如何通过 ARM 模板在 StorageAccount 中设置选定的网络

How to set selected networks in StorageAccount via ARM Template

我有以下 ARM 模板来生成存储帐户并添加现有虚拟网络:

   {
      "name": "test0deep0123",
      "type": "Microsoft.Storage/storageAccounts",
      "location": "West Europe",
      "apiVersion": "2018-11-01",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "firewallState": "Enabled",
        "virtualNetworkRules": [
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetId"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          }

        "networkAcls": {
          "bypass": "AzureServices",
          "virtualNetworkRules": [
            {
              "id": "id",
              "action": "Allow",
              "state": "succeeded"
            },
            {
              "id": "id",
              "action": "Allow",
              "state": "succeeded"
            }
          ],
          "ipRules": [],
          "defaultAction": "Allow"
        },
        "supportsHttpsTrafficOnly": false,
        "encryption": {
          "services": {
            "file": {
              "enabled": true
            },
            "blob": {
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot"
      }
    }

我可以在资源组中成功部署此模板,但在控制“防火墙和虚拟网络”后我看到,允许访问设置为所有网络,尽管在选定的网络下我可以看到添加的虚拟网络

检查 "selected networks" 我应该做什么?

问题是,如果您将 virtualNetworkRules 设置为 allow,那么 defaultAction 需要设置为 Deny,因此您会将 select 列入白名单]ed 存储帐户防火墙中的虚拟网络。

在这种情况下,您可以 select 您现有的虚拟网络(enable the storage account service endpoint)ID 到段落 networkAcls 并更改 "defaultAction": "Deny"。此外,virtualNetworkRules 属于 networkAcls 而不是存储帐户的属性。

我可以使用以下模板。

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
            "virtualNetworks_vnet1": {
            "defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/vnet",
            "type": "string"
        },
            "virtualNetworks_vnet2": {
            "defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/mytestvnet1",
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2018-11-01",
            "name": "test0deep01234",
            "location": "Central US",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [
                        {
                            "id": "[concat(parameters('virtualNetworks_vnet1'), '/subnets/default')]",
                            "action": "Allow"

                        },
                         {
                            "id": "[concat(parameters('virtualNetworks_vnet2'), '/subnets/default')]",
                            "action": "Allow"

                        }
                    ],
                    "ipRules": [],
                    "defaultAction": "Deny"
                },
                "supportsHttpsTrafficOnly": false,
                "encryption": {
                    "services": {
                        "file": {
                            "enabled": true
                        },
                        "blob": {
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Hot"
            }
        }
    ]
}

参考:Microsoft.Storage storageAccounts template reference

我认为您需要添加 属性 publicNetworkAccess 并将其设置为 Disabled

希望这有帮助吗?