如何使用PowerShell将我的应用程序连接到专用虚拟网络子网(通过虚拟网络网关)?
如何使用PowerShell将我的应用程序连接到专用虚拟网络子网(通过虚拟网络网关)?
提问于 2016-10-25 19:46:34
我试图通过PowerShell和ARM模板提供App应用程序,并通过虚拟网络网关(都是通过ARM提供的)将web应用程序连接到虚拟网络。
模板相当简单。我有一个网络安全小组来切断vnet与公共互联网的联系。
{
"comments": "NSG - DENY Internet",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[parameters('private_nsg')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"securityRules": [
{
"name": "allow-ssh",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "deny-internet",
"properties": {
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 200,
"direction": "Inbound"
}
}
]
},
"resources": [],
"dependsOn": []
},然后,虚拟网络本身具有属于上述nsg的子网和一个GateWay子网。
{
"comments": "VNet 1",
"type": "Microsoft.Network/virtualNetworks",
"name": "[parameters('vnet1')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "private1",
"properties": {
"addressPrefix": "10.0.1.0/24",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
}
}
},
{
"name": "GatewaySubnet",
"properties": {
"addressPrefix": "10.0.100.0/24"
}
}
]
},
"resources": [],
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', parameters('private_nsg'))]"
]
},然后,我为虚拟网络网关创建一个IP地址。
{
"comments": "Gateway 1 IP",
"type": "Microsoft.Network/publicIPAddresses",
"name": "[parameters('gateway1_ip')]",
"apiVersion": "2016-03-30",
"location": "[parameters('location')]",
"properties": {
"publicIPAllocationMethod": "Dynamic",
"idleTimeoutInMinutes": 4
},
"resources": [],
"dependsOn": []
},以及网关本身
{
"comments": "VNet1 Gateway",
"apiVersion": "2015-05-01-preview",
"type": "Microsoft.Network/virtualNetworkGateways",
"name": "[parameters('gateway1')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": ""[concat(variables('vnet1_ref'),'/subnets/','GatewaySubnet')]""
},
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses',parameters('gateway1_ip'))]"
}
},
"name": "vnetGatewayConfig"
}
],
"gatewayType": "Vpn",
"vpnType": "RouteBased",
"vpnClientConfiguration": {
"vpnClientAddressPool": {
"addressPrefixes": [ "192.168.2.0/24"]
}
},
"enableBgp": false
},
"dependsOn": [
"[concat('Microsoft.Network/publicIPAddresses/', parameters('gateway1_ip'))]",
"[concat('Microsoft.Network/virtualNetworks/', parameters('vnet1'))]"
]
},我还创建了一个Linux,并将其放在私有子网中,然后创建一个应用程序(和计划),该应用程序知道如何针对Linux的私有(10.*) IP执行GET请求。
一旦部署了模板,我就运行一些PowerShell 基于另一个堆栈溢出答案。
$app1 = Get-AzureRmWebApp -ResourceGroupName $ResourceGroupName -Name $parameters["appsvc1_name"]
$app1Config = Get-AzureRmResource -ResourceName "$($app1.Name)/web" -ResourceType "Microsoft.Web/sites/config" -ResourceGroupName $resourceGroupName -ApiVersion 2015-08-01
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name "$resourceGroupName-Net"
$gateway = (Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroupName)[0]
$networkProperties = @{ "vnetResourceId" = $vnet.Id }
$networkConnection = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -Properties $networkProperties -ResourceName "$($app1.Name)/$($vnet.Name)" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections" -ApiVersion 2015-08-01 -Force
$null = Add-AzureRmVpnClientRootCertificate -ResourceGroupName $resourceGroupName -VpnClientRootCertificateName "AppServiceCertificate.cer" -PublicCertData $networkConnection.Properties.CertBlob -VirtualNetworkGatewayName $gateway.Name此时,如果我查看门户中的应用程序,它看起来就像连接到了网关(门户以绿色表示" connected“,而"Certificates”是“证书同步”)。但是,我的应用程序无法连接到私有VM。
如果我删除门户中的网络连接,然后在门户中重新连接它,我的应用程序就可以连接到VM。这让我相信网关配置正确,只是连接出错了。
我从先前的StackOverflow答案中唯一遗漏的是:
$vpnPackageUri = Get-AzureRmVpnClientPackage -ResourceGroupName $resourceGroupName -VirtualNetworkGatewayName $gateway.Name -ProcessorArchitecture Amd64
$vpnPackageUri = $vpnPackageUri.Replace('"', "")
$vpnPackageProperties = @{ "vnetName" = $vnet.Name; "vpnPackageUri" = $vpnPackageUri }
$networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupName -Location $resourceGroupLocation -ResourceName "$($app1.Name)/$($vnet.Name)/primary" -ResourceType "Microsoft.Web/sites/virtualNetworkConnections/gateways" -ApiVersion 2015-08-01 -Force 不幸的是,最后一个命令错误带有泛型错误消息:
New-AzureRmResource : {"Message":"An error has occurred."}
At line:1 char:25
+ $networkConnectionVPN = New-AzureRmResource -ResourceGroupName $resourceGroupNam ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [New-AzureRmResource], ErrorResponseMessageException
+ FullyQualifiedErrorId : InternalServerError,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet所以我不知道到底出了什么问题。运行此命令也不允许我的应用程序连接;我必须手动删除连接并将其重新添加到门户中。
我遗漏了什么?
回答 1
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/40248462
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号