
Azure App Service + Private Link + Azure Container Registry

I have set up Azure App Service and connected it through Private Link. I have disabled all public connectivity; while running tests using a webhook from ACR I'm always getting "Error 403 - Forbidden. The web app you have attempted to reach has blocked your access."

On Access Restriction I have "Allow ALL" on both the scm and non-scm host... but I'm still getting the same result. I have not found any blocking rules in the Environment or in the App Service plan. Where should I look?

Private Link is for the hosted application, not the App Service resource. This means your hosted app can talk privately to an Azure service like APIM or a storage account directly. But when the App Service needs to pull an image from the registry privately, you will have to use an ASE, or App Service Environment.

Unfortunately, an ASE will cost almost 1K per month, because you are renting out space in their data center to support isolation for your App Services.

I don't always get my head around the way Microsoft implements private endpoints. When you care about network security, you always want to work with private endpoints. However, private endpoints introduce the need for other services like a NAT firewall, VPN access, and more. Not even to mention the expensive App Service Environment (ASE).

In the case of using ACR webhooks combined with private-endpoint-secured App Services, using a proxy App Service or Azure Function can be a solution. You can deploy this in the same App Service Plan and enable regional VNet integration. This allows the proxy to be publicly visible, while still being able to send a webhook inside the virtual network to the scm site of the other App Service. For security reasons, you should of course work with (managed) identities.
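The proxy sketched in that answer, written out as an added example (not code from the thread or from any Azure sample): a public, VNet-integrated function that checks a shared-secret header ACR was configured to send, accepts only push events from the expected registry and an allow-listed repository, and only then relays the original payload to the private app's scm-site webhook endpoint. The secret, registry host, repository name, target URL and the outbound `Authorization` value are placeholders; how the proxy authenticates to the scm site depends on your identity setup and is injected as a sender callable.

```python
import hmac
import json
import os
import urllib.request
from typing import Callable, Optional, Tuple

# Placeholders (assumptions, not values from the thread); read from app settings in practice.
WEBHOOK_SECRET = os.environ.get("WEBHOOK_SECRET", "constructed-secret")   # custom header ACR sends
EXPECTED_REGISTRY = os.environ.get("ACR_HOST", "myregistry.azurecr.io")   # hypothetical registry
ALLOWED_REPOS = {"web/frontend"}                                           # hypothetical repository
# Continuous-deployment endpoint on the private app's scm site, reachable only via the VNet.
TARGET_SCM_URL = os.environ.get(
    "TARGET_SCM_URL", "https://myprivateapp.scm.azurewebsites.net/api/registry/webhook")


def validate_event(payload: dict) -> Optional[str]:
    """Return a rejection reason, or None when this ACR push event may be forwarded."""
    if payload.get("action") != "push":
        return "not a push event"
    if payload.get("request", {}).get("host") != EXPECTED_REGISTRY:
        return "unexpected registry host"
    target = payload.get("target", {})
    if target.get("repository") not in ALLOWED_REPOS:
        return "repository not allow-listed"
    if not target.get("tag") or not str(target.get("digest", "")).startswith("sha256:"):
        return "missing tag or digest"
    return None


def forward_to_scm(url: str, body: bytes) -> int:
    """Default sender: POST the original payload to the scm site over the VNet."""
    # Outbound credential is whatever your identity model supplies; placeholder env var here.
    headers = {"Content-Type": "application/json",
               "Authorization": os.environ.get("SCM_AUTH_HEADER", "")}
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def handle_webhook(headers: dict, raw_body: bytes,
                   send: Callable[[str, bytes], int] = forward_to_scm) -> Tuple[int, str]:
    """Entry point the proxy's HTTP trigger would call; returns (status, message)."""
    given = headers.get("X-Webhook-Secret", "")            # header names assumed normalised
    if not hmac.compare_digest(given, WEBHOOK_SECRET):
        return 401, "bad secret"                             # reject before parsing the body
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, "malformed JSON"
    reason = validate_event(payload)
    if reason:
        return 202, f"ignored: {reason}"                     # acknowledge, but do not relay
    return send(TARGET_SCM_URL, raw_body), "forwarded"
```

Because the proxy is the only public surface, its access restrictions can be limited to the ACR webhook source addresses while the target app stays fully private.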
