Introduction to Azure managed disks

Azure managed disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server, but virtualized. With managed disks, all you have to do is specify the disk size and the disk type, and provision the disk. Once you provision the disk, Azure handles the rest.

The available types of disks are ultra disks, premium solid-state drives (SSD), standard SSDs, and standard hard disk drives (HDD). For information about each individual disk type, see Select a disk type for IaaS VMs.

Benefits of managed disks

Let's go over some of the benefits you gain by using managed disks.

Highly durable and available

Managed disks are designed for 99.999% availability. Managed disks achieve this by providing you with three replicas of your data, allowing for high durability. If one or even two replicas experience issues, the remaining replicas help ensure persistence of your data and high tolerance against failures. This architecture has helped Azure consistently deliver enterprise-grade durability for infrastructure as a service (IaaS) disks, with an industry-leading zero percent annualized failure rate.

Simple and scalable VM deployment

Using managed disks, you can create up to 50,000 VM disks of a type in a subscription per region, allowing you to create thousands of VMs in a single subscription. This feature also further increases the scalability of virtual machine scale sets by allowing you to create up to 1,000 VMs in a virtual machine scale set using a Marketplace image.

Integration with availability sets

Managed disks are integrated with availability sets to ensure that the disks of VMs in an availability set are sufficiently isolated from each other to avoid a single point of failure. Disks are automatically placed in different storage scale units (stamps). If a stamp fails due to hardware or software failure, only the VM instances with disks on those stamps fail. For example, let's say you have an application running on five VMs, and the VMs are in an availability set. The disks for those VMs won't all be stored in the same stamp, so if one stamp goes down, the other instances of the application continue to run.

Integration with Availability Zones

Managed disks support Availability Zones, which is a high-availability offering that protects your applications from datacenter failures. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. With Availability Zones, Azure offers an industry-best 99.99% VM uptime SLA.

Azure Backup support

To protect against regional disasters, Azure Backup can be used to create a backup job with time-based backups and backup retention policies. This allows you to perform VM or managed disk restorations at will. Currently, Azure Backup supports disk sizes up to 32 tebibytes (TiB). Learn more about Azure VM backup support.

Azure Disk Backup

Azure Backup offers Azure Disk Backup (preview) as a native, cloud-based backup solution that protects your data in managed disks. It's a simple, secure, and cost-effective solution that enables you to configure protection for managed disks in a few steps. Azure Disk Backup offers a turnkey solution that provides snapshot lifecycle management for managed disks by automating periodic creation of snapshots and retaining them for a configured duration using a backup policy. For details on Azure Disk Backup, see Overview of Azure Disk Backup (in preview).

Granular access control

You can use Azure role-based access control (Azure RBAC) to assign specific permissions for a managed disk to one or more users. Managed disks expose a variety of operations, including read, write (create/update), delete, and retrieving a shared access signature (SAS) URI for the disk. You can grant access to only the operations a person needs to perform their job. For example, if you don't want a person to copy a managed disk to a storage account, you can choose not to grant access to the export action for that managed disk. Similarly, if you don't want a person to use a SAS URI to copy a managed disk, you can choose not to grant that permission to the managed disk.
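To check which roles actually carry the export permission described above, the following added example (not part of the original article) evaluates role definitions against the disk SAS action, including wildcard grants and `notActions` subtraction. The role names and sample definitions are constructed; the JSON shape follows `az role definition list` output.

```python
from fnmatch import fnmatchcase

# Action behind "retrieve a SAS URI for the disk" (export) in the
# Microsoft.Compute resource provider operations.
EXPORT_ACTION = "Microsoft.Compute/disks/beginGetAccess/action"

# Constructed role definitions in the shape `az role definition list` returns.
SAMPLE_ROLES = [
    {"roleName": "constructed-disk-operator",
     "permissions": [{"actions": ["Microsoft.Compute/disks/read",
                                  "Microsoft.Compute/disks/write"],
                      "notActions": []}]},
    {"roleName": "constructed-disk-admin",
     "permissions": [{"actions": ["Microsoft.Compute/disks/*"],
                      "notActions": []}]},
    {"roleName": "constructed-disk-admin-no-export",
     "permissions": [{"actions": ["Microsoft.Compute/disks/*"],
                      "notActions": [EXPORT_ACTION]}]},
    {"roleName": "constructed-owner-like",
     "permissions": [{"actions": ["*"], "notActions": []}]},
]


def _matches(patterns, action):
    """Action strings compare case-insensitively; '*' matches any run of characters."""
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def role_allows(role, action):
    """True if some permission block grants the action and does not subtract it."""
    return any(
        _matches(perm.get("actions", []), action)
        and not _matches(perm.get("notActions", []), action)
        for perm in role.get("permissions", [])
    )


def roles_allowing_export(roles):
    """Names of roles whose holders can request a SAS URI for a managed disk."""
    return sorted(r["roleName"] for r in roles if role_allows(r, EXPORT_ACTION))


if __name__ == "__main__":
    for name in roles_allowing_export(SAMPLE_ROLES):
        print("can export disks via SAS:", name)
```

`notActions` only subtracts within its own role definition and is not a deny: a second role assigned to the same principal can still grant the action, so run the check over every role the principal holds.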

Upload your VHD

Direct upload makes it easy to transfer your VHD to an Azure managed disk. Previously, you had to follow a more involved process that included staging your data in a storage account. Now, there are fewer steps. It is easier to upload on-premises VMs to Azure and to upload to large managed disks, and the backup and restore process is simplified. It also reduces cost by allowing you to upload data to managed disks directly without attaching them to VMs. You can use direct upload to upload VHDs up to 32 TiB in size.

To learn how to transfer your VHD to Azure, see the CLI or PowerShell articles.

Security

Private Link support for managed disks can be used to import or export a managed disk internal to your network. Private Link allows you to generate a time-bound shared access signature (SAS) URI for unattached managed disks and snapshots that you can use to export the data to other regions for regional expansion, disaster recovery, and forensic analysis. You can also use the SAS URI to directly upload a VHD to an empty disk from on-premises. Now you can use Private Link to restrict the export and import of managed disks so that it can only occur within your Azure virtual network. Private Link lets you ensure that your data only travels within the secure Microsoft backbone network.

To learn how to enable Private Link for importing or exporting a managed disk, see the CLI or Portal articles.

Encryption

Managed disks offer two different kinds of encryption. The first is server-side encryption (SSE), which is performed by the storage service. The second is Azure Disk Encryption (ADE), which you can enable on the OS and data disks for your VMs.

Server-side encryption

Server-side encryption provides encryption at rest and safeguards your data to meet your organizational security and compliance commitments. Server-side encryption is enabled by default for all managed disks, snapshots, and images, in all the regions where managed disks are available. (Temporary disks, on the other hand, are not encrypted by server-side encryption unless you enable encryption at host; see Disk roles: temporary disks.)

You can either allow Azure to manage your keys for you (platform-managed keys), or you can manage the keys yourself (customer-managed keys). Visit the Server-side encryption of Azure Disk Storage article for details.
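The Private Link restriction from the Security section and the key-management choice above can both be checked from a disk inventory. This added example (not from the original article) audits records shaped like `az disk list -o json` output; the disk names and inventory are constructed, and the finding labels are hypothetical names chosen for this sketch.

```python
import json

# Constructed sample, trimmed to the fields used, in the shape of `az disk list -o json`.
SAMPLE_DISKS = json.loads("""[
  {"name": "web-os", "diskState": "Attached", "networkAccessPolicy": "AllowAll",
   "diskAccessId": null, "encryption": {"type": "EncryptionAtRestWithPlatformKey"}},
  {"name": "db-data", "diskState": "Attached", "networkAccessPolicy": "AllowPrivate",
   "diskAccessId": "<constructed disk access resource id>",
   "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
  {"name": "forensic-copy", "diskState": "ActiveSAS", "networkAccessPolicy": "AllowAll",
   "diskAccessId": null, "encryption": {"type": "EncryptionAtRestWithCustomerKey"}},
  {"name": "archive", "diskState": "Unattached", "networkAccessPolicy": "DenyAll",
   "diskAccessId": null, "encryption": {"type": "EncryptionAtRestWithPlatformKey"}}
]""")

# Policies under which SAS export/import is not reachable from public networks.
RESTRICTED = {"AllowPrivate", "DenyAll"}


def audit_disk(disk, require_cmk=False):
    """Return hypothetical finding labels for one disk record."""
    findings = []
    policy = disk.get("networkAccessPolicy")
    if policy not in RESTRICTED:
        # Anything other than AllowPrivate/DenyAll is treated as unrestricted.
        findings.append("export-not-restricted")
    if policy == "AllowPrivate" and not disk.get("diskAccessId"):
        # Private policy needs a disk access resource to bind to a private endpoint.
        findings.append("private-policy-without-disk-access")
    if disk.get("diskState") == "ActiveSAS":
        # A SAS URI is currently outstanding for this disk.
        findings.append("sas-outstanding")
    enc_type = (disk.get("encryption") or {}).get("type", "")
    if require_cmk and "CustomerKey" not in enc_type:
        # Only a finding where policy mandates customer-managed keys.
        findings.append("platform-managed-key")
    return findings


def audit(disks, require_cmk=False):
    """Map disk name -> findings, omitting disks with nothing to report."""
    report = {d["name"]: audit_disk(d, require_cmk) for d in disks}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_DISKS, require_cmk=True).items():
        print(f"{name}: {', '.join(found)}")
```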

Azure Disk Encryption

Azure Disk Encryption allows you to encrypt the OS and data disks used by an IaaS virtual machine. This encryption includes managed disks. For Windows, the drives are encrypted using industry-standard BitLocker encryption technology. For Linux, the disks are encrypted using the DM-Crypt technology. The encryption process is integrated with Azure Key Vault to allow you to control and manage the disk encryption keys. For more information, see Azure Disk Encryption for Linux VMs or Azure Disk Encryption for Windows VMs.

Disk roles

There are three main disk roles in Azure: the data disk, the OS disk, and the temporary disk. These roles map to disks that are attached to your virtual machine.

[Figure: disk roles in action]

Data disk

A data disk is a managed disk that's attached to a virtual machine to store application data, or other data you need to keep. Data disks are registered as SCSI drives and are labeled with a letter that you choose. Each data disk has a maximum capacity of 32,767 gibibytes (GiB). The size of the virtual machine determines how many data disks you can attach to it and the type of storage you can use to host the disks.

OS disk

Every virtual machine has one attached operating system disk. That OS disk has a pre-installed OS, which was selected when the VM was created. This disk contains the boot volume.

This disk has a maximum capacity of 4,095 GiB.

Temporary disk

Most VMs contain a temporary disk, which is not a managed disk. The temporary disk provides short-term storage for applications and processes, and is intended to only store data such as page or swap files. Data on the temporary disk may be lost during a maintenance event or when you redeploy a VM. During a successful standard reboot of the VM, data on the temporary disk will persist. For more information about VMs without temporary disks, see Azure VM sizes with no local temporary disk.

On Azure Linux VMs, the temporary disk is typically /dev/sdb, and on Windows VMs the temporary disk is D: by default. The temporary disk is not encrypted by server-side encryption unless you enable encryption at host.

Managed disk snapshots

A managed disk snapshot is a read-only, crash-consistent full copy of a managed disk that is stored as a standard managed disk by default. With snapshots, you can back up your managed disks at any point in time. These snapshots exist independent of the source disk and can be used to create new managed disks.

Snapshots are billed based on the used size. For example, if you create a snapshot of a managed disk with provisioned capacity of 64 GiB and actual used data size of 10 GiB, that snapshot is billed only for the used data size of 10 GiB. You can see the used size of your snapshots by looking at the Azure usage report. For example, if the used data size of a snapshot is 10 GiB, the daily usage report will show 10 GiB/(31 days) = 0.3226 as the consumed quantity.

To learn more about how to create snapshots for managed disks, see the following resources:

Images

Managed disks also support creating a managed custom image. You can create an image from your custom VHD in a storage account or directly from a generalized (sysprepped) VM. This process captures a single image. This image contains all managed disks associated with a VM, including both the OS and data disks. This managed custom image enables creating hundreds of VMs using your custom image without the need to copy or manage any storage accounts.

For information on creating images, see the following articles:

Images versus snapshots

It's important to understand the difference between images and snapshots. With managed disks, you can take an image of a generalized VM that has been deallocated. This image includes all of the disks attached to the VM. You can use this image to create a VM, and it includes all of the disks.

A snapshot is a copy of a disk at the point in time the snapshot is taken. It applies only to one disk. If you have a VM that has one disk (the OS disk), you can take a snapshot or an image of it and create a VM from either the snapshot or the image.

A snapshot doesn't have awareness of any disk except the one it contains. This makes it problematic to use in scenarios that require the coordination of multiple disks, such as striping. Snapshots would need to be able to coordinate with each other, and this is currently not supported.

Disk allocation and performance

The following diagram depicts real-time allocation of bandwidth and IOPS for disks, using a three-level provisioning system:

[Figure: three-level provisioning system showing bandwidth and IOPS allocation]

The first-level provisioning sets the per-disk IOPS and bandwidth assignment. At the second level, the compute server host implements SSD provisioning, applying it only to data that is stored on the server's SSD, which includes disks with caching (ReadWrite and ReadOnly) as well as local and temp disks. Finally, VM network provisioning takes place at the third level for any I/O that the compute host sends to Azure Storage's backend. With this scheme, the performance of a VM depends on a variety of factors, from how the VM uses the local SSD, to the number of disks attached, as well as the performance and caching type of the disks it has attached.

As an example of these limitations, a Standard_DS1v1 VM is prevented from achieving the 5,000 IOPS potential of a P30 disk, whether it is cached or not, because of limits at the SSD and network levels:

[Figure: Standard_DS1v1 example allocation]

Azure uses a prioritized network channel for disk traffic, which takes precedence over other, lower-priority network traffic. This helps disks maintain their expected performance in case of network contention. Similarly, Azure Storage handles resource contention and other issues in the background with automatic load balancing. Azure Storage allocates required resources when you create a disk, and applies proactive and reactive balancing of resources to handle the traffic level. This further ensures disks can sustain their expected IOPS and throughput targets. You can use the VM-level and disk-level metrics to track performance and set up alerts as needed.

Refer to our design for high performance article to learn the best practices for optimizing VM and disk configurations so that you can achieve your desired performance.

Next steps

If you'd like a video going into more detail on managed disks, check out: Better Azure VM Resiliency with Managed Disks.

Learn more about the individual disk types Azure offers, which type is a good fit for your needs, and learn about their performance targets in our article on disk types.