Tutorial: Create an application gateway that improves web application access

If you're an IT admin concerned with improving web application access, you can optimize your application gateway to scale based on customer demand and span multiple availability zones. This tutorial helps you configure Azure Application Gateway features that do that: autoscaling, zone redundancy, and reserved VIPs (static IP). You'll use Azure PowerShell cmdlets and the Azure Resource Manager deployment model to solve the problem.

In this tutorial, you learn how to:

  • Create a self-signed certificate
  • Create an autoscale virtual network
  • Create a reserved public IP
  • Set up your application gateway infrastructure
  • Specify autoscale
  • Create the application gateway
  • Test the application gateway

If you don't have an Azure subscription, create a Trial before you begin.

Prerequisites

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

This tutorial requires that you run Azure PowerShell locally. You must have Azure PowerShell module version 1.0.0 or later installed. Run Get-Module -ListAvailable Az to find the version. If you need to upgrade, see Install Azure PowerShell module. After you verify the PowerShell version, run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Sign in to Azure

Connect-AzAccount -Environment AzureChinaCloud
Select-AzSubscription -Subscription "<sub name>"

Create a resource group

Create a resource group in one of the available locations.

$location = "China North 2"
$rg = "AppGW-rg"

#Create a new Resource Group
New-AzResourceGroup -Name $rg -Location $location

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this tutorial, you create a self-signed certificate using New-SelfSignedCertificate. You can use Export-PfxCertificate with the Thumbprint that was returned to export a pfx file from the certificate.

New-SelfSignedCertificate `
  -certstorelocation cert:\localmachine\my `
  -dnsname www.contoso.com

You should see something like this result:

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\my

Thumbprint                                Subject
----------                                -------
E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630  CN=www.contoso.com

Use the thumbprint to create the pfx file:

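# Tutorial-only password. Outside a lab, read it from a secret store instead of hard-coding it.
# $pfxPassword is used rather than $pwd, which is PowerShell's automatic current-location variable.
$pfxPassword = ConvertTo-SecureString -String "Azure123456!" -Force -AsPlainText

# Replace the thumbprint with the value returned by New-SelfSignedCertificate.
Export-PfxCertificate `
  -Cert cert:\localMachine\my\E1E81C23B3AD33F9B4D1717B20AB65DBB91AC630 `
  -FilePath c:\appgwcert.pfx `
  -Password $pfxPassword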
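
As an added example (not part of the original tutorial), the same two steps can be run without copying the thumbprint by hand or embedding the password in the script, and the exported file can be checked before it is uploaded. The output path, the three-month lifetime and the helper name Remove-TutorialCertificate are assumptions; run it from an elevated session.

```powershell
# Added example, not from the original tutorial. Requires an elevated session
# because the certificate is created in the LocalMachine store.

# Keep the certificate object so the thumbprint never has to be retyped.
$cert = New-SelfSignedCertificate `
  -CertStoreLocation cert:\LocalMachine\My `
  -DnsName www.contoso.com `
  -NotAfter (Get-Date).AddMonths(3)   # assumed lifetime for a lab certificate

# Prompt for the PFX password instead of storing it in the script.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$pfxPath = Join-Path $env:TEMP "appgwcert.pfx"   # assumed output location

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Re-open the PFX and confirm it holds the certificate that was just created.
$pfx  = Get-PfxData -FilePath $pfxPath -Password $pfxPassword
$leaf = $pfx.EndEntityCertificates[0]
if ($leaf.Thumbprint -ne $cert.Thumbprint) {
    throw "PFX does not contain the expected certificate"
}
"{0} ({1}) expires {2:u}" -f $leaf.Subject, $leaf.Thumbprint, $leaf.NotAfter

# Hypothetical helper: call it once the application gateway has been created,
# so the private key does not stay on the workstation.
function Remove-TutorialCertificate {
    param(
        [Parameter(Mandatory)] $Certificate,
        [Parameter(Mandatory)] [string] $PfxPath
    )
    Remove-Item -Path $PfxPath
    Remove-Item -Path ("cert:\LocalMachine\My\" + $Certificate.Thumbprint) -DeleteKey
}
```

If you use this variant, pass $pfxPath and $pfxPassword to New-AzApplicationGatewaySslCertificate in place of the literal path and password.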

Create a virtual network

Create a virtual network with one dedicated subnet for an autoscaling application gateway. Currently only one autoscaling application gateway can be deployed in each dedicated subnet.

#Create VNet with two subnets
$sub1 = New-AzVirtualNetworkSubnetConfig -Name "AppGwSubnet" -AddressPrefix "10.0.0.0/24"
$sub2 = New-AzVirtualNetworkSubnetConfig -Name "BackendSubnet" -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -Name "AutoscaleVNet" -ResourceGroupName $rg `
       -Location $location -AddressPrefix "10.0.0.0/16" -Subnet $sub1, $sub2

Create a reserved public IP

Specify the allocation method of PublicIPAddress as Static. An autoscaling application gateway VIP can only be static. Dynamic IPs are not supported. Only the standard PublicIpAddress SKU is supported.

#Create static public IP
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -name "AppGwVIP" `
       -location $location -AllocationMethod Static -Sku Standard

Retrieve details

Retrieve details of the resource group, subnet, and IP in a local object to create the IP configuration details for the application gateway.

$resourceGroup = Get-AzResourceGroup -Name $rg
$publicip = Get-AzPublicIpAddress -ResourceGroupName $rg -name "AppGwVIP"
$vnet = Get-AzVirtualNetwork -Name "AutoscaleVNet" -ResourceGroupName $rg
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name "AppGwSubnet" -VirtualNetwork $vnet

Configure the infrastructure

Configure the IP config, front-end IP config, back-end pool, HTTP settings, certificate, port, listener, and rule in an identical format to the existing Standard application gateway. The new SKU follows the same object model as the Standard SKU.

$ipconfig = New-AzApplicationGatewayIPConfiguration -Name "IPConfig" -Subnet $gwSubnet
$fip = New-AzApplicationGatewayFrontendIPConfig -Name "FrontendIPCOnfig" -PublicIPAddress $publicip
$pool = New-AzApplicationGatewayBackendAddressPool -Name "Pool1" `
       -BackendIPAddresses testbackend1.chinanorth.chinacloudapp.cn, testbackend2.chinanorth.chinacloudapp.cn
$fp01 = New-AzApplicationGatewayFrontendPort -Name "SSLPort" -Port 443
$fp02 = New-AzApplicationGatewayFrontendPort -Name "HTTPPort" -Port 80

$securepfxpwd = ConvertTo-SecureString -String "Azure123456!" -AsPlainText -Force
$sslCert01 = New-AzApplicationGatewaySslCertificate -Name "SSLCert" -Password $securepfxpwd `
            -CertificateFile "c:\appgwcert.pfx"
$listener01 = New-AzApplicationGatewayHttpListener -Name "SSLListener" `
             -Protocol Https -FrontendIPConfiguration $fip -FrontendPort $fp01 -SslCertificate $sslCert01
$listener02 = New-AzApplicationGatewayHttpListener -Name "HTTPListener" `
             -Protocol Http -FrontendIPConfiguration $fip -FrontendPort $fp02

$setting = New-AzApplicationGatewayBackendHttpSettings -Name "BackendHttpSetting1" `
          -Port 80 -Protocol Http -CookieBasedAffinity Disabled
$rule01 = New-AzApplicationGatewayRequestRoutingRule -Name "Rule1" -RuleType basic `
         -BackendHttpSettings $setting -HttpListener $listener01 -BackendAddressPool $pool
$rule02 = New-AzApplicationGatewayRequestRoutingRule -Name "Rule2" -RuleType basic `
         -BackendHttpSettings $setting -HttpListener $listener02 -BackendAddressPool $pool

Specify autoscale

Now you can specify the autoscale configuration for the application gateway. Two autoscaling configuration types are supported:

  • Fixed capacity mode. In this mode, the application gateway does not autoscale and operates at a fixed Scale Unit capacity.

    $sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2 -Capacity 2
    
  • Autoscaling mode. In this mode, the application gateway autoscales based on the application traffic pattern.

    $autoscaleConfig = New-AzApplicationGatewayAutoscaleConfiguration -MinCapacity 2
    $sku = New-AzApplicationGatewaySku -Name Standard_v2 -Tier Standard_v2
    

Create the application gateway

Create the application gateway and include redundancy zones and the autoscale configuration.

$appgw = New-AzApplicationGateway -Name "AutoscalingAppGw" -Zone 1,2,3 `
  -ResourceGroupName $rg -Location $location -BackendAddressPools $pool `
  -BackendHttpSettingsCollection $setting -GatewayIpConfigurations $ipconfig `
  -FrontendIpConfigurations $fip -FrontendPorts $fp01, $fp02 `
  -HttpListeners $listener01, $listener02 -RequestRoutingRules $rule01, $rule02 `
  -Sku $sku -sslCertificates $sslCert01 -AutoscaleConfiguration $autoscaleConfig
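
As configured above, Rule2 forwards requests arriving on the port 80 listener straight to the backend pool over plain HTTP. The following added example (not part of the original tutorial) replaces that rule with a permanent redirect to the HTTPS listener on the deployed gateway and then lists any rule that still serves an HTTP listener directly. It reuses the gateway, listener and rule names from this tutorial; the redirect name "HttpToHttps" is an assumption.

```powershell
# Added example, not from the original tutorial. Assumes the gateway, the two
# listeners and Rule2 created above already exist in resource group AppGW-rg.
$gw = Get-AzApplicationGateway -Name "AutoscalingAppGw" -ResourceGroupName "AppGW-rg"
$httpsListener = Get-AzApplicationGatewayHttpListener -Name "SSLListener" -ApplicationGateway $gw
$httpListener  = Get-AzApplicationGatewayHttpListener -Name "HTTPListener" -ApplicationGateway $gw

# Permanent (301) redirect to the HTTPS listener, keeping path and query string.
$gw = Add-AzApplicationGatewayRedirectConfiguration -ApplicationGateway $gw `
  -Name "HttpToHttps" -RedirectType Permanent -TargetListener $httpsListener `
  -IncludePath $true -IncludeQueryString $true
$redirect = Get-AzApplicationGatewayRedirectConfiguration -Name "HttpToHttps" -ApplicationGateway $gw

# Replace Rule2 (HTTP listener -> backend pool) with a rule that only redirects.
# If your Az.Network version requires rule priorities, add -Priority here as well.
$gw = Remove-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "Rule2"
$gw = Add-AzApplicationGatewayRequestRoutingRule -ApplicationGateway $gw -Name "Rule2" `
  -RuleType Basic -HttpListener $httpListener -RedirectConfiguration $redirect

# Push the modified configuration to Azure.
$gw = Set-AzApplicationGateway -ApplicationGateway $gw

# Audit: names of rules bound to an HTTP listener that do not redirect.
# An empty result means no listener sends clear-text traffic to the backend.
$httpListenerIds = $gw.HttpListeners |
  Where-Object { $_.Protocol -eq 'Http' } |
  ForEach-Object { $_.Id }
$gw.RequestRoutingRules |
  Where-Object { $_.HttpListener.Id -in $httpListenerIds -and -not $_.RedirectConfiguration } |
  Select-Object -ExpandProperty Name
```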

Test the application gateway

Use Get-AzPublicIPAddress to get the public IP address of the application gateway. Copy the public IP address or DNS name, and then paste it into the address bar of your browser.

Get-AzPublicIPAddress -ResourceGroupName $rg -Name AppGwVIP

Clean up resources

First explore the resources that were created with the application gateway. Then, when they're no longer needed, you can use the Remove-AzResourceGroup command to remove the resource group, application gateway, and all related resources.

Remove-AzResourceGroup -Name $rg
