This article describes how to handle firewall access from an Azure App Service to Blob Storage using a virtual network, and should be a useful reference for anyone facing the same problem.

Problem description

Originally I tried to restrict access from an app service to blob storage using IP addresses, however it turned out that you can only do this using a Virtual Network: Firewall access from Azure app service to blob storage

I want to be able to achieve this without setting up a point-to-site VPN. The steps I have taken to set up a virtual network in Azure are as follows:

  • Created Network security group "securitygroup-frontend", add custom inbound rule called Web with Source: Service Tag, Source service tag: Internet, Source port ranges: *, Destination: Any, Destination port ranges: 80, 443, Protocol: Any, Action: Allow, Priority: 100
  • Created Virtual Network with address space 192.168.0.0/23 and subnet called frontend address range 192.168.0.0/26 with network security group: securitygroup-frontend and subnet delegation to Microsoft.Web/serverFarms and service endpoints Microsoft.Storage
  • Went to app service -> Networking -> Configure VNet integration ->Add VNet preview and select the subnet you created
  • Went to Storage -> Firewalls and virtual Networking -> Configure VNet integration -> Select 'Selected networks' and add in the virtual network and subnet just created.

I have had to move Azure diagnostics and logs such as for key vault, service bus and sql azure to its own blob storage as these require blob storage outside of a virtual network and can't be made to work inside. The app service is in the Standard plan. The app service, blob storage and virtual network are all in the same region.

This question and answer does not provide any insights: https://social.msdn.microsoft.com/Forums/azure/en-US/9f4d8aeb-68a6-4ec1-9e11-bee2d1301792/allow-access-to-azure-storage-account-only-from-an-app-service?forum=windowsazurewebsitespreview

The above steps, though, block off access from the app service to blob storage, and any assets within return an error: (403) Forbidden. If I remove the Virtual network from blob storage it works fine. What am I doing wrong?

Recommended answer

Yes, you can do this using a VNet but you need to deploy the web app in a VNet with App Service Environments. You cannot do this with VNet integration. Integrating Azure services to an Azure virtual network enables private access to the service from virtual machines or compute resources in the virtual network. However, web app service in a regular app service plan is multi-tenant. With ASE, you could deploy it into your VNet.

You could get more details and explanation from this similar thread. According to a comment from silent, you could also consider deploying your web app inside a container which could be deployed in a VNet with some restriction.

Sometimes, the deployment order for networking is important. In your case, you enable service endpoint before VNet integration. I suggest removing NSG restriction in integrated app subnet VNet for a test. Then you could check the following steps.

Firstly, you could deploy new VNet integration with an unused subnet. After the VNet Integration is completed and the web app is restarted, you could enable service endpoint and subnet delegation for this subnet. In the end, you could add the subnet in the firewall of the storage account.

The new version is in Preview and not GA currently. It might be that not all functions are available. You could also check the following characteristics.
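The ordering the answer recommends (integrate the app with a fresh subnet first, restart, then enable the Microsoft.Storage service endpoint and the serverFarms delegation, and only then add the subnet to the storage firewall), scripted with the Azure CLI as an added example that is not part of the original thread. The resource group, VNet, app and storage account names and the 192.168.0.64/26 prefix are assumed placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread: the answer's recommended order,
# scripted with the Azure CLI. All resource names are assumed placeholders.
set -eu

RG="${RG:-rg-webapp-demo}"                        # assumed resource group
VNET="${VNET:-vnet-frontend}"                     # the 192.168.0.0/23 VNet from the question
SUBNET="${SUBNET:-integration}"                   # a NEW, unused subnet for the integration
SUBNET_PREFIX="${SUBNET_PREFIX:-192.168.0.64/26}" # constructed; must be free in the VNet
APP="${APP:-webapp-demo}"                         # assumed app service name
STORAGE="${STORAGE:-stdemo123}"                   # assumed storage account name
DRY_RUN="${DRY_RUN:-0}"                           # DRY_RUN=1 prints commands instead of running

# run: execute an az command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: a fresh subnet with no delegation, no service endpoint and no NSG yet
# (the answer suggests testing without the NSG restriction first).
create_subnet() {
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --address-prefixes "$SUBNET_PREFIX"
}
# Step 2: regional VNet integration, then a restart so the app picks it up.
integrate_app() {
  run az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
    --vnet "$VNET" --subnet "$SUBNET"
  run az webapp restart --resource-group "$RG" --name "$APP"
}
# Step 3: only after integration, add the Microsoft.Storage service endpoint
# and the Microsoft.Web/serverFarms delegation to the same subnet.
enable_endpoint() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Storage \
    --delegations Microsoft.Web/serverFarms
}
# Step 4: allow the subnet in the storage firewall ("Selected networks"),
# then deny everything that is not explicitly allowed.
restrict_storage() {
  run az storage account network-rule add --resource-group "$RG" \
    --account-name "$STORAGE" --vnet-name "$VNET" --subnet "$SUBNET"
  run az storage account update --resource-group "$RG" --name "$STORAGE" \
    --default-action Deny
}
# ordered_plan: the full sequence; the order is the whole point of the answer.
ordered_plan() { create_subnet; integrate_app; enable_endpoint; restrict_storage; }

if [ "${RUN_PLAN:-0}" = "1" ]; then ordered_plan; fi  # RUN_PLAN=1 to execute; add DRY_RUN=1 to preview
```

After the last step, test the app against the blob endpoint; if it still returns 403, the answer's remaining suggestion is to check the NSG on the integrated subnet and whether the preview integration feature is available in your region.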

10-10 10:51