Integrate your app with an Azure virtual network

This article describes the Azure App Service VNet Integration feature and how to set it up with apps in Azure App Service. With Azure Virtual Network (VNet), you can place many of your Azure resources in a non-internet-routable network.

Azure App Service has two variations:

  • The multitenant systems, which support the full range of pricing plans except Isolated.
  • The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.

The VNet Integration feature is used in multitenant apps. If your app is in an App Service Environment, it's already in a VNet and doesn't require the VNet Integration feature to reach resources in the same VNet. For more information on all of the networking features, see App Service networking features.

VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is used only to make outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it's used with a VNet in the same region and with a VNet in other regions. The VNet Integration feature has two variations:

  • Gateway-required VNet Integration: When you connect to a VNet in another region or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.

The VNet Integration features:

  • Require a Standard, Premium, PremiumV2, or Elastic Premium pricing plan.
  • Support TCP and UDP.
  • Work with Azure App Service apps and function apps.

There are some things that VNet Integration doesn't support, like:

  • Mounting a drive.
  • Active Directory integration.
  • NetBIOS.

Gateway-required VNet Integration provides access only to resources in the target VNet or in networks connected to the target VNet with peering or VPNs. It doesn't enable access to resources available across Azure ExpressRoute connections, and it doesn't work with service endpoints.

Regardless of the version used, VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making your app accessible only from a private network, such as from within an Azure VNet. VNet Integration is only for making outbound calls from your app into your VNet.

Enable VNet Integration

  1. Go to the Networking UI in the App Service portal. Under VNet Integration, select Click here to configure.

  2. Select Add VNet.

    (Screenshot: Select VNet Integration)

  3. The drop-down list contains all of the Resource Manager VNets in all other regions. Select the VNet you want to integrate with.

    (Screenshot: Select VNet)

    • To select a VNet in another region, you must have a VNet gateway provisioned with point-to-site enabled.
    • To integrate with a classic VNet, instead of selecting from the Virtual Network drop-down list, select Click here to connect to a Classic VNet. Select the classic virtual network you want. The target VNet must already have a Virtual Network gateway provisioned with point-to-site enabled.

    (Screenshot: Select classic VNet)

During the integration, your app is restarted. When integration is finished, you'll see details on the VNet you're integrated with.

Gateway-required VNet Integration

Gateway-required VNet Integration supports connecting to a VNet in another region or to a classic virtual network. Gateway-required VNet Integration:

  • Enables an app to connect to only one VNet at a time.
  • Enables up to five VNets to be integrated within an App Service plan.
  • Allows the same VNet to be used by multiple apps in an App Service plan without affecting the total number that can be used by the plan. If you have six apps using the same VNet in the same App Service plan, that counts as one VNet being used.
  • Supports a 99.9% SLA, because of the SLA on the gateway.
  • Enables your apps to use the DNS that the VNet is configured with.
  • Requires a route-based Virtual Network gateway configured with an SSTP point-to-site VPN before it can be connected to an app.

You can't use gateway-required VNet Integration:

  • With a VNet connected with Azure ExpressRoute.
  • To access service endpoint secured resources.
  • With a coexistence gateway that supports both ExpressRoute and point-to-site or site-to-site VPNs.

Set up a gateway in your Azure virtual network

To create a gateway:

  1. Create a gateway subnet in your VNet.

  2. Create the VPN gateway. Select a route-based VPN type.

  3. Set the point-to-site addresses. If the gateway isn't in the Basic SKU, IKEv2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be within the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

If you create the gateway for use with App Service VNet Integration, you don't need to upload a certificate. Creating the gateway can take 30 minutes. You won't be able to integrate your app with your VNet until the gateway is provisioned.
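The three steps above, carried out with the Az PowerShell module. This is an added example, not a script from the original article or from Microsoft; the resource group, region, VNet, gateway and subnet names and the address ranges are assumptions, and the VNet is assumed to exist already. It creates the GatewaySubnet, a public IP for the gateway, and a route-based VPN gateway whose point-to-site configuration offers only SSTP, which is what disabling IKEv2 on a non-Basic SKU amounts to.

```powershell
# Added example (not from the original article). Requires the Az module and an
# active Connect-AzAccount session. All names and address ranges are assumptions.
$rg        = 'rg-vnet-integration-demo'   # assumed existing resource group
$location  = 'chinanorth2'                # assumed region
$vnetName  = 'vnet-demo'                  # assumed existing VNet, e.g. 10.10.0.0/16
$gwName    = 'vpngw-demo'
$gwSubnet  = '10.10.255.0/27'             # assumed free range inside the VNet
$p2sPool   = '172.16.201.0/24'            # RFC 1918; must not overlap the VNet or on-premises ranges

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# Step 1: the gateway subnet. The name must be exactly 'GatewaySubnet'.
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnet -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Step 2: public IP and IP configuration for a route-based VPN gateway.
# (A Standard-SKU static public IP is assumed to be acceptable for the chosen gateway SKU.)
$pip = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
           -AllocationMethod Static -Sku Standard
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Step 3: create the gateway with the point-to-site pool and SSTP as the only client protocol.
# No client root certificate is uploaded; App Service manages the certificates itself.
# The cmdlet blocks until provisioning finishes, which can take 30 minutes or more.
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
          -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
          -VpnClientProtocol SSTP -VpnClientAddressPool $p2sPool

# Show the settings gateway-required VNet Integration depends on.
[pscustomobject]@{
    ProvisioningState = $gw.ProvisioningState
    VpnType           = $gw.VpnType
    Sku               = $gw.Sku.Name
    ClientProtocols   = ($gw.VpnClientConfiguration.VpnClientProtocols -join ', ')
    P2SAddressPool    = ($gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes -join ', ')
}
```

Run it once per VNet; the final object is the quickest way to confirm that the gateway reports RouteBased, SSTP and the expected point-to-site pool before you try to integrate the app in the portal.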

How gateway-required VNet Integration works

Gateway-required VNet Integration is built on top of point-to-site VPN technology. Point-to-site VPNs limit network access to the virtual machine that hosts the app. Apps are restricted to sending traffic out to the internet only through Hybrid Connections or through VNet Integration. When your app is configured with the portal to use gateway-required VNet Integration, a complex negotiation is managed on your behalf to create and assign certificates on the gateway and the application side. The result is that the workers used to host your apps are able to connect directly to the virtual network gateway in the selected VNet.

(Diagram: How gateway-required VNet Integration works)

Access on-premises resources

Apps can access on-premises resources by integrating with VNets that have site-to-site connections. If you use gateway-required VNet Integration, update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and aren't described here. You can't have BGP configured with a site-to-site VPN connection.

To reach on-premises resources, you simply need to connect your VNet to on-premises by using ExpressRoute or a site-to-site VPN.

Note

The gateway-required VNet Integration feature doesn't integrate an app with a VNet that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, VNet Integration doesn't work.

Peering

If you use gateway-required VNet Integration with peering, you need to configure a few additional items. To configure peering to work with your app:

  1. Add a peering connection on the VNet your app connects to. When you add the peering connection, enable Allow virtual network access and select Allow forwarded traffic and Allow gateway transit.
  2. Add a peering connection on the VNet that's being peered to the VNet you're connected to. When you add the peering connection on the destination VNet, enable Allow virtual network access and select Allow forwarded traffic and Allow remote gateways.
  3. Go to the App Service plan > Networking > VNet Integration UI in the portal. Select the VNet your app connects to. Under the routing section, add the address range of the VNet that's peered with the VNet your app is connected to.
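The same three steps expressed with the Az module, as an added example that is not part of the original article or of any Microsoft script. VNet, plan and resource group names are assumptions. Steps 1 and 2 use the documented peering switches; step 3 creates the App Service plan route through the ARM resource type Microsoft.Web/serverfarms/virtualNetworkConnections/routes, whose name layout, API version and properties (startAddress, endAddress, routeType) are assumed here rather than taken from the article, which describes that step only in the portal.

```powershell
# Added example (not from the original article). Names and ranges are assumptions.
$rg        = 'rg-vnet-integration-demo'
$appVnet   = 'vnet-app'      # the VNet the app is connected to; it holds the VPN gateway
$peerVnet  = 'vnet-spoke'    # the VNet peered to it, e.g. 10.20.0.0/16
$planName  = 'asp-demo'      # the App Service plan whose VNet connection gets the route

$hub   = Get-AzVirtualNetwork -Name $appVnet  -ResourceGroupName $rg
$spoke = Get-AzVirtualNetwork -Name $peerVnet -ResourceGroupName $rg

# Step 1: on the app's VNet, allow forwarded traffic and gateway transit.
# Virtual network access is allowed by default when the peering is created.
Add-AzVirtualNetworkPeering -Name 'app-to-spoke' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic -AllowGatewayTransit | Out-Null

# Step 2: on the peered VNet, allow forwarded traffic and use the app VNet's gateway.
Add-AzVirtualNetworkPeering -Name 'spoke-to-app' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic -UseRemoteGateways | Out-Null

# Convert a CIDR prefix into its first and last address, which the route resource expects.
function Get-CidrRange ([string]$Cidr) {
    $ip, $len = $Cidr.Split('/')
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes(); [Array]::Reverse($b)
    $start = [BitConverter]::ToUInt32($b, 0)
    $end   = [uint32]($start + [math]::Pow(2, 32 - [int]$len) - 1)
    foreach ($n in @($start, $end)) {
        $o = [BitConverter]::GetBytes([uint32]$n); [Array]::Reverse($o)
        ([System.Net.IPAddress]::new([byte[]]$o)).ToString()
    }
}

# Step 3: add one static route per address prefix of the peered VNet to the plan's
# VNet connection (resource type, API version and property names are assumptions).
$i = 0
foreach ($prefix in $spoke.AddressSpace.AddressPrefixes) {
    $startIp, $endIp = Get-CidrRange $prefix
    New-AzResource -ResourceGroupName $rg -ApiVersion '2022-03-01' -Force `
        -ResourceType 'Microsoft.Web/serverfarms/virtualNetworkConnections/routes' `
        -Name "$planName/$appVnet/peer-route-$i" `
        -Properties @{ startAddress = $startIp; endAddress = $endIp; routeType = 'STATIC' } | Out-Null
    $i++
}

# Confirm both peerings reached the Connected state.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $appVnet |
    Select-Object Name, PeeringState, AllowForwardedTraffic, AllowGatewayTransit, UseRemoteGateways
```

If step 3 fails in your environment, add the peered VNet's range in the portal exactly as the numbered steps describe; steps 1 and 2 are what make the gateway reachable from the peered network, and the route is what makes the app send that range through the gateway.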

Manage VNet Integration

Connecting and disconnecting with a VNet is at an app level. Operations that can affect VNet Integration across multiple apps are at the App Service plan level. From the app > Networking > VNet Integration portal, you can get details on your VNet. You can see similar information at the App Service plan level in the App Service plan > Networking > VNet Integration portal.

The only operation you can take in the app view of your VNet Integration instance is to disconnect your app from the VNet it's currently connected to. To disconnect your app from a VNet, select Disconnect. Your app is restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet; the subnet or gateway isn't removed. If you then want to delete your VNet, first disconnect your app from the VNet and delete the resources in it, such as gateways.

The App Service plan VNet Integration UI shows you all of the VNet integrations used by the apps in your App Service plan. To see details on each VNet, select the VNet you're interested in. There are two actions you can perform here for gateway-required VNet Integration:

  • Sync network: The sync network operation is used only for the gateway-dependent VNet Integration feature. Performing a sync network operation ensures that your certificates and network information are in sync. If you add or change the DNS of your VNet, perform a sync network operation. This operation restarts any apps that use this VNet.
  • Add routes: Adding routes drives outbound traffic into your VNet.

Gateway-required VNet Integration routing

The routes that are defined in your VNet are used to direct traffic into your VNet from your app. To send additional outbound traffic into the VNet, add those address blocks here. This capability only works with gateway-required VNet Integration. Route tables don't affect your app traffic when you use gateway-required VNet Integration.

Gateway-required VNet Integration certificates

When gateway-required VNet Integration is enabled, there's a required exchange of certificates to ensure the security of the connection. Along with the certificates are the DNS configuration, routes, and other similar things that describe the network.

If certificates or network information is changed, select Sync Network. When you select Sync Network, you cause a brief outage in connectivity between your app and your VNet. While your app isn't restarted, the loss of connectivity could cause your site to not function properly.

Pricing details

Three charges are related to the use of the gateway-required VNet Integration feature:

  • App Service plan pricing tier charges: Your apps need to be in a Standard, Premium, or PremiumV2 App Service plan. For more information on those costs, see App Service pricing.
  • Data transfer costs: There's a charge for data egress, even if the VNet is in the same datacenter. Those charges are described in Data Transfer pricing details.
  • VPN gateway costs: There's a cost to the virtual network gateway that's required for the point-to-site VPN. For more information, see VPN gateway pricing.

Troubleshooting

The feature is easy to set up, but that doesn't mean your experience will be problem free. If you encounter problems accessing your desired endpoint, there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console, and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools > Kudu. You can also reach the Kudu console at [sitename].scm.chinacloudsites.cn. After the website loads, go to the Debug console tab. To get to the Azure portal-hosted console from your app, go to Tools > Console.

Tools

The tools ping, nslookup, and tracert won't work through the console because of security constraints. To fill the void, two separate tools are added. To test DNS functionality, we added a tool named nameresolver.exe. The syntax is:

nameresolver.exe hostname [optional: DNS Server]

You can use nameresolver to check the hostnames that your app depends on. This way you can test whether anything is misconfigured with your DNS or whether you lack access to your DNS server. You can see the DNS servers that your app uses in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.

You can use the next tool to test for TCP connectivity to a host and port combination. This tool is called tcpping, and the syntax is:

tcpping.exe hostname [optional: port]

The tcpping utility tells you whether you can reach a specific host and port. It can show success only if there's an application listening at the host and port combination, and there's network access from your app to the specified host and port.

Debug access to virtual network-hosted resources

A number of things can prevent your app from reaching a specific host and port. Most of the time it's one of these things:

  • A firewall is in the way. If you have a firewall in the way, you hit the TCP timeout. The TCP timeout is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be caused by many things beyond firewalls, but start there.
  • DNS isn't accessible. The DNS timeout is 3 seconds per DNS server. If you have two DNS servers, the timeout is 6 seconds. Use nameresolver to see whether DNS is working. You can't use nslookup, because it doesn't use the DNS your virtual network is configured with. If DNS is inaccessible, you could have a firewall or NSG blocking access to DNS, or it could be down.

If those items don't answer your problems, look first for things like:

Gateway-required VNet Integration

  • Is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
  • Does the gateway show as being up in the portal? If your gateway is down, bring it back up.
  • Do certificates show as being in sync, or do you suspect that the network configuration was changed? If your certificates are out of sync, or you suspect that a change was made to your virtual network configuration that wasn't synced with your App Service plans, select Sync Network.
  • If you're going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your virtual network but not on-premises, check your routes.
  • Are you trying to use a coexistence gateway that supports both point-to-site and ExpressRoute? Coexistence gateways aren't supported with VNet Integration.
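The gateway-side items in this checklist can be read straight from the gateway resource instead of clicked through in the portal. The following is an added example, not a script from the original article or from Microsoft; the resource group and gateway names are assumptions, and the "no coexistence gateway" check only looks for an ExpressRoute gateway sharing the same gateway subnet within the same resource group. It reports whether the gateway is provisioned, is route-based, has a point-to-site pool that lies entirely inside the RFC 1918 blocks, and offers SSTP with IKEv2 disabled. Certificate sync state is not exposed on the gateway object, so that item stays a portal check.

```powershell
# Added example (not from the original article). Requires the Az module; names are assumptions.
$rg     = 'rg-vnet-integration-demo'
$gwName = 'vpngw-demo'

# IPv4 dotted-quad -> unsigned 32-bit integer (network byte order reversed for BitConverter)
function ConvertTo-UInt32Address ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# True only when the whole CIDR prefix is contained in one RFC 1918 block.
function Test-Rfc1918Prefix ([string]$Cidr) {
    $ip, $len = $Cidr.Split('/'); $len = [int]$len
    $addr = ConvertTo-UInt32Address $ip
    foreach ($block in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $bip, $blen = $block.Split('/'); $blen = [int]$blen
        if ($len -lt $blen) { continue }                 # a wider prefix cannot be contained
        $hostBits = [math]::Pow(2, 32 - $blen)           # compare the leading $blen bits only
        if ([math]::Floor($addr / $hostBits) -eq [math]::Floor((ConvertTo-UInt32Address $bip) / $hostBits)) {
            return $true
        }
    }
    return $false
}

function Test-VnetIntegrationGateway ([string]$ResourceGroupName, [string]$Name) {
    $gw        = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $Name
    $p2s       = $gw.VpnClientConfiguration
    $pools     = @($p2s.VpnClientAddressPool.AddressPrefixes)
    $protocols = @($p2s.VpnClientProtocols)
    $badPools  = @($pools | Where-Object { -not (Test-Rfc1918Prefix $_) })

    $findings = [ordered]@{
        'Gateway provisioned (up)'     = $gw.ProvisioningState -eq 'Succeeded'
        'Route-based VPN gateway'      = ($gw.GatewayType -eq 'Vpn') -and ($gw.VpnType -eq 'RouteBased')
        'Point-to-site pool configured' = $pools.Count -gt 0
        'Pool inside RFC 1918'         = ($pools.Count -gt 0) -and ($badPools.Count -eq 0)
        'SSTP enabled, IKEv2 disabled' = ($protocols -contains 'SSTP') -and ($protocols -notcontains 'IkeV2')
    }

    # A second gateway of type ExpressRoute on the same subnet means a coexistence setup.
    $subnetId = $gw.IpConfigurations[0].Subnet.Id
    $coexist  = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName |
        Where-Object { $_.Name -ne $Name -and $_.GatewayType -eq 'ExpressRoute' -and
                       $_.IpConfigurations[0].Subnet.Id -eq $subnetId }
    $findings['No ExpressRoute coexistence gateway'] = -not $coexist

    foreach ($k in $findings.Keys) {
        [pscustomobject]@{ Check = $k; Pass = [bool]$findings[$k] }
    }
}

Test-VnetIntegrationGateway -ResourceGroupName $rg -Name $gwName | Format-Table -AutoSize
```

A `Pass` of `False` on the RFC 1918 row is the common silent failure: a point-to-site pool such as 100.64.0.0/24 looks private but is outside the three blocks and the integration will not work with it.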

Debugging networking issues is a challenge, because you can't see what's blocking access to a specific host:port combination. Some causes include:

  • You have a firewall up on your host that prevents access to the application port from your point-to-site IP range. Crossing subnets often requires public access.
  • Your target host is down.
  • Your application is down.
  • You had the wrong IP or hostname.
  • Your application is listening on a different port than what you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
  • Your network security groups are configured in such a manner that they prevent access to your application host and port from your point-to-site IP range.

You don't know what address your app actually uses. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.

Additional debug steps include:

  • Connect to a VM in your virtual network and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection. The syntax is:

    test-netconnection hostname [optional: -Port]
    
  • Bring up an application on a VM and test access to that host and port from the console from your app by using tcpping.
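A VM-side check that goes a step beyond a single test-netconnection call, as an added example that is not part of the original article. Run it on a Windows VM inside the integrated virtual network (it relies on the DnsClient and NetTCPIP modules that ship with Windows). For each dependency it first resolves the name against the VNet's DNS server, the same resolver the app uses, then tests the TCP port, and classifies the outcome the way the causes listed above are split: a DNS failure, a TCP timeout (firewall or NSG), a refusal (nothing listening on that port), or success. The DNS server address, hostnames and ports are constructed sample values, and the timeout threshold is a heuristic based on the 21-second TCP timeout the article quotes.

```powershell
# Added example (not from the original article). Run on a VM inside the virtual network.
$dnsServer    = '10.10.0.4'                        # assumed custom DNS server configured on the VNet
$dependencies = @(                                 # constructed sample dependencies
    @{ Host = 'sql01.corp.example';          Port = 1433 },
    @{ Host = 'redis01.corp.example';        Port = 6379 },
    @{ Host = 'legacy-api.onprem.example';   Port = 8080 }
)

function Test-DependencyPath {
    param([string]$HostName, [int]$Port, [string]$DnsServer)

    # DNS first, against the VNet's own server: nslookup from the app would not use it.
    $address = Resolve-DnsName -Name $HostName -Server $DnsServer -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1 -ExpandProperty IPAddress
    if (-not $address) {
        return [pscustomobject]@{
            Host = $HostName; Port = $Port; Address = $null; Status = 'DNS failure'
            Hint = 'Check the VNet DNS setting and any NSG or firewall between this subnet and the DNS server'
        }
    }

    # TCP next. Measure the wall-clock time so a timeout can be told apart from a refusal.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = Test-NetConnection -ComputerName $address -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    $sw.Stop()

    if ($ok) {
        $status = 'Reachable'; $hint = ''
    } elseif ($sw.Elapsed.TotalSeconds -ge 20) {   # heuristic: close to the 21 s TCP timeout
        $status = 'TCP timeout'
        $hint   = 'Likely a host firewall or NSG; confirm the point-to-site range is allowed to this port'
    } else {
        $status = 'Connection refused'
        $hint   = 'Host answers but nothing listens on the port; compare with "netstat -aon" on the host'
    }
    [pscustomobject]@{ Host = $HostName; Port = $Port; Address = $address; Status = $status; Hint = $hint }
}

$dependencies |
    ForEach-Object { Test-DependencyPath -HostName $_.Host -Port $_.Port -DnsServer $dnsServer } |
    Format-Table -AutoSize
```

If a row shows `Reachable` from the VM but tcpping from the app console still fails, the VM and the app differ only in their source address, which points at the remaining causes in the list: routes on the on-premises gateway, NSGs, or firewalls that don't allow the point-to-site range.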

On-premises resources

If your app can't reach a resource on-premises, check whether you can reach the resource from your virtual network. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection might not be configured properly.

If your virtual network-hosted VM can reach your on-premises system but your app can't, the cause is likely one of the following:

  • Your routes aren't configured with your subnet or point-to-site address ranges in your on-premises gateway.
  • Your network security groups are blocking access for your point-to-site IP range.
  • Your on-premises firewalls are blocking traffic from your point-to-site IP range.

Automation

For gateway-required VNet Integration, you can integrate App Service with an Azure virtual network by using PowerShell. For a ready-to-run script, see Connect an app in Azure App Service to an Azure virtual network.