2

我正在尝试通过 PowerShell 和 ARM 模板配置应用服务 Web 应用程序,并通过虚拟网络网关将 Web 应用程序连接到虚拟网络(两者也通过 ARM 配置)。

该模板相当简单。我有一个网络安全组来切断 vnet 与公共 Internet 的连接。

{
            "comments": "NSG - DENY Internet",
            "type": "Microsoft.Network/networkSecurityGroups",
            "name": "[parameters('private_nsg')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "securityRules": [
                    {
                        "name": "allow-ssh",
                        "properties": {
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "22",
                            "sourceAddressPrefix": "Internet",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 100,
                            "direction": "Inbound"
                        }
                    },
                    {
                        "name": "deny-internet",
                        "properties": {
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "Internet",
                            "destinationAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 200,
                            "direction": "Inbound"
                        }
                    }
                ]
            },
            "resources": [],
            "dependsOn": []
        },

然后虚拟网络本身具有属于上述 nsg 的子网和网关子网。

{
            "comments": "VNet 1",
            "type": "Microsoft.Network/virtualNetworks",
            "name": "[parameters('vnet1')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
                        "10.0.0.0/16"
                    ]
                },
                "subnets": [
                    {
                        "name": "private1",
                        "properties": {
                            "addressPrefix": "10.0.1.0/24",
                            "networkSecurityGroup": {
                                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
                            }
                        }
                    },
                    {
                        "name": "GatewaySubnet",
                        "properties": {
                            "addressPrefix": "10.0.100.0/24"
                        }
                    }
                ]
            },
            "resources": [],
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
            ]
        },

然后我为虚拟网关创建一个 IP 地址

{
            "comments": "Gateway 1 IP",
            "type": "Microsoft.Network/publicIPAddresses",
            "name": "[parameters('gateway1_ip')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "publicIPAllocationMethod": "Dynamic",
                "idleTimeoutInMinutes": 4
            },
            "resources": [],
            "dependsOn": []
        },

还有网关本身

{
            "comments": "VNet1 Gateway",
            "apiVersion": "2015-05-01-preview",
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "[parameters('gateway1')]",
            "location": "[parameters('location')]",
            "properties": {
                "ipConfigurations": [
                    {
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": {
                                "id": ""[concat(variables('vnet1_ref'),'/subnets/','GatewaySubnet')]""
                            },
                            "publicIPAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gateway1_ip'))]"
                            }
                        },
                        "name": "vnetGatewayConfig"
                    }
                ],
                "gatewayType": "Vpn",
                "vpnType": "RouteBased",
                "vpnClientConfiguration": {
                    "vpnClientAddressPool": {
                        "addressPrefixes": [ "192.168.2.0/24"]
                    }
                },
                "enableBgp": false
            },
            "dependsOn": [
                "[concat('Microsoft.Network/publicIPAddresses/', parameters('gateway1_ip'))]",
                "[concat('Microsoft.Network/virtualNetworks/', parameters('vnet1'))]"
            ]
        },

我还创建了一个 Linux VM 并将其放在私有子网中,然后创建一个应用服务 Web 应用程序(和计划),该应用程序知道如何针对 Linux VM 的私有(10...*)IP 执行 GET请求

部署模板后,我会根据其他 Stack Overflow 答案运行一些 PowerShell 。

$app1 = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $parameters["appsvc1_name"]
$app1Config = Get-AzureRmResource -ResourceName "$($app1.Name)/web" -ResourceType "Microsoft.Web/sites/config" -ResourceGroupName $resourceGroupName -ApiVersion 2015-08-01
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name "$resourceGroupName-Net"
$gateway = (Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroupName)[0]
$networkProperties = @{ "vnetResourceId" = $vnet.Id }
$networkConnection = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -Properties $networkProperties -ResourceName "$($app1.Name)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -Force
$null = Add-AzureRmVpnClientRootCertificate -ResourceGroupName $resourceGroupName -VpnClientRootCertificateName "AppServiceCertificate.cer" -PublicCertData $networkConnection.Properties.CertBlob -VirtualNetworkGatewayName $gateway.Name

此时,如果我在门户中查看我的应用程序,它看起来好像已连接到网关(门户以绿色显示“已连接”,“证书状态”为“证书已同步”)。但是,我的应用无法连接到私有 VM。

如果我在门户中删除网络连接,然后在门户中重新连接,我的应用程序可以连接到 VM。这让我相信网关配置正确,只是连接出错了。

我之前的 StackOverflow 答案中唯一缺少的是:

$vpnPackageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $resourceGroupName -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
$vpnPackageUri = $vpnPackageUri.Replace('"', "")
$vpnPackageProperties = @{ "vnetName" = $vnet.Name; "vpnPackageUri" = $vpnPackageUri }
$networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -ResourceName "$($app1.Name)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -Force

不幸的是,最后一个命令错误并带有一般错误消息:

New-AzureRmResource : {"Message":"An error has occurred."}
At line:1 char:25
+ $networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : InternalServerError,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

所以我不知道到底出了什么问题。运行此命令也不允许我的应用程序连接;我必须手动删除连接并将其重新添加到门户中。

我错过了什么?

4

1 回答 1

1

我做了一些非常相似的事情(除了虚拟机在 Windows 上)。我在这里关注 MSDN 文章,结果遇到了类似的情况。门户网站说应用程序已连接到 VPN,但应用程序和虚拟机之间没有连接。从门户手动连接应用程序解决了问题。

您需要重新同步网络(从应用服务计划/网络磁贴)。

这里有一个未解决的问题。他们似乎不想解决这个问题,他们正在等待有关应用服务 - VPN 集成的新功能。

于 2017-03-07T13:39:07.200 回答