将应用与 Azure 虚拟网络进行集成Integrate your app with an Azure Virtual Network

本文档介绍 Azure 应用服务虚拟网络集成功能,并说明如何在 Azure 应用服务中使用应用对其进行设置。This document describes the Azure App Service virtual network integration feature and shows how to set it up with apps in Azure App Service. 使用 Azure 虚拟网络 (VNet) 可将多个 Azure 资源置于无法通过 Internet 路由的网络中。Azure Virtual Networks (VNets) allow you to place many of your Azure resources in a non-internet routeable network. 然后可以使用 VPN 技术将这些网络连接到本地网络。These networks can then be connected to your on-premises networks using VPN technologies.

在 Azure 中国区,Azure 应用服务只有一个窗体。In Azure China, the Azure App Service has only one form.

  • 支持全部定价计划的多租户系统The multi-tenant systems that support the full range of pricing plans

VNet 集成功能允许 Web 应用访问虚拟网络中的资源,但不允许通过虚拟网络对 Web 应用进行专用访问。VNet Integration gives your web app access to resources in your virtual network but doesn't grant private access to your web app from the virtual network. 专用站点访问指的是仅可从专用网络(例如 Azure 虚拟网络内)对应用进行访问。Private site access refers to making your app only accessible from a private network such as from within an Azure virtual network. 专用站点访问仅适用于部署了内部负载均衡器 (ILB) 的 ASE。Private site access is only available with an ASE configured with an Internal Load Balancer (ILB). 有关使用 ILB ASE 的详细信息,请先参阅此文章:[创建和使用 ILB ASE][ILBASE]。For details on using an ILB ASE, start with the article here: [Creating and using an ILB ASE][ILBASE].

VNet 集成通常用于实现应用对 VNet 中的数据库和运行 Web 服务的访问。VNet Integration is often used to enable access from apps to a databases and web services running in your VNet. 使用 VNet 集成时,不需要公开 VM 中应用程序的公共终结点,可以改用无法通过 Internet 路由的专用地址。With VNet Integration, you don't need to expose a public endpoint for applications on your VM but can use the private non-internet routable addresses instead.

VNet 集成功能:The VNet Integration feature:

  • 需要标准、高级定价计划requires a Standard, Premium pricing plan
  • 适用于经典 VNet 或资源管理器 VNetworks with Classic or Resource Manager VNet
  • 支持 TCP 和 UDPsupports TCP and UDP
  • 适用于 Web 应用、移动应用、API 应用和 Function 应用works with Web, Mobile, API apps, and Function apps
  • 允许应用一次只连接到 1 个 VNetenables an app to connect to only 1 VNet at a time
  • 允许在应用服务计划中一次最多集成 5 个 VNetenables up to five VNets to be integrated with in an App Service Plan
  • 允许在应用服务计划中由多个应用使用同一个 VNetallows the same VNet to be used by multiple apps in an App Service Plan
  • 需要使用点到站点 VPN 配置的虚拟网络网关requires a Virtual Network Gateway that is configured with Point to Site VPN
  • 由于网关上的 SLA,可实现 99.9% 的 SLAsupports a 99.9% SLA due to the SLA on the gateway

VNet 集成不支持某些功能,其中包括:There are some things that VNet Integration doesn't support including:

  • 装载驱动器mounting a drive
  • AD 集成AD integration
  • NetBiosNetBios
  • 专用站点访问private site access
  • 访问 ExpressRoute 上的资源accessing resources across ExpressRoute
  • 访问服务终结点上的资源accessing resources across Service Endpoints

入门Getting started

将 Web 应用连接到虚拟网络之前,需要牢记以下几点:Here are some things to keep in mind before connecting your web app to a virtual network:

  • 在将目标虚拟网络连接到应用之前,必须借助基于路由的网关启用点到站点 VPN。A target virtual network must have point-to-site VPN enabled with a route-based gateway before it can be connected to app.
  • VNet 所在的订阅必须与应用服务计划 (ASP) 所在的订阅相同。The VNet must be in the same subscription as your App Service Plan(ASP).
  • 与 VNet 集成的应用使用为该 VNet 指定的 DNS。The apps that integrate with a VNet use the DNS that is specified for that VNet.

启用 VNet 集成Enabling VNet Integration

在 VNet 中设置网关Set up a gateway in your VNet

如果已使用点到站点地址配置网关,则可以跳至“配置 VNet 与应用的集成”这一步。If you already have a gateway configured with point-to-site addresses, you can skip to configuring VNet Integration with your app.
若要创建网关,请执行以下操作:To create a gateway:

  1. 在 VNet 中创建网关子网Create a gateway subnet in your VNet.

  2. 创建 VPN 网关Create the VPN gateway. 选择基于路由的 VPN 类型。Select a route-based VPN type.

  3. 设置点到站点地址Set the point to site addresses. 如果网关不在基本 SKU 中,则必须在点到站点配置中禁用 IKEV2 并选择 SSTP。If the gateway isn't in the basic SKU, then IKEV2 must be disabled in the point-to-site configuration and SSTP must be selected. 地址空间必须位于下列其中一个地址块中:The address space must be in one of the following address blocks:

  • - 这指的是从 到 的 IP 地址范围10.0.0.0/8 - This means an IP address range from to
  • - 这指的是从 到 的 IP 地址范围172.16.0.0/12 - This means an IP address range from to
  • - 这指的是从 到 的 IP 地址范围192.168.0.0/16 - This means an IP address range from to

如果只是创建网关用于应用服务 VNet 集成,则不需要上传证书。If your are just creating the gateway for use with App Service VNet Integration, then you do not need to upload a certificate. 创建网关可能需要 30 分钟。Creating the gateway can take 30 minutes. 若要将应用与 VNet 集成,必须先预配网关。You will not be able to integrate your app with your VNet until the gateway is provisioned.

使用应用配置 VNet 集成Configure VNet Integration with your app

要在应用上启用 VNet 集成,请执行以下步骤:To enable VNet Integration on your app:

  1. 在 Azure 门户中转到该应用并打开应用设置,然后选择“网络”>“VNet 集成”。Go to your app in the Azure portal and open app settings and select Networking > VNet Integration. 在配置 VNet 集成前,需将 ASP 缩放至标准或更佳的 SKU。Scale your ASP to a Standard SKU or better before you can configure VNet Integration. ![VNet 集成 UI][1]![VNet Integration UI][1]

  2. 选择“添加 VNet”。Select Add VNet. ![添加 VNet 集成][2]![Add VNet Integration][2]

  3. 选择 VNet。Select your VNet. ![选择 VNet][8]![Select your VNet][8]

完成最后一步后,应用将会重启。Your app will be restarted after this last step.

系统的工作方式How the system works

VNet 集成功能基于点到站点 VPN 技术。The VNet Integration feature is built on top of point-to-site VPN technology. Azure 应用服务中的应用托管在多租户系统中,它可以阻止直接在 VNet 中预配应用的操作。Apps in Azure App Service are hosted in a multi-tenant system, which precludes provisioning an app directly in a VNet. 点到站点技术将网络访问限制于托管应用的虚拟机。The point-to-site technology limits network access to just the virtual machine hosting the app. 应用受到限制,只能通过混合连接或 VNet 集成向外发送流量至 Internet。Apps are restricted to only send traffic out to the internet, through Hybrid Connections or through VNet Integration.

![VNet 集成的工作原理][3]![How VNet Integration works][3]

管理 VNet 集成Managing the VNet Integrations

连接到 VNet 以及断开其连接的功能在应用级别执行。The ability to connect and disconnect to a VNet is at an app level. 可能影响多个应用的 VNet 集成的操作在应用服务计划级别执行。Operations that can affect the VNet Integration across multiple apps are at the App Service plan level. 可以通过应用 UID 获取 VNet 的详细信息。From the app UID, you can get details on your VNet. 同样的信息也会显示在 ASP 级别。The same information is also shown at the ASP level.

![VNet 详细信息][4]![VNet details][4]

在“网络功能状态”页中,可查看应用是否已连接到 VNet。From the Network Feature Status page, you can see if your app is connected to your VNet. 如果 VNet 网关因某种原因而关闭,状态则会显示为未连接。If your VNet gateway is down for whatever reason, your status shows as not-connected.

现在应用级别的 VNet 集成 UI 中获得的信息与你通过 ASP 获得的详细信息是相同的。The information you now have available to you in the app level VNet Integration UI is the same as the detail information you get from the ASP. 下面是信息中的各项内容:Here are those items:

  • VNet 名称 - 链接至虚拟网络 UIVNet Name - links to the virtual network UI
  • 位置 - 反映 VNet 的位置。Location - reflects the location of your VNet. 与其他位置的 VNet 集成可能会导致应用出现延迟。Integrating with a VNet in another location can cause latency issues for your app.
  • 证书状态 - 反映证书在应用服务计划和 VNet 之间的同步状态。Certificate Status - reflects if your certificates are in sync between your App Service plan and your VNet.
  • 网关状态 - 如果网关因某种原因而关闭,则应用无法访问 VNet 中的资源。Gateway Status - Should your gateways be down for whatever reason then your app cannot access resources in the VNet.
  • VNet 地址空间 - 显示 VNet 的 IP 地址空间。VNet address space - shows the IP address space for your VNet.
  • 点到站点地址空间 - 显示 VNet 的点到站点 IP 地址空间。Point-to-site address space - shows the point to site IP address space for your VNet. 对 VNet 进行调用时,应用的发件人地址将为这些地址之一。When making calls into your VNet, your app FROM address will be one of these addresses.
  • 站点到站点地址空间 - 可以使用站点到站点 VPN 将 VNet 连接到本地资源或其他 VNet。Site-to-site address space - You can use site-to-site VPNs to connect your VNet to your on-premises resources or to other VNet. 使用该 VPN 连接定义的 IP 范围如下所示。The IP ranges defined with that VPN connection are shown here.
  • DNS 服务器 - 显示配置了 VNet 的 DNS 服务器。DNS Servers - shows the DNS Servers configured with your VNet.
  • 路由到 VNet 的 IP 地址 - 显示路由的地址块,这些地址块用于驱动流量进入 VNetIP addresses routed to the VNet - shows the address blocks routed used to drive traffic into your VNet

在 VNet 集成的应用视图中,能够执行的唯一操作是断开应用与当前所连接到的 VNet 的连接。The only operation you can take in the app view of your VNet Integration is to disconnect your app from the VNet it is currently connected to. 若要断开应用与 VNet 的连接,请选择“断开连接”。To disconnect your app from a VNet, select Disconnect. 在从 VNet 断开连接时,应用将会重启。Your app will be restarted when you disconnect from a VNet. 断开连接操作不会更改 VNet。Disconnecting doesn't change your VNet. VNet 及其包括网关在内的配置都保持不变。The VNet and its configuration including the gateways remains unchanged. 如果随后想要删除 VNet,则需先删除其中的资源(包括网关)。If you then want to delete your VNet, you need to first delete the resources in it including the gateways.

若要访问 ASP VNet 集成 UI,请打开 ASP UI 并选择“网络”。To reach the ASP VNet Integration UI, open your ASP UI and select Networking. 在 VNet 集成下,选择“单击此处可配置”以打开网络功能状态 UI。Under VNet Integration, select Click here to configure to open the Network Feature Status UI.

![ASP VNet 集成信息][5]![ASP VNet Integration information][5]

ASP VNet 集成 UI 会显示 ASP 中的应用使用的所有 VNet。The ASP VNet Integration UI will show you all of the VNets that are used by the apps in your ASP. 应用服务计划中任意数量的应用最多可能连接 5 个 VNet。You can have up to 5 VNets connected to by any number of apps in your App Service plan. 每个应用只能配置一个集成。Each app can have only one integration configured. 要查看每个 VNet 的详细信息,请单击感兴趣的 VNet。To see details on each VNet, click on the VNet you are interested in. 此处有两种操作可以执行。There are two actions you can perform here.

  • 同步网络Sync network. 同步网络操作确保证书与网络信息是同步的。如果添加或更改 VNet 的 DNS,则需执行“同步网络”操作。The sync network operation makes sure that your certificates and network information are in sync. If you add or change the DNS of your VNet, you need to perform a Sync network operation. 此操作会重启所有使用此 VNet 的应用。This operation will restart any apps using this VNet.
  • 添加路由 添加路由会驱动出站流量进入 VNet。Add routes Adding routes will drive outbound traffic into your VNet.

路由 在 VNet 中定义的路由,用于将流量从应用导入 VNet。Routing The routes that are defined in your VNet are used to direct traffic into your VNet from your app. 如果需要将其他出站流量发送到 VNet 中,则可以在此处添加地址块。If you need to send additional outbound traffic into the VNet, then you can add those address blocks here.

证书 启用 VNet 集成后,必须进行证书交换以确保连接的安全性。Certificates When VNet Integration enabled, there is a required exchange of certificates to ensure the security of the connection. 除了证书,还有 DNS 配置、路由以及其他类似的用于描述网络的内容。Along with the certificates are the DNS configuration, routes, and other similar things that describe the network. 如果更改了证书或网络信息,则需单击“同步网络”。If certificates or network information is changed, you need to click "Sync Network". 单击“同步网络”会导致应用与 VNet 之间的连接出现短暂的中断。When you click "Sync Network", you cause a brief outage in connectivity between your app and your VNet. 虽然应用不会重启,但失去连接会导致站点功能失常。While your app isn't restarted, the loss of connectivity could cause your site to not function properly.

访问本地资源Accessing on-premises resources

应用可以通过与具备站点到站点连接的 VNet 集成来访问本地资源。Apps can access on-premises resources by integrating with VNets that have site-to-site connections. 若要访问本地资源,需要使用点到站点地址块更新本地 VPN 网关路由。To access resources on-premises, you need to update your on-premises VPN gateway routes with your point-to-site address blocks. 先设置站点到站点 VPN,接着应通过用于配置该 VPN 的脚本来正确地设置路由。When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. 如果在创建站点到站点地址后才添加点到站点 VPN,则需手动更新路由。If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. 具体操作信息取决于每个网关,在此不作说明。Details on how to do that vary per gateway and are not described here. 此外,不能使用站点到站点 VPN 连接配置 BGP。Also, you cannot have BGP configured with a site-to-site VPN connection.


VNET 集成功能不会将应用与包含 ExpressRoute 网关的 VNet 集成。The VNET Integration feature does not integrate an app with a VNet that has an ExpressRoute Gateway. 即使 ExpressRoute 网关是以共存模式配置的,vNet 集成也不会实现。Even if the ExpressRoute Gateway is configured in coexistence mode the vNet Integration does not work.


可以使用 VNet 集成访问与所连接的 VNet 对等互连的 VNet 中的资源。You can use VNet Integration to access resources in VNets that are peered to the VNet you are connected to. 若要配置对等互连以使用应用,请执行以下操作:To configure peering to work with your app:

  1. 在应用所连接的 VNet 上添加对等互连连接。Add a peering connection on the VNet your app connects to. 在添加对等互连连接时,启用“允许虚拟网络访问”并单击“允许转发流量”和“允许网关传输”。When adding the peering connection, enable Allow virtual network access and check Allow forwarded traffic and Allow gateway transit.
  2. 在与所连接的 VNet 对等互连的 VNet 上添加对等互连连接。Add a peering connection on the VNet that is being peered to the VNet you are connected to. 在目标 VNet 上添加对等互连连接时,启用“允许虚拟网络访问”并单击“允许转发流量”和“允许远程网关”。When adding the peering connection on the destination VNet, enable Allow virtual network access and check Allow forwarded traffic and Allow remote gateways.
  3. 转到门户中的“应用服务计划”>“网络”>“VNet 集成 UI”。Go to the App Service plan > Networking > VNet Integration UI in the portal. 选择应用连接的 VNet。Select the VNet your app connects to. 在路由部分下,添加与应用所连接的 VNet 对等互连的 VNet 的地址范围。Under the routing section, add the address range of the VNet that is peered with the VNet your app is connected to.

定价详细信息Pricing details

使用 VNet 集成功能涉及到三种相关费用:There are three related charges to the use of the VNet Integration feature:

  • ASP 定价层要求ASP pricing tier requirements
  • 数据传输费用Data transfer costs
  • VPN 网关费用。VPN Gateway costs.

应用需要属于“标准”、“高级”应用服务计划。Your apps need to be in a Standard, Premium App Service Plan. 可在此处了解这些费用的更多详细信息:应用服务定价You can see more details on those costs here: App Service Pricing.

数据出口方面也存在费用,即使 VNet 在同一数据中心也是如此。There is a charge for data egress, even if the VNet is in the same data center. 数据传输定价详细信息中对这些费用进行了说明。Those charges are described in Data Transfer Pricing Details.

点到站点 VPN 所需的 VNet 网关会产生费用。There is a cost to the VNet gateway that is required for the point-to-site VPN. VPN 网关定价页上介绍了详细信息。The details are on the VPN Gateway Pricing page.


虽然此功能容易设置,但这并不意味着你就不会遇到问题。While the feature is easy to set up, that doesn't mean that your experience will be problem free. 如果在访问所需终结点时遇到问题,可以使用某些实用程序来测试从应用控制台发出的连接。Should you encounter problems accessing your desired endpoint there are some utilities you can use to test connectivity from the app console. 可以使用两种控制台。There are two consoles that you can use. 一种是 Kudu 控制台,另一种是 Azure 门户中的控制台。One is the Kudu console and the other is the console in the Azure portal. 若要访问应用中的 Kudu 控制台,请转到“工具”->“Kudu”。To reach the Kudu console from your app, go to Tools -> Kudu. 这相当于访问 [sitename].scm.chinacloudsites.cn。This is the same as going to [sitename].scm.chinacloudsites.cn. 打开后,转到“调试控制台”选项卡。若要访问 Azure 门户托管的控制台,请在应用中转到“工具”->“控制台”。Once that opens, go to the Debug console tab. To get to the Azure portal hosted console then from your app go to Tools -> Console.


由于存在安全约束,pingnslookuptracert 工具无法通过控制台来使用。The tools ping, nslookup and tracert won’t work through the console due to security constraints. 为了填补这方面的空白,我们添加了两种单独的工具。To fill the void, two separate tools added. 为了测试 DNS 功能,我们添加了名为 nameresolver.exe 的工具。In order to test DNS functionality, we added a tool named nameresolver.exe. 语法为:The syntax is:

nameresolver.exe hostname [optional: DNS Server]

可以使用 nameresolver 来检查应用所依赖的主机名。You can use nameresolver to check the hostnames that your app depends on. 可以通过这种方式来测试 DNS 是否配置错误,或者测试你是否无权访问 DNS 服务器。This way you can test if you have anything mis-configured with your DNS or perhaps don't have access to your DNS server.

下一工具适用于测试与主机的 TCP 连接情况,以及端口组合情况。The next tool allows you to test for TCP connectivity to a host and port combination. 该工具名为 tcpping,语法为:This tool is called tcpping and the syntax is:

tcpping.exe hostname [optional: port]

tcpping 实用程序会告知是否可访问特定主机和端口。The tcpping utility tells you if you can reach a specific host and port. 仅满足以下条件才会显示成功:存在侦听主机和端口组合的应用程序,且可从应用对指定主机和端口进行网络访问。It only can show success if: there is an application listening at the host and port combination, and there is network access from your app to the specified host and port.

针对 VNET 托管的资源进行访问权限调试Debugging access to VNET hosted resources

许多因素会阻止应用访问特定的主机和端口。There are a number of things that can prevent your app from reaching a specific host and port. 大多数情况下为以下三种情况:Most of the time it is one of three things:

  • 存在防火墙。A firewall is in the way. 如果存在防火墙,则会发生 TCP 超时。If you have a firewall in the way, you will hit the TCP timeout. 本例中的 TCP 超时为 21 秒。The TCP timeout is 21 seconds in this case. 使用 tcpping 工具测试连接性。Use the tcpping tool to test connectivity. 除了防火墙外,还有多种原因可能导致 TCP 超时。TCP timeouts can be due to many things beyond firewalls but start there.
  • DNS 不可访问。DNS isn't accessible. DNS 超时时间为每个 DNS 服务器 3 秒。The DNS timeout is three seconds per DNS server. 如果具有 2 个 DNS 服务器,则超时为 6 秒。If you have two DNS servers, the timeout is 6 seconds. 使用 nameresolver 查看 DNS 是否正常工作。Use nameresolver to see if DNS is working. 请记住,不能使用 nslookup,因其没有使用为 VNet 配置的 DNS。Remember you can't use nslookup as that doesn't use the DNS your VNet is configured with.
  • 点到站点地址范围无效。The point-to-site address range is invalid. 点到站点 IP 范围点需要处于 RFC 1918 专用 IP 范围 ( / / 内。The point-to-site IP range needs to be in the RFC 1918 private IP ranges ( / / 如果范围的 IP 超出上述范围,则操作无法正常运行。If the range uses IPs outside of that, then things won't work.

如果这些情况不能解决问题,请首先查看以下简单因素:If those items don't answer your problem, look first for the simple things like:

  • 网关在门户中是否显示为已启动?Does the Gateway show as being up in the Portal?
  • 证书是否显示为处于同步状态?Do certificates show as being in sync?
  • 是否有人更改了网络配置却没有在受影响的 ASP 中执行“同步网络”操作?Did anybody change the network configuration without doing a "Sync Network" in the affected ASPs?

如果网关处于关闭状态,则将其重新启动。If your gateway is down, then bring it back up. 如果证书不同步,则请转到 VNet 集成的 ASP 视图,并单击“同步网络”。If your certificates are out of sync, then go to the ASP view of your VNet Integration and hit "Sync Network". 如果怀疑 VNet 配置存在与 ASP 不同步的更改,请单击“同步网络”。If you suspect that there has been a change made to your VNet configuration that wasn't synced with your ASPs, then hit "Sync Network". “同步网络”操作将重启 ASP 中任何与该 VNet 集成的应用。A "Sync Network" operation will restart any apps in the ASP that are integrated with that VNet.

如果这些都正常,则需进行更深入的故障诊断:If all of that is fine, then you need to dig in a bit deeper:

  • 是否存在其他应用在使用 VNET 集成访问同一 VNET 中的资源?Are there any other apps using VNET Integration to reach resources in the same VNET?
  • 是否能够转到应用控制台并使用 tcpping 来访问 VNET 中的任何其他资源?Can you go to the app console and use tcpping to reach any other resources in your VNET?

如果上面这两个问题中有一个的回答为“是”,则说明 VNet 集成功能正常,问题出在其他地方。If either of the above are true, then your VNet Integration is fine and the problem is somewhere else. 这种情况下,解决问题会更加困难,因为并没有简单的方法可以查看你为何无法访问主机:端口。This is where it gets to be more of a challenge because there is no simple way to see why you can't reach a host:port. 部分原因包括:Some of the causes include:

  • 在主机上开启了防火墙,导致无法从点到站点 IP 范围访问应用程序端口。you have a firewall up on your host preventing access to the application port from your point to site IP range. 跨子网通常需要公共访问权限。Crossing subnets often requires Public access.
  • 目标主机已关闭your target host is down
  • 应用程序已关闭your application is down
  • IP 或主机名错误you had the wrong IP or hostname
  • 应用程序所侦听的端口不同于所期望的端口。your application is listening on a different port than what you expected. 可以使用终结点主机上的“netstat -aon”匹配进程 ID 和侦听端口。You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
  • 网络安全组的配置方式导致无法从点到站点 IP 范围访问应用程序主机和端口your network security groups are configured in such a manner that they prevent access to your application host and port from your point to site IP range

请记住,由于不知道应用会使用点到站点 IP 范围中的哪个 IP,因此需允许整个范围中的 IP 进行访问。Remember that you don't know what IP in your Point-to-Site IP range that your app will use so you need to allow access from the entire range.

其他调试步骤包括:Additional debug steps include:

  • 连接到 VNet 中的某个 VM,尝试在该处访问资源主机:端口。connect to a VM in your VNet and attempt to reach your resource host:port from there. 若要针对 TCP 访问权限进行测试,请使用 PowerShell 命令 test-netconnection。To test for TCP access, use the PowerShell command test-netconnection. 语法为:The syntax is:

    test-netconnection hostname [optional: -Port]
  • 在某个 VM 中启动应用程序,测试能否在应用的控制台中访问该主机和端口bring up an application on a VM and test access to that host and port from the console from your app

本地资源On-premises resources

如果应用无法访问本地资源,则请检查是否能够通过 VNet 访问该资源。If your app cannot reach a resource on-premises, then check if you can reach the resource from your VNet. 请使用 test-netconnection PowerShell 命令来针对 TCP 访问权限进行测试。Use the test-netconnection PowerShell command to check for TCP access. 如果 VM 无法访问本地资源,请确保站点到站点 VPN 连接正常。If your VM can't reach your on-premises resource, then make sure your Site to Site VPN connection is working. 如果正常,则请检查前述项目以及本地网关配置和状态。If it is working, then check the same things noted earlier as well as the on-premises gateway configuration and status.

如果 VNet 托管的 VM 能够访问本地系统但应用无法访问,则可能是由于以下某个原因:If your VNet hosted VM can reach your on-premises system but your app can't, then the cause is likely one of the following reasons:

  • 在本地网关中未使用点到站点 IP 范围对路由进行配置your routes are not configured with your point to site IP ranges in your on-premises gateway
  • 网络安全组阻止点到站点 IP 范围中的 IP 进行访问your network security groups are blocking access for your Point-to-Site IP range
  • 本地防火墙阻止来自点到站点 IP 范围的流量your on-premises firewalls are blocking traffic from your Point-to-Site IP range

PowerShell 自动化PowerShell automation

可以使用 PowerShell 将应用服务与 Azure 虚拟网络进行集成。You can integrate App Service with an Azure Virtual Network using PowerShell. 有关就绪可运行的脚本,请参阅 Connect an app in Azure App Service to an Azure Virtual Network(将 Azure 应用服务中的应用连接到 Azure 虚拟网络)。For a ready-to-run script, see Connect an app in Azure App Service to an Azure Virtual Network.

[1]: ./media/web-sites-integrate-with-vnet/vnetint-app.png [2]: ./media/web-sites-integrate-with-vnet/vnetint-addvnet.png [3]: ./media/web-sites-integrate-with-vnet/vnetint-howitworks.png [4]: ./media/web-sites-integrate-with-vnet/vnetint-details.png [5]: ./media/web-sites-integrate-with-vnet/vnetint-aspdetails.png [6]: ./media/web-sites-integrate-with-vnet/vnetint-newvnet.png [7]: ./media/web-sites-integrate-with-vnet/vnetint-newvnetdetails.png [8]: ./media/web-sites-integrate-with-vnet/vnetint-selectvnet.png