Use virtual network service endpoints and rules for database servers

Virtual network rules are one firewall security feature that controls whether the database server for your single databases and elastic pools in Azure SQL Database, or for your databases in SQL Data Warehouse, accepts communications that are sent from particular subnets in virtual networks. This article explains why the virtual network rule feature is sometimes your best option for securely allowing communication to your Azure SQL Database and SQL Data Warehouse.

Important

This article applies to Azure SQL server, and to both SQL Database and SQL Data Warehouse databases that are created on the Azure SQL server. For simplicity, SQL Database is used when referring to both SQL Database and SQL Data Warehouse. This article does not apply to a managed instance deployment in Azure SQL Database because it does not have a service endpoint associated with it.

To create a virtual network rule, there must first be a virtual network service endpoint for the rule to reference.

How to create a virtual network rule

If you only want to create a virtual network rule, you can skip ahead to the steps and explanation later in this article.

Details about virtual network rules

This section describes several details about virtual network rules.

Only one geographic region

Each Virtual Network service endpoint applies to only one Azure region. The endpoint does not enable other regions to accept communication from the subnet.

Any virtual network rule is limited to the region that its underlying endpoint applies to.

Server-level, not database-level

Each virtual network rule applies to your whole Azure SQL Database server, not just to one particular database on the server. In other words, a virtual network rule applies at the server level, not at the database level.

  • In contrast, IP rules can apply at either level.

Security administration roles

There is a separation of security roles in the administration of Virtual Network service endpoints. Action is required from each of the following roles:

  • Network Admin: Turn on the endpoint.
  • Database Admin: Update the access control list (ACL) to add the given subnet to the SQL Database server.

RBAC alternative:

The roles of Network Admin and Database Admin have more capabilities than are needed to manage virtual network rules. Only a subset of their capabilities is needed.

You have the option of using role-based access control (RBAC) in Azure to create a single custom role that has only the necessary subset of capabilities. The custom role could be used instead of involving either the Network Admin or the Database Admin. The surface area of your security exposure is lower if you add a user to a custom role than if you add the user to either of the two major administrator roles.

Note

In some cases the Azure SQL Database and the VNet-subnet are in different subscriptions. In these cases you must ensure the following configurations:

  • Both subscriptions must be in the same Azure Active Directory tenant.
  • The user has the required permissions to initiate operations, such as enabling service endpoints and adding a VNet-subnet to the given server.
  • Both subscriptions must have the Microsoft.Sql provider registered.

Limitations

For Azure SQL Database, the virtual network rules feature has the following limitations:

  • In the firewall for your SQL Database, each virtual network rule references a subnet. All these referenced subnets must be hosted in the same geographic region that hosts the SQL Database.

  • Each Azure SQL Database server can have up to 128 ACL entries for any given virtual network.

  • Virtual network rules apply only to Azure Resource Manager virtual networks, and not to classic deployment model networks.

  • Turning ON virtual network service endpoints to Azure SQL Database also enables the endpoints for the MySQL and PostgreSQL Azure services. However, with endpoints ON, attempts to connect from the endpoints to your MySQL or PostgreSQL instances may fail.

    • The underlying reason is that MySQL and PostgreSQL likely do not have a virtual network rule configured. Once you configure a virtual network rule for Azure Database for MySQL and PostgreSQL, the connection will succeed.
  • On the firewall, IP address ranges do apply to the following networking items, but virtual network rules do not:

Considerations when using Service Endpoints

When using service endpoints for Azure SQL Database, review the following considerations:

  • Outbound to Azure SQL Database public IPs is required: Network Security Groups (NSGs) must be opened to Azure SQL Database IPs to allow connectivity. You can do this by using NSG Service Tags for Azure SQL Database.

ExpressRoute

If you are using ExpressRoute from your premises, for public peering or Microsoft peering, you will need to identify the NAT IP addresses that are used. For public peering, each ExpressRoute circuit by default uses two NAT IP addresses, applied to Azure service traffic when the traffic enters the Microsoft Azure network backbone. For Microsoft peering, the NAT IP address(es) that are used are either customer provided or provided by the service provider. To allow access to your service resources, you must allow these public IP addresses in the resource IP firewall setting. To find your public peering ExpressRoute circuit IP addresses, open a support ticket with ExpressRoute via the Azure portal. Learn more about NAT for ExpressRoute public and Microsoft peering.

To allow communication from your circuit to Azure SQL Database, you must create IP network rules for the public IP addresses of your NAT.
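The two points above (opening the NSG outbound path with the Azure SQL service tag, and adding IP firewall rules for the ExpressRoute NAT addresses) as one added PowerShell example. This is not code from the original article; the resource group, NSG and server names are placeholders, and the two NAT addresses are constructed TEST-NET-3 values that you must replace with the ones from your ExpressRoute support ticket or provider.

```powershell
# Added example (not from the original article): allow outbound TCP/1433 to the Azure SQL
# service tag in the NSG, then add one IP firewall rule per ExpressRoute NAT address on the
# logical server. Names and NAT addresses are placeholders.
$resourceGroup = 'my-resource-group'
$nsgName       = 'app-subnet-nsg'
$sqlServerName = 'my-sql-server'
# Constructed placeholders (TEST-NET-3); replace with the circuit's real NAT IPs.
$expressRouteNatIps = @('203.0.113.10', '203.0.113.11')

Connect-AzAccount | Out-Null

# 1. NSG: an outbound rule whose destination is the "Sql" service tag rather than "Internet",
#    so the subnet can reach Azure SQL public IPs without being opened to everything.
#    A regional tag such as "Sql.WestUS" narrows it further if the server lives in one region.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-Outbound-AzureSql' `
    -Description 'Outbound to Azure SQL public IPs via service tag' `
    -Access Allow -Protocol Tcp -Direction Outbound -Priority 100 `
    -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
    -DestinationAddressPrefix 'Sql' -DestinationPortRange 1433 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 2. Logical server firewall: one IP rule per NAT address, each a single /32 (start = end),
#    never a range that would also admit neighbouring addresses.
$i = 0
foreach ($ip in $expressRouteNatIps) {
    $i++
    New-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName `
        -FirewallRuleName "ExpressRoute-NAT-$i" -StartIpAddress $ip -EndIpAddress $ip | Out-Null
}

# 3. Verify: list the server's IP rules and mark the ones wider than a single host.
Get-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress,
        @{ Name = 'SingleHost'; Expression = { $_.StartIpAddress -eq $_.EndIpAddress } } |
    Format-Table -AutoSize
```

The IP rules created here are the "IP network rules" the paragraph refers to; they are separate from virtual network rules, which do not apply to ExpressRoute traffic.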

Impact of using VNet Service Endpoints with Azure storage

Azure Storage has implemented the same feature that allows you to limit connectivity to your Azure Storage account. If you choose to use this feature with an Azure Storage account that is being used by Azure SQL Server, you can run into issues. Next is a list and discussion of Azure SQL Database and Azure SQL Data Warehouse features that are impacted by this.

Azure SQL Data Warehouse PolyBase

PolyBase is commonly used to load data into Azure SQL Data Warehouse from Azure Storage accounts. If the Azure Storage account that you are loading data from limits access to only a set of VNet-subnets, connectivity from PolyBase to the account will break. To enable both PolyBase import and export scenarios with Azure SQL Data Warehouse connecting to Azure Storage that is secured to a VNet, follow the steps indicated below:

Prerequisites

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Important

The PowerShell Azure Resource Manager module is still supported by Azure SQL Database, but all future development is for the Az.Sql module. For these cmdlets, see AzureRM.Sql. The arguments for the commands in the Az module and in the AzureRm module are substantially identical.

  1. Install Azure PowerShell using this guide.
  2. If you have a general-purpose v1 or blob storage account, you must first upgrade to general-purpose v2 using this guide.
  3. You must have Allow trusted Microsoft services to access this storage account turned on under the Azure Storage account Firewalls and virtual networks settings menu. Refer to this guide for more information.

Steps

  1. In PowerShell, register the Azure SQL Server hosting your Azure SQL Data Warehouse instance with Azure Active Directory (AAD):

    Connect-AzAccount
    Select-AzSubscription -SubscriptionId your-subscriptionId
    # -AssignIdentity gives the logical server a system-assigned managed identity in AAD
    Set-AzSqlServer -ResourceGroupName your-database-server-resourceGroup -ServerName your-SQL-servername -AssignIdentity
    
  2. Create a general-purpose v2 Storage Account using this guide.

    Note

    • If you have a general-purpose v1 or blob storage account, you must first upgrade to v2 using this guide.
    • For known issues with Azure Data Lake Storage Gen2, please refer to this guide.
  3. Under your storage account, navigate to Access Control (IAM), and click Add role assignment. Assign the Storage Blob Data Contributor RBAC role to the Azure SQL Server hosting your Azure SQL Data Warehouse, which you registered with Azure Active Directory (AAD) in step 1.

    Note

    Only members with Owner privilege can perform this step. For the various built-in roles for Azure resources, refer to this guide.

  4. PolyBase connectivity to the Azure Storage account:

    1. Create a database master key if you haven't created one earlier:

      -- ENCRYPTION BY PASSWORD is optional here; if you include it, use a strong password of your own
      CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'somepassword';
      
    2. Create a database scoped credential with IDENTITY = 'Managed Service Identity':

      CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';
      

      Note

      • There is no need to specify SECRET with an Azure Storage access key because this mechanism uses Managed Identity under the covers.
      • The IDENTITY name should be 'Managed Service Identity' for PolyBase connectivity to work with an Azure Storage account secured to a VNet.
    3. Create an external data source with the abfss:// scheme for connecting to your general-purpose v2 storage account using PolyBase:

      CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (TYPE = hadoop, LOCATION = 'abfss://myfile@mystorageaccount.dfs.core.windows.net', CREDENTIAL = msi_cred);
      

      Note

      • If you already have external tables associated with a general-purpose v1 or blob storage account, you should first drop those external tables and then drop the corresponding external data source. Then create an external data source with the abfss:// scheme connecting to the general-purpose v2 storage account as above, and re-create all the external tables using this new external data source. You can use the Generate and Publish Scripts Wizard to generate create scripts for all the external tables.
      • For more information on the abfss:// scheme, refer to this guide.
      • For more information on CREATE EXTERNAL DATA SOURCE, refer to this guide.
    4. Query as normal using external tables.
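The whole procedure above, scripted end to end, as an added PowerShell example that is not part of the original article. It assigns the server identity (step 1), checks the storage account kind and the trusted-services bypass (prerequisites), grants Storage Blob Data Contributor scoped to that one account (step 3), and then runs the three T-SQL statements of step 4 over a SqlClient connection, skipping any object that already exists. All names, the SQL login, the master key password and the storage container are placeholders; the script assumes the storage account is already restricted to your VNet subnets, so only the AzureServices bypass is changed.

```powershell
# Added example (not from the original article): script the PolyBase-to-secured-storage
# setup. Every name and password below is a placeholder.
$resourceGroup = 'my-resource-group'
$sqlServerName = 'my-sql-server'        # logical server hosting the SQL Data Warehouse
$dwName        = 'my-sqldw'
$storageName   = 'mystorageaccount'
$container     = 'myfile'

Connect-AzAccount | Out-Null
Select-AzSubscription -SubscriptionId 'your-subscriptionId' | Out-Null

# Step 1: system-assigned identity for the logical server in Azure AD.
$server      = Set-AzSqlServer -ResourceGroupName $resourceGroup -ServerName $sqlServerName -AssignIdentity
$principalId = $server.Identity.PrincipalId

# Prerequisites: the account must be general-purpose v2, and trusted Microsoft services must be
# allowed through its firewall. DefaultAction is left as-is (assumed already Deny, VNet-restricted).
$storage = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageName
if ($storage.Kind -ne 'StorageV2') {
    throw "Storage account '$storageName' is kind '$($storage.Kind)'; upgrade to StorageV2 first."
}
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup -Name $storageName `
    -Bypass AzureServices | Out-Null

# Step 3: Storage Blob Data Contributor for the server identity, scoped to this account only
# (not the subscription), and only if it is not already assigned.
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $storage.Id `
    -RoleDefinitionName 'Storage Blob Data Contributor' -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Storage Blob Data Contributor' `
        -Scope $storage.Id | Out-Null
}

# Step 4: T-SQL in the data warehouse. Each object is created only if missing, so the script is
# safe to re-run. The credential carries no SECRET: the server's managed identity is used.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Password-1';
IF NOT EXISTS (SELECT 1 FROM sys.database_scoped_credentials WHERE name = 'msi_cred')
    CREATE DATABASE SCOPED CREDENTIAL msi_cred WITH IDENTITY = 'Managed Service Identity';
IF NOT EXISTS (SELECT 1 FROM sys.external_data_sources WHERE name = 'ext_datasource_with_abfss')
    CREATE EXTERNAL DATA SOURCE ext_datasource_with_abfss WITH (
        TYPE = hadoop,
        LOCATION = 'abfss://$container@$storageName.dfs.core.windows.net',
        CREDENTIAL = msi_cred);
"@

# SQL login for the warehouse; prompted rather than stored in the script.
$sqlPassword = Read-Host -Prompt 'SQL admin password' -AsSecureString
$cred = New-Object System.Management.Automation.PSCredential('sqladmin', $sqlPassword)
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Server']   = "tcp:$sqlServerName.database.windows.net,1433"
$builder['Database'] = $dwName
$builder['User ID']  = $cred.UserName
$builder['Password'] = $cred.GetNetworkCredential().Password
$builder['Encrypt']  = $true
$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ConnectionString)
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    [void]$cmd.ExecuteNonQuery()
} finally {
    $conn.Close()
}
```

The role assignment is deliberately scoped to the storage account resource rather than the resource group or subscription: the server identity only needs to read and write blobs in the account PolyBase loads from, and a wider scope would let it reach every other account in that scope.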

Azure SQL Database Blob Auditing

Blob auditing pushes audit logs to your own storage account. If this storage account uses the VNet Service endpoints feature, then connectivity from Azure SQL Database to the storage account will break.

Adding a VNet Firewall rule to your server without turning On VNet Service Endpoints

Long ago, before this feature was enhanced, you were required to turn VNet service endpoints On before you could implement a live VNet rule in the Firewall. The endpoints related a given VNet-subnet to an Azure SQL Database. But now, as of January 2018, you can circumvent this requirement by setting the IgnoreMissingVNetServiceEndpoint flag.

Merely setting a Firewall rule does not help secure the server. You must also turn VNet service endpoints On for the security to take effect. When you turn service endpoints On, your VNet-subnet experiences downtime until it completes the transition from Off to On. This is especially true in the context of large VNets. You can use the IgnoreMissingVNetServiceEndpoint flag to reduce or eliminate the downtime during transition.

You can set the IgnoreMissingVNetServiceEndpoint flag by using PowerShell. For details, see PowerShell to create a Virtual Network service endpoint and rule for Azure SQL Database.

Errors 40914 and 40615

Connection error 40914 relates to virtual network rules, as specified on the Firewall pane in the Azure portal. Error 40615 is similar, except that it relates to IP address rules on the Firewall.

Error 40914

Message text: Cannot open server '[server-name]' requested by the login. Client is not allowed to access the server.

Error description: The client is in a subnet that has virtual network server endpoints. But the Azure SQL Database server has no virtual network rule that grants the subnet the right to communicate with the SQL Database.

Error resolution: On the Firewall pane of the Azure portal, use the virtual network rules control to add a virtual network rule for the subnet.

Error 40615

Message text: Cannot open server '{0}' requested by the login. Client with IP address '{1}' is not allowed to access the server.

Error description: The client is trying to connect from an IP address that is not authorized to connect to the Azure SQL Database server. The server firewall has no IP address rule that allows a client to communicate from the given IP address to the SQL Database.

Error resolution: Enter the client's IP address as an IP rule. Do this by using the Firewall pane in the Azure portal.

A list of several SQL Database error messages is documented here.

Portal can create a virtual network rule

This section illustrates how you can use the Azure portal to create a virtual network rule in your Azure SQL Database. The rule tells your SQL Database to accept communication from a particular subnet that has been tagged as being a Virtual Network service endpoint.

Note

If you intend to add a service endpoint to the VNet firewall rules of your Azure SQL Database server, first ensure that service endpoints are turned On for the subnet.

If service endpoints are not turned on for the subnet, the portal asks you to enable them. Click the Enable button on the same blade on which you add the rule.

PowerShell alternative

A PowerShell script can also create virtual network rules. The crucial cmdlet is New-AzSqlServerVirtualNetworkRule. If interested, see PowerShell to create a Virtual Network service endpoint and rule for Azure SQL Database.
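An added PowerShell example, not from the original article, that serves both this section and the IgnoreMissingVNetServiceEndpoint discussion above: it creates the virtual network rule with New-AzSqlServerVirtualNetworkRule while the subnet's endpoint is still Off (the flag is what makes that call succeed), then turns the Microsoft.Sql service endpoint On for the subnet, and finally polls the rule until it leaves the InProgress state. The resource group, server, VNet, subnet and rule names are placeholders.

```powershell
# Added example (not from the original article): rule first, endpoint second, then verify.
# Names are placeholders.
$resourceGroup = 'my-resource-group'
$sqlServerName = 'my-sql-server'
$vnetName      = 'my-vnet'
$subnetName    = 'app-subnet'
$ruleName      = 'allow-app-subnet'

Connect-AzAccount | Out-Null

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName

# 1. Create the rule while the endpoint is still Off. Without -IgnoreMissingVnetServiceEndpoint
#    this call is rejected because the subnet is not yet tagged with Microsoft.Sql.
#    The rule grants nothing until the endpoint is On, so this does not widen access early.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName `
    -VirtualNetworkRuleName $ruleName -VirtualNetworkSubnetId $subnet.Id `
    -IgnoreMissingVnetServiceEndpoint | Out-Null

# 2. Turn the Microsoft.Sql endpoint On for the subnet, keeping any endpoints already there
#    and re-passing the NSG and route table so the subnet config update does not drop them.
$endpoints = @($subnet.ServiceEndpoints | ForEach-Object { $_.Service })
if ($endpoints -notcontains 'Microsoft.Sql') { $endpoints += 'Microsoft.Sql' }
$subnetParams = @{
    VirtualNetwork  = $vnet
    Name            = $subnetName
    AddressPrefix   = $subnet.AddressPrefix
    ServiceEndpoint = $endpoints
}
if ($subnet.NetworkSecurityGroup) { $subnetParams.NetworkSecurityGroupId = $subnet.NetworkSecurityGroup.Id }
if ($subnet.RouteTable)           { $subnetParams.RouteTableId = $subnet.RouteTable.Id }
Set-AzVirtualNetworkSubnetConfig @subnetParams | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Poll the rule: Ready means it is active, Failed means it was not applied. While it is
#    InProgress the previous rule set is still what the server enforces.
$deadline = (Get-Date).AddMinutes(10)
do {
    $rule = Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $resourceGroup `
        -ServerName $sqlServerName -VirtualNetworkRuleName $ruleName
    if ($rule.State -eq 'InProgress') { Start-Sleep -Seconds 15 }
} while ($rule.State -eq 'InProgress' -and (Get-Date) -lt $deadline)

if ($rule.State -ne 'Ready') { throw "Rule '$ruleName' ended in state '$($rule.State)'." }
"Rule '$ruleName' is Ready for subnet $($subnet.Id)"
```

Creating the rule before the endpoint is what lets the subnet go through its Off-to-On transition once, with the rule already in place, instead of a second change to the server afterwards; the check in step 3 is what tells you the rule is actually enforced rather than merely submitted.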

REST API alternative

Internally, the PowerShell cmdlets for SQL VNet actions call REST APIs. You can call the REST APIs directly.

Prerequisites

You must already have a subnet that is tagged with the particular Virtual Network service endpoint type name relevant to Azure SQL Database.

Azure portal steps

  1. Sign in to the Azure portal.

  2. Then navigate the portal to SQL servers > Firewall / Virtual Networks.

  3. Set the Allow access to Azure services control to OFF.

    Important

    If you leave the control set to ON, your Azure SQL Database server accepts communication from any subnet inside the Azure boundary, that is, originating from one of the IP addresses that is recognized as being within the ranges defined for Azure data centers. Leaving the control set to ON might be excessive access from a security point of view. The Microsoft Azure Virtual Network service endpoint feature, in coordination with the virtual network rule feature of SQL Database, can together reduce your security surface area.

  4. Click the + Add existing control, in the Virtual networks section.

    (Screenshot: Click Add existing, subnet endpoint as a SQL rule.)

  5. In the new Create/Update pane, fill in the controls with the names of your Azure resources.

    Tip

    You must include the correct Address prefix for your subnet. You can find the value in the portal. Navigate All resources > All types > Virtual networks. The filter displays your virtual networks. Click your virtual network, and then click Subnets. The ADDRESS RANGE column has the Address prefix you need.

    (Screenshot: Fill in the fields for the new rule.)

  6. Click the OK button near the bottom of the pane.

  7. See the resulting virtual network rule on the firewall pane.

    (Screenshot: See the new rule on the firewall pane.)

Note

The following statuses or states apply to the rules:

  • Ready: Indicates that the operation that you initiated has succeeded.
  • Failed: Indicates that the operation that you initiated has failed.
  • Deleted: Only applies to the Delete operation, and indicates that the rule has been deleted and no longer applies.
  • InProgress: Indicates that the operation is in progress. The old rule applies while the operation is in this state.
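An added PowerShell audit, not from the original article, that checks the outcome of the portal steps above on one logical server: it flags the firewall rule that the Allow access to Azure services toggle leaves behind when ON (the rule named AllowAllWindowsAzureIps, with 0.0.0.0 as both start and end address), reports each virtual network rule's state using the states listed in the note, and confirms that the subnet each rule references actually has the Microsoft.Sql endpoint On. The resource group and server names are placeholders.

```powershell
# Added example (not from the original article): audit a server's IP and VNet rules.
# Names are placeholders.
$resourceGroup = 'my-resource-group'
$sqlServerName = 'my-sql-server'

Connect-AzAccount | Out-Null

$findings = @()

# 1. IP rules. The "Allow access to Azure services" toggle is stored as a 0.0.0.0 rule named
#    AllowAllWindowsAzureIps; any range wider than one host also deserves a second look.
foreach ($r in Get-AzSqlServerFirewallRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName) {
    $allowAzure = ($r.FirewallRuleName -eq 'AllowAllWindowsAzureIps') -or
                  ($r.StartIpAddress -eq '0.0.0.0' -and $r.EndIpAddress -eq '0.0.0.0')
    $issue = ''
    if ($allowAzure) {
        $issue = 'Allow access to Azure services is ON: any Azure-hosted address is accepted'
    } elseif ($r.StartIpAddress -ne $r.EndIpAddress) {
        $issue = 'Range rule: confirm every address in the range is yours'
    }
    $findings += [pscustomobject]@{
        Kind   = 'IpRule'
        Name   = $r.FirewallRuleName
        Detail = "$($r.StartIpAddress)-$($r.EndIpAddress)"
        Issue  = $issue
    }
}

# 2. VNet rules: state as listed in the note above, plus whether the subnet is tagged for Microsoft.Sql.
foreach ($v in Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $resourceGroup -ServerName $sqlServerName) {
    # Subnet id shape: /subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Network/
    #                  virtualNetworks/<vnet>/subnets/<subnet>
    $parts  = $v.VirtualNetworkSubnetId -split '/'
    $vnetRg = $parts[[array]::IndexOf($parts, 'resourceGroups') + 1]
    $vnetNm = $parts[[array]::IndexOf($parts, 'virtualNetworks') + 1]
    $subNm  = $parts[-1]
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetNm
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subNm
    $hasEndpoint = @($subnet.ServiceEndpoints | Where-Object { $_.Service -eq 'Microsoft.Sql' }).Count -gt 0

    $issue = ''
    if ($v.State -eq 'Failed') {
        $issue = 'Rule failed: the subnet is not allowed'
    } elseif ($v.State -eq 'InProgress') {
        $issue = 'Still applying: the old rule set is in effect'
    } elseif (-not $hasEndpoint) {
        $issue = 'Subnet has no Microsoft.Sql endpoint: the rule is not enforceable yet'
    }
    $findings += [pscustomobject]@{
        Kind   = 'VNetRule'
        Name   = $v.VirtualNetworkRuleName
        Detail = "$vnetNm/$subNm state=$($v.State)"
        Issue  = $issue
    }
}

$findings | Format-Table -AutoSize
```

Run it after the portal steps: a clean result is a table with an empty Issue column for every row, no AllowAllWindowsAzureIps entry, and every VNet rule in the Ready state.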

The virtual network rule feature for Azure SQL Database became available in late September 2017.

Next steps