Restricting access to a storage account from an Azure Function subnet

Time: 2020-02-18 02:07:14

Tags: azure azure-functions azure-storage vnet

I have an Azure Function hosted on an (S1) App Service Plan. The Azure Function is integrated into a VNet subnet. This subnet has the Microsoft.Storage and Microsoft.Web service endpoints enabled, and it is also delegated to Microsoft.Web/serverFarms.

On the other side, the storage account is configured to accept requests only from the same subnet the Azure Function is in.

Unfortunately, this doesn't work. When I try to communicate with the storage account from the Azure Function, I get the following error:

2020-02-18T02:03:03.505 [Error] Faliure Occured
Azure.RequestFailedException : This request is not authorized to perform this operation.
RequestId:0b034a99-701e-002c-09ff-e5bd0a000000
Time:2020-02-18T02:03:03.1177265Z
Status: 403 (This request is not authorized to perform this operation.)
ErrorCode: AuthorizationFailure

Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: 0b034a99-701e-002c-09ff-e5bd0a000000
x-ms-client-request-id: 0bbe8185-4657-47f3-8566-5bcbd16c4274
x-ms-error-code: AuthorizationFailure
Date: Tue, 18 Feb 2020 02:03:02 GMT
Content-Length: 246
Content-Type: application/xml

   at Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync_CreateResponse(ClientDiagnostics clientDiagnostics,Response response)
   at async Azure.Storage.Blobs.BlobRestClient.Container.GetPropertiesAsync(ClientDiagnostics clientDiagnostics,HttpPipeline pipeline,Uri resourceUri,String version,Nullable`1 timeout,String leaseId,String requestId,Boolean async,String operationName,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at async Azure.Storage.Blobs.BlobContainerClient.GetPropertiesInternal(BlobRequestConditions conditions,Boolean async,CancellationToken cancellationToken)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Azure.Storage.TaskExtensions.EnsureCompleted[T](Task`1 task)
   at Azure.Storage.Blobs.BlobContainerClient.GetProperties(BlobRequestConditions conditions,CancellationToken cancellationToken)
   at SharedLib.Utils.TestStorageAccountAccess() at D:\poc-code\NetworkSecurityPoc\SharedLib\Utils.cs : 13
   at async MessengerFunction.Trigger.Run(HttpRequest req,ILogger log) at D:\poc-code\NetworkSecurityPoc\MessengerFunction\Trigger.cs : 25

But when I disable the VNet restriction on the storage account, everything works.

What am I doing wrong?

Thanks.

2 answers:

Answer 0 (score: 0)

The following documentation may help with this issue. From the MS docs: When creating a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You currently cannot use any virtual network restrictions on this account. If you configure a virtual network service endpoint on the storage account you use for your function app, that configuration will break your app. Reference: enter link description here

Answer 1 (score: 0)

I would say this is a networking problem, as shown in Function networking, so setting WEBSITE_VNET_ROUTE_ALL to 1 should do it.
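As an added illustration of the setup both answers describe (this is not code from the question or either answer): a Bicep fragment that restricts a separate data storage account to the Function's subnet and sets WEBSITE_VNET_ROUTE_ALL on the Function App. The parameter names, resource symbolic names and API versions are assumptions; the account behind AzureWebJobsStorage is deliberately left out, since answer 0 notes it cannot carry VNet restrictions.

```bicep
// Added example, not from the original thread. All names are placeholders.
param location string = resourceGroup().location
param funcSubnetId string        // subnet the Function App is VNet-integrated into
param functionAppName string     // existing Function App on the S1 plan
param dataStorageName string     // the *data* storage account to lock down

// Data storage account: deny by default, allow only the Function's subnet.
// Do NOT apply this to the account referenced by AzureWebJobsStorage (answer 0).
resource dataStorage 'Microsoft.Storage/storageAccounts@2019-06-01' = {
  name: dataStorageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
      virtualNetworkRules: [
        {
          id: funcSubnetId   // subnet must have the Microsoft.Storage service endpoint
          action: 'Allow'
        }
      ]
    }
  }
}

resource func 'Microsoft.Web/sites@2019-08-01' existing = {
  name: functionAppName
}

// Route all outbound traffic through the VNet so storage calls arrive from the
// subnet (answer 1). This resource replaces the whole appsettings set, so merge
// in the existing settings (AzureWebJobsStorage etc.) before deploying.
resource appSettings 'Microsoft.Web/sites/config@2019-08-01' = {
  parent: func
  name: 'appsettings'
  properties: {
    WEBSITE_VNET_ROUTE_ALL: '1'
  }
}
```

A quick check after deployment: the 403 AuthorizationFailure from the question should disappear for the data account, while the Function's own runtime account keeps working because it was never restricted.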
