Guidance on deploying web apps by using Azure Resource Manager templates

This article provides recommendations for creating Azure Resource Manager templates to deploy Azure App Service solutions. These recommendations can help you avoid common problems.

Define dependencies

Defining dependencies for web apps requires an understanding of how the resources within a web app interact. If you specify dependencies in an incorrect order, you might cause deployment errors or create a race condition that stalls the deployment.

Warning

If you include an MSDeploy site extension in your template, you must set any configuration resources as dependent on the MSDeploy resource. Configuration changes cause the site to restart asynchronously. By making the configuration resources dependent on MSDeploy, you ensure that MSDeploy finishes before the site restarts. Without these dependencies, the site might restart during the deployment process of MSDeploy. For an example template, see WordPress Template with Web Deploy Dependency.

The following image shows the dependency order for various App Service resources:

Web app dependencies

You deploy resources in the following order:

Tier 1

  • App Service plan.
  • Any other related resources, like databases or storage accounts.

Tier 2

  • Web app--depends on the App Service plan.
  • Azure Application Insights instance that targets the server farm--depends on the App Service plan.

Tier 3

  • Source control--depends on the web app.
  • MSDeploy site extension--depends on the web app.
  • Application Insights instance that targets the server farm--depends on the web app.

Tier 4

  • App Service certificate--depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.
  • Configuration settings (connection strings, web.config values, app settings)--depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.

Tier 5

  • Host name bindings--depends on the certificate if present. Otherwise, it depends on a higher-level resource.
  • Site extensions--depends on configuration settings if present. Otherwise, it depends on a higher-level resource.

Typically, your solution includes only some of these resources and tiers. For missing tiers, map lower resources to the next-higher tier.

The following example shows part of a template. The value of the connection string configuration depends on the MSDeploy extension. The MSDeploy extension depends on the web app and database.

{
    "name": "[parameters('appName')]",
    "type": "Microsoft.Web/Sites",
    ...
    "resources": [
      {
          "name": "MSDeploy",
          "type": "Extensions",
          "dependsOn": [
            "[concat('Microsoft.Web/Sites/', parameters('appName'))]",
            "[concat('Microsoft.Sql/servers/', parameters('dbServerName'), '/databases/', parameters('dbName'))]"
          ],
          ...
      },
      {
          "name": "connectionstrings",
          "type": "config",
          "dependsOn": [
            "[concat('Microsoft.Web/Sites/', parameters('appName'), '/Extensions/MSDeploy')]"
          ],
          ...
      }
    ]
}

For a ready-to-run sample that uses the code above, see Template: Build a simple Umbraco Web App.
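A check for the ordering rule above, as an added example (not part of the original article or of any Azure tooling): it flags nested config resources that lack a dependsOn entry for MSDeploy when that extension is present. The sample template is constructed, and treating any dependsOn expression that contains "msdeploy" as a reference to the extension is a heuristic assumed for this example.

```python
import json

# Constructed sample in the shape of the page's fragment. The "appsettings"
# resource deliberately lacks the MSDeploy dependency.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [{
    "name": "[parameters('appName')]",
    "type": "Microsoft.Web/sites",
    "resources": [
      {"name": "MSDeploy", "type": "extensions",
       "dependsOn": ["[concat('Microsoft.Web/sites/', parameters('appName'))]"]},
      {"name": "connectionstrings", "type": "config",
       "dependsOn": ["[concat('Microsoft.Web/sites/', parameters('appName'), '/extensions/MSDeploy')]"]},
      {"name": "appsettings", "type": "config",
       "dependsOn": ["[concat('Microsoft.Web/sites/', parameters('appName'))]"]}
    ]
  }]
}
""")


def find_unordered_config(template):
    """Return 'site/config' names of config resources that can race with MSDeploy."""
    findings = []
    for site in template.get("resources", []):
        if site.get("type", "").lower() != "microsoft.web/sites":
            continue
        children = site.get("resources", [])
        kinds = {(c.get("type", "").lower(), c.get("name", "").lower()) for c in children}
        if ("extensions", "msdeploy") not in kinds:
            continue  # no MSDeploy: config may depend on the web app directly
        for child in children:
            if child.get("type", "").lower() != "config":
                continue
            # Heuristic (assumption): the expression text names the extension.
            deps = [d.lower() for d in child.get("dependsOn", [])]
            if not any("msdeploy" in d for d in deps):
                findings.append(f"{site.get('name')}/{child.get('name')}")
    return findings


if __name__ == "__main__":
    for name in find_unordered_config(SAMPLE_TEMPLATE):
        print(f"config resource {name} does not depend on MSDeploy")
```
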

Find information about MSDeploy errors

If your Resource Manager template uses MSDeploy, the deployment error messages can be difficult to understand. To get more information after a failed deployment, try the following steps:

  1. Go to the site's Kudu console.
  2. Browse to the folder at D:\home\LogFiles\SiteExtensions\MSDeploy.
  3. Look for the appManagerStatus.xml and appManagerLog.xml files. The first file logs the status. The second file logs information about the error. If the error isn't clear to you, you can include it when you're asking for help on the forum.

Choose a unique web app name

The name for your web app must be globally unique. You can use a naming convention that's likely to be unique, or you can use the uniqueString function to assist with generating a unique name.

{
  "apiVersion": "2016-08-01",
  "name": "[concat(parameters('siteNamePrefix'), uniqueString(resourceGroup().id))]",
  "type": "Microsoft.Web/sites",
  ...
}

Deploy web app certificate from Key Vault

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

In Azure, the App Service service principal has the ID of abfa0a7c-a6b6-4736-8310-5855508787cd. To grant access to Key Vault for the App Service service principal, use:

Set-AzKeyVaultAccessPolicy `
  -VaultName KEY_VAULT_NAME `
  -ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd `
  -PermissionsToSecrets get `
  -PermissionsToCertificates get

In Azure Government, the App Service service principal has the ID of 6a02c803-dafd-4136-b4c3-5a6f318b4714. Use that ID in the preceding example.

In your Key Vault, select Certificates and Generate/Import to upload the certificate.

Import certificate

In your template, provide the name of the certificate for the keyVaultSecretName.

For an example template, see Deploy a Web App certificate from Key Vault secret and use it for creating SSL binding.

Next steps