Tutorial: Establish Azure Functions private site access

This tutorial shows you how to enable private site access with Azure Functions. By using private site access, you can require that your function code is only triggered from a specific virtual network.

Private site access is useful in scenarios where access to the function app needs to be limited to a specific virtual network. For example, the function app may be applicable only to employees of a specific organization, or to services within the specified virtual network (such as another Azure Function, an Azure Virtual Machine, or an AKS cluster).

If a function app needs to access Azure resources within the virtual network, or resources connected via service endpoints, then virtual network integration is needed; private site access only restricts inbound access to the function app.

In this tutorial, you learn how to configure private site access for your function app:

  • Create a virtual machine
  • Create an Azure Bastion service
  • Create an Azure Functions app
  • Configure a virtual network service endpoint
  • Create and deploy an Azure Function
  • Invoke the function from outside and within the virtual network

If you don't have an Azure subscription, create a trial account before you begin.

Topology

The following diagram shows the architecture of the solution to be created:

High-level architecture diagram of the private site access solution

Prerequisites

For this tutorial, it's important that you understand IP addressing and subnetting. You can start with this article that covers the basics of addressing and subnetting. Many more articles and videos are available online.

Sign in to the Azure portal

Sign in to the Azure portal.

Create a virtual machine

The first step in this tutorial is to create a new virtual machine inside a virtual network. The virtual machine is used to access your function once you've restricted its access to the virtual network only.

  1. Select the Create a resource button.

  2. In the search field, type Windows Server, and select Windows Server in the search results.

  3. Select Windows Server 2019 Datacenter from the list of Windows Server options, and press the Create button.

  4. In the Basics tab, use the VM settings as specified in the table below the image:

    Basics tab for a new Windows VM

    Setting | Suggested value | Description
    Subscription | Your subscription | The subscription under which your resources are created.
    Resource group | myResourceGroup | Choose the resource group to contain all the resources for this tutorial. Using the same resource group makes it easier to clean up resources when you're done with this tutorial.
    Virtual machine name | myVM | The VM name needs to be unique in the resource group.
    Region | China North 2 | Choose a region near you or near the functions to be accessed.
    Public inbound ports | None | Select None to ensure there is no inbound connectivity to the VM from the internet. Remote access to the VM will be configured via the Azure Bastion service.

  5. Choose the Networking tab and select Create new to configure a new virtual network.

    Screenshot that shows the Networking tab with the Create new action highlighted in the Virtual network section.

  6. In Create virtual network, use the settings in the table below the image:

    Create a new virtual network for the new VM

    Setting | Suggested value | Description
    Name | myResourceGroup-vnet | You can use the default name generated for your virtual network.
    Address range | 10.10.0.0/16 | Use a single address range for the virtual network.
    Subnet name | Tutorial | Name of the subnet.
    Address range (subnet) | 10.10.1.0/24 | The subnet size defines how many interfaces can be added to the subnet. This subnet is used by the VM. A /24 subnet provides 254 host addresses.

  7. Select OK to create the virtual network.

  8. Back in the Networking tab, ensure None is selected for Public IP.

  9. Choose the Management tab, then in Diagnostic storage account, choose Create new to create a new storage account.

  10. Leave the default values for the Identity, Auto-shutdown, and Backup sections.

  11. Select Review + create. After validation completes, select Create. The VM creation process takes a few minutes.

Configure Azure Bastion

Azure Bastion is a fully managed Azure service which provides secure RDP and SSH access to virtual machines directly from the Azure portal. Using the Azure Bastion service removes the need to configure network settings related to RDP access; the VM keeps no public IP and no inbound ports open, as configured above.

  1. In the portal, choose Add at the top of the resource group view.

  2. In the search field, type Bastion.

  3. Select Bastion in the search results.

  4. Select Create to begin the process of creating a new Azure Bastion resource. You will notice an error message in the Virtual network section, because there is not yet an AzureBastionSubnet subnet; it is created in the following steps. Use the settings in the table below the image:

    Start of creating Azure Bastion

    Setting | Suggested value | Description
    Name | myBastion | The name of the new Bastion resource.
    Region | China North 2 | Choose a region near you or near other services your functions access.
    Virtual network | myResourceGroup-vnet | The virtual network in which the Bastion resource will be created.
    Subnet | AzureBastionSubnet | The subnet in your virtual network to which the new Bastion host resource will be deployed. You must create a subnet with the exact name AzureBastionSubnet; this value lets Azure know which subnet to deploy the Bastion resources to. The subnet must be /27 or larger (/27, /26, and so on).

    Note

    For a detailed, step-by-step guide to creating an Azure Bastion resource, refer to the Create an Azure Bastion host tutorial.

  5. Create a subnet in which Azure can provision the Azure Bastion host. Choosing Manage subnet configuration opens a new pane where you can define a new subnet. Choose + Subnet to create a new subnet.

  6. The subnet must be named AzureBastionSubnet and the subnet prefix must be at least /27. Select OK to create the subnet.

    Create subnet for Azure Bastion host

  7. On the Create a Bastion page, select the newly created AzureBastionSubnet from the list of available subnets.

    Create an Azure Bastion host with a specific subnet

  8. Select Review + create. Once validation completes, select Create. It takes a few minutes for the Azure Bastion resource to be created.

Create an Azure Functions app

The next step is to create a function app in Azure using the Consumption plan. You deploy your function code to this resource later in the tutorial.

  1. In the portal, choose Add at the top of the resource group view.

  2. Select Compute > Function App.

  3. In the Basics section, use the function app settings as specified in the table below.

    Setting | Suggested value | Description
    Resource Group | myResourceGroup | Choose the resource group to contain all the resources for this tutorial. Using the same resource group for the function app and VM makes it easier to clean up resources when you're done with this tutorial.
    Function App name | Globally unique name | Name that identifies your new function app. Valid characters are a-z (case insensitive), 0-9, and -.
    Publish | Code | Option to publish code files or a Docker container.
    Runtime stack | Preferred language | Choose a runtime that supports your favorite function programming language.
    Region | China North 2 | Choose a region near you or near other services your functions access.

    Select the Next: Hosting > button.

  4. In the Hosting section, select the proper Storage account, Operating system, and Plan as described in the following table.

    Setting | Suggested value | Description
    Storage account | Globally unique name | Create a storage account used by your function app. Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only. You can also use an existing account, which must meet the storage account requirements.
    Operating system | Preferred operating system | An operating system is pre-selected for you based on your runtime stack selection, but you can change the setting if necessary.
    Plan | Consumption | The hosting plan dictates how the function app is scaled and the resources available to each instance.

  5. Select Review + create to review the app configuration selections.

  6. Select Create to provision and deploy the function app.

Configure access restrictions

The next step is to configure access restrictions to ensure only resources on the virtual network can invoke the function.

Private site access is enabled by creating an Azure Virtual Network service endpoint between the function app and the specified virtual network. Access restrictions are implemented via service endpoints. Service endpoints ensure only traffic originating from within the specified virtual network can access the designated resource. In this case, the designated resource is the Azure Function.

  1. Within the function app, select the Networking link under the Settings section header.

  2. The Networking page is the starting point to configure Azure Front Door, the Azure CDN, and also Access Restrictions.

  3. Select Configure Access Restrictions to configure private site access.

  4. On the Access Restrictions page, you see only the default restriction in place. The default doesn't place any restrictions on access to the function app; once an Allow rule is added, traffic not matched by a rule is denied, which is what produces the HTTP 403 seen later in this tutorial. Select Add rule to create a private site access restriction configuration.

  5. In the Add Access Restriction pane, provide a Name, Priority, and Description for the new rule.

  6. Select Virtual Network from the Type drop-down box, then select the previously created virtual network, and then select the Tutorial subnet.

    Note

    It may take several minutes to enable the service endpoint.

  7. The Access Restrictions page now shows that there is a new restriction. It may take a few seconds for the Endpoint status to change from Disabled through Provisioning to Enabled.

    Important

    Each function app has an Advanced Tools (Kudu) site that is used to manage function app deployments. This site is accessed from a URL like <FUNCTION_APP_NAME>.scm.chinacloudsites.cn. Enabling access restrictions on the Kudu site prevents the deployment of the project code from a local developer workstation; an agent inside the virtual network is then needed to perform the deployment.
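As an added example (not part of the Azure tutorial) covering the subnet rules from the Bastion section and the access-restriction rule configured here: an offline Python pre-flight check of the 10.10.0.0/16 layout, the AzureBastionSubnet name and /27 requirement, the name rules stated for the function app and storage account, and a builder for the Virtual Network type Allow rule. The sample subnet layout, the subnet resource ID and the ipSecurityRestrictions field names are assumptions.

```python
# Added example, not from the Azure tutorial: an offline pre-flight check for the
# network layout the tutorial builds (vnet, Tutorial subnet, AzureBastionSubnet),
# the name rules it states, and a builder for the "Virtual Network" access rule.
import ipaddress
import re

VNET = "10.10.0.0/16"                 # virtual network address range from the tutorial
SUBNETS = {                           # constructed sample layout; the Bastion prefix is assumed
    "Tutorial": "10.10.1.0/24",
    "AzureBastionSubnet": "10.10.2.0/27",
}
BASTION_NAME = "AzureBastionSubnet"   # exact name Azure requires for the Bastion host subnet
BASTION_MAX_PREFIXLEN = 27            # the Bastion subnet must be /27 or larger (/27, /26, ...)

def check_subnets(vnet_cidr, subnets):
    """Return a list of problems; an empty list means the layout is consistent."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():          # every subnet must lie inside the vnet
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside {vnet}")
    names = list(nets)
    for i, a in enumerate(names):           # subnets must not overlap one another
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    bastion = nets.get(BASTION_NAME)
    if bastion is None:
        problems.append(f"no subnet named {BASTION_NAME}")
    elif bastion.prefixlen > BASTION_MAX_PREFIXLEN:
        problems.append(f"{BASTION_NAME} is /{bastion.prefixlen}; needs /{BASTION_MAX_PREFIXLEN} or larger")
    return problems

def valid_function_app_name(name):
    """Valid characters are a-z (case insensitive), 0-9 and '-', as the tutorial states."""
    return re.fullmatch(r"[A-Za-z0-9-]+", name) is not None

def valid_storage_account_name(name):
    """3 to 24 characters, lowercase letters and digits only, as the tutorial states."""
    return re.fullmatch(r"[a-z0-9]{3,24}", name) is not None

def vnet_access_rule(name, priority, subnet_resource_id, description=""):
    """Build the Allow rule of type Virtual Network for the Tutorial subnet.
    Field names follow the App Service ipSecurityRestrictions schema as this example's
    author understands it (assumption: verify against your API version before use)."""
    return {
        "name": name,
        "priority": priority,
        "action": "Allow",
        "vnetSubnetResourceId": subnet_resource_id,
        "description": description,
    }
```

Run check_subnets before creating the Bastion resource; the tutorial's portal error in step 4 corresponds to the "no subnet named AzureBastionSubnet" problem.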

Access the function app

  1. Return to the previously created function app. In the Overview section, copy the URL.

    Get the function app URL

    If you try to access the function app now from your computer outside of your virtual network, you'll receive an HTTP 403 page indicating that access is forbidden.

  2. Return to the resource group and select the previously created virtual machine. In order to access the site from the VM, you need to connect to the VM via the Azure Bastion service.

  3. Select Connect and then choose Bastion.

  4. Provide the required username and password to log into the virtual machine.

  5. Select Connect. A new browser window pops up to allow you to interact with the virtual machine. It's possible to access the site from the web browser on the VM because the VM is accessing the site through the virtual network. While the site is only accessible from within the designated virtual network, a public DNS entry remains.

Create a function

The next step in this tutorial is to create an HTTP-triggered Azure Function. Invoking the function via an HTTP GET or POST should result in a response of "Hello, {name}".

  1. Follow one of the following quickstarts to create and deploy your Azure Functions app.

  2. When publishing your Azure Functions project, choose the function app resource that you created earlier in this tutorial.

  3. Verify the function is deployed.

    Deployed function in the list of functions

Invoke the function directly

  1. In order to test access to the function, you need to copy the function URL. Select the deployed function, and then select Get Function Url. Then click the Copy button to copy the URL to your clipboard.

    Copy the function URL

  2. Paste the URL into a web browser. When you now try to access the function app from a computer outside of your virtual network, you receive an HTTP 403 response indicating access to the app is forbidden.

Invoke the function from the virtual network

Accessing the function via a web browser (by using the Azure Bastion service) on the configured VM on the virtual network results in success.

Access the Azure Function via Azure Bastion

Clean up resources

In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, you can delete them by deleting the resource group.

From the Azure portal menu or Home page, select Resource groups. Then, on the Resource groups page, select myResourceGroup.

On the myResourceGroup page, make sure that the listed resources are the ones you want to delete.

Select Delete resource group, type myResourceGroup in the text box to confirm, and then select Delete.

Next steps