Application gateway app service access restriction
I have implemented an Application Gateway in Azure using terraform.
My terraform code builds a vnet, an application gateway, a subnet, an app service and an app service plan.
Everything works, and I can reach the app service through the application gateway public IP. The only problem is that I can also reach the app service from its own endpoint. I want to restrict this access so that it is only possible through my application gateway, so if someone tries to reach the app service directly they should get a 403 error.
After some research I managed to do this from Portal >> App Service >> Networking,
but I want to automate this process using terraform. This is where I am stuck,
because the only source I found refers to "azurerm_app_service_slot_virtual_network_swift_connection", but that resource needs an app service slot, which I don't want or need.
What I want to know is: how do I enforce a network access restriction on the app service?
Here is my code and how I build my infrastructure:
networking.tf
locals {
  cidr_block = "<cidr>"
  subnets = {
    frontend = cidrsubnet(local.cidr_block, 8, 0)
  }
}
#########################################
# RESOURCE GROUP
#########################################
resource "azurerm_resource_group" "example" {
  name     = "rg-hri-prd-app-gateway"
  location = "West US"
}
#########################################
# VIRTUAL NETWORK
#########################################
resource "azurerm_virtual_network" "example" {
  name                = "hri-prd-vnet"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = [local.cidr_block]
}
#########################################
# SUBNETS
#########################################
resource "azurerm_subnet" "example" {
  count                = length(keys(local.subnets))
  name                 = keys(local.subnets)[count.index]
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = [local.subnets[keys(local.subnets)[count.index]]]
  service_endpoints    = ["Microsoft.Web"]
  delegation {
    name = "my-access-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}
resource "azurerm_app_service_virtual_network_swift_connection" "appservice-subnet" {
  count          = length(azurerm_app_service.example)
  app_service_id = azurerm_app_service.example[count.index].id
  subnet_id      = azurerm_subnet.example[count.index].id
}
app.tf
locals {
  app_services = [
    {
      kind = "Linux"
      sku = {
        tier = "Standard"
        size = "S1"
      }
    }
  ]
}
#########################################
# APP SERVICE PLAN
#########################################
resource "azurerm_app_service_plan" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-asp"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = local.app_services[count.index].kind
  reserved            = true
  sku {
    tier = local.app_services[count.index].sku.tier
    size = local.app_services[count.index].sku.size
  }
}
#########################################
# APP SERVICE
#########################################
resource "azurerm_app_service" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-appservice"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example[count.index].id
}
gateway.tf
locals {
  backend_probe_name = "${azurerm_virtual_network.example.name}-health"
  http_setting_name  = "${azurerm_virtual_network.example.name}-htst"
  public_ip_name     = "${azurerm_virtual_network.example.name}-public"
}
#########################################
# AZURE PUBLIC IP
#########################################
resource "azurerm_public_ip" "example" {
  name                = local.public_ip_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  allocation_method   = "Dynamic"
}
#########################################
# APPLICT
#########################################
resource "azurerm_application_gateway" "network" {
  depends_on          = [azurerm_public_ip.example]
  name                = "hri-prd-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku {
    name     = "Standard_Small"
    tier     = "Standard"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.example.0.id
  }
  dynamic "frontend_port" {
    for_each = azurerm_app_service.example
    content {
      name = "${azurerm_virtual_network.example.name}-${frontend_port.value.name}-feport"
      port = "808${frontend_port.key}"
    }
  }
  frontend_ip_configuration {
    name                 = "${azurerm_virtual_network.example.name}-feip"
    public_ip_address_id = azurerm_public_ip.example.id
  }
  dynamic "backend_address_pool" {
    for_each = azurerm_app_service.example
    content {
      name  = "${azurerm_virtual_network.example.name}-${backend_address_pool.value.name}-beap"
      fqdns = [backend_address_pool.value.default_site_hostname]
    }
  }
  probe {
    name                                      = local.backend_probe_name
    protocol                                  = "Http"
    path                                      = "/"
    interval                                  = 30
    timeout                                   = 120
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
    match {
      body        = "Welcome"
      status_code = [200, 399]
    }
  }
  backend_http_settings {
    name                                = local.http_setting_name
    probe_name                          = local.backend_probe_name
    cookie_based_affinity               = "Disabled"
    path                                = "/"
    port                                = 80
    protocol                            = "Http"
    request_timeout                     = 120
    pick_host_name_from_backend_address = true
  }
  dynamic "http_listener" {
    for_each = azurerm_app_service.example
    content {
      name                           = "${azurerm_virtual_network.example.name}-${http_listener.value.name}-httplstn"
      frontend_ip_configuration_name = "${azurerm_virtual_network.example.name}-feip"
      frontend_port_name             = "${azurerm_virtual_network.example.name}-${http_listener.value.name}-feport"
      protocol                       = "Http"
    }
  }
  dynamic "request_routing_rule" {
    for_each = azurerm_app_service.example
    content {
      name                       = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-rqrt"
      rule_type                  = "Basic"
      http_listener_name         = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-httplstn"
      backend_address_pool_name  = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-beap"
      backend_http_settings_name = local.http_setting_name
    }
  }
}
If anyone can help me understand how to achieve this using terraform, please help.
Edit:
I updated my networking code with azure_app_service_network_swift_connection, but when I run terraform I get the following error:
Error: creating/updating Application Gateway: (Name "hri-prd-appgateway" / Resource Group "rg-hri-prd-app-gateway"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceNotPermittedOnDelegatedSubnet" Message="Resource /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/applicationGateways/hri-prd-appgateway cannot be created in or updated to use the subnet /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/virtualNetworks/hri-prd-vnet/subnets/frontend since it has delegation(s) [Microsoft.Web/serverFarms: /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/virtualNetworks/hri-prd-vnet/subnets/frontend/delegations/my-access-delegation] to external services." Details=[]
on gateway.tf line 22, in resource "azurerm_application_gateway" "network":
22: resource "azurerm_application_gateway" "network" {
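The restriction the question asks for (App Service reachable only from the Application Gateway, 403 for direct hits), expressed in terraform as an added example that is not the poster's code: it assumes a second, undelegated subnet named "gateway" for the Application Gateway, since the ResourceNotPermittedOnDelegatedSubnet error shows the gateway cannot share the Microsoft.Web/serverFarms-delegated "frontend" subnet used by the swift connection, and it uses the azurerm provider 2.x ip_restriction block of azurerm_app_service.

```hcl
# Added example, not the original poster's configuration. Assumes a dedicated
# "gateway" subnet (hypothetical name) for the Application Gateway.
resource "azurerm_subnet" "gateway" {
  name                 = "gateway"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = [cidrsubnet(local.cidr_block, 8, 1)]
  # A Microsoft.Web service endpoint is what lets App Service identify
  # traffic as coming from this subnet, so the subnet rule below can match.
  service_endpoints = ["Microsoft.Web"]
  # No delegation block: Application Gateway requires an undelegated subnet.
}

resource "azurerm_app_service" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-appservice"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example[count.index].id

  site_config {
    # Allow only the gateway subnet. Once at least one Allow rule exists,
    # App Service appends an implicit Deny-all, so requests sent straight to
    # the default hostname are answered with 403.
    ip_restriction {
      name                      = "allow-appgw-subnet"
      priority                  = 100
      action                    = "Allow"
      virtual_network_subnet_id = azurerm_subnet.gateway.id
    }
  }
}
```

With this in place, gateway_ip_configuration.subnet_id in the Application Gateway must point at azurerm_subnet.gateway.id instead of the delegated frontend subnet; the existing swift connection to the "frontend" subnet is unaffected. A quick check after apply is a request to the App Service's default hostname from outside the VNet, which should return 403 while the same path through the gateway's public IP still returns 200.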