Application Gateway integration with service endpoints

There are three variations of App Service that require slightly different configuration of the integration with Azure Application Gateway. The variations are regular App Service (also known as multi-tenant), Internal Load Balancer (ILB) App Service Environment (ASE), and External ASE. This article walks through how to configure the integration with App Service (multi-tenant) and discusses considerations for ILB and External ASE.

Integration with App Service (multi-tenant)

App Service (multi-tenant) has a public, internet-facing endpoint. In the following scenario, we use this functionality to ensure that an App Service instance can only receive traffic from a specific Application Gateway instance.

[Figure: Application Gateway integration with App Service]

There are two parts to this configuration besides creating the App Service and the Application Gateway. The first part is enabling service endpoints in the subnet of the Virtual Network where the Application Gateway is deployed. Service endpoints ensure that all network traffic leaving that subnet towards the App Service is tagged with the specific subnet ID. The second part is setting an access restriction on the specific web app to ensure that only traffic tagged with this subnet ID is allowed. You can configure it using different tools depending on preference.

Using Azure portal

With the Azure portal, you follow four steps to provision and configure the setup. If you already have existing resources, you can skip the first steps.

  1. Create an App Service using one of the Quickstarts in the App Service documentation, for example the .NET Core Quickstart.
  2. Create an Application Gateway using the portal Quickstart, but skip the "Add backend targets" section.
  3. Configure App Service as a backend in Application Gateway, but skip the "Restrict access" section.

You can now access the App Service through Application Gateway, but if you try to access the App Service directly, you should receive a 403 HTTP error indicating that the web site is stopped.

[Figure: Application Gateway integration with App Service, showing the web app's access restriction]

Using Azure Resource Manager template

The Resource Manager deployment template provisions a complete scenario: an App Service instance locked down with service endpoints and an access restriction so that it only receives traffic from Application Gateway. The template includes many smart defaults and adds unique postfixes to the resource names to keep it simple. To override them, you have to clone the repo or download the template and edit it.

To apply the template, you can use the "Deploy to Azure" button found in the description of the template, or you can use the appropriate PowerShell/CLI commands.

Using Azure Command Line Interface

The Azure CLI sample provisions an App Service locked down with service endpoints and an access restriction so that it only receives traffic from Application Gateway. If you only need to isolate traffic to an existing App Service from an existing Application Gateway, the following command is sufficient.

az webapp config access-restriction add --resource-group myRG --name myWebApp --rule-name AppGwSubnet --priority 200 --subnet mySubNetName --vnet-name myVnetName

In the default configuration, the command ensures both the setup of the service endpoint configuration in the subnet and the access restriction in the App Service.

Considerations for ILB ASE

An ILB ASE isn't exposed to the internet, so traffic between the instance and an Application Gateway is already isolated to the Virtual Network. The following how-to guide configures an ILB ASE and integrates it with an Application Gateway using the Azure portal.

If you want to ensure that only traffic from the Application Gateway subnet reaches the ASE, you can configure a Network security group (NSG), which affects all web apps in the ASE. For the NSG, you can specify the subnet IP range and optionally the ports (80/443). Make sure you don't override the NSG rules required for the ASE to function correctly.

To isolate traffic to an individual web app, you need to use IP-based access restrictions, because service endpoints don't work for ASE. The IP address should be the private IP of the Application Gateway instance.

Considerations for External ASE

An External ASE has a public-facing load balancer, like multi-tenant App Service. Service endpoints don't work for ASE, so you have to use IP-based access restrictions with the public IP of the Application Gateway instance. To create an External ASE using the Azure portal, you can follow this Quickstart.

Considerations for the kudu/scm site

The scm site, also known as kudu, is an admin site that exists for every web app. It isn't possible to reverse proxy the scm site, and you most likely also want to lock it down to individual IP addresses or a specific subnet.

If you want to use the same access restrictions as the main site, you can inherit the settings using the following command.

az webapp config access-restriction set --resource-group myRG --name myWebApp --use-same-restrictions-for-scm-site

If you want to set individual access restrictions for the scm site, you can add access restrictions using the --scm-site flag, as shown below.

az webapp config access-restriction add --resource-group myRG --name myWebApp --scm-site --rule-name KudoAccess --priority 200 --ip-address 208.130.0.0/16
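The following script is an added example (not part of this article or the Azure CLI sample it links to) that puts the pieces above together: the two-part multi-tenant lockdown from the CLI section, the IP-based variant for ILB/External ASE, and the kudu/scm inheritance from this section. It assumes the Azure CLI is installed and logged in; the resource names are the article's placeholders, and the AZ dry-run hook is this script's own addition.

```shell
#!/usr/bin/env bash
# Added example (not from the article): lock an App Service down to one Application Gateway.
# Assumes Azure CLI ("az") is installed and logged in; resource names are placeholders.
# Set AZ="echo az" to dry-run and only print the commands that would be executed.
set -eu
AZ="${AZ:-az}"
RG="${RG:-myRG}"; WEBAPP="${WEBAPP:-myWebApp}"
VNET="${VNET:-myVnetName}"; SUBNET="${SUBNET:-mySubNetName}"

# Part 1 (multi-tenant App Service): tag traffic leaving the gateway subnet with its subnet ID.
# The access-restriction command below also does this by default; doing it explicitly keeps both parts visible.
enable_service_endpoint() {
  $AZ network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$SUBNET" --service-endpoints Microsoft.Web
}

# Part 2: allow only traffic tagged with that subnet on the main site (implicit deny for the rest).
restrict_to_subnet() {
  $AZ webapp config access-restriction add --resource-group "$RG" --name "$WEBAPP" \
    --rule-name AppGwSubnet --priority 200 --subnet "$SUBNET" --vnet-name "$VNET"
}

# ILB/External ASE variant: service endpoints don't apply, so allow the gateway's own IP
# (private IP for ILB ASE, public IP for External ASE) with an IP-based rule.
restrict_to_ip() {
  local cidr="$1"
  $AZ webapp config access-restriction add --resource-group "$RG" --name "$WEBAPP" \
    --rule-name AppGwIp --priority 200 --ip-address "$cidr"
}

# Kudu/scm is a separate admin site: inherit the main-site rules so it isn't left open.
lock_scm_site() {
  $AZ webapp config access-restriction set --resource-group "$RG" --name "$WEBAPP" \
    --use-same-restrictions-for-scm-site
}

# Verify: main site and scm site should each show only the expected Allow rule.
show_restrictions() {
  $AZ webapp config access-restriction show --resource-group "$RG" --name "$WEBAPP" -o table
}

lockdown_multitenant() {
  enable_service_endpoint
  restrict_to_subnet
  lock_scm_site
  show_restrictions
}

# Run with: ./lockdown.sh run  (or source the file and call restrict_to_ip <gateway-ip>/32 for ASE)
if [ "${1:-}" = "run" ]; then lockdown_multitenant; fi
```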

Next steps

For more information on the App Service Environment, see the App Service Environment documentation.

To further secure your web app, information about Web Application Firewall on Application Gateway can be found in the Azure Web Application Firewall documentation.