【发布时间】:2020-11-08 16:59:08
【问题描述】:
我目前有一个 ARM 模板,它部署了一个带有子网的虚拟网络以及一个 Azure SQL 数据库实例。
与子网和 SQL 防火墙规则相关的核心资源有:
{
"name": "MyVirtualNetwork",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
],
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "Client-Subnet",
"properties": {
"addressPrefix": "10.0.0.0/24",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
}
}
}
]
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2019-11-01",
"name": "NDC-VirtualNetwork/Client-Subnet",
"properties": {
"addressPrefix": "10.0.0.0/24"
},
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'NDC-VirtualNetwork')]"
]
}
和
{
"type": "firewallRules",
"apiVersion": "2015-05-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "0.0.0.0"
}
},
{
"type": "firewallRules",
"apiVersion": "2015-05-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
],
"location":"[resourceGroup().location]",
"name": "ClientIP",
"properties": {
"startIpAddress": "[parameters('clientIP')]",
"endIpAddress": "[parameters('clientIP')]"
}
}
我现在想要更新模板以允许来自该子网的 VNET 服务端点访问 SQL 并删除“AllowAllWindowsAzureIPs”和“ClientIP”防火墙规则。
为此,我从 SQL 资源中删除了两个 firewallRules 资源并添加以下内容:
{
"name": "[concat(variables('uniqueSQLName'), '-Client-Subnet')]",
"type": "virtualNetworkRules",
"apiVersion": "2015-05-01-preview",
"properties": {
"virtualNetworkSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'NDC-VirtualNetwork', 'Client-Subnet')]",
"ignoreMissingVnetServiceEndpoint": true
},
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
]
}
然后将网络资源更新为:
{
"name": "MyVirtualNetwork",
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "2019-11-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
],
"properties": {
"addressSpace": {
"addressPrefixes": [
"10.0.0.0/16"
]
},
"subnets": [
{
"name": "Client-Subnet",
"properties": {
"addressPrefix": "10.0.0.0/24",
"networkSecurityGroup": {
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('vmNSG'))]"
},
"serviceEndpoints": [
{
"service": "Microsoft.Sql",
"locations": [
"australiaeast"
]
}
]
}
}
]
}
},
{
"type": "Microsoft.Network/serviceEndpointPolicies",
"apiVersion": "2019-11-01",
"name": "AllowVNETtoSQL",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks', 'MyVirtualNetwork')]",
"[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
],
"properties": {
"serviceEndpointPolicyDefinitions": [
{
"name": "AllowVNETtoSQLPolicy",
"properties": {
"service": "Microsoft.Sql",
"serviceResources": [
"[resourceId('Microsoft.Sql/servers', variables('uniqueSQLName'))]"
]
}
}
]
}
},
{
"type": "Microsoft.Network/virtualNetworks/subnets",
"apiVersion": "2019-11-01",
"name": "MyVirtualNetwork/Client-Subnet",
"dependsOn": [
"[resourceId('Microsoft.Network/virtualNetworks','MyVirtualNetwork')]",
"[resourceId('Microsoft.Network/serviceEndpointPolicies','AllowVNETtoSQL')]"
],
"properties": {
"addressPrefix": "10.0.0.0/24",
"serviceEndpointPolicies": [
{
"id": "[resourceId('Microsoft.Network/serviceEndpointPolicies','AllowVNETtoSQL')]"
}
],
"serviceEndpoints": [
{
"service": "Microsoft.Sql",
"locations": [
"australiaeast"
]
}
]
}
}
我从这个更改中得到两个错误:
- Azure SQL Server 虚拟网络规则遇到用户错误:无法继续操作,因为虚拟网络的子网 Client-Subnet /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/MyVirtualNetwork 未预配。它们处于更新状态。
- 服务端点策略定义
/subscriptions//resourceGroups//providers/Microsoft.Network/serviceEndpointPolicies/AllowVNETtoSQL/serviceEndpointPolicyDefinitions/AllowVNETtoSQLPolicy 参考
无效的服务名称 Microsoft.Sql。支持的服务名称有:Microsoft.Storage、Microsoft.Sql、Microsoft.AzureActiveDirectory、Microsoft.AzureCosmosDB、Microsoft.Web、 Microsoft.NetworkServiceEndpointTest、Microsoft.KeyVault、Microsoft.EventHub、Microsoft.ServiceBus、Microsoft.ContainerRegistry、Microsoft.CognitiveServices、全局。 (代码: ServiceEndpointPolicyDefinitionHasServiceWithInvalidServiceName)
我的问题如下:
- 谁能解释第二个错误,它指出 Microsoft.Sql 无效,但随后将其列为受支持的服务名称?
- 我缺少什么依赖项以允许服务端点完成部署?我已经拥有属性为
"ignoreMissingVnetServiceEndpoint": true的SQL 虚拟网络规则我对此的理解是SQL 资源将创建服务端点防火墙规则OK 并跳过对子网状态的任何检查,然后子网将愉快地转换为启用状态并且将允许未来的连接。
【问题讨论】:
标签: azure azure-sql-database azure-virtual-network azure-template