Create an application gateway with HTTP to HTTPS redirection using the Azure portal

You can use the Azure portal to create an application gateway with a certificate for TLS termination. A routing rule is used to redirect HTTP traffic to the HTTPS port in your application gateway. In this example, you also create a virtual machine scale set for the backend pool of the application gateway that contains two virtual machine instances.

In this article, you learn how to:

  • Create a self-signed certificate
  • Set up a network
  • Create an application gateway with the certificate
  • Add a listener and redirection rule
  • Create a virtual machine scale set with the default backend pool

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

This tutorial requires the Azure PowerShell module version 1.0.0 or later to create a certificate and install IIS. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. To run the commands in this tutorial, you also need to run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this tutorial, you create a self-signed certificate using New-SelfSignedCertificate. You can then use Export-PfxCertificate with the thumbprint that was returned to export a pfx file from the certificate.

New-SelfSignedCertificate `
  -certstorelocation cert:\localmachine\my `
  -dnsname www.contoso.com

You should see something like this result:

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint                                Subject
----------                                -------
E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630  CN=www.contoso.com

Use the thumbprint to create the pfx file:

$pwd = ConvertTo-SecureString -String "Azure123456!" -Force -AsPlainText
Export-PfxCertificate `
  -cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 `
  -FilePath c:\appgwcert.pfx `
  -Password $pwd

Create an application gateway

A virtual network is needed for communication between the resources that you create. Two subnets are created in this example: one for the application gateway, and the other for the backend servers. You can create a virtual network at the same time that you create the application gateway.

  1. Sign in to the Azure portal at https://portal.azure.cn.

  2. Click Create a resource in the upper left-hand corner of the Azure portal.

  3. Select Networking and then select Application Gateway in the Featured list.

  4. Enter these values for the application gateway:

    • myAppGateway - for the name of the application gateway.

    • myResourceGroupAG - for the new resource group.

      (Screenshot: Create new application gateway)

  5. Accept the default values for the other settings and then click OK.

  6. Click Choose a virtual network, click Create new, and then enter these values for the virtual network:

    • myVNet - for the name of the virtual network.

    • 10.0.0.0/16 - for the virtual network address space.

    • myAGSubnet - for the subnet name.

    • 10.0.0.0/24 - for the subnet address space.

      (Screenshot: Create virtual network)

  7. Click OK to create the virtual network and subnet.

  8. Under Frontend IP configuration, ensure IP address type is Public, and Create new is selected. Enter myAGPublicIPAddress for the name. Accept the default values for the other settings and then click OK.

  9. Under Listener configuration, select HTTPS, then select Select a file, navigate to the c:\appgwcert.pfx file and select Open.

  10. Type appgwcert for the cert name and Azure123456! for the password.

  11. Leave the Web application firewall disabled, and then select OK.

  12. Review the settings on the summary page, and then select OK to create the network resources and the application gateway. It may take several minutes for the application gateway to be created; wait until the deployment finishes successfully before moving on to the next section.

Add a subnet

  1. Select All resources in the left-hand menu, and then select myVNet from the resources list.

  2. Select Subnets, and then click Subnet.

    (Screenshot: Create subnet)

  3. Type myBackendSubnet for the name of the subnet.

  4. Type 10.0.2.0/24 for the address range, and then select OK.

Add a listener and redirection rule

Add the listener

First, add the listener named MyListener for port 80.

  1. Open the myResourceGroupAG resource group and select myAppGateway.
  2. Select Listeners and then select + Basic.
  3. Type MyListener for the name.
  4. Type httpPort for the new frontend port name and 80 for the port.
  5. Ensure the protocol is set to HTTP, and then select OK.

Add a routing rule with a redirection configuration

  1. On myAppGateway, select Rules and then select +Request routing rule.
  2. For the Rule name, type Rule2.
  3. Ensure MyListener is selected for the listener.
  4. Click the Backend targets tab and select Redirection as the Target type.
  5. For Redirection type, select Permanent.
  6. For Redirection target, select Listener.
  7. Ensure the Target listener is set to appGatewayHttpListener.
  8. For Include query string and Include path, select Yes.
  9. Select Add.

Create a virtual machine scale set

In this example, you create a virtual machine scale set to provide servers for the backend pool in the application gateway.

  1. In the portal's upper left corner, select +Create a resource.
  2. Select Compute.
  3. In the search box, type scale set and press Enter.
  4. Select Virtual machine scale set, and then select Create.
  5. For Virtual machine scale set name, type myvmss.
  6. For Operating system disk image, ensure Windows Server 2016 Datacenter is selected.
  7. For Resource group, select myResourceGroupAG.
  8. For User name, type azureuser.
  9. For Password, type Azure123456! and confirm the password.
  10. For Instance count, ensure the value is 2.
  11. For Instance size, select D2s_v3.
  12. Under Networking, ensure Choose Load balancing options is set to Application Gateway.
  13. Ensure Application gateway is set to myAppGateway.
  14. Ensure Subnet is set to myBackendSubnet.
  15. Select Create.

Associate the scale set with the proper backend pool

The virtual machine scale set portal UI creates a new backend pool for the scale set, but you want to associate it with your existing appGatewayBackendPool.

  1. Open the myResourceGroupAG resource group.
  2. Select myAppGateway.
  3. Select Backend pools.
  4. Select myAppGatewaymyvmss.
  5. Select Remove all targets from backend pool.
  6. Select Save.
  7. After this process completes, select the myAppGatewaymyvmss backend pool, select Delete and then OK to confirm.
  8. Select appGatewayBackendPool.
  9. Under Targets, select VMSS.
  10. Under VMSS, select myvmss.
  11. Under Network Interface Configurations, select myvmssNic.
  12. Select Save.

Upgrade the scale set

Finally, you must upgrade the scale set with these changes.

  1. Select the myvmss scale set.
  2. Under Settings, select Instances.
  3. Select both instances, and then select Upgrade.
  4. Select Yes to confirm.
  5. After this completes, go back to myAppGateway and select Backend pools. You should now see that appGatewayBackendPool has two targets, and myAppGatewaymyvmss has zero targets.
  6. Select myAppGatewaymyvmss, and then select Delete.
  7. Select OK to confirm.

Install IIS

An easy way to install IIS on the scale set is to use PowerShell.

Paste the following code into the PowerShell window and press Enter.
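The same port-80 listener and permanent redirect rule, built with Az PowerShell instead of the portal, as an added example that is not part of the original tutorial. It assumes Connect-AzAccount -Environment AzureChinaCloud has already been run, that the gateway is the tutorial's v1 SKU (so no rule priority is needed), and that the portal-created HTTPS listener is still named appGatewayHttpListener; the redirect configuration name httpToHttps is the example's own.

```powershell
# Added example (not from the original tutorial): the same listener and
# redirect rule built with Az PowerShell instead of the portal.
# Assumes: Connect-AzAccount -Environment AzureChinaCloud has been run, the
# gateway is the tutorial's v1 SKU (no rule -Priority needed), and the
# portal-created HTTPS listener is still named appGatewayHttpListener.
$appgw = Get-AzApplicationGateway -ResourceGroupName myResourceGroupAG -Name myAppGateway

# Front-end port 80 and a plain-HTTP listener on the public front-end IP
$appgw = Add-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name httpPort -Port 80
$httpPort = Get-AzApplicationGatewayFrontendPort -ApplicationGateway $appgw -Name httpPort
$fip = Get-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $appgw |
    Where-Object { $_.PublicIPAddress } | Select-Object -First 1
$appgw = Add-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name MyListener `
    -Protocol Http -FrontendIPConfiguration $fip -FrontendPort $httpPort
$httpListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name MyListener

# Permanent (301) redirect to the HTTPS listener, keeping path and query string
# (the portal's Include path / Include query string = Yes)
$httpsListener = Get-AzApplicationGatewayHttpListener -ApplicationGateway $appgw -Name appGatewayHttpListener
$appgw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $appgw `
    -Name httpToHttps -RedirectType Permanent -TargetListener $httpsListener `
    -IncludePath $true -IncludeQueryString $true
$redirect = Get-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $appgw -Name httpToHttps

# Rule2: anything arriving on MyListener is answered with the redirect and never
# proxied to the backend pool, so no plain-HTTP request reaches the IIS servers
$appgw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $appgw -Name Rule2 `
    -RuleType Basic -HttpListener $httpListener -RedirectConfiguration $redirect

# Nothing is applied until Set-AzApplicationGateway pushes the updated object
Set-AzApplicationGateway -ApplicationGateway $appgw
```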

$publicSettings = @{ "fileUris" = (,"https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/appgatewayurl.ps1"); 
  "commandToExecute" = "powershell -ExecutionPolicy Unrestricted -File appgatewayurl.ps1" }
$vmss = Get-AzVmss -ResourceGroupName myResourceGroupAG -VMScaleSetName myvmss
Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
  -Name "customScript" `
  -Publisher "Microsoft.Compute" `
  -Type "CustomScriptExtension" `
  -TypeHandlerVersion 1.8 `
  -Setting $publicSettings
Update-AzVmss `
  -ResourceGroupName myResourceGroupAG `
  -Name myvmss `
  -VirtualMachineScaleSet $vmss

Upgrade the scale set

After changing the instances with IIS, you must once again upgrade the scale set with this change.

  1. Select the myvmss scale set.
  2. Under Settings, select Instances.
  3. Select both instances, and then select Upgrade.
  4. Select Yes to confirm.

Test the application gateway

You can get the application public IP address from the application gateway Overview page.

  1. Select myAppGateway.

  2. On the Overview page, note the IP address under Frontend public IP address.

  3. Copy the public IP address, and then paste it into the address bar of your browser. For example, http://52.170.203.149

    (Screenshot: Security warning)

  4. To accept the security warning if you used a self-signed certificate, select Details and then Go on to the webpage. Your secured IIS website is then displayed as in the following example:

    (Screenshot: Test base URL in application gateway)

Next steps

Learn how to Create an application gateway with internal redirection.
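A scripted version of the browser test above, as an added example that is not part of the original tutorial: it confirms that port 80 answers with a 301 whose Location keeps the path and query string on https://, and reports the certificate the HTTPS listener actually presents without making the client trust it. It assumes $gatewayIp holds the frontend public IP noted in step 2 and that the listener uses the tutorial's self-signed CN=www.contoso.com certificate.

```powershell
# Added example (not from the original tutorial): check the redirect and the
# served certificate from a client. Assumes $gatewayIp is the Frontend public
# IP noted in step 2; the value below is a placeholder.
$gatewayIp = "52.170.203.149"

function Test-HttpRedirect {
    param([string]$HostName, [string]$PathAndQuery = "/index.html?probe=1")
    $url = "http://$HostName$PathAndQuery"
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false        # inspect the 301 instead of following it
    $req.Timeout = 10000
    $resp = $req.GetResponse()             # 3xx does not throw when redirects are disabled
    $status = [int]$resp.StatusCode
    $location = $resp.Headers["Location"]
    $resp.Close()
    [pscustomobject]@{
        Url      = $url
        Status   = $status
        Location = $location
        # Rule2 is Permanent (301) with Include path / Include query string = Yes,
        # so the Location must be the same path and query on https://
        Pass     = ($status -eq 301 -and $location -eq "https://$HostName$PathAndQuery")
    }
}

function Get-ListenerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # The callback only lets this probe complete the handshake so the certificate
    # can be read; it does not make any other request trust the self-signed cert.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $protocol = $ssl.SslProtocol
    $ssl.Dispose(); $tcp.Dispose()
    [pscustomobject]@{
        Subject    = $cert.Subject       # expect CN=www.contoso.com for the tutorial cert
        Thumbprint = $cert.Thumbprint    # compare with the New-SelfSignedCertificate output
        NotAfter   = $cert.NotAfter
        Protocol   = $protocol
    }
}

Test-HttpRedirect -HostName $gatewayIp | Format-List
Get-ListenerCertificate -HostName $gatewayIp | Format-List
```

If Pass is False, the printed Location shows what the gateway actually sent (for example a dropped query string or a missing path), which points at the Include query string and Include path settings of Rule2.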