Integrate your ILB App Service Environment with the Azure Application Gateway

The App Service Environment is a deployment of Azure App Service into a subnet of a customer's Azure virtual network. It can be deployed with a public or a private endpoint for app access. A deployment of the App Service Environment with a private endpoint (that is, an internal load balancer) is called an ILB App Service Environment.

Web application firewalls help secure your web applications by inspecting inbound web traffic and blocking SQL injection, cross-site scripting, malware uploads, application-layer DDoS, and other attacks. They can also inspect the responses from the back-end web servers for data loss prevention (DLP). You can get a WAF appliance from the Azure Marketplace, or you can use the Azure Application Gateway.

The Azure Application Gateway is a virtual appliance that provides layer 7 load balancing, TLS/SSL offloading, and web application firewall (WAF) protection. It can listen on a public IP address and route traffic to your application endpoint. The following sections describe how to integrate a WAF-configured Application Gateway with an app in an ILB App Service Environment.

The integration of the Application Gateway with the ILB App Service Environment is done at the app level. When you configure the Application Gateway with your ILB App Service Environment, you do so for specific apps in that environment, not for the environment as a whole. This technique lets you host multiple applications in a single ILB App Service Environment while exposing each one through its own protected gateway configuration.

[Figure: Application Gateway pointing to an app in the ILB App Service Environment]

In this walkthrough, you will:

  • Create an Azure Application Gateway.
  • Configure the Application Gateway to point to an app in your ILB App Service Environment.
  • Configure your app to honor the custom domain name.
  • Edit the public DNS host name so that it points to your Application Gateway.

Prerequisites

To integrate your Application Gateway with your ILB App Service Environment, you need:

  • An ILB App Service Environment.

  • An app running in the ILB App Service Environment.

  • An internet-routable domain name to be used with your app in the ILB App Service Environment.

  • The ILB address that your ILB App Service Environment uses. This information is in the App Service Environment portal under Settings > IP Addresses:

    [Figure: Example list of IP addresses used by the ILB App Service Environment]

  • A public DNS name that you will later point at your Application Gateway.

For details on how to create an ILB App Service Environment, see Creating and using an ILB App Service Environment.

This article assumes that you want the Application Gateway in the same Azure virtual network where the App Service Environment is deployed. Before you start to create the Application Gateway, pick or create a subnet to host the gateway. Application Gateway requires a subnet dedicated to application gateways; it cannot share a subnet with other resource types.

Do not use the subnet named GatewaySubnet. If you put the Application Gateway in GatewaySubnet, you will be unable to create a virtual network gateway (VPN or ExpressRoute) later.

You also cannot put the gateway in the subnet that your ILB App Service Environment uses. The App Service Environment must be the only thing in that subnet.

Configuration steps

  1. In the Azure portal, go to New > Network > Application Gateway.

  2. In the Basics area:

    a. For Name, enter the name of the Application Gateway.

    b. For Tier, select WAF.

    c. For Subscription, select the same subscription that the App Service Environment virtual network uses.

    d. For Resource group, create or select the resource group.

    e. For Location, select the location of the App Service Environment virtual network.

    [Figure: Basics for creating the new Application Gateway]

  3. In the Settings area:

    a. For Virtual network, select the App Service Environment virtual network.

    b. For Subnet, select the subnet where the Application Gateway needs to be deployed. Do not use GatewaySubnet, because doing so prevents the creation of VPN gateways.

    c. For IP address type, select Public.

    d. For Public IP address, select a public IP address. If you don't have one, create one now.

    e. For Protocol, select HTTP or HTTPS. If you're configuring for HTTPS, you need to provide a PFX certificate (the server certificate and its private key) for the listener.

    f. For Web application firewall, you can enable the firewall and set it to either Detection or Prevention as you see fit. Detection mode only logs requests that match the rule set; Prevention mode also blocks them. Starting in Detection mode is a common way to tune the rules before switching to Prevention.

    [Figure: Settings for creating the new Application Gateway]

  4. In the Summary section, review the settings and select OK. Your Application Gateway can take a little more than 30 minutes to complete setup.

  5. After your Application Gateway completes setup, go to its portal page. Select Backend pool, and add the ILB address of your ILB App Service Environment. The back-end address is the ILB, not the app itself: the ILB App Service Environment routes each request to the right app based on the request's Host header.

    [Figure: Configure the back-end pool]

  6. After the back-end pool is configured, select Health probes. Create a health probe whose host name is the domain name that you want to use for your app. The host name matters: because the back-end pool is the ILB address, a probe that doesn't carry the app's domain name as its Host header won't reach the app and will report the back end as unhealthy.

    [Figure: Configure the health probe]

  7. After the health probes are configured, select HTTP settings. Edit the existing settings, select Use custom probe, and pick the probe that you configured.

    [Figure: Configure the HTTP settings]

  8. Go to the Application Gateway's Overview section and copy the public IP address that your Application Gateway uses. Set that IP address as an A record for your app's domain name, or use the DNS name assigned to that public IP address in a CNAME record. It's easier to select the public IP address and copy it from the public IP address's own UI than to copy it from the link in the Application Gateway's Overview section.

    [Figure: Application Gateway portal page]

  9. Set the custom domain name for your app in your ILB App Service Environment. Go to your app in the portal and, under Settings, select Custom domains.

    [Figure: Set the custom domain name on the app]

The article Setting custom domain names for your web app covers setting custom domain names for web apps in general. For an app in an ILB App Service Environment, however, there is no validation of the domain name: because you own the DNS that resolves the app's endpoints, you can enter whatever name you want. The custom domain name you add here does not need to exist in your DNS, but it still has to be configured on the app, because the App Service Environment front ends use the Host header of each request to decide which app receives it. The Application Gateway passes the client's Host header through to the back end by default, so the name clients use to reach the gateway must be the name bound to the app.
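The portal steps above map onto an ARM template. The following Python is an added example (not code from the original article or from Azure's samples) that assembles the Application Gateway resource from steps 2 through 7, the host name binding from step 9, and the subnet rules from the prerequisites, as plain ARM JSON. Resource names, the subscription ID, the ILB address, and the domain are made-up placeholders; the SKU name WAF_Medium is assumed for the portal's "WAF" tier, and the API versions are assumptions as well.

```python
"""Build the ARM resources for fronting an ILB App Service Environment app with a WAF gateway.

Added example, not from the original article. All names, IDs and addresses below are
constructed placeholders; adjust them for your environment.
"""
import json

# Assumed resource group path (placeholder subscription ID).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"


def check_gateway_subnet(subnet_name, ase_subnet_name):
    """Enforce the two subnet rules from the text: never GatewaySubnet, never the ASE subnet."""
    if subnet_name == "GatewaySubnet":
        raise ValueError("GatewaySubnet is reserved for virtual network gateways")
    if subnet_name == ase_subnet_name:
        raise ValueError("the ILB ASE subnet may contain only the App Service Environment")
    return subnet_name


def app_gateway_resource(name, vnet, subnet, ase_subnet, public_ip, ilb_address,
                         app_domain, firewall_mode="Prevention"):
    """Return the Microsoft.Network/applicationGateways resource for steps 2-7."""
    check_gateway_subnet(subnet, ase_subnet)
    if firewall_mode not in ("Detection", "Prevention"):
        raise ValueError("firewall_mode must be Detection or Prevention")
    agw = f"{RG}/providers/Microsoft.Network/applicationGateways/{name}"

    def ref(kind, child):  # sub-resource reference inside the gateway
        return {"id": f"{agw}/{kind}/{child}"}

    return {
        "type": "Microsoft.Network/applicationGateways",
        "apiVersion": "2019-09-01",  # assumed
        "name": name,
        "properties": {
            "sku": {"name": "WAF_Medium", "tier": "WAF", "capacity": 2},  # step 2b (SKU name assumed)
            "gatewayIPConfigurations": [{"name": "gwip", "properties": {"subnet": {
                "id": f"{RG}/providers/Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}"}}}],
            "frontendIPConfigurations": [{"name": "feip", "properties": {"publicIPAddress": {
                "id": f"{RG}/providers/Microsoft.Network/publicIPAddresses/{public_ip}"}}}],
            "frontendPorts": [{"name": "port80", "properties": {"port": 80}}],
            # Step 5: the back end is the ASE's ILB address, not the app; the ASE routes by Host header.
            "backendAddressPools": [{"name": "ase-ilb", "properties": {
                "backendAddresses": [{"ipAddress": ilb_address}]}}],
            # Step 6: the probe must carry the app's custom domain as its Host header.
            "probes": [{"name": "app-probe", "properties": {
                "protocol": "Http", "host": app_domain, "path": "/",
                "interval": 30, "timeout": 30, "unhealthyThreshold": 3}}],
            # Step 7: HTTP settings use the custom probe.
            "backendHttpSettingsCollection": [{"name": "http", "properties": {
                "port": 80, "protocol": "Http", "probe": ref("probes", "app-probe")}}],
            "httpListeners": [{"name": "listener", "properties": {
                "frontendIPConfiguration": ref("frontendIPConfigurations", "feip"),
                "frontendPort": ref("frontendPorts", "port80"), "protocol": "Http"}}],
            "requestRoutingRules": [{"name": "rule1", "properties": {
                "ruleType": "Basic",
                "httpListener": ref("httpListeners", "listener"),
                "backendAddressPool": ref("backendAddressPools", "ase-ilb"),
                "backendHttpSettings": ref("backendHttpSettingsCollection", "http")}}],
            # Step 3f: WAF enabled, Detection (log only) or Prevention (log and block).
            "webApplicationFirewallConfiguration": {
                "enabled": True, "firewallMode": firewall_mode,
                "ruleSetType": "OWASP", "ruleSetVersion": "3.0"},
        },
    }


def host_name_binding(app_name, app_domain):
    """Step 9: bind the custom domain to the app so the ASE front ends route that Host header to it."""
    return {
        "type": "Microsoft.Web/sites/hostNameBindings",
        "apiVersion": "2018-11-01",  # assumed
        "name": f"{app_name}/{app_domain}",
        "properties": {"siteName": app_name},
    }


def build_template(gateway, binding):
    """Wrap both resources in a minimal ARM deployment template."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [gateway, binding],
    }


if __name__ == "__main__":
    gw = app_gateway_resource("agw-waf", "ase-vnet", "agw-subnet", "ase-subnet",
                              "agw-pip", "10.0.1.11", "app.example.com", "Detection")
    print(json.dumps(build_template(gw, host_name_binding("myapp", "app.example.com")), indent=2))
```

Deploy the printed template with your usual tooling after replacing the placeholders; the probe's `host` and the binding's host name must be the same string, since that is the Host header the ILB App Service Environment uses to pick the app.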

After setup is complete and you have allowed a short time for your DNS changes to propagate, you can reach your app through the Application Gateway by using the custom domain name that you created.