【Question title】: Azure Data Factory - Private Endpoint: Unable to access the Azure Data Factory inside the VNET?
【Posted】: 2022-10-18 21:28:36
【Question】:

I am working on a Terraform script to provision Azure Data Factory. It works fine without a private zone and private endpoint. After adding the private endpoint, I can no longer access the Azure Data Factory from inside the VNET.

Below is the Terraform script used:

```hcl
// Create a Data Factory
resource "azurerm_data_factory" "datafactory" {
  name                = "ipz10datafactorydemo"
  location            = azurerm_resource_group.resource_group.location
  resource_group_name = azurerm_resource_group.resource_group.name
  # public_network_enabled = false  # commented out, so public network access stays at its default (enabled)

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.uai_adf.id]
  }

  github_configuration {
    account_name    = "kvija85"
    branch_name     = "main"
    git_url         = "https://github.com/kvija85/azure-data-factory-etl-demo"
    repository_name = "azure-data-factory-etl-demo"
    root_folder     = "/"
  }

  depends_on = [
    azurerm_resource_group.resource_group, azurerm_user_assigned_identity.uai_adf
  ]
}

// Create the Private DNS zone for the Data Factory (dataFactory subresource)
resource "azurerm_private_dns_zone" "datafactoryzone" {
  name                = "privatelink.datafactory.azure.net"
  resource_group_name = azurerm_resource_group.resource_group.name

  depends_on = [
    azurerm_resource_group.resource_group
  ]
}

// Create the Private DNS zone for the Data Factory portal (portal subresource)
resource "azurerm_private_dns_zone" "datafactoryportalzone" {
  name                = "privatelink.adf.azure.com"
  resource_group_name = azurerm_resource_group.resource_group.name

  depends_on = [
    azurerm_resource_group.resource_group
  ]
}

// Link the Data Factory zone to the hub VNET
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_hub_vnet_datafactoryzone" {
  name                  = "vnet_link_hub_datafactoryzone"
  resource_group_name   = azurerm_resource_group.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.datafactoryzone.name
  virtual_network_id    = azurerm_virtual_network.hub_vnet.id

  depends_on = [
    azurerm_resource_group.resource_group, azurerm_private_dns_zone.datafactoryzone, azurerm_virtual_network.hub_vnet
  ]
}

// Link the Data Factory zone to the spoke VNET
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_spoke_vnet_datafactoryzone" {
  name                  = "vnet_link_spoke_datafactoryzone"
  resource_group_name   = azurerm_resource_group.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.datafactoryzone.name
  virtual_network_id    = azurerm_virtual_network.spoke_vnet.id

  depends_on = [
    azurerm_resource_group.resource_group, azurerm_private_dns_zone.datafactoryzone, azurerm_virtual_network.spoke_vnet
  ]
}

// Link the portal zone to the hub VNET
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_hub_vnet_datafactoryportalzone" {
  name                  = "vnet_link_hub_datafactoryportalzone"
  resource_group_name   = azurerm_resource_group.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.datafactoryportalzone.name
  virtual_network_id    = azurerm_virtual_network.hub_vnet.id

  depends_on = [
    azurerm_resource_group.resource_group, azurerm_private_dns_zone.datafactoryportalzone, azurerm_virtual_network.hub_vnet
  ]
}

// Link the portal zone to the spoke VNET
resource "azurerm_private_dns_zone_virtual_network_link" "network_link_spoke_vnet_datafactoryportalzone" {
  name                  = "vnet_link_spoke_datafactoryportalzone"
  resource_group_name   = azurerm_resource_group.resource_group.name
  private_dns_zone_name = azurerm_private_dns_zone.datafactoryportalzone.name
  virtual_network_id    = azurerm_virtual_network.spoke_vnet.id

  depends_on = [
    azurerm_resource_group.resource_group, azurerm_private_dns_zone.datafactoryportalzone, azurerm_virtual_network.spoke_vnet
  ]
}

// Create the Private Endpoint for the Data Factory (local module; its source is not shown here)
module "pedatafactory" {
  source = "./modules/privateendpoint/"

  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_resource_group.resource_group.location
  name                = var.privateendpointdatafactory_name

  subnet_id                        = azurerm_subnet.endpoint_subnet.id
  private_link_enabled_resource_id = azurerm_data_factory.datafactory.id
  private_dns_zone_name            = azurerm_private_dns_zone.datafactoryzone.name
  subresource_names                = ["dataFactory"]
  resource_name                    = azurerm_data_factory.datafactory.name

  depends_on = [
    azurerm_data_factory.datafactory, azurerm_private_dns_zone.datafactoryzone
  ]
}

// Create the Private Endpoint for the Data Factory portal (same local module)
module "pedatafactoryportal" {
  source = "./modules/privateendpoint/"

  resource_group_name = azurerm_resource_group.resource_group.name
  location            = azurerm_resource_group.resource_group.location
  name                = var.privateendpointdatafactory_portal_name

  subnet_id                        = azurerm_subnet.endpoint_subnet.id
  private_link_enabled_resource_id = azurerm_data_factory.datafactory.id
  private_dns_zone_name            = azurerm_private_dns_zone.datafactoryportalzone.name
  subresource_names                = ["portal"]
  resource_name                    = azurerm_data_factory.datafactory.name

  depends_on = [
    azurerm_data_factory.datafactory, azurerm_private_dns_zone.datafactoryportalzone
  ]
}
```

What am I missing here? Why does enabling the private endpoint stop me from accessing Azure Data Factory?

According to the Microsoft article, I need to configure a few more things.

But I'm not sure how to do that.

【Comments】:

  • What you can do is set it up manually from the portal, test it, and capture its ARM template. Then repeat it with Terraform, capture the resulting ARM template, and compare the two. Again, I wonder... why use Terraform for a resource type that only exists in Azure?
  • What actually changed for you after turning on the private endpoint? What kind of NSG/firewall rules do you have for the VM that runs the web browser for authoring? > Why does enabling the private endpoint stop me from accessing Azure Data Factory? pedatafactoryportal changes the connection to adf.azure.com, and there may be some failure there. I would double-check the private endpoint DNS template, whether the correct entries were created in the given private DNS zone, and DNS problems on the VM. Also note that adf.azure.com still works over the public internet: it can be used to check whether other connectivity from the SHIR is fine.
  • @Nick.McDermaid, could you help me with the manual steps or the CLI to configure the private endpoint for Azure Data Factory?

Tags: azure terraform azure-data-factory terraform-provider-azure
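The second comment suggests verifying, from a VM inside the VNET, that the factory's hostnames actually resolve through the private DNS zones declared in the Terraform above. As an added example (not from the post or the comments), this Python check follows the CNAME chain in captured `dig +noall +answer` output, requires that it end in the matching privatelink zone, and confirms the A record lies in the endpoint subnet. The hostnames, addresses and dig output are constructed placeholders, and the endpoint subnet 10.1.2.0/24 is assumed.

```python
import ipaddress

# Private DNS zones from the question's Terraform, keyed by ADF subresource name.
PRIVATELINK_ZONES = {
    "dataFactory": "privatelink.datafactory.azure.net",
    "portal": "privatelink.adf.azure.com",
}

# Constructed sample of `dig +noall +answer` output as seen from a VM in the spoke
# VNET; names, TTLs and addresses are placeholders, not values from the page.
SAMPLE_DIG_OUTPUT = """\
myfactory.westeurope.datafactory.azure.net. 60 IN CNAME myfactory.westeurope.privatelink.datafactory.azure.net.
myfactory.westeurope.privatelink.datafactory.azure.net. 10 IN A 10.1.2.5
adf.azure.com. 60 IN A 20.0.0.1
"""

def parse_dig(output):
    """Map owner name -> (rrtype, rdata) for the A and CNAME lines of dig's answer section."""
    records = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            records[parts[0].rstrip(".")] = (parts[3], parts[4].rstrip("."))
    return records

def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs starting at name; return (final_name, ip_or_None)."""
    for _ in range(max_hops):
        rr = records.get(name)
        if rr is None:
            return name, None
        rrtype, rdata = rr
        if rrtype == "A":
            return name, rdata
        name = rdata  # CNAME: continue from the target
    return name, None

def check_private_resolution(output, hostname, subresource, endpoint_subnet):
    """Return (ok, reason). ok only if the chain ends in the privatelink zone for the
    subresource and the A record lies in the subnet the private endpoint was placed in."""
    zone = PRIVATELINK_ZONES[subresource]
    final_name, ip = resolve_chain(parse_dig(output), hostname)
    if ip is None:
        return False, f"{hostname}: no A record (chain stopped at {final_name})"
    if not final_name.endswith("." + zone):
        return False, f"{hostname}: public DNS answer {ip}; zone {zone} not applied (no VNET link, or the VM's DNS forwarder bypasses it)"
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(endpoint_subnet):
        return False, f"{hostname}: {ip} is outside endpoint subnet {endpoint_subnet}"
    return True, f"{hostname}: private IP {ip} via {zone}"
```

In the sample, the dataFactory name resolves privately while adf.azure.com still gets a public answer, which is the kind of split the comment describes; run the real dig on the authoring VM and feed its answer section in.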


【Answer 1】:

• Keep the following in mind when creating a private endpoint for an Azure Data Factory workspace, as it addresses a limitation about it: -

Connecting to Data Factory through a private endpoint only applies to the self-hosted IR in Data Factory. It is not supported for Azure Synapse Analytics.

So, similarly, I tried to create an integration runtime in the Azure Data Factory workspace that was created, and tried to import data into it using Azure Blob Storage as the source dataset and process it into Azure SQL Database as the sink dataset, where a private endpoint connection is created for the Azure storage account as well as for the Azure SQL Database. The data is imported into ADF in text format through the private endpoint created for Azure Blob Storage, and similarly, through the data processing pipeline created in ADF, the data is forwarded to the Azure SQL Database, where it is processed based on the query created in the table shown below and the pipeline set up accordingly.

So, similarly, creating private endpoints for the Azure SQL DB, the Azure storage account and Azure ADF in the integration runtime pipeline can also be configured and deployed successfully. But due to an internal error in the Azure fabric setup, the virtual network integration together with the private endpoints created in the private DNS zone was not successful, as it throws a 502 page error for that configuration.

Please find the snapshots below for the detailed configuration and deployment: -

Azure Storage Account private endpoint: -

Azure SQL DB private endpoint: -

Azure ADF private endpoint: -

Azure ADF pipeline deployment: -

So, in this way, you can configure data ingestion and processing pipelines using an integration runtime, with private endpoints for connectivity, in Azure Data Factory.

For more details on this, please refer to the following link: -

https://learn.microsoft.com/en-us/azure/data-factory/tutorial-copy-data-portal-private

【Discussion】:
