Connecting to on-premises data sources with On-premises Data Gateway

The on-premises data gateway provides secure data transfer between on-premises data sources and your Azure Analysis Services servers in the cloud. In addition to working with multiple Azure Analysis Services servers in the same region, the latest version of the gateway also works with Azure Logic Apps, Power BI, Power Apps, and Microsoft Flow. You can associate multiple services in the same subscription and same region with a single gateway.

Getting set up with the gateway the first time is a four-part process:

  • Download and run setup - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your tenant's Azure AD. Azure B2B (guest) accounts are not supported.

  • Register your gateway - In this step, you specify a name and recovery key for your gateway and select a region, registering your gateway with the Gateway Cloud Service. Your gateway resource can be registered in any region, but we recommend it be in the same region as your Analysis Services servers.

  • Create a gateway resource in Azure - In this step, you create a gateway resource in your Azure subscription.

  • Connect your servers to your gateway resource - Once you have a gateway resource in your subscription, you can begin connecting your servers to it. You can connect multiple servers and other resources, provided they are in the same subscription and same region.

To get started right away, see Install and configure on-premises data gateway.

How it works

The gateway you install on a computer in your organization runs as a Windows service, On-premises data gateway. This local service is registered with the Gateway Cloud Service through Azure Service Bus. You then create a gateway resource (Gateway Cloud Service) for your Azure subscription. Your Azure Analysis Services servers are then connected to your gateway resource. When models on your server need to connect to your on-premises data sources for queries or processing, the query and data flow traverses the gateway resource, Azure Service Bus, the local on-premises data gateway service, and your data sources.

[Figure: How it works]

Queries and data flow:

  1. A query is created by the cloud service with the encrypted credentials for the on-premises data source. It's then sent to a queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data sources with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source back to the gateway, and then on to the cloud service and your server.

Windows Service account

The on-premises data gateway is configured to use NT SERVICE\PBIEgwService as the Windows service logon credential. By default, it has the Log on as a service right in the context of the machine on which you install the gateway. This credential is not the same account used to connect to on-premises data sources, nor your Azure account.

If you encounter authentication issues with your proxy server, you may want to change the Windows service account to a domain user or managed service account.

Ports

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports TCP 443 (default), 5671, 5672, and 9350 through 9354. The gateway does not require inbound ports.

We recommend you allow-list the IP addresses for your data region in your firewall. You can download the Microsoft Azure Datacenter IP list. This list is updated weekly.

Note

The IP addresses listed in the Azure Datacenter IP list are in CIDR notation. To learn more, see Classless Inter-Domain Routing.
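The note above says the published list is in CIDR notation, which is exactly what an allow-list rule needs. The following Python script is an added example (it is not Microsoft's code or part of the gateway): it parses a Region/IpRange XML document in the shape of the Azure Datacenter IP list, tells you which region a given address falls into, and expands one region into per-prefix, per-port outbound allow rules for the ports named in the Ports section. SAMPLE_IP_LIST is a constructed stand-in using RFC 5737 documentation prefixes; the element names are an assumption about the downloaded file's schema and should be checked against the real file before use.

```python
"""Allow-list helper for the Azure Datacenter IP list (CIDR prefixes).

Added example, not Microsoft's code. SAMPLE_IP_LIST is a constructed stand-in
with documentation prefixes that follows the Region/IpRange shape assumed for
the published XML list; verify the schema of the file you download first.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Outbound TCP ports the gateway uses, from the Ports section of this article.
GATEWAY_PORTS = (443, 5671, 5672) + tuple(range(9350, 9355))

# Constructed sample: region names and prefixes are illustrative only.
SAMPLE_IP_LIST = """<AzurePublicIpAddresses>
  <Region Name="uswest">
    <IpRange Subnet="198.51.100.0/24"/>
    <IpRange Subnet="203.0.113.0/25"/>
  </Region>
  <Region Name="europewest">
    <IpRange Subnet="192.0.2.0/24"/>
  </Region>
</AzurePublicIpAddresses>
"""


def parse_ip_list(xml_text):
    """Return {region_name: [ip_network, ...]} parsed from the XML text."""
    root = ET.fromstring(xml_text)
    regions = {}
    for region in root.findall("Region"):
        regions[region.get("Name")] = [
            ipaddress.ip_network(r.get("Subnet"), strict=True)
            for r in region.findall("IpRange")
        ]
    return regions


def region_of(address, regions):
    """Name of the region whose prefixes contain the address, else None."""
    addr = ipaddress.ip_address(address)
    for name, nets in regions.items():
        if any(addr in net for net in nets):
            return name
    return None


def allow_rules(region, regions, ports=GATEWAY_PORTS):
    """One outbound allow rule per (prefix, port), restricted to the data region.

    The rule text is a generic notation; translate it to your firewall's syntax.
    """
    return [f"allow out tcp dst {net} dport {port}"
            for net in regions[region] for port in ports]


def prefix_count(regions):
    """Addresses covered per region, to review how broad the allow-list is."""
    return {name: sum(net.num_addresses for net in nets)
            for name, nets in regions.items()}


if __name__ == "__main__":
    regions = parse_ip_list(SAMPLE_IP_LIST)
    print("region of 198.51.100.7:", region_of("198.51.100.7", regions))
    print("addresses per region:", prefix_count(regions))
    for rule in allow_rules("uswest", regions):
        print(rule)
```

Restricting the rules to the single region your gateway resource lives in keeps the allow-list small, and the address counts from prefix_count make it easy to notice when a weekly update widens it.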

The following are the fully qualified domain names used by the gateway.

| Domain names | Outbound ports | Description |
|---|---|---|
| *.powerbi.com | 8080 | HTTP used to download the installer. |
| *.powerbi.com | 443 | HTTPS |
| *.analysis.windows.net | 443 | HTTPS |
| *.login.windows.net | 443 | HTTPS |
| *.servicebus.windows.net | 5671-5672 | Advanced Message Queuing Protocol (AMQP) |
| *.servicebus.windows.net | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition) |
| *.frontend.clouddatahub.net | 443 | HTTPS |
| *.core.windows.net | 443 | HTTPS |
| login.microsoftonline.com | 443 | HTTPS |
| *.msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
| *.microsoftonline-p.com | 443 | Used for authentication depending on configuration. |
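When a gateway cannot register or stops polling Service Bus, the first question is which of the endpoints in the table above an outbound firewall or proxy is blocking. The script below is an added example, not part of the gateway or of Microsoft's tooling: it transcribes the table into a list and attempts a plain TCP connect to each host/port, reporting open, blocked or skipped. Wildcard entries cannot be probed as written, so the caller supplies concrete names observed in its own environment (the servicebus namespace from the gateway logs, for instance); the names in the `__main__` block are assumed placeholders.

```python
"""Outbound reachability check for the endpoints the gateway needs.

Added example; not part of the gateway or of Microsoft's tooling. The
host/port list is transcribed from the documentation table. Wildcard entries
("*.") are only probed when the caller maps them to a concrete name.
"""
import socket

# (host pattern, TCP port, purpose) as listed in the documentation table
REQUIRED_ENDPOINTS = [
    ("*.powerbi.com", 8080, "HTTP used to download the installer"),
    ("*.powerbi.com", 443, "HTTPS"),
    ("*.analysis.windows.net", 443, "HTTPS"),
    ("*.login.windows.net", 443, "HTTPS"),
    ("*.servicebus.windows.net", 5671, "AMQP"),
    ("*.servicebus.windows.net", 5672, "AMQP"),
    ("*.servicebus.windows.net", 443, "Service Bus Relay (Access Control token acquisition)"),
    ("*.frontend.clouddatahub.net", 443, "HTTPS"),
    ("*.core.windows.net", 443, "HTTPS"),
    ("login.microsoftonline.com", 443, "HTTPS"),
    ("*.msftncsi.com", 443, "Internet connectivity test"),
    ("*.microsoftonline-p.com", 443, "Authentication, depending on configuration"),
] + [("*.servicebus.windows.net", port, "Service Bus Relay over TCP")
     for port in range(9350, 9355)]


def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve_pattern(pattern, concrete_hosts):
    """Map a documentation host pattern to a probe-able name, or None."""
    if pattern.startswith("*."):
        return concrete_hosts.get(pattern)
    return pattern


def check_endpoints(endpoints, concrete_hosts, connect=tcp_open):
    """Return {(pattern, port): 'open' | 'blocked' | 'skipped'}.

    `connect` is injectable so the logic can be exercised without network access.
    """
    results = {}
    for pattern, port, _purpose in endpoints:
        host = resolve_pattern(pattern, concrete_hosts)
        if host is None:
            results[(pattern, port)] = "skipped"
        else:
            results[(pattern, port)] = "open" if connect(host, port) else "blocked"
    return results


def blocked(results):
    """The (pattern, port) pairs a firewall or proxy change must open."""
    return sorted(key for key, state in results.items() if state == "blocked")


if __name__ == "__main__":
    # Assumed placeholder mapping; replace with the names from your gateway logs.
    names = {"*.servicebus.windows.net": "example.servicebus.windows.net"}
    report = check_endpoints(REQUIRED_ENDPOINTS, names)
    for (pattern, port), state in report.items():
        print(f"{pattern:32} {port:5} {state}")
    print("needs opening:", blocked(report))
```

A TCP connect only proves the port is reachable, not that TLS or AMQP will succeed through an intercepting proxy, so treat "open" as a necessary rather than sufficient condition and read the gateway log for the next failure.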

Forcing HTTPS communication with Azure Service Bus

You can force the gateway to communicate with Azure Service Bus by using HTTPS instead of direct TCP; however, doing so can greatly reduce performance. You can modify the Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file by changing the value from AutoDetect to Https. This file is typically located at C:\Program Files\On-premises data gateway.

<setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
    <value>Https</value>
</setting>
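Editing a .NET settings file by hand is easy to get wrong (a stray character leaves the service unable to start), so the Python script below is an added example (not Microsoft tooling) that makes the AutoDetect-to-Https change shown above programmatically: it locates the ServiceBusSystemConnectivityModeString setting, records the previous value, keeps a backup of the file, and refuses any mode other than the two the article names. Only the `<setting>` element is taken from the page; the enclosing `<configuration>` elements in SAMPLE_CONFIG are a constructed stand-in, since the page does not show the file's full layout, and CONFIG_PATH is the location the article gives.

```python
"""Switch the gateway's Service Bus connectivity mode between AutoDetect and Https.

Added example, not Microsoft tooling. Only the <setting> element mirrors the
article; the surrounding elements in SAMPLE_CONFIG are a constructed stand-in
for the real .dll.config, whose full layout the article does not show.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Location given in the article for the gateway's core configuration file.
CONFIG_PATH = Path(r"C:\Program Files\On-premises data gateway"
                   r"\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config")
SETTING_NAME = "ServiceBusSystemConnectivityModeString"
ALLOWED_MODES = ("AutoDetect", "Https")

# Constructed sample: wrapper elements are assumed, the <setting> is from the page.
SAMPLE_CONFIG = """<configuration>
  <applicationSettings>
    <setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
      <value>AutoDetect</value>
    </setting>
    <setting name="SomeOtherSetting" serializeAs="String">
      <value>unchanged</value>
    </setting>
  </applicationSettings>
</configuration>
"""


def set_connectivity_mode(xml_text, mode="Https"):
    """Return (new_xml_text, previous_value) with the setting changed to `mode`.

    Raises ValueError for an unknown mode and LookupError if the setting is absent,
    so a typo never produces a config the service cannot parse.
    """
    if mode not in ALLOWED_MODES:
        raise ValueError(f"mode must be one of {ALLOWED_MODES}, got {mode!r}")
    root = ET.fromstring(xml_text)
    node = root.find(f".//setting[@name='{SETTING_NAME}']/value")
    if node is None:
        raise LookupError(f"{SETTING_NAME} not found in configuration")
    previous = node.text
    node.text = mode
    return ET.tostring(root, encoding="unicode"), previous


def apply_to_file(path=CONFIG_PATH, mode="Https"):
    """Back up the file next to itself, rewrite it, and return the previous value."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    new_text, previous = set_connectivity_mode(path.read_text(encoding="utf-8"), mode)
    # ElementTree drops the XML declaration on output, so restore it.
    path.write_text('<?xml version="1.0" encoding="utf-8"?>\n' + new_text,
                    encoding="utf-8")
    return previous


if __name__ == "__main__":
    text, was = set_connectivity_mode(SAMPLE_CONFIG, "Https")
    print(f"{SETTING_NAME}: {was} -> Https")
    print(text)
```

The backup means the AutoDetect default can be restored by copying the .bak file back if the HTTPS path proves too slow, and the function returns the previous value so a change-management ticket can record what was there before.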

Tenant level administration

There is currently no single place where tenant administrators can manage all the gateways that other users have installed and configured. If you're a tenant administrator, it's recommended you ask users in your organization to add you as an administrator to every gateway they install. This allows you to manage all the gateways in your organization through the Gateway Settings page or through PowerShell commands.

Frequently asked questions

General

Q: Do I need a gateway for data sources in the cloud, such as Azure SQL Database?
A: No. A gateway is necessary for connecting to on-premises data sources only.

Q: Does the gateway have to be installed on the same machine as the data source?
A: No. The gateway just needs the capability to connect to the server, typically on the same network.

Q: Why do I need to use a work or school account to sign in?
A: You can only use an organizational work or school account when you install the on-premises data gateway. And, that account must be in the same tenant as the subscription you are configuring the gateway resource in. Your sign-in account is stored in a tenant that's managed by Azure Active Directory (Azure AD). Usually, your Azure AD account's user principal name (UPN) matches the email address.

Q: Where are my credentials stored?
A: The credentials that you enter for a data source are encrypted and stored in the Gateway Cloud Service. The credentials are decrypted at the on-premises data gateway.

Q: Are there any requirements for network bandwidth?
A: It's recommended your network connection has good throughput. Every environment is different, and the amount of data being sent affects the results. Using ExpressRoute could help to guarantee a level of throughput between on-premises and the Azure datacenters. You can use the third-party tool Azure Speed Test app to help gauge your throughput.

Q: What is the latency for running queries to a data source from the gateway? What is the best architecture?
A: To reduce network latency, install the gateway as close to the data source as possible. If you can install the gateway on the actual data source, this proximity minimizes the latency introduced. Consider the datacenters too. For example, if your service uses the West US datacenter, and you have SQL Server hosted in an Azure VM, your Azure VM should be in the West US too. This proximity minimizes latency and avoids egress charges on the Azure VM.

Q: How are results sent back to the cloud?
A: Results are sent through the Azure Service Bus.

Q: Are there any inbound connections to the gateway from the cloud?
A: No. The gateway uses outbound connections to Azure Service Bus.

Q: What if I block outbound connections? What do I need to open?
A: See the ports and hosts that the gateway uses.

Q: What is the actual Windows service called?
A: In Services, the gateway is called On-premises data gateway service.

Q: Can the gateway Windows service run with an Azure Active Directory account?
A: No. The Windows service must have a valid Windows account. By default, the service runs with the Service SID, NT SERVICE\PBIEgwService.

Q: How do I take over a gateway?
A: To take over a gateway (by running Setup/Change in Control Panel > Programs), you need to be an Owner for the gateway resource in Azure and have the recovery key. Gateway resource Owners are configurable in Access Control.

High availability and disaster recovery

Q: How can we have high availability?
A: You can install a gateway on another computer to create a cluster. To learn more, see High availability clusters for On-premises data gateway in the Power BI Gateway docs.

Q: What options are available for disaster recovery?
A: You can use the recovery key to restore or move a gateway. When you install the gateway, specify the recovery key.

Q: What is the benefit of the recovery key?
A: The recovery key provides a way to migrate or recover your gateway settings after a disaster.

Troubleshooting

Q: Why don't I see my gateway in the list of gateway instances when trying to create the gateway resource in Azure?
A: There are two possible reasons. The first is that a resource has already been created for the gateway in the current or some other subscription. To eliminate that possibility, enumerate resources of the type On-premises Data Gateways from the portal. Make sure to select all the subscriptions when enumerating all the resources. Once the resource is created, the gateway does not appear in the list of gateway instances in the Create Gateway Resource portal experience. The second possibility is that the Azure AD identity of the user who installed the gateway is different from the user signed in to the Azure portal. To resolve this, sign in to the portal using the same account as the user who installed the gateway.

Q: How can I see what queries are being sent to the on-premises data source?
A: You can enable query tracing, which includes the queries that are sent. Remember to change query tracing back to the original value when done troubleshooting. Leaving query tracing turned on creates larger logs.

You can also look at tools that your data source has for tracing queries. For example, you can use Extended Events or SQL Profiler for SQL Server and Analysis Services.

Q: Where are the gateway logs?
A: See Logs later in this article.

Update to the latest version

Many issues can surface when the gateway version becomes outdated. As good general practice, make sure that you use the latest version. If you haven't updated the gateway for a month or longer, you might consider installing the latest version of the gateway, and see if you can reproduce the issue.

Error: Failed to add user to group. (-2147463168 PBIEgwService Performance Log Users)

You might get this error if you try to install the gateway on a domain controller, which isn't supported. Make sure that you deploy the gateway on a machine that isn't a domain controller.

Logs

Log files are an important resource when troubleshooting.

Enterprise gateway service logs

C:\Users\PBIEgwService\AppData\Local\Microsoft\On-premises data gateway\<yyyyymmdd>.<Number>.log

Configuration logs

C:\Users\<username>\AppData\Local\Microsoft\On-premises data gateway\GatewayConfigurator.log

Event logs

You can find the Data Management Gateway and PowerBIGateway logs under Application and Services Logs.

Next steps