Linked ARM templates in Blob Storage with network filtering


Question



(Posted in Azure Management Portal area, though this question is really about ARM template deployment - I couldn't find a better area)

I'm deploying linked ARM templates, as described here:

https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-linked-templates

I'm using SAS tokens, as suggested. I'm also using (or at least desire to use) network security on the storage account hosting the templates in blob storage, to limit which vnets and ip addresses can access the blob containers storing the templates.

The network security is preventing me from deploying the ARM templates - I receive the following error:

  "error": {
    "code": "InvalidContentLink",
    "message": "Unable to download deployment content from 'https://<storageaccount>.blob.core.windows.net/<blob-container>/<arm-template>.jsonc?<sas token>'. The tracking Id is '<guid>'. Please see https://aka.ms/arm-deploy for usage details."
  }

If I turn off the network security for the storage account, the ARM template deploy works as expected. The errors indicate that the ARM deployment involves HTTP requests to the storage account to fetch the linked templates from an IP address that isn't allowed.

My preferred solution (feature request) is to either have the ARM deploy servers included in the "trusted Microsoft services" that I've granted access to the storage account:



or (another feature option) add another checkbox to allow Azure Management servers to access this storage account.

Alternatively, I'd like a programmatic way to identify the IP address (or IP range) that the Azure Management server will be fetching the linked templates from, so I can (in code) add that IP address range to the allowed set before deploying the linked templates.

This problem isn't just about linked templates - it applies to any files which are hosted in a storage account, and fetched from a server I don't directly control (Azure Management servers) as part of the deploy process. Eg cloud-init files referenced from VM ARM templates.

The "easy" answer is just to turn off network security, which would mean I'm fully reliant on SAS tokens as a single line of defense. What I don't like about that is that theft or loss of a storage account key could make us vulnerable, so I'd strongly prefer 2 layers of security.


Solution

Hi J Crim, thanks for the comment and valuable feedback. As you correctly pointed out, the workaround is to turn off Network security. In parallel, I ask that you share your feature options/requests directly with the ARM feature owners using this feedback link. The respective feature owner will review and prioritize based on demand/upvotes.

Cheers.
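The answer above leaves the workaround (set the storage firewall's default action to Allow) as a manual step. The following Azure PowerShell script is an added example, not code from the thread or from Microsoft: it applies that same workaround but only for the duration of the deployment, records and restores the original default action in a finally block, and pairs it with a short-lived, read-only, HTTPS-only SAS so the token remains the second layer the question asks for. The SAS is minted from an OAuth context (a user delegation SAS), which addresses the poster's concern about account-key theft because the token is not signed with the account key. The resource group, account, container and blob names, the sleep interval, and the `_artifactsLocation` / `_artifactsLocationSasToken` parameter names (the Azure quickstart convention for linked templates) are all assumptions; Az.Accounts, Az.Storage and Az.Resources must be installed and Connect-AzAccount already run.

```powershell
# Added example (not from the original thread). Scripts the answer's workaround
# (default action Allow) so the storage firewall is open only while the linked
# templates are being fetched, and restores the previous setting afterwards.
# All names below are hypothetical placeholders.
param(
    [string]$ResourceGroup  = 'rg-deploy',
    [string]$StorageAccount = 'sttemplates',   # account hosting the linked templates
    [string]$Container      = 'templates',
    [string]$MainTemplate   = 'main.json',     # blob name of the root template
    [int]$SasMinutes        = 20,              # SAS lifetime: just long enough to deploy
    [int]$PropagationSeconds = 30              # assumed wait for firewall rule propagation
)

$ErrorActionPreference = 'Stop'

# 1. Record the current firewall state so it can be restored exactly as it was.
$rules = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount
$originalDefault = $rules.DefaultAction
Write-Host "Current storage firewall default action: $originalDefault"

# 2. Mint a short-lived, read-only, HTTPS-only container SAS.
#    -UseConnectedAccount gives an OAuth context, so this is a user delegation SAS:
#    signed with the signed-in identity, not the account key. A leaked account key
#    therefore cannot be used to forge an equivalent token. The caller needs the
#    'Storage Blob Delegator' role on the account for this to succeed.
$ctx    = New-AzStorageContext -StorageAccountName $StorageAccount -UseConnectedAccount
$expiry = (Get-Date).ToUniversalTime().AddMinutes($SasMinutes)
$sas    = New-AzStorageContainerSASToken -Name $Container -Permission r `
              -Protocol HttpsOnly -ExpiryTime $expiry -Context $ctx
$sas    = $sas.TrimStart('?')   # normalise: some Az.Storage versions return a leading '?'

$artifactsLocation = "https://${StorageAccount}.blob.core.windows.net/${Container}/"
$templateUri       = "${artifactsLocation}${MainTemplate}?${sas}"

# 3. Apply the workaround from the answer: allow all networks, but only for this run.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -DefaultAction Allow | Out-Null
Write-Host "Firewall opened; waiting $PropagationSeconds s for the rule to propagate"
Start-Sleep -Seconds $PropagationSeconds

try {
    # 4. Deploy. The deployment service fetches the root and linked templates over
    #    HTTPS using the SAS appended to the URI and passed to the template as a parameter.
    New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroup `
        -TemplateUri $templateUri `
        -TemplateParameterObject @{
            _artifactsLocation         = $artifactsLocation   # assumed parameter name
            _artifactsLocationSasToken = "?$sas"             # assumed parameter name
        }
}
finally {
    # 5. Always close the firewall again, even if the deployment failed.
    Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $ResourceGroup -Name $StorageAccount `
        -DefaultAction $originalDefault | Out-Null
    Write-Host "Firewall default action restored to: $originalDefault"
}
```

This does not give the poster the two permanent layers they asked for, because the answer provides no IP range for the deployment service that could be added to the firewall; it only shrinks the exposure window of the stated workaround to the deployment itself and guarantees the Deny rule comes back. The SAS expiry should be checked against the deployment's expected duration, since a token that expires mid-deployment produces the same InvalidContentLink error shown in the question.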

