I hope someone can help me with this, because I have lost my mind and my patience.
Following the Microsoft documentation on how to configure an SFTP platform using Azure Firewall and SFTP storage, I found that the default deployment configures a Standard firewall, which is relatively expensive.
https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp
I tried to scale the infrastructure down to a Basic firewall and changed the code as follows:
# Assumed to be set earlier (not shown in the post): $rg, $location, $SubscriptionName, $UserPrincipalName,
# $StorageAccountName, $ContainerName and $staticEP. $staticEP is the static private IP that the storage
# private endpoint will get; it must be a free address inside Workload-SN (10.0.2.0/24) because it is
# used below both as the DNAT translated address and as the private endpoint IP.
# Create new subnets for the firewall (Basic SKU also requires AzureFirewallManagementSubnet, /26 or larger)
$FWsub = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.1.0/26
$Worksub = New-AzVirtualNetworkSubnetConfig -Name Workload-SN -AddressPrefix 10.0.2.0/24
$FunctionSn = New-AzVirtualNetworkSubnetConfig -Name my-azure-function -AddressPrefix 10.0.3.0/24
$SubnetMng = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallManagementSubnet -AddressPrefix 10.0.4.0/24
# Create a new VNet
$testVnet = New-AzVirtualNetwork -Name vnet-sftp -ResourceGroupName $rg -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $FWsub, $Worksub, $FunctionSn, $SubnetMng
# Create a public IP address for the firewall
$pip = New-AzPublicIpAddress `
-ResourceGroupName $rg `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Name sftp-piblic-ip
# Create a new firewall policy
$policy = New-AzFirewallPolicy -Name "fw-policy-sftp" -ResourceGroupName "$rg" -Location $location -SkuTier "Basic"
# Define new rules to add
# DNAT inbound port 22 on the firewall public IP to the storage private endpoint ($staticEP)
$newrule1 = New-AzFirewallPolicyNatRule -Name "dnat-rule1" -Protocol "TCP", "UDP" -SourceAddress "*" -DestinationAddress $pip.ipaddress -DestinationPort "22" -TranslatedAddress $staticEP -TranslatedPort "22"
# Add the new rules to the local rule collection object
$natrulecollection = New-AzFirewallPolicyNatRuleCollection -Name "NATRuleCollection" -Priority 100 -ActionType "Dnat" -Rule $newrule1
# Create a new rule collection group
$natrulecollectiongroup = New-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -ResourceGroupName "$rg" -FirewallPolicyName "fw-policy-sftp" -Priority 100
# Add the new NAT rule collection to the rule collection group
$natrulecollectiongroup.Properties.RuleCollection = $natrulecollection
# Update the rule collection
Set-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -FirewallPolicyObject $policy -Priority 200 -RuleCollection $natrulecollectiongroup.Properties.rulecollection
# Create the firewall
$firewall = New-AzFirewall `
-Name fw-sftp `
-ResourceGroupName $rg `
-Location $location `
-VirtualNetwork $testvnet `
-PublicIpAddress $pip `
-FirewallPolicyId $policy.id `
-ManagementPublicIpAddress $pip `
-SkuTier "Basic"
# Create the route table
$routeTableDG = New-AzRouteTable `
-Name Firewall-rt-table `
-ResourceGroupName "$rg" `
-location $location `
-DisableBgpRoutePropagation
# Add the default route. The next hop must be the firewall's private IP in AzureFirewallSubnet,
# not its public IP: a VirtualAppliance next hop is an address inside the VNet.
$AzfwPrivateIP = $firewall.IpConfigurations[0].PrivateIPAddress
Add-AzRouteConfig `
-Name "DG-Route" `
-RouteTable $routeTableDG `
-AddressPrefix 0.0.0.0/0 `
-NextHopType "VirtualAppliance" `
-NextHopIpAddress $AzfwPrivateIP `
| Set-AzRouteTable
New-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -SkuName Standard_LRS -Location $location -EnableHierarchicalNamespace $true -PublicNetworkAccess enabled
# Get the subscription and user information
$subscriptionId = (Get-AzSubscription -SubscriptionName "$SubscriptionName").SubscriptionId
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
# Give the user contributor role
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
# Create the container and then disable public network access
# -UseConnectedAccount authenticates with the signed-in identity (the Storage Blob Data Contributor
# assignment above); without it the context is anonymous and the container creation fails.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
New-AzStorageContainer -Name $ContainerName -Context $ctx
Set-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -PublicNetworkAccess disabled -Force
Set-AzStorageAccount `
-ResourceGroupName $rg `
-Name $StorageAccountName `
-EnableSftp $true
$permissionScopeBlob = New-AzStorageLocalUserPermissionScope `
-Permission rwdlc `
-Service blob `
-ResourceName $ContainerName
$localuser = Set-AzStorageLocalUser `
-ResourceGroupName $rg `
-AccountName $StorageAccountName `
-UserName testuser `
-PermissionScope $permissionScopeBlob
$localuserPassword = New-AzStorageLocalUserSshPassword `
-ResourceGroupName $rg `
-StorageAccountName $StorageAccountName `
-UserName testuser
# Examine and manually save the password
$localuserPassword
# Place the previously created storage account into a variable
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName
# Create the private endpoint connection
$pec = @{
Name = 'Connection01'
PrivateLinkServiceId = $storage.ID
GroupID = 'blob'
}
$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec
# Create the static IP configuration
$ip = @{
Name = 'myIPconfig'
GroupId = 'blob'
MemberName = 'blob'
PrivateIPAddress = $staticEP
}
$ipconfig = New-AzPrivateEndpointIpConfiguration @ip
# Create the private endpoint
$pe = @{
ResourceGroupName = $rg
Name = 'pe-storage-sftp'
Location = $location
Subnet = $testvnet.Subnets[1]
PrivateLinkServiceConnection = $privateEndpointConnection
IpConfiguration = $ipconfig
}
New-AzPrivateEndpoint @pe
Although I thought the configuration was the same, I found that the Basic firewall requires an additional subnet and a -ManagementPublicIpAddress, which brings the total to 2 public IPs. Also, when trying to run the PowerShell command I get the following error:
New-AzFirewall : Public IP Address. is being referenced multiple times. Each IP configuration must reference a unique Public IP address.
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallDuplicatePublicIp
This forces me to have 2 public IPs, and I am a bit confused about how to connect this to the NextHop in the firewall route table and to the storage account in the virtual network.
I hope my explanation is good enough; if not, please ask for more details and I will explain better. Many thanks for any help.
Azure PowerShell: configure SFTP storage using a Basic firewall
If you choose Firewall SKU: Basic, you may need to use two separate public IPs: a public IP and a management public IP.
According to the MS doc, you need two different public IP addresses, one for the public IP and one for the management public IP address. However, you are using the same public IP address for both resources.
To create the firewall, you may need to assign a new public IP address to ManagementPublicIpAddress.
Here is the updated PowerShell code.
$ManagementPIP = New-AzPublicIpAddress `
-ResourceGroupName $rg `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Name management-piblic-ip
# Create the firewall
$firewall = New-AzFirewall `
-Name fw-sftp `
-ResourceGroupName $rg `
-Location $location `
-VirtualNetwork $testvnet `
-PublicIpAddress $pip `
-FirewallPolicyId $policy.id `
-ManagementPublicIpAddress $ManagementPIP `
-SkuTier "Basic"
Output:
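The accepted fix above removes the AzureFirewallDuplicatePublicIp error, but the question also asks how the two public IPs relate to the route table's NextHop and to the storage account. The following is an added example, not code from the original post or the answer, that wires the Basic-SKU firewall end to end: two distinct public IPs, a default route whose next hop is the firewall's private address (the public IPs never appear in a route), the route table actually attached to the workload subnet, and a few checks. It assumes $rg, $location, $testVnet, $policy (a Basic-tier policy with the DNAT rule) and $staticEP (the private endpoint address inside Workload-SN) are already set as in the question's script; the resource names pip-fw-sftp-data, pip-fw-sftp-mgmt and rt-workload are hypothetical.

```powershell
# Added example (not from the original post or answer). Assumes $rg, $location,
# $testVnet, $policy and $staticEP are set as in the question's script.

# 1. Two separate Standard-SKU public IPs: Basic firewall needs one for the data
#    plane and a distinct one for the management IP configuration.
$dataPip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name pip-fw-sftp-data -Sku Standard -AllocationMethod Static
$mgmtPip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name pip-fw-sftp-mgmt -Sku Standard -AllocationMethod Static

# 2. Basic SKU firewall: -ManagementPublicIpAddress is mandatory and must not be
#    the same object as -PublicIpAddress (that is what AzureFirewallDuplicatePublicIp means).
$firewall = New-AzFirewall -Name fw-sftp -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $testVnet -PublicIpAddress $dataPip `
    -ManagementPublicIpAddress $mgmtPip -FirewallPolicyId $policy.Id -SkuTier Basic

# 3. The route next hop is the firewall's private IP inside AzureFirewallSubnet.
#    Neither public IP is ever used as a next hop.
$fwPrivateIp = $firewall.IpConfigurations[0].PrivateIPAddress

$rt = New-AzRouteTable -Name rt-workload -ResourceGroupName $rg -Location $location `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -Name default-via-fw -RouteTable $rt -AddressPrefix 0.0.0.0/0 `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp |
    Set-AzRouteTable | Out-Null

# 4. A route table has no effect until it is associated with a subnet. Attach it to
#    Workload-SN, the subnet that hosts the storage private endpoint ($staticEP).
$vnet = Get-AzVirtualNetwork -Name $testVnet.Name -ResourceGroupName $rg
$work = Get-AzVirtualNetworkSubnetConfig -Name Workload-SN -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name Workload-SN -VirtualNetwork $vnet `
    -AddressPrefix $work.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 5. Checks a practitioner would run before testing the SFTP login.
$fwSubnetPrefix = ($vnet.Subnets | Where-Object Name -eq 'AzureFirewallSubnet').AddressPrefix
$workPrefix     = $work.AddressPrefix
$checks = [ordered]@{
    'data and management public IPs are distinct' = ($dataPip.Id -ne $mgmtPip.Id)
    'next hop lies in AzureFirewallSubnet'        = ($fwPrivateIp -like ($fwSubnetPrefix.Split('/')[0] -replace '\.\d+$', '.*'))
    'DNAT target lies in Workload-SN'             = ($staticEP -like ($workPrefix.Split('/')[0] -replace '\.\d+$', '.*'))
    'route table attached to Workload-SN'         = ((Get-AzVirtualNetworkSubnetConfig -Name Workload-SN -VirtualNetwork (Get-AzVirtualNetwork -Name $testVnet.Name -ResourceGroupName $rg)).RouteTable.Id -eq $rt.Id)
}
$checks.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' })), $_.Key }

# Clients connect to the DATA public IP; the management IP is for the platform only.
# Azure Blob SFTP user names are <storageaccount>.<localuser>, for example:
#   sftp $StorageAccountName.testuser@$($dataPip.IpAddress)
'Connect with: sftp <storageaccount>.testuser@{0}' -f $dataPip.IpAddress
```

The prefix checks in step 5 are a simple same-/24 comparison that matches the question's subnet sizes (10.0.1.0/26 and 10.0.2.0/24); for other prefix lengths replace them with a proper CIDR test. The return path for DNAT traffic works without any route on the private endpoint side because Azure Firewall SNATs DNAT'd connections to its own private IP, so the default route here mainly matters for outbound traffic from workloads in Workload-SN.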