What is Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4, TCP and UDP) and route traffic based on source IP address and port to a destination IP address and port.

[Figure: Application Gateway concepts]

With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as the URI path or host headers. For example, you can route traffic based on the incoming URL. If /images is in the incoming URL, you can route traffic to a specific set of servers (known as a pool) configured for images. If /video is in the URL, that traffic is routed to another pool that is optimized for video.

[Figure: URL-based routing to the image and video pools (imageURLroute)]

This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

Note

Azure provides a suite of fully managed load-balancing solutions for your scenarios. If you need high-performance, low-latency, layer-4 load balancing, see What is Azure Load Balancer? If you are looking for global DNS load balancing, see What is Traffic Manager? Your end-to-end scenarios may benefit from combining these solutions.

The following features are included with Azure Application Gateway:

Secure Sockets Layer (SSL/TLS) termination

Application Gateway supports SSL/TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This feature relieves the web servers of the costly encryption and decryption overhead. Sometimes, however, unencrypted communication to the servers is not an acceptable option, because of security requirements, compliance requirements, or because the application only accepts a secure connection. For these applications, Application Gateway supports end-to-end SSL/TLS encryption.

Autoscaling

Application Gateway or WAF deployments under the Standard_v2 or WAF_v2 SKU support autoscaling and can scale up or down based on changing traffic load patterns. Autoscaling also removes the requirement to choose a deployment size or instance count during provisioning. For more information about the Application Gateway Standard_v2 and WAF_v2 features, see Autoscaling v2 SKU.

Zone redundancy

An Application Gateway or WAF deployment under the Standard_v2 or WAF_v2 SKU can span multiple Availability Zones, offering better fault resiliency and removing the need to provision separate Application Gateways in each zone.

Static VIP

The Application Gateway VIP on the Standard_v2 or WAF_v2 SKU supports the static VIP type exclusively. This ensures that the VIP associated with the Application Gateway does not change over the lifetime of the Application Gateway.

Web application firewall

Web application firewall (WAF) is a service that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1 (WAF_v2 only), 3.0, and 2.2.9.

Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. SQL injection and cross-site scripting are among the most common of these exploits. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching, and monitoring at many layers of the application topology. A centralized web application firewall makes security management much simpler and gives application administrators better assurance against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location, rather than securing each individual web application. Existing Application Gateways can easily be converted to a web application firewall enabled Application Gateway.

Ingress Controller for AKS

Application Gateway Ingress Controller (AGIC) allows you to use Application Gateway as the ingress for an Azure Kubernetes Service (AKS) cluster.

The ingress controller runs as a pod within the AKS cluster, consumes Kubernetes Ingress resources, and converts them to an Application Gateway configuration, which allows the gateway to load-balance traffic to the Kubernetes pods. The ingress controller only supports the Application Gateway v2 SKU.

For more information, see Application Gateway Ingress Controller (AGIC).

URL-based routing

URL path-based routing allows you to route traffic to backend server pools based on the URL path of the request. One scenario is to route requests for different content types to different pools.

For example, requests for http://contoso.com/video/* are routed to VideoServerPool, and requests for http://contoso.com/images/* are routed to ImageServerPool. DefaultServerPool is selected if none of the path patterns match.

For more information, see URL-based routing with Application Gateway.

Multiple-site hosting

Multiple-site hosting enables you to configure more than one web site on the same Application Gateway instance. This feature allows you to configure a more efficient topology for your deployments by adding up to 100 web sites to one Application Gateway, or 40 for WAF (for optimal performance). Each web site can be directed to its own pool. For example, an Application Gateway can serve traffic for contoso.com and fabrikam.com from two server pools called ContosoServerPool and FabrikamServerPool.

Requests for http://contoso.com are routed to ContosoServerPool, and requests for http://fabrikam.com are routed to FabrikamServerPool.

Similarly, two subdomains of the same parent domain can be hosted on the same Application Gateway deployment. Examples of using subdomains include http://blog.contoso.com and http://app.contoso.com hosted on a single Application Gateway deployment.

For more information, see multiple-site hosting with Application Gateway.

Redirection

A common scenario for many web applications is to support automatic HTTP to HTTPS redirection, to ensure that all communication between an application and its users occurs over an encrypted path.

In the past, you may have used techniques such as creating a dedicated pool whose sole purpose is to redirect the requests it receives on HTTP to HTTPS. Application Gateway supports redirecting traffic on the Application Gateway itself. This simplifies application configuration, optimizes resource usage, and supports new redirection scenarios, including global and path-based redirection. Application Gateway redirection support is not limited to HTTP to HTTPS redirection alone. It is a generic redirection mechanism, so you can redirect from and to any port you define using rules. It also supports redirection to an external site.

Application Gateway redirection support offers the following capabilities:

  • Global redirection from one port to another port on the gateway. This enables HTTP to HTTPS redirection for a site.
  • Path-based redirection. This type of redirection enables HTTP to HTTPS redirection only on a specific site area, for example a shopping cart area denoted by /cart/*.
  • Redirect to an external site.

For more information, see redirecting traffic with Application Gateway.
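The URL-based routing, multiple-site hosting and redirection rules described above, modelled as an added example in Python. This is illustrative code written for this page, not Application Gateway's own implementation or API: the Listener, PathMap and Redirect structures and the evaluation order (multi-site listener before basic listener, redirect rule before path map) are assumptions of the example, and so is the external target www.example.com; the host names, path patterns and pool names are the ones the text uses. It generalizes the page's one-site case by combining host-based listener selection, global and path-based redirects and a path map in a single evaluation:

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed, simplified model of listener/rule evaluation.  Added for
# illustration only; it is not Application Gateway code or its API.


@dataclass
class PathMap:
    rules: List[Tuple[str, str]]   # (path pattern, pool) pairs, evaluated in order
    default_pool: str              # used when no pattern matches

    def pool_for(self, path: str) -> str:
        for pattern, pool in self.rules:
            if fnmatch.fnmatchcase(path, pattern):
                return pool
        return self.default_pool


@dataclass
class Redirect:
    target_scheme: str = "https"
    target_port: int = 443
    external_url: Optional[str] = None   # set for "redirect to an external site"
    path_pattern: Optional[str] = None   # None = global redirect on this listener


@dataclass
class Listener:
    host: Optional[str]                  # None = basic listener (matches any host)
    scheme: str
    port: int
    pool: Optional[str] = None           # simple rule: forward everything here
    path_map: Optional[PathMap] = None   # URL-based routing rule
    redirect: Optional[Redirect] = None  # redirect rule (global or path-based)


@dataclass
class Decision:
    action: str   # "forward" or "redirect"
    target: str   # pool name, or the redirect URL


def select_listener(listeners: List[Listener], host: str, scheme: str, port: int):
    # A multi-site listener with an explicit host wins over a basic listener.
    candidates = [l for l in listeners if l.scheme == scheme and l.port == port]
    for l in candidates:
        if l.host == host:
            return l
    for l in candidates:
        if l.host is None:
            return l
    return None


def route(listeners: List[Listener], url: str, host_header: Optional[str] = None) -> Decision:
    parts = urlsplit(url)
    scheme = parts.scheme
    port = parts.port or (443 if scheme == "https" else 80)
    host = host_header or parts.hostname
    path = parts.path or "/"
    listener = select_listener(listeners, host, scheme, port)
    if listener is None:
        raise LookupError(f"no listener for {scheme}://{host}:{port}")
    r = listener.redirect
    if r and (r.path_pattern is None or fnmatch.fnmatchcase(path, r.path_pattern)):
        if r.external_url:
            return Decision("redirect", r.external_url)
        port_part = "" if r.target_port in (80, 443) else f":{r.target_port}"
        query = f"?{parts.query}" if parts.query else ""
        return Decision("redirect", f"{r.target_scheme}://{host}{port_part}{path}{query}")
    if listener.path_map:
        return Decision("forward", listener.path_map.pool_for(path))
    return Decision("forward", listener.pool)


# Constructed configuration using the names from the text.
CONTOSO_MAP = PathMap(
    rules=[("/video/*", "VideoServerPool"), ("/images/*", "ImageServerPool")],
    default_pool="DefaultServerPool",
)

LISTENERS = [
    # contoso.com: global HTTP -> HTTPS redirect, then URL-based routing over HTTPS
    Listener(host="contoso.com", scheme="http", port=80, redirect=Redirect()),
    Listener(host="contoso.com", scheme="https", port=443, path_map=CONTOSO_MAP),
    # fabrikam.com: only the /cart/* area is forced onto HTTPS (path-based redirect)
    Listener(host="fabrikam.com", scheme="http", port=80, pool="FabrikamServerPool",
             redirect=Redirect(path_pattern="/cart/*")),
    Listener(host="fabrikam.com", scheme="https", port=443, pool="FabrikamServerPool"),
    # basic listener on port 8080 sending everything to an external site (assumed URL)
    Listener(host=None, scheme="http", port=8080,
             redirect=Redirect(external_url="https://www.example.com/")),
]

if __name__ == "__main__":
    for u in ["https://contoso.com/video/intro.mp4", "http://contoso.com/images/logo.png?x=1",
              "http://fabrikam.com/home", "http://fabrikam.com/cart/checkout",
              "http://anything.example:8080/foo"]:
        print(u, "->", route(LISTENERS, u))
```

Path patterns are matched in the order they are listed and the first match wins, so put the more specific prefixes first; the model also shows why an HTTP listener that only redirects needs no backend pool at all, which is the simplification the text describes.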

Session affinity

The cookie-based session affinity feature is useful when you want to keep a user session on the same server. By using gateway-managed cookies, the Application Gateway can direct subsequent traffic from a user session to the same server for processing. This is important in cases where session state is saved locally on the server for a user session.

WebSocket and HTTP/2 traffic

Application Gateway provides native support for the WebSocket and HTTP/2 protocols. There is no user-configurable setting to selectively enable or disable WebSocket support.

The WebSocket and HTTP/2 protocols enable full-duplex communication between a server and a client over a long-running TCP connection. This allows for more interactive communication between the web server and the client, which can be bidirectional without the polling that HTTP-based implementations require. Unlike HTTP, these protocols have low overhead and can reuse the same TCP connection for multiple requests and responses, resulting in more efficient resource utilization. These protocols are designed to work over the traditional HTTP ports 80 and 443.

For more information, see WebSocket support and HTTP/2 support.

Connection draining

Connection draining helps you achieve graceful removal of backend pool members during planned service updates. This setting is enabled via the backend HTTP setting and can be applied to all members of a backend pool during rule creation. Once enabled, Application Gateway ensures that all deregistering instances of a backend pool receive no new requests, while allowing existing requests to complete within a configured time limit. This applies both to backend instances that are explicitly removed from the backend pool by a user configuration change and to backend instances that are reported as unhealthy by the health probes. The only exception is requests that gateway-managed session affinity binds to an instance that has been explicitly deregistered; those requests continue to be proxied to the deregistering instance.

For more information, see the Connection Draining section of Application Gateway Configuration Overview.
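The interaction between connection draining and session affinity described above, as an added example written for this page rather than Application Gateway code. It models a backend pool in which a deregistering instance gets no new requests but may finish in-flight ones until the drain timeout, and in which only an instance removed by a configuration change (not one drained because a probe reported it unhealthy) keeps receiving affinity-bound requests; the DrainingPool class, round-robin selection, the instance names web-1 to web-3 and the 30-second timeout are all assumptions of the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of connection draining plus gateway-managed affinity.
# Added for illustration; not Application Gateway's implementation.


@dataclass
class Backend:
    name: str
    drain_deadline: Optional[float] = None  # set once the instance starts draining
    explicit: bool = False                  # True = removed by config change, False = failed probe

    def accepting_new(self) -> bool:
        return self.drain_deadline is None

    def in_drain_window(self, now: float) -> bool:
        return self.drain_deadline is not None and now < self.drain_deadline


class DrainingPool:
    def __init__(self, names: List[str], drain_timeout_sec: float):
        self.backends: Dict[str, Backend] = {n: Backend(n) for n in names}
        self.drain_timeout = drain_timeout_sec
        self._rr = 0  # round-robin cursor for ordinary (non-affinity) requests

    def remove_by_config(self, name: str, now: float) -> None:
        """Operator removes the instance from the pool: drain, with affinity exception."""
        self._start_drain(name, now, explicit=True)

    def mark_unhealthy(self, name: str, now: float) -> None:
        """Health probe reports the instance unhealthy: drain, no affinity exception."""
        self._start_drain(name, now, explicit=False)

    def _start_drain(self, name: str, now: float, explicit: bool) -> None:
        b = self.backends[name]
        if b.drain_deadline is None:          # a second trigger does not extend the window
            b.drain_deadline = now + self.drain_timeout
            b.explicit = explicit

    def select(self, now: float, affinity_cookie: Optional[str] = None) -> str:
        """Pick the backend for a new request, honouring the affinity cookie if possible."""
        if affinity_cookie in self.backends:
            b = self.backends[affinity_cookie]
            # Affinity keeps the request on an explicitly deregistered instance
            # only while its drain window is open.
            if b.accepting_new() or (b.explicit and b.in_drain_window(now)):
                return b.name
        eligible = [b for b in self.backends.values() if b.accepting_new()]
        if not eligible:
            raise RuntimeError("no backend accepts new requests")
        chosen = eligible[self._rr % len(eligible)]
        self._rr += 1
        return chosen.name

    def may_complete_in_flight(self, name: str, now: float) -> bool:
        """Whether a request already running on this instance is still allowed to finish."""
        b = self.backends[name]
        return b.accepting_new() or b.in_drain_window(now)


if __name__ == "__main__":
    pool = DrainingPool(["web-1", "web-2", "web-3"], drain_timeout_sec=30)
    t0 = 1000.0
    pool.remove_by_config("web-2", t0)
    print("new request       ->", pool.select(t0 + 1))
    print("affinity to web-2 ->", pool.select(t0 + 1, affinity_cookie="web-2"))
    print("web-2 after 31 s  ->", pool.may_complete_in_flight("web-2", t0 + 31))
```

The point to verify in a real deployment is the last branch: a session pinned to an instance by the affinity cookie still lands on that instance while it is deregistering, so a rolling update that relies on draining should also expect affinity-bound sessions to persist on the old instance until the configured timeout expires.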

Custom error pages

Application Gateway allows you to create custom error pages instead of displaying the default error pages. You can apply your own branding and layout with a custom error page.

For more information, see Custom Errors.

Rewrite HTTP headers

HTTP headers allow the client and server to pass additional information with the request or the response. Rewriting these HTTP headers helps you accomplish several important scenarios, such as:

  • Adding security-related header fields like HSTS or X-XSS-Protection.
  • Removing response header fields that can reveal sensitive information.
  • Stripping port information from X-Forwarded-For headers.

Application Gateway supports adding, removing, or updating HTTP request and response headers while the request and response packets move between the client and the backend pools. It also lets you add conditions to ensure that the specified headers are rewritten only when certain conditions are met.

For more information, see Rewrite HTTP headers.
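The three header-rewrite scenarios listed above, worked through as an added Python example written for this page; it is not Application Gateway's rewrite-rule engine or its configuration syntax. The list of sensitive response headers, the HSTS value, the "only on HTTPS responses" condition and the sample header values are assumptions chosen for the example:

```python
import re
from typing import Dict

# Constructed, simplified header-rewrite stage.  Added for illustration;
# not Application Gateway's rewrite-rule implementation.

# Response headers that leak server software details (assumed list).
SENSITIVE_RESPONSE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# One X-Forwarded-For entry of the form "a.b.c.d" or "a.b.c.d:port".
IPV4_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\s*$")


def strip_ports_from_xff(value: str) -> str:
    """'10.0.0.1:52310, 203.0.113.5:443' -> '10.0.0.1, 203.0.113.5'.

    Entries that are not IPv4[:port] (IPv6 literals, 'unknown') are kept as-is so
    the rewrite never corrupts an address it does not understand.
    """
    parts = []
    for entry in value.split(","):
        m = IPV4_RE.match(entry)
        parts.append(m.group(1) if m else entry.strip())
    return ", ".join(parts)


def rewrite_request_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Request direction: normalise X-Forwarded-For before it reaches the backend."""
    out = dict(headers)
    for name in list(out):
        if name.lower() == "x-forwarded-for":
            out[name] = strip_ports_from_xff(out[name])
    return out


def rewrite_response_headers(headers: Dict[str, str], scheme: str) -> Dict[str, str]:
    """Response direction: drop fingerprinting headers, add security headers."""
    out = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_RESPONSE_HEADERS}
    # Conditional rewrite: HSTS is only meaningful on a response delivered over
    # HTTPS, so the header is added only when that condition holds.
    if scheme == "https":
        out["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
    # X-Content-Type-Options is an unconditional addition.  X-XSS-Protection, which
    # the text also names, is no longer honoured by current browsers, so it is omitted here.
    out.setdefault("X-Content-Type-Options", "nosniff")
    return out


if __name__ == "__main__":
    # Constructed sample headers.
    req = {"Host": "contoso.com", "X-Forwarded-For": "10.0.0.1:52310, 203.0.113.5:443"}
    resp = {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4", "Content-Type": "text/html"}
    print(rewrite_request_headers(req))
    print(rewrite_response_headers(resp, "https"))
```

Backends that log or rate-limit by client address usually expect a bare IP in X-Forwarded-For, which is why the port-stripping rewrite is worth applying at the gateway rather than patching every application.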

Sizing

The Application Gateway Standard_v2 and WAF_v2 SKUs can be configured for autoscaling or fixed-size deployments. These SKUs do not offer different instance sizes. For more information on v2 performance and pricing, see Autoscaling v2 SKU.

The Application Gateway Standard and WAF SKUs are currently offered in three sizes: Small, Medium, and Large. Small instance sizes are intended for development and testing scenarios.

For a complete list of Application Gateway limits, see Application Gateway service limits.

The following table shows the average performance throughput for each Application Gateway v1 instance with SSL offload enabled:

Average back-end page response size   Small      Medium     Large
6 KB                                  7.5 Mbps   13 Mbps    50 Mbps
100 KB                                35 Mbps    100 Mbps   200 Mbps

Note

These values are approximate values for Application Gateway throughput. The actual throughput depends on various environment details, such as average page size, location of the backend instances, and the processing time to serve a page. For exact performance numbers, you should run your own tests. These values are provided only as capacity planning guidance.

Next steps

Depending on your requirements and environment, you can create a test Application Gateway using the Azure portal, Azure PowerShell, or Azure CLI: