Create an application gateway with an internal load balancer (ILB)

Azure Application Gateway can be configured with an Internet-facing VIP or with an internal endpoint that is not exposed to the Internet, also known as an internal load balancer (ILB) endpoint. Configuring the gateway with an ILB is useful for internal line-of-business applications that are not exposed to the Internet. It's also useful for services and tiers within a multi-tier application that sit in a security boundary that is not exposed to the Internet but still require round-robin load distribution, session stickiness, or Secure Sockets Layer (SSL) termination.

This article walks you through the steps to configure an application gateway with an ILB.

Before you begin

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

  1. Install the latest version of the Azure PowerShell module by following the install instructions.
  2. Create a virtual network and a subnet for Application Gateway. Make sure that no virtual machines or cloud deployments are using the subnet. Application Gateway must be by itself in a virtual network subnet.
  3. The servers that you configure to use the application gateway must exist or have their endpoints created either in the virtual network or with a public IP/VIP assigned.

What is required to create an application gateway?

  • Back-end server pool: The list of IP addresses of the back-end servers. The IP addresses listed should either belong to the virtual network but in a different subnet for the application gateway or should be a public IP/VIP.
  • Back-end server pool settings: Every pool has settings like port, protocol, and cookie-based affinity. These settings are tied to a pool and are applied to all servers within the pool.
  • Front-end port: This port is the public port that is opened on the application gateway. Traffic hits this port, and then gets redirected to one of the back-end servers.
  • Listener: The listener has a front-end port, a protocol (Http or Https, these are case-sensitive), and the SSL certificate name (if configuring SSL offload).
  • Rule: The rule binds the listener and the back-end server pool and defines which back-end server pool the traffic should be directed to when it hits a particular listener. Currently, only the basic rule is supported. The basic rule is round-robin load distribution.

Create an application gateway

The difference between using Azure Classic and Azure Resource Manager is the order in which you create the application gateway and the items that need to be configured. With Resource Manager, all items that make up an application gateway are configured individually and then put together to create the application gateway resource.

Here are the steps that are needed to create an application gateway:

  1. Create a resource group for Resource Manager
  2. Create a virtual network and a subnet for the application gateway
  3. Create an application gateway configuration object
  4. Create an application gateway resource

Create a resource group for Resource Manager

Make sure that you switch PowerShell mode to use the Azure Resource Manager cmdlets. More info is available at Using Windows PowerShell with Resource Manager.

Step 1

Connect-AzAccount -Environment AzureChinaCloud

Step 2

Check the subscriptions for the account.

Get-AzSubscription

You are prompted to authenticate with your credentials.

Step 3

Choose which of your Azure subscriptions to use.

Select-AzSubscription -Subscriptionid "GUID of subscription"

Step 4

Create a new resource group (skip this step if you're using an existing resource group).

New-AzResourceGroup -Name appgw-rg -location "China North"

Azure Resource Manager requires that all resource groups specify a location. This is used as the default location for resources in that resource group. Make sure that all commands to create an application gateway use the same resource group.

In the preceding example, we created a resource group called "appgw-rg" in location "China North".

Create a virtual network and a subnet for the application gateway

The following example shows how to create a virtual network by using Resource Manager:

Step 1

$subnetconfig = New-AzVirtualNetworkSubnetConfig -Name subnet01 -AddressPrefix 10.0.0.0/24

This step assigns the address range 10.0.0.0/24 to a subnet variable to be used to create a virtual network.

Step 2

$vnet = New-AzVirtualNetwork -Name appgwvnet -ResourceGroupName appgw-rg -Location "China North" -AddressPrefix 10.0.0.0/16 -Subnet $subnetconfig

This step creates a virtual network named "appgwvnet" in resource group "appgw-rg" for the China North region using the prefix 10.0.0.0/16 with subnet 10.0.0.0/24.

Step 3

$subnet = $vnet.subnets[0]

This step assigns the subnet object to variable $subnet for the next steps.

Create an application gateway configuration object

Step 1

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $subnet

This step creates an application gateway IP configuration named "gatewayIP01". When Application Gateway starts, it picks up an IP address from the configured subnet and routes network traffic to the IP addresses in the back-end IP pool. Keep in mind that each instance takes one IP address.

Step 2

$pool = New-AzApplicationGatewayBackendAddressPool -Name pool01 -BackendIPAddresses 10.1.1.8,10.1.1.9,10.1.1.10

This step configures the back-end IP address pool named "pool01" with IP addresses "10.1.1.8, 10.1.1.9, 10.1.1.10". Those are the IP addresses that receive the network traffic that comes from the front-end IP endpoint. Replace the preceding IP addresses with your own application IP address endpoints.

Step 3

$poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name poolsetting01 -Port 80 -Protocol Http -CookieBasedAffinity Disabled

This step configures application gateway setting "poolsetting01" for the load balanced network traffic in the back-end pool.

Step 4

$fp = New-AzApplicationGatewayFrontendPort -Name frontendport01  -Port 80

This step configures the front-end IP port named "frontendport01" for the ILB.

Step 5

$fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name fipconfig01 -Subnet $subnet

This step creates the front-end IP configuration called "fipconfig01" and associates it with a private IP from the current virtual network subnet.

Step 6

$listener = New-AzApplicationGatewayHttpListener -Name listener01  -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $fp

This step creates the listener called "listener01" and associates the front-end port to the front-end IP configuration.

Step 7

$rule = New-AzApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool

This step creates the load balancer routing rule called "rule01" that configures the load balancer behavior.

Step 8

$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2

This step configures the instance size of the application gateway.

Note

The default value for Capacity is 2. For Sku Name, you can choose between Standard_Small, Standard_Medium, and Standard_Large.

Create an application gateway by using New-AzApplicationGateway

Create an application gateway with all configuration items from the preceding steps. In this example, the application gateway is called "appgwtest".

$appgw = New-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Location "China North" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig  -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku

This step creates an application gateway with all configuration items from the preceding steps. In the example, the application gateway is called "appgwtest".
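A post-deployment check for the point made in the introduction, that an ILB gateway is not exposed to the Internet (added example, not part of the original article or Microsoft's code). The function Test-AppGwInternalOnly is hypothetical and the sample object is constructed; the property names are those of the object returned by Get-AzApplicationGateway.

```powershell
# Added example: audits an application gateway object for Internet exposure.
# Test-AppGwInternalOnly is a hypothetical helper written for this illustration.
function Test-AppGwInternalOnly {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Gateway
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $exposed  = $false

    foreach ($fip in $Gateway.FrontendIPConfigurations) {
        # An ILB front end references a subnet and carries no public IP resource.
        if ($null -ne $fip.PublicIPAddress) {
            $exposed = $true
            $findings.Add("Front-end '$($fip.Name)' is bound to a public IP address")
        }
        if ($null -eq $fip.Subnet) {
            $exposed = $true
            $findings.Add("Front-end '$($fip.Name)' is not bound to a virtual network subnet")
        }
    }
    foreach ($listener in $Gateway.HttpListeners) {
        # The walkthrough uses Http; report it so a cleartext listener is a deliberate choice.
        if ($listener.Protocol -eq 'Http') {
            $findings.Add("Listener '$($listener.Name)' accepts cleartext HTTP")
        }
    }
    [pscustomobject]@{
        Name         = $Gateway.Name
        InternalOnly = -not $exposed
        Findings     = $findings
    }
}

# Constructed sample mirroring the gateway built in this article (not real cmdlet output).
$sample = [pscustomobject]@{
    Name                     = 'appgwtest'
    FrontendIPConfigurations = @([pscustomobject]@{
        Name            = 'fipconfig01'
        PublicIPAddress = $null
        Subnet          = [pscustomobject]@{ Id = '<subnet resource id placeholder>' }
    })
    HttpListeners            = @([pscustomobject]@{ Name = 'listener01'; Protocol = 'Http' })
}
Test-AppGwInternalOnly -Gateway $sample | Format-List

# Against the deployed gateway from this article:
# Test-AppGwInternalOnly -Gateway (Get-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg)
```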

Delete an application gateway

To delete an application gateway, you need to do the following steps in order:

  1. Use the Stop-AzApplicationGateway cmdlet to stop the gateway.
  2. Use the Remove-AzApplicationGateway cmdlet to remove the gateway.
  3. Verify that the gateway has been removed by using the Get-AzApplicationGateway cmdlet.

Step 1

Get the application gateway object and associate it to a variable "$getgw".

$getgw =  Get-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg

Step 2

Use Stop-AzApplicationGateway to stop the application gateway. This sample shows the Stop-AzApplicationGateway cmdlet on the first line, followed by the output.

Stop-AzApplicationGateway -ApplicationGateway $getgw  
VERBOSE: 9:49:34 PM - Begin Operation: Stop-AzureApplicationGateway
VERBOSE: 10:10:06 PM - Completed Operation: Stop-AzureApplicationGateway
Name       HTTP Status Code     Operation ID                             Error
----       ----------------     ------------                             ----
Successful OK                   ce6c6c95-77b4-2118-9d65-e29defadffb8

Once the application gateway is in a stopped state, use the Remove-AzApplicationGateway cmdlet to remove the service.

Remove-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg -Force
VERBOSE: 10:49:34 PM - Begin Operation: Remove-AzureApplicationGateway
VERBOSE: 10:50:36 PM - Completed Operation: Remove-AzureApplicationGateway
Name       HTTP Status Code     Operation ID                             Error
----       ----------------     ------------                             ----
Successful OK                   055f3a96-8681-2094-a304-8d9a11ad8301

Note

The -force switch can be used to suppress the remove confirmation message.

To verify that the service has been removed, you can use the Get-AzApplicationGateway cmdlet. This step is not required.

Get-AzApplicationGateway -Name appgwtest -ResourceGroupName appgw-rg
VERBOSE: 10:52:46 PM - Begin Operation: Get-AzureApplicationGateway

Get-AzureApplicationGateway : ResourceNotFound: The gateway does not exist.

Next steps

If you want to configure SSL offload, see Configure an application gateway for SSL offload.

If you want to configure an application gateway to use with an ILB, see Create an application gateway with an internal load balancer (ILB).

If you want more information about load balancing options in general, see: