强制流量存储帐户通过Internet而不是Azure主干 [英] Force traffic to Storage Account to go over Internet rather than Azure backbone

问题描述

有没有办法强制流量存储帐户通过Internet而不是Azure骨干网？我的方案：

Is there a way to force traffic to Storage Account to go over Internet rather than Azure backbone? My scenario:

- 两个Azure租户T1，T2

- T1具有启用防火墙的存储帐户，并限制流量到其中一个T1的子网
- T2希望通过SA防火墙中的公共IP地址例外访问T1中的SA。
- 由于某些原因，我们无法在T1和T2之间进行Vnet对等

- Two Azure Tenants T1, T2
- T1 has Storage Account with Firewall enabled and restricted traffic to one of the T1's subnets
- T2 would like to access the SA in T1 through a public IP address exception in the SA's firewall
- We can't do Vnet peering between T1 and T2 for certain reasons

有没有办法强制从T2到T1的存储帐户的流量通过Internet，而不是让Azure通过Azure骨干网路由它？

Is there a way to force traffic from T2 to T1's Storage Account to go over Internet rather than let Azure to route it over the Azure backbone?

Microsoft的doc说：

Microsoft's doc says:

"如果目标地址是针对Azure的一项服务，则Azure会将流量直接路由到Azure骨干网络上的服务，而不是将流量路由到Internet。 Azure服务之间的流量不会遍历Internet，无论虚拟网络存在于哪个Azure区域，或者Azure区域中部署了Azure服务的哪个Azure区域，都可以使用
。您可以覆盖Azure的默认系统路由0.0。带有自定义路由的0.0 / 0地址前缀。"

"If the destination address is for one of Azure's services, Azure routes the traffic directly to the service over Azure's backbone network, rather than routing the traffic to the Internet. Traffic between Azure services does not traverse the Internet, regardless of which Azure region the virtual network exists in, or which Azure region an instance of the Azure service is deployed in. You can override Azure's default system route for the 0.0.0.0/0 address prefix with a custom route."

在T2中，作为测试，我已部署：

In T2, as a test, I have deployed:

- Vnet

- AzureFirewallSubnet和Azure防火墙

- Subnet1

- Vnet
- AzureFirewallSubnet and Azure Firewall
- Subnet1

我在Subnet1上创建了一个路由表，虚拟设备规则从0.0开始。 0.0 / 0到AF的私有IP。它似乎通过AF的防火墙将流量路由到存储帐户。但是，似乎只要从Subnet1中的VM到
存储帐户的请求到达AF，它就会通过Azure主干而不是AF的公共IP进行路由。

I've created a Route Table on Subnet1 with a Virtual Appliance Rule to go from 0.0.0.0/0 to the AF's private IP. It seems route the traffic to Storage Account through AF's firewall. However, it seems that as soon as a request from a VM in Subnet1 to the Storage Account reaches AF, it's routed through Azure backbone rather than AF's public IP.

你能不能请注意，有没有办法强制流量通过AF的公共IP？

Could you please advise, is there a way to force the traffic to go through the AF's public IP?

推荐答案

Hi Michal， 

Hi Michal, 

您想从T2中访问T1中的SA吗？

You want to access the SA in T1 from T2 right?

为什么要强制流量？

您需要在T2的SA中将T1的公共IP列入白名单。这是唯一可行的选项，因为服务端点不会在这里工作。 

You would need to white-list the Public IPs of T1 in the SA of T2. That is the only option which is possible as Service endpoint wont work here. 

问候， 

Msrini

这篇关于强制流量存储帐户通过Internet而不是Azure主干的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！