Unable to connect Azure Function with Azure SQL using private endpoint


Problem description


I've created a SQL Server and then created a private link with my TESTVNET/SUBNET1 with private IP 10.1.1.4. I've now disabled Public access for the SQL server.


I have an Azure function running on App Service which I've VNET integrated with VNET/SUBNET2. Subnet 2 shows it's delegated to server farms. (Also, if someone can explain what "delegated to" means: I found I cannot create any VM in that subnet either; probably it just can't be used for any other purpose.)


Now when my Azure function tries to connect to the DB, it fails with the error below:


2020-08-30T15:25:45.216 [Error] Unhandled rejection SequelizeAccessDeniedError: Cannot open server "10.1.1.4" requested by the login. The login failed. However, if I give the public FQDN it gives me the error below.

2020-08-30T15:29:43.654 [Error] Unhandled rejection SequelizeAccessDeniedError: Reason: An instance-specific error occurred while establishing a connection to SQL Server. The public network interface on this server is not accessible. To connect to this server, use the Private Endpoint from inside your virtual network.


Here the private DNS zone created by the private endpoint should ideally have been used to get the private IP of the SQL database, but it seems the function is not using the private DNS, probably because it is not running in an isolated environment.


Now in my Azure function Application settings, I've added WEBSITE_VNET_ROUTE_ALL=1, which should mean that all the requests should be routed to the VNET. So now, if I enable public internet access and allow Azure services to access the DB (I think Azure added the public IP by default), the function gets connected to the DB. Now I want to understand where I'm going wrong and why the private endpoint connection is not working. Any help is appreciated.


In the DB firewall settings, I've allowed traffic from the two subnets below. Network configuration:

TESTVNET : 10.1.0.0/16

SUBNET 1 : 10.1.1.0/24

SUBNET 2 : 10.1.2.0/24


I've disabled the service endpoint for SQL in both SUBNET 1 and SUBNET 2. My NSG has default settings, i.e. AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound. Since my private link has a private IP present in the same VNET, I don't think the NSG should have any impact.


New to Azure, testing things out. Thank you for your patience.

Recommended answer


To make Azure Function connect to a private endpoint you will need to use VNET integration.


After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones you need to add the following app settings:

WEBSITE_DNS_SERVER with value 168.63.129.16
WEBSITE_VNET_ROUTE_ALL with value 1


These settings will send all of your outbound calls from your app into your VNet in addition to enabling your app to use Azure DNS private zones. Reference here.


Then you could set up Private Link for Azure SQL Database. You can create an Azure VM in a new subnet in the same VNet to check connectivity using SQL Server Management Studio (SSMS). If you enable the private endpoint, you should get a client private IP from that Azure VM when connecting to the Azure SQL database with its FQDN.


For more information, you could read about private endpoint vs. service endpoint in this blog.
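The answer above boils down to two checks: the Function App must carry both app settings, and the SQL server's FQDN must resolve, from inside the app, to the private endpoint's NIC address rather than to a public address. The following Python script is an added example written for this page, not code from the question, the answer or Microsoft; it encodes those two checks as a small diagnostic that a reviewer can run against the app settings exported from the portal and the address returned by a name lookup performed from the app (for example the `nameresolver` tool in the Kudu console on Windows plans). The server name `example-sqlserver.database.windows.net` and the public address `203.0.113.10` are constructed placeholders; the VNet range `10.1.0.0/16` and the private endpoint IP `10.1.1.4` are the values given in the question.

```python
import ipaddress
from typing import Dict, List

# App settings the answer says a VNet-integrated Function App needs before it
# resolves names through Azure DNS private zones and routes all egress into
# the VNet.
REQUIRED_APP_SETTINGS = {
    "WEBSITE_DNS_SERVER": "168.63.129.16",  # Azure-provided DNS reachable inside the VNet
    "WEBSITE_VNET_ROUTE_ALL": "1",           # send all outbound calls into the VNet
}


def check_app_settings(app_settings: Dict[str, str]) -> List[str]:
    """Return one finding per required setting that is missing or has the wrong value."""
    findings: List[str] = []
    for key, expected in REQUIRED_APP_SETTINGS.items():
        actual = app_settings.get(key)
        if actual is None:
            findings.append(f"missing app setting {key} (expected {expected})")
        elif str(actual).strip() != expected:
            findings.append(f"app setting {key} is {actual!r}, expected {expected!r}")
    return findings


def check_resolution(sql_fqdn: str, resolved_ip: str, vnet_cidr: str,
                     private_endpoint_ip: str) -> List[str]:
    """Check that the SQL FQDN resolves to the private endpoint NIC inside the VNet.

    A public address here means the app is still using public DNS; with public
    access disabled on the server that produces the 'public network interface
    on this server is not accessible' error quoted in the question.
    """
    findings: List[str] = []
    ip = ipaddress.ip_address(resolved_ip)
    vnet = ipaddress.ip_network(vnet_cidr)
    if ip not in vnet:
        findings.append(
            f"{sql_fqdn} resolves to {resolved_ip}, outside VNet {vnet_cidr}: "
            "the private DNS zone is not being used, so the app is hitting the public interface"
        )
    elif resolved_ip != private_endpoint_ip:
        findings.append(
            f"{sql_fqdn} resolves to {resolved_ip} inside the VNet, "
            f"but the private endpoint NIC is {private_endpoint_ip}"
        )
    return findings


def diagnose(app_settings: Dict[str, str], sql_fqdn: str, resolved_ip: str,
             vnet_cidr: str, private_endpoint_ip: str) -> List[str]:
    """Combine both checks; an empty list means the setup matches the answer."""
    return check_app_settings(app_settings) + check_resolution(
        sql_fqdn, resolved_ip, vnet_cidr, private_endpoint_ip)


# Constructed sample data mirroring the question (values from the question where it gives them).
VNET_CIDR = "10.1.0.0/16"
PRIVATE_ENDPOINT_IP = "10.1.1.4"
SQL_FQDN = "example-sqlserver.database.windows.net"  # placeholder server name

# "Before": only WEBSITE_VNET_ROUTE_ALL set, and the FQDN still resolves publicly.
BEFORE_SETTINGS = {"WEBSITE_VNET_ROUTE_ALL": "1"}
BEFORE_RESOLVED = "203.0.113.10"  # constructed public address (RFC 5737 documentation range)

# "After": both settings present, FQDN resolves to the private endpoint NIC.
AFTER_SETTINGS = {"WEBSITE_DNS_SERVER": "168.63.129.16", "WEBSITE_VNET_ROUTE_ALL": "1"}
AFTER_RESOLVED = PRIVATE_ENDPOINT_IP

if __name__ == "__main__":
    for label, settings, resolved in (("before", BEFORE_SETTINGS, BEFORE_RESOLVED),
                                      ("after", AFTER_SETTINGS, AFTER_RESOLVED)):
        findings = diagnose(settings, SQL_FQDN, resolved, VNET_CIDR, PRIVATE_ENDPOINT_IP)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the "before" state the script reports the missing WEBSITE_DNS_SERVER setting and the public resolution; against the "after" state it reports nothing. Note that connecting by the raw private IP, as in the first error in the question, is not a substitute for fixing resolution: the Azure SQL gateway routes on the server name carried in the login, which is why that attempt fails with "Cannot open server ... requested by the login" even when the address itself is reachable.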
