Connect your application to Azure SQL Database managed instance

Today you have multiple choices when deciding how and where you host your application.

You may choose to host your application in the cloud either by using Azure App Service or one of Azure's virtual network (VNet) integrated options, such as Azure App Service Environment, Virtual Machine, or Virtual Machine Scale Set. You could also take a hybrid cloud approach and keep your applications on-premises.

Whatever choice you make, you can connect it to a Managed Instance.

[Diagram: High availability]

Connect an application inside the same VNet

This scenario is the simplest. Virtual machines inside the VNet can connect to each other directly even if they are inside different subnets. That means that all you need to connect an application inside an Azure Application Environment or Virtual Machine is to set the connection string appropriately.

Connect an application inside a different VNet

This scenario is a bit more complex because Managed Instance has a private IP address in its own VNet. To connect, an application needs access to the VNet where Managed Instance is deployed. So, first you need to make a connection between the application and the Managed Instance VNet. The VNets don’t have to be in the same subscription in order for this scenario to work.

There are two options for connecting VNets:

The peering option is the preferable one because peering uses the Microsoft backbone network, so, from the connectivity perspective, there is no noticeable difference in latency between virtual machines in a peered VNet and in the same VNet. VNet peering is limited to the networks in the same region.

Important

The VNet peering scenario for Managed Instance is limited to the networks in the same region due to constraints of Global Virtual Network peering. See also the relevant section of the Azure Virtual Networks Frequently Asked Questions article for more details.

Connect an on-premises application

Managed Instance can only be accessed through a private IP address. In order to access it from on-premises, you need to make a Site-to-Site connection between the application and the Managed Instance VNet.

There are two options for connecting on-premises to an Azure VNet:

If you've established the on-premises to Azure connection successfully and you can't establish a connection to Managed Instance, check whether your firewall allows outbound connections on SQL port 1433 as well as on the 11000-11999 range of ports used for redirection.

Connect an application on the developers box

Managed Instance can be accessed only through a private IP address, so in order to access it from your developer box, you first need to make a connection between your developer box and the Managed Instance VNet. To do so, configure a Point-to-Site connection to a VNet using native Azure certificate authentication. For more information, see Configure a point-to-site connection to connect to an Azure SQL Database Managed Instance from on-premises computer.

Connect from on-premises with VNet peering

Another scenario implemented by customers is one where the VPN gateway is installed in a separate virtual network and subscription from the one hosting Managed Instance. The two virtual networks are then peered. The following sample architecture diagram shows how this can be implemented.

[Diagram: VNet peering]

Once you have the basic infrastructure set up, you need to modify some settings so that the VPN Gateway can see the IP addresses in the virtual network that hosts the Managed Instance. To do so, make the following very specific changes under the Peering settings.

  1. In the VNet that hosts the VPN gateway, go to Peerings, then to the Managed Instance peered VNet connection, and then click Allow Gateway Transit.
  2. In the VNet that hosts the Managed Instance, go to Peerings, then to the VPN Gateway peered VNet connection, and then click Use remote gateways.

Connect an Azure App Service hosted application

Managed Instance can be accessed only through a private IP address, so in order to access it from Azure App Service you first need to make a connection between the application and the Managed Instance VNet. See Integrate your app with an Azure Virtual Network.

For troubleshooting, see Troubleshooting VNets and Applications. If a connection cannot be established, try syncing the networking configuration.

A special case of connecting Azure App Service to Managed Instance is when you have integrated Azure App Service with a network peered to the Managed Instance VNet. That case requires the following configuration to be set up:

  • Managed Instance VNet must NOT have a gateway
  • Managed Instance VNet must have the Use remote gateways option set
  • Peered VNet must have the Allow gateway transit option set

This scenario is illustrated in the following diagram:

[Diagram: Integrated app peering]

Note

The VNet Integration feature does not integrate an app with a VNet that has an ExpressRoute Gateway. Even if the ExpressRoute Gateway is configured in coexistence mode, the VNet Integration does not work. If you need to access resources through an ExpressRoute connection, then you can use an App Service Environment, which runs in your VNet.

Troubleshooting connectivity issues

For troubleshooting connectivity issues, review the following:

  • If you are unable to connect to Managed Instance from an Azure virtual machine within the same VNet but a different subnet, check whether a Network Security Group set on the VM subnet might be blocking access. Additionally, note that you need to open outbound connections on SQL port 1433 as well as on ports in the range 11000-11999, since those are needed for connecting via redirection inside the Azure boundary.

  • Ensure that BGP Propagation is set to Enabled for the route table associated with the VNet.

  • If using P2S VPN, check the configuration in the Azure portal to see if you see Ingress/Egress numbers. Non-zero numbers indicate that Azure is routing traffic to/from on-premises.

    [Screenshot: Ingress/Egress numbers]

  • Check that the client machine (that is running the VPN client) has route entries for all the VNets that you need to access. The routes are stored in %AppData%\Roaming\Microsoft\Network\Connections\Cm\<GUID>\routes.txt.

    [Screenshot: routes.txt]

    As shown in this image, there are two entries for each VNet involved and a third entry for the VPN endpoint that is configured in the Portal.

    Another way to check the routes is via the following command. The output shows the routes to the various subnets:

    C:\>route print -4
    ===========================================================================
    Interface List
    14...54 ee 75 67 6b 39 ......Intel(R) Ethernet Connection (3) I218-LM
    57...........................rndatavnet
    18...94 65 9c 7d e5 ce ......Intel(R) Dual Band Wireless-AC 7265
    1...........................Software Loopback Interface 1
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
           10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
           10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
    ===========================================================================
    Persistent Routes:
    None
    
  • If using VNet peering, ensure that you have followed the instructions for setting Allow Gateway Transit and Use Remote Gateways.
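The route check described above can be automated. The following is an added example, not part of the original article: it parses `route print -4` output and reports any VNet prefix that has no specific route or is routed through a different interface. The assumption that 172.26.34.2 is the VPN adapter address, the `vpn_iface` parameter name, and the third VNet 10.8.0.0/24 are illustrative.

```python
import re
from ipaddress import ip_network

# Destination, netmask, gateway (address or "On-link"), interface, metric.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)"
                 r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

def parse_routes(text):
    """Extract (network, gateway, interface, metric) from the Active Routes rows."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes

def check_vnets(text, vnets, vpn_iface):
    """Classify each VNet prefix as 'ok', 'missing' or 'wrong-interface'."""
    # The default route is ignored: falling back to it bypasses the tunnel.
    routes = [r for r in parse_routes(text) if r[0].prefixlen > 0]
    result = {}
    for cidr in vnets:
        net = ip_network(cidr)
        covering = [r for r in routes if net.subnet_of(r[0])]
        if not covering:
            result[cidr] = "missing"
            continue
        # Longest prefix wins; the lower metric breaks ties.
        best = max(covering, key=lambda r: (r[0].prefixlen, -r[3]))
        result[cidr] = "ok" if best[2] == vpn_iface else "wrong-interface"
    return result

# Route rows copied from the output shown in this article.
SAMPLE = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.83.72.1     10.83.74.112     35
         10.0.0.0    255.255.255.0         On-link       172.26.34.2     43
         10.4.0.0    255.255.255.0         On-link       172.26.34.2     43
"""

if __name__ == "__main__":
    # 10.8.0.0/24 is a constructed third VNet with no route on this client.
    vnets = ["10.0.0.0/24", "10.4.0.0/24", "10.8.0.0/24"]
    print(check_vnets(SAMPLE, vnets, "172.26.34.2"))
```

A prefix reported as missing would be sent to the default gateway instead of the tunnel, so the Managed Instance private IP address is unreachable from that client.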
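Both the on-premises firewall paragraph and the Network Security Group item above name the same outbound requirement: port 1433 plus the whole 11000-11999 redirect range. The following added example (not code from the original article) evaluates a prioritized outbound rule set and returns the parts of that requirement that are still blocked. The `Rule` type, the sample rules, the subnet 10.0.0.0/24 and the default-deny fallback are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the page requires outbound: SQL 1433 plus the redirect range 11000-11999.
REQUIRED = [(1433, 1433), (11000, 11999)]

@dataclass
class Rule:
    priority: int   # lower number is evaluated first; first match wins
    access: str     # "Allow" or "Deny"
    dest: str       # destination CIDR
    ports: tuple    # (low, high), inclusive

def matches(rule, target, port):
    """Allow must cover the whole subnet; Deny matches on any overlap (conservative)."""
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    dest = ip_network(rule.dest)
    return target.subnet_of(dest) if rule.access == "Allow" else target.overlaps(dest)

def blocked_ranges(rules, mi_subnet):
    """Return the required port ranges NOT allowed outbound to mi_subnet."""
    target = ip_network(mi_subnet)
    ordered = sorted(rules, key=lambda r: r.priority)
    blocked = []
    for low, high in REQUIRED:
        for port in range(low, high + 1):
            hit = next((r for r in ordered if matches(r, target, port)), None)
            # Assumption: traffic that matches no rule is denied.
            if hit is not None and hit.access == "Allow":
                continue
            if blocked and blocked[-1][1] == port - 1:
                blocked[-1] = (blocked[-1][0], port)   # extend the current gap
            else:
                blocked.append((port, port))
    return blocked

# Constructed rule set: 1433 is open, but a Deny at priority 200 shadows part
# of the redirect range before the broader Allow at priority 300 is reached.
SAMPLE_RULES = [
    Rule(100, "Allow", "10.0.0.0/24", (1433, 1433)),
    Rule(200, "Deny", "10.0.0.0/16", (11500, 11600)),
    Rule(300, "Allow", "10.0.0.0/16", (11000, 11999)),
]

if __name__ == "__main__":
    print(blocked_ranges(SAMPLE_RULES, "10.0.0.0/24"))
```

Scoping the Allow rules to the Managed Instance subnet rather than to any destination keeps the opening as narrow as the requirement itself.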

Required versions of drivers and tools

The following minimal versions of the tools and drivers are recommended if you want to connect to Managed Instance:

Driver/tool        Version
.NET Framework     4.6.1 (or .NET Core)
ODBC driver        v17
PHP driver         5.2.0
JDBC driver        6.4.0
Node.js driver     2.1.1
OLEDB driver       18.0.2.0
SSMS               18.0 or higher
SMO                150 or higher

Next steps