应用服务环境简介Introduction to the App Service Environments


Azure 应用服务环境是一项 Azure 应用服务功能,可提供完全隔离和专用的环境,以便高度安全地运行应用服务应用。The Azure App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. 此功能可以托管:This capability can host your:

  • Windows Web 应用Windows web apps
  • Linux Web 应用Linux web apps
  • Docker 容器Docker containers
  • 移动应用Mobile apps
  • 函数Functions

应用服务环境 (ASE) 适用于有以下要求的应用程序工作负荷:App Service environments (ASEs) are appropriate for application workloads that require:

  • 极高的缩放性。Very high scale.
  • 隔离和安全网络访问。Isolation and secure network access.
  • 高内存利用率。High memory utilization.

客户可以在单个 Azure 区域或多个 Azure 区域创建多个 ASE。Customers can create multiple ASEs within a single Azure region or across multiple Azure regions. 这种灵活性使得 ASE 非常适合用于水平缩放无状态应用程序层,以支持高 RPS 工作负荷。This flexibility makes ASEs ideal for horizontally scaling stateless application tiers in support of high RPS workloads.

ASE 仅托管一个客户的应用程序,并在其一个 VNet 中进行托管。ASEs host applications from only one customer and do so in one of their VNets. 客户可以对入站和出站应用程序网络流量进行精细控制。Customers have fine-grained control over inbound and outbound application network traffic. 应用程序可以通过 VPN 建立到本地公司资源的高速安全连接。Applications can establish high-speed secure connections over VPNs to on-premises corporate resources.

  • ASE 附带自己的定价层,了解独立产品/服务如何有助于驱动超大规模和安全性。ASE comes with its own pricing tier, learn how the Isolated offering helps drive hyper-scale and security.
  • 应用服务环境 v2 提供了一个环境来保护网络子网中的应用,并提供你自己的 Azure 应用服务专用部署。App Service Environments v2 provide a surrounding to safeguard your apps in a subnet of your network and provides your own private deployment of Azure App Service.
  • 可使用多个 ASE 进行水平缩放。Multiple ASEs can be used to scale horizontally. 有关详细信息,请参阅如何设置异地分布式应用布局For more information, see how to set up a geo-distributed app footprint.
  • 可使用 ASE 配置安全体系结构,如“AzureCon 深入探讨”中所示。ASEs can be used to configure security architecture, as shown in the AzureCon Deep Dive.
  • 在 ASE 中运行的应用的访问权限可能受到 Web 应用程序防火墙 (WAF) 等上游设备的管制。Apps running on ASEs can have their access gated by upstream devices, such as web application firewalls (WAFs). 有关详细信息,请参阅 Web 应用程序防火墙 (WAF)For more information, see Web application firewall (WAF).
  • 可以使用区域固定将应用服务环境部署到可用性区域 (AZ) 中。App Service Environments can be deployed into Availability Zones (AZ) using zone pinning. 有关更多详细信息,请参阅应用服务环境对可用性区域的支持See App Service Environment Support for Availability Zones for more details.

专用环境Dedicated environment

ASE 专用于单个订阅,可托管 100 个应用服务计划实例。An ASE is dedicated exclusively to a single subscription and can host 100 App Service Plan instances. 其范围可涵盖单个应用服务计划中的 100 个实例,也可以是 100 个单实例应用服务计划,或者两者之间的任何实例。The range can span 100 instances in a single App Service plan to 100 single-instance App Service plans, and everything in between.

ASE 由前端和辅助角色组成。An ASE is composed of front ends and workers. 前端负责处理 HTTP/HTTPS 终止以及 ASE 中应用请求的自动负载均衡。Front ends are responsible for HTTP/HTTPS termination and automatic load balancing of app requests within an ASE. 前端作为应用服务计划自动添加在 ASE 中,并且可以扩展。Front ends are automatically added as the App Service plans in the ASE are scaled out.

辅助角色是托管客户应用的角色。Workers are roles that host customer apps. 辅助角色有 3 种固定大小:Workers are available in three fixed sizes:

  • 一个 vCPU/3.5 GB RAMOne vCPU/3.5 GB RAM
  • 两个 vCPU/7 GB RAMTwo vCPU/7 GB RAM
  • 四个 vCPU/14 GB RAMFour vCPU/14 GB RAM

客户无需管理前端和辅助角色。Customers do not need to manage front ends and workers. 客户扩展其应用服务计划时,会自动添加所有基础结构。All infrastructure is automatically added as customers scale out their App Service plans. 在 ASE 中创建或缩放应用服务计划时,将在适当的情况下添加或删除所需的基础结构。As App Service plans are created or scaled in an ASE, the required infrastructure is added or removed as appropriate.

ASE 每月会产生统一的基础结构使用费,该费率不会随 ASE 的大小变化而改变。There is a flat monthly rate for an ASE that pays for the infrastructure and doesn't change with the size of the ASE. 此外,每个应用服务计划 vCPU 也会产生费用。In addition, there is a cost per App Service plan vCPU. ASE 中托管的所有应用都在“隔离”定价 SKU 中。All apps hosted in an ASE are in the Isolated pricing SKU. 有关 ASE 定价的信息,请参阅应用服务定价页并查看 ASE 的可用选项。For information on pricing for an ASE, see the App Service pricing page and review the available options for ASEs.

虚拟网络支持Virtual network support

ASE 功能直接将 Azure 应用服务部署到客户的 Azure 资源管理器虚拟网络。The ASE feature is a deployment of the Azure App Service directly into a customer's Azure Resource Manager virtual network. 若要了解有关 Azure 虚拟网络的详细信息,请参阅 Azure 虚拟网络常见问题解答To learn more about Azure virtual networks, see the Azure virtual networks FAQ. ASE 始终存在于虚拟网络之中,更准确地说,是在虚拟网络的子网内。An ASE always exists in a virtual network, and more precisely, within a subnet of a virtual network. 可使用虚拟网络的安全功能为应用控制入站和出站网络通信。You can use the security features of virtual networks to control inbound and outbound network communications for your apps.

ASE 既可以是面向 Internet 的(使用公共 IP 地址),也可以是面向内部的(只使用 Azure 内部负载均衡器 (ILB) 地址)。An ASE can be either internet-facing with a public IP address or internal-facing with only an Azure internal load balancer (ILB) address.

网络安全组将入站网络通信限制为 ASE 所在的子网。Network Security Groups restrict inbound network communications to the subnet where an ASE resides. 可以在上游设备和服务(例如 WAF 和网络 SaaS 提供程序)后使用 NSG 来运行应用。You can use NSGs to run apps behind upstream devices and services such as WAFs and network SaaS providers.

应用还经常需要访问公司资源,例如内部数据库和 Web 服务。Apps also frequently need to access corporate resources such as internal databases and web services. 如果在包含本地网络的 VPN 连接的虚拟网络中部署 ASE,ASE 中的应用可以访问本地资源。If you deploy the ASE in a virtual network that has a VPN connection to the on-premises network, the apps in the ASE can access the on-premises resources. 无论 VPN 是站点到站点 VPN,还是 Azure ExpressRoute VPN,都可以使用此功能。This capability is true regardless of whether the VPN is a site-to-site or Azure ExpressRoute VPN.

有关如何在虚拟网络和本地网络中使用 ASE 的详细信息,请参阅应用服务环境网络注意事项For more information on how ASEs work with virtual networks and on-premises networks, see App Service Environment network considerations.