Configure TLS termination with Key Vault certificates using Azure PowerShell

Azure Key Vault is a platform-managed secret store that you can use to safeguard secrets, keys, and TLS/SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the Application Gateway v2 SKU.

For more information, see TLS termination with Key Vault certificates.

This article shows you how to use an Azure PowerShell script to integrate your key vault with your application gateway for TLS/SSL termination certificates.

This article requires Azure PowerShell module version 1.0.0 or later. To find the version, run Get-Module -ListAvailable Az. If you need to upgrade, see Install Azure PowerShell module. To run the commands in this article, you also need to create a connection with Azure by running Connect-AzAccount -Environment AzureChinaCloud.

If you don't have an Azure subscription, create a Trial before you begin.

Prerequisites

Before you begin, you must have the ManagedServiceIdentity module installed:

Install-Module -Name Az.ManagedServiceIdentity
Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -Subscription <your subscription>

Example script

Set up variables

$rgname = "KeyVaultTest"
$location = "China North 2"
$kv = "<your key vault name>"
$appgwName = "AppGwKVIntegration"

Important

The key vault name must be globally unique.

Create a resource group and a user-managed identity

$resourceGroup = New-AzResourceGroup -Name $rgname -Location $location
$identity = New-AzUserAssignedIdentity -Name "appgwKeyVaultIdentity" `
  -Location $location -ResourceGroupName $rgname

Create a key vault, policy, and certificate to be used by the application gateway

$keyVault = New-AzKeyVault -Name $kv -ResourceGroupName $rgname -Location $location -EnableSoftDelete 
Set-AzKeyVaultAccessPolicy -VaultName $kv -PermissionsToSecrets get -ObjectId $identity.PrincipalId

$policy = New-AzKeyVaultCertificatePolicy -ValidityInMonths 12 `
  -SubjectName "CN=www.contoso11.com" -IssuerName self `
  -RenewAtNumberOfDaysBeforeExpiry 30
Set-AzKeyVaultAccessPolicy -VaultName $kv -EmailAddress <your email address> -PermissionsToCertificates create,get,list
$certificate = Add-AzKeyVaultCertificate -VaultName $kv -Name "cert1" -CertificatePolicy $policy
$certificate = Get-AzKeyVaultCertificate -VaultName $kv -Name "cert1"
$secretId = $certificate.SecretId.Replace($certificate.Version, "")

Note

The -EnableSoftDelete flag must be used for TLS termination to function properly. If you're configuring Key Vault soft-delete through the Portal, the retention period must be kept at 90 days, the default value. Application Gateway doesn't support a different retention period yet.

Create a virtual network

$sub1 = New-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "backendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "Vnet1" -ResourceGroupName $rgname -Location $location `
  -AddressPrefix "10.0.0.0/16" -Subnet @($sub1, $sub2)

Create a static public virtual IP (VIP) address

$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name "AppGwIP" `
  -location $location -AllocationMethod Static -Sku Standard

Create pool and front-end ports

$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "appgwSubnet" -VirtualNetwork $vnet

$gipconfig = New-AzApplicationGatewayIPConfiguration -Name "AppGwIpConfig" -Subnet $gwSubnet
$fipconfig01 = New-AzApplicationGatewayFrontendIPConfig -Name "fipconfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "pool1" `
  -BackendIPAddresses testbackend1.chinanorth2.chinacloudapp.cn, testbackend2.chinanorth2.chinacloudapp.cn
$fp01 = New-AzApplicationGatewayFrontendPort -Name "port1" -Port 443
$fp02 = New-AzApplicationGatewayFrontendPort -Name "port2" -Port 80

Point the TLS/SSL certificate to your key vault

$sslCert01 = New-AzApplicationGatewaySslCertificate -Name "SSLCert1" -KeyVaultSecretId $secretId

Create listeners, rules, and autoscale

$listener01 = New-AzApplicationGatewayHttpListener -Name "listener1" -Protocol Https `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp01 -SslCertificate $sslCert01
$listener02 = New-AzApplicationGatewayHttpListener -Name "listener2" -Protocol Http `
  -FrontendIPConfiguration $fipconfig01 -FrontendPort $fp02
$poolSetting01 = New-AzApplicationGatewayBackendHttpSetting -Name "setting1" -Port 80 `
  -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "rule1" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener01 -BackendAddressPool $pool
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "rule2" -RuleType basic `
  -BackendHttpSettings $poolSetting01 -HttpListener $listener02 -BackendAddressPool $pool
$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 3
$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2

Assign the user-managed identity to the application gateway

$appgwIdentity = New-AzApplicationGatewayIdentity -UserAssignedIdentityId $identity.Id

Create the application gateway

$appgw = New-AzApplicationGateway -Name $appgwName -Identity $appgwIdentity -ResourceGroupName $rgname `
  -Location $location -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting01 `
  -GatewayIpConfigurations $gipconfig -FrontendIpConfigurations $fipconfig01 `
  -FrontendPorts @($fp01, $fp02) -HttpListeners @($listener01, $listener02) `
  -RequestRoutingRules @($rule01, $rule02) -Sku $sku `
  -SslCertificates $sslCert01 -AutoscaleConfiguration $autoscaleConfig
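The steps above rely on three properties that are easy to get wrong and that nothing in the script checks after the fact: soft delete must be enabled on the vault, the gateway's managed identity should hold only the get permission on secrets, and the SSL certificate must be referenced by a versionless secret ID so the gateway can pick up renewed versions. The following verification function is an added example, not code from the original article or from the Azure team; it assumes the $rgname, $kv, $appgwName and $identity variables from the script above are still in the session and uses only the Get-AzKeyVault and Get-AzApplicationGateway cmdlets and the properties they return.

```powershell
# Added example (not part of the original article): post-deployment check of the
# Key Vault / Application Gateway TLS integration created by the script above.
# Assumes $rgname, $kv, $appgwName and $identity are still defined in the session.

function Test-AppGwKeyVaultIntegration {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $GatewayName,
        [Parameter(Mandatory)] [string] $IdentityPrincipalId
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Soft delete must be enabled; Application Gateway requires it for TLS termination.
    $vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroupName
    if (-not $vault.EnableSoftDelete) {
        $findings.Add("Key Vault '$VaultName' does not have soft delete enabled.")
    }

    # 2. Least privilege: the gateway identity needs only 'get' on secrets,
    #    and nothing on keys or certificates.
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $IdentityPrincipalId }
    if (-not $policy) {
        $findings.Add("Identity $IdentityPrincipalId has no access policy on '$VaultName'.")
    }
    else {
        # -ne is case-insensitive in PowerShell, so 'Get' and 'get' both pass.
        $extraSecretPerms = @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
        $hasKeyPerms      = @($policy.PermissionsToKeys).Count -gt 0
        $hasCertPerms     = @($policy.PermissionsToCertificates).Count -gt 0
        if ($extraSecretPerms.Count -gt 0 -or $hasKeyPerms -or $hasCertPerms) {
            $findings.Add("Identity $IdentityPrincipalId holds more than secrets/get on '$VaultName'.")
        }
    }

    # 3. Every SSL certificate on the gateway should come from Key Vault through a
    #    versionless secret ID (the script strips the version with .Replace(...)).
    #    A pinned ID ends in a 32-hex-digit version and would never follow a renewal.
    $appgw = Get-AzApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
    foreach ($cert in $appgw.SslCertificates) {
        if ([string]::IsNullOrEmpty($cert.KeyVaultSecretId)) {
            $findings.Add("Certificate '$($cert.Name)' is uploaded inline, not referenced from Key Vault.")
            continue
        }
        if ($cert.KeyVaultSecretId -match '/secrets/[^/]+/[0-9a-fA-F]{32}/?$') {
            $findings.Add("Certificate '$($cert.Name)' is pinned to one version; a renewed version in Key Vault will not be used.")
        }
    }

    # 4. Each HTTPS listener must carry a certificate; plaintext HTTP listeners are
    #    reported so they can be reviewed rather than silently accepted.
    foreach ($listener in $appgw.HttpListeners) {
        if ($listener.Protocol -eq 'Https' -and -not $listener.SslCertificate) {
            $findings.Add("HTTPS listener '$($listener.Name)' has no SSL certificate attached.")
        }
        elseif ($listener.Protocol -eq 'Http') {
            $findings.Add("Listener '$($listener.Name)' accepts plaintext HTTP.")
        }
    }

    return $findings
}

# Usage against the resources created above; an empty result means every check passed.
$issues = Test-AppGwKeyVaultIntegration -ResourceGroupName $rgname -VaultName $kv `
    -GatewayName $appgwName -IdentityPrincipalId $identity.PrincipalId
if ($issues.Count -eq 0) { "Key Vault integration checks passed" } else { $issues }
```

With the script exactly as written above, the only expected finding is the plaintext listener on port 80 (listener2), which the article creates deliberately; whether that listener should stay open or redirect to HTTPS is a decision for your deployment, and the check simply makes it visible.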

Next steps

Learn more about TLS termination