Configure App Service with Application Gateway using PowerShell

Application Gateway allows you to have an App Service app or other multi-tenant service as a back-end pool member. In this article, you learn to configure an App Service app with Application Gateway. The first example shows you how to configure an existing application gateway to use a web app as a back-end pool member. The second example shows you how to create a new application gateway with a web app as a back-end pool member.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Configure a web app behind an existing application gateway

The following example adds a web app as a back-end pool member to an existing application gateway. Both the -PickHostNameFromBackendHttpSettings switch on the probe configuration and the -PickHostNameFromBackendAddress switch on the back-end HTTP settings must be provided for web apps to work. App Service is multi-tenant and routes requests by host header, so the gateway has to send the web app's own host name on both health probes and forwarded requests.

# FQDN of the web app
$webappFQDN = "<enter your webapp FQDN i.e mywebsite.chinacloudsites.cn>"

# Retrieve the resource group
$rg = Get-AzResourceGroup -Name 'your resource group name'

# Retrieve an existing application gateway
$gw = Get-AzApplicationGateway -Name 'your application gateway name' -ResourceGroupName $rg.ResourceGroupName

# Define the status codes to match for the probe
$match=New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode 200-399

# Add a new probe to the application gateway
Add-AzApplicationGatewayProbeConfig -name webappprobe2 -ApplicationGateway $gw -Protocol Http -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings -Match $match

# Retrieve the newly added probe
$probe = Get-AzApplicationGatewayProbeConfig -name webappprobe2 -ApplicationGateway $gw

# Configure an existing backend http settings
Set-AzApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -ApplicationGateway $gw -PickHostNameFromBackendAddress -Port 80 -Protocol http -CookieBasedAffinity Disabled -RequestTimeout 30 -Probe $probe

# Add the web app to the backend pool
Set-AzApplicationGatewayBackendAddressPool -Name appGatewayBackendPool -ApplicationGateway $gw -BackendFqdns $webappFQDN

# Update the application gateway
Set-AzApplicationGateway -ApplicationGateway $gw

Configure a web application behind a new application gateway

This scenario deploys a web app with the ASP.NET getting started website and an application gateway.

# Defines a variable for a dotnet get started web app repository location
$gitrepo="https://github.com/Azure-Samples/app-service-web-dotnet-get-started.git"

# Unique web app name
$webappname="mywebapp$(Get-Random)"

# Creates a resource group
$rg = New-AzResourceGroup -Name ContosoRG -Location ChinaNorth

# Create an App Service plan in Free tier.
New-AzAppServicePlan -Name $webappname -Location ChinaNorth -ResourceGroupName $rg.ResourceGroupName -Tier Free

# Creates a web app
$webapp = New-AzWebApp -ResourceGroupName $rg.ResourceGroupName -Name $webappname -Location ChinaNorth -AppServicePlan $webappname

# Configure GitHub deployment from your GitHub repo and deploy once to web app.
$PropertiesObject = @{
    repoUrl = "$gitrepo";
    branch = "master";
    isManualIntegration = "true";
}
Set-AzResource -PropertyObject $PropertiesObject -ResourceGroupName $rg.ResourceGroupName -ResourceType Microsoft.Web/sites/sourcecontrols -ResourceName $webappname/web -ApiVersion 2015-08-01 -Force

# Creates a subnet for the application gateway
$subnet = New-AzVirtualNetworkSubnetConfig -Name subnet01 -AddressPrefix 10.0.0.0/24

# Creates a vnet for the application gateway
$vnet = New-AzVirtualNetwork -Name appgwvnet -ResourceGroupName $rg.ResourceGroupName -Location ChinaNorth -AddressPrefix 10.0.0.0/16 -Subnet $subnet

# Retrieve the subnet object for use later
$subnet=$vnet.Subnets[0]

# Create a public IP address
$publicip = New-AzPublicIpAddress -ResourceGroupName $rg.ResourceGroupName -name publicIP01 -location ChinaNorth -AllocationMethod Dynamic

# Create a new IP configuration
$gipconfig = New-AzApplicationGatewayIPConfiguration -Name gatewayIP01 -Subnet $subnet

# Create a backend pool with the hostname of the web app
$pool = New-AzApplicationGatewayBackendAddressPool -Name appGatewayBackendPool -BackendFqdns $webapp.HostNames

# Define the status codes to match for the probe
$match = New-AzApplicationGatewayProbeHealthResponseMatch -StatusCode 200-399

# Create a probe with the PickHostNameFromBackendHttpSettings switch for web apps
$probeconfig = New-AzApplicationGatewayProbeConfig -name webappprobe -Protocol Http -Path / -Interval 30 -Timeout 120 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings -Match $match

# Define the backend http settings
$poolSetting = New-AzApplicationGatewayBackendHttpSettings -Name appGatewayBackendHttpSettings -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 120 -PickHostNameFromBackendAddress -Probe $probeconfig

# Create a new front-end port
$fp = New-AzApplicationGatewayFrontendPort -Name frontendport01  -Port 80

# Create a new front end IP configuration
$fipconfig = New-AzApplicationGatewayFrontendIPConfig -Name fipconfig01 -PublicIPAddress $publicip

# Create a new listener using the front-end ip configuration and port created earlier
$listener = New-AzApplicationGatewayHttpListener -Name listener01 -Protocol Http -FrontendIPConfiguration $fipconfig -FrontendPort $fp

# Create a new rule
$rule = New-AzApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic -BackendHttpSettings $poolSetting -HttpListener $listener -BackendAddressPool $pool

# Define the application gateway SKU to use
$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2

# Create the application gateway
$appgw = New-AzApplicationGateway -Name ContosoAppGateway -ResourceGroupName $rg.ResourceGroupName -Location ChinaNorth -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -Probes $probeconfig -FrontendIpConfigurations $fipconfig  -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku

Get application gateway DNS name

Once the gateway is created, the next step is to configure the front end for communication. When using a public IP, application gateway requires a dynamically assigned DNS name, which is not user-friendly. To ensure end users can reach the application gateway, a CNAME record can be used to point to the public endpoint of the application gateway. To create the alias, retrieve the details of the application gateway and its associated IP/DNS name using the PublicIPAddress element attached to the application gateway. This can be done with Azure DNS or other DNS providers, by creating a CNAME record that points to the DNS name of the public IP address. The use of A records is not recommended, since the VIP may change when the application gateway restarts.

Get-AzPublicIpAddress -ResourceGroupName ContosoRG -Name publicIP01
Name                     : publicIP01
ResourceGroupName        : ContosoRG
Location                 : chinanorth
Id                       : /subscriptions/<subscription_id>/resourceGroups/ContosoRG/providers/Microsoft.Network/publicIPAddresses/publicIP01
Etag                     : W/"00000d5b-54ed-4907-bae8-99bd5766d0e5"
ResourceGuid             : 00000000-0000-0000-0000-000000000000
ProvisioningState        : Succeeded
Tags                     :
PublicIpAllocationMethod : Dynamic
IpAddress                : xx.xx.xxx.xx
PublicIpAddressVersion   : IPv4
IdleTimeoutInMinutes     : 4
IpConfiguration          : {
                                "Id": "/subscriptions/<subscription_id>/resourceGroups/ContosoRG/providers/Microsoft.Network/applicationGateways/ContosoAppGateway/frontendIP
                            Configurations/frontend1"
                            }
DnsSettings              : {
                                "Fqdn": "00000000-0000-xxxx-xxxx-xxxxxxxxxxxx.chinacloudapp.cn"
                            }
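
The CNAME step described above, as an added example that is not part of the original article. It assumes you already host a zone in Azure DNS; the zone name, its resource group and the record label are hypothetical placeholders.

```powershell
# Added example: $zoneName, $zoneRg and $label are assumed values, not from the article.
$zoneName = 'contoso.example'   # hypothetical Azure DNS zone you already host
$zoneRg   = 'ContosoRG'         # assumed: the zone lives in the article's resource group
$label    = 'www'               # hypothetical record name -> www.contoso.example

# Read the gateway's auto-assigned DNS name from the public IP created earlier
$pip  = Get-AzPublicIpAddress -ResourceGroupName ContosoRG -Name publicIP01
$fqdn = $pip.DnsSettings.Fqdn
if ([string]::IsNullOrWhiteSpace($fqdn)) {
    # No name is assigned until the gateway has been provisioned
    throw "publicIP01 has no DNS name yet; check that the application gateway is provisioned."
}

# Create the CNAME if it is missing; repoint it if it targets a different name
$rs = Get-AzDnsRecordSet -Name $label -RecordType CNAME -ZoneName $zoneName `
        -ResourceGroupName $zoneRg -ErrorAction SilentlyContinue
if (-not $rs) {
    New-AzDnsRecordSet -Name $label -RecordType CNAME -ZoneName $zoneName `
        -ResourceGroupName $zoneRg -Ttl 300 `
        -DnsRecords (New-AzDnsRecordConfig -Cname $fqdn)
}
elseif ($rs.Records[0].Cname -ne $fqdn) {
    $rs.Records[0].Cname = $fqdn
    Set-AzDnsRecordSet -RecordSet $rs
}
```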

Restrict access

The web apps deployed in these examples use public IP addresses that can be accessed directly from the Internet. This helps with troubleshooting when you are learning about a new feature and trying new things. But if you intend to deploy a feature into production, you'll want to add more restrictions.

One way you can restrict access to your web apps is to use Azure App Service static IP restrictions. For example, you can restrict the web app so that it only receives traffic from the application gateway. Use the App Service IP restriction feature to list the application gateway VIP as the only address with access.
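
One way to apply that restriction with the Az.Websites access-restriction cmdlets, as an added example that is not part of the original article. It assumes $webappname from the script above is still set in the session; the rule name and priority are hypothetical choices.

```powershell
# Added example: $ruleName and the priority are assumed values, not from the article.
$rgName   = 'ContosoRG'        # resource group from the article
$pipName  = 'publicIP01'       # public IP from the article
$appName  = $webappname        # assumed: still set from the deployment script above
$ruleName = 'AllowAppGateway'  # hypothetical rule name

# Resolve the gateway's current VIP. A Dynamic address has no value until the
# gateway is running, so stop instead of writing an unusable rule.
$vip    = (Get-AzPublicIpAddress -ResourceGroupName $rgName -Name $pipName).IpAddress
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($vip, [ref]$parsed)) {
    throw "Public IP '$pipName' has no address assigned (value: '$vip')."
}
$cidr = "$vip/32"

# Look for our rule among the main-site restrictions
$config   = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -Name $appName
$existing = $config.MainSiteAccessRestrictions | Where-Object { $_.RuleName -eq $ruleName }

# The VIP may change when the gateway restarts: drop a stale rule first
if ($existing -and $existing.IpAddress -ne $cidr) {
    Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $appName -Name $ruleName
    $existing = $null
}

# Once an Allow rule exists, traffic matching no rule is denied by App Service
if (-not $existing) {
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rgName -WebAppName $appName `
        -Name $ruleName -Priority 100 -Action Allow -IpAddress $cidr
}

# Show the effective main-site rules for review
(Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rgName -Name $appName).MainSiteAccessRestrictions
```

Because the public IP in these examples is allocated dynamically, run the script again after the application gateway restarts so the rule follows the new VIP. The rule covers the main site only, not the SCM (deployment) site.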

Next steps

Learn how to configure redirection by visiting: Configure redirection on Application Gateway with PowerShell.