Azure API Management FAQs

Get the answers to common questions, patterns, and best practices for Azure API Management.


This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Contact us

Frequently asked questions

How can I ask the Microsoft Azure API Management team a question?

You can contact us by using one of these options:

What does it mean when a feature is in preview?

When a feature is in preview, it means that we're actively seeking feedback on how the feature is working for you. A feature in preview is functionally complete, but it's possible that we'll make a breaking change in response to customer feedback. We recommend that you don't depend on a feature that is in preview in your production environment. If you have any feedback on preview features, please let us know through one of the contact options in How can I ask the Microsoft Azure API Management team a question?.

How can I secure the connection between the API Management gateway and my back-end services?

You have several options to secure the connection between the API Management gateway and your back-end services. You can:

How do I copy my API Management service instance to a new instance?

You have several options if you want to copy an API Management instance to a new instance. You can:

Can I manage my API Management instance programmatically?

Yes, you can manage API Management programmatically by using:

How do I add a user to the Administrators group?

Here's how you can add a user to the Administrators group:

  1. Sign in to the Azure portal.
  2. Go to the resource group that has the API Management instance you want to update.
  3. In API Management, assign the API Management Service Contributor role to the user.

Now the newly added contributor can use Azure PowerShell cmdlets. Here's how to sign in as an administrator:

  1. Use the Connect-AzAccount cmdlet to sign in.
  2. Set the context to the subscription that has the service by using Set-AzContext -SubscriptionID <subscriptionGUID>.
  3. Get a single sign-on URL by using Get-AzApiManagementSsoToken -ResourceGroupName <rgName> -Name <serviceName>.
  4. Use the URL to access the admin portal.

Why is the policy that I want to add unavailable in the policy editor?

If the policy that you want to add appears dimmed or shaded in the policy editor, be sure that you are in the correct scope for the policy. Each policy statement is designed for you to use in specific scopes and policy sections. To review the policy sections and scopes for a policy, see the policy's Usage section in API Management policies.

How do I set up multiple environments in a single API?

To set up multiple environments, for example, a test environment and a production environment, in a single API, you have two options. You can:

  • Host different APIs on the same tenant.
  • Host the same APIs on different tenants.

Can I use SOAP with API Management?

SOAP pass-through support is now available. Administrators can import the WSDL of their SOAP service, and Azure API Management will create a SOAP front end. Developer portal documentation, test console, policies and analytics are all available for SOAP services.

Is the API Management gateway IP address constant? Can I use it in firewall rules?

In all tiers of API Management, the public IP address (VIP) of the API Management tenant is static for the lifetime of the tenant, with some exceptions. The IP address changes in these circumstances:

  • The service is deleted and then re-created.
  • The service subscription is suspended or warned (for example, for nonpayment) and then reinstated.
  • You add or remove Azure Virtual Network (you can use Virtual Network only at the Developer and Premium tier).

For multi-region deployments, the regional address changes if the region is vacated and then reinstated (you can use multi-region deployment only at the Premium tier).

Premium tier tenants that are configured for multi-region deployment are assigned one public IP address per region.

You can get your IP address (or addresses, in a multi-region deployment) on the tenant page in the Azure portal.

Can I configure an OAuth 2.0 authorization server with AD FS security?

To learn how to configure an OAuth 2.0 authorization server with Active Directory Federation Services (AD FS) security, see Using ADFS in API Management.

What routing method does API Management use in deployments to multiple geographic locations?

API Management uses the performance traffic routing method in deployments to multiple geographic locations. Incoming traffic is routed to the closest API gateway. If one region goes offline, incoming traffic is automatically routed to the next closest gateway. Learn more about routing methods in Traffic Manager routing methods.

Can I use an Azure Resource Manager template to create an API Management service instance?

Yes. See the Azure API Management Service QuickStart templates.

Can I use a self-signed SSL certificate for a back end?

Yes. This can be done through PowerShell or by directly submitting to the API. This will disable certificate chain validation and will allow you to use self-signed or privately-signed certificates when communicating from API Management to the back-end services.

PowerShell method

Use the New-AzApiManagementBackend (for a new back end) or Set-AzApiManagementBackend (for an existing back end) PowerShell cmdlets and set the -SkipCertificateChainValidation parameter to True.

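# Create a context for the service, then register a back end with certificate chain validation disabled.
$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'
New-AzApiManagementBackend -Context $context -Url '' -Protocol http -SkipCertificateChainValidation $true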

Direct API update method

  1. Create a Backend entity by using API Management.
  2. Set the skipCertificateChainValidation property to true.
  3. If you no longer want to allow self-signed certificates, delete the Backend entity, or set the skipCertificateChainValidation property to false.
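
As an added example (not part of the original article and not Microsoft's code), the PowerShell below audits back ends for the setting described above, so that disabled chain validation does not stay in place unnoticed. Find-ApimWeakBackend is a hypothetical helper name, the sample objects are constructed, and the property names BackendId, Url and SkipCertificateChainValidation are assumed to match the objects returned by Get-AzApiManagementBackend.

```powershell
# Added example: flag API Management back ends with weak transport settings.
# Find-ApimWeakBackend is a hypothetical helper; property names are assumed to
# match the objects that Get-AzApiManagementBackend returns.
function Find-ApimWeakBackend {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Backend
    )
    process {
        $findings = @()
        # $null (never set) and $false both mean the chain is still validated.
        if ($Backend.SkipCertificateChainValidation -eq $true) {
            $findings += 'certificate chain validation disabled'
        }
        # A plain http:// URL means there is no certificate to validate at all.
        $uri = $null
        if ([uri]::TryCreate([string]$Backend.Url, [UriKind]::Absolute, [ref]$uri)) {
            if ($uri.Scheme -eq 'http') { $findings += 'plain HTTP URL (no TLS)' }
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                BackendId = $Backend.BackendId
                Url       = $Backend.Url
                Findings  = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects so the function can be run offline.
$sample = @(
    [pscustomobject]@{ BackendId = 'orders';  Url = 'https://orders.internal.example';  SkipCertificateChainValidation = $true }
    [pscustomobject]@{ BackendId = 'billing'; Url = 'https://billing.internal.example'; SkipCertificateChainValidation = $false }
    [pscustomobject]@{ BackendId = 'legacy';  Url = 'http://legacy.internal.example';   SkipCertificateChainValidation = $null }
)
$sample | Find-ApimWeakBackend | Format-Table -AutoSize

# Against a live service (resource names taken from the article's example):
# $context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'
# Get-AzApiManagementBackend -Context $context | Find-ApimWeakBackend
# Re-enable validation on a flagged back end:
# Set-AzApiManagementBackend -Context $context -BackendId '<backendId>' -SkipCertificateChainValidation $false
```

With the constructed input, 'orders' and 'legacy' are reported and 'billing' is not.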

Why do I get an authentication failure when I try to clone a Git repository?

If you use Git Credential Manager, or if you're trying to clone a Git repository by using Visual Studio, you might run into a known issue with the Windows credentials dialog box. The dialog box limits password length to 127 characters, and it truncates the Microsoft-generated password. We are working on shortening the password. For now, please use Git Bash to clone your Git repository.

Does API Management work with Azure ExpressRoute?

Yes. API Management works with Azure ExpressRoute.

Why do we require a dedicated subnet in Resource Manager style VNETs when API Management is deployed into them?

The dedicated subnet requirement for API Management comes from the fact that it is built on the Classic (PaaS V1 layer) deployment model. While we can deploy into a Resource Manager VNET (V2 layer), there are consequences to that. The Classic deployment model in Azure is not tightly coupled with the Resource Manager model, so if you create a resource in the V2 layer, the V1 layer doesn't know about it and problems can happen, such as API Management trying to use an IP that is already allocated to a NIC (built on V2). To learn more about the differences between the Classic and Resource Manager models in Azure, refer to difference in deployment models.

What is the minimum subnet size needed when deploying API Management into a VNET?

The minimum subnet size needed to deploy API Management is /29, which is the minimum subnet size that Azure supports.

Can I move an API Management service from one subscription to another?

Yes. To learn how, see Move resources to a new resource group or subscription.

Are there restrictions on or known issues with importing my API?

Known issues and restrictions for Open API (Swagger), WSDL and WADL formats.