Application Gateway high traffic support


This article describes a few suggested guidelines to help you set up your Application Gateway to handle the extra traffic that may occur due to the COVID-19 crisis.

You can use Application Gateway with Web Application Firewall (WAF) for a scalable and secure way to manage traffic to your web applications.

The following suggestions help you set up Application Gateway with WAF to handle extra traffic.

Use the v2 SKU over v1 for its autoscaling capabilities and performance benefits

The v2 SKU offers autoscaling to ensure that your Application Gateway can scale up as traffic increases. Compared to v1, it also offers other significant performance benefits, such as 5x better TLS offload performance, quicker deployment and update times, zone redundancy, and more. For more information, see our v2 documentation.

Set maximum instance count to the maximum possible (125)

Assuming you have an Application Gateway v2 SKU, setting the maximum instance count to the maximum possible value of 125 allows the Application Gateway to scale out as needed. This allows it to handle the possible increase in traffic to your applications. You will only be charged for the Capacity Units (CUs) you use.

Set your minimum instance count based on your average CU usage

Assuming you have an Application Gateway v2 SKU, autoscaling takes six to seven minutes to scale out. With a higher minimum instance count, the Application Gateway can better handle your traffic when the load is increased, because a spike in traffic doesn't require an autoscaling operation.

Alert if a certain metric surpasses 75% of average CU utilization

See the Application Gateway Metrics documentation for a detailed explanation of our metrics and other walkthroughs.

Example: Setting up an alert on 75% of average CU usage

This example shows you how to use the Azure portal to set up an alert when 75% of average CU usage is reached.

  1. Navigate to your Application Gateway.
  2. On the left panel, select Metrics under the Monitoring tab.
  3. Add a metric for Average Current Compute Units.
  4. If you've set your minimum instance count to be your average CU usage, go ahead and set an alert when 75% of your minimum instances are in use. For example, if your average usage is 10 CUs, set an alert on 7.5 CUs. This alerts you if usage is increasing and gives you time to respond. If you think this traffic will be sustained, you can raise the minimum to alert you that traffic may be increasing.


You can set the alert to occur at a lower or higher CU utilization percentage depending on how sensitive you want to be to potential traffic spikes.
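The same sizing and alerting steps scripted with Az PowerShell, as an added example that is not part of the original article. The resource names, the action group ID placeholder, the 7-day look-back window and the alert name are assumptions; the script expects an existing v2 gateway and an existing action group.

```powershell
# Added example: names below are hypothetical; the 7-day look-back is an assumption.
$rgName        = "rg-appgw-example"            # hypothetical resource group
$gwName        = "appgw-example"               # hypothetical v2 Application Gateway
$actionGroupId = "<action-group-resource-id>"  # placeholder: an existing action group

$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName

# Average Current Compute Units over the look-back window, in 1-hour buckets.
$end    = Get-Date
$metric = Get-AzMetric -ResourceId $gw.Id -MetricName "ComputeUnits" `
    -StartTime $end.AddDays(-7) -EndTime $end `
    -TimeGrain ([TimeSpan]::FromHours(1)) -AggregationType Average
$samples = $metric.Data | Where-Object { $null -ne $_.Average }
if (-not $samples) { throw "No ComputeUnits data points returned for $gwName" }
$avgCu = ($samples | Measure-Object -Property Average -Average).Average

# Article guidance: minimum based on average CU usage, maximum set to 125.
# The minimum is clamped so it is at least 1 and never above the maximum.
$minCapacity = [Math]::Min(125, [Math]::Max(1, [int][Math]::Ceiling($avgCu)))
$gw.Sku.Capacity = $null   # a fixed capacity cannot coexist with autoscale settings
$gw = Set-AzApplicationGatewayAutoscaleConfiguration -ApplicationGateway $gw `
    -MinCapacity $minCapacity -MaxCapacity 125
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Alert when the 5-minute average exceeds 75% of the measured average usage
# (for an average of 10 CUs this gives a threshold of 7.5).
$threshold = [Math]::Round(0.75 * $avgCu, 1)
$criteria  = New-AzMetricAlertRuleV2Criteria -MetricName "ComputeUnits" `
    -TimeAggregation Average -Operator GreaterThan -Threshold $threshold
Add-AzMetricAlertRuleV2 -Name "appgw-cu-75pct" -ResourceGroupName $rgName `
    -TargetResourceId $gw.Id -Condition $criteria `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -Frequency ([TimeSpan]::FromMinutes(1)) `
    -Severity 2 -ActionGroupId $actionGroupId
```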

Set up WAF with geofiltering and bot protection to stop attacks

If you want an extra layer of security in front of your application, use the Application Gateway WAF_v2 SKU for WAF capabilities. You can configure the v2 SKU to only allow access to your applications from a given country/region or countries/regions. You set up a WAF custom rule to explicitly allow or block traffic based on the geolocation. For more information, see how to configure custom rules on Application Gateway WAF_v2 SKU through PowerShell.

Enable bot protection to block known bad bots. This should reduce the amount of traffic getting to your application. For more information, see bot protection with setup instructions.
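A WAF policy that combines a geolocation custom rule with the bot protection rule set, as an added example that is not part of the original article. The resource names, the region placeholder, the allowed country codes, the rule priority and the rule set versions are assumptions to adapt to your environment.

```powershell
# Added example: all names and values below are hypothetical.
$rgName   = "rg-appgw-example"
$gwName   = "appgw-example"        # existing gateway on the WAF_v2 SKU
$location = "<azure-region>"       # placeholder: region of the gateway
$allowed  = @("US", "CA")          # assumed list of permitted country/region codes

# Custom rule: block any request whose source address does NOT geolocate
# to one of the allowed countries/regions (GeoMatch with negation).
$remoteAddr = New-AzApplicationGatewayFirewallMatchVariable -VariableName RemoteAddr
$notAllowed = New-AzApplicationGatewayFirewallCondition -MatchVariable $remoteAddr `
    -Operator GeoMatch -MatchValue $allowed -NegationCondition $true
$geoRule = New-AzApplicationGatewayFirewallCustomRule -Name "blockOutsideAllowedGeo" `
    -Priority 10 -RuleType MatchRule -MatchCondition $notAllowed -Action Block

# Managed rules: the OWASP core rule set plus the bot protection rule set.
$owasp = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType "OWASP" -RuleSetVersion "3.1"
$bots = New-AzApplicationGatewayFirewallPolicyManagedRuleSet `
    -RuleSetType "Microsoft_BotManagerRuleSet" -RuleSetVersion "0.1"
$managed = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $owasp, $bots

$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode Prevention -State Enabled

$policy = New-AzApplicationGatewayFirewallPolicy -Name "wafpol-geo-bot" `
    -ResourceGroupName $rgName -Location $location `
    -CustomRule $geoRule -ManagedRule $managed -PolicySetting $settings

# Associate the policy with the gateway and push the change.
$gw = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rgName
$gw.FirewallPolicy = $policy
Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
```

Running the policy with `-Mode Detection` first and reviewing the firewall logs shows which legitimate clients the geolocation rule would have blocked before it is enforced.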

Turn on diagnostics on Application Gateway and WAF

Diagnostic logs allow you to view firewall logs, performance logs, and access logs. You can use these logs in Azure to manage and troubleshoot Application Gateways. For more information, see our diagnostics documentation.

Set up a TLS policy for extra security

Ensure you're using the latest TLS policy version (AppGwSslPolicy20170401S). This enforces TLS 1.2 and stronger ciphers. For more information, see configuring TLS policy versions and cipher suites via PowerShell.
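An audit of every Application Gateway in the current subscription against the policy named above, as an added example that is not part of the original article. The `$Apply` switch and the output column names are assumptions; gateways with a custom policy are reported for manual review and never overwritten.

```powershell
# Added example: $Apply and the report columns are hypothetical.
$required = "AppGwSslPolicy20170401S"   # policy name taken from the article
$Apply    = $false                      # set to $true to remediate, not just report

$report = foreach ($gw in Get-AzApplicationGateway) {
    $policy = $gw.SslPolicy
    $state =
        if ($policy -and $policy.PolicyType -eq "Predefined" -and
            $policy.PolicyName -eq $required) { "Compliant" }
        elseif ($policy -and $policy.PolicyType -like "Custom*") { "CustomReviewManually" }
        else { "NonCompliant" }

    if ($state -eq "NonCompliant" -and $Apply) {
        # Select the predefined policy on the local object, then push the update.
        Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw `
            -PolicyType Predefined -PolicyName $required | Out-Null
        Set-AzApplicationGateway -ApplicationGateway $gw | Out-Null
        $state = "Remediated"
    }

    [pscustomobject]@{
        Gateway       = $gw.Name
        ResourceGroup = $gw.ResourceGroupName
        CurrentPolicy = if ($policy) { $policy.PolicyName } else { "(default)" }
        State         = $state
    }
}

$report | Sort-Object State, Gateway | Format-Table -AutoSize
```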