
我有以下 ARM 模板来生成存储帐户并添加现有的虚拟网络:

   {
      "name": "test0deep0123",
      "type": "Microsoft.Storage/storageAccounts",
      "location": "West Europe",
      "apiVersion": "2018-11-01",
      "sku": {
        "name": "Standard_LRS",
        "tier": "Standard"
      },
      "kind": "StorageV2",
      "properties": {
        "firewallState": "Enabled",
        "virtualNetworkRules": [
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetId"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": subnetid"
            },
            "name": "name"
          },
          {
            "properties": {
              "subnetId": "subnetid"
            },
            "name": "name"
          }

        "networkAcls": {
          "bypass": "AzureServices",
          "virtualNetworkRules": [
            {
              "id": "id",
              "action": "Allow",
              "state": "succeeded"
            },
            {
              "id": "id",
              "action": "Allow",
              "state": "succeeded"
            }
          ],
          "ipRules": [],
          "defaultAction": "Allow"
        },
        "supportsHttpsTrafficOnly": false,
        "encryption": {
          "services": {
            "file": {
              "enabled": true
            },
            "blob": {
              "enabled": true
            }
          },
          "keySource": "Microsoft.Storage"
        },
        "accessTier": "Hot"
      }
    }

我可以在资源组中成功部署此模板，但查看存储帐户的“防火墙和虚拟网络”页面时，我看到“允许访问”被设置为“所有网络”，尽管在“选定的网络”下可以看到已添加的虚拟网络。

要让“选定的网络”被选中（即只允许所列虚拟网络访问），我应该怎么做？




问题是，如果您在 `virtualNetworkRules` 中把规则设置为 `Allow`，那么 `defaultAction` 需要设置为 `Deny`，这样才是在存储帐户防火墙中把选定的虚拟网络列入白名单；`defaultAction` 保持 `Allow` 时，所有网络都仍然可以访问。

在这种情况下，您可以把现有虚拟网络（需已启用存储帐户服务终结点）的子网 ID 填入 `networkAcls` 段落，并把 `"defaultAction"` 改为 `"Deny"`。此外，`virtualNetworkRules` 属于 `networkAcls`，而不是存储帐户 `properties` 下的直接属性。

以下模板在我这边可以正常工作。

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
            "virtualNetworks_vnet1": {
            "defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/vnet",
            "type": "string"
        },
            "virtualNetworks_vnet2": {
            "defaultValue": "/subscriptions/xxx/resourceGroups/myrg/providers/Microsoft.Network/virtualNetworks/mytestvnet1",
            "type": "string"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2018-11-01",
            "name": "test0deep01234",
            "location": "Central US",
            "sku": {
                "name": "Standard_LRS",
                "tier": "Standard"
            },
            "kind": "StorageV2",
            "properties": {
                "networkAcls": {
                    "bypass": "AzureServices",
                    "virtualNetworkRules": [
                        {
                            "id": "[concat(parameters('virtualNetworks_vnet1'), '/subnets/default')]",
                            "action": "Allow"

                        },
                         {
                            "id": "[concat(parameters('virtualNetworks_vnet2'), '/subnets/default')]",
                            "action": "Allow"

                        }
                    ],
                    "ipRules": [],
                    "defaultAction": "Deny"
                },
                "supportsHttpsTrafficOnly": false,
                "encryption": {
                    "services": {
                        "file": {
                            "enabled": true
                        },
                        "blob": {
                            "enabled": true
                        }
                    },
                    "keySource": "Microsoft.Storage"
                },
                "accessTier": "Hot"
            }
        }
    ]
}


参考:Microsoft.Storage storageAccounts 模板参考

于 2019-09-03T08:55:54.053 回答

我认为您需要添加 `publicNetworkAccess` 属性并将其设置为 `Disabled`。

希望这能有所帮助。

于 2022-02-01T12:52:46.807 回答