
Connect to a secure Azure storage account from your Synapse workspace

This article will teach you how to connect to a secure Azure storage account from your Azure Synapse workspace. You can link an Azure storage account to your Synapse workspace when you create the workspace, and you can link more storage accounts after the workspace has been created.

Secured Azure storage accounts

Azure Storage provides a layered security model that enables you to secure and control access to your storage accounts. You can configure IP firewall rules to grant traffic from selected public IP address ranges access to your storage account. You can also configure network rules to grant traffic from selected virtual networks access to your storage account. IP firewall rules that allow access from selected IP address ranges and network rules that grant access from selected virtual networks can be combined on the same storage account. These rules apply to the public endpoint of a storage account. You do not need any access rules to allow traffic from Managed private endpoints created in your workspace to a storage account. Storage firewall rules can be applied to existing storage accounts, or to new storage accounts when you create them. You can learn more about securing your storage account here.

Synapse workspaces and virtual networks

When you create a Synapse workspace, you can choose to enable a Managed virtual network to be associated with it. If you do not enable Managed virtual network for your workspace when you create it, your workspace is placed in a shared virtual network along with other Synapse workspaces that do not have a Managed virtual network associated with them. If you enabled Managed virtual network when you created the workspace, your workspace is associated with a dedicated virtual network managed by Azure Synapse. These virtual networks are not created in your customer subscription. Therefore, you cannot grant traffic from these virtual networks access to your secured storage account using the network rules described above.

Access a secured storage account

Synapse operates from networks that cannot be included in your network rules. The following needs to be done to enable access from your workspace to your secure storage account.

  • Create an Azure Synapse workspace with a managed virtual network associated with it, and create managed private endpoints from it to the secure storage account.
  • Grant your Azure Synapse workspace access to your secure storage account as a trusted Azure service. As a trusted service, Azure Synapse will then use strong authentication to securely connect to your storage account.

Create a Synapse workspace with a managed virtual network and create managed private endpoints to your storage account

You can follow these steps to create a Synapse workspace that has a managed virtual network associated with it. Once the workspace with an associated managed virtual network is created, you can create a managed private endpoint to your secure storage account by following the steps listed here.

Grant your Azure Synapse workspace access to your secure storage account as a trusted Azure service

Analytic capabilities such as Dedicated SQL pool and Serverless SQL pool use multi-tenant infrastructure that is not deployed into the managed virtual network. In order for traffic from these capabilities to access the secured storage account, you must configure access to your storage account based on the workspace's system-assigned managed identity by following the steps below.

In the Azure portal, navigate to your secured storage account. Select Networking from the left navigation pane. In the Resource instances section, select Microsoft.Synapse/workspaces as the Resource type and enter your workspace name for Instance name. Select Save.

Figure: Storage account network configuration.

You should now be able to access your secured storage account from the workspace.
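The same storage firewall, expressed as infrastructure-as-code rather than portal clicks, is shown below as an added example that is not part of the original article. It combines the three layers described above (IP rules, virtual network rules, and the resource instance rule for a specific Synapse workspace) on a storage account whose public endpoint otherwise denies everything; the parameter names, the constructed IP range and the assumption that the workspace lives in the same resource group are the example's own.

```bicep
// Added example (not from the original article): the portal steps above as Bicep.
// Assumptions: placeholders for the account and workspace names; the workspace is
// an existing resource in the same resource group; the IP range is constructed.
param storageAccountName string
param synapseWorkspaceName string
param location string = resourceGroup().location

// The existing Synapse workspace whose system-assigned managed identity is admitted.
resource synapseWorkspace 'Microsoft.Synapse/workspaces@2021-06-01' existing = {
  name: synapseWorkspaceName
}

resource secureStorage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    isHnsEnabled: true              // Data Lake Storage Gen2, as Synapse workspaces use
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    networkAcls: {
      // Anything reaching the public endpoint that matches no rule below is denied.
      defaultAction: 'Deny'
      bypass: 'AzureServices'       // the portal's default trusted-services bypass
      // Layer 1: selected public IP ranges (constructed example range).
      ipRules: [
        { value: '203.0.113.0/24', action: 'Allow' }
      ]
      // Layer 2: subnets in your own virtual networks. Left empty here: the Synapse
      // managed virtual network is not in your subscription, so it cannot be listed.
      virtualNetworkRules: []
      // Layer 3: the resource instance rule from the portal steps. Only this one
      // workspace is granted access, not every Synapse workspace in the tenant.
      resourceAccessRules: [
        {
          tenantId: subscription().tenantId
          resourceId: synapseWorkspace.id
        }
      ]
    }
  }
}
```

After deployment, the Networking blade of the account should list the workspace under Resource instances exactly as the portal steps produce it; traffic from managed private endpoints in the workspace needs none of these rules.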

Next steps

Learn more about Managed workspace virtual network.

Learn more about Managed private endpoints.