[Bot Framework SDK] 配置网络隔离

从2023年9月1日开始，强烈建议使用Azure服务标签方法进行网络隔离。DL-ASE的使用应仅限于高度特定的场景。在生产环境中实施此解决方案之前，我们建议您咨询您的支持团队以获取指导。

您可以将网络隔离添加到现有的Direct Line App Service扩展机器人中。私有端点允许您的网络隔离机器人与所需的机器人框架服务通信，以便机器人在受限于虚拟网络的情况下正常运行。

要为您的机器人添加网络隔离：

• 使用虚拟网络并配置网络以防止出站流量。此时，您的机器人将失去与其他机器人框架服务通信的能力。
• 配置专用终结点以恢复连接。
• 重新启动应用程序服务，并在隔离网络中测试您的机器人。
• 禁用对您的机器人程序的公共网络访问。

先决条件

• Azure帐户。如果您还没有，请在开始之前创建一个免费帐户。
  • 具有创建Azure虚拟网络和网络安全组资源权限的订阅。
• 一个可用的Direct Line App Service扩展机器人。
  • 您的机器人使用C#或JavaScript的bot Framework SDK，版本4.16或更高版本。
  • 您的机器人已启用命名管道。
  • 您的机器人应用程序服务已启用Direct Line应用程序服务扩展。
• 连接到机器人Direct Line客户端的网络聊天控件。

要确认您现有的机器人配置正确：

在浏览器中，打开您的机器人的Direct Line客户端端点。例如，https://<your-app_service>.azurewebsites.net/.bot。

验证页面是否显示以下内容：

1. JSONCopy
   

   {"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
   

   • v shows the build version of the Direct Line App Service extension.
   • k indicates whether the extension was able to read an extension key from its configuration.
   • initialized indicates whether the extension was able to download bot metadata from Azure AI Bot Service.
   • ib indicates whether the extension was able to establish an inbound connection to the bot.
   • ob indicates whether the extension was able to establish an outbound connection from the bot.

1. Go to Azure portal.
2. Create an Azure Virtual Network resource in the same region as your bot.
   
   • This creates both a virtual network and a subnet.
   • Don't create any virtual machines.
   • For general instructions, see Create a virtual network using the Azure portal.
3. Open the app service resource for your bot and enable virtual network integration.
   
   • Use the virtual network and subnet from the previous step.
   • For general instructions, see Enable virtual network integration in Azure App Service.
4. Create a second subnet. You'll use the second subnet later to add your private endpoint.

1. Open the network security group associated with your first subnet.
   
   • If no security group is configured, create one. For more information, see Network security groups.
2. Under Settings, select Outbound security rules.
   
   1. In the outbound security rules list, enable DenyAllInternetOutbound.
3. Go to the app service resource for your bot.
4. Restart your app service.

1. In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.

2. Verify the page displays the following:

   JSONCopy
   

   {"v":"123","k":true,"ib":true,"ob":true,"initialized":false}
   

   The value of initialized should be false, because your app service and app service extension are unable to connect to other Bot Framework services to initialize itself. Your bot is now isolated in a virtual network for outbound connections.

1. Go to Azure portal.
2. Open the Azure Bot resource for your bot.
3. Under Settings, select Networking.
   
   1. On the Private access tab and select Create a private endpoint.
      
      1. On the Resource tab, for Target sub-resource, select Bot from the list.
      2. On the Virtual Network tab, select your virtual network and the second subnet you created.
      3. Save your private endpoint.

1. Open the Azure App Service resource for your bot.
2. Under Settings, select Configuration.
   
   1. On the Application settings tab, select New application setting.
      
      1. Set Name to DirectLineExtensionABSEndpoint.
      2. Set Value to the private endpoint URL, for example, https://<your_azure_bot>.privatelink.directline.botframework.com/v3/extension.
      3. Save the new setting.

1. Restart the app service for your bot.

2. In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.

3. Verify the page displays the following:

   JSONCopy
   

   {"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
   

   The value of initialized should be true.

4. Use the Web Chat control connected to your bot's Direct Line client to interact with your bot inside the private network.

If your private endpoint doesn't work correctly, you can add a rule to allow outbound traffic specifically to Azure AI Bot Service.

1. Open the network security group associated with your first subnet.
2. Under Settings, select Outbound security rules.
   
   1. In the outbound security rules list, enable AllowAzureBotService.
3. Go to the app service resource for your bot.
4. Restart your app service.

You can block public access to your Azure AI Bot Service and only allow access through Private Endpoint. You can disable network access of Azure AI Bot Service in Azure portal.

1. Go to Azure portal.
2. Open the app service for your bot.
3. Disable public network access.

You have a couple options to configure your bot for a virtual network.

• Create a virtual network and then enable Azure App Service within the network. This is the option used in this article.
• Create an App Service environment and then add an App Service Plan within the environment.