Configure your App Service Environment with forced tunneling

The App Service Environment (ASE) is a deployment of Azure App Service in a customer's Azure Virtual Network. Many customers configure their Azure virtual networks to be extensions of their on-premises networks with VPNs or Azure ExpressRoute connections. Forced tunneling is when you redirect internet-bound traffic to your VPN or a virtual appliance instead. Virtual appliances are often used to inspect and audit outbound network traffic.

The ASE has a number of external dependencies, which are described in the App Service Environment network architecture document. Normally, all ASE outbound dependency traffic must go through the VIP that is provisioned with the ASE. If you change the routing for traffic to or from the ASE without following the information below, your ASE will stop working.

In an Azure virtual network, routing is done based on the longest prefix match (LPM). If there is more than one route with the same LPM match, a route is selected based on its origin in the following order:

  • User-defined route (UDR)
  • BGP route (when ExpressRoute is used)
  • System route

To learn more about routing in a virtual network, read User-defined routes and IP forwarding.

If you want to route your ASE outbound traffic somewhere other than directly to the internet, you have the following choices:

  • Enable your ASE to have direct internet access
  • Configure your ASE subnet to ignore BGP routes
  • Configure your ASE subnet to use Service Endpoints to Azure SQL and Azure Storage
  • Add your own IPs to the ASE Azure SQL firewall

Enable your App Service Environment to have direct internet access

To enable your ASE to go directly to the internet even if your Azure virtual network is configured with ExpressRoute, you can:

  • Configure ExpressRoute to advertise 0.0.0.0/0. By default, this routes all outbound traffic on-premises.
  • Create a UDR with an address prefix of 0.0.0.0/0 and a next hop type of Internet, and apply it to the ASE subnet.

If you make these two changes, internet-destined traffic that originates from the App Service Environment subnet isn't forced down the ExpressRoute connection.

If the network is already routing traffic on-premises, you need to create the subnet to host your ASE and configure the UDR for it before attempting to deploy the ASE.

Important

The routes defined in a UDR must be specific enough to take precedence over any routes advertised by the ExpressRoute configuration. The preceding example uses the broad 0.0.0.0/0 address range, so it can be accidentally overridden by route advertisements that use more specific address ranges: because prefix length is evaluated before route origin, a BGP-advertised prefix longer than /0 wins over the /0 UDR even though a UDR would win a tie at equal length.

App Service Environments aren't supported with ExpressRoute configurations that cross-advertise routes from the public-peering path to the private-peering path. ExpressRoute configurations with public peering configured receive route advertisements from Microsoft. The advertisements contain a large set of Microsoft Azure address ranges. If the address ranges are cross-advertised on the private-peering path, all outbound network packets from the App Service Environment's subnet are routed to the customer's on-premises network infrastructure. This network flow is not supported by default with App Service Environments. One solution to this problem is to stop cross-advertising routes from the public-peering path to the private-peering path. Another solution is to enable your App Service Environment to work in a forced tunnel configuration.

(Diagram: Direct internet access)

Configure your ASE subnet to ignore BGP routes

You can configure your ASE subnet to ignore all BGP routes. When configured to ignore BGP routes, the ASE will be able to access its dependencies without any problems. You will need to create UDRs, however, to enable your apps to access on-premises resources.

To configure your ASE subnet to ignore BGP routes:

  • Create a UDR and assign it to your ASE subnet if you do not have one already.
  • In the Azure portal, open the route table assigned to your ASE subnet. Select Configuration. Set BGP route propagation to Disabled. Click Save. The documentation on turning that off is in the Create a route table document.

After you configure the ASE subnet to ignore all BGP routes, your apps will no longer be able to reach on-premises resources. To enable your apps to access resources on-premises, edit the UDR assigned to your ASE subnet and add routes for your on-premises address ranges. The Next hop type should be set to Virtual network gateway.
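The route-selection rules at the top of the page, the override caveat in the Important note under "Enable your App Service Environment to have direct internet access", the BGP route propagation switch described in this section, and the management-address routes used in the Service Endpoint procedures further down can all be checked against one small model. The following Python script is an added example, not part of the original page or of any Azure tooling. It implements how Azure picks an effective route (longest prefix match first, then UDR over BGP over System) and walks through those scenarios with constructed prefixes: 203.0.113.0/24 stands in for an Azure dependency range that gets cross-advertised over private peering, 10.0.0.0/8 for the on-premises network, and 192.0.2.0/24 for an ASE management address range (the real ranges are in the App Service Environment management addresses document).

```python
"""Model of Azure virtual-network route selection for an ASE subnet.

Added example: longest prefix match first, then origin priority (UDR > BGP > System),
with the route table's "BGP route propagation" switch modelled as a flag.
All prefixes and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Lower number wins when two matching routes have the same prefix length.
ORIGIN_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR, for example "0.0.0.0/0"
    next_hop: str  # "Internet", "VirtualNetworkGateway", "VirtualAppliance", ...
    origin: str    # "UDR", "BGP" or "System"


def effective_route(dest: str, routes: Iterable[Route],
                    bgp_propagation: bool = True) -> Optional[Route]:
    """Return the route Azure would apply to traffic from the subnet towards `dest`.

    bgp_propagation=False models "BGP route propagation: Disabled" on the route
    table, which hides every BGP-learned route from the subnet.
    """
    ip = ipaddress.ip_address(dest)
    best = None  # (sort key, route)
    for r in routes:
        if r.origin == "BGP" and not bgp_propagation:
            continue
        net = ipaddress.ip_network(r.prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -ORIGIN_PRIORITY[r.origin])  # longer prefix, then origin
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


# Constructed addresses (not from the page).
ASE_DEPENDENCY = "203.0.113.10"   # a hypothetical Azure endpoint the ASE must reach
ON_PREM_HOST = "10.20.30.40"      # a host on the customer's on-premises network
MGMT_REPLY_DEST = "192.0.2.7"     # a hypothetical ASE management address

SYSTEM = [Route("0.0.0.0/0", "Internet", "System")]
BGP_FROM_EXPRESSROUTE = [Route("0.0.0.0/0", "VirtualNetworkGateway", "BGP"),
                         Route("10.0.0.0/8", "VirtualNetworkGateway", "BGP")]
# The cross-advertising problem: an Azure prefix leaks onto the private-peering path.
BGP_CROSS_ADVERTISED = [Route("203.0.113.0/24", "VirtualNetworkGateway", "BGP")]
UDR_DEFAULT_INTERNET = [Route("0.0.0.0/0", "Internet", "UDR")]


def direct_internet_udr() -> str:
    """0.0.0.0/0 UDR vs 0.0.0.0/0 from BGP: equal length, so the UDR wins."""
    routes = SYSTEM + BGP_FROM_EXPRESSROUTE + UDR_DEFAULT_INTERNET
    return effective_route(ASE_DEPENDENCY, routes).next_hop


def cross_advertised_override() -> str:
    """A /24 from BGP beats the /0 UDR on length and pulls the dependency on-premises."""
    routes = SYSTEM + BGP_FROM_EXPRESSROUTE + BGP_CROSS_ADVERTISED + UDR_DEFAULT_INTERNET
    return effective_route(ASE_DEPENDENCY, routes).next_hop


def specific_udr_fix() -> str:
    """A UDR at least as specific as the advertised prefix takes precedence again."""
    fix = [Route("203.0.113.0/24", "Internet", "UDR")]
    routes = SYSTEM + BGP_FROM_EXPRESSROUTE + BGP_CROSS_ADVERTISED + UDR_DEFAULT_INTERNET + fix
    return effective_route(ASE_DEPENDENCY, routes).next_hop


def bgp_propagation_disabled() -> tuple:
    """With BGP routes ignored, dependencies follow the system route, but so does
    on-premises traffic (it is lost) until a UDR with next hop VirtualNetworkGateway
    is added for the on-premises range."""
    routes = SYSTEM + BGP_FROM_EXPRESSROUTE + BGP_CROSS_ADVERTISED
    before = (effective_route(ASE_DEPENDENCY, routes, bgp_propagation=False).next_hop,
              effective_route(ON_PREM_HOST, routes, bgp_propagation=False).next_hop)
    routes = routes + [Route("10.0.0.0/8", "VirtualNetworkGateway", "UDR")]
    after = effective_route(ON_PREM_HOST, routes, bgp_propagation=False).next_hop
    return before, after


def forced_tunnel_with_management_routes() -> tuple:
    """Forced tunnel via an NVA, plus a more specific UDR so replies to management
    traffic still leave via the Internet next hop (step 1 of the procedures below)."""
    routes = SYSTEM + [Route("0.0.0.0/0", "VirtualAppliance", "UDR"),
                       Route("192.0.2.0/24", "Internet", "UDR")]
    return (effective_route(ASE_DEPENDENCY, routes).next_hop,
            effective_route(MGMT_REPLY_DEST, routes).next_hop)


if __name__ == "__main__":
    print("direct internet UDR        ->", direct_internet_udr())
    print("cross-advertised /24       ->", cross_advertised_override())
    print("specific UDR fix           ->", specific_udr_fix())
    print("BGP propagation disabled   ->", bgp_propagation_disabled())
    print("forced tunnel + mgmt UDRs  ->", forced_tunnel_with_management_routes())
```

The scenarios mirror the page: the /0 UDR beats the /0 BGP route only because they tie on length; a cross-advertised /24 silently wins on length alone and must be countered with an equally specific UDR; disabling BGP propagation protects dependencies at the cost of on-premises reachability until explicit UDRs with next hop VirtualNetworkGateway are added. Substitute your own advertised prefixes and UDRs for the constructed ones to preview what a change does before applying it to the ASE subnet.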

Configure your ASE with Service Endpoints

To route all outbound traffic from your ASE, except that which goes to Azure SQL and Azure Storage, perform the following steps:

  1. Create a route table and assign it to your ASE subnet. Find the addresses that match your region in App Service Environment management addresses. Create routes for those addresses with a next hop of Internet. These routes are needed because App Service Environment inbound management traffic must reply from the same address it was sent to.

  2. Enable Service Endpoints for Azure SQL and Azure Storage on your ASE subnet. After this step is completed, you can then configure your VNet with forced tunneling.

To create your ASE in a virtual network that is already configured to route all traffic on-premises, you need to create your ASE using a Resource Manager template. It is not possible to create an ASE with the portal into a pre-existing subnet; the Resource Manager template does allow you to specify a pre-existing subnet. For details on deploying an ASE with a template, read Creating an App Service Environment using a template.

Service Endpoints enable you to restrict access to multi-tenant services to a set of Azure virtual networks and subnets. You can read more about Service Endpoints in the Virtual Network Service Endpoints documentation.

When you enable Service Endpoints for a service on a subnet, routes are created with higher priority than all other routes. If you use Service Endpoints with a forced-tunneled ASE, the Azure SQL and Azure Storage management traffic isn't forced tunneled. The other ASE dependency traffic is forced tunneled and can't be lost, or the ASE will not function properly.

When Service Endpoints for Azure SQL are enabled on a subnet, all Azure SQL instances connected to from that subnet must have Service Endpoints enabled: if you want to access multiple Azure SQL instances from the same subnet, you can't enable Service Endpoints on one Azure SQL instance and not on another. Azure Storage does not behave the same way. When you enable Service Endpoints with Azure Storage, you lock access to that resource from your subnet but can still access other Azure Storage accounts even if they do not have Service Endpoints enabled.

If you configure forced tunneling with a network filter appliance, remember that the ASE has dependencies in addition to Azure SQL and Azure Storage. If traffic to those dependencies is blocked, the ASE will not function properly.

(Diagram: Forced tunneling with Service Endpoints)

To tunnel all outbound traffic from your ASE, except that which goes to Azure Storage, perform the following steps:

  1. Create a route table and assign it to your ASE subnet. Find the addresses that match your region in App Service Environment management addresses. Create routes for those addresses with a next hop of Internet. These routes are needed because App Service Environment inbound management traffic must reply from the same address it was sent to.

  2. Enable Service Endpoints for Azure Storage on your ASE subnet.

  3. Get the addresses that will be used for all outbound traffic from your App Service Environment to the internet. If you're routing the traffic on-premises, these addresses are your NAT or gateway IPs. If you want to route the App Service Environment outbound traffic through an NVA, the egress address is the public IP of the NVA.

To create your ASE with the egress addresses: follow the directions in Create an App Service Environment with a template and pull down the appropriate template. Edit the Microsoft.Web/hostingEnvironments resource in the "resources" section of the azuredeploy.json file and add a line for userWhitelistedIpRanges with your values inside its "properties" block, as shown here:

"resources": [
  {
    "apiVersion": "2015-08-01",
    "type": "Microsoft.Web/hostingEnvironments",
    "name": "[parameters('aseName')]",
    "kind": "ASEV2",
    "location": "[parameters('aseLocation')]",
    "properties": {
      "name": "[parameters('aseName')]",
      "location": "[parameters('aseLocation')]",
      "ipSslAddressCount": 0,
      "internalLoadBalancingMode": "[parameters('internalLoadBalancingMode')]",
      "dnsSuffix": "[parameters('dnsSuffix')]",
      "virtualNetwork": {
        "Id": "[parameters('existingVnetResourceId')]",
        "Subnet": "[parameters('subnetName')]"
      },
      "userWhitelistedIpRanges": ["11.22.33.44/32", "55.66.77.0/30"]
    }
  }
]

These changes send traffic to Azure Storage directly from the ASE and allow access to Azure SQL from additional addresses other than the VIP of the ASE.
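As an added example (not part of the page's template or of any Microsoft tooling), the following Python script applies the userWhitelistedIpRanges edit above to an azuredeploy.json and sanity-checks the ranges before deployment. The template text is a constructed, trimmed stand-in for the real file, and the property placement inside "properties" follows the JSON shown above. The checks encode what the page says the list is for: public NAT, gateway or NVA egress addresses that the ASE's Azure SQL firewall will admit, so anything that is not a valid IPv4 CIDR, is not a public address, or is 0.0.0.0/0 is rejected rather than silently widening the firewall.

```python
"""Add userWhitelistedIpRanges to an ASE ARM template and sanity-check the ranges.

Added example. TEMPLATE_JSON is a constructed, trimmed stand-in for the
azuredeploy.json pulled from the template quickstart; only the parts this
script touches are present.
"""
import ipaddress
import json

TEMPLATE_JSON = """
{
  "resources": [
    {
      "apiVersion": "2015-08-01",
      "type": "Microsoft.Web/hostingEnvironments",
      "name": "[parameters('aseName')]",
      "kind": "ASEV2",
      "location": "[parameters('aseLocation')]",
      "properties": {
        "name": "[parameters('aseName')]",
        "ipSslAddressCount": 0,
        "virtualNetwork": {
          "Id": "[parameters('existingVnetResourceId')]",
          "Subnet": "[parameters('subnetName')]"
        }
      }
    }
  ]
}
"""

ASE_TYPE = "Microsoft.Web/hostingEnvironments"


def validate_egress_ranges(ranges):
    """Return the ranges normalised, or raise ValueError.

    The list is the set of NAT / gateway / NVA egress addresses the ASE's Azure SQL
    firewall will admit, so it must be valid IPv4 CIDR, public, and never 0.0.0.0/0.
    """
    checked = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=True)  # ValueError on bad syntax or host bits set
        if net.version != 4:
            raise ValueError(f"{r}: only IPv4 egress ranges are expected here")
        if net.prefixlen == 0:
            raise ValueError(f"{r}: 0.0.0.0/0 would let every address through the SQL firewall")
        if not net.is_global:
            raise ValueError(f"{r}: egress addresses are public IPs; got a non-global range")
        checked.append(str(net))
    return checked


def add_whitelisted_ranges(template_text, ranges):
    """Parse the template and set userWhitelistedIpRanges on the ASE resource's properties."""
    template = json.loads(template_text)
    ase = [r for r in template["resources"] if r.get("type") == ASE_TYPE]
    if len(ase) != 1:
        raise ValueError(f"expected exactly one {ASE_TYPE} resource, found {len(ase)}")
    ase[0]["properties"]["userWhitelistedIpRanges"] = validate_egress_ranges(ranges)
    return template


def whitelisted_ranges(template):
    """Read the ranges back, for checking a template before it is deployed."""
    for r in template["resources"]:
        if r.get("type") == ASE_TYPE:
            return r["properties"].get("userWhitelistedIpRanges", [])
    return []


if __name__ == "__main__":
    # Placeholder egress addresses from the page's own example; replace with your NAT/NVA IPs.
    patched = add_whitelisted_ranges(TEMPLATE_JSON, ["11.22.33.44/32", "55.66.77.0/30"])
    print(json.dumps(patched, indent=2))
```

Run it against the downloaded azuredeploy.json (read the file into `add_whitelisted_ranges` instead of TEMPLATE_JSON and write the result back) before deploying; the validation failing loudly on a private range or a /0 is the point, since the same values would otherwise be accepted by the deployment and widen the Azure SQL firewall.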

(Diagram: Forced tunneling with SQL allowlist)

Preventing issues

If communication between the ASE and its dependencies is broken, the ASE will go unhealthy. If it remains unhealthy too long, the ASE will become suspended. To unsuspend the ASE, follow the instructions in your ASE portal.

In addition to simply breaking communication, you can adversely affect your ASE by introducing too much latency. Too much latency can happen if your ASE is too far from your on-premises network; examples of too far include going across an ocean or continent to reach the on-premises network. Latency can also be introduced by intranet congestion or outbound bandwidth constraints.