Connecting to on-premises data sources with On-premises data gateway

The on-premises data gateway provides secure data transfer between on-premises data sources and your Azure Analysis Services servers in the cloud. In addition to working with multiple Azure Analysis Services servers in the same region, the latest version of the gateway also works with Azure Logic Apps, Power BI, Power Apps, and Microsoft Flow. You can associate multiple services in the same subscription and same region with a single gateway. While the gateway you install is the same across all of these services, Azure Analysis Services and Logic Apps have some additional steps.

For Azure Analysis Services, getting set up with the gateway the first time is a four-part process:

  • Download and run setup - This step installs a gateway service on a computer in your organization. You also sign in to Azure using an account in your tenant's Azure AD. Azure B2B (guest) accounts are not supported.

  • Register your gateway - In this step, you specify a name and recovery key for your gateway and select a region, registering your gateway with the Gateway Cloud Service. Your gateway resource can be registered in any region, but we recommend it be in the same region as your Analysis Services servers.

  • Create a gateway resource in Azure - In this step, you create a gateway resource in your Azure subscription.

  • Connect your servers to your gateway resource - Once you have a gateway resource in your subscription, you can begin connecting your servers to it. You can connect multiple servers and other resources, provided they are in the same subscription and same region.

How it works

The gateway you install on a computer in your organization runs as a Windows service, On-premises data gateway. This local service is registered with the Gateway Cloud Service through Azure Service Bus. You then create an On-premises data gateway resource for your Azure subscription. Your Azure Analysis Services servers are then connected to your Azure gateway resource. When models on your server need to connect to your on-premises data sources for queries or processing, a query and data flow traverses the gateway resource, Azure Service Bus, the local on-premises data gateway service, and your data sources.

Queries and data flow:

  1. A query is created by the cloud service with the encrypted credentials for the on-premises data source. It's then sent to a queue for the gateway to process.
  2. The gateway cloud service analyzes the query and pushes the request to the Azure Service Bus.
  3. The on-premises data gateway polls the Azure Service Bus for pending requests.
  4. The gateway gets the query, decrypts the credentials, and connects to the data sources with those credentials.
  5. The gateway sends the query to the data source for execution.
  6. The results are sent from the data source, back to the gateway, and then onto the cloud service and your server.

Installing

When installing for an Azure Analysis Services environment, it's important you follow the steps described in Install and configure on-premises data gateway for Azure Analysis Services. This article is specific to Azure Analysis Services. It includes additional steps required to set up an On-premises data gateway resource in Azure, and connect your Azure Analysis Services server to the resource.

Ports and communication settings

The gateway creates an outbound connection to Azure Service Bus. It communicates on outbound ports: TCP 443 (default), 5671, 5672, 9350 through 9354. The gateway does not require inbound ports.

You may need to whitelist IP addresses for your data region in your firewall. You can download the Microsoft Azure Datacenter IP list. This list is updated weekly. The IP addresses listed in the Azure Datacenter IP list are in CIDR notation. To learn more, see Classless Inter-Domain Routing.

The following are fully qualified domain names used by the gateway.

| Domain names | Outbound ports | Description |
|---|---|---|
| *.powerbi.com | 80 | HTTP used to download the installer. |
| *.powerbi.com | 443 | HTTPS |
| *.analysis.windows.net | 443 | HTTPS |
| *.login.windows.net, login.live.com, aadcdn.msauth.net | 443 | HTTPS |
| *.servicebus.windows.net | 5671-5672 | Advanced Message Queuing Protocol (AMQP) |
| *.servicebus.windows.net | 443, 9350-9354 | Listeners on Service Bus Relay over TCP (requires 443 for Access Control token acquisition) |
| *.frontend.clouddatahub.net | 443 | HTTPS |
| *.core.windows.net | 443 | HTTPS |
| login.microsoftonline.com | 443 | HTTPS |
| *.msftncsi.com | 443 | Used to test internet connectivity if the gateway is unreachable by the Power BI service. |
| *.microsoftonline-p.com | 443 | Used for authentication depending on configuration. |
| dc.services.visualstudio.com | 443 | Used by AppInsights to collect telemetry. |
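
To confirm from the gateway host that the firewall's egress rules permit the connections listed above, the following PowerShell script (an added example, not part of the original article) probes each concrete host name and port with Test-NetConnection. Wildcard entries cannot be probed directly, so `$ServiceBusHost` is a placeholder you replace with a real Service Bus host name used by your gateway.

```powershell
# Added example: outbound reachability check, run on the gateway host.
param(
    # Placeholder (assumption): a concrete *.servicebus.windows.net host for your gateway.
    [string]$ServiceBusHost = 'example-namespace.servicebus.windows.net'
)

# Non-wildcard names and ports taken from the domain/port list in the article.
$targets = @(
    @{ Fqdn = 'login.microsoftonline.com';    Ports = @(443) }
    @{ Fqdn = 'login.live.com';               Ports = @(443) }
    @{ Fqdn = 'aadcdn.msauth.net';            Ports = @(443) }
    @{ Fqdn = 'dc.services.visualstudio.com'; Ports = @(443) }
    @{ Fqdn = $ServiceBusHost;                Ports = @(443, 5671, 5672) + (9350..9354) }
)

$results = foreach ($t in $targets) {
    foreach ($port in $t.Ports) {
        # Outbound TCP connect only; the gateway needs no inbound ports.
        $r = Test-NetConnection -ComputerName $t.Fqdn -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Fqdn      = $t.Fqdn
            Port      = $port
            Reachable = $r.TcpTestSucceeded
            RemoteIP  = $r.RemoteAddress
        }
    }
}

$results | Format-Table -AutoSize

# Summarize anything that did not connect so it can be compared with firewall rules.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} endpoint/port pair(s) not reachable" -f $blocked.Count)
    $blocked | Format-Table Fqdn, Port -AutoSize
}
```

A failed probe means either that egress is blocked or that the endpoint does not accept connections on that port, so check the result against firewall logs before changing rules.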

Forcing HTTPS communication with Azure Service Bus

You can force the gateway to communicate with Azure Service Bus by using HTTPS instead of direct TCP; however, doing so can greatly reduce performance. You can modify the Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config file by changing the value of the ServiceBusSystemConnectivityModeString setting from AutoDetect to Https. This file is typically located at C:\Program Files\On-premises data gateway.

<setting name="ServiceBusSystemConnectivityModeString" serializeAs="String">
    <value>Https</value>
</setting>
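
The same change can be audited or applied with a script. This is an added example, not part of the original article: it reports the current value of the setting and, when run with the hypothetical `-ForceHttps` switch, backs up the file and writes `Https`. The default `$ConfigPath` joins the folder and file name given above and is an assumption about your installation.

```powershell
# Added example: report the gateway's Service Bus connectivity mode and,
# with -ForceHttps, switch it to Https after taking a backup.
param(
    # Assumption: default install folder and file name as stated in the article.
    [string]$ConfigPath = 'C:\Program Files\On-premises data gateway\Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config',
    [switch]$ForceHttps
)

$settingName = 'ServiceBusSystemConnectivityModeString'

# Load with whitespace preserved so a later save changes only the one value.
$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true
$config.Load($ConfigPath)

# Locate the <value> element of the named <setting>, wherever it sits in the file.
$valueNode = $config.SelectSingleNode("//setting[@name='$settingName']/value")
if ($null -eq $valueNode) {
    throw "Setting '$settingName' was not found in $ConfigPath"
}

$current = $valueNode.InnerText.Trim()
Write-Output "Current ${settingName}: $current"

if ($ForceHttps -and $current -ne 'Https') {
    # Keep a timestamped copy so the change can be rolled back.
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $ConfigPath, (Get-Date)
    Copy-Item -LiteralPath $ConfigPath -Destination $backup
    $valueNode.InnerText = 'Https'
    $config.Save($ConfigPath)
    Write-Output "Set $settingName to Https (backup: $backup)"
}
```

Run it from an elevated session, since the file is under Program Files; the new mode applies once the gateway service is restarted.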

Next steps

The following articles are included in the On-premises data gateway general content that applies to all services the gateway supports: