适用于 Azure 专用链接的 Azure RBAC 权限

对于任何组织而言,云资源的访问管理都是一项重要功能。 Azure 基于角色的访问控制 (Azure RBAC) 管理 Azure 资源的访问和操作。

若要部署专用终结点或专用链接服务,用户必须已分配有内置角色,例如:

可以通过创建一个具有以下各部分所述权限的自定义角色来提供更精细的访问。

重要

本文列出了用于创建专用终结点或专用链接服务的特定权限。 确保添加与你要通过专用链接授予访问权限的服务相关的特定权限,例如 Azure SQL 的 Microsoft.SQL 参与者角色。 有关内置角色的详细信息,请参阅基于角色的访问控制

要部署的 Microsoft.Network 和特定的资源提供程序(例如,Microsoft.Sql)必须在订阅级别进行注册:

图像

专用终结点

本部分列出了部署专用终结点、管理专用终结点子网策略以及部署依赖资源所需的精细权限

操作 说明
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourcegroups/resources/read 读取资源组的资源
Microsoft.Network/virtualNetworks/read 读取虚拟网络定义
Microsoft.Network/virtualNetworks/subnets/read 读取虚拟网络子网定义
Microsoft.Network/virtualNetworks/subnets/write 创建虚拟网络子网,或更新现有的虚拟网络子网。
对于部署专用终结点并不是明确必需的,但对于管理专用终结点子网策略是必需的
Microsoft.Network/virtualNetworks/subnets/join/action 允许专用终结点加入虚拟网络
Microsoft.Network/privateEndpoints/read 读取专用终结点资源
Microsoft.Network/privateEndpoints/write 创建新的专用终结点,或更新现有的专用终结点
Microsoft.Network/locations/availablePrivateEndpointTypes/read 读取可用的专用终结点资源

下面是上述权限的 JSON 格式。 输入自己的 roleName、description 和 assignableScopes:

{
 "properties": {
   "roleName": "Role Name",
   "description": "Description",
   "assignableScopes": [
     "/subscriptions/SubscriptionID/resourceGroups/ResourceGroupName"
   ],
   "permissions": [
     {
       "actions": [
         "Microsoft.Resources/deployments/*",
         "Microsoft.Resources/subscriptions/resourceGroups/read",
         "Microsoft.Network/virtualNetworks/read",
         "Microsoft.Network/virtualNetworks/subnets/read",
         "Microsoft.Network/virtualNetworks/subnets/write",
         "Microsoft.Network/virtualNetworks/subnets/join/action",
         "Microsoft.Network/privateEndpoints/read",
         "Microsoft.Network/privateEndpoints/write",
         "Microsoft.Network/locations/availablePrivateEndpointTypes/read"
       ],
       "notActions": [],
       "dataActions": [],
       "notDataActions": []
     }
   ]
 }
}

本部分列出了部署专用链接服务、管理专用链接服务子网策略以及部署依赖资源所需的精细权限

操作 说明
Microsoft.Resources/deployments/* 创建和管理部署
Microsoft.Resources/subscriptions/resourcegroups/resources/read 读取资源组的资源
Microsoft.Network/virtualNetworks/read 读取虚拟网络定义
Microsoft.Network/virtualNetworks/subnets/read 读取虚拟网络子网定义
Microsoft.Network/virtualNetworks/subnets/write 创建虚拟网络子网,或更新现有的虚拟网络子网。
对于部署专用链接服务并不是明确必需的,但对于管理专用链接子网策略是必需的
Microsoft.Network/privateLinkServices/read 读取专用链接服务资源
Microsoft.Network/privateLinkServices/write 创建新的专用链接服务,或更新现有的专用链接服务
Microsoft.Network/privateLinkServices/privateEndpointConnections/read 读取专用终结点连接定义
Microsoft.Network/privateLinkServices/privateEndpointConnections/write 创建新的专用终结点连接,或更新现有的专用终结点连接
Microsoft.Network/networkSecurityGroups/join/action 加入网络安全组
Microsoft.Network/loadBalancers/read 读取负载均衡器定义
Microsoft.Network/loadBalancers/write 创建负载均衡器,或更新现有的负载均衡器
{
  "properties": {
    "roleName": "Role Name",
    "description": "Description",
    "assignableScopes": [
      "/subscriptions/SubscriptionID/resourceGroups/ResourceGroupName"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/subnets/join/action",
          "Microsoft.Network/privateLinkServices/read",
          "Microsoft.Network/privateLinkServices/write",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/read",
          "Microsoft.Network/privateLinkServices/privateEndpointConnections/write",
          "Microsoft.Network/networkSecurityGroups/join/action",
          "Microsoft.Network/loadBalancers/read",
          "Microsoft.Network/loadBalancers/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

专用终结点的审批 RBAC

通常,网络管理员将创建专用终结点。 根据你的 Azure 基于角色的访问控制 (RBAC) 权限,你创建的专用终结点将自动获得批准以将流量发送到 API Management 实例,或者需要资源所有者手动批准连接。

审批方法 最低 RBAC 权限
自动 Microsoft.Network/virtualNetworks/**
Microsoft.Network/virtualNetworks/subnets/**
Microsoft.Network/privateEndpoints/**
Microsoft.Network/networkinterfaces/**
Microsoft.Network/locations/availablePrivateEndpointTypes/read
手动 Microsoft.Network/virtualNetworks/**
Microsoft.Network/virtualNetworks/subnets/**
Microsoft.Network/privateEndpoints/**
Microsoft.Network/networkinterfaces/**
Microsoft.Network/locations/availablePrivateEndpointTypes/read

后续步骤

有关 Azure 专用链接中的专用终结点和专用链接服务的详细信息,请参阅: