Create an application gateway with SSL termination using the Azure CLI

You can use the Azure CLI to create an application gateway with a certificate for SSL termination that uses a virtual machine scale set for backend servers. In this example, the scale set contains two virtual machine instances that are added to the default backend pool of the application gateway.

In this article, you learn how to:

  • Create a self-signed certificate
  • Set up a network
  • Create an application gateway with the certificate
  • Create a virtual machine scale set with the default backend pool

If you prefer, you can complete this procedure using Azure PowerShell.

If you don't have an Azure subscription, create a trial account before you begin.

If you choose to install and use the CLI locally, this article requires you to run Azure CLI version 2.0.4 or later. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI.

Create a self-signed certificate

For production use, you should import a valid certificate signed by a trusted provider. For this article, you create a self-signed certificate and a pfx file using the openssl command.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out appgwcert.crt

Enter values that make sense for your certificate. You can accept the default values.

openssl pkcs12 -export -out appgwcert.pfx -inkey privateKey.key -in appgwcert.crt

Enter the password for the certificate. In this example, Azure123456! is being used.
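The two openssl commands above produce the files the gateway needs, but they leave the hostname out of the certificate's subjectAltName and put the password only into an interactive prompt. The following shell functions are an added example, not part of the article or of the Azure CLI, that build the same privateKey.key, appgwcert.crt and appgwcert.pfx with a SAN, take the export password as an argument (so it can come from an environment variable rather than a typed literal), and then verify that the pfx opens with that password and contains exactly the certificate that was generated. It assumes openssl 1.1.1 or later is on PATH; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Azure docs page): create the self-signed
# certificate and PFX used in the article, then verify the PFX before upload.
# Assumes: openssl >= 1.1.1 on PATH, writable output directory.

# make_selfsigned_pfx DIR HOSTNAME PASSWORD
# Writes DIR/privateKey.key, DIR/appgwcert.crt and DIR/appgwcert.pfx.
make_selfsigned_pfx() {
  dir=$1; cn=$2; pass=$3
  mkdir -p "$dir" || return 1
  # -addext puts the hostname in the SAN; browsers ignore the CN alone.
  # The subshell's umask keeps the private key readable only by its owner.
  ( umask 077
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
      -keyout "$dir/privateKey.key" -out "$dir/appgwcert.crt" 2>/dev/null
  ) || return 1
  # Export password is passed in rather than typed, so the caller can
  # supply it from an environment variable; no literal lands in history.
  openssl pkcs12 -export -out "$dir/appgwcert.pfx" \
    -inkey "$dir/privateKey.key" -in "$dir/appgwcert.crt" \
    -passout "pass:$pass" 2>/dev/null
}

# cert_fingerprint PEMFILE -> SHA-256 fingerprint (colon-separated hex)
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# pfx_fingerprint PFXFILE PASSWORD -> fingerprint of the leaf cert inside
# the PFX; fails (empty output, non-zero status) on a wrong password.
pfx_fingerprint() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# verify_pfx DIR PASSWORD: exit 0 only when the PFX opens with PASSWORD and
# its certificate matches DIR/appgwcert.crt byte for byte (same fingerprint).
verify_pfx() {
  want=$(cert_fingerprint "$1/appgwcert.crt")
  got=$(pfx_fingerprint "$1/appgwcert.pfx" "$2")
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# Demo run only when invoked as: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  # APPGW_PFX_PASSWORD is an assumed variable name for this example.
  make_selfsigned_pfx ./certs appgw.example.com "${APPGW_PFX_PASSWORD:?set it}" \
    && verify_pfx ./certs "$APPGW_PFX_PASSWORD" \
    && echo "PFX verified: $(cert_fingerprint ./certs/appgwcert.crt)"
fi
```

Running verify_pfx before az network application-gateway create catches the two mistakes that otherwise only surface as an opaque deployment error: a mistyped export password and a pfx built from a different key pair than the certificate on disk.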

Create a resource group

A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group using az group create.

The following example creates a resource group named myResourceGroupAG in the chinanorth location.

az group create --name myResourceGroupAG --location chinanorth

Create network resources

Create the virtual network named myVNet and the subnet named myAGSubnet using az network vnet create. You can then add the subnet named myBackendSubnet that's needed by the backend servers using az network vnet subnet create. Create the public IP address named myAGPublicIPAddress using az network public-ip create.

az network vnet create `
  --name myVNet `
  --resource-group myResourceGroupAG `
  --location chinanorth `
  --address-prefix 10.0.0.0/16 `
  --subnet-name myAGSubnet `
  --subnet-prefix 10.0.1.0/24

az network vnet subnet create `
  --name myBackendSubnet `
  --resource-group myResourceGroupAG `
  --vnet-name myVNet `
  --address-prefix 10.0.2.0/24

az network public-ip create `
  --resource-group myResourceGroupAG `
  --name myAGPublicIPAddress

Create the application gateway

You can use az network application-gateway create to create the application gateway. When you create an application gateway using the Azure CLI, you specify configuration information such as capacity, SKU, and HTTP settings.

The application gateway is assigned to myAGSubnet and myAGPublicIPAddress, which you created previously. In this example, you associate the certificate that you created and its password when you create the application gateway.

az network application-gateway create `
  --name myAppGateway `
  --location chinanorth `
  --resource-group myResourceGroupAG `
  --vnet-name myVNet `
  --subnet myAGSubnet `
  --capacity 2 `
  --sku Standard_Medium `
  --http-settings-cookie-based-affinity Disabled `
  --frontend-port 443 `
  --http-settings-port 80 `
  --http-settings-protocol Http `
  --public-ip-address myAGPublicIPAddress `
  --cert-file appgwcert.pfx `
  --cert-password "Azure123456!"

It may take several minutes for the application gateway to be created. After the application gateway is created, you can see these new features of it:

  • appGatewayBackendPool - An application gateway must have at least one backend address pool.
  • appGatewayBackendHttpSettings - Specifies that port 80 and the HTTP protocol are used for communication with the backend.
  • appGatewayHttpListener - The default listener associated with appGatewayBackendPool.
  • appGatewayFrontendIP - Assigns myAGPublicIPAddress to appGatewayHttpListener.
  • rule1 - The default routing rule that is associated with appGatewayHttpListener.

Create a virtual machine scale set

In this example, you create a virtual machine scale set that provides servers for the default backend pool in the application gateway. The virtual machines in the scale set are associated with myBackendSubnet and appGatewayBackendPool. To create the scale set, you can use az vmss create.

az vmss create `
  --name myvmss `
  --resource-group myResourceGroupAG `
  --image UbuntuLTS `
  --admin-username azureuser `
  --admin-password "Azure123456!" `
  --instance-count 2 `
  --vnet-name myVNet `
  --subnet myBackendSubnet `
  --vm-sku Standard_DS2 `
  --upgrade-policy-mode Automatic `
  --app-gateway myAppGateway `
  --backend-pool-name appGatewayBackendPool

Install NGINX

az vmss extension set `
  --publisher Microsoft.Azure.Extensions `
  --version 2.0 `
  --name CustomScript `
  --resource-group myResourceGroupAG `
  --vmss-name myvmss `
  --settings '{ "fileUris": ["https://raw.githubusercontent.com/Azure/azure-docs-powershell-samples/master/application-gateway/iis/install_nginx.sh"],
  "commandToExecute": "./install_nginx.sh" }'

Test the application gateway

To get the public IP address of the application gateway, you can use az network public-ip show.

az network public-ip show `
  --resource-group myResourceGroupAG `
  --name myAGPublicIPAddress `
  --query [ipAddress] `
  --output tsv

Copy the public IP address, and then paste it into the address bar of your browser. For this example, the URL is https://52.170.203.149.

Screenshot: Security warning

To accept the security warning if you used a self-signed certificate, select Details and then Go on to the webpage. Your secured NGINX site is then displayed as in the following example:

Screenshot: Test base URL in application gateway

Clean up resources

When no longer needed, remove the resource group, the application gateway, and all related resources.

az group delete --name myResourceGroupAG

Next steps