应用服务网络功能App Service networking features

可通过多种方式部署 Azure 应用服务中的应用程序。Applications in the Azure App Service can be deployed in multiple ways. 默认情况下,应用服务托管的应用可直接通过 Internet 访问,并且它们只能访问 Internet 托管的终结点。By default, App Service hosted apps are directly internet accessible and can only reach internet hosted endpoints. 但是,许多客户应用程序需要控制入站和出站网络流量。Many customer applications however need to control the inbound and outbound network traffic. 应用服务中的多项功能可以满足这些需求。There are several features available in the App Service to satisfy those needs. 难点在于,应该使用哪种功能来解决给定的问题。The challenge is knowing what feature should be used to solve a given problem. 本文档旨在帮助客户根据某些示例用例来确定要使用的功能。This document is intended to help customers determine what feature should be used based on some example use cases.

Azure 应用服务有两种主要部署类型。There are two primary deployment types for the Azure App Service. 多租户公共服务:在“免费”、“共享”、“基本”、“标准”、“高级”和“高级 v2”定价 SKU 中托管应用服务计划。There is the multi-tenant public service, which hosts App Service plans in the Free, Shared, Basic, Standard, Premium, and Premiumv2 pricing SKUs. 单租户应用服务环境 (ASE):直接在 Azure 虚拟网络 (VNet) 中托管隔离的 SKU 应用服务计划。Then there is the single tenant App Service Environment(ASE), which hosts Isolated SKU App Service plans directly in your Azure Virtual Network (VNet). 所用的功能根据是在多租户服务还是 ASE 中操作而有所不同。The features you use will vary on if you are in the multi-tenant service or in an ASE.

多租户应用服务网络功能Multi-tenant App Service networking features

Azure 应用服务是一种分布式系统。The Azure App Service is a distributed system. 处理传入 HTTP/HTTPS 请求的角色称为前端。The roles that handle incoming HTTP/HTTPS requests are called front-ends. 托管客户工作负荷的角色称为辅助角色。The roles that host the customer workload are called workers. 应用服务部署中的所有角色均存在于多租户网络中。All of the roles in an App Service deployment exist in a multi-tenant network. 由于同一应用服务缩放单元中包含许多不同的客户,因此无法将应用服务网络直接连接到网络。Because there are many different customers in the same App Service scale unit, you cannot connect the App Service network directly to your network. 在不连接网络的情况下,我们需要使用相应的功能来处理应用程序通信的各个方面。Instead of connecting the networks, we need features to handle the different aspects of application communication. 处理向应用发出的请求的功能不可用于解决从应用发出调用时出现的问题。The features that handle requests TO your app can't be used to solve problems when making calls FROM your app. 同理,解决从应用发出的调用的问题的功能,不可用于解决向应用发出请求的问题。Likewise, the features that solve problems for calls FROM your app can't be used to solve problems TO your app.

入站功能Inbound features 出站功能Outbound features
应用分配的地址App assigned address 混合连接Hybrid Connections
访问限制Access Restrictions 需要网关的 VNet 集成Gateway required VNet Integration

除非另有说明,否则所有功能都可以配合使用。Unless otherwise stated, all of the features can be used together. 可以混合使用这些功能来解决各种问题。You can mix the features to solve your various problems.

用例和功能Use case and features

对于任何给定的用例,可通过多种方法来解决问题。For any given use case, there can be a few ways to solve the problem. 有时,哪种功能合适并不仅仅是由用例本身决定的。The right feature to use is sometimes due to reasons beyond just the use case itself. 以下入站用例演示了如何使用应用服务网络功能来解决有关控制传入应用的流量的问题。The following inbound use cases suggest how to use App Service networking features to solve problems around controlling traffic going to your app.

入站用例Inbound use cases 功能Feature
支持应用的基于 IP 的 SSL 需求Support IP-based SSL needs for your app 应用分配的地址app assigned address
应用的非共享专用入站地址Not shared, dedicated inbound address for your app 应用分配的地址app assigned address
从一组妥善定义的地址限制对应用的访问Restrict access to your app from a set of well-defined addresses 访问限制Access Restrictions
限制从 VNet 中的资源访问应用Restrict access to my app from resources in a VNet ILB ASEILB ASE
在 VNet 中的专用 IP 上公开我的应用Expose my app on a private IP in my VNet ILB ASEILB ASE
包含服务终结点的应用程序网关上用于入站通信的专用 IPprivate IP for inbound on an Application Gateway with service endpoints
使用 WAF 保护我的应用Protect my app with a WAF 应用程序网关 + ILB ASEApplication Gateway + ILB ASE
包含服务终结点的应用程序网关Application Gateway with service endpoints
提供访问限制的 Azure Front DoorAzure Front Door with Access Restrictions
对发往不同区域中的应用的流量进行负载均衡Load balance traffic to my apps in different regions 提供访问限制的 Azure Front DoorAzure Front Door with Access Restrictions
对同一区域中的流量进行负载均衡Load balance traffic in the same region 包含服务终结点的应用程序网关Application Gateway with service endpoints

以下出站用例演示如何使用应用服务网络功能来解决应用的出站访问需求。The following outbound use cases suggest how to use App Service networking features to solve outbound access needs for your app.

出站用例Outbound use cases 功能Feature
访问位于同一区域的 Azure 虚拟网络中的资源Access resources in an Azure Virtual Network in the same region VNet 集成VNet Integration
访问位于不同区域的 Azure 虚拟网络中的资源Access resources in an Azure Virtual Network in a different region 需要网关的 VNet 集成Gateway required VNet Integration
ASE 和 VNet 对等互连ASE and VNet peering
访问通过服务终结点保护的资源Access resources secured with service endpoints ASEASE
访问未连接到 Azure 的专用网络中的资源Access resources in a private network not connected to Azure 混合连接Hybrid Connections
跨 ExpressRoute 线路访问资源Access resources across ExpressRoute circuits VNet 集成VNet Integration
保护来自 Web 应用的出站流量Secure outbound traffic from your web app VNet 集成和网络安全组VNet Integration and Network Security Groups
路由来自 Web 应用的出站流量Route outbound traffic from your web app VNet 集成和路由表VNet Integration and Route Tables

默认网络行为Default networking behavior

Azure 应用服务缩放单元为每个部署中的多个客户提供支持。The Azure App Service scale units support many customers in each deployment. “免费”和“共享”SKU 计划在多租户辅助角色上托管客户工作负荷。The Free and Shared SKU plans host customer workloads on multi-tenant workers. “基本”和更高层的计划仅托管专用于一个应用服务计划 (ASP) 的客户工作负荷。The Basic, and above plans host customer workloads that are dedicated to only one App Service plan (ASP). 如果你有“标准”应用服务计划,该计划中的所有应用将在同一个辅助角色上运行。If you had a Standard App Service plan, then all of the apps in that plan will run on the same worker. 如果横向扩展辅助角色,将在 ASP 中每个实例的新辅助角色上复制该 ASP 中的所有应用。If you scale out the worker, then all of the apps in that ASP will be replicated on a new worker for each instance in your ASP. 用于“高级 v2”的辅助角色不同于其他计划使用的辅助角色。The workers that are used for Premiumv2 are different from the workers used for the other plans. 在每个应用服务部署中,有一个 IP 地址用于发往该应用服务部署中的应用的所有入站流量。Each App Service deployment has one IP address that is used for all of the inbound traffic to the apps in that App Service deployment. 但是,有 4 到 11 个地址可用于发出出站调用。There are however anywhere from 4 to 11 addresses used for making outbound calls. 这些地址由该应用服务部署中的所有应用共享。These addresses are shared by all of the apps in that App Service deployment. 出站地址根据不同的辅助角色类型而异。The outbound addresses are different based on the different worker types. 即,“免费”、“共享”、“基本”、“标准”和“高级”ASP 使用的地址不同于用于从“高级 v2”ASP 发出出站调用的地址。That means that the addresses used by the Free, Shared, Basic, Standard and Premium ASPs are different than the addresses used for outbound calls from the Premiumv2 ASPs. 查看应用的属性时,可以看到应用使用的入站和出站地址。If you look in the properties for your app, you can see the inbound and outbound addresses that are used by your app. 如果需要锁定与 IP ACL 之间的依赖关系,请使用 possibleOutboundAddresses。If you need to lock down a dependency with an IP ACL, use the possibleOutboundAddresses.


应用服务包含许多用于管理服务的终结点。App Service has a number of endpoints that are used to manage the service. 这些地址发布在单独的文档中,同时包含在 AppServiceManagement IP 服务标记中。Those addresses are published in a separate document and are also in the AppServiceManagement IP service tag. AppServiceManagement 标记只能与需要允许此类流量的应用服务环境 (ASE) 配合使用。The AppServiceManagement tag is only used with an App Service Environment (ASE) where you need to allow such traffic. 将在 AppService IP 服务标记中跟踪应用服务的入站地址。The App Service inbound addresses are tracked in the AppService IP service tag. 没有任何 IP 服务标记包含应用服务使用的出站地址。There is no IP service tag that contains the outbound addresses used by App Service.


应用分配的地址App assigned address

应用分配的地址功能是基于 IP 的 SSL 功能的一个分支,可通过与应用建立 SSL 连接来访问它。The app assigned address feature is an offshoot of the IP-based SSL capability and is accessed by setting up SSL with your app. 此功能可用于基于 IP 的 SSL 调用,但也可用来为应用分配一个专用的地址。This feature can be used for IP-based SSL calls but it can also be used to give your app an address that only it has.


使用应用分配的地址时,流量仍会流经相同的前端角色,这些角色处理所有传入应用服务缩放单元的流量。When you use an app assigned address, your traffic still goes through the same front-end roles that handle all of the incoming traffic into the App Service scale unit. 但是,分配给应用的地址仅供该应用使用。The address that is assigned to your app however, is only used by your app. 此功能的用例如下:The use cases for this feature are to:

  • 支持应用的基于 IP 的 SSL 需求Support IP-based SSL needs for your app
  • 为应用设置一个不与其他任何组件共享的专用地址Set a dedicated address for your app that is not shared with anything else

可以通过有关在 Azure 应用服务中添加 TLS/SSL 证书的教程,学习如何在应用上设置地址。You can learn how to set an address on your app with the tutorial on Add a TLS/SSL certificate in Azure App Service.

访问限制Access Restrictions

使用访问限制功能可以基于来源 IP 地址筛选入站请求。The Access Restrictions capability lets you filter inbound requests based on the originating IP address. 筛选操作在前端角色上发生,这些前端角色位于运行应用的辅助角色的上游。The filtering action takes place on the front-end roles that are upstream from the worker roles where your apps are running. 由于前端角色位于辅助角色的上游,因此可将访问限制功能视为应用的网络级保护机制。Since the front-end roles are upstream from the workers, the Access Restrictions capability can be regarded as network level protection for your apps. 使用该功能可以生成按优先顺序评估的允许和拒绝地址块列表。The feature allows you to build a list of allow and deny address blocks that are evaluated in priority order. 它类似于 Azure 网络中的网络安全组 (NSG) 功能。It is similar to the Network Security Group (NSG) feature that exists in Azure Networking. 可以在 ASE 或多租户服务中使用此功能。You can use this feature in an ASE or in the multi-tenant service. 在 ILB ASE 中使用时,可以限制从专用地址块进行的访问。When used with an ILB ASE, you can restrict access from private address blocks.


需要限制可用于访问应用的 IP 地址时,访问限制功能非常有用。The Access Restrictions feature helps in scenarios where you want to restrict the IP addresses that can be used to reach your app. 此功能的用例包括:Among the use cases for this feature are:

  • 从一组妥善定义的地址限制对应用的访问Restrict access to your app from a set of well-defined addresses
  • 限制为通过负载均衡服务(例如 Azure Front Door)进行访问。Restrict access to coming through a load-balancing service, such as Azure Front Door. 若要将入站流量锁定为 Azure Front Door,请创建规则以允许来自 和 2a01:111:2050::/44 的流量。If you wanted to lock down your inbound traffic to Azure Front Door, create rules to allow traffic from and 2a01:111:2050::/44.

使用 Front Door 实现访问限制

若要锁定对应用的访问,以便只能从 Azure 虚拟网络 (VNet) 中的资源访问它,则当源位于 VNet 中时,需要指定一个静态公共地址。If you wish to lock down access to your app so that it can only be reached from resources in your Azure Virtual Network (VNet), you need a static public address on whatever your source is in your VNet. 如果资源没有公共地址,则应改用服务终结点功能。If the resources do not have a public address, you should use the Service Endpoints feature instead. 配置访问限制教程中了解如何启用此功能。Learn how to enable this feature with the tutorial on Configuring Access Restrictions.

混合连接Hybrid Connections

应用可以通过应用服务混合连接向指定的 TCP 终结点发出出站调用。App Service Hybrid Connections enables your apps to make outbound calls to specified TCP endpoints. 终结点可以位于本地、VNet 中,或者允许通过端口 443 向 Azure 发出出站流量的任何位置。The endpoint can be on-premises, in a VNet or anywhere that allows outbound traffic to Azure on port 443. 该功能要求在 Windows Server 2012 或更高版本的主机上安装名为“混合连接管理器”(HCM) 的中继代理。The feature requires the installation of a relay agent called the Hybrid Connection Manager (HCM) on a Windows Server 2012 or newer host. HCM 需要能够通过端口 443 访问 Azure 中继。The HCM needs to be able to reach Azure Relay at port 443. 可以通过门户中的应用服务混合连接 UI 下载 HCM。The HCM can be downloaded from the App Service Hybrid Connections UI in the portal.


应用服务混合连接功能构建在 Azure 中继混合连接功能的基础之上。The App Service Hybrid Connections feature is built on the Azure Relay Hybrid Connections capability. 应用服务使用一种特殊形式的功能,该功能仅支持从应用向 TCP 主机和端口发出出站调用。App Service uses a specialized form of the feature that only supports making outbound calls from your app to a TCP host and port. 只需在安装 HCM 的主机上解析此主机和端口。This host and port only need to resolve on the host where the HCM is installed. 当应用服务中的应用在混合连接中定义的主机和端口上执行 DNS 查找时,流量将自动重定向,以流经混合连接并传出混合连接管理器。When the app, in App Service, does a DNS lookup on the host and port defined in your Hybrid Connection, the traffic is automatically redirected to go through the Hybrid Connection and out the Hybrid Connection Manager. 若要详细了解混合连接,请参阅有关应用服务混合连接的文档To learn more about Hybrid Connections, read the documentation on App Service Hybrid Connections

此功能通常用于:This feature is commonly used to:

  • 通过 VPN 或 ExpressRoute 访问未连接到 Azure 的专用网络中的资源Access resources in private networks that are not connected to Azure with a VPN or ExpressRoute
  • 支持将本地应用直接迁移到应用服务,而无需同时移动支持数据库Support lift and shift of on-premises apps to App Service without needing to also move supporting databases
  • 根据混合连接配置安全提供对单个主机和端口的访问。Securely provide access to a single host and port per Hybrid Connection. 大多数网络功能都开放了对网络的访问;使用混合连接时,只能访问单个主机和端口。Most networking features open access to a network and with Hybrid Connections you only have the single host and port you can reach.
  • 实现其他出站连接方法无法实现的方案Cover scenarios not covered by other outbound connectivity methods
  • 在应用服务中进行开发,其中的应用可以轻松利用本地资源Perform development in App Service where the apps can easily leverage on-premises resources

由于使用此功能可以访问本地资源且无需在入站防火墙中开放额外的端口,因此它非常受开发人员的青睐。Because the feature enables access to on-premises resources without an inbound firewall hole, it is popular with developers. 其他出站应用服务网络功能与 Azure 虚拟网络密切相关。The other outbound App Service networking features are very Azure Virtual Networking related. 混合连接不依赖于遍历 VNet,可用于满足更广泛的网络需求。Hybrid Connections does not have a dependency on going through a VNet and can be used for a wider variety of networking needs. 必须注意的是,应用服务混合连接功能不考虑,也不知道在其上执行的操作。It is important to note that the App Service Hybrid Connections feature does not care or know what you are doing on top of it. 也就是说,可以使用它来访问数据库、Web 服务或大型机上的任意 TCP 套接字。That is to say that you can use it to access a database, a web service or an arbitrary TCP socket on a mainframe. 此功能在本质上是通过隧道传输 TCP 数据包。The feature essentially tunnels TCP packets.

混合连接不仅在开发活动中非常流行,而且可以在众多的生产应用程序中使用。While Hybrid Connections is popular for development, it is also used in numerous production applications as well. 它非常适合用于访问 Web 服务或数据库,但不适合在涉及到创建许多连接的场合中使用。It is great for accessing a web service or database, but is not appropriate for situations involving creating many connections.

需要网关的 VNet 集成Gateway required VNet Integration

应用可以通过网关所需的应用服务 VNet 集成功能向 Azure 虚拟网络发出出站请求。The gateway required App Service VNet Integration feature enables your app to make outbound requests into an Azure Virtual Network. 该功能的工作原理是通过点到站点 VPN 将运行应用的主机连接到 VNet 中的虚拟网络网关。The feature works by connecting the host your app is running on to a Virtual Network gateway on your VNet with a point-to-site VPN. 配置该功能时,应用将获取分配给每个实例的点到站点地址之一。When you configure the feature, your app gets one of the point-to-site addresses assigned to each instance. 使用此功能可以访问位于任何区域的经典或资源管理器 VNet 中的资源。This feature enables you to access resources in either Classic or Resource Manager VNets in any region.

需要网关的 VNet 集成

此功能解决了访问其他 VNet 中的资源的问题,并且可用于通过 VNet 连接到其他 VNet 甚至本地。This feature solves the problem of accessing resources in other VNets and can even be used to connect through a VNet to either other VNets or even on-premises. 它不适用于 ExpressRoute 连接的 VNet,但确实适用于站点到站点 VPN 连接的网络。It does not work with ExpressRoute connected VNets but does with Site-to-site VPN connected networks. 一般情况下,不适合从应用服务环境 (ASE) 中的应用使用此功能,因为 ASE 已在 VNet 中。It is normally inappropriate to use this feature from an app in an App Service Environment (ASE), because the ASE is already in your VNet. 此功能解决的用例如下:The use cases that this feature solves are:

  • 访问 Azure 虚拟网络中专用 IP 上的资源Accessing resources on private IPs in your Azure virtual networks
  • 访问本地资源(如果存在站点到站点 VPN)Accessing resources on-premises if there is a site-to-site VPN
  • 访问对等互连 VNet 中的资源Accessing resources in peered VNets

启用此功能后,应用将使用配置了目标 VNet 的 DNS 服务器。When this feature is enabled, your app will use the DNS server that the destination VNet is configured with. 可在有关应用服务 VNet 集成的文档中详细了解此功能。You can read more on this feature in the documentation on App Service VNet Integration.

应用服务环境App Service Environment

应用服务环境 (ASE) 是在 VNet 中运行的 Azure 应用服务的单租户部署。An App Service Environment (ASE) is a single tenant deployment of the Azure App Service that runs in your VNet. ASE 可以实现如下用例:The ASE enables use cases such as:

  • 访问 VNet 中的资源Access resources in your VNet
  • 跨 ExpressRoute 访问资源Access resources across ExpressRoute
  • 使用 VNet 中的专用地址公开应用Expose your apps with a private address in your VNet
  • 跨服务终结点访问资源Access resources across service endpoints

使用 ASE 时,无需使用 VNet 集成或服务终结点等功能,因为 ASE 已在 VNet 中。With an ASE, you do not need to use features like VNet Integration or service endpoints because the ASE is already in your VNet. 若要通过服务终结点访问 SQL 或存储等资源,请在 ASE 子网中启用服务终结点。If you want to access resources like SQL or Storage over service endpoints, enable service endpoints on the ASE subnet. 若要访问 VNet 中的资源,无需进行额外的配置。If you want to access resources in the VNet, there is no additional configuration required. 跨 ExpressRoute 访问资源时,你已位于 VNet 中,因此无需在 ASE 或其包含的应用中进行任何配置。If you want to access resources across ExpressRoute, you are already in the VNet and do not need to configure anything on the ASE or the apps inside it.

由于可以在专用 IP 地址上公开 ILB ASE 中的应用,因此,可以轻松添加 WAF 设备,以便只在 Internet 中公开所需的应用,并使剩余的应用保持安全。Because the apps in an ILB ASE can be exposed on a private IP address, you can easily add WAF devices to expose just the apps that you want to the internet and keep the rest secure. 这有助于轻松开发多层应用程序。It lends itself to easy development of multi-tier applications.

还有一些功能无法通过 ASE 中的多租户服务来实现。There are some things that are not yet possible from the multi-tenant service that are from an ASE. 这些功能包括:Those include things like:

  • 在专用 IP 地址上公开应用Expose your apps on a private IP address
  • 使用应用不提供的网络控制来保护所有出站流量Secure all outbound traffic with network controls that are not a part of your app
  • 在单租户服务中托管应用Host your apps in a single tenant service
  • 扩展到多租户服务无法支持的更多实例Scale up to many more instances than are possible in the multi-tenant service
  • 加载专用 CA 客户端证书,供应用通过专用 CA 保护的终结点使用Load private CA client certificates for use by your apps with private CA secured endpoints
  • 在无法在应用级别禁用的情况下,跨系统中托管的所有应用强制实施 TLS 1.1Force TLS 1.1 across all of the apps hosted in the system without any ability to disable at the app level
  • 为不与任何客户共享的 ASE 中的所有应用提供专用出站地址Provide a dedicated outbound address for all of the apps in your ASE that is not shared with any customers

VNet 中的 ASE

ASE 提供最佳的隔离和专用应用托管,但也附带了一些管理难题。The ASE provides the best story around isolated and dedicated app hosting but does come with some management challenges. 在使用正常运行的 ASE 之前需要考虑的事项包括:Some things to consider before using an operational ASE are:

  • ASE 在 VNet 中运行,但在 VNet 外部具有依赖项。An ASE runs inside your VNet but does have dependencies outside of the VNet. 必须允许这些依赖项。Those dependencies must be allowed. 应用服务环境的网络注意事项中了解详细信息Read more in Networking considerations for an App Service Environment
  • ASE 无法像多租户服务那样即时缩放。An ASE does not scale immediately like the multi-tenant service. 需要预测缩放需求,而不要被动地进行缩放。You need to anticipate scaling needs rather than reactively scaling.
  • ASE 具有较高的前期成本。An ASE does have a higher up front cost associated with it. 若要充分利用 ASE,应该计划将多个工作负荷放入一个 ASE,而不要用它来完成一些微不足道的工作In order to get the most out of your ASE, you should plan on putting many workloads into one ASE rather than have it used for small efforts
  • ASE 中的应用无法限制对 ASE 中某些应用的访问,但可以限制对其他应用的访问。The apps in an ASE cannot restrict access to some apps in an ASE and not others.
  • ASE 位于子网中,任何网络规则将应用到传入和传出该 ASE 的所有流量。The ASE is in a subnet and any networking rules apply to all the traffic to and from that ASE. 如果只想要为一个应用分配入站流量规则,请使用访问限制。If you want to assign inbound traffic rules for just one app, use Access Restrictions.

组合功能Combining features

可以结合使用多租户服务的所述功能来解决更复杂的用例。The features noted for the multi-tenant service can be used together to solve more elaborate use cases. 此处描述了两个较常见用例,但它们只是示例。Two of the more common use cases are described here but they are just examples. 了解每项功能的作用后,便几乎可以解决所有的系统体系结构需求。By understanding what the various features do, you can solve nearly all of your system architecture needs.

将应用注入 VNetInject app into a VNet

一个常见的请求是如何在 VNet 中放置应用。A common request is on how to put your app in a VNet. 将应用放入 VNet 意味着应用的入站和出站终结点都位于 VNet 中。Putting your app into a VNet means that the inbound and outbound endpoints for an app are within a VNet. ASE 提供最佳的解决方案来解决此问题,但是,组合功能可以在多租户服务中实现大部分需求。The ASE provides the best solution to solve this problem but, you can get most of what is needed with in the multi-tenant service by combining features. 例如,可通过以下方式使用专用入站和出站地址托管仅限 Intranet 的应用程序:For example, you can host intranet only applications with private inbound and outbound addresses by:

  • 使用专用入站和出站地址创建应用程序网关Creating an Application Gateway with private inbound and outbound address
  • 使用新的 VNet 集成,使应用后端位于 VNet 中Use the new VNet Integration so the backend of your app is in your VNet

此部署样式不会针对发往 Internet 的出站流量提供专用地址,也无法让你锁定来自应用的所有出站流量。This deployment style would not give you a dedicated address for outbound traffic to the internet or give you the ability to lock down all outbound traffic from your app. 此部署样式主要实现只能通过 ASE 实现的目的。This deployment style would give you a much of what you would only otherwise get with an ASE.

创建多层应用程序Create multi-tier applications

多层应用程序是只能从前端层访问其中的 API 后端应用的应用程序。A multi-tier application is an application where the API backend apps can only be accessed from the front-end tier. 若要创建多层应用程序,可以:To create a multi-tier application, you can:

  • 使用 VNet 集成将前端 Web 应用的后端连接到 VNet 中的子网Use VNet Integration to connect the backend of your front-end web app with a subnet in a VNet
  • 使用服务终结点保护发往 API 应用的入站流量,以便只允许来自前端 Web 应用所用子网的流量Use service endpoints to secure inbound traffic to your API app to only coming from the subnet used by your front-end web app


可以在其他前端应用中使用 VNet 集成,并在 API 应用及其子网中使用服务终结点,让多个前端应用使用同一个 API 应用。You can have multiple front-end apps use the same API app by using VNet Integration from the other front-end apps and service endpoints from the API app with their subnets.