I am working on a personal project that consists of two ASP.NET Core Web APIs hosted as Linux Web Apps. In the near future I plan to add a React front end as another Linux Web App. The infrastructure design involves configuring Application Insights for both back-end Web Apps, using Azure Key Vault, and integrating a shared SQL database across the applications. I am trying to keep the resources in a private network (not exposed to the Internet) and to use a NAT gateway to provide a static outbound IP address for one of the two APIs, which connects to a 3rd-party API that requires a specific static outbound IP address that can be whitelisted in its API configuration.
I have come across various approaches involving private endpoints, network security groups to manage traffic access, and user-defined routes to steer traffic. However, I find myself unsure whether these approaches can be integrated coherently with my NAT gateway implementation, particularly with regard to the static outbound IP address.
Given this situation, I have a few questions I would like guidance on:
1. How do I align the private endpoints for Application Insights, Key Vault and the SQL database with my existing NAT gateway implementation for a static outbound IP address? What does the concrete implementation look like?
2. Taking my specific requirements into consideration, is there anything missing from my code that could further enhance the security or functionality of the resources?
Here is the Terraform code representing the current state of my setup:
resource "azurerm_resource_group" "rg" {
  name     = "${local.basename}-rg"
  location = "East US"
}
resource "azurerm_service_plan" "asp" {
  name                = "${local.basename}-asp"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "S1"
}
resource "azurerm_linux_web_app" "app" {
  name                = "${local.basename}-app"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.asp.id
  site_config {
    vnet_route_all_enabled = true # WEBSITE_VNET_ROUTE_ALL
  }
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_virtual_network" "vnet" {
  name                = "${local.basename}-vnet"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "snet" {
  name                 = "${local.basename}-linuxapp-snet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
  delegation {
    name = "delegation"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}
resource "azurerm_subnet_nat_gateway_association" "example" {
  subnet_id      = azurerm_subnet.snet.id
  nat_gateway_id = azurerm_nat_gateway.ng.id
}
resource "azurerm_public_ip" "pip" {
  name                = "${local.basename}-pip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = ["1"]
}
resource "azurerm_nat_gateway" "ng" {
  name                    = "${local.basename}-ng"
  resource_group_name     = azurerm_resource_group.rg.name
  location                = azurerm_resource_group.rg.location
  sku_name                = "Standard"
  idle_timeout_in_minutes = 10
  zones                   = ["1"]
}
resource "azurerm_nat_gateway_public_ip_association" "association" {
  nat_gateway_id       = azurerm_nat_gateway.ng.id
  public_ip_address_id = azurerm_public_ip.pip.id
}
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_linux_web_app.app.id
  subnet_id      = azurerm_subnet.snet.id
}
Best answer
Aligning private endpoints for Azure services such as Application Insights, Key Vault and SQL Database with an existing NAT Gateway implementation for static outbound IP addresses involves creating the private endpoints within the same subnet that is associated with the NAT Gateway. For each service (Application Insights, Key Vault and SQL Database), create a private endpoint and associate it with the subnet that is already associated with the NAT Gateway.
1. How can I align the private endpoints for Application Insights, Key Vault, and SQL database with my existing NAT Gateway implementation?
Here is the Terraform code to align the private endpoints for Application Insights, Key Vault and SQL Database with my existing NAT Gateway:
provider "azurerm" {
  features {}
}
variable "sql_admin_password" {
  type      = string
  sensitive = true # supply out of band (e.g. TF_VAR_sql_admin_password); do not hard-code credentials
}
# Existing resources looked up with data sources
data "azurerm_application_insights" "example" {
  name                = "venkattest"
  resource_group_name = "web-app-rg"
}
data "azurerm_subnet" "example" {
  name                 = "samplesubnet"
  virtual_network_name = "vnet"
  resource_group_name  = "web-app-rg"
}
data "azurerm_key_vault" "example" {
  name                = "venkattest"
  resource_group_name = "web-app-rg"
}
data "azurerm_resource_group" "example" {
  name = "web-app-rg"
}
# Key Vault Private Endpoint
resource "azurerm_private_endpoint" "pe_kv" {
  name                = "samplevault"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  subnet_id           = data.azurerm_subnet.example.id
  private_service_connection {
    name                           = "ssampletest"
    private_connection_resource_id = data.azurerm_key_vault.example.id
    is_manual_connection           = false
    subresource_names              = ["Vault"]
  }
}
# SQL Database with Private Endpoint creation
resource "azurerm_mssql_server" "example" {
  name                         = "mssqlservertest1"
  resource_group_name          = data.azurerm_resource_group.example.name
  location                     = data.azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "mradministrator"
  administrator_login_password = var.sql_admin_password
  tags = {
    environment = "production"
  }
}
resource "azurerm_private_endpoint" "example" {
  name                = "webapp-endpoint"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  subnet_id           = data.azurerm_subnet.example.id
  private_service_connection {
    name                           = "sample-privateserviceconnection"
    private_connection_resource_id = azurerm_mssql_server.example.id
    # "sqlServer" is the Private Link group ID for Azure SQL; "mysqlServer" belongs to Azure Database for MySQL
    subresource_names              = ["sqlServer"]
    is_manual_connection           = false
  }
}
# Application Insights Private Endpoint (through an Azure Monitor Private Link Scope)
resource "azurerm_monitor_private_link_scope" "amplsMain" {
  name                = "sampletest2"
  resource_group_name = data.azurerm_resource_group.example.name
}
resource "azurerm_monitor_private_link_scoped_service" "example" {
  name                = "example-amplsservice1"
  resource_group_name = data.azurerm_resource_group.example.name
  scope_name          = azurerm_monitor_private_link_scope.amplsMain.name
  linked_resource_id  = data.azurerm_application_insights.example.id
}
resource "azurerm_private_endpoint" "amplsMainPrivateEndpoint" {
  name                = "samplemonitor"
  location            = data.azurerm_resource_group.example.location
  resource_group_name = data.azurerm_resource_group.example.name
  subnet_id           = data.azurerm_subnet.example.id
  private_service_connection {
    name                           = "sampleendpoint"
    private_connection_resource_id = azurerm_monitor_private_link_scope.amplsMain.id
    is_manual_connection           = false
    subresource_names              = ["azuremonitor"]
  }
}
Note: If you delegate the subnet to the web app, it won't be available for use by other resources.
Terraform apply:
Make sure the subnet_id provided for each private endpoint (azurerm_private_endpoint) is the same subnet that is associated with the existing NAT Gateway.
2. Is there anything absent in my code that could further enhance the security or functionality of the resources, taking into consideration my unique requirements?
Here is the updated code with enhanced security and functionality.
provider "azurerm" {
  features {}
}
# Ordering is implied by the attribute references between resources; no explicit depends_on is needed.
resource "azurerm_resource_group" "rg" {
  name     = "web-app-rg"
  location = "East US"
}
resource "azurerm_service_plan" "asp" {
  name                = "web-app-asp"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Linux"
  sku_name            = "S1"
}
resource "azurerm_linux_web_app" "app" {
  name                = "sample-web-app"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.asp.id
  site_config {
    vnet_route_all_enabled = true
  }
  identity {
    type = "SystemAssigned"
  }
}
resource "azurerm_virtual_network" "vnet" {
  name                = "web-app-vnet"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "snet" {
  name                 = "web-linuxapp-snet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.1.0/24"]
}
resource "azurerm_subnet_nat_gateway_association" "example" {
  subnet_id      = azurerm_subnet.snet.id
  nat_gateway_id = azurerm_nat_gateway.ng.id
}
resource "azurerm_public_ip" "pip" {
  name                = "web-app-pip"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = ["1"]
}
resource "azurerm_nat_gateway" "ng" {
  name                    = "web-app-ng"
  resource_group_name     = azurerm_resource_group.rg.name
  location                = azurerm_resource_group.rg.location
  sku_name                = "Standard"
  idle_timeout_in_minutes = 10
  zones                   = ["1"]
}
resource "azurerm_nat_gateway_public_ip_association" "association" {
  nat_gateway_id       = azurerm_nat_gateway.ng.id
  public_ip_address_id = azurerm_public_ip.pip.id
}
resource "azurerm_app_service_virtual_network_swift_connection" "example" {
  app_service_id = azurerm_linux_web_app.app.id
  subnet_id      = azurerm_subnet.snet.id
}
# Enhancements for security and functionality
# Add Network Security Group to the subnet
resource "azurerm_network_security_group" "subnet_nsg" {
  name                = "web-subnet-nsg"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}
# The two rules below admit HTTP and HTTPS from any source ("*"); narrow source_address_prefix where the traffic origin is known.
resource "azurerm_network_security_rule" "allow_http" {
  name                        = "AllowHTTP"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "80"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.subnet_nsg.name
}
resource "azurerm_network_security_rule" "allow_https" {
  name                        = "AllowHTTPS"
  priority                    = 101
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "443"
  source_address_prefix       = "*"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.subnet_nsg.name
}
# Associate the NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "example" {
  subnet_id                 = azurerm_subnet.snet.id
  network_security_group_id = azurerm_network_security_group.subnet_nsg.id
}
Terraform apply:
Code for Network Security Groups with rules that strengthen the security of the resources has been added. It provides basic inbound traffic control for your web application subnet by allowing HTTP and HTTPS traffic. This helps secure the communication channel and control access to the resources.
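The following is an added example, not code from the question or from the accepted answer, showing how the two mechanisms the question asks about coexist: the NAT gateway only handles traffic that leaves the VNet for the Internet (the 3rd-party API whitelisting the static IP), while private-endpoint traffic stays inside the VNet on private IPs and never reaches the NAT gateway, so neither interferes with the other. It keeps the question's delegated `azurerm_subnet.snet` (with its NAT gateway association and `vnet_route_all_enabled = true`) as the App Service integration subnet and, in line with the answer's note that a delegated subnet is not available to other resources, places the private endpoints in a second, non-delegated subnet. It also adds the pieces the question's code lacks for a genuinely private setup: Private DNS zones so the app resolves `*.vault.azure.net` and `*.database.windows.net` to the endpoint IPs, public network access disabled on Key Vault and SQL, TLS 1.2 as a floor, the SQL password taken from a sensitive variable instead of a literal, and a least-privilege RBAC grant for the web app's managed identity. It assumes the azurerm 3.x provider, reuses `azurerm_resource_group.rg`, `azurerm_virtual_network.vnet`, `azurerm_linux_web_app.app` and `local.basename` from the question's configuration, and invents the subnet, zone and resource names. Application Insights follows the same private-endpoint pattern through an Azure Monitor Private Link Scope but needs its own set of `privatelink.*` DNS zones, so it is left out here.

```hcl
# Added example (not from the question or the accepted answer). Assumes azurerm 3.x and
# the question's rg, vnet, app and local.basename; all names below are assumptions.
variable "sql_admin_password" {
  type      = string
  sensitive = true # supplied via TF_VAR_sql_admin_password, never committed to source
}

data "azurerm_client_config" "current" {}

# Second subnet for private endpoints. The question's delegated snet stays the App Service
# integration subnet with the NAT gateway; endpoint traffic stays inside the VNet and
# never traverses the NAT gateway, so the static egress IP is unaffected.
resource "azurerm_subnet" "endpoints" {
  name                 = "${local.basename}-pe-snet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.2.0/24"]
}

# Private DNS zones: without them the app resolves the public addresses, which refuse
# connections once public network access is disabled below.
resource "azurerm_private_dns_zone" "zone" {
  for_each = {
    kv  = "privatelink.vaultcore.azure.net"
    sql = "privatelink.database.windows.net"
  }
  name                = each.value
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "link" {
  for_each              = azurerm_private_dns_zone.zone
  name                  = "${each.key}-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = each.value.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}

resource "azurerm_key_vault" "kv" {
  name                          = "${local.basename}-kv" # must be globally unique
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true
  public_network_access_enabled = false
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# Least privilege: the web app's managed identity may read secrets, nothing more.
resource "azurerm_role_assignment" "app_kv_secrets" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.app.identity[0].principal_id
}

resource "azurerm_mssql_server" "sql" {
  name                          = "${local.basename}-sql" # must be globally unique
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  version                       = "12.0"
  administrator_login           = "sqladmin"
  administrator_login_password  = var.sql_admin_password
  minimum_tls_version           = "1.2"
  public_network_access_enabled = false
}

# One private endpoint per service, each registered in its matching DNS zone.
resource "azurerm_private_endpoint" "pe" {
  for_each = {
    kv  = { id = azurerm_key_vault.kv.id, group = "vault" }
    sql = { id = azurerm_mssql_server.sql.id, group = "sqlServer" }
  }
  name                = "${local.basename}-${each.key}-pe"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  subnet_id           = azurerm_subnet.endpoints.id
  private_service_connection {
    name                           = "${each.key}-psc"
    private_connection_resource_id = each.value.id
    subresource_names              = [each.value.group]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.zone[each.key].id]
  }
}
```

Two checks confirm the layout works after `terraform apply`: from the web app's SSH console, resolving the vault or SQL hostname (for example with nslookup) should return an address in 10.0.2.0/24 rather than a public IP, and a request from the app to an external echo service should still show the NAT gateway's static public IP as its source, because only Internet-bound traffic is routed through the gateway.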
Regarding azure - Configuring private endpoints and a NAT gateway for a static outbound IP in App Service, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/76841945/