堆栈内存溢出
  简体   繁体   English

IP是否可以将Azure Blob存储容器列入白名单以仅接受来自特定Azure功能的请求

[英]Is it possible to IP whitelist Azure Blob Storage Containers to only accept requests from specific Azure Functions

 原文  2019-04-10 16:17:55       azure/ security/ azure-functions/ azure-storage-blobs/ whitelist

问题描述

We're currently trying to create a solution which handles sensitive data in Azure using Function Apps (v2) compiled in C#. 我们当前正在尝试创建一种解决方案,该解决方案使用C#编译的Function Apps(v2)处理Azure中的敏感数据。 Since an app service environment would be expensive overkill for the solution that we need, we have tried to secure communication between our Function and a general purpose blob storage (v1) queue and table firstly using vnet integration and then IP restrictions. 由于应用程序服务环境对于我们所需的解决方案来说可能是昂贵的替代品,因此,我们首先尝试使用vnet集成,然后使用IP限制来确保我们的功能与通用blob存储(v1)队列和表之间的通信安全。 Unfortunately trying to IP restrict access to the blob storage from the function doesn't work - it always seems to fail with 'Forbidden' when we try and connect, even with the full list of the function's external IPs added to the blob storage's allowed IPs list. 不幸的是,尝试通过IP限制从功能对Blob存储的访问不起作用-即使尝试将功能的外部IP的完整列表添加到Blob存储的允许IP中,当我们尝试连接时,它似乎总是失败并显示“ Forbidden”清单。 And the blob storage won't allow the function's internal IP (LOCAL_ADDR in Kudu) to be added to the 'allowed IPs' list since it's an internal IP, and even adding the entire Azure region's IP addresses to the blob storage still doesn't seem to allow the function to connect. 而且Blob存储不允许将函数的内部IP(在Kudu中为LOCAL_ADDR)添加到“允许的IP”列表中,因为它是内部IP,即使将整个Azure区域的IP地址添加到Blob存储中也不会似乎允许该功能连接。 The only thing which works is to turn off IP restrictions altogether, which puts the whole solution on shaky ground security-wise (eg GDPR). 唯一有效的方法是完全关闭IP限制,这将整个解决方案置于安全​​性低下的基础上(例如GDPR)。

Has anyone managed to find a solution to this issue? 是否有人设法找到解决此问题的方法? Is it actually possible and any ideas where we might have gone wrong if it is? 实际上是否可能,如果有的话,我们可能在哪里出错了?

1 个解决方案

解决方案1
 0  2019-04-10 19:02:25

The closest possible solution I found is to connect your Functions App to a VNET, then connect your storage account to the same VNET, then you can configure restrictions based on that VNET. 我发现的最接近的解决方案是将功能应用程序连接到VNET,然后将存储帐户连接到相同的VNET,然后可以基于该VNET配置限制。 Storage doesn't support and exception security for Functions specifically, since looking under "Allow azure trusted services" doesn't include the Functions products. 存储不特别支持Function的安全性和异常安全性,因为在“允许Azure信任的服务”下查找不包括Functions产品。

I'd recommend checking the second portion of this document to help configure your Functions app to a VNET, then this one to configure your storage account with the same vnet, then add restrictions on the Storage Firewall. 我建议你检查的第二部分, 该文件以帮助配置功能应用到互联星空,那么这一次用相同的vnet配置存储帐户,然后在存储防火墙加上限制。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 白名单 Azure Azure 存储中的自动化帐户以从 blob 读取压缩模块并上传到 azure 自动化模块 - Whitelist Azure Automation account in Azure Storage to read zipped module from blob and upload in azure automation module Azure BLOB 存储幻象请求 - Azure BLOB storage phantom requests 使用 python azure 函数从 azure blob 存储读取文件 - Read files from azure blob storage using python azure functions 仅从 Azure 存储 [Azure-Blob][REST] 中的 Blob 列表获取特定元数据 - Get specific metadata only from List of Blobs in Azure Storage [Azure-Blob][REST] Blob 存储与 Azure 函数的兼容性 - Blob storage compatibility with Azure Functions 如何列出 azure blob 存储中的容器? - How to List the containers in azure blob storage? 使用 python 从多个容器中下载特定的 blob (Azure) - Donwload a specific blob (Azure) from multiples containers with python 使用Azure功能将文件从Azure Blob存储复制到Azure文件存储 - Copy files from Azure Blob storage to Azure File Storage with Azure functions 如何在Azure Functions中使用Azure blob-only存储帐户 - 尝试创建blob快照 - How to use an Azure blob-only storage account with Azure Functions - Trying to create blob snapshot 是否可以将字节附加到 Azure Blob 存储中的 Blob? - Is it possible to append bytes to a blob in Azure Blob Storage?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM