I am using the following Bicep template to deploy a Key Vault. For the network configuration, I want the firewall to allow connections from a subnet and from specific IP ranges.
// Parameter declarations the template relies on (assumed; the post does not show them)
param vaultName string
param location string = resourceGroup().location
param allowIps array       // IPv4 addresses or CIDR ranges for networkAcls.ipRules
param allowSubnet string   // resource ID of the subnet allowed through the firewall

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    publicNetworkAccess: null // null drops the property, so the default ('Enabled') applies and networkAcls decides
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 30
    sku: {
      name: 'standard'
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None' // trusted Microsoft services are NOT exempt from the firewall
      ipRules: [for ip in allowIps: { value: ip }]
      virtualNetworkRules: [
        {
          id: allowSubnet
        }
      ]
    }
  }
}

resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: guid(vaultName, 'ssh-key')
  properties: {
    keySize: 4096
    keyOps: [
      'encrypt'
      'decrypt'
    ]
    kty: 'RSA'
    rotationPolicy: {
      lifetimeActions: [
        {
          trigger: {
            timeBeforeExpiry: 'P30D' // notify 30 days before the current version expires
          }
          action: {
            type: 'notify'
          }
        }
        {
          trigger: {
            timeBeforeExpiry: 'P7D' // create a new version 7 days before expiry
          }
          action: {
            type: 'rotate'
          }
        }
      ]
      attributes: {
        expiryTime: 'P1Y10D' // ISO 8601 duration: each new version expires 1 year and 10 days after creation
      }
    }
  }
}
When I deploy this, I get the error message below. I have redacted the vault name and my user principal ID. The remaining application ID is the Azure PowerShell module I use for the deployment. The IP address 20.61.103.227 belongs to the Azure datacenter in NL (West Europe region) where our infrastructure is located.
The deployment 'main' failed with error(s). Showing 2 out of 2 error(s).
Status Message: [ForbiddenByFirewall (Forbidden)] Request was not allowed by NSP rules and the client address is not authorized and caller was ignored because bypass is set to None Client address: 20.61.103.227 Caller: name=KeyVault/ManagementPlane;appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=<MY_USER_PRINCIPAL_ID> Vault: <MY_KEY_VAULT_NAME>;location=westeurope (Code:ForbiddenByFirewall)
Status Message: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed) - [ForbiddenByFirewall (Forbidden)] Request was not allowed by NSP rules and the client address is not authorized and caller was ignored because bypass is set to None Client address: 20.61.103.227 Caller: name=KeyVault/ManagementPlane;appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=<MY_USER_PRINCIPAL_ID> Vault: <MY_KEY_VAULT_NAME>;location=westeurope (Code:ForbiddenByFirewall)
CorrelationId: 9e157b78-937a-4fd3-861c-3617c62efcc7
If I set bypass: 'AzureServices' in the vault template, it works. However, this effectively means that letting trusted Azure services bypass the vault firewall is no longer optional if I want an error-free deployment. What is your view on this? Do you consider it acceptable?
Also, I am connected to a VPN whose IP range is on the allow list. I don't understand why that isn't sufficient.
Any thoughts on this would be much appreciated, thanks!
Here is some information on trusted services:
Once the Key Vault firewall is enabled, you will see the option "Allow trusted Microsoft services to bypass this firewall". The trusted services list does not cover every single Azure service. For example, Azure DevOps is not on the trusted services list. This does not imply that services that are not on the trusted services list are not trusted or are insecure. The trusted services list includes services where Microsoft controls all of the code that runs on the service. Since users can write custom code in Azure services such as Azure DevOps, Microsoft does not provide the option to create a blanket approval for the service. Furthermore, just because a service appears on the trusted services list does not mean it is allowed for all scenarios.
You can find the list of trusted services here. You are allowing the Azure Resource Manager template deployment service: pass secured values during deployment.
If you decide to keep it as it is, you will need to run the deployment from an authorized subnet or IP.
In the end, it comes down to your security requirements.
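As an added example (not part of the question or the answer above), the following Python check reads a ForbiddenByFirewall message like the one quoted in the question and reports which side of the vault firewall rejected the request. It parses the client address, caller and bypass setting out of the message, tests the address against the allow-list the template's allowIps parameter would carry (the ranges used here are constructed documentation addresses standing in for a VPN egress range, not values from the post), and uses the message's own wording ("caller was ignored because bypass is set to None") to tell whether the request came through a Microsoft-controlled caller such as the KeyVault/ManagementPlane that ARM uses for the nested vaults/keys resource. That distinction is what decides whether widening ipRules or setting bypass: 'AzureServices' is the change that admits the request.

```python
import ipaddress
import re

# Constructed sample allow-list (not from the original post): documentation
# ranges standing in for the VPN egress range an allowIps parameter might hold.
ALLOW_IPS = ["203.0.113.0/24", "198.51.100.17"]

# The ForbiddenByFirewall message as quoted in the question, with the same
# redactions the poster applied.
ERROR_TEXT = (
    "[ForbiddenByFirewall (Forbidden)] Request was not allowed by NSP rules and the "
    "client address is not authorized and caller was ignored because bypass is set "
    "to None Client address: 20.61.103.227 Caller: name=KeyVault/ManagementPlane;"
    "appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=<MY_USER_PRINCIPAL_ID> Vault: "
    "<MY_KEY_VAULT_NAME>;location=westeurope (Code:ForbiddenByFirewall)"
)

_CLIENT_RE = re.compile(
    r"Client address:\s*(?P<client>[0-9a-fA-F.:]+)\s+"
    r"Caller:\s*name=(?P<caller>[^;]+);appid=(?P<appid>[0-9a-fA-F-]+)"
)
_BYPASS_RE = re.compile(r"bypass is set to (?P<bypass>\w+)")
# Phrase the vault firewall emits when a trusted-service caller was evaluated but
# not honoured because networkAcls.bypass is 'None'.
_IGNORED_CALLER = "caller was ignored because bypass is set to None"


def parse_forbidden_error(text):
    """Extract client address, caller name, app ID and bypass setting from a
    ForbiddenByFirewall message. Raises ValueError if the fields are missing."""
    m = _CLIENT_RE.search(text)
    if m is None:
        raise ValueError("no 'Client address ... Caller:' fields in message")
    b = _BYPASS_RE.search(text)
    return {
        "client": ipaddress.ip_address(m.group("client")),
        "caller": m.group("caller"),
        "appid": m.group("appid"),
        "bypass": b.group("bypass") if b else None,
    }


def ip_allowed(client, allow_ips):
    """True if client falls inside any ipRules entry (single address or CIDR)."""
    addr = ipaddress.ip_address(str(client))
    # 'in' returns False across IP versions, so mixed v4/v6 lists are safe.
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allow_ips)


def diagnose(text, allow_ips):
    """Classify the rejection and name the template change that would admit it.

    Adds to the parsed fields:
      ip_rule_hit    - an ipRules entry covers the client address
      trusted_caller - the firewall saw a Microsoft-controlled caller and ignored
                       it because bypass is 'None'
      admitted_by    - 'ipRules', "bypass: 'AzureServices'" or None
    """
    info = parse_forbidden_error(text)
    info["ip_rule_hit"] = ip_allowed(info["client"], allow_ips)
    info["trusted_caller"] = _IGNORED_CALLER in text
    if info["ip_rule_hit"]:
        info["admitted_by"] = "ipRules"
    elif info["trusted_caller"]:
        # The address is Azure's, not the deploying user's: only the trusted
        # services bypass would let this caller through.
        info["admitted_by"] = "bypass: 'AzureServices'"
    else:
        info["admitted_by"] = None
    return info


if __name__ == "__main__":
    for field, value in diagnose(ERROR_TEXT, ALLOW_IPS).items():
        print(f"{field:15} {value}")
```

Run against the quoted message, the check shows the rejected address 20.61.103.227 is outside the allow-list and that the caller was the Key Vault management plane, which is why adding the VPN range to ipRules changes nothing for this particular request and only the bypass setting does.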