Confusing text in docs regarding creating Azure storage account


Problem description


In this documentation:

https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

It says first that: 

Scenarios

Configure storage accounts to deny access to traffic from all networks (including internet traffic) by default. Then grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications. You can also grant access to public internet IP address ranges, enabling connections from specific internet or on-premises clients.

I understand this as I first deny access from all networks via default rule, then grant access to specific networks via user-defined rules.

Then, further down in the same document it says:

Warning

Making changes to network rules can impact your applications' ability to connect to Azure Storage. Setting the default network rule to deny blocks all access to the data unless specific network rules to grant access are also applied. Be sure to grant access to any allowed networks using network rules before you change the default rule to deny access.

So here it says to grant all first, then deny all.

My problem is that in the portal, when creating a Storage Account, if I choose "None" (default setting) on the "Advanced" tab in the dropdown menu after choosing "Selected Network", I get an error in the validation, see here

If I choose either "All networks" or choose a network in "Selected network" it works fine, then after creation I can go to the "Firewalls and Virtual Networks" and remove the selected network again. That is in my opinion the "Deny all" default rule that the Scenario in the docs is referring to.

And why can I even choose "None" - which is chosen by default - when it's not possible?

Solution

I might be missing something in your explanation, but selecting "Selected networks" automatically applies "Default deny" and allows you to select specific networks that you want to explicitly allow inbound traffic from.

This is the expected behavior.

hth
Marcin
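
The ordering discussed in this thread, as an added example (not code from the thread or from Microsoft's documentation): a pre-change check that lists which required clients would lose access once the default rule becomes Deny. It assumes the rule set has the shape of the `networkRuleSet` object returned by `az storage account show`; all sample values are constructed, and the bypass setting for trusted services is not modeled.

```python
import ipaddress

# Constructed sample values (placeholder subscription id, documentation IP ranges).
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Network/virtualNetworks/vnet-demo/subnets/app")
REQUIRED_CLIENTS = [
    {"name": "app-subnet", "subnet": SUBNET},
    {"name": "office", "ip": "203.0.113.25"},
]
# "All networks": default Allow, no rules yet.
BEFORE_RULES = {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
# Same account after allow rules were added, default still Allow.
WITH_RULES = {
    "defaultAction": "Allow",
    "ipRules": [{"action": "Allow", "ipAddressOrRange": "203.0.113.0/24"}],
    "virtualNetworkRules": [{"action": "Allow", "virtualNetworkResourceId": SUBNET}],
}

def is_allowed(rule_set, client_ip=None, subnet_id=None):
    """Return True if a request from client_ip or subnet_id passes the firewall."""
    if rule_set.get("defaultAction", "Allow") == "Allow":
        return True  # "All networks": nothing is filtered
    # Default is Deny ("Selected networks"): only explicit allow rules match.
    if subnet_id is not None:
        for rule in rule_set.get("virtualNetworkRules", []):
            if rule["virtualNetworkResourceId"].lower() == subnet_id.lower():
                return True
    if client_ip is not None:
        addr = ipaddress.ip_address(client_ip)
        for rule in rule_set.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["ipAddressOrRange"], strict=False):
                return True
    return False

def blocked_after_deny(rule_set, required_clients):
    """List the required clients that would lose access once the default is Deny."""
    planned = dict(rule_set, defaultAction="Deny")
    return [c["name"] for c in required_clients
            if not is_allowed(planned, c.get("ip"), c.get("subnet"))]

if __name__ == "__main__":
    # Flipping to Deny before adding rules cuts off every client.
    print("deny first:", blocked_after_deny(BEFORE_RULES, REQUIRED_CLIENTS))
    # Adding the allow rules first leaves nobody blocked after the flip.
    print("rules first:", blocked_after_deny(WITH_RULES, REQUIRED_CLIENTS))
```

An empty result from `blocked_after_deny` means the default rule can be switched to Deny without cutting off any of the listed clients.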

