Frequently asked questions about Application Gateway

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The following are common questions asked about Azure Application Gateway.

General

What is Application Gateway?

Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7 load-balancing capabilities for your applications. The service is highly available, scalable, and fully managed by Azure.

What features does Application Gateway support?

Application Gateway supports autoscaling, TLS offloading, end-to-end TLS, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, and other features. For a full list of supported features, see Introduction to Application Gateway.

How do Application Gateway and Azure Load Balancer differ?

Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). It supports capabilities such as TLS termination, cookie-based session affinity, and round-robin distribution of traffic. Azure Load Balancer distributes traffic at layer 4 (TCP or UDP).

What protocols does Application Gateway support?

Application Gateway supports HTTP, HTTPS, HTTP/2, and WebSocket.

How does Application Gateway support HTTP/2?

See HTTP/2 support.

What resources are supported as part of a backend pool?

See supported backend resources.

In what regions is Application Gateway available?

Application Gateway is available in all regions of global Azure. It's also available in Azure China 21Vianet.

Is this deployment dedicated to my subscription, or is it shared across customers?

Application Gateway is a dedicated deployment in your virtual network.

Does Application Gateway support HTTP-to-HTTPS redirection?

Redirection is supported. See Application Gateway redirect overview.

In what order are listeners processed?

See the order of listener processing.

Where do I find the Application Gateway IP and DNS?

If you're using a public IP address as an endpoint, you'll find the IP and DNS information on the public IP address resource, or on the overview page for the application gateway in the portal. If you're using an internal IP address, find the information on the overview page.

For the v2 SKU, open the public IP resource and select Configuration. The DNS name label (optional) field is where you configure the DNS name.

What are the settings for Keep-Alive timeout and TCP idle timeout?

The Keep-Alive timeout governs how long Application Gateway waits for a client to send another HTTP request on a persistent connection before reusing or closing it. The TCP idle timeout governs how long a TCP connection is kept open when there is no activity.

The Keep-Alive timeout is 120 seconds in the Application Gateway v1 SKU and 75 seconds in the v2 SKU. The TCP idle timeout defaults to 4 minutes on the frontend virtual IP (VIP) of both the v1 and v2 SKUs, and can be configured to any value between 4 and 30 minutes. For both SKUs, navigate to the public IP of the application gateway and change the TCP idle timeout under the Configuration blade of the public IP in the portal. You can also set the TCP idle timeout of the public IP through PowerShell by running the following commands:

# Read the public IP attached to the gateway frontend, set the TCP idle timeout
# (an integer number of minutes in the allowed 4-30 range), and write it back.
$publicIP = Get-AzPublicIpAddress -Name MyPublicIP -ResourceGroupName MyResourceGroup
$publicIP.IdleTimeoutInMinutes = 15
Set-AzPublicIpAddress -PublicIpAddress $publicIP

Does the IP or DNS name change over the lifetime of the application gateway?

In the Application Gateway v1 SKU, the VIP can change if you stop and start the application gateway, but the DNS name associated with the application gateway doesn't change over the lifetime of the gateway. Because the DNS name doesn't change, you should use a CNAME alias that points to the DNS address of the application gateway. In the Application Gateway v2 SKU, you can set the IP address as static, so neither the IP nor the DNS name changes over the lifetime of the application gateway.

Does Application Gateway support static IP?

Yes, the Application Gateway v2 SKU supports static public IP addresses. The v1 SKU supports static internal IPs.

Does Application Gateway support multiple public IPs on the gateway?

An application gateway supports only one public IP address.

How large should I make my subnet for Application Gateway?

See Application Gateway subnet size considerations.

Can I deploy more than one Application Gateway resource to a single subnet?

Yes. In addition to multiple instances of a given Application Gateway deployment, you can provision another unique Application Gateway resource to an existing subnet that already contains a different Application Gateway resource.

A single subnet can't support both v2 and v1 Application Gateway SKUs.

Does Application Gateway v2 support user-defined routes (UDR)?

Yes, but only in specific scenarios. For more information, see Application Gateway configuration overview.

Does Application Gateway support x-forwarded-for headers?

Yes. See Modifications to a request.

How long does it take to deploy an application gateway? Will my application gateway work while it's being updated?

New Application Gateway v1 SKU deployments can take up to 20 minutes to provision. Changes to instance size or count aren't disruptive, and the gateway remains active during that time.

Most deployments that use the v2 SKU take around 6 minutes to provision. However, it can take longer depending on the type of deployment. For example, deployments across multiple Availability Zones with many instances can take more than 6 minutes.

Can I use Exchange Server as a backend with Application Gateway?

No. Application Gateway doesn't support email protocols such as SMTP, IMAP, and POP3.

Is there guidance available to migrate from the v1 SKU to the v2 SKU?

Yes. For details, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.

Will the Application Gateway v1 SKU continue to be supported?

Yes. The Application Gateway v1 SKU will continue to be supported. However, it is strongly recommended that you move to v2 to take advantage of the feature updates in that SKU. For more information, see Autoscaling and Zone-redundant Application Gateway v2.

Does Application Gateway V2 support proxying requests with NTLM authentication?

No. Application Gateway V2 doesn't support proxying requests with NTLM authentication yet.

Does the Application Gateway affinity cookie support the SameSite attribute?

Yes. The Chromium browser v80 update introduced a mandate that HTTP cookies without a SameSite attribute be treated as SameSite=Lax. This means that the browser won't send the Application Gateway affinity cookie in a third-party context.

To support this scenario, Application Gateway injects another cookie called ApplicationGatewayAffinityCORS in addition to the existing ApplicationGatewayAffinity cookie. These cookies are similar, but the ApplicationGatewayAffinityCORS cookie carries two more attributes: SameSite=None; Secure. These attributes maintain sticky sessions even for cross-origin requests. See the cookie-based affinity section for more information.

Performance

How does Application Gateway support high availability and scalability?

The Application Gateway v1 SKU supports high-availability scenarios when you've deployed two or more instances. Azure distributes these instances across update and fault domains to ensure that the instances don't all fail at the same time. The v1 SKU supports scalability by adding multiple instances of the same gateway to share the load.

The v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer resiliency against zonal failure.

How do I achieve a DR scenario across datacenters by using Application Gateway?

Use Traffic Manager to distribute traffic across multiple application gateways in different datacenters.

Does Application Gateway support autoscaling?

Yes, the Application Gateway v2 SKU supports autoscaling. For more information, see Autoscaling and Zone-redundant Application Gateway.

Does manual or automatic scale up or scale down cause downtime?

No. Instances are distributed across upgrade domains and fault domains.

Does Application Gateway support connection draining?

Yes. You can set up connection draining to change members within a backend pool without disruption. For more information, see the connection draining section of Application Gateway.

Can I change instance size from medium to large without disruption?

Yes.

Configuration

Is Application Gateway always deployed in a virtual network?

Yes. Application Gateway is always deployed in a virtual network subnet. This subnet can contain only application gateways. For more information, see virtual network and subnet requirements.

Can Application Gateway communicate with instances outside of its virtual network or outside of its subscription?

As long as you have IP connectivity, Application Gateway can communicate with instances outside of the virtual network that it's in. It can also communicate with instances outside of the subscription it's in. If you plan to use internal IPs as backend pool members, use virtual network peering or Azure VPN Gateway.

Can I deploy anything else in the application gateway subnet?

No. But you can deploy other application gateways in the subnet.

Are network security groups supported on the application gateway subnet?

See Network security groups in the Application Gateway subnet.

Does the application gateway subnet support user-defined routes?

See User-defined routes supported in the Application Gateway subnet.

What are the limits on Application Gateway? Can I increase these limits?

See Application Gateway limits.

Can I simultaneously use Application Gateway for both external and internal traffic?

Yes. Application Gateway supports one internal IP and one external IP per application gateway.

Does Application Gateway support virtual network peering?

Yes. Virtual network peering lets you load-balance traffic to backends in other virtual networks.

Can I talk to on-premises servers when they're connected by ExpressRoute or VPN tunnels?

Yes, as long as traffic is allowed.

Can one backend pool serve many applications on different ports?

Yes; microservice architectures are supported. To probe on different ports, you need to configure multiple HTTP settings, each with its own port and probe.

Do custom probes support wildcards or regex on response data?

No.

How are routing rules processed in Application Gateway?

See Order of processing rules.

For custom probes, what does the Host field signify?

The Host field specifies the name the probe is sent to (the value of the Host header) when you've configured multisite on Application Gateway. Otherwise use '127.0.0.1'. This value is different from the virtual machine host name. The probe target has the format <protocol>://<host>:<port><path>.
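
The following Az PowerShell script is an added example, not code from the original page or from Microsoft, that combines the two points above: one backend pool serving two services on different ports, each with its own HTTP setting and a custom probe whose HostName supplies the Host header. The gateway name, resource group, host names, ports and health path are assumptions.

```powershell
# Added example, not from the original page. Gateway, resource group, host names,
# ports and the health path are assumptions.
$rg     = "MyResourceGroup"
$gwName = "MyAppGateway"
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# One custom probe per service. HostName is what the probe sends in the Host header,
# so on a multisite gateway each probe must carry the name that backend vhost answers to.
# For a single-site backend, "127.0.0.1" is the documented value.
$probeCommon = @{ Protocol = "Https"; Path = "/healthz"; Interval = 30; Timeout = 30; UnhealthyThreshold = 3 }
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "api-probe"   -HostName "api.contoso.com"   @probeCommon
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "admin-probe" -HostName "admin.contoso.com" @probeCommon

# Two HTTP settings for the same backend pool, differing only in port and probe. The routing
# rules (not shown) select the HTTP setting, which is how one pool serves two services.
$apiProbe   = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "api-probe"
$adminProbe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "admin-probe"
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "api-8443"   -Port 8443 -Protocol Https -CookieBasedAffinity Disabled -Probe $apiProbe
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "admin-8444" -Port 8444 -Protocol Https -CookieBasedAffinity Disabled -Probe $adminProbe

# The Add-* cmdlets only change the in-memory object; this call commits the configuration.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

# Check: backend health is reported per HTTP setting, so each port/probe pair appears separately.
$health = Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg
foreach ($pool in $health.BackendAddressPools) {
    foreach ($hs in $pool.BackendHttpSettingsCollection) {
        $settingName = $hs.BackendHttpSettings.Id.Split('/')[-1]
        foreach ($server in $hs.Servers) {
            "{0,-12} {1,-20} {2}" -f $settingName, $server.Address, $server.Health
        }
    }
}
```

A probe whose HostName does not match the name the backend serves will typically fail with a 404 or a TLS name mismatch even though the application is healthy, so the health listing at the end is the first thing to read when a new HTTP setting shows Unhealthy.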

Can I allow Application Gateway access to only a few source IP addresses?

Yes. See restrict access to specific source IPs.

Can I use the same port for both public-facing and private-facing listeners?

No.

Does Application Gateway support IPv6?

Application Gateway v2 does not currently support IPv6. It can operate in a dual-stack VNet using only IPv4, but the gateway subnet must be IPv4-only. Application Gateway v1 does not support dual-stack VNets.

How do I use Application Gateway V2 with only a private frontend IP address?

Application Gateway V2 currently does not support a private-IP-only mode. It supports the following combinations:

  • Private IP and public IP
  • Public IP only

If you'd like to use Application Gateway V2 with only a private IP, you can follow the process below:

  1. Create an application gateway with both public and private frontend IP addresses.

  2. Do not create any listeners for the public frontend IP address. Application Gateway will not listen for any traffic on the public IP address if no listeners are created for it.

  3. Create and attach a network security group for the application gateway subnet with the following configuration, in order of priority:

    a. Allow traffic from Source as the GatewayManager service tag, Destination as Any, and Destination port as 65200-65535. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by certificate authentication: external entities, including the gateway's user administrators, can't initiate changes on those endpoints without the appropriate certificates in place.

    b. Allow traffic from Source as the AzureLoadBalancer service tag, with Destination and destination port as Any.

    c. Deny all inbound traffic from Source as the Internet service tag, with Destination and destination port as Any. Give this rule the lowest priority among the inbound rules.

    d. Keep the default rules, such as allowing VirtualNetwork inbound, so that access on the private IP address is not blocked.

    e. Outbound Internet connectivity can't be blocked. Otherwise, you will face issues with logging, metrics, and so on.

Sample NSG configuration for private IP only access: Application Gateway V2 NSG configuration for private IP access only.
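
The following Az PowerShell script is an added example, not code from the original page or from Microsoft, that builds the NSG described in step 3 (rules a to e) and attaches it to the gateway subnet. Resource group, location, VNet and subnet names are assumptions, and the rule priorities are one workable choice rather than values the page prescribes.

```powershell
# Added example, not from the original page. Names and priorities below are assumptions.
$rg       = "MyResourceGroup"
$location = "eastus"
$vnetName = "MyVnet"
$gwSubnet = "AppGwSubnet"

$rules = @()

# a. Control-plane traffic from GatewayManager on 65200-65535. Required for v2; the endpoints
#    behind these ports are certificate-authenticated, so the rule does not expose the application.
$gwMgr = @{
    Name = "AllowGatewayManagerInbound"; Priority = 100; Direction = "Inbound"; Access = "Allow"
    Protocol = "Tcp"; SourceAddressPrefix = "GatewayManager"; SourcePortRange = "*"
    DestinationAddressPrefix = "*"; DestinationPortRange = "65200-65535"
}
$rules += New-AzNetworkSecurityRuleConfig @gwMgr

# b. Health probes from the Azure load balancer.
$azLb = @{
    Name = "AllowAzureLoadBalancerInbound"; Priority = 110; Direction = "Inbound"; Access = "Allow"
    Protocol = "*"; SourceAddressPrefix = "AzureLoadBalancer"; SourcePortRange = "*"
    DestinationAddressPrefix = "*"; DestinationPortRange = "*"
}
$rules += New-AzNetworkSecurityRuleConfig @azLb

# c. Deny everything else from the Internet. 4096 is the lowest custom priority, so it sits below
#    the two allows above but is still evaluated before the default AllowVnetInBound (65000).
#    The Internet tag excludes VNet address space, so private-IP clients are unaffected (d).
$denyInet = @{
    Name = "DenyInternetInbound"; Priority = 4096; Direction = "Inbound"; Access = "Deny"
    Protocol = "*"; SourceAddressPrefix = "Internet"; SourcePortRange = "*"
    DestinationAddressPrefix = "*"; DestinationPortRange = "*"
}
$rules += New-AzNetworkSecurityRuleConfig @denyInet

# d/e. No custom outbound rule is added: the default AllowInternetOutBound stays in place,
#      which keeps logging and metrics working.
$nsg = New-AzNetworkSecurityGroup -Name "AppGwPrivateOnlyNsg" -ResourceGroupName $rg -Location $location -SecurityRules $rules

# Attach the NSG to the gateway subnet, touching nothing else on the subnet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object Name -eq $gwSubnet
$subnet.NetworkSecurityGroup = $nsg
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the effective inbound rules in priority order. The GatewayManager allow must come
# before the Internet deny, or the gateway will go unhealthy within minutes.
(Get-AzNetworkSecurityGroup -Name "AppGwPrivateOnlyNsg" -ResourceGroupName $rg).SecurityRules |
    Where-Object Direction -eq Inbound | Sort-Object Priority |
    Select-Object Priority, Name, Access, SourceAddressPrefix, DestinationPortRange
```

If a listener is later added on the public frontend by mistake, the Deny rule on the Internet tag still blocks it, so the NSG is the control that actually enforces private-only access, not the absence of listeners.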

Configuration - TLS

What certificates does Application Gateway support?

Application Gateway supports self-signed certificates, certificate authority (CA) certificates, Extended Validation (EV) certificates, multi-domain (SAN) certificates, and wildcard certificates.

What cipher suites does Application Gateway support?

Application Gateway supports the following cipher suites.

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

For information on how to customize TLS options, see Configure TLS policy versions and cipher suites on Application Gateway.

Does Application Gateway support reencryption of traffic to the backend?

Yes. Application Gateway supports TLS offload and end-to-end TLS, which reencrypts traffic to the backend.

Can I configure TLS policy to control TLS protocol versions?

Yes. The TLS policy sets a minimum protocol version, so you can configure Application Gateway to reject TLS 1.0 and TLS 1.1. SSL 2.0 and 3.0 are disabled by default and aren't configurable.

Can I configure cipher suites and policy order?

Yes. In Application Gateway, you can configure cipher suites. To define a custom policy, enable at least one of the following cipher suites.

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Application Gateway uses SHA256 for backend management.
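
The following Az PowerShell script is an added example, not code from the original page or from Microsoft, that applies a custom TLS policy of the kind the two answers above describe: TLS 1.2 as the floor and only ECDHE/AEAD suites from the supported list, in server preference order. Gateway and resource group names are assumptions; the suite names are taken from the lists above.

```powershell
# Added example, not from the original page. Gateway and resource group names are assumptions.
$rg     = "MyResourceGroup"
$gwName = "MyAppGateway"
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# What the platform offers: predefined policy names with their minimum version, and every
# suite that may appear in a custom policy.
$options = Get-AzApplicationGatewayAvailableSslOptions
$options.PredefinedPolicies | Select-Object Name, MinProtocolVersion
$options.AvailableCipherSuites

# Custom policy: TLS 1.2 floor, ECDHE (forward secrecy) with AEAD ciphers only. The array order
# is the gateway's preference order. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is one of the mandatory
# suites listed above, so the policy is accepted; CBC, 3DES and static-RSA suites are left out.
$suites = @(
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Custom -MinProtocolVersion TLSv1_2 -CipherSuite $suites

# Managed alternative with the same TLS 1.2 floor: the predefined strict policy.
# $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S

# Commit and read back what is now enforced on the frontend.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw | Select-Object PolicyType, PolicyName, MinProtocolVersion, CipherSuites
```

Dropping every CBC suite also removes the TLS_RSA_* and 3DES entries, which have no forward secrecy; check your client population (older Java runtimes, embedded devices) against the read-back list before rolling this out, because a client with no suite in common simply fails the handshake.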

How many TLS/SSL certificates does Application Gateway support?

Application Gateway supports up to 100 TLS/SSL certificates.

How many authentication certificates for backend reencryption does Application Gateway support?

Application Gateway supports up to 100 authentication certificates.

Does Application Gateway natively integrate with Azure Key Vault?

Yes, the Application Gateway v2 SKU supports Key Vault. For more information, see TLS termination with Key Vault certificates.

How do I configure HTTPS listeners for .com and .net sites?

For multiple domain-based (host-based) routing, you can create multisite listeners, set up listeners that use HTTPS as the protocol, and associate the listeners with the routing rules. For more information, see Hosting multiple sites by using Application Gateway.

Can I use special characters in my .pfx file password?

No, use only alphanumeric characters in your .pfx file password.

My EV certificate is issued by DigiCert and my intermediate certificate has been revoked. How do I renew my certificate on Application Gateway?

Certificate Authority (CA) Browser members recently published reports detailing multiple certificates issued by CA vendors that are used by our customers, Microsoft, and the greater technology community that were out of compliance with industry standards for publicly trusted CAs. The reports regarding the non-compliant CAs can be found here:

As per the industry's compliance requirements, CA vendors began revoking non-compliant CAs and issuing compliant CAs, which requires customers to have their certificates reissued. Microsoft is partnering closely with these vendors to minimize the potential impact to Azure services; however, your self-issued certificates or certificates used in "Bring Your Own Certificate" (BYOC) scenarios are still at risk of being unexpectedly revoked.

To check whether certificates used by your application have been revoked, refer to DigiCert's Announcement and the Certificate Revocation Tracker. If your certificates have been revoked, or will be revoked, you will need to request new certificates from the CA vendor used in your applications. To avoid your application's availability being interrupted due to certificates being unexpectedly revoked, or to update a certificate that has been revoked, refer to our Azure updates post for remediation links for the various Azure services that support BYOC: https://azure.microsoft.com/updates/certificateauthorityrevocation/

For Application Gateway specific information, see below.

If you are using a certificate issued by one of the revoked ICAs, your application's availability might be interrupted and, depending on your application, you may receive a variety of error messages, including but not limited to:

  1. Invalid certificate/revoked certificate
  2. Connection timed out
  3. HTTP 502

To avoid any interruption to your application due to this issue, or to replace a certificate issued by a revoked CA, you need to take the following actions:

  1. Contact your certificate provider on how to reissue your certificates.
  2. Once reissued, update your certificates on the Azure Application Gateway/WAF with the complete chain of trust (leaf, intermediate, root certificate). Based on where you are using your certificate, either on the listener or the HTTP settings of the application gateway, follow the steps below to update the certificates and check the documentation links mentioned for more information.
  3. Update your backend application servers to use the reissued certificate. Depending on the backend server that you are using, your certificate update steps may vary. Check the documentation from your vendor.

To update the certificate in your listener:

  1. In the Azure portal, open your Application Gateway resource.
  2. Open the listener settings associated with your certificate.
  3. Click "Renew or edit selected certificate".
  4. Upload your new PFX certificate with its password and click Save.
  5. Access the website and verify that the site is working as expected. For more information, check the documentation here.

If you are referencing certificates from Azure Key Vault in your Application Gateway listener, we recommend the following steps for a quick change:

  1. In the Azure portal, navigate to the Azure Key Vault that has been associated with the application gateway.
  2. Add/import the reissued certificate into your vault. See the documentation here for more information on how to do this.
  3. Once the certificate has been imported, navigate to your Application Gateway listener settings and, under "Choose a certificate from Key Vault", click the "Certificate" drop-down and choose the recently added certificate.
  4. Click Save. For more information on TLS termination on Application Gateway with Key Vault certificates, check the documentation here.

To update the certificate in your HTTP settings:

If you are using the V1 SKU of the Application Gateway/WAF service, you have to upload the new certificate as your backend authentication certificate.

  1. In the Azure portal, open your Application Gateway resource.
  2. Open the HTTP settings associated with your certificate.
  3. Click "Add certificate", upload the reissued certificate, and click Save.
  4. You can remove the old certificate later by clicking the "..." options button next to the old certificate, selecting Delete, and clicking Save. For more information, check the documentation here.

If you are using the V2 SKU of the Application Gateway/WAF service, you don't have to upload the new certificate in the HTTP settings: the V2 SKU uses trusted root certificates, so no action needs to be taken there.
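
The following Az PowerShell script is an added example, not code from the original page or from Microsoft. It performs the listener rotation above for a v2 gateway whose certificate comes from Key Vault, then checks what a client now receives from the gateway, which is the step that tells you whether the revoked intermediate is really gone. Gateway, resource group, certificate object and vault names are assumptions; the chain check builds and revocation-checks the chain from the leaf the gateway presents, the way a client validator does, so a still-served revoked ICA shows up as Revoked.

```powershell
# Added example, not from the original page. Names and the secret URI are assumptions.
$rg       = "MyResourceGroup"
$gwName   = "MyAppGateway"
$certName = "listener-cert"   # name of the existing SSL certificate object on the gateway
# Versionless secret URI of the reissued certificate: a later renewal in the vault is then
# picked up by the gateway without another gateway update.
$secretId = "https://my-keyvault.vault.azure.net/secrets/www-contoso-com"

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$gw = Set-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name $certName -KeyVaultSecretId $secretId
# For an uploaded PFX (v1 or v2) the same cmdlet takes -CertificateFile and -Password (SecureString) instead.
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null

function Get-ServedCertificateChain {
    # Connects with SNI = $HostName, takes the leaf the gateway presents, builds the chain with
    # online revocation checking and emits one row per chain element with its status.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept the handshake whatever the trust result; the chain is examined explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'        # consult CRL/OCSP
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'   # for every element, not only the leaf
        $trusted = $chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
            if (-not $status) { $status = 'OK' }
            [pscustomobject]@{
                Subject    = $element.Certificate.Subject
                Issuer     = $element.Certificate.Issuer
                Thumbprint = $element.Certificate.Thumbprint
                NotAfter   = $element.Certificate.NotAfter
                Status     = $status
            }
        }
        if (-not $trusted) {
            Write-Warning "Chain for $HostName did not validate; a 'Revoked' element means the old ICA is still in play."
        }
    } finally {
        $tcp.Dispose()
    }
}

# Run against the listener's host name once the gateway update has finished provisioning.
Get-ServedCertificateChain -HostName "www.contoso.com" | Format-Table -AutoSize
```

Compare the Issuer and Thumbprint of the intermediate row against the reissued chain from your CA; if the old intermediate thumbprint is still there, the PFX or vault entry was built with the old chain and the backend or gateway has to be updated again.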

Configuration - ingress controller for AKS

What is an Ingress Controller?

Kubernetes allows creation of deployment and service resources to expose a group of pods internally in the cluster. To expose the same service externally, an Ingress resource is defined, which provides load balancing, TLS termination and name-based virtual hosting. To satisfy this Ingress resource, an Ingress Controller is required, which listens for any changes to Ingress resources and configures the load balancer policies.

The Application Gateway Ingress Controller (AGIC) allows Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) cluster.

Can a single ingress controller instance manage multiple Application Gateways?

Currently, one instance of Ingress Controller can only be associated to one Application Gateway.

Why is my AKS cluster with kubenet not working with AGIC?

AGIC tries to automatically associate the route table resource to the Application Gateway subnet, but may fail to do so due to lack of permissions from the AGIC. If AGIC is unable to associate the route table to the Application Gateway subnet, there will be an error in the AGIC logs saying so, in which case you'll have to manually associate the route table created by the AKS cluster to the Application Gateway's subnet. For more information, see instructions here.

Can I connect my AKS cluster and Application Gateway in separate virtual networks?

Yes, as long as the virtual networks are peered and they don't have overlapping address spaces. If you're running AKS with kubenet, then be sure to associate the route table generated by AKS to the Application Gateway subnet.
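The manual route-table association described in the two kubenet answers above, as an added Azure PowerShell example that is not part of this FAQ or of AGIC itself. It assumes the Az.Network module and a signed-in session; the resource group, virtual network and subnet names are placeholders, and the AKS node resource group is assumed to contain exactly one route table (the one kubenet created).

```powershell
# Added example (not Microsoft's own code): attach the kubenet route table that AKS
# created in its node resource group (the "MC_..." group) to the Application Gateway subnet.
param(
    [string]$NodeResourceGroup = 'MC_placeholder',       # AKS node resource group (placeholder)
    [string]$VnetResourceGroup = 'rg-network-placeholder',
    [string]$VnetName          = 'vnet-placeholder',
    [string]$SubnetName        = 'appgw-subnet-placeholder'
)

# kubenet creates a single route table in the node resource group
$routeTables = @(Get-AzRouteTable -ResourceGroupName $NodeResourceGroup)
if ($routeTables.Count -ne 1) {
    throw "Expected exactly one route table in $NodeResourceGroup, found $($routeTables.Count)"
}
$routeTable = $routeTables[0]

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $VnetResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# Refuse to silently replace a different route table that someone else put on the subnet
if ($subnet.RouteTable -and $subnet.RouteTable.Id -ne $routeTable.Id) {
    throw "Subnet $SubnetName already uses route table $($subnet.RouteTable.Id); review before replacing it"
}

# Keep the subnet's existing address prefix and NSG; only the route table changes
$params = @{
    VirtualNetwork = $vnet
    Name           = $SubnetName
    AddressPrefix  = $subnet.AddressPrefix
    RouteTable     = $routeTable
}
if ($subnet.NetworkSecurityGroup) { $params.NetworkSecurityGroup = $subnet.NetworkSecurityGroup }

Set-AzVirtualNetworkSubnetConfig @params | Set-AzVirtualNetwork | Out-Null

# Confirm the association took effect
$check = Get-AzVirtualNetwork -ResourceGroupName $VnetResourceGroup -Name $VnetName |
    Get-AzVirtualNetworkSubnetConfig -Name $SubnetName
"Subnet $SubnetName now uses route table: $($check.RouteTable.Id)"
```

After the association, re-check the AGIC pod logs; the route-table error should no longer appear.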

What features are not supported on the AGIC add-on?

Please see the differences between AGIC deployed through Helm versus deployed as an AKS add-on here.

When should I use the add-on versus the Helm deployment?

Please see the differences between AGIC deployed through Helm versus deployed as an AKS add-on here, especially the tables documenting which scenario(s) are supported by AGIC deployed through Helm as opposed to an AKS add-on. In general, deploying through Helm will allow you to test out beta features and release candidates before an official release.

Can I control which version of AGIC will be deployed with the add-on?

No. The AGIC add-on is a managed service, which means Microsoft will automatically update the add-on to the latest stable version.

Diagnostics and logging

What types of logs does Application Gateway provide?

Application Gateway provides three logs:

  • ApplicationGatewayAccessLog: The access log contains each request submitted to the application gateway frontend. The data includes the caller's IP, URL requested, response latency, return code, and bytes in and out. It contains one record per application gateway.
  • ApplicationGatewayPerformanceLog: The performance log captures performance information for each application gateway. Information includes the throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count.
  • ApplicationGatewayFirewallLog: For application gateways that you configure with WAF, the firewall log contains requests that are logged through either detection mode or prevention mode.

All logs are collected every 60 seconds. For more information, see Backend health, diagnostics logs, and metrics for Application Gateway.
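A summary of the access-log fields listed above (caller IP, URL, latency, return code, bytes in and out), as an added PowerShell example that is not part of this FAQ. The records are constructed here, and the property names inside `properties` (clientIP, requestUri, httpStatus, timeTaken, receivedBytes, sentBytes) are assumed to match the JSON lines that the diagnostic setting writes to the storage account.

```powershell
# Added example (not Microsoft's own code): summarise exported ApplicationGatewayAccessLog
# records. The four records below are constructed sample data, not real traffic.
$sampleLines = @'
{"time":"2020-10-01T10:00:00Z","category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10","httpMethod":"GET","requestUri":"/","httpStatus":200,"timeTaken":0.021,"receivedBytes":412,"sentBytes":5120}}
{"time":"2020-10-01T10:00:01Z","category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10","httpMethod":"GET","requestUri":"/login","httpStatus":403,"timeTaken":0.004,"receivedBytes":390,"sentBytes":220}}
{"time":"2020-10-01T10:00:02Z","category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.7","httpMethod":"POST","requestUri":"/api/orders","httpStatus":502,"timeTaken":30.01,"receivedBytes":1800,"sentBytes":0}}
{"time":"2020-10-01T10:00:03Z","category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.10","httpMethod":"GET","requestUri":"/admin","httpStatus":403,"timeTaken":0.003,"receivedBytes":380,"sentBytes":220}}
'@ -split "`r?`n"

# One JSON object per line; keep only access-log records (the same file may also hold
# performance or firewall categories if several categories go to one destination)
$records = $sampleLines |
    Where-Object { $_.Trim() } |
    ForEach-Object { $_ | ConvertFrom-Json } |
    Where-Object { $_.category -eq 'ApplicationGatewayAccessLog' }

# Per-status overview: request count, average latency, and bytes in/out
$records |
    Group-Object { $_.properties.httpStatus } |
    ForEach-Object {
        $group = $_.Group
        [pscustomobject]@{
            HttpStatus = [int]$_.Name
            Requests   = $_.Count
            AvgSeconds = [math]::Round(($group | ForEach-Object { $_.properties.timeTaken } | Measure-Object -Average).Average, 3)
            BytesIn    = ($group | ForEach-Object { $_.properties.receivedBytes } | Measure-Object -Sum).Sum
            BytesOut   = ($group | ForEach-Object { $_.properties.sentBytes } | Measure-Object -Sum).Sum
        }
    } | Sort-Object HttpStatus | Format-Table -AutoSize

# Clients that keep receiving 4xx/5xx responses are worth a second look (scanning, broken
# integrations, or a backend that is failing for one caller)
$records |
    Where-Object { $_.properties.httpStatus -ge 400 } |
    Group-Object { $_.properties.clientIP } |
    Where-Object { $_.Count -ge 2 } |
    Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, @{ n = 'ErrorResponses'; e = { $_.Count } } |
    Format-Table -AutoSize
```

To run it against real data, replace `$sampleLines` with `Get-Content` over the `PT1H.json` blobs the diagnostic setting writes.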

How do I know if my backend pool members are healthy?

Verify health by using the PowerShell cmdlet Get-AzApplicationGatewayBackendHealth or the portal. For more information, see Application Gateway diagnostics.
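The cmdlet named above returns a nested object (backend pools, then HTTP settings, then servers); the following added example, which is not part of this FAQ, flattens it into one row per backend server and fails if any server is not Healthy. It assumes the Az.Network module and a signed-in session; the resource group and gateway names are placeholders.

```powershell
# Added example (not Microsoft's own code): report per-server backend health for one gateway.
param(
    [string]$ResourceGroupName = 'rg-placeholder',
    [string]$GatewayName       = 'appgw-placeholder'
)

$health = Get-AzApplicationGatewayBackendHealth -ResourceGroupName $ResourceGroupName -Name $GatewayName

# Walk pool -> HTTP setting -> server and emit one row per server
$rows = foreach ($pool in $health.BackendAddressPools) {
    $poolName = $pool.BackendAddressPool.Id.Split('/')[-1]
    foreach ($setting in $pool.BackendHttpSettingsCollection) {
        $settingName = $setting.BackendHttpSettings.Id.Split('/')[-1]
        foreach ($server in $setting.Servers) {
            [pscustomobject]@{
                Pool        = $poolName
                HttpSetting = $settingName
                Server      = $server.Address
                Health      = $server.Health   # Healthy, Unhealthy, Unknown, Partial, Draining
            }
        }
    }
}

$rows | Format-Table -AutoSize

# Anything other than Healthy deserves attention; Unknown usually means the probe cannot
# reach the backend at all (NSG, custom DNS or UDR on the gateway subnet, see below)
$bad = @($rows | Where-Object { $_.Health -ne 'Healthy' })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) backend server(s) are not healthy on $GatewayName"
    exit 1
}
"All $(@($rows).Count) backend server(s) on $GatewayName are healthy"
```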

What's the retention policy for the diagnostic logs?

Diagnostic logs flow to the customer's storage account. Customers can set the retention policy based on their preference. Diagnostic logs can also be sent to an event hub or Azure Monitor logs. For more information, see Application Gateway diagnostics.

How do I get audit logs for Application Gateway?

In the portal, on the menu blade of an application gateway, select Activity Log to access the audit log.

Can I set alerts with Application Gateway?

Yes. In Application Gateway, alerts are configured on metrics. For more information, see Application Gateway metrics.

How do I analyze traffic statistics for Application Gateway?

You can view and analyze access logs in several ways. Use Azure Monitor logs, Excel, Power BI, and so on.

You can also use a Resource Manager template that installs and runs the popular GoAccess log analyzer for Application Gateway access logs. GoAccess provides valuable HTTP traffic statistics such as unique visitors, requested files, hosts, operating systems, browsers, and HTTP status codes. For more information, see the Readme file in the Resource Manager template folder on GitHub.

What could cause backend health to return an unknown status?

Usually, you see an unknown status when access to the backend is blocked by a network security group (NSG), custom DNS, or user-defined routing (UDR) on the application gateway subnet. For more information, see Backend health, diagnostics logging, and metrics for Application Gateway.

Is there any case where NSG flow logs won't show allowed traffic?

Yes. If your configuration matches the following scenario, you won't see allowed traffic in your NSG flow logs:

  • You've deployed Application Gateway v2
  • You have an NSG on the application gateway subnet
  • You've enabled NSG flow logs on that NSG

Next steps

To learn more about Application Gateway, see What is Azure Application Gateway?