第 1 步：在门户中创建远程服务（Azure 函数）¶

本主题详细说明了如何创建 Azure 函数以用作外部函数的远程服务。

上一步

创建 Azure 函数应用程序¶

创建远程服务有多种可能的方法。本节介绍如何创建作为 JavaScript 函数实现的远程服务。

This external function is synchronous. For information about creating an asynchronous external function, see Creating an Asynchronous Function on Azure.

创建一个 Azure Functions 应用程序，以用作稍后创建的函数的容器：

如果尚未导入，请登录 Azure 门户。
Create the Azure Functions app by following the instructions in the Microsoft documentation: Azure Functions App (https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal).

按照说明操作时，请记住以下几点：

When you enter a name the Function App Name field, also record the name in the Azure Function app name field in your tracking worksheet.
When asked to choose how to Publish, choose Code.
Some restrictions apply when creating multiple apps in the same resource group. For details, see the Microsoft documentation: Azure app service (https://docs.microsoft.com/en-us/azure/app-service/containers/app-service-linux-intro#limitations).

Snowflake在 Node.js 中提供了一个示例“echo”函数。要使用此示例函数开始入门，请执行以下操作：

When asked for the Runtime stack, select Node.js.
当需要 Node.js 的版本时，选择版本 12。
当需要在哪个 OS 上运行该函数时，选择“Windows”或“Linux”。
- 如果您只是创建演示函数，Snowflake 建议选择“Windows”。

无法在 Azure 门户中编辑 Linux 函数应用程序。用户必须通过 Visual Studio Code 界面发布代码。

If you want to run your Azure Function on Linux rather than Microsoft Windows, see the Microsoft documentation: Azure Functions (https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-function-vs-code?pivots=programming-language-javascript).

使用 Azure Functions 的“消费”定价方案时，Azure AD 身份验证在 Linux 上不可用。您必须使用“应用程序服务”定价方案或“高级”定价方案才能通过 Azure AD 进行身份验证。

For more details, see the Microsoft documentation: Azure AD (https://docs.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad).

创建 HTTP 触发的 Azure 函数¶

创建 Azure Functions 应用程序（容器）后，需要在容器中创建 Azure Functions。此函数充当远程服务。

Microsoft 允许以不同方式调用（“触发”）Azure Functions。Snowflake 外部函数通过 HTTP POST 命令调用远程服务，因此您创建的 Azure 函数必须是“HTTP 触发的函数”。

Tip

您可以使用 Microsoft 提供的说明来创建 HTTP 触发的函数：

Create an app portal (https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-function-app-portal)

Create an Azure function (https://docs.microsoft.com/en-us/azure/azure-functions/functions-create-first-azure-function#create-function)

但是，Snowflake 提供自定义说明，其中包括其他详细信息和示例代码，并建议与 Microsoft 不同的授权级别。建议使用自定义说明来代替 Microsoft 的说明。

创建函数

To perform the tasks described in this section, you should be in the Function App screen in the Azure Portal. The name of your Azure Functions app should be displayed, typically near the upper left corner of the screen.

要创建 HTTP 触发的函数，请执行以下操作：

In the left-hand side menu tree, look for the section titled Functions. In that section, click on the item labeled Functions to add a function.
Click on the + Add button.
Select HTTP trigger from the list of potential triggers on the right.
输入用于 HTTP 触发函数的名称。

Record this name in the HTTP-Triggered Function name field in your tracking worksheet.
Enter the Authorization level.

Snowflake recommends choosing Function as the authorization level.

For more information about possible authorization levels, see the Microsoft documentation: HTTP-triggered functions (https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=csharp#configuration).
Click on the button titled Add.

This takes you to a screen that shows the function name and, below that, the word Function.
In the tree menu on the left-hand side, click on Code + Test.
将默认代码替换为您自己的代码。

下面提供了 JavaScript“echo”函数的示例代码。

该函数读取每一行，然后将相应行复制到输出（结果）。行号也包含在输出中。输出作为多级字典的一部分返回。

This function accepts and returns data in the same format (JSON) that Snowflake sends and reads. For more details about data formats, see Remote Service Input and Output Data Formats .

通常，该函数返回 HTTP 代码 200。如果没有行传递给函数（即，如果请求正文为空），则该函数返回错误代码 400。

module.exports = async function(context, request) {
 context.log('JavaScript HTTP trigger function processed a request.');

 if (request.body) {
     var rows = request.body.data;
     var results = [];
     rows.forEach(row => {
         results.push([row[0], row]);
     });

     results = {data: results}
     context.res = {
         status: 200,
         body: JSON.stringify(results)
     };
}
else {
    context.res = {
        status: 400,
        body: "Please pass data in the request body."
    };
}
};

Click on the Save button above the code.

测试函数

To test the HTTP-triggered Azure Function you just created, paste the following sample data into the Body field and click on the Test/Run button:

{
    "data": [ [ 0, 43, "page" ], [ 1, 42, "life, the universe, and everything" ] ]
}

输出的内容应类似于以下内容：

{ "data":
    [
        [ 0, [ 0, 43, "page" ] ],
        [ 1, [ 1, 42, "life, the universe, and everything" ]  ]
    ]
}

请注意，格式可能与上面显示的不同。

设置 Azure 函数应用程序的授权要求¶

当调用外部函数时，Snowflake 会向代理服务（例如 Azure API 管理服务）发送 HTTP POST命令，代理服务会将 POST 转发到远程服务（例如 Azure 函数）。

这两个步骤都应该有授权要求，因此您通常会指定以下授权：

调用 API 管理服务所需的授权。
调用包含 Azure Functions 的 Azure Functions 应用程序中的函数所需的授权。

本节介绍如何请求 Azure Functions 应用程序的授权。API 管理服务是稍后创建的，因此其授权要求也是稍后指定的。

当 Snowflake 使用您的 Azure Functions 应用程序进行身份验证时，Snowflake 会将 OAuth 客户端凭据授予流程与 Azure AD 结合使用。

For more details about the client credential grant flow, see the Microsoft documentation: client credential (https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow).

此客户端凭据流程需要代表 Azure Functions 应用程序的 Azure AD 应用程序注册。

本节说明了如何为 Azure Functions 应用程序创建 Azure AD 应用程序注册。例如，您可以将 Azure Functions 应用程序设置为需要 Azure AD 身份验证。要通过 Azure AD 配置授权，必须执行以下操作：

Create an Azure AD app registration, which is an Azure AD-based entity that represents an identity or resource identifier (i.e. what you want to protect).
将 Azure AD 应用程序注册与需要身份验证的 Azure Functions 应用程序关联。

Note

For Azure Functions, the fastest way to create an Azure AD app registration is by enabling Azure AD Authentication for the service, as documented below. If you are using a remote service other than an Azure Function, use the App registrations page to create a new Azure AD app registration for your remote service.

有关应用程序注册的更多详细信息，请参阅 Microsoft 文档：

app registration documentation (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)

为 Azure 函数应用程序启用应用程序服务身份验证¶

Before you execute the steps below, you should be on the Function App screen for your Azure Functions app.

In the left-hand menu pane, look for the section named Settings and click on Authentication.

If the left-hand margin shows the Developer menu (with Code + Test, Integration, etc.), if you have a scroll bar at the bottom of your screen, try sliding the scroll bar to the left to return to the Function App or App Service section, and then look for Settings.
Click the Add identity provider button.
In the Identity provider drop-down menu, select Microsoft.
For App registration type, select Create new app registration.
In the Name field, type the name of your app.
For Supported account types, select Current tenant - Single tenant.
For Restrict access, select Require authentication.
For Unauthenticated requests, select HTTP 401 Unauthorized.
Click Next: Permissions. Review the permissions.
Click Add. A new Azure AD application is created and the application page is displayed.
点击显示应用程序名称的链接，可转到 Azure AD 应用程序的页面。
Find the Application (client) ID field.

Record this ID in the Azure Function App AD Application ID field in your tracking worksheet.

Important

确保您复制的是 ID，而不是 Azure AD 应用程序名称。ID 应包含 UUID。

后续步骤

Step 2: Create the proxy service (Azure API Management service) in the Portal