InternalServerError for Application Gateway and API Management - Azure/Terraform

I am trying to deploy infrastructure in Azure through Terraform, consisting of an Application Gateway (WAF_v2 tier) with API Management as the backend.

The error that appears after running for almost 20 minutes is the following: "Error: waiting for creation of Application Gateway: (Name "myAppGateway" / Resource Group "csj-hub-euw-chb-rg"): Code="InternalServerError" Message="An error occurred." Details=[]" (see the image below for more details).

Here is the file containing the Application Gateway:
```hcl
module "agw_subnet" {
  source                  = "../modules/resources-blocks/subnet"
  subnet_name             = "agw_subnet"
  resource_group_name     = module.resource_group.name
  vnet_name               = module.vnet.name
  subnet_address_prefixes = ["10.22.1.0/24"]
}

resource "azurerm_web_application_firewall_policy" "exampleWAF" {
  name                = "example_wafpolicy_name"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  policy_settings {
    enabled                     = true
    mode                        = "Prevention"
    request_body_check          = true
    file_upload_limit_in_mb     = 100
    max_request_body_size_in_kb = 128
  }

  managed_rules {
    managed_rule_set {
      type    = "OWASP"
      version = "3.2"
    }
  }
}

resource "azurerm_application_gateway" "app_gw" {
  name                = "myAppGateway"
  resource_group_name = module.resource_group.name
  location            = module.resource_group.location

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  backend_address_pool {
    name         = "devBackend"
    ip_addresses = ["10.22.40.19"]
  }

  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true

    match {
      body        = ""
      status_code = [
        "200-399"
      ]
    }
  }

  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    firewall_policy_id             = azurerm_web_application_firewall_policy.exampleWAF.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }

  firewall_policy_id = var.firewall_policy_id == "" ? null : var.firewall_policy_id

  dynamic "waf_configuration" {
    for_each = var.waf_configuration
    content {
      enabled                  = lookup(waf_configuration.value, "enabled", true)
      file_upload_limit_mb     = lookup(waf_configuration.value, "file_upload_limit_mb", 30)
      firewall_mode            = lookup(waf_configuration.value, "firewall_mode", "Prevention")
      max_request_body_size_kb = lookup(waf_configuration.value, "max_request_body_size_kb", 128)
      request_body_check       = lookup(waf_configuration.value, "request_body_check", true)
      rule_set_type            = lookup(waf_configuration.value, "rule_set_type", "OWASP")
      rule_set_version         = lookup(waf_configuration.value, "rule_set_version", "3.1")
    }
  }
}
```
The resource group already exists, because the infrastructure I am deploying (App-GTW + APIM) will be an addition to the infrastructure already created in that resource group:
```hcl
module "resource_group" {
  source                  = "../modules/resources/resource_group"
  resource_group_location = var.LOCATION
  resource_group_name     = local.resource_group_name
}

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.resource_group_location
}
```
The virtual network whose subnet will host the App-GTW has also already been created (note that VNET_ADDRESS_SPACE is 10.22.0.0/21):
```hcl
module "vnet" {
  source                     = "../modules/resources/vnet"
  vnet_name                  = local.vnet_name
  resource_group_name        = module.resource_group.name
  resource_group_location    = module.resource_group.location
  vnet_address_space         = [var.VNET_ADDRESS_SPACE]
  log_analytics_workspace_id = module.log_analytics_workspace.id
  enable_diagnostic_setting  = true
}

resource "azurerm_virtual_network" "vnet" {
  name                = var.vnet_name
  location            = var.resource_group_location
  resource_group_name = var.resource_group_name
  address_space       = var.vnet_address_space
}

resource "azurerm_subnet" "subnet" {
  name                 = var.subnet_name
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.vnet_name
  address_prefixes     = var.subnet_address_prefixes
  service_endpoints    = var.service_endpoints

  enforce_private_link_endpoint_network_policies = var.enforce_private_link_endpoint_network_policies

  dynamic "delegation" {
    for_each = var.service_delegation == null ? [] : [1]
    content {
      name = "${var.subnet_name}-delegation"
      service_delegation {
        name    = var.service_delegation
        actions = var.delegation_actions
      }
    }
  }
}
```
So, to recap, I am trying to deploy an App-GTW with APIM as the backend. The VNet hosting the App-GTW already exists, the resource group containing the App-GTW already exists, and the APIM already exists as well.

Also note that the APIM is in a different VNet from the App-GTW; in other words, the App-GTW is in VNet-A (example name) and the APIM is in VNet-B, and the two VNets are connected by virtual network peering.

I have spent a lot of time reading the documentation trying to find a solution, but I still get this error, so I am asking for your help.

Thanks!

Apparently, if I create a new resource group with a new VNet when deploying the App-GTW, instead of using the existing resource group and VNet, I do not get this error.

But the problem is that I have to use the existing resource group and VNet.

I tried to reproduce the same in my environment:
```hcl
resource "azurerm_web_application_firewall_policy" "example" {
  name                = "example_wafpolicy_name"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  custom_rules {
    name      = "Rule1"
    priority  = 1
    rule_type = "MatchRule"

    match_conditions {
      match_variables {
        variable_name = "RemoteAddr"
      }
      operator           = "IPMatch"
      negation_condition = true
      match_values       = ["x.x.x.x"]
    }

    action = "Block"
  }

  policy_settings {
    ....
  }

  managed_rules {
    managed_rule_set {
      .....
    }
  }
}

resource "azurerm_application_gateway" "app_gateway" {
  name                = "myAppGateway"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name

  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }

  gateway_ip_configuration {
    name      = "my-gateway-ip-configuration"
    subnet_id = module.agw_subnet.id
  }

  frontend_port {
    name = var.frontend_port_name
    port = 80
  }

  frontend_ip_configuration {
    name                 = var.frontend_ip_configuration_name
    public_ip_address_id = module.app_gw_pip.id
  }

  backend_address_pool {
    name         = "devBackend"
    ip_addresses = ["10.22.40.19"]
  }

  backend_http_settings {
    name                  = "devHttpSetting"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    request_timeout       = 20
    host_name             = "xxxx.be"
    probe_name            = "apim-probe"
  }

  probe {
    interval                                  = 30
    name                                      = "apim-probe"
    path                                      = "/status-0123456789abcdef"
    protocol                                  = "Http"
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true

    match {
      body        = ""
      status_code = [
        "200-399"
      ]
    }
  }

  http_listener {
    name                           = "devListener"
    frontend_ip_configuration_name = var.frontend_ip_configuration_name
    frontend_port_name             = var.frontend_port_name
    protocol                       = "Http"
    host_name                      = "xxxx.be"
    firewall_policy_id             = azurerm_web_application_firewall_policy.exampleWAF.id
  }

  request_routing_rule {
    name                       = "devRule"
    rule_type                  = "Basic"
    priority                   = 25
    http_listener_name         = "devListener"
    backend_address_pool_name  = "devBackend"
    backend_http_settings_name = "devHttpSetting"
  }

  ............
```
I ran into some parallel errors:

Please note:

To communicate with private resources in the backend, the Application Gateway and API Management must be in the same virtual network as those resources.

To do this, set up one virtual network for your resources. In that solution, it creates subnets for the Application Gateway and for API Management.
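The layout the answer describes, written out as an added Terraform example (not the poster's configuration and not the answer's own code): a single VNet with one subnet for the gateway and a second subnet for an API Management instance deployed in internal mode, and the gateway's backend pool pointing at the APIM private address. The resource group name "example-rg", the subnet names and address prefixes, the APIM name and publisher details, the host name "api.example.invalid", and the reuse of the question's "exampleWAF" policy and "app_gw_pip" module are all assumptions made for the example.

```hcl
# Added example, not the poster's code. Assumed: an existing resource group "example-rg",
# the names/address ranges below, and the "exampleWAF" policy and "app_gw_pip" module from the question.
data "azurerm_resource_group" "example" {
  name = "example-rg"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  address_space       = ["10.22.0.0/21"]
}

resource "azurerm_subnet" "agw" { # v2 gateways need a dedicated subnet
  name                 = "agw-subnet"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.22.1.0/24"]
}

resource "azurerm_subnet" "apim" { # dedicated subnet, same VNet, for the internal APIM instance
  name                 = "apim-subnet"
  resource_group_name  = data.azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.22.2.0/24"]
}

# Internal mode: APIM gets only a private IP, so the WAF-fronted gateway is the sole public entry point.
resource "azurerm_api_management" "example" {
  name                 = "example-apim"
  location             = data.azurerm_resource_group.example.location
  resource_group_name  = data.azurerm_resource_group.example.name
  publisher_name       = "Example"
  publisher_email      = "admin@example.invalid"
  sku_name             = "Developer_1"
  virtual_network_type = "Internal"
  virtual_network_configuration {
    subnet_id = azurerm_subnet.apim.id
  }
}

resource "azurerm_application_gateway" "example" {
  name                = "example-agw"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  firewall_policy_id  = azurerm_web_application_firewall_policy.exampleWAF.id # policy attached once, here
  sku {
    name     = "WAF_v2"
    tier     = "WAF_v2"
    capacity = 2
  }
  gateway_ip_configuration {
    name      = "gw-ipcfg"
    subnet_id = azurerm_subnet.agw.id
  }
  frontend_port {
    name = "port-80"
    port = 80
  }
  frontend_ip_configuration {
    name                 = "public-frontend"
    public_ip_address_id = module.app_gw_pip.id
  }
  backend_address_pool { # the APIM private address inside the same VNet
    name         = "apim-backend"
    ip_addresses = azurerm_api_management.example.private_ip_addresses
  }
  backend_http_settings {
    name                  = "apim-http"
    cookie_based_affinity = "Disabled"
    port                  = 80
    protocol              = "Http"
    host_name             = "api.example.invalid" # assumed APIM custom domain
    probe_name            = "apim-probe"
  }
  probe {
    name                                      = "apim-probe"
    protocol                                  = "Http"
    path                                      = "/status-0123456789abcdef"
    interval                                  = 30
    timeout                                   = 30
    unhealthy_threshold                       = 3
    pick_host_name_from_backend_http_settings = true
  }
  http_listener {
    name                           = "public-listener"
    frontend_ip_configuration_name = "public-frontend"
    frontend_port_name             = "port-80"
    protocol                       = "Http"
  }
  request_routing_rule {
    name                       = "apim-rule"
    rule_type                  = "Basic"
    priority                   = 10
    http_listener_name         = "public-listener"
    backend_address_pool_name  = "apim-backend"
    backend_http_settings_name = "apim-http"
  }
}
```

Two design points: the WAF policy is attached once at the gateway level through `firewall_policy_id`, and the legacy `waf_configuration` block from the question is left out so that only one WAF definition governs the gateway. In internal mode the APIM host name used by the probe and backend settings must resolve to the private address from inside the VNet (a private DNS zone or custom domain, not shown here), otherwise the probe marks the backend unhealthy even though the network path is correct.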