Azure Private Endpoint - Listening restrictions

I'm experiencing some deeply frustrating issues when trying to connect to a SQL Server Private Endpoint. Setting aside for a moment a complete specification of the problem, I'd like answers to the following questions:

  1. Is it the case that a SQL Server Private Endpoint will only listen to connections from an Azure Virtual Machine? I have seen it suggested by third parties that this is the case but cannot find this explicitly documented by MS. (To clarify, if only VMs can connect, then this would mean, for example, that an Azure Load Balancer could not use a Private Endpoint as a backend resource; and, for example, that an on-premise VM could not connect to a Private Endpoint through a VPN - is that correct?)

  2. Presuming the answer to the above question is Yes, then does the restriction apply such as to prevent a Private Endpoint from listening to connections forwarded from an Azure VM interface?

(For example, say a firewall in a VM in Azure. Inside the firewall VM, the IP 192.168.0.10 is configured. In Azure, the VM interface is associated with only a single IP address, which is 192.168.0.6. In this scenario, the firewall VM will respond to ARP requests with ARP responses saying "I have 192.168.0.10", but 192.168.0.10 is not associated by Azure configuration with any Azure virtual network interface. In said case, will a connection to the Private Endpoint using source address 192.168.0.10 work? Or is it the case that the PE will listen for connections only with a source address of 192.168.0.6?)

To answer your questions:

  1. It's possible to use a private endpoint as a backend in the Azure Load Balancer, because Azure LB supports a NIC or an IP address as the backend target. Also, the on-premise VM surely can connect to a private endpoint through VPN tunneling; read this document for more details.
  2. A VM by default sends all outbound traffic to the IP address that's assigned to the primary IP configuration of the primary network interface. So it will use source address 192.168.0.6 when connecting to the private endpoint. Read the network interface constraints.
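The answer's second point (outbound traffic is sourced from the NIC's primary IP configuration) is easy to verify from inside the firewall VM. The script below is an added example, not code from the thread or from Microsoft: it opens a plain TCP connection to the endpoint with the client socket explicitly bound to a chosen source address, so the two cases from the question (192.168.0.6, which Azure knows about, and 192.168.0.10, which only the guest knows about) can be compared side by side. The `demo()` function is a constructed, offline stand-in that runs both probes against a local listener; the private endpoint address and the SQL Server port 1433 in the `__main__` comment are the values you would substitute on the real VM.

```python
"""
Probe TCP reachability of a private endpoint from a chosen source address.

Hypothetical helper (added example, not from the original thread): binding the
client socket to a specific local IP before connect() lets you compare what
happens when traffic leaves from the NIC's primary private IP (192.168.0.6 in
the question) versus an address configured only inside the guest (192.168.0.10).
"""
import socket
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    source_ip: str
    target: str
    port: int
    ok: bool
    detail: str


def probe_from_source(target: str, port: int, source_ip: str, timeout: float = 3.0) -> ProbeResult:
    """Connect to target:port with the local side bound to source_ip.

    A bind() failure means the guest OS itself does not own source_ip.
    A connect() timeout means the SYN left the host but no SYN-ACK came back,
    which is the symptom to expect when traffic is sourced from an address the
    platform has not assigned to the NIC (the platform drops or cannot route
    the reply). A refusal means the endpoint was reached but nothing listens.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.bind((source_ip, 0))  # port 0: let the OS pick an ephemeral port
    except OSError as e:
        s.close()
        return ProbeResult(source_ip, target, port, False, f"bind failed: {e}")
    try:
        s.connect((target, port))
        local_ip, local_port = s.getsockname()[:2]
        return ProbeResult(source_ip, target, port, True, f"connected from {local_ip}:{local_port}")
    except OSError as e:
        return ProbeResult(source_ip, target, port, False, f"connect failed: {e}")
    finally:
        s.close()


def start_local_listener(bind_ip: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Start a throwaway TCP listener (constructed stand-in for the endpoint); return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, 0))
    srv.listen(1)

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before a client arrived

    threading.Thread(target=accept_once, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Run both probes against a local listener so the script works offline."""
    srv, port = start_local_listener()
    try:
        # Source the host does own: the probe succeeds.
        good = probe_from_source("127.0.0.1", port, "127.0.0.1")
        # 192.0.2.1 (TEST-NET-1, RFC 5737) is not configured on this host, so bind() fails.
        # On the firewall VM, 192.168.0.10 would bind fine but the connect would be
        # the interesting part, because the guest owns the address and Azure does not.
        bad = probe_from_source("127.0.0.1", port, "192.0.2.1")
    finally:
        srv.close()
    return {"primary_ok": good.ok, "unassigned_ok": bad.ok, "unassigned_detail": bad.detail}


if __name__ == "__main__":
    # On the firewall VM from the question you would run, for example:
    #   probe_from_source("<private-endpoint-ip>", 1433, "192.168.0.6")
    #   probe_from_source("<private-endpoint-ip>", 1433, "192.168.0.10")
    for key, value in demo().items():
        print(key, value)
```

When you run the two real probes on the VM, read the `detail` field rather than just `ok`: a bind failure points at guest configuration, while a timeout from 192.168.0.10 after a success from 192.168.0.6 is exactly the platform behaviour the answer describes, and the fix is to add 192.168.0.10 as a secondary IP configuration on the Azure NIC rather than only inside the guest.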
