英文:
limit network access to private endpoint of storage account from a specific azure function when vnet integration enabled
问题
现在的情况是:
- 有一个应用服务计划,其中包含两个 Azure 函数,函数 A 和函数 B,两者都启用了相同子网 VNet 集成。
- 有一个子网,其中包含一个存储帐户和已启用的私有终结点。
在当前情况下,由于 VNet 集成,来自两个函数应用的网络流量可以访问存储帐户的私有终结点。
是否可以只允许函数 A 向存储帐户发出流量?我不想在 NGS 规则中使用服务标签,因为那样会允许两个函数应用的流量。
英文:
This is the situation:
- 1 app service plan with 2 azure functions, function A and function B, both with the same subnet vnet integration enabled
- 1 subnet with a storage account and private endpoint enabled
In the current situation the network traffic from both function apps can access the private endpoint of the storage account because of the vnet integration.
Is it possible to allow outbound traffic only from function A to the storage account? I don't want to use the service tag in a ngs rule because then both function apps are allowed.
答案1
得分: 1
这在您的设置中不容易实现。两个函数共享来自用于VNET注入的子网的同一IP池,所以从网络角度难以对它们进行防火墙设置。
如果您想要网络隔离,那么请部署一个单独的子网,将函数B移至启用了新子网上的VNET集成的新应用服务计划。然后,您可以设置网络安全组(NSG)以阻止访问。
英文:
This isn't easily attainable with your setup. Both functions share the same pool of IPs from the subnet you're using for vnet injection, so you'll have a difficult time firewalling them from the network perspective.
If you want network isolation, then deploy a separate subnet, and move function B to a new app service plan that has vnet integration enabled on the new subnet. Then you can setup an NSG to block access.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论