
What is Azure SQL Database managed instance?

Managed instance is a new deployment option of Azure SQL Database, providing near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers. The managed instance deployment model allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes. At the same time, the managed instance deployment option preserves all PaaS capabilities (automatic patching and version updates, automated backups, high availability), which drastically reduces management overhead and TCO.

Important

For a list of regions in which the managed instance deployment option is currently available, see supported regions.

The following diagram outlines key features of managed instances:

[Diagram: Key features]

The managed instance deployment model is designed for customers looking to migrate a large number of apps from an on-premises or IaaS, self-built, or ISV-provided environment to a fully managed PaaS cloud environment, with as little migration effort as possible. Using the fully automated Data Migration Service (DMS) in Azure, customers can lift and shift their on-premises SQL Server to a managed instance that offers compatibility with SQL Server on-premises and complete isolation of customer instances with native VNet support. With Software Assurance, you can exchange your existing licenses for discounted rates on a managed instance using the Azure Hybrid Benefit for SQL Server. A managed instance is the best migration destination in the cloud for SQL Server instances that require high security and a rich programmability surface.

The managed instance deployment option aims to deliver close to 100% surface area compatibility with the latest on-premises SQL Server version through a staged release plan.

To decide between the Azure SQL Database deployment options (single database, pooled database, and managed instance) and SQL Server hosted in a virtual machine, see how to choose the right version of SQL Server in Azure.

Key features and capabilities

Managed instance combines the best features that are available both in Azure SQL Database and SQL Server Database Engine.

Important

A managed instance runs with all of the features of the most recent version of SQL Server, including online operations, automatic plan corrections, and other enterprise performance enhancements. A comparison of the features available is explained in Feature comparison: Azure SQL Database versus SQL Server.

PaaS benefits

  • No hardware purchasing and management
  • No management overhead for managing underlying infrastructure
  • Quick provisioning and service scaling
  • Automated patching and version upgrade
  • Integration with other PaaS data services

Business continuity

  • 99.99% uptime SLA
  • Built-in high availability
  • Data protected with automated backups
  • Customer-configurable backup retention period
  • User-initiated backups
  • Point-in-time database restore capability

Security and compliance

  • Isolated environment (VNet integration, single-tenant service, dedicated compute and storage)
  • Transparent data encryption (TDE)
  • Azure AD authentication, single sign-on support
  • Azure AD server principals (logins) (public preview)
  • Adheres to the same compliance standards as Azure SQL Database
  • SQL auditing
  • Advanced Threat Protection

Management

  • Azure Resource Manager API for automating service provisioning and scaling
  • Azure portal functionality for manual service provisioning and scaling
  • Data Migration Service

Important

Azure SQL Database (all deployment options) has been certified against a number of compliance standards. For more information, see the Microsoft Azure Trust Center, where you can find the most current list of SQL Database compliance certifications.

The key features of managed instances are shown in the following table:

| Feature | Description |
| --- | --- |
| SQL Server version / build | SQL Server Database Engine (latest stable) |
| Managed automated backups | Yes |
| Built-in instance and database monitoring and metrics | Yes |
| Automatic software patching | Yes |
| The latest Database Engine features | Yes |
| Number of data files (ROWS) per database | Multiple |
| Number of log files (LOG) per database | 1 |
| VNet - Azure Resource Manager deployment | Yes |
| VNet - Classic deployment model | No |
| Portal support | Yes |
| Built-in Integration Service (SSIS) | No - SSIS is a part of Azure Data Factory PaaS |
| Built-in Analysis Service (SSAS) | No - SSAS is a separate PaaS |
| Built-in Reporting Service (SSRS) | No - use Power BI or SSRS IaaS |

vCore-based purchasing model

The vCore-based purchasing model for managed instances gives you flexibility, control, transparency, and a straightforward way to translate on-premises workload requirements to the cloud. This model allows you to change compute, memory, and storage based upon your workload needs. The vCore model is also eligible for up to 30 percent savings with the Azure Hybrid Benefit for SQL Server.

In the vCore model, you can choose between two generations of hardware.

  • Gen4 logical CPUs are based on Intel E5-2673 v3 (Haswell) 2.4-GHz processors, attached SSD, physical cores, 7-GB RAM per core, and compute sizes between 8 and 24 vCores.
  • Gen5 logical CPUs are based on Intel E5-2673 v4 (Broadwell) 2.3-GHz processors, fast NVMe SSD, hyper-threaded logical cores, and compute sizes between 4 and 80 cores.

Find more information about the difference between hardware generations in managed instance resource limits.

Important

New Gen4 databases are no longer supported in the Australia East or Brazil South regions.

Managed instance service tiers

Managed instance is available in two service tiers:

  • General purpose: Designed for applications with typical performance and IO latency requirements.
  • Business critical: Designed for applications with low IO latency requirements and minimal impact of underlying maintenance operations on the workload.

Both service tiers guarantee 99.99% availability and enable you to independently select storage size and compute capacity. For more information on the high availability architecture of Azure SQL Database, see High availability and Azure SQL Database.

General purpose service tier

The following list describes the key characteristics of the General Purpose service tier:

  • Designed for the majority of business applications with typical performance requirements
  • High-performance Azure Blob storage (8 TB)
  • Built-in high availability based on reliable Azure Blob storage and Azure Service Fabric

For more information, see storage layer in general purpose tier and storage performance best practices and considerations for managed instances (general purpose).

Find more information about the difference between service tiers in managed instance resource limits.

Business Critical service tier

The Business Critical service tier is built for applications with high IO requirements. It offers the highest resilience to failures using several isolated replicas.

The following list outlines the key characteristics of the Business Critical service tier:

Find more information about the difference between service tiers in managed instance resource limits.

Managed instance management operations

Azure SQL Database provides management operations that you can use to automatically deploy new managed instances, update instance properties, and delete instances when no longer needed. This section provides information about management operations and their typical durations.

To support deployments within Azure Virtual Networks (VNets) and provide isolation and security for customers, managed instance relies on virtual clusters, which represent a dedicated set of isolated virtual machines deployed inside the customer's virtual network subnet. Essentially, every managed instance deployment in an empty subnet results in a new virtual cluster buildout.

Subsequent operations on deployed managed instances might also have effects on the underlying virtual cluster. This affects the duration of management operations, as deploying additional virtual machines comes with an overhead that needs to be considered when you plan new deployments or updates to existing managed instances.

All management operations can be categorized as follows:

  • Instance deployment (new instance creation).
  • Instance update (changing instance properties, such as vCores, reserved storage, etc.).
  • Instance deletion.

Typically, operations on virtual clusters take the longest. The duration of operations on virtual clusters varies; below are the values that you can typically expect, based on existing service telemetry data:

  • Virtual cluster creation. This is a synchronous step in instance management operations. 90% of operations finish in 4 hours.
  • Virtual cluster resizing (expansion or shrinking). Expansion is a synchronous step, while shrinking is performed asynchronously (without impact on the duration of instance management operations). 90% of cluster expansions finish in less than 2.5 hours.
  • Virtual cluster deletion. Deletion is an asynchronous step, but it can also be initiated manually on an empty virtual cluster, in which case it executes synchronously. 90% of virtual cluster deletions finish in 1.5 hours.

Additionally, management of instances may also include one of the following operations on hosted databases, which results in longer durations:

  • Attaching database files from Azure Storage. This is a synchronous step, for example in compute (vCore) or storage scaling up or down in the General Purpose service tier. 90% of these operations finish in 5 minutes.
  • Always On availability group seeding. This is a synchronous step, for example in compute (vCore) or storage scaling in the Business Critical service tier, as well as in changing the service tier from General Purpose to Business Critical (or vice versa). The duration of this operation is proportional to the total database size as well as current database activity (number of active transactions). Database activity when updating an instance can introduce significant variance to the total duration. 90% of these operations execute at 220 GB / hour or higher.

The following table summarizes operations and typical overall durations:

| Category | Operation | Long-running segment | Estimated duration |
| --- | --- | --- | --- |
| Deployment | First instance in an empty subnet | Virtual cluster creation | 90% of operations finish in 4 hours |
| Deployment | First instance of another hardware generation in a non-empty subnet (for example, first Gen 5 instance in a subnet with Gen 4 instances) | Virtual cluster creation* | 90% of operations finish in 4 hours |
| Deployment | First instance creation of 4 vCores, in an empty or non-empty subnet | Virtual cluster creation** | 90% of operations finish in 4 hours |
| Deployment | Subsequent instance creation within the non-empty subnet (2nd, 3rd, etc. instance) | Virtual cluster resizing | 90% of operations finish in 2.5 hours |
| Update | Instance property change (admin password, AAD login, Azure Hybrid Benefit flag) | N/A | Up to 1 minute |
| Update | Instance storage scaling up/down (General Purpose service tier) | Virtual cluster resizing; attaching database files | 90% of operations finish in 2.5 hours |
| Update | Instance storage scaling up/down (Business Critical service tier) | Virtual cluster resizing; Always On availability group seeding | 90% of operations finish in 2.5 hours + time to seed all databases (220 GB / hour) |
| Update | Instance compute (vCores) scaling up and down (General Purpose) | Virtual cluster resizing; attaching database files | 90% of operations finish in 2.5 hours |
| Update | Instance compute (vCores) scaling up and down (Business Critical) | Virtual cluster resizing; Always On availability group seeding | 90% of operations finish in 2.5 hours + time to seed all databases (220 GB / hour) |
| Update | Instance scale down to 4 vCores (General Purpose) | Virtual cluster resizing (if done for the first time, it may require virtual cluster creation**); attaching database files | 90% of operations finish in 4 h 5 min** |
| Update | Instance scale down to 4 vCores (General Purpose) | Virtual cluster resizing (if done for the first time, it may require virtual cluster creation**); Always On availability group seeding | 90% of operations finish in 4 hours + time to seed all databases (220 GB / hour) |
| Update | Instance service tier change (General Purpose to Business Critical and vice versa) | Virtual cluster resizing; Always On availability group seeding | 90% of operations finish in 2.5 hours + time to seed all databases (220 GB / hour) |
| Deletion | Instance deletion | Log tail backup for all databases | 90% of operations finish in up to 1 minute. Note: if the last instance in the subnet is deleted, this operation will schedule virtual cluster deletion after 12 hours*** |
| Deletion | Virtual cluster deletion (as user-initiated operation) | Virtual cluster deletion | 90% of operations finish in up to 1.5 hours |

* Virtual cluster is built per hardware generation.

** The 4 vCores deployment option was released in June 2019 and requires a new virtual cluster version. If you had instances in the target subnet that were all created before June 12, a new virtual cluster will be deployed automatically to host 4 vCore instances.

*** 12 hours is the current configuration, but that might change in the future, so don't take a hard dependency on it. If you need to delete a virtual cluster earlier (to release the subnet, for example), see Delete a subnet after deleting an Azure SQL Database managed instance.

Instance availability during management

Managed instances are not available to client applications during deployment and deletion operations.

Managed instances are available during update operations, but there is a short downtime caused by the failover that happens at the end of an update; it typically lasts up to 10 seconds.

Important

The duration of a failover can vary significantly in case of long-running transactions on the databases, due to prolonged recovery time. Hence it is not recommended to scale compute or storage of an Azure SQL Database managed instance, or to change its service tier, at the same time as long-running transactions (data import, data processing jobs, index rebuild, etc.). The database failover that is performed at the end of the operation cancels ongoing transactions and results in prolonged recovery time.

Accelerated database recovery is not currently available for Azure SQL Database managed instances. Once enabled, this feature will significantly reduce the variability of failover time, even in case of long-running transactions.

Advanced security and compliance

The managed instance deployment option combines advanced security features provided by the Azure cloud and SQL Server Database Engine.

Managed instance security isolation

A managed instance provides additional security isolation from other tenants in the Azure cloud. Security isolation includes:

  • Native virtual network implementation and connectivity to your on-premises environment using Azure ExpressRoute or VPN Gateway.
  • In a default deployment, the SQL endpoint is exposed only through a private IP address, allowing safe connectivity from private Azure or hybrid networks.
  • Single-tenant with dedicated underlying infrastructure (compute, storage).

The following diagram outlines various connectivity options for your applications:

[Diagram: High availability]

To learn more about VNet integration and networking policy enforcement at the subnet level, see VNet architecture for managed instances and Connect your application to a managed instance.

Important

Place multiple managed instances in the same subnet, wherever that is allowed by your security requirements, as that will bring you additional benefits. Collocating instances in the same subnet will significantly simplify networking infrastructure maintenance and reduce instance provisioning time, since the long provisioning duration is associated with the cost of deploying the first managed instance in a subnet.

Azure SQL Database security features

Azure SQL Database provides a set of advanced security features that can be used to protect your data.

  • Managed instance auditing tracks database events and writes them to an audit log file placed in your Azure storage account. Auditing can help maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
  • Data encryption in motion - a managed instance secures your data by providing encryption for data in motion using Transport Layer Security. In addition to transport layer security, the managed instance deployment option offers protection of sensitive data in flight, at rest and during query processing with Always Encrypted. Always Encrypted is an industry-first that offers unparalleled data security against breaches involving the theft of critical data. For example, with Always Encrypted, credit card numbers are always stored encrypted in the database, even during query processing, allowing decryption at the point of use by authorized staff or applications that need to process that data.
  • Advanced Threat Protection complements auditing by providing an additional layer of security intelligence built into the service that detects unusual and potentially harmful attempts to access or exploit databases. You are alerted about suspicious activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. Advanced Threat Protection alerts can be viewed from Azure Security Center and provide details of the suspicious activity and recommended actions on how to investigate and mitigate the threat.
  • Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling you to designate how much of the sensitive data to reveal, with minimal impact on the application layer. It is a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
  • Row-level security enables you to control access to rows in a database table based on the characteristics of the user executing a query (such as by group membership or execution context). Row-level security (RLS) simplifies the design and coding of security in your application. RLS enables you to implement restrictions on data row access. For example, ensuring that workers can access only the data rows that are pertinent to their department, or restricting data access to only the relevant data.
  • Transparent data encryption (TDE) encrypts managed instance data files, known as encrypting data at rest. TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. You can protect all your databases in a managed instance with transparent data encryption. TDE is SQL Server's proven encryption-at-rest technology that is required by many compliance standards to protect against theft of storage media.
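As an added example (not code from the page or from Microsoft's documentation), the following T-SQL shows two of the features above working together on a constructed table: a row-level security policy filters rows by the caller's department, and a dynamic data mask hides the card number from users who lack the UNMASK permission. The table, schema, function and user names, the sample rows, and the use of SESSION_CONTEXT to carry the department are assumptions for illustration.

```sql
-- Added example: RLS + dynamic data masking on a constructed dbo.Orders table.
-- All object names and rows below are made up for the demonstration.
CREATE SCHEMA Security;
GO

-- Each row is tagged with the department that owns it; the card number column
-- gets a partial mask that keeps only the last four characters visible.
CREATE TABLE dbo.Orders
(
    OrderId    INT IDENTITY PRIMARY KEY,
    Department SYSNAME     NOT NULL,
    CardNumber VARCHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Amount     MONEY       NOT NULL
);
INSERT INTO dbo.Orders (Department, CardNumber, Amount) VALUES
    (N'Finance',   '4111-1111-1111-1111', 120.00),   -- constructed sample data
    (N'Logistics', '5500-0000-0000-0004',  75.50);

-- Database users without logins stand in for application identities. They get
-- SELECT only; neither is granted UNMASK, so they see masked card numbers.
CREATE USER FinanceApp   WITHOUT LOGIN;
CREATE USER LogisticsApp WITHOUT LOGIN;
GRANT SELECT ON dbo.Orders TO FinanceApp, LogisticsApp;
GO

-- Inline table-valued predicate: a row is visible when its Department equals the
-- department the application placed in SESSION_CONTEXT, or when the caller is dbo.
CREATE FUNCTION Security.fn_DeptPredicate(@Department AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE @Department = CAST(SESSION_CONTEXT(N'Department') AS SYSNAME)
          OR USER_NAME() = N'dbo';
GO

-- Bind the predicate as a FILTER (hides rows on SELECT/UPDATE/DELETE) and as a
-- BLOCK predicate AFTER INSERT (a user cannot insert rows for another department).
CREATE SECURITY POLICY Security.OrdersPolicy
    ADD FILTER PREDICATE Security.fn_DeptPredicate(Department) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_DeptPredicate(Department) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO

-- Check: the application sets its department once, read-only, then queries as the
-- Logistics identity. Only the Logistics row comes back, and CardNumber reads
-- XXXX-XXXX-XXXX-0004 because LogisticsApp does not hold UNMASK.
EXEC sys.sp_set_session_context @key = N'Department', @value = N'Logistics', @read_only = 1;
EXECUTE AS USER = 'LogisticsApp';
SELECT OrderId, Department, CardNumber, Amount FROM dbo.Orders;
-- An INSERT of a row with Department = N'Finance' here would be rejected by the
-- block predicate, which is the check that keeps users inside their own partition.
REVERT;
```

Note that the mask is cosmetic for privileged users: anyone holding UNMASK or db_owner still sees the full value, so pair the mask with RLS and least-privilege grants as above rather than relying on it alone.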

Migration of an encrypted database to a managed instance is supported via the Azure Database Migration Service (DMS) or native restore. If you plan to migrate an encrypted database using native restore, migrating the existing TDE certificate from the SQL Server on-premises or SQL Server in a virtual machine to the managed instance is a required step. For more information about migration options, see SQL Server instance migration to managed instance.

Azure Active Directory integration

The managed instance deployment option supports traditional SQL Server Database Engine logins and logins integrated with Azure Active Directory (AAD). Azure AD server principals (logins) (public preview) are the Azure cloud version of the on-premises database logins that you are using in your on-premises environment. Azure AD server principals (logins) enable you to specify users and groups from your Azure Active Directory tenant as true instance-scoped principals, capable of performing any instance-level operation, including cross-database queries within the same managed instance.

A new syntax is introduced to create Azure AD server principals (logins) (public preview): FROM EXTERNAL PROVIDER. For more information on the syntax, see CREATE LOGIN, and review the Provision an Azure Active Directory administrator for your managed instance article.
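The FROM EXTERNAL PROVIDER syntax in use, as an added example that is not part of the original page: an Azure AD group becomes an instance-scoped login, is mapped to a database user, and receives only a read role. The group name, the SalesDb database and the contoso.com tenant are assumptions; substitute the display name or UPN of a principal in your own tenant.

```sql
-- Added example: Azure AD server principal (login) on a managed instance.
-- [Sales Readers] is an assumed Azure AD group display name; SalesDb is an assumed database.
USE master;
GO

-- Instance-level principal backed by Azure AD. For a group, the name is the
-- group's display name; for a user it would be the UPN (for example user@contoso.com).
CREATE LOGIN [Sales Readers] FROM EXTERNAL PROVIDER;
GO

USE SalesDb;
GO

-- Map the login to a database user and grant the narrowest built-in role that
-- fits the job; add object-level GRANTs instead of broader roles where possible.
CREATE USER [Sales Readers] FROM LOGIN [Sales Readers];
ALTER ROLE db_datareader ADD MEMBER [Sales Readers];
GO

-- Verify how the instance classified the principal: type 'X' is an external
-- (Azure AD) group, 'E' an external user, 'S' a SQL-authentication login.
SELECT name, type, type_desc, create_date
FROM   sys.server_principals
WHERE  name = N'Sales Readers';

-- Verify the database-side mapping and role membership actually landed.
SELECT dp.name AS principal_name, dp.type_desc, r.name AS role_name
FROM   sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals  AS r  ON r.principal_id = rm.role_principal_id
WHERE  dp.name = N'Sales Readers';
```

Because the group, not an individual, is the login, onboarding and offboarding happen in Azure AD; the instance never stores a password for it, which is the practical reason the page favors Azure AD authentication over SQL authentication.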

Azure Active Directory integration and multi-factor authentication

The managed instance deployment option enables you to centrally manage identities of database users and other Microsoft services with Azure Active Directory integration. This capability simplifies permission management and enhances security. Azure Active Directory supports multi-factor authentication (MFA) to increase data and application security while supporting a single sign-on process.

Authentication

Managed instance authentication refers to how users prove their identity when connecting to the database. SQL Database supports two types of authentication:

  • SQL Authentication:

    This authentication method uses a username and password.

  • Azure Active Directory Authentication:

    This authentication method uses identities managed by Azure Active Directory and is supported for managed and integrated domains. Use Active Directory authentication (integrated security) whenever possible.

Authorization

Authorization refers to what a user can do within an Azure SQL Database, and is controlled by your user account's database role memberships and object-level permissions. A managed instance has the same authorization capabilities as SQL Server 2017.

Database migration

The managed instance deployment option targets user scenarios with mass database migration from on-premises or IaaS database implementations. Managed instance supports several database migration options:

Back up and restore

This migration approach leverages SQL backups to Azure Blob storage. Backups stored in an Azure storage blob can be directly restored into a managed instance using the T-SQL RESTORE command.

  • For a quickstart showing how to restore the Wide World Importers - Standard database backup file, see Restore a backup file to a managed instance. This quickstart shows you how to upload a backup file to Azure Blob storage and secure it using a Shared Access Signature (SAS) key.
  • For information about restore from URL, see Native RESTORE from URL.
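The restore-from-URL path described above, as an added example that is not the quickstart's own script: a SAS-backed credential is created for the container, the backup is inspected before it is restored, and a COPY_ONLY backup is taken back to the same container (the only user-initiated backup form the page mentions). The storage account, container, file name, database name and the SAS token are placeholders.

```sql
-- Added example: native RESTORE from URL on a managed instance with a SAS credential.
-- <storageaccount>, <container>, the .bak name and the token are placeholders.
USE master;
GO

-- The credential name must be the container URL without a trailing slash, and the
-- identity must be exactly 'SHARED ACCESS SIGNATURE'. The secret is the SAS token
-- without its leading '?'. Scope the token to this container only, grant it just
-- Read + List (add Write only if you also back up to it), and give it a short expiry.
CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/<container>]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
         SECRET   = '<sas-token-without-leading-question-mark>';
GO

-- Inspect the file before trusting it: BackupType = 1 is a full backup, and the
-- file list shows the logical files that will be created. No WITH MOVE is given
-- because a managed instance does not accept physical paths and places files itself.
RESTORE HEADERONLY
    FROM URL = 'https://<storageaccount>.blob.core.windows.net/<container>/WideWorldImporters-Standard.bak';
RESTORE FILELISTONLY
    FROM URL = 'https://<storageaccount>.blob.core.windows.net/<container>/WideWorldImporters-Standard.bak';
GO

-- Restore into the instance. The database name is an assumption.
RESTORE DATABASE [WideWorldImporters]
    FROM URL = 'https://<storageaccount>.blob.core.windows.net/<container>/WideWorldImporters-Standard.bak';
GO

-- Confirm the database is ONLINE and check whether encryption at rest is already
-- in place (encryption_state 3 = encrypted) before handing it to applications.
SELECT d.name, d.state_desc, k.encryption_state
FROM   sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE  d.name = N'WideWorldImporters';

-- A user-initiated backup must be COPY_ONLY on a managed instance so it does not
-- break the automated backup chain; this needs Write on the SAS token.
BACKUP DATABASE [WideWorldImporters]
    TO URL = 'https://<storageaccount>.blob.core.windows.net/<container>/WideWorldImporters-copy.bak'
    WITH COPY_ONLY;
GO
```

Because the backup in the container was produced by another server, a TDE-protected source requires its certificate to be present on the instance first, as the migration section above notes; the HEADERONLY step surfaces that before the RESTORE fails partway through.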

重要

来自托管实例的备份只能还原到另一个托管实例。Backups from a managed instance can only be restored to another managed instance. 它们无法还原到本地 SQL Server 或单一数据库/弹性池。They cannot be restored to an on-premises SQL Server or to a single database/elastic pool.

数据迁移服务Data Migration Service

Azure 数据库迁移服务是一项完全托管的服务,旨在实现从多个数据库源到 Azure 数据平台的无缝迁移,并且最小化停机时间。The Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure Data platforms with minimal downtime. 此服务简化了将现有的第三方数据库和 SQL Server 数据库移动到 Azure SQL 数据库(单一数据库、弹性池中的共用数据库和托管实例中的实例数据库)以及移到 Azure VM 中的 SQL Server 时需要执行的任务。This service streamlines the tasks required to move existing third party and SQL Server databases to Azure SQL Database (single databases, pooled databases in elastic pools, and instance databases in a managed instance) and SQL Server in Azure VM. 请参阅如何使用 DMS 将本地数据库迁移到托管实例See How to migrate your on-premises database to managed instance using DMS.

支持的 SQL 功能SQL features supported

在服务正式版推出之前,托管实例部署选项旨在通过分阶段的计划,实现外围应用与本地 SQL Server 的近乎 100% 的兼容性。The managed instance deployment option aims to deliver close to 100% surface area compatibility with on-premises SQL Server coming in stages until service general availability. 有关功能和比较列表,请参阅 SQL 数据库功能比较;有关托管实例与 SQL Server 中 T-SQL 差异的列表,请参阅托管实例与 SQL Server 的 T-SQL 差异For a features and comparison list, see SQL Database feature comparison, and for a list of T-SQL differences in managed instances versus SQL Server, see managed instance T-SQL differences from SQL Server.

托管实例部署选项支持与 SQL 2008 数据库的向后兼容。The managed instance deployment option supports backward compatibility to SQL 2008 databases. 支持从 SQL 2005 数据库服务器直接迁移,迁移后的 SQL 2005 数据库的兼容级别将更新为 SQL 2008。Direct migration from SQL 2005 database servers is supported, compatibility level for migrated SQL 2005 databases are updated to SQL 2008.

The following diagram outlines surface area compatibility in a managed instance:

Migration

Key differences between SQL Server on-premises and in a managed instance

The managed instance deployment option benefits from being always up to date in the cloud, which means that some features in on-premises SQL Server may be obsolete, retired, or replaced by alternatives. There are specific cases in which tools need to recognize that a particular feature works in a slightly different way, or that the service runs in an environment you do not fully control:

  • High availability is built in and pre-configured using technology similar to Always On Availability Groups.
  • Automated backups and point-in-time restore. Customers can initiate copy-only backups that do not interfere with the automatic backup chain.
  • A managed instance does not allow specifying full physical paths, so all corresponding scenarios have to be supported differently: RESTORE DB does not support WITH MOVE, CREATE DB doesn't allow physical paths, BULK INSERT works with Azure Blobs only, etc.
  • A managed instance supports Azure AD authentication as a cloud alternative to Windows authentication.
  • A managed instance automatically manages the XTP filegroup and files for databases containing In-Memory OLTP objects.
  • A managed instance supports SQL Server Integration Services (SSIS) and can host the SSIS catalog (SSISDB) that stores SSIS packages, but they are executed on a managed Azure-SSIS Integration Runtime (IR) in Azure Data Factory (ADF); see Create Azure-SSIS IR in ADF. To compare the SSIS features in SQL Database, see Compare an Azure SQL Database single database, elastic pool, and managed instance.
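The copy-only backup mentioned in the list above, as an added T-SQL example that is not code from the original page. It assumes a constructed storage account "mystorageaccount", container "backups" and database "AdventureDb", with a placeholder SAS token; COPY_ONLY is what keeps the user-initiated backup outside the service-managed backup chain, so automated point-in-time restore is unaffected.

```sql
-- Added example (not from the original page). Constructed names:
-- storage account "mystorageaccount", container "backups",
-- database "AdventureDb", placeholder SAS token.
CREATE CREDENTIAL [https://mystorageaccount.blob.core.windows.net/backups]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET   = '<sas-token-without-leading-question-mark>';

-- COPY_ONLY marks the backup as independent of the automatic backup chain,
-- which is the only kind of user-initiated backup a managed instance accepts.
BACKUP DATABASE [AdventureDb]
TO URL = 'https://mystorageaccount.blob.core.windows.net/backups/AdventureDb-copyonly.bak'
WITH COPY_ONLY;

-- Confirm in msdb that the backup was recorded as copy-only.
SELECT database_name, backup_start_date, is_copy_only
FROM msdb.dbo.backupset
WHERE database_name = N'AdventureDb'
ORDER BY backup_start_date DESC;

DROP CREDENTIAL [https://mystorageaccount.blob.core.windows.net/backups];
```

The SAS token used here needs write permission on the container, so keep its lifetime short and treat the container as a store of sensitive data: a full database backup is as valuable to an attacker as the database itself.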

Managed instance administration features

The managed instance deployment option lets system administrators spend less time on administrative tasks, because the SQL Database service either performs them for you or greatly simplifies them. Examples include OS/RDBMS installation and patching, dynamic instance resizing and configuration, backups, database replication (including system databases), high availability configuration, and configuration of health and performance monitoring data streams.

Important

For a list of supported, partially supported, and unsupported features, see SQL Database features. For a list of T-SQL differences in managed instances versus SQL Server, see managed instance T-SQL differences from SQL Server.

How to programmatically identify a managed instance

The following table shows several properties, accessible through Transact-SQL, that you can use to detect that your application is working with a managed instance and to retrieve important properties.

| Property | Value | Comment |
|---|---|---|
| @@VERSION | Microsoft SQL Azure (RTM) - 12.0.2000.8 2018-03-07 Copyright (C) 2018 Microsoft Corporation. | This value is the same as in SQL Database. |
| SERVERPROPERTY('Edition') | SQL Azure | This value is the same as in SQL Database. |
| SERVERPROPERTY('EngineEdition') | 8 | This value uniquely identifies a managed instance. |
| @@SERVERNAME, SERVERPROPERTY('ServerName') | Full instance DNS name in the format <instanceName>.<dnsPrefix>.database.windows.net, where <instanceName> is the name provided by the customer and <dnsPrefix> is an autogenerated part of the name that guarantees global DNS name uniqueness (for example, "wcus17662feb9ce98") | Example: my-managed-instance.wcus17662feb9ce98.database.windows.net |
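The detection described in the table, as an added T-SQL example that is not code from the original page. It reads the listed properties, flags the connection as a managed instance when EngineEdition is 8 (the value the table gives), splits the DNS name into its customer-provided and autogenerated parts, and shows how a deployment script can refuse to run anywhere else. The column names and the error number 50000 are choices made for this example.

```sql
-- Added example (not from the original page). Works against any SQL Server
-- or Azure SQL endpoint; InstanceName/DnsPrefix are filled only on a
-- managed instance.
DECLARE @engineEdition int     = CAST(SERVERPROPERTY('EngineEdition') AS int);
DECLARE @serverName    sysname = CAST(SERVERPROPERTY('ServerName') AS sysname);
DECLARE @firstDot      int     = CHARINDEX('.', @serverName);
DECLARE @secondDot     int     = CASE WHEN @firstDot > 0
                                      THEN CHARINDEX('.', @serverName, @firstDot + 1)
                                      ELSE 0 END;

SELECT
    @@VERSION                 AS [Version],
    SERVERPROPERTY('Edition') AS [Edition],
    @engineEdition            AS [EngineEdition],
    @serverName               AS [ServerName],
    -- EngineEdition 8 is the value that uniquely identifies a managed instance.
    CASE WHEN @engineEdition = 8 THEN 1 ELSE 0 END AS [IsManagedInstance],
    -- <instanceName> is the customer-provided label before the first dot.
    CASE WHEN @engineEdition = 8 AND @firstDot > 0
         THEN LEFT(@serverName, @firstDot - 1) END AS [InstanceName],
    -- <dnsPrefix> is the autogenerated label between the first and second dot.
    CASE WHEN @engineEdition = 8 AND @secondDot > 0
         THEN SUBSTRING(@serverName, @firstDot + 1, @secondDot - @firstDot - 1)
    END AS [DnsPrefix];

-- Guard for scripts that must only run on a managed instance (for example,
-- ones that rely on the behaviour differences listed earlier on this page).
IF @engineEdition <> 8
    THROW 50000, 'This script targets an Azure SQL Database managed instance.', 1;
```

For the example name from the table, my-managed-instance.wcus17662feb9ce98.database.windows.net, the query returns InstanceName = my-managed-instance and DnsPrefix = wcus17662feb9ce98; on a single database or on-premises SQL Server, IsManagedInstance is 0 and the THROW stops the script.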

Next steps