问题描述
我试图锁定对Blob存储对应用程序服务的访问.我有以下powershell代码,该代码从运行的应用程序服务中获取可能的传出IP地址,然后将对Blob存储的访问限制为这些IP地址:
I am trying to lock down access to blob storage to an app service. I have the following powershell code which gets the possible outgoing ip addresses from an app service I run and then limits access to blob storage to those ip addresses:
Write-Host ("Setting blob storage access restrictions")
$appServiceIPAddresses = (Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -name $webSiteName).PossibleOutboundIpAddresses.Split(",")
$currentStorageAccessRules = (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules
$currentStorageAccessRules = {$currentStorageAccessRules}.Invoke() # Convert to modifiable list
foreach($ipAddress in $appServiceIPAddresses) {
if (($currentStorageAccessRules | Where-Object { $_.IPAddressOrRange -eq $ipAddress }) -ne $null) {
Write-Host("IP $ipAddress already has access to blob storage $storageAccountName")
} else {
Write-Host("Allowing IP $ipAddress access to blob storage $storageAccountName")
$ipRule = New-Object -TypeName Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule
$ipRule.Action = 'Allow'
$ipRule.IPAddressOrRange = $ipAddress
$currentStorageAccessRules.Add($ipRule)
}
}
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPRule $currentStorageAccessRules -DefaultAction Deny
Write-Host ("Updated blob storage access restrictions")
这将正确设置所有我希望的IP地址,但是当应用程序服务尝试访问Blob存储时,我现在得到403 Forbiden.所有容器都是私有的,因此不应该对blob进行url访问,我只是从应用程序服务中以编程方式对其进行访问.谁能看到上述方法为何行不通?
This sets all of the ip addresses I would expect correctly, however I now get a 403 Forbiden when the app service tries to access blob storage. All containers are private so there should be no url access to the blobs I just access them programmatically from the app service. Can anyone see why the above approach does not work?
推荐答案
根据此处的文章: https://docs.microsoft.com/zh-cn/azure/storage/common/storage-network-security "IP网络规则对发起的请求无效来自与存储帐户相同的Azure区域.使用虚拟网络规则允许相同区域的请求."因此我的上述规则将被忽略,我需要设置一个虚拟网络来锁定访问权限.希望这对某人有帮助.
According to the article here: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." so my rules above would have been ignored and I need to setup a virtual network to lock down access. Hope this helps someone.
有关如何执行此操作的更多信息,请参见: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
Further information on how to do this is here: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
这篇关于从Azure应用服务到Blob存储的防火墙访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!