一切为了安全,所有的云上资源如支持内网资源访问,则都可以加入虚拟网络
问题描述
使用Azure Function处理Storage Account中Blob 新增,更新,删除等情况。Storage Account启用虚拟网络中的服务终结点(Service Endpoint)后,可以实现只能从内网访问。同时,Azure Function也支持集成内网。并且可支持在虚拟网络中被Storage Account所触发。所以根据门户中一步一步的操作,配置完Azure Function和Storage Account的Virtul Network后,发现Function无法启动。在日志中发现问题是:
2021-06-30T10:56:00.895 [Error] An unhandled exception has occurred. Host is shutting down. Microsoft.Azure.Storage.StorageException : This request is not authorized to perform this operation. at async Microsoft.Azure.Storage.Core.Executor.Executor.ExecuteAsync[T](RESTCommand`1 cmd,IRetryPolicy policy,OperationContext operationContext,CancellationToken token) at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at async Microsoft.Azure.WebJobs.Extensions.Storage.TimeoutHandler.ExecuteWithTimeout[T](String operationName,String clientRequestId,IWebJobsExceptionHandler exceptionHandler,ILogger logger,CancellationToken cancellationToken,Func`1 operation) at C:projectsazure-webjobs-sdk-rqm4tsrcMicrosoft.Azure.WebJobs.Extensions.StorageTimeoutHandler.cs : 56 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at async Microsoft.Azure.WebJobs.Host.Queues.Listeners.QueueListener.ExecuteAsync(CancellationToken cancellationToken) at C:projectsazure-webjobs-sdk-rqm4tsrcMicrosoft.Azure.WebJobs.Extensions.StorageQueuesListenersQueueListener.cs : 201 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at async Microsoft.Azure.WebJobs.Host.Timers.TaskSeriesTimer.RunAsync(CancellationToken cancellationToken) at C:projectsazure-webjobs-sdk-rqm4tsrcMicrosoft.Azure.WebJobs.HostTimersTaskSeriesTimer.cs : 147 2021-06-30T10:56:00.921 [Information] Stopping JobHost 2021-06-30T10:56:00.921 [Information] Stopping the listener 'Microsoft.Azure.WebJobs.Host.Listeners.CompositeListener' for function 'BlobTrigger1' 2021-06-30T10:56:00.942 [Information] Stopped the listener 'Microsoft.Azure.WebJobs.Host.Listeners.CompositeListener' for function 'BlobTrigger1' 2021-06-30T10:56:00.943 [Information] Job host stopped
(日志可通过高级工具Kudu获取:Kudu地址为:https://<your function app name>.scm.chinacloudsites.cn/DebugConsole 日志路径为:D:homeLogFilesApplicationFunctionsHostxxxxxxxx.log)
问题分析
根据日志发现了:
1) Function Host遇见了异常,导致它被关闭.
2)异常的原因是因为访问Storage没有权限 (Microsoft.Azure.Storage.StorageException : This request is not authorized to perform this operation.)
那么问题根源就出现在Azure Function访问Stroage时,走的是公网访问,而公网的访问在Storage中式拒绝的。所以要修改Funciton的配置,让其通过内网的形式访问Storage。在查看官方说明文档后,有发现两个非常重要的配置:
- WEBSITE_VNET_ROUTE_ALL:设置为1。它会将Azure Function的所有出站调用发送到 VNet。
- WEBSITE_DNS_SERVER:默认值为168.63.129.16。用与虚拟网络集成时,它将使用与虚拟网络相同的 DNS 服务器。 函数应用需要此设置才能与 Azure DNS 专用区域配合使用。 此设置和 WEBSITE_VNET_ROUTE_ALL 会将应用中的所有出站调用发送到虚拟网络。
问题解决
在Azure Funciton的设置页面,添加WEBSITE_VNET_ROUTE_ALL和WEBSITE_DNS_SERVER两个参数,配置如下:
修改完成后,再次查看Function Host的启动日志,就可见 “Loading functions metadata” 和 “1 functions loaded”等消息。这就表明,Function Host启动成功。
2021-06-30T10:57:00.006 [Information] Initializing Warmup Extension. 2021-06-30T10:57:00.069 [Information] Initializing Host. OperationId: '93cf4ed0-d598-4308-9241-dca5ba6a55ee'. 2021-06-30T10:57:00.073 [Information] Host initialization: ConsecutiveErrors=0, StartupCount=1, OperationId=93cf4ed0-d598-4308-9241-dca5ba6a55ee 2021-06-30T10:57:00.106 [Information] LoggerFilterOptions { "MinLevel": "None", "Rules": [ { "ProviderName": null, "CategoryName": null, "LogLevel": null, "Filter": "<AddFilter>b__0" }, { "ProviderName": "Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.SystemLoggerProvider", "CategoryName": null, "LogLevel": "None", "Filter": null }, { "ProviderName": "Microsoft.Azure.WebJobs.Script.WebHost.Diagnostics.SystemLoggerProvider", "CategoryName": null, "LogLevel": null, "Filter": "<AddFilter>b__0" } ] } 2021-06-30T10:57:00.107 [Information] FunctionResultAggregatorOptions { "BatchSize": 1000, "FlushTimeout": "00:00:30", "IsEnabled": true } 2021-06-30T10:57:00.107 [Information] SingletonOptions { "LockPeriod": "00:00:15", "ListenerLockPeriod": "00:00:15", "LockAcquisitionTimeout": "10675199.02:48:05.4775807", "LockAcquisitionPollingInterval": "00:00:05", "ListenerLockRecoveryPollingInterval": "00:01:00" } 2021-06-30T10:57:00.107 [Information] QueuesOptions { "BatchSize": 16, "NewBatchThreshold": 8, "MaxPollingInterval": "00:00:02", "MaxDequeueCount": 5, "VisibilityTimeout": "00:00:00" } 2021-06-30T10:57:00.107 [Information] BlobsOptions { "CentralizedPoisonQueue": false } 2021-06-30T10:57:00.108 [Information] Starting JobHost 2021-06-30T10:57:00.110 [Information] Starting Host (HostId=lbfunctionforvnet01, InstanceId=05efd41a-013d-428c-b839-fb4b69127366, Version=3.0.15733.0, ProcessId=5480, AppDomainId=1, InDebugMode=True, InDiagnosticMode=False, FunctionsExtensionVersion=~3) 2021-06-30T10:57:00.121 [Information] Loading functions metadata 2021-06-30T10:57:00.137 [Information] 1 functions loaded 2021-06-30T10:57:01.348 [Information] Generating 1 job function(s) 2021-06-30T10:57:01.373 [Information] Found the following functions: Host.Functions.BlobTrigger1
最后在Storage Blob中上传文件进行测试,Function能成功被触发及获取到正确的Blob信息
2021-06-30T11:02:22.273 [Information] Executing 'Functions.BlobTrigger1' (Reason='New blob detected: samples-workitems/local_error.log', Id=79bc13b9-5aed-487f-b5de-02bb4ff7b8c6) 2021-06-30T11:02:22.276 [Information] Trigger Details: MessageId: f6dd9893-f6c6-41af-a469-f6b2e21e09bc, DequeueCount: 1, InsertionTime: 2021-06-30T11:02:22.000+00:00, BlobCreated: 2021-06-30T11:02:13.000+00:00, BlobLastModified: 2021-06-30T11:02:13.000+00:00 2021-06-30T11:02:22.283 [Information] C# Blob trigger function Processed blob Name:local_error.log Size: 420588 Bytes 2021-06-30T11:02:22.291 [Information] Executed 'Functions.BlobTrigger1' (Succeeded, Id=79bc13b9-5aed-487f-b5de-02bb4ff7b8c6, Duration=37ms)
参考资料
具有虚拟网络触发器的高级计划 :https://docs.azure.cn/zh-cn/azure-functions/functions-networking-options#premium-plan-with-virtual-network-triggers