azure - 部署 Azure 防火墙 IP 组更改失败并出现冲突
问题描述
我正在尝试使用策略、规则和一组 IPGroup 部署 Azure 防火墙。当我部署 ARM 模板以开始一切正常时。稍后如果我想更改其中一个 IPGroup 中的某些内容,并尝试部署该 IPGroup 更改,Azure 部署将失败并显示状态:与消息冲突:
{
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'."
}
}
我尝试在他们自己的 ARM 模板中明确管理 IPGroups,并将它们与 Azure Policy Rule Collection ARM Template 和 DependsOn 一起放置,看看将它们全部部署在一起是否会有所帮助,但无论哪种方式,我们都会得到“冲突” .. 我想我想知道更新作为防火墙网络规则一部分的 IPGroup 的适当方法是什么?如果我不能简单地更新 IPGroup?
这是我的带有 IPGroups 的策略的完整 ARM 模板的示例。
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"firewallPolicyName": {
"defaultValue": "[concat('onelucki-fw-parent-policy', uniqueString(resourceGroup().id))]",
"type": "String"
},
"DevSubnets": {
"defaultValue": "DevSubnets",
"type": "String"
},
"AzureSubnets": {
"defaultValue": "AzureSubnets",
"type": "String"
}
},
"variables": {
"fwPolicyName": "[parameters('firewallPolicyName')]"
},
"resources": [
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2020-05-01",
"name": "AzureSubnets",
"location": "centralus",
"tags": { "Zone": "MixedZones" },
"properties": {
"ipAddresses": [
"10.99.1.1"
]
}
},
{
"type": "Microsoft.Network/ipGroups",
"apiVersion": "2020-05-01",
"name": "DevSubnets",
"location": "centralus",
"tags": { "Zone": "Dev" },
"properties": {
"ipAddresses": [
"10.99.2.2"
]
}
},
{
"type": "Microsoft.Network/firewallPolicies",
"apiVersion": "2020-11-01",
"name": "[parameters('firewallPolicyName')]",
"location": "centralus",
"properties": {
"sku": {
"tier": "Standard"
},
"threatIntelMode": "Alert"
}
},
{
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2020-11-01",
"name": "[concat(parameters('firewallPolicyName'), '/DefaultNetworkRuleCollectionGroup')]",
"location": "westus",
"dependsOn": [
"[resourceId('Microsoft.Network/ipGroups', parameters('AzureSubnets'))]",
"[resourceId('Microsoft.Network/ipGroups', parameters('DevSubnets'))]",
"[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]"
],
"properties": {
"priority": 200,
"ruleCollections": [
{
"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
"action": {
"type": "Allow"
},
"rules": [
{
"ruleType": "NetworkRule",
"name": "DemoRule",
"ipProtocols": [
"TCP"
],
"sourceAddresses": [],
"sourceIpGroups": [
"/subscriptions/<subscriptionIDHere>/resourceGroups/onelucki-fw/providers/Microsoft.Network/ipGroups/DevSubnets"
],
"destinationAddresses": [],
"destinationIpGroups": [
"/subscriptions/<subscriptionIDHere>/resourceGroups/onelucki-fw/providers/Microsoft.Network/ipGroups/AzureSubnets"
],
"destinationFqdns": [],
"destinationPorts": [
"135",
"445"
]
}
],
"name": "DemoDeployRuleCollection",
"priority": 1300
}
]
}
}
]
}
解决方案
需要一次部署一个 IP 组。此外,防火墙策略需要依赖于正在使用的 IP 组,尽管它没有列出它们。
IP 组的部署似乎在部署期间对防火墙策略进行了一些验证/更新。
推荐阅读
- php - Woocommerce Shop 页面仍然显示旧的主题设计
- haskell-stack - 使用堆栈安装haskell的问题
- reactjs - 如何在 Azure 中实现授权码授予
- vue.js - vue中具有特定样式的对象数组
- java - 回调完成时在TextView上的Android setText
- scala - Spark - 如何获得价值,而不是列本身?
- matlab - 初始化 pimp 控制器失败:绑定到 tcp://* 时出错:9620-9620 范围内没有可用端口
- cmake - 我可以用 CMake 和 vcpkg(很好地)管理 QuantLib 吗?
- reactjs - 在我的 reactjs 电子商务网站购物篮中添加数量
- javascript - 在反应中更新单个字段不起作用