Azure App Service + Private Link + Azure Container Registry
I have set up an Azure App Service and connected to it through Private Link, and I have disabled all public connectivity. While testing with a webhook from ACR I always get "Error 403 - Forbidden. The web app you have attempted to reach has blocked your access."

Under Access Restrictions I have "Allow All" on both the scm and the non-scm host, but I still get the same result. I have not found any blocking rules in the Environment or in the App Service plan. Where should I look?
Private Link is for the hosted application, not the App Service resource. This means your hosted app can talk privately to an Azure service like APIM or a storage account directly. But when the App Service needs to pull an image from the registry privately, you will have to use an ASE, or App Service Environment.

Unfortunately, an ASE will cost almost 1K per month, because you are renting out space in their data center to support isolation for your App Services.
I don't always get my head around the way Microsoft implements private endpoints. When you care about network security, you always want to work with private endpoints. However, private endpoints introduce the need for other services like a NAT firewall, VPN access, and more, not to mention the expensive App Service Environment (ASE).

In the case of using ACR webhooks combined with private-endpoint-secured App Services, using a proxy App Service or Azure Function can be a solution. You can deploy it in the same App Service Plan and enable regional VNet integration. This allows the proxy to be publicly visible while still being able to send the webhook inside the virtual network to the scm site of the other App Service. For security reasons, you should of course work with (managed) identities.
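The proxy pattern described in the answer above, as an added example that is not part of the original answer or of any Azure SDK: the decision logic of a publicly reachable relay (usable as the body of an HTTP-triggered Function with regional VNet integration) that checks a shared-secret header configured on the ACR webhook, relays only push events for the expected image and tag, and forwards the payload over the VNet to the private app's scm site. The header name `X-Acr-Webhook-Secret`, the `/api/registry/webhook` path with basic publishing credentials, the app and registry names, and the sample event are assumptions for illustration; the event is constructed in the shape of an ACR push notification, not a captured one.

```python
import base64
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib import request as urlrequest

SECRET_HEADER = "X-Acr-Webhook-Secret"  # assumed name of the custom header set on the ACR webhook


@dataclass(frozen=True)
class RelayConfig:
    """Proxy app settings (field names are assumptions for this example)."""
    shared_secret: str  # value ACR sends in SECRET_HEADER
    scm_host: str       # private app's scm host, e.g. <app>.scm.azurewebsites.net
    scm_user: str       # publishing credential user, e.g. "$<app>"
    scm_password: str   # publishing credential password
    repository: str     # only relay pushes of this image ...
    tag: str            # ... with this tag


@dataclass(frozen=True)
class ForwardRequest:
    url: str
    headers: Dict[str, str]
    body: bytes


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    # Case-insensitive header lookup.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def verify_shared_secret(headers: Dict[str, str], cfg: RelayConfig) -> bool:
    """Constant-time check of the ACR custom header against the configured secret."""
    presented = _header(headers, SECRET_HEADER)
    return presented is not None and hmac.compare_digest(
        presented.encode(), cfg.shared_secret.encode())


def parse_push_event(body: bytes) -> Dict[str, str]:
    """Pull out the fields of an ACR push event that the relay decides on."""
    try:
        event = json.loads(body)
        return {
            "action": event["action"],
            "repository": event["target"]["repository"],
            "tag": event["target"].get("tag", ""),
            "digest": event["target"]["digest"],
            "registry": event["request"]["host"],
        }
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"malformed ACR event: {exc}") from exc


def build_forward_request(body: bytes, cfg: RelayConfig) -> ForwardRequest:
    """Compose the call sent over the VNet to the private app's scm webhook (assumed path/auth)."""
    token = base64.b64encode(f"{cfg.scm_user}:{cfg.scm_password}".encode()).decode()
    return ForwardRequest(
        url=f"https://{cfg.scm_host}/api/registry/webhook",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        body=body,  # payload is passed through unchanged
    )


def handle_webhook(headers: Dict[str, str], body: bytes,
                   cfg: RelayConfig) -> Tuple[int, str, Optional[ForwardRequest]]:
    """Decide whether an inbound call is relayed: (http status, reason, request or None)."""
    if not verify_shared_secret(headers, cfg):
        return 401, "missing or wrong shared secret", None
    try:
        event = parse_push_event(body)
    except ValueError as exc:
        return 400, str(exc), None
    if event["action"] != "push":
        return 202, f"ignored action {event['action']}", None
    if (event["repository"], event["tag"]) != (cfg.repository, cfg.tag):
        return 202, f"ignored {event['repository']}:{event['tag']}", None
    reason = f"relaying {event['registry']}/{event['repository']}@{event['digest']}"
    return 200, reason, build_forward_request(body, cfg)


def send(req: ForwardRequest, timeout: float = 10.0) -> int:
    # The only function here that touches the network.
    http_req = urlrequest.Request(req.url, data=req.body, headers=req.headers, method="POST")
    with urlrequest.urlopen(http_req, timeout=timeout) as resp:
        return resp.status


# Constructed sample in the shape of an ACR push notification (not a captured payload).
SAMPLE_EVENT = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "action": "push",
    "target": {"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
               "digest": "sha256:" + "ab" * 32, "repository": "hello-world", "tag": "v1"},
    "request": {"host": "myregistry.azurecr.io", "method": "PUT"},
}).encode()

SAMPLE_CONFIG = RelayConfig(shared_secret="constructed-secret",
                            scm_host="myprivateapp.scm.azurewebsites.net", scm_user="$myprivateapp",
                            scm_password="constructed-password", repository="hello-world", tag="v1")

if __name__ == "__main__":
    status, why, fwd = handle_webhook({SECRET_HEADER: "constructed-secret"}, SAMPLE_EVENT, SAMPLE_CONFIG)
    print(status, why)
    if fwd is not None:
        print("would POST to", fwd.url)  # send(fwd) delivers it over the VNet
```

Without the shared-secret check and the repository/tag filter the public proxy would be an open relay: anyone who found its URL could trigger redeploys of the private app. Only `send()` touches the network, so the decision logic can be exercised offline. Keep the shared secret and the scm publishing credentials out of the code and configuration files; loading them from Key Vault with the proxy's managed identity is where the identity recommendation above applies.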