Create and use an Internal Load Balancer App Service Environment

The Azure App Service Environment is a deployment of Azure App Service into a subnet in an Azure virtual network (VNet). There are two ways to deploy an App Service Environment (ASE):

  • With a VIP on an external IP address, often called an External ASE.
  • With a VIP on an internal IP address, often called an ILB ASE because the internal endpoint is an internal load balancer (ILB).

This article shows you how to create an ILB ASE. For an overview of the ASE, see [Introduction to App Service Environments][Intro]. To learn how to create an External ASE, see [Create an External ASE][MakeExternalASE].

Overview

You can deploy an ASE with an internet-accessible endpoint or with an IP address in your VNet. To set the IP address to a VNet address, the ASE must be deployed with an ILB. When you deploy your ASE with an ILB, you must provide the name of your ASE. The name of your ASE is used in the domain suffix for the apps in your ASE. The domain suffix for your ILB ASE is <ASE name>.appserviceenvironment.cn. Apps that are made in an ILB ASE are not put in the public DNS.

Earlier versions of the ILB ASE required you to provide a domain suffix and a default certificate for HTTPS connections. The domain suffix is no longer collected at ILB ASE creation, and a default certificate is also no longer collected. When you create an ILB ASE now, the default certificate is provided by Microsoft and is trusted by the browser. You are still able to set custom domain names on apps in your ASE and set certificates on those custom domain names.

With an ILB ASE, you can do things such as:

  • Host intranet applications securely in the cloud, which you access through a site-to-site or ExpressRoute connection.
  • Protect apps with a WAF device.
  • Host apps in the cloud that aren't listed in public DNS servers.
  • Create internet-isolated back-end apps, which your front-end apps can securely integrate with.

Disabled functionality

There are some things that you can't do when you use an ILB ASE:

  • Use IP-based SSL.
  • Assign IP addresses to specific apps.
  • Buy and use a certificate with an app through the Azure portal. You can obtain certificates directly from a certificate authority and use them with your apps. You can't obtain them through the Azure portal.

Create an ILB ASE

To create an ILB ASE:

  1. In the Azure portal, select Create a resource > Web > App Service Environment.

  2. Select your subscription.

  3. Select or create a resource group.

  4. Enter the name of your App Service Environment.

  5. Select Internal as the virtual IP type.

    (Screenshot: ASE creation)

Note

The App Service Environment name must be no more than 37 characters.

  6. Select Networking.

  7. Select or create a virtual network. If you create a new VNet here, it will be defined with an address range of 192.168.250.0/23. To create a VNet with a different address range or in a different resource group than the ASE, use the Azure Virtual Network creation portal.

  8. Select or create an empty subnet. If you select an existing subnet, it must be empty and not delegated. The subnet size cannot be changed after the ASE is created. We recommend a size of /24, which has 256 addresses and can handle a maximum-sized ASE and any scaling needs.

    (Screenshot: ASE networking)

  9. Select Review and Create, then select Create.

Create an app in an ILB ASE

You create an app in an ILB ASE in the same way that you create an app in an ASE normally.

  1. In the Azure portal, select Create a resource > Web > Web App.

  2. Enter the name of the app.

  3. Select the subscription.

  4. Select or create a resource group.

  5. Select your Publish, Runtime Stack, and Operating System.

  6. Select a location that is an existing ILB ASE. You can also create a new ASE during app creation by selecting an Isolated App Service plan. If you wish to create a new ASE, select the region you want the ASE to be created in.

  7. Select or create an App Service plan.

  8. Select Review and Create, then select Create when you are ready.

Web jobs, Functions and the ILB ASE

Both Functions and web jobs are supported on an ILB ASE, but for the portal to work with them you must have network access to the SCM site. This means your browser must be on a host that is either in or connected to the virtual network. If your ILB ASE has a domain name that does not end in appserviceenvironment.cn, you will need to get your browser to trust the HTTPS certificate being used by your SCM site.

DNS configuration

When you use an External ASE, apps made in your ASE are registered with Azure DNS. There are then no additional steps in an External ASE for your apps to be publicly available. With an ILB ASE, you must manage your own DNS. You can do this in your own DNS server or with Azure DNS private zones.

To configure DNS in your own DNS server with your ILB ASE:

  1. Create a zone for <ASE name>.appserviceenvironment.cn.
  2. Create an A record in that zone that points * to the ILB IP address.
  3. Create an A record in that zone that points @ to the ILB IP address.
  4. Create a zone in <ASE name>.appserviceenvironment.cn named scm.
  5. Create an A record in the scm zone that points * to the ILB IP address.
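The following is an added example, not part of this article or any Microsoft tooling, that builds the records the five steps describe, renders them as a BIND-style zone file for a self-hosted server, and simulates a resolver so you can confirm that an app's two hostnames (<app name>.<ILB ASE domain> and <app name>.scm.<ILB ASE domain>) both land on the ILB before clients depend on them. The ASE name `myase`, the ILB address `10.0.1.11` and the restriction of ASE names to lowercase DNS-safe characters are constructed assumptions.

```python
"""Added example (not from this article or Microsoft): build the records from
the steps above, render a BIND-style zone file, and simulate endpoint lookups."""
import ipaddress
import re
SUFFIX = "appserviceenvironment.cn"
MAX_ASE_NAME = 37  # length limit stated in the article

def ilb_ase_zone_records(ase_name, ilb_ip):
    """{name: ip} for steps 1-5: '*' and '@' in <ASE name>.appserviceenvironment.cn
    and '*' in the child zone scm.<ASE name>.appserviceenvironment.cn."""
    # assumed convention: ASE name is a lowercase DNS-safe label
    if not 0 < len(ase_name) <= MAX_ASE_NAME or not re.fullmatch(r"[a-z0-9-]+", ase_name):
        raise ValueError("ASE name must be 1-37 characters of [a-z0-9-]")
    ipaddress.IPv4Address(ilb_ip)  # raises ValueError on a malformed address
    zone = f"{ase_name}.{SUFFIX}"
    return {
        f"*.{zone}": ilb_ip,      # step 2: wildcard A record
        zone: ilb_ip,             # step 3: apex (@) A record
        f"*.scm.{zone}": ilb_ip,  # steps 4-5: wildcard in the scm zone
    }

def to_zone_file(ase_name, ilb_ip, ttl=3600):
    """Render the same records for a self-hosted (BIND-style) DNS server."""
    zone = f"{ase_name}.{SUFFIX}"
    lines = [f"$ORIGIN {zone}.", f"$TTL {ttl}"]
    for name, ip in ilb_ase_zone_records(ase_name, ilb_ip).items():
        label = "@" if name == zone else name[: -len(zone) - 1]  # drop ".<zone>"
        lines.append(f"{label:<6} IN A {ip}")
    return "\n".join(lines) + "\n"

def resolve(fqdn, records):
    """Simulate a resolver: exact name, then the closest enclosing wildcard."""
    name = fqdn.lower().rstrip(".")
    if name in records:
        return records[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # walk up one label at a time; None if no match
        hit = records.get("*." + ".".join(labels[i:]))
        if hit:
            return hit

def app_endpoints(ase_name, app_name):
    """The two hostnames every app in an ILB ASE gets: app site and SCM site."""
    zone = f"{ase_name}.{SUFFIX}"
    return (f"{app_name}.{zone}", f"{app_name}.scm.{zone}")

def endpoints_resolve_to_ilb(ase_name, app_name, ilb_ip):
    """True when both endpoints of the app resolve to the ILB address."""
    records = ilb_ase_zone_records(ase_name, ilb_ip)
    return all(resolve(h, records) == ilb_ip for h in app_endpoints(ase_name, app_name))
```

For an Azure DNS private zone, the same three names are created as record sets in the zone and the zone is linked to the VNet; the wildcard and apex layout is unchanged.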

Publish with an ILB ASE

For every app that's created, there are two endpoints. In an ILB ASE, you have <app name>.<ILB ASE domain> and <app name>.scm.<ILB ASE domain>.

The SCM site name takes you to the Kudu console, called the Advanced portal within the Azure portal. The Kudu console lets you view environment variables, explore the disk, use a console, and much more.

Internet-based CI systems, such as GitHub and Azure DevOps, will still work with an ILB ASE if the build agent is internet accessible and on the same network as the ILB ASE. So in the case of Azure DevOps, if the build agent is created on the same VNet as the ILB ASE (a different subnet is fine), it will be able to pull code from Azure DevOps git and deploy to the ILB ASE. If you don't want to create your own build agent, you need to use a CI system that uses a pull model, such as Dropbox.

The publishing endpoints for apps in an ILB ASE use the domain that the ILB ASE was created with. This domain appears in the app's publishing profile and in the app's portal blade (Overview > Essentials and also Properties). If you have an ILB ASE with the domain suffix <ASE name>.appserviceenvironment.cn and an app named mytest, use mytest.<ASE name>.appserviceenvironment.cn for FTP and mytest.scm.contoso.cn for web deployment.

Configure an ILB ASE with a WAF device

You can combine a web application firewall (WAF) device with your ILB ASE to expose only the apps that you want to the internet and keep the rest accessible only from within the VNet. This enables you to build secure multi-tier applications, among other things.

To learn more about how to configure your ILB ASE with a WAF device, see [Configure a web application firewall with your App Service Environment][ASEWAF]. That article shows how to use a Barracuda virtual appliance with your ASE. Another option is to use Azure Application Gateway. Application Gateway uses the OWASP core rules to secure any applications placed behind it. For more information about Application Gateway, see [Introduction to the Azure web application firewall][AppGW].

ILB ASEs made before May 2019

ILB ASEs that were made before May 2019 required you to set the domain suffix during ASE creation. They also required you to upload a default certificate that was based on that domain suffix. Also, with an older ILB ASE you can't perform single sign-on to the Kudu console with apps in that ILB ASE. When configuring DNS for an older ILB ASE, you need to set the wildcard A record in a zone that matches your domain suffix.

Get started

  • To get started with ASEs, see [Introduction to App Service Environments][Intro].

[Intro]: ./intro.md
[MakeExternalASE]: ./create-external-ase.md
[MakeASEfromTemplate]: ./create-from-template.md
[MakeILBASE]: ./create-ilb-ase.md
[ASENetwork]: ./network-info.md
[UsingASE]: ./using-an-ase.md
[UDRs]: ../../virtual-network/virtual-networks-udr-overview.md
[NSGs]: ../../virtual-network/network-security-groups-overview.md
[webapps]: ../overview.md
[mobileapps]: ../../app-service-mobile/app-service-mobile-value-prop.md
[Functions]: ../../azure-functions/index.yml
[Pricing]: https://www.azure.cn/pricing/details/app-service/
[ARMOverview]: ../../azure-resource-manager/management/overview.md
[ConfigureSSL]: ../configure-ssl-certificate.md
[ASEWAF]: app-service-app-service-environment-web-application-firewall.md
[AppGW]: ../../application-gateway/application-gateway-web-application-firewall-overview.md
[customdomain]: ../app-service-web-tutorial-custom-domain.md
[linuxapp]: ../overview.md#app-service-on-linux