问题描述

我试图锁定对Blob存储对应用程序服务的访问.我有以下powershell代码，该代码从运行的应用程序服务中获取可能的传出IP地址，然后将对Blob存储的访问限制为这些IP地址:

I am trying to lock down access to blob storage to an app service. I have the following powershell code which gets the possible outgoing ip addresses from an app service I run and then limits access to blob storage to those ip addresses:

Write-Host ("Setting blob storage access restrictions")
$appServiceIPAddresses = (Get-AzureRmWebApp -ResourceGroupName $resourceGroupName -name $webSiteName).PossibleOutboundIpAddresses.Split(",")
$currentStorageAccessRules = (Get-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName).IpRules 
$currentStorageAccessRules = {$currentStorageAccessRules}.Invoke() # Convert to modifiable list
foreach($ipAddress in $appServiceIPAddresses) {
    if (($currentStorageAccessRules | Where-Object { $_.IPAddressOrRange -eq $ipAddress }) -ne $null) {
        Write-Host("IP $ipAddress already has access to blob storage $storageAccountName")
    } else {
        Write-Host("Allowing IP $ipAddress access to blob storage $storageAccountName")
        $ipRule = New-Object -TypeName Microsoft.Azure.Commands.Management.Storage.Models.PSIpRule
        $ipRule.Action = 'Allow'
        $ipRule.IPAddressOrRange = $ipAddress
        $currentStorageAccessRules.Add($ipRule)
    }
}
Update-AzureRmStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroupName -Name $storageAccountName -IPRule $currentStorageAccessRules -DefaultAction Deny
Write-Host ("Updated blob storage access restrictions")

这将正确设置所有我希望的IP地址，但是当应用程序服务尝试访问Blob存储时，我现在得到403 Forbiden.所有容器都是私有的，因此不应该对blob进行url访问，我只是从应用程序服务中以编程方式对其进行访问.谁能看到上述方法为何行不通?

This sets all of the ip addresses I would expect correctly, however I now get a 403 Forbiden when the app service tries to access blob storage. All containers are private so there should be no url access to the blobs I just access them programmatically from the app service. Can anyone see why the above approach does not work?

推荐答案

根据此处的文章: https://docs.microsoft.com/zh-cn/azure/storage/common/storage-network-security "IP网络规则对发起的请求无效来自与存储帐户相同的Azure区域.使用虚拟网络规则允许相同区域的请求."因此我的上述规则将被忽略，我需要设置一个虚拟网络来锁定访问权限.希望这对某人有帮助.

According to the article here: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security "IP network rules have no effect on requests originating from the same Azure region as the storage account. Use Virtual network rules to allow same-region requests." so my rules above would have been ignored and I need to setup a virtual network to lock down access. Hope this helps someone.

有关如何执行此操作的更多信息，请参见: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

Further information on how to do this is here: https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet

这篇关于从Azure应用服务到Blob存储的防火墙访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！