Security in Azure Database for MySQL

There are multiple layers of security available to protect the data on your Azure Database for MySQL server. This article outlines those security options.

Information protection and encryption

In-transit

Azure Database for MySQL secures your data by encrypting data in transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.

At-rest

The Azure Database for MySQL service uses a FIPS 140-2 validated cryptographic module for storage encryption of data at rest. Data, including backups, is encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.

Network security

Connections to an Azure Database for MySQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, see the connectivity architecture article.

A newly created Azure Database for MySQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server.

IP firewall rules

IP firewall rules grant access to servers based on the originating IP address of each request. See the firewall rules overview for more information.
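To make the default-deny semantics concrete, here is an added example (not code from the Azure documentation or the service itself) that models how a set of start/end IP firewall rules decides whether a connecting client is admitted, and flags rules so broad that they defeat IP filtering. The rule objects, the sample rules and the "broad rule" threshold are constructed for illustration; the 0.0.0.0–0.0.0.0 sentinel follows the Azure convention for "allow access to Azure services".

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumption: a rule is an inclusive IPv4 range, as on the Azure portal / CLI.
@dataclass(frozen=True)
class FirewallRule:
    name: str
    start_ip: str
    end_ip: str

    def size(self) -> int:
        """Number of addresses the rule admits."""
        return int(ipaddress.IPv4Address(self.end_ip)) - int(ipaddress.IPv4Address(self.start_ip)) + 1

    def contains(self, client_ip: str) -> bool:
        addr = ipaddress.IPv4Address(client_ip)
        return ipaddress.IPv4Address(self.start_ip) <= addr <= ipaddress.IPv4Address(self.end_ip)


def is_allowed(rules: Iterable[FirewallRule], client_ip: str, from_azure_service: bool = False) -> bool:
    """Default deny: with no matching rule the request is stopped at the gateway."""
    for rule in rules:
        if rule.start_ip == "0.0.0.0" and rule.end_ip == "0.0.0.0":
            # Sentinel rule: admits traffic originating from Azure services, not the public IP 0.0.0.0.
            if from_azure_service:
                return True
            continue
        if rule.contains(client_ip):
            return True
    return False


def overly_broad_rules(rules: Iterable[FirewallRule], max_addresses: int = 256) -> List[str]:
    """Names of rules wider than max_addresses (a constructed review threshold, e.g. one /24)."""
    return [r.name for r in rules if not (r.start_ip == r.end_ip == "0.0.0.0") and r.size() > max_addresses]


# Constructed sample rule set: one office range, one "temporary" allow-all, and the Azure sentinel.
SAMPLE_RULES = [
    FirewallRule("office-egress", "203.0.113.10", "203.0.113.20"),
    FirewallRule("tmp-open-all", "0.0.0.0", "255.255.255.255"),
    FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
]


if __name__ == "__main__":
    print(is_allowed(SAMPLE_RULES, "203.0.113.15"))      # True via office-egress
    print(overly_broad_rules(SAMPLE_RULES))              # ['tmp-open-all']
```

Running the audit function over a server's exported rules is a cheap periodic check that nobody has left a whole-Internet range in place.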

Virtual network firewall rules

Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules, you can enable your Azure Database for MySQL server to allow connections from selected subnets in a virtual network. For more information, see the virtual network service endpoint overview.

Private IP

Private Link allows you to connect to your Azure Database for MySQL in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using the private IP address just like any other resource in the VNet. For more information, see the private link overview.

Access management

While creating the Azure Database for MySQL server, you provide credentials for an administrator user. This administrator account can be used to create additional MySQL users.

Threat protection

You can opt in to Advanced Threat Protection, which detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit servers.

Audit logging is available to track activity in your databases.

Next steps