When running a cmdlet through a DevOps CI/CD deployment pipeline to refresh tables in AAS, I get the following error.
##[error]Cannot connect to server 'xxx'. Client with IP Address '20.68.178.187' is not allowed to access the server. To enable access, use the Firewall settings in Azure Management Portal. It may take up to 5 minutes for this change to take effect.
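The IP is from the Azure-hosted build agent.
Is there a way to enable all Azure IPs in AAS in the same way as in Azure SQL?
Another problem is that whenever we make a change to the AAS instance, the firewall rules are refreshed, so we don't want to add the Azure IPs every time.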
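Best answer
Based on your requirements, you can use the Azure PowerShell task in the pipeline to run a script that updates the existing firewall rule with the agent IP used on each run.
The steps are as follows:
Step 1: Manually create a firewall rule in Analysis Services.
Step 2: Create a .ps1 file in Azure Repos with the following script: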
[CmdletBinding()]
param(
    [Parameter(ValueFromPipeline = $true)][String] $ResourceName = "AnalysisServicesName",
    [Parameter(ValueFromPipeline = $true)][String] $ResourceGroup = "ResourceGroupName"
)

#Setting additional parameters
$ExistingFirewallRuleName = "firewall rule name"
#HTTPS, so the address written into the firewall rule cannot be altered in transit
$PubIPSource = "https://ipinfo.io/ip"
$AServiceServer = Get-AzAnalysisServicesServer -Name $ResourceName -ResourceGroupName $ResourceGroup
$FirewallRules = ($AServiceServer).FirewallConfig.FirewallRules
$powerBi = ($AServiceServer).FirewallConfig.EnablePowerBIService

#Getting previous IP from firewall rule, and new public IP
#The rule is looked up by exact name; indexing into .RangeStart breaks when only one rule exists
$PreviousRule = $FirewallRules | Where-Object { $_.FirewallRuleName -eq $ExistingFirewallRuleName } | Select-Object -First 1
$previousIP = if ($PreviousRule) { $PreviousRule.RangeStart } else { $null }
$currentIP = (Invoke-WebRequest -Uri $PubIPSource -UseBasicParsing).Content.TrimEnd()

#Stop before touching the firewall if the lookup did not return a parseable IP address
$parsedIP = $null
if (-not [System.Net.IPAddress]::TryParse($currentIP, [ref]$parsedIP)) {
    throw "Unexpected response from ${PubIPSource}: '$currentIP'"
}

#Updating rules if request is coming from new IP address.
if (!($currentIP -eq $previousIP)) {
    Write-Output "Updating Analysis Service firewall config"
    $Rules = [System.Collections.Generic.List[Microsoft.Azure.Commands.AnalysisServices.Models.PsAzureAnalysisServicesFirewallRule]]::new()

    #Storing Analysis Service firewall rules
    $FirewallRules | ForEach-Object {
        #Exception of storage of firewall rule is made for the rule to be updated
        #(-ne instead of -match: a regex match would also drop rules whose names only contain this name)
        if ($_ -and $_.FirewallRuleName -ne $ExistingFirewallRuleName) {
            $tempRule = New-AzAnalysisServicesFirewallRule `
                -FirewallRuleName $_.FirewallRuleName `
                -RangeStart $_.RangeStart `
                -RangeEnd $_.RangeEnd
            $Rules.Add($tempRule)
        }
    }

    Write-Output $FirewallRules #Write all FireWall Rules to Host

    #Add rule for new IP
    $updatedRule = New-AzAnalysisServicesFirewallRule `
        -FirewallRuleName "$ExistingFirewallRuleName" `
        -RangeStart $currentIP `
        -RangeEnd $currentIP
    $Rules.Add($updatedRule)

    #Creating Firewall config object
    if ($powerBi) {
        $conf = New-AzAnalysisServicesFirewallConfig -EnablePowerBiService -FirewallRule $Rules
    }
    else {
        $conf = New-AzAnalysisServicesFirewallConfig -FirewallRule $Rules
    }

    #Setting firewall config
    if ([String]::IsNullOrEmpty($AServiceServer.BackupBlobContainerUri)) {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -DisableBackup `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    }
    else {
        $AServiceServer | Set-AzAnalysisServicesServer `
            -FirewallConfig $conf `
            -BackupBlobContainerUri $AServiceServer.BackupBlobContainerUri `
            -Sku $AServiceServer.Sku.Name.TrimEnd()
    }

    Write-Output "Updated firewall rule to include current IP: $currentIP"
    Write-Output "Enable Power Bi Service was set to: $powerBi"
}
Step 3: Add an Azure PowerShell task and define the arguments.
For example:
- task: AzurePowerShell@5
  displayName: 'Azure PowerShell script: FilePath'
  inputs:
    azureSubscription: kevin0627
    ScriptPath: test.ps1
    ScriptArguments: '-ResourceName AnalysisServicesName -ResourceGroup ResourceGroupName'
    azurePowerShellVersion: LatestVersion
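When you run the pipeline, it will update the existing firewall rule with the current agent's IP.
In this case, you do not need to manually add all the IPs to the firewall.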
About azure - adding Azure-hosted build agent IP addresses to Analysis Services firewall rules: we found a similar question on Stack Overflow: https://stackoverflow.com/questions/72743477/