Azure App Service Hybrid Connections

Hybrid Connections is both a service in Azure and a feature in Azure App Service. As a service, it has uses and capabilities beyond those that are used in App Service. To learn more about Hybrid Connections and their usage outside App Service, see Azure Relay Hybrid Connections.

Within App Service, Hybrid Connections can be used to access application resources in any network that can make outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection corresponds to a single TCP host and port combination. This enables your apps to access resources on any OS, provided the resource is a TCP endpoint. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It simply provides network access.

How it works

Hybrid Connections requires a relay agent to be deployed where it can reach both the desired endpoint and Azure. The relay agent, Hybrid Connection Manager (HCM), calls out to Azure Relay over port 443. On the web app side, the App Service infrastructure also connects to Azure Relay on your application's behalf. Through the joined connections, your app is able to reach the desired endpoint. The connection uses TLS 1.2 for transport security and shared access signature (SAS) keys for authentication and authorization.

[Diagram: high-level flow of a Hybrid Connection]

When your app makes a DNS request that matches a configured Hybrid Connection endpoint, the outbound TCP traffic is redirected through the Hybrid Connection.

Note

This means that you should always try to use a DNS name for your Hybrid Connection endpoint. Some client software does not perform a DNS lookup when the endpoint is given as an IP address, so the traffic is never intercepted and never reaches the relay.

App Service Hybrid Connection benefits

There are a number of benefits to the Hybrid Connections capability, including:

  • Apps can access on-premises systems and services securely.
  • The feature does not require an internet-accessible endpoint.
  • It is quick and easy to set up. No gateways are required.
  • Each Hybrid Connection matches a single host:port combination, which limits what the app can reach and is helpful for security.
  • It normally does not require firewall holes. The connections are all outbound over standard web ports.
  • Because the feature operates at the network level, it is agnostic to the language used by your app and the technology used by the endpoint.
  • It can be used to provide access to multiple networks from a single app.
  • It is supported in GA for Windows apps and is in preview for Linux apps.

Things you cannot do with Hybrid Connections

Things you cannot do with Hybrid Connections include:

  • Mount a drive.
  • Use UDP.
  • Access TCP-based services that use dynamic ports, such as FTP Passive Mode or Extended Passive Mode.
  • Support LDAP, because it can require UDP.
  • Support Active Directory, because you cannot domain-join an App Service worker.

Add and create Hybrid Connections in your app

To create a Hybrid Connection, go to the Azure portal and select your app. Select Networking > Configure your Hybrid Connection endpoints. Here you can see the Hybrid Connections that are configured for your app.

[Screenshot: list of Hybrid Connections]

To add a new Hybrid Connection, select [+] Add hybrid connection. You'll see a list of the Hybrid Connections that you already created. To add one or more of them to your app, select the ones you want, and then select Add selected Hybrid Connection.

[Screenshot: Hybrid Connections portal]

If you want to create a new Hybrid Connection, select Create new hybrid connection. Specify the:

  • Hybrid Connection name.
  • Endpoint hostname.
  • Endpoint port.
  • Service Bus namespace you want to use.

[Screenshot: Create new hybrid connection dialog]

Every Hybrid Connection is tied to a Service Bus namespace, and each Service Bus namespace is in an Azure region. Use a Service Bus namespace in the same region as your app wherever possible, to avoid network-induced latency.

If you want to remove a Hybrid Connection from your app, right-click it and select Disconnect.

When a Hybrid Connection is added to your app, you can see its details by selecting it.

[Screenshot: Hybrid Connection details]

Create a Hybrid Connection in the Azure Relay portal

In addition to the portal experience from within your app, you can create Hybrid Connections from within the Azure Relay portal. For a Hybrid Connection to be usable by App Service, it must:

  • Require client authorization.
  • Have a metadata item named endpoint whose value is a host:port combination.
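The following Python is an added example, not code from the original page or from App Service itself. It checks a Microsoft.Relay hybridConnections resource against the two requirements above and builds the metadata string for a new one. It assumes the ARM shape of the resource: requiresClientAuthorization as a boolean property, and the metadata stored in userMetadata as a JSON-encoded list of {key, value} objects, which is how the portal and CLI record the endpoint item. It also applies the note earlier on this page that the endpoint should be a DNS name rather than an IP literal. The sample resource and its hostname are constructed.

```python
import ipaddress
import json

# Constructed sample of a Microsoft.Relay/namespaces/hybridConnections resource
# (shape assumed from the documented properties; name and endpoint are invented).
SAMPLE_HYBRID_CONNECTION = {
    "name": "sql-onprem",
    "type": "Microsoft.Relay/namespaces/hybridConnections",
    "properties": {
        "requiresClientAuthorization": True,
        "userMetadata": json.dumps(
            [{"key": "endpoint", "value": "sqlhost.corp.example:1433"}]
        ),
    },
}


def build_user_metadata(host, port):
    """Return the userMetadata JSON App Service expects: a list with one 'endpoint' item."""
    return json.dumps([{"key": "endpoint", "value": f"{host}:{port}"}])


def parse_endpoint(value):
    """Split 'host:port' and validate the port range; raises ValueError on bad input."""
    host, sep, port = value.rpartition(":")
    if not sep or not host:
        raise ValueError(f"not a host:port value: {value!r}")
    port = int(port)  # raises ValueError if not numeric
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def check_hybrid_connection(resource):
    """Return a list of problems; an empty list means App Service can use the resource."""
    problems = []
    props = resource.get("properties", {})

    # Requirement 1: client authorization must be enforced (SAS-authenticated listeners/senders).
    if props.get("requiresClientAuthorization") is not True:
        problems.append("requiresClientAuthorization must be true")

    # Requirement 2: exactly one metadata item named 'endpoint' carrying host:port.
    try:
        items = json.loads(props.get("userMetadata") or "[]")
    except json.JSONDecodeError:
        problems.append("userMetadata is not valid JSON")
        return problems
    endpoints = [i.get("value") for i in items
                 if isinstance(i, dict) and i.get("key") == "endpoint"]
    if len(endpoints) != 1:
        problems.append("exactly one metadata item named 'endpoint' is required")
        return problems
    try:
        host, _port = parse_endpoint(endpoints[0])
    except ValueError:
        problems.append(f"endpoint {endpoints[0]!r} is not host:port with a port in 1-65535")
        return problems

    # Page caveat: an IP literal is not intercepted by clients that skip DNS lookup.
    try:
        ipaddress.ip_address(host)
        problems.append(f"endpoint host {host} is an IP literal; use a DNS name so the "
                        "app's DNS lookup is intercepted and routed through the relay")
    except ValueError:
        pass  # a hostname, as recommended
    return problems


if __name__ == "__main__":
    print(check_hybrid_connection(SAMPLE_HYBRID_CONNECTION))  # [] when usable
    print(build_user_metadata("sqlhost.corp.example", 1433))
```

Run the check against the JSON you get back for the resource before wiring it to an app; a non-empty result is the same set of conditions that make the portal or CLI refuse or silently misroute the connection.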

Hybrid Connections and App Service plans

App Service Hybrid Connections are only available in the Basic, Standard, Premium, and Isolated pricing SKUs. There are limits tied to the pricing plan:

  Pricing plan    Number of Hybrid Connections usable in the plan
  Basic           5 per plan
  Standard        25 per plan
  PremiumV2       200 per app
  Isolated        200 per app

The App Service plan UI shows you how many Hybrid Connections are being used and by which apps.

[Screenshot: App Service plan properties]

Select a Hybrid Connection to see its details. You can see all the information that you saw in the app view. You can also see how many other apps in the same plan are using that Hybrid Connection.

There is a limit on the number of Hybrid Connection endpoints that can be used in an App Service plan. Each Hybrid Connection, however, can be used by any number of apps in that plan. For example, a single Hybrid Connection that is used in five separate apps in an App Service plan counts as one Hybrid Connection.

Pricing

In addition to the App Service plan SKU requirement, there is an additional cost to using Hybrid Connections. There is a charge for each listener used by a Hybrid Connection. The listener is the Hybrid Connection Manager. If you had five Hybrid Connections supported by two Hybrid Connection Managers, that would be 10 listeners. For more information, see Service Bus pricing.

Hybrid Connection Manager

The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint. That relay agent is called the Hybrid Connection Manager (HCM). To download HCM, from your app in the Azure portal, select Networking > Configure your Hybrid Connection endpoints.

This tool runs on Windows Server 2012 and later. The HCM runs as a service and connects outbound to Azure Relay on port 443.

After installing HCM, you can run HybridConnectionManagerUi.exe to use the tool's UI. This file is in the Hybrid Connection Manager installation directory. On Windows 10, you can also simply search for Hybrid Connection Manager UI in your search box.

[Screenshot: Hybrid Connection Manager]

When you start the HCM UI, the first thing you see is a table that lists all the Hybrid Connections configured with this instance of the HCM. If you want to make any changes, first authenticate with Azure.

To add one or more Hybrid Connections to your HCM:

  1. Start the HCM UI.

  2. Select Configure another Hybrid Connection. [Screenshot: Configure New Hybrid Connections]

  3. Sign in with your Azure account to list the Hybrid Connections available in your subscriptions. The HCM does not continue to use your Azure account beyond that; once configured, it authenticates to the relay with the Hybrid Connection's SAS key.

  4. Choose a subscription.

  5. Select the Hybrid Connections that you want the HCM to relay. [Screenshot: Hybrid Connections]

  6. Select Save.

You can now see the Hybrid Connections you added. You can also select a configured Hybrid Connection to see its details.

[Screenshot: Hybrid Connection details]

To support the Hybrid Connections it is configured with, HCM requires:

  • TCP access to Azure over port 443.
  • TCP access to the Hybrid Connection endpoint.
  • The ability to do DNS lookups on the endpoint host and the Service Bus namespace.

Note

Azure Relay relies on WebSockets for connectivity. This capability is only available on Windows Server 2012 or later. Because of that, HCM is not supported on anything earlier than Windows Server 2012.

Redundancy

Each HCM can support multiple Hybrid Connections. Also, any given Hybrid Connection can be supported by multiple HCMs. The default behavior is to route traffic across all the HCMs configured for a given endpoint. If you want high availability for your Hybrid Connections from your network, run multiple HCMs on separate machines. The load distribution algorithm used by the Relay service to distribute traffic to the HCMs is random assignment.

Manually add a Hybrid Connection

To enable someone outside your subscription to host an HCM instance for a given Hybrid Connection, share the gateway connection string for the Hybrid Connection with them. You can see the gateway connection string in the Hybrid Connection properties in the Azure portal. To use that string, select Enter Manually in the HCM, and paste in the gateway connection string.

The gateway connection string embeds the SAS key that authenticates the listener, so treat it as a secret: anyone who holds it can run an HCM for that Hybrid Connection and accept relayed traffic into their own network. Share it only over a secure channel, and regenerate the key if it is exposed.

[Screenshot: Manually add a Hybrid Connection]

Upgrade

There are periodic updates to the Hybrid Connection Manager to fix issues or provide improvements. When an upgrade is released, a popup appears in the HCM UI. Applying the upgrade applies the changes and restarts the HCM.

Adding a Hybrid Connection to your app programmatically

There is Azure CLI support for Hybrid Connections. The commands operate at both the app and the App Service plan level. The app-level commands are:

az webapp hybrid-connection

Group
    az webapp hybrid-connection : Methods that list, add and remove hybrid-connections from webapps.
        This command group is in preview. It may be changed/removed in a future release.
Commands:
    add    : Add a hybrid-connection to a webapp.
    list   : List the hybrid-connections on a webapp.
    remove : Remove a hybrid-connection from a webapp.

The App Service plan commands let you set which key a given Hybrid Connection uses. Each Hybrid Connection has two keys, a primary and a secondary. You can choose the primary or the secondary key with the commands below. This lets you rotate keys without downtime: switch the plan to the secondary key, regenerate the primary, then switch back, so no live connection ever depends on a key that is being regenerated.

az appservice hybrid-connection --help

Group
    az appservice hybrid-connection : A method that sets the key a hybrid-connection uses.
        This command group is in preview. It may be changed/removed in a future release.
Commands:
    set-key : Set the key that all apps in an appservice plan use to connect to the hybrid-
                connections in that appservice plan.

Secure your Hybrid Connections

An existing Hybrid Connection can be added to other App Service web apps by any user who has sufficient permissions on the underlying Azure Service Bus Relay. This means that if you must prevent others from reusing that same Hybrid Connection (for example, when the target resource is a service that has no additional security measures of its own to prevent unauthorized access), you must lock down access to the Azure Service Bus Relay.

Anyone with Reader access to the Relay can see the Hybrid Connection when attempting to add it to their web app in the Azure portal, but they cannot add it, because they lack the permission to retrieve the connection string used to establish the relay connection. To successfully add the Hybrid Connection, they must have the listKeys permission (Microsoft.Relay/namespaces/hybridConnections/authorizationRules/listKeys/action). The Contributor role, or any other role that includes this permission on the Relay, allows users to use the Hybrid Connection and add it to their own web apps. Before granting a broad built-in role on the namespace, check whether it carries this action; if a user only needs to see the resource, a role without listKeys is sufficient.
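As an added example (not part of the original page or of any Azure library), the following Python evaluates whether a role definition grants the listKeys action above, using Azure RBAC's matching rules: Actions and NotActions are compared case-insensitively, "*" matches any run of characters including "/", and an action is granted only if some Actions pattern matches and no NotActions pattern does. Reader and Contributor are reduced to the parts of the built-in definitions that matter here; the two custom roles are hypothetical.

```python
import re

LIST_KEYS_ACTION = (
    "Microsoft.Relay/namespaces/hybridConnections/authorizationRules/listKeys/action"
)

# Constructed role definitions. Reader and Contributor keep only the Actions/NotActions
# relevant to this check; the two custom roles are assumptions for illustration.
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Hybrid Connection Viewer (custom)": {
        "actions": ["Microsoft.Relay/namespaces/hybridConnections/read"],
        "notActions": [],
    },
    "Relay Operator without listKeys (custom)": {
        "actions": ["Microsoft.Relay/*"],
        "notActions": ["Microsoft.Relay/*/listKeys/action"],
    },
}


def action_matches(pattern, action):
    """Azure RBAC wildcard match: '*' matches any characters; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role, action):
    """True if the role's Actions allow the action and its NotActions do not exclude it."""
    allowed = any(action_matches(p, action) for p in role.get("actions", []))
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def roles_that_can_add_hybrid_connection(roles):
    """Names of roles whose holders could attach the Hybrid Connection to their own web app."""
    return sorted(name for name, role in roles.items()
                  if role_grants(role, LIST_KEYS_ACTION))


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(f"{name}: listKeys={'GRANTED' if role_grants(role, LIST_KEYS_ACTION) else 'denied'}")
```

Feed it the Actions and NotActions of the roles actually assigned on the Relay namespace (for example, from the output of an `az role definition list` call) to see which assignments would let a user reuse the Hybrid Connection.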

Troubleshooting

A status of "Connected" means that at least one HCM is configured with that Hybrid Connection and is able to reach Azure. If the status for your Hybrid Connection does not say Connected, the Hybrid Connection is not configured on any HCM that has access to Azure.

The primary reason that clients cannot connect to their endpoint is that the endpoint was specified with an IP address instead of a DNS name. If your app cannot reach the desired endpoint and you used an IP address, switch to a DNS name that is valid on the host where the HCM is running. Also check that the DNS name resolves properly on the host where the HCM is running, and confirm that there is connectivity from that host to the Hybrid Connection endpoint.

In App Service, the tcpping command line tool can be invoked from the Advanced Tools (Kudu) console. This tool can tell you whether you have access to a TCP endpoint, but it does not tell you whether you have access to a Hybrid Connection endpoint. When you use the tool in the console against a Hybrid Connection endpoint, you are only confirming that the Hybrid Connection is configured with that host:port combination, not that the far side answers.

If you have a command line client for your endpoint, you can test connectivity from the app console. For example, you can test access to web server endpoints by using curl.