Python Azure Function cannot connect to Blob storage with Firewall
Question
I have a function app (with Python runtime and consumption plan) that once a month must load some data from a public source, process it and put it into an Azure Blob storage account, which instead must remain private.
This flow worked when I tested it with the blob storage left open to the public.
Then I added some IP addresses to the firewall of the blob storage: in particular, my own private IP and the full list of outbound IPs available in the "Networking" section of the function app. In this case the function cannot communicate with the blob storage and the required files are not written there.
I know there is the possibility to use a premium plan to enable the virtual network integration (which I think should work smoothly), but I would prefer not to have additional costs.
Also, I could use a private endpoint connection, but again this requires a premium plan for the app and a higher cost.
Why can't the function communicate with the storage even though I added all its available outbound IPs? Are there any additional IPs that need to be added? I also read this doc, but I cannot find the required information in the JSON file as explained.
Can someone help on this? Many thanks!
Answer 1
Score: 1
Even without a premium plan, you can connect the function app to the blob storage account if they are in the same region.
Add the function app's IP address to the storage account. As shown, access the function app's IP address in the Networking tab.
Now go to the linked Storage account >> Networking under the Security + networking tab. Click on Enabled from selected virtual networks/IP addresses. Add a virtual network for the selected IP ranges that should be authorized, and under firewall settings, you can add an IP address that should not be authorized.
As you already mentioned about this MSDoc, if your storage and function apps are in different regions, you must allow both outboundIpAddresses and possibleOutboundIpAddresses.
> Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range.
Refer to Microsoft Q&A for a similar issue.
Refer to the Storage account grant access MSDoc.
I would recommend upgrading to the Premium plan; it is the best approach, using the Private endpoint connection, because the Azure function app and Storage account are connected directly over the Azure network.
If you use a consumption plan, instances will not scale up if any outbound IP address updates occur. These modifications are relevant in a consumption plan that is dynamically scaling up and down. In that case, it raises an "Azure functions unreachable" error.
You can refer to this MSDoc for configuring the firewalls in Networking.
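The answer's two points (allow-list the union of `outboundIpAddresses` and `possibleOutboundIpAddresses`, and recognise that IP rules cannot work when both resources share a region) can be turned into a repeatable check. The script below is an added example, not code from the question or the answer; it assumes the JSON is the `az functionapp show` output for the app, in which those two properties are comma-separated strings and `location` is the region, and the sample values are constructed placeholders.

```python
"""Derive the storage-firewall allow-list for a Function App from its CLI JSON.

Added example (not from the original post). Assumes the JSON is what
`az functionapp show -g <rg> -n <app>` prints: `outboundIpAddresses` and
`possibleOutboundIpAddresses` are comma-separated strings, `location` is the region.
"""
import json
from ipaddress import ip_address

# Constructed sample of a trimmed `az functionapp show` result. The addresses are
# documentation-range placeholders, not real Azure outbound IPs.
SAMPLE_FUNCTIONAPP_JSON = json.dumps({
    "name": "my-func-app",
    "location": "westeurope",
    "outboundIpAddresses": "203.0.113.10,203.0.113.11",
    "possibleOutboundIpAddresses": "203.0.113.10,203.0.113.11,203.0.113.20, 198.51.100.5",
})


def outbound_ips(app_json: str) -> list[str]:
    """Union of current and possible outbound IPs, deduplicated and sorted.
    A consumption-plan app can move onto any address in the 'possible' list after a
    scale event, so allow-listing only `outboundIpAddresses` breaks later."""
    app = json.loads(app_json)
    raw = ",".join([app.get("outboundIpAddresses", ""), app.get("possibleOutboundIpAddresses", "")])
    ips = {part.strip() for part in raw.split(",") if part.strip()}
    # ip_address() rejects malformed entries: a typo here would open the firewall to the wrong host.
    return sorted(ips, key=lambda s: int(ip_address(s)))


def same_region(app_json: str, storage_location: str) -> bool:
    """True when app and storage account share a region; traffic then uses private
    Azure addresses and public-IP firewall rules never match."""
    return json.loads(app_json)["location"].lower() == storage_location.lower()


def firewall_commands(app_json: str, rg: str, account: str, storage_location: str) -> list[str]:
    """Emit one `az storage account network-rule add` per IP, or a single warning
    line when IP rules cannot work because both resources are in one region."""
    if same_region(app_json, storage_location):
        return ["# same region: use VNet integration or a private endpoint instead of IP rules"]
    return [f"az storage account network-rule add -g {rg} --account-name {account} --ip-address {ip}"
            for ip in outbound_ips(app_json)]


if __name__ == "__main__":
    for line in firewall_commands(SAMPLE_FUNCTIONAPP_JSON, "my-rg", "mystorage", "northeurope"):
        print(line)
```

Feed it the real `az functionapp show` output and the storage account's `location`; the emitted commands are meant to be reviewed before running, since every address added is a permanent hole in the storage firewall.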
Comments