
Use virtual network service endpoints and rules for database servers

Virtual network rules are one firewall security feature that controls whether the database server for your single databases and elastic pools in Azure SQL Database, or for your databases in SQL Data Warehouse, accepts communications sent from particular subnets in virtual networks. This article explains why the virtual network rule feature is sometimes your best option for securely allowing communication to your Azure SQL Database and SQL Data Warehouse.

Important

This article applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse. This article does not apply to a managed instance deployment in Azure SQL Database, because a managed instance does not have a service endpoint associated with it.

To create a virtual network rule, there must first be a virtual network service endpoint for the rule to reference.

How to create a virtual network rule

If you only want to create a virtual network rule, you can skip ahead to the steps and explanation later in this article.

Details about virtual network rules

This section describes several details about virtual network rules.

Only one geographic region

Each virtual network service endpoint applies to only one Azure region. The endpoint does not enable other regions to accept communication from the subnet.

Any virtual network rule is limited to the region that its underlying endpoint applies to.

Server-level, not database-level

Each virtual network rule applies to your whole Azure SQL Database server, not just to one particular database on the server. In other words, a virtual network rule applies at the server level, not at the database level.

  • In contrast, IP rules can apply at either level.

Security administration roles

There is a separation of security roles in the administration of virtual network service endpoints. Action is required from each of the following roles:

  • Network Admin: Turn on the endpoint.
  • Database Admin: Update the access control list (ACL) to add the given subnet to the SQL Database server.

RBAC alternative:

The roles of Network Admin and Database Admin have more capabilities than are needed to manage virtual network rules. Only a subset of their capabilities is needed.

You have the option of using role-based access control (RBAC) in Azure to create a single custom role that has only the necessary subset of capabilities. The custom role can be used instead of involving either the Network Admin or the Database Admin. The surface area of your security exposure is lower if you add a user to such a custom role than if you add the user to either of the two major administrator roles.
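As an added example (not part of the original article), the following PowerShell creates such a custom role with only the actions needed to turn the Microsoft.Sql service endpoint on for a subnet and to manage a SQL server's virtual network rules, then assigns it at resource-group scope rather than to the whole subscription. The subscription ID, resource group, user and role name are placeholders, and the exact action list is an assumption to verify against the operations that Get-AzProviderOperation returns in your tenant.

```powershell
# Added example, not from the original article. Placeholders and the action
# list are assumptions; verify the operation names with Get-AzProviderOperation.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption: your subscription
$resourceGroup  = "rg-sql-prod"                            # assumption: scope of the assignment
$operatorUpn    = "sql-vnet-operator@contoso.com"          # assumption: the user to assign

# Confirm the operation names exist before building the role (prints the matches).
Get-AzProviderOperation -OperationSearchString "Microsoft.Sql/servers/virtualNetworkRules/*" |
    Select-Object Operation, Description

$roleJson = @"
{
  "Name": "SQL VNet Rule Operator",
  "IsCustom": true,
  "Description": "Turn on the Microsoft.Sql service endpoint on subnets and manage SQL server virtual network rules; nothing else.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/virtualNetworkRules/read",
    "Microsoft.Sql/servers/virtualNetworkRules/write",
    "Microsoft.Sql/servers/virtualNetworkRules/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$subscriptionId" ]
}
"@

$roleFile = Join-Path $env:TEMP "sql-vnet-rule-operator.json"
Set-Content -Path $roleFile -Value $roleJson -Encoding UTF8

# Create the definition once; rerunning fails if a role with this name already exists.
$role = New-AzRoleDefinition -InputFile $roleFile

# Assign it at resource-group scope, not at the subscription root.
New-AzRoleAssignment -SignInName $operatorUpn `
                     -RoleDefinitionName $role.Name `
                     -Scope "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
```

The subnet-side joinViaServiceEndpoint action is included because the SQL resource provider checks it on the referenced subnet when the rule is written; a role carrying only the Microsoft.Sql actions fails at that point with an authorization error. The virtualNetworks and subnets read/write actions are what the network-side step (turning the endpoint on) needs, and nothing in the role lets the holder read data, change IP firewall rules, or touch other resources in the group.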

Note

In some cases the Azure SQL Database and the VNet-subnet are in different subscriptions. In these cases you must ensure the following configurations:

  • Both subscriptions must be in the same Azure Active Directory tenant.
  • The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet-subnet to the given server.
  • Both subscriptions must have the Microsoft.Sql provider registered.

Limitations

For Azure SQL Database, the virtual network rules feature has the following limitations:

  • In the firewall for your SQL Database, each virtual network rule references a subnet. All these referenced subnets must be hosted in the same geographic region that hosts the SQL Database.

  • Each Azure SQL Database server can have up to 128 ACL entries for any given virtual network.

  • Virtual network rules apply only to Azure Resource Manager virtual networks, not to classic deployment model networks.

  • Turning on virtual network service endpoints to Azure SQL Database also enables the endpoints for the Azure Database for MySQL and Azure Database for PostgreSQL services. However, with the endpoints on, attempts to connect from the subnet to your MySQL or PostgreSQL instances may fail.

    • The underlying reason is that MySQL and PostgreSQL likely do not have a virtual network rule configured. Configure a virtual network rule for Azure Database for MySQL and Azure Database for PostgreSQL, and the connection will succeed.
  • On the firewall, IP address ranges do apply to the following networking items, but virtual network rules do not:

Considerations when using service endpoints

When using service endpoints for Azure SQL Database, review the following considerations:

  • Outbound to Azure SQL Database public IPs is required: network security groups (NSGs) must allow outbound traffic to the Azure SQL Database IP ranges for connectivity, because traffic over a service endpoint is still addressed to the service's public IP. You can do this by using the NSG service tag for Azure SQL Database (Sql, or a regional form such as Sql.WestUS) instead of maintaining IP lists yourself.
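The following PowerShell, added here as an example rather than taken from the original article, adds the outbound NSG rule described above using the regional Sql service tag, and pairs it with a lower-priority rule that denies all other outbound Internet traffic so the service-tag allow is the only path out of the subnet. The resource group, NSG name and region are placeholders.

```powershell
# Added example, not from the original article. Names and region are placeholders.
$resourceGroup = "rg-app-prod"     # assumption
$nsgName       = "nsg-app-subnet"  # assumption
$region        = "WestUS"          # assumption: the region that hosts the SQL server

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# Allow outbound to Azure SQL Database in this region only. Port 1433 covers the
# Proxy connection policy; 11000-11999 is needed when the Redirect policy is in use.
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name "Allow-Out-AzureSql-$region" `
    -Description "Outbound to Azure SQL Database via service tag" `
    -Direction Outbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange "*" `
    -DestinationAddressPrefix "Sql.$region" -DestinationPortRange @("1433", "11000-11999") | Out-Null

# Deny everything else outbound to the Internet. Priority 4000 evaluates after the
# allow rule above but before the default AllowInternetOutBound rule (65001).
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name "Deny-Out-Internet" `
    -Description "Block outbound Internet except explicit service-tag allows" `
    -Direction Outbound -Access Deny -Priority 4000 -Protocol "*" `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix Internet -DestinationPortRange "*" | Out-Null

# Commit and show the resulting outbound rules in evaluation order.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$nsg.SecurityRules | Where-Object Direction -eq Outbound |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, DestinationAddressPrefix, DestinationPortRange
```

The deny rule is what makes the allow rule meaningful; without it the default AllowInternetOutBound rule already permits the SQL traffic and every other destination. Any other Azure service the subnet legitimately needs (Storage for PolyBase, Key Vault, and so on) then needs its own service-tag allow rule at a priority below 4000, so apply this to a test subnet first and watch for connection failures before rolling it out.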

ExpressRoute

If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you will need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses, which are applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP addresses that are used are either customer provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. Learn more about NAT for ExpressRoute public and Microsoft peering.

To allow communication from your circuit to Azure SQL Database, you must create IP network rules for the public IP addresses of your NAT; virtual network rules do not cover on-premises traffic arriving over ExpressRoute.

Impact of using VNet service endpoints with Azure Storage

Azure Storage has implemented the same feature, which allows you to limit connectivity to your Azure Storage account. If you use this feature with an Azure Storage account that is also used by your Azure SQL server, you can run into issues. Next is a list and discussion of the Azure SQL Database and Azure SQL Data Warehouse features that are affected.

Azure SQL Data Warehouse PolyBase

PolyBase is commonly used to load data into Azure SQL Data Warehouse from Azure Storage accounts. If the Azure Storage account that you are loading data from limits access to only a set of VNet-subnets, connectivity from PolyBase to the account will break. To enable both PolyBase import and export scenarios with Azure SQL Data Warehouse connecting to Azure Storage that is secured to a VNet, follow the steps below:

Prerequisites

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For the older cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRM module are substantially identical.

  1. Install Azure PowerShell using this guide.
  2. If you have a general-purpose v1 or Blob storage account, you must first upgrade it to general-purpose v2 using this guide.
  3. You must have Allow trusted Microsoft services to access this storage account turned on under the Azure Storage account's Firewalls and virtual networks settings menu. Refer to this guide for more information.

Steps

  1. In PowerShell, register the Azure SQL server hosting your Azure SQL Data Warehouse instance with Azure Active Directory (AAD), which gives the server a system-assigned managed identity:

    Connect-AzAccount
    Select-AzSubscription -SubscriptionId your-subscriptionId
    Set-AzSqlServer -ResourceGroupName your-database-server-resourceGroup -ServerName your-SQL-servername -AssignIdentity

  2. Create a general-purpose v2 storage account using this guide.

    Note

    • If you have a general-purpose v1 or Blob storage account, you must first upgrade it to v2 using this guide.
    • For known issues with Azure Data Lake Storage Gen2, refer to this guide.
  3. Under your storage account, navigate to Access Control (IAM), and click Add role assignment. Assign the Storage Blob Data Contributor RBAC role to the Azure SQL server hosting your Azure SQL Data Warehouse, which you registered with Azure Active Directory (AAD) in step 1.

    Note

    Only members with Owner privilege can perform this step. For the various built-in roles for Azure resources, refer to this guide.

  4. PolyBase connectivity to the Azure Storage account:

    1. Create a database master key if you haven't created one earlier:

      -- The ENCRYPTION BY PASSWORD clause is optional in Azure SQL Data Warehouse;
      -- if you keep it, replace the placeholder with a strong password.
      CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'somepassword';

    2. Create a database scoped credential with IDENTITY = 'Managed Service Identity':

      CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';

      Note

      • There is no need to specify a SECRET with the Azure Storage access key, because this mechanism uses the managed identity under the covers.
      • The IDENTITY name must be 'Managed Service Identity' for PolyBase connectivity to work with an Azure Storage account secured to a VNet.
    3. Create an external data source with the abfss:// scheme for connecting to your general-purpose v2 storage account using PolyBase:

      -- LOCATION format is abfss://<container>@<storage-account>.dfs.core.windows.net;
      -- here 'myfile' is the container name and 'mystorageaccount' the account name.
      CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (TYPE = hadoop, LOCATION = 'abfss://myfile@mystorageaccount.dfs.core.windows.net', CREDENTIAL = msi_cred);

      Note

      • If you already have external tables associated with a general-purpose v1 or Blob storage account, you should first drop those external tables and then drop the corresponding external data source. Then create an external data source with the abfss:// scheme connecting to the general-purpose v2 storage account as above, and re-create all the external tables using this new external data source. You can use the Generate and Publish Scripts Wizard to generate create scripts for all the external tables.
      • For more information on the abfss:// scheme, refer to this guide.
      • For more information on CREATE EXTERNAL DATA SOURCE, refer to this guide.
    4. Query as normal using external tables.
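Steps 1 through 3 above, together with prerequisite 3 (the trusted-services bypass on the storage firewall), can be done from PowerShell instead of the portal. The script below is an added example, not code from the original article; the subscription, resource-group, server and storage-account names are placeholders, and it assumes the Az.Sql, Az.Storage and Az.Resources modules are installed.

```powershell
# Added example, not from the original article. All names are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$sqlRg          = "rg-dw-prod"
$sqlServer      = "dw-sqlserver-01"
$storageRg      = "rg-data-prod"
$storageAccount = "dwstagingstore01"

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId $subscriptionId | Out-Null

# Step 1: register the logical server with AAD (system-assigned managed identity)
# and capture the identity's object ID for the role assignment below.
Set-AzSqlServer -ResourceGroupName $sqlRg -ServerName $sqlServer -AssignIdentity | Out-Null
$principalId = (Get-AzSqlServer -ResourceGroupName $sqlRg -ServerName $sqlServer).Identity.PrincipalId
if (-not $principalId) { throw "Managed identity was not assigned to $sqlServer" }

# Step 2 check: PolyBase over abfss:// needs a general-purpose v2 (StorageV2) account.
$storage = Get-AzStorageAccount -ResourceGroupName $storageRg -Name $storageAccount
if ($storage.Kind -ne "StorageV2") {
    throw "$storageAccount is kind $($storage.Kind); upgrade it to StorageV2 before continuing"
}

# Prerequisite 3: keep the storage firewall closed by default, but let trusted
# Microsoft services (which is how the SQL server's identity reaches it) through.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageRg -Name $storageAccount `
    -DefaultAction Deny -Bypass AzureServices | Out-Null

# Step 3: grant the server's identity data-plane access scoped to this one account.
# A freshly created identity can take a short while to replicate in AAD, so retry.
$assigned = $null
for ($attempt = 1; $attempt -le 6 -and -not $assigned; $attempt++) {
    try {
        $assigned = New-AzRoleAssignment -ObjectId $principalId `
            -RoleDefinitionName "Storage Blob Data Contributor" -Scope $storage.Id -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -match "already exists") { break }
        Start-Sleep -Seconds 10
    }
}

# Verify what the identity can now do on the account (and nothing wider).
Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id |
    Select-Object RoleDefinitionName, Scope
```

Scoping the assignment to $storage.Id rather than to the resource group or subscription keeps the server's identity from reading every other storage account it could otherwise see; if step 4 later fails with an access-denied error from PolyBase, the verification output at the end is the first thing to check.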

Azure SQL Database Blob auditing

Blob auditing pushes audit logs to your own storage account. If this storage account uses the VNet service endpoints feature, connectivity from Azure SQL Database to the storage account will break.

Adding a VNet firewall rule to your server without turning on VNet service endpoints

Long ago, before this feature was enhanced, you were required to turn VNet service endpoints on before you could implement a live VNet rule in the firewall. The endpoints related a given VNet-subnet to an Azure SQL Database. But now, as of January 2018, you can circumvent this requirement by setting the IgnoreMissingVNetServiceEndpoint flag.

Merely setting a firewall rule does not help secure the server. You must also turn VNet service endpoints on for the security to take effect; until then the rule exists but admits nothing. When you turn service endpoints on, your VNet-subnet experiences downtime until it completes the transition from off to on. This is especially true in the context of large VNets. You can use the IgnoreMissingVNetServiceEndpoint flag to create the rule ahead of time and so reduce or eliminate the downtime during the transition.

You can set the IgnoreMissingVNetServiceEndpoint flag by using PowerShell. For details, see PowerShell to create a virtual network service endpoint and rule for Azure SQL Database.

Errors 40914 and 40615

Connection error 40914 relates to virtual network rules, as specified on the Firewall pane in the Azure portal. Error 40615 is similar, except that it relates to IP address rules on the Firewall pane.

Error 40914

Message text: Cannot open server '[server-name]' requested by the login. Client is not allowed to access the server.

Error description: The client is in a subnet that has a virtual network service endpoint for Microsoft.Sql turned on. But the Azure SQL Database server has no virtual network rule that grants that subnet the right to communicate with the SQL Database.

Error resolution: On the Firewall pane of the Azure portal, use the virtual network rules control to add a virtual network rule for the subnet.

Error 40615

Message text: Cannot open server '{0}' requested by the login. Client with IP address '{1}' is not allowed to access the server.

Error description: The client is trying to connect from an IP address that is not authorized to connect to the Azure SQL Database server. The server firewall has no IP address rule that allows a client to communicate from the given IP address to the SQL Database.

Error resolution: Enter the client's IP address as an IP rule. Do this by using the Firewall pane in the Azure portal.

A list of several SQL Database error messages is documented here.

Portal can create a virtual network rule

This section illustrates how you can use the Azure portal to create a virtual network rule in your Azure SQL Database. The rule tells your SQL Database to accept communication from a particular subnet that has been tagged as being a virtual network service endpoint.

Note

If you intend to add a service endpoint to the VNet firewall rules of your Azure SQL Database server, first ensure that service endpoints are turned on for the subnet.

If service endpoints are not turned on for the subnet, the portal asks you to enable them. Click the Enable button on the same blade on which you add the rule.

PowerShell alternative

A PowerShell script can also create virtual network rules. The crucial cmdlet is New-AzSqlServerVirtualNetworkRule. If interested, see PowerShell to create a virtual network service endpoint and rule for Azure SQL Database.
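Putting that cmdlet to work, the script below is an added example (not taken from the original article or from the linked PowerShell guide). It creates the rule first with the IgnoreMissingVnetServiceEndpoint flag described in the earlier section, then turns the Microsoft.Sql endpoint on for the subnet while preserving any endpoints the subnet already has, waits for the rule to reach the Ready state, and finally removes the catch-all rule behind the portal's Allow access to Azure services toggle. Resource names are placeholders; that the toggle corresponds to the firewall rule spanning 0.0.0.0 to 0.0.0.0 (named AllowAllWindowsAzureIps) is stated as an assumption to confirm in your own server's rule list before deleting anything.

```powershell
# Added example, not from the original article. Names are placeholders.
$netRg      = "rg-network-prod"
$vnetName   = "vnet-prod"
$subnetName = "snet-app"
$sqlRg      = "rg-sql-prod"
$sqlServer  = "sql-prod-01"
$ruleName   = "allow-$vnetName-$subnetName"

# Network side: find the subnet and note which service endpoints it already has.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $netRg -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
$existingEndpoints = @($subnet.ServiceEndpoints | ForEach-Object Service)
$hasSqlEndpoint    = $existingEndpoints -contains "Microsoft.Sql"

# Database side: write the rule first. Without the flag this call fails while the
# subnet has no Microsoft.Sql endpoint; with it the rule is stored and only
# becomes effective once the endpoint is on.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $sqlRg -ServerName $sqlServer `
    -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnet.Id `
    -IgnoreMissingVnetServiceEndpoint | Out-Null

# Network side: turn the endpoint on, keeping endpoints that were already there
# (the -ServiceEndpoint list replaces the whole set, so omitting them would drop them).
if (-not $hasSqlEndpoint) {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $subnet.AddressPrefix `
        -ServiceEndpoint ($existingEndpoints + "Microsoft.Sql") | Out-Null
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
}

# Poll until the rule leaves InProgress; anything other than Ready needs attention.
do {
    Start-Sleep -Seconds 5
    $rule = Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $sqlRg -ServerName $sqlServer `
        -VirtualNetworkRuleName $ruleName
} while ($rule.State -eq "InProgress")
if ($rule.State -ne "Ready") { throw "Rule $ruleName ended in state $($rule.State)" }

# Now that the subnet is explicitly allowed, drop the rule that admits any Azure IP.
# The 0.0.0.0-0.0.0.0 rule (AllowAllWindowsAzureIps) is what the portal's
# "Allow access to Azure services" toggle creates (assumption: confirm before deleting).
$azureWide = Get-AzSqlServerFirewallRule -ResourceGroupName $sqlRg -ServerName $sqlServer |
    Where-Object { $_.StartIpAddress -eq "0.0.0.0" -and $_.EndIpAddress -eq "0.0.0.0" }
foreach ($r in $azureWide) {
    Remove-AzSqlServerFirewallRule -ResourceGroupName $sqlRg -ServerName $sqlServer `
        -FirewallRuleName $r.FirewallRuleName -Force
}
```

Running the rule creation before the endpoint change is the whole point of the flag: the subnet's transition happens with the rule already in place, so clients are not locked out by a 40914 in the window between the endpoint coming on and the rule being written. After the subnet update, re-check the subnet's NSG and route table associations, since older Az.Network versions have been known to reset properties not passed to Set-AzVirtualNetworkSubnetConfig.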

REST API alternative

Internally, the PowerShell cmdlets for SQL VNet actions call REST APIs. You can call the REST APIs directly.

Prerequisites

You must already have a subnet that is tagged with the particular virtual network service endpoint type name relevant to Azure SQL Database (Microsoft.Sql).

Azure portal steps

  1. Sign in to the Azure portal.

  2. Then navigate the portal to SQL servers > Firewall / Virtual Networks.

  3. Set the Allow access to Azure services control to OFF.

    Important

    If you leave the control set to ON, your Azure SQL Database server accepts communication from any subnet inside the Azure boundary, that is, originating from any IP address recognized as being within the ranges defined for Azure data centers, including resources that belong to other Azure customers. Leaving the control set to ON might be excessive access from a security point of view. The Microsoft Azure virtual network service endpoint feature, in coordination with the virtual network rule feature of SQL Database, together can reduce your security surface area.

  4. Click the + Add existing control, in the Virtual networks section.


  5. In the new Create/Update pane, fill in the controls with the names of your Azure resources.

    Tip

    You must include the correct address prefix for your subnet. You can find the value in the portal. Navigate to All resources > All types > Virtual networks. The filter displays your virtual networks. Click your virtual network, and then click Subnets. The ADDRESS RANGE column has the address prefix you need.


  6. Click the OK button near the bottom of the pane.

  7. See the resulting virtual network rule on the firewall pane.


Note

The following statuses or states apply to the rules:

  • Ready: Indicates that the operation that you initiated has succeeded.
  • Failed: Indicates that the operation that you initiated has failed.
  • Deleted: Only applies to the Delete operation, and indicates that the rule has been deleted and no longer applies.
  • InProgress: Indicates that the operation is in progress. The old rule applies while the operation is in this state.

The virtual network rule feature for Azure SQL Database became available in late September 2017.

Next steps