Integrate your app with an Azure virtual network

This article describes the Azure App Service VNet Integration feature and how to set it up with apps in Azure App Service. With Azure Virtual Network (VNets), you can place many of your Azure resources in a non-internet-routable network. The VNet Integration feature enables your apps to access resources in or through a VNet. VNet Integration doesn't enable your apps to be accessed privately.

Azure App Service has two variations on the VNet Integration feature:

  • The multitenant systems that support the full range of pricing plans except Isolated.
  • The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.

The VNet Integration feature is used in multitenant apps. If your app is in App Service Environment, then it's already in a VNet and doesn't require use of the VNet Integration feature to reach resources in the same VNet. For more information on all of the networking features, see App Service networking features.

VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making an app accessible only from a private network, such as from within an Azure virtual network. VNet Integration is used only to make outbound calls from your app into your VNet. The VNet Integration feature behaves differently when it's used with VNet in the same region and with VNet in other regions. The VNet Integration feature has two variations:

  • Regional VNet Integration: When you connect to Azure Resource Manager virtual networks in the same region, you must have a dedicated subnet in the VNet you're integrating with.
  • Gateway-required VNet Integration: When you connect to VNet in other regions or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.

The VNet Integration features:

  • Require a Standard, Premium, PremiumV2, or Elastic Premium pricing plan.
  • Support TCP and UDP.
  • Work with Azure App Service apps and function apps.

There are some things that VNet Integration doesn't support, like:

  • Mounting a drive.
  • Active Directory integration.
  • NetBIOS.

Gateway-required VNet Integration provides access to resources only in the target VNet or in networks connected to the target VNet with peering or VPNs. Gateway-required VNet Integration doesn't enable access to resources available across Azure ExpressRoute connections, and it doesn't work with service endpoints.

Regardless of the version used, VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet. Private site access refers to making your app accessible only from a private network, such as from within an Azure VNet. VNet Integration is only for making outbound calls from your app into your VNet.

Enable VNet Integration

  1. Go to the Networking UI in the App Service portal. Under VNet Integration, select Click here to configure.

  2. Select Add VNet.

    (Screenshot: Select VNet Integration)

  3. The drop-down list contains all of the Azure Resource Manager virtual networks in your subscription in the same region. Underneath that is a list of the Resource Manager virtual networks in all other regions. Select the VNet you want to integrate with.

    (Screenshot: Select VNet)

    • If the VNet is in the same region, either create a new subnet or select an empty preexisting subnet.
    • To select a VNet in another region, you must have a VNet gateway provisioned with point-to-site enabled.
    • To integrate with a classic VNet, instead of selecting the Virtual Network drop-down list, select Click here to connect to a Classic VNet. Select the classic virtual network you want. The target VNet must already have a Virtual Network gateway provisioned with point-to-site enabled.

    (Screenshot: Select classic VNet)

During the integration, your app is restarted. When integration is finished, you'll see details on the VNet you're integrated with.

Regional VNet Integration

Using regional VNet Integration enables your app to access:

  • Resources in a VNet in the same region as your app.
  • Resources in VNets peered to the VNet your app is integrated with.
  • Service endpoint secured services.
  • Resources across Azure ExpressRoute connections.
  • Resources in the VNet you're integrated with.
  • Resources across peered connections, which include Azure ExpressRoute connections.
  • Private endpoints.

When you use VNet Integration with VNets in the same region, you can use the following Azure networking features:

  • Network security groups (NSGs): You can block outbound traffic with an NSG that's placed on your integration subnet. The inbound rules don't apply because you can't use VNet Integration to provide inbound access to your app.
  • Route tables (UDRs): You can place a route table on the integration subnet to send outbound traffic where you want.

By default, your app routes only RFC1918 traffic into your VNet. If you want to route all of your outbound traffic into your VNet, apply the app setting WEBSITE_VNET_ROUTE_ALL to your app. To configure the app setting:

  1. Go to the Configuration UI in your app portal. Select New application setting.

  2. Enter WEBSITE_VNET_ROUTE_ALL in the Name box, and enter 1 in the Value box.

    (Screenshot: Provide application setting)

  3. Select OK.

  4. Select Save.

Note

If you route all of your outbound traffic into your VNet, it's subject to the NSGs and UDRs that are applied to your integration subnet. When you route all of your outbound traffic into your VNet, your outbound addresses are still the outbound addresses that are listed in your app properties unless you provide routes to send the traffic elsewhere.

There are some limitations with using VNet Integration with VNets in the same region:

  • You can't reach resources across global peering connections.
  • The feature is available from all App Service scale units in Premium V2. It is also available in Standard but only from newer App Service scale units. If you are on an older scale unit you can only use the feature from a Premium V2 App Service plan. If you want to be certain of being able to use the feature in a Standard App Service plan, create your app in a Premium V3 App Service plan. Those plans are only supported on our newest scale units. You can scale down if you desire after that.
  • The integration subnet can be used by only one App Service plan.
  • The feature can't be used by Isolated plan apps that are in an App Service Environment.
  • The feature requires an unused subnet that's a /28 or larger in an Azure Resource Manager VNet.
  • The app and the VNet must be in the same region.
  • You can't delete a VNet with an integrated app. Remove the integration before you delete the VNet.
  • You can only integrate with VNets in the same subscription as the app.
  • You can have only one regional VNet Integration per App Service plan. Multiple apps in the same App Service plan can use the same VNet.
  • You can't change the subscription of an app or a plan while there's an app that's using regional VNet Integration.
  • Your app cannot resolve addresses in Azure DNS Private Zones without configuration changes.

VNet Integration depends on use of a dedicated subnet. When you provision a subnet, Azure reserves 5 IP addresses from it from the start. One address is used from the integration subnet for each plan instance. If you scale your app to four instances, then four addresses are used. The debit of 5 addresses from the subnet size means that the maximum available addresses per CIDR block are:

  • /28 has 11 addresses
  • /27 has 27 addresses
  • /26 has 59 addresses

When you scale up or down in size, you need double your address count for a short period of time. Because of that, the real number of supported instances per subnet size is, if your subnet is a:

  • /28, your maximum horizontal scale is 5 instances
  • /27, your maximum horizontal scale is 13 instances
  • /26, your maximum horizontal scale is 29 instances

The limits noted on maximum horizontal scale assume that you will need to scale up or down in either size or SKU at some point.

Since subnet size can't be changed after assignment, use a subnet that's large enough to accommodate whatever scale your app might reach. To avoid any issues with subnet capacity, a /26 with 64 addresses is the recommended size.
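As an added example that is not part of the original article, the following Python script turns the sizing rule above (5 addresses reserved per subnet, one address per plan instance, double the addresses during a scale operation) into a check you can run against a proposed integration subnet before you commit to it. The function names, the `check_plan` helper and the sample subnets are constructed for this example.

```python
import ipaddress

RESERVED_PER_SUBNET = 5   # addresses Azure removes from every subnet (see the sizing text above)
LARGEST_PREFIX_LEN = 28   # the feature requires a /28 or larger


def usable_addresses(subnet: str) -> int:
    """Addresses an integration subnet can actually hand out to plan instances."""
    net = ipaddress.ip_network(subnet, strict=False)
    if net.version != 4 or net.prefixlen > LARGEST_PREFIX_LEN:
        raise ValueError(f"{subnet}: integration subnets must be an IPv4 /28 or larger")
    return net.num_addresses - RESERVED_PER_SUBNET


def max_instances(subnet: str) -> int:
    """Supported horizontal scale: a scale operation briefly needs two addresses per instance."""
    return usable_addresses(subnet) // 2


def check_plan(subnet: str, target_instances: int) -> dict:
    """Constructed helper: report whether a subnet supports the scale you plan for."""
    limit = max_instances(subnet)
    return {
        "subnet": subnet,
        "usable_addresses": usable_addresses(subnet),
        "max_instances": limit,
        "target_instances": target_instances,
        "ok": target_instances <= limit,
    }


if __name__ == "__main__":
    # Constructed sample: a plan expected to grow to 20 instances.
    for candidate in ("10.10.0.0/28", "10.10.0.0/27", "10.10.0.0/26"):
        print(check_plan(candidate, 20))
```

Running it shows that a /27 tops out at 13 instances, so a plan that may reach 20 instances needs the recommended /26; since the subnet size can't be changed once assigned, run this check against the largest scale the plan might ever need.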

If you want apps in one plan to reach a VNet that apps in another plan are already connected to, select a different subnet than the one being used by the preexisting VNet Integration.

The feature is fully supported for both Windows and Linux apps.

Service endpoints

Regional VNet Integration enables you to use service endpoints. To use service endpoints with your app, use regional VNet Integration to connect to a selected VNet and then configure service endpoints with the destination service on the subnet you used for the integration. To access a service over service endpoints:

  1. Configure regional VNet Integration with your web app.
  2. Go to the destination service and configure service endpoints against the subnet used for integration.

Network security groups

You can use network security groups to block inbound and outbound traffic to resources in a VNet. An app that uses regional VNet Integration can use a network security group to block outbound traffic to resources in your VNet or the internet. To block traffic to public addresses, you must have the application setting WEBSITE_VNET_ROUTE_ALL set to 1. The inbound rules in an NSG don't apply to your app because VNet Integration affects only outbound traffic from your app.

To control inbound traffic to your app, use the Access Restrictions feature. An NSG that's applied to your integration subnet is in effect regardless of any routes applied to your integration subnet. If WEBSITE_VNET_ROUTE_ALL is set to 1 and you don't have any routes that affect public address traffic on your integration subnet, all of your outbound traffic is still subject to NSGs assigned to your integration subnet. If WEBSITE_VNET_ROUTE_ALL isn't set, NSGs are only applied to RFC1918 traffic.

Routes

You can use route tables to route outbound traffic from your app to wherever you want. By default, route tables only affect your RFC1918 destination traffic. If you set WEBSITE_VNET_ROUTE_ALL to 1, all of your outbound calls are affected. Routes that are set on your integration subnet won't affect replies to inbound app requests. Common destinations can include firewall devices or gateways.

If you want to route all outbound traffic on-premises, you can use a route table to send all outbound traffic to your ExpressRoute gateway. If you do route traffic to a gateway, be sure to set routes in the external network to send any replies back.

Border Gateway Protocol (BGP) routes also affect your app traffic. If you have BGP routes from something like an ExpressRoute gateway, your app outbound traffic will be affected. By default, BGP routes affect only your RFC1918 destination traffic. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be affected by your BGP routes.
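The three sections above (network security groups, routes and BGP) all hinge on the same rule: without `WEBSITE_VNET_ROUTE_ALL` only RFC 1918 destinations enter the VNet, and only traffic that enters the VNet is subject to the NSG, the route table and the BGP routes on the integration subnet. As an added example that is not part of the original article, the following Python script applies that rule to a list of destinations so you can see which outbound calls your subnet controls actually cover. The function names and the sample destinations are constructed; the script models only the RFC 1918 / route-all rule and not service-endpoint-secured destinations, which the article says also go into the VNet.

```python
import ipaddress

# RFC 1918 private address blocks; by default only traffic to these
# destinations is routed from an integrated app into the VNet.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(address: str) -> bool:
    """Return True when the IPv4 address falls inside an RFC 1918 block."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in RFC1918_BLOCKS)


def route_all_enabled(app_settings: dict) -> bool:
    """The article says the setting must be set to 1; anything else is treated as off (assumption)."""
    return app_settings.get("WEBSITE_VNET_ROUTE_ALL", "").strip() == "1"


def classify_outbound(destination: str, app_settings: dict) -> dict:
    """Describe how an outbound call from the app to `destination` is handled.

    Reports which path the call takes and whether the NSG, the route table (UDR)
    and any BGP routes on the integration subnet apply to it.
    """
    into_vnet = is_rfc1918(destination) or route_all_enabled(app_settings)
    return {
        "destination": destination,
        "path": "vnet" if into_vnet else "internet",
        "nsg_applies": into_vnet,
        "udr_applies": into_vnet,
        "bgp_applies": into_vnet,
    }


def audit_egress(destinations, app_settings) -> list:
    """Constructed helper: list destinations that bypass the subnet's NSG and routes."""
    return [d for d in destinations
            if classify_outbound(d, app_settings)["path"] == "internet"]


if __name__ == "__main__":
    # Constructed sample: two private backends and one public API endpoint.
    sample_destinations = ["10.1.2.3", "172.20.0.10", "203.0.113.5"]
    for settings in ({}, {"WEBSITE_VNET_ROUTE_ALL": "1"}):
        print(settings, "uncontrolled:", audit_egress(sample_destinations, settings))
```

With an empty settings dictionary the public address is reported as uncontrolled, which is the case to watch for when an NSG on the integration subnet is expected to block internet egress; setting `WEBSITE_VNET_ROUTE_ALL` to `1` moves every destination under the subnet's NSG and routes.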

Azure DNS Private Zones

After your app integrates with your VNet, it uses the same DNS server that your VNet is configured with. By default, your app won't work with Azure DNS Private Zones. To work with Azure DNS Private Zones, you need to add the following app settings:

  1. WEBSITE_DNS_SERVER with value 168.63.129.16
  2. WEBSITE_VNET_ROUTE_ALL with value 1

These settings send all of the outbound calls from your app into your VNet and enable the app to use Azure DNS Private Zones by querying the private zone at the worker level. This functionality is for a running app that accesses a Private DNS Zone.

Note

Trying to add a custom domain to a Web App using Private DNS Zone is not possible with the VNET Integration. Custom domain validation is done at the controller level, not the worker level, which prevents the DNS records from being seen. To use a custom domain from a Private DNS Zone, validation would need to be bypassed using an Application Gateway or ILB App Service Environment.

How regional VNet Integration works

Apps in App Service are hosted on worker roles. The Basic and higher pricing plans are dedicated hosting plans where there are no other customers' workloads running on the same workers. Regional VNet Integration works by mounting virtual interfaces with addresses in the delegated subnet. Because the from address is in your VNet, it can access most things in or through your VNet like a VM in your VNet would. The networking implementation is different than running a VM in your VNet. That's why some networking features aren't yet available for this feature.

(Diagram: How regional VNet Integration works)

When regional VNet Integration is enabled, your app makes outbound calls to the internet through the same channels as normal. The outbound addresses that are listed in the app properties portal are the addresses still used by your app. What changes for your app is that calls to service endpoint secured services or to RFC 1918 addresses go into your VNet. If WEBSITE_VNET_ROUTE_ALL is set to 1, all outbound traffic can be sent into your VNet.

Note

WEBSITE_VNET_ROUTE_ALL is currently not supported in Windows containers.

The feature supports only one virtual interface per worker. One virtual interface per worker means one regional VNet Integration per App Service plan. All of the apps in the same App Service plan can use the same VNet Integration. If you need an app to connect to an additional VNet, you need to create another App Service plan. The virtual interface used isn't a resource that customers have direct access to.

Because of the nature of how this technology operates, the traffic that's used with VNet Integration doesn't show up in Azure Network Watcher or NSG flow logs.

Gateway-required VNet Integration

Gateway-required VNet Integration supports connecting to a VNet in another region or to a classic virtual network. Gateway-required VNet Integration:

  • Enables an app to connect to only one VNet at a time.
  • Enables up to five VNets to be integrated within an App Service plan.
  • Allows the same VNet to be used by multiple apps in an App Service plan without affecting the total number that can be used by an App Service plan. If you have six apps using the same VNet in the same App Service plan, that counts as one VNet being used.
  • Supports a 99.9% SLA due to the SLA on the gateway.
  • Enables your apps to use the DNS that the VNet is configured with.
  • Requires a Virtual Network route-based gateway configured with an SSTP point-to-site VPN before it can be connected to an app.

You can't use gateway-required VNet Integration:

  • With a VNet connected with Azure ExpressRoute.

  • From a Linux app.

  • To access service endpoint secured resources.

  • With a coexistence gateway that supports both ExpressRoute and point-to-site or site-to-site VPNs.

Set up a gateway in your Azure virtual network

To create a gateway:

  1. Create a gateway subnet in your VNet.

  2. Create the VPN gateway. Select a route-based VPN type.

  3. Set the point-to-site addresses. If the gateway isn't in the basic SKU, then IKEV2 must be disabled in the point-to-site configuration and SSTP must be selected. The point-to-site address space must be in the RFC 1918 address blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

If you create the gateway for use with App Service VNet Integration, you don't need to upload a certificate. Creating the gateway can take 30 minutes. You won't be able to integrate your app with your VNet until the gateway is provisioned.

How gateway-required VNet Integration works

Gateway-required VNet Integration is built on top of point-to-site VPN technology. Point-to-site VPNs limit network access to the virtual machine that hosts the app. Apps are restricted to send traffic out to the internet only through Hybrid Connections or through VNet Integration. When your app is configured with the portal to use gateway-required VNet Integration, a complex negotiation is managed on your behalf to create and assign certificates on the gateway and the application side. The result is that the workers used to host your apps are able to directly connect to the virtual network gateway in the selected VNet.

(Diagram: How gateway-required VNet Integration works)

Access on-premises resources

Apps can access on-premises resources by integrating with VNets that have site-to-site connections. If you use gateway-required VNet Integration, update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and aren't described here. You can't have BGP configured with a site-to-site VPN connection.

No additional configuration is required for the regional VNet Integration feature to reach through your VNet to on-premises resources. You simply need to connect your VNet to on-premises resources by using ExpressRoute or a site-to-site VPN.

Note

The gateway-required VNet Integration feature doesn't integrate an app with a VNet that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, the VNet Integration doesn't work. If you need to access resources through an ExpressRoute connection, use the regional VNet Integration feature or an App Service Environment, which runs in your VNet.

Peering

If you use peering with the regional VNet Integration, you don't need to do any additional configuration.

If you use gateway-required VNet Integration with peering, you need to configure a few additional items. To configure peering to work with your app:

  1. Add a peering connection on the VNet your app connects to. When you add the peering connection, enable Allow virtual network access and select Allow forwarded traffic and Allow gateway transit.
  2. Add a peering connection on the VNet that's being peered to the VNet you're connected to. When you add the peering connection on the destination VNet, enable Allow virtual network access and select Allow forwarded traffic and Allow remote gateways.
  3. Go to the App Service plan > Networking > VNet Integration UI in the portal. Select the VNet your app connects to. Under the routing section, add the address range of the VNet that's peered with the VNet your app is connected to.

Manage VNet Integration

Connecting and disconnecting with a VNet is at an app level. Operations that can affect VNet Integration across multiple apps are at the App Service plan level. From the app > Networking > VNet Integration portal, you can get details on your VNet. You can see similar information at the App Service plan level in the App Service plan > Networking > VNet Integration portal.

The only operation you can take in the app view of your VNet Integration instance is to disconnect your app from the VNet it's currently connected to. To disconnect your app from a VNet, select Disconnect. Your app is restarted when you disconnect from a VNet. Disconnecting doesn't change your VNet. The subnet or gateway isn't removed. If you then want to delete your VNet, first disconnect your app from the VNet and delete the resources in it, such as gateways.

The App Service plan VNet Integration UI shows you all of the VNet integrations used by the apps in your App Service plan. To see details on each VNet, select the VNet you're interested in. There are two actions you can perform here for gateway-required VNet Integration:

  • Sync network: The sync network operation is used only for the gateway-dependent VNet Integration feature. Performing a sync network operation ensures that your certificates and network information are in sync. If you add or change the DNS of your VNet, perform a sync network operation. This operation restarts any apps that use this VNet. This operation will not work if you are using an app and a VNet belonging to different subscriptions.
  • Add routes: Adding routes drives outbound traffic into your VNet.

The private IP assigned to the instance is exposed via the environment variable WEBSITE_PRIVATE_IP. The Kudu console UI also shows the list of environment variables available to the Web App. This IP is assigned from the address range of the integrated subnet. For regional VNet Integration, the value of WEBSITE_PRIVATE_IP is an IP from the address range of the delegated subnet, and for gateway-required VNet Integration, the value is an IP from the address range of the point-to-site address pool configured on the Virtual Network Gateway. This is the IP that will be used by the Web App to connect to the resources through the Virtual Network.

Note

The value of WEBSITE_PRIVATE_IP is bound to change. However, it will be an IP within the address range of the integration subnet or the point-to-site address range, so you will need to allow access from the entire address range.

Gateway-required VNet Integration routing

The routes that are defined in your VNet are used to direct traffic into your VNet from your app. To send additional outbound traffic into the VNet, add those address blocks here. This capability only works with gateway-required VNet Integration. Route tables don't affect your app traffic when you use gateway-required VNet Integration the way that they do with regional VNet Integration.

Gateway-required VNet Integration certificates

When gateway-required VNet Integration is enabled, there's a required exchange of certificates to ensure the security of the connection. Along with the certificates are the DNS configuration, routes, and other similar things that describe the network.

If certificates or network information is changed, select Sync Network. When you select Sync Network, you cause a brief outage in connectivity between your app and your VNet. While your app isn't restarted, the loss of connectivity could cause your site to not function properly.

Pricing details

The regional VNet Integration feature has no additional charge for use beyond the App Service plan pricing tier charges.

Three charges are related to the use of the gateway-required VNet Integration feature:

  • App Service plan pricing tier charges: Your apps need to be in a Standard, Premium, or PremiumV2 App Service plan. For more information on those costs, see App Service pricing.
  • Data transfer costs: There's a charge for data egress, even if the VNet is in the same datacenter. Those charges are described in Data Transfer pricing details.
  • VPN gateway costs: There's a cost to the virtual network gateway that's required for the point-to-site VPN. For more information, see VPN gateway pricing.

Troubleshooting

Note

VNET integration is not supported for Docker Compose scenarios in App Service. Azure Functions Access Restrictions are ignored if there is a private endpoint present.

The feature is easy to set up, but that doesn't mean your experience will be problem free. If you encounter problems accessing your desired endpoint, there are some utilities you can use to test connectivity from the app console. There are two consoles that you can use. One is the Kudu console, and the other is the console in the Azure portal. To reach the Kudu console from your app, go to Tools > Kudu. You can also reach the Kudu console at [sitename].scm.chinacloudsites.cn. After the website loads, go to the Debug console tab. To get to the Azure portal-hosted console from your app, go to Tools > Console.

Tools

The tools ping, nslookup, and tracert won't work through the console because of security constraints. To fill the void, two separate tools are added. To test DNS functionality, we added a tool named nameresolver.exe. The syntax is:

nameresolver.exe hostname [optional: DNS Server]

You can use nameresolver to check the hostnames that your app depends on. This way you can test if you have anything misconfigured with your DNS or perhaps don't have access to your DNS server. You can see the DNS server that your app uses in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.

You can use the next tool to test for TCP connectivity to a host and port combination. This tool is called tcpping and the syntax is:

tcpping.exe hostname [optional: port]

The tcpping utility tells you if you can reach a specific host and port. It can show success only if there's an application listening at the host and port combination, and there's network access from your app to the specified host and port.

Debug access to virtual network-hosted resources

A number of things can prevent your app from reaching a specific host and port. Most of the time it's one of these things:

  • A firewall is in the way. If you have a firewall in the way, you hit the TCP timeout. The TCP timeout is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be caused by many things beyond firewalls, but start there.
  • DNS isn't accessible. The DNS timeout is 3 seconds per DNS server. If you have two DNS servers, the timeout is 6 seconds. Use nameresolver to see if DNS is working. You can't use nslookup, because that doesn't use the DNS your virtual network is configured with. If inaccessible, you could have a firewall or NSG blocking access to DNS or it could be down.
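The two failure modes above (a dropped connection that only surfaces as a TCP timeout, and a name that never resolves) are exactly what tcpping and nameresolver separate for you. As an added example that is not part of the original article, the following Python script reproduces that classification with the standard library so the same distinction can be made from any environment that has console access; it is not the tcpping tool itself. The function names are constructed, and the local listener in `run_local_demo` stands in for a reachable backend so the script runs offline.

```python
import socket

TCP_TIMEOUT_SECONDS = 21.0  # the timeout the article reports when a firewall drops the traffic


def tcp_check(host: str, port: int, timeout: float = TCP_TIMEOUT_SECONDS) -> str:
    """Classify reachability of host:port the way the troubleshooting steps do.

    Returns "dns-failure", "open", "refused", "timeout" or "unreachable".
    """
    try:
        # DNS first: a name that never resolves is a different problem than a closed port.
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"            # something is listening and the path is open
    except socket.timeout:
        return "timeout"         # no reply at all: firewall, NSG, UDR or dead host
    except ConnectionRefusedError:
        return "refused"         # host reachable, nothing listening on that port
    except OSError:
        return "unreachable"     # no route, network unreachable, etc.
    finally:
        sock.close()


def diagnose(result: str) -> str:
    """Map a tcp_check result to the first thing the article says to look at."""
    hints = {
        "dns-failure": "Check the DNS server in WEBSITE_DNS_SERVER and whether an NSG or firewall blocks it.",
        "timeout": "Check for a firewall, NSG or route dropping traffic from the integration address range.",
        "refused": "Host reached; verify the application is running and the expected port (netstat -aon).",
        "unreachable": "No route to the host; check routes, peering and the target address.",
        "open": "Connectivity is fine; the problem is above the transport layer.",
    }
    return hints[result]


def _free_port() -> int:
    """Constructed helper: find a local port with nothing listening on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def run_local_demo() -> dict:
    """Constructed demo: one listening port and one closed port on localhost."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    try:
        listening = tcp_check("127.0.0.1", listener.getsockname()[1], timeout=2.0)
    finally:
        listener.close()
    closed = tcp_check("127.0.0.1", _free_port(), timeout=2.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    for label, result in run_local_demo().items():
        print(f"{label}: {result} -> {diagnose(result)}")
```

The important design point is the order of the checks: name resolution is attempted before any connection, and a timeout is reported separately from a refusal, because a refusal proves the host is reachable while a timeout proves nothing except that the traffic was dropped somewhere along the path.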

如果这些方法未解决问题,请首先检查以下因素:If those items don't answer your problems, look first for things like:

需要网关的 VNet 集成Gateway-required VNet Integration

  • 点到站点地址范围是否在 RFC 1918 范围内 (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?Is the point-to-site address range in the RFC 1918 ranges (10.0.0.0-10.255.255.255 / 172.16.0.0-172.31.255.255 / 192.168.0.0-192.168.255.255)?
  • 网关在门户中是否显示为已启动?Does the gateway show as being up in the portal? 如果网关处于关闭状态,则将其重新启动。If your gateway is down, then bring it back up.
  • 证书是否显示正在同步?或者,你是否怀疑网络配置已更改?Do certificates show as being in sync, or do you suspect that the network configuration was changed? 如果证书未同步,或者你怀疑对虚拟网络配置做出了与 ASP 不同步的更改,请选择“同步网络”。If your certificates are out of sync or you suspect that a change was made to your virtual network configuration that wasn't synced with your ASPs, select Sync Network.
  • 如果通过 VPN 传输,本地网关是否配置为将流量路由回 Azure?If you're going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? 如果可以访问虚拟网络中的终结点,但不能访问本地的终结点,请检查路由。If you can reach endpoints in your virtual network but not on-premises, check your routes.
  • 你是否正在尝试使用一个既支持点到站点连接,又支持 ExpressRoute 的共存网关?Are you trying to use a coexistence gateway that supports both point to site and ExpressRoute? VNet 集成不支持共存网关。Coexistence gateways aren't supported with VNet Integration.

Debugging networking issues is a challenge because you can't see what's blocking access to a specific host:port combination. Some causes include:

  • You have a firewall up on your host that prevents access to the application port from your point-to-site IP range. Crossing subnets often requires public access.
  • Your target host is down.
  • Your application is down.
  • You have the wrong IP or hostname.
  • Your application is listening on a different port than you expected. You can match your process ID with the listening port by using "netstat -aon" on the endpoint host.
  • Your network security groups are configured in such a way that they prevent access to your application host and port from your point-to-site IP range.

You don't know which address your app actually uses. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire address range.

Additional debug steps include:

  • Connect to a VM in your virtual network and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection. The syntax is:
test-netconnection hostname [optional: -Port]
  • Bring up an application on a VM and test access to that host and port from your app's console by using tcpping.
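As an added example (not code from the Azure docs), the PowerShell below checks whether a point-to-site range lies inside RFC 1918 and probes a host:port the way tcpping and test-netconnection do, mapping the outcome to the causes listed above (DNS failure, TCP timeout, nothing listening). The hostname, CIDR and port are constructed sample values.

```powershell
# Added example, not from the Azure docs: RFC 1918 check for a point-to-site range
# plus a DNS/TCP probe that classifies failures the way this page does.
function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes() is big-endian; BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-Rfc1918Range {
    # $true only when the whole block (given as network address/prefix) lies inside one RFC 1918 range.
    param([Parameter(Mandatory)][string]$Cidr)
    $net, $prefix = $Cidr.Split('/')
    $start = ConvertTo-UInt32 $net
    $end   = $start + [math]::Pow(2, 32 - [int]$prefix) - 1
    foreach ($p in '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16') {
        $pNet, $pPrefix = $p.Split('/')
        $pStart = ConvertTo-UInt32 $pNet
        $pEnd   = $pStart + [math]::Pow(2, 32 - [int]$pPrefix) - 1
        if ($start -ge $pStart -and $end -le $pEnd) { return $true }
    }
    return $false
}

function Test-ResourceEndpoint {
    # Probe host:port as tcpping does and map the outcome to the causes listed above.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutSeconds = 21   # matches the 21-second TCP timeout the page describes
    )
    try { $addr = [System.Net.Dns]::GetHostAddresses($HostName)[0] }
    catch { return "DNS failure for ${HostName}: check nameresolver and NSG/firewall rules toward the DNS servers" }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $task = $client.ConnectAsync($addr, $Port)
        if (-not $task.Wait($TimeoutSeconds * 1000)) {
            return "Timeout to ${addr}:${Port}: a firewall or NSG is probably dropping the integration subnet / point-to-site range"
        }
        return "Open: ${addr}:${Port} is reachable and something is listening"
    }
    catch { return "Refused by ${addr}:${Port}: host reachable but nothing listening; check with netstat -aon on the host" }
    finally { $client.Dispose() }
}

# Constructed sample values; replace with your own point-to-site range and target.
Test-Rfc1918Range -Cidr '172.16.10.0/24'   # inside 172.16.0.0/12
Test-Rfc1918Range -Cidr '172.32.0.0/16'    # adjacent to, but outside, 172.16.0.0/12
Test-ResourceEndpoint -HostName 'sql01.internal.contoso.com' -Port 1433
```

Run it from a VM in the virtual network first, then from the app's console, so that a difference between the two results points at routes, NSGs or on-premises firewalls rather than the target itself.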

On-premises resources

If your app can't reach a resource on-premises, check whether you can reach the resource from your virtual network. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach your on-premises resource, your VPN or ExpressRoute connection might not be configured properly.

If your virtual network-hosted VM can reach your on-premises system but your app can't, the cause is likely one of the following:

  • Your routes aren't configured with your subnet or point-to-site address ranges in your on-premises gateway.
  • Your network security groups are blocking access for your point-to-site IP range.
  • Your on-premises firewalls are blocking traffic from your point-to-site IP range.

Automation

CLI support is available for regional VNet Integration. To access the following commands, install the Azure CLI.

az webapp vnet-integration --help

Group
    az webapp vnet-integration : Methods that list, add, and remove virtual network
    integrations from a webapp.
        This command group is in preview. It may be changed/removed in a future release.
Commands:
    add    : Add a regional virtual network integration to a webapp.
    list   : List the virtual network integrations on a webapp.
    remove : Remove a regional virtual network integration from webapp.

az appservice vnet-integration --help

Group
    az appservice vnet-integration : A method that lists the virtual network
    integrations used in an appservice plan.
        This command group is in preview. It may be changed/removed in a future release.
Commands:
    list : List the virtual network integrations used in an appservice plan.

PowerShell support for regional VNet Integration is available too, but you must create a generic resource with a property array that carries the subnet resource ID:

# Parameters
$sitename = 'myWebApp'
$resourcegroupname = 'myRG'
$VNetname = 'myVNet'
$location = 'myRegion'
$integrationsubnetname = 'myIntegrationSubnet'
$subscriptionID = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# Property array with the subnet resource ID
$properties = @{
  subnetResourceId = "/subscriptions/$subscriptionID/resourceGroups/$resourcegroupname/providers/Microsoft.Network/virtualNetworks/$VNetname/subnets/$integrationsubnetname"
}

# Creation of the VNet integration
$vNetParams = @{
  ResourceName = "$sitename/VirtualNetwork"
  Location = $location
  ResourceGroupName = $resourcegroupname
  ResourceType = 'Microsoft.Web/sites/networkConfig'
  PropertyObject = $properties
}
New-AzResource @vNetParams

For gateway-required VNet Integration, you can integrate App Service with an Azure virtual network by using PowerShell. For a ready-to-run script, see Connect an app in Azure App Service to an Azure virtual network.