Azure DevOps Application Gateway App Service access restriction

Tags: azure-devops, terraform, terraform-provider-azure, azure-appservice

I have implemented an Application Gateway in Azure using terraform.

My terraform code builds a vnet, application gateway, subnet, app service and app service plan.

Everything works fine and I can access the app service using the app gateway public IP. The only problem is that I can also access the app service from its own endpoint, and I want to restrict that access so it only goes through my application gateway, so that if someone tries to access the app service directly they should get a 403 error.

After doing some research I managed to achieve this from the portal >> App Service >> Networking.

But I want to automate this process with terraform, and this is where I am stuck, because the only source I found references "azurerm_app_service_slot_virtual_network_swift_connection", but that resource requires an app service slot which I don't want or need.

I would like to know how I can implement the network access restriction on the app service.

Here is my code and how I build the infra:

networking.tf

locals {
  cidr_block = "<cidr>"
  subnets = {
    frontend = cidrsubnet(local.cidr_block, 8, 0)
  }
}
#########################################
# RESOURCE GROUP
#########################################
resource "azurerm_resource_group" "example" {
  name     = "rg-hri-prd-app-gateway"
  location = "West US"
}

#########################################
# VIRTUAL NETWORK
#########################################
resource "azurerm_virtual_network" "example" {
  name                = "hri-prd-vnet"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = [local.cidr_block]
}

#########################################
# SUBNETS
#########################################

resource "azurerm_subnet" "example" {
  count                = length(keys(local.subnets))
  name                 = keys(local.subnets)[count.index]
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = [local.subnets[keys(local.subnets)[count.index]]]
  service_endpoints = ["Microsoft.Web"]
  delegation {
    name = "my-access-delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

resource "azurerm_app_service_virtual_network_swift_connection" "appservice-subnet" {
  count = length(azurerm_app_service.example)
  app_service_id = azurerm_app_service.example[count.index].id
  subnet_id = azurerm_subnet.example[count.index].id
}
locals {
  app_services = [
    {
      kind = "Linux"
      sku = {
        tier = "Standard"
        size = "S1"
      }
    }
  ]
}
#########################################
# APP SERVICE PLAN
#########################################
resource "azurerm_app_service_plan" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-asp"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  kind                = local.app_services[count.index].kind
  reserved            = true

  sku {
    tier = local.app_services[count.index].sku.tier
    size = local.app_services[count.index].sku.size
  }
}

#########################################
# APP SERVICE
#########################################

resource "azurerm_app_service" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-appservice"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example[count.index].id

}
locals {
  backend_probe_name = "${azurerm_virtual_network.example.name}-health"
  http_setting_name  = "${azurerm_virtual_network.example.name}-htst"
  public_ip_name     = "${azurerm_virtual_network.example.name}-public"
}


#########################################
# AZURE PUBLIC IP
#########################################

resource "azurerm_public_ip" "example" {
  name                = local.public_ip_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  allocation_method   = "Dynamic"
}

#########################################
# APPLICATION GATEWAY
#########################################
resource "azurerm_application_gateway" "network" {
  depends_on          = [azurerm_public_ip.example]
  name                = "hri-prd-appgateway"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location

  sku {
    name     = "Standard_Small"
    tier     = "Standard"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = azurerm_subnet.example.0.id
  }

  dynamic "frontend_port" {
    for_each = azurerm_app_service.example
    content {
      name = "${azurerm_virtual_network.example.name}-${frontend_port.value.name}-feport"
      port = "808${frontend_port.key}"
    }
  }

  frontend_ip_configuration {
    name                 = "${azurerm_virtual_network.example.name}-feip"
    public_ip_address_id = azurerm_public_ip.example.id
  }

  dynamic "backend_address_pool" {
    for_each = azurerm_app_service.example
    content {
      name  = "${azurerm_virtual_network.example.name}-${backend_address_pool.value.name}-beap"
      fqdns = [backend_address_pool.value.default_site_hostname]
    }
  }

  probe {
    name                                      = local.backend_probe_name
    protocol                                  = "Http"
    path                                      = "/"
    interval                                  = 30
    timeout                                   = 120
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
    match {
      body        = "Welcome"
      status_code = [200, 399]
    }
  }

  backend_http_settings {
    name                                = local.http_setting_name
    probe_name                          = local.backend_probe_name
    cookie_based_affinity               = "Disabled"
    path                                = "/"
    port                                = 80
    protocol                            = "Http"
    request_timeout                     = 120
    pick_host_name_from_backend_address = true
  }

  dynamic "http_listener" {
    for_each = azurerm_app_service.example
    content {
      name                           = "${azurerm_virtual_network.example.name}-${http_listener.value.name}-httplstn"
      frontend_ip_configuration_name = "${azurerm_virtual_network.example.name}-feip"
      frontend_port_name             = "${azurerm_virtual_network.example.name}-${http_listener.value.name}-feport"
      protocol                       = "Http"
    }
  }

  dynamic "request_routing_rule" {
    for_each = azurerm_app_service.example
    content {
      name                       = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-rqrt"
      rule_type                  = "Basic"
      http_listener_name         = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-httplstn"
      backend_address_pool_name  = "${azurerm_virtual_network.example.name}-${request_routing_rule.value.name}-beap"
      backend_http_settings_name = local.http_setting_name
    }
  }
}
If anyone can help me understand how to achieve this with terraform, please let me know.

Edit:

I updated my networking code with azurerm_app_service_virtual_network_swift_connection, but when I run terraform I get the following error:

Error: creating/updating Application Gateway: (Name "hri-prd-appgateway" / Resource Group "rg-hri-prd-app-gateway"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="ResourceNotPermittedOnDelegatedSubnet" Message="Resource /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/applicationGateways/hri-prd-appgateway cannot be created in or updated to use the subnet /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/virtualNetworks/hri-prd-vnet/subnets/frontend since it has delegation(s) [Microsoft.Web/serverFarms: /subscriptions/<subscription>/resourceGroups/rg-hri-prd-app-gateway/providers/Microsoft.Network/virtualNetworks/hri-prd-vnet/subnets/frontend/delegations/my-access-delegation] to external services." Details=[]

  on gateway.tf line 22, in resource "azurerm_application_gateway" "network":
  22: resource "azurerm_application_gateway" "network" {

If you want to restrict the web app so that it only receives traffic from the Application Gateway, one approach is to use Azure App Service static IP restrictions. With that method, if access from an address is not allowed according to the rules in the list, the service replies with an HTTP 403 status code. For more details, please refer to the documentation.

For how to implement it with terraform, refer to the following script:

site_config {
  ...
  always_on = true

  # One Allow rule per permitted source; anything that matches no rule is denied with 403.
  ip_restriction {
    ip_address = "<app-gateway-public-ip>/32"   # placeholder; CIDR notation is required
    priority   = 100                            # placeholder; lower values are evaluated first
  }
}

# etc.

For more information about it, please refer to the documentation.
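Putting the answer's ip_restriction together with the delegation error from the question's edit, here is an added example (not code from the question or the answer) that replaces the question's azurerm_public_ip and azurerm_app_service blocks and adds a dedicated gateway subnet. It assumes a static Standard-SKU public IP, which in turn requires the Standard_v2 gateway SKU; the subnet range and rule priority are also assumptions, and the gateway's gateway_ip_configuration.subnet_id must then point at azurerm_subnet.appgw.id.

```hcl
# Added example; names reuse the question's resources, everything marked
# "assumed" is not from the page.

# The gateway needs its own subnet with no service delegation: the question's
# "frontend" subnet is delegated to Microsoft.Web/serverFarms for the app
# service, which is exactly what ResourceNotPermittedOnDelegatedSubnet rejects.
resource "azurerm_subnet" "appgw" {
  name                 = "appgw"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = [cidrsubnet(local.cidr_block, 8, 1)] # assumed free range
}

# Static allocation makes ip_address known as soon as the IP is created, so the
# app service can reference it without depending on the gateway. A Dynamic IP is
# only assigned once the gateway attaches it, which would create a dependency
# cycle (app service -> IP -> gateway -> app service backend pool).
resource "azurerm_public_ip" "example" {
  name                = local.public_ip_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  allocation_method   = "Static"
  sku                 = "Standard" # assumed; requires the Standard_v2 gateway SKU
}

resource "azurerm_app_service" "example" {
  count               = length(local.app_services)
  name                = "${lower(local.app_services[count.index].kind)}-appservice"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example[count.index].id

  site_config {
    always_on = true

    # Only the gateway's public IP is allowed. Any source that matches no rule
    # falls through to the implicit deny and receives HTTP 403, which is the
    # behaviour the question asks for when the app is hit directly.
    ip_restriction {
      name       = "allow-app-gateway"
      ip_address = "${azurerm_public_ip.example.ip_address}/32"
      action     = "Allow"
      priority   = 100 # assumed; lower values are evaluated first
    }
  }
}
```

The swift connection keeps using the delegated "frontend" subnet; only the gateway moves to the undelegated one.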

You also have this. Have you tried it?

@KrzysztofMadej Yes, I tried that too, but I got an error when creating the application gateway. I will update the code with the new changes and the error message I got.

@NaydenVan Do you have any other concerns? If not, could you please accept it as the answer? It may help more people with similar issues.