stackoom
  简体   繁体   中英

Azure Web App: Cannot add a VNET Restriction Rule using PowerShell when VNET is on a different subscription

 原文  2021-04-08 21:42:39       azure/ powershell/ azure-web-app-service/ azure-powershell

Question

I have a web application in azure and I want to make sure that only my build server (or any other VM on the same subnet) are the only ones which are able to access the SCM site. I thought the most obvious thing would be to create an access restriction rule and in fact that works, I am able to create it from the portal with no issue whatsoever.

The problem, however, happens when I try to automate this using powershell. My build server subnet is located on a subscription different from the one where my web application is.

I am executing the following powershell script:

$subnetId = "/subscriptions/$VNETSubscriptionId/resourceGroups/$VNETResourceGroup/providers/Microsoft.Network/virtualNetworks/$buildServerVNET/subnets/$buildServerSubNet"
Add-AzWebAppAccessRestrictionRule -ResourceGroup $webAppRg -WebAppName $webAppname -Name VNETAccess -Priority 1000 -Action Allow -SubnetId $subnetId

And I get the following error:

Add-AzWebAppAccessRestrictionRule : The client '{{my user credential}}' with object id '81fa4eb1-5553-4daa-af44-3c717b19eda2' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/{{websiteSubscriptionId}}/resour
ceGroups/{{VNETResourceGroup}}/providers/Microsoft.Network/virtualNetworks/{{buildServerVNET}}/subnets/{{buildServerSubNet}}' or
the scope is invalid. If access was recently granted, please refresh your credentials.

The error seems to indicate that the cmdlet is searching for the subnet on the same subscription id than the website instead of the subscription where the subnet is located, since the resourceId string that is being returned on the error messsage has the wrong subscription Id. It is using the one where the website is instead of using the one where the build server is.

What else needs to be done in order to create this rule through powershell?

1 answers

solution1
 1 ACCPTED  2021-04-09 02:19:36

The error message is confused.

In fact, after my validation, you need to add the -IgnoreMissingServiceEndpoint parameter when adding a subnet from a different subscription. Read this GitHub case WebApp:Add-AzWebAppAccessRestrictionRule.md - incorrect use of subscription context over SubnetId param

When using a subnet from a different subscription, we cannot validate the subnet to see if the correct service endpoint (Microsoft.Web) has been set. If you use -IgnoreMissingServiceEndpoint the rule can be added.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Cannot integrate Azure Web App to Vnet How do you associate an Azure web app with a vnet using PowerShell Az? Azure Storage Vnet rule vs Adding a Vnet Connect Azure Web App to vNet using ARM template Web App Vnet Integration using Azure CLI or API rest Create an Azure VM using PowerShell with an existing VNET Connecting Web App to Azure SQL DB in Vnet Azure Web App for Containers networking VNET How to add Azure Container App adding to a VNET Azure VNET peering in multiple subscription
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM