Azure powershell 使用基本防火墙配置 sftp 存储
问题描述 投票:0回答:1
我希望有人能帮助我解决这个问题,因为我已经失去了理智和耐心。
按照有关如何使用天蓝色防火墙和SFTP存储配置SFTP平台的微软文档,我发现默认部署配置了标准防火墙,这是相对昂贵的。
https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp
我尝试将基础设施缩小为基本防火墙,并更改了代码如下:
# Create new subnets for the firewall
$FWsub = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.1.0/26
$Worksub = New-AzVirtualNetworkSubnetConfig -Name Workload-SN -AddressPrefix 10.0.2.0/24
$FunctionSn = New-AzVirtualNetworkSubnetConfig -Name my-azure-function -AddressPrefix 10.0.3.0/24
$SubnetMng = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallManagementSubnet -AddressPrefix 10.0.4.0/24
# Create a new VNet
$testVnet = New-AzVirtualNetwork -Name vnet-sftp -ResourceGroupName $rg -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $FWsub, $Worksub, $FunctionSn, $SubnetMng
# Create a public IP address for the firewall
$pip = New-AzPublicIpAddress `
-ResourceGroupName $rg `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Name sftp-piblic-ip
# Create a new firewall policy
$policy = New-AzFirewallPolicy -Name "fw-policy-sftp" -ResourceGroupName "$rg" -Location $location -SkuTier "Basic"
# Define new rules to add
$newrule1 = New-AzFirewallPolicyNatRule -Name "dnat-rule1" -Protocol "TCP", "UDP" -SourceAddress "*" -DestinationAddress $pip.ipaddress -DestinationPort "22" -TranslatedAddress $staticEP -TranslatedPort "22"
# Add the new rules to the local rule collection object
$natrulecollection = New-AzFirewallPolicyNatRuleCollection -Name "NATRuleCollection" -Priority 100 -ActionType "Dnat" -Rule $newrule1
# Create a new rule collection group
$natrulecollectiongroup = New-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -ResourceGroupName "$rg" -FirewallPolicyName "fw-policy-sftp" -Priority 100
# Add the new NAT rule collection to the rule collection group
$natrulecollectiongroup.Properties.RuleCollection = $natrulecollection
# Update the rule collection
Set-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01 " -FirewallPolicyObject $policy -Priority 200 -RuleCollection $natrulecollectiongroup.Properties.rulecollection
# Create the firewall
$firewall = New-AzFirewall `
-Name fw-sftp `
-ResourceGroupName $rg `
-Location $location `
-VirtualNetwork $testvnet `
-PublicIpAddress $pip `
-FirewallPolicyId $policy.id `
-ManagementPublicIpAddress $pip `
-SkuTier "Basic"
# Create the route table
$routeTableDG = New-AzRouteTable `
-Name Firewall-rt-table `
-ResourceGroupName "$rg" `
-location $location `
-DisableBgpRoutePropagation
# Add the default route
Add-AzRouteConfig `
-Name "DG-Route" `
-RouteTable $routeTableDG `
-AddressPrefix 0.0.0.0/0 `
-NextHopType "VirtualAppliance" `
-NextHopIpAddress $pip.ipaddress `
| Set-AzRouteTable
New-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -SkuName Standard_LRS -Location $location -EnableHierarchicalNamespace $true -PublicNetworkAccess enabled
# Get the subscription and user information
$subscriptionId = (Get-AzSubscription -SubscriptionName "$SubscriptionName").SubscriptionId
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
# Give the user contributor role
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
#Create the container and then disable public network access
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName
New-AzStorageContainer -Name $ContainerName -Context $ctx
Set-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -PublicNetworkAccess disabled -Force
Set-AzStorageAccount `
-ResourceGroupName $rg `
-Name $StorageAccountName `
-EnableSftp $true
$permissionScopeBlob = New-AzStorageLocalUserPermissionScope `
-Permission rwdlc `
-Service blob `
-ResourceName $ContainerName
$localuser = Set-AzStorageLocalUser `
-ResourceGroupName $rg `
-AccountName $StorageAccountName `
-UserName testuser `
-PermissionScope $permissionScopeBlob
$localuserPassword = New-AzStorageLocalUserSshPassword `
-ResourceGroupName $rg `
-StorageAccountName $StorageAccountName `
-UserName testuser
# Examine and manually save the password
$localuserPassword
# Place the previously created storage account into a variable
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName
# Create the private endpoint connection
$pec = @{
Name = 'Connection01'
PrivateLinkServiceId = $storage.ID
GroupID = 'blob'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec
# Create the static IP configuration
$ip = @{
Name = 'myIPconfig'
GroupId = 'blob'
MemberName = 'blob'
PrivateIPAddress = $staticEP
}
$ipconfig = New-AzPrivateEndpointIpConfiguration @ip
# Create the private endpoint
$pe = @{
ResourceGroupName = $rg
Name = 'pe-storage-sftp'
Location = $location
Subnet = $testvnet.Subnets[1]
PrivateLinkServiceConnection = $privateEndpointConnection
IpConfiguration = $ipconfig
}
New-AzPrivateEndpoint @pe
虽然我认为配置是相同的,但我发现基本防火墙需要一个额外的子网和一个
-ManagementPublicIpAddressNew-AzFirewall : Public IP Address. is being referenced multiple times. Each IP configuration must reference a unique Public IP address.
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallDuplicatePublicIp
这迫使我拥有 2 个公共 IP,我对如何将其连接到防火墙路由表中的
NextHope我希望我的解释足够好,如果没有,请询问更多细节,我会更好地解释。 非常感谢您提供的任何帮助
1个回答
0
投票
投票
Azure powershell 使用基本防火墙配置 sftp 存储
如果您选择 防火墙 Sku:基本,您可能需要对 Public IP's 和
public IPtwo单独的
Management public IP根据MS Doc,您需要两个不同的公共IP地址,分别用于公共IP和管理公共IP地址。但是,您对这两个资源使用相同的公共 IP 地址。
要创建防火墙,您可能需要为
ManagementPublicIpAddress这是更新的 PowerShell 代码。
$ManagementPIP = New-AzPublicIpAddress `
-ResourceGroupName $rg `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Name management-piblic-ip
# Create the firewall
$firewall = New-AzFirewall `
-Name fw-sftp `
-ResourceGroupName $rg `
-Location $location `
-VirtualNetwork $testvnet `
-PublicIpAddress $pip `
-FirewallPolicyId $policy.id `
-ManagementPublicIpAddress $ManagementPIP `
-SkuTier "Basic"
输出:
最新问题
- HttpURLConnection.setConnectTimeout 不起作用
- 无法安装ADT插件,因为Eclipse无法连接互联网。
- 学习 FLask:卡在 OpenAI api
- 我创建了井字棋游戏。我面临的一个问题是,每当游戏平局时,它都会打印分数值 2,而它应该打印 1
- 按文件名将数据从 Google 电子表格导入到其他 Google 电子表格
- 必须按QPushbutton两次
- 这个脚本从哪里获取数据以及在哪里保存 STL 文件?
- grails renderpdf 插件,它是如何工作的?
- 如何在 crates.io 中对另一个 crate 使用相同的包名称?
- 急需 Xcode 中的网络错误警报
- 如何在 Python Tkinter 中处理窗口(GUI)之间的切换?
- 无法在“idbobjectstore”上执行“put”,评估对象存储的关键路径未产生值
- PyQt QObject.connect(instancemethod) 和 QtCore.connect(Qobj, SIGNAL(), instancemethod) 的行为与 lambda 函数不同
- 使用 Azure 上托管的 Web 应用程序访问本地 SQL 数据库
- 在 emacs 中移动区域或行
- Dart 如何向字符串数字添加逗号
- Pip install pygraphviz 失败:pygraphviz 构建轮子失败
- 在Android中的列表视图和网格视图之间高效切换,平滑过渡
- 从同一网络中的另一台电脑访问nginx入口控制器
- 如何使用python递增json数据?我
© www.soinside.com 2019 - 2024. All rights reserved.