Azure Functions access to Azure Storage Account Firewall


Problem description

What I want to achieve

Connect to an Azure BLOB storage account that sits behind a firewall through an Azure Function.

Steps taken so far

  1. Azure Function developed and tested against public storage account which works as expected.
  2. Following Azure Resource Explorer for my Azure Function, I find out the outbound addresses ("outboundIpAddresses" entry) and I add them in the firewall of the storage account.

Problem

While trying to run the Azure Function against the storage account with the firewall I am getting a Status: 500 Internal Server Error - This request is not authorized to perform this operation.

What am I missing here?

Recommended answer

You won't be able to achieve what you want here currently. When you hit the storage account from your function, because they are in the same region as each other, all the traffic goes over the internal Azure network on internal IPs, not the public IPs listed in the web app, and so is not allowed over the firewall (I have had this confirmed by Azure support). Because you don't have access to the internal IPs of the function, and even if you did they can change, you can't whitelist them.

If your resources were in different regions, traffic would go over the external IPs and you would have more success.
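
The check below is an added example, not part of the original question or answer. It takes the resource JSON for a Function App and a storage account and reports which outbound IPs the firewall's IP rules miss and whether the two resources share a region, the case the answer says IP rules cannot cover. The sample documents and the function names are constructed; the field names (`outboundIpAddresses`, `networkAcls`, `ipRules`, `defaultAction`) are assumed to follow the ARM resource shape.

```python
import ipaddress

# Constructed sample documents (not real resources), shaped like ARM output.
SITE = {"location": "West Europe", "properties": {
    "outboundIpAddresses": "203.0.113.10,203.0.113.11,198.51.100.7"}}
STORAGE = {"location": "westeurope", "properties": {"networkAcls": {
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}]}}}


def norm_region(name):
    # ARM reports "West Europe" or "westeurope" depending on resource type.
    return name.replace(" ", "").lower()


def diagnose(site, storage):
    """Report whether the storage firewall's IP rules can admit the function."""
    acls = storage["properties"]["networkAcls"]
    # ipRules values are single addresses or CIDR ranges.
    allowed = [ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"]
    outbound = [ip.strip() for ip in
                site["properties"]["outboundIpAddresses"].split(",") if ip.strip()]
    missing = [ip for ip in outbound
               if not any(ipaddress.ip_address(ip) in net for net in allowed)]
    same_region = norm_region(site["location"]) == norm_region(storage["location"])
    return {
        "firewall_on": acls.get("defaultAction") == "Deny",
        "missing_ips": missing,
        "same_region": same_region,
        # Per the answer: same-region traffic arrives from internal addresses,
        # so allow-listing the public outbound IPs cannot match it.
        "ip_rules_sufficient": not same_region and not missing,
    }


if __name__ == "__main__":
    for key, value in diagnose(SITE, STORAGE).items():
        print(f"{key}: {value}")
```

A result with `same_region` true and `missing_ips` empty matches the situation in the question: every listed outbound IP is allowed, yet the request is still rejected.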
