What is Azure Application Gateway?

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI layer 4, TCP and UDP) and route traffic based on source IP address and port to a destination IP address and port.

[Figure: Application Gateway concepts]

With Application Gateway, you can make routing decisions based on additional attributes of an HTTP request, such as the URI path or host headers. For example, you can route traffic based on the incoming URL: if /images is in the incoming URL, you can route the traffic to a specific set of servers (known as a pool) configured for images, and if /video is in the URL, that traffic is routed to another pool that's optimized for video.

[Figure: URL-based routing example]

This type of routing is known as application layer (OSI layer 7) load balancing. Azure Application Gateway can do URL-based routing and more.

The following features are included with Azure Application Gateway:

Secure Sockets Layer (SSL/TLS) termination

Application Gateway supports SSL/TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. This relieves the web servers of the cost of encryption and decryption. With termination alone, the hop from the gateway to the backend servers is plaintext inside the virtual network. Sometimes that is not acceptable, because of security or compliance requirements, or because the application only accepts secure connections. For these applications, Application Gateway supports end-to-end SSL/TLS encryption, which re-encrypts the gateway-to-backend hop.
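The two modes side by side, as an added Azure PowerShell (Az.Network) example that is not part of the original page or of Microsoft's documentation. It assumes an existing v1-SKU gateway named appgw-web in resource group rg-web with a frontend IP configuration called appGatewayFrontendIP and a backend pool called appGatewayBackendPool, a PFX for the public name at C:\certs\contoso.pfx, and the backend server's public certificate exported as C:\certs\backend.cer; all of those names and paths are assumptions.

```powershell
# Added example (not from the page): TLS termination at the gateway versus end-to-end TLS.
# Assumed names: rg-web, appgw-web, appGatewayFrontendIP, appGatewayBackendPool, certificate paths.
$gw = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"

# 1. Certificate the gateway presents to clients (PFX with private key; password prompted, never hard-coded)
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$gw   = Add-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "contoso-tls" `
          -CertificateFile "C:\certs\contoso.pfx" -Password $pfxPassword
$cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "contoso-tls"

# 2. Terminating TLS also means the gateway decides which protocol versions clients may use.
#    The predefined "S" policy allows TLS 1.2 only; the default policy still accepts TLS 1.0/1.1.
$gw = Set-AzApplicationGatewaySslPolicy -ApplicationGateway $gw -PolicyType Predefined -PolicyName "AppGwSslPolicy20170401S"

# 3. HTTPS listener on port 443
$fip  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name "appGatewayFrontendIP"
$gw   = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port443" -Port 443
$p443 = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port443"
$gw   = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "https-listener" -Protocol Https `
          -FrontendIPConfiguration $fip -FrontendPort $p443 -SslCertificate $cert

# 4a. Termination only: the gateway speaks plain HTTP to the pool on port 80 (cleartext inside the VNet).
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "http-to-backend" `
        -Port 80 -Protocol Http -CookieBasedAffinity Disabled -RequestTimeout 30

# 4b. End-to-end: re-encrypt to the backend. On the v1 SKU the backend's public certificate (.cer) is
#     whitelisted as an authentication certificate; a backend presenting any other certificate is rejected.
$gw   = Add-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name "backend-cert" `
          -CertificateFile "C:\certs\backend.cer"
$auth = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name "backend-cert"
$gw   = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "https-to-backend" `
          -Port 443 -Protocol Https -CookieBasedAffinity Disabled -RequestTimeout 30 -AuthenticationCertificates $auth

# 5. Wire the HTTPS listener to the end-to-end settings (a listener must be referenced by a rule).
$pool = Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "appGatewayBackendPool"
$lst  = Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "https-listener"
$e2e  = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "https-to-backend"
$gw   = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "https-e2e-rule" -RuleType Basic `
          -HttpListener $lst -BackendAddressPool $pool -BackendHttpSettings $e2e

Set-AzApplicationGateway -ApplicationGateway $gw
```

Switching a rule from "https-to-backend" to "http-to-backend" is all it takes to fall back to termination only, which is why the choice should be reviewed per rule rather than per gateway. The authentication certificate is the piece most often skipped in practice; without it the backend hop is encrypted but the gateway has no way to tell the intended server from any other TLS endpoint on the network.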

Web application firewall

Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities. WAF is based on rules from the OWASP (Open Web Application Security Project) core rule set (CRS) 3.0 or 2.2.9.

Web applications are increasingly targets of malicious attacks that exploit commonly known vulnerabilities; SQL injection and cross-site scripting are among the most common. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at many layers of the application topology. A centralized web application firewall makes security management much simpler and gives application administrators better assurance against threats or intrusions. A WAF can also react to a security threat faster, by mitigating a known vulnerability at one central location rather than securing each individual web application; it blocks the attack classes its rules describe, so it complements rather than replaces fixing the vulnerability in the application. Existing application gateways can easily be converted to WAF-enabled application gateways.

For more information, see Web application firewall (WAF) in Application Gateway.
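Converting an existing Standard gateway to WAF, as an added Azure PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes a v1-SKU gateway appgw-web in resource group rg-web (both names are assumptions), and the two CRS rule IDs it disables are illustrative; which rules misfire is specific to each application.

```powershell
# Added example (not from the page): enable WAF with OWASP CRS 3.0 on an existing gateway.
# Assumed names: rg-web, appgw-web. Rule IDs 942130/942200 are CRS 3.0 SQLi rules used only as an illustration.
$gw = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"

# The WAF feature requires the WAF tier; the Standard size is kept (Standard_Medium -> WAF_Medium).
$gw = Set-AzApplicationGatewaySku -ApplicationGateway $gw -Name "WAF_Medium" -Tier "WAF" -Capacity 2

# Phase 1, Detection: rules are evaluated and written to the ApplicationGatewayFirewallLog diagnostic
# category but nothing is blocked, so false positives surface before real users are affected.
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw -Enabled $true `
        -FirewallMode Detection -RuleSetType "OWASP" -RuleSetVersion "3.0"
Set-AzApplicationGateway -ApplicationGateway $gw

# Phase 2, after reviewing the firewall log: switch to Prevention. Disable only the individual rules that
# misfire on this application, never the whole SQLi rule group, and keep request-body inspection on so
# that payloads in POST bodies are inspected and not just the URL and headers.
$disabled = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig `
              -RuleGroupName "REQUEST-942-APPLICATION-ATTACK-SQLI" -Rules 942130, 942200
$gw = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"
$gw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $gw -Enabled $true `
        -FirewallMode Prevention -RuleSetType "OWASP" -RuleSetVersion "3.0" -DisabledRuleGroup $disabled `
        -RequestBodyCheck $true -MaxRequestBodySizeInKb 128
Set-AzApplicationGateway -ApplicationGateway $gw
```

The Detection-then-Prevention sequence is the practical way to "convert" a gateway: the SKU change is a single property, but flipping straight to Prevention on a production gateway blocks whatever the CRS considers anomalous in legitimate traffic. The firewall log only exists if a diagnostic setting has been configured to send that category somewhere, which this example does not do.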

URL-based routing

URL path-based routing lets you route traffic to backend server pools based on the URL path of the request. One scenario is routing requests for different content types to different pools.

For example, requests for http://contoso.com/video/* are routed to VideoServerPool, and requests for http://contoso.com/images/* are routed to ImageServerPool. DefaultServerPool is selected if none of the path patterns match.

For more information, see URL-based routing with Application Gateway.

Multiple-site hosting

Multiple-site hosting enables you to configure more than one web site on the same application gateway instance. This feature allows you to configure a more efficient topology for your deployments by adding up to 100 web sites to one application gateway. Each web site can be directed to its own pool. For example, an application gateway can serve traffic for contoso.com and fabrikam.com from two server pools called ContosoServerPool and FabrikamServerPool.

Requests for http://contoso.com are routed to ContosoServerPool, and requests for http://fabrikam.com are routed to FabrikamServerPool.

Similarly, two subdomains of the same parent domain can be hosted on the same application gateway deployment. Examples of using subdomains could include http://blog.contoso.com and http://app.contoso.com hosted on a single application gateway deployment.

For more information, see multiple-site hosting with Application Gateway.
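Both the URL-based routing section and the multiple-site hosting section above describe the same layer 7 decision (host name first, then path), so here is one added Azure PowerShell example covering both; it is not part of the original page or of Microsoft's documentation. It assumes gateway appgw-web in resource group rg-web with a frontend IP configuration appGatewayFrontendIP, a frontend port port443, an SSL certificate contoso-tls whose subject alternative names cover both host names, and a backend HTTP setting https-to-backend; the pool names follow the page, the backend IP addresses are placeholders.

```powershell
# Added example (not from the page): per-host listeners plus path-based routing on one of them.
# Assumed names: rg-web, appgw-web, appGatewayFrontendIP, port443, contoso-tls, https-to-backend; IPs are placeholders.
$gw   = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"
$fip  = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name "appGatewayFrontendIP"
$port = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port443"
$cert = Get-AzApplicationGatewaySslCertificate -ApplicationGateway $gw -Name "contoso-tls"
$http = Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "https-to-backend"

# Backend pools named as in the page (addresses are placeholders)
$pools = [ordered]@{ VideoServerPool = @("10.0.1.10", "10.0.1.11"); ImageServerPool = @("10.0.1.20")
                     DefaultServerPool = @("10.0.1.30"); FabrikamServerPool = @("10.0.2.10") }
foreach ($p in $pools.GetEnumerator()) {
    $gw = Add-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name $p.Key -BackendIPAddresses $p.Value
}
function Pool([string]$name) { Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name $name }

# One multi-site listener per host name. A request whose host name matches neither listener is not served by
# these rules; add a basic listener (no -HostName) on the same port only if you want a catch-all.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "contoso-listener" -Protocol Https `
        -FrontendIPConfiguration $fip -FrontendPort $port -SslCertificate $cert -HostName "contoso.com"
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "fabrikam-listener" -Protocol Https `
        -FrontendIPConfiguration $fip -FrontendPort $port -SslCertificate $cert -HostName "fabrikam.com"

# Path rules for contoso.com; whatever matches no pattern goes to DefaultServerPool
$video = New-AzApplicationGatewayPathRuleConfig -Name "video"  -Paths "/video/*"  -BackendAddressPool (Pool "VideoServerPool") -BackendHttpSettings $http
$image = New-AzApplicationGatewayPathRuleConfig -Name "images" -Paths "/images/*" -BackendAddressPool (Pool "ImageServerPool") -BackendHttpSettings $http
$gw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "contoso-paths" -PathRules $video, $image `
        -DefaultBackendAddressPool (Pool "DefaultServerPool") -DefaultBackendHttpSettings $http

$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "contoso-rule" -RuleType PathBasedRouting `
        -HttpListener (Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "contoso-listener") `
        -UrlPathMap (Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "contoso-paths")
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "fabrikam-rule" -RuleType Basic `
        -HttpListener (Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "fabrikam-listener") `
        -BackendAddressPool (Pool "FabrikamServerPool") -BackendHttpSettings $http
Set-AzApplicationGateway -ApplicationGateway $gw
```

The point worth checking after deployment is the default pool: every path that is not explicitly listed, including anything an attacker types, lands on DefaultServerPool, so that pool should hold the hardened general-purpose servers rather than whichever pool happened to be created first.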

Redirection

A common scenario for many web applications is to support automatic HTTP to HTTPS redirection, to ensure all communication between an application and its users occurs over an encrypted path.

In the past, you may have used techniques such as creating a dedicated pool whose sole purpose is to redirect requests it receives on HTTP to HTTPS. Application Gateway supports redirecting traffic on the gateway itself. This simplifies application configuration, optimizes resource usage, and supports new redirection scenarios, including global and path-based redirection. Application Gateway redirection isn't limited to HTTP to HTTPS: it is a generic redirection mechanism, so you can redirect from and to any port you define using rules, and you can redirect to an external site.

Application Gateway redirection support offers the following capabilities:

  • Global redirection from one port to another port on the gateway. This enables HTTP to HTTPS redirection for a site.
  • Path-based redirection. This type of redirection enables HTTP to HTTPS redirection only for a specific area of the site, for example a shopping cart area denoted by /cart/*.
  • Redirection to an external site.

For more information, see redirecting traffic with Application Gateway.
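The three redirection types in the list above, as an added Azure PowerShell example that is not part of the original page or of Microsoft's documentation. It assumes gateway appgw-web in resource group rg-web, a frontend IP configuration appGatewayFrontendIP, existing HTTPS listeners contoso-listener and fabrikam-listener, a pool FabrikamServerPool, a backend HTTP setting http-to-backend, and an external target https://archive.example.net/; all of these are assumptions.

```powershell
# Added example (not from the page): global, path-based and external redirects on one gateway.
# Assumed names: rg-web, appgw-web, appGatewayFrontendIP, contoso-listener, fabrikam-listener,
# FabrikamServerPool, http-to-backend; archive.example.net is a placeholder.
$gw    = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"
$fip   = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $gw -Name "appGatewayFrontendIP"
$gw    = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port80" -Port 80
$p80   = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $gw -Name "port80"
function Listener([string]$name) { Get-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name $name }
function Redirect([string]$name) { Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name $name }

# 1. Global: everything arriving on contoso.com:80 gets a 301 to the HTTPS listener, path and query preserved.
#    Permanent lets browsers cache the redirect; use -RedirectType Temporary while still testing.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "contoso-http" -Protocol Http `
        -FrontendIPConfiguration $fip -FrontendPort $p80 -HostName "contoso.com"
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "http-to-https" `
        -RedirectType Permanent -TargetListener (Listener "contoso-listener") -IncludePath $true -IncludeQueryString $true
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "contoso-http-rule" -RuleType Basic `
        -HttpListener (Listener "contoso-http") -RedirectConfiguration (Redirect "http-to-https")

# 2. Path-based, on a second site: only /cart/* is forced to HTTPS and /legacy/* is sent off-site;
#    every other fabrikam.com path is still served over plain HTTP from FabrikamServerPool.
$gw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $gw -Name "fabrikam-http" -Protocol Http `
        -FrontendIPConfiguration $fip -FrontendPort $p80 -HostName "fabrikam.com"
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "cart-to-https" `
        -RedirectType Permanent -TargetListener (Listener "fabrikam-listener") -IncludePath $true -IncludeQueryString $true
# 3. External site: a fixed target URL instead of a listener. Query string deliberately dropped so that
#    parameters meant for this site are not forwarded to a third party.
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw -Name "legacy-external" `
        -RedirectType Found -TargetUrl "https://archive.example.net/" -IncludeQueryString $false

$cart   = New-AzApplicationGatewayPathRuleConfig -Name "cart"   -Paths "/cart/*"   -RedirectConfiguration (Redirect "cart-to-https")
$legacy = New-AzApplicationGatewayPathRuleConfig -Name "legacy" -Paths "/legacy/*" -RedirectConfiguration (Redirect "legacy-external")
$gw = Add-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "fabrikam-http-paths" -PathRules $cart, $legacy `
        -DefaultBackendAddressPool (Get-AzApplicationGatewayBackendAddressPool -ApplicationGateway $gw -Name "FabrikamServerPool") `
        -DefaultBackendHttpSettings (Get-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "http-to-backend")
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "fabrikam-http-rule" -RuleType PathBasedRouting `
        -HttpListener (Listener "fabrikam-http") `
        -UrlPathMap (Get-AzApplicationGatewayUrlPathMapConfig -ApplicationGateway $gw -Name "fabrikam-http-paths")
Set-AzApplicationGateway -ApplicationGateway $gw
```

A redirect only helps a client that has already sent its first request in the clear; it does not stop that request from carrying a cookie or form data over HTTP. Pair the global redirect with a Strict-Transport-Security header from the application so returning browsers never make the HTTP request at all, and treat the path-based variant as a migration aid rather than a final state.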

Session affinity

The cookie-based session affinity feature is useful when you want to keep a user session on the same server. By using gateway-managed cookies, Application Gateway can direct subsequent traffic from a user session to the same server for processing. This is important where session state is saved locally on the server for a user session.

WebSocket and HTTP/2 traffic

Application Gateway provides native support for the WebSocket and HTTP/2 protocols. There is no user-configurable setting to selectively enable or disable WebSocket support.

The WebSocket and HTTP/2 protocols enable full-duplex communication between a server and a client over a long-running TCP connection. This allows more interactive communication between the web server and the client, which can be bidirectional without the polling that HTTP/1.x-based implementations require. These protocols have low overhead compared with HTTP/1.x and can reuse the same TCP connection for multiple requests and responses, giving more efficient resource utilization. They are designed to work over the traditional HTTP ports 80 and 443.

For more information, see WebSocket support and HTTP/2 support.

Connection draining

Connection draining helps you remove backend pool members gracefully during planned service updates. The setting is enabled in the backend HTTP settings and can be applied to all members of a backend pool during rule creation. Once enabled, Application Gateway ensures that instances being de-registered from a backend pool receive no new requests, while existing requests are allowed to complete within a configured time limit. This applies both to backend instances that are explicitly removed from the backend pool by an API call and to backend instances that the health probes report as unhealthy.
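Session affinity and connection draining are both properties of one backend HTTP setting, together with the health probe whose verdict triggers draining, so here is one added Azure PowerShell example for the two sections above; it is not part of the original page or of Microsoft's documentation. It assumes gateway appgw-web in resource group rg-web, an authentication certificate backend-cert already uploaded for end-to-end TLS, a backend health endpoint /healthz, and the host name app.contoso.internal expected by the backend servers; all are assumptions.

```powershell
# Added example (not from the page): backend HTTP setting with affinity, draining and a custom probe.
# Assumed names: rg-web, appgw-web, backend-cert, /healthz, app.contoso.internal.
$gw = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName "rg-web"

# Custom probe: an instance that fails three consecutive checks (about 90 s here) is marked unhealthy.
# With draining enabled it then finishes in-flight requests but receives no new ones.
$gw = Add-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "app-health" -Protocol Https `
        -Path "/healthz" -Interval 30 -Timeout 30 -UnhealthyThreshold 3 -PickHostNameFromBackendHttpSettings
$probe = Get-AzApplicationGatewayProbeConfig -ApplicationGateway $gw -Name "app-health"

# Drain timeout: the grace period for requests already in progress. Size it to the longest legitimate
# request; a generous value also delays the removal of a misbehaving or compromised instance by that long.
$drain = New-AzApplicationGatewayConnectionDraining -Enabled $true -DrainTimeoutInSec 60

# Affinity is a routing hint carried in a gateway-issued cookie, not an authentication token: a client that
# drops or alters the cookie is simply routed afresh, so the application must never rely on it as a control.
$auth = Get-AzApplicationGatewayAuthenticationCertificate -ApplicationGateway $gw -Name "backend-cert"
$gw = Add-AzApplicationGatewayBackendHttpSetting -ApplicationGateway $gw -Name "sticky-https" `
        -Port 443 -Protocol Https -CookieBasedAffinity Enabled -RequestTimeout 30 `
        -HostName "app.contoso.internal" -Probe $probe -ConnectionDraining $drain -AuthenticationCertificates $auth
Set-AzApplicationGateway -ApplicationGateway $gw
```

Existing rules keep using whatever setting they were created with; the new "sticky-https" setting only takes effect for rules that reference it. The probe host name is taken from the setting's -HostName, so the /healthz endpoint must answer for app.contoso.internal or the instance is drained before it ever serves a request.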

Sizing

The Application Gateway Standard and WAF SKUs are currently offered in three sizes: Small, Medium, and Large. Small instance sizes are intended for development and testing scenarios.

For a complete list of application gateway limits, see Application Gateway service limits.

The following table shows the average throughput per application gateway instance with SSL offload enabled:

Average back-end page response size   Small      Medium     Large
6 KB                                  7.5 Mbps   13 Mbps    50 Mbps
100 KB                                35 Mbps    100 Mbps   200 Mbps

Note

These values are approximate values for application gateway throughput. The actual throughput depends on various environment details, such as average page size, location of the backend instances, and the processing time needed to serve a page. For exact performance numbers, run your own tests. These values are provided for capacity planning guidance only.

Next steps

Depending on your requirements and environment, you can create a test Application Gateway using the Azure portal, Azure PowerShell, or Azure CLI: