应用程序网关对多租户后端(例如应用服务)的支持Application Gateway support for multi-tenant back ends such as App service

在 Web 服务器的多租户体系结构设计中,多个网站在同一 Web 服务器实例上运行。In multi-tenant architectural designs in web servers, multiple websites are running on the same web server instance. 主机名用于区分托管的不同应用程序。Hostnames are used to differentiate between the different applications which are hosted. 默认情况下,应用程序网关不更改从客户端传入的 HTTP 主机标头,而是将该标头原封不动地发送到后端。By default, application gateway does not change the incoming HTTP host header from the client and sends the header unaltered to the back end. 这适用于后端池成员,例如 NIC、虚拟机规模集、公共 IP 地址、内部 IP 地址和 FQDN,因为这些资源无需依赖于特定的主机标头或 SNI 扩展即可解析为正确的终结点。This works well for backend pool members such as NICs, virtual machine scale sets, public IP addresses, internal IP addresses and FQDN as these do not rely on a specific host header or SNI extension to resolve to the correct endpoint. 但是,有许多服务(例如 Azure 应用服务 Web 应用和 Azure API 管理)在性质上是多租户的,需要依赖于特定的主机标头或 SNI 扩展才能解析为正确的终结点。However, there are many services such as Azure App service web apps and Azure API management that are multi-tenant in nature and rely on a specific host header or SNI extension to resolve to the correct endpoint. 通常,应用程序的 DNS 名称(也是与应用程序网关关联的 DNS 名称)不同于后端服务的域名。Usually, the DNS name of the application, which in turn is the DNS name associated with the application gateway, is different from the domain name of the backend service. 因此,应用程序网关收到的原始请求中的主机标头不同于后端服务的主机名。Therefore, the host header in the original request received by the application gateway is not the same as the host name of the backend service. 正因如此,除非从应用程序网关发往后端的请求中的主机标头已更改为后端服务的主机名,否则多租户后端无法将请求解析为正确的终结点。Because of this, unless the host header in the request from the application gateway to the backend is changed to the host name of the backend service, the multi-tenant backends are not able to resolve the request to the correct endpoint.

应用程序网关提供相应的功能,让用户根据后端的主机名替代请求中的 HTTP 主机标头。Application gateway provides a capability which allows users to override the HTTP host header in the request based on the host name of the back-end. 此功能支持 Azure 应用服务 Web 应用和 API 管理等多租户后端。This capability enables support for multi-tenant back ends such as Azure App service web apps and API management. 此功能适用于 v1 和 v2 标准 SKU 和 WAF SKU。This capability is available for both the v1 and v2 standard and WAF SKUs.



这不适用于 Azure 应用服务环境 (ASE),因为 ASE 与 Azure 应用服务不同,前者是专用资源,而后者是多租户资源。This is not applicable to Azure App service environment (ASE) since ASE is a dedicated resource unlike Azure App service which is a multi-tenant resource.

替代请求中的主机标头Override host header in the request

指定主机替代的功能在 HTTP 设置中定义,可以在创建规则过程中应用到任何后端池。The ability to specify a host override is defined in the HTTP settings and can be applied to any back-end pool during rule creation. 多租户后端支持通过以下两种方式来替代主机标头和 SNI 扩展:The following two ways of overriding host header and SNI extension for multi-tenant back ends is supported:

  • 在 HTTP 设置中显式输入将主机名设置为固定值的功能。The ability to set the host name to a fixed value explicitly entered in the HTTP settings. 此功能可确保将主机标头替代为该值,前提是在流量流向的后端池中应用了特定的 HTTP 设置。This capability ensures that the host header is overridden to this value for all traffic to the back-end pool where the particular HTTP settings are applied. 使用端到端 TLS 时,会在 SNI 扩展中使用此替代的主机名。When using end to end TLS, this overridden host name is used in the SNI extension. 有了此功能,后端池场收到的主机标头就可以不同于传入的客户主机标头。This capability enables scenarios where a back-end pool farm expects a host header that is different from the incoming customer host header.

  • 从后端池成员的 IP 或 FQDN 派生主机名的功能。The ability to derive the host name from the IP or FQDN of the back-end pool members. HTTP 设置还提供了一个选项,用于从后端池成员的 FQDN 动态选取主机名,前提是配置了从单个后端池成员派生主机名的选项。HTTP settings also provide an option to dynamically pick the host name from a back-end pool member's FQDN if configured with the option to derive host name from an individual back-end pool member. 使用端到端 TLS 时,此主机名派生自 FQDN,用在 SNI 扩展中。When using end to end TLS, this host name is derived from the FQDN and is used in the SNI extension. 有了此功能,后端池就可以有两个或两个以上的多租户 PaaS 服务(例如 Azure Web 应用),而针对每个成员的请求的主机标头就可以包含从该成员的 FQDN 派生的主机名。This capability enables scenarios where a back-end pool can have two or more multi-tenant PaaS services like Azure web apps and the request's host header to each member contains the host name derived from its FQDN. 为了实现此方案,我们在 HTTP 设置中使用了名为从后端地址中选取主机名的开关,此开关会将原始请求中的主机标头动态替代为后端池中指定的标头。For implementing this scenario, we use a switch in the HTTP Settings called Pick hostname from backend address which will dynamically override the host header in the original request to the one mentioned in the backend pool. 例如,如果后端池 FQDN 包含“contoso11.chinacloudsites.cn”和“contoso22.chinacloudsites.cn”,将请求发送到相应的后端服务器时,原始请求的主机标头 contoso.com 将替代为 contoso11.chinacloudsites.cn 或contoso22.chinacloudsites.cn。For example, if your backend pool FQDN contains “contoso11.chinacloudsites.cn” and “contoso22.chinacloudsites.cn”, the original request’s host header which is contoso.com will be overridden to contoso11.chinacloudsites.cn or contoso22.chinacloudsites.cn when the request is sent to the appropriate backend server.

    Web 应用方案

有了此功能,客户就可以在 HTTP 设置中指定选项,并根据相应的配置来自定义探测。With this capability, customers specify the options in the HTTP settings and custom probes to the appropriate configuration. 然后,可以通过规则将此设置绑定到侦听器和后端池。This setting is then tied to a listener and a back-end pool by using a rule.

特殊注意事项Special considerations

多租户服务的 TLS 终止和端到端 TLSTLS termination and end to end TLS with multi-tenant services

多租户服务支持 TLS 终止和端到端 TLS 加密。Both TLS termination and end to end TLS encryption is supported with multi-tenant services. 若要在应用程序网关上实现 TLS 终止,仍然需要将 TLS 证书添加到应用程序网关侦听器。For TLS termination at the application gateway, TLS certificate continues to be required to be added to the application gateway listener. 但是,在实现端到端 TLS 时,受信任的 Azure 服务(例如 Azure 应用服务 Web 应用)不需要在应用程序网关中允许后端。However, in case of end to end TLS, trusted Azure services such as Azure App service web apps do not require allowing the backends in the application gateway. 因此,无需添加任何身份验证证书。Therefore, there is no need to add any authentication certificates.

端到端 TLS

请注意,在上图中,将应用服务选作后端时,不必要添加身份验证证书。Notice that in the above image, there is no requirement to add authentication certificates when App service is selected as backend.

运行状况探测Health probe

替代 HTTP 设置中的主机标头只会影响请求及其路由,Overriding the host header in the HTTP settings only affects the request and its routing. 而不影响运行状况探测行为。it does not impact the health probe behavior. 若要使用端到端功能,必须修改探测和 HTTP 设置,使之反映正确的配置。For end to end functionality to work, both the probe and the HTTP settings must be modified to reflect the correct configuration. 除了提供在探测配置中指定主机标头的功能以外,自定义探测还支持从当前配置的 HTTP 设置中派生主机标头的功能。In addition to providing the ability to specify a host header in the probe configuration, custom probes also support the ability to derive the host header from the currently configured HTTP settings. 指定此配置时,可以在探测配置中使用 PickHostNameFromBackendHttpSettings 参数。This configuration can be specified by using the PickHostNameFromBackendHttpSettings parameter in the probe configuration.

重定向到应用服务 URL 的情况Redirection to App Service’s URL scenario

在某些情况下,来自应用服务的响应中的主机名可能会将最终用户的浏览器定向到 *.chinacloudsites.cn 主机名,而不是定向到与应用程序网关关联的域。There can be scenarios where the hostname in the response from the App service may direct the end-user browser to the *.chinacloudsites.cn hostname instead of the domain associated with the Application Gateway. 在以下情况下可能会发生此问题:This issue may happen when:

  • 在应用服务中配置了重定向。You have redirection configured on your App Service. 只需在请求中添加一个尾随的斜杠即可配置重定向。Redirection can be as simple as adding a trailing slash to the request.
  • Azure AD 身份验证导致重定向。You have Azure AD authentication which causes the redirection.

若要解决这种情况,请参阅排查重定向到应用服务 URL 的问题To resolve such cases, see Troubleshoot redirection to App service’s URL issue.

后续步骤Next steps

访问为应用服务 Web 应用配置应用程序网关,了解如何为用作后端池成员的多租户应用(例如 Azure 应用服务 Web 应用)设置应用程序网关Learn how to set up an application gateway with a multi-tenant app such as Azure App service web app as a back-end pool member by visiting Configure App Service web apps with Application Gateway