Autoscaling and Zone-redundant Application Gateway v2

Application Gateway is available under a Standard_v2 SKU. Web Application Firewall (WAF) is available under a WAF_v2 SKU. The v2 SKU offers performance enhancements and adds support for critical new features like autoscaling, zone redundancy, and support for static VIPs. Existing features under the Standard and WAF SKU continue to be supported in the new v2 SKU, with a few exceptions listed in the comparison section.

The new v2 SKU includes the following enhancements:

  • Autoscaling: Application Gateway or WAF deployments under the autoscaling SKU can scale up or down based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. This SKU offers true elasticity. In the Standard_v2 and WAF_v2 SKU, Application Gateway can operate both in fixed capacity (autoscaling disabled) and in autoscaling enabled mode. Fixed capacity mode is useful for scenarios with consistent and predictable workloads. Autoscaling mode is beneficial in applications that see variance in application traffic.

  • Zone redundancy: An Application Gateway or WAF deployment can span multiple Availability Zones, removing the need to provision separate Application Gateway instances in each zone with a Traffic Manager. You can choose a single zone or multiple zones where Application Gateway instances are deployed, which makes it more resilient to zone failure. The backend pool for applications can be similarly distributed across availability zones.

    Zone redundancy is available only where Azure Zones are available. In other regions, all other features are supported.

  • Static VIP: Application Gateway v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the application gateway doesn't change for the lifecycle of the deployment, even after a restart. There isn't a static VIP in v1, so you must use the application gateway URL instead of the IP address for domain name routing to App Services via the application gateway.

  • Header Rewrite: Application Gateway allows you to add, remove, or update HTTP request and response headers with v2 SKU. For more information, see Rewrite HTTP headers with Application Gateway.

  • Key Vault Integration: Application Gateway v2 supports integration with Key Vault for server certificates that are attached to HTTPS enabled listeners. For more information, see TLS termination with Key Vault certificates.

  • Azure Kubernetes Service Ingress Controller: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) cluster. For more information, see What is Application Gateway Ingress Controller?.

  • Performance enhancements: The v2 SKU offers up to 5X better TLS offload performance as compared to the Standard/WAF SKU.

  • Faster deployment and update time: The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes.

Diagram of autoscaling zones.

Pricing

With the v2 SKU, the pricing model is driven by consumption and is no longer attached to instance counts or sizes. The v2 SKU pricing has two components:

  • Fixed price - This is the hourly (or partial hour) price to provision a Standard_v2 or WAF_v2 Gateway. Please note that 0 additional minimum instances still ensures high availability of the service, which is always included with the fixed price.
  • Capacity Unit price - This is a consumption-based cost that is charged in addition to the fixed cost. Capacity unit charge is also computed hourly or partial hourly. There are three dimensions to capacity unit - compute unit, persistent connections, and throughput. Compute unit is a measure of processor capacity consumed. Factors affecting compute unit are TLS connections/sec, URL Rewrite computations, and WAF rule processing. Persistent connection is a measure of established TCP connections to the application gateway in a given billing interval. Throughput is average Megabits/sec processed by the system in a given billing interval. The billing is done at a Capacity Unit level for anything above the reserved instance count.

Each capacity unit is composed of at most: 1 compute unit, 2500 persistent connections, and 2.22-Mbps throughput.

Compute unit guidance:

  • Standard_v2 - Each compute unit is capable of approximately 50 connections per second with RSA 2048-bit key TLS certificate.
  • WAF_v2 - Each compute unit can support approximately 10 concurrent requests per second for 70-30% mix of traffic with 70% requests less than 2 KB GET/POST and remaining higher. WAF performance is not affected by response size currently.

Note

Each instance can currently support approximately 10 capacity units. The number of requests a compute unit can handle depends on various criteria like TLS certificate key size, key exchange algorithm, header rewrites, and, in the case of WAF, incoming request size. We recommend you perform application tests to determine request rate per compute unit. Both capacity unit and compute unit will be made available as a metric before billing starts.

For more pricing information, see the pricing page.

Scaling Application Gateway and WAF v2

Application Gateway and WAF can be configured to scale in two modes:

  • Autoscaling - With autoscaling enabled, the Application Gateway and WAF v2 SKUs scale up or down based on application traffic requirements. This mode offers better elasticity to your application and eliminates the need to guess the application gateway size or instance count. This mode also allows you to save cost by not requiring the gateway to run at peak provisioned capacity for anticipated maximum traffic load. You must specify a minimum and optionally maximum instance count. Minimum capacity ensures that Application Gateway and WAF v2 don't fall below the minimum instance count specified, even in the absence of traffic. Each instance is roughly equivalent to 10 additional reserved Capacity Units. Zero signifies no reserved capacity and is purely autoscaling in nature. You can also optionally specify a maximum instance count, which ensures that the Application Gateway doesn't scale beyond the specified number of instances. You will only be billed for the amount of traffic served by the Gateway. The instance counts can range from 0 to 125. The default value for maximum instance count is 20 if not specified.
  • Manual - You can alternatively choose Manual mode where the gateway won't autoscale. In this mode, if there is more traffic than what Application Gateway or WAF can handle, it could result in traffic loss. With manual mode, specifying instance count is mandatory. Instance count can vary from 1 to 125 instances.

Autoscaling and High Availability

Azure Application Gateways are always deployed in a highly available fashion. The service is made up of multiple instances that are created as configured (if autoscaling is disabled) or as required by the application load (if autoscaling is enabled). Note that from the user's perspective you do not necessarily have visibility into the individual instances, but just into the Application Gateway service as a whole. If a certain instance has a problem and stops being functional, Azure Application Gateway will transparently create a new instance.

Please note that even if you configure autoscaling with zero minimum instances the service will still be highly available, which is always included with the fixed price.

However, creating a new instance can take some time (around six or seven minutes). Hence, if you do not want to cope with this downtime you can configure a minimum instance count of 2, ideally with Availability Zone support. This way you will have at least two instances inside your Azure Application Gateway under normal circumstances, so if one of them has a problem the other will try to cope with the traffic while a new instance is being created. Note that an Azure Application Gateway instance can support around 10 Capacity Units, so depending on how much traffic you typically have you might want to configure your minimum instance autoscaling setting to a value higher than 2.
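The sizing guidance above can be turned into autoscale bounds. The following is an added example, not Microsoft's code: it assumes a gateway needs as many capacity units as its most demanding dimension, treats the page's per-unit figures as exact, and uses made-up names (`Load`, `capacity_units`, `autoscale_bounds`).

```python
import math
from dataclasses import dataclass

# Figures quoted from the page; all are approximate guidance, not guarantees.
CONNECTIONS_PER_CU = 2500   # persistent connections per capacity unit
MBPS_PER_CU = 2.22          # throughput per capacity unit
CU_PER_INSTANCE = 10        # capacity units one instance supports
INSTANCE_LIMIT = 125        # highest allowed instance count
DEFAULT_MAX = 20            # maximum instance count used when none is specified
RATE_PER_COMPUTE_UNIT = {"Standard_v2": 50, "WAF_v2": 10}  # per second

@dataclass
class Load:
    rate_per_sec: float          # TLS connections/s (Standard_v2) or requests/s (WAF_v2)
    persistent_connections: int
    throughput_mbps: float

def capacity_units(sku: str, load: Load) -> int:
    """Capacity units needed: the largest of the three billing dimensions."""
    if sku not in RATE_PER_COMPUTE_UNIT:
        raise ValueError(f"unknown SKU: {sku}")
    compute = load.rate_per_sec / RATE_PER_COMPUTE_UNIT[sku]
    connections = load.persistent_connections / CONNECTIONS_PER_CU
    throughput = load.throughput_mbps / MBPS_PER_CU
    return math.ceil(max(compute, connections, throughput))

def autoscale_bounds(sku: str, typical: Load, peak: Load, ha_floor: int = 2):
    """Return (min_instances, max_instances, must_set_max_explicitly).

    ha_floor=2 follows the advice to keep two instances so one can carry
    traffic during the minutes a replacement takes to start.
    """
    min_inst = max(ha_floor, math.ceil(capacity_units(sku, typical) / CU_PER_INSTANCE))
    max_inst = max(min_inst, math.ceil(capacity_units(sku, peak) / CU_PER_INSTANCE))
    if max_inst > INSTANCE_LIMIT:
        raise ValueError(f"peak needs {max_inst} instances, limit is {INSTANCE_LIMIT}")
    # If the peak needs more than the default ceiling, leaving the maximum
    # unset would cap the gateway below what the peak requires.
    return min_inst, max_inst, max_inst > DEFAULT_MAX

# Constructed sample loads, for illustration only.
TYPICAL = Load(rate_per_sec=600, persistent_connections=20000, throughput_mbps=40)
PEAK = Load(rate_per_sec=3000, persistent_connections=100000, throughput_mbps=200)
```

With these sample loads the WAF_v2 gateway is bound by request rate and the Standard_v2 gateway by throughput, which is why the same traffic yields different instance counts per SKU.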

Feature comparison between v1 SKU and v2 SKU

The following table compares the features available with each SKU.

Feature | v1 SKU | v2 SKU
Autoscaling
Zone redundancy
Static VIP
Azure Kubernetes Service (AKS) Ingress controller
Azure Key Vault integration
Rewrite HTTP(S) headers
URL-based routing
Multiple-site hosting
Traffic redirection
Web Application Firewall (WAF)
WAF custom rules
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) termination
End-to-end TLS encryption
Session affinity
Custom error pages
WebSocket support
HTTP/2 support
Connection draining

Note

The autoscaling v2 SKU now supports default health probes to automatically monitor the health of all resources in its back-end pool and highlight those backend members that are considered unhealthy. The default health probe is automatically configured for backends that don't have any custom probe configuration. To learn more, see health probes in application gateway.

Differences from v1 SKU

This section describes features and limitations of the v2 SKU that differ from the v1 SKU.

Difference | Details
Authentication certificate | Not supported. For more information, see Overview of end to end TLS with Application Gateway.
Mixing Standard_v2 and Standard Application Gateway on the same subnet | Not supported.
User-Defined Route (UDR) on Application Gateway subnet | Supported (specific scenarios). In preview. For more information about supported scenarios, see Application Gateway configuration overview.
NSG for Inbound port range | 65200 to 65535 for Standard_v2 SKU; 65503 to 65534 for Standard SKU. For more information, see the FAQ.
Performance logs in Azure diagnostics | Not supported. Azure metrics should be used.
Billing | Billing scheduled to start on July 1, 2019.
FIPS mode | This is currently not supported.
ILB only mode | This is currently not supported. Public and ILB mode together is supported.
Network Watcher integration | Not supported.
Azure Security Center integration | Not yet available.
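The NSG row above is easy to break when a v1 subnet's rules are reused for v2, because the two SKUs need different inbound port ranges. The following added example (not from the original page) checks a rule set against the range for each SKU; it assumes those ports must be allowed inbound, evaluates only destination ports and priority (source and protocol are ignored), and runs on constructed sample rules shaped like NSG `securityRules` JSON.

```python
# Inbound port ranges from the table above.
REQUIRED = {"Standard_v2": (65200, 65535), "Standard": (65503, 65534)}

def rule_ports(rule):
    """Expand a rule's destination port spec(s) into a set of port numbers."""
    props = rule["properties"]
    specs = props.get("destinationPortRanges") or [props["destinationPortRange"]]
    ports = set()
    for spec in specs:
        low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def to_ranges(ports):
    """Collapse a set of ports into sorted (low, high) tuples."""
    ranges = []
    for port in sorted(ports):
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges

def not_allowed(rules, sku):
    """Required ports that are denied, or never matched by an explicit Allow."""
    low, high = REQUIRED[sku]
    undecided, denied = set(range(low, high + 1)), set()
    inbound = [r for r in rules if r["properties"]["direction"] == "Inbound"]
    # Lower priority numbers are evaluated first; the first match decides.
    for rule in sorted(inbound, key=lambda r: r["properties"]["priority"]):
        hit = rule_ports(rule) & undecided
        if rule["properties"]["access"] == "Deny":
            denied |= hit
        undecided -= hit
    return to_ranges(denied | undecided)

SAMPLE_RULES = [  # constructed sample data, not a real NSG export
    {"name": "allow-web", "properties": {"priority": 100, "direction": "Inbound",
        "access": "Allow", "destinationPortRanges": ["80", "443"]}},
    {"name": "deny-high", "properties": {"priority": 200, "direction": "Inbound",
        "access": "Deny", "destinationPortRange": "65000-65300"}},
    {"name": "allow-infra", "properties": {"priority": 300, "direction": "Inbound",
        "access": "Allow", "destinationPortRange": "65200-65535"}},
]
```

In the sample, the earlier deny rule shadows part of the v2 range even though a later rule allows all of it, so the check reports 65200 to 65300 for Standard_v2 and nothing for Standard.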

Migrate from v1 to v2

An Azure PowerShell script is available in the PowerShell gallery to help you migrate from your v1 Application Gateway/WAF to the v2 Autoscaling SKU. This script helps you copy the configuration from your v1 gateway. Traffic migration is still your responsibility. For more information, see Migrate Azure Application Gateway from v1 to v2.

Next steps