Is it possible to IP whitelist Azure Blob Storage Containers to only accept requests from specific Azure Functions
We're currently trying to create a solution which handles sensitive data in Azure using Function Apps (v2) compiled in C#. Since an app service environment would be expensive overkill for the solution that we need, we have tried to secure communication between our Function and a general purpose blob storage (v1) queue and table firstly using vnet integration and then IP restrictions. Unfortunately trying to IP restrict access to the blob storage from the function doesn't work - it always seems to fail with 'Forbidden' when we try and connect, even with the full list of the function's external IPs added to the blob storage's allowed IPs list. And the blob storage won't allow the function's internal IP (LOCAL_ADDR in Kudu) to be added to the 'allowed IPs' list since it's an internal IP, and even adding the entire Azure region's IP addresses to the blob storage still doesn't seem to allow the function to connect. The only thing which works is to turn off IP restrictions altogether, which puts the whole solution on shaky ground security-wise (e.g. GDPR).
Has anyone managed to find a solution to this issue? Is it actually possible and any ideas where we might have gone wrong if it is?
The closest possible solution I found is to connect your Functions App to a VNET, then connect your storage account to the same VNET, then you can configure restrictions based on that VNET. Storage doesn't support a security exception for Functions specifically, since looking under "Allow azure trusted services" doesn't include the Functions products.
I'd recommend checking the second portion of this document to help configure your Functions app to a VNET, then this one to configure your storage account with the same vnet, then add restrictions on the Storage Firewall.
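The VNET-based setup the answer describes, as an added Bicep template that is not from the original post or from Microsoft: a delegated subnet with a Microsoft.Storage service endpoint, a storage account whose firewall denies everything except that subnet, and a Function App integrated into it. It assumes an existing Elastic Premium or App Service plan (passed as planId), constructed names and address ranges, and omits the runtime app settings (AzureWebJobsStorage and friends) the Function App also needs.

```bicep
// Added example, not from the original post; names, ranges and API versions are assumptions.
param location string = resourceGroup().location
param storageName string = 'sensitivedata001' // constructed; must be globally unique
// Id of an existing Elastic Premium or dedicated App Service plan. VNet
// integration is not available on the Consumption plan.
param planId string
// Subnet delegated to Functions, with a Microsoft.Storage service endpoint so
// requests leaving it reach the storage firewall tagged with the subnet identity.
resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'func-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [ {
      name: 'functions'
      properties: {
        addressPrefix: '10.20.1.0/24'
        serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        delegations: [ { name: 'web', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
      }
    } ]
  }
}
// Storage firewall: deny by default and allow only the delegated subnet. The app's
// public outbound IPs are deliberately not listed: they are shared and change.
resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: {
    allowBlobPublicAccess: false
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [ { id: vnet.properties.subnets[0].id, action: 'Allow' } ]
    }
  }
}
// Regional VNet integration: the app's outbound traffic egresses from the subnet.
resource functionApp 'Microsoft.Web/sites@2022-09-01' = {
  name: 'sensitive-func'
  location: location
  kind: 'functionapp'
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: vnet.properties.subnets[0].id
    siteConfig: { vnetRouteAllEnabled: true }
  }
}
```

Keep this data account separate from the account behind AzureWebJobsStorage, which the Functions host itself talks to and which needs extra settings before its firewall can be closed. After deployment, a request from outside the subnet should receive 403 AuthorizationFailure from the storage account, while the Function App's own calls succeed.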