Azure Bicep - How to create diagnostic settings for a private endpoint's NetworkInterface

Question (votes: 0, answers: 2)

I have a Bicep script that creates a storage account and a private endpoint. Now I want to create diagnostic settings for this private endpoint. Azure private endpoints themselves do not support diagnostic settings; the user has to add the diagnostic settings to the NetworkInterface linked to the private endpoint.

However, I cannot find a way to do this with a Bicep script. The sample code shows what I am trying to do.

param vnetResourceGroup string = 'testRg'
param vnetName string = 'testvnet'
param subnetName string = 'testsnet'
param storageAccountName string = 'testst'
param loggingWorkspaceId string = '/subscriptions/xxx_subscription_id/resourcegroups/xxx_resource_group/providers/microsoft.operationalinsights/workspaces/xxx-applogs-workspace'
// Used by the storage account and private endpoint below; defaults to the deployment's resource group location.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  scope: resourceGroup(vnetResourceGroup)
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: subnetName
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_ZRS'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      bypass: 'AzureServices'
      // With publicNetworkAccess 'Disabled' this rule set is not consulted, but 'Deny' is the
      // safer default so the account stays closed if public access is ever switched back on.
      defaultAction: 'Allow'
    }
  }
}

resource storagePrivateEndpoint 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: '${storageAccount.name}-pe'
  location: location
  properties: {
    subnet: {
      id: subnet.id
    }
    privateLinkServiceConnections: [
      {
        name: '${storageAccount.name}-pe-link'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: [
            'blob'
          ]
        }
      }
    ]
  }
}

// Create diagnostic settings for the network interfaces.
resource storagePEDiagnosticSetting3 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${storageAccount.name}-pe-ni-logs'
  // Note: this scope value won't compile.
  // scope: ? storagePrivateEndpoint.properties.networkInterfaces[0]
  properties: {
    workspaceId: loggingWorkspaceId
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

I hope I can create diagnostic settings for the private endpoint's NetworkInterface. Thanks!

azure azure-resource-manager azure-bicep
2 answers
0 votes

The scope of the diagnosticSettings resource needs the network interface resource.
You need to create a module to set the diagnostic settings of the network interface:

// diagnostic-settings.bicep
param logName string
param networkInterfaceName string
param loggingWorkspaceId string

resource networkInterface 'Microsoft.Network/networkInterfaces@2022-07-01' existing = {
  name: networkInterfaceName
}

// Create diagnostic settings for the network interfaces.
resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: networkInterface
  name: logName
  properties: {
    workspaceId: loggingWorkspaceId
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

From main, you can call the module like this:

// main.bicep

...

// At deployment time the private endpoint exposes its NICs by id only, so the name is derived
// from the id. Reading a property of storagePrivateEndpoint also gives the module an implicit
// dependency on the private endpoint, so the NIC exists before the module runs.
module diagSetting 'diagnostic-settings.bicep' = {
  name: '${storageAccount.name}-pe-ni-logs'
  scope: resourceGroup()
  params: {
    logName: '${storageAccount.name}-pe-ni-logs'
    loggingWorkspaceId: loggingWorkspaceId
    networkInterfaceName: last(split(storagePrivateEndpoint.properties.networkInterfaces[0].id, '/'))
  }
}

0 votes

I ran into the same problem, but was able to solve it by adding dependsOn to the diagnostics resource.

The code below uses a parameter in the private endpoint to produce the network interface. I set up the dependency of the diagnostics on the private endpoint pe, because the network interface is created at the same time as it. dependsOn on the existing nic would not make any sense either, so that would not work anyway.

param customNetworkInterfaceName string = 'storage-pe-nic'

resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  ...
  properties: {
    ...
    // Fixes the NIC name up front, so it can be referenced before the endpoint is deployed.
    customNetworkInterfaceName: customNetworkInterfaceName
  }
}

// 'existing' is only a symbolic reference; it does not wait for the NIC to be created.
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' existing = {
  name: customNetworkInterfaceName
}

resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${customNetworkInterfaceName}-diagnostics'
  scope: nic
  dependsOn: [pe] // the NIC is created together with the private endpoint
  properties: {
    ...
  }
}
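Putting the two answers together as one deployable file, as an added example that is not code from the question or from either answer: it fixes the NIC name with customNetworkInterfaceName so the template can reference it before deployment, attaches the diagnostic setting to that NIC with an explicit dependsOn on the private endpoint, and closes the storage account's network rules (defaultAction 'Deny'). The resource names, the API versions, the nicName variable and the fact that loggingWorkspaceId is passed in with no default are assumptions.

```bicep
// main.bicep (added example; names, API versions and parameter defaults are placeholders)
param location string = resourceGroup().location
param storageAccountName string = 'testst'
param vnetResourceGroup string = 'testRg'
param vnetName string = 'testvnet'
param subnetName string = 'testsnet'
// Full resource id of the Log Analytics workspace; assumed to be supplied at deploy time.
param loggingWorkspaceId string

// Naming the NIC up front means the template never has to read it back from the endpoint.
var nicName = '${storageAccountName}-pe-nic'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  scope: resourceGroup(vnetResourceGroup)
  name: vnetName
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: subnetName
}

resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_ZRS' }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
    allowBlobPublicAccess: false
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      bypass: 'AzureServices'
      // Deny by default: only the private endpoint should be able to reach the account.
      defaultAction: 'Deny'
    }
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-09-01' = {
  name: '${storageAccountName}-pe'
  location: location
  properties: {
    customNetworkInterfaceName: nicName
    subnet: { id: subnet.id }
    privateLinkServiceConnections: [
      {
        name: '${storageAccountName}-pe-link'
        properties: {
          privateLinkServiceId: storageAccount.id
          groupIds: [ 'blob' ]
        }
      }
    ]
  }
}

// 'existing' only resolves the symbolic name; it does not order the deployment.
resource nic 'Microsoft.Network/networkInterfaces@2023-09-01' existing = {
  name: nicName
}

// Network interfaces expose metrics only (no resource log categories), so 'logs' is omitted.
resource nicDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${nicName}-diagnostics'
  scope: nic
  dependsOn: [ pe ] // the NIC only exists once the private endpoint has been created
  properties: {
    workspaceId: loggingWorkspaceId
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

output nicId string = nic.id
```

After deploying, confirm the setting actually landed on the NIC rather than trusting the deployment summary: az network private-endpoint show -g <rg> -n testst-pe --query "networkInterfaces[0].id" -o tsv gives the NIC id, and az monitor diagnostic-settings list --resource <that id> should list testst-pe-nic-diagnostics pointing at the workspace. If the NIC name is ever changed outside the template, the existing reference will resolve to nothing and the deployment fails at the diagnostic setting, which is the safer failure mode compared with silently attaching the setting to the wrong interface.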