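Planning an External Function for Azure

This topic helps you prepare to create an external function for Microsoft Azure using either the Azure Portal or the ARM (Azure Resource Manager) template provided by Snowflake.

Prerequisites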

These instructions assume that you are an experienced Azure Portal user.

To create an external function for Azure, you must have the following:

  • An Azure AD (Active Directory) tenant.

  • An account in that Azure AD tenant. The account must have privileges to:

    • Create an Azure Functions app.
    • Create a service endpoint using Azure API Management service.
    • Register an Azure AD Application.
  • A Snowflake account in which you have the ACCOUNTADMIN role or a role with the CREATE INTEGRATION privilege.

In addition, you should already have an Azure AD Tenant ID.

The Azure AD Tenant ID is a UUID, which is typically formatted to look similar to 12345678-abcd-1234-efab-123456789012, where each non-dash character is a hexadecimal digit.

If you do not already know your Azure AD tenant ID, you can find it using the following procedure:

  1. Log into the Azure Portal (http://portal.azure.com).
  2. In the Azure services icons near the top of the page, click on Azure Active Directory.
  3. In the menu on the left-hand side, look for the section titled Manage, then click on Properties under that.

The Azure AD tenant ID is displayed in the Tenant ID field.

Public Internet or Private Connectivity

When you call an external function, the connectivity from Snowflake to the external service can go through the public Internet or use Azure Private Link (https://learn.microsoft.com/en-us/azure/private-link/private-link-overview) (Microsoft documentation). The choice to use Azure Private Link depends on your security requirements in terms of how you need to connect to the external service. Using Azure Private Link can help you meet your security requirements.

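If you choose to use the public Internet, complete the remainder of this topic, and then follow the numbered topics to create the external function on Azure using the Azure Portal or the ARM template.

If you choose to use Azure Private Link, the configuration process requires the ACCOUNTADMIN role and a Snowflake account that is Business Critical Edition (or higher). Using Azure Private Link incurs additional costs. Complete the remainder of this topic and review these topics to learn more:

Choosing a Method for Creating the External Function

Snowflake provides instructions for two ways to create an external function on Azure:

  • The Azure Portal web interface
  • The ARM (Azure Resource Manager) template provided by Snowflake

Azure Portal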

You can use the Azure Portal (https://azure.microsoft.com/en-us/features/azure-portal/) to create an Azure Function (as the remote service) and an API Management service instance (as the proxy service). If you choose this method, you also use the Azure Portal to configure security-related settings.

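The instructions for creating an external function using the Azure Portal include a sample Azure Function and details for creating a basic API Management service instance:

  • First-time users can use the instructions and the sample Azure Function with little or no modification.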
  • Experienced users can use the instructions and sample Azure Function as a starting point for creating a custom Azure Function and a custom-configured API Management service instance.

ARM (Azure Resource Manager) Template

An ARM template (https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) uses JSON (https://www.json.org/) to describe configuration information about an Azure Function (as the remote service) and an Azure API Management service instance (as the proxy service).

The sample ARM template provided by Snowflake includes the following:

  • A sample Azure Function.
  • Most of the configuration information for a sample API Management service. You must enter some additional information if you wish to customize the sample API Management service.
  • Code to create the storage account required by the Azure Functions service.
  • Code to add a validate-JWT (JSON Web Token) Policy to the API Management instance in order to increase security of the Azure API Management service. However, you must manually update the validate-JWT policy before using it.

ARM templates are useful for both first-time users and experienced users:

  • First-time users might want to start with the Snowflake sample template because it reduces the number of steps required to create the Azure Function and the API Management service instance.

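Note that although the template-based instructions can help you create your first external function quickly, they skip steps that most users need when creating a custom external function.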

  • Experienced users might want to use ARM templates because templates can be used to automate deployment. This can be useful if you are developing an Azure Function and API Management service iteratively.

For more information about configuring Azure Functions using ARM templates, see the Microsoft documentation: resource deployment (https://docs.microsoft.com/en-us/azure/azure-functions/functions-infrastructure-as-code).

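Preparing to Use the Azure Portal

These sections help you prepare to create an external function on Microsoft Azure using the Azure Portal.

Choosing a Pricing Plan for the Azure Function

In Microsoft Azure, an Azure Function (the remote service) can run on either a Linux host or a Windows host. Currently, Azure offers different combinations of pricing and authentication options for Linux and Windows hosts.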

If you plan to run your Azure Function on Linux, then you must choose a valid combination of Azure pricing plan and authentication:

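Creating a Worksheet to Track Required Information

As you complete the tasks to create an external function in the Azure Portal, you must enter specific values (such as the API Management service name) at each step of the creation process. Often, those values are needed again in later steps.

To make it easier to record and track this information, we provide a worksheet with a field for each required value: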

================================================================================
======================= Tracking Worksheet: Azure Portal =======================
================================================================================

****** Step 1: Azure Function (Remote Service) Info ****************************

Azure Function app name: _______________________________________________________
HTTP-Triggered Function name: __________________________________________________
Azure Function AD app registration name: _______________________________________
Azure Function App AD Application ID: __________________________________________

    (The value for the Azure Function App AD Application ID above is the
    "Application (client) ID" of the Azure AD app registration for the
    Azure Function. The value is used to fill in the "azure_ad_application_id"
    field in the CREATE API INTEGRATION command. This value is in the form of a
    UUID (universally unique identifier), which contains hexadecimal digits and
    dashes.)


****** Step 2: Azure API Management Service (Proxy Service) Info ***************

API Management service name: ___________________________________________________
API Management API URL suffix: _________________________________________________


****** Steps 3-5: API Integration & External Function Info *********************

API Integration Name: __________________________________________________________
AZURE_MULTI_TENANT_APP_NAME: ___________________________________________________
AZURE_CONSENT_URL: _____________________________________________________________

External Function Name: ________________________________________________________

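Preparing to Use the ARM Template

These sections help you prepare to create an external function on Microsoft Azure using the ARM template provided by Snowflake.

Downloading the Template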

The template is available to download from the Snowflake repository in GitHub (https://github.com/Snowflake-Labs/sfguide-external-functions-examples/tree/main/DeploymentTemplates/azure/BasicSetup.json).

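The template must be imported into the Azure Portal before you can use it. Details about importing the template are given in the later topics that describe using the template.

Choosing a Pricing Plan for the Azure Function

In Microsoft Azure, an Azure Function (the remote service) can run on either a Linux host or a Windows host. Currently, Azure offers different combinations of pricing and authentication options for Linux and Windows hosts.

The ARM template provided by Snowflake uses the following pricing plan and authentication settings by default:

  • Uses a Windows host for the Azure Function by default.
  • Defaults to the "Consumption" pricing tier.
  • Creates the Azure Functions app and configures the app to require AD (Active Directory) authentication.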
  • Creates a security policy to validate a JWT (JSON Web Token) that authorizes Snowflake to call your Azure Function.

Note that this security policy is missing one field; instructions provided later tell you how to fill in this field.
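Because the template's validate-JWT policy must be completed by hand before use, a pre-deployment check can catch a policy that was left unfinished. The following Python check is an added example (it is not part of the Snowflake documentation or template): it scans an ARM template for API Management policy resources and reports validate-jwt policies with empty or absent required-claim values. The template fragment, the resource name, and the `appid` claim are constructed for illustration, and the check assumes that the unfilled field appears as an empty claim value.

```python
import json
import xml.etree.ElementTree as ET

POLICY_TYPE = "Microsoft.ApiManagement/service/apis/policies"

# Constructed ARM template fragment (NOT Snowflake's template): an API policy
# whose validate-jwt required claim was left without a value.
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": POLICY_TYPE,
    "name": "example-apim/example-api/policy",
    "properties": {"format": "xml", "value": (
        "<policies><inbound><base />"
        '<validate-jwt header-name="Authorization">'
        '<openid-config url="https://login.microsoftonline.com/'
        '12345678-abcd-1234-efab-123456789012/.well-known/openid-configuration" />'
        '<required-claims><claim name="appid"><value></value></claim>'
        "</required-claims></validate-jwt></inbound></policies>")},
}]})

def audit_validate_jwt(template_text):
    """Return a list of findings for validate-jwt policies in an ARM template."""
    findings = []
    # Only top-level resources are scanned; nested resources are out of scope.
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") != POLICY_TYPE:
            continue
        name = res.get("name", "?")
        try:
            root = ET.fromstring(res.get("properties", {}).get("value") or "")
        except ET.ParseError:
            findings.append(f"{name}: policy XML could not be parsed; review by hand")
            continue
        policies = list(root.iter("validate-jwt"))
        if not policies:
            findings.append(f"{name}: no validate-jwt policy found")
        for jwt in policies:
            if jwt.find("openid-config") is None and jwt.find("issuer-signing-keys") is None:
                findings.append(f"{name}: no openid-config or issuer-signing-keys")
            claims = jwt.findall("./required-claims/claim")
            if not claims:
                findings.append(f"{name}: no required-claims; tokens are not bound to a caller")
            for claim in claims:
                values = [(v.text or "").strip() for v in claim.findall("value")]
                if not values or not all(values):
                    findings.append(f"{name}: claim '{claim.get('name')}' has no value")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_validate_jwt(SAMPLE_TEMPLATE)))
```

An empty result means every validate-jwt policy found names a key source and at least one non-empty required claim; it does not confirm that the claim value is the correct one.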

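If you plan to run the Azure API Management instance or the Azure Function with a different configuration, you must update the template. For information about updating the template, see the Microsoft documentation:

Creating a Worksheet to Track Required Information

As you complete the tasks to create an external function using the ARM template provided by Snowflake, you must enter specific values (such as the API Management service name) at each step of the process. Often, those values are needed again in later steps.

To make it easier to record and track this information, we provide a worksheet with a field for each required value: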

Note

For information that is hard-coded in the ARM template, the values are already filled in.

================================================================================
======================= Tracking Worksheet: ARM Template =======================
================================================================================

****** Step 1: Azure Function (Remote Service) Info ****************************

HTTP-Triggered Function name: __________________ echo __________________________
Azure Function AD Application ID: ______________________________________________

    (The value for the Azure Function AD Application ID above is the
    "Application (client) ID" of the Azure AD app registration for the
    Azure Function. The value is used to fill in the "azure_ad_application_id"
    field in the CREATE API INTEGRATION command. This value is in the form of a
    UUID (universally unique identifier), which contains hexadecimal digits and
    dashes.)


****** Step 2: Azure API Management Service (Proxy Service) Info ***************

API Management service name: ___________________________________________________
API Management URL: ____________________________________________________________
Azure Function HTTP Trigger URL: _______________________________________________
API Management API URL suffix: _________________________________________________


****** Steps 3-5: API Integration & External Function Info *********************

API Integration Name: __________________________________________________________
AZURE_MULTI_TENANT_APP_NAME: ___________________________________________________
AZURE_CONSENT_URL: _____________________________________________________________

External Function Name: ________________________________________________________

Next Steps

Azure Portal:

Step 1: Create the remote service (Azure function) in the Portal

ARM template:

Step 1: Create an Azure AD app for the Azure functions app in the Portal