Application gateway components

An application gateway serves as the single point of contact for clients. It distributes incoming application traffic across multiple backend pools, which include Azure VMs, virtual machine scale sets, Azure App Service, and on-premises or external servers. To distribute traffic, an application gateway uses the components described in this article.

Components used in an application gateway

Frontend IP addresses

A frontend IP address is the IP address associated with an application gateway. You can configure an application gateway to have a public IP address, a private IP address, or both. An application gateway supports one public or one private IP address. Your virtual network and public IP address must be in the same location as your application gateway. After it's created, a frontend IP address is associated with a listener.

Static versus dynamic public IP address

The Azure Application Gateway V2 SKU can be configured to support either both a static internal IP address and a static public IP address, or only a static public IP address. It can't be configured to support only a static internal IP address.

The V1 SKU can be configured to support a static or dynamic internal IP address and a dynamic public IP address. The dynamic IP address of Application Gateway doesn't change on a running gateway. It can change only when you stop or start the gateway. It doesn't change on system failures, updates, Azure host updates, and so on.

The DNS name associated with an application gateway doesn't change over the lifecycle of the gateway. As a result, you should use a CNAME alias and point it to the DNS address of the application gateway.

Listeners

A listener is a logical entity that checks for incoming connection requests. A listener accepts a request if the protocol, port, hostname, and IP address associated with the request match the same elements associated with the listener configuration.

Before you use an application gateway, you must add at least one listener. There can be multiple listeners attached to an application gateway, and they can be used for the same protocol.

After a listener detects incoming requests from clients, the application gateway routes these requests to members in the backend pool configured in the rule.

Listeners support the following ports and protocols.

Ports

A port is where a listener listens for the client request. You can configure ports ranging from 1 to 65502 for the v1 SKU and 1 to 65199 for the v2 SKU.

Protocols

Application Gateway supports four protocols: HTTP, HTTPS, HTTP/2, and WebSocket:

Note

HTTP/2 protocol support is available to clients connecting to application gateway listeners only. The communication to backend server pools is always over HTTP/1.1. By default, HTTP/2 support is disabled. You can choose to enable it.

  • Specify between the HTTP and HTTPS protocols in the listener configuration.
  • Support for WebSockets and HTTP/2 protocols is provided natively, and WebSocket support is enabled by default. There's no user-configurable setting to selectively enable or disable WebSocket support. Use WebSockets with both HTTP and HTTPS listeners.

Use an HTTPS listener for SSL termination. An HTTPS listener offloads the encryption and decryption work to your application gateway, so your web servers aren't burdened by the overhead.

Custom error pages

Application Gateway lets you create custom error pages instead of displaying default error pages. You can use your own branding and layout on a custom error page. Application Gateway displays a custom error page when a request can't reach the backend.

For more information, see Custom error pages for your application gateway.

Types of listeners

There are two types of listeners:

  • Basic. This type of listener listens to a single domain site, where it has a single DNS mapping to the IP address of the application gateway. This listener configuration is required when you host a single site behind an application gateway.

  • Multi-site. This listener configuration is required when you configure more than one web application on the same application gateway instance. It allows you to configure a more efficient topology for your deployments by adding up to 100 websites to one application gateway. Each website can be directed to its own backend pool. For example, three subdomains, abc.contoso.com, xyz.contoso.com, and pqr.contoso.com, point to the IP address of the application gateway. You'd create three multi-site listeners and configure each listener for the respective port and protocol setting.

    For more information, see Multiple-site hosting.

After you create a listener, you associate it with a request routing rule. This rule determines how the request received on the listener should be routed to the backend.

Application Gateway processes listeners in the order shown.

Request routing rules

A request routing rule is a key component of an application gateway because it determines how to route traffic on the listener. The rule binds the listener, the backend server pool, and the backend HTTP settings.

When a listener accepts a request, the request routing rule forwards the request to the backend or redirects it elsewhere. If the request is forwarded to the backend, the request routing rule defines which backend server pool to forward it to. The request routing rule also determines whether the headers in the request are to be rewritten. One listener can be attached to one rule.

There are two types of request routing rules:

  • Basic. All requests on the associated listener (for example, blog.contoso.com/*) are forwarded to the associated backend pool by using the associated HTTP setting.

  • Path-based. This routing rule lets you route the requests on the associated listener to a specific backend pool, based on the URL in the request. If the path of the URL in a request matches the path pattern in a path-based rule, the rule routes that request. It applies the path pattern only to the URL path, not to its query parameters. If the URL path on a listener request doesn't match any of the path-based rules, it routes the request to the default backend pool and HTTP settings.

For more information, see URL-based routing.

Redirection support

The request routing rule also allows you to redirect traffic on the application gateway. This is a generic redirection mechanism, so you can redirect to and from any port you define by using rules.

You can choose the redirection target to be another listener (which can help enable automatic HTTP to HTTPS redirection) or an external site. You can also choose to have the redirection be temporary or permanent, or to append the URI path and query string to the redirected URL.

For more information, see Redirect traffic on your application gateway.
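The listener-matching, request-routing and redirection behaviour described above can be put together in one small model. The following Python is an added example and not code from Azure or this documentation; the listener names, pool names, hostnames, URL patterns and the ordering of multi-site before basic listeners are assumptions made for the example. It shows a basic HTTP listener whose rule redirects to an HTTPS multi-site listener, and a path-based rule on that listener that matches the URL path only (never the query string) and falls back to a default pool.

```python
# Added example (not Azure's own code): a model of how an application gateway
# matches a request to a listener and then applies that listener's request
# routing rule (redirect, path-based with default pool, or basic).
# Listener names, pool names, hosts and URL patterns are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Listener:
    name: str
    protocol: str                    # "http" or "https"
    port: int
    hostname: Optional[str] = None   # None = basic listener; set = multi-site listener

    def matches(self, protocol: str, port: int, host: str) -> bool:
        # Protocol, port and (for a multi-site listener) hostname must all match.
        if protocol != self.protocol or port != self.port:
            return False
        return self.hostname is None or self.hostname == host.lower()


@dataclass(frozen=True)
class Redirect:
    target_listener: str
    permanent: bool = True           # 301 (permanent) or 302 (temporary)
    include_path: bool = True        # append the URI path to the redirected URL
    include_query: bool = True       # append the query string to the redirected URL


@dataclass
class Rule:
    default_pool: str
    path_map: Dict[str, str] = field(default_factory=dict)   # path pattern -> pool
    redirect: Optional[Redirect] = None


def route(listeners: List[Listener], rules: Dict[str, Rule], url: str) -> dict:
    """Return the action the model takes for one request URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    host = parts.hostname or ""
    path = parts.path or "/"

    # Assumption of the model: multi-site listeners are tried before the basic one.
    ordered = sorted(listeners, key=lambda l: l.hostname is None)
    listener = next((l for l in ordered if l.matches(scheme, port, host)), None)
    if listener is None:
        return {"action": "drop", "reason": "no matching listener"}

    rule = rules[listener.name]
    if rule.redirect is not None:
        target = next(l for l in listeners if l.name == rule.redirect.target_listener)
        location = f"{target.protocol}://{host}"
        if target.port not in (80, 443):
            location += f":{target.port}"
        if rule.redirect.include_path:
            location += path
        if rule.redirect.include_query and parts.query:
            location += "?" + parts.query
        return {"action": "redirect",
                "status": 301 if rule.redirect.permanent else 302,
                "location": location}

    # Path-based rule: patterns apply to the URL path only, never the query
    # string; with no match the request goes to the default pool.
    for pattern, pool in rule.path_map.items():
        if fnmatchcase(path, pattern):
            return {"action": "forward", "pool": pool, "matched": pattern}
    return {"action": "forward", "pool": rule.default_pool, "matched": None}


# Constructed configuration: an HTTP listener that redirects to HTTPS, and a
# multi-site HTTPS listener with a path-based rule.
LISTENERS = [
    Listener("http-listener", "http", 80),
    Listener("https-listener", "https", 443, hostname="www.contoso.com"),
]
RULES = {
    "http-listener": Rule(default_pool="", redirect=Redirect("https-listener")),
    "https-listener": Rule(default_pool="web-pool",
                           path_map={"/images/*": "image-pool", "/video/*": "video-pool"}),
}

if __name__ == "__main__":
    for u in ("http://www.contoso.com/images/logo.png?size=2",
              "https://www.contoso.com/images/logo.png",
              "https://www.contoso.com/api?path=/images/x",
              "https://other.contoso.com/"):
        print(u, "->", route(LISTENERS, RULES, u))
```

The third sample URL is the case to note: its query string contains `/images/x`, but only the path `/api` is matched, so it goes to the default pool rather than the image pool.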

Rewrite HTTP headers

By using the request routing rules, you can add, remove, or update HTTP(S) request and response headers as the request and response packets move between the client and backend pools via the application gateway.

The headers can be set to static values or to other headers and server variables. This helps with important use cases, such as extracting client IP addresses, removing sensitive information about the backend, adding more security, and so on.

For more information, see Rewrite HTTP headers on your application gateway.
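The three use cases named above (passing the client IP to the backend, stripping backend details from the response, and adding a security header) can be expressed as one rewrite rule set. The Python below is an added example and not Azure's rewrite engine; the `{var_...}`, `{http_req_...}` and `{http_resp_...}` placeholder form follows the Azure rewrite syntax, but the evaluation logic, rule structure, variable values and sample headers are constructed for the example. An empty value deletes the header.

```python
# Added example (not Azure's own code): a model of a header rewrite rule set
# applied to a request on its way to the backend and to the response on its
# way back.  Placeholders follow the Azure "{var_...}" / "{http_req_...}" /
# "{http_resp_...}" form; everything else is constructed for the example.
import re
from typing import Dict, List, Tuple

PLACEHOLDER = re.compile(
    r"\{(var_[A-Za-z0-9_]+|http_req_[A-Za-z0-9-]+|http_resp_[A-Za-z0-9-]+)\}")


def expand(value: str, variables: Dict[str, str],
           req: Dict[str, str], resp: Dict[str, str]) -> str:
    """Replace placeholders with server variables or other header values."""
    def sub(m) -> str:
        token = m.group(1)
        if token.startswith("var_"):
            return str(variables.get(token[len("var_"):], ""))
        if token.startswith("http_req_"):
            return req.get(token[len("http_req_"):].lower(), "")
        return resp.get(token[len("http_resp_"):].lower(), "")
    return PLACEHOLDER.sub(sub, value)


def apply_rewrites(rules: List[dict], variables: Dict[str, str],
                   req_headers: Dict[str, str],
                   resp_headers: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Apply rules in sequence order; a value that renders empty deletes the header."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    for rule in sorted(rules, key=lambda r: r["sequence"]):
        for side, headers in (("request", req), ("response", resp)):
            for name, value in rule.get(side, {}).items():
                rendered = expand(value, variables, req, resp)
                if rendered == "":
                    headers.pop(name.lower(), None)
                else:
                    headers[name.lower()] = rendered
    return req, resp


# Constructed rule set: forward the client IP, strip the backend's Server
# banner, and add HSTS to every response.
RULES = [
    {"sequence": 100, "request": {"X-Forwarded-For": "{var_client_ip}"}},
    {"sequence": 200, "response": {"Server": ""}},
    {"sequence": 300, "response": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
]

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE_VARIABLES = {"client_ip": "203.0.113.7"}
SAMPLE_REQUEST = {"Host": "www.contoso.com", "User-Agent": "curl/8.0"}
SAMPLE_RESPONSE = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    req, resp = apply_rewrites(RULES, SAMPLE_VARIABLES, SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print("request to backend:", req)
    print("response to client:", resp)
```

Rules run in ascending sequence order, so a later rule can reference a header an earlier rule set; headers are compared case-insensitively, as in HTTP.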

HTTP settings

An application gateway routes traffic to the backend servers (specified in the request routing rule that includes the HTTP settings) by using the port number, protocol, and other settings detailed in this component.

The port and protocol used in the HTTP settings determine whether the traffic between the application gateway and backend servers is encrypted (providing end-to-end SSL) or unencrypted.

This component is also used to:

  • Determine whether a user session is to be kept on the same server by using cookie-based session affinity.

  • Gracefully remove backend pool members by using connection draining.

  • Associate a custom probe to monitor the backend health, set the request timeout interval, override the host name and path in the request, and provide one-click ease to specify settings for the App Service backend.

Backend pools

A backend pool routes requests to backend servers, which serve the request. Backend pools can contain:

  • NICs
  • Virtual machine scale sets
  • Public IP addresses
  • Internal IP addresses
  • FQDNs
  • Multitenant backends (such as App Service)

Application Gateway backend pool members aren't tied to an availability set. An application gateway can communicate with instances outside of the virtual network that it's in. As a result, the members of the backend pools can be across clusters, across datacenters, or outside Azure, as long as there's IP connectivity.

If you use internal IPs as backend pool members, you must use virtual network peering or a VPN gateway. Virtual network peering is supported and beneficial for load-balancing traffic in other virtual networks.

An application gateway can also communicate with on-premises servers when they're connected by Azure ExpressRoute or VPN tunnels, if traffic is allowed.

You can create different backend pools for different types of requests. For example, create one backend pool for general requests, and then another backend pool for requests to the microservices for your application.

Health probes

By default, an application gateway monitors the health of all resources in its backend pool and automatically removes unhealthy ones. It then monitors unhealthy instances and adds them back to the healthy backend pool when they become available and respond to health probes.

In addition to using default health probe monitoring, you can also customize the health probe to suit your application's requirements. Custom probes allow more granular control over the health monitoring. When using custom probes, you can configure the probe interval, the URL and path to test, and how many failed responses to accept before the backend pool instance is marked as unhealthy. We recommend that you configure custom probes to monitor the health of each backend pool.

For more information, see Monitor the health of your application gateway.
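The probe settings listed above (path, interval, timeout, and the number of failed responses tolerated) and the remove-then-restore behaviour of the previous paragraph can be exercised against a scripted backend. The Python below is an added example, not Azure's probing code: it assumes that a member is taken out of rotation after the configured number of consecutive failures and restored by a single successful probe, that a response slower than the timeout counts as a failure, and that 2xx/3xx is the healthy status range; the member addresses and scripted responses are constructed for the example.

```python
# Added example (not Azure's own code): a model of custom health-probe behaviour
# over a backend pool.  Assumptions: `threshold` consecutive failures remove a
# member, one success restores it, a response slower than `timeout` is a
# failure, and 2xx/3xx is healthy.  Members and responses are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (HTTP status, seconds until the response arrived), or None when nothing answered
ProbeResult = Optional[Tuple[int, float]]


@dataclass(frozen=True)
class Probe:
    path: str = "/"
    interval: int = 30            # seconds between probe rounds
    timeout: int = 30             # slower than this counts as a failed probe
    threshold: int = 3            # consecutive failures before marking unhealthy
    healthy_status: range = range(200, 400)


@dataclass
class MemberState:
    healthy: bool = True
    consecutive_failures: int = 0


class BackendPoolMonitor:
    def __init__(self, probe: Probe, members: List[str],
                 responder: Callable[[str, str], ProbeResult]):
        self.probe = probe
        self.members: Dict[str, MemberState] = {m: MemberState() for m in members}
        self.responder = responder   # stands in for the real HTTP probe request
        self.next_due = 0.0

    def tick(self, now: float) -> List[str]:
        """Probe every member if an interval has elapsed; return the healthy members."""
        if now >= self.next_due:
            self.next_due = now + self.probe.interval
            for member, state in self.members.items():
                result = self.responder(member, self.probe.path)
                ok = (result is not None
                      and result[1] <= self.probe.timeout
                      and result[0] in self.probe.healthy_status)
                if ok:
                    state.consecutive_failures = 0
                    state.healthy = True          # back into the healthy pool
                else:
                    state.consecutive_failures += 1
                    if state.consecutive_failures >= self.probe.threshold:
                        state.healthy = False     # removed from rotation
        return self.healthy_members()

    def healthy_members(self) -> List[str]:
        return sorted(m for m, s in self.members.items() if s.healthy)


def scripted(script: Dict[str, List[ProbeResult]]) -> Callable[[str, str], ProbeResult]:
    """Responder that replays a per-member list of results, repeating the last one."""
    cursor = {m: 0 for m in script}

    def respond(member: str, path: str) -> ProbeResult:
        results = script[member]
        i = min(cursor[member], len(results) - 1)
        cursor[member] += 1
        return results[i]
    return respond


def simulate() -> List[List[str]]:
    """Five probe rounds over a two-member pool; returns the healthy set after each."""
    probe = Probe(path="/healthz", interval=30, timeout=30, threshold=3)
    script = {   # constructed: one member always fine, one that fails three ways then recovers
        "10.0.1.4": [(200, 0.1)],
        "10.0.1.5": [(200, 0.1), (500, 0.1), None, (200, 45.0), (200, 0.2)],
    }
    monitor = BackendPoolMonitor(probe, list(script), scripted(script))
    return [monitor.tick(now=n * probe.interval) for n in range(5)]


if __name__ == "__main__":
    for n, healthy in enumerate(simulate()):
        print(f"round {n}: healthy = {healthy}")
```

In the scripted run the second member survives a 500 and a missed response, is removed only on the third consecutive failure (a response that exceeds the timeout), and returns to the pool on the next good probe; the monitor also ignores ticks that arrive before the next interval is due.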

Next steps

Create an application gateway: