What is Azure SQL Database managed instance?

Managed instance is a new deployment option of Azure SQL Database, providing near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, a native virtual network (VNet) implementation that addresses common security concerns, and a business model favorable for on-premises SQL Server customers. The managed instance deployment model allows existing SQL Server customers to lift and shift their on-premises applications to the cloud with minimal application and database changes. At the same time, the managed instance deployment option preserves all PaaS capabilities (automatic patching and version updates, automated backups, high availability), which drastically reduces management overhead and TCO.

Important

For a list of regions in which the managed instance deployment option is currently available, see supported regions.

The following diagram outlines key features of managed instances:

[Diagram: Key features]

The managed instance deployment model is designed for customers looking to migrate a large number of apps from an on-premises or IaaS, self-built, or ISV-provided environment to a fully managed PaaS cloud environment, with as little migration effort as possible. Using the fully automated Data Migration Service (DMS) in Azure, customers can lift and shift their on-premises SQL Server to a managed instance that offers compatibility with SQL Server on-premises and complete isolation of customer instances with native VNet support. With Software Assurance, you can exchange your existing licenses for discounted rates on a managed instance using the Azure Hybrid Benefit for SQL Server. A managed instance is the best migration destination in the cloud for SQL Server instances that require high security and a rich programmability surface.

The managed instance deployment option aims to deliver close to 100% surface area compatibility with the latest on-premises SQL Server version through a staged release plan.

To decide between the Azure SQL Database deployment options (single database, pooled database, and managed instance) and SQL Server hosted in a virtual machine, see how to choose the right version of SQL Server in Azure.

Key features and capabilities

Managed instance combines the best features that are available both in Azure SQL Database and SQL Server Database Engine.

Important

A managed instance runs with all of the features of the most recent version of SQL Server, including online operations, automatic plan corrections, and other enterprise performance enhancements. A comparison of the features available is explained in Feature comparison: Azure SQL Database versus SQL Server.

PaaS benefits

  • No hardware purchasing and management
  • No management overhead for managing underlying infrastructure
  • Quick provisioning and service scaling
  • Automated patching and version upgrade
  • Integration with other PaaS data services

Business continuity

  • 99.99% uptime SLA
  • Built-in high availability
  • Data protected with automated backups
  • Customer-configurable backup retention period
  • User-initiated backups
  • Point-in-time database restore capability

Security and compliance

  • Isolated environment (VNet integration, single-tenant service, dedicated compute and storage)
  • Transparent data encryption (TDE)
  • Azure AD authentication, single sign-on support
  • Azure AD server principals (logins) (public preview)
  • Adheres to the same compliance standards as Azure SQL Database
  • SQL auditing
  • Threat detection

Management

  • Azure Resource Manager API for automating service provisioning and scaling
  • Azure portal functionality for manual service provisioning and scaling
  • Data Migration Service

Important

Azure SQL Database (all deployment options) has been certified against a number of compliance standards. For more information, see the Microsoft Azure Trust Center, where you can find the most current list of SQL Database compliance certifications.

The key features of managed instances are shown in the following table:

Feature | Description
--- | ---
SQL Server version / build | SQL Server Database Engine (latest stable)
Managed automated backups | Yes
Built-in instance and database monitoring and metrics | Yes
Automatic software patching | Yes
The latest Database Engine features | Yes
Number of data files (ROWS) per database | Multiple
Number of log files (LOG) per database | 1
VNet - Azure Resource Manager deployment | Yes
VNet - Classic deployment model | No
Portal support | Yes
Built-in Integration Service (SSIS) | No - SSIS is a part of Azure Data Factory PaaS
Built-in Analysis Service (SSAS) | No - SSAS is a separate PaaS
Built-in Reporting Service (SSRS) | No - use Power BI or SSRS IaaS

vCore-based purchasing model

The vCore-based purchasing model for managed instances gives you flexibility, control, transparency, and a straightforward way to translate on-premises workload requirements to the cloud. This model allows you to change compute, memory, and storage based upon your workload needs. The vCore model is also eligible for up to 30 percent savings with the Azure Hybrid Benefit for SQL Server.

In the vCore model, you can choose between generations of hardware.

  • Gen4 logical CPUs are based on Intel E5-2673 v3 (Haswell) 2.4-GHz processors, attached SSD, physical cores, 7 GB RAM per core, and compute sizes between 8 and 24 vCores.
  • Gen5 logical CPUs are based on Intel E5-2673 v4 (Broadwell) 2.3-GHz processors, fast NVMe SSD, hyper-threaded logical cores, and compute sizes between 4 and 80 cores.

Find more information about the differences between hardware generations in managed instance resource limits.

Important

New Gen4 databases are no longer supported in the AustraliaEast region.

Managed instance service tiers

Managed instance is available in two service tiers:

  • General Purpose: Designed for applications with typical performance and IO latency requirements.
  • Business Critical: Designed for applications with low IO latency requirements and minimal impact of underlying maintenance operations on the workload.

Both service tiers guarantee 99.99% availability and enable you to independently select storage size and compute capacity. For more information on the high availability architecture of Azure SQL Database, see High availability and Azure SQL Database.

General Purpose service tier

The following list describes the key characteristics of the General Purpose service tier:

  • Designed for the majority of business applications with typical performance requirements
  • High-performance Azure Blob storage (8 TB)
  • Built-in high availability based on reliable Azure Blob storage and Azure Service Fabric

For more information, see storage layer in the General Purpose tier and storage performance best practices and considerations for managed instances (General Purpose).

Find more information about the differences between service tiers in managed instance resource limits.

Business Critical service tier

The Business Critical service tier is built for applications with high IO requirements. It offers the highest resilience to failures by using several isolated replicas.

The following list outlines the key characteristics of the Business Critical service tier:

Find more information about the differences between service tiers in managed instance resource limits.

Managed instance management operations

Azure SQL Database provides management operations that you can use to automatically deploy new managed instances, update instance properties, and delete instances when they are no longer needed. This section provides information about management operations and their typical durations.

To support deployments within Azure Virtual Networks (VNets) and provide isolation and security for customers, managed instance relies on virtual clusters, which represent a dedicated set of isolated virtual machines deployed inside the customer's virtual network subnet. Essentially, every managed instance deployment in an empty subnet results in a new virtual cluster buildout.

Subsequent operations on deployed managed instances might also affect the underlying virtual cluster. This affects the duration of management operations, because deploying additional virtual machines comes with an overhead that needs to be considered when you plan new deployments or updates to existing managed instances.

All management operations can be categorized as follows:

  • Instance deployment (new instance creation).
  • Instance update (changing instance properties, such as vCores, reserved storage, etc.).
  • Instance deletion.

Typically, operations on virtual clusters take the longest. The duration of operations on virtual clusters varies; below are the values that you can typically expect, based on existing service telemetry data:

  • Virtual cluster creation. This is a synchronous step in instance management operations. 90% of operations finish in 4 hours.
  • Virtual cluster resizing (expansion or shrinking). Expansion is a synchronous step, while shrinking is performed asynchronously (without impact on the duration of instance management operations). 90% of cluster expansions finish in less than 2.5 hours.
  • Virtual cluster deletion. Deletion is an asynchronous step, but it can also be initiated manually on an empty virtual cluster, in which case it executes synchronously. 90% of virtual cluster deletions finish in 1.5 hours.

Additionally, management of instances may also include one of the following operations on hosted databases, which results in longer durations:

  • Attaching database files from Azure Storage. This is a synchronous step that occurs, for example, when scaling compute (vCores) or storage up or down in the General Purpose service tier. 90% of these operations finish in 5 minutes.
  • Always On availability group seeding. This is a synchronous step that occurs, for example, when scaling compute (vCores) or storage in the Business Critical service tier, as well as when changing the service tier from General Purpose to Business Critical (or vice versa). The duration of this operation is proportional to the total database size as well as current database activity (number of active transactions). Database activity when updating an instance can introduce significant variance into the total duration. 90% of these operations execute at 220 GB / hour or higher.

The following table summarizes operations and typical overall durations:

Category | Operation | Long-running segment | Estimated duration
--- | --- | --- | ---
Deployment | First instance in an empty subnet | Virtual cluster creation | 90% of operations finish in 4 hours
Deployment | First instance of another hardware generation in a non-empty subnet (for example, first Gen 5 instance in a subnet with Gen 4 instances) | Virtual cluster creation* | 90% of operations finish in 4 hours
Deployment | First instance creation of 4 vCores, in an empty or non-empty subnet | Virtual cluster creation** | 90% of operations finish in 4 hours
Deployment | Subsequent instance creation within the non-empty subnet (2nd, 3rd, etc. instance) | Virtual cluster resizing | 90% of operations finish in 2.5 hours
Update | Instance property change (admin password, AAD login, Azure Hybrid Benefit flag) | N/A | Up to 1 minute
Update | Instance storage scaling up/down (General Purpose service tier) | Virtual cluster resizing; attaching database files | 90% of operations finish in 2.5 hours
Update | Instance storage scaling up/down (Business Critical service tier) | Virtual cluster resizing; Always On availability group seeding | 90% of operations finish in 2.5 hours + time to seed all databases (220 GB / hour)
Update | Instance compute (vCores) scaling up and down (General Purpose) | Virtual cluster resizing; attaching database files | 90% of operations finish in 2.5 hours
Update | Instance compute (vCores) scaling up and down (Business Critical) | Virtual cluster resizing; Always On availability group seeding | 90% of operations finish in 2.5 hours + time to seed all databases (220 GB / hour)
Update | Instance scale down to 4 vCores (General Purpose) | Virtual cluster resizing (if done for the first time, it may require virtual cluster creation**); attaching database files | 90% of operations finish in 4 h 5 min**
Update | Instance scale down to 4 vCores (General Purpose) | Virtual cluster resizing (if done for the first time, it may require virtual cluster creation**); Always On availability group seeding | 90% of operations finish in 4 hours + time to seed all databases (220 GB / hour)
Deletion | Instance deletion | Log tail backup for all databases | 90% of operations finish in up to 1 minute. Note: if the last instance in the subnet is deleted, this operation will schedule virtual cluster deletion after 12 hours***
Deletion | Virtual cluster deletion (as a user-initiated operation) | Virtual cluster deletion | 90% of operations finish in up to 1.5 hours

* Virtual cluster is built per hardware generation.

** The 4 vCores deployment option was released in June 2019 and requires a new virtual cluster version. If you had instances in the target subnet that were all created before June 12, a new virtual cluster will be deployed automatically to host 4 vCore instances.

*** 12 hours is the current configuration, but that might change in the future, so don't take a hard dependency on it. If you need to delete a virtual cluster earlier (to release the subnet, for example), see Delete a subnet after deleting an Azure SQL Database managed instance.

Instance availability during management

Managed instances are not available to client applications during deployment and deletion operations.

Managed instances are available during update operations, but there is a short downtime caused by the failover that happens at the end of updates, which typically lasts up to 10 seconds.

Important

The duration of a failover can vary significantly in the case of long-running transactions on the databases, due to prolonged recovery time. Hence it is not recommended to scale compute or storage of an Azure SQL Database managed instance, or to change its service tier, at the same time as long-running transactions (data import, data processing jobs, index rebuild, etc.). The database failover performed at the end of the operation will cancel ongoing transactions and result in prolonged recovery time.

Accelerated database recovery is not currently available for Azure SQL Database managed instances. Once enabled, this feature will significantly reduce the variability of failover time, even in the case of long-running transactions.
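A pre-flight check for the warning above, as an added example that is not part of the original page: before starting a scale or service-tier change, list user transactions that have been open longer than a threshold (the 5-minute value is a hypothetical site policy; the query uses only standard SQL Server DMVs and needs VIEW SERVER STATE).

```sql
-- Added example: find open user transactions that would prolong the failover
-- at the end of a managed instance update. Threshold is a hypothetical policy value.
DECLARE @ThresholdMinutes INT = 5;

SELECT
    s.session_id,
    s.login_name,
    s.program_name,
    DB_NAME(dt.database_id)                                AS database_name,
    at.name                                                AS transaction_name,
    at.transaction_begin_time,
    DATEDIFF(MINUTE, at.transaction_begin_time, GETDATE()) AS open_minutes,
    dt.database_transaction_log_bytes_used / 1048576.0     AS log_mb_used,  -- undo work on failover
    r.status                                               AS request_status,
    r.command                                              -- e.g. ALTER INDEX, BULK INSERT
FROM sys.dm_tran_active_transactions      AS at
JOIN sys.dm_tran_session_transactions     AS st ON st.transaction_id = at.transaction_id
JOIN sys.dm_exec_sessions                 AS s  ON s.session_id      = st.session_id
LEFT JOIN sys.dm_tran_database_transactions AS dt ON dt.transaction_id = at.transaction_id
LEFT JOIN sys.dm_exec_requests            AS r  ON r.session_id      = s.session_id
WHERE st.is_user_transaction = 1
  AND DATEDIFF(MINUTE, at.transaction_begin_time, GETDATE()) >= @ThresholdMinutes
ORDER BY open_minutes DESC;
-- An empty result set means no long-running user transaction will be cancelled
-- and rolled back by the failover; otherwise defer the update or wait for them to finish.
```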

Advanced security and compliance

The managed instance deployment option combines advanced security features provided by the Azure cloud and the SQL Server Database Engine.

Managed instance security isolation

A managed instance provides additional security isolation from other tenants in the Azure cloud. Security isolation includes:

  • Native virtual network implementation and connectivity to your on-premises environment using Azure ExpressRoute or VPN Gateway.
  • In a default deployment, the SQL endpoint is exposed only through a private IP address, allowing safe connectivity from private Azure or hybrid networks.
  • Single-tenant with dedicated underlying infrastructure (compute, storage).

The following diagram outlines various connectivity options for your applications:

[Diagram: High availability]

To learn more about VNet integration and networking policy enforcement at the subnet level, see VNet architecture for managed instances and Connect your application to a managed instance.

Important

Place multiple managed instances in the same subnet, wherever that is allowed by your security requirements, as that will bring you additional benefits. Collocating instances in the same subnet significantly simplifies networking infrastructure maintenance and reduces instance provisioning time, since the long provisioning duration is associated with the cost of deploying the first managed instance in a subnet.

Azure SQL Database security features

Azure SQL Database provides a set of advanced security features that can be used to protect your data.

  • Managed instance auditing tracks database events and writes them to an audit log file placed in your Azure storage account. Auditing can help maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
  • Data encryption in motion - a managed instance secures your data by providing encryption for data in motion using Transport Layer Security. In addition to transport layer security, the managed instance deployment option offers protection of sensitive data in flight, at rest, and during query processing with Always Encrypted. Always Encrypted is an industry-first that offers unparalleled data security against breaches involving the theft of critical data. For example, with Always Encrypted, credit card numbers are always stored encrypted in the database, even during query processing, allowing decryption at the point of use by authorized staff or applications that need to process that data.
  • Threat detection complements auditing by providing an additional layer of security intelligence built into the service that detects unusual and potentially harmful attempts to access or exploit databases. You are alerted about suspicious activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. Threat detection alerts can be viewed from Azure Security Center and provide details of the suspicious activity and recommended actions on how to investigate and mitigate the threat.
  • Dynamic data masking limits sensitive data exposure by masking it to non-privileged users. Dynamic data masking helps prevent unauthorized access to sensitive data by enabling you to designate how much of the sensitive data to reveal, with minimal impact on the application layer. It is a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
  • Row-level security enables you to control access to rows in a database table based on the characteristics of the user executing a query (such as group membership or execution context). Row-level security (RLS) simplifies the design and coding of security in your application. RLS enables you to implement restrictions on data row access. For example, it can ensure that workers can access only the data rows that are pertinent to their department, or restrict data access to only the relevant data.
  • Transparent data encryption (TDE) encrypts managed instance data files, known as encrypting data at rest. TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. You can protect all your databases in a managed instance with transparent data encryption. TDE is SQL Server's proven encryption-at-rest technology that is required by many compliance standards to protect against theft of storage media.
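The row-level security and dynamic data masking bullets above, worked through as an added T-SQL example that is not part of the original page: a constructed Orders table gets a department-membership filter and block predicate plus two masked columns, and a hypothetical SalesAnalyst user (without UNMASK) is impersonated to show the combined effect. All object names are assumptions.

```sql
-- Added example: RLS predicate + security policy + dynamic data masking on a constructed table.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Orders (
    OrderId       INT IDENTITY PRIMARY KEY,
    Department    SYSNAME       NOT NULL,   -- holds the name of a database role
    CustomerEmail NVARCHAR(256) NOT NULL,
    CardLast4     CHAR(4)       NOT NULL,
    Amount        DECIMAL(10,2) NOT NULL
);
GO
-- Constructed sample rows
INSERT INTO dbo.Orders (Department, CustomerEmail, CardLast4, Amount) VALUES
    (N'Sales',   N'alice@example.com', '4242', 120.00),
    (N'Support', N'bob@example.com',   '1111',  45.50);
GO
-- Predicate: a row is visible only if the caller belongs to the role named in Department
-- (members of db_owner see every row). Schema-bound, as RLS requires.
CREATE FUNCTION Security.fn_DepartmentPredicate(@Department AS SYSNAME)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS fn_result
       WHERE IS_MEMBER(@Department) = 1 OR IS_MEMBER(N'db_owner') = 1;
GO
-- FILTER hides rows on read; BLOCK ... AFTER INSERT stops a user inserting rows
-- for a department they are not a member of.
CREATE SECURITY POLICY Security.OrdersDepartmentPolicy
    ADD FILTER PREDICATE Security.fn_DepartmentPredicate(Department) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_DepartmentPredicate(Department) ON dbo.Orders AFTER INSERT
    WITH (STATE = ON);
GO
-- Masks are applied in the result set only; stored data is unchanged.
ALTER TABLE dbo.Orders ALTER COLUMN CustomerEmail ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Orders ALTER COLUMN CardLast4     ADD MASKED WITH (FUNCTION = 'default()');
GO
-- A hypothetical non-privileged principal in the Sales department (no UNMASK permission)
CREATE ROLE Sales;
CREATE USER SalesAnalyst WITHOUT LOGIN;
ALTER ROLE Sales ADD MEMBER SalesAnalyst;
GRANT SELECT ON dbo.Orders TO SalesAnalyst;
GO
-- Observe both controls at once: only the Sales row is returned, with CustomerEmail
-- rendered as aXXX@XXXX.com and CardLast4 as xxxx.
EXECUTE AS USER = 'SalesAnalyst';
SELECT OrderId, Department, CustomerEmail, CardLast4, Amount FROM dbo.Orders;
REVERT;
GO
-- Run as dbo (db_owner, not masked): both rows, clear text.
SELECT OrderId, Department, CustomerEmail, CardLast4, Amount FROM dbo.Orders;
```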

Migration of an encrypted database to a managed instance is supported via the Azure Database Migration Service (DMS) or native restore. If you plan to migrate an encrypted database using native restore, migrating the existing TDE certificate from the on-premises SQL Server, or SQL Server in a virtual machine, to the managed instance is a required step. For more information about migration options, see SQL Server instance migration to managed instance.

Azure Active Directory integration

The managed instance deployment option supports traditional SQL Server Database Engine logins and logins integrated with Azure Active Directory (AAD). Azure AD server principals (logins) (public preview) are the Azure cloud version of the on-premises database logins that you use in your on-premises environment. Azure AD server principals (logins) enable you to specify users and groups from your Azure Active Directory tenant as true instance-scoped principals, capable of performing any instance-level operation, including cross-database queries within the same managed instance.

A new syntax, FROM EXTERNAL PROVIDER, is introduced to create Azure AD server principals (logins) (public preview). For more information on the syntax, see CREATE LOGIN, and review the Provision an Azure Active Directory administrator for your managed instance article.
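The FROM EXTERNAL PROVIDER syntax in use, as an added example that is not part of the original page: it creates an instance-scoped login for a user and for a group, grants instance-level permission to the group rather than to individuals, maps the user into a database, and verifies the result. The tenant domain contoso.com, the names alice, DBA-Team and the Sales database are assumptions; the script is assumed to be run by the instance's Azure AD administrator.

```sql
-- Added example: Azure AD server principals (logins) on a managed instance.
-- Names and tenant are hypothetical.
USE master;
GO
-- An individual user from the Azure AD tenant
CREATE LOGIN [alice@contoso.com] FROM EXTERNAL PROVIDER;
-- An Azure AD security group: each member authenticates with their own identity,
-- so membership changes in Azure AD, not in the instance
CREATE LOGIN [DBA-Team] FROM EXTERNAL PROVIDER;
GO
-- Instance-level rights go to the group; keep them to what the role actually needs
GRANT VIEW SERVER STATE TO [DBA-Team];
GO
-- Map the user login into a user database, then grant only what is needed there
USE Sales;
GO
CREATE USER [alice@contoso.com] FROM LOGIN [alice@contoso.com];
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.com];
GO
-- Verify: Azure AD logins appear as type E (external user) or X (external group)
USE master;
GO
SELECT name, type_desc, create_date
FROM sys.server_principals
WHERE type IN ('E', 'X')
ORDER BY name;
```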

Azure Active Directory integration and multi-factor authentication

The managed instance deployment option enables you to centrally manage identities of database users and other Microsoft services with Azure Active Directory integration. This capability simplifies permission management and enhances security. Azure Active Directory supports multi-factor authentication (MFA) to increase data and application security while supporting a single sign-on process.

Authentication

Managed instance authentication refers to how users prove their identity when connecting to the database. SQL Database supports two types of authentication:

  • SQL Authentication:

    This authentication method uses a username and password.

  • Azure Active Directory Authentication:

    This authentication method uses identities managed by Azure Active Directory and is supported for managed and integrated domains. Use Active Directory authentication (integrated security) whenever possible.

Authorization

Authorization refers to what a user can do within an Azure SQL Database, and is controlled by your user account's database role memberships and object-level permissions. A managed instance has the same authorization capabilities as SQL Server 2017.

Database migration

The managed instance deployment option targets user scenarios with mass database migration from on-premises or IaaS database implementations. Managed instance supports several database migration options:

Back up and restore

This migration approach leverages SQL backups to Azure Blob storage. Backups stored in an Azure storage blob can be directly restored into a managed instance using the T-SQL RESTORE command.

  • For a quickstart showing how to restore the Wide World Importers - Standard database backup file, see Restore a backup file to a managed instance. This quickstart shows that you have to upload a backup file to Azure Blob storage and secure it using a shared access signature (SAS) key.
  • For information about restore from URL, see Native RESTORE from URL.
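The native restore-from-URL path described above, as an added example that is not part of the original page or the quickstart it links: a SAS-backed credential scoped to the container, an inspection of the backup before restoring, and the RESTORE itself without WITH MOVE (which the managed instance does not support, since it manages physical paths). The storage account, container, file name and SAS token are placeholders.

```sql
-- Added example: native RESTORE from URL on a managed instance. All URLs and the SAS are placeholders.
USE master;
GO
-- The credential name must be the container URL, IDENTITY must be the literal string
-- 'SHARED ACCESS SIGNATURE', and SECRET is a read+list SAS token WITHOUT the leading '?'.
CREATE CREDENTIAL [https://mystorageacct.blob.core.windows.net/backups]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
         SECRET   = '<sas-token-without-leading-question-mark>';
GO
-- Inspect the backup before restoring: logical files and header (version, TDE, backup type)
RESTORE FILELISTONLY
    FROM URL = 'https://mystorageacct.blob.core.windows.net/backups/WideWorldImporters-Standard.bak';
RESTORE HEADERONLY
    FROM URL = 'https://mystorageacct.blob.core.windows.net/backups/WideWorldImporters-Standard.bak';
GO
-- Restore. No WITH MOVE clauses: the service places the files itself.
-- If the backup is TDE-encrypted, its certificate must already have been migrated to the instance.
RESTORE DATABASE [WideWorldImporters]
    FROM URL = 'https://mystorageacct.blob.core.windows.net/backups/WideWorldImporters-Standard.bak';
GO
-- From another session: progress of the running restore
SELECT session_id, command, percent_complete,
       estimated_completion_time / 60000.0 AS est_minutes_left
FROM sys.dm_exec_requests
WHERE command LIKE 'RESTORE%';
```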

Important

Backups from a managed instance can only be restored to another managed instance. They cannot be restored to an on-premises SQL Server or to a single database/elastic pool.

Data Migration Service

The Azure Database Migration Service is a fully managed service designed to enable seamless migrations from multiple database sources to Azure data platforms with minimal downtime. This service streamlines the tasks required to move existing third-party and SQL Server databases to Azure SQL Database (single databases, pooled databases in elastic pools, and instance databases in a managed instance) and SQL Server in an Azure VM. See How to migrate your on-premises database to managed instance using DMS.

SQL features supported

The managed instance deployment option aims to deliver close to 100% surface area compatibility with on-premises SQL Server, coming in stages until service general availability. For a features and comparison list, see SQL Database feature comparison, and for a list of T-SQL differences in managed instances versus SQL Server, see managed instance T-SQL differences from SQL Server.

受控執行個體部署選項支援與 SQL 2008 資料庫的回溯相容性。The managed instance deployment option supports backward compatibility to SQL 2008 databases. 支援直接從 SQL 2005 資料庫伺服器進行移轉,移轉後,SQL 2005 資料庫的相容性層級會更新為 SQL 2008。Direct migration from SQL 2005 database servers is supported, compatibility level for migrated SQL 2005 databases are updated to SQL 2008.

The following diagram outlines surface area compatibility in a managed instance:

(Diagram: migration and surface area compatibility)

Key differences between SQL Server on-premises and in a managed instance

The managed instance deployment option benefits from being always up to date in the cloud, which means that some features of on-premises SQL Server may be obsolete, retired, or replaced by alternatives. There are specific cases where tools need to recognize that a particular feature works in a slightly different way, or that the service is running in an environment you do not fully control:

  • High availability is built in and pre-configured using technology similar to Always On availability groups.
  • Automated backups and point-in-time restore. Customers can initiate copy-only backups that do not interfere with the automatic backup chain.
  • A managed instance does not allow specifying full physical paths, so all corresponding scenarios have to be supported differently: RESTORE DATABASE does not support WITH MOVE, CREATE DATABASE does not allow physical paths, BULK INSERT works with Azure Blobs only, and so on.
  • A managed instance supports Azure AD authentication as the cloud alternative to Windows authentication.
  • A managed instance automatically manages the XTP filegroup and files for databases containing In-Memory OLTP objects.
  • A managed instance supports SQL Server Integration Services (SSIS) and can host the SSIS catalog (SSISDB) that stores SSIS packages, but the packages are executed on a managed Azure-SSIS Integration Runtime (IR) in Azure Data Factory (ADF); see Create Azure-SSIS IR in ADF. To compare the SSIS features across SQL Database, see Compare Azure SQL Database single databases/elastic pools and managed instance.
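Three of the differences listed above (copy-only backups, blob-only BULK INSERT, Azure AD logins) as one added T-SQL example. This is not code from the original page; the storage account, containers, SAS tokens, table, file and login names are placeholders to replace:

```sql
-- Added example, not part of the original page. All names and tokens below are placeholders.

-- (a) Copy-only backup to a blob. COPY_ONLY leaves the service-managed automatic backup
--     chain untouched. This credential's SAS needs write access (sp=rwl), so keep it as a
--     separate token from any read-only restore credential: one credential per purpose.
CREATE CREDENTIAL [https://mystorageacct.blob.core.windows.net/exports]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = 'sv=<version>&ss=b&srt=co&sp=rwl&se=<expiry>&sig=<signature>';
GO
BACKUP DATABASE [WideWorldImporters]
TO URL = 'https://mystorageacct.blob.core.windows.net/exports/WideWorldImporters-copyonly.bak'
WITH COPY_ONLY;
GO

-- (b) BULK INSERT accepts no local file path on a managed instance. The source is an
--     Azure Blob container exposed through an external data source backed by a
--     database-scoped, read-only SAS credential.
USE [WideWorldImporters];
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>';   -- required for scoped credentials
CREATE DATABASE SCOPED CREDENTIAL ImportBlobReader
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
     SECRET = 'sv=<version>&ss=b&srt=co&sp=rl&se=<expiry>&sig=<signature>';
CREATE EXTERNAL DATA SOURCE ImportBlobs
WITH (TYPE = BLOB_STORAGE,
      LOCATION = 'https://mystorageacct.blob.core.windows.net/imports',
      CREDENTIAL = ImportBlobReader);
GO
CREATE TABLE dbo.CustomerImport
(
    CustomerId   int           NOT NULL,
    CustomerName nvarchar(100) NOT NULL
);
BULK INSERT dbo.CustomerImport
FROM 'customers.csv'                  -- blob name, relative to the data source LOCATION
WITH (DATA_SOURCE = 'ImportBlobs', FORMAT = 'CSV', FIRSTROW = 2);
GO

-- (c) Azure AD authentication in place of Windows authentication: an Azure AD login at
--     the instance level (created in master), mapped to a database user that holds only
--     the role membership it needs.
USE [master];
GO
CREATE LOGIN [alice@contoso.com] FROM EXTERNAL PROVIDER;
GO
USE [WideWorldImporters];
GO
CREATE USER [alice@contoso.com] FROM LOGIN [alice@contoso.com];
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.com];
GO
```

Issue the two SAS tokens separately (write-capable on the exports container, read-only on the imports container), each with a short expiry, so that a token exposed in a script or log grants only the one operation it was minted for.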

Managed instance administration features

The managed instance deployment option enables system administrators to spend less time on administrative tasks, because the SQL Database service either performs them for you or greatly simplifies them. Examples include OS and RDBMS installation and patching, dynamic instance resizing and configuration, backups, database replication (including system databases), high availability configuration, and configuration of health and performance monitoring data streams.

Important

For a list of supported, partially supported, and unsupported features, see SQL Database features. For a list of T-SQL differences between managed instances and SQL Server, see managed instance T-SQL differences from SQL Server.

How to programmatically identify a managed instance

The following properties, accessible through Transact-SQL, let an application detect that it is working with a managed instance and retrieve important properties.

Property: @@VERSION
Value: Microsoft SQL Azure (RTM) - 12.0.2000.8 2018-03-07 Copyright (C) 2018 Microsoft Corporation.
Comment: This value is the same as in SQL Database.

Property: SERVERPROPERTY('Edition')
Value: SQL Azure
Comment: This value is the same as in SQL Database.

Property: SERVERPROPERTY('EngineEdition')
Value: 8
Comment: This value uniquely identifies a managed instance.

Property: @@SERVERNAME, SERVERPROPERTY('ServerName')
Value: Full instance DNS name in the format <instanceName>.<dnsPrefix>.database.windows.net, where <instanceName> is the name provided by the customer and <dnsPrefix> is an autogenerated part of the name that guarantees global DNS uniqueness ("wcus17662feb9ce98", for example).
Comment: Example: my-managed-instance.wcus17662feb9ce98.database.windows.net
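A guard built from the properties above, as an added T-SQL example (not code from the original page): it refuses to continue unless the connection is to a managed instance, and it splits @@SERVERNAME into the customer-chosen instance name and the autogenerated DNS prefix. The EngineEdition value 8 is the one the page gives for a managed instance; the other values in the comment are the engine's documented ones for other editions, noted here only for contrast:

```sql
-- Added example, not part of the original page. Place it at the top of a deployment or
-- audit script that must only ever run against a managed instance.
SET NOCOUNT ON;

DECLARE @engine int            = CONVERT(int, SERVERPROPERTY('EngineEdition'));
DECLARE @server nvarchar(256)  = CONVERT(nvarchar(256), @@SERVERNAME);

-- EngineEdition: 8 = managed instance (5 = Azure SQL Database, 3 = SQL Server Enterprise, ...).
-- Only 8 identifies a managed instance; @@VERSION and Edition look identical to SQL Database.
IF @engine <> 8
BEGIN
    DECLARE @msg nvarchar(300) =
        N'Refusing to run: not a managed instance (EngineEdition = '
        + CONVERT(nvarchar(10), @engine) + N') on ' + @server;
    THROW 50000, @msg, 1;
END;

-- @@SERVERNAME is <instanceName>.<dnsPrefix>.database.windows.net. Strip the fixed suffix,
-- then PARSENAME reads the remaining two dot-separated parts from the right:
-- part 1 is the DNS prefix, part 2 is the instance name.
DECLARE @short nvarchar(256) = REPLACE(@server, N'.database.windows.net', N'');

SELECT
    @server                    AS full_dns_name,
    PARSENAME(@short, 2)       AS instance_name,   -- e.g. my-managed-instance
    PARSENAME(@short, 1)       AS dns_prefix,      -- e.g. wcus17662feb9ce98
    SERVERPROPERTY('Edition')  AS edition;         -- SQL Azure, same as SQL Database
```

The THROW gives a non-zero exit when run through sqlcmd or a pipeline task, so a script pointed at the wrong target (an on-premises server or a single database) stops before it changes anything.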

Next steps