如何使用PowerShell将我的Azure App Service Web应用程序连接到专用虚拟网络子网(通过虚拟网络网关)?

时间:2016-10-25 19:46:34

标签: azure azure-web-sites azure-resource-manager azure-virtual-network azure-vpn

我尝试通过PowerShell和ARM模板配置App Service Web应用程序,并通过虚拟网络网关(也通过ARM配置)将Web应用程序连接到虚拟网络。

模板相当简单。我有一个网络安全组,可以从公共互联网上删除vnet。

{
            "comments": "NSG - DENY Internet",
            "type": "Microsoft.Network/networkSecurityGroups",
            "name": "[parameters('private_nsg')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "securityRules": [
                    {
                        "name": "allow-ssh",
                        "properties": {
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "22",
                            "sourceAddressPrefix": "Internet",
                            "destinationAddressPrefix": "*",
                            "access": "Allow",
                            "priority": 100,
                            "direction": "Inbound"
                        }
                    },
                    {
                        "name": "deny-internet",
                        "properties": {
                            "protocol": "TCP",
                            "sourcePortRange": "*",
                            "destinationPortRange": "*",
                            "sourceAddressPrefix": "Internet",
                            "destinationAddressPrefix": "*",
                            "access": "Deny",
                            "priority": 200,
                            "direction": "Inbound"
                        }
                    }
                ]
            },
            "resources": [],
            "dependsOn": []
        },

然后虚拟网络本身具有属于上述nsg的子网以及GateWay子网。

{
            "comments": "VNet 1",
            "type": "Microsoft.Network/virtualNetworks",
            "name": "[parameters('vnet1')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "addressSpace": {
                    "addressPrefixes": [
                        "10.0.0.0/16"
                    ]
                },
                "subnets": [
                    {
                        "name": "private1",
                        "properties": {
                            "addressPrefix": "10.0.1.0/24",
                            "networkSecurityGroup": {
                                "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
                            }
                        }
                    },
                    {
                        "name": "GatewaySubnet",
                        "properties": {
                            "addressPrefix": "10.0.100.0/24"
                        }
                    }
                ]
            },
            "resources": [],
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
            ]
        },

然后我为虚拟网络网关创建一个IP地址

{
            "comments": "Gateway 1 IP",
            "type": "Microsoft.Network/publicIPAddresses",
            "name": "[parameters('gateway1_ip')]",
            "apiVersion": "2016-03-30",
            "location": "[parameters('location')]",
            "properties": {
                "publicIPAllocationMethod": "Dynamic",
                "idleTimeoutInMinutes": 4
            },
            "resources": [],
            "dependsOn": []
        },

网关本身

{
            "comments": "VNet1 Gateway",
            "apiVersion": "2015-05-01-preview",
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "[parameters('gateway1')]",
            "location": "[parameters('location')]",
            "properties": {
                "ipConfigurations": [
                    {
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": {
                                "id": ""[concat(variables('vnet1_ref'),'/subnets/','GatewaySubnet')]""
                            },
                            "publicIPAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gateway1_ip'))]"
                            }
                        },
                        "name": "vnetGatewayConfig"
                    }
                ],
                "gatewayType": "Vpn",
                "vpnType": "RouteBased",
                "vpnClientConfiguration": {
                    "vpnClientAddressPool": {
                        "addressPrefixes": [ "192.168.2.0/24"]
                    }
                },
                "enableBgp": false
            },
            "dependsOn": [
                "[concat('Microsoft.Network/publicIPAddresses/', parameters('gateway1_ip'))]",
                "[concat('Microsoft.Network/virtualNetworks/', parameters('vnet1'))]"
            ]
        },

我还创建一个Linux VM并将其放入私有子网中,然后创建一个App Service Web应用程序(和Plan),该应用程序知道如何对Linux VM的私有执行GET请求(10. 。*)IP。

模板部署后,我运行了一些PowerShell based on this other Stack Overflow answer

$app1 = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $parameters["appsvc1_name"]
$app1Config = Get-AzureRmResource -ResourceName "$($app1.Name)/web" -ResourceType "Microsoft.Web/sites/config" -ResourceGroupName $resourceGroupName -ApiVersion 2015-08-01
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name "$resourceGroupName-Net"
$gateway = (Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroupName)[0]
$networkProperties = @{ "vnetResourceId" = $vnet.Id }
$networkConnection = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -Properties $networkProperties -ResourceName "$($app1.Name)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -Force
$null = Add-AzureRmVpnClientRootCertificate -ResourceGroupName $resourceGroupName -VpnClientRootCertificateName "AppServiceCertificate.cer" -PublicCertData $networkConnection.Properties.CertBlob -VirtualNetworkGatewayName $gateway.Name

此时,如果我在门户中查看我的应用程序,它看起来就像是连接到网关(门户网站说"已连接"绿色和"证书状态"是"证书已同步")。但是,我的应用无法连接到私有VM。

如果我删除了门户网站中的网络连接,然后在门户网站中重新连接它,我的应用程序可以连接到VM。这让我相信网关配置正确,而且只是连接出错了。

我在之前的StackOverflow答案中唯一遗漏的是:

$vpnPackageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $resourceGroupName -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
$vpnPackageUri = $vpnPackageUri.Replace('"', "")
$vpnPackageProperties = @{ "vnetName" = $vnet.Name; "vpnPackageUri" = $vpnPackageUri }
$networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -ResourceName "$($app1.Name)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -Force 

不幸的是,最后一个命令错误输出了一般错误消息:

New-AzureRmResource : {"Message":"An error has occurred."}
At line:1 char:25
+ $networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzureRmResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : InternalServerError,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet

所以我无法说出实际出了什么问题。运行此命令不允许我的应用程序连接;我必须手动删除连接并在门户中重新添加它。

我错过了什么?

1 个答案:

答案 0 :(得分:1)

我做了一些非常相似的事情(除了VM在Windows上)。我正在关注MSDN文章here并最终处于类似情况。门户网站称App已连接到VPN,但App和VM之间没有连接。从Portal手动连接应用程序解决了问题。

您需要重新同步网络(从应用服务计划/网络磁贴)。

here有一个未解决的问题。他们似乎不想解决这个问题,他们正在等待有关App Service - VPN集成的新功能。