Tutorial: Create an application gateway that improves web application access

If you're an IT admin concerned with improving web application access, you can optimize your application gateway to scale based on customer demand and span multiple availability zones. This tutorial helps you configure the Azure Application Gateway features that do that: autoscaling, zone redundancy, and reserved VIPs (static IP). You'll use Azure PowerShell cmdlets and the Azure Resource Manager deployment model to solve the problem.

In this tutorial, you learn how to:

  • Create a self-signed certificate
  • Create an autoscale virtual network
  • Create a reserved public IP
  • Set up your application gateway infrastructure
  • Specify autoscale
  • Create the application gateway
  • Test the application gateway

If you don't have an Azure subscription, create a trial account before you begin.

Prerequisites

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

This tutorial requires that you run an administrative Azure PowerShell session locally. You must have Azure PowerShell module version 1.0.0 or later installed. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. After you verify the PowerShell version, run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Sign in to Azure

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -Subscription "<sub name>"

Create a resource group

Create a resource group in one of the available locations.

$location = "China North 2"
$rg = "AppGW-rg"

#Create a new Resource Group
New-AzResourceGroup -Name $rg -Location $location

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this tutorial, you create a self-signed certificate using New-SelfSignedCertificate. You can use Export-PfxCertificate with the Thumbprint that was returned to export a pfx file from the certificate.

New-SelfSignedCertificate `
  -certstorelocation cert:\localmachine\my `
  -dnsname www.contoso.com

You should see something like this result:

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint                                Subject
----------                                -------
E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630  CN=www.contoso.com

Use the thumbprint to create the pfx file. Replace <password> with a password of your choice:

# $pfxPwd is used rather than $pwd, which is PowerShell's automatic variable for the current directory
$pfxPwd = ConvertTo-SecureString -String "<password>" -Force -AsPlainText

Export-PfxCertificate `
  -cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 `
  -FilePath c:\appgwcert.pfx `
  -Password $pfxPwd
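
An alternative to copying the thumbprint by hand, as an added example that is not part of the original tutorial: capture the certificate object, prompt for the PFX password instead of embedding it in the script, and confirm that the exported file opens with that password. The variable names are assumptions; the DNS name and file path are the ones used above.

```powershell
# Added example (not from the original tutorial). Run in an elevated session,
# because the certificate is created in the LocalMachine store.
$cert = New-SelfSignedCertificate `
  -CertStoreLocation cert:\LocalMachine\My `
  -DnsName www.contoso.com

# Prompt for the password so it does not appear in the script or in shell history.
$pfxPwd = Read-Host -Prompt "PFX password" -AsSecureString

# Export by the thumbprint of the object returned above, not a pasted value.
$pfxPath = "c:\appgwcert.pfx"
Export-PfxCertificate `
  -Cert "cert:\LocalMachine\My\$($cert.Thumbprint)" `
  -FilePath $pfxPath `
  -Password $pfxPwd | Out-Null

# Verify the export: the file must open with the same password and
# contain the certificate that was just created.
$pfx      = Get-PfxData -FilePath $pfxPath -Password $pfxPwd
$exported = $pfx.EndEntityCertificates[0]

if ($exported.Thumbprint -ne $cert.Thumbprint) {
  throw "Exported PFX does not contain the expected certificate."
}

# Summary of what will be uploaded to the gateway, including the expiry date.
[pscustomobject]@{
  Subject    = $exported.Subject
  Thumbprint = $exported.Thumbprint
  NotAfter   = $exported.NotAfter
  PfxFile    = $pfxPath
}
```

Keep $pfxPwd in the session and pass it to New-AzApplicationGatewaySslCertificate -Password when you configure the listener certificate.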

Create a virtual network

Create a virtual network with one dedicated subnet for an autoscaling application gateway. Currently, only one autoscaling application gateway can be deployed in each dedicated subnet.

#Create VNet with two subnets
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "AppGwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "BackendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "AutoscaleVNet" -ResourceGroupName $rg `
       -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $sub1, $sub2

Create a reserved public IP

Specify the allocation method of PublicIPAddress as Static. An autoscaling application gateway VIP can only be static. Dynamic IPs are not supported. Only the standard PublicIpAddress SKU is supported.

#Create static public IP
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -name "AppGwVIP" `
       -location $location -AllocationMethod Static -Sku Standard -Zone 1,2,3

Retrieve details

Retrieve details of the resource group, subnet, and IP in a local object to create the IP configuration details for the application gateway.

$publicip = Get-AzPublicIpAddress -ResourceGroupName $rg -name "AppGwVIP"
$vnet = Get-AzVirtualNetwork -Name "AutoscaleVNet" -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "AppGwSubnet" -VirtualNetwork $vnet

Create web apps

Configure two web apps for the backend pool. Replace <site1-name> and <site2-name> with unique names in the chinacloudsites.cn domain.

New-AzAppServicePlan -ResourceGroupName $rg -Name "ASP-01"  -Location $location -Tier Basic `
   -NumberofWorkers 2 -WorkerSize Small
New-AzWebApp -ResourceGroupName $rg -Name "<site1-name>" -Location $location -AppServicePlan "ASP-01"
New-AzWebApp -ResourceGroupName $rg -Name "<site2-name>" -Location $location -AppServicePlan "ASP-01"

Configure the infrastructure

Configure the IP config, front-end IP config, back-end pool, HTTP settings, certificate, port, listener, and rule in an identical format to the existing Standard application gateway. The new SKU follows the same object model as the Standard SKU.

Replace the placeholders in the $pool variable definition with your two web app FQDNs (for example: mywebapp.chinacloudsites.cn).

$ipconfig = New-AzApplicationGatewayIPConfiguration -Name "IPConfig" -Subnet $gwSubnet
$fip = New-AzApplicationGatewayFrontendIPConfig -Name "FrontendIPCOnfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool1" `
       -BackendIPAddresses "<your first web app FQDN>", "<your second web app FQDN>"
$fp01 = New-AzApplicationGatewayFrontendPort -Name "SSLPort" -Port 443
$fp02 = New-AzApplicationGatewayFrontendPort -Name "HTTPPort" -Port 80

# Use the same password that you chose when exporting c:\appgwcert.pfx
$securepfxpwd = ConvertTo-SecureString -String "<password>" -AsPlainText -Force
$sslCert01 = New-AzApplicationGatewaySslCertificate -Name "SSLCert" -Password $securepfxpwd `
            -CertificateFile "c:\appgwcert.pfx"
$listener01 = New-AzApplicationGatewayHttpListener -Name "SSLListener" `
             -Protocol Https -FrontendIPConfiguration $fip -FrontendPort $fp01 -SslCertificate $sslCert01
$listener02 = New-AzApplicationGatewayHttpListener -Name "HTTPListener" `
             -Protocol Http -FrontendIPConfiguration $fip -FrontendPort $fp02

$setting = New-AzApplicationGatewayBackendHttpSettings -Name "BackendHttpSetting1" `
          -Port 80 -Protocol Http -CookieBasedAffinity Disabled -PickHostNameFromBackendAddress
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "Rule1" -RuleType basic `
         -BackendHttpSettings $setting -HttpListener $listener01 -BackendAddressPool $pool
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "Rule2" -RuleType basic `
         -BackendHttpSettings $setting -HttpListener $listener02 -BackendAddressPool $pool

Specify autoscale

Now you can specify the autoscale configuration for the application gateway.

$autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 2
$sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2

In this mode, the application gateway autoscales based on the application traffic pattern.

Create the application gateway

Create the application gateway and include redundancy zones and the autoscale configuration.

$appgw = New-AzApplicationGateway -Name "AutoscalingAppGw" -Zone 1,2,3 `
  -ResourceGroupName $rg -Location $location -BackendAddressPools $pool `
  -BackendHttpSettingsCollection $setting -GatewayIpConfigurations $ipconfig `
  -FrontendIpConfigurations $fip -FrontendPorts $fp01, $fp02 `
  -HttpListeners $listener01, $listener02 -RequestRoutingRules $rule01, $rule02 `
  -Sku $sku -sslCertificates $sslCert01 -AutoscaleConfiguration $autoscaleConfig

Test the application gateway

Use Get-AzPublicIPAddress to get the public IP address of the application gateway. Copy the public IP address or DNS name, and then paste it into the address bar of your browser.

$pip = Get-AzPublicIPAddress -ResourceGroupName $rg -Name AppGwVIP
$pip.IpAddress
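
A scripted check of the deployed configuration, as an added example that is not part of the original tutorial. It uses the resource names from the steps above and reads back the settings this tutorial configures: the static Standard VIP, the zones, the autoscale minimum, the listeners, and backend health.

```powershell
# Added example (not from the original tutorial); resource names are the ones used above.
$rg     = "AppGW-rg"
$gwName = "AutoscalingAppGw"

$gw  = Get-AzApplicationGateway -Name $gwName -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name "AppGwVIP" -ResourceGroupName $rg

# HTTPS listeners that have no certificate attached (expected: none).
$httpsNoCert = @($gw.HttpListeners |
  Where-Object { $_.Protocol -eq "Https" -and -not $_.SslCertificate.Id })

$checks = [ordered]@{
  "VIP allocation is Static"         = $pip.PublicIpAllocationMethod -eq "Static"
  "VIP SKU is Standard"              = $pip.Sku.Name -eq "Standard"
  "Gateway SKU is Standard_v2"       = $gw.Sku.Name -eq "Standard_v2"
  "Gateway spans zones 1,2,3"        = ((@($gw.Zones) | Sort-Object) -join ",") -eq "1,2,3"
  "Autoscale minimum capacity is 2"  = $gw.AutoscaleConfiguration.MinCapacity -eq 2
  "HTTPS listeners have a certificate" = $httpsNoCert.Count -eq 0
}

$checks.GetEnumerator() | ForEach-Object {
  "{0,-38} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "FAIL" })
}

# Listener inventory. In this tutorial HTTPListener (port 80) routes to the
# same pool as SSLListener, so the site is also reachable over plain HTTP.
$gw.HttpListeners | Select-Object Name, Protocol

# Backend health as seen by the gateway's probes, one row per backend server.
$health = Get-AzApplicationGatewayBackendHealth -Name $gwName -ResourceGroupName $rg
$health.BackendAddressPools.BackendHttpSettingsCollection.Servers |
  Select-Object Address, Health

# End-to-end request through the HTTP listener; 200 means a backend answered.
(Invoke-WebRequest -Uri "http://$($pip.IpAddress)/" -UseBasicParsing).StatusCode
```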

Clean up resources

First explore the resources that were created with the application gateway. Then, when they're no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, application gateway, and all related resources.

Remove-AzResourceGroup -Name $rg

Next steps