Application Gateway configuration overview

Azure Application Gateway consists of several components that you can configure in various ways for different scenarios. This article shows you how to configure each component.

[Figure: Application Gateway components flow chart]

This image illustrates an application that has three listeners. The first two are multi-site listeners for http://acme.com/* and http://fabrikam.com/*, respectively. Both listen on port 80. The third is a basic listener that has end-to-end Secure Sockets Layer (SSL) termination.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Azure virtual network and dedicated subnet

An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet.

Note

You can't mix Standard_v2 and Standard Azure Application Gateway on the same subnet.

Size of the subnet

Application Gateway consumes 1 private IP address per instance, plus another private IP address if a private front-end IP is configured.

Azure also reserves 5 IP addresses in each subnet for internal use: the first 4 and the last IP addresses. For example, consider 15 application gateway instances with no private front-end IP. You need at least 20 IP addresses for this subnet: 5 for internal use and 15 for the application gateway instances. So, you need a /27 subnet size or larger.

Consider a subnet that has 27 application gateway instances and an IP address for a private front-end IP. In this case, you need 33 IP addresses: 27 for the application gateway instances, 1 for the private front end, and 5 for internal use. So, you need a /26 subnet size or larger.

We recommend that you use a subnet size of at least /28. This size gives you 11 usable IP addresses. If your application load requires more than 10 Application Gateway instances, consider a /27 or /26 subnet size.

Network security groups on the Application Gateway subnet

Network security groups (NSGs) are supported on Application Gateway. But there are several restrictions:

  • You must allow incoming Internet traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and TCP ports 65200-65535 for the v2 SKU, with the destination subnet as Any. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't initiate changes on those endpoints without appropriate certificates in place.

  • Outbound internet connectivity can't be blocked. Default outbound rules in the NSG allow internet connectivity. We recommend that you:

    • Don't remove the default outbound rules.
    • Don't create other outbound rules that deny outbound internet connectivity.
  • Traffic from the AzureLoadBalancer tag must be allowed.

Allow Application Gateway access to a few source IPs

For this scenario, use NSGs on the Application Gateway subnet. Put the following restrictions on the subnet in this order of priority:

  1. Allow incoming traffic from a source IP or IP range, with the destination as either the entire Application Gateway subnet or the specific configured private front-end IP. The NSG doesn't work on a public IP.
  2. Allow incoming requests from all sources to ports 65503-65534 for the Application Gateway v1 SKU, and ports 65200-65535 for the v2 SKU, for back-end health communication. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. Without appropriate certificates in place, external entities can't initiate changes on those endpoints.
  3. Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the network security group.
  4. Block all other incoming traffic by using a deny-all rule.
  5. Allow outbound traffic to the internet for all destinations.
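The five restrictions above, written out as an Azure PowerShell (Az module) NSG for a v2 SKU gateway subnet. This is an added example, not code from the original article; the resource group, VNet and subnet names, the /27 prefix, the allowed client range (203.0.113.0/24, a documentation range) and the private front-end IP are all assumed values.

```powershell
# Added example: build the NSG from steps 1-5 and attach it to the gateway subnet.
# All names and addresses below are assumptions for illustration.
$rg           = "appgw-rg"
$location     = "chinanorth"
$vnetName     = "appgw-vnet"
$subnetName   = "appgw-subnet"
$subnetPrefix = "10.0.0.0/27"        # /27 leaves room for 15 instances plus the 5 reserved
$allowedRange = "203.0.113.0/24"     # constructed: the few client IPs to admit
$privateFeIp  = "10.0.0.10"          # constructed: the configured private front-end IP

$rules = @(
    # 1. Admit the allowed clients, destined either to the whole gateway subnet
    #    or to the private front-end IP (the NSG doesn't filter the public IP).
    New-AzNetworkSecurityRuleConfig -Name "allow-known-clients" -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $allowedRange -SourcePortRange "*" `
        -DestinationAddressPrefix @($subnetPrefix, $privateFeIp) `
        -DestinationPortRange @("80", "443")

    # 2. Azure infrastructure / back-end health communication (v2 SKU port range).
    New-AzNetworkSecurityRuleConfig -Name "allow-infra-ports-v2" -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "65200-65535"

    # 3. Load balancer probes and intra-VNet traffic, by service tag.
    New-AzNetworkSecurityRuleConfig -Name "allow-azure-lb-probes" -Priority 120 `
        -Direction Inbound -Access Allow -Protocol "*" `
        -SourceAddressPrefix "AzureLoadBalancer" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*"
    New-AzNetworkSecurityRuleConfig -Name "allow-vnet-inbound" -Priority 130 `
        -Direction Inbound -Access Allow -Protocol "*" `
        -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*"

    # 4. Deny everything else inbound; a high priority number evaluates last.
    New-AzNetworkSecurityRuleConfig -Name "deny-all-inbound" -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*"

    # 5. Outbound to the internet stays open; the gateway needs it to function.
    New-AzNetworkSecurityRuleConfig -Name "allow-internet-outbound" -Priority 100 `
        -Direction Outbound -Access Allow -Protocol "*" `
        -SourceAddressPrefix "*" -SourcePortRange "*" `
        -DestinationAddressPrefix "Internet" -DestinationPortRange "*"
)

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "$subnetName-nsg" -SecurityRules $rules

# Attach the NSG to the dedicated gateway subnet and push the VNet change.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnetPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: list the rules in evaluation order (lowest priority number first) per direction.
$nsg | Get-AzNetworkSecurityRuleConfig |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

For a v1 SKU gateway, change the infrastructure rule's port range to 65503-65534 as listed in step 2.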

User-defined routes supported on the Application Gateway subnet

For the v1 SKU, user-defined routes (UDRs) are supported on the Application Gateway subnet, as long as they don't alter end-to-end request/response communication. For example, you can set up a UDR in the Application Gateway subnet to point to a firewall appliance for packet inspection. But you must make sure that the packet can reach its intended destination after inspection. Failure to do so might result in incorrect health-probe or traffic-routing behavior. This includes learned routes or default 0.0.0.0/0 routes that are propagated by Azure ExpressRoute or VPN gateways in the virtual network.

For the v2 SKU, UDRs are not supported on the Application Gateway subnet. For more information, see Azure Application Gateway v2 SKU.

Note

UDRs are not supported for the v2 SKU. If you require UDRs, you should continue to deploy the v1 SKU.

Note

Using UDRs on the Application Gateway subnet causes the health status in the back-end health view to appear as "Unknown." It also causes generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics.

Front-end IP

You can configure the application gateway to have a public IP address, a private IP address, or both. A public IP is required when you host a back end that clients must access over the internet via an internet-facing virtual IP (VIP).

A public IP isn't required for an internal endpoint that's not exposed to the internet. That's known as an internal load-balancer (ILB) endpoint or private front-end IP. An application gateway ILB is useful for internal line-of-business applications that aren't exposed to the internet. It's also useful for services and tiers in a multi-tier application within a security boundary that aren't exposed to the internet but that require round-robin load distribution, session stickiness, or SSL termination.

Only 1 public IP address or 1 private IP address is supported. You choose the front-end IP when you create the application gateway.

  • For a public IP, you can create a new public IP address or use an existing public IP in the same location as the application gateway. For more information, see static vs. dynamic public IP address.

  • For a private IP, you can specify a private IP address from the subnet where the application gateway is created. If you don't specify one, an arbitrary IP address is automatically selected from the subnet. The IP address type that you select (static or dynamic) can't be changed later. For more information, see Create an application gateway with an internal load balancer.

A front-end IP address is associated to a listener, which checks for incoming requests on the front-end IP.

Listeners

A listener is a logical entity that checks for incoming connection requests by using the port, protocol, host, and IP address. When you configure the listener, you must enter values for these that match the corresponding values in the incoming request on the gateway.

When you create an application gateway by using the Azure portal, you also create a default listener by choosing the protocol and port for the listener. You can choose whether to enable HTTP2 support on the listener. After you create the application gateway, you can edit the settings of that default listener (appGatewayHttpListener) or create new listeners.

Listener type

When you create a new listener, you choose between basic and multi-site.

  • If you want all of your requests (for any domain) to be accepted and forwarded to back-end pools, choose basic. Learn how to create an application gateway with a basic listener.

  • If you want to forward requests to different back-end pools based on the host header or hostname, choose multi-site listener, where you must also specify a hostname that matches the incoming request. This is because Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port.

Order of processing listeners

For the v1 SKU, requests are matched according to the order of the rules and the type of listener. If a rule with a basic listener comes first in the order, it is processed first and will accept any request for that port and IP combination. To avoid this, configure the rules with multi-site listeners first and push the rule with the basic listener to the last in the list.

For the v2 SKU, multi-site listeners are processed before basic listeners.

Front-end IP

Choose the front-end IP address that you plan to associate with this listener. The listener will listen to incoming requests on this IP.

Front-end port

Choose the front-end port. Select an existing port or create a new one. Choose any value from the allowed range of ports. You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. A port can be used for public-facing listeners or private-facing listeners.

Protocol

Choose HTTP or HTTPS:

  • If you choose HTTP, the traffic between the client and the application gateway is unencrypted.

  • Choose HTTPS if you want SSL termination or end-to-end SSL encryption. The traffic between the client and the application gateway is encrypted, and the SSL connection terminates at the application gateway. If you want end-to-end SSL encryption, you must choose HTTPS and configure the back-end HTTP setting. This ensures that traffic is re-encrypted when it travels from the application gateway to the back end.

To configure SSL termination and end-to-end SSL encryption, you must add a certificate to the listener to enable the application gateway to derive a symmetric key. This is dictated by the SSL protocol specification. The symmetric key is used to encrypt and decrypt the traffic that's sent to the gateway. The gateway certificate must be in Personal Information Exchange (PFX) format. This format lets you export the private key that the gateway uses to encrypt and decrypt traffic.

Supported certificates

See certificates supported for SSL termination.

Additional protocol support

HTTP2 support

HTTP/2 protocol support is available to clients that connect to application gateway listeners only. The communication to back-end server pools is over HTTP/1.1. By default, HTTP/2 support is disabled. The following Azure PowerShell code snippet shows how to enable this:

# Fetch the gateway, enable HTTP/2 on its listeners, and write the change back
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm
$gw.EnableHttp2 = $true
Set-AzApplicationGateway -ApplicationGateway $gw

WebSocket support

WebSocket support is enabled by default. There's no user-configurable setting to enable or disable it. You can use WebSockets with both HTTP and HTTPS listeners.

Custom error pages

You can define custom error pages at the global level or the listener level. But creating global-level custom error pages from the Azure portal is currently not supported. You can configure a custom error page for a 403 web application firewall error or a 502 maintenance page at the listener level. You must also specify a publicly accessible blob URL for the given error status code. For more information, see Create Application Gateway custom error pages.

[Figure: Application Gateway error codes]

To configure a global custom error page, see Azure PowerShell configuration.

SSL policy

You can centralize SSL certificate management and reduce encryption-decryption overhead for a back-end server farm. Centralized SSL handling also lets you specify a central SSL policy that's suited to your security requirements. You can choose a default, predefined, or custom SSL policy.

You configure SSL policy to control SSL protocol versions. You can configure an application gateway to use a minimum protocol version for TLS handshakes from TLS1.0, TLS1.1, and TLS1.2. By default, SSL 2.0 and 3.0 are disabled and aren't configurable. For more information, see Application Gateway SSL policy overview.
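Raising the minimum TLS version is the SSL policy change most deployments want. The following is an added Azure PowerShell example, not code from the original article; the gateway name "appgw" and resource group "appgw-rg" are assumed.

```powershell
# Added example: record the current SSL policy, apply the predefined policy
# whose minimum protocol version is TLS 1.2, and read the result back.
# Gateway and resource group names are assumptions.
$gw = Get-AzApplicationGateway -Name "appgw" -ResourceGroupName "appgw-rg"

# Before: what the gateway negotiates today.
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw

# After: AppGwSslPolicy20170401S is the predefined policy with TLSv1_2 as its
# minimum version. SSL 2.0/3.0 stay disabled regardless of the policy chosen.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
    -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: PolicyName should now read AppGwSslPolicy20170401S.
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw |
    Select-Object PolicyType, PolicyName, MinProtocolVersion
```

If you need a specific cipher suite list instead, use -PolicyType Custom with -MinProtocolVersion TLSv1_2 and -CipherSuite.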

After you create a listener, you associate it with a request-routing rule. That rule determines how requests that are received on the listener are routed to the back end.

Request routing rules

When you create an application gateway by using the Azure portal, you create a default rule (rule1). This rule binds the default listener (appGatewayHttpListener) with the default back-end pool (appGatewayBackendPool) and the default back-end HTTP settings (appGatewayBackendHttpSettings). After you create the gateway, you can edit the settings of the default rule or create new rules.

Rule type

When you create a rule, you choose between basic and path-based.

  • Choose basic if you want to forward all requests on the associated listener (for example, blog.contoso.com/*) to a single back-end pool.
  • Choose path-based if you want to route requests from specific URL paths to specific back-end pools. The path pattern is applied only to the path of the URL, not to its query parameters.

Order of processing rules

For the v1 SKU, pattern matching of incoming requests is processed in the order that the paths are listed in the URL path map of the path-based rule. If a request matches the pattern in two or more paths in the path map, the path that's listed first is matched, and the request is forwarded to the back end that's associated with that path.

For the v2 SKU, an exact match has higher priority than path order in the URL path map. If a request matches the pattern in two or more paths, the request is forwarded to the back end that's associated with the path that exactly matches the request. If the path in the incoming request doesn't exactly match any path in the map, pattern matching of the request is processed in the path map order list for the path-based rule.

Associated listener

Associate a listener to the rule so that the request-routing rule that's associated with the listener is evaluated to determine the back-end pool to route the request to.

Associated back-end pool

Associate to the rule the back-end pool that contains the back-end targets that serve requests that the listener receives.

  • For a basic rule, only one back-end pool is allowed. All requests on the associated listener are forwarded to that back-end pool.

  • For a path-based rule, add multiple back-end pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding back-end pool. Also, add a default back-end pool. Requests that don't match any URL path in the rule are forwarded to that pool.

Associated back-end HTTP setting

Add a back-end HTTP setting for each rule. Requests are routed from the application gateway to the back-end targets by using the port number, protocol, and other information that's specified in this setting.

For a basic rule, only one back-end HTTP setting is allowed. All requests on the associated listener are forwarded to the corresponding back-end targets by using this HTTP setting.

For a path-based rule, add multiple back-end HTTP settings that correspond to each URL path. Requests that match the URL path in this setting are forwarded to the corresponding back-end targets by using the HTTP settings that correspond to each URL path. Also, add a default HTTP setting. Requests that don't match any URL path in this rule are forwarded to the default back-end pool by using the default HTTP setting.

Redirection setting

If redirection is configured for a basic rule, all requests on the associated listener are redirected to the target. This is global redirection. If redirection is configured for a path-based rule, only requests in a specific site area are redirected. An example is a shopping cart area that's denoted by /cart/*. This is path-based redirection.

For more information about redirects, see Application Gateway redirect overview.

Redirection type

Choose the type of redirection required: Permanent (301), Temporary (307), Found (302), or See other (303).

Redirection target

Choose another listener or an external site as the redirection target.

Listener

Choose listener as the redirection target to redirect traffic from one listener to another on the gateway. This setting is required when you want to enable HTTP-to-HTTPS redirection. It redirects traffic from the source listener that checks for incoming HTTP requests to the destination listener that checks for incoming HTTPS requests. You can also choose to include the query string and path from the original request in the request that's forwarded to the redirection target.
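The HTTP-to-HTTPS redirection described above, as an added Azure PowerShell example that is not part of the original article. It assumes an existing gateway "appgw" in resource group "appgw-rg" with listeners named "httpListener" (port 80) and "httpsListener" (port 443) already defined.

```powershell
# Added example: send every request arriving on the HTTP listener to the
# HTTPS listener with a permanent (301) redirect, keeping path and query string.
# Gateway, resource group and listener names are assumptions.
$gw = Get-AzApplicationGateway -Name "appgw" -ResourceGroupName "appgw-rg"
$httpListener  = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "httpListener"
$httpsListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "httpsListener"

# Redirect target is the HTTPS listener on the same gateway. Including the
# path and query string lands the client on the same resource over TLS.
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw `
    -Name "httpToHttps" -RedirectType Permanent -TargetListener $httpsListener `
    -IncludePath $true -IncludeQueryString $true
$redirect = Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "httpToHttps"

# A basic rule on the HTTP listener that points at the redirect configuration
# instead of a back-end pool, so no plaintext request ever reaches a back end.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw `
    -Name "httpToHttpsRule" -RuleType Basic -HttpListener $httpListener `
    -RedirectConfiguration $redirect
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: the rule should carry a redirect configuration and no back-end pool.
Get-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "httpToHttpsRule" |
    Select-Object Name, RuleType, @{ n = "Redirect"; e = { $_.RedirectConfiguration.Id } }
```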

[Figure: Application Gateway components dialog]

For more information about HTTP-to-HTTPS redirection, see:

External site

Choose external site when you want to redirect the traffic on the listener that's associated with this rule to an external site. You can choose to include the query string from the original request in the request that's forwarded to the redirection target. You can't forward the path to the external site that was in the original request.

For more information about redirection, see:

Rewrite the HTTP header setting

This setting adds, removes, or updates HTTP request and response headers while the request and response packets move between the client and back-end pools. For more information, see:

HTTP settings

The application gateway routes traffic to the back-end servers by using the configuration that you specify here. After you create an HTTP setting, you must associate it with one or more request-routing rules.

Cookie-based affinity

This feature is useful when you want to keep a user session on the same server. Gateway-managed cookies let the application gateway direct subsequent traffic from a user session to the same server for processing. This is important when session state is saved locally on the server for a user session. If the application can't handle cookie-based affinity, you can't use this feature. To use it, make sure that the clients support cookies.

Connection draining

Connection draining helps you gracefully remove back-end pool members during planned service updates. You can apply this setting to all members of a back-end pool during rule creation. It ensures that all deregistering instances of a back-end pool continue to maintain existing connections and serve in-progress requests for a configurable timeout, and don't receive any new requests or connections. The only exception is requests that are bound for deregistering instances because of gateway-managed session affinity; those requests continue to be proxied to the deregistering instances. Connection draining applies to back-end instances that are explicitly removed from the back-end pool.

Protocol

Application Gateway supports both HTTP and HTTPS for routing requests to the back-end servers. If you choose HTTP, traffic to the back-end servers is unencrypted. If unencrypted communication isn't acceptable, choose HTTPS.

This setting combined with HTTPS in the listener supports end-to-end SSL. This allows you to securely transmit sensitive data encrypted to the back end. Each back-end server in the back-end pool that has end-to-end SSL enabled must be configured with a certificate to allow secure communication.

Port

This setting specifies the port where the back-end servers listen to traffic from the application gateway. You can configure ports ranging from 1 to 65535.

Request timeout

This setting is the number of seconds that the application gateway waits to receive a response from the back-end server.

Override back-end path

This setting lets you configure an optional custom forwarding path to use when the request is forwarded to the back end. Any part of the incoming path that matches the custom path in the override back-end path field is copied to the forwarded path. The following tables show how this feature works:

  • When the HTTP setting is attached to a basic request-routing rule:

    Original request             Override back-end path   Request forwarded to back end
    /home/                       /override/               /override/home/
    /home/secondhome/            /override/               /override/home/secondhome/

  • When the HTTP setting is attached to a path-based request-routing rule:

    Original request             Path rule          Override back-end path   Request forwarded to back end
    /pathrule/home/              /pathrule*         /override/               /override/home/
    /pathrule/home/secondhome/   /pathrule*         /override/               /override/home/secondhome/
    /home/                       /pathrule*         /override/               /override/home/
    /home/secondhome/            /pathrule*         /override/               /override/home/secondhome/
    /pathrule/home/              /pathrule/home*    /override/               /override/
    /pathrule/home/secondhome/   /pathrule/home*    /override/               /override/secondhome/
    /pathrule/                   /pathrule/         /override/               /override/
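The rewrite shown in the two tables above, modelled as an added PowerShell function so the forwarded path can be predicted before an HTTP setting is deployed. This is not Application Gateway's own code; it assumes, as the tables suggest, that the part of the path rule before the asterisk is a literal prefix that is stripped from a matching incoming path, with the remainder appended to the override path, and that a basic rule appends the whole incoming path.

```powershell
# Added example: local model of the "override back-end path" behaviour documented
# in the tables above. The prefix-stripping interpretation is an assumption drawn
# from those tables, not a statement of the gateway's implementation.
function Get-ForwardedBackendPath {
    param(
        [Parameter(Mandatory)] [string] $IncomingPath,
        [Parameter(Mandatory)] [string] $OverridePath,
        [string] $PathRule = ""          # empty for a basic request-routing rule
    )
    $remainder = $IncomingPath
    if ($PathRule) {
        # "/pathrule*" matches anything starting with "/pathrule"; "/pathrule/" is exact.
        $literal = $PathRule.TrimEnd('*')
        if ($IncomingPath.StartsWith($literal, [System.StringComparison]::Ordinal)) {
            $remainder = $IncomingPath.Substring($literal.Length)
        }
    }
    # Join with exactly one '/' so "/override/" + "/home/" gives "/override/home/".
    return $OverridePath.TrimEnd('/') + '/' + $remainder.TrimStart('/')
}

# The rows of the two tables above: original request, path rule, expected result.
$cases = @(
    @{ In = "/home/";                     Rule = "";                Expected = "/override/home/" },
    @{ In = "/home/secondhome/";          Rule = "";                Expected = "/override/home/secondhome/" },
    @{ In = "/pathrule/home/";            Rule = "/pathrule*";      Expected = "/override/home/" },
    @{ In = "/pathrule/home/secondhome/"; Rule = "/pathrule*";      Expected = "/override/home/secondhome/" },
    @{ In = "/home/";                     Rule = "/pathrule*";      Expected = "/override/home/" },
    @{ In = "/home/secondhome/";          Rule = "/pathrule*";      Expected = "/override/home/secondhome/" },
    @{ In = "/pathrule/home/";            Rule = "/pathrule/home*"; Expected = "/override/" },
    @{ In = "/pathrule/home/secondhome/"; Rule = "/pathrule/home*"; Expected = "/override/secondhome/" },
    @{ In = "/pathrule/";                 Rule = "/pathrule/";      Expected = "/override/" }
)

$failures = 0
foreach ($c in $cases) {
    $got = Get-ForwardedBackendPath -IncomingPath $c.In -OverridePath "/override/" -PathRule $c.Rule
    $ok  = $got -eq $c.Expected
    if (-not $ok) { $failures++ }
    "{0,-5} {1,-28} rule={2,-16} -> {3}" -f $(if ($ok) { "ok" } else { "FAIL" }), $c.In, $c.Rule, $got
}
"Mismatches against the documented tables: $failures"
```

Run the script with your own override path and path rules to see what the back end will receive before changing the HTTP setting.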

Use for app service

This is a UI-only shortcut that selects the two required settings for the Azure App Service back end. It enables pick host name from back-end address, and it creates a new custom probe if you don't have one already. (For more information, see the Pick host name from back-end address setting section of this article.) A new probe is created, and the probe header is picked from the back-end member's address.

Use custom probe

This setting associates a custom probe with an HTTP setting. You can associate only one custom probe with an HTTP setting. If you don't explicitly associate a custom probe, the default probe is used to monitor the health of the back end. We recommend that you create a custom probe for greater control over the health monitoring of your back ends.

Note

The custom probe doesn't monitor the health of the back-end pool unless the corresponding HTTP setting is explicitly associated with a listener.

Pick host name from back-end address

This capability dynamically sets the host header in the request to the host name of the back-end pool. It uses an IP address or FQDN.

This feature helps when the domain name of the back end is different from the DNS name of the application gateway, and the back end relies on a specific host header to resolve to the correct endpoint.

An example case is multi-tenant services as the back end. An app service is a multi-tenant service that uses a shared space with a single IP address. So, an app service can only be accessed through the hostnames that are configured in the custom domain settings.

By default, the custom domain name is example.chinacloudsites.cn. To access your app service by using an application gateway through a hostname that's not explicitly registered in the app service or through the application gateway's FQDN, you override the hostname in the original request to the app service's hostname. To do this, enable the pick host name from back-end address setting.

For a custom domain whose existing custom DNS name is mapped to the app service, you don't have to enable this setting.

Note

This setting is not required for App Service Environment, which is a dedicated deployment.

Host name override

This capability replaces the host header in the incoming request on the application gateway with the host name that you specify.

For example, if www.contoso.com is specified in the Host name setting, the original request https://appgw.chinanorth.chinacloudapp.cn/path1 is changed to https://www.contoso.com/path1 when the request is forwarded to the back-end server.

Back-end pool

You can point a back-end pool to four types of back-end members: a specific virtual machine, a virtual machine scale set, an IP address/FQDN, or an app service. Each back-end pool can point to multiple members of the same type. Pointing to members of different types in the same back-end pool isn't supported.

After you create a back-end pool, you must associate it with one or more request-routing rules. You must also configure health probes for each back-end pool on your application gateway. When a request-routing rule condition is met, the application gateway forwards the traffic to the healthy servers (as determined by the health probes) in the corresponding back-end pool.

Health probes

An application gateway monitors the health of all resources in its back end by default. But we strongly recommend that you create a custom probe for each back-end HTTP setting to get greater control over health monitoring. To learn how to configure a custom probe, see Custom health probe settings.

Note

After you create a custom health probe, you need to associate it to a back-end HTTP setting. A custom probe won't monitor the health of the back-end pool unless the corresponding HTTP setting is explicitly associated with a listener using a rule.

Next steps

Now that you know about Application Gateway components, you can: