Multiple subnets in vnet needing access to same storage account via Private Endpoint/Service Endpoint
That understanding is correct. Service endpoints are created on the subnet level and need to be specified there, like in that Terraform example here:
  # The service endpoint is a property of the subnet, not of the PaaS resource.
  resource "azurerm_subnet" "database-subnet" {
    name                 = "database-subnet"
    address_prefixes     = ["10.0.2.0/24"]
    resource_group_name  = var.resourcegroup_name
    virtual_network_name = azurerm_virtual_network.vnet1.name
    service_endpoints    = ["Microsoft.Sql"]
  }
A private endpoint on the other hand gives you an IP in your own vnet representing a specific instance of a PaaS-Service (like a specific database within the Azure SQL Database service). That internal IP is reachable from all your subnets. Intra-Subnet routing is done by default in Azure, so there's no need to set up some sort of custom / user defined routing.
When using service endpoints together with network security groups (nsg) on the subnet(s), one has to make sure to best use "service tags" within the nsg rules, since otherwise the system can break when PaaS-Services change their IP-ranges which might have been used in the nsg rules. So service tags are used instead of IP ranges in that scenario.
And of course like briefly mentioned in one of the answers in the linked question, there are further differences between the two options. I only like to mention the pricing very quickly: Service endpoints are completely free of charge, whereas service endpoints have a pricing per hour + per data volume being sent through them.
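The service-endpoint variant of the question's scenario, written out as an added Terraform example (not the answer's own code): two subnets each get the Microsoft.Storage endpoint, the storage account denies everything except those two subnets, and the outbound NSG rule uses the "Storage" service tag instead of IP ranges. It assumes azurerm_virtual_network.vnet1, azurerm_network_security_group.app, var.resourcegroup_name and var.location already exist; the storage account name is a placeholder.

```hcl
# Each subnet that must reach the account declares the endpoint itself.
resource "azurerm_subnet" "app" {
  name                 = "app-subnet"
  resource_group_name  = var.resourcegroup_name
  virtual_network_name = azurerm_virtual_network.vnet1.name
  address_prefixes     = ["10.0.1.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_subnet" "batch" {
  name                 = "batch-subnet"
  resource_group_name  = var.resourcegroup_name
  virtual_network_name = azurerm_virtual_network.vnet1.name
  address_prefixes     = ["10.0.3.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "shared" {
  name                     = "sharedstorageplaceholder" # placeholder, must be globally unique
  resource_group_name      = var.resourcegroup_name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # Default deny; only traffic arriving via the two endpoint-enabled subnets is allowed.
  network_rules {
    default_action             = "Deny"
    bypass                     = ["AzureServices"]
    virtual_network_subnet_ids = [azurerm_subnet.app.id, azurerm_subnet.batch.id]
  }
}

# Service tag instead of an IP list: the rule survives changes to the Storage IP space.
resource "azurerm_network_security_rule" "allow_storage_out" {
  name                        = "allow-storage-service-tag"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "VirtualNetwork"
  destination_address_prefix  = "Storage"
  resource_group_name         = var.resourcegroup_name
  network_security_group_name = azurerm_network_security_group.app.name
}
```

Adding a third subnet later means adding the endpoint on that subnet and appending its id to virtual_network_subnet_ids; the NSG rule needs no change.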