Integrate your app with an Azure Virtual Network

This document describes the Azure App Service virtual network integration feature and how to set it up with apps in the Azure App Service. Azure Virtual Networks (VNets) allow you to place many of your Azure resources in a non-internet routable network.

This document goes through the VNet Integration feature, which is for use in the multi-tenant App Service.

There is one form of the VNet Integration feature:

  • Enables integration with VNets in other regions or with Classic VNets. This feature requires deployment of a Virtual Network Gateway into your VNet. This is the point-to-site VPN-based feature.

VNet Integration gives your web app access to resources in your virtual network but doesn't grant inbound private access to your web app from the virtual network. Private site access refers to making your app only accessible from a private network, such as from within an Azure virtual network. VNet Integration is only for making outbound calls from your app into your VNet.

The VNet Integration feature:

  • requires a Standard, Premium, or PremiumV2 pricing plan
  • supports TCP and UDP
  • works with App Service apps and Function apps

There are some things that VNet Integration doesn't support, including:

  • mounting a drive
  • AD integration
  • NetBIOS

Gateway required VNet Integration

The Gateway required VNet Integration feature:

  • Can be used to connect to VNets in any region, whether they are Resource Manager or Classic VNets
  • Enables an app to connect to only 1 VNet at a time
  • Enables up to five VNets to be integrated with in an App Service Plan
  • Allows the same VNet to be used by multiple apps in an App Service Plan without impacting the total number that can be used by an App Service plan. If you have 6 apps using the same VNet in the same App Service plan, that counts as 1 VNet being used.
  • Requires a Virtual Network Gateway that is configured with Point to Site VPN
  • Supports a 99.9% SLA due to the SLA on the gateway

This feature does not support:

  • Accessing resources across ExpressRoute
  • Accessing resources across Service Endpoints

Getting started

Here are some things to keep in mind before connecting your web app to a virtual network:

  • A target virtual network must have point-to-site VPN enabled with a route-based gateway before it can be connected to an app.
  • The VNet must be in the same subscription as your App Service Plan (ASP).
  • The apps that integrate with a VNet use the DNS that is specified for that VNet.

Set up a gateway in your VNet

If you already have a gateway configured with point-to-site addresses, you can skip to configuring VNet Integration with your app.
To create a gateway:

  1. Create a gateway subnet in your VNet.

  2. Create the VPN gateway. Select a route-based VPN type.

  3. Set the point-to-site addresses. If the gateway isn't in the Basic SKU, then IKEv2 must be disabled in the point-to-site configuration and SSTP must be selected. The address space must be in the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

If you are just creating the gateway for use with App Service VNet Integration, then you do not need to upload a certificate. Creating the gateway can take 30 minutes. You will not be able to integrate your app with your VNet until the gateway is provisioned.

Configure VNet Integration with your app

To enable VNet Integration on your app:

  1. Go to your app in the Azure portal, open app settings, and select Networking > VNet Integration. Your ASP must be in a Standard SKU or better to use either VNet Integration feature.

  2. Select Add VNet.

  3. Select your VNet.

Your app will be restarted after this last step.

How the gateway required VNet Integration feature works

The gateway required VNet Integration feature is built on top of point-to-site VPN technology. The point-to-site technology limits network access to just the virtual machine hosting the app. Apps are restricted to only send traffic out to the internet, through Hybrid Connections or through VNet Integration.


Managing VNet Integration

The ability to connect to and disconnect from a VNet is at an app level. Operations that can affect the VNet Integration across multiple apps are at the App Service plan level. From the app > Networking > VNet Integration portal, you can get details on your VNet. You can see similar information at the ASP level in the ASP > Networking > VNet Integration portal, including which apps in that App Service plan are using a given integration.


The information you have available to you in the VNet Integration UI is the same between the app and ASP portals.

  • VNet Name - links to the virtual network UI.
  • Location - reflects the location of your VNet. Integrating with a VNet in another location can cause latency issues for your app.
  • Certificate Status - reflects if your certificates are in sync between your App Service plan and your VNet.
  • Gateway Status - Should you be using the gateway required VNet Integration, you can see the gateway status.
  • VNet address space - shows the IP address space for your VNet.
  • Point-to-site address space - shows the point-to-site IP address space for your VNet. When making calls into your VNet while using the gateway required feature, your app FROM address will be one of these addresses.
  • Site-to-site address space - You can use site-to-site VPNs to connect your VNet to your on-premises resources or to other VNets. The IP ranges defined with that VPN connection are shown here.
  • DNS Servers - shows the DNS Servers configured with your VNet.
  • IP addresses routed to the VNet - shows the routed address blocks used to drive traffic into your VNet.

The only operation you can take in the app view of your VNet Integration is to disconnect your app from the VNet it is currently connected to. To disconnect your app from a VNet, select Disconnect. Your app will be restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet. The subnet or gateway is not removed. If you then want to delete your VNet, you need to first disconnect your app from the VNet and delete the resources in it, such as gateways.

To reach the ASP VNet Integration UI, open your ASP UI and select Networking. Under VNet Integration, select Click here to configure to open the Network Feature Status UI.


The ASP VNet Integration UI will show you all of the VNets that are used by the apps in your ASP. To see details on each VNet, click on the VNet you are interested in. There are two actions you can perform here.

  • Sync network. The sync network operation is only for the gateway-dependent VNet Integration feature. Performing a sync network operation ensures that your certificates and network information are in sync. If you add or change the DNS of your VNet, you need to perform a Sync network operation. This operation will restart any apps using this VNet.
  • Add routes. Adding routes will drive outbound traffic into your VNet.

Routing: The routes that are defined in your VNet are used to direct traffic into your VNet from your app. If you need to send additional outbound traffic into the VNet, then you can add those address blocks here. This capability only works with gateway required VNet Integration.

Certificates: When the gateway required VNet Integration is enabled, there is a required exchange of certificates to ensure the security of the connection. Along with the certificates are the DNS configuration, routes, and other similar things that describe the network. If certificates or network information is changed, you need to click "Sync Network". When you click "Sync Network", you cause a brief outage in connectivity between your app and your VNet. While your app isn't restarted, the loss of connectivity could cause your site to not function properly.

Accessing on-premises resources

Apps can access on-premises resources by integrating with VNets that have site-to-site connections. If you are using the gateway required VNet Integration, you need to update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and are not described here. You cannot have BGP configured with a site-to-site VPN connection.

Note

The gateway required VNet Integration feature doesn't integrate an app with a VNet that has an ExpressRoute Gateway. Even if the ExpressRoute Gateway is configured in coexistence mode, the VNet Integration doesn't work.

Peering

If you are using the gateway required VNet Integration with peering, you need to configure a few additional items. To configure peering to work with your app:

  1. Add a peering connection on the VNet your app connects to. When adding the peering connection, enable Allow virtual network access and check Allow forwarded traffic and Allow gateway transit.
  2. Add a peering connection on the VNet that is being peered to the VNet you are connected to. When adding the peering connection on the destination VNet, enable Allow virtual network access and check Allow forwarded traffic and Allow remote gateways.
  3. Go to the App Service plan > Networking > VNet Integration UI in the portal. Select the VNet your app connects to. Under the routing section, add the address range of the VNet that is peered with the VNet your app is connected to.

Pricing details

There are three related charges to the use of the gateway required VNet Integration feature:

  • ASP pricing tier charges - Your apps need to be in a Standard, Premium, or PremiumV2 App Service Plan. You can see more details on those costs here: App Service Pricing.
  • Data transfer costs - There is a charge for data egress, even if the VNet is in the same data center. Those charges are described in Data Transfer Pricing Details.
  • VPN Gateway costs - There is a cost to the VNet gateway that is required for the point-to-site VPN. The details are on the VPN Gateway Pricing page.

Troubleshooting

While the feature is easy to set up, that doesn't mean that your experience will be problem free. Should you encounter problems accessing your desired endpoint, there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools -> Kudu. This is the same as going to [sitename].scm.chinacloudsites.cn. Once that opens, go to the Debug console tab. To get to the Azure portal hosted console, from your app go to Tools -> Console.

Tools

The tools ping, nslookup and tracert won't work through the console due to security constraints. To fill the void, two separate tools were added. In order to test DNS functionality, we added a tool named nameresolver.exe. The syntax is:

nameresolver.exe hostname [optional: DNS Server]

You can use nameresolver to check the hostnames that your app depends on. This way you can test if you have anything misconfigured with your DNS or perhaps don't have access to your DNS server. You can see the DNS server that your app will use in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.

The next tool allows you to test for TCP connectivity to a host and port combination. This tool is called tcpping and the syntax is:

tcpping.exe hostname [optional: port]

The tcpping utility tells you if you can reach a specific host and port. It can only show success if there is an application listening at the host and port combination, and there is network access from your app to the specified host and port.

Debugging access to VNet hosted resources

There are a number of things that can prevent your app from reaching a specific host and port. Most of the time it is one of three things:

  • A firewall is in the way. If you have a firewall in the way, you will hit the TCP timeout. The TCP timeout is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be due to many things beyond firewalls, but start there.
  • DNS isn't accessible. The DNS timeout is three seconds per DNS server. If you have two DNS servers, the timeout is 6 seconds. Use nameresolver to see if DNS is working. Remember you can't use nslookup, as that doesn't use the DNS your VNet is configured with. If inaccessible, you could have a firewall or NSG blocking access to DNS, or it could be down.

If those items don't answer your problems, look first for things like:

Gateway required VNet Integration

  • Is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
  • Does the Gateway show as being up in the portal? If your gateway is down, then bring it back up.
  • Do certificates show as being in sync, or do you suspect that the network configuration was changed? If your certificates are out of sync or you suspect that there has been a change made to your VNet configuration that wasn't synced with your ASPs, then hit "Sync Network".
  • If going across ExpressRoute or a VPN, is your on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your VNet but not on-premises, this is good to check.

Debugging networking issues is a challenge because you cannot see what is blocking access to a specific host:port combination. Some of the causes include:

  • You have a firewall up on your host preventing access to the application port from your point-to-site IP range. Crossing subnets often requires Public access.
  • Your target host is down.
  • Your application is down.
  • You had the wrong IP or hostname.
  • Your application is listening on a different port than what you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
  • Your network security groups are configured in such a manner that they prevent access to your application host and port from your point-to-site IP range.

Remember that you don't know what address your app will actually use. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.
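Two of the checks above, whether the point-to-site pool sits inside RFC 1918 and whether the allowed source ranges on an NSG or firewall rule cover the entire pool, can be verified offline. The following is an added example, not part of the original document; the function names and all sample prefixes are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 blocks named on this page. ipaddress's is_private is
# broader (it also matches loopback, link-local, etc.), so compare against
# these blocks explicitly instead of relying on it.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(pool):
    """True if the whole IPv4 pool lies inside a single RFC 1918 block."""
    net = ipaddress.ip_network(pool, strict=True)
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918)


def uncovered(pool, allowed_sources):
    """Return the parts of `pool` that no allowed source prefix matches.

    An empty list means every address the app could use as its FROM
    address is permitted by the rule set (IPv4 prefixes assumed).
    """
    remaining = [ipaddress.ip_network(pool)]
    for src in map(ipaddress.ip_network, allowed_sources):
        still_open = []
        for net in remaining:
            if net.subnet_of(src):
                continue                      # fully covered by this rule
            if src.subnet_of(net):
                # rule covers only part of this block; keep the rest
                still_open.extend(net.address_exclude(src))
            else:
                still_open.append(net)        # disjoint, rule is irrelevant
        remaining = still_open
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    p2s_pool = "172.16.0.0/24"
    rule_sources = ["172.16.0.0/25"]          # allows only half the pool
    print("RFC 1918:", in_rfc1918(p2s_pool))
    print("Not allowed:", uncovered(p2s_pool, rule_sources))
```

A non-empty result from `uncovered` explains intermittent failures: calls succeed only when the app happens to use an address inside the allowed half of the pool.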

Additional debug steps include:

  • Connect to a VM in your VNet and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection. The syntax is:

    test-netconnection hostname [optional: -Port]
    
  • Bring up an application on a VM and test access to that host and port from your app's console using tcpping.

On-premises resources

If your app cannot reach a resource on-premises, then check if you can reach the resource from your VNet. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection may not be configured properly.

If your VNet hosted VM can reach your on-premises system but your app can't, then the cause is likely one of the following reasons:

  • Your routes are not configured with your subnet or point-to-site address ranges in your on-premises gateway.
  • Your network security groups are blocking access for your point-to-site IP range.
  • Your on-premises firewalls are blocking traffic from your point-to-site IP range.

PowerShell automation

You can integrate App Service with an Azure Virtual Network using PowerShell. For a ready-to-run script, see Connect an app in Azure App Service to an Azure Virtual Network.