Autoscaling and Zone-redundant Application Gateway v2

Application Gateway and Web Application Firewall (WAF) are also available under a Standard_v2 and WAF_v2 SKU. The v2 SKU offers performance enhancements and adds support for critical new features like autoscaling, zone redundancy, and support for static VIPs. Existing features under the Standard and WAF SKU continue to be supported in the new v2 SKU, with a few exceptions listed in the comparison section.

The new v2 SKU includes the following enhancements:

  • Autoscaling: Application Gateway or WAF deployments under the autoscaling SKU can scale up or down based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. This SKU offers true elasticity. In the Standard_v2 and WAF_v2 SKU, Application Gateway can operate both in fixed capacity (autoscaling disabled) and in autoscaling enabled mode. Fixed capacity mode is useful for scenarios with consistent and predictable workloads. Autoscaling mode is beneficial in applications that see variance in application traffic.

  • Zone redundancy: An Application Gateway or WAF deployment can span multiple Availability Zones, removing the need to provision separate Application Gateway instances in each zone with a Traffic Manager. You can choose a single zone or multiple zones where Application Gateway instances are deployed, which makes it more resilient to zone failure. The backend pool for applications can be similarly distributed across availability zones.

    Zone redundancy is available only where Azure Zones are available. In other regions, all other features are supported.

  • Static VIP: Application Gateway v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change for the lifecycle of the deployment, even after a restart. There isn't a static VIP in v1, so you must use the application gateway URL instead of the IP address for domain name routing to App Services via the application gateway.

  • Header Rewrite: Application Gateway allows you to add, remove, or update HTTP request and response headers with v2 SKU. For more information, see Rewrite HTTP headers with Application Gateway.

  • Key Vault Integration (preview): Application Gateway v2 supports integration with Key Vault (in public preview) for server certificates that are attached to HTTPS enabled listeners. For more information, see SSL termination with Key Vault certificates.

  • Azure Kubernetes Service Ingress Controller (preview): The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) cluster. For more information, see the documentation page.

  • Performance enhancements: The v2 SKU offers up to 5X better SSL offload performance as compared to the Standard/WAF SKU.

  • Faster deployment and update time: The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes.

Pricing

With the v2 SKU, the pricing model is driven by consumption and is no longer attached to instance counts or sizes. The v2 SKU pricing has two components:

  • Fixed price - This is the hourly (or partial hour) price to provision a Standard_v2 or WAF_v2 Gateway. Note that 0 additional minimum instances still ensure high availability of the service, which is always included with the fixed price.
  • Capacity Unit price - This is a consumption-based cost that is charged in addition to the fixed cost. The capacity unit charge is also computed hourly or partial hourly. There are three dimensions to a capacity unit: compute unit, persistent connections, and throughput. Compute unit is a measure of processor capacity consumed. Factors affecting compute unit are TLS connections/sec, URL Rewrite computations, and WAF rule processing. Persistent connection is a measure of established TCP connections to the application gateway in a given billing interval. Throughput is the average Megabits/sec processed by the system in a given billing interval. The billing is done at a Capacity Unit level for anything above the reserved instance count.

Each capacity unit is composed of at most: 1 compute unit, or 2500 persistent connections, or 2.22-Mbps throughput.

Compute unit guidance:

  • Standard_v2 - Each compute unit is capable of approximately 50 connections per second with an RSA 2048-bit key TLS certificate.
  • WAF_v2 - Each compute unit can support approximately 10 concurrent requests per second for a 70-30% mix of traffic, with 70% of requests being GET/POST requests smaller than 2 KB and the remainder larger. WAF performance is not affected by response size currently.

Note

Each instance can currently support approximately 10 capacity units. The number of requests a compute unit can handle depends on various criteria like TLS certificate key size, key exchange algorithm, header rewrites, and, in the case of WAF, incoming request size. We recommend you perform application tests to determine the request rate per compute unit. Both capacity unit and compute unit will be made available as a metric before billing starts.

For more pricing information, see the pricing page. Billing is scheduled to start on July 1, 2019.

Scaling Application Gateway and WAF v2

Application Gateway and WAF can be configured to scale in two modes:

  • Autoscaling - With autoscaling enabled, the Application Gateway and WAF v2 SKUs scale up or down based on application traffic requirements. This mode offers better elasticity to your application and eliminates the need to guess the application gateway size or instance count. This mode also allows you to save cost by not requiring the gateway to run at peak provisioned capacity for anticipated maximum traffic load. You must specify a minimum and optionally maximum instance count. Minimum capacity ensures that Application Gateway and WAF v2 don't fall below the minimum instance count specified, even in the absence of traffic. Each instance counts as 10 additional reserved Capacity Units. Zero signifies no reserved capacity and is purely autoscaling in nature. Note that zero additional minimum instances still ensure high availability of the service, which is always included with the fixed price. You can also optionally specify a maximum instance count, which ensures that the Application Gateway doesn't scale beyond the specified number of instances. You'll continue to be billed for the amount of traffic served by the Gateway. The instance counts can range from 0 to 125. The default value for maximum instance count is 20 if not specified.
  • Manual - You can alternatively choose Manual mode, where the gateway won't autoscale. In this mode, if there is more traffic than what Application Gateway or WAF can handle, it could result in traffic loss. With manual mode, specifying instance count is mandatory. Instance count can vary from 1 to 125 instances.
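The following sizing sketch is an added example, not part of the original documentation or any Azure tooling. It combines the capacity unit definition, the compute unit guidance, and the instance limits above to estimate how many capacity units a load consumes, how many exceed the reserve, and whether the configured maximum instance count would cap the gateway below that load. The `estimate` helper, the sample load figures, and the reading that the most demanding dimension sets the capacity unit total are assumptions.

```python
import math

# Constants stated on this page (all approximate guidance values).
CONNS_PER_CAPACITY_UNIT = 2500     # persistent connections per capacity unit
MBPS_PER_CAPACITY_UNIT = 2.22      # throughput per capacity unit
CAPACITY_UNITS_PER_INSTANCE = 10   # per instance, and reserve per minimum instance
RATE_PER_COMPUTE_UNIT = {"Standard_v2": 50, "WAF_v2": 10}  # conn/s or req/s
DEFAULT_MAX_INSTANCES = 20
INSTANCE_RANGE = (0, 125)


def estimate(sku, rate_per_sec, persistent_conns, throughput_mbps,
             min_instances=0, max_instances=DEFAULT_MAX_INSTANCES):
    """Estimate capacity units for one billing interval (hypothetical helper)."""
    lowest, highest = INSTANCE_RANGE
    if not (lowest <= min_instances <= max_instances <= highest):
        raise ValueError("instance counts must satisfy 0 <= min <= max <= 125")
    compute_units = math.ceil(rate_per_sec / RATE_PER_COMPUTE_UNIT[sku])
    # Assumption: the dimension that needs the most units sets the total.
    capacity_units = max(
        compute_units,
        math.ceil(persistent_conns / CONNS_PER_CAPACITY_UNIT),
        math.ceil(throughput_mbps / MBPS_PER_CAPACITY_UNIT),
    )
    reserved = min_instances * CAPACITY_UNITS_PER_INSTANCE
    instances_needed = math.ceil(capacity_units / CAPACITY_UNITS_PER_INSTANCE)
    return {
        "compute_units": compute_units,
        "capacity_units": capacity_units,
        "reserved_capacity_units": reserved,
        "units_above_reserve": max(0, capacity_units - reserved),
        "instances_needed": instances_needed,
        # True when the configured ceiling is below what the load needs,
        # which is the situation where traffic can be lost.
        "capped_by_max": instances_needed > max_instances,
    }


# Constructed sample load: a WAF_v2 gateway with 2 minimum and 4 maximum instances.
SAMPLE = estimate("WAF_v2", rate_per_sec=450, persistent_conns=30000,
                  throughput_mbps=80, min_instances=2, max_instances=4)
```

For the constructed WAF_v2 load, request processing is the dominant dimension, and the maximum of 4 instances is lower than the load requires.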

Feature comparison between v1 SKU and v2 SKU

The following table compares the features available with each SKU.

v1 SKU | v2 SKU
Autoscaling
Zone redundancy
Static VIP
Azure Kubernetes Service (AKS) Ingress controller
Azure Key Vault integration
Rewrite HTTP(S) headers
URL-based routing
Multiple-site hosting
Traffic redirection
Web Application Firewall (WAF)
WAF custom rules
Secure Sockets Layer (SSL) termination
End-to-end SSL encryption
Session affinity
Custom error pages
WebSocket support
HTTP/2 support
Connection draining

Note

The autoscaling v2 SKU now supports default health probes to automatically monitor the health of all resources in its back-end pool and highlight those backend members that are considered unhealthy. The default health probe is automatically configured for backends that don't have any custom probe configuration. To learn more, see health probes in application gateway.

Differences with v1 SKU

Difference | Details
Authentication certificate | Not supported. For more information, see Overview of end to end SSL with Application Gateway.
Mixing Standard_v2 and Standard Application Gateway on the same subnet | Not supported.
User Defined Route (UDR) on Application Gateway subnet | Not supported.
NSG for Inbound port range | 65200 to 65535 for Standard_v2 SKU; 65503 to 65534 for Standard SKU. For more information, see the FAQ.
Performance logs in Azure diagnostics | Not supported. Azure metrics should be used.
Billing | Billing scheduled to start on July 1, 2019.
FIPS mode | These are currently not supported.
ILB only mode | This is currently not supported. Public and ILB mode together is supported.
Netwatcher integration | Not supported.
Azure Security Center integration | Not yet available.
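The NSG row above is easy to get wrong when a rule set written for a v1 gateway is reused on a subnet that hosts a v2 gateway. This added example (not from the original documentation or an Azure SDK) evaluates a rule list in priority order and reports which ports in the required range are not allowed. The dict shape for rules and the sample rules are constructed; treating the range as TCP, ignoring source prefixes, and counting unmatched ports as denied are assumptions.

```python
# Port ranges from the "NSG for Inbound port range" row on this page.
REQUIRED_PORTS = {"Standard_v2": (65200, 65535), "Standard": (65503, 65534)}


def _matches(rule, port):
    """True if an inbound TCP rule's destination ports include `port`."""
    if rule["direction"] != "Inbound" or rule["protocol"] not in ("Tcp", "*"):
        return False
    for spec in rule["ports"]:
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def blocked_ranges(rules, sku):
    """Return [(low, high), ...] of required ports that are not allowed.

    Rules are evaluated lowest priority number first and the first match
    wins; a port that no rule matches counts as denied (assumption).
    """
    ordered = sorted(rules, key=lambda r: r["priority"])
    low, high = REQUIRED_PORTS[sku]
    blocked = []
    for port in range(low, high + 1):
        hit = next((r for r in ordered if _matches(r, port)), None)
        if hit is None or hit["access"] != "Allow":
            if blocked and blocked[-1][1] == port - 1:
                blocked[-1] = (blocked[-1][0], port)  # extend the current gap
            else:
                blocked.append((port, port))
    return blocked


# Constructed rule set (hypothetical dict shape, not an Azure SDK object):
# an allow rule sized for the v1 range, followed by a broad high-port deny.
RULES_V1_STYLE = [
    {"name": "allow-gw-mgmt", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "ports": ["65503-65534"]},
    {"name": "deny-high-ports", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "ports": ["60000-65535"]},
]
```

With the constructed rules, the Standard range is fully allowed, while the Standard_v2 range has gaps below 65503 and at 65535.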

Migrate from v1 to v2

An Azure PowerShell script is available in the PowerShell gallery to help you migrate from your v1 Application Gateway/WAF to the v2 Autoscaling SKU. This script helps you copy the configuration from your v1 gateway. Traffic migration is still your responsibility. For more information, see Migrate Azure Application Gateway from v1 to v2.

Next steps