Azure Terraform Web App专用终端虚拟网络

Question

我正试图自动化部署一个蔚蓝虚拟网络和蔚蓝网络应用程序。在部署这些资源的过程中，一切都进行得很顺利，没有错误。所以我想尝试激活网络应用程序上的private endpoint。这是我在地形上的配置。

resource "azurerm_virtual_network" "demo-vnet" {
  name                = "virtual-network-test"
  address_space       = ["10.100.0.0/16"]
  location            = var.location
  resource_group_name = azurerm_resource_group.rg-testing-env.name
}

resource "azurerm_subnet" "front_end" {
  name                 = "Front_End-Subnet"
  address_prefixes     = ["10.100.5.0/28"]
  virtual_network_name = azurerm_virtual_network.demo-vnet.name
  resource_group_name  = azurerm_resource_group.rg-testing-env.name
  delegation {
    name = "testing-frontend"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

在web应用程序本身上，我设置了这个配置

resource "azurerm_app_service_virtual_network_swift_connection" "web-app-vnet" {
  app_service_id = azurerm_app_service.app-test.example.id
  subnet_id      = azurerm_subnet.front_end.id
}

注意:在我的第一次部署中，由于我没有在虚拟网络上授权，所以我不得不在子网上添加委托才能运行terraform。

在设置好所有的配置之后，我运行我的terraform，一切运行都很顺利，没有错误。完成后，我检查了我的网络应用程序Private Endpoint，这是刚刚关闭。

​

​

有人能解释一下我在这里做错了什么吗？我认为swift连接是激活Private endpoint的代码块，但显然我遗漏了其他东西。

为了确认我的逻辑工作流，我尝试在门户中执行手动步骤。但令人惊讶的是，正如您所看到的那样，我无法做到这一点，因为我在子网上有授权。

​

​

非常感谢您为解决这个问题提供的任何帮助和/或解释。

Answer 1

我使用了下面的代码来测试使用私有端点创建VNET和Web应用程序。

provider "azurerm" {
    features{}
}

data "azurerm_resource_group" "rg" {
  name     = "ansumantest"
}

# Virtual Network
resource "azurerm_virtual_network" "vnet" {
  name                = "ansumanapp-vnet"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  address_space       = ["10.4.0.0/16"]
}

# Subnets for App Service instances
resource "azurerm_subnet" "appserv" {
  name                 = "frontend-app"
  resource_group_name  = data.azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.4.1.0/24"]
  enforce_private_link_endpoint_network_policies = true
  }

 
# App Service Plan
resource "azurerm_app_service_plan" "frontend" {
  name                = "ansuman-frontend-asp"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  kind                = "Linux"
  reserved            = true

  sku {
    tier = "Premium"
    size = "P1V2"
  }
}


# App Service
resource "azurerm_app_service" "frontend" {
  name                = "ansuman-frontend-app"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  app_service_plan_id = azurerm_app_service_plan.frontend.id

}
#private endpoint

resource "azurerm_private_endpoint" "example" {
  name                = "${azurerm_app_service.frontend.name}-endpoint"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.appserv.id
  

  private_service_connection {
    name                           = "${azurerm_app_service.frontend.name}-privateconnection"
    private_connection_resource_id = azurerm_app_service.frontend.id
    subresource_names = ["sites"]
    is_manual_connection = false
  }
}

# private DNS
resource "azurerm_private_dns_zone" "example" {
  name                = "privatelink.azurewebsites.net"
  resource_group_name = data.azurerm_resource_group.rg.name
}

#private DNS Link
resource "azurerm_private_dns_zone_virtual_network_link" "example" {
  name                  = "${azurerm_app_service.frontend.name}-dnslink"
  resource_group_name   = data.azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.example.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
  registration_enabled = false
}

需求：

• 如您从上述代码中可以看到的专用终结点，创建专用端点并为应用程序服务启用专用DNS subnet has private endpoint network policies enabled , it should be disabled to be used by Private endpoint.
• DNS 和专用DNS链接块是必需的。
• App service Plan需要有Premium ，以便有专用的E 118子网E 219由<>D20应该具有enforce_private_link_endpoint_network_policies = true设置，否则当您为set应用创建私有端点时，App service Plan需要有Premium，即d27。H 228F 229。

输出：

​

​

​

​

​

​

​

​