I'm currently trying to implement the following storage key rotation architecture from Microsoft documentation in our tenant, but we have a policy that storage accounts shall not have public network access enabled. (https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli).
The architecture is basically, as far as I understand, where an access key for a Storage Account is saved in a Key Vault with an expiration date, and when it nearly expires an Event Grid event filters this event and sends it to the function app, which rotates the key and saves the new key in the key vault again.
But as I mentioned, we have a policy that storage accounts should not have public network access enabled. This means the storage account which stores the logs and triggers for the function app should also not have "Enabled from all networks" ticked.
Therefore I changed the network setting for the storage account that the function app uses to store logs and triggers from "Enabled from all networks" to "Enabled from selected virtual networks and IP addresses". But when I make this change, Event Grid fails to deliver the event to the function app.
I have tried to create a VNet, create a private endpoint for the storage account, host the function app in a Premium app plan and create a VNet integration in the function app. Further, I have also added Microsoft.EventGrid/systemTopics as a resource instance in the storage account under Networking, and the following entries in the function app configuration (according to this link: https://github.com/mcollier/azure-functions-private-storage):
WEBSITE_VNET_ROUTE_ALL to 1
WEBSITE_CONTENTOVERVNET to 1
WEBSITE_DNS_SERVER to 168.63.129.16
But Event Grid still fails to deliver the event to the function app. I suspect that the function app is not available for the EventGrid System Topic. When I go into the Function app this is shown:
But I'm not certain where the problem lies, since I don't really understand how Event Grid is communicating with Azure Functions. Can someone help? Does somebody know how I can implement the architecture without public network access enabled on the storage account?
Thanks and best regards!
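The network rules and app settings described in the question, collected into one Bicep template as an added example (not code from the question, the Microsoft tutorial or the linked repo). Parameter names, API versions and the Elastic Premium plan are assumptions; the system topic's resource ID is passed in rather than guessed.

```bicep
// Added example; parameter names and API versions are assumptions, see the lead-in.
param location string = resourceGroup().location
param storageName string
param appName string
param planId string            // Elastic Premium plan resource ID (needed for VNet integration)
param functionSubnetId string  // subnet delegated to Microsoft.Web/serverFarms
param systemTopicId string     // resource ID of the Event Grid system topic

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    // 'Disabled' would leave only private endpoints; the VNet and resource-instance rules
    // below are evaluated only while this is 'Enabled' with defaultAction 'Deny' (the portal's
    // "Enabled from selected virtual networks and IP addresses").
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: functionSubnetId, action: 'Allow' } ]  // subnet needs the Microsoft.Storage service endpoint
      // Resource-instance rule: only this Microsoft.EventGrid/systemTopics instance is let through
      resourceAccessRules: [ { tenantId: tenant().tenantId, resourceId: systemTopicId } ]
    }
  }
}

var storageConn = 'DefaultEndpointsProtocol=https;AccountName=${storage.name};AccountKey=${storage.listKeys().keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
resource func 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: functionSubnetId  // regional VNet integration
    siteConfig: {
      appSettings: [
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'AzureWebJobsStorage', value: storageConn }
        { name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING', value: storageConn }
        { name: 'WEBSITE_CONTENTSHARE', value: toLower(appName) }
        // The three settings from the question: route all outbound traffic through the VNet,
        // mount the content share over the VNet, resolve private-endpoint names via Azure DNS
        { name: 'WEBSITE_VNET_ROUTE_ALL', value: '1' }
        { name: 'WEBSITE_CONTENTOVERVNET', value: '1' }
        { name: 'WEBSITE_DNS_SERVER', value: '168.63.129.16' }
      ]
    }
  }
}
```

Once defaultAction is Deny, the function host itself must still reach this account for AzureWebJobsStorage and the content share, which is what the VNet rule together with the VNet-routing settings provides; a host that cannot reach its storage never starts, so no Event Grid subscription can be delivered to it.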
I got my AZ-104 this week, but I learned there is a difference between the control plane and the data plane.
Try applying Storage Blob Data Contributor to the appropriate principal.
That will give it permission to write the data inside the storage account.