Configure an application gateway with an internal load balancer (ILB) endpoint

Azure Application Gateway can be configured with an Internet-facing VIP or with an internal endpoint that isn't exposed to the Internet. An internal endpoint uses a private IP address for the frontend, which is also known as an internal load balancer (ILB) endpoint.

Configuring the gateway with a frontend private IP address is useful for internal line-of-business applications that aren't exposed to the Internet. It's also useful for services and tiers within a multi-tier application that sit inside a security boundary not exposed to the Internet but still require round-robin load distribution, session stickiness, or Transport Layer Security (TLS) termination (TLS was previously known as Secure Sockets Layer (SSL)).

This article guides you through the steps to configure an application gateway with a frontend private IP address using the Azure portal.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Sign in to Azure

Sign in to the Azure portal at https://portal.azure.cn

Create an application gateway

For Azure to communicate between the resources that you create, it needs a virtual network. You can either create a new virtual network or use an existing one. In this example, you create a new virtual network. You can create a virtual network at the same time that you create the application gateway. Application Gateway instances are created in a separate subnet. You create two subnets in this example: one for the application gateway and another for the backend servers.

  1. Expand the portal menu and select Create a resource.

  2. Select Networking and then select Application Gateway in the Featured list.

  3. Enter myAppGateway for the name of the application gateway and myResourceGroupAG for the new resource group.

  4. For Region, select China North 2.

  5. For Tier, select Standard.

  6. Under Configure virtual network, select Create new, and then enter these values for the virtual network:

    • myVNet - for the name of the virtual network.
    • 10.0.0.0/16 - for the virtual network address space.
    • myAGSubnet - for the subnet name.
    • 10.0.0.0/24 - for the subnet address space.
    • myBackendSubnet - for the backend subnet name.
    • 10.0.1.0/24 - for the backend subnet address space.


  7. Select OK to create the virtual network and subnets.

  8. Select Next: Frontends.

  9. For Frontend IP address type, select Private.

    By default, the IP address is assigned dynamically. The first available address in the configured subnet is assigned as the frontend IP address.

    Note

    Once allocated, the IP address type (static or dynamic) can't be changed later.

  10. Select Next: Backends.

  11. Select Add a backend pool.

  12. For Name, type appGatewayBackendPool.

  13. For Add backend pool without targets, select Yes. You'll add the targets later.

  14. Select Add.

  15. Select Next: Configuration.

  16. Under Routing rules, select Add a rule.

  17. For Rule name, type Rrule-01.

  18. For Listener name, type Listener-01.

  19. For Frontend IP, select Private.

  20. Accept the remaining defaults and select the Backend targets tab.

  21. For Target type, select Backend pool, and then select appGatewayBackendPool.

  22. For HTTP setting, select Create new.

  23. For HTTP setting name, type http-setting-01.

  24. For Backend protocol, select HTTP.

  25. For Backend port, type 80.

  26. Accept the remaining defaults, and select Add.

  27. On the Add a routing rule page, select Add.

  28. Select Next: Tags.

  29. Select Next: Review + create.

  30. Review the settings on the summary page, and then select Create to create the network resources and the application gateway. It may take several minutes to create the application gateway. Wait until the deployment finishes successfully before moving on to the next section.
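The same private-frontend gateway built with Azure PowerShell Az cmdlets instead of the portal, as an added example that is not part of the original article. It assumes the myVNet and myAGSubnet resources from the steps above already exist in myResourceGroupAG, and the static address 10.0.0.10 is an assumed value inside myAGSubnet.

```powershell
# Added example: build the ILB application gateway from the article with Az cmdlets.
# Assumes myVNet / myAGSubnet from the portal steps already exist in myResourceGroupAG.
Connect-AzAccount -Environment AzureChinaCloud

$rg       = 'myResourceGroupAG'
$location = 'ChinaNorth2'
$vnet     = Get-AzVirtualNetwork -Name 'myVNet' -ResourceGroupName $rg
$agSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'myAGSubnet' -VirtualNetwork $vnet

# Gateway instances live in their own subnet, separate from the backend VMs.
$gipConfig = New-AzApplicationGatewayIPConfiguration -Name 'appGatewayIpConfig' -Subnet $agSubnet

# Private (ILB) frontend: no public IP is attached, so the listener is reachable only
# from inside the VNet or from networks connected to it. -PrivateIPAddress pins a static
# address (assumed value 10.0.0.10); omit it to take the first free address dynamically,
# as the portal steps do. Remember the allocation type cannot be changed afterwards.
$frontendIp = New-AzApplicationGatewayFrontendIPConfig -Name 'appGatewayFrontendIP' `
    -Subnet $agSubnet -PrivateIPAddress '10.0.0.10'
$frontendPort = New-AzApplicationGatewayFrontendPort -Name 'appGatewayFrontendPort' -Port 80

# Empty backend pool; the VM NICs are added later, as in the article.
$pool = New-AzApplicationGatewayBackendAddressPool -Name 'appGatewayBackendPool'
$httpSetting = New-AzApplicationGatewayBackendHttpSetting -Name 'http-setting-01' `
    -Port 80 -Protocol Http -CookieBasedAffinity Disabled

$listener = New-AzApplicationGatewayHttpListener -Name 'Listener-01' -Protocol Http `
    -FrontendIPConfiguration $frontendIp -FrontendPort $frontendPort
$rule = New-AzApplicationGatewayRequestRoutingRule -Name 'Rrule-01' -RuleType Basic `
    -HttpListener $listener -BackendAddressPool $pool -BackendHttpSettings $httpSetting

# Standard tier, two instances for availability.
$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2

New-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName $rg -Location $location `
    -GatewayIPConfigurations $gipConfig -FrontendIPConfigurations $frontendIp `
    -FrontendPorts $frontendPort -BackendAddressPools $pool `
    -BackendHttpSettingsCollection $httpSetting -HttpListeners $listener `
    -RequestRoutingRules $rule -Sku $sku
```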

Add backend pool

The backend pool is used to route requests to the backend servers that serve the request. The backend can be composed of NICs, virtual machine scale sets, public IP addresses, internal IP addresses, fully qualified domain names (FQDN), and multi-tenant backends such as Azure App Service. In this example, you use virtual machines as the target backend. You can either use existing virtual machines or create new ones. In this example, you create two virtual machines that Azure uses as backend servers for the application gateway.

To do this, you:

  1. Create two new virtual machines, myVM and myVM2, used as backend servers.
  2. Install IIS on the virtual machines to verify that the application gateway was created successfully.
  3. Add the backend servers to the backend pool.

Create a virtual machine

  1. Select Create a resource.
  2. Select Compute and then select Virtual machine.
  3. Enter these values for the virtual machine:
    • For Resource group, select myResourceGroupAG.
    • myVM - for Virtual machine name.
    • For Image, select Windows Server 2019 Datacenter.
    • A valid Username.
    • A valid Password.
  4. Accept the remaining defaults and select Next: Disks.
  5. Accept the defaults and select Next: Networking.
  6. Make sure that myVNet is selected for the virtual network and the subnet is myBackendSubnet.
  7. Accept the remaining defaults, and select Next: Management.
  8. Select Off to disable boot diagnostics.
  9. Accept the remaining defaults, and select Next: Advanced.
  10. Select Next: Tags.
  11. Select Next: Review + create.
  12. Review the settings on the summary page, and then select Create. It may take several minutes to create the VM. Wait until the deployment finishes successfully before moving on to the next section.

Install IIS

  1. Open PowerShell and sign in to Azure with your subscription.

    Connect-AzAccount -Environment AzureChinaCloud

  2. Run the following command to install IIS on the virtual machine:

    # Runs the Custom Script Extension on myVM: installs the Web-Server role and writes
    # the VM's computer name to the default page so you can tell the backends apart later.
    Set-AzVMExtension `
      -ResourceGroupName myResourceGroupAG `
      -ExtensionName IIS `
      -VMName myVM `
      -Publisher Microsoft.Compute `
      -ExtensionType CustomScriptExtension `
      -TypeHandlerVersion 1.4 `
      -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server; powershell Add-Content -Path \"C:\\inetpub\\wwwroot\\Default.htm\" -Value $($env:computername)"}' `
      -Location ChinaNorth2

  3. Create a second virtual machine and install IIS using the steps that you just finished. Enter myVM2 for its name and for VMName in Set-AzVMExtension.

Add backend servers to backend pool

  1. Select All resources, and then select myAppGateway.
  2. Select Backend pools. Select appGatewayBackendPool.
  3. Under Target type, select Virtual machine, and under Target, select the vNIC associated with myVM.
  4. Repeat to add myVM2.
  5. Select Save.

Test the application gateway

  1. Check the frontend IP that was assigned by opening the Frontend IP configurations page in the portal.
  2. Copy the private IP address, then paste it into the browser address bar on a VM in the same VNet, or on an on-premises machine that has connectivity to this VNet, and try to access the application gateway.
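A scripted version of this test, as an added example that is not part of the original article: it runs on a machine with connectivity to myVNet, checks that both backends answer through the private frontend, confirms the gateway has no public frontend attached, and reads the gateway's own backend health. The address 10.0.0.10 is a placeholder for the private IP shown on the Frontend IP configurations page.

```powershell
# Added example: verify the ILB gateway from a machine that can reach myVNet.
# $frontendIp is the private address copied from the Frontend IP configurations page
# (placeholder value; replace it with the address the portal shows you).
$frontendIp = '10.0.0.10'

# Default.htm on each VM contains its computer name (written by the Set-AzVMExtension step),
# so repeated requests through the round-robin rule should reveal both myVM and myVM2.
$seen = @{}
foreach ($i in 1..10) {
    $resp = Invoke-WebRequest -Uri "http://$frontendIp/" -UseBasicParsing -TimeoutSec 10
    $backend = $resp.Content.Trim()
    if ($seen.ContainsKey($backend)) { $seen[$backend]++ } else { $seen[$backend] = 1 }
}
"Backends that answered: $($seen.Keys -join ', ')"
if ($seen.Count -lt 2) {
    Write-Warning 'Only one backend answered; check the pool members and IIS on both VMs.'
}

# The control-plane checks below need an Az session (Connect-AzAccount -Environment AzureChinaCloud).
$gw = Get-AzApplicationGateway -Name 'myAppGateway' -ResourceGroupName 'myResourceGroupAG'

# An ILB gateway must expose only private frontends: flag any frontend with a public IP.
$publicFrontends = $gw.FrontendIPConfigurations | Where-Object { $_.PublicIPAddress }
if ($publicFrontends) {
    Write-Warning "Public frontend present: $($publicFrontends.Name -join ', ')"
} else {
    "All frontends are private: $(($gw.FrontendIPConfigurations | ForEach-Object PrivateIPAddress) -join ', ')"
}

# Ask the gateway which pool members pass its health probe.
$health = Get-AzApplicationGatewayBackendHealth -Name 'myAppGateway' -ResourceGroupName 'myResourceGroupAG'
foreach ($pool in $health.BackendAddressPools) {
    foreach ($settings in $pool.BackendHttpSettingsCollection) {
        foreach ($server in $settings.Servers) {
            '{0,-16} {1}' -f $server.Address, $server.Health
        }
    }
}
```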

Next steps

If you want to monitor the health of your backend, see Back-end health and diagnostic logs for Application Gateway.