建立兩個以私人端點和 VNet 整合安全連線的 Web 應用程式
本文以範例說明如何使用 Terraform 設定,透過私人端點和區域 VNet 整合來安全地連結兩個 Web 應用程式 (前端和後端):
- 部署 VNet
- 建立用於整合的第一個子網路
- 建立用於私人端點的第二個子網路,您必須設定特定參數來停用網路原則
- 私人端點函式需要部署基本、標準、PremiumV2、PremiumV3、IsolatedV2、Functions 進階其中一個類型的 App Service 方案(有時稱為彈性進階方案)
- 建立具有特定應用程式設定的前端 Web 應用程式,以取用私人 DNS 區域,更多詳細資料
- 將前端 Web 應用程式連線到整合子網路
- 建立後端 Web 應用程式
- 使用 Web 應用程式的私人連結區域名稱 privatelink.azurewebsites.net 建立 DNS 私人區域
- 將此區域連結至 VNet
- 在端點子網路中建立後端 Web 應用程式的私人端點,並在先前建立的 DNS 私人區域中註冊 DNS 名稱 (網站和 SCM)
如何在 Azure 中使用 Terraform
瀏覽至 Azure 文件,以了解如何搭配使用 Terraform 與 Azure。
完整的 Terraform 檔案
若要使用此檔案,請取代預留位置 <unique-frontend-app-name> 和 <unique-backend-app-name> (應用程式名稱用來形成全球唯一的 DNS 名稱)。
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg" {
name = "appservice-rg"
location = "francecentral"
}
resource "azurerm_virtual_network" "vnet" {
name = "vnet"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
address_space = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "integrationsubnet" {
name = "integrationsubnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.1.0/24"]
delegation {
name = "delegation"
service_delegation {
name = "Microsoft.Web/serverFarms"
}
}
}
resource "azurerm_subnet" "endpointsubnet" {
name = "endpointsubnet"
resource_group_name = azurerm_resource_group.rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.0.2.0/24"]
private_endpoint_network_policies_enabled = true
}
resource "azurerm_service_plan" "appserviceplan" {
name = "appserviceplan"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
os_type = "Windows"
sku_name = "P1v2"
}
resource "azurerm_windows_web_app" "frontwebapp" {
name = "<unique-frontend-app-name>"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
service_plan_id = azurerm_service_plan.appserviceplan.id
site_config {}
app_settings = {
"WEBSITE_DNS_SERVER": "168.63.129.16",
"WEBSITE_VNET_ROUTE_ALL": "1"
}
}
resource "azurerm_app_service_virtual_network_swift_connection" "vnetintegrationconnection" {
app_service_id = azurerm_windows_web_app.frontwebapp.id
subnet_id = azurerm_subnet.integrationsubnet.id
}
resource "azurerm_windows_web_app" "backwebapp" {
name = "<unique-backend-app-name>"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
service_plan_id = azurerm_service_plan.appserviceplan.id
site_config {}
}
resource "azurerm_private_dns_zone" "dnsprivatezone" {
name = "privatelink.azurewebsites.net"
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "dnszonelink" {
name = "dnszonelink"
resource_group_name = azurerm_resource_group.rg.name
private_dns_zone_name = azurerm_private_dns_zone.dnsprivatezone.name
virtual_network_id = azurerm_virtual_network.vnet.id
}
resource "azurerm_private_endpoint" "privateendpoint" {
name = "backwebappprivateendpoint"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.endpointsubnet.id
private_dns_zone_group {
name = "privatednszonegroup"
private_dns_zone_ids = [azurerm_private_dns_zone.dnsprivatezone.id]
}
private_service_connection {
name = "privateendpointconnection"
private_connection_resource_id = azurerm_windows_web_app.backwebapp.id
subresource_names = ["sites"]
is_manual_connection = false
}
}