Frequently asked questions about Application Gateway

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The following are common questions asked about Azure Application Gateway.

General

What is Application Gateway?

Azure Application Gateway provides an application delivery controller (ADC) as a service. It offers various layer 7 load-balancing capabilities for your applications. This service is highly available, scalable, and fully managed by Azure.

What features does Application Gateway support?

Application Gateway supports autoscaling, SSL offloading, end-to-end SSL, a web application firewall (WAF), cookie-based session affinity, URL path-based routing, multisite hosting, and other features. For a full list of supported features, see Introduction to Application Gateway.

How do Application Gateway and Azure Load Balancer differ?

Application Gateway is a layer 7 load balancer, which means it works only with web traffic (HTTP, HTTPS, WebSocket, and HTTP/2). It supports capabilities such as SSL termination, cookie-based session affinity, and round-robin load balancing of traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).

What protocols does Application Gateway support?

Application Gateway supports HTTP, HTTPS, HTTP/2, and WebSocket.

How does Application Gateway support HTTP/2?

See HTTP/2 support.

What resources are supported as part of a backend pool?

See supported backend resources.

In what regions is Application Gateway available?

Application Gateway is available in all regions of global Azure. It's also available in Azure China 21Vianet.

Is this deployment dedicated to my subscription, or is it shared across customers?

Application Gateway is a dedicated deployment in your virtual network.

Does Application Gateway support HTTP-to-HTTPS redirection?

Redirection is supported. See Application Gateway redirect overview.

In what order are listeners processed?

See the order of listener processing.

Where do I find the Application Gateway IP and DNS?

If you're using a public IP address as an endpoint, you'll find the IP and DNS information on the public IP address resource. Or find it in the portal, on the overview page for the application gateway. If you're using internal IP addresses, find the information on the overview page.

What are the settings for Keep-Alive timeout and TCP idle timeout?

In the Application Gateway v1 SKU, the Keep-Alive timeout is 120 seconds. The Keep-Alive timeout for the v2 SKU is 75 seconds. The TCP idle timeout defaults to 4 minutes on the frontend virtual IP (VIP) of Application Gateway.

Does the IP or DNS name change over the lifetime of the application gateway?

In the Application Gateway v1 SKU, the VIP can change if you stop and start the application gateway. But the DNS name associated with the application gateway doesn't change over the lifetime of the gateway. Because the DNS name doesn't change, you should use a CNAME alias and point it to the DNS address of the application gateway. In the Application Gateway v2 SKU, you can set the IP address as static, so neither the IP nor the DNS name changes over the lifetime of the application gateway.

Does Application Gateway support static IP?

Yes, the Application Gateway v2 SKU supports static public IP addresses. The v1 SKU supports static internal IPs.

Does Application Gateway support multiple public IPs on the gateway?

An application gateway supports only one public IP address.

How large should I make my subnet for Application Gateway?

See Application Gateway subnet size considerations.

Can I deploy more than one Application Gateway resource to a single subnet?

Yes. In addition to multiple instances of a given Application Gateway deployment, you can provision another, separate Application Gateway resource in an existing subnet that already contains a different Application Gateway resource.

A single subnet can't support both Standard_v2 and Standard Application Gateway together.

Does Application Gateway support x-forwarded-for headers?

Yes. See Modifications to a request.

How long does it take to deploy an application gateway? Will my application gateway work while it's being updated?

New Application Gateway v1 SKU deployments can take up to 20 minutes to provision. Changes to instance size or count aren't disruptive, and the gateway remains active during this time.

Most deployments that use the v2 SKU take around 6 minutes to provision. However, it can take longer depending on the type of deployment. For example, deployments across multiple Availability Zones with many instances can take more than 6 minutes.

Can I use Exchange Server as a backend with Application Gateway?

No. Application Gateway doesn't support email protocols such as SMTP, IMAP, and POP3.

Performance

How does Application Gateway support high availability and scalability?

The Application Gateway v1 SKU supports high-availability scenarios when you've deployed two or more instances. Azure distributes these instances across update and fault domains to ensure that instances don't all fail at the same time. The v1 SKU supports scalability by adding multiple instances of the same gateway to share the load.

The v2 SKU automatically ensures that new instances are spread across fault domains and update domains. If you choose zone redundancy, the newest instances are also spread across availability zones to offer zonal failure resiliency.

How do I achieve a DR scenario across datacenters by using Application Gateway?

Use Traffic Manager to distribute traffic across multiple application gateways in different datacenters.

Does Application Gateway support autoscaling?

Yes, the Application Gateway v2 SKU supports autoscaling. For more information, see Autoscaling and Zone-redundant Application Gateway.

Does manual scale up or scale down cause downtime?

No. Instances are distributed across update domains and fault domains.

Does Application Gateway support connection draining?

Yes. You can set up connection draining to change members within a backend pool without disruption. This setting lets existing connections continue to their previous destination until either the connection closes or a configurable timeout expires. Connection draining waits only for current in-flight connections to finish. Application Gateway isn't aware of the application session state.

Can I change instance size from medium to large without disruption?

Yes. Azure distributes instances across update and fault domains to ensure that instances don't all fail at the same time. Application Gateway supports scaling by adding multiple instances of the same gateway to share the load.

Configuration

Is Application Gateway always deployed in a virtual network?

Yes. Application Gateway is always deployed in a virtual network subnet. This subnet can contain only application gateways. For more information, see virtual network and subnet requirements.

Can Application Gateway communicate with instances outside of its virtual network or outside of its subscription?

As long as you have IP connectivity, Application Gateway can communicate with instances outside of the virtual network that it's in. Application Gateway can also communicate with instances outside of the subscription it's in. If you plan to use internal IPs as backend pool members, use virtual network peering or Azure VPN Gateway.

Can I deploy anything else in the application gateway subnet?

No. But you can deploy other application gateways in the subnet.

Are network security groups supported on the application gateway subnet?

See Network security groups in the Application Gateway subnet.

Does the application gateway subnet support user-defined routes?

See User-defined routes supported in the Application Gateway subnet.

What are the limits on Application Gateway? Can I increase these limits?

See Application Gateway limits.

Can I simultaneously use Application Gateway for both external and internal traffic?

Yes. Application Gateway supports one internal IP and one external IP per application gateway.

Does Application Gateway support virtual network peering?

Yes. Virtual network peering helps load-balance traffic in other virtual networks.

Can I talk to on-premises servers when they're connected by ExpressRoute or VPN tunnels?

Yes, as long as traffic is allowed.

Can one backend pool serve many applications on different ports?

Microservice architecture is supported. To probe on different ports, you need to configure multiple HTTP settings.

Do custom probes support wildcards or regex on response data?

No.

How are routing rules processed in Application Gateway?

See Order of processing rules.

For custom probes, what does the Host field signify?

The Host field specifies the name to send the probe to when you've configured multisite on Application Gateway. Otherwise use '127.0.0.1'. This value is different from the virtual machine host name. Its format is <protocol>://<host>:<port><path>.

Can I allow Application Gateway access to only a few source IP addresses?

Yes. See restrict access to specific source IPs.
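As an added example of the source-IP restriction just mentioned (this is not code from the page or from the Azure documentation): an NSG on the gateway subnet that admits only trusted client ranges on the listener port while keeping the platform traffic the gateway itself needs. The resource group, location, virtual network, subnet, and client ranges are assumptions; the GatewayManager port range comes from the NSG guidance the page links to, not from this page, and is the v2 range.

```powershell
# Added example (not from the Azure docs page). Assumes the Az module is
# installed and you're signed in (Connect-AzAccount). All names are assumptions.
$rg         = "rg-appgw-demo"        # assumed resource group
$location   = "eastus"               # assumed region
$vnetName   = "vnet-demo"            # assumed virtual network
$subnetName = "snet-appgw"           # assumed: the gateway's own subnet
$clients    = @("203.0.113.0/24", "198.51.100.10/32")   # assumed trusted client ranges

$rules = @(
    # 1. Trusted clients only, on the port the public listener exposes.
    New-AzNetworkSecurityRuleConfig -Name "Allow-TrustedClients-Https" -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $clients -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443

    # 2. Gateway control-plane traffic. Without this the gateway cannot be
    #    provisioned and backend health shows as Unknown. 65200-65535 is the v2
    #    range; v1 uses 65503-65534 (from the NSG guidance, not this page).
    New-AzNetworkSecurityRuleConfig -Name "Allow-GatewayManager" -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix GatewayManager -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 65200-65535

    # 3. Azure load balancer health probes (also covered by the default
    #    AllowAzureLoadBalancerInBound rule; kept explicit so the intent survives
    #    if someone later adds a broad deny above the defaults).
    New-AzNetworkSecurityRuleConfig -Name "Allow-AzureLoadBalancer" -Priority 120 `
        -Direction Inbound -Access Allow -Protocol * `
        -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *

    # 4. Everything else from the internet is dropped. The default
    #    AllowVnetInBound rule still admits VNet/peered traffic; tighten that
    #    separately if the gateway is internet-only.
    New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Other" -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol * `
        -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -Name "nsg-appgw" -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Attach the NSG to the gateway subnet, preserving its existing address prefix.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the effective rule order: the client allow must sort before the deny,
# and the GatewayManager allow must be present.
$effective = (Get-AzNetworkSecurityGroup -Name "nsg-appgw" -ResourceGroupName $rg).SecurityRules |
    Sort-Object Priority
$effective | Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
if (-not ($effective | Where-Object { $_.SourceAddressPrefix -contains 'GatewayManager' -and $_.Access -eq 'Allow' })) {
    throw "GatewayManager allow rule missing; the gateway will lose control-plane access"
}
```

After applying the NSG, re-check backend health (Get-AzApplicationGatewayBackendHealth): an Unknown status right after the change almost always means rule 2 was omitted or given the wrong port range.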

Can I use the same port for both public-facing and private-facing listeners?

No.

Is there guidance available to migrate from the v1 SKU to the v2 SKU?

Yes. For details, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.

Configuration - SSL

What certificates does Application Gateway support?

Application Gateway supports self-signed certificates, certificate authority (CA) certificates, Extended Validation (EV) certificates, and wildcard certificates.

What cipher suites does Application Gateway support?

Application Gateway supports the following cipher suites.

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

For information on how to customize SSL options, see Configure SSL policy versions and cipher suites on Application Gateway. Note that "supported" is not the same as "recommended": the list includes suites without forward secrecy (TLS_RSA_*), CBC-mode suites, and 3DES. For a production gateway, restrict the policy to the ECDHE GCM suites unless you must serve older clients.

Does Application Gateway support reencryption of traffic to the backend?

Yes. Application Gateway supports SSL offload and end-to-end SSL, which reencrypts traffic to the backend.

Can I configure SSL policy to control SSL protocol versions?

Yes. You can configure Application Gateway to deny TLS 1.0, TLS 1.1, and TLS 1.2. By default, SSL 2.0 and 3.0 are already disabled and aren't configurable.

Can I configure cipher suites and policy order?

Yes. In Application Gateway, you can configure cipher suites. To define a custom policy, enable at least one of the following cipher suites.

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256

Application Gateway uses SHA256 for backend management.
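The two SSL-policy questions above (protocol versions and cipher suites) come down to one cmdlet sequence in practice. The following is an added example, not code from the Azure documentation: it sets a custom policy with a TLS 1.2 floor and only forward-secret AEAD suites from the page's supported list, then reads the policy back and fails if a weak suite survived. The resource group and gateway names are assumptions, and it assumes the Az module is installed and you're signed in.

```powershell
# Added example (not from the Azure docs page). Names are assumptions.
$rg     = "rg-appgw-demo"   # assumed resource group
$gwName = "appgw-demo"      # assumed gateway name

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg

# Show the current policy before changing it (PolicyType, MinProtocolVersion,
# CipherSuites, or PolicyName when a predefined policy is in use).
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw | Format-List

# Custom policy: TLS 1.2 minimum, ECDHE + GCM only. Every name here is on the
# page's supported list, and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 satisfies the
# "enable at least one of" requirement for custom policies.
$suites = @(
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
)

Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
    -PolicyType Custom `
    -MinProtocolVersion TLSv1_2 `
    -CipherSuite $suites | Out-Null
# Alternative with less control: -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S
# (a Microsoft-defined policy with a TLS 1.2 minimum).

# Commit. The gateway update is not instant; expect a few minutes.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verify what the gateway actually reports, not what we asked for.
$policy = Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw
$weak = @($policy.CipherSuites | Where-Object { $_ -match '3DES|_CBC_|^TLS_RSA_' })
if ($weak.Count -gt 0) {
    throw "Weak cipher suites still enabled: $($weak -join ', ')"
}
if ($policy.MinProtocolVersion -ne 'TLSv1_2') {
    throw "Minimum protocol is $($policy.MinProtocolVersion), expected TLSv1_2"
}
"SSL policy OK: $($policy.PolicyType), min $($policy.MinProtocolVersion), $($policy.CipherSuites.Count) suites"
```

The regex in the check is deliberately broader than the list it is applied to: it also catches a later edit that re-adds a CBC or static-RSA suite. Confirm from the client side as well (for example with an external TLS scanner) after the update finishes, since the cmdlet reports configuration, not the handshake a client sees.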

How many SSL certificates does Application Gateway support?

Application Gateway supports up to 100 SSL certificates.

How many authentication certificates for backend reencryption does Application Gateway support?

Application Gateway supports up to 100 authentication certificates.

Does Application Gateway natively integrate with Azure Key Vault?

Yes, the Application Gateway v2 SKU supports Key Vault. For more information, see SSL termination with Key Vault certificates.

How do I configure HTTPS listeners for .com and .net sites?

For multiple domain-based (host-based) routing, you can create multisite listeners, set up listeners that use HTTPS as the protocol, and associate the listeners with the routing rules. For more information, see Hosting multiple sites by using Application Gateway.

Can I use special characters in my .pfx file password?

No, use only alphanumeric characters in your .pfx file password.

Configuration - web application firewall (WAF)

Does the WAF SKU offer all the features available in the Standard SKU?

Yes. WAF supports all the features in the Standard SKU.

Which CRS versions does Application Gateway support?

Application Gateway supports CRS 2.2.9 and CRS 3.0.

How do I monitor WAF?

Monitor WAF through diagnostic logging. For more information, see Diagnostic logging and metrics for Application Gateway.

Does detection mode block traffic?

No. Detection mode only logs traffic that triggers a WAF rule.

Can I customize WAF rules?

Yes. For more information, see Customize WAF rule groups and rules.

What rules are currently available for WAF?

WAF currently supports CRS 2.2.9 and 3.0. These rules provide baseline security against most of the top-10 vulnerabilities that the Open Web Application Security Project (OWASP) identifies:

  • SQL injection protection
  • Cross-site scripting protection
  • Protection against common web attacks such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
  • Protection against HTTP protocol violations
  • Protection against HTTP protocol anomalies, such as missing Host, User-Agent, and Accept headers
  • Prevention against bots, crawlers, and scanners
  • Detection of common application misconfigurations (that is, Apache, IIS, and so on)

For more information, see OWASP top-10 vulnerabilities.

Does WAF support DDoS protection?

Yes. You can enable DDoS protection on the virtual network where the application gateway is deployed. This setting ensures that the Azure DDoS Protection service also protects the application gateway virtual IP (VIP).

Is there guidance available to migrate from the v1 SKU to the v2 SKU?

Yes. For details, see Migrate Azure Application Gateway and Web Application Firewall from v1 to v2.

Diagnostics and logging

What types of logs does Application Gateway provide?

Application Gateway provides three logs:

  • ApplicationGatewayAccessLog: The access log contains each request submitted to the application gateway frontend. The data includes the caller's IP, URL requested, response latency, return code, and bytes in and out. The access log is collected every 300 seconds. It contains one record per application gateway.
  • ApplicationGatewayPerformanceLog: The performance log captures performance information for each application gateway. Information includes the throughput in bytes, total requests served, failed request count, and healthy and unhealthy backend instance count.
  • ApplicationGatewayFirewallLog: For application gateways that you configure with WAF, the firewall log contains requests that are logged through either detection mode or prevention mode.

For more information, see Backend health, diagnostics logs, and metrics for Application Gateway.

How do I know if my backend pool members are healthy?

Verify health by using the PowerShell cmdlet Get-AzApplicationGatewayBackendHealth or the portal. For more information, see Application Gateway diagnostics.
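The cmdlet returns a nested object (pools, then HTTP settings, then servers), which is awkward to read at a glance and unsuitable for a scripted gate. The following added example, not code from the Azure documentation, flattens it into one row per backend server and exits non-zero if anything is not healthy. The resource group and gateway names are assumptions.

```powershell
# Added example (not from the Azure docs page). Names are assumptions.
$rg     = "rg-appgw-demo"   # assumed resource group
$gwName = "appgw-demo"      # assumed gateway name

$health = Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg

# Flatten pool -> HTTP settings -> server into rows. The pool and settings
# objects only carry resource IDs, so take the last path segment as the name.
$rows = foreach ($pool in $health.BackendAddressPools) {
    $poolName = ($pool.BackendAddressPool.Id -split '/')[-1]
    foreach ($settings in $pool.BackendHttpSettingsCollection) {
        $settingsName = ($settings.BackendHttpSettings.Id -split '/')[-1]
        foreach ($server in $settings.Servers) {
            [pscustomobject]@{
                Pool         = $poolName
                HttpSettings = $settingsName
                Address      = $server.Address
                Health       = $server.Health          # as reported by the cmdlet, e.g. Healthy / Unhealthy / Unknown
                ProbeLog     = $server.HealthProbeLog  # probe failure detail; may be empty on older API versions
            }
        }
    }
}

$rows | Format-Table -AutoSize

$bad = @($rows | Where-Object { $_.Health -ne 'Healthy' })
if ($bad.Count -gt 0) {
    # Unknown usually means the probe never reached the backend: check the NSG,
    # UDR, and custom DNS on the gateway subnet (see "What could cause backend
    # health to return an unknown status?" later on this page). Unhealthy means
    # the probe arrived and the backend answered with something the probe rejects.
    foreach ($b in $bad) {
        Write-Warning ("{0}/{1} {2}: {3} {4}" -f $b.Pool, $b.HttpSettings, $b.Address, $b.Health, $b.ProbeLog)
    }
    exit 1
}
"All {0} backend server(s) healthy" -f $rows.Count
```

Run this after any change to the gateway subnet's NSG, route table, or DNS, and after rotating a backend certificate when end-to-end SSL is in use; those are the changes that most often flip a backend to Unknown or Unhealthy without touching the application itself.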

What's the retention policy for the diagnostic logs?

Diagnostic logs flow to the customer's storage account. Customers can set the retention policy based on their preference. Diagnostic logs can also be sent to an event hub or Azure Monitor logs. For more information, see Application Gateway diagnostics.

How do I get audit logs for Application Gateway?

In the portal, on the menu blade of an application gateway, select Activity log to access the audit log.

Can I set alerts with Application Gateway?

Yes. In Application Gateway, alerts are configured on metrics. For more information, see Application Gateway metrics.

How do I analyze traffic statistics for Application Gateway?

You can view and analyze access logs in several ways. Use Azure Monitor logs, Excel, Power BI, and so on.

You can also use a Resource Manager template that installs and runs the popular GoAccess log analyzer for Application Gateway access logs. GoAccess provides valuable HTTP traffic statistics such as unique visitors, requested files, hosts, operating systems, browsers, and HTTP status codes. For more information, see the Readme file in the Resource Manager template folder on GitHub.
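The log-type list earlier in this section and the analysis question above are served by one added example (not code from the page or the Azure documentation). It takes diagnostic records in the JSON-lines form the storage-account and event-hub exports use, joins the access log to the firewall log by client IP, and produces three views: per-client error share with WAF blocks, 5xx responses (a backend symptom rather than a client one), and WAF rule hits. The records are constructed samples that follow the ApplicationGatewayAccessLog and ApplicationGatewayFirewallLog property names; the IPs, hosts, and requests are illustrative, and the 50% error-share threshold is an assumed tuning value.

```powershell
# Added example (not from the Azure docs page). Sample records are constructed.
$sample = @'
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.5","httpMethod":"GET","requestUri":"/","httpStatus":200,"host":"app.example.com","userAgent":"Mozilla/5.0","timeTaken":0.031}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/.env","httpStatus":404,"host":"app.example.com","userAgent":"python-requests/2.22","timeTaken":0.004}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/wp-login.php","httpStatus":404,"host":"app.example.com","userAgent":"python-requests/2.22","timeTaken":0.003}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/admin","httpStatus":403,"host":"app.example.com","userAgent":"python-requests/2.22","timeTaken":0.003}}
{"category":"ApplicationGatewayAccessLog","properties":{"clientIP":"203.0.113.5","httpMethod":"POST","requestUri":"/api/orders","httpStatus":502,"host":"app.example.com","userAgent":"Mozilla/5.0","timeTaken":4.020}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search?q=1%27%20OR%201%3D1","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Blocked","hostname":"app.example.com"}}
{"category":"ApplicationGatewayFirewallLog","properties":{"clientIp":"198.51.100.9","requestUri":"/search?q=%3Cscript%3E","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"941100","message":"XSS Attack Detected via libinjection","action":"Blocked","hostname":"app.example.com"}}
'@

# One JSON object per line; skip blanks. Replace $sample with Get-Content on an
# exported blob to run this on real data.
$records = $sample -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }

$access = $records | Where-Object category -eq 'ApplicationGatewayAccessLog'   | ForEach-Object properties
$waf    = $records | Where-Object category -eq 'ApplicationGatewayFirewallLog' | ForEach-Object properties

# View 1: per client. A high 4xx/5xx share from a single client plus WAF
# blocks is the usual scanner / forced-browsing signature. Note the access log
# uses clientIP and the firewall log uses clientIp; the join has to respect that.
$errorThreshold = 0.5   # assumed tuning value
$byClient = $access | Group-Object clientIP | ForEach-Object {
    $reqs   = @($_.Group)
    $errors = @($reqs | Where-Object { $_.httpStatus -ge 400 })
    $ip     = $_.Name
    $share  = $errors.Count / $reqs.Count
    [pscustomobject]@{
        ClientIP   = $ip
        Requests   = $reqs.Count
        Errors     = $errors.Count
        ErrorShare = [math]::Round($share, 2)
        WafBlocks  = @($waf | Where-Object { $_.clientIp -eq $ip -and $_.action -eq 'Blocked' }).Count
        Flag       = if ($share -gt $errorThreshold) { 'SUSPECT' } else { '' }
    }
} | Sort-Object Errors -Descending
"Per client:"; $byClient | Format-Table -AutoSize

# View 2: 5xx responses. These point at the backend (or the probe/HTTP
# settings), not at the caller, so keep them out of the client scoring above.
"Backend errors (5xx):"
$access | Where-Object { $_.httpStatus -ge 500 } |
    Select-Object clientIP, httpMethod, requestUri, httpStatus, timeTaken | Format-Table -AutoSize

# View 3: which WAF rules fired, by rule set version and action. In detection
# mode the action will read Detected rather than Blocked; the grouping is the same.
"WAF rule hits:"
$waf | Group-Object ruleSetVersion, ruleId, action |
    Select-Object Count, @{n='RuleSet/Rule/Action'; e={ $_.Name }}, @{n='Message'; e={ $_.Group[0].message }} |
    Format-Table -AutoSize
```

With the constructed data, 198.51.100.9 is flagged (three requests, all 4xx, two WAF blocks) and the single 502 is attributed to the backend rather than to 203.0.113.5. On real exports, run the same grouping over a time window and alert on the Flag column; the GoAccess template mentioned above gives the volumetric picture, but it does not correlate the firewall log with the access log.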

What could cause backend health to return an unknown status?

Usually, you see an unknown status when access to the backend is blocked by a network security group (NSG), custom DNS, or user-defined routing (UDR) on the application gateway subnet. For more information, see Backend health, diagnostics logging, and metrics for Application Gateway.

Is there any case where NSG flow logs won't show allowed traffic?

Yes. If your configuration matches the following scenario, you won't see allowed traffic in your NSG flow logs:

  • You've deployed Application Gateway v2
  • You have an NSG on the application gateway subnet
  • You've enabled NSG flow logs on that NSG

Next steps

To learn more about Application Gateway, see What is Azure Application Gateway?.