Azure Bicep -限制来自应用服务的存储IP

de90aj5v 于 2023-03-24 发布在其他

关注(0)|答案(1)|浏览(89)

我用二头肌迈出了第一步，但我觉得完全卡住了：-/
我想从应用服务获取公共ip，然后，我想用它们限制对存储帐户的访问。我面临两个问题：

第一个是我不能迭代“for”循环。它说“allowedIPAddress”，“这个表达式正在用于for-expression，它需要一个可以在部署开始时计算的值。你引用了一个无法计算的变量”
第二个，我如何更新存储的IpRules后，我已经获得了规则与IP？？

下面是我的代码：

////// FIRST PART: TO GET THE APP SERVICE IP
resource sitewww 'Microsoft.Web/sites@2022-03-01' existing = {
name: 'mywebapp'
}

//Here I get the list of IPs
var ipSalidaString = string(sitewww.properties.outboundIpAddresses)

//I split the IPs list to an Array String, so I can use it
var allowedIpAddresses  = split(ipSalidaString,',')

/// THIS FOR LOOP DOES NOT WORK AND I DO NOT KNOW WHY
var additionalIpSecurityRestrictions = [for ip in allowedIpAddresses: {
  action: 'Allow'
  value: ip
 }]

//////  Second Part: Update the IpRules of the Storage Account 

resource almacenamiento 'Microsoft.Storage/storageAccounts@2022-09-01'{
  
  name: 'teststorage'
  location:localizacion
   properties:{
    publicNetworkAccess: 'Enabled'  
     networkAcls:{
      defaultAction:'Deny'
      ipRules: [{   /// MUST BE UPDATED 
        action: 'Allow'
        value: '20.26.196.151'
       
      }
    ]
    }           
}
}

我尝试了几种方法来迭代for循环，但总是说“这个表达式正在for表达式中使用，它需要一个可以在部署开始时计算的值。您正在引用一个无法计算的变量”
我希望为我的存储帐户创建具有IpRules的对象

Azure

来源：https://stackoverflow.com/questions/75811077/azure-bicep-limit-storage-ips-from-app-service

1条答案

按热度按时间

njthzxwz1#

我建议将该AppService加入VNet，然后使用服务端点限制对存储帐户的访问。应用服务计划的公共IP可能会更改，这样您就不必费心更新规则。

param location string = resourceGroup().location

// Create a virtual network
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'myVnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'mySubnet'
        properties: {
          addressPrefix: '10.0.1.0/24'
          // Enable service endpoint for Microsoft.Storage
          serviceEndpoints: [
            {
              service: 'Microsoft.Storage'
              locations: [
                location
              ]
            }
          ]
        }
      }
    ]
  }
}

// Create a storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: 'mystorage${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  properties: {
    // Restrict access to the storage account from the subnet only
    networkAcls: {
      bypass: 'None'
      defaultAction: 'Deny'
      virtualNetworkRules: [
        {
          id: vnet.properties.subnets[0].id // Reference the subnet id
          action: 'Allow'
        }
      ]
    }
    supportsHttpsTrafficOnly: true
  }
}

// Create an app service plan
resource appServicePlan 'Microsoft.Web/serverfarms@2021-02-01' = {
  name: 'myAppServicePlan'
  location: location
  sku: {
    name: 'S1'
    tier: 'Standard'
    size: 'S1'
    family: 'S'
    capacity: 1
  }
}

// Create an app service 
resource appService 'Microsoft.Web/sites@2022-03-01' = {
  name: 'myAppService${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'app'
  properties: {
    serverFarmId: appServicePlan.id
    siteConfig: {
      alwaysOn: true
      http20Enabled: true
      webSocketsEnabled: true

    }
    virtualNetworkSubnetId: vnet.properties.subnets[0].id // Reference the subnet id
  }
}

赞(0）回复(0）举报 2023-03-24

我来回答

Azure Bicep -限制来自应用服务的存储IP

1条答案

相关问题

热门标签

最新问答