Azure Databricks:访问防火墙后面的Blob存储

本文介绍了Azure Databricks:访问防火墙后面的Blob存储的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我正在从Azure Databricks笔记本读取Azure Blob存储帐户(第2代)上的文件.两种服务都在同一地区(西欧).一切正常，除非我在存储帐户前面添加了防火墙.我选择允许受信任的Microsoft服务":

I am reading files on an Azure Blob Storage account (gen 2) from an Azure Databricks Notebook. Both services are in the same region (West Europe). Everything works fine, except when I add a firewall in front of the storage account. I have opted to allow "trusted Microsoft services":

但是，现在运行笔记本会出现拒绝访问错误:

However, running the notebook now ends up with an access denied error:

com.microsoft.azure.storage.StorageException: This request is not authorized to perform this operation.

我试图直接通过Spark并通过dbutils挂载来访问存储，但是还是一样.

I tried to access the storage directly from Spark and by mounting it with dbutils, but same thing.

我会假定Azure Databricks算作受信任的Microsoft服务?此外，我找不到可以添加到防火墙规则中的有关Databricks区域IP范围的可靠信息.

I would have assumed that Azure Databricks counts as a trusted Microsoft service? Furthermore I couldn't find solid information on IP ranges for Databricks regions that could be added to the firewall rules.

推荐答案

是的，Azure Databricks不算作受信任的Microsoft服务，您可以看到受支持的使用存储帐户防火墙信任Microsoft服务.

Yes, the Azure Databricks does not count as a trusted Microsoft service, you could see the supported trusted Microsoft services with the storage account firewall.

从联网中，有两个建议:

From networking, Here are two suggestions:

找到 Azure数据中心IP地址并确定Azure Databricks所在的区域的范围.将存储帐户防火墙中的IP列表列入白名单.

Find the Azure datacenter IP address and scope a region where your Azure Databricks located. Whitelist the IP list in the storage account firewall.

在Azure中部署Azure Databricks虚拟网络(预览)，然后在存储帐户的防火墙中将VNet地址范围列入白名单.您可以参考配置Azure存储防火墙和虚拟网络. 另外，您还有NSG来限制来自此Azure VNet的入站和出站流量.注意:您需要将Azure Databricks部署到您自己的VNet .

Deploy Azure Databricks in your Azure Virtual Network (Preview) then whitelist the VNet address range in the firewall of the storage account. You could refer to configure Azure Storage firewalls and virtual networks. Also, you have NSG to restrict inbound and outbound traffics from this Azure VNet. Note: you need to deploy Azure Databricks to your own VNet.

希望这会有所帮助.