Connect your application to Azure SQL Managed Instance

Applies to: Azure SQL Managed Instance

Today you have multiple choices when deciding how and where you host your application.

You may choose to host your application in the cloud by using Azure App Service or some of Azure's virtual network integrated options, such as Azure App Service Environment, Azure Virtual Machines, and virtual machine scale sets. You could also take a hybrid cloud approach and keep your applications on-premises.

Whatever choice you make, you can connect it to Azure SQL Managed Instance.

[Diagram: High availability]

This article describes how to connect an application to Azure SQL Managed Instance in a number of different application scenarios.

Connect inside the same VNet

Connecting an application inside the same virtual network as SQL Managed Instance is the simplest scenario. Virtual machines inside the virtual network can connect to each other directly even if they are inside different subnets. That means that all you need to connect an application inside App Service Environment or a virtual machine is to set the connection string appropriately.

Connect inside a different VNet

Connecting an application when it resides within a different virtual network from SQL Managed Instance is a bit more complex because SQL Managed Instance has private IP addresses in its own virtual network. To connect, an application needs access to the virtual network where SQL Managed Instance is deployed. So you need to make a connection between the application and the SQL Managed Instance virtual network. The virtual networks don't have to be in the same subscription in order for this scenario to work.

There are two options for connecting virtual networks:

Peering is preferable because it uses the Microsoft backbone network, so from the connectivity perspective, there is no noticeable difference in latency between virtual machines in a peered virtual network and in the same virtual network. Virtual network peering is limited to the networks in the same region.

Important

The virtual network peering scenario for SQL Managed Instance is limited to the networks in the same region due to the constraints of global virtual network peering. See also the relevant section of the Azure Virtual Networks frequently asked questions article for more details.

Connect from on-premises

You can also connect your on-premises application to SQL Managed Instance. SQL Managed Instance can only be accessed through a private IP address. In order to access it from on-premises, you need to make a site-to-site connection between the application and the SQL Managed Instance virtual network.

There are two options for how to connect on-premises to an Azure virtual network:

If you've established an on-premises to Azure connection successfully and you can't establish a connection to SQL Managed Instance, check whether your firewall allows outbound connections on SQL port 1433 as well as the 11000-11999 range of ports for redirection.

Connect the developer box

It is also possible to connect your developer box to SQL Managed Instance. SQL Managed Instance can be accessed only through a private IP address, so in order to access it from your developer box, you first need to make a connection between your developer box and the SQL Managed Instance virtual network. To do so, configure a point-to-site connection to a virtual network using native Azure certificate authentication. For more information, see Configure a point-to-site connection to connect to Azure SQL Managed Instance from an on-premises computer.

Connect with VNet peering

Another scenario implemented by customers is where a VPN gateway is installed in a separate virtual network and subscription from the one hosting SQL Managed Instance. The two virtual networks are then peered. The following sample architecture diagram shows how this can be implemented.

[Diagram: Virtual network peering]

Once you have the basic infrastructure set up, you need to modify some settings so that the VPN gateway can see the IP addresses in the virtual network that hosts SQL Managed Instance. To do so, make the following very specific changes under the Peering settings.

  1. In the virtual network that hosts the VPN gateway, go to Peerings, go to the peered virtual network connection for SQL Managed Instance, and then click Allow Gateway Transit.
  2. In the virtual network that hosts SQL Managed Instance, go to Peerings, go to the peered virtual network connection for the VPN gateway, and then click Use remote gateways.

Connect Azure App Service

You can also connect an application that's hosted by Azure App Service. SQL Managed Instance can be accessed only through a private IP address, so in order to access it from Azure App Service, you first need to make a connection between the application and the SQL Managed Instance virtual network. See Integrate your app with an Azure virtual network.

For troubleshooting, see Troubleshooting virtual networks and applications. If a connection cannot be established, try syncing the networking configuration.

A special case of connecting Azure App Service to SQL Managed Instance is when you integrate Azure App Service to a network peered to a SQL Managed Instance virtual network. That case requires the following configuration to be set up:

  • The SQL Managed Instance virtual network must NOT have a gateway
  • The SQL Managed Instance virtual network must have the Use remote gateways option set
  • The peered virtual network must have the Allow gateway transit option set

This scenario is illustrated in the following diagram:

[Diagram: Integrated app peering]

Note

The virtual network integration feature does not integrate an app with a virtual network that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, virtual network integration does not work. If you need to access resources through an ExpressRoute connection, then you can use App Service Environment, which runs in your virtual network.

Troubleshooting connectivity issues

For troubleshooting connectivity issues, review the following:

  • If you are unable to connect to SQL Managed Instance from an Azure virtual machine within the same virtual network but a different subnet, check whether a Network Security Group set on the VM subnet might be blocking access. Additionally, open outbound connections on SQL port 1433 as well as ports in the range 11000-11999, since those are needed for connecting via redirection inside the Azure boundary.

  • Ensure that BGP Propagation is set to Enabled for the route table associated with the virtual network.

  • If using P2S VPN, check the configuration in the Azure portal to see whether Ingress/Egress numbers are shown. Non-zero numbers indicate that Azure is routing traffic to/from on-premises.

    [Image: Ingress/egress numbers]

  • Check that the client machine (that is running the VPN client) has route entries for all the virtual networks that you need to access. The routes are stored in %AppData%\Roaming\Microsoft\Network\Connections\Cm\<GUID>\routes.txt.

    [Image: route.txt]

    As shown in this image, there are two entries for each virtual network involved and a third entry for the VPN endpoint that is configured in the portal.

    Another way to check the routes is via the following command. The output shows the routes to the various subnets:

    C:\>route print -4
    ===========================================================================
    Interface List
    14...54 ee 75 67 6b 39 ......Intel(R) Ethernet Connection (3) I218-LM
    57...........................rndatavnet
    18...94 65 9c 7d e5 ce ......Intel(R) Dual Band Wireless-AC 7265
    1...........................Software Loopback Interface 1
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
           10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
           10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
    ===========================================================================
    Persistent Routes:
    None
    
  • If you're using virtual network peering, ensure that you have followed the instructions for setting Allow Gateway Transit and Use Remote Gateways.

  • If you're using virtual network peering to connect an Azure App Service hosted application, and the SQL Managed Instance virtual network has a public IP address range, make sure that your hosted application settings allow your outbound traffic to be routed to public IP networks. Follow the instructions in Regional virtual network integration.
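
The outbound-port requirement named in the on-premises firewall note and in the Network Security Group item above (1433 plus 11000-11999) can be checked against an exported rule list before changing anything. The following is an added example, not code from the original article: the rule dictionaries are a simplified, assumed schema (not the Azure resource format), the rule sets are constructed, and 10.0.0.0/24 stands in for the SQL Managed Instance subnet.

```python
import ipaddress

# Ports the page requires outbound: 1433 plus 11000-11999 for redirection.
REQUIRED_PORTS = [1433, *range(11000, 12000)]

def port_in(spec, port):
    """spec is '*', one port ('1433') or a range ('11000-11999')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def matches(rule, dest, port):
    """True if a rule covers TCP traffic to dest:port."""
    prefix_ok = rule["dest"] == "*" or dest in ipaddress.ip_network(rule["dest"])
    return (prefix_ok and rule["protocol"] in ("*", "Tcp")
            and any(port_in(s, port) for s in rule["ports"]))

def blocked_ports(rules, dest_ip):
    """Required ports denied toward dest_ip. Lowest priority number is evaluated
    first and the first match decides; no match counts as deny (assumption)."""
    dest = ipaddress.ip_address(dest_ip)
    ordered = sorted(rules, key=lambda r: r["priority"])
    blocked = []
    for port in REQUIRED_PORTS:
        verdict = next((r["access"] for r in ordered if matches(r, dest, port)), "Deny")
        if verdict != "Allow":
            blocked.append(port)
    return blocked

def as_ranges(ports):
    """Collapse a sorted port list into strings such as '11000-11999'."""
    spans = []
    for p in ports:
        if spans and p == spans[-1][1] + 1:
            spans[-1][1] = p
        else:
            spans.append([p, p])
    return [str(a) if a == b else f"{a}-{b}" for a, b in spans]

# Constructed rule sets; 10.0.0.0/24 stands in for the SQL Managed Instance subnet.
ALLOW_1433 = {"priority": 100, "access": "Allow", "protocol": "Tcp",
              "dest": "10.0.0.0/24", "ports": ["1433"]}
ALLOW_REDIRECT = {"priority": 110, "access": "Allow", "protocol": "Tcp",
                  "dest": "10.0.0.0/24", "ports": ["11000-11999"]}
DENY_ALL = {"priority": 4096, "access": "Deny", "protocol": "*", "dest": "*", "ports": ["*"]}

if __name__ == "__main__":
    print(as_ranges(blocked_ports([ALLOW_1433, DENY_ALL], "10.0.0.5")))
```

A rule set that allows only 1433 reports the whole redirection range as blocked, which is the failure the troubleshooting item describes; scoping the allow rules to the instance subnet keeps the opening narrow.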
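
The route check described above (the client must have route entries for every virtual network it needs to reach) can be automated by parsing the `route print -4` output. This is an added example, not part of the original article: the sample text is the route table shown on this page, and the function names and the list of required prefixes are assumptions.

```python
import ipaddress
import re

# Route table copied from the `route print -4` output shown on this page.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
       10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
       10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
===========================================================================
Persistent Routes:
None
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_active_routes(text):
    """Return [(network, gateway, interface, metric)] from the Active Routes section."""
    routes, active = [], False
    for line in text.splitlines():
        if line.strip().startswith("Active Routes"):
            active = True
        elif line.strip().startswith("Persistent Routes"):
            active = False
        elif active and (m := ROW.match(line)):
            dest, mask, gw, iface, metric = m.groups()
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface, int(metric)))
    return routes

def uncovered_prefixes(text, required):
    """Required prefixes with no specific route; their traffic follows the default route."""
    specific = [r[0] for r in parse_active_routes(text) if r[0].prefixlen > 0]
    missing = []
    for prefix in map(ipaddress.ip_network, required):
        if not any(prefix.subnet_of(net) for net in specific):
            missing.append(str(prefix))
    return missing

if __name__ == "__main__":
    # 10.8.0.0/24 is a constructed prefix that has no entry in the sample table.
    print(uncovered_prefixes(SAMPLE, ["10.0.0.0/24", "10.4.0.0/24", "10.8.0.0/24"]))
```

Any prefix the function returns has no entry on the VPN interface, so connections to it leave through the default gateway instead of the point-to-site tunnel.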

Required versions of drivers and tools

The following minimal versions of the tools and drivers are recommended if you want to connect to SQL Managed Instance:

| Driver/tool | Version |
|---|---|
| .NET Framework | 4.6.1 (or .NET Core) |
| ODBC driver | v17 |
| PHP driver | 5.2.0 |
| JDBC driver | 6.4.0 |
| Node.js driver | 2.1.1 |
| OLEDB driver | 18.0.2.0 |
| SSMS | 18.0 or higher |
| SMO | 150 or higher |

Next steps