gpt4 book ai didi

azure - 在应用服务中为静态出站 IP 配置专用端点和 NAT 网关

转载 作者:行者123 更新时间:2023-12-03 06:10:38 24 4
gpt4 key购买 nike

我正在开发一个个人项目,其中包含 2 个 ASP.NET Core Web API,作为 Linux Web 应用程序托管。在不久的将来,我计划添加一个 React 前端作为另一个 Linux Web 应用程序。基础架构设计涉及为两个后端 Web 应用程序配置 Application Insights、利用 Azure Key Vault 以及跨应用程序集成共享 SQL 数据库。我试图将资源保留在专用网络中(不暴露于 Internet),并使用 NAT 网关为连接到第 3 方 API 的两个 API 之一提供静态出站 IP 地址,并且该 API 需要特定的可以在其 API 配置中列入白名单的静态出站 IP 地址。

我遇到过各种approaches其中涉及使用专用端点、网络安全组来管理流量访问以及用户定义的路由来引导流量。但是,我发现自己不确定这些方法是否可以与我的 NAT 网关实现连贯地集成,特别是关于静态出站 IP 地址。

鉴于这种情况,我有几个问题希望得到指导:

  1. 如何将 Application Insights、Key Vault 和 SQL 数据库的专用终结点与静态出站 IP 地址的现有 NAT 网关实现保持一致?具体的实现方式是怎样的?

  2. 考虑到我的独特需求,我的代码中是否缺少任何可以进一步增强资源的安全性或功能的内容?

这是代表我的设置当前状态的 Terraform 代码:​​

resource "azurerm_resource_group" "rg" {
name = "${local.basename}-rg"
location = "East US"
}

resource "azurerm_service_plan" "asp" {
name = "${local.basename}-asp"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
os_type = "Linux"
sku_name = "S1"
}

resource "azurerm_linux_web_app" "app" {
name = "${local.basename}-app"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
service_plan_id = azurerm_service_plan.asp.id

site_config {
vnet_route_all_enabled = true # WEBSITE_VNET_ROUTE_ALL
}

identity {
type = "SystemAssigned"
}
}

resource "azurerm_virtual_network" "vnet" {
name = "${local.basename}-vnet"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
address_space = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "snet" {
name = "${local.basename}-linuxapp-snet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]

delegation {
name = "delegation"

service_delegation {
name = "Microsoft.Web/serverFarms"
actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
}
}
}

resource "azurerm_subnet_nat_gateway_association" "example" {
subnet_id = azurerm_subnet.snet.id
nat_gateway_id = azurerm_nat_gateway.ng.id
}

resource "azurerm_public_ip" "pip" {
name = "${local.basename}-pip"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
allocation_method = "Static"
sku = "Standard"
zones = ["1"]
}

resource "azurerm_nat_gateway" "ng" {
name = "${local.basename}-ng"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku_name = "Standard"
idle_timeout_in_minutes = 10
zones = ["1"]
}

resource "azurerm_nat_gateway_public_ip_association" "association" {
nat_gateway_id = azurerm_nat_gateway.ng.id
public_ip_address_id = azurerm_public_ip.pip.id
}

resource "azurerm_app_service_virtual_network_swift_connection" "example" {
app_service_id = azurerm_linux_web_app.app.id
subnet_id = azurerm_subnet.snet.id
}

最佳答案

为 Azure 服务分配专用终结点,例如 Application Insights , Key Vault ,和SQL Database与现有的NAT Gateway静态出站 IP 地址的实现涉及在与 NAT 网关关联的同一子网内创建专用终结点。

对于每项服务(Application Insights, Key Vault, and SQL Database) ,创建一个专用端点并将其与已与 NAT Gateway 关联的子网关联。 .

1.How can I align the private endpoints for Application Insights, Key Vault, and SQL database with my existing NAT Gateway implementation

以下是用于对齐 Application Insights, Key Vault, and SQL database 的专用端点的 terraform 代码与我现有的 NAT Gateway

provider "azurerm" {
features {}
}

#Application Insights Private Endpoint
data "azurerm_application_insights" "example"{
name = "venkattest"
resource_group_name = "web-app-rg"
}

data "azurerm_subnet" "example" {
name = "samplesubnet"
virtual_network_name = "vnet"
resource_group_name = "web-app-rg"
}
data "azurerm_key_vault" "example" {
name = "venkattest"
resource_group_name = "web-app-rg"
}
data "azurerm_resource_group" "example" {
name = "web-app-rg"
}
#Key Vault Private Endpoint
resource "azurerm_private_endpoint" "pe_kv" {
name = "samplevault"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
subnet_id = data.azurerm_subnet.example.id

private_service_connection {
name = "ssampletest"
private_connection_resource_id = data.azurerm_key_vault.example.id
is_manual_connection = false
subresource_names = ["Vault"]
}
}

#SQL Database with Private Endpoint creation
resource "azurerm_mssql_server" "example" {
name = "mssqlservertest1"
resource_group_name = data.azurerm_resource_group.example.name
location = data.azurerm_resource_group.example.location
version = "12.0"
administrator_login = "mradministrator"
administrator_login_password = "thisIsDog11"

tags = {
environment = "production"
}
}
resource "azurerm_private_endpoint" "example" {
name = "webapp-endpoint"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
subnet_id = data.azurerm_subnet.example.id

private_service_connection {
name = "sample-privateserviceconnection"
private_connection_resource_id = azurerm_mssql_server.example.id
subresource_names = [ "mysqlServer" ]
is_manual_connection = false
}
}

#Application Insights Private Endpoint

resource "azurerm_monitor_private_link_scope" "amplsMain" {
name = "sampletest2"
resource_group_name = data.azurerm_resource_group.example.name
}
resource "azurerm_monitor_private_link_scoped_service" "example" {
name = "example-amplsservice1"
resource_group_name = data.azurerm_resource_group.example.name
scope_name = azurerm_monitor_private_link_scope.amplsMain.name
linked_resource_id = data.azurerm_application_insights.example.id
depends_on = [ azurerm_monitor_private_link_scope.amplsMain ]
}

resource "azurerm_private_endpoint" "amplsMainPrivateEndpoint" {
name = "samplemonitor"
location = data.azurerm_resource_group.example.location
resource_group_name = data.azurerm_resource_group.example.name
subnet_id = data.azurerm_subnet.example.id
private_service_connection {
name = "sampleendpoint"
private_connection_resource_id = azurerm_monitor_private_link_scope.amplsMain.id
is_manual_connection = false
subresource_names = ["azuremonitor"]
}
}

Note: If you delegate the subnet to the web app, it won't be available for use by other resources

Terraform 应用:

enter image description here

确保subnet_id为每个专用端点 ( azurerm_private_endpoint ) 提供的子网与现有 NAT Gateway 关联相同的子网。 .

  1. Is there anything absent in my code that could further enhance the security or functionality of the resources, taking into considerationmy unique requirements?

这是更新后的代码,增强了安全性和功能。

provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg" {
name = "web-app-rg"
location = "East US"
}
resource "azurerm_service_plan" "asp" {
name = "web-app-asp"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
os_type = "Linux"
sku_name = "S1"
depends_on = [ azurerm_resource_group.rg ]
}

resource "azurerm_linux_web_app" "app" {
name = "sample-web-app"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
service_plan_id = azurerm_service_plan.asp.id

site_config {
vnet_route_all_enabled = true
}

identity {
type = "SystemAssigned"
}
depends_on = [ azurerm_service_plan.asp ]
}

resource "azurerm_virtual_network" "vnet" {
name = "web-app-vnet"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
address_space = ["10.0.0.0/16"]
depends_on = [ azurerm_linux_web_app.app ]
}

resource "azurerm_subnet" "snet" {
name = "web-linuxapp-snet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]
depends_on = [ azurerm_virtual_network.vnet ]
}

resource "azurerm_subnet_nat_gateway_association" "example" {
subnet_id = azurerm_subnet.snet.id
nat_gateway_id = azurerm_nat_gateway.ng.id
depends_on = [ azurerm_subnet.snet ]
}

resource "azurerm_public_ip" "pip" {
name = "web-app-pip"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
allocation_method = "Static"
sku = "Standard"
zones = ["1"]
depends_on = [ azurerm_subnet_nat_gateway_association.example ]
}

resource "azurerm_nat_gateway" "ng" {
name = "web-app-ng"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
sku_name = "Standard"
idle_timeout_in_minutes = 10
zones = ["1"]
}

resource "azurerm_nat_gateway_public_ip_association" "association" {
nat_gateway_id = azurerm_nat_gateway.ng.id
public_ip_address_id = azurerm_public_ip.pip.id
}

resource "azurerm_app_service_virtual_network_swift_connection" "example" {
app_service_id = azurerm_linux_web_app.app.id
subnet_id = azurerm_subnet.snet.id
}

# Enhancements for security and functionality

# Add Network Security Group to the subnet
resource "azurerm_network_security_group" "subnet_nsg" {
name = "web-subnet-nsg"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_network_security_rule" "allow_http" {
name = "AllowHTTP"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.subnet_nsg.name
}

resource "azurerm_network_security_rule" "allow_https" {
name = "AllowHTTPS"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.rg.name
network_security_group_name = azurerm_network_security_group.subnet_nsg.name
}
#Associate the NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "example" {
subnet_id = azurerm_subnet.snet.id
network_security_group_id = azurerm_network_security_group.subnet_nsg.id
}

Terraform 应用:

enter image description here

添加了 Network Security Groups 的代码以及加强资源安全的规则。它通过允许 HTTP 和 HTTPS 流量,为您的 Web 应用程序子网提供基本的入站流量控制。这有助于保护通信 channel 并控制对资源的访问。

关于azure - 在应用服务中为静态出站 IP 配置专用端点和 NAT 网关,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/76841945/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com