Issues trying to add VNET Service Endpoints in ARM Template
I currently have an ARM template that deploys a virtual network with a subnet, plus an Azure SQL Database instance.
The core resources relating to the subnet and the SQL firewall rules are:
{
  "name": "MyVirtualNetwork",
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2019-11-01",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
  ],
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "Client-Subnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
          }
        }
      }
    ]
  }
},
{
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "apiVersion": "2019-11-01",
  "name": "NDC-VirtualNetwork/Client-Subnet",
  "properties": {
    "addressPrefix": "10.0.0.0/24"
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', 'NDC-VirtualNetwork')]"
  ]
}
and
{
  "type": "firewallRules",
  "apiVersion": "2015-05-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
  ],
  "location": "[resourceGroup().location]",
  "name": "AllowAllWindowsAzureIps",
  "properties": {
    "startIpAddress": "0.0.0.0",
    "endIpAddress": "0.0.0.0"
  }
},
{
  "type": "firewallRules",
  "apiVersion": "2015-05-01-preview",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
  ],
  "location": "[resourceGroup().location]",
  "name": "ClientIP",
  "properties": {
    "startIpAddress": "[parameters('clientIP')]",
    "endIpAddress": "[parameters('clientIP')]"
  }
}
I now want to update the template so that a VNET service endpoint from that subnet is allowed to reach SQL, and remove the "AllowAllWindowsAzureIPs" and "ClientIP" firewall rules.
To do this I removed the two firewallRules resources from the SQL resource and added the following:
{
  "name": "[concat(variables('uniqueSQLName'), '-Client-Subnet')]",
  "type": "virtualNetworkRules",
  "apiVersion": "2015-05-01-preview",
  "properties": {
    "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'NDC-VirtualNetwork', 'Client-Subnet')]",
    "ignoreMissingVnetServiceEndpoint": true
  },
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
  ]
}
Then I updated the network resources to:
{
  "name": "MyVirtualNetwork",
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2019-11-01",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
  ],
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "Client-Subnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
          },
          "serviceEndpoints": [
            {
              "service": "Microsoft.Sql",
              "locations": [
                "australiaeast"
              ]
            }
          ]
        }
      }
    ]
  }
},
{
  "type": "Microsoft.Network/serviceEndpointPolicies",
  "apiVersion": "2019-11-01",
  "name": "AllowVNETtoSQL",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', 'MyVirtualNetwork')]",
    "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
  ],
  "properties": {
    "serviceEndpointPolicyDefinitions": [
      {
        "name": "AllowVNETtoSQLPolicy",
        "properties": {
          "service": "Microsoft.Sql",
          "serviceResources": [
            "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
          ]
        }
      }
    ]
  }
},
{
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "apiVersion": "2019-11-01",
  "name": "MyVirtualNetwork/Client-Subnet",
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks','MyVirtualNetwork')]",
    "[resourceId('Microsoft.Network/serviceEndpointPolicies','AllowVNETtoSQL')]"
  ],
  "properties": {
    "addressPrefix": "10.0.0.0/24",
    "serviceEndpointPolicies": [
      {
        "id": "[resourceId('Microsoft.Network/serviceEndpointPolicies','AllowVNETtoSQL')]"
      }
    ],
    "serviceEndpoints": [
      {
        "service": "Microsoft.Sql",
        "locations": [
          "australiaeast"
        ]
      }
    ]
  }
}
I get two errors from this change:
- Azure SQL Server virtual network rule encountered a user error: The operation cannot proceed because the subnet Client-Subnet of virtual network /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/MyVirtualNetwork is not provisioned. It is in Updating state.
- Service endpoint policy definition /subscriptions//resourceGroups//providers/Microsoft.Network/serviceEndpointPolicies/AllowVNETtoSQL/serviceEndpointPolicyDefinitions/AllowVNETtoSQLPolicy references an invalid service name Microsoft.Sql. Supported service names are: Microsoft.Storage, Microsoft.Sql, Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.Web, Microsoft.NetworkServiceEndpointTest, Microsoft.KeyVault, Microsoft.EventHub, Microsoft.ServiceBus, Microsoft.ContainerRegistry, Microsoft.CognitiveServices, Global. (Code: ServiceEndpointPolicyDefinitionHasServiceWithInvalidServiceName)
My questions are as follows:
- Can anyone explain the second error, which states that Microsoft.Sql is invalid but then lists it as a supported service name?
- What dependency am I missing for the service endpoint to finish deploying? I already have the SQL virtual network rule and the property
"ignoreMissingVnetServiceEndpoint": true
My understanding of this is that the SQL resource would create the service endpoint firewall rule OK and skip any check of the subnet state, and the subnet would then happily transition to the enabled state and allow future connections.
For point 1: add a dependency to the failing resource so that it depends on the resource it needs, and the error should go away.
2. Not sure; my guess is invisible characters or something similar. Try copy/pasting from the error text.
For your question: you don't need anything to enable service endpoints. Just create them and then you can use them. The ignore setting should work exactly as you think.
Regarding question 1, based on my research, Azure service endpoint policies currently only support the Azure Storage service. For details, please refer to here and here.
Regarding question 2, we need to wait until the vnet and subnet have been created successfully before creating the vnet firewall rule. Please update your template as follows:
{
  "name": "MyVirtualNetwork",
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2019-11-01",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
  ],
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "Client-Subnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24",
          "serviceEndpoints": [
            {
              "service": "Microsoft.Sql",
              "locations": [
                "southeastasia"
              ]
            }
          ],
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
          }
        }
      }
    ]
  }
},
{
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "apiVersion": "2019-11-01",
  "name": "NDC-VirtualNetwork/Client-Subnet",
  "properties": {
    "addressPrefix": "10.0.0.0/24",
    "serviceEndpoints": [
      {
        "service": "Microsoft.Sql",
        "locations": [
          ""
        ]
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', 'NDC-VirtualNetwork')]"
  ]
},
{
  "type": "Microsoft.Sql/servers/virtualNetworkRules",
  "apiVersion": "2015-05-01-preview",
  "name": "[concat(parameters('uniqueSQLName'), '/newVnetRule1')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', parameters('uniqueSQLName'))]",
    "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'NDC-VirtualNetwork', 'Client-Subnet')]"
  ],
  "properties": {
    "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'NDC-VirtualNetwork', 'Client-Subnet')]",
    "ignoreMissingVnetServiceEndpoint": true
  }
}
In addition, the setting ignoreMissingVnetServiceEndpoint is used to tell the Azure server whether to check that the subnet has the service endpoint enabled. But please note that you need to turn on the VNet service endpoint before enforcing this rule. For details, please refer to the document.
So, I got it working as follows:
For the virtualNetworkRules, I added a dependency on the subnet:
{
  "type": "Microsoft.Sql/servers/virtualNetworkRules",
  "apiVersion": "2015-05-01-preview",
  "name": "[concat(variables('uniqueSQLName'), '/ClientSubnet')]",
  "dependsOn": [
    "[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]",
    "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'MyVirtualNetwork', 'Client-Subnet')]"
  ],
  "properties": {
    "virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'MyVirtualNetwork', 'Client-Subnet')]",
    "ignoreMissingVnetServiceEndpoint": true
  }
}
Then I updated the virtual network to:
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2020-05-01",
  "name": "MyVirtualNetwork",
  "location": "[resourceGroup().location]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
  ],
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "Client-Subnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
          },
          "serviceEndpoints": [
            {
              "service": "Microsoft.Sql",
              "locations": [
                "[resourceGroup().location]"
              ]
            }
          ],
          "PrivateEndpointNetworkPolicies": "Disabled",
          "PrivateLinkServiceNetworkPolicies": "Disabled"
        }
      }
    ]
  }
}
and included a subnet resource:
{
  "type": "Microsoft.Network/virtualNetworks/subnets",
  "apiVersion": "2020-05-01",
  "name": "[concat('MyVirtualNetwork', '/Client-Subnet')]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', 'MyVirtualNetwork')]",
    "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
  ],
  "properties": {
    "addressPrefix": "10.0.0.0/24",
    "networkSecurityGroup": {
      "id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
    },
    "serviceEndpoints": [
      {
        "service": "Microsoft.Sql",
        "locations": [
          "[resourceGroup().location]"
        ]
      }
    ],
    "PrivateEndpointNetworkPolicies": "Disabled",
    "PrivateLinkServiceNetworkPolicies": "Disabled"
  }
}
With that configuration everything seems happy.
Note - I also changed the API versions of some of these resources - not sure whether that also had an effect.
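As an added example (not code from the question or from either answer), here is a small Python lint that checks an ARM template for the two things this thread turns on before anything is deployed: a firewallRules entry with start and end address 0.0.0.0 (the sentinel Azure SQL uses for "allow Azure services and resources to access this server", which admits traffic from any Azure-hosted source, not just your own), and virtualNetworkRules whose referenced subnet is either missing from the rule's dependsOn (the "subnet is not provisioned / Updating state" failure above) or never declares the Microsoft.Sql service endpoint. The embedded templates, the example-sql server name and the finding codes are constructed for this example. Only literal resourceId('type', 'name', ...) references are resolved; names built with concat() or variables() are reported as unparseable rather than guessed.

```python
import json
import re

# Literal resourceId('<type>', '<seg>', ...) inside an ARM expression. Expression-valued
# segments such as variables('x') are deliberately not resolved and yield None.
_RESOURCE_ID_RE = re.compile(r"resourceId\(\s*'([^']+)'((?:\s*,\s*'[^']*')*)\s*\)")


def parse_resource_id(expr):
    """Return (type, [name segments]) for a literal resourceId() expression, else None."""
    match = _RESOURCE_ID_RE.search(expr or "")
    if not match:
        return None
    return match.group(1), re.findall(r"'([^']*)'", match.group(2))


def iter_resources(resources, parent_type=None):
    """Yield (full_type, resource) for top-level resources and nested child resources.
    A nested child declared with a short type ('firewallRules') gets its parent's type prefixed."""
    for res in resources:
        rtype = res.get("type", "")
        full_type = rtype if ("/" in rtype or parent_type is None) else f"{parent_type}/{rtype}"
        yield full_type, res
        yield from iter_resources(res.get("resources", []), full_type)


def _has_sql_endpoint(subnet_props):
    return any(ep.get("service") == "Microsoft.Sql" for ep in subnet_props.get("serviceEndpoints", []))


def subnets_with_sql_endpoint(template):
    """Set of (vnet, subnet) pairs declaring a Microsoft.Sql service endpoint, whether the subnet
    is inline in the virtualNetworks resource or a separate virtualNetworks/subnets resource."""
    found = set()
    for full_type, res in iter_resources(template.get("resources", [])):
        props = res.get("properties", {})
        if full_type == "Microsoft.Network/virtualNetworks":
            for sn in props.get("subnets", []):
                if _has_sql_endpoint(sn.get("properties", {})):
                    found.add((res.get("name"), sn.get("name")))
        elif full_type == "Microsoft.Network/virtualNetworks/subnets":
            name = res.get("name", "")
            if "/" in name and not name.startswith("[") and _has_sql_endpoint(props):
                found.add(tuple(name.split("/", 1)))
    return found


def lint_template(template):
    """Return a list of (finding, resource name) tuples; an empty list means nothing was flagged."""
    findings = []
    sql_subnets = subnets_with_sql_endpoint(template)
    for full_type, res in iter_resources(template.get("resources", [])):
        props = res.get("properties", {})
        name = res.get("name")
        if full_type == "Microsoft.Sql/servers/firewallRules":
            # 0.0.0.0-0.0.0.0 is the sentinel for "allow Azure services and resources to access this server".
            if props.get("startIpAddress") == "0.0.0.0" and props.get("endIpAddress") == "0.0.0.0":
                findings.append(("ALLOW_ALL_AZURE_IPS", name))
        elif full_type == "Microsoft.Sql/servers/virtualNetworkRules":
            ref = parse_resource_id(props.get("virtualNetworkSubnetId", ""))
            if ref is None or ref[0] != "Microsoft.Network/virtualNetworks/subnets" or len(ref[1]) != 2:
                findings.append(("UNPARSEABLE_SUBNET_ID", name))
                continue
            deps = {(d[0], tuple(d[1])) for d in map(parse_resource_id, res.get("dependsOn", [])) if d}
            if (ref[0], tuple(ref[1])) not in deps:
                findings.append(("MISSING_SUBNET_DEPENDENCY", name))
            if tuple(ref[1]) not in sql_subnets:
                findings.append(("SUBNET_LACKS_SQL_ENDPOINT", name))
    return findings


def lint_json(text):
    """Wrapper for a template read from disk: lint_json(open('azuredeploy.json').read())."""
    return lint_template(json.loads(text))


# Constructed sample inputs modelled on the question; 'example-sql' is a placeholder server name.
SUBNET_ID = "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'MyVirtualNetwork', 'Client-Subnet')]"
BROKEN_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "MyVirtualNetwork",
     "properties": {"subnets": [{"name": "Client-Subnet", "properties": {"addressPrefix": "10.0.0.0/24"}}]}},
    {"type": "Microsoft.Sql/servers", "name": "example-sql", "resources": [
        {"type": "firewallRules", "name": "AllowAllWindowsAzureIps",
         "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"}},
        {"type": "virtualNetworkRules", "name": "example-sql-Client-Subnet",
         "dependsOn": ["[resourceId('Microsoft.Sql/servers', 'example-sql')]"],
         "properties": {"virtualNetworkSubnetId": SUBNET_ID, "ignoreMissingVnetServiceEndpoint": True}}]}]}
FIXED_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "MyVirtualNetwork",
     "properties": {"subnets": [{"name": "Client-Subnet", "properties": {
         "addressPrefix": "10.0.0.0/24", "serviceEndpoints": [{"service": "Microsoft.Sql"}]}}]}},
    {"type": "Microsoft.Sql/servers/virtualNetworkRules", "name": "example-sql/ClientSubnet",
     "dependsOn": ["[resourceId('Microsoft.Sql/servers', 'example-sql')]", SUBNET_ID],
     "properties": {"virtualNetworkSubnetId": SUBNET_ID, "ignoreMissingVnetServiceEndpoint": True}}]}

if __name__ == "__main__":
    print("broken:", lint_template(BROKEN_TEMPLATE))
    print("fixed:", lint_template(FIXED_TEMPLATE))
```

Run against the question's shape of template, the lint reports the broad 0.0.0.0 rule plus the missing subnet dependency and missing endpoint on the VNet rule; against the shape of the final working template it reports nothing. Wiring lint_json into template CI catches the dependency ordering problem at validation time instead of as a failed deployment, and keeps the "allow all Azure IPs" rule from quietly surviving the migration to subnet-scoped rules.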