Configure end-to-end SSL by using Application Gateway with PowerShell

Overview

Azure Application Gateway supports end-to-end encryption of traffic. Application Gateway terminates the SSL connection at the application gateway. The gateway then applies the routing rules to the traffic, re-encrypts the packet, and forwards the packet to the appropriate back-end server based on the routing rules defined. Any response from the web server goes through the same process back to the end user.

Application Gateway supports defining custom SSL options. It also supports disabling the following protocol versions: TLSv1.0, TLSv1.1, and TLSv1.2, as well as defining which cipher suites to use and the order of preference. To learn more about configurable SSL options, see the SSL policy overview.

Note

SSL 2.0 and SSL 3.0 are disabled by default and cannot be enabled. They are considered unsecure and cannot be used with Application Gateway.

Scenario

In this scenario, you learn how to create an application gateway by using end-to-end SSL with PowerShell.

This scenario will:

  • Create a resource group named appgw-rg.
  • Create a virtual network named appgwvnet with an address space of 10.0.0.0/16.
  • Create two subnets called appgwsubnet and appsubnet.
  • Create a small application gateway supporting end-to-end SSL encryption that limits SSL protocol versions and cipher suites.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

To configure end-to-end SSL with an application gateway, a certificate is required for the gateway and certificates are required for the back-end servers. The gateway certificate is used to derive a symmetric key as per SSL protocol specification. The symmetric key is then used to encrypt and decrypt the traffic sent to the gateway. The gateway certificate needs to be in Personal Information Exchange (PFX) format. This file format allows you to export the private key that is required by the application gateway to perform the encryption and decryption of traffic.

For end-to-end SSL encryption, the back end must be explicitly allowed by the application gateway. Upload the public certificate of the back-end servers to the application gateway. Adding the certificate ensures that the application gateway only communicates with known back-end instances. This further secures the end-to-end communication.

The configuration process is described in the following sections.

Create the resource group

This section walks you through creating a resource group that contains the application gateway.

  1. Sign in to your Azure account.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Select the subscription to use for this scenario.

    Select-AzSubscription -SubscriptionName "<Subscription name>"
    
  3. Create a resource group. (Skip this step if you're using an existing resource group.)

    New-AzResourceGroup -Name appgw-rg -Location "China North"
    

Create a virtual network and a subnet for the application gateway

The following example creates a virtual network and two subnets. One subnet is used to hold the application gateway. The other subnet is used for the back ends that host the web application.

  1. Assign an address range for the subnet to be used for the application gateway.

    $gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'appgwsubnet' -AddressPrefix 10.0.0.0/24
    

    Note

    Subnets configured for an application gateway should be properly sized. An application gateway can be configured for up to 10 instances. Each instance takes one IP address from the subnet. Too small of a subnet can adversely affect scaling out an application gateway.

  2. Assign an address range to be used for the back-end address pool.

    $nicSubnet = New-AzVirtualNetworkSubnetConfig  -Name 'appsubnet' -AddressPrefix 10.0.2.0/24
    
  3. Create a virtual network with the subnets defined in the preceding steps.

    $vnet = New-AzVirtualNetwork -Name 'appgwvnet' -ResourceGroupName appgw-rg -Location "China North" -AddressPrefix 10.0.0.0/16 -Subnet $gwSubnet, $nicSubnet
    
  4. Retrieve the virtual network resource and subnet resources to be used in the steps that follow.

    $vnet = Get-AzVirtualNetwork -Name 'appgwvnet' -ResourceGroupName appgw-rg
    $gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'appgwsubnet' -VirtualNetwork $vnet
    $nicSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'appsubnet' -VirtualNetwork $vnet
    

Create a public IP address for the front-end configuration

Create a public IP resource to be used for the application gateway. This public IP address is used in one of the steps that follow.

$publicip = New-AzPublicIpAddress -ResourceGroupName appgw-rg -Name 'publicIP01' -Location "China North" -AllocationMethod Dynamic

Important

Application Gateway does not support the use of a public IP address created with a defined domain label. Only a public IP address with a dynamically created domain label is supported. If you require a friendly DNS name for the application gateway, we recommend you use a CNAME record as an alias.

Create an application gateway configuration object

All configuration items are set before creating the application gateway. The following steps create the configuration items that are needed for an application gateway resource.

  1. Create an application gateway IP configuration. This setting configures which of the subnets the application gateway uses. When application gateway starts, it picks up an IP address from the configured subnet and routes network traffic to the IP addresses in the back-end IP pool. Keep in mind that each instance takes one IP address.

    $gipconfig = New-AzApplicationGatewayIPConfiguration -Name 'gwconfig' -Subnet $gwSubnet
    
  2. Create a front-end IP configuration. This setting maps a private or public IP address to the front end of the application gateway. The following step associates the public IP address in the preceding step with the front-end IP configuration.

    $fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name 'fip01' -PublicIPAddress $publicip
    
  3. Configure the back-end IP address pool with the IP addresses of the back-end web servers. These IP addresses are the IP addresses that receive the network traffic that comes from the front-end IP endpoint. Replace the IP addresses in the sample with your own application IP address endpoints.

    $pool = New-AzApplicationGatewayBackendAddressPool -Name 'pool01' -BackendIPAddresses 1.1.1.1, 2.2.2.2, 3.3.3.3
    

    Note

    A fully qualified domain name (FQDN) is also a valid value to use in place of an IP address for the back-end servers. You enable it by using the -BackendFqdns switch.

  4. Configure the front-end IP port for the public IP endpoint. This port is the port that end users connect to.

    $fp = New-AzApplicationGatewayFrontendPort -Name 'port01'  -Port 443
    
  5. Configure the certificate for the application gateway. This certificate is used to decrypt and reencrypt the traffic on the application gateway.

    $passwd = ConvertTo-SecureString  <certificate file password> -AsPlainText -Force 
    $cert = New-AzApplicationGatewaySSLCertificate -Name cert01 -CertificateFile <full path to .pfx file> -Password $passwd 
    

    Note

    This sample configures the certificate used for the SSL connection. The certificate needs to be in .pfx format, and the password must be 4 to 12 characters.

  6. Create the HTTP listener for the application gateway. Assign the front-end IP configuration, port, and SSL certificate to use.

    $listener = New-AzApplicationGatewayHttpListener -Name listener01 -Protocol Https -FrontendIPConfiguration $fipconfig -FrontendPort $fp -SSLCertificate $cert
    
  7. Upload the certificate to be used on the SSL-enabled back-end pool resources.

    Note

    The default probe gets the public key from the default SSL binding on the back-end's IP address and compares the public key value it receives to the public key value you provide here.

    If you are using host headers and Server Name Indication (SNI) on the back end, the retrieved public key might not be the intended site to which traffic flows. If you're in doubt, visit https://127.0.0.1/ on the back-end servers to confirm which certificate is used for the default SSL binding. Use the public key from that request in this section. If you are using host headers and SNI on HTTPS bindings and you do not receive a response and certificate from a manual browser request to https://127.0.0.1/ on the back-end servers, you must set up a default SSL binding on them. If you do not do so, probes fail and the back end is not whitelisted.

    $authcert = New-AzApplicationGatewayAuthenticationCertificate -Name 'allowlistcert1' -CertificateFile C:\cert.cer
    

    Note

    The certificate provided in the previous step should be the public key of the .pfx certificate present on the back end. Export the certificate (not the root certificate) installed on the back-end server in CER (.cer) format and use it in this step. This step whitelists the back end with the application gateway.

  8. Configure the HTTP settings for the application gateway back end. Assign the certificate uploaded in the preceding step to the HTTP settings.

    $poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name 'setting01' -Port 443 -Protocol Https -CookieBasedAffinity Enabled -AuthenticationCertificates $authcert
    
  9. Create a load-balancer routing rule that configures the load balancer behavior. In this example, a basic round-robin rule is created.

    $rule = New-AzApplicationGatewayRequestRoutingRule -Name 'rule01' -RuleType basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool
    
  10. Configure the instance size of the application gateway. The available sizes are Standard_Small, Standard_Medium, and Standard_Large. For capacity, the available values are 1 through 10.

    $sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2
    

    Note

    An instance count of 1 can be chosen for testing purposes. It is important to know that any instance count under two instances is not covered by the SLA and is therefore not recommended. Small gateways are to be used for dev test and not for production purposes.

  11. Configure the SSL policy to be used on the application gateway. Application Gateway supports the ability to set a minimum version for SSL protocol versions.

    The following values are a list of protocol versions that can be defined:

    • TLSV1_0
    • TLSV1_1
    • TLSV1_2

    The following example sets the minimum protocol version to TLSv1_2 and enables TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and TLS_RSA_WITH_AES_128_GCM_SHA256 only.

    $SSLPolicy = New-AzApplicationGatewaySSLPolicy -MinProtocolVersion TLSv1_2 -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256" -PolicyType Custom
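
For the note under step 7: the check below, run on a back-end server, compares the certificate presented by the default SSL binding at 127.0.0.1:443 with the .cer file that will be uploaded as the authentication certificate. It is an added example, not part of the original article; the function names and the TLS 1.2 handshake setting are assumptions, and C:\cert.cer is the path used in step 7.

```powershell
# Added example (not from the original article). Run on a back-end server.
# Function names are hypothetical; TLS 1.2 for the handshake is an assumption.

function Get-DefaultBindingCertificate {
    param(
        [string]$Address = '127.0.0.1',   # same address the article uses for the manual check
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Address, $Port)
        # Accept any certificate: the goal is to inspect what is presented, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Address, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            # Copy the certificate so it stays usable after the stream is disposed.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

function Test-BackendAuthCertificate {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [string]$Address = '127.0.0.1',
        [int]$Port = 443
    )
    $path      = (Resolve-Path -Path $CerPath).Path
    $uploaded  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
    $presented = Get-DefaultBindingCertificate -Address $Address -Port $Port

    [pscustomobject]@{
        PresentedSubject      = $presented.Subject
        PresentedThumbprint   = $presented.Thumbprint
        UploadedThumbprint    = $uploaded.Thumbprint
        # The probe compares public keys, so compare those rather than file bytes.
        PublicKeyMatches      = $presented.GetPublicKeyString() -eq $uploaded.GetPublicKeyString()
        PresentedNotAfter     = $presented.NotAfter
        PresentedExpired      = $presented.NotAfter -lt (Get-Date)
        # A .cer exported for upload should carry the public part only.
        UploadedHasPrivateKey = $uploaded.HasPrivateKey
    }
}

Test-BackendAuthCertificate -CerPath 'C:\cert.cer'
```

If PublicKeyMatches is False, the default binding is serving a different certificate than the one being uploaded, which is the situation the note in step 7 describes for back ends that rely on host headers and SNI.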
    

Create the application gateway

Using all the preceding steps, create the application gateway. The creation of the gateway is a process that takes a long time to run.

For the V1 SKU, use the following command:

$appgw = New-AzApplicationGateway -Name appgateway -SSLCertificates $cert -ResourceGroupName "appgw-rg" -Location "China North" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku -SSLPolicy $SSLPolicy -AuthenticationCertificates $authcert -Verbose

Apply a new certificate if the back-end certificate is expired

Use this procedure to apply a new certificate if the back-end certificate is expired.

  1. Retrieve the application gateway to update.

    $gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
    
  2. Add the new certificate resource from the .cer file, which contains the public key of the certificate and can also be the same certificate added to the listener for SSL termination at the application gateway.

    Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name 'NewCert' -CertificateFile "appgw_NewCert.cer" 
    
  3. Get the new authentication certificate object into a variable (TypeName: Microsoft.Azure.Commands.Network.Models.PSApplicationGatewayAuthenticationCertificate).

    $AuthCert = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name NewCert
    
  4. Assign the new certificate into the BackendHttp Setting and refer to it with the $AuthCert variable. (Specify the HTTP setting name that you want to change.)

    $out = Set-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "HTTP1" -Port 443 -Protocol "Https" -CookieBasedAffinity Disabled -AuthenticationCertificates $AuthCert
    
  5. Commit the change to the application gateway and pass the new configuration contained in the $out variable.

    Set-AzApplicationGateway -ApplicationGateway $gw

Remove an unused expired certificate from HTTP Settings

Use this procedure to remove an unused expired certificate from HTTP Settings.

  1. Retrieve the application gateway to update.

    $gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
    
  2. List the name of the authentication certificate that you want to remove.

    Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw | select name
    
  3. Remove the authentication certificate from an application gateway.

    $gw=Remove-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name ExpiredCert
    
  4. Commit the change.

    Set-AzApplicationGateway -ApplicationGateway $gw
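
Before replacing or removing authentication certificates as in the two procedures above, it helps to see which ones are expired and which HTTP settings still reference them. This is an added example, not part of the original article; the function name is hypothetical, and it assumes each certificate's Data property holds the Base64-encoded .cer content.

```powershell
# Added example (not from the original article). Function name is hypothetical.
# Gateway and resource group names are the ones used in the article's procedures.

function Get-AppGwAuthCertificateStatus {
    param(
        [Parameter(Mandatory)]$ApplicationGateway   # object returned by Get-AzApplicationGateway
    )

    # Map each authentication certificate resource ID to the HTTP settings that reference it.
    $usedBy = @{}
    foreach ($setting in $ApplicationGateway.BackendHttpSettingsCollection) {
        foreach ($ref in $setting.AuthenticationCertificates) {
            if (-not $usedBy.ContainsKey($ref.Id)) { $usedBy[$ref.Id] = @() }
            $usedBy[$ref.Id] += $setting.Name
        }
    }

    foreach ($authCert in $ApplicationGateway.AuthenticationCertificates) {
        # Assumption: .Data is the Base64-encoded public certificate that was uploaded.
        $bytes = [Convert]::FromBase64String($authCert.Data)
        $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$bytes)

        $refs = @()
        if ($usedBy.ContainsKey($authCert.Id)) { $refs = $usedBy[$authCert.Id] }

        [pscustomobject]@{
            Name       = $authCert.Name
            Subject    = $x509.Subject
            Thumbprint = $x509.Thumbprint
            NotAfter   = $x509.NotAfter
            Expired    = $x509.NotAfter -lt (Get-Date)
            InUse      = @($refs).Count -gt 0
            UsedBy     = $refs -join ', '
        }
    }
}

$gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
Get-AppGwAuthCertificateStatus -ApplicationGateway $gw |
    Sort-Object NotAfter |
    Format-Table Name, NotAfter, Expired, InUse, UsedBy, Thumbprint
```

A certificate that is Expired and still InUse needs the replacement procedure first; one that is Expired and not InUse is a candidate for removal.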

Limit SSL protocol versions on an existing application gateway

The preceding steps took you through creating an application with end-to-end SSL and disabling certain SSL protocol versions. The following example disables certain SSL policies on an existing application gateway.

  1. Retrieve the application gateway to update.

    $gw = Get-AzApplicationGateway -Name AdatumAppGateway -ResourceGroupName AdatumAppGatewayRG
    
  2. Define an SSL policy. In the following example, TLSv1.0 and TLSv1.1 are disabled and the cipher suites TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, and TLS_RSA_WITH_AES_128_GCM_SHA256 are the only ones allowed.

    Set-AzApplicationGatewaySSLPolicy -MinProtocolVersion TLSv1_2 -PolicyType Custom -CipherSuite "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256" -ApplicationGateway $gw
    
    
  3. Finally, update the gateway. This last step is a long-running task. When it is done, end-to-end SSL is configured on the application gateway.

    $gw | Set-AzApplicationGateway
    

Get an application gateway DNS name

After the gateway is created, the next step is to configure the front end for communication. Application Gateway requires a dynamically assigned DNS name when using a public IP, which is not friendly. To ensure end users can hit the application gateway, you can use a CNAME record to point to the public endpoint of the application gateway. For more information, see Configuring a custom domain name for in Azure.

To configure an alias, retrieve details of the application gateway and its associated IP/DNS name by using the PublicIPAddress element attached to the application gateway. Use the application gateway's DNS name to create a CNAME record that points the two web applications to this DNS name. We don't recommend the use of A-records, because the VIP can change on restart of the application gateway.

Get-AzPublicIpAddress -ResourceGroupName appgw-RG -Name publicIP01
Name                     : publicIP01
ResourceGroupName        : appgw-RG
Location                 : chinanorth
Id                       : /subscriptions/<subscription_id>/resourceGroups/appgw-RG/providers/Microsoft.Network/publicIPAddresses/publicIP01
Etag                     : W/"00000d5b-54ed-4907-bae8-99bd5766d0e5"
ResourceGuid             : 00000000-0000-0000-0000-000000000000
ProvisioningState        : Succeeded
Tags                     : 
PublicIpAllocationMethod : Dynamic
IpAddress                : xx.xx.xxx.xx
PublicIpAddressVersion   : IPv4
IdleTimeoutInMinutes     : 4
IpConfiguration          : {
                                "Id": "/subscriptions/<subscription_id>/resourceGroups/appgw-RG/providers/Microsoft.Network/applicationGateways/appgwtest/frontendIP
                            Configurations/frontend1"
                            }
DnsSettings              : {
                                "Fqdn": "00000000-0000-xxxx-xxxx-xxxxxxxxxxxx.chinacloudapp.cn"
                            }

Next steps

For more information about hardening the security of your web applications with Web Application Firewall through Application Gateway, see the Web application firewall overview.