Navigate to the storage account for which you would like to create a private endpoint. In the table of contents for the storage account, select Private endpoint connections, and then + Private endpoint to create a new private endpoint.


The resulting wizard has multiple pages to complete.
In the Basics blade, select the desired resource group, name, and region for your private endpoint. These can be whatever you want; they don't have to match the storage account in any way, but you must create the private endpoint in the same region as the virtual network you wish to create the private endpoint in.

In the Resource blade, select the radio button for Connect to an Azure resource in my directory. Under Resource type, select Microsoft.Storage/storageAccounts for the resource type. The Resource field is the storage account with the Azure file share you wish to connect to. Target sub-resource is file, since this is for Azure Files.
The Configuration blade allows you to select the specific virtual network and subnet you would like to add your private endpoint to. You must select a distinct subnet from the subnet you added your service endpoint to above. The Configuration blade also contains the information for creating/updating the private DNS zone. We recommend using the default privatelink.file.core.chinacloudapi.cn zone.

Click Review + create to create the private endpoint.
If you have a virtual machine inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint has been set up correctly by running the following command from PowerShell, the command line, or the terminal (works for Windows, Linux, or macOS). You must replace <storage-account-name> with the appropriate storage account name:
nslookup <storage-account-name>.file.core.chinacloudapi.cn
If everything has worked successfully, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network (output shown for Windows):
Server: UnKnown
Address: 10.2.4.4
Non-authoritative answer:
Name: storageaccount.privatelink.file.core.chinacloudapi.cn
Address: 192.168.0.5
Aliases: storageaccount.file.core.chinacloudapi.cn
To create a private endpoint for your storage account, you first need to get a reference to your storage account and the virtual network subnet to which you want to add the private endpoint. Replace <storage-account-resource-group-name>, <storage-account-name>, <vnet-resource-group-name>, <vnet-name>, and <vnet-subnet-name> below:
$storageAccountResourceGroupName = "<storage-account-resource-group-name>"
$storageAccountName = "<storage-account-name>"
$virtualNetworkResourceGroupName = "<vnet-resource-group-name>"
$virtualNetworkName = "<vnet-name>"
$subnetName = "<vnet-subnet-name>"
# Get storage account reference, and throw error if it doesn't exist
$storageAccount = Get-AzStorageAccount `
-ResourceGroupName $storageAccountResourceGroupName `
-Name $storageAccountName `
-ErrorAction SilentlyContinue
if ($null -eq $storageAccount) {
$errorMessage = "Storage account $storageAccountName not found "
$errorMessage += "in resource group $storageAccountResourceGroupName."
Write-Error -Message $errorMessage -ErrorAction Stop
}
# Get virtual network reference, and throw error if it doesn't exist
$virtualNetwork = Get-AzVirtualNetwork `
-ResourceGroupName $virtualNetworkResourceGroupName `
-Name $virtualNetworkName `
-ErrorAction SilentlyContinue
if ($null -eq $virtualNetwork) {
$errorMessage = "Virtual network $virtualNetworkName not found "
$errorMessage += "in resource group $virtualNetworkResourceGroupName."
Write-Error -Message $errorMessage -ErrorAction Stop
}
# Get reference to virtual network subnet, and throw error if it doesn't exist
$subnet = $virtualNetwork | `
Select-Object -ExpandProperty Subnets | `
Where-Object { $_.Name -eq $subnetName }
if ($null -eq $subnet) {
Write-Error `
-Message "Subnet $subnetName not found in virtual network $virtualNetworkName." `
-ErrorAction Stop
}
To create a private endpoint, you must create a private link service connection to the storage account. The private link service connection is an input to the creation of the private endpoint.
# Disable private endpoint network policies
$subnet.PrivateEndpointNetworkPolicies = "Disabled"
$virtualNetwork = $virtualNetwork | `
Set-AzVirtualNetwork -ErrorAction Stop
# Create a private link service connection to the storage account.
$privateEndpointConnection = New-AzPrivateLinkServiceConnection `
-Name "$storageAccountName-Connection" `
-PrivateLinkServiceId $storageAccount.Id `
-GroupId "file" `
-ErrorAction Stop
# Create a new private endpoint.
$privateEndpoint = New-AzPrivateEndpoint `
-ResourceGroupName $storageAccountResourceGroupName `
-Name "$storageAccountName-PrivateEndpoint" `
-Location $virtualNetwork.Location `
-Subnet $subnet `
-PrivateLinkServiceConnection $privateEndpointConnection `
-ErrorAction Stop
Creating an Azure private DNS zone enables the original name of the storage account, such as storageaccount.file.core.chinacloudapi.cn, to resolve to the private IP inside of the virtual network. Although optional from the perspective of creating a private endpoint, it is explicitly required for mounting the Azure file share directly using an AD user principal or accessing via the REST API.
# Get the desired storage account suffix (core.chinacloudapi.cn for Azure China cloud).
# This is done like this so this script will seamlessly work for non-public Azure.
$storageAccountSuffix = Get-AzContext | `
Select-Object -ExpandProperty Environment | `
Select-Object -ExpandProperty StorageEndpointSuffix
# For Azure China cloud, this will generate the following DNS suffix:
# privatelink.file.core.chinacloudapi.cn.
$dnsZoneName = "privatelink.file.$storageAccountSuffix"
# Find a DNS zone matching desired name attached to this virtual network.
$dnsZone = Get-AzPrivateDnsZone | `
Where-Object { $_.Name -eq $dnsZoneName } | `
Where-Object {
$privateDnsLink = Get-AzPrivateDnsVirtualNetworkLink `
-ResourceGroupName $_.ResourceGroupName `
-ZoneName $_.Name `
-ErrorAction SilentlyContinue
$privateDnsLink.VirtualNetworkId -eq $virtualNetwork.Id
}
if ($null -eq $dnsZone) {
# No matching DNS zone attached to virtual network, so create new one.
$dnsZone = New-AzPrivateDnsZone `
-ResourceGroupName $virtualNetworkResourceGroupName `
-Name $dnsZoneName `
-ErrorAction Stop
$privateDnsLink = New-AzPrivateDnsVirtualNetworkLink `
-ResourceGroupName $virtualNetworkResourceGroupName `
-ZoneName $dnsZoneName `
-Name "$virtualNetworkName-DnsLink" `
-VirtualNetworkId $virtualNetwork.Id `
-ErrorAction Stop
}
Now that you have a reference to the private DNS zone, you must create an A record for your storage account.
$privateEndpointIP = $privateEndpoint | `
Select-Object -ExpandProperty NetworkInterfaces | `
Select-Object @{
Name = "NetworkInterfaces";
Expression = { Get-AzNetworkInterface -ResourceId $_.Id }
} | `
Select-Object -ExpandProperty NetworkInterfaces | `
Select-Object -ExpandProperty IpConfigurations | `
Select-Object -ExpandProperty PrivateIpAddress
$privateDnsRecordConfig = New-AzPrivateDnsRecordConfig `
-IPv4Address $privateEndpointIP
New-AzPrivateDnsRecordSet `
-ResourceGroupName $virtualNetworkResourceGroupName `
-Name $storageAccountName `
-RecordType A `
-ZoneName $dnsZoneName `
-Ttl 600 `
-PrivateDnsRecords $privateDnsRecordConfig `
-ErrorAction Stop | `
Out-Null
If you have a virtual machine inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint has been set up correctly with the following commands:
$storageAccountHostName = [System.Uri]::new($storageAccount.PrimaryEndpoints.file) | `
Select-Object -ExpandProperty Host
Resolve-DnsName -Name $storageAccountHostName
If everything has worked successfully, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network:
Name Type TTL Section NameHost
---- ---- --- ------- --------
storageaccount.file.core.chinacloudapi.cn CNAME 60 Answer storageaccount.privatelink.file.core.chinacloudapi.cn
Name : storageaccount.privatelink.file.core.chinacloudapi.cn
QueryType : A
TTL : 600
Section : Answer
IP4Address : 192.168.0.5
To create a private endpoint for your storage account, you first need to get a reference to your storage account and the virtual network subnet to which you want to add the private endpoint. Replace <storage-account-resource-group-name>, <storage-account-name>, <vnet-resource-group-name>, <vnet-name>, and <vnet-subnet-name> below:
storageAccountResourceGroupName="<storage-account-resource-group-name>"
storageAccountName="<storage-account-name>"
virtualNetworkResourceGroupName="<vnet-resource-group-name>"
virtualNetworkName="<vnet-name>"
subnetName="<vnet-subnet-name>"
# Get storage account ID
storageAccount=$(az storage account show \
--resource-group $storageAccountResourceGroupName \
--name $storageAccountName \
--query "id" | \
tr -d '"')
# Get virtual network ID
virtualNetwork=$(az network vnet show \
--resource-group $virtualNetworkResourceGroupName \
--name $virtualNetworkName \
--query "id" | \
tr -d '"')
# Get subnet ID
subnet=$(az network vnet subnet show \
--resource-group $virtualNetworkResourceGroupName \
--vnet-name $virtualNetworkName \
--name $subnetName \
--query "id" | \
tr -d '"')
To create a private endpoint, you must first ensure that the subnet's private endpoint network policy is set to disabled. Then you can create a private endpoint with the az network private-endpoint create command.
# Disable private endpoint network policies
az network vnet subnet update \
--ids $subnet \
--disable-private-endpoint-network-policies \
--output none
# Get virtual network location
region=$(az network vnet show \
--ids $virtualNetwork \
--query "location" | \
tr -d '"')
# Create a private endpoint
privateEndpoint=$(az network private-endpoint create \
--resource-group $storageAccountResourceGroupName \
--name "$storageAccountName-PrivateEndpoint" \
--location $region \
--subnet $subnet \
--private-connection-resource-id $storageAccount \
--group-id "file" \
--connection-name "$storageAccountName-Connection" \
--query "id" | \
tr -d '"')
Creating an Azure private DNS zone enables the original name of the storage account, such as storageaccount.file.core.chinacloudapi.cn, to resolve to the private IP inside of the virtual network. Although optional from the perspective of creating a private endpoint, it is explicitly required for mounting the Azure file share using an AD user principal or accessing via the REST API.
# Get the desired storage account suffix (core.chinacloudapi.cn for Azure China cloud).
# This is done like this so this script will seamlessly work for non-public Azure.
storageAccountSuffix=$(az cloud show \
--query "suffixes.storageEndpoint" | \
tr -d '"')
# For Azure China cloud, this will generate the following DNS suffix:
# privatelink.file.core.chinacloudapi.cn.
dnsZoneName="privatelink.file.$storageAccountSuffix"
# Find a DNS zone matching desired name attached to this virtual network.
possibleDnsZones=""
possibleDnsZones=$(az network private-dns zone list \
--query "[?name == '$dnsZoneName'].id" \
--output tsv)
dnsZone=""
possibleDnsZone=""
for possibleDnsZone in $possibleDnsZones
do
possibleResourceGroupName=$(az resource show \
--ids $possibleDnsZone \
--query "resourceGroup" | \
tr -d '"')
link=$(az network private-dns link vnet list \
--resource-group $possibleResourceGroupName \
--zone-name $dnsZoneName \
--query "[?virtualNetwork.id == '$virtualNetwork'].id" \
--output tsv)
if [ -z "$link" ]
then
echo "1" > /dev/null
else
dnsZoneResourceGroup=$possibleResourceGroupName
dnsZone=$possibleDnsZone
break
fi
done
if [ -z "$dnsZone" ]
then
# No matching DNS zone attached to virtual network, so create a new one
dnsZone=$(az network private-dns zone create \
--resource-group $virtualNetworkResourceGroupName \
--name $dnsZoneName \
--query "id" | \
tr -d '"')
az network private-dns link vnet create \
--resource-group $virtualNetworkResourceGroupName \
--zone-name $dnsZoneName \
--name "$virtualNetworkName-DnsLink" \
--virtual-network $virtualNetwork \
--registration-enabled false \
--output none
dnsZoneResourceGroup=$virtualNetworkResourceGroupName
fi
Now that you have a reference to the private DNS zone, you must create an A record for your storage account.
privateEndpointNIC=$(az network private-endpoint show \
--ids $privateEndpoint \
--query "networkInterfaces[0].id" | \
tr -d '"')
privateEndpointIP=$(az network nic show \
--ids $privateEndpointNIC \
--query "ipConfigurations[0].privateIpAddress" | \
tr -d '"')
az network private-dns record-set a create \
--resource-group $dnsZoneResourceGroup \
--zone-name $dnsZoneName \
--name $storageAccountName \
--output none
az network private-dns record-set a add-record \
--resource-group $dnsZoneResourceGroup \
--zone-name $dnsZoneName \
--record-set-name $storageAccountName \
--ipv4-address $privateEndpointIP \
--output none
If you have a virtual machine inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint has been set up correctly with the following commands:
httpEndpoint=$(az storage account show \
--resource-group $storageAccountResourceGroupName \
--name $storageAccountName \
--query "primaryEndpoints.file" | \
tr -d '"')
hostName=$(echo $httpEndpoint | cut -c7-$(expr length $httpEndpoint) | tr -d "/")
nslookup $hostName
If everything has worked successfully, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network. You should still use storageaccount.file.core.chinacloudapi.cn to mount your file share instead of the privatelink path.
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
storageaccount.file.core.chinacloudapi.cn canonical name = storageaccount.privatelink.file.core.chinacloudapi.cn.
Name: storageaccount.privatelink.file.core.chinacloudapi.cn
Address: 192.168.0.5
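The three nslookup/Resolve-DnsName checks on this page (the portal, PowerShell and CLI variants) ask you to read the output by eye. The script below, an added example that is not part of the original page, turns that into a pass/fail check: it parses nslookup output (both the Linux format shown directly above and the Windows format shown earlier), confirms the storage account name is answered through the expected <account>.privatelink.file... CNAME, and confirms the returned address is an RFC 1918 private address rather than a public one. The three sample outputs are constructed; the public-endpoint CNAME and the 203.0.113.10 address in the failure sample are placeholders, not real values.

```shell
#!/bin/sh
# Added example: verify that a storage account host name resolves through the
# privatelink CNAME to a private (RFC 1918) IP. Exit status 0 means the private
# endpoint is in use; 1 means the name still resolves to the public endpoint,
# which usually points at a missing private DNS zone link or DNS forwarding.

# Constructed sample, modelled on the Linux nslookup output shown above.
SAMPLE_PRIVATE='Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
storageaccount.file.core.chinacloudapi.cn canonical name = storageaccount.privatelink.file.core.chinacloudapi.cn.
Name: storageaccount.privatelink.file.core.chinacloudapi.cn
Address: 192.168.0.5'

# Constructed sample, modelled on the Windows nslookup output shown earlier.
SAMPLE_WINDOWS='Server: UnKnown
Address: 10.2.4.4

Non-authoritative answer:
Name: storageaccount.privatelink.file.core.chinacloudapi.cn
Address: 192.168.0.5
Aliases: storageaccount.file.core.chinacloudapi.cn'

# Constructed failure case: no private zone, so a placeholder public CNAME and
# a public (TEST-NET) address come back instead.
SAMPLE_PUBLIC='Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
storageaccount.file.core.chinacloudapi.cn canonical name = file.public-endpoint.invalid.
Name: file.public-endpoint.invalid
Address: 203.0.113.10'

# is_rfc1918 <ipv4>: 0 if the address is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# answer_address <nslookup-output>: the "Address:" line that follows "Name:",
# skipping the resolver's own Server/Address header.
answer_address() {
  printf '%s\n' "$1" | awk '/^Name:/ {seen=1; next} seen && /^Address:/ {print $2; exit}'
}

# answer_cname <nslookup-output>: the name the query was answered under, taken
# from the "canonical name =" line (Linux) or the "Name:" line (Windows).
answer_cname() {
  printf '%s\n' "$1" | awk '
    /canonical name =/ {sub(/\.$/, "", $NF); print $NF; exit}
    /^Name:/           {print $2; exit}'
}

# check_private_resolution <storage-account-host> <nslookup-output>
check_private_resolution() {
  host="$1"; output="$2"
  account="${host%%.*}"                     # e.g. storageaccount
  suffix="${host#*.}"                       # e.g. file.core.chinacloudapi.cn
  expected_cname="$account.privatelink.$suffix"
  cname=$(answer_cname "$output")
  addr=$(answer_address "$output")
  [ "$cname" = "$expected_cname" ] || return 1
  is_rfc1918 "$addr" || return 1
  return 0
}

# Offline demonstration against the constructed samples.
for sample in "$SAMPLE_PRIVATE" "$SAMPLE_WINDOWS" "$SAMPLE_PUBLIC"; do
  if check_private_resolution storageaccount.file.core.chinacloudapi.cn "$sample"; then
    echo "OK: answered via privatelink with private IP $(answer_address "$sample")"
  else
    echo "WARN: $(answer_address "$sample") is not a private endpoint address; check the private DNS zone link or DNS forwarding"
  fi
done

# Live usage (needs nslookup and network access), with hostName from the CLI snippet above:
#   check_private_resolution "$hostName" "$(nslookup "$hostName")" && echo "private endpoint in use"
```

The check deliberately fails on a private IP that is not reached through the privatelink name, since that would mean a stale or hand-made record rather than the zone the private endpoint created.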
Navigate to the storage account for which you would like to restrict the public endpoint to specific virtual networks. In the table of contents for the storage account, select Firewalls and virtual networks.
At the top of the page, select the Selected networks radio button. This will reveal a number of settings for controlling the restriction of the public endpoint. Click +Add existing virtual network to select the specific virtual network that should be allowed to access the storage account via the public endpoint. This will require selecting a virtual network and a subnet for that virtual network.
Check Allow trusted Microsoft services to access this service account to allow trusted first-party Microsoft services to access the storage account.


To restrict access to the storage account's public endpoint to specific virtual networks using service endpoints, we first need to collect information about the storage account and virtual network. Fill in <storage-account-resource-group>, <storage-account-name>, <vnet-resource-group-name>, <vnet-name>, and <subnet-name> to collect this information.
$storageAccountResourceGroupName = "<storage-account-resource-group>"
$storageAccountName = "<storage-account-name>"
$restrictToVirtualNetworkResourceGroupName = "<vnet-resource-group-name>"
$restrictToVirtualNetworkName = "<vnet-name>"
$subnetName = "<subnet-name>"
$storageAccount = Get-AzStorageAccount `
-ResourceGroupName $storageAccountResourceGroupName `
-Name $storageAccountName `
-ErrorAction Stop
$virtualNetwork = Get-AzVirtualNetwork `
-ResourceGroupName $restrictToVirtualNetworkResourceGroupName `
-Name $restrictToVirtualNetworkName `
-ErrorAction Stop
$subnet = $virtualNetwork | `
Select-Object -ExpandProperty Subnets | `
Where-Object { $_.Name -eq $subnetName }
if ($null -eq $subnet) {
Write-Error `
-Message "Subnet $subnetName not found in virtual network $restrictToVirtualNetworkName." `
-ErrorAction Stop
}
In order for traffic from the virtual network to be allowed by the Azure network fabric to reach the storage account public endpoint, the virtual network's subnet must have the Microsoft.Storage service endpoint exposed. The following PowerShell commands will add the Microsoft.Storage service endpoint to the subnet if it's not already there.
$serviceEndpoints = $subnet | `
Select-Object -ExpandProperty ServiceEndpoints | `
Select-Object -ExpandProperty Service
if ($serviceEndpoints -notcontains "Microsoft.Storage") {
if ($null -eq $serviceEndpoints) {
$serviceEndpoints = @("Microsoft.Storage")
} elseif ($serviceEndpoints -is [string]) {
$serviceEndpoints = @($serviceEndpoints, "Microsoft.Storage")
} else {
$serviceEndpoints += "Microsoft.Storage"
}
$virtualNetwork = $virtualNetwork | Set-AzVirtualNetworkSubnetConfig `
-Name $subnetName `
-AddressPrefix $subnet.AddressPrefix `
-ServiceEndpoint $serviceEndpoints `
-WarningAction SilentlyContinue `
-ErrorAction Stop | `
Set-AzVirtualNetwork `
-ErrorAction Stop
}
The final step in restricting traffic to the storage account is to create a networking rule and add it to the storage account's network rule set.
$networkRule = $storageAccount | Add-AzStorageAccountNetworkRule `
-VirtualNetworkResourceId $subnet.Id `
-ErrorAction Stop
$storageAccount | Update-AzStorageAccountNetworkRuleSet `
-DefaultAction Deny `
-Bypass AzureServices `
-VirtualNetworkRule $networkRule `
-WarningAction SilentlyContinue `
-ErrorAction Stop | `
Out-Null
To restrict access to the storage account's public endpoint to specific virtual networks using service endpoints, we first need to collect information about the storage account and virtual network. Fill in <storage-account-resource-group>, <storage-account-name>, <vnet-resource-group-name>, <vnet-name>, and <subnet-name> to collect this information.
storageAccountResourceGroupName="<storage-account-resource-group>"
storageAccountName="<storage-account-name>"
restrictToVirtualNetworkResourceGroupName="<vnet-resource-group-name>"
restrictToVirtualNetworkName="<vnet-name>"
subnetName="<subnet-name>"
storageAccount=$(az storage account show \
--resource-group $storageAccountResourceGroupName \
--name $storageAccountName \
--query "id" | \
tr -d '"')
virtualNetwork=$(az network vnet show \
--resource-group $restrictToVirtualNetworkResourceGroupName \
--name $restrictToVirtualNetworkName \
--query "id" | \
tr -d '"')
subnet=$(az network vnet subnet show \
--resource-group $restrictToVirtualNetworkResourceGroupName \
--vnet-name $restrictToVirtualNetworkName \
--name $subnetName \
--query "id" | \
tr -d '"')
In order for traffic from the virtual network to be allowed by the Azure network fabric to reach the storage account public endpoint, the virtual network's subnet must have the Microsoft.Storage service endpoint exposed. The following CLI commands will add the Microsoft.Storage service endpoint to the subnet if it's not already there.
serviceEndpoints=$(az network vnet subnet show \
--resource-group $restrictToVirtualNetworkResourceGroupName \
--vnet-name $restrictToVirtualNetworkName \
--name $subnetName \
--query "serviceEndpoints[].service" \
--output tsv)
foundStorageServiceEndpoint=false
for serviceEndpoint in $serviceEndpoints
do
if [ "$serviceEndpoint" = "Microsoft.Storage" ]
then
foundStorageServiceEndpoint=true
fi
done
if [ "$foundStorageServiceEndpoint" = false ]
then
serviceEndpointList=""
for serviceEndpoint in $serviceEndpoints
do
serviceEndpointList+=$serviceEndpoint
serviceEndpointList+=" "
done
serviceEndpointList+="Microsoft.Storage"
az network vnet subnet update \
--ids $subnet \
--service-endpoints $serviceEndpointList \
--output none
fi
The final step in restricting traffic to the storage account is to create a networking rule and add it to the storage account's network rule set.
az storage account network-rule add \
--resource-group $storageAccountResourceGroupName \
--account-name $storageAccountName \
--subnet $subnet \
--output none
az storage account update \
--resource-group $storageAccountResourceGroupName \
--name $storageAccountName \
--bypass "AzureServices" \
--default-action "Deny" \
--output none
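Both the PowerShell and the CLI variants of this last step end with a network rule plus a default action of Deny, and the rule only restricts anything once the default action is Deny. The script below is an added example, not part of the original page, that audits the resulting state: it reads the networkRuleSet object as pretty-printed JSON and passes only when the default action is Deny and at least one virtual network rule is in the Succeeded state. The two JSON samples are constructed; their shape is assumed to follow what az storage account show prints for networkRuleSet, and the resource id inside them is a placeholder.

```shell
#!/bin/sh
# Added example: audit a storage account's networkRuleSet after locking down
# the public endpoint. Parsing uses sed/grep on pretty-printed JSON (one key
# per line), which is how the Azure CLI prints it by default.

# Constructed sample of the intended end state after the commands above.
HARDENED_RULE_SET='{
  "bypass": "AzureServices",
  "defaultAction": "Deny",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "action": "Allow",
      "state": "Succeeded",
      "virtualNetworkResourceId": "/subscriptions/<subscription-id>/resourceGroups/<vnet-resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"
    }
  ]
}'

# Constructed sample of the weak state: the rule was added but the default
# action was never switched to Deny, so the public endpoint is still open to all.
WEAK_RULE_SET='{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [],
  "virtualNetworkRules": [
    {
      "action": "Allow",
      "state": "Succeeded",
      "virtualNetworkResourceId": "/subscriptions/<subscription-id>/resourceGroups/<vnet-resource-group-name>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/<subnet-name>"
    }
  ]
}'

# json_string_field <json> <key>: first value of a string-valued key.
json_string_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# succeeded_rule_count <json>: number of virtual network rules in state Succeeded.
# grep -c prints 0 (and exits 1) when nothing matches, hence the "|| true".
succeeded_rule_count() {
  printf '%s\n' "$1" | grep -c '"state": *"Succeeded"' || true
}

# audit_network_rule_set <json>: 0 when the public endpoint is restricted as intended.
audit_network_rule_set() {
  default_action=$(json_string_field "$1" defaultAction)
  rules=$(succeeded_rule_count "$1")
  if [ "$default_action" != "Deny" ]; then
    echo "defaultAction is '$default_action': virtual network rules restrict nothing until it is Deny" >&2
    return 1
  fi
  if [ "$rules" -eq 0 ]; then
    echo "defaultAction is Deny but no virtual network rule is in state Succeeded: only bypassed trusted services can reach the public endpoint" >&2
    return 1
  fi
  return 0
}

# Offline demonstration against the constructed samples.
for name in HARDENED_RULE_SET WEAK_RULE_SET; do
  eval "json=\$$name"
  if audit_network_rule_set "$json"; then
    echo "$name: public endpoint restricted (defaultAction Deny, $(succeeded_rule_count "$json") rule(s))"
  else
    echo "$name: public endpoint NOT restricted"
  fi
done

# Live usage (needs the Azure CLI and a login), reusing the variables from the CLI snippet above:
#   audit_network_rule_set "$(az storage account show --resource-group $storageAccountResourceGroupName \
#       --name $storageAccountName --query networkRuleSet)"
```

Running the audit after the update command catches the common mistake of adding the rule and forgetting the default action, and also the opposite case of Deny with no usable rule, which locks out the very subnet the service endpoint was created for.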