InternalServerError for Application Gateway and API Management - Azure/Terraform
I am trying to deploy, via Terraform in Azure, an infrastructure consisting of an Application Gateway (WAF_v2 tier) with API Management as its backend.
After running for almost 20 minutes, the following error appears: "Error: waiting for creation of Application Gateway: (Name "myAppGateway" / Resource Group "csj-hub-euw-chb-rg"): Code="InternalServerError" Message="An error occurred." Details=[]" (see the image below for more details)
Below is the file containing the Application Gateway:
module "agw_subnet" {
  source                  = "../modules/resources-blocks/subnet"
  subnet_name             = "agw_subnet"
  resource_group_name     = module.resource_group.name
  vnet_name               = module.vnet.name
  subnet_address_prefixes = ["10.22.1.0/24"]
}

resource "azurerm_web_application_firewall_policy" "exampleWAF" {
  name                = "example_wafpolicy_name"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

resource "azurerm_application_gateway" "app_gw" {
  name                = "myAppGateway"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  backend_address_pool {
    name         = "devBackend"
    ip_addresses = ["10.22.40.19"]
  }

  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true

    match {
      body        = ""
      status_code = ["200-399"]
    }
  }

  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    firewall_policy_id             = azurerm_web_application_firewall_policy.exampleWAF.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }

  firewall_policy_id = var.firewall_policy_id == "" ? null : var.firewall_policy_id

  dynamic "waf_configuration" {
    for_each = var.waf_configuration
    content {
      enabled                  = lookup(waf_configuration.value, "enabled", true)
      file_upload_limit_mb     = lookup(waf_configuration.value, "file_upload_limit_mb", 30)
      firewall_mode            = lookup(waf_configuration.value, "firewall_mode", "Prevention")
      max_request_body_size_kb = lookup(waf_configuration.value, "max_request_body_size_kb", 128)
      request_body_check       = lookup(waf_configuration.value, "request_body_check", true)
      rule_set_type            = lookup(waf_configuration.value, "rule_set_type", "OWASP")
      rule_set_version         = lookup(waf_configuration.value, "rule_set_version", "3.1")
    }
  }
}
The resource group already exists, because the infrastructure I am deploying (App-GTW + APIM) will be an addition to the infrastructure already created in that resource group:
module "resource_group" {
  source                  = "../modules/resources/resource_group"
  resource_group_location = var.LOCATION
  resource_group_name     = local.resource_group_name
}

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.resource_group_location
}
The VNet hosting the subnet for the App-GTW has also already been created (note that VNET_ADDRESS_SPACE is 10.22.0.0/21):
module "vnet" {
  source                     = "../modules/resources/vnet"
  vnet_name                  = local.vnet_name
  resource_group_name        = module.resource_group.name
  resource_group_location    = module.resource_group.location
  vnet_address_space         = [var.VNET_ADDRESS_SPACE]
  log_analytics_workspace_id = module.log_analytics_workspace.id
  enable_diagnostic_setting  = true
}

resource "azurerm_virtual_network" "vnet" {
  name                = var.vnet_name
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  address_space       = var.vnet_address_space
}

resource "azurerm_subnet" "subnet" {
  name                                           = var.subnet_name
  resource_group_name                            = var.resource_group_name
  virtual_network_name                           = var.vnet_name
  address_prefixes                               = var.subnet_address_prefixes
  service_endpoints                              = var.service_endpoints
  enforce_private_link_endpoint_network_policies = var.enforce_private_link_endpoint_network_policies

  dynamic "delegation" {
    for_each = var.service_delegation == null ? [] : [1]
    content {
      name = "${var.subnet_name}-delegation"
      service_delegation {
        name    = var.service_delegation
        actions = var.delegation_actions
      }
    }
  }
}
So, to recap, I am trying to deploy an App-GTW with APIM as its backend. The VNet hosting the App-GTW already exists, the resource group containing the App-GTW already exists, and the APIM already exists.
Also note that the APIM is in a different VNet from the App-GTW; in other words, the App-GTW is in VNet-A (example name) and the APIM is in VNet-B, and the two VNets are connected to each other by virtual network peering.
I have spent a lot of time reading the documentation trying to find a solution, but I still get this error, so I am asking for your help.
Thanks!
Apparently, if I create a new resource group with a new VNet when deploying the App-GTW, instead of using the already existing resource group and VNet, I do not get this error.
But the problem is that I have to use the already existing resource group and VNet.
I tried to reproduce the same in my environment:
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example_wafpolicy_name"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  policy_settings {
    ....
  }

  managed_rules {
    managed_rule_set {
      .....
    }
  }
}

resource "azurerm_application_gateway" "app_gateway" {
  name                = "myAppGateway"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  backend_address_pool {
    name         = "devBackend"
    ip_addresses = ["10.22.40.19"]
  }

  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true

    match {
      body        = ""
      status_code = ["200-399"]
    }
  }

  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    # references the policy declared above as "example"
    firewall_policy_id             = azurerm_web_application_firewall_policy.example.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }
  ............
I ran into some parallel errors:
Please note:
To communicate with private resources in the backend, Application Gateway and API Management must be in the same virtual network.
To do that, set up a virtual network for your resources. Within that solution, it creates subnets for Application Gateway and API Management.
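As an added example (not code from the question or from the answer above), the following layout follows the answer's point: it reads the already existing resource group and VNet through data sources, creates one subnet each for the gateway and for API Management inside that same VNet, deploys APIM in Internal mode, and points the gateway's backend pool at the private IP that the APIM resource exports instead of a hard-coded address in a peered VNet. The resource group and VNet names, the subnet prefixes, the APIM name, the publisher details and the host name are placeholders.

```hcl
# Added example, not from the question or the answer: App GW and APIM in the
# SAME pre-existing VNet, each in its own subnet. Names/prefixes are placeholders.
data "azurerm_resource_group" "existing" {
  name = "EXISTING-RG-NAME" # placeholder: the pre-existing resource group
}
data "azurerm_virtual_network" "existing" {
  name                = "EXISTING-VNET-NAME" # placeholder: the pre-existing VNet
  resource_group_name = data.azurerm_resource_group.existing.name
}
# Application Gateway needs a subnet of its own (nothing else may live in it).
resource "azurerm_subnet" "agw" {
  name                 = "agw-subnet"
  resource_group_name  = data.azurerm_resource_group.existing.name
  virtual_network_name = data.azurerm_virtual_network.existing.name
  address_prefixes     = ["10.22.1.0/24"] # assumed free range inside the VNet
}
# API Management gets its own subnet in the same VNet, not in a peered one.
resource "azurerm_subnet" "apim" {
  name                 = "apim-subnet"
  resource_group_name  = data.azurerm_resource_group.existing.name
  virtual_network_name = data.azurerm_virtual_network.existing.name
  address_prefixes     = ["10.22.2.0/24"] # assumed free range inside the VNet
}
# Internal mode: APIM is reachable only on a private IP, so the WAF gateway is the only public entry.
resource "azurerm_api_management" "apim" {
  name                 = "example-apim"          # placeholder (must be globally unique)
  location             = data.azurerm_resource_group.existing.location
  resource_group_name  = data.azurerm_resource_group.existing.name
  publisher_name       = "Example Publisher"     # placeholder
  publisher_email      = "admin@example.invalid" # placeholder
  sku_name             = "Developer_1"
  virtual_network_type = "Internal"
  virtual_network_configuration {
    subnet_id = azurerm_subnet.apim.id
  }
}
resource "azurerm_public_ip" "agw" {
  name                = "agw-pip"
  location            = data.azurerm_resource_group.existing.location
  resource_group_name = data.azurerm_resource_group.existing.name
  allocation_method   = "Static"
  sku                 = "Standard" # v2 SKUs require a Standard static public IP
}
resource "azurerm_application_gateway" "app_gw" {
  name                = "myAppGateway"
  location            = data.azurerm_resource_group.existing.location
  resource_group_name = data.azurerm_resource_group.existing.name
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "agw-ipcfg"
    subnet_id = azurerm_subnet.agw.id
  }
  frontend_port {
    name = "http-80"
    port = 80
  }
  frontend_ip_configuration {
    name                 = "public-frontend"
    public_ip_address_id = azurerm_public_ip.agw.id
  }
  # Backend address comes from the APIM resource itself, so it cannot drift from the deployment.
  backend_address_pool {
    name         = "apimBackend"
    ip_addresses = azurerm_api_management.apim.private_ip_addresses
  }
  backend_http_settings {
    name                  = "apimHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    host_name             = "api.example.invalid" # placeholder: APIM gateway host name
    probe_name            = "apim-probe"
  }
  probe {
    name                                      = "apim-probe"
    protocol                                  = "Http"
    path                                      = "/status-0123456789abcdef"
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
  }
  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = "public-frontend"
    frontend_port_name             = "http-80"
    protocol                       = "Http"
  }
  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "apimBackend"
    backend_http_settings_name = "apimHttpSetting"
  }
  waf_configuration {
    enabled          = true
    firewall_mode    = "Prevention"
    rule_set_version = "3.2"
  }
}
```

Because the backend pool references the APIM resource, Terraform creates APIM (which itself takes a long time) before the gateway, and the gateway only ever learns the private address APIM actually received. No network security group is attached to the APIM subnet here; if one is attached, it must allow the APIM management endpoint traffic (TCP 3443 from the ApiManagement service tag), otherwise the APIM deployment fails. With APIM in Internal mode the WAF_v2 gateway in Prevention mode remains the single public entry point and APIM itself has no public address.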