Migrate Azure Application Gateway and Web Application Firewall from v1 to v2

Azure Application Gateway and Web Application Firewall (WAF) v2 is now available, offering additional features such as autoscaling and availability-zone redundancy. However, existing v1 gateways aren't upgraded to v2 automatically. To migrate from v1 to v2, follow the steps in this article.

A migration has two stages:

  1. Migrate the configuration
  2. Migrate the client traffic

This article covers configuration migration. Client traffic migration depends on your environment, so only high-level, general recommendations are given for it.

Migration overview

An Azure PowerShell script is available that does the following:

  • Creates a new Standard_v2 or WAF_v2 gateway in a virtual network subnet that you specify.
  • Copies the configuration associated with the v1 Standard or WAF gateway to the newly created Standard_v2 or WAF_v2 gateway.

Caveats/Limitations

  • The new v2 gateway has new public and private IP addresses. The IP addresses associated with the existing v1 gateway can't be moved to v2. However, you can allocate an existing (unallocated) public or private IP address to the new v2 gateway.
  • You must provide an IP address space for another subnet within the virtual network where your v1 gateway is located. The script can't create the v2 gateway in a subnet that already contains a v1 gateway. A subnet that already contains a v2 gateway may work, provided it has enough free IP address space.
  • If a network security group or user-defined routes are associated with the v2 gateway subnet, make sure they meet the NSG requirements and UDR requirements for Application Gateway v2; otherwise the migration fails.
  • Virtual network service endpoint policies are currently not supported in an Application Gateway subnet.
  • To migrate a TLS/SSL configuration, you must supply every TLS/SSL certificate used by your v1 gateway. The script copies the listeners, but it can't export the certificates from the v1 gateway.
  • If FIPS mode is enabled on your v1 gateway, it isn't migrated to the new v2 gateway. FIPS mode isn't supported in v2.
  • v2 doesn't support IPv6, so IPv6-enabled v1 gateways aren't migrated. If you run the script against one, it may not complete.
  • If the v1 gateway has only a private IP address, the script creates both a public IP address and a private IP address for the new v2 gateway, because v2 gateways currently don't support a private-only frontend. Review the listeners and NSG rules on that new public frontend before cutover, since your v1 deployment didn't expose one.
  • Headers whose names contain anything other than letters, digits, hyphens and underscores aren't passed to your application. This applies only to header names, not header values, and is a breaking change from v1.

Download the script

Download the migration script from the PowerShell Gallery.

Use the script

There are two options, depending on your local PowerShell environment and preferences:

  • If you don't have the Azure Az modules installed, or don't mind uninstalling them, the best option is to use Install-Script to install and run the script.
  • If you need to keep your existing Azure Az modules, download the script and run it directly.

To determine whether the Azure Az modules are installed, run Get-InstalledModule -Name Az. If no Az modules are listed, you can use the Install-Script method.

Install using the Install-Script method

To use this option, the Azure Az modules must not be installed on your computer. If they're installed, the following command displays an error. Either uninstall the Azure Az modules, or use the other option to download the script manually and run it.

Run the following command to get the latest version of the script:

Install-Script -Name AzureAppGWMigration -Force

This command also installs the required Az modules.

Install using the script directly

If you have Azure Az modules installed and can't (or don't want to) uninstall them, download the script manually using the Manual Download tab on the script's download page. The script is downloaded as a raw nupkg file. To install the script from this nupkg file, see Manual Package Download.

To run the script:

  1. Use Connect-AzAccount -Environment AzureChinaCloud to connect to Azure.

  2. Use Import-Module Az to import the Az modules.

  3. Run Get-Help AzureAppGWMigration.ps1 to examine the required parameters:

    AzureAppGWMigration.ps1
     -resourceId <v1 application gateway Resource ID>
     -subnetAddressRange <subnet address space in CIDR notation>
     -appgwName <name for the new v2 gateway>
     -sslCertificates <comma-separated PSApplicationGatewaySslCertificate objects>
     -trustedRootCertificates <comma-separated PSApplicationGatewayTrustedRootCertificate objects>
     -privateIpAddress <private IP string>
     -publicIpResourceId <public IP resource ID string>
     -validateMigration -enableAutoScale
    

    Parameters for the script:

    • resourceId: [String]: Required. The Azure Resource ID of your existing Standard v1 or WAF v1 gateway. To find it, go to the Azure portal, select your application gateway or WAF resource, and open the Properties page for the gateway; the Resource ID is shown there.

      You can also get the Resource ID with the following Azure PowerShell commands:

      $appgw = Get-AzApplicationGateway -Name <v1 gateway name> -ResourceGroupName <resource group Name> 
      $appgw.Id
      
    • subnetAddressRange: [String]: Required. The IP address space you've allocated (or want to allocate) for the new subnet that will contain your v2 gateway, in CIDR notation, for example 10.0.0.0/24. You don't need to create this subnet in advance; the script creates it if it doesn't exist.

    • appgwName: [String]: Optional. The name to use for the new Standard_v2 or WAF_v2 gateway. If this parameter isn't supplied, the name of the existing v1 gateway is used with the suffix _v2 appended.

    • sslCertificates: [PSApplicationGatewaySslCertificate]: Optional. A comma-separated list of PSApplicationGatewaySslCertificate objects that you create to represent the TLS/SSL certificates from your v1 gateway that must be uploaded to the new v2 gateway. For each TLS/SSL certificate configured on your Standard v1 or WAF v1 gateway, create a PSApplicationGatewaySslCertificate object with New-AzApplicationGatewaySslCertificate, as shown here. You need the path to the certificate (PFX) file and its password.

      This parameter is optional only if your v1 gateway or WAF has no HTTPS listeners. If at least one HTTPS listener is configured, you must specify it.

      $password = ConvertTo-SecureString <cert-password> -AsPlainText -Force
      $mySslCert1 = New-AzApplicationGatewaySslCertificate -Name "Cert01" `
         -CertificateFile <Cert-File-Path-1> `
         -Password $password 
      $mySslCert2 = New-AzApplicationGatewaySslCertificate -Name "Cert02" `
         -CertificateFile <Cert-File-Path-2> `
         -Password $password
      

      In this example, you pass $mySslCert1,$mySslCert2 (comma-separated) as the value of this parameter when running the script.

    • trustedRootCertificates: [PSApplicationGatewayTrustedRootCertificate]: Optional. A comma-separated list of PSApplicationGatewayTrustedRootCertificate objects that you create to represent the trusted root certificates the v2 gateway uses to authenticate your backend instances.

      $certFilePath = ".\rootCA.cer"
      $trustedCert = New-AzApplicationGatewayTrustedRootCertificate -Name "trustedCert1" -CertificateFile $certFilePath
      

      To create a list of PSApplicationGatewayTrustedRootCertificate objects, see New-AzApplicationGatewayTrustedRootCertificate.

    • privateIpAddress: [String]: Optional. A specific private IP address to associate with the new v2 gateway. It must come from the new v2 gateway's subnet (and therefore from the same VNet); note that Azure reserves the first four and the last address of every subnet, so they can't be used. If this isn't specified, the script allocates a private IP address for the v2 gateway.

    • publicIpResourceId: [String]: Optional. The resource ID of an existing public IP address (Standard SKU) in your subscription that you want to allocate to the new v2 gateway. If this isn't specified, the script allocates a new public IP in the same resource group, named after the v2 gateway with -IP appended.

    • validateMigration: [switch]: Optional. Use this parameter if you want the script to run some basic configuration-comparison validation after creating the v2 gateway and copying the configuration. By default, no validation is done.

    • enableAutoScale: [switch]: Optional. Use this parameter if you want the script to enable autoscaling on the new v2 gateway after it's created. By default, autoscaling is disabled. You can always enable it manually later on the new v2 gateway.

  4. Run the script with the appropriate parameters. It may take five to seven minutes to finish.

    Example

    # 10.0.0.1 is reserved by Azure in every subnet, so a usable address such as 10.0.0.10 is passed.
    AzureAppGWMigration.ps1 `
       -resourceId /subscriptions/8b1d0fea-8d57-4975-adfb-308f1f4d12aa/resourceGroups/MyResourceGroup/providers/Microsoft.Network/applicationGateways/myv1appgateway `
       -subnetAddressRange 10.0.0.0/24 `
       -appgwName "MynewV2gw" `
       -sslCertificates $mySslCert1,$mySslCert2 `
       -trustedRootCertificates $trustedCert `
       -privateIpAddress "10.0.0.10" `
       -publicIpResourceId "/subscriptions/8b1d0fea-8d57-4975-adfb-308f1f4d12aa/resourceGroups/MyResourceGroup/providers/Microsoft.Network/publicIPAddresses/MyPublicIP" `
       -validateMigration -enableAutoScale
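
    The pre-flight inventory below is an added example, not part of AzureAppGWMigration.ps1 or of the original article. It reads the v1 gateway with the Az cmdlets and reports the items the caveats above require you to prepare by hand before running the script: the certificate each HTTPS listener references (which you must re-supply via -sslCertificates), trusted root certificates, private-only or IPv6 frontends, whether the existing public IP is Standard SKU (a requirement for -publicIpResourceId), the v1 subnet, and diagnostic settings that the script doesn't copy. The gateway and resource group names are placeholders.

```powershell
# Added example (not part of AzureAppGWMigration.ps1 or the original article):
# inventory a v1 gateway before migration. Names below are placeholders.
$v1Name = "myv1appgateway"   # assumed v1 gateway name
$v1Rg   = "MyResourceGroup"  # assumed resource group

$appgw = Get-AzApplicationGateway -Name $v1Name -ResourceGroupName $v1Rg
Write-Host "Resource ID : $($appgw.Id)"
Write-Host "SKU tier    : $($appgw.Sku.Tier)  (v1 is Standard or WAF)"

# 1. Each HTTPS listener references a certificate that must be passed again via
#    -sslCertificates; the script can't export PFX files from the gateway.
$httpsListeners = @($appgw.HttpListeners | Where-Object { $_.Protocol -eq "Https" })
$certNames = @($httpsListeners |
    ForEach-Object { ($_.SslCertificate.Id -split "/")[-1] } |
    Sort-Object -Unique)
if ($certNames.Count -gt 0) {
    Write-Host "HTTPS listeners: $($httpsListeners.Count); -sslCertificates is mandatory for: $($certNames -join ', ')"
} else {
    Write-Host "No HTTPS listeners; -sslCertificates can be omitted."
}

# 2. Trusted root certificates used for backend authentication go in -trustedRootCertificates.
foreach ($root in $appgw.TrustedRootCertificates) {
    Write-Host "Trusted root certificate to re-upload: $($root.Name)"
}

# 3. Frontend checks: a private-only v1 gateway gets a public IP on v2,
#    IPv6 frontends are not migrated, and a reused public IP must be Standard SKU.
$publicFrontends = @($appgw.FrontendIPConfigurations | Where-Object { $null -ne $_.PublicIPAddress })
if ($publicFrontends.Count -eq 0) {
    Write-Warning "v1 gateway is private-only; the script will add a public IP to v2. Plan listeners and NSG rules for it."
}
foreach ($fe in $publicFrontends) {
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
    $parts = $fe.PublicIPAddress.Id -split "/"
    $pip = Get-AzPublicIpAddress -Name $parts[-1] -ResourceGroupName $parts[4]
    if ($pip.PublicIpAddressVersion -eq "IPv6") {
        Write-Warning "Frontend $($fe.Name) is IPv6 ($($pip.IpAddress)); v2 doesn't support IPv6 and the script may not complete."
    }
    if ($pip.Sku.Name -ne "Standard") {
        Write-Host "Public IP $($pip.Name) is $($pip.Sku.Name) SKU; it can't be passed as -publicIpResourceId (Standard SKU required)."
    }
}

# 4. The v2 gateway needs a different subnet in the same VNet (-subnetAddressRange).
$v1SubnetId = $appgw.GatewayIPConfigurations[0].Subnet.Id
Write-Host "v1 subnet: $v1SubnetId  (choose an unused range in this VNet for -subnetAddressRange)"

# 5. Diagnostic settings (access/firewall logs) are not migrated; list them so
#    they can be re-created on the v2 gateway before traffic moves.
$diag = @(Get-AzDiagnosticSetting -ResourceId $appgw.Id -ErrorAction SilentlyContinue)
if ($diag.Count -eq 0) {
    Write-Host "No diagnostic settings on v1."
} else {
    $diag | ForEach-Object { Write-Host "Diagnostic setting to re-create on v2: $($_.Name)" }
}
```

    Run it in the same session (after Connect-AzAccount and Import-Module Az) before step 4, and build the $mySslCert and $trustedCert objects for exactly the names it lists.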
    

Migrate client traffic

First, double-check that the script created a new v2 gateway whose configuration exactly matches what was migrated from your v1 gateway. You can verify this in the Azure portal.

Also send a small amount of traffic through the v2 gateway as a manual test before you change any DNS records.
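
The comparison and smoke test below are an added example, not part of the article or of the migration script (the script's own -validateMigration switch does a similar comparison; this version lets you re-run the check from the portal-independent side whenever you like). It assumes the migrated configuration keeps the same child-resource names as v1, which is what the "exact configuration" above implies, and it assumes PowerShell 7 for the request with a custom Host header. Gateway names and the hostname are placeholders.

```powershell
# Added example (not part of the article or AzureAppGWMigration.ps1):
# compare v1 and v2 configuration by name, then send one request to v2.
# Gateway names are placeholders; PowerShell 7 is assumed for the smoke test.
$rg     = "MyResourceGroup"
$v1Name = "myv1appgateway"
$v2Name = "MynewV2gw"

function Get-AppGwSummary {
    # Collects the names of each configuration element type as sorted string arrays,
    # plus a one-line WAF summary ($waf is $null on the Standard tier).
    param([Parameter(Mandatory)] $Gateway)
    $waf = $Gateway.WebApplicationFirewallConfiguration
    [ordered]@{
        Listeners    = @($Gateway.HttpListeners                 | ForEach-Object Name | Sort-Object)
        BackendPools = @($Gateway.BackendAddressPools           | ForEach-Object Name | Sort-Object)
        HttpSettings = @($Gateway.BackendHttpSettingsCollection | ForEach-Object Name | Sort-Object)
        Rules        = @($Gateway.RequestRoutingRules           | ForEach-Object Name | Sort-Object)
        Probes       = @($Gateway.Probes                        | ForEach-Object Name | Sort-Object)
        SslCerts     = @($Gateway.SslCertificates               | ForEach-Object Name | Sort-Object)
        Waf          = @("enabled=$($waf.Enabled) mode=$($waf.FirewallMode) ruleset=$($waf.RuleSetVersion)")
    }
}

$v1 = Get-AppGwSummary -Gateway (Get-AzApplicationGateway -Name $v1Name -ResourceGroupName $rg)
$v2Gw = Get-AzApplicationGateway -Name $v2Name -ResourceGroupName $rg
$v2 = Get-AppGwSummary -Gateway $v2Gw

# Joined strings compare cleanly even when a category is empty on both sides.
$mismatch = $false
foreach ($key in $v1.Keys) {
    $a = $v1[$key] -join ","
    $b = $v2[$key] -join ","
    if ($a -ne $b) {
        $mismatch = $true
        Write-Warning "$key differs`n  v1: $a`n  v2: $b"
    } else {
        Write-Host "$key : match ($($v1[$key].Count))"
    }
}
if ($mismatch) { Write-Warning "Resolve the differences before moving any traffic." }

# Smoke test: one HTTPS request straight to the v2 frontend IP with the Host header
# of a site the gateway serves. No SNI is sent for a bare IP, so the gateway presents
# its default certificate; -SkipCertificateCheck only suppresses the name mismatch.
# -SkipHttpErrorCheck returns 4xx/5xx (for example a WAF block) instead of throwing.
$pipId   = ($v2Gw.FrontendIPConfigurations | Where-Object { $null -ne $_.PublicIPAddress })[0].PublicIPAddress.Id
$parts   = $pipId -split "/"
$v2Ip    = (Get-AzPublicIpAddress -Name $parts[-1] -ResourceGroupName $parts[4]).IpAddress
$siteHost = "www.contoso.com"   # assumed hostname served by a v2 listener
try {
    $r = Invoke-WebRequest -Uri "https://$v2Ip/" -Headers @{ Host = $siteHost } `
        -SkipCertificateCheck -SkipHttpErrorCheck
    Write-Host "v2 smoke test: HTTP $($r.StatusCode) from $v2Ip for $siteHost"
} catch {
    Write-Warning "v2 smoke test failed: $($_.Exception.Message)"
}
```

A 200 here only proves the listener, rule, and backend chain works for one host; repeat the request for each site the gateway serves, and send a request with a deliberately malformed header name as well, since v2 drops such headers silently (see the caveats).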

Here are a few scenarios in which your current application gateway (Standard) may receive client traffic, with our recommendation for each:

  • A custom DNS zone (for example, contoso.com) points, with an A record, to the frontend IP address of your Standard v1 or WAF v1 gateway.

    Update the DNS record to point to the frontend IP or DNS label of your Standard_v2 application gateway. Depending on the TTL configured on the DNS record, it may take a while for all client traffic to move to the new v2 gateway.

  • A custom DNS zone (for example, contoso.com) points, with a CNAME record, to the DNS label associated with your v1 gateway (for example, myappgw.chinanorth2.chinacloudapp.cn).

    You have two choices:

    • If your application gateway uses public IP addresses, you can do a controlled, granular migration with a Traffic Manager profile that uses the weighted traffic-routing method to shift traffic incrementally to the new v2 gateway.

      To do this, add the DNS labels of both the v1 and the v2 application gateway as endpoints of the Traffic Manager profile, and CNAME your custom DNS record (for example, www.contoso.com) to the Traffic Manager domain (for example, contoso.trafficmanager.cn).

    • Or, update the custom domain's DNS record to point to the DNS label of the new v2 application gateway. Depending on the TTL configured on the DNS record, it may take a while for all client traffic to move to the new v2 gateway.

  • Your clients connect directly to the frontend IP address of your application gateway.

    Update the clients to use the IP address(es) of the newly created v2 application gateway. We recommend against using IP addresses directly: use the DNS name label associated with the application gateway (for example, yourgateway.chinanorth2.chinacloudapp.cn), which you can CNAME from your own custom DNS zone (for example, contoso.com), so a future change of IP address doesn't require another client update.
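
The weighted cutover below is an added example, not part of the article. It builds the Traffic Manager profile described in the CNAME scenario above: both gateways' DNS labels are added as external endpoints with the v1 endpoint carrying most of the weight, the re-weighting is wrapped in a function you call step by step as you gain confidence, and the final step disables the v1 endpoint. The resource names, DNS labels, relative DNS name and health-probe path are assumptions.

```powershell
# Added example (not part of the article): incremental v1 -> v2 cutover with a
# weighted Traffic Manager profile. Names, labels and probe path are assumptions.
$rg          = "MyResourceGroup"
$profileName = "contoso-appgw-cutover"
$v1Label     = "myappgw.chinanorth2.chinacloudapp.cn"    # DNS label of the v1 gateway's public IP
$v2Label     = "mynewv2gw.chinanorth2.chinacloudapp.cn"  # DNS label of the v2 gateway's public IP

# A short TTL makes clients pick up weight changes quickly; the health probe keeps
# an unhealthy gateway out of rotation regardless of its weight.
$profile = New-AzTrafficManagerProfile -Name $profileName -ResourceGroupName $rg `
    -TrafficRoutingMethod Weighted -RelativeDnsName "contoso-cutover" -Ttl 30 `
    -MonitorProtocol HTTPS -MonitorPort 443 -MonitorPath "/health"
Write-Host "CNAME www.contoso.com to $($profile.RelativeDnsName).trafficmanager.cn"

# Start with 90% of DNS resolutions going to v1 and 10% to v2. Weights must be 1..1000.
New-AzTrafficManagerEndpoint -Name "v1" -ProfileName $profileName -ResourceGroupName $rg `
    -Type ExternalEndpoints -Target $v1Label -EndpointStatus Enabled -Weight 90 | Out-Null
New-AzTrafficManagerEndpoint -Name "v2" -ProfileName $profileName -ResourceGroupName $rg `
    -Type ExternalEndpoints -Target $v2Label -EndpointStatus Enabled -Weight 10 | Out-Null

function Set-CutoverPercent {
    # Moves the given percentage of DNS resolutions to v2; the remainder stays on v1.
    param([Parameter(Mandatory)][ValidateRange(0, 100)][int] $V2Percent)
    $targets = @(
        @{ Name = "v1"; Weight = 100 - $V2Percent },
        @{ Name = "v2"; Weight = $V2Percent }
    )
    foreach ($t in $targets) {
        $ep = Get-AzTrafficManagerEndpoint -Name $t.Name -ProfileName $profileName `
            -ResourceGroupName $rg -Type ExternalEndpoints
        # 0 isn't a valid weight; an endpoint left at weight 1 still receives a trickle,
        # so disable it explicitly once the cutover is complete (see below).
        $ep.Weight = [Math]::Max(1, $t.Weight)
        Set-AzTrafficManagerEndpoint -TrafficManagerEndpoint $ep | Out-Null
    }
    Write-Host "Cutover: v2=$V2Percent% v1=$(100 - $V2Percent)% (clients follow after the $($profile.Ttl)s TTL)"
}

# Run these one at a time, checking v2 access and WAF logs between steps.
Set-CutoverPercent -V2Percent 25
Set-CutoverPercent -V2Percent 50
Set-CutoverPercent -V2Percent 100

# Once nothing is arriving at v1, take it out of rotation entirely.
Disable-AzTrafficManagerEndpoint -Name "v1" -ProfileName $profileName -ResourceGroupName $rg `
    -Type ExternalEndpoints -Force
```

Traffic Manager steers DNS answers, not connections, so clients that cache the v1 answer beyond the TTL, or that were given the v1 IP directly, keep hitting v1 until they re-resolve; watch v1's request count drop to zero before you delete it.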

Common questions

Are there any limitations with the Azure PowerShell script that migrates the configuration from v1 to v2?

Yes. See Caveats/Limitations.

Do this article and the Azure PowerShell script also apply to the Application Gateway WAF product?

Yes.

Does the Azure PowerShell script also switch traffic over from my v1 gateway to the newly created v2 gateway?

No. The Azure PowerShell script only migrates the configuration. The actual traffic migration is your responsibility and under your control.

Is the new v2 gateway created by the Azure PowerShell script sized appropriately to handle all of the traffic currently served by my v1 gateway?

The Azure PowerShell script creates the new v2 gateway with a size appropriate for the traffic on your existing v1 gateway. Autoscaling is disabled by default, but you can enable it when you run the script (-enableAutoScale) or later on the gateway itself.

I configured my v1 gateway to send logs to Azure Storage. Does the script replicate this configuration for v2 as well?

No. The script doesn't replicate diagnostic settings. Add the log configuration to the migrated v2 gateway separately, and do it before you move traffic; until then, the v2 gateway's access and WAF logs aren't collected anywhere.

Does this script support certificates uploaded to Azure Key Vault?

No. The script currently doesn't support certificates stored in Key Vault. This is being considered for a future version.

I ran into some issues using this script. How can I get help?

You can contact Azure Support under the topic "Configuration and Setup/Migrate to V2 SKU". Learn more about Azure support.

Next steps

Learn about Application Gateway v2