Configure IP firewall for Azure Cognitive Search

Azure Cognitive Search supports IP rules for inbound firewall support. This model provides an additional layer of security for your search service, similar to the IP rules you'll find in an Azure virtual network security group. With these IP rules, you can configure your search service to be accessible only from an approved set of machines and/or cloud services. Access to data stored in your search service from these approved sets of machines and services will still require the caller to present a valid authorization token.

You can set IP rules in the Azure portal, as described in this article. Alternatively, you can use the Management REST API version 2020-03-13, Azure PowerShell, or Azure CLI.

Configure an IP firewall using the Azure portal

To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select Networking on the navigation menu. Endpoint networking connectivity must be Public. If your connectivity is set to Private, you can only access your search service via a Private Endpoint.

Screenshot showing how to configure an IP firewall in the Azure portal

The Azure portal provides the ability to specify IP addresses and IP address ranges in CIDR format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255.

Note

After you enable the IP access control policy for your Azure Cognitive Search service, all requests to the data plane from machines outside the allowed list of IP address ranges are rejected. When IP rules are configured, some features of the Azure portal are disabled. You'll be able to view and manage service-level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons. As an alternative to the portal, you can use the VS Code Extension to interact with the various components in the service.

Requests from your current IP

To simplify development, the Azure portal helps you identify and add the IP of your client machine to the allowed list. Apps running on your machine can then access your Azure Cognitive Search service.

The portal automatically detects your client IP address. It might be the client IP address of your machine or of your network gateway. Make sure to remove this IP address before you take your workload to production.

To add your current IP to the list of IPs, check Add your client IP address. Then select Save.

Screenshot showing how to configure IP firewall settings to allow the current IP

Troubleshoot issues with an IP access control policy

You can troubleshoot issues with an IP access control policy by using the following options:

Azure portal

Enabling an IP access control policy for your Azure Cognitive Search service blocks all requests from machines outside the allowed list of IP address ranges, including the Azure portal. You'll be able to view and manage service-level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.

SDKs

When you access the Azure Cognitive Search service using the SDK from machines that are not in the allowed list, a generic 403 Forbidden response is returned with no additional details. Verify the allowed IP list for your account, and make sure that the correct configuration has been applied to your search service.
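The following is an added example (not code from this article or from Azure Cognitive Search itself) that models the allow-list behaviour described above: how a CIDR rule such as 8.8.8.0/24 expands to a range of addresses, how a request's source IP is matched against the list before the authorization token is even considered, why a detected gateway IP covers more than one machine, and the "remove your client IP before production" check. It uses only Python's standard `ipaddress` module; the sample allow list and client IPs are constructed, and the `properties.networkRuleSet.ipRules[].value` shape used for the Management REST API body is an assumption, not something stated on this page.

```python
import ipaddress

# Constructed sample allow list, in the two forms the portal accepts:
# a CIDR range and a single IPv4 address.
ALLOWED_RULES = ["8.8.8.0/24", "203.0.113.10"]


def parse_rules(rules):
    """Turn each rule into an ipaddress network; a bare address becomes a /32.

    strict=False means a rule whose host bits are set (e.g. "8.8.8.1/24") is
    normalised to its network address instead of being rejected; a rule that is
    not an IP address or CIDR range at all still raises ValueError.
    """
    return [ipaddress.ip_network(rule, strict=False) for rule in rules]


def cidr_range(rule):
    """Return (first address, last address, address count) covered by one rule."""
    net = ipaddress.ip_network(rule, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def is_allowed(client_ip, rules):
    """True if the caller's source IP falls inside any rule in the allow list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_rules(rules))


def evaluate_request(client_ip, rules, has_valid_token):
    """Model the order of the two gates described in the article.

    The IP rule is checked first; a source outside the list gets the generic
    403 Forbidden with no further detail. Only then does the token matter.
    """
    if not is_allowed(client_ip, rules):
        return "BLOCKED_BY_IP_RULE"  # surfaces to an SDK caller as a bare 403 Forbidden
    if not has_valid_token:
        return "MISSING_TOKEN"
    return "ALLOWED"


def management_ip_rule_payload(rules):
    """Build the ipRules fragment for a Management REST API request body.

    Assumed shape (not taken from the article): properties.networkRuleSet.ipRules
    is a list of {"value": "<ip or cidr>"} objects.
    """
    parse_rules(rules)  # validate every rule before emitting anything
    return {
        "properties": {
            "networkRuleSet": {
                "ipRules": [{"value": rule} for rule in rules]
            }
        }
    }


def production_ready(rules, dev_client_ip):
    """Apply the article's advice: the developer's client IP (or the gateway IP
    the portal detected on their behalf) must no longer be covered by any rule."""
    return not is_allowed(dev_client_ip, rules)


if __name__ == "__main__":
    print(cidr_range("8.8.8.0/24"))
    for ip in ["8.8.8.255", "8.8.9.0", "203.0.113.10"]:
        print(ip, evaluate_request(ip, ALLOWED_RULES, has_valid_token=True))
    print(management_ip_rule_payload(ALLOWED_RULES))
    print("safe for production:", production_ready(ALLOWED_RULES, "203.0.113.10"))
```

The address count returned by `cidr_range` is the practical reason to be careful with what the portal auto-detects: if it picked up a NAT gateway rather than your workstation, every host behind that gateway is inside the rule, and `production_ready` will keep reporting `False` until that entry is taken out of the list.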

Next steps

For more information on accessing your search service via Private Link, see the following article: