azure云数据库_配置Azure SQL数据库防火墙

azure云数据库

介绍 (Introduction)

The Azure SQL Database firewall lets you decide which IP addresses may or may not have access to either your Azure SQL Server or your Azure SQL database.

Azure SQL数据库防火墙使您可以决定哪些IP地址可以访问Azure SQL Server或Azure SQL数据库。

When creating an Azure SQL Database, the firewall needs to be configured before anyone will be able to access the database. By default, no external access to your SQL Database will be allowed until you explicitly assign permission by creating a firewall rule.

创建Azure SQL数据库时，需要先配置防火墙，然后任何人都可以访问该数据库。默认情况下，除非您通过创建防火墙规则明确分配权限，否则将不允许外部访问SQL数据库。

An initial server level rule will need to be created using the portal before you will be able to access your SQL Database server.

必须先使用门户网站创建初始服务器级别规则，然后才能访问SQL数据库服务器。

如何创建初始服务器级别规则 (How to create the initial server level rule)

To create the initial server level firewall rule, you need to go to the Firewall settings in Azure and add an IP range which will be allowed access.

若要创建初始服务器级防火墙规则，需要转到Azure中的“防火墙”设置，并添加一个允许访问的IP范围。

Access from the client you are connecting from can be added by clicking on the Add client IP button. This will automatically add a rule for the IP address for the client you are currently connection from as both the Start and End IP. Allowing you to access the server on which your database resides.

您可以通过单击“添加客户端IP”按钮来添加来自您正在连接的客户端的访问权限。这将自动为您当前连接的客户端的IP地址添加一条规则，即开始IP和结束IP。允许您访问数据库所在的服务器。

This rule can also be created using the REST API or Azure Powershell.

也可以使用REST API或Azure Powershell创建此规则。

防火墙规则的类型 (Types of firewall rules)

There are 2 types of firewall rules:

防火墙规则有两种：

Server level rules

服务器级别规则

Server level rules allow access to the Azure SQL Server. Which means that the client will have access to all the databases stored on that SQL Server.

服务器级别规则允许访问Azure SQL Server。这意味着客户端将有权访问该SQL Server上存储的所有数据库。

Server level rules are stored in the mater database.

服务器级别规则存储在母数据库中。

Only subscription owners or contributors can create server level firewall rules using the Azure portal , PowerShell or the REST API. Server principal logins or Azure Active Directory Administrators can create rules using Transact-SQL.

只有订阅所有者或贡献者才能使用Azure门户，PowerShell或REST API创建服务器级防火墙规则。服务器主体登录名或Azure Active Directory管理员可以使用Transact-SQL创建规则。

Typically, this access will be given to administrators or anyone who may need access to all the databases.

通常，此访问权限将授予管理员或可能需要访问所有数据库的任何人。

As a best practice, server level access should only be given when absolutely necessary and database level rules must be used wherever possible.

最佳做法是，仅在绝对必要时才应提供服务器级别的访问权限，并且必须尽可能使用数据库级别的规则。

Creating a server level rule

创建服务器级别规则

In Azure, you can get to the server firewall configuration screen in the portal in 2 ways:

在Azure中，可以通过两种方式进入门户中的服务器防火墙配置屏幕：

Go to your Azure SQL Server and select the Firewall option under settings. 转到您的Azure SQL Server并在“设置”下选择“防火墙”选项。

When have selected your SQL Database in the Azure portal you can click on the Set server Firewall button. This sets the server firewall. The database firewall cannot be configured in the portal. 在Azure门户中选择SQL数据库后，可以单击“设置服务器防火墙”按钮。这将设置服务器防火墙。无法在门户中配置数据库防火墙。

Once you are on the firewall settings screen, the rule name from and to IP addresses of the allowable range must be configured.

进入防火墙设置屏幕后，必须在允许范围的IP地址之间配置规则名称。

Server level rules can also be configured using Transact-SQL, PowerShell or the REST API. This is beyond the scope of this article.

服务器级别规则也可以使用Transact-SQL，PowerShell或REST API进行配置。这超出了本文的范围。

To create or modify a server level rule using Transact-SQL the following statement can be executed on the master database:

要使用Transact-SQL创建或修改服务器级规则，可以在master数据库上执行以下语句：


EXECUTE sp_set_firewall_rule N'my_server_rule','168.0.0.2','168.0.0.2';

and can be deleted using:

可以使用以下方法删除：


EXECUTE sp_delete_database_firewall_rule N'my_server_rule';

Database level rules

数据库级规则

Unlike server level rules, the database level rules are stored within the relevant database.

与服务器级别规则不同，数据库级别规则存储在相关数据库中。

Database level rules cannot be created using the Azure portal or PowerShell, it can only be done using Transact-SQL.

无法使用Azure门户或PowerShell创建数据库级规则，只能使用Transact-SQL来完成。

Using database level rules adds security by ensuring that clients do not have access to database that they don’t need and it also makes it easier to move databases, since the rules are contained within the database itself.

使用数据库级规则可以确保客户端没有访问他们不需要的数据库的权限，从而增加了安全性，并且由于规则包含在数据库本身中，因此还使移动数据库更加容易。

Creating a database level rule

创建数据库级别规则

Database level rules can only be created using Transact-SQL. The following T-SQL command can be used to create or modify an existing rule:

数据库级别规则只能使用Transact-SQL创建。以下T-SQL命令可用于创建或修改现有规则：


EXECUTE sp_set_database_firewall_rule N'my_db_rule';
,'168.0.0.0'
,'168.0.0.0'

The first parameter is the rule name, followed by the first IP address that you wish to give access to. The third parameter is the last IP address in the range you wish to give access to.

第一个参数是规则名称，后跟您希望访问的第一个IP地址。第三个参数是您希望访问的范围中的最后一个IP地址。

Setting the start IP address and the end IP address to the same address will only provide access to that one specific IP address.

将起始IP地址和结束IP地址设置为相同的地址只会提供对该特定IP地址的访问。

CONTROL permissions are required on the database on which you want to create the firewall rule.

要在其上创建防火墙规则的数据库具有CONTROL权限。

Once the command has been issued to change a rule, the change can take up to 5 minutes to take effect.

发出更改规则的命令后，更改最多可能需要5分钟才能生效。

To delete a database firewall rule use:

要删除数据库防火墙规则，请使用：


EXECUTE sp_delete_database_firewall_rule N'my_db_rule';

查看现有规则 (Viewing existing rules)

To view existing database and server level rules, you can use the system view: sys.firewall_rules.

要查看现有的数据库和服务器级别的规则，可以使用系统视图：sys.firewall_rules。

I.e.

即


SELECT * FROM sys.firewall_rules

This must be executed on the master database will display server level rules. Note how the AllowAllWindowsAzureIps have both a start and an end IP address of 0.0.0.0.

这必须在master数据库上执行，才会显示服务器级别的规则。请注意，AllowAllWindowsAzureIps如何将起始IP地址和结束IP地址都设置为0.0.0.0。

To view existing database level rules you can execute the following command on the relevant database:

要查看现有数据库级别规则，可以在相关数据库上执行以下命令：


SELECT * FROM sys.database_firewall_rules

允许从Azure访问 (Allowing access from Azure)

To allow connection from Azure to your Azure SQL Server, the Allow access to Azure services must be set to on.

若要允许从Azure连接到Azure SQL Server，必须将“允许访问Azure服务”设置为“开”。

This effectively adds a rule with a from and to address of 0.0.0.0.

这有效地添加了一条从0.0到0.0的起始地址和到终止地址的规则。

It is important to remember that this also allows access to anyone else with an Azure subscription. So configuring permissions on your SQL Server itself is pivotal.

重要的是要记住，这还允许访问具有Azure订阅的其他任何人。因此，在SQL Server本身上配置权限至关重要。

规则如何应用 (How the rules are applied)

Any connection attempt from either Azure or the Internet will be met by the firewall.

防火墙将满足来自Azure或Internet的任何连接尝试。

Any client which has an IP address which falls within the allowable range of the specific database level firewall rule, will be allowed to pass through to the database directly.
IP地址在特定数据库级别防火墙规则的允许范围内的任何客户端，将被允许直接传递到数据库。
The server level firewall rules will be applied. If the abovementioned check failed. If the IP address of the client falls within the allowable range of the server level rule, access will be granted to all the SQL Databases in the server. 将应用服务器级别的防火墙规则。如果上述检查失败。如果客户端的IP地址在服务器级别规则的允许范围内，则将授予对服务器中所有SQL数据库的访问权限。
If the IP address is not in the allowable range the connection will fail. 如果IP地址不在允许的范围内，则连接将失败。

认证方式 (Authentication)

The firewall restricts the clients which are allowed to connect to your SQL Database. But it does not authenticate users. User authentication happens at the database level. Similarly to SQL on premise, two methods of authentication can be used:

防火墙限制了允许连接到您SQL数据库的客户端。但是它不对用户进行身份验证。用户身份验证发生在数据库级别。与前提条件SQL类似，可以使用两种身份验证方法：

Which is a username and password created on the SQL Server database.
这是在SQL Server数据库上创建的用户名和密码。
This is integrated security which is domain based.
这是基于域的集成安全性。

翻译自: https://www.sqlshack.com/configuring-the-azure-sql-database-firewall/

azure云数据库