App Service networking features

You can deploy applications in Azure App Service in multiple ways. By default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. But for many applications, you need to control the inbound and outbound network traffic. There are several features in App Service to help you meet those needs. The challenge is knowing which feature to use to solve a given problem. This article will help you determine which feature to use, based on some example use cases.

There are two main deployment types for Azure App Service:

  • The multitenant public service hosts App Service plans in the Free, Shared, Basic, Standard, Premium, PremiumV2, and PremiumV3 pricing SKUs.
  • The single-tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure virtual network.

The features you use will depend on whether you're in the multitenant service or in an ASE.

Multitenant App Service networking features

Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called front ends. The roles that host the customer workload are called workers. All the roles in an App Service deployment exist in a multitenant network. Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network.

Instead of connecting the networks, you need features to handle the various aspects of application communication. The features that handle requests to your app can't be used to solve problems when you're making calls from your app. Likewise, the features that solve problems for calls from your app can't be used to solve problems for calls to your app.

| Inbound features | Outbound features |
| --- | --- |
| App-assigned address | Hybrid Connections |
| Access restrictions | Gateway-required VNet Integration |

Other than the noted exceptions, you can use all of these features together. You can mix the features to solve your problems.

Use cases and features

For any given use case, there might be a few ways to solve the problem. Choosing the best feature sometimes goes beyond the use case itself. The following inbound use cases suggest how to use App Service networking features to solve problems with controlling traffic going to your app:

| Inbound use case | Feature |
| --- | --- |
| Support IP-based SSL needs for your app | App-assigned address |
| Support an unshared dedicated inbound address for your app | App-assigned address |
| Restrict access to your app from a set of well-defined addresses | Access restrictions |
| Restrict access to your app from resources in a virtual network | ILB ASE |
| Expose your app on a private IP in your virtual network | ILB ASE; private IP for inbound on an Application Gateway with service endpoints |
| Protect your app with a web application firewall (WAF) | Application Gateway and ILB ASE; Application Gateway with service endpoints; Azure Front Door with access restrictions |
| Load balance traffic to your apps in different regions | Azure Front Door with access restrictions |
| Load balance traffic in the same region | Application Gateway with service endpoints |

The following outbound use cases suggest how to use App Service networking features to solve outbound access needs for your app:

| Outbound use case | Feature |
| --- | --- |
| Access resources in an Azure virtual network in the same region | VNet Integration; ASE |
| Access resources in an Azure virtual network in a different region | Gateway-required VNet Integration; ASE and virtual network peering |
| Access resources secured with service endpoints | ASE |
| Access resources in a private network that's not connected to Azure | Hybrid Connections |
| Access resources across Azure ExpressRoute circuits | VNet Integration; ASE |
| Secure outbound traffic from your web app | VNet Integration and network security groups; ASE |
| Route outbound traffic from your web app | VNet Integration and route tables; ASE |

Default networking behavior

Azure App Service scale units support many customers in each deployment. The Free and Shared SKU plans host customer workloads on multitenant workers. The Basic and higher plans host customer workloads that are dedicated to only one App Service plan. If you have a Standard App Service plan, all the apps in that plan will run on the same worker. If you scale out the worker, all the apps in that App Service plan will be replicated on a new worker for each instance in your App Service plan.

Outbound addresses

The worker VMs are broken down in large part by the App Service plans. The Free, Shared, Basic, Standard, and Premium plans all use the same worker VM type. The PremiumV2 plan uses another VM type. PremiumV3 uses yet another VM type. When you change the VM family, you get a different set of outbound addresses. If you scale from Standard to PremiumV2, your outbound addresses will change. If you scale from PremiumV2 to PremiumV3, your outbound addresses will change. In some older scale units, both the inbound and outbound addresses will change when you scale from Standard to PremiumV2.

A number of addresses are used for outbound calls. The outbound addresses used by your app for making outbound calls are listed in the properties for your app. These addresses are shared by all the apps running on the same worker VM family in the App Service deployment. If you want to see all the addresses that your app might use in a scale unit, there's a property called possibleOutboundAddresses that lists them.

[Screenshot that shows app properties.]

App Service has a number of endpoints that are used to manage the service. Those addresses are published in a separate document and are also in the AppServiceManagement IP service tag. The AppServiceManagement tag is used only in App Service Environments where you need to allow such traffic. The App Service inbound addresses are tracked in the AppService IP service tag. There's no IP service tag that contains the outbound addresses used by App Service.

[Diagram that shows inbound and outbound traffic for App Service.]

App-assigned address

The app-assigned address feature is an offshoot of the IP-based SSL capability. You access it by setting up SSL with your app. You can use this feature for IP-based SSL calls. You can also use it to give your app an address that only it has.

[Diagram that shows an app-assigned address.]

When you use an app-assigned address, your traffic still goes through the same front-end roles that handle all the incoming traffic into the App Service scale unit. But the address that's assigned to your app is used only by your app. Use cases for this feature:

  • Support IP-based SSL needs for your app.
  • Set a dedicated address for your app that's not shared.

To learn how to set an address on your app, see Add a TLS/SSL certificate in Azure App Service.

Access restrictions

Access restrictions let you filter inbound requests. The filtering action takes place on the front-end roles that are upstream from the worker roles where your apps are running. Because the front-end roles are upstream from the workers, you can think of access restrictions as network-level protection for your apps.

This feature allows you to build a list of allow and deny rules that are evaluated in priority order. It's similar to the network security group (NSG) feature in Azure networking. You can use this feature in an ASE or in the multitenant service. When you use it with an ILB ASE or a private endpoint, you can restrict access from private address blocks.

Note

Up to 512 access restriction rules can be configured per app.

[Diagram that illustrates access restrictions.]

IP-based access restriction rules

The IP-based access restrictions feature helps when you want to restrict the IP addresses that can be used to reach your app. Both IPv4 and IPv6 are supported. Some use cases for this feature:

  • Restrict access to your app from a set of well-defined addresses.
  • Restrict access to traffic coming through a load-balancing service, like Azure Front Door. If you want to lock down your inbound traffic to Azure Front Door, create rules to allow traffic from 147.243.0.0/16 and 2a01:111:2050::/44.

To learn how to enable this feature, see Configuring access restrictions.

Hybrid Connections

App Service Hybrid Connections enables your apps to make outbound calls to specified TCP endpoints. The endpoint can be on-premises, in a virtual network, or anywhere that allows outbound traffic to Azure on port 443. To use the feature, you need to install a relay agent called Hybrid Connection Manager on a Windows Server 2012 or newer host. Hybrid Connection Manager needs to be able to reach Azure Relay at port 443. You can download Hybrid Connection Manager from the App Service Hybrid Connections UI in the portal.

[Diagram that shows the network flow of Hybrid Connections.]

App Service Hybrid Connections is built on the Azure Relay Hybrid Connections capability. App Service uses a specialized form of the feature that only supports making outbound calls from your app to a TCP host and port. This host and port only need to resolve on the host where Hybrid Connection Manager is installed.

When the app, in App Service, does a DNS lookup on the host and port defined in your hybrid connection, the traffic automatically redirects to go through the hybrid connection and out of Hybrid Connection Manager. To learn more, see App Service Hybrid Connections.

This feature is commonly used to:

  • Access resources in private networks that aren't connected to Azure with a VPN or ExpressRoute.
  • Support the migration of on-premises apps to App Service without the need to move supporting databases.
  • Provide access with improved security to a single host and port per hybrid connection. Most networking features open access to a network. With Hybrid Connections, you can only reach the single host and port.
  • Cover scenarios not covered by other outbound connectivity methods.
  • Perform development in App Service in a way that allows the apps to easily use on-premises resources.

Because this feature enables access to on-premises resources without an inbound firewall hole, it's popular with developers. The other outbound App Service networking features are related to Azure Virtual Network. Hybrid Connections doesn't depend on going through a virtual network. It can be used for a wider variety of networking needs.

Note that App Service Hybrid Connections is unaware of what you're doing on top of it. So you can use it to access a database, a web service, or an arbitrary TCP socket on a mainframe. The feature essentially tunnels TCP packets.

Hybrid Connections is popular for development, but it's also used in production applications. It's great for accessing a web service or database, but it's not appropriate for situations that involve creating many connections.

Gateway-required VNet Integration

Gateway-required App Service VNet Integration enables your app to make outbound requests into an Azure virtual network. The feature works by connecting the host your app is running on to a virtual network gateway on your virtual network by using a point-to-site VPN. When you configure the feature, your app gets one of the point-to-site addresses assigned to each instance. This feature enables you to access resources in either classic or Azure Resource Manager virtual networks in any region.

[Diagram that illustrates gateway-required VNet Integration.]

This feature solves the problem of accessing resources in other virtual networks. It can even be used to connect through a virtual network to either other virtual networks or on-premises. It doesn't work with ExpressRoute-connected virtual networks, but it does work with site-to-site VPN-connected networks. It's usually inappropriate to use this feature from an app in an App Service Environment (ASE) because the ASE is already in your virtual network. Use cases for this feature:

  • Access resources on private IPs in your Azure virtual networks.
  • Access resources on-premises if there's a site-to-site VPN.
  • Access resources in peered virtual networks.

When this feature is enabled, your app will use the DNS server that the destination virtual network is configured with. For more information on this feature, see App Service VNet Integration.

App Service Environment

An App Service Environment (ASE) is a single-tenant deployment of the Azure App Service that runs in your virtual network. Some use cases for this feature:

  • Access resources in your virtual network.
  • Access resources across ExpressRoute.
  • Expose your apps with a private address in your virtual network.
  • Access resources across service endpoints.

With an ASE, you don't need to use features like VNet Integration or service endpoints because the ASE is already in your virtual network. If you want to access resources like SQL or Azure Storage over service endpoints, enable service endpoints on the ASE subnet. If you want to access resources in the virtual network, you don't need to do any additional configuration. If you want to access resources across ExpressRoute, you're already in the virtual network and don't need to configure anything on the ASE or the apps in it.

Because the apps in an ILB ASE can be exposed on a private IP address, you can easily add WAF devices to expose just the apps that you want to the internet and help keep the rest secure. This feature can help make the development of multitier applications easier.

Some things aren't currently possible from the multitenant service but are possible from an ASE. Here are some examples:

  • Expose your apps on a private IP address.
  • Help secure all outbound traffic with network controls that aren't a part of your app.
  • Host your apps in a single-tenant service.
  • Scale up to many more instances than are possible in the multitenant service.
  • Load private CA client certificates for use by your apps with private CA-secured endpoints.
  • Force TLS 1.1 across all apps hosted in the system without any ability to disable it at the app level.
  • Provide a dedicated outbound address for all the apps in your ASE that isn't shared with other customers.

[Diagram that illustrates an ASE in a virtual network.]

The ASE provides the best story around isolated and dedicated app hosting, but it does involve some management challenges. Some things to consider before you use an operational ASE:

  • An ASE runs inside your virtual network, but it does have dependencies outside the virtual network. Those dependencies must be allowed. For more information, see Networking considerations for an App Service Environment.
  • An ASE doesn't scale immediately like the multitenant service. You need to anticipate scaling needs rather than reactively scaling.
  • An ASE does have a higher up-front cost. To get the most out of your ASE, you should plan to put many workloads into one ASE rather than using it for small efforts.
  • The apps in an ASE can't selectively restrict access to some apps in the ASE and not others.
  • An ASE is in a subnet, and any networking rules apply to all the traffic to and from that ASE. If you want to assign inbound traffic rules for just one app, use access restrictions.

Combining features

The features noted for the multitenant service can be used together to solve more elaborate use cases. Two of the more common use cases are described here, but they're just examples. By understanding what the various features do, you can meet nearly all your system architecture needs.

Place an app into a virtual network

You might wonder how to put an app into a virtual network. If you put your app into a virtual network, the inbound and outbound endpoints for the app are within the virtual network. An ASE is the best way to solve this problem. But you can meet most of your needs within the multitenant service by combining features. For example, you can host intranet-only applications with private inbound and outbound addresses by:

  • Securing inbound traffic to your app with service endpoints.
  • Using the new VNet Integration feature so the back end of your app is in your virtual network.

This deployment style won't give you a dedicated address for outbound traffic to the internet or the ability to lock down all outbound traffic from your app. It will give you much of what you would otherwise get only with an ASE.

Create multitier applications

A multitier application is an application in which the API back-end apps can be accessed only from the front-end tier. There are two ways to create a multitier application. Both start by using VNet Integration to connect your front-end web app to a subnet in a virtual network. Doing so will enable your web app to make calls into your virtual network. After your front-end app is connected to the virtual network, you need to decide how to lock down access to your API application. You can:

  • Host both the front end and the API app in the same ILB ASE, and expose the front-end app to the internet by using an application gateway.
  • Host the front end in the multitenant service and the back end in an ILB ASE.
  • Host both the front end and the API app in the multitenant service.

If you're hosting both the front end and the API app for a multitier application, you can:

  • Expose your API application by using private endpoints in your virtual network:

    [Diagram that illustrates using private endpoints in a two-tier app.]

  • Use service endpoints to ensure inbound traffic to your API app comes only from the subnet used by your front-end web app:

    [Diagram that illustrates using service endpoints to help secure an app.]

Here are some considerations to help you decide which method to use:

  • When you use service endpoints, you only need to secure traffic to your API app to the integration subnet. This helps to secure the API app, but you could still have data exfiltration from your front-end app to other apps in App Service.
  • When you use private endpoints, you have two subnets at play, which adds complexity. Also, the private endpoint is a top-level resource and adds management overhead. The benefit of using private endpoints is that you don't have the possibility of data exfiltration.

Either method will work with multiple front ends. On a small scale, service endpoints are easier to use because you simply enable service endpoints for the API app on the front-end integration subnet. As you add more front-end apps, you need to adjust every API app to include service endpoints with the integration subnet. When you use private endpoints, there's more complexity, but you don't have to change anything on your API apps after you set a private endpoint.
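The Front Door lockdown described under IP-based access restriction rules and the service-endpoint restriction on the API app described here both come down to an ordered allow/deny list evaluated on the front ends. The following Python model, added here and not Azure's or the article's code, evaluates such a rule set offline against constructed sample requests so the effect of rule order can be checked before rules are applied to an app. The 147.243.0.0/16 and 2a01:111:2050::/44 prefixes and the 512-rule limit come from the article; the subnet resource ID and the implicit deny-all for unmatched traffic are assumptions.

```python
"""Constructed model of how App Service access restrictions decide a request.

Not Azure's own code: it mirrors the semantics the article describes (allow
and deny rules evaluated in priority order, IPv4 and IPv6 prefixes, at most
512 rules per app). A subnet rule stands in for a service-endpoint
restriction, matched on the source subnet instead of a client IP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

MAX_RULES_PER_APP = 512  # per-app limit stated in the article


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    action: str                      # "Allow" or "Deny"
    ip_prefix: Optional[str] = None  # IPv4 or IPv6 CIDR
    subnet_id: Optional[str] = None  # virtual-network subnet resource ID

    def matches(self, source_ip: Optional[str], source_subnet: Optional[str]) -> bool:
        if self.ip_prefix is not None:
            # "address in network" is False across IP versions, so an IPv6
            # client never matches an IPv4 prefix and vice versa.
            return source_ip is not None and ip_address(source_ip) in ip_network(self.ip_prefix)
        if self.subnet_id is not None:
            return source_subnet is not None and source_subnet.lower() == self.subnet_id.lower()
        return False


def validate(rules: List[Rule]) -> None:
    """Reject rule sets the service would not accept."""
    if len(rules) > MAX_RULES_PER_APP:
        raise ValueError(f"{len(rules)} rules exceed the limit of {MAX_RULES_PER_APP} per app")
    for rule in rules:
        if rule.action not in ("Allow", "Deny"):
            raise ValueError(f"{rule.name}: action must be Allow or Deny")
        if (rule.ip_prefix is None) == (rule.subnet_id is None):
            raise ValueError(f"{rule.name}: exactly one of ip_prefix or subnet_id is required")
        if rule.ip_prefix is not None:
            ip_network(rule.ip_prefix)  # raises ValueError on a malformed prefix


def evaluate(rules: List[Rule], source_ip: Optional[str] = None,
             source_subnet: Optional[str] = None) -> str:
    """Return "Allow" or "Deny" for one inbound request; the first matching rule wins."""
    if not rules:
        return "Allow"  # no rules: the app is reachable from the internet (default behaviour)
    validate(rules)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(source_ip, source_subnet):
            return rule.action
    # Unmatched traffic is denied once any rule exists (implicit deny-all;
    # assumed service behaviour, not stated in the article).
    return "Deny"


# Lock inbound traffic to Azure Front Door with the prefixes given in the article.
FRONT_DOOR_RULES = [
    Rule("AllowFrontDoorIPv4", 100, "Allow", ip_prefix="147.243.0.0/16"),
    Rule("AllowFrontDoorIPv6", 110, "Allow", ip_prefix="2a01:111:2050::/44"),
]

# Multitier API app: admit only the front end's VNet Integration subnet.
# The resource ID is a hypothetical placeholder, not taken from the article.
INTEGRATION_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
                      "/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-integration")
API_APP_RULES = [Rule("AllowFrontEndSubnet", 100, "Allow", subnet_id=INTEGRATION_SUBNET)]

if __name__ == "__main__":
    # Constructed sample sources: a Front Door IPv4 and IPv6 address, and a stray internet client.
    for ip in ("147.243.10.20", "2a01:111:2050::1", "203.0.113.7"):
        print(f"{ip:>18} -> {evaluate(FRONT_DOOR_RULES, source_ip=ip)}")
    print("front-end subnet   ->", evaluate(API_APP_RULES, source_subnet=INTEGRATION_SUBNET))
    print("internet client    ->", evaluate(API_APP_RULES, source_ip="203.0.113.7"))
```

A lower-numbered Deny placed ahead of the Front Door Allow rules wins for the addresses it covers, which is the same precedence behaviour to expect from NSG-style evaluation on the real front ends.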

Line-of-business applications

Line-of-business (LOB) applications are internal applications that aren't normally exposed for access from the internet. These applications are called from inside corporate networks where access can be strictly controlled. If you use an ILB ASE, it's easy to host your line-of-business applications. If you use the multitenant service, you can either use private endpoints or use service endpoints combined with an application gateway. There are two reasons to use an application gateway with service endpoints instead of using private endpoints:

  • You need WAF protection on your LOB apps.
  • You want to load balance to multiple instances of your LOB apps.

If neither of these needs apply, you're better off using private endpoints. With private endpoints available in App Service, you can expose your apps on private addresses in your virtual network. The private endpoint you place in your virtual network can be reached across ExpressRoute and VPN connections.

Configuring private endpoints will expose your apps on a private address, but you'll need to configure DNS to reach that address from on-premises. To make this configuration work, you'll need to forward the Azure DNS private zone that contains your private endpoints to your on-premises DNS servers. Azure DNS private zones don't support zone forwarding, but you can support zone forwarding by using a DNS server for that purpose. The DNS Forwarder template makes it easier to forward your Azure DNS private zone to your on-premises DNS servers.

App Service ports

If you scan App Service, you'll find several ports that are exposed for inbound connections. There's no way to block or control access to these ports in the multitenant service. Here's the list of exposed ports:

| Use | Port or ports |
| --- | --- |
| HTTP/HTTPS | 80, 443 |
| Management | 454, 455 |
| FTP/FTPS | 21, 990, 10001-10020 |
| Visual Studio remote debugging | 4020, 4022, 4024 |
| Web Deploy service | 8172 |
| Infrastructure use | 7654, 1221 |