az storage account network-rule not working for Microsoft Hosted agent (Azure DevOps)


Question

I have to delete all the files in Azure blob storage (a specific container) automatically via Azure release pipelines. So I have configured a task to get the IP address of the Microsoft agent dynamically and add the IP address into the blob Firewall. The script below works successfully sometimes, but I'm not able to see the IP in the Firewall list.

Also, the same script is failing many times and throwing an error like

The request may be blocked by network rules of storage account. Please check network rule set using 'az storage account show -n accountname --query networkRuleSet'. If you want to change the default action to apply when no rule matches, please use 'az storage account update'.

# Look up the hosted agent's current public IP address
IP=$(curl -s http://ipinfo.io/json | jq -r '.ip')

echo "Opening firewall for the IP : $IP"

# Allow that IP through the storage account firewall
az storage account network-rule add -g custom-web --account-name "customwebapp" --ip-address "$IP"

I'm not sure on this. Is anyone able to advise me on the best way to achieve this, or another alternative secure way of connecting to the Azure blob via a Microsoft hosted agent?

Reference: https://docs.microsoft.com/en-us/cli/azure/storage/account/network-rule?view=azure-cli-latest

Answer

Communication between Microsoft hosted agents and a storage account behind a firewall is always a troublesome one, even with the above workaround of dynamically opening the storage firewall for that specific Microsoft hosted agent's IP address. This is mainly due to limitations on the storage account side.

1. Each storage account supports at most 200 IP network rules.

So we cannot add the entire IP ranges of hosted agents that spin up from any of your ADO org's geographical regions. If the organization is hosted in West Europe, then hosted agents can come up from North and West Europe. So the number of IP ranges that should be whitelisted will be more than 200.

Due to this, users go with the above workaround of allowing the particular hosted agent IP address. However, the following limitations do not make the above workaround foolproof. When the hosted agent spins up in the same region as your storage account, the workaround does not work.

2. Services in the same region as the storage account communicate using private Azure IP addresses.
3. IP network rules have no effect on requests that come from the same Azure region as the storage account.
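The question's script adds the agent IP and never removes it, and the answer explains why the rule is sometimes not effective. The following is an added example (not the asker's script nor anything from the answer) that opens the firewall only for the duration of the cleanup, waits until the account actually reports the rule, and removes it again even when the delete fails. It assumes the resource group, account and container names arrive as pipeline variables and that the agent's identity holds a blob data role so `--auth-mode login` works.

```shell
#!/usr/bin/env bash
# Added example (not the asker's script): open the firewall for the agent IP only while
# the container is emptied, and remove the rule again even if the delete fails.
# Assumed: names come from pipeline variables; the agent identity holds a blob data role.
set -eu

agent_ip() {                      # same lookup as the question's script
  curl -s https://ipinfo.io/json | jq -r '.ip'
}

# Add the rule, then poll until the account reports it: the add call returns before the
# rule is enforced, which is one reason the delete step only "sometimes" succeeds.
open_firewall() {
  rg="$1"; account="$2"; ip="$3"
  az storage account network-rule add -g "$rg" --account-name "$account" --ip-address "$ip" >/dev/null
  for _ in 1 2 3 4 5 6 7 8 9 10 11 12; do
    found=$(az storage account network-rule list -g "$rg" --account-name "$account" \
              --query "ipRules[?ipAddressOrRange=='$ip'].ipAddressOrRange" -o tsv)
    [ -n "$found" ] && return 0
    sleep 5
  done
  echo "rule for $ip not visible after 60s" >&2
  return 1
}

close_firewall() {
  az storage account network-rule remove -g "$1" --account-name "$2" --ip-address "$3" >/dev/null
}

# Returns the delete step's exit status, but always closes the firewall first. A same-region
# agent arrives from a private Azure address, so no IP rule can admit it (see the answer).
cleanup_container() {
  rg="$1"; account="$2"; container="$3"; status=0
  ip=$(agent_ip)
  case "$ip" in ""|null) echo "could not determine agent IP" >&2; return 1 ;; esac
  if open_firewall "$rg" "$account" "$ip"; then
    az storage blob delete-batch --account-name "$account" --source "$container" \
      --auth-mode login >/dev/null || status=$?
  else
    status=1
  fi
  close_firewall "$rg" "$account" "$ip"
  return "$status"
}

# Pipeline usage: ./cleanup.sh --run  (with RESOURCE_GROUP, STORAGE_ACCOUNT and CONTAINER set)
if [ "${1:-}" = "--run" ]; then
  cleanup_container "$RESOURCE_GROUP" "$STORAGE_ACCOUNT" "$CONTAINER"
fi
```

Removing the rule after each run also keeps the account well below the 200-rule limit the answer mentions.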
