Azure Terraform Web App 专用终结点虚拟网络
Azure Terraform Web App private Endpoint virtual network
我正在尝试自动部署 azure 虚拟网络和 azure web 应用程序。
在部署这些资源的过程中,一切都很顺利,没有出现任何错误。所以我想尝试在网络应用程序上激活 private endpoint。这是我在 terraform 上的配置。
resource "azurerm_virtual_network" "demo-vnet" {
name = "virtual-network-test"
address_space = ["10.100.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.rg-testing-env.name
}
resource "azurerm_subnet" "front_end" {
name = "Front_End-Subnet"
address_prefixes = ["10.100.5.0/28"]
virtual_network_name = azurerm_virtual_network.demo-vnet.name
resource_group_name = azurerm_resource_group.rg-testing-env.name
delegation {
name = "testing-frontend"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
并且在 Web 应用本身上,我设置了这个配置
resource "azurerm_app_service_virtual_network_swift_connection" "web-app-vnet" {
app_service_id = azurerm_app_service.app-test.example.id
subnet_id = azurerm_subnet.front_end.id
}
注意:在我的第一次部署中,swift 失败了,因为我没有在虚拟网络上进行委派,所以我必须在子网上添加委派才能 运行 terraform。
设置好所有配置后,我 运行 我的 terraform,一切 运行 都很顺利,没有错误。
完成后,我检查了我的网络应用程序 Private Endpoint,它刚刚关闭。
任何人都可以解释一下我在这里做错了什么吗?我认为 swift 连接是激活 Private endpoint 的代码块,但显然我还遗漏了其他东西。
为了确认我的逻辑工作流程,我尝试在门户中执行手动步骤。但令人惊讶的是我不能,因为我在子网上有授权,如你所见。
非常感谢您提供的任何帮助and/or 您可以提供解决此问题的解释
我已使用以下代码测试使用私有终结点创建 VNET 和 Web 应用程序。
provider "azurerm" {
features{}
}
data "azurerm_resource_group" "rg" {
name = "ansumantest"
}
# Virtual Network
resource "azurerm_virtual_network" "vnet" {
name = "ansumanapp-vnet"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
address_space = ["10.4.0.0/16"]
}
# Subnets for App Service instances
resource "azurerm_subnet" "appserv" {
name = "frontend-app"
resource_group_name = data.azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.4.1.0/24"]
enforce_private_link_endpoint_network_policies = true
}
# App Service Plan
resource "azurerm_app_service_plan" "frontend" {
name = "ansuman-frontend-asp"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
kind = "Linux"
reserved = true
sku {
tier = "Premium"
size = "P1V2"
}
}
# App Service
resource "azurerm_app_service" "frontend" {
name = "ansuman-frontend-app"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
app_service_plan_id = azurerm_app_service_plan.frontend.id
}
#private endpoint
resource "azurerm_private_endpoint" "example" {
name = "${azurerm_app_service.frontend.name}-endpoint"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.appserv.id
private_service_connection {
name = "${azurerm_app_service.frontend.name}-privateconnection"
private_connection_resource_id = azurerm_app_service.frontend.id
subresource_names = ["sites"]
is_manual_connection = false
}
}
# private DNS
resource "azurerm_private_dns_zone" "example" {
name = "privatelink.azurewebsites.net"
resource_group_name = data.azurerm_resource_group.rg.name
}
#private DNS Link
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "${azurerm_app_service.frontend.name}-dnslink"
resource_group_name = data.azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.vnet.id
registration_enabled = false
}
要求:
- 正如您从上面的代码中看到的 Private Endpoint , Private DNS 和 Private DNS Link 块是创建专用终结点并为应用程序服务启用它所必需的。
App service Plan 需要 Premium Plan 才能拥有 Private
端点。Private Endpoint要使用的子网应该有
enforce_private_link_endpoint_network_policies = true设置其他
明智的是,它会错误地给出消息 subnet has private endpoint network policies enabled , it should be disabled to be used by Private endpoint.- DNS 区域 名称只能是
privatelink.azurewebsites.net,因为您正在为 webapp 创建私有端点。
输出:
我正在尝试自动部署 azure 虚拟网络和 azure web 应用程序。
在部署这些资源的过程中,一切都很顺利,没有出现任何错误。所以我想尝试在网络应用程序上激活 private endpoint。这是我在 terraform 上的配置。
resource "azurerm_virtual_network" "demo-vnet" {
name = "virtual-network-test"
address_space = ["10.100.0.0/16"]
location = var.location
resource_group_name = azurerm_resource_group.rg-testing-env.name
}
resource "azurerm_subnet" "front_end" {
name = "Front_End-Subnet"
address_prefixes = ["10.100.5.0/28"]
virtual_network_name = azurerm_virtual_network.demo-vnet.name
resource_group_name = azurerm_resource_group.rg-testing-env.name
delegation {
name = "testing-frontend"
service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}
并且在 Web 应用本身上,我设置了这个配置
resource "azurerm_app_service_virtual_network_swift_connection" "web-app-vnet" {
app_service_id = azurerm_app_service.app-test.example.id
subnet_id = azurerm_subnet.front_end.id
}
注意:在我的第一次部署中,swift 失败了,因为我没有在虚拟网络上进行委派,所以我必须在子网上添加委派才能 运行 terraform。
设置好所有配置后,我 运行 我的 terraform,一切 运行 都很顺利,没有错误。
完成后,我检查了我的网络应用程序 Private Endpoint,它刚刚关闭。
任何人都可以解释一下我在这里做错了什么吗?我认为 swift 连接是激活 Private endpoint 的代码块,但显然我还遗漏了其他东西。
为了确认我的逻辑工作流程,我尝试在门户中执行手动步骤。但令人惊讶的是我不能,因为我在子网上有授权,如你所见。
非常感谢您提供的任何帮助and/or 您可以提供解决此问题的解释
我已使用以下代码测试使用私有终结点创建 VNET 和 Web 应用程序。
provider "azurerm" {
features{}
}
data "azurerm_resource_group" "rg" {
name = "ansumantest"
}
# Virtual Network
resource "azurerm_virtual_network" "vnet" {
name = "ansumanapp-vnet"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
address_space = ["10.4.0.0/16"]
}
# Subnets for App Service instances
resource "azurerm_subnet" "appserv" {
name = "frontend-app"
resource_group_name = data.azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.4.1.0/24"]
enforce_private_link_endpoint_network_policies = true
}
# App Service Plan
resource "azurerm_app_service_plan" "frontend" {
name = "ansuman-frontend-asp"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
kind = "Linux"
reserved = true
sku {
tier = "Premium"
size = "P1V2"
}
}
# App Service
resource "azurerm_app_service" "frontend" {
name = "ansuman-frontend-app"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
app_service_plan_id = azurerm_app_service_plan.frontend.id
}
#private endpoint
resource "azurerm_private_endpoint" "example" {
name = "${azurerm_app_service.frontend.name}-endpoint"
location = data.azurerm_resource_group.rg.location
resource_group_name = data.azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.appserv.id
private_service_connection {
name = "${azurerm_app_service.frontend.name}-privateconnection"
private_connection_resource_id = azurerm_app_service.frontend.id
subresource_names = ["sites"]
is_manual_connection = false
}
}
# private DNS
resource "azurerm_private_dns_zone" "example" {
name = "privatelink.azurewebsites.net"
resource_group_name = data.azurerm_resource_group.rg.name
}
#private DNS Link
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
name = "${azurerm_app_service.frontend.name}-dnslink"
resource_group_name = data.azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.example.name
virtual_network_id = azurerm_virtual_network.vnet.id
registration_enabled = false
}
要求:
- 正如您从上面的代码中看到的 Private Endpoint , Private DNS 和 Private DNS Link 块是创建专用终结点并为应用程序服务启用它所必需的。
App service Plan需要 Premium Plan 才能拥有 Private 端点。Private Endpoint要使用的子网应该有enforce_private_link_endpoint_network_policies = true设置其他 明智的是,它会错误地给出消息subnet has private endpoint network policies enabled , it should be disabled to be used by Private endpoint.- DNS 区域 名称只能是
privatelink.azurewebsites.net,因为您正在为 webapp 创建私有端点。
输出: