I have created a Function App that has an associated Managed Service Identity. I have also created a Key Vault that allows secret Get/List access for that Application within the Key Vault's Access Policies. If I allow access from all networks to the Key Vault (in the "Firewalls and virtual networks" section) then the Function App is able to retrieve secrets.
I would like to restrict network access to the Key Vault from only specific IP addresses, so I have set these up within the Firewalls and virtual network section of the Key Vault configuration, and I have also selected the "Yes" radio button allowing access from trusted Microsoft services to bypass this firewall. When I do so, the Function App can no longer retrieve secrets, and the "GetSecretAsync()" method (we're using C#) returns "Forbidden".
I assume that this means that I am unable to restrict access to specific IPs in this way? If I use a virtual network protected by a network security group that restricts IP addresses, will that work?
Also, any chance of getting Function Apps into the "trusted Microsoft services" list?
Recommended answer
Hello Brad,
The Functions team is currently working with other teams to add it to the trusted Microsoft services list. I do not have an ETA for this, though.
However, with selected networks enabled, I was able to pull secrets when I added the IP addresses from the "Additional IP addresses" field of the function app's properties. The only problem with this is that the IP addresses might change if you are on a consumption-based plan. You will not have this problem if you are using a dedicated plan.
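The workaround in the answer above, scripted with the Azure CLI, as an added example that is not part of the original post or answer. It assumes an `az` login with rights on the resource group, and the placeholder names `RG`, `APP` and `VAULT`. `possibleOutboundIpAddresses` is the site property behind the portal's "Additional Outbound IP Addresses" field; the script allows every address in it, sets the vault's default action to Deny, keeps the trusted-services bypass, and includes a drift check (`missing_rules`) for the answer's caveat that a Consumption plan's addresses can change. The address parsing and the drift check are pure shell so they can be exercised offline on the constructed sample values at the bottom.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Placeholders, not real resources:
RG="${RG:-my-resource-group}"
APP="${APP:-my-function-app}"
VAULT="${VAULT:-my-key-vault}"
set -eu

# Turn the comma-separated string that `az functionapp show` returns for
# possibleOutboundIpAddresses into one IPv4 address per line, trimmed,
# deduplicated and with anything that is not a dotted quad dropped.
ips_to_rules() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Drift check for the Consumption-plan caveat: $1 is the app's current
# possibleOutboundIpAddresses string, $2 is the vault's current ipRules
# (one per line, as `az keyvault network-rule list` prints them; Key Vault
# may store a bare address as a /32, so that suffix is stripped before
# comparing). Prints every address the app could use that the vault does
# not yet allow; prints nothing when the vault is up to date.
missing_rules() {
  for ip in $(ips_to_rules "$1"); do
    printf '%s\n' "$2" | sed 's#/32$##' | grep -qxF "$ip" || printf '%s\n' "$ip"
  done
}

# Lock the vault to selected networks (default action Deny, trusted Microsoft
# services bypass kept) and allow each outbound address of the function app.
lock_vault_to_function_app() {
  rg="$1"; app="$2"; vault="$3"
  raw=$(az functionapp show -g "$rg" -n "$app" \
          --query possibleOutboundIpAddresses -o tsv)
  az keyvault update -g "$rg" -n "$vault" \
     --default-action Deny --bypass AzureServices >/dev/null
  ips_to_rules "$raw" | while IFS= read -r ip; do
    az keyvault network-rule add -g "$rg" -n "$vault" --ip-address "$ip" >/dev/null
  done
  # Report what the vault now allows so the drift check can be re-run later.
  az keyvault network-rule list -g "$rg" -n "$vault" --query 'ipRules[].value' -o tsv
}

# Re-run this (for example on a schedule) to see whether the app has gained
# addresses the vault does not allow; a non-empty result means GetSecretAsync
# can start failing with Forbidden again.
check_drift() {
  raw=$(az functionapp show -g "$RG" -n "$APP" --query possibleOutboundIpAddresses -o tsv)
  rules=$(az keyvault network-rule list -g "$RG" -n "$VAULT" --query 'ipRules[].value' -o tsv)
  missing_rules "$raw" "$rules"
}

# Constructed sample values, so the parsing and drift logic can be tried
# without an Azure subscription; `apply` and `drift` call the real CLI.
SAMPLE_APP_IPS="40.1.2.3,40.1.2.4, 40.1.2.3,not-an-ip,40.1.2.10"
SAMPLE_VAULT_RULES="40.1.2.3/32
40.1.2.10"

case "${1:-demo}" in
  apply) lock_vault_to_function_app "$RG" "$APP" "$VAULT" ;;
  drift) check_drift ;;
  demo)  echo "Rules to add:"; ips_to_rules "$SAMPLE_APP_IPS"
         echo "Missing from vault:"; missing_rules "$SAMPLE_APP_IPS" "$SAMPLE_VAULT_RULES" ;;
esac
```

Run it with no arguments to see the parsing on the constructed sample, `apply` to configure real resources, and `drift` afterwards to catch address changes. Bypassing the firewall for trusted services is kept on so the vault keeps working for whichever Microsoft services are on that list, but, as the answer notes, that list did not cover Function Apps at the time, which is why the explicit IP rules are still needed.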