Deploy to Function App with Access Restrictions and vNet Integration

Question

I am currently trying to deploy code from an Azure DevOps Repo to an Azure Function App which has active Access Restrictions for inbound traffic as well as vNet Integration regarding outbound traffic. Each function app is tied to a storage account. This storage account is only accessible from the exact vNet the function app is integrated to.

Access Restrictions:
I whitelisted the AzureDevOps service tag.

vNet Integration:
The function app is vnet integrated.
The function app's storage account is accessible only from the selected vNet.

subNet Configuration:
Service endpoints for storage are enabled.

Network Security Group:
The subnet inside the vnet is protected by a network security group.

Allowed inbound traffic:

  • AzureDevOps Service Tag

Allowed outbound traffic:

  • Storage Service Tag

I then use a build pipeline in Azure DevOps to publish the artifact (functionapp as .zip) and then proceed with a Release that downloads the Artifact and deploys it to a function app.

The deployment seems to work flawlessly:

2023-04-13T14:02:07.5017872Z ##[section]Starting: Azure Function App Deploy: FA-TST-xxx
2023-04-13T14:02:07.5148220Z ==============================================================================
2023-04-13T14:02:07.5148398Z Task         : Azure Functions Deploy
2023-04-13T14:02:07.5148471Z Description  : Update a function app with .NET, Python, JavaScript, PowerShell, Java based web applications
2023-04-13T14:02:07.5148597Z Version      : 2.219.0
2023-04-13T14:02:07.5148656Z Author       : Microsoft Corporation
2023-04-13T14:02:07.5148738Z Help         : https://aka.ms/azurefunctiontroubleshooting
2023-04-13T14:02:07.5148818Z ==============================================================================
2023-04-13T14:02:09.8559391Z Got service connection details for Azure App Service:'FA-TST-xxx'
2023-04-13T14:02:43.1629721Z (node:1428) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
2023-04-13T14:02:45.4392949Z NOTE: Function app is VNet integrated.
2023-04-13T14:02:50.5646873Z Trying to update App Service Application settings. Data: {"WEBSITE_RUN_FROM_PACKAGE":"1"}
2023-04-13T14:02:50.5647155Z Deleting App Service Application settings. Data: ["WEBSITE_RUN_FROM_ZIP"]
2023-04-13T14:02:50.5647620Z App Service Application settings are already present.
2023-04-13T14:02:51.8678122Z Validating deployment package for functions app before Zip Deploy
2023-04-13T14:02:52.4037017Z Package deployment using ZIP Deploy initiated.
2023-04-13T14:03:20.6923999Z Deploy logs can be viewed at https://fa-tst-xxx.scm.azurewebsites.net/api/deployments/4bc45377e91c44ca2e18c4451549c1e5/log
2023-04-13T14:03:20.6924440Z The web package has been deployed to App Service. Please note that the package mount or extraction errors will be logged in the deployment logs in the location above.
2023-04-13T14:03:20.6924780Z NOTE: Run From Package makes wwwroot read-only, so you will receive an error when writing files to this directory.
2023-04-13T14:03:24.2067507Z Successfully added release annotation to the Application Insight : AI-TST-xxx
2023-04-13T14:03:24.6058941Z App Service Application URL: https://fa-tst-xxx.azurewebsites.net
2023-04-13T14:03:24.6219120Z ##[section]Finishing: Azure Function App Deploy: FA-TST-xxx

Deployment logs also look fine to me:

[{"log_time":"2023-04-13T14:02:54.4683117Z","id":"1b1ed1bc-12c6-493f-be3f-3f0a1659c4e0","message":"Updating submodules.","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.5776418Z","id":"7e37471f-2272-4c07-b5e7-4ea17b4a8a4f","message":"Preparing deployment for commit id '4ec45877c9'.","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.827664Z","id":"2a19b2f9-0223-4a13-aa8a-618790ced6e4","message":"Skipping build. Project type: Run-From-Zip","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:54.9214344Z","id":"fa294e85-d78b-4f63-8de9-1ce1f1ee50ec","message":"Skipping post build. Project type: Run-From-Zip","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:55.01516Z","id":"6118ea98-86be-4323-beb3-b9e5bd0fcc5f","message":"Triggering recycle (preview mode disabled).","type":0,"details_url":null},{"log_time":"2023-04-13T14:02:55.1558172Z","id":"16064a20-a8e2-4239-bbb3-3bd955624757","message":"Deployment successful.","type":0,"details_url":null}]

However, when I check the portal to list the functions, no changes are visible. Something went wrong with the deployment - but I am struggling to figure out what it is.

When I deactivate vNet Integration and allow access to my storage account from anywhere, deployment works like a charm. All functions are then visible through the Azure portal.

I also tried adding inbound NSG-rules for the subnet where the storage account resides:

  • AzureResourceManager Service Tag
  • AzureDevOps Service Tag
  • AppService Service Tag
  • AppServiceManagement Service Tag

Nothing worked. I am clueless as to how to fix this problem. Any ideas?

Answer 1

Score: 0

@AndrewDuffy Update:
Today I once again tried to fix the issue only to realize that it no longer exists. I can now deploy code to a vnet integrated function app. I can't really tell you why this has changed but what I can do is share my configuration:

under Function App Access Restrictions:

I allowed service tags

  • AzureResourceManager

under the Network Security Group that is assigned to the Function App/ASP Subnet:

I allowed the following service Tags for inbound traffic

  • AzureDevOps
  • AzureResourceManager

service tags for outbound traffic

  • Storage
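
The allow-list from the answer above, written as Azure CLI calls. This is an added example, not the answer author's own script; the resource names, rule names, priorities, the TCP/443 port and the use of VirtualNetwork as the other side of each NSG rule are assumptions that the post does not state.

```shell
#!/usr/bin/env bash
# Added example: the answer's service-tag allow-list as Azure CLI calls.
# Placeholders (assumptions, not from the post): RG, APP, NSG, rule names,
# priorities, TCP/443, and VirtualNetwork as the peer of each NSG rule.
RG="${RG:-<resource-group>}"
APP="${APP:-<function-app-name>}"
NSG="${NSG:-<nsg-name>}"

# Function App access restriction: allow one service tag inbound.
# $1 = service tag, $2 = priority
allow_app_tag() {
  az functionapp config access-restriction add \
    --resource-group "$RG" --name "$APP" \
    --rule-name "Allow-$1" --action Allow \
    --priority "$2" --service-tag "$1"
}

# Rule in the NSG assigned to the Function App/ASP subnet.
# $1 = Inbound|Outbound, $2 = service tag, $3 = priority
allow_nsg_tag() {
  local src dst
  if [ "$1" = "Inbound" ]; then src="$2"; dst="VirtualNetwork"
  else src="VirtualNetwork"; dst="$2"; fi
  az network nsg rule create \
    --resource-group "$RG" --nsg-name "$NSG" \
    --name "Allow-$2-$1" --priority "$3" \
    --direction "$1" --access Allow --protocol Tcp \
    --source-address-prefixes "$src" \
    --destination-address-prefixes "$dst" \
    --destination-port-ranges 443
}

# The four rules listed in the answer.
apply_answer_config() {
  allow_app_tag AzureResourceManager 100
  allow_nsg_tag Inbound  AzureDevOps          100
  allow_nsg_tag Inbound  AzureResourceManager 110
  allow_nsg_tag Outbound Storage              100
}

# Nothing is changed unless the script is invoked with "apply".
if [ "${1:-}" = "apply" ]; then apply_answer_config; fi
```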
