如何通过 ARM 模板在 StorageAccount 中设置选定的网络
Posted
技术标签:
【中文标题】如何通过 ARM 模板在 StorageAccount 中设置选定的网络【英文标题】:How to set selected networks in StorageAccount via ARM Template 【发布时间】:2020-01-06 03:44:03 【问题描述】:我有以下 ARM 模板来生成存储帐户并添加现有的虚拟网络:
"name": "test0deep0123",
"type": "Microsoft.Storage/storageAccounts",
"location": "West Europe",
"apiVersion": "2018-11-01",
"sku":
"name": "Standard_LRS",
"tier": "Standard"
,
"kind": "StorageV2",
"properties":
"firewallState": "Enabled",
"virtualNetworkRules": [
"properties":
"subnetId": "subnetid"
,
"name": "name"
,
"properties":
"subnetId": "subnetId"
,
"name": "name"
,
"properties":
"subnetId": "subnetid"
,
"name": "name"
,
"properties":
"subnetId": "subnetid"
,
"name": "name"
,
"properties":
"subnetId": "subnetid"
,
"name": "name"
,
"properties":
"subnetId": subnetid"
,
"name": "name"
,
"properties":
"subnetId": "subnetid"
,
"name": "name"
"networkAcls":
"bypass": "AzureServices",
"virtualNetworkRules": [
"id": "id",
"action": "Allow",
"state": "succeeded"
,
"id": "id",
"action": "Allow",
"state": "succeeded"
],
"ipRules": [],
"defaultAction": "Allow"
,
"supportsHttpsTrafficOnly": false,
"encryption":
"services":
"file":
"enabled": true
,
"blob":
"enabled": true
,
"keySource": "Microsoft.Storage"
,
"accessTier": "Hot"
我可以在资源组中成功部署此模板,但在控制“防火墙和虚拟网络”后,我看到,允许访问设置为所有网络,尽管在所选网络下我可以看到添加的虚拟网络
我应该如何检查“选定的网络”?
【问题讨论】:
您对我的回复有任何疑问吗? 感谢您的详细解答。它对我有帮助:) 【参考方案1】:问题是如果你将virtualNetworkRules设置为allow,那么defaultAction需要设置为Deny,所以你会在存储帐户的防火墙中将选定的虚拟网络列入白名单。
在这种情况下,您可以选择您现有的虚拟网络(enable the storage account service endpoint)ID 到段落networkAcls 并更改"defaultAction": "Deny"。此外,virtualNetworkRules 属于networkAcls,而不是存储帐户的属性。
下面这个模板可以在我这边工作。
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters":
"virtualNetworks_vnet1":
"defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/vnet",
"type": "string"
,
"virtualNetworks_vnet2":
"defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/mytestvnet1",
"type": "string"
,
"resources": [
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2018-11-01",
"name": "test0deep01234",
"location": "Central US",
"sku":
"name": "Standard_LRS",
"tier": "Standard"
,
"kind": "StorageV2",
"properties":
"networkAcls":
"bypass": "AzureServices",
"virtualNetworkRules": [
"id": "[concat(parameters('virtualNetworks_vnet1'), '/subnets/default')]",
"action": "Allow"
,
"id": "[concat(parameters('virtualNetworks_vnet2'), '/subnets/default')]",
"action": "Allow"
],
"ipRules": [],
"defaultAction": "Deny"
,
"supportsHttpsTrafficOnly": false,
"encryption":
"services":
"file":
"enabled": true
,
"blob":
"enabled": true
,
"keySource": "Microsoft.Storage"
,
"accessTier": "Hot"
]
参考:Microsoft.Storage storageAccounts template reference
【讨论】:
这根本不是这个人要问的 @4c74356b41 编辑以使其清楚,该人可以理解我。【参考方案2】:我认为您需要添加属性publicNetworkAccess并将其设置为Disabled
希望这有帮助吗?
【讨论】:
以上是关于如何通过 ARM 模板在 StorageAccount 中设置选定的网络的主要内容,如果未能解决你的问题,请参考以下文章
如何使用 REST API 或 ARM 模板通过私有 GitHub 存储库在应用服务中部署应用?
使用 terraform 和 arm 模板通过工作流部署逻辑应用程序的最佳方法?
如何将Azure管道变量传递给AzureResourceManagerTemplateDeployment @ 3任务使用的ARM模板?