Azure Functions networking options

This article describes the networking features available across the hosting options for Azure Functions. All of the following options give you some ability to reach resources without using internet-routable addresses, or to restrict internet access to a function app.

The hosting models offer different levels of network isolation. Choosing the right one helps you meet your network isolation requirements.

You can host function apps in a couple of ways:

  • You can choose from plan options that run on a multitenant infrastructure, with various levels of virtual network connectivity and scaling options:
    • The Consumption plan scales dynamically in response to load and offers minimal network isolation options.
    • The Azure App Service plan operates at a fixed scale and offers network isolation.
  • You can run functions in an App Service Environment (ASE). This method deploys your function into your virtual network and offers full network control and isolation.

Matrix of networking features

Feature                                          Consumption plan   Dedicated (App Service) plan   ASE   Kubernetes
Inbound IP restrictions and private site access  Yes                Yes                            Yes   Yes
Virtual network integration                      No                 Yes (regional)                 Yes   Yes
Virtual network triggers (non-HTTP)              No                 Yes                            Yes   Yes
Hybrid connections (Windows only)                No                 Yes                            Yes   Yes
Outbound IP restrictions                         No                 Yes                            Yes   Yes

Inbound IP restrictions

You can use IP restrictions to define a priority-ordered list of IP addresses that are allowed or denied access to your app. The list can include IPv4 and IPv6 addresses. When there are one or more entries, an implicit "deny all" exists at the end of the list, so any source address not matched by an explicit rule is rejected. IP restrictions work with all function-hosting options.

Note

With network restrictions in place, you can use the portal editor only from within your virtual network, or after you have added the IP address of the machine you use to reach the Azure portal to the allow list. You can still reach any feature on the Platform features tab from any machine, however.

To learn more, see Azure App Service static access restrictions.
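As an added example (not code from this page and not Azure's own implementation), the following Python re-implements the evaluation semantics this section describes: rules are applied in priority order, the first matching prefix wins, and once any rule exists an implicit deny-all closes the list. Azure evaluates your rules for you; a local model like this is useful for unit-testing a rule set before you apply it, and the shadowed() check catches the common mistake of placing a narrow Deny after a broad Allow, where it can never match. The rule names, priorities and addresses are constructed (RFC 5737 and RFC 3849 documentation ranges).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    action: str         # "Allow" or "Deny"
    cidr: str           # IPv4/IPv6 host address or prefix

    def network(self) -> Network:
        # strict=False accepts host addresses such as "203.0.113.7" (treated as /32)
        return ipaddress.ip_network(self.cidr, strict=False)


def evaluate(rules: List[Rule], source_ip: str) -> str:
    """Return "Allow" or "Deny" for source_ip.

    Rules are walked in priority order; the first prefix that contains the
    address decides. If at least one rule exists and none matches, the implicit
    deny-all at the end of the list applies. With no rules at all, App Service
    allows every source.
    """
    addr = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.action not in ("Allow", "Deny"):
            raise ValueError(f"rule {rule.name!r}: action must be Allow or Deny")
        net = rule.network()
        if net.version == addr.version and addr in net:
            return rule.action
    return "Deny" if rules else "Allow"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule already
    covers their whole prefix (for example a Deny /32 placed after an Allow /24)."""
    ordered = sorted(rules, key=lambda r: r.priority)
    dead: List[str] = []
    for i, rule in enumerate(ordered):
        net = rule.network()
        for earlier in ordered[:i]:
            enet = earlier.network()
            if enet.version == net.version and net.subnet_of(enet):
                dead.append(rule.name)
                break
    return dead


# Constructed sample rule set: block one noisy scanner, then allow the corporate egress ranges.
SAMPLE_RULES = [
    Rule("deny-known-scanner", 100, "Deny", "203.0.113.7"),
    Rule("allow-corp-egress", 200, "Allow", "203.0.113.0/24"),
    Rule("allow-corp-v6", 210, "Allow", "2001:db8:abcd::/48"),
]


def demo() -> dict:
    """Evaluate a handful of constructed source addresses against SAMPLE_RULES."""
    probes = ["203.0.113.7", "203.0.113.40", "2001:db8:abcd::10", "198.51.100.1", "2001:db8:ffff::1"]
    return {ip: evaluate(SAMPLE_RULES, ip) for ip in probes}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:>20} -> {verdict}")
    print("shadowed rules:", shadowed(SAMPLE_RULES))
```

Note that the scanner address 203.0.113.7 is denied even though it sits inside the allowed /24, purely because its Deny rule carries the lower priority number; swap the two priorities and the Deny becomes dead, which shadowed() reports.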

Private site access

Private site access refers to making your app accessible only from a private network, such as an Azure virtual network.

  • Private site access is available in the Consumption and App Service plans when service endpoints are configured.
    • Service endpoints can be configured on a per-app basis under Platform features > Networking > Configure Access Restrictions > Add Rule, where Virtual Network is one of the available rule types.
    • For more information, see Virtual network service endpoints.
    • Keep in mind that service endpoints only restrict inbound access: your function still has full outbound access to the internet, even with virtual network integration configured.
  • Private site access is also available within an App Service Environment that's configured with an internal load balancer (ILB). For more information, see Create and use an internal load balancer with an App Service Environment.

Virtual network integration

Virtual network integration allows your function app to access resources inside a virtual network. Azure Functions supports two kinds of virtual network integration:

  • The multitenant systems, which support the full range of pricing plans except Isolated.
  • The App Service Environment, which deploys into your VNet and supports Isolated pricing plan apps.

The VNet Integration feature is used in multitenant apps. If your app is in an App Service Environment, it's already in a VNet and doesn't need the VNet Integration feature to reach resources in the same VNet. For more information on all of the networking features, see App Service networking features.

VNet Integration gives your app access to resources in your VNet, but it doesn't grant inbound private access to your app from the VNet; that is what private site access (above) provides. VNet Integration is used only to make outbound calls from your app into your VNet. The feature behaves differently when the VNet is in the same region as the app and when it is in another region, so it comes in two variations:

  • Regional VNet Integration: used when you connect to a VNet in the same region. This is the variation the Automation section below manages.
  • Gateway-required VNet Integration: when you connect to a VNet in another region, or to a classic virtual network in the same region, you need an Azure Virtual Network gateway provisioned in the target VNet.

The VNet Integration features:

  • Require a Standard, Premium, PremiumV2, or Elastic Premium pricing plan.
  • Support TCP and UDP.
  • Work with Azure App Service apps and function apps.

There are some things that VNet Integration doesn't support, such as:

  • Mounting a drive.
  • Active Directory integration.
  • NetBIOS.

Gateway-required VNet Integration provides access only to resources in the target VNet, or in networks connected to the target VNet by peering or VPN. It doesn't enable access to resources reachable across Azure ExpressRoute connections, and it doesn't work with service endpoints.

Whichever variation you use, the direction is the same: VNet Integration is only for making outbound calls from your app into your VNet. It never makes your app privately reachable from the VNet; for that, configure private site access.

Virtual network integration in Azure Functions uses shared infrastructure with App Service web apps. To learn more about the two types of virtual network integration, see the App Service networking features documentation referenced above.

Connect to service endpoint secured resources

To provide a higher level of security, you can restrict a number of Azure services to a virtual network by using service endpoints. You must then integrate your function app with that virtual network to access the resource. This configuration is supported on all plans that support virtual network integration.

To learn more, see Virtual network service endpoints.

Restrict your storage account to a virtual network

When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can't currently use any virtual network restrictions on this account. If you configure a virtual network service endpoint on the storage account your function app uses, that configuration will break your app.

To learn more, see Storage account requirements.

Use Key Vault references

You can use Azure Key Vault references to consume secrets from Azure Key Vault in your Azure Functions application without any code changes. Azure Key Vault is a service that provides centralized secrets management, with full control over access policies and audit history.

Currently, Key Vault references don't work if your key vault is secured with service endpoints. To reach such a key vault over virtual network integration, you need to call Key Vault from your application code instead.

Virtual network triggers (non-HTTP)

Currently, to use function triggers other than HTTP from within a virtual network, you must run your function app in an App Service plan or in an App Service Environment.

App Service plan and App Service Environment with virtual network triggers

When your function app runs in either an App Service plan or an App Service Environment, you can use non-HTTP trigger functions. For your functions to trigger correctly, the app must be connected to a virtual network that has access to the resource defined in the trigger's connection.

For example, assume you want to configure Azure Cosmos DB to accept traffic only from a virtual network. In this case, you must deploy your function app in an App Service plan that provides virtual network integration with that virtual network. That integration is what lets the function be triggered by the Azure Cosmos DB resource.

Hybrid Connections

Hybrid Connections is a feature of Azure Relay that you can use to access application resources in other networks. It provides access from your app to an application endpoint; you can't use it to access your application. Hybrid Connections is available to functions that run on Windows in all plans except the Consumption plan.

As used in Azure Functions, each hybrid connection correlates to a single TCP host and port combination. This means the hybrid connection's endpoint can be on any operating system and any application, as long as you're accessing a TCP listening port. The Hybrid Connections feature doesn't know or care what the application protocol is or what you're accessing; it just provides network access.

To learn more, see the App Service documentation for Hybrid Connections. The same configuration steps apply to Azure Functions.

Outbound IP restrictions

Outbound IP restrictions are available in an App Service plan or an App Service Environment. You can configure outbound restrictions for the virtual network where your App Service Environment is deployed.

When you integrate a function app in an App Service plan with a virtual network, the app can still make outbound calls to the internet by default, because internet-bound traffic doesn't enter the virtual network and so never meets your network security group (NSG). By adding the application setting WEBSITE_VNET_ROUTE_ALL=1, you force all outbound traffic into your virtual network, where NSG rules can be used to restrict it.
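As an added example (not Azure code, and not from the original page), the following Python models where a packet from the app goes and what the NSG decides once it arrives. It encodes the behaviour described above: with WEBSITE_VNET_ROUTE_ALL unset, only traffic to private (RFC 1918) destinations enters the integration subnet and everything else leaves through the app's public outbound addresses, where your NSG never sees it; with WEBSITE_VNET_ROUTE_ALL=1 every packet enters the subnet and the NSG's outbound rules apply, lowest priority number first, first match wins, with Azure's built-in default rules sitting at priorities 65000 and above. The VNet address space, the custom DenyInternetEgress rule and the destination addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Without WEBSITE_VNET_ROUTE_ALL=1, only these private ranges are routed into the VNet.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # lower number is evaluated first; custom rules use 100-4096
    access: str         # "Allow" or "Deny"
    destination: str    # service tag "VirtualNetwork" / "Internet", "*", or a CIDR


def default_outbound_rules() -> List[NsgRule]:
    """Azure's built-in outbound rules. They can't be deleted, only overridden by
    custom rules with a lower priority number."""
    return [
        NsgRule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
        NsgRule("AllowInternetOutBound", 65001, "Allow", "Internet"),
        NsgRule("DenyAllOutBound", 65500, "Deny", "*"),
    ]


def destination_tag(dest: str, vnet_space: List[str]) -> str:
    """Map an address to the service tag an NSG would match it against.
    Simplification: anything outside the VNet address space counts as Internet."""
    addr = ipaddress.ip_address(dest)
    if any(addr in ipaddress.ip_network(c) for c in vnet_space):
        return "VirtualNetwork"
    return "Internet"


def rule_matches(rule: NsgRule, dest: str, tag: str) -> bool:
    if rule.destination == "*":
        return True
    if rule.destination in ("VirtualNetwork", "Internet"):
        return rule.destination == tag
    return ipaddress.ip_address(dest) in ipaddress.ip_network(rule.destination)


def nsg_decision(rules: List[NsgRule], dest: str, vnet_space: List[str]) -> str:
    """The first matching rule in priority order decides; evaluation stops there."""
    tag = destination_tag(dest, vnet_space)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, dest, tag):
            return f"{rule.access} ({rule.name})"
    return "Deny (no matching rule)"  # unreachable while the default rules are present


def egress(app_settings: Dict[str, str], dest: str, vnet_space: List[str], rules: List[NsgRule]) -> str:
    """Where does a packet from the function app to `dest` go, and what happens to it there?"""
    route_all = app_settings.get("WEBSITE_VNET_ROUTE_ALL") == "1"
    addr = ipaddress.ip_address(dest)
    enters_vnet = route_all or any(addr in net for net in RFC1918)
    if not enters_vnet:
        return "bypasses VNet via app's public outbound IP; NSG not consulted"
    return "via integration subnet: " + nsg_decision(rules, dest, vnet_space)


VNET_SPACE = ["10.10.0.0/16"]                                            # constructed
DENY_INTERNET = NsgRule("DenyInternetEgress", 100, "Deny", "Internet")   # constructed custom rule


def demo() -> Dict[str, str]:
    """Same two destinations, with and without WEBSITE_VNET_ROUTE_ALL=1."""
    rules = default_outbound_rules() + [DENY_INTERNET]
    results: Dict[str, str] = {}
    for label, settings in (("default", {}), ("route_all", {"WEBSITE_VNET_ROUTE_ALL": "1"})):
        for dest in ("10.10.2.5", "203.0.113.50"):
            results[f"{label} -> {dest}"] = egress(settings, dest, VNET_SPACE, rules)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<28} {outcome}")
```

The model makes the trap visible: the DenyInternetEgress rule at priority 100 is correct, but in the "default" row it never fires because internet-bound traffic never enters the subnet. To apply this for real, set the app setting with az functionapp config appsettings set --name <app> --resource-group <rg> --settings WEBSITE_VNET_ROUTE_ALL=1, create the NSG rule with az network nsg rule create ... --direction Outbound --access Deny --destination-address-prefixes Internet --priority 100, and then confirm from the app's console that tcpping against an internet host times out rather than connects (NSG denies drop silently, so a timeout, not a refusal, is the expected signature).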

Automation

The following APIs let you programmatically manage regional virtual network integration:

  • Azure CLI: Use the az functionapp vnet-integration commands to add, list, or remove regional virtual network integrations.
  • ARM templates: Regional virtual network integration can be enabled by using an Azure Resource Manager template. For a full example, see the Functions quickstart template.

Troubleshooting

The feature is easy to set up, but that doesn't mean your experience will be problem-free. If you have trouble reaching a desired endpoint, there are utilities you can use to test connectivity from the app console. There are two consoles you can use: the Kudu console, and the console in the Azure portal. To reach the Kudu console from your app, go to Tools > Kudu. You can also reach the Kudu console at [sitename].scm.chinacloudsites.cn. After the site loads, go to the Debug console tab. To get to the Azure portal-hosted console from your app, go to Tools > Console.

Tools

The tools ping, nslookup, and tracert won't work through the console because of security constraints. To fill the gap, two separate tools are provided. To test DNS functionality, there is a tool named nameresolver.exe. The syntax is:

nameresolver.exe hostname [optional: DNS Server]

You can use nameresolver to check the hostnames that your app depends on. This way you can test whether your DNS is misconfigured, or whether you lack access to your DNS server. You can see the DNS servers that your app uses in the console by looking at the environment variables WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER.

You can use the next tool to test TCP connectivity to a host and port combination. This tool is called tcpping, and the syntax is:

tcpping.exe hostname [optional: port]

The tcpping utility tells you whether you can reach a specific host and port. It reports success only if there's an application listening at the host and port combination and there's network access from your app to that host and port.

Debug access to virtual network-hosted resources

A number of things can prevent your app from reaching a specific host and port. Most of the time it's one of these:

  • A firewall is in the way. If a firewall is in the way, you hit the TCP timeout, which is 21 seconds in this case. Use the tcpping tool to test connectivity. TCP timeouts can be caused by many things beyond firewalls, but start there.
  • DNS isn't accessible. The DNS timeout is 3 seconds per DNS server, so with two DNS servers the timeout is 6 seconds. Use nameresolver to see whether DNS is working. You can't use nslookup, because it doesn't use the DNS servers your virtual network is configured with. If DNS is inaccessible, a firewall or NSG may be blocking access to it, or the DNS server may be down.

If those items don't explain the problem, look first for things like the following.

Gateway-required VNet Integration

  • Is the point-to-site address range within the RFC 1918 ranges (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255)?
  • Does the gateway show as up in the portal? If your gateway is down, bring it back up.
  • Do the certificates show as being in sync, or do you suspect that the network configuration was changed? If your certificates are out of sync, or you suspect a change was made to your virtual network configuration that wasn't synced with your App Service plans (ASPs), select Sync Network.
  • If you're going across a VPN, is the on-premises gateway configured to route traffic back up to Azure? If you can reach endpoints in your virtual network but not on-premises, check your routes.
  • Are you trying to use a coexistence gateway that supports both point-to-site and ExpressRoute? Coexistence gateways aren't supported with VNet Integration.

Debugging networking issues is a challenge because you can't see what's blocking access to a specific host:port combination. Some causes include:

  • A firewall on the host prevents access to the application port from your point-to-site IP range. Crossing subnets often requires public access.
  • The target host is down.
  • The application is down.
  • You have the wrong IP or hostname.
  • The application is listening on a different port than you expect. You can match the process ID to the listening port by running "netstat -aon" on the endpoint host.
  • Your network security groups are configured so that they prevent access to the application host and port from your point-to-site IP range.

You don't know which address your app actually uses. It could be any address in the integration subnet or point-to-site address range, so you need to allow access from the entire range.

Additional debug steps include:

  • Connect to a VM in your virtual network and attempt to reach your resource host:port from there. To test for TCP access, use the PowerShell command test-netconnection. The syntax is:
test-netconnection hostname [optional: -Port]
  • Bring up an application on a VM and test access to that host and port from your app's console by using tcpping.

On-premises resources

If your app can't reach a resource on-premises, check whether you can reach the resource from your virtual network. Use the test-netconnection PowerShell command to check for TCP access. If your VM can't reach the on-premises resource, your VPN or ExpressRoute connection might not be configured properly.

If your virtual network-hosted VM can reach your on-premises system but your app can't, the cause is likely one of the following:

  • Your routes aren't configured with your subnet or point-to-site address ranges in your on-premises gateway.
  • Your network security groups are blocking access for your point-to-site IP range.
  • Your on-premises firewalls are blocking traffic from your point-to-site IP range.

Next steps

To learn more about networking and Azure Functions: