Azure 应用服务混合连接Azure App Service Hybrid Connections
混合连接既是 Azure 中的一个服务,也是 Azure 应用服务中的一项功能。Hybrid Connections is both a service in Azure and a feature in Azure App Service. 作为服务,它的用途和功能超越了应用服务中使用的功能。As a service, it has uses and capabilities beyond those that are used in App Service. 若要详细了解混合连接及其在应用服务外部的用途,请参阅 Azure 中继混合连接。To learn more about Hybrid Connections and their usage outside App Service, see Azure Relay Hybrid Connections.
在应用服务中,混合连接可用于访问其他网络中的应用程序资源。Within App Service, Hybrid Connections can be used to access application resources in other networks. 使用混合连接可以从应用访问应用程序终结点。It provides access from your app to an application endpoint. 它无法提供可用于访问应用程序的替代功能。It does not enable an alternate capability to access your application. 在应用服务中使用时,每个混合连接与单个 TCP 主机和端口组合相关联。As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. 这意味着,混合连接终结点可以位于任何操作系统和任何应用程序上,前提是能够访问 TCP 侦听端口。This means that the Hybrid Connection endpoint can be on any operating system and any application, provided you are accessing a TCP listening port. 混合连接功能不知道、也不关心应用程序协议或者要访问的内容是什么。The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. 它只提供网络访问。It is simply providing network access.
工作原理How it works
混合连接功能由针对 Azure 服务总线中继发出的两个出站调用组成。The Hybrid Connections feature consists of two outbound calls to Azure Service Bus Relay. 从应用服务中运行应用的主机上的某个库建立了一个连接。There is a connection from a library on the host where your app is running in App Service. 另外,还建立了从混合连接管理器 (HCM) 到服务总线中继的连接。There is also a connection from the Hybrid Connection Manager (HCM) to Service Bus Relay. HCM 是部署在网络中的一种中继服务,用于托管你正在尝试访问的资源。The HCM is a relay service that you deploy within the network hosting the resource you are trying to access.
通过这两个连接,应用可与 HCM 另一端的固定“主机:端口”组合建立 TCP 隧道。Through the two joined connections, your app has a TCP tunnel to a fixed host:port combination on the other side of the HCM. 连接使用 TLS 1.2 来确保安全,使用共享访问签名 (SAS) 密钥进行身份验证和授权。The connection uses TLS 1.2 for security and shared access signature (SAS) keys for authentication and authorization.
如果应用发出了与配置的混合连接终结点匹配的 DNS 请求,则会通过混合连接重定向出站 TCP 流量。When your app makes a DNS request that matches a configured Hybrid Connection endpoint, the outbound TCP traffic will be redirected through the Hybrid Connection.
Note
这意味着,始终应该尽量为混合连接使用 DNS 名称。This means that you should try to always use a DNS name for your Hybrid Connection. 如果终结点使用 IP 地址,某些客户端软件不会执行 DNS 查找。Some client software does not do a DNS lookup if the endpoint uses an IP address instead.
应用服务混合连接的优势App Service Hybrid Connection benefits
混合连接功能提供许多优势,包括:There are a number of benefits to the Hybrid Connections capability, including:
- 应用可以访问本地系统和服务。Apps can access on-premises systems and services securely.
- 该功能不需要可访问 Internet 的终结点。The feature does not require an internet-accessible endpoint.
- 设置过程快速而轻松。It is quick and easy to set up.
- 每个混合连接与单个“主机:端口”组合匹配,这非常有利于安全性。Each Hybrid Connection matches to a single host:port combination, helpful for security.
- 通常不需要在防火墙中开放端口。It normally does not require firewall holes. 连接全部是通过标准 Web 端口建立的。The connections are all outbound over standard web ports.
- 由于该功能在网络级别运行,它并不知道应用使用的语言以及终结点使用的技术。Because the feature is network level, it is agnostic to the language used by your app and the technology used by the endpoint.
- 可以通过单个应用使用它在多个网络中提供访问。It can be used to provide access in multiple networks from a single app.
混合连接无法提供的功能Things you cannot do with Hybrid Connections
混合连接无法实现以下操作:Things you cannot do with Hybrid Connections include:
- 装载驱动器。Mount a drive.
- 使用 UDP。Use UDP.
- 访问使用动态端口(例如 FTP 被动模式或扩展被动模式)的基于 TCP 的服务。Access TCP-based services that use dynamic ports, such as FTP Passive Mode or Extended Passive Mode.
- 支持 LDAP,因为它可能需要 UDP。Support LDAP, because it can require UDP.
- 支持 Active Directory,因为你无法域加入应用服务辅助角色。Support Active Directory, because you cannot domain join an App Service worker.
必备条件Prerequisites
- Windows 应用服务是必需的。Windows App service is required. 仅在 Windows 中提供。It is only available in Windows.
在应用中添加和创建混合连接Add and Create Hybrid Connections in your app
若要创建混合连接,请转到 Azure 门户,并选择应用。To create a Hybrid Connection, go to the Azure portal and select your app. 选择“网络” > “配置混合连接终结点”。Select Networking > Configure your Hybrid Connection endpoints. 此处显示了为应用配置的混合连接。Here you can see the Hybrid Connections that are configured for your app.
要添加新的混合连接,请选择“[+]添加混合连接” 。To add a new Hybrid Connection, select [+] Add hybrid connection. 此时会显示已创建的混合连接的列表。You'll see a list of the Hybrid Connections that you already created. 要将其中的一个或多个混合连接添加到应用,请选择所需的混合连接,然后选择“添加选定的混合连接” 。To add one or more of them to your app, select the ones you want, and then select Add selected Hybrid Connection.
如果想要创建新的混合连接,请选择“创建新的混合连接” 。If you want to create a new Hybrid Connection, select Create new hybrid connection. 指定:Specify the:
- 混合连接名称。Hybrid Connection name.
- 终结点主机名。Endpoint hostname.
- 终结点端口。Endpoint port.
- 要使用的服务总线命名空间。Service Bus namespace you want to use.
每个混合连接已绑定到服务总线命名空间,每个服务总线命名空间在 Azure 区域中。Every Hybrid Connection is tied to a Service Bus namespace, and each Service Bus namespace is in an Azure region. 请尽量使用应用所在的同一区域中的服务总线命名空间,这一点非常重要,目的是避免网络造成的延迟。It's important to try to use a Service Bus namespace in the same region as your app, to avoid network induced latency.
如果想要从应用中删除混合连接,请右键单击该混合连接,并选择“断开连接” 。If you want to remove your Hybrid Connection from your app, right-click it and select Disconnect.
将混合连接添加到应用后,选择该混合连接即可查看其详细信息。When a Hybrid Connection is added to your app, you can see details on it simply by selecting it.
在 Azure 中继门户中创建混合连接Create a Hybrid Connection in the Azure Relay portal
除了使用应用内部的门户体验以外,还可以在 Azure 中继门户中创建混合连接。In addition to the portal experience from within your app, you can create Hybrid Connections from within the Azure Relay portal. 要使混合连接可供应用服务使用,必须:For a Hybrid Connection to be used by App Service, it must:
- 要求客户端授权。Require client authorization.
- 提供一个名为 endpoint 的元数据项,其中包含“主机:端口”的组合作为值。Have a metadata item, named endpoint, that contains a host:port combination as the value.
混合连接和应用服务计划Hybrid Connections and App Service plans
应用服务混合连接只能在“基本”、“标准”、“高级”和“隔离”定价 SKU 中使用。App Service Hybrid Connections are only available in Basic, Standard, Premium, and Isolated pricing SKUs. 定价计划没有相关的限制。There are limits tied to the pricing plan.
| 定价计划Pricing plan | 在计划中可以使用的混合连接数Number of Hybrid Connections usable in the plan |
|---|---|
| 基本Basic | 55 |
| StandardStandard | 2525 |
| PremiumPremium | 200200 |
| 隔离Isolated | 200200 |
应用服务计划 UI 会显示混合连接的用量以及由哪些应用使用。The App Service plan UI shows you how many Hybrid Connections are being used and by what apps.
选择该混合连接可查看详细信息。Select the Hybrid Connection to see details. 可以看到应用视图中显示的所有信息。You can see all the information that you saw at the app view. 还可以查看同一计划中还有其他多少个应用正在使用该混合连接。You can also see how many other apps in the same plan are using that Hybrid Connection.
可在一个应用服务计划中使用的混合连接终结点数目有限制。There is a limit on the number of Hybrid Connection endpoints that can be used in an App Service plan. 但是,所用的每个混合连接可在该计划中任意数目的应用中使用。Each Hybrid Connection used, however, can be used across any number of apps in that plan. 例如,在一个应用服务计划下的 5 个单独应用中共同使用的单个混合连接,仅算作 1 个混合连接。For example, a single Hybrid Connection that is used in five separate apps in an App Service plan counts as one Hybrid Connection.
定价Pricing
除了存在应用服务计划 SKU 要求,使用混合连接还会产生额外的成本。In addition to there being an App Service plan SKU requirement, there is an additional cost to using Hybrid Connections. 混合连接使用的每个侦听器都要收费。There is a charge for each listener used by a Hybrid Connection. 侦听器是混合连接管理器。The listener is the Hybrid Connection Manager. 如果你有 5 个混合连接,它们由 2 个混合连接管理器支持,则总计是 10 个侦听器。If you had five Hybrid Connections supported by two Hybrid Connection Managers, that would be 10 listeners. 有关详细信息,请参阅服务总线定价。For more information, see Service Bus pricing.
混合连接管理器Hybrid Connection Manager
混合连接功能要求在网络中安装一个中继代理用于托管混合连接终结点。The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint. 该中继代理称为混合连接管理器 (HCM)。That relay agent is called the Hybrid Connection Manager (HCM). 若要下载 HCM,请在 Azure 门户上的应用中,选择“网络” > “配置混合连接终结点”。To download HCM, from your app in the Azure portal, select Networking > Configure your Hybrid Connection endpoints.
此工具可在 Windows Server 2012 和更高版本上运行。This tool runs on Windows Server 2012 and later. HCM 作为服务运行,并在端口 443 上出站连接到 Azure 中继。The HCM runs as a service and connects outbound to Azure Relay on port 443.
安装 HCM 后,可以运行 HybridConnectionManagerUi.exe 来使用该工具的 UI。After installing HCM, you can run HybridConnectionManagerUi.exe to use the UI for the tool. 此文件位于混合连接管理器的安装目录中。This file is in the Hybrid Connection Manager installation directory. 在 Windows 10 上,也可以在搜索框中搜索“混合连接管理器 UI”即可。 In Windows 10, you can also just search for Hybrid Connection Manager UI in your search box.
启动 HCM UI 时,出现的第一个界面是一个表格,其中列出了为此 HCM 实例配置的所有混合连接。When you start the HCM UI, the first thing you see is a table that lists all the Hybrid Connections that are configured with this instance of the HCM. 如果想要进行任何更改,请先在 Azure 中完成身份验证。If you want to make any changes, first authenticate with Azure.
要将一个或多个混合连接添加到 HCM,请执行以下操作:To add one or more Hybrid Connections to your HCM:
启动 HCM UI。Start the HCM UI.
选择“配置另一个混合连接”。 Select Configure another Hybrid Connection.
使用 Azure 帐户登录,以使你的订阅可以使用混合连接。Sign in with your Azure account to get your Hybrid Connections available with your subscriptions. 除此之外,HCM 不会继续使用你的 Azure 帐户。The HCM does not continue to use your Azure account beyond that.
选择订阅。Choose a subscription.
选择 HCM 要中继的混合连接。Select the Hybrid Connections that you want the HCM to relay.
选择“保存”。 Select Save.
现在,可以看到已添加的混合连接。You can now see the Hybrid Connections you added. 还可以选择配置的混合连接查看详细信息。You can also select the configured Hybrid Connection to see details.
若要支持配置的混合连接,HCM 需要:To support the Hybrid Connections it is configured with, HCM requires:
- 通过端口 443 对 Azure 进行 TCP 访问。TCP access to Azure over port 443.
- 对混合连接终结点进行 TCP 访问。TCP access to the Hybrid Connection endpoint.
- 能够在终结点主机和服务总线命名空间中执行 DNS 查找。The ability to do DNS look-ups on the endpoint host and the Service Bus namespace.
Note
Azure 中继的连接性依赖于 Web 套接字。Azure Relay relies on Web Sockets for connectivity. 此功能仅适用于 Windows Server 2012 或更高版本。This capability is only available on Windows Server 2012 or later. 因此,低于 Windows Server 2012 的版本将不支持 HCM。Because of that, HCM is not supported on anything earlier than Windows Server 2012.
冗余Redundancy
每个 HCM 可以支持多个混合连接。Each HCM can support multiple Hybrid Connections. 此外,多个 HCM 可以支持任一给定的混合连接。Also, any given Hybrid Connection can be supported by multiple HCMs. 默认行为是在为任一给定终结点配置的 HCM 之间路由流量。The default behavior is to route traffic across the configured HCMs for any given endpoint. 如果希望从网络建立的混合连接具有高可用性,可在单独的计算机上运行多个 HCM。If you want high availability on your Hybrid Connections from your network, run multiple HCMs on separate machines. 中继服务用于将流量分配到 HCM 的负载分配算法是随机分配。The load distribution algorithm used by the Relay service to distribute traffic to the HCMs is random assignment.
手动添加混合连接Manually add a Hybrid Connection
若要让订阅外部的某人托管给定混合连接的 HCM 实例,可与他(她)共享该混合连接的网关连接字符串。To enable someone outside your subscription to host an HCM instance for a given Hybrid Connection, share the gateway connection string for the Hybrid Connection with them. 可以在 Azure 门户的“混合连接”属性中看到网关连接字符串。You can see the gateway connection string in the Hybrid Connection properties in the Azure portal. 要使用该字符串,请在 HCM 中选择“手动输入”,并粘贴网关连接字符串 。To use that string, select Enter Manually in the HCM, and paste in the gateway connection string.
升级Upgrade
混合连接管理器会定期更新,以解决问题或提供改进。There are periodic updates to the Hybrid Connection Manager to fix issues or provide improvements. 发布升级时,HCM UI 中将显示一个弹出窗口。When upgrades are released, a popup will show up in the HCM UI. 应用升级时将一并应用更改并重启 HCM。Applying the upgrade will apply the changes and restart the HCM.
以编程方式向应用添加混合连接Adding a Hybrid Connection to your app programmatically
下面提到的 API 可直接用于管理连接到应用的混合连接。The APIs noted below can be used directly to manage the Hybrid Connections connected to your apps.
/subscriptions/[subscription name]/resourceGroups/[resource group name]/providers/Microsoft.Web/sites/[app name]/hybridConnectionNamespaces/[relay namespace name]/relays/[hybrid connection name]?api-version=2016-08-01
与混合连接关联的 JSON 对象如下所示:The JSON object associated with a Hybrid Connection looks like:
{
"name": "[hybrid connection name]",
"type": "Microsoft.Relay/Namespaces/HybridConnections",
"location": "[location]",
"properties": {
"serviceBusNamespace": "[namespace name]",
"relayName": "[hybrid connection name]",
"relayArmUri": "/subscriptions/[subscription id]/resourceGroups/[resource group name]/providers/Microsoft.Relay/namespaces/[namespace name]/hybridconnections/[hybrid connection name]",
"hostName": "[endpoint host name]",
"port": [port],
"sendKeyName": "defaultSender",
"sendKeyValue": "[send key]"
}
}
使用此信息的一种方式是使用 armclient(可以从 ARMClient GitHub 项目中获取)。One way to use this information is with the armclient, which you can get from the ARMClient GitHub project. 下面是将预先存在的混合连接附加到应用的示例。Here is an example on attaching a pre-existing Hybrid Connection to your app. 按照上述架构创建一个 JSON 文件,如:Create a JSON file per the above schema like:
{
"name": "relay-demo-hc",
"type": "Microsoft.Relay/Namespaces/HybridConnections",
"location": "China North",
"properties": {
"serviceBusNamespace": "demo-relay",
"relayName": "relay-demo-hc",
"relayArmUri": "/subscriptions/ebcidic-asci-anna-nath-rak1111111/resourceGroups/myrelay-rg/providers/Microsoft.Relay/namespaces/demo-relay/hybridconnections/relay-demo-hc",
"hostName": "my-wkstn.home",
"port": 1433,
"sendKeyName": "defaultSender",
"sendKeyValue": "Th9is3is8a82lot93of3774stu887ff122235="
}
}
要使用此 API,需要发送密钥和中继资源 ID。 如果使用文件名 hctest.json 保存了信息,请发出此命令以将混合连接附加到你的应用:If you saved your information with the filename hctest.json, issue this command to attach your Hybrid Connection to your app:
armclient login
armclient put /subscriptions/ebcidic-asci-anna-nath-rak1111111/resourceGroups/myapp-rg/providers/Microsoft.Web/sites/myhcdemoapp/hybridConnectionNamespaces/demo-relay/relays/relay-demo-hc?api-version=2016-08-01 @hctest.json
保护混合连接Secure your Hybrid Connections
任何在基础 Azure 服务总线中继上有足够权限的用户都可以将现有的混合连接添加到应用服务 Web 应用。An existing Hybrid Connection can be added to other App Service Web Apps by any user who has sufficient permissions on the underlying Azure Service Bus Relay. 这意味着,如果必须阻止他人重复使用这个相同的混合连接(例如,如果目标资源是一项没有设置任何其他的安全措施来防止未经授权的访问的服务,则必须这样做),则必须锁定对 Azure 服务总线中继的访问。This means that if you must prevent others from reusing that same Hybrid Connection (for example when the target resource is a service that does not have any additional security measures in place to prevent unauthorized access), you must lock down access to the Azure Service Bus Relay.
可以通过 Reader 访问权限来访问中继的任何人都将能够 看到混合连接(在尝试通过 Azure 门户将它添加到 Web 应用时),但却无法添加它, 因为缺少检索用于建立中继连接的连接字符串的权限。Anyone with Reader access to the Relay will be able to see the Hybrid Connection when attempting to add it to their Web App in the Azure Portal, but they will not be able to add it as they lack the permissions to retrieve the connection string which is used to establish the relay connection. 若要成功添加混合连接,他们必须具有 listKeys 权限 (Microsoft.Relay/namespaces/hybridConnections/authorizationRules/listKeys/action)。In order to successfully add the Hybrid Connection, they must have the listKeys permission (Microsoft.Relay/namespaces/hybridConnections/authorizationRules/listKeys/action). Contributor 角色或者任何其他包含此权限(在中继上)的角色都会允许用户使用混合连接并将其添加到自己的 Web 应用。The Contributor role or any other role which includes this permission on the Relay will allow users to use the Hybrid Connection and add it to their own Web Apps.
故障排除Troubleshooting
“已连接”状态表示,至少有一个 HCM 配置了该混合连接,且可以访问 Azure。The status of "Connected" means that at least one HCM is configured with that Hybrid Connection, and is able to reach Azure. 如果混合连接状态未显示“已连接”,则表示未在任何可访问 Azure 的 HCM 上配置该混合连接 。If the status for your Hybrid Connection does not say Connected, your Hybrid Connection is not configured on any HCM that has access to Azure.
客户端无法连接到其终结点的主要原因是使用 IP 地址而不是 DNS 名称指定了终结点。The primary reason that clients cannot connect to their endpoint is because the endpoint was specified by using an IP address instead of a DNS name. 如果应用无法访问所需的终结点,而你使用了 IP 地址,请改为使用在运行 HCM 的主机上有效的 DNS 名称。If your app cannot reach the desired endpoint and you used an IP address, switch to using a DNS name that is valid on the host where the HCM is running. 另请检查 DNS 名称是否能够在运行 HCM 的主机上正确解析。Also check that the DNS name resolves properly on the host where the HCM is running. 确认运行 HCM 的主机是否与混合连接终结点建立了连接。Confirm that there is connectivity from the host where the HCM is running to the Hybrid Connection endpoint.
在应用服务中,可以通过高级工具 (Kudu) 控制台调用 tcpping 命令行工具。In App Service, the tcpping command line tool can be invoked from the Advanced Tools (Kudu) console. 此工具可以告知你是否能够访问 TCP 终结点,但不会告知你是否能够访问混合连接终结点。This tool can tell you if you have access to a TCP endpoint, but it does not tell you if you have access to a Hybrid Connection endpoint. 在控制台中针对混合连接终结点使用此工具时,只能确认混合连接是否使用了“主机:端口”组合。When you use the tool in the console against a Hybrid Connection endpoint, you are only confirming that it uses a host:port combination.
如果你的终结点有命令行客户端,则可以从应用控制台测试连接。If you have a command line client for your endpoint, you can test connectivity from the app console. 例如,可以使用 curl 测试对 Web 服务器终结点的访问。For example, you can test access to web server endpoints by using curl.
BizTalk 混合连接BizTalk Hybrid Connections
此功能的早期形式被称为 BizTalk 混合连接。The early form of this feature was called BizTalk Hybrid Connections. 此功能于 2018 年 5 月 31 日结束并停止操作。This capability went End of Life on May 31, 2018 and ceased operations. BizTalk 混合连接已从所有应用中删除,无法通过门户或 API 访问。BizTalk hybrid connections have been removed from all apps and are not accessible through the portal or API. 如果仍在混合连接管理器中配置了这些旧连接,则会看到“已停用”状态且底部显示“生命周期结束”。If you still have these older connections configured in the Hybrid Connection Manager, then you will see a status of Discontinued and display an End of Life statement at the bottom.
