How an application gateway works

This article explains how an application gateway accepts incoming requests and routes them to the backend.

How an application gateway accepts a request

  1. Before a client sends a request to an application gateway, it resolves the domain name of the application gateway by using a Domain Name System (DNS) server. Azure controls the DNS entry because all application gateways are in the azure.com domain.

  2. The Azure DNS returns the IP address to the client, which is the frontend IP address of the application gateway.

  3. The application gateway accepts incoming traffic on one or more listeners. A listener is a logical entity that checks for connection requests. It's configured with a frontend IP address, protocol, and port number for connections from clients to the application gateway.

  4. If a web application firewall (WAF) is in use, the application gateway checks the request headers and the body, if present, against WAF rules. This action determines whether the request is a valid request or a security threat. If the request is valid, it's routed to the backend. If the request isn't valid and WAF is in Prevention mode, it's blocked as a security threat. If it's in Detection mode, the request is evaluated and logged, but still forwarded to the backend server.

Azure Application Gateway can be used as an internal application load balancer or as an internet-facing application load balancer. An internet-facing application gateway uses public IP addresses. The DNS name of an internet-facing application gateway is publicly resolvable to its public IP address. As a result, internet-facing application gateways can route client requests to the internet.

Internal application gateways use only private IP addresses. If you are using a Custom or Private DNS zone, the domain name should be internally resolvable to the private IP address of the Application Gateway. Therefore, internal load balancers can only route requests from clients with access to the virtual network of the application gateway.

How an application gateway routes a request

If a request is valid and not blocked by WAF, the application gateway evaluates the request routing rule that's associated with the listener. This action determines which backend pool to route the request to.

Based on the request routing rule, the application gateway determines whether to route all requests on the listener to a specific backend pool, route requests to different backend pools based on the URL path, or redirect requests to another port or external site.

Note

For the v1 SKU, rules are processed in the order they're listed in the portal.

When the application gateway selects the backend pool, it sends the request to one of the healthy backend servers in the pool (y.y.y.y). The health of the server is determined by a health probe. If the backend pool contains multiple servers, the application gateway uses a round-robin algorithm to route the requests between healthy servers. This load balances the requests across the servers.
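As an added illustration (not Microsoft's code or the gateway's own data model), the following Python model walks through the decision just described: the rule bound to the listener selects a basic pool, a path-based pool or a redirect, and the chosen pool then hands the request to the next healthy server in round-robin order. Listener names, pool names and addresses are constructed; path rules are evaluated in listed order, with the first matching prefix winning.

```python
# Added example: toy model of listener -> routing rule -> backend pool -> healthy server.
# Names, pools and addresses are constructed; this is not the gateway's own data model.
RULES = {
    # path-based rule: ordered (prefix, pool) pairs, first match wins, then a default pool
    "listener-https-443": {"type": "path",
                           "paths": [("/api/", "api-pool"), ("/images/", "static-pool")],
                           "default": "web-pool"},
    # redirect rule: the gateway answers with a redirect instead of contacting a pool
    "listener-http-80": {"type": "redirect", "target": "https://shop.example.com"},
    # basic rule: every request on the listener goes to one pool
    "listener-admin-8443": {"type": "basic", "pool": "admin-pool"},
}
POOLS = {
    "web-pool": ["10.0.2.4", "10.0.2.5"],
    "api-pool": ["10.0.3.4", "10.0.3.5"],
    "static-pool": ["10.0.4.4"],
    "admin-pool": ["10.0.5.4"],
}
# Current health-probe results: 10.0.3.4 and 10.0.5.4 are failing their probes.
HEALTHY = {"10.0.2.4", "10.0.2.5", "10.0.3.5", "10.0.4.4"}
_rr_cursor = {}   # per-pool round-robin position

def select_target(listener, path):
    """Evaluate the rule bound to the listener: ('redirect', url) or ('pool', name)."""
    rule = RULES[listener]
    if rule["type"] == "redirect":
        return ("redirect", rule["target"])
    if rule["type"] == "basic":
        return ("pool", rule["pool"])
    for prefix, pool in rule["paths"]:          # evaluated in listed order
        if path.startswith(prefix):
            return ("pool", pool)
    return ("pool", rule["default"])

def next_healthy_server(pool):
    """Round-robin over the pool, skipping members whose health probe is failing."""
    members = POOLS[pool]
    start = _rr_cursor.get(pool, 0)
    for i in range(len(members)):
        idx = (start + i) % len(members)
        if members[idx] in HEALTHY:
            _rr_cursor[pool] = idx + 1
            return members[idx]
    return None   # no healthy member: nothing to forward to

def route(listener, path):
    # Full decision for one request: ('redirect', url), ('forward', ip) or ('forward', None)
    kind, target = select_target(listener, path)
    if kind == "redirect":
        return ("redirect", target)
    return ("forward", next_healthy_server(target))
```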

After the application gateway determines the backend server, it opens a new TCP session with the backend server based on the HTTP settings. The HTTP settings specify the protocol, port, and other routing-related settings that are required to establish a new session with the backend server.

The port and protocol used in the HTTP settings determine whether the traffic between the application gateway and the backend servers is encrypted (thus accomplishing end-to-end TLS) or unencrypted.

When an application gateway sends the original request to the backend server, it honors any custom configuration made in the HTTP settings related to overriding the hostname, path, and protocol. This action maintains cookie-based session affinity, connection draining, host-name selection from the backend, and so on.

Note

If the backend pool:

  • Is a public endpoint, the application gateway uses its frontend public IP to reach the server. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.
  • Contains an internally resolvable FQDN or a private IP address, the application gateway routes the request to the backend server by using its instance private IP addresses.
  • Contains an external endpoint or an externally resolvable FQDN, the application gateway routes the request to the backend server by using its frontend public IP address. The DNS resolution is based on a private DNS zone or custom DNS server, if configured, or it uses the default Azure-provided DNS. If there isn't a frontend public IP address, one is assigned for the outbound external connectivity.

Modifications to the request

An application gateway inserts four additional headers into all requests before it forwards them to the backend. These headers are x-forwarded-for, x-forwarded-proto, x-forwarded-port, and x-original-host. The format of the x-forwarded-for header is a comma-separated list of IP:port entries.

The valid values for x-forwarded-proto are HTTP or HTTPS. x-forwarded-port specifies the port on which the request reached the application gateway. The x-original-host header contains the original Host header with which the request arrived. This header is useful in Azure website integration, where the incoming Host header is modified before traffic is routed to the backend. If session affinity is enabled as an option, the gateway also adds a gateway-managed affinity cookie.
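The following is an added example of how a backend behind the gateway can consume these four headers; it is not Microsoft's code. It parses the IP:port list format described above (also tolerating bracketed IPv6 entries and entries without a port) and rebuilds the client's view of the request. The gateway instance addresses in TRUSTED_GATEWAY_PEERS are hypothetical, and the example assumes the gateway's own x-forwarded-for entry is the last one in the list; the headers are only honoured when the TCP peer is one of those instances, because from any other peer they are simply client-supplied bytes.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Added example, not Microsoft code. Hypothetical private addresses of the gateway instances
# that reach this backend; forwarded headers are trusted only when the TCP peer is one of them.
TRUSTED_GATEWAY_PEERS = {"10.0.1.4", "10.0.1.5"}

@dataclass
class ClientInfo:
    client_ip: str
    client_port: Optional[int]
    proto: str            # scheme the client used towards the gateway
    port: int             # gateway port the request arrived on
    original_host: str    # Host header as the client sent it

def parse_forwarded_for(value: str) -> list:
    """Parse the comma-separated IP:port list; tolerates [v6]:port and bare addresses."""
    hops = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith("["):                 # [2001:db8::1]:4433
            host, _, port = entry[1:].partition("]")
            port = port.lstrip(":")
        elif entry.count(":") == 1:               # 203.0.113.7:51234
            host, _, port = entry.partition(":")
        else:                                     # bare IPv4 or bare IPv6
            host, port = entry, ""
        ip_address(host)                          # ValueError on anything that is not an IP
        hops.append((host, int(port) if port else None))
    return hops

def client_from_headers(peer_ip: str, headers: dict) -> ClientInfo:
    """Rebuild the client's view of the request from the four gateway-added headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if peer_ip not in TRUSTED_GATEWAY_PEERS:      # direct hit: the peer itself is the client
        return ClientInfo(peer_ip, None, "http", 80, h.get("host", ""))
    hops = parse_forwarded_for(h.get("x-forwarded-for", ""))
    if not hops:
        raise ValueError("request via gateway without x-forwarded-for")
    # Assumption: the gateway's own entry is last; earlier entries are unauthenticated.
    ip, port = hops[-1]
    proto = h.get("x-forwarded-proto", "").lower()
    if proto not in ("http", "https"):
        raise ValueError(f"unexpected x-forwarded-proto {proto!r}")
    gw_port = int(h.get("x-forwarded-port", "443" if proto == "https" else "80"))
    return ClientInfo(ip, port, proto, gw_port, h.get("x-original-host", h.get("host", "")))
```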

You can configure the application gateway to modify request and response headers and the URL by using Rewrite HTTP headers and URL, or to modify the URI path by using a path-override setting. Unless configured to do so, however, all incoming requests are proxied to the backend unchanged apart from the headers described above.

Next steps

Learn about application gateway components