Azure PowerShell: configuring SFTP storage with a Basic firewall

Question (votes: 0, answers: 1)

I hope someone can help me with this, because I have lost my mind and my patience.

Following the Microsoft documentation on how to set up an SFTP platform with Azure Firewall and SFTP storage, I found that the default deployment configures a Standard firewall, which is relatively expensive.

https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

I tried to scale the infrastructure down to a Basic firewall and changed the code as follows:

# Create new subnets for the firewall
$FWsub = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.1.0/26
$Worksub = New-AzVirtualNetworkSubnetConfig -Name Workload-SN -AddressPrefix 10.0.2.0/24
$FunctionSn = New-AzVirtualNetworkSubnetConfig -Name my-azure-function -AddressPrefix 10.0.3.0/24
$SubnetMng = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallManagementSubnet -AddressPrefix 10.0.4.0/24

# Create a new VNet
$testVnet = New-AzVirtualNetwork -Name vnet-sftp -ResourceGroupName $rg -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $FWsub, $Worksub, $FunctionSn, $SubnetMng

# Create a public IP address for the firewall
$pip = New-AzPublicIpAddress `
    -ResourceGroupName $rg `
    -Location $location `
    -AllocationMethod Static `
    -Sku Standard `
    -Name sftp-piblic-ip


# Create a new firewall policy
$policy = New-AzFirewallPolicy -Name "fw-policy-sftp" -ResourceGroupName "$rg" -Location $location -SkuTier "Basic"

# Define new rules to add
$newrule1 = New-AzFirewallPolicyNatRule -Name "dnat-rule1" -Protocol "TCP", "UDP" -SourceAddress "*" -DestinationAddress $pip.ipaddress -DestinationPort "22" -TranslatedAddress $staticEP -TranslatedPort "22"

# Add the new rules to the local rule collection object
$natrulecollection = New-AzFirewallPolicyNatRuleCollection -Name "NATRuleCollection" -Priority 100 -ActionType "Dnat" -Rule $newrule1

# Create a new rule collection group
$natrulecollectiongroup = New-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -ResourceGroupName "$rg" -FirewallPolicyName "fw-policy-sftp" -Priority 100

# Add the new NAT rule collection to the rule collection group
$natrulecollectiongroup.Properties.RuleCollection = $natrulecollection

# Update the rule collection
Set-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -FirewallPolicyObject $policy -Priority 200 -RuleCollection $natrulecollectiongroup.Properties.rulecollection



# Create the firewall
$firewall = New-AzFirewall `
    -Name fw-sftp `
    -ResourceGroupName $rg `
    -Location $location `
    -VirtualNetwork $testvnet `
    -PublicIpAddress $pip `
    -FirewallPolicyId $policy.id `
    -ManagementPublicIpAddress $pip `
    -SkuTier "Basic"

# Create the route table
$routeTableDG = New-AzRouteTable `
  -Name Firewall-rt-table `
  -ResourceGroupName "$rg" `
  -location $location `
  -DisableBgpRoutePropagation

# Add the default route
Add-AzRouteConfig `
  -Name "DG-Route" `
  -RouteTable $routeTableDG `
  -AddressPrefix 0.0.0.0/0 `
  -NextHopType "VirtualAppliance" `
  -NextHopIpAddress $pip.ipaddress `
 | Set-AzRouteTable



New-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -SkuName Standard_LRS -Location $location -EnableHierarchicalNamespace $true -PublicNetworkAccess enabled

# Get the subscription and user information
$subscriptionId = (Get-AzSubscription -SubscriptionName "$SubscriptionName").SubscriptionId
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName

# Give the user contributor role
New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"

# Create the container and then disable public network access
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName
New-AzStorageContainer -Name $ContainerName -Context $ctx
Set-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -PublicNetworkAccess disabled -Force

# Enable SFTP on the storage account
Set-AzStorageAccount `
    -ResourceGroupName $rg `
    -Name $StorageAccountName `
    -EnableSftp $true

$permissionScopeBlob = New-AzStorageLocalUserPermissionScope `
    -Permission rwdlc `
    -Service blob `
    -ResourceName $ContainerName

$localuser = Set-AzStorageLocalUser `
    -ResourceGroupName $rg `
    -AccountName $StorageAccountName `
    -UserName testuser `
    -PermissionScope $permissionScopeBlob

$localuserPassword = New-AzStorageLocalUserSshPassword `
    -ResourceGroupName $rg `
    -StorageAccountName $StorageAccountName `
    -UserName testuser

# Examine and manually save the password

$localuserPassword



# Place the previously created storage account into a variable
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName

# Create the private endpoint connection
$pec = @{
    Name = 'Connection01'
    PrivateLinkServiceId = $storage.ID
    GroupID = 'blob'
}

$privateEndpointConnection = New-AzPrivateLinkServiceConnection @pec


# Create the static IP configuration
$ip = @{
    Name = 'myIPconfig'
    GroupId = 'blob'
    MemberName = 'blob'
    PrivateIPAddress = $staticEP
}

$ipconfig = New-AzPrivateEndpointIpConfiguration @ip

# Create the private endpoint
$pe = @{
    ResourceGroupName = $rg
    Name = 'pe-storage-sftp'
    Location = $location
    Subnet = $testvnet.Subnets[1]
    PrivateLinkServiceConnection = $privateEndpointConnection
    IpConfiguration = $ipconfig
}

New-AzPrivateEndpoint @pe

Although I think the configuration is the same, I found that the Basic firewall requires an additional subnet and a -ManagementPublicIpAddress, which brings the total to 2 public IPs. Also, when I try to run the PowerShell commands I get the following error:

New-AzFirewall : Public IP Address. is being referenced multiple times. Each IP configuration must reference a unique Public IP address.
StatusCode: 400
ReasonPhrase: Bad Request
ErrorCode: AzureFirewallDuplicatePublicIp

This forces me to have 2 public IPs, and I am a bit confused about how to connect this to the NextHop in the firewall route table and to the storage account in the virtual network.

I hope my explanation is good enough; if not, please ask for more details and I will explain better. Many thanks for any help.

Tags: azure, powershell, networking, firewall, azure-virtual-network

1 answer
0 votes
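The error in the question is raised by the service only after the whole firewall deployment is submitted. The following pre-flight check is an added example (not part of the original question or the Microsoft tutorial): it validates the inputs of the Basic-SKU deployment locally before New-AzFirewall is called. It assumes the question's $pip, $testVnet and $staticEP variables, plus a second public IP object in a hypothetical variable $managementPip; the function names Test-IpInCidr, ConvertTo-IPv4Number and Test-BasicFirewallPrerequisites are the example's own.

```powershell
# Added example: local pre-flight checks for a Basic-SKU Azure Firewall deployment.
# Catches the duplicate public IP (AzureFirewallDuplicatePublicIp), missing or undersized
# reserved subnets, and a DNAT translated address that is outside the workload subnet.

function ConvertTo-IPv4Number {
    # Convert a dotted-quad IPv4 string into an unsigned integer (no bit shifts, so it
    # behaves the same in Windows PowerShell 5.1 and PowerShell 7).
    param([Parameter(Mandatory)] [string]$IpAddress)
    [uint64]$n = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($IpAddress).GetAddressBytes()) {
        $n = $n * 256 + $octet
    }
    return $n
}

function Test-IpInCidr {
    # $true when $IpAddress lies inside the IPv4 prefix $Cidr (e.g. 10.0.2.0/24).
    param([Parameter(Mandatory)] [string]$IpAddress, [Parameter(Mandatory)] [string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $mask = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefixLength))
    return ((ConvertTo-IPv4Number $IpAddress) -band $mask) -eq ((ConvertTo-IPv4Number $network) -band $mask)
}

function Test-BasicFirewallPrerequisites {
    # Returns a list of problems; an empty list means the deployment can be submitted.
    param(
        [Parameter(Mandatory)] $DataPublicIp,              # object from New-AzPublicIpAddress
        [Parameter(Mandatory)] $ManagementPublicIp,        # a second, distinct public IP object
        [Parameter(Mandatory)] $VirtualNetwork,            # object from New-AzVirtualNetwork
        [Parameter(Mandatory)] [string]$TranslatedAddress, # DNAT target, i.e. $staticEP
        [string]$WorkloadSubnetName = 'Workload-SN'
    )
    $problems = @()

    # 1. Basic SKU needs two distinct public IP resources for the data and management planes.
    if ($DataPublicIp.Id -eq $ManagementPublicIp.Id) {
        $problems += 'Data and management public IPs are the same resource (AzureFirewallDuplicatePublicIp).'
    }
    foreach ($ip in @($DataPublicIp, $ManagementPublicIp)) {
        if ($ip.Sku.Name -ne 'Standard' -or $ip.PublicIpAllocationMethod -ne 'Static') {
            $problems += "Public IP '$($ip.Name)' must be Standard SKU with Static allocation."
        }
    }

    # 2. Both reserved subnets must exist under their exact names and be at least a /26.
    foreach ($name in 'AzureFirewallSubnet', 'AzureFirewallManagementSubnet') {
        $subnet = $VirtualNetwork.Subnets | Where-Object Name -eq $name
        if (-not $subnet) { $problems += "Subnet '$name' is missing."; continue }
        $prefixLength = [int]($subnet.AddressPrefix[0].Split('/')[1])
        if ($prefixLength -gt 26) {
            $problems += "Subnet '$name' must be /26 or larger (it is /$prefixLength)."
        }
    }

    # 3. The DNAT translated address must sit inside the subnet that hosts the private endpoint.
    $workload = $VirtualNetwork.Subnets | Where-Object Name -eq $WorkloadSubnetName
    if (-not $workload) {
        $problems += "Workload subnet '$WorkloadSubnetName' is missing."
    } elseif (-not (Test-IpInCidr -IpAddress $TranslatedAddress -Cidr $workload.AddressPrefix[0])) {
        $problems += "Translated address $TranslatedAddress is outside $($workload.AddressPrefix[0])."
    }

    return $problems
}

# Usage (assumed variables from the question plus $managementPip):
$issues = Test-BasicFirewallPrerequisites -DataPublicIp $pip -ManagementPublicIp $managementPip `
    -VirtualNetwork $testVnet -TranslatedAddress $staticEP
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'Pre-flight checks passed.' }
```

Run it once $pip, $managementPip and $testVnet exist but before New-AzFirewall; passing the same object twice reproduces the question's failure as the first warning instead of a 400 from the service.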


If you choose Firewall SKU: Basic, you need to use two separate public IPs: a public IP and a management public IP.

According to the MS Doc, you need two different public IP addresses, one for the public IP and one for the management public IP address. However, you are using the same public IP address for both resources.


To create the firewall, you need to assign a new public IP address to ManagementPublicIpAddress.

Here is the updated PowerShell code.

# Create a separate public IP for the firewall management plane
$ManagementPIP = New-AzPublicIpAddress `
    -ResourceGroupName $rg `
    -Location $location `
    -AllocationMethod Static `
    -Sku Standard `
    -Name management-piblic-ip

# Create the firewall
$firewall = New-AzFirewall `
    -Name fw-sftp `
    -ResourceGroupName $rg `
    -Location $location `
    -VirtualNetwork $testvnet `
    -PublicIpAddress $pip `
    -FirewallPolicyId $policy.id `
    -ManagementPublicIpAddress $ManagementPIP `
    -SkuTier "Basic"

Output: [screenshot omitted]

Reference: Deploy and configure Azure Firewall Basic and policy using the Azure portal
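The answer resolves the duplicate public IP, but the question also asks how the route table's NextHop and the storage private endpoint fit together once the firewall exists. The following is an added example (not the answer's code and not from the Microsoft tutorial): it reads the firewall's private address from its IP configuration, uses that (not the public IP) as the VirtualAppliance next hop, associates the route table with the workload subnet, and checks that the private endpoint really received the address the DNAT rule translates to. It assumes the question's $rg, $routeTableDG and $staticEP, the 'fw-sftp', 'vnet-sftp' and 'pe-storage-sftp' resource names from the question, and the example's own function names Get-FirewallPrivateIp, Set-WorkloadDefaultRoute and Test-DnatTarget.

```powershell
# Added example: wire the route table and verify the DNAT target after the firewall exists.

function Get-FirewallPrivateIp {
    # The data-plane IP configuration carries the VNet-internal address that a UDR must use;
    # the public IP on the firewall is only the DNAT frontend and is not a valid next hop.
    param([Parameter(Mandatory)] $Firewall)
    $privateIp = $Firewall.IpConfigurations[0].PrivateIPAddress
    if (-not $privateIp) { throw "Firewall '$($Firewall.Name)' has no private IP yet; re-run Get-AzFirewall." }
    return $privateIp
}

function Set-WorkloadDefaultRoute {
    # Point 0.0.0.0/0 at the firewall's private IP and attach the table to the workload subnet.
    param(
        [Parameter(Mandatory)] $RouteTable,
        [Parameter(Mandatory)] [string]$FirewallPrivateIp,
        [Parameter(Mandatory)] $VirtualNetwork,
        [string]$RouteName  = 'DG-Route',
        [string]$SubnetName = 'Workload-SN'
    )
    $routeArgs = @{
        RouteTable       = $RouteTable
        Name             = $RouteName
        AddressPrefix    = '0.0.0.0/0'
        NextHopType      = 'VirtualAppliance'
        NextHopIpAddress = $FirewallPrivateIp
    }
    # Replace the route if the question's script already created it, otherwise add it.
    if ($RouteTable.Routes | Where-Object Name -eq $RouteName) {
        $RouteTable = Set-AzRouteConfig @routeArgs
    } else {
        $RouteTable = Add-AzRouteConfig @routeArgs
    }
    $RouteTable = Set-AzRouteTable -RouteTable $RouteTable

    # Associate the table with the workload subnet, keeping its existing address prefix.
    $subnet = $VirtualNetwork.Subnets | Where-Object Name -eq $SubnetName
    if (-not $subnet) { throw "Subnet '$SubnetName' not found in $($VirtualNetwork.Name)." }
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $VirtualNetwork -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $RouteTable | Out-Null
    return Set-AzVirtualNetwork -VirtualNetwork $VirtualNetwork
}

function Test-DnatTarget {
    # The private endpoint gets a NIC; its address must equal the DNAT TranslatedAddress,
    # otherwise port 22 traffic is forwarded into the VNet but never reaches the storage account.
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$PrivateEndpointName,
        [Parameter(Mandatory)] [string]$TranslatedAddress
    )
    $pe     = Get-AzPrivateEndpoint -ResourceGroupName $ResourceGroupName -Name $PrivateEndpointName
    $nic    = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
    $actual = $nic.IpConfigurations[0].PrivateIpAddress
    [pscustomobject]@{
        PrivateEndpointIp = $actual
        DnatTranslatedTo  = $TranslatedAddress
        Matches           = ($actual -eq $TranslatedAddress)
    }
}

# Usage (assumed names from the question): fetch fresh objects so the IP configuration is populated.
$firewall  = Get-AzFirewall -ResourceGroupName $rg -Name 'fw-sftp'
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-sftp'
$fwPrivate = Get-FirewallPrivateIp -Firewall $firewall
Set-WorkloadDefaultRoute -RouteTable $routeTableDG -FirewallPrivateIp $fwPrivate -VirtualNetwork $vnet | Out-Null
Test-DnatTarget -ResourceGroupName $rg -PrivateEndpointName 'pe-storage-sftp' -TranslatedAddress $staticEP
```

If Test-DnatTarget reports Matches = False, the fix is on the storage side: recreate the private endpoint with the static IP configuration from the question so that its NIC gets $staticEP, rather than editing the DNAT rule to chase whatever address was assigned.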
