App Service Environment management addresses

The App Service Environment (ASE) is a single-tenant deployment of the Azure App Service that runs in your Azure Virtual Network (VNet). While the ASE runs in your VNet, it must still be reachable from a number of dedicated IP addresses that the Azure App Service uses to manage the service. In the case of an ASE, the management traffic traverses the user-controlled network. If this traffic is blocked or misrouted, the ASE becomes suspended. For details on the ASE networking dependencies, read Networking considerations and the App Service Environment. For general information on the ASE, you can start with Introduction to the App Service Environment.

All ASEs have a public VIP that management traffic comes into. The incoming management traffic from these addresses arrives on ports 454 and 455 of the public VIP of your ASE. This document lists the App Service source addresses for management traffic to the ASE. These addresses are also in the IP Service Tag named AppServiceManagement.

The addresses noted below can be configured in a route table to avoid asymmetric routing problems with the management traffic. Routes act on traffic at the IP level and have no awareness of traffic direction or of whether the traffic is part of a TCP reply. If the reply to a TCP request leaves from a different address than the one the request was sent to, you have an asymmetric routing problem. To avoid asymmetric routing problems with your ASE management traffic, you need to ensure that replies are sent back from the same address the requests were sent to. For details on how to configure your ASE to operate in an environment where outbound traffic is sent on premises, read Configure your ASE with forced tunneling.

List of management addresses

Region | Addresses
All public regions | 13.66.140.0, 13.67.8.128, 13.69.64.128, 13.69.227.128, 13.70.73.128, 13.71.170.64, 13.71.194.129, 13.75.34.192, 13.75.127.117, 13.77.50.128, 13.78.109.0, 13.89.171.0, 13.94.141.115, 13.94.143.126, 13.94.149.179, 20.36.106.128, 20.36.114.64, 23.102.135.246, 23.102.188.65, 40.69.106.128, 40.70.146.128, 40.71.13.64, 40.74.100.64, 40.78.194.128, 40.79.130.64, 40.79.178.128, 40.83.120.64, 40.83.121.56, 40.83.125.161, 40.112.242.192, 51.140.146.64, 51.140.210.128, 52.151.25.45, 52.162.106.192, 52.165.152.214, 52.165.153.122, 52.165.154.193, 52.165.158.140, 52.174.22.21, 52.178.177.147, 52.178.184.149, 52.178.190.65, 52.178.195.197, 52.187.56.50, 52.187.59.251, 52.187.63.19, 52.187.63.37, 52.224.105.172, 52.225.177.153, 52.231.18.64, 52.231.146.128, 65.52.172.237, 70.37.57.58, 104.44.129.141, 104.44.129.243, 104.44.129.255, 104.44.134.255, 104.208.54.11, 104.211.81.64, 104.211.146.128, 157.55.208.185, 191.233.203.64, 191.236.154.88

Configuring a Network Security Group

With Network Security Groups, you do not need to worry about the individual addresses or maintain your own configuration. There is an IP service tag named AppServiceManagement that is kept up to date with all of the addresses. To use this IP service tag in your NSG, go to the portal, open your Network Security Groups UI, and select Inbound security rules. If you have a pre-existing rule for the inbound management traffic, edit it. If this NSG was not created with your ASE, or if it is all new, then select Add. Under the Source drop-down, select Service Tag. Under Source service tag, select AppServiceManagement. Set the source port ranges to *, Destination to Any, Destination port ranges to 454-455, Protocol to TCP, and Action to Allow. If you are creating the rule, you also need to set the Priority.

(Figure: creating an NSG rule with the AppServiceManagement service tag)

Configuring a route table

The management addresses can be placed in a route table with a next hop of Internet to ensure that all inbound management traffic is able to go back through the same path. These routes are needed when configuring forced tunneling. To create the route table, you can use the portal, PowerShell, or Azure CLI. The commands to create a route table using Azure CLI from a PowerShell prompt are below.

# Fill in the resource group, route table name and Azure region for your ASE.
$rg = "resource group name"
$rt = "route table name"
$location = "azure location"
# App Service management source addresses; each one gets its own /32 route.
$managementAddresses = "13.66.140.0", "13.67.8.128", "13.69.64.128", "13.69.227.128", "13.70.73.128", "13.71.170.64", "13.71.194.129", "13.75.34.192", "13.75.127.117", "13.77.50.128", "13.78.109.0", "13.89.171.0", "13.94.141.115", "13.94.143.126", "13.94.149.179", "20.36.106.128", "20.36.114.64", "23.102.135.246", "23.102.188.65", "40.69.106.128", "40.70.146.128", "40.71.13.64", "40.74.100.64", "40.78.194.128", "40.79.130.64", "40.79.178.128", "40.83.120.64", "40.83.121.56", "40.83.125.161", "40.112.242.192", "51.140.146.64", "51.140.210.128", "52.151.25.45", "52.162.106.192", "52.165.152.214", "52.165.153.122", "52.165.154.193", "52.165.158.140", "52.174.22.21", "52.178.177.147", "52.178.184.149", "52.178.190.65", "52.178.195.197", "52.187.56.50", "52.187.59.251", "52.187.63.19", "52.187.63.37", "52.224.105.172", "52.225.177.153", "52.231.18.64", "52.231.146.128", "65.52.172.237", "70.37.57.58", "104.44.129.141", "104.44.129.243", "104.44.129.255", "104.44.134.255", "104.208.54.11", "104.211.81.64", "104.211.146.128", "157.55.208.185", "191.233.203.64", "191.236.154.88", "52.181.183.11"

# Create the route table, then add one Internet next-hop route per management address
# so that replies to management traffic leave by the same path the requests arrived on.
az network route-table create --name $rt --resource-group $rg --location $location
foreach ($ip in $managementAddresses) {
    az network route-table route create -g $rg --route-table-name $rt -n $ip --next-hop-type Internet --address-prefix ($ip + "/32")
}

After your route table is created, you need to set it on your ASE subnet.
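The following added example (not part of the original page or of Azure's tooling) models why the /32 Internet routes are needed under forced tunneling. It simulates Azure-style longest-prefix-match route selection over a user-defined route table: a 0.0.0.0/0 route to a virtual appliance (the constructed address 10.0.1.4 stands in for an on-premises firewall) pulls replies to the management addresses off the path the requests arrived on, and adding a /32 route with next hop Internet for each address restores symmetric replies. A handful of addresses from the table above are used; the full list behaves the same way.

```python
import ipaddress
from typing import Dict, List, Optional

# A subset of the App Service management addresses listed on this page.
MANAGEMENT_ADDRESSES = [
    "13.66.140.0", "13.67.8.128", "13.69.64.128", "40.83.120.64", "191.236.154.88",
]

# A route in the Azure UDR model: prefix, next hop type ("Internet" or
# "VirtualAppliance"), and the appliance address when one applies.
Route = Dict[str, object]


def make_route(prefix: str, next_hop_type: str, next_hop: Optional[str] = None) -> Route:
    return {"prefix": ipaddress.ip_network(prefix),
            "next_hop_type": next_hop_type,
            "next_hop": next_hop}


def lookup(routes: List[Route], destination: str) -> Route:
    """Longest-prefix match: the most specific route containing the destination wins."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        raise LookupError(f"no route for {destination}")
    return max(matches, key=lambda r: r["prefix"].prefixlen)


def asymmetric_replies(routes: List[Route], sources: List[str]) -> List[str]:
    """Management addresses whose TCP reply would not leave via the Internet next hop,
    i.e. the reply takes a different path than the request came in on."""
    return [s for s in sources if lookup(routes, s)["next_hop_type"] != "Internet"]


def management_routes(sources: List[str]) -> List[Route]:
    """The /32 Internet routes that the Azure CLI loop on this page creates."""
    return [make_route(f"{s}/32", "Internet") for s in sources]


# Forced tunneling: a default route that sends all outbound traffic to an
# on-premises appliance (constructed address, assumption for this example).
FORCED_TUNNEL = [make_route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4")]


def demo():
    before = asymmetric_replies(FORCED_TUNNEL, MANAGEMENT_ADDRESSES)
    after = asymmetric_replies(FORCED_TUNNEL + management_routes(MANAGEMENT_ADDRESSES),
                               MANAGEMENT_ADDRESSES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("replies misrouted without /32 routes:", before)
    print("replies misrouted with /32 routes:   ", after)
```

Ordinary outbound traffic (anything not matched by a /32) still follows the default route to the appliance, so the fix is narrowly scoped to the management sources; `asymmetric_replies` is the check to re-run whenever the address list or the route table changes.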

Get your management addresses from the API

You can list the management addresses that apply to your ASE with the following API call.

GET /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Web/hostingEnvironments/<ASE Name>/inboundnetworkdependenciesendpoints?api-version=2016-09-01

The API returns a JSON document that includes all of the inbound addresses for your ASE. The list of addresses includes the management addresses, the VIP used by your ASE, and the ASE subnet address range itself.

To call the API with armclient, use the following commands, substituting your subscription ID, resource group, and ASE name.

armclient login Mooncake
armclient get /subscriptions/<subscription ID>/resourceGroups/<resource group>/providers/Microsoft.Web/hostingEnvironments/<ASE Name>/inboundnetworkdependenciesendpoints?api-version=2016-09-01
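Because the management address list changes over time (the service tag is kept current, a hard-coded array is not), a practical use of this API is to generate the route list from its output and to check a static list for drift. The example below is added here and is not part of the page or of armclient; it works on a constructed sample whose field names (`value`, `description`, `ports`, `endpoints`) are an assumption about the response shape, so adjust the selector to match what your ASE actually returns. It picks the entries that serve the management port, normalizes bare addresses to /32 prefixes, diffs them against a static list like the `$managementAddresses` array above, and emits Azure CLI route commands in the same form as the loop on this page.

```python
import ipaddress
import json
from typing import Dict, Iterable, List

# Constructed sample response (assumed shape, not captured from a real ASE).
# 203.0.113.10 is a TEST-NET-3 placeholder for the ASE VIP.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"description": "App Service management",
         "ports": ["454", "455"],
         "endpoints": ["13.66.140.0/32", "13.67.8.128/32", "52.181.183.11/32"]},
        {"description": "App Service Environment VIP",
         "ports": ["454", "455", "16001"],
         "endpoints": ["203.0.113.10"]},
        {"description": "ASE subnet",
         "ports": ["All"],
         "endpoints": ["10.0.2.0/24"]},
    ]
})


def management_prefixes(response_json: str, port: str = "454") -> List[ipaddress.IPv4Network]:
    """Select management entries (by description and port, an assumption about the
    schema) and normalize every endpoint to a network; bare addresses become /32."""
    doc = json.loads(response_json)
    prefixes = set()
    for entry in doc.get("value", []):
        if "management" not in entry.get("description", "").lower():
            continue
        if port not in entry.get("ports", []):
            continue
        for endpoint in entry.get("endpoints", []):
            prefixes.add(ipaddress.ip_network(endpoint, strict=False))
    return sorted(prefixes)


def diff_against_static(api_prefixes: Iterable[ipaddress.IPv4Network],
                        static_addresses: List[str]) -> Dict[str, List[str]]:
    """Drift check between the API result and a hard-coded address list."""
    api = {str(p.network_address) for p in api_prefixes if p.prefixlen == 32}
    static = set(static_addresses)
    return {"missing_from_static": sorted(api - static),
            "stale_in_static": sorted(static - api)}


def route_commands(api_prefixes: Iterable[ipaddress.IPv4Network], rg: str, rt: str) -> List[str]:
    """One Azure CLI route per prefix, matching the loop shown on this page."""
    return [
        f"az network route-table route create -g {rg} --route-table-name {rt} "
        f"-n {p.network_address} --next-hop-type Internet --address-prefix {p.with_prefixlen}"
        for p in api_prefixes
    ]


if __name__ == "__main__":
    prefixes = management_prefixes(SAMPLE_RESPONSE)
    print(diff_against_static(prefixes, ["13.66.140.0", "13.67.8.128", "191.236.154.88"]))
    for cmd in route_commands(prefixes, "my-rg", "ase-mgmt-rt"):
        print(cmd)
```

Feed it the real document by replacing `SAMPLE_RESPONSE` with the body returned by the armclient call above; a non-empty `stale_in_static` or `missing_from_static` result means the route table built from a fixed list no longer matches what the platform uses.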