Create an application gateway with HTTP to HTTPS redirection using the Azure CLI

You can use the Azure CLI to create an application gateway with a certificate for SSL termination. A routing rule is used to redirect HTTP traffic to the HTTPS port in your application gateway. In this example, you also create a virtual machine scale set for the backend pool of the application gateway that contains two virtual machine instances.

In this article, you learn how to:

  • Create a self-signed certificate
  • Set up a network
  • Create an application gateway with the certificate
  • Add a listener and redirection rule
  • Create a virtual machine scale set with the default backend pool

If you don't have an Azure subscription, create a Trial before you begin.

If you choose to install and use the CLI locally, this quickstart requires that you are running the Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this tutorial, you create a self-signed certificate and pfx file using the openssl command.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out appgwcert.crt

Enter values that make sense for your certificate. You can accept the default values.

openssl pkcs12 -export -out appgwcert.pfx -inkey privateKey.key -in appgwcert.crt

Enter the password for the certificate. In this example, Azure123456! is used.

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using az group create.

The following example creates a resource group named myResourceGroupAG in the chinanorth location.

az group create --name myResourceGroupAG --location chinanorth

Create network resources

Create the virtual network named myVNet and the subnet named myAGSubnet using az network vnet create. You can then add the subnet named myBackendSubnet that's needed by the backend servers using az network vnet subnet create. Create the public IP address named myAGPublicIPAddress using az network public-ip create.

az network vnet create `
  --name myVNet `
  --resource-group myResourceGroupAG `
  --location chinanorth `
  --address-prefix 10.0.0.0/16 `
  --subnet-name myAGSubnet `
  --subnet-prefix 10.0.1.0/24
az network vnet subnet create `
  --name myBackendSubnet `
  --resource-group myResourceGroupAG `
  --vnet-name myVNet `
  --address-prefix 10.0.2.0/24
az network public-ip create `
  --resource-group myResourceGroupAG `
  --name myAGPublicIPAddress

Create the application gateway

You can use az network application-gateway create to create the application gateway named myAppGateway. When you create an application gateway using the Azure CLI, you specify configuration information, such as capacity, sku, and HTTP settings.

The application gateway is assigned to myAGSubnet and myAGPublicIPAddress that you previously created. In this example, you associate the certificate that you created and its password when you create the application gateway.

az network application-gateway create `
  --name myAppGateway `
  --location chinanorth `
  --resource-group myResourceGroupAG `
  --vnet-name myVNet `
  --subnet myAGSubnet `
  --capacity 2 `
  --sku Standard_Medium `
  --http-settings-cookie-based-affinity Disabled `
  --frontend-port 443 `
  --http-settings-port 80 `
  --http-settings-protocol Http `
  --public-ip-address myAGPublicIPAddress `
  --cert-file appgwcert.pfx `
  --cert-password "Azure123456!"

It may take several minutes for the application gateway to be created. After the application gateway is created, it has these new features:

  • appGatewayBackendPool - An application gateway must have at least one backend address pool.
  • appGatewayBackendHttpSettings - Specifies that port 80 and the HTTP protocol are used for communication.
  • appGatewayHttpListener - The default listener associated with appGatewayBackendPool.
  • appGatewayFrontendIP - Assigns myAGPublicIPAddress to appGatewayHttpListener.
  • rule1 - The default routing rule that is associated with appGatewayHttpListener.

Add a listener and redirection rule

Add the HTTP port

You can use az network application-gateway frontend-port create to add the HTTP port to the application gateway.

az network application-gateway frontend-port create `
  --port 80 `
  --gateway-name myAppGateway `
  --resource-group myResourceGroupAG `
  --name httpPort

Add the HTTP listener

You can use az network application-gateway http-listener create to add the listener named myListener to the application gateway.

az network application-gateway http-listener create `
  --name myListener `
  --frontend-ip appGatewayFrontendIP `
  --frontend-port httpPort `
  --resource-group myResourceGroupAG `
  --gateway-name myAppGateway

Add the redirection configuration

Add the HTTP to HTTPS redirection configuration to the application gateway using az network application-gateway redirect-config create.

az network application-gateway redirect-config create `
  --name httpToHttps `
  --gateway-name myAppGateway `
  --resource-group myResourceGroupAG `
  --type Permanent `
  --target-listener appGatewayHttpListener `
  --include-path true `
  --include-query-string true

Add the routing rule

Add the routing rule named rule2 with the redirection configuration to the application gateway using az network application-gateway rule create.

az network application-gateway rule create `
  --gateway-name myAppGateway `
  --name rule2 `
  --resource-group myResourceGroupAG `
  --http-listener myListener `
  --rule-type Basic `
  --redirect-config httpToHttps

Create a virtual machine scale set

In this example, you create a virtual machine scale set named myvmss that provides servers for the backend pool in the application gateway. The virtual machines in the scale set are associated with myBackendSubnet and appGatewayBackendPool. To create the scale set, you can use az vmss create.

az vmss create `
  --name myvmss `
  --resource-group myResourceGroupAG `
  --image UbuntuLTS `
  --admin-username azureuser `
  --admin-password Azure123456! `
  --instance-count 2 `
  --vnet-name myVNet `
  --subnet myBackendSubnet `
  --vm-sku Standard_DS2 `
  --upgrade-policy-mode Automatic `
  --app-gateway myAppGateway `
  --backend-pool-name appGatewayBackendPool

Install NGINX

az vmss extension set `
  --publisher Microsoft.Azure.Extensions `
  --version 2.0 `
  --name CustomScript `
  --resource-group myResourceGroupAG `
  --vmss-name myvmss `
  --settings '{ "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/install_nginx.sh"],
  "commandToExecute": "./install_nginx.sh" }'

Test the application gateway

To get the public IP address of the application gateway, you can use az network public-ip show. Copy the public IP address, and then paste it into the address bar of your browser.

az network public-ip show `
  --resource-group myResourceGroupAG `
  --name myAGPublicIPAddress `
  --query [ipAddress] `
  --output tsv

[Image: security warning]

To accept the security warning if you used a self-signed certificate, select Details and then Go on to the webpage. Your secured NGINX site is then displayed as in the following example:

[Image: test base URL in application gateway]
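
To check the redirect itself rather than only the final page, the first response on port 80 can be compared with the httpToHttps settings. The following is an added example, not part of the original article: the function name Test-HttpToHttpsRedirect is hypothetical, and the sample responses are constructed (203.0.113.10 is a documentation address standing in for the gateway's public IP).

```powershell
# Added example: check one captured response against the httpToHttps settings
# (--type Permanent, --include-path true, --include-query-string true).
function Test-HttpToHttpsRedirect {
    param(
        [Parameter(Mandatory)] [uri] $RequestUri,  # http:// URL that was requested
        [Parameter(Mandatory)] [int] $StatusCode,  # status of the first response
        [string] $Location                         # its Location header, if any
    )
    $problems = @()
    if ($StatusCode -ne 301) {
        $problems += "status $StatusCode, expected 301 (--type Permanent)"
    }
    $target = $null
    if ($Location) { $target = [uri]$Location }
    if (-not $target -or -not $target.IsAbsoluteUri) {
        $problems += 'Location header missing or not an absolute URL'
    } else {
        if ($target.Scheme -ne 'https') { $problems += "target scheme is $($target.Scheme), not https" }
        if ($target.Port -ne 443)       { $problems += "target port is $($target.Port), not 443" }
        if ($target.Host -ne $RequestUri.Host) { $problems += "host changed to $($target.Host)" }
        if ($target.AbsolutePath -cne $RequestUri.AbsolutePath) { $problems += 'path not preserved (--include-path)' }
        if ($target.Query -cne $RequestUri.Query) { $problems += 'query string not preserved (--include-query-string)' }
    }
    [pscustomobject]@{
        Request  = $RequestUri.AbsoluteUri
        Passed   = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

# Constructed sample responses: one as configured, one temporary redirect that
# drops path and query, and one that does not redirect at all.
$request = 'http://203.0.113.10/docs/index.html?id=7'
$samples = @(
    @{ RequestUri = $request; StatusCode = 301; Location = 'https://203.0.113.10/docs/index.html?id=7' }
    @{ RequestUri = $request; StatusCode = 302; Location = 'https://203.0.113.10/' }
    @{ RequestUri = $request; StatusCode = 200; Location = '' }
)
foreach ($s in $samples) { Test-HttpToHttpsRedirect @s }
```

For a live check, request the gateway's public IP address over HTTP with automatic redirect following disabled, and pass the resulting status code and Location header to the function.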

Next steps

In this tutorial, you learned how to:

  • Create a self-signed certificate
  • Set up a network
  • Create an application gateway with the certificate
  • Add a listener and redirection rule
  • Create a virtual machine scale set with the default backend pool