Azure Functions: Getting 403 error while accessing the storage account

Problem description

I have been using an Azure timer-based function in my project. Since I started using the function, I have been getting a 403 error related to access forbidden from the Azure storage account.

- I tried adding the AzureWebJobsStorage key in the function's configuration.
- I tried adding the outbound IPs to the allowed IP ranges of the Azure storage account.
- I tried checking the option of allowing Azure managed services to the storage account.

However, I'm still getting the error in that particular timer function of my function app. The other functions run properly.

Although, if I allow all the networks in the storage account firewall and VN settings, my function runs properly.

Both the function and the storage account are in the same region.

I want to enable it in some way so that I do not need to choose the allow all networks option. What can be done?

Recommended answer

In case anyone else is searching for this... I had a similar issue. I had a function app for which I had created a private endpoint and regional VNet integration back with the VNet, interacting with a Storage Account that also had a private endpoint with the same VNet. The Storage Account's network/firewall settings only allowed connections from the VNet (no external traffic allowed). Both the storage account and function app reside in the same region.

Attempted fix #1 (not ideal):

I added code to determine what IP the function app was running from. That led me to add all of the IPs in the portal under function app --> Properties --> Additional Outbound IP Addresses. This is exposed by Terraform if using that.

Attempted fix #2 (better):

The resolution is to ensure you have the proper function app settings set.

See: Microsoft documentation

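| Setting | Suggested value | Description |
| --- | --- | --- |
| WEBSITE_CONTENTOVERVNET | 1 | Create this app setting. A value of 1 enables your function app to scale when you have your storage account restricted to a virtual network. |
| WEBSITE_DNS_SERVER | 168.63.129.16 | Create this app setting. When your app integrates with a virtual network, it will use the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when using private endpoints. This setting and WEBSITE_VNET_ROUTE_ALL will send all outbound calls from your app into your virtual network. |
| WEBSITE_VNET_ROUTE_ALL | 1 | Create this app setting. When your app integrates with a virtual network, it uses the same DNS server as the virtual network. Your function app needs this setting so it can work with Azure DNS private zones. It's required when using private endpoints. This setting and WEBSITE_DNS_SERVER will send all outbound calls from your app into your virtual network. |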

Note: 168.63.129.16 is a static value for Azure DNS.

After setting all of these, my function app was able to connect to the storage account through the VNet as expected.
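
An added example, not part of the original answer or of Microsoft's documentation: a Python check of the three settings from the table against the JSON array printed by `az functionapp config appsettings list`, plus a test of whether the addresses a storage hostname resolved to are private. The function names, the sample data and the assumption that the VNet uses RFC 1918 address space are this example's own.

```python
import ipaddress
import json

# Settings and suggested values taken from the table in the answer above.
REQUIRED = {
    "WEBSITE_CONTENTOVERVNET": "1",
    "WEBSITE_DNS_SERVER": "168.63.129.16",
    "WEBSITE_VNET_ROUTE_ALL": "1",
}
# Assumption: the VNet (and so the private endpoint) uses RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_app_settings(settings_json):
    """Return {name: problem} for each required setting that is missing or wrong.

    settings_json is the JSON array of {"name", "value", ...} objects
    printed by `az functionapp config appsettings list`.
    """
    current = {s["name"]: str(s.get("value", "")).strip()
               for s in json.loads(settings_json)}
    problems = {}
    for name, expected in REQUIRED.items():
        if name not in current:
            problems[name] = "missing"
        elif current[name] != expected:
            problems[name] = f"is {current[name]!r}, expected {expected!r}"
    return problems

def resolves_privately(addresses):
    """True only if the hostname resolved and every address is in RFC 1918 space.

    A public address means the name did not resolve through the private DNS
    zone, so the request goes to the storage account's public endpoint.
    """
    ips = [ipaddress.ip_address(a) for a in addresses]
    return bool(ips) and all(any(ip in net for net in RFC1918) for ip in ips)

# Constructed sample: one required setting absent, one with the wrong value.
SAMPLE = json.dumps([
    {"name": "AzureWebJobsStorage", "slotSetting": False, "value": "<redacted>"},
    {"name": "WEBSITE_CONTENTOVERVNET", "slotSetting": False, "value": "1"},
    {"name": "WEBSITE_VNET_ROUTE_ALL", "slotSetting": False, "value": "0"},
])

if __name__ == "__main__":
    for name, problem in audit_app_settings(SAMPLE).items():
        print(f"{name}: {problem}")
    # Constructed addresses: a private-endpoint style IP and a documentation IP.
    print(resolves_privately(["10.0.1.5"]), resolves_privately(["203.0.113.10"]))
```

Run the lookup whose result feeds `resolves_privately` from inside the function app itself, since that is where WEBSITE_DNS_SERVER takes effect.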
