As of September 1, 2023, we strongly recommend using the Azure service tag approach for network isolation. Use of DL-ASE should be limited to highly specific scenarios. Before implementing this solution in a production environment, we recommend that you consult your support team for guidance.
You can add network isolation to an existing Direct Line App Service extension bot. A private endpoint lets your network-isolated bot communicate with the Bot Framework services it needs, so the bot keeps working while restricted to a virtual network.
To add network isolation to your bot:
- Use a virtual network and configure the network to deny outbound traffic. At this point, your bot loses the ability to communicate with other Bot Framework services.
- Configure a private endpoint to restore connectivity.
- Restart your app service and test your bot in the isolated network.
- Disable public network access to your bot.
Prerequisites
- An Azure account. If you don't already have one, create a free account before you begin.
- A subscription with permissions to create Azure Virtual Network and network security group resources.
- A working Direct Line App Service extension bot.
- Your bot uses the Bot Framework SDK for C# or JavaScript, version 4.16 or later.
- Your bot has named pipes enabled.
- Your bot's app service has the Direct Line App Service extension enabled.
- A Web Chat control connected to your bot's Direct Line client.
To confirm that your existing bot is configured correctly:
- In a browser, open your bot's Direct Line client endpoint. For example, https://<your-app_service>.azurewebsites.net/.bot.
- Verify that the page displays the following:
```json
{"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
```
- v shows the build version of the Direct Line App Service extension.
- k indicates whether the extension was able to read an extension key from its configuration.
- initialized indicates whether the extension was able to download bot metadata from Azure AI Bot Service.
- ib indicates whether the extension was able to establish an inbound connection to the bot.
- ob indicates whether the extension was able to establish an outbound connection from the bot.
Create a virtual network
- Go to Azure portal.
- Create an Azure Virtual Network resource in the same region as your bot.
- This creates both a virtual network and a subnet.
- Don't create any virtual machines.
- For general instructions, see Create a virtual network using the Azure portal.
- Open the app service resource for your bot and enable virtual network integration.
- Use the virtual network and subnet from the previous step.
- For general instructions, see Enable virtual network integration in Azure App Service.
- Create a second subnet. You'll use the second subnet later to add your private endpoint.
Deny outbound traffic from your network
- Open the network security group associated with your first subnet.
- If no security group is configured, create one. For more information, see Network security groups.
- Under Settings, select Outbound security rules.
- In the outbound security rules list, enable DenyAllInternetOutbound.
- Go to the app service resource for your bot.
- Restart your app service.
Verify that connectivity is broken
- In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.
- Verify that the page displays the following:
```json
{"v":"123","k":true,"ib":true,"ob":true,"initialized":false}
```
The value of initialized should be false, because your app service and the app service extension can't connect to other Bot Framework services to initialize. Your bot is now isolated in a virtual network for outbound connections.
Create your private endpoint
- Go to Azure portal.
- Open the Azure Bot resource for your bot.
- Under Settings, select Networking.
- On the Private access tab, select Create a private endpoint.
- On the Resource tab, for Target sub-resource, select Bot from the list.
- On the Virtual Network tab, select your virtual network and the second subnet you created.
- Save your private endpoint.
Add your private endpoint to your bot's app service
- Open the Azure App Service resource for your bot.
- Under Settings, select Configuration.
- On the Application settings tab, select New application setting.
- Set Name to DirectLineExtensionABSEndpoint.
- Set Value to the private endpoint URL, for example, https://<your_azure_bot>.privatelink.directline.botframework.com/v3/extension.
- Save the new setting.
Restart your app service and verify that connectivity is restored
- Restart the app service for your bot.
- In a separate browser tab, open the Direct Line client endpoint for your bot. For example, https://<your-app_service>.azurewebsites.net/.bot.
- Verify that the page displays the following:
```json
{"v":"123","k":true,"ib":true,"ob":true,"initialized":true}
```
The value of initialized should be true.
- Use the Web Chat control connected to your bot's Direct Line client to interact with your bot inside the private network.
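The /.bot check is repeated three times in this procedure (before isolation, after denying outbound traffic, and after adding the private endpoint), and each time the same JSON document tells you which stage the bot is in. The script below is an added example, not code from this article or from the Direct Line extension: it parses that document, interprets the fields as the article describes them, and maps the result onto the states the procedure moves through. The state names, the check_endpoint helper and the sample responses are this example's own assumptions and constructions.

```python
import json
import urllib.request

# Status fields reported by the Direct Line App Service extension at /.bot,
# with the meaning the article gives each one ("v" is the build version).
FIELDS = {
    "k": "extension key read from configuration",
    "ib": "inbound connection to the bot established",
    "ob": "outbound connection from the bot established",
    "initialized": "bot metadata downloaded from Azure AI Bot Service",
}


def parse_health(body):
    """Parse the /.bot JSON and require every documented field to be present."""
    data = json.loads(body)
    missing = [name for name in ("v", *FIELDS) if name not in data]
    if missing:
        raise ValueError(f"/.bot response is missing fields: {missing}")
    return data


def classify(health):
    """Map a parsed /.bot document onto the stages of this procedure.
    The state names are this example's own, not extension output."""
    if not health["k"]:
        return "no-extension-key"        # extension key not in app settings
    if not (health["ib"] and health["ob"]):
        return "bot-unreachable"         # named pipes / extension not wired up
    if not health["initialized"]:
        # Expected after DenyAllInternetOutbound and before the private
        # endpoint exists: the extension cannot reach Bot Service to initialize.
        return "outbound-blocked"
    return "healthy"                     # before isolation or after the endpoint


def check_endpoint(url, timeout=10):
    """Fetch a live bot's /.bot endpoint and classify it (hypothetical helper)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify(parse_health(resp.read().decode("utf-8")))


# Constructed sample responses matching the two documents shown in the article.
SAMPLE_CONNECTED = '{"v":"123","k":true,"ib":true,"ob":true,"initialized":true}'
SAMPLE_ISOLATED = '{"v":"123","k":true,"ib":true,"ob":true,"initialized":false}'

if __name__ == "__main__":
    for body in (SAMPLE_CONNECTED, SAMPLE_ISOLATED):
        print(body, "->", classify(parse_health(body)))
```

Run it against a real bot with check_endpoint("https://<your-app_service>.azurewebsites.net/.bot") from inside a network that can reach the app service.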
If your private endpoint doesn't work correctly, you can add a rule to allow outbound traffic specifically to Azure AI Bot Service.
Note
This makes your virtual network a little less isolated.
- Open the network security group associated with your first subnet.
- Under Settings, select Outbound security rules.
- In the outbound security rules list, enable AllowAzureBotService.
- Go to the app service resource for your bot.
- Restart your app service.
Disable public network access to your bot
You can block public access to your Azure AI Bot Service and allow access only through the private endpoint. You can disable public network access for Azure AI Bot Service in the Azure portal.
Tip
This unconfigures the Teams channels. No channels other than Direct Line can be configured or updated in the Azure portal.
- Go to Azure portal.
- Open the app service for your bot.
- Disable public network access.
Additional information
Virtual network configuration
You have a couple of options for configuring your bot for a virtual network.
- Create a virtual network and then enable Azure App Service within the network. This is the option used in this article.
- Create an App Service environment and then add an App Service Plan within the environment.
- Create a virtual network.
- Enable Azure App Service integration within the virtual network.
These are the steps used in this article, as described in the Create a virtual network section.
For more information, see Create a virtual network using the Azure portal and Enable virtual network integration in Azure App Service.
The Direct Line App Service extension is available on all Azure App services, including those hosted within an Azure App Service Environment. An Azure App Service Environment provides isolation and is a good way to work within a virtual network.
- Create an internal or external App Service Environment. For more information, see Create an External App Service Environment and Create and use an Internal Load Balancer App Service Environment.
- Add an App Service Plan inside your environment. You can deploy your bots—such as a Direct Line App Service extension bot—within your plan.
- In the Azure portal, create a new App Service Plan resource.
- Under Region, select your App Service Environment.
- Finish creating your App Service Plan.