Application Gateway configuration overview

Azure Application Gateway consists of several components that you can configure in various ways for different scenarios. This article shows you how to configure each component.

Figure: Application Gateway component flow chart

This image illustrates an application that has three listeners. The first two are multi-site listeners for http://acme.com/* and http://fabrikam.com/*, respectively. Both listen on port 80. The third is a basic listener that has end-to-end Transport Layer Security (TLS) termination, previously known as Secure Sockets Layer (SSL) termination.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Azure virtual network and dedicated subnet

An application gateway is a dedicated deployment in your virtual network. Within your virtual network, a dedicated subnet is required for the application gateway. You can have multiple instances of a given application gateway deployment in a subnet. You can also deploy other application gateways in the subnet. But you can't deploy any other resource in the application gateway subnet.

Note

You can't mix Standard_v2 and Standard Azure Application Gateway on the same subnet.

Size of the subnet

Application Gateway uses one private IP address per instance, plus another private IP address if a private front-end IP is configured.

Azure also reserves five IP addresses in each subnet for internal use: the first four and the last IP address. For example, consider 15 application gateway instances with no private front-end IP. You need at least 20 IP addresses for this subnet: five for internal use and 15 for the application gateway instances. So, you need a /27 subnet size or larger.

Consider a subnet that has 27 application gateway instances and an IP address for a private front-end IP. In this case, you need 33 IP addresses: 27 for the application gateway instances, one for the private front end, and five for internal use. So, you need a /26 subnet size or larger.

We recommend that you use a subnet size of at least /28. This size gives you 11 usable IP addresses. If your application load requires more than 10 Application Gateway instances, consider a /27 or /26 subnet size.

Network security groups on the Application Gateway subnet

Network security groups (NSGs) are supported on Application Gateway. But there are some restrictions:

  • You must allow incoming traffic on TCP ports 65503-65534 for the Application Gateway v1 SKU, and on TCP ports 65200-65535 for the v2 SKU, with the destination subnet as Any and the source as the GatewayManager service tag. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. External entities, including the customers of those gateways, can't communicate on these endpoints.

  • Outbound internet connectivity can't be blocked. Default outbound rules in the NSG allow internet connectivity. We recommend that you:

    • Don't remove the default outbound rules.
    • Don't create other outbound rules that deny any outbound connectivity.
  • Traffic from the AzureLoadBalancer tag must be allowed.

Allow Application Gateway access to a few source IPs

For this scenario, use NSGs on the Application Gateway subnet. Put the following restrictions on the subnet in this order of priority:

  1. Allow incoming traffic from a source IP or IP range, with the destination as the entire Application Gateway subnet address range and the destination port as your inbound access port, for example, port 80 for HTTP access.
  2. Allow incoming requests from the GatewayManager service tag as the source, with the destination as Any and destination ports 65503-65534 for the Application Gateway v1 SKU, or 65200-65535 for the v2 SKU, for back-end health status communication. This port range is required for Azure infrastructure communication. These ports are protected (locked down) by Azure certificates. Without appropriate certificates in place, external entities can't initiate changes on those endpoints.
  3. Allow incoming Azure Load Balancer probes (AzureLoadBalancer tag) and inbound virtual network traffic (VirtualNetwork tag) on the network security group.
  4. Block all other incoming traffic by using a deny-all rule.
  5. Allow outbound traffic to the internet for all destinations.
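The five restrictions above, written out as an added Azure PowerShell (Az module) example; this is not code from the page or from Microsoft. It assumes a resource group rg-appgw, a virtual network vnet-hub with a dedicated subnet snet-appgw, a v2 SKU gateway and a trusted client range 203.0.113.0/24 (all hypothetical names and ranges). For a v1 SKU, change the infrastructure port range to 65503-65534.

```powershell
# Added example: lock down the Application Gateway subnet with an NSG.
# Resource names, the client range and the v2 SKU are assumptions.
$rg             = 'rg-appgw'
$location       = 'eastus'
$vnetName       = 'vnet-hub'
$subnetName     = 'snet-appgw'
$trustedClients = '203.0.113.0/24'   # constructed example range
$infraPorts     = '65200-65535'      # v2 SKU; use '65503-65534' for v1

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

$rules = @(
    # 1. Only the trusted client range may reach the listener port, and only
    #    with the whole gateway subnet as the destination.
    New-AzNetworkSecurityRuleConfig -Name 'AllowTrustedClientsHttp' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $trustedClients -SourcePortRange '*' `
        -DestinationAddressPrefix $subnet.AddressPrefix -DestinationPortRange 80

    # 2. Azure control plane (GatewayManager) for back-end health communication.
    New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManager' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $infraPorts

    # 3. Azure Load Balancer probes and intra-VNet traffic. These must be
    #    re-allowed explicitly because the deny-all in step 4 sits above the
    #    built-in 65000+ default rules that would otherwise permit them.
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureLoadBalancer' -Priority 120 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix 'AzureLoadBalancer' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    New-AzNetworkSecurityRuleConfig -Name 'AllowVirtualNetwork' -Priority 130 `
        -Direction Inbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'

    # 4. Deny everything else inbound.
    New-AzNetworkSecurityRuleConfig -Name 'DenyAllInbound' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'

    # 5. Outbound to the Internet stays open; never add an outbound deny here.
    New-AzNetworkSecurityRuleConfig -Name 'AllowInternetOutbound' -Priority 100 `
        -Direction Outbound -Access Allow -Protocol '*' `
        -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-appgw' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Associate the NSG with the dedicated Application Gateway subnet. If the subnet
# already has a route table, pass it as well (-RouteTable) or it is dropped.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: list the effective rule order and then confirm back-end health is not Unknown.
Get-AzNetworkSecurityGroup -Name 'nsg-appgw' -ResourceGroupName $rg |
    Get-AzNetworkSecurityRuleConfig |
    Sort-Object Direction, Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

The deny-all at priority 4000 overrides the default AllowVnetInBound and AllowAzureLoadBalancerInBound rules, which is why steps 2 and 3 are written out rather than left to the defaults. After applying, verify the gateway's back-end health view does not show Unknown, which is the usual symptom of blocking the GatewayManager range.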

User-defined routes supported on the Application Gateway subnet

Important

Using UDRs on the Application Gateway subnet might cause the health status in the back-end health view to appear as Unknown. It also might cause generation of Application Gateway logs and metrics to fail. We recommend that you don't use UDRs on the Application Gateway subnet so that you can view the back-end health, logs, and metrics.

  • v1

    For the v1 SKU, user-defined routes (UDRs) are supported on the Application Gateway subnet, as long as they don't alter end-to-end request/response communication. For example, you can set up a UDR in the Application Gateway subnet to point to a firewall appliance for packet inspection. But you must make sure that the packet can reach its intended destination after inspection. Failure to do so might result in incorrect health-probe or traffic-routing behavior. This includes learned routes or default 0.0.0.0/0 routes that are propagated by Azure ExpressRoute or VPN gateways in the virtual network.

  • v2

    For the v2 SKU, there are supported and unsupported scenarios:

    v2 supported scenarios

    Warning

    An incorrect configuration of the route table could result in asymmetrical routing in Application Gateway v2. Ensure that all management/control plane traffic is sent directly to the Internet and not through a virtual appliance. Logging and metrics could also be affected.

    Scenario 1: UDR to disable Border Gateway Protocol (BGP) route propagation to the Application Gateway subnet

    Sometimes the default gateway route (0.0.0.0/0) is advertised via the ExpressRoute or VPN gateways associated with the Application Gateway virtual network. This breaks management plane traffic, which requires a direct path to the Internet. In such scenarios, a UDR can be used to disable BGP route propagation.

    To disable BGP route propagation, use the following steps:

    1. Create a Route Table resource in Azure.
    2. Disable the Virtual network gateway route propagation parameter.
    3. Associate the Route Table to the appropriate subnet.

    Enabling the UDR for this scenario shouldn't break any existing setups.

    Scenario 2: UDR to direct 0.0.0.0/0 to the Internet

    You can create a UDR to send 0.0.0.0/0 traffic directly to the Internet.
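Scenarios 1 and 2 combined in one route table, as an added Azure PowerShell example (not code from the page or from Microsoft). It assumes a v2 gateway in subnet snet-appgw of vnet-hub in resource group rg-appgw; all names are hypothetical.

```powershell
# Added example: route table for the Application Gateway v2 subnet that
# (1) stops the ExpressRoute/VPN-advertised 0.0.0.0/0 from being learned by the
# subnet and (2) pins 0.0.0.0/0 to the Internet so control-plane traffic keeps a
# direct path. Resource names are assumptions.
$rg         = 'rg-appgw'
$location   = 'eastus'
$vnetName   = 'vnet-hub'
$subnetName = 'snet-appgw'

# Scenario 1: the route table is created with virtual network gateway route
# propagation disabled ("Disable BGP route propagation" in the portal).
$rt = New-AzRouteTable -Name 'rt-appgw' -ResourceGroupName $rg -Location $location `
    -DisableBgpRoutePropagation

# Scenario 2: explicit default route to the Internet. The next hop is Internet,
# never a virtual appliance, which is the unsupported case for v2.
Add-AzRouteConfig -RouteTable $rt -Name 'DefaultToInternet' `
    -AddressPrefix '0.0.0.0/0' -NextHopType Internet | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Associate with the dedicated Application Gateway subnet. If the subnet already
# has an NSG, pass it too (-NetworkSecurityGroup) so the association is kept.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the only route should be 0.0.0.0/0 -> Internet, with propagation disabled.
$applied = Get-AzRouteTable -Name 'rt-appgw' -ResourceGroupName $rg
$applied | Format-List Name, DisableBgpRoutePropagation
$applied.Routes | Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

After the association, confirm that the back-end health view no longer reports Unknown and that diagnostic logs resume; both depend on the gateway instances reaching the control plane over the Internet path this table restores.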

    Scenario 3: UDR for Azure Kubernetes Service with kubenet

    If you're using kubenet with Azure Kubernetes Service (AKS) and Application Gateway Ingress Controller (AGIC), you'll need a route table to allow traffic sent to the pods from Application Gateway to be routed to the correct node. This isn't necessary if you use Azure CNI.

    To use the route table to allow kubenet to work, follow these steps:

    1. Go to the resource group created by AKS (its name should begin with "MC_").
    2. Find the route table created by AKS in that resource group. The route table should be populated with the following information:
      • The address prefix should be the IP range of the pods you want to reach in AKS.
      • The next hop type should be Virtual Appliance.
      • The next hop address should be the IP address of the node hosting the pods.
    3. Associate this route table to the Application Gateway subnet.

    v2 unsupported scenarios

    Scenario 1: UDR for virtual appliances

    Any scenario where 0.0.0.0/0 needs to be redirected through any virtual appliance, a hub/spoke virtual network, or on-premises (forced tunneling) isn't supported for v2.

Front-end IP

You can configure the application gateway to have a public IP address, a private IP address, or both. A public IP is required when you host a back end that clients must access over the internet via an internet-facing virtual IP (VIP).

A public IP isn't required for an internal endpoint that's not exposed to the internet. That's known as an internal load-balancer (ILB) endpoint or private front-end IP. An application gateway ILB is useful for internal line-of-business applications that aren't exposed to the internet. It's also useful for services and tiers in a multi-tier application within a security boundary that aren't exposed to the internet but that require round-robin load distribution, session stickiness, or TLS termination.

At most one public IP address and one private IP address are supported. You choose the front-end IP when you create the application gateway.

  • For a public IP, you can create a new public IP address or use an existing public IP in the same location as the application gateway. For more information, see static vs. dynamic public IP address.

  • For a private IP, you can specify a private IP address from the subnet where the application gateway is created. If you don't specify one, an arbitrary IP address is automatically selected from the subnet. The IP address type that you select (static or dynamic) can't be changed later. For more information, see Create an application gateway with an internal load balancer.

A front-end IP address is associated with a listener, which checks for incoming requests on the front-end IP.

Listeners

A listener is a logical entity that checks for incoming connection requests by using the port, protocol, host, and IP address. When you configure the listener, you must enter values for these that match the corresponding values in the incoming request on the gateway.

When you create an application gateway by using the Azure portal, you also create a default listener by choosing the protocol and port for the listener. You can choose whether to enable HTTP2 support on the listener. After you create the application gateway, you can edit the settings of that default listener (appGatewayHttpListener) or create new listeners.

Listener type

When you create a new listener, you choose between basic and multi-site.

  • If you want all of your requests (for any domain) to be accepted and forwarded to back-end pools, choose basic. Learn how to create an application gateway with a basic listener.

  • If you want to forward requests to different back-end pools based on the host header or hostname, choose multi-site listener, where you must also specify a hostname that matches the incoming request. This is because Application Gateway relies on HTTP 1.1 host headers to host more than one website on the same public IP address and port.

Order of processing listeners

For the v1 SKU, requests are matched according to the order of the rules and the type of listener. If a rule with a basic listener comes first in the order, it's processed first and will accept any request for that port and IP combination. To avoid this, configure the rules with multi-site listeners first and push the rule with the basic listener to the last in the list.

For the v2 SKU, multi-site listeners are processed before basic listeners.

Front-end IP

Choose the front-end IP address that you plan to associate with this listener. The listener will listen for incoming requests on this IP.

Front-end port

Choose the front-end port. Select an existing port or create a new one. Choose any value from the allowed range of ports. You can use not only well-known ports, such as 80 and 443, but any allowed custom port that's suitable. A port can be used for public-facing listeners or private-facing listeners.

Protocol

Choose HTTP or HTTPS:

  • If you choose HTTP, the traffic between the client and the application gateway is unencrypted.

  • Choose HTTPS if you want TLS termination or end-to-end TLS encryption. The traffic between the client and the application gateway is encrypted, and the TLS connection terminates at the application gateway. If you want end-to-end TLS encryption, you must choose HTTPS and configure the back-end HTTP setting. This ensures that traffic is re-encrypted when it travels from the application gateway to the back end.

To configure TLS termination and end-to-end TLS encryption, you must add a certificate to the listener to enable the application gateway to derive a symmetric key. This is dictated by the TLS protocol specification. The symmetric key is used to encrypt and decrypt the traffic that's sent to the gateway. The gateway certificate must be in Personal Information Exchange (PFX) format. This format lets you export the private key that the gateway uses to encrypt and decrypt traffic.

Supported certificates

See certificates supported for TLS termination.

Additional protocol support

HTTP2 support

HTTP/2 protocol support is available only for clients that connect to application gateway listeners. The communication to back-end server pools is over HTTP/1.1. By default, HTTP/2 support is disabled. The following Azure PowerShell code snippet shows how to enable it:

# Fetch the gateway object, set the flag, then write the object back.
# Nothing changes on the gateway until Set-AzApplicationGateway runs.
$gw = Get-AzApplicationGateway -Name test -ResourceGroupName hm
$gw.EnableHttp2 = $true
Set-AzApplicationGateway -ApplicationGateway $gw

WebSocket support

WebSocket support is enabled by default. There's no user-configurable setting to enable or disable it. You can use WebSockets with both HTTP and HTTPS listeners.

Custom error pages

You can define custom error pages at the global level or the listener level. But creating global-level custom error pages from the Azure portal is currently not supported. You can configure a custom error page for a 403 web application firewall error or a 502 maintenance page at the listener level. You must also specify a publicly accessible blob URL for the given error status code. For more information, see Create Application Gateway custom error pages.

Figure: Application Gateway error codes

To configure a global custom error page, see Azure PowerShell configuration.

TLS policy

You can centralize TLS/SSL certificate management and reduce encryption-decryption overhead for a back-end server farm. Centralized TLS handling also lets you specify a central TLS policy that's suited to your security requirements. You can choose a default, predefined, or custom TLS policy.

You configure the TLS policy to control TLS protocol versions. You can configure an application gateway to use a minimum protocol version for TLS handshakes from TLS1.0, TLS1.1, and TLS1.2. By default, SSL 2.0 and 3.0 are disabled and aren't configurable. For more information, see Application Gateway TLS policy overview.
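Inspecting and tightening the policy with the Az module, as an added example that is not code from the page or from Microsoft. The gateway name appgw-prod and resource group rg-appgw are assumptions; the predefined policy name and cipher-suite strings are the ones Application Gateway publishes for its TLS policies.

```powershell
# Added example: inspect and harden the gateway's TLS policy. Names are assumptions.
$gw = Get-AzApplicationGateway -Name 'appgw-prod' -ResourceGroupName 'rg-appgw'

# Current policy. A gateway left on the default policy (AppGwSslPolicy20150501)
# still negotiates TLS 1.0 and 1.1 with clients.
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw |
    Format-List PolicyType, PolicyName, MinProtocolVersion, CipherSuites

$useCustomPolicy = $false   # flip to $true to use the explicit cipher list below

if (-not $useCustomPolicy) {
    # Predefined policy that enforces TLS 1.2 as the minimum version.
    $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
        -PolicyType Predefined -PolicyName 'AppGwSslPolicy20170401S'
}
else {
    # Custom policy: TLS 1.2 minimum and only forward-secret AEAD suites.
    $gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
        -PolicyType Custom -MinProtocolVersion TLSv1_2 `
        -CipherSuite 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
                     'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                     'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
}

# Nothing takes effect until the gateway object is written back.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Verify what was applied.
Get-AzApplicationGatewaySslPolicy -ApplicationGateway $gw |
    Format-List PolicyType, PolicyName, MinProtocolVersion, CipherSuites
```

Get-AzApplicationGatewayAvailableSslOptions lists the predefined policies and the cipher suites the service accepts, which is the reference to check before writing a custom list; a suite name the service does not know is rejected at Set-AzApplicationGateway time.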

After you create a listener, you associate it with a request-routing rule. That rule determines how requests that are received on the listener are routed to the back end.

Request routing rules

When you create an application gateway by using the Azure portal, you create a default rule (rule1). This rule binds the default listener (appGatewayHttpListener) with the default back-end pool (appGatewayBackendPool) and the default back-end HTTP settings (appGatewayBackendHttpSettings). After you create the gateway, you can edit the settings of the default rule or create new rules.

Rule type

When you create a rule, you choose between basic and path-based.

  • Choose basic if you want to forward all requests on the associated listener (for example, blog.contoso.com/*) to a single back-end pool.
  • Choose path-based if you want to route requests from specific URL paths to specific back-end pools. The path pattern is applied only to the path of the URL, not to its query parameters.

Order of processing rules

For the v1 SKU, pattern matching of incoming requests is processed in the order that the paths are listed in the URL path map of the path-based rule. If a request matches the pattern in two or more paths in the path map, the path that's listed first is matched, and the request is forwarded to the back end that's associated with that path.

For the v2 SKU, an exact match has higher priority than path order in the URL path map. If a request matches the pattern in two or more paths, the request is forwarded to the back end that's associated with the path that exactly matches the request. If the path in the incoming request doesn't exactly match any path in the map, pattern matching of the request is processed in the path map order list for the path-based rule.

Associated listener

Associate a listener to the rule so that the request-routing rule that's associated with the listener is evaluated to determine the back-end pool to route the request to.

Associated back-end pool

Associate to the rule the back-end pool that contains the back-end targets that serve requests that the listener receives.

  • For a basic rule, only one back-end pool is allowed. All requests on the associated listener are forwarded to that back-end pool.

  • For a path-based rule, add multiple back-end pools that correspond to each URL path. The requests that match the URL path that's entered are forwarded to the corresponding back-end pool. Also, add a default back-end pool. Requests that don't match any URL path in the rule are forwarded to that pool.
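A path-based rule with two path rules and the mandatory default pool, as an added Azure PowerShell example (not code from the page or from Microsoft). It assumes an existing gateway appgw-prod in rg-appgw with a listener listener-https, an HTTP setting appGatewayBackendHttpSettings and back-end pools pool-web, pool-api and pool-images; all of these names are hypothetical.

```powershell
# Added example: route /api/* and /images/* to dedicated pools and everything
# else to a default pool. All resource names are assumptions.
$gw = Get-AzApplicationGateway -Name 'appgw-prod' -ResourceGroupName 'rg-appgw'

$listener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https'
$settings = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name 'appGatewayBackendHttpSettings'
$webPool  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'pool-web'
$apiPool  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'pool-api'
$imgPool  = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name 'pool-images'

# One path rule per URL path. Patterns apply to the path only, never to the
# query string, so /api/v1/users?x=1 still matches '/api/*'.
$apiRule = New-AzApplicationGatewayPathRuleConfig -Name 'api' -Paths '/api/*' `
    -BackendAddressPool $apiPool -BackendHttpSettings $settings
$imgRule = New-AzApplicationGatewayPathRuleConfig -Name 'images' -Paths '/images/*' `
    -BackendAddressPool $imgPool -BackendHttpSettings $settings

# The URL path map carries the path rules plus the default pool/settings used
# for any request that matches none of them. On v1 the order of -PathRules is
# the match order, so list the more specific paths first.
$gw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'pathmap-main' `
    -PathRules $apiRule, $imgRule `
    -DefaultBackendAddressPool $webPool -DefaultBackendHttpSettings $settings
$pathMap = Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'pathmap-main'

# Bind listener and path map with a PathBasedRouting rule.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name 'rule-path-based' `
    -RuleType PathBasedRouting -HttpListener $listener -UrlPathMap $pathMap

$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: confirm the path map and its rules were stored as intended.
(Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name 'pathmap-main').PathRules |
    Format-Table Name, Paths
```

On v2 gateways with recent Az.Network versions, Add-AzApplicationGatewayRequestRoutingRule also takes a -Priority value that orders rules; add it if the cmdlet reports the parameter as required.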

Associated back-end HTTP setting

Add a back-end HTTP setting for each rule. Requests are routed from the application gateway to the back-end targets by using the port number, protocol, and other information that's specified in this setting.

For a basic rule, only one back-end HTTP setting is allowed. All requests on the associated listener are forwarded to the corresponding back-end targets by using this HTTP setting.

For a path-based rule, add multiple back-end HTTP settings that correspond to each URL path. Requests that match the URL path in a setting are forwarded to the corresponding back-end targets by using the HTTP setting for that URL path. Also, add a default HTTP setting. Requests that don't match any URL path in this rule are forwarded to the default back-end pool by using the default HTTP setting.

Redirection setting

If redirection is configured for a basic rule, all requests on the associated listener are redirected to the target. This is global redirection. If redirection is configured for a path-based rule, only requests in a specific site area are redirected. An example is a shopping cart area that's denoted by /cart/*. This is path-based redirection.

For more information about redirects, see Application Gateway redirect overview.

Redirection type

Choose the type of redirection required: Permanent (301), Temporary (307), Found (302), or See other (303).

Redirection target

Choose another listener or an external site as the redirection target.

Listener

Choose listener as the redirection target to redirect traffic from one listener to another on the gateway. This setting is required when you want to enable HTTP-to-HTTPS redirection. It redirects traffic from the source listener that checks for incoming HTTP requests to the destination listener that checks for incoming HTTPS requests. You can also choose to include the query string and path from the original request in the request that's forwarded to the redirection target.
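HTTP-to-HTTPS redirection on an existing gateway, as an added Azure PowerShell example (not code from the page or from Microsoft). It assumes a gateway appgw-prod in rg-appgw that already has a front-end IP configuration appGatewayFrontendIP and an HTTPS listener listener-https with its certificate; every name here is hypothetical.

```powershell
# Added example: add a plain-HTTP listener whose only job is to 301 every
# request to the existing HTTPS listener. Resource names are assumptions.
$gw = Get-AzApplicationGateway -Name 'appgw-prod' -ResourceGroupName 'rg-appgw'

$feIp  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name 'appGatewayFrontendIP'
$https = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-https'

# Port 80 and the HTTP listener that will be redirected.
$gw     = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-80' -Port 80
$port80 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name 'port-80'
$gw     = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-http' `
    -Protocol Http -FrontendIPConfiguration $feIp -FrontendPort $port80
$http   = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name 'listener-http'

# Permanent (301) redirect to the HTTPS listener. Path and query string are
# preserved so that deep links keep working after the scheme upgrade.
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw `
    -Name 'redirect-http-to-https' -RedirectType Permanent `
    -TargetListener $https -IncludePath $true -IncludeQueryString $true
$redirect = Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name 'redirect-http-to-https'

# Basic rule: everything on the HTTP listener is redirected (global redirection).
# On v2 with recent Az.Network versions add -Priority <1-20000> to this call.
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw `
    -Name 'rule-http-redirect' -RuleType Basic `
    -HttpListener $http -RedirectConfiguration $redirect

$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Check: the redirect configuration should reference the HTTPS listener.
Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name 'redirect-http-to-https' |
    Format-List Name, RedirectType, IncludePath, IncludeQueryString
```

To verify from a client, request http://<gateway-host>/some/path?x=1 with redirects disabled and check for a 301 whose Location header is the https:// form of the same path and query; a 200 means the HTTP listener is still bound to a back-end rule rather than the redirect.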

Figure: Application Gateway components dialog

For more information about HTTP-to-HTTPS redirection, see:

External site

Choose external site when you want to redirect the traffic on the listener that's associated with this rule to an external site. You can choose to include the query string from the original request in the request that's forwarded to the redirection target. You can't forward the path from the original request to the external site.

For more information about redirection, see:

Rewrite HTTP headers setting

This setting adds, removes, or updates HTTP request and response headers while the request and response packets move between the client and the back-end pools. For more information, see:

HTTP settings

The application gateway routes traffic to the back-end servers by using the configuration that you specify here. After you create an HTTP setting, you must associate it with one or more request-routing rules.

Azure Application Gateway uses gateway-managed cookies for maintaining user sessions. When a user sends the first request to Application Gateway, it sets an affinity cookie in the response with a hash value that contains the session details, so that subsequent requests carrying the affinity cookie are routed to the same back-end server to maintain stickiness.

This feature is useful when you want to keep a user session on the same server and when session state is saved locally on the server for a user session. If the application can't handle cookie-based affinity, you can't use this feature. To use it, make sure that the clients support cookies.

The Chromium browser v80 update brought a mandate that HTTP cookies without a SameSite attribute have to be treated as SameSite=Lax. In the case of CORS (Cross-Origin Resource Sharing) requests, if the cookie has to be sent in a third-party context, it has to use the SameSite=None; Secure attributes and it should be sent over HTTPS only. Otherwise, in an HTTP-only scenario, the browser doesn't send the cookie in the third-party context. The goal of this update from Chrome is to enhance security and to avoid Cross-Site Request Forgery (CSRF) attacks.

To support this change, starting February 17, 2020, Application Gateway (all SKU types) injects another cookie called ApplicationGatewayAffinityCORS in addition to the existing ApplicationGatewayAffinity cookie. The ApplicationGatewayAffinityCORS cookie has two more attributes added to it ("SameSite=None; Secure") so that sticky sessions are maintained even for cross-origin requests.

Note that the default affinity cookie name is ApplicationGatewayAffinity and you can change it. If you're using a custom affinity cookie name, an additional cookie is added with CORS as the suffix. For example, CustomCookieNameCORS.

Note

If the attribute SameSite=None is set, the cookie must also carry the Secure flag and must be sent over HTTPS. If session affinity is required over CORS, you must migrate your workload to HTTPS. Refer to the TLS offload and end-to-end TLS documentation for Application Gateway: Overview, Configure an application gateway with TLS termination using the Azure portal, and Configure end-to-end TLS by using Application Gateway with the portal.

Connection draining

Connection draining helps you gracefully remove back-end pool members during planned service updates. You can apply this setting to all members of a back-end pool during rule creation. It ensures that all deregistering instances of a back-end pool continue to maintain existing connections and serve in-flight requests for a configurable timeout, and don't receive any new requests or connections. The only exception is requests bound for deregistering instances because of gateway-managed session affinity; those continue to be forwarded to the deregistering instances. Connection draining applies to back-end instances that are explicitly removed from the back-end pool.

Protocol

Application Gateway supports both HTTP and HTTPS for routing requests to the back-end servers. If you choose HTTP, traffic between the gateway and the back-end servers is unencrypted. If unencrypted communication isn't acceptable, choose HTTPS.

Combined with an HTTPS listener, this setting gives you end-to-end TLS, so sensitive data stays encrypted all the way to the back end. Each back-end server in a pool that has end-to-end TLS enabled must be configured with a certificate to allow secure communication.

Port

This setting specifies the port on which the back-end servers listen for traffic from the application gateway. You can configure any port from 1 to 65535.

Request timeout

This setting is the number of seconds that the application gateway waits for a response from the back-end server.

Override back-end path

This setting lets you configure an optional custom forwarding path that is used when the request is forwarded to the back end. The override path replaces the part of the incoming path that the routing rule matched; whatever remains of the incoming path is appended to the override path. The following tables show how this feature works:

  • When the HTTP setting is attached to a basic request-routing rule:

    Original request             Override back-end path   Request forwarded to back end
    /home/                       /override/               /override/home/
    /home/secondhome/            /override/               /override/home/secondhome/

  • When the HTTP setting is attached to a path-based request-routing rule:

    Original request             Path rule          Override back-end path   Request forwarded to back end
    /pathrule/home/              /pathrule*         /override/               /override/home/
    /pathrule/home/secondhome/   /pathrule*         /override/               /override/home/secondhome/
    /home/                       /pathrule*         /override/               /override/home/
    /home/secondhome/            /pathrule*         /override/               /override/home/secondhome/
    /pathrule/home/              /pathrule/home*    /override/               /override/
    /pathrule/home/secondhome/   /pathrule/home*    /override/               /override/secondhome/
    /pathrule/                   /pathrule/         /override/               /override/
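The following is an added example, not code from the page or from Azure: a model of the rewrite the two tables above describe, with every row of the tables embedded as a check so the rule can be read off the code. Its assumptions are labelled: a path rule ending in "*" matches any path that starts with the text before the "*", a path rule without "*" matches only that exact path, and a query string (which the page does not discuss) is passed through unchanged.

```python
"""Added example (not Azure code): the path rewriting the two tables above describe."""
from typing import List, Optional, Tuple


def override_backend_path(original_path: str, override_path: str,
                          path_rule: Optional[str] = None) -> str:
    """Return the path forwarded to the back end.

    The override path replaces the part of the incoming path that the path rule
    matched; whatever remains of the incoming path is appended to it. With a
    basic rule (no path rule) the whole incoming path is appended.
    Assumptions: "prefix*" matches by prefix, a rule without "*" matches exactly.
    """
    rest = original_path
    if path_rule:
        if path_rule.endswith("*"):
            prefix = path_rule[:-1]
            if original_path.startswith(prefix):
                rest = original_path[len(prefix):]
        elif original_path == path_rule:
            rest = ""
    return override_path.rstrip("/") + "/" + rest.lstrip("/")


def forward_path(original_path_and_query: str, override_path: str,
                 path_rule: Optional[str] = None) -> str:
    """Apply the override to a path that may carry a query string.

    Assumption (not stated on the page): the query string is kept as-is.
    """
    path, sep, query = original_path_and_query.partition("?")
    return override_backend_path(path, override_path, path_rule) + sep + query


# The rows of the two tables on this page as (original, path rule, override, expected).
TABLE_ROWS: List[Tuple[str, Optional[str], str, str]] = [
    ("/home/", None, "/override/", "/override/home/"),
    ("/home/secondhome/", None, "/override/", "/override/home/secondhome/"),
    ("/pathrule/home/", "/pathrule*", "/override/", "/override/home/"),
    ("/pathrule/home/secondhome/", "/pathrule*", "/override/", "/override/home/secondhome/"),
    ("/home/", "/pathrule*", "/override/", "/override/home/"),
    ("/home/secondhome/", "/pathrule*", "/override/", "/override/home/secondhome/"),
    ("/pathrule/home/", "/pathrule/home*", "/override/", "/override/"),
    ("/pathrule/home/secondhome/", "/pathrule/home*", "/override/", "/override/secondhome/"),
    ("/pathrule/", "/pathrule/", "/override/", "/override/"),
]


def mismatches() -> List[Tuple[str, str, str]]:
    """Rows where the model disagrees with the page's tables: (original, expected, got)."""
    bad: List[Tuple[str, str, str]] = []
    for original, rule, override, expected in TABLE_ROWS:
        got = override_backend_path(original, override, rule)
        if got != expected:
            bad.append((original, expected, got))
    return bad


if __name__ == "__main__":
    for original, rule, override, expected in TABLE_ROWS:
        got = override_backend_path(original, override, rule)
        print(f"{original:28} {str(rule):18} {override:12} -> {got}")
    print("mismatches:", mismatches())
```

Before relying on an override in production, run your own expected rewrites through this model and then confirm them against the real gateway; a wrong override silently exposes a different back-end path than the one you reviewed.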

Use for app service

This is a UI-only shortcut that selects the two settings required for an Azure App Service back end. It enables Pick host name from back-end address and creates a new custom probe if you don't have one already. (For more information, see the Pick host name from back-end address section of this article.) The new probe takes its host header from the back-end member's address.

Use custom probe

This setting associates a custom probe with an HTTP setting. You can associate only one custom probe with an HTTP setting. If you don't explicitly associate a custom probe, the default probe is used to monitor the health of the back end. We recommend that you create a custom probe for greater control over back-end health monitoring.

Note

The custom probe doesn't monitor the health of the back-end pool unless the corresponding HTTP setting is explicitly associated with a listener.

Pick host name from back-end address

This capability dynamically sets the Host header of the forwarded request to the host name of the back-end pool member, which is an IP address or an FQDN.

It helps when the domain name of the back end differs from the DNS name of the application gateway and the back end relies on a specific Host header to resolve to the correct endpoint.

Multi-tenant services as the back end are the typical case. An app service is a multi-tenant service that shares a single IP address with other tenants, so it can only be reached through the host names configured in its custom domain settings.

By default, that custom domain name is example.chinacloudsites.cn. To reach your app service through the application gateway by using a host name that isn't explicitly registered in the app service, or through the application gateway's FQDN, you override the host name in the original request with the app service's host name. To do this, enable the Pick host name from back-end address setting.

For a custom domain whose existing custom DNS name is mapped to the app service, you don't have to enable this setting.

Note

This setting is not required for App Service Environment, which is a dedicated deployment.

Host name override

This capability replaces the Host header of the incoming request on the application gateway with the host name that you specify.

For example, if www.contoso.com is specified in the Host name setting, the original request https://appgw.chinanorth2.chinacloudapp.cn/path1 is forwarded to the back-end server as https://www.contoso.com/path1.

Back-end pool

You can point a back-end pool to four types of back-end member: a specific virtual machine, a virtual machine scale set, an IP address or FQDN, or an app service.

After you create a back-end pool, you must associate it with one or more request-routing rules. You must also configure health probes for each back-end pool on your application gateway. When a request-routing rule's condition is met, the application gateway forwards the traffic to the healthy servers (as determined by the health probes) in the corresponding back-end pool.

Health probes

By default, an application gateway monitors the health of all resources in its back end. But we strongly recommend that you create a custom probe for each back-end HTTP setting to get greater control over health monitoring. To learn how to configure a custom probe, see Custom health probe settings.

Note

After you create a custom health probe, you need to associate it with a back-end HTTP setting. A custom probe won't monitor the health of the back-end pool unless the corresponding HTTP setting is explicitly associated with a listener through a rule.

Next steps

Now that you know about the Application Gateway components, you can: