我尝试通过PowerShell和ARM模板配置App Service Web应用程序,并通过虚拟网络网关(也通过ARM配置)将Web应用程序连接到虚拟网络。
模板相当简单。我有一个网络安全组,可以从公共互联网上删除vnet。
{
"comments": "NSG - DENY Internet",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('private_nsg')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "allow-ssh",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "deny-internet",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 200,
"direction": "Inbound"
}
}
]
},
"resources": [],
"dependsOn": []
},
然后虚拟网络本身具有属于上述nsg的子网以及GateWay子网。
{
"comments": "VNet 1",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnet1')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "private1",
"properties": {
"addressPrefix": "10.0.1.0/24",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
}
}
},
{
"name": "GatewaySubnet",
"properties": {
"addressPrefix": "10.0.100.0/24"
}
}
]
},
"resources": [],
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
]
},
然后我为虚拟网络网关创建一个IP地址
{
"comments": "Gateway 1 IP",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[parameters('gateway1_ip')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic",
"idleTimeoutInMinutes": 4
},
"resources": [],
"dependsOn": []
},
网关本身
{
"comments": "VNet1 Gateway",
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/virtualNetworkGateways",
"name": "[parameters('gateway1')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": ""[concat(variables('vnet1_ref'),'/subnets/','GatewaySubnet')]""
},
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gateway1_ip'))]"
}
},
"name": "vnetGatewayConfig"
}
],
"gatewayType": "Vpn",
"vpnType": "RouteBased",
"vpnClientConfiguration": {
"vpnClientAddressPool": {
"addressPrefixes": [ "192.168.2.0/24"]
}
},
"enableBgp": false
},
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', parameters('gateway1_ip'))]",
"[concat('Microsoft.Network/virtualNetworks/', parameters('vnet1'))]"
]
},
我还创建一个Linux VM并将其放入私有子网中,然后创建一个App Service Web应用程序(和Plan),该应用程序知道如何对Linux VM的私有执行GET请求(10. 。。*)IP。
模板部署后,我运行了一些PowerShell based on this other Stack Overflow answer。
$app1 = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $parameters["appsvc1_name"]
$app1Config = Get-AzureRmResource -ResourceName "$($app1.Name)/web" -ResourceType "Microsoft.Web/sites/config" -ResourceGroupName $resourceGroupName -ApiVersion 2015-08-01
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name "$resourceGroupName-Net"
$gateway = (Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroupName)[0]
$networkProperties = @{ "vnetResourceId" = $vnet.Id }
$networkConnection = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -Properties $networkProperties -ResourceName "$($app1.Name)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -Force
$null = Add-AzureRmVpnClientRootCertificate -ResourceGroupName $resourceGroupName -VpnClientRootCertificateName "AppServiceCertificate.cer" -PublicCertData $networkConnection.Properties.CertBlob -VirtualNetworkGatewayName $gateway.Name
此时,如果我在门户中查看我的应用程序,它看起来就像是连接到网关(门户网站说"已连接"绿色和"证书状态"是"证书已同步")。但是,我的应用无法连接到私有VM。
如果我删除了门户网站中的网络连接,然后在门户网站中重新连接它,我的应用程序可以连接到VM。这让我相信网关配置正确,而且只是连接出错了。
我在之前的StackOverflow答案中唯一遗漏的是:
$vpnPackageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $resourceGroupName -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
$vpnPackageUri = $vpnPackageUri.Replace('"', "")
$vpnPackageProperties = @{ "vnetName" = $vnet.Name; "vpnPackageUri" = $vpnPackageUri }
$networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -ResourceName "$($app1.Name)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -Force
不幸的是,最后一个命令错误输出了一般错误消息:
New-AzureRmResource : {"Message":"An error has occurred."}
At line:1 char:25
+ $networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmResource], ErrorResponseMessageException
+ FullyQualifiedErrorId : InternalServerError,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet
所以我无法说出实际出了什么问题。运行此命令不允许我的应用程序连接;我必须手动删除连接并在门户中重新添加它。
我错过了什么?