ASC Security Recommendations and Azure Functions

Question

One of the new ASC recommendations is not allowing public access on a storage account. However in order to secure it I need the possible outbound IP addresses which are not available until they are created. We create all of our Azure resources with ARM templates which complicates this further as we can't create the functions without a storage account and also can't transform a list of comma separated IPs into JSON objects for the restrictions. 

Is there another path you intend for this going forward, or if there is a way to secure this with ARM can you provide an example?

Thanks!

Answer

Azure Functions uses storage. So you can't create a function app without a storage account.

Each function app has a set of available outbound IP addresses. Any outbound connection from a function, such as to a back-end database, uses one of the available outbound IP addresses as the origin IP address. You can't know beforehand which IP address a given connection will use. For this reason, your back-end service must open its firewall to all of the function app's outbound IP addresses.

To find the outbound IP addresses available to a function app:

  1. Sign in to the Azure Resource Explorer.
  2. Select subscriptions > {your subscription} > providers > Microsoft.Web > sites.
  3. In the JSON panel, find the site with an id property that ends in the name of your function app.
  4. See OutboundIpAddresses and PossibleOutboundIpAddresses.

The set of OutboundIpAddresses is currently available to the function app. The set of PossibleOutboundIpAddresses includes IP addresses that will be available only if the function app scales.

If you need to whitelist the outbound IP addresses used by your function apps, another option is to whitelist the function apps' data center (Azure region). You can download a JSON file that lists IP addresses for all Azure data centers. Then find the JSON fragment that applies to the region that your function app runs in.

To learn more, see the following link:

https://docs.microsoft.com/zh-cn/azure/azure-functions/ip-addresses

Hope this helps!

Noha
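The sticking point in the question is turning the comma-separated address string that a function app exposes into individual storage firewall rules. The script below is an added example, not part of the original answer or of any Microsoft tooling: it converts such a list into the `ipRules` JSON array an ARM `networkAcls` block expects, counts the entries, and generates one `az storage account network-rule add` command per address as a reviewable dry run. `RG`, `APP` and `SA` are placeholder resource names, and the sample addresses are constructed from documentation ranges, not real Azure addresses; the `az functionapp show --query possibleOutboundIpAddresses`, `az storage account update --default-action Deny` and `az storage account network-rule add` commands in the comments are real Azure CLI commands.

```shell
#!/bin/sh
# Added example (not from the original Q&A): turn the comma-separated
# outbound IP string a function app exposes into storage-firewall rules.
# RG/APP/SA are placeholder names; sample IPs are constructed from
# documentation ranges, not real Azure addresses.

# Convert "ip1,ip2, ip3" into the JSON ipRules array that an ARM
# Microsoft.Storage/storageAccounts networkAcls block expects.
ip_list_to_iprules() {
  printf '%s' "$1" | tr ',' '\n' | tr -d ' ' | awk '
    NF { rules = rules (n++ ? "," : "") "{\"value\":\"" $0 "\",\"action\":\"Allow\"}" }
    END { printf "[%s]", rules }'
}

# Count the addresses in the list (empty entries from stray commas are skipped).
count_outbound_ips() {
  printf '%s' "$1" | tr ',' '\n' | tr -d ' ' | awk 'NF { n++ } END { print n + 0 }'
}

# Emit one "az storage account network-rule add" command per address so the
# rule set can be reviewed before it is applied; pipe the output into sh to apply.
network_rule_commands() {
  rg=$1; sa=$2
  printf '%s' "$3" | tr ',' '\n' | tr -d ' ' | awk -v rg="$rg" -v sa="$sa" '
    NF { printf "az storage account network-rule add --resource-group %s --account-name %s --ip-address %s\n", rg, sa, $0 }'
}

# Constructed sample in the same shape as the possibleOutboundIpAddresses property.
SAMPLE_IPS='203.0.113.10,203.0.113.11, 198.51.100.7'

echo "rules to add: $(count_outbound_ips "$SAMPLE_IPS")"
ip_list_to_iprules "$SAMPLE_IPS"; echo
network_rule_commands 'RG' 'SA' "$SAMPLE_IPS"

# Live flow (requires az login; replace the placeholder names):
#   ips=$(az functionapp show -g "$RG" -n "$APP" \
#         --query possibleOutboundIpAddresses -o tsv)
#   az storage account update -g "$RG" -n "$SA" --default-action Deny
#   network_rule_commands "$RG" "$SA" "$ips" | sh
```

Feed the script the `PossibleOutboundIpAddresses` set rather than `OutboundIpAddresses`, since the answer notes the former includes addresses the app only uses after it scales out; locking the firewall to the smaller set works until the first scale event. Because the function app must exist before its addresses are known, this is necessarily a second pass after the ARM deployment that created the storage account and the app; the same transformation can be expressed inside a later template with ARM's `split()` function and a property copy loop over `reference(...).possibleOutboundIpAddresses`, but that template still has to run after the app exists.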
