Managing private connectivity endpoints: Azure

This topic describes how to manage the private connectivity endpoints used for private connectivity to external services. The examples are specific to Microsoft Azure.

Provisioning a private connectivity endpoint

You create a private connectivity endpoint by calling the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function. For example, for a Snowflake account on Microsoft Azure:

Provision a private endpoint that allows Snowflake on Microsoft Azure to connect to a Microsoft Azure API Management service in a Microsoft Azure VNet:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'aztest1-external-function-api.azure.net',
  'Gateway'
  );
Private endpoint with ID "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/32bd3122-bfbd-417d-8620-1a02fd68fcf8" to resource "/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api" has been provisioned successfully. Please note down the endpoint ID and approve the connection from it on the Azure portal.

Provision a private endpoint that allows Snowflake on Microsoft Azure to connect to an external service using external network access:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'testdb.database.windows.net',
  'sqlServer'
  );
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Provision a private endpoint that allows Snowflake to connect to a Microsoft Azure external stage:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cc2909f2-ed22-4c89-8e5d-bdc40e5eac26/resourceGroups/mystorage/providers/Microsoft.Storage/storageAccounts/storagedemo',
  'storagedemo.blob.core.windows.net',
  'blob'
);
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" provisioned successfully"

Snowflake calls the APIs of the cloud platform that hosts the Snowflake account to create the endpoint and update the related network configuration.

Listing private connectivity endpoints

You list the private connectivity endpoints you have created by calling the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function. For example, for a Snowflake account on Microsoft Azure:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();

Note

You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.

Deprovisioning a private connectivity endpoint

You delete an existing private connectivity endpoint by calling the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function. For example, for a Snowflake account on Microsoft Azure:

Deprovision the private endpoint so that Snowflake on Microsoft Azure can no longer connect to the Microsoft Azure API Management service in the Microsoft Azure VNet:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/f4b00c5f-f6bf-41d6-806b-e1cac4f1f36f/resourceGroups/aztest1-external-function-rg/providers/Microsoft.ApiManagement/service/aztest1-external-function-api',
  'Gateway'
  );
Private endpoint with id "/subscriptions/e48379a7-2fc4-473e-b071-f94858cc83f5/resourcegroups/test_rg/providers/microsoft.network/privateendpoints/5ef8fd34-07db-4583-b0dd-0e2360398ed3" successfully marked for deletion. Before it is fully deleted in 7-8 days, it can be restored.

Deprovision the private endpoint so that Snowflake on Microsoft Azure can no longer connect to the external service using external network access:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'sqlServer'
  );
"Resource Endpoint with id "/subscriptions/f0abb333-1b05-47c6-8c31-dd36d2512fd1/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"

Deprovision the private endpoint so that Snowflake can no longer connect to the Microsoft Azure external stage:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/cb72345g5-d347-4sdc-r3ee-70d234551a78/resourceGroups/rg-db-dev/providers/Microsoft.Storage/storageAccounts/dbasdfffext',
  'blob'
);
"Resource Endpoint with id "/subscriptions/57faea9a-20c2-4d35-b283-9c0c1e9593d8/resourceGroups/privatelink-test/providers/Microsoft.Network/privateEndpoints/external-network-access-pe" deprovisioned successfully"

Restoring a deprovisioned private connectivity endpoint

You can restore a deprovisioned private connectivity endpoint within 7 days of deprovisioning it by calling the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function. After 7 days the endpoint cannot be restored, and a new endpoint must be provisioned instead.

Restore the private endpoint that allows Snowflake on Microsoft Azure to connect to the Azure API Management service in the Azure VNet:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/my_rg/providers/Microsoft.Sql/servers/my_db_server',
  'sqlServer'
);
Private endpoint with id ''/subscriptions/66666666-7777-8888-9999-0000000000/resourcegroups/rg/providers/microsoft.network/privateendpoints/00000000-1111-2222-3333-4444444444'' restored successfully.

Troubleshooting

Microsoft Azure external service: you do not have access to the specified subscription

Error

(LinkedAuthorizationFailed) The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id>'.

Code: LinkedAuthorizationFailed

Message: The client has permission to perform action '<action_name>' on scope '<service_name>', however the current tenant '<tenant_id>' is not authorized to access linked subscription '<subscription_id>'.

Cause

The private endpoint mapped to the external service does not carry the correct information for accessing the subscription.

Solution

  1. Call the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to delete the endpoint for the external service.

  2. Call the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to recreate the endpoint for the external service. Make sure you specify the correct subscription, hostname and sub-resource values.

  3. Alter the network rule and make sure the correct hostname value is specified in the VALUE_LIST property.
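The three recovery steps above carried out as a single script, added here as an example and not part of the original page. It reuses the SQL Server endpoint values from the provisioning examples; the network rule name my_sql_private_rule, the port 1433 and the assumption that SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO returns a JSON array are mine, not the page's.

```sql
-- Step 1: remove the endpoint that was provisioned with the wrong subscription
-- information. Resource ID and sub-resource must match the values used when it
-- was provisioned. The endpoint stays restorable for 7-8 days, as noted above.
SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'sqlServer'
);

-- Step 2: recreate it, after checking that the subscription in the resource ID,
-- the hostname and the sub-resource all belong to the intended target service.
-- The returned endpoint ID must still be approved on the Azure side, as the
-- provisioning output in this topic says.
SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  '/subscriptions/11111111-2222-3333-4444-5555555555/resourceGroups/leorg1/providers/Microsoft.Sql/servers/myserver/databases/testdb',
  'testdb.database.windows.net',
  'sqlServer'
);

-- Step 3: point the egress network rule at exactly the hostname the endpoint was
-- provisioned for. The rule name is an assumption; it is assumed to already exist
-- with TYPE = PRIVATE_HOST_PORT and MODE = EGRESS. 1433 is the SQL Server default
-- port, also an assumption.
ALTER NETWORK RULE my_sql_private_rule
  SET VALUE_LIST = ('testdb.database.windows.net:1433');

-- Check: list the account's private endpoints and keep only the entries that
-- mention the hostname. This assumes the function returns a JSON array and
-- deliberately avoids relying on particular field names inside each entry.
SELECT f.value AS endpoint_info
FROM TABLE(FLATTEN(input => PARSE_JSON(SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO()))) f
WHERE f.value::string ILIKE '%testdb.database.windows.net%';
```

If the check returns no rows, the endpoint was not recreated and the network rule now points at a hostname with no private path behind it, so external network access to the service will fail until step 2 succeeds.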
