall-rule list | Server | Lists the IP firewall rules on a server |
| az sql server firewall-rule show | Server | Shows the detail of an IP firewall rule |
| az sql server firewall-rule update | Server | Updates an IP firewall rule |
| az sql server firewall-rule delete | Server | Deletes an IP firewall rule |

The following example sets a server-level IP firewall rule using the Azure CLI:

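# $servername must hold your Azure SQL server name. Start and end address 0.0.0.0
# is the setting that allows connections from Azure, not a single client address.
az sql server firewall-rule create --resource-group myResourceGroup --server $servername \
-n AllowYourIp --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0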

Tip

For an Azure CLI example in the context of a quick start, see Create DB - Azure CLI and Create a single database and configure a SQL Database IP firewall rule using the Azure CLI.

Manage server-level IP firewall rules using REST API

| API | Level | Description |
|---|---|---|
| List Firewall Rules | Server | Displays the current server-level IP firewall rules |
| Create or Update Firewall Rule | Server | Creates or updates server-level IP firewall rules |
| Delete Firewall Rule | Server | Removes server-level IP firewall rules |
| Get Firewall Rules | Server | Gets server-level IP firewall rules |

Server-level versus database-level IP firewall rules

Q. Should users of one database be fully isolated from another database? If yes, grant access using database-level IP firewall rules. This avoids using server-level IP firewall rules, which permit access through the firewall to all databases, reducing the depth of your defenses.

Q. Do users at the IP addresses need access to all databases? Use server-level IP firewall rules to reduce the number of times you must configure IP firewall rules.

Q. Does the person or team configuring the IP firewall rules only have access through the Azure portal, PowerShell, or the REST API? You must use server-level IP firewall rules. Database-level IP firewall rules can only be configured using Transact-SQL.

Q. Is the person or team configuring the IP firewall rules prohibited from having high-level permission at the database level? Use server-level IP firewall rules. Configuring database-level IP firewall rules using Transact-SQL requires at least CONTROL DATABASE permission at the database level.

Q. Is the person or team configuring or auditing the IP firewall rules centrally managing IP firewall rules for many (perhaps hundreds of) databases? This selection depends upon your needs and environment. Server-level IP firewall rules might be easier to configure, but scripting can configure rules at the database level. And even if you use server-level IP firewall rules, you might need to audit the database-level IP firewall rules to see if users with CONTROL permission on the database have created database-level IP firewall rules.

Q. Can I use a mix of both server-level and database-level IP firewall rules? Yes. Some users, such as administrators, might need server-level IP firewall rules. Other users, such as users of a database application, might need database-level IP firewall rules.
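
A review pass over exported rules, covering the audit point above and the warning about the 0.0.0.0 setting; this is an added example, not Microsoft's tooling. The column names follow sys.firewall_rules and sys.database_firewall_rules, while the "scope" label, the finding codes, the 256-address threshold and every row not taken from this page's examples are assumptions.

```python
"""Review exported Azure SQL IP firewall rules for entries that need a second look."""
from ipaddress import IPv4Address, IPv4Network

RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_ADDRESSES = 256  # assumed review threshold, not an Azure limit

# Constructed sample rows; "scope" is "server" or a database name (assumed label).
# The first two rows reuse the values from this page's own examples.
SAMPLE_RULES = [
    {"scope": "server", "name": "AllowSome",
     "start_ip_address": "0.0.0.0", "end_ip_address": "0.0.0.0"},
    {"scope": "server", "name": "ContosoFirewallRule",
     "start_ip_address": "192.168.1.1", "end_ip_address": "192.168.1.10"},
    {"scope": "server", "name": "LoadTest",
     "start_ip_address": "198.18.0.0", "end_ip_address": "198.18.3.255"},
    {"scope": "SalesDb", "name": "SalesApp",
     "start_ip_address": "198.51.100.5", "end_ip_address": "198.51.100.5"},
    {"scope": "SalesDb", "name": "LoadTestNode",
     "start_ip_address": "198.18.0.7", "end_ip_address": "198.18.0.7"},
]


def _bounds(rule):
    return IPv4Address(rule["start_ip_address"]), IPv4Address(rule["end_ip_address"])


def findings(rule, server_rules):
    """Return finding codes for one rule; an empty list means nothing to review."""
    start, end = _bounds(rule)
    if int(start) == 0 and int(end) == 0:
        # Special setting: allows all Azure connections, other customers included.
        return ["ALLOW_AZURE"]
    codes = []
    size = int(end) - int(start) + 1
    if size >= 2 ** 32:
        codes.append("ANY_ADDRESS")
    elif size > MAX_ADDRESSES:
        codes.append("BROAD_RANGE")
    if any(start in net or end in net for net in RFC1918):
        # RFC 1918 address: per the NAT note, clients may connect from another one.
        codes.append("PRIVATE_RANGE")
    if rule["scope"] != "server" and not any(
            s <= start and end <= e for s, e in map(_bounds, server_rules)):
        # Database-level rule opening addresses that no single server rule covers.
        codes.append("DB_ONLY_ACCESS")
    return codes


def audit(rules):
    """Return (scope, name, codes) for every rule with at least one finding."""
    server_rules = [r for r in rules if r["scope"] == "server"]
    report = [(r["scope"], r["name"], findings(r, server_rules)) for r in rules]
    return [row for row in report if row[2]]


if __name__ == "__main__":
    for scope, name, codes in audit(SAMPLE_RULES):
        print(f"{scope:8} {name:20} {', '.join(codes)}")
```

DB_ONLY_ACCESS is informational: it lists the database-level rules that widen access beyond what the server-level rules already allow.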

Troubleshooting the database firewall

Consider the following points when access to the Microsoft Azure SQL Database service does not behave as you expect:

  • Local firewall configuration:

    Before your computer can access Azure SQL Database, you may need to create a firewall exception on your computer for TCP port 1433. If you are making connections inside the Azure cloud boundary, you may have to open additional ports. For more information, see the SQL Database: Outside vs inside section of Ports beyond 1433 for ADO.NET 4.5 and SQL Database.

  • Network address translation (NAT):

    Due to NAT, the IP address used by your computer to connect to Azure SQL Database may be different than the IP address shown in your computer IP configuration settings. To view the IP address your computer is using to connect to Azure, log in to the portal and navigate to the Configure tab on the server that hosts your database. Under the Allowed IP Addresses section, the Current Client IP Address is displayed. Click Add to the Allowed IP Addresses to allow this computer to access the server.

  • Changes to the allow list have not taken effect yet:

    There may be as much as a five-minute delay for changes to the Azure SQL Database firewall configuration to take effect.

  • The login is not authorized or an incorrect password was used:

    If a login does not have permissions on the Azure SQL Database server or the password used is incorrect, the connection to the Azure SQL Database server is denied. Creating a firewall setting only provides clients with an opportunity to attempt connecting to your server; each client must provide the necessary security credentials. For more information about preparing logins, see Managing Databases, Logins, and Users in Azure SQL Database.

  • Dynamic IP address:

    If you have an Internet connection with dynamic IP addressing and you are having trouble getting through the firewall, you could try one of the following solutions:

    • Ask your Internet Service Provider (ISP) for the IP address range assigned to your client computers that access the Azure SQL Database server, and then add the IP address range as an IP firewall rule.
    • Get static IP addressing instead for your client computers, and then add the IP addresses as IP firewall rules.

Next steps